VERIFIED SOLUTIONS
Who is accountable for ensuring relevant controls over IS resources? - ANS ✔✔Resource owners
The primary consideration of an IS auditor when evaluating a fraudulent transaction
is_______________. - ANS ✔✔To ensure that the integrity of the evidence is maintained.
An IS auditor observes that an enterprise has outsourced software development to a startup
company or a third party. To ensure that the enterprise's investment in software is protected,
which of the following should be recommended by the IS auditor? - ANS ✔✔There should be a
source code escrow agreement in place.
An IS auditor finds a small number of user access requests that managers had not authorised
through the normal predefined workflow steps and escalation rules. The IS auditor should
_________________. - ANS ✔✔Perform an additional analysis
The responsibility for granting access to data, with the help of the security officer, resides
with________________. - ANS ✔✔The data owners
An IS auditor is reviewing the physical security controls of a data center and notices several
areas for concern. Which of the following areas is the most important? - ANS ✔✔The
emergency exit door is blocked.
Which of the following choices best helps information owners to classify data correctly? - ANS
✔✔Training on organisational policies and standards.
A test that is conducted when a system is in the development phase is_______________. - ANS
✔✔A unit test
An enterprise's risk appetite is best established by_________________. - ANS ✔✔The steering
committee
Which of the following is the best performance indicator for the effectiveness of an incident
management program? - ANS ✔✔Incident resolution meantime.
Backups will most effectively minimise a disruptive incident's impact on a business if they
are__________________. - ANS ✔✔Scheduled according to the service delivery objectives.
An IS audit reveals that an organisation is not proactively addressing known vulnerabilities.
Which of the following should the IS auditor recommend the organisation does first? - ANS
✔✔Assess the security risks to the business.
An IS auditor has completed the fieldwork phase of a network security review and is preparing
the initial draft of the audit report. Which of the following findings should be ranked as the
highest risk? - ANS ✔✔The network device inventory is incomplete.
Which of the following is the primary advantage of parallel processing for a new system
implementation? - ANS ✔✔Assurance that the new system meets functional requirements.
During an internal audit of automated controls, an IS auditor identifies that the integrity of data
transfer between systems has not been tested since its successful implementation two years
ago. Which of the following should the auditor do next? - ANS ✔✔Review relevant system
changes.
The MAIN benefit of using an integrated test facility (ITF) as an online auditing technique is that
it enables________________. - ANS ✔✔Auditors to test without impacting production data.
Which of the following should be the MOST important consideration when conducting a review
of IT portfolio management? - ANS ✔✔Controls to minimise risk and maximise value for the IT
portfolio
Which of the following would BEST facilitate the successful implementation of an IT-related
framework? - ANS ✔✔Involving appropriate business representation within the framework.
What is the MAIN reason to use incremental backups? - ANS ✔✔To minimise the backup time
and resources
When auditing the security architecture of an online application, an IS auditor should FIRST
review the_________________. - ANS ✔✔Configuration of the firewall.
An organisation is planning an acquisition and has engaged an IS auditor to evaluate the IT
governance framework of the target company. Which of the following would be MOST helpful in
determining the effectiveness of the framework? - ANS ✔✔Recent third-party IS audit reports
The IT Assurance Framework consists of all of the following except _______________. - ANS
✔✔ISACA Audit Job Practice
An audit project has been taking far too long, and management is beginning to ask questions
about its schedule and completion. This audit may be lacking________________. - ANS
✔✔Effective project management
Which of the following is true about the ISACA Audit Standards and Audit Guidelines? - ANS
✔✔ISACA Audit Standards are mandatory.
For the purposes of audit planning, can an auditor rely upon the audit client's risk assessment? -
ANS ✔✔Yes, if the risk assessment was performed by a qualified external entity.
An auditor is auditing the user account request and fulfilment process. The event population
consists of hundreds of transactions, so the auditor cannot view them all. The auditor wants to
view a random selection of transactions, as well as some of the transactions for privileged
access requests. This type of sampling is known as_____________. - ANS ✔✔Judgmental
sampling
An auditor is developing an audit plan for an accounts payable function. Rather than randomly
selecting transactions to examine, the auditor wants to select transactions from low, medium,
and large payment amounts. Which sample methodology is appropriate for this approach? - ANS
✔✔Stratified sampling
What is the objective of the ISACA audit standard on organisational independence? - ANS
✔✔The auditor's placement in the organisation should ensure the auditor can act
independently.
Which of the following audit types is appropriate for a financial services provider such as a
payroll service? - ANS ✔✔SSAE18
An auditor is auditing an organisation's personnel onboarding process and is examining the
background check process. The auditor is mainly interested in whether background checks are
performed for all personnel and whether background check results lead to no-hire decisions.
Which of the following evidence-collection techniques will support this audit objective? - ANS
✔✔Request the background check ledger that includes the candidates' names, results of
background checks, and hire/no-hire decisions.
According to ISACA Audit Standard 1202, which types of risks should be considered when
planning an audit? - ANS ✔✔Business risk
Which of the following is the best example of a control self-assessment of a user account
provisioning process? - ANS ✔✔Reconciliation of all user account changes against approved
requests in the ticketing system.