CISA: Certified Information Systems Auditor

Instructions:
  • Match each statement with the correct term.

1. To communicate security policies, procedures, and other security-related information to an organization's employees.
2. Change Management includes a _____________ of six steps: (1.) Proposal or Request (2.) Review (3.) Approval (4.) Implementation (5.) Verification (6.) Post-change Review
3. Focuses on: post-event recovery and restoration of services
4. Use of a set of monitoring and review activities that confirm whether IS operations is providing service to its customers.
5. An external IS auditor has discovered a _______________________. The external auditor can only document the finding in the audit report; an external auditor is not in a position to implement controls.
6. The portion of IT management that tracks the financial value of IT services that support organizational objectives. It includes 4 activities: (1.) Budgeting (2.) Capital Investment (3.) Expense Management (4.) Project accounting and project ROI (Ret
7. (1.) Statistical (2.) Judgmental (3.) Attribute (4.) Variable (5.) Stop-or-Go (6.) Discovery (7.) Stratified
8. (1.) Physical (2.) Technical (3.) Administrative
9. ____________________ of the hot site is the most important consideration for site selection. If the two sites are too close together, a single event may involve both locations.
10. Used to translate or transform data from lower layers into formats that the application layer can work with.
11. (1.) Developers (2.) Architects (3.) Analysts (4.) Users
12. The inventory of all in-scope business processes and systems
13. Used for several types of system changes: (1.) Incident and problem resolution (bug fixes) (2.) Enhancements (new functionality) (3.) Subsystem patches and changes (these require testing similar to that performed when changes are made to the application itself)
14. External auditors are needed under these conditions: (1.) When the organization ________________________. (2.) Some regulations and standards require external, independent auditors.
15. The risk that a material error exists that will not be prevented or detected by the organization's control framework; the possibility that a process or procedure will be unable to prevent or deter serious errors and wrongdoing.
16. (1.) Monitoring (2.) Control Environment (3.) Risk Assessment and Control (4.) Information and Communication
17. (1.) IP (2.) ICMP (3.) RRC (Radio Resource Control) (4.) AppleTalk
18. Any event which is not part of the standard operation of service and which causes or may cause an interruption to or reduction in quality of that service. Includes THREE incident types: (1.) Service Outage (2.) Service Slowdown (3.) Software Bug
19. An organization is building a data center in an area frequented by power outages. The organization cannot tolerate power outages. The best _________________ solution is an electric generator and an uninterruptible power supply. The UPS responds to the
20. Used to control connections that are established between systems: (1.) TCP (2.) IPC (3.) SIP (Session Initiation Protocol) (4.) RPC (Remote Procedure Call) (5.) NetBIOS
21. A programmer is updating an application that saves passwords in plaintext. In this case, passwords should be stored in a _____. This makes it impossible for any person to retrieve a password, which could otherwise lead to account compromise.
22. A sampling technique used to permit sampling to stop at the earliest possible time. This technique is used when the auditor feels that there is a low risk or low rate of exceptions in the population.
23. The set of activities that is concerned with the ability of the organization to continue to provide services, primarily in the event that a natural or man-made disaster has occurred.
24. Delivery of packets from one station to another, on the same network or on different networks.
25. (1.) Access controls (2.) Encryption (3.) Audit logging
26. Who is responsible for imposing an IT governance model encompassing IT strategy, information security, and formal enterprise architectural mandates?
27. A sampling technique where at least one exception is sought in a population
28. (1.) TCP (2.) UDP
29. (1.) Executive Summary (2.) Framework (3.) Reporting to External Parties (4.) Evaluation Tools
30. IT Service Management is defined in ___________________ framework.
31. An alternate processing center that contains no information processing equipment.
32. A large number of loosely coupled computers that are used to solve a common task; they may be in close proximity to each other or scattered over a large geographical area.
33. (1.) MPLS (2.) SONET (3.) T-Carrier (4.) Frame Relay (5.) ISDN (6.) X.25
34. A computation of the variance of sample values from the sample mean. This is a measurement of the spread of values in a sample.
35. The IS auditor should act as a SME in the control self-assessment, but should not play a major role in the process.
36. (1.) Risk Mitigation (2.) Risk Avoidance (3.) Risk Transfer (4.) Risk Acceptance
37. The first major task in a disaster recovery or business continuity planning project.
38. The risk that an IS auditor will overlook errors or exceptions during an audit.
39. A sampling technique where items are chosen based upon the auditor's judgment, usually based on risk or materiality.
40. An auditor has discovered several errors in user account management: many terminated employees' computer accounts are still active. The best course of action: to improve the _________________ to reduce the number of exceptions. For a time, the proc
41. A condition that is the result of multiple incidents that exhibit common symptoms, e.g. a web application is displaying information incorrectly and many users have contacted the IT service desk.
42. Defines internal controls and provides guidance for assessing and improving internal control systems.
43. To measure organizational performance and effectiveness against strategic goals.
44. Used to measure the relative maturity of an organization and its processes.
45. Handle application processing
46. A sampling technique where items are chosen at random; each item has a statistically equal probability of being chosen.
47. To review and approve proposed changes to systems and infrastructure. This helps to reduce the risk of unintended events and unplanned downtime.
48. The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage, as the numeric inverse of the confidence coefficient.
49. Used to determine which business processes are the most critical, by ranking them in order of criticality.
50. An audit report usually includes the following 10 elements: (1.) Cover letter (2.) Introduction (3.) Summary (4.) Audit description (5.) _______________ (6.) Interviewees (7.) Evidence (8.) Explanation of sampling techniques (9.) Findings (10.) Recom