Certified Information Systems Auditor (CISA)

Multiple Choice Questions:

1. An organisation is implementing a new system that supports a month-
end business process. Which of the following implementation strategies
would be most efficient to decrease business downtime?
a. Cutover
b. Phased
c. Pilot
d. Parallel

2. Which of the following should be the first step in managing the impact of
a recently discovered zero-day attack?
a. Estimating potential damage.
b. Identifying vulnerable assets.
c. Evaluating the likelihood of an attack.
d. Assessing the impact of vulnerabilities.

3. Which of the following is the best way to ensure that an application is

performing according to its specifications?
a. Pilot testing
b. System testing
c. Integration testing
d. Unit testing

4. Which of the following would be most effective to protect information

assets in a data center from theft by a vendor?
a. Conceal data devices and information labels.
b. Issue an access card to the vendor.
c. Monitor and restrict vendor activities.
d. Restrict the use of portable and wireless devices.
5. An employee loses a mobile device resulting in the loss of sensitive
corporate data. Which of the following would have best prevented data
leakage?
a. Data encryption on the mobile device.
b. The triggering of remote data wipe capabilities.
c. Awareness training for mobile device users.
d. Complex password policy for mobile devices.

6. During the evaluation of controls over a major application development

project, the most effective use of an IS auditor's time would be to review
and evaluate_________________.
a. Cost-benefit analysis
b. Acceptance testing
c. Application test cases
d. Project plans

7. Upon completion of audit work, an IS auditor should _______________.

a. Provide a report to the auditee stating the initial findings.
b. Provide a report to senior management before discussion with the
auditee.
c. Distribute a summary of general findings to the members of the
auditing team.
d. Review the working papers with the auditee.

8. The greatest benefit of using a prototyping approach in software

development is that it helps to
a. Improve the efficiency of quality assurance (QA) testing.
b. Conceptualise and clarify requirements.
c. Decrease the time allocated for user testing and review.
d. Minimise scope changes to the system.
9. After an employee termination, a network account was removed, but
the application account remained active. To keep this issue from
recurring, which of the following is the best recommendation?
a. Integrate application accounts with network single sign-on.
b. Perform periodic access reviews.
c. Retrain system administration staff.
d. Leverage shared accounts for the application.

10. During an IT general controls audit of a high-risk area where both

internal and external audit teams are reviewing the same areas
simultaneously, which of the following is the best approach to optimise
resources?
a. Leverage the work performed by external audit for internal audit
testing.
b. Ensure both the internal and external auditors perform the work
simultaneously.
c. Roll forward the general controls audit to the subsequent audit
year.
d. Request that the external audit team leverages the internal audit
work.

11. During an IT governance audit, an IS auditor notes that IT policies and

procedures are not regularly reviewed and updated. The greatest
concern to the IS auditor is that policies and procedures might not
______________.
a. Reflect current practices.
b. Be subject to adequate quality assurance (QA).
c. Include new systems and corresponding process changes.
d. Incorporate changes to relevant laws.
12. Management receives information indicating a high level of risk
associated with potential flooding near the organisation's data center
within the next few years. As a result, a decision has been made to move
data center operations to another facility on higher ground. Which
approach has been adopted?
a. Risk Reduction
b. Risk acceptance
c. Risk transfer
d. Risk avoidance

13. An emergency power-off switch should_________________.

a. Not be in the computer room.
b. Not be identified
c. Be protected.
d. Be illuminated.

14.Which of the following is the PRIMARY role of the IS auditor in an

organisation's information classification process?
a. Securing information assets by the classification assigned.
b. Validating that assets are protected according to assigned
classification.
c. Ensuring classification levels align with regulatory guidelines.
d. Defining classification levels for information assets within the
organisation.
15. When evaluating whether the expected benefits of a project have been
achieved, it is MOST important for an IS auditor to
review_________________.
a. The project schedules.
b. Quality assurance (QA) results.
c. Post-implementation issues.
d. The business cases.
16. Which of the following is the MOST important reason for IS auditors to
perform post-implementation reviews for critical IT projects?
a. To determine whether vendors should be paid for project
deliverables.
b. To provide the audit committee with an assessment of project
team performance.
c. To guide the financial return on investment (ROI) of projects.
d. To determine whether the organisation's objectives were met as
expected.

17. Which of the following BEST indicates that an incident management

process is effective?
a. Decreased number of calls to the help desk.
b. Increased number of incidents reviewed by IT management.
c. Decreased time for incident resolution.
d. Increased the number of reported critical incidents.

18. Which of the following MOST effectively minimises downtime during

system conversions?
a. Phased approach
b. Parallel run
c. Direct cutover
d. Pilot study

19. Which of the following would MOST effectively ensure the integrity of
data transmitted over a network?
a. Message encryption
b. Steganography
c. A certificate authority (CA)
d. Message digest
20. Which of the following would be MOST useful to an IS auditor assessing
the effectiveness of IT resource planning?
a. Budget execution status.
b. A capacity analysis of IT operations.
c. A succession plan for key IT personnel.
d. A list of new applications to be implemented.

21. An IS auditor is evaluating controls for monitoring the regulatory

compliance of a third party that provides IT services to the organisation.
Which of the following should be the auditor's GREATEST concern?
a. A gap analysis against regulatory requirements has not been
conducted.
b. The third party disclosed a policy-related issue of non-compliance.
c. The organisation has not reviewed the third party's policies and
procedures.
d. The organisation has not communicated regulatory requirements
to the third party.

22. Which of the following is an audit reviewer's PRIMARY role about

evidence?
a. Ensuring appropriate statistical sampling methods were used.
b. Ensuring evidence is labeled to show it was obtained from an
approved source.
c. Ensuring unauthorised individuals do not tamper with evidence
after it has been captured.
d. Ensuring evidence is sufficient to support audit conclusions.

23. When an intrusion into an organisation's network is detected, which of

the following should be done FIRST?
a. Contact law enforcement.
b. Identify nodes that have been compromised.
c. Block all compromised network nodes.
d. Notify senior management
24. An IS auditor is reviewing processes for importing market price data
from external data providers. Which of the following findings should the
auditor consider MOST critical?
a. The quality of the data is not monitored.
b. The transfer protocol does not require authentication.
c. Imported data is not disposed of frequently.
d. The transfer protocol is not encrypted.

25. In a controlled application development environment, the MOST

important segregation of duties should be between the person who
implements changes into the production environment and
the_______________.
a. Application programmer.
b. Quality assurance (QA) personnel.
c. Computer operator.
d. Systems programmer.

26. A small startup organisation does not have the resources to implement
segregation of duties. Which of the following is the MOST effective
compensating control?
a. Rotation of log monitoring and analysis responsibilities.
b. Additional management reviews and reconciliations.
c. Mandatory vacations.
d. Third-party assessments.

27. When planning an audit to assess application controls of a cloud-based

system, it is MOST important for the IS auditor to understand
the_______________.
a. Availability reports associated with the cloud-based system.
b. Architecture and cloud environment of the system.
c. Policies and procedures of the business area being audited.
d. Business process supported by the system.
28. Which of the following data would be used when performing a business
impact analysis (BIA)?
a. Projected impact of current business on future business.
b. Expected costs for recovering the business.
c. Cost of regulatory compliance.
d. Cost-benefit analysis of running the current business.

29. Which of the following is the BEST indicator of the effectiveness of an

organisation's incident response program?
a. Number of successful penetration tests.
b. Percentage of protected business applications.
c. Number of security vulnerability patches.
d. Financial impact per security event.

30. An organisation recently implemented a cloud document storage

solution and removed the ability for end users to save data to their local
workstation hard drives. Which of the following findings should be the IS
auditor's greatest concern?
a. Mobile devices are not encrypted.
b. Users are not required to sign updated acceptable use
agreements.
c. The business continuity plan (BCP) was not updated.
d. Users have not been trained on the new system.

31. Which of the following security measures will reduce the risk of
propagation when a cyberattack occurs?
a. Data loss prevention (DLP) system.
b. Perimeter firewall.
c. Network segmentation on Web application firewall.
d. Internally-facing network assets.
32. An IS auditor notes that the previous year's disaster recovery test was
not completed within the scheduled time frame due to insufficient
hardware allocated by a third-party vendor. Which of the following
provides the best evidence that adequate resources are now allocated
to successfully recover the systems?
a. Hardware change management policy.
b. An up-to-date RACI charts.
c. Vendor memo indicating problem correction.
d. Service level agreement (SLA).

33. When implementing Internet Protocol security (IPsec) architecture, the

servers involved in application delivery _________________.
a. Channel access only through the public-facing firewall.
b. Channel access through authentication.
c. Communicate via Transport Layer Security (TLS).
d. Block authorised users from unauthorised activities.

34. During audit fieldwork, an IS auditor learns that employees are allowed
to connect their personal devices to company-owned computers. How
can the auditor best validate that appropriate security controls are in
place to prevent data loss?
a. Verify the data loss prevention (DLP) tool is properly configured by
the organisation.
b. Review compliance with data loss and applicable mobile device
user acceptance policies.
c. Verify employees have received appropriate mobile device
security awareness training.
d. Conduct a walk-through to view the results of an employee
plugging in a device to transfer confidential data.
35. Management has requested a post-implementation review of a newly
implemented purchasing package to determine to what extent business
requirements are being met. Which of the following is most likely to be
assessed?
a. Implementation methodology
b. Test results
c. Purchasing guidelines and policies
d. Results of live processing

36. Which of the following is an advantage of using agile software

development methodology over the waterfall methodology?
a. Quicker end-user acceptance
b. Clearly defined business expectations
c. Quicker deliverables
d. Less funding required overall

37. In an online application, which of the following would provide the MOST
information about the transaction audit trail?
a. File layouts
b. Data architecture
c. System/process flowchart
d. Source code documentation

38. On a public-key cryptosystem when there is no previous knowledge

between parties, which of the following will best help to prevent one
person from using a fictitious key to impersonate someone else?
a. Send a certificate that can be verified by a certification authority
with the public key.
b. Encrypt the message containing the sender's public key, using the
recipient's public key.
c. Send the public key to the recipient before establishing the
connection.
d. Encrypt the message containing the sender's public key, using a
private-key cryptosystem.
39. The IS quality assurance (QA) group is responsible for:
a. monitoring the execution of computer processing tasks.
b. designing procedures to protect data against accidental
disclosure.
c. Ensuring that program changes adhere to established standards.
d. Ensuring that the output received from system processing is
complete.

40. Which of the following approaches will ensure recovery time objectives
(RTOs) are met for an organisation's disaster recovery plan (DRP)?
a. Performing a full interruption test
b. Performing a parallel test
c. Performing a tabletop test
d. Performing a cyber-resilience test