Exam (elaborations)

CISA - EXAM 2 QUESTIONS WELL ANSWERED

Pages
131
Grade
A+
Uploaded on
01-11-2025
Written in
2025/2026

Institution
CISA
Course
CISA

Document information

Uploaded on
November 1, 2025
Contains
Questions & answers

Subjects

Content preview

CISA - EXAM 2 QUESTIONS WELL
ANSWERED

Q1) Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process?

A) Interview personnel in charge of the change control process

B) Perform an end-to-end walk-through of the process

C) Test a sample of authorized changes

D) Test a sample population of change requests

ANS ✔✔ B) Perform an end-to-end walk-through of the process is correct. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.

D) Test a sample population of change requests is incorrect. Testing a sample population of changes is a test of compliance and operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design.

C) Test a sample of authorized changes is incorrect. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls.

A) Interview personnel in charge of the change control process is incorrect. This is not as effective as a walk-through of the change controls process because people may know the process but not follow it.

Q2) An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?

A) Inbound traffic is blocked unless the traffic type and connections have been specifically permitted.

B) A Secure Sockets Layer has been implemented for user authentication and remote administration of the firewall.

C) The firewall is placed on top of the commercial operating system with all default installation options.

D) Firewall policies are updated on the basis of changing requirements

ANS ✔✔ C) The firewall is placed on top of the commercial operating system with all default installation options is correct. The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached, that breach is facilitated by vulnerabilities in the underlying operating system. Keeping all installation options available on the system further increases the risk of vulnerabilities and exploits.

B) A Secure Sockets Layer has been implemented for user authentication and remote administration of the firewall is incorrect. Using Secure Sockets Layer for firewall administration is important because changes in user and supply chain partners' roles and profiles will be dynamic.

D) Firewall policies are updated on the basis of changing requirements is incorrect. It is appropriate to maintain the firewall policies as needed.

A) Inbound traffic is blocked unless the traffic type and connections have been specifically permitted is incorrect. It is prudent to block all inbound traffic to an extranet unless permitted.

Q3) Which of the following choices would be the BEST source of information when developing a risk-based audit plan?

A) System custodians identify vulnerabilities.

B) Process owners identify key controls.

C) Senior management identify key business processes.

D) Peer auditors understand previous audit results.

ANS ✔✔ C) Senior management identify key business processes is correct. Developing a risk-based audit plan must start with the identification of key business processes, which determine and identify the risk that needs to be addressed.

B) Process owners identify key controls is incorrect. Although process owners should be consulted to identify key controls, senior management is a better source to identify business processes, which are more important.

A) System custodians identify vulnerabilities is incorrect. System custodians are a good source to better understand the risk and controls as they apply to specific applications; however, senior management is a better source to identify business processes, which are more important.

D) Peer auditors understand previous audit results is incorrect. The review of previous audit results is one input into the audit planning process; however, if previous audits focused on a limited or a restricted scope or if the key business processes have changed and/or new business processes have been introduced, then this does contribute to the development of a risk-based audit plan.

Q4) Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?

A) The maturity of the project management process

B) The regulatory environment

C) Past audit findings

D) The IT project portfolio analysis

ANS ✔✔ D) The IT project portfolio analysis is correct. Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio provides comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.

A) The maturity of the project management process is incorrect. The maturity of the project management process is more important with respect to managing the day-to-day operations of IT versus performing strategic planning.

B) The regulatory environment is incorrect. Regulatory requirements may drive investment in certain technologies and initiatives; however, having to meet regulatory requirements is not typically the main focus of the IT and business strategy.

C) Past audit findings is incorrect. Past audit findings may drive investment in certain technologies and initiatives; however, having to remediate past audit findings is not the main focus of the IT and business strategy.

Q5) The implementation of which of the following would MOST effectively prevent
unauthorized access to a system administration account on a web server?
