Q1) When using public key encryption to secure data being transmitted across a
network:
A) the key used to encrypt is private, but the key used to decrypt the data is
public.
B) the key used to encrypt is public, but the key used to decrypt the data is
private.
C) both the key used to encrypt and decrypt the data are public.
D) both the key used to encrypt and decrypt the data are private.
Answer: B
Q2) Which of the following functions is performed by a virtual private
network?
A) Hiding information from sniffers on the net
B) Enforcing security policies
C) Detecting misuse or mistakes
D) Regulating access
Answer: A
Q3) An IS auditor invited to a project development meeting notes that no
project risk has been documented. When the IS auditor raises this issue, the
project manager responds that it is too early to identify risk and that, if risk
starts impacting the project, a risk manager will be hired. The appropriate
response of the IS auditor would be to:
A) accept the project manager's position because the project manager is
accountable for the outcome of the project.
B) offer to work with the risk manager when one is appointed.
C) inform the project manager that the IS auditor will conduct a review of the
risk at the completion of the requirements definition phase of the project.
D) stress the importance of spending time at this point in the project to consider
and document risk and to develop contingency plans.
Answer: D
Q4) The MAIN purpose of a transaction audit trail is to:
A) provide useful information for capacity planning.
B) determine accountability and responsibility for processed transactions.
C) reduce the use of storage media.
D) help an IS auditor trace transactions.
Answer: B
Q5) An IS auditor is reviewing system access and discovers an excessive
number of users with privileged access. The IS auditor discusses the situation
with the system administrator, who states that some personnel in other
departments need privileged access and management has approved the access.
Which of the following would be the BEST course of action for the IS auditor?
A) Document the issue in the audit report.
B) Determine whether compensating controls are in place.
C) Discuss the issue with senior management.
D) Recommend an update to the procedures.
Answer: B
Q6) Which of the following inputs would PRIMARILY help in designing the
data backup strategy in case of potential natural disasters?
A) Volume of data to be backed up
B) Recovery point objective
C) Available data backup technologies
D) Recovery time objective
Answer: B
Q7) A project manager for a project that is scheduled to take 18 months to
complete announces that the project is in a healthy financial position because,
after six months, only one-sixth of the budget has been spent. The IS auditor
should FIRST determine:
A) if the project could be brought in ahead of schedule.
B) if the project budget can be reduced.
C) the amount of progress achieved compared to the project schedule.
D) if the budget savings can be applied to increase the project scope.
Answer: C
Q8) Which of the following types of firewalls would BEST protect a network
from an Internet attack?
A) Screened subnet firewall
B) Circuit-level gateway
C) Application filtering gateway
D) Packet filtering router
Answer: A
Q9) A system developer transfers to the audit department to serve as an IT
auditor. When production systems are to be reviewed by this employee, which
of the following will become the MOST significant concern?
A) Audit points may largely shift to technical aspects.
B) The employee may not have sufficient control assessment skills.
C) The work may be construed as a self-audit.
D) The employee's knowledge of business risk may be limited.
Answer: C
Q10) An IS auditor is testing employee access to a large financial system, and
the IS auditor selected a sample from the current employee list provided by the
auditee. Which of the following types of evidence is the MOST reliable to support the
testing?
A) Observations performed onsite in the presence of a system administrator
B) A list of accounts with access levels generated by the system
C) Human resources access documents signed by employees' managers
D) A spreadsheet provided by the system administrator
Answer: B
Q11) An IS auditor is reviewing an organization's logical access security to its
remote systems. Which of the following would be of GREATEST concern to an
IS auditor?
A) Third-party users possess administrator access.
B) Unencrypted passwords are used.
C) Passwords are shared.
D) Redundant logon IDs exist.