QUESTIONS WELL ANSWERED
An IS auditor finds a small number of user access requests that were not authorized by
managers through the normal predefined workflow steps and escalation rules. The IS auditor
should - ANS ✔✔The IS auditor needs to perform substantive testing and additional analysis to
determine why the approval and workflow processes are not working as intended. Before
making any recommendation, the IS auditor should gain a good understanding of the scope of
the problem and the factors that caused this incident. The IS auditor should identify whether
the issue was caused by managers not following procedures, a problem with the workflow of
the automated system or a combination of the two.
An internal IS audit function is planning a general IS audit. Which of the following activities takes
place during the FIRST step of the planning phase? - ANS ✔✔A risk assessment should be
performed to determine how internal audit resources should be allocated to ensure that all
material items will be addressed.
During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation
of segregation of duties within an IT department? - ANS ✔✔Discussing the implementation of
segregation of duties with the IT managers is the best way to determine how responsibilities are
assigned within the department.
An IS auditor reviewing a network log discovers that an employee ran elevated commands on
their PC by invoking the task scheduler to launch restricted applications. This is an example
of what type of attack? - ANS ✔✔This is a type of attack where higher-level system authority is
obtained by various methods. In this example, the task scheduler service runs with
administrator permissions, and a security flaw allows programs launched by the scheduler to
run at the same permission level.
An IS auditor reviewing digital rights management applications should expect to find an
extensive use for which of the following technologies? - ANS ✔✔This is a technique for
concealing the existence of messages or information within another message. An increasingly
important steganographical technique is digital watermarking, which hides data within data
(e.g., by encoding rights information in a picture or music file without altering the picture or
music's perceivable aesthetic qualities).
An IS auditor recommends that an initial validation control be programmed into a credit card
transaction capture application. The initial validation process would MOST likely - ANS ✔✔The
initial validation should confirm whether the card is valid. This validity is established through the
card number and personal identification number entered by the user.
Which of the following preventive controls BEST helps secure a web application? - ANS ✔✔Of
the given choices, teaching developers to write secure code is the best way to secure a web
application.
An IS auditor is testing employee access to a large financial system, and the IS auditor selected a
sample from the current employee list provided by the auditee. Which of the following
evidence is the MOST reliable to support the testing? - ANS ✔✔The access list generated by the
system is the most reliable, because it is the most objective evidence to perform a comparison
against the samples selected. The evidence is objective, because it was generated by the system
rather than by an individual.
While reviewing the process for continuous monitoring of the capacity and performance of IT
resources, an IS auditor should PRIMARILY ensure that the process is focused on - ANS
✔✔Accurate capacity monitoring of IT resources would be the most critical element of a
continuous monitoring process.
Which of the following processes will be MOST effective in reducing the risk that unauthorized
software on a backup server is distributed to the production server? - ANS ✔✔It is common
practice for software changes to be tracked and controlled using version control software. An IS
auditor should review reports or logs from this system to identify the software that is promoted
to production. Only moving the versions on the version control system program will prevent the
transfer of development or earlier versions.
An organization is replacing a payroll program that it developed in-house, with the relevant
subsystem of a commercial enterprise resource planning (ERP) system. Which of the following
would represent the HIGHEST potential risk? - ANS ✔✔The most significant risk after a payroll
system conversion is loss of data integrity and not being able to pay employees in a timely and
accurate manner or have records of past payments. As a result, maintaining data integrity and
accuracy during migration is paramount.
During the audit of an acquired software package, an IS auditor finds that the software purchase
was based on information obtained through the Internet, rather than from responses to a
request for proposal. The IS auditor should FIRST - ANS ✔✔In the case of a deviation from the
predefined procedures, an IS auditor should first ensure that the procedure followed for
acquiring the software is consistent with the business objectives and has been approved by the
appropriate authorities.
The PRIMARY benefit of an enterprise architecture initiative is to - ANS ✔✔The primary focus
of the enterprise architecture (EA) is to ensure that technology investments are consistent with
the platform, data and development standards of the IT organization; therefore, the goal of the
EA is to help the organization to implement the technology that is most effective.
Which of the following is an advantage of prototyping? - ANS ✔✔Prototype systems can provide
significant time and cost savings through better user interaction and the ability to rapidly adapt
to changing requirements; however, they also have several disadvantages, including loss of
overall security focus, project oversight and implementation of a prototype that is not yet ready
for production.
Which of the following is the responsibility of information asset owners? - ANS ✔✔It is the
responsibility of owners to define the criticality (and sensitivity) levels of information assets.