Which of the following is MOST important to verify?
An IS auditor is conducting a review of a healthcare organization’s IT policies for handling medical records. Which of the following is MOST important to verify?
A. A documented policy approval process is in place
B. Policy writing standards are consistent
C. The policies comply with regulatory requirements
D. IT...
Which of the following techniques is used by John to treat the identified risk provided by an IS auditor?
John is the product manager for an information system. His product has undergone a security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks suggested by an IS auditor. Which of the following techniques is used by John to treat the...
Which sampling method would be appropriate?
An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?
A. Discovery sampling
B. Variable sampling
C. Stratified sampling
D. Judgmental sampling
Answer: C
Which of the following audit risks is related to exposure of a process or entity to be audited without taking into account the control that management has implemented?
A. Inherent Risk
B. Control Risk
C. Detection Risk
D. Overall Audit Risk
Answer: A
Explanation: Inherent Risk is the risk level...
A shared resource matrix is a technique commonly used to locate:
A. Malicious code
B. Security flaws
C. Trap doors
D. Covert channels
Answer: D
Explanation: Analyzing resources of a system is one standard for locating covert channels because the basis of a covert channel is a shared resource. The...
An IS auditor conducting audit follow-up activities learns that some previously agreed-upon corrective actions have not been taken and that the associated risk has been accepted by senior management. If the auditor disagrees with management’s decision, what is the BEST way to address the situation?
A. Repeat the audit with...
An IS auditor observes that the CEO has full access to the enterprise resource planning (ERP) system. The IS auditor should FIRST:
A. accept the level of access provided as appropriate
B. recommend that the privilege be removed
C. ignore the observation as not being material to the review
D. ...
Which of the following audits combines financial and operational audit steps?
A. Compliance Audit
B. Financial Audit
C. Integrated Audit
D. Forensic audit
Answer: C
Explanation: An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to...
Which of the following audits is mainly designed to evaluate the internal control structure in a given process or area?
A. Compliance Audit
B. Financial Audit
C. Operational Audit
D. Forensic audit
Answer: C
Explanation: Operational audit is mainly designed to evaluate the internal control structure in a given process...
What is an IS auditor’s BEST course of action if informed by a business unit’s representatives that they are too busy to cooperate with a scheduled audit?
A. Reschedule the audit for a time more convenient to the business unit.
B. Notify the chief audit executive who can negotiate with...