Exam (elaborations)

CISA EXAM QUESTIONS AND 100% CORRECT ANSWERS

Pages
30
Grade
A
Uploaded on
16-08-2025
Written in
2025/2026

Institution
CISA
Module
CISA











CISA FINAL EXAM QUESTIONS AND 100%
CORRECT ANSWERS!!
1. A legacy payroll application is migrated to a new application. Which of the following
stakeholders should be PRIMARILY responsible for reviewing and signing-off on the
accuracy and completeness of the data before going live?
A. IS auditor
B. Database administrator
C. Project manager
D. Data owner

D

2. Upon receipt of the initial signed digital certificate the user will decrypt the certificate
with the public key of the:
A. registration authority (RA).
B. certificate authority (CA).
C. certificate repository.
D. receiver.

B

3. An IS auditor discovers that devices connected to the network have not been included in
a network diagram that had been used to develop the scope of the audit. The chief
information officer (CIO) explains that the diagram is being updated and awaiting final
approval. The IS auditor should FIRST:
A. expand the scope of the IS audit to include the devices that are not on the network
diagram.
B. evaluate the impact of the undocumented devices on the audit scope.
C. note a control deficiency because the network diagram has not been updated.
D. plan follow-up audits of the undocumented devices.

B

4. In a small organization, developers may release emergency changes directly to
production. Which of the following will BEST control the risk in this situation?
A. Approve and document the change the next business day.
B. Limit developer access to production to a specific time frame.
C. Obtain secondary approval before releasing to production.
D. Disable the compiler option in the production machine.

A

5. While reviewing the IT infrastructure, an IS auditor notices that storage resources are
continuously being added. The IS auditor should:
A. recommend the use of disk mirroring.
B. review the adequacy of offsite storage.
C. review the capacity management process.
D. recommend the use of a compression algorithm.

C

6. During a compliance audit of a small bank, the IS auditor notes that both the IT and
accounting functions are being performed by the same user of the financial system. Which
of the following reviews conducted by a supervisor would represent the BEST
compensating control?
A. Audit trails that show the date and time of the transaction.
B. A summary daily report with the total numbers and dollar amounts of each transaction.
C. User account administration.
D. Computer log files that show individual transactions in the financial system.

D

7. From a control perspective, the PRIMARY objective of classifying information assets is
to:
A. establish guidelines for the level of access controls that should be assigned.
B. ensure access controls are assigned to all information assets.
C. assist management and auditors in risk assessment.
D. identify which assets need to be insured against losses.

A

8. To gain an understanding of the effectiveness of an organization's planning and
management of investments in IT assets, an IS auditor should review the:
A. enterprise data model.
B. IT balanced scorecard (BSC).
C. IT organizational structure.
D. historical financial statements.

B

9. When using a universal storage bus (USB) flash drive to transport confidential corporate
data to an offsite location, an effective control would be to:
A. carry the flash drive in a portable safe.
B. assure management that you will not lose the flash drive.
C. request that management deliver the flash drive by courier.
D. encrypt the folder containing the data with a strong key.

D

10. For a mission-critical application with a low recovery time objective (RTO), the IS
auditor would recommend the use of which of the following recovery strategies?
A. Mobile site.
B. Redundant site.
C. Hot site.
D. Reciprocal agreements.

B

11. When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy
supports the organization's business objectives by determining whether IS:
A. has all the personnel and equipment it needs.
B. plans are consistent with management strategy.
C. uses its equipment and personnel efficiently and effectively.
D. has sufficient excess capacity to respond to changing directions.

KenAli West Virginia University