Test your basic knowledge |

CISA: Certified Information Systems Auditor

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. An audit of operational efficiency.






2. (1.) Monitoring (2.) Control Environment (3.) Risk Assessment and Control (4.) Information and Communication






3. A field in a record in one table that can reference a primary key in another table that can reference a primary key in another table.






4. (1.) General (2.) Application






5. A sampling technique where items are chosen at random; each item has a statistically equal probability of being chosen.






6. The risk that there are material weaknesses in existing business processes and no compensating controls to detect or prevent them






7. Use of a set of monitoring and review activities that confirm whether IS operations is providing service to its customers.






8. (1.) Reliable delivery (2.) Connection oriented (persistent connection) (3.) Order of Delivery (4.) Flow Control (transfer rate is throttled) (5.) Port Number






9. The inventory of all in-scope business processes and systems






10. IS auditors can _____________________ through the following means: (1.) training courses (2.) webinars (3.) ISACA chapter training events (4.) Industry conferences






11. The primary source for test plans in a software development project is: ________________ that are developed for a project should be the primary source for detailed tests.






12. PERT: shows the ______________ critical path.






13. An organization has discovered that some of its employees have criminal records. The best course of action for the organization to take - The organization should have ___________________ on all of its existing employees and also begin instituting bac






14. External auditors are needed under these conditions: (1.) When the organization ________________________. (2.) Some regulations and standards require external - independent auditors






15. (1.) Executive Summary (2.) Framework (3.) Reporting to External Parties (4.) Evaluation Tools






16. The highest number of errors that can exist without a result being materially misstated.






17. Used for several types of system changes: (1.) Incidents and problem resolution (bug fixes.) (2.) Enhancements (new functionality.) (3.) Subsystem patches and changes (require testing similar to when changes are made to the application itself.)






18. Application controls limit ___________ in three ways: (1.) Point of Entry (Input Controls) (2.) During consumption (process controls) (3.) At the point of expression (Output Controls)






19. IT Service Management is defined in ___________________ framework.






20. (1.) Develop a BC Policy (2.) Conduct BIA (3.) Perform critical analysis (4.) Establish recovery targets (5.) Develop recovery and continuity strategies and plans (6.) Test recovery and continuity plans and procedures Train personnel Maintain strateg






21. A computation of the variance of sample values from the sample mean. This is a measurement of the spread of values in a sample






22. The annual expected loss to an asset. It is calculated as the single loss expectancy (SLE) X the annualized rate of occurrence (ARO.)






23. Framework for auditing and measuring IT Service Management Processes.






24. Change Management includes a _____________ of six steps: (1.) Proposal or Request (2.) Review (3.) Approval (4.) Implementation (5.) Verification (6.) Post-change Review






25. IT Governance is most concerned with ________.






26. Used to translate or transform data from lower layers into formats that the application layer can work with.






27. Outsourcing is an opportunity for the organization to focus on core competencies. When an organization oursources a business function - it no longer needs to be concerned about training employees in that function. Outsources does not always reduce co






28. The IS auditor should conduct a risk assessment first to determine which areas have highest risk. She should devote more testing resources to those high-risk areas.






29. When several incidents have occurred that appear to have the same or a similar root cause - a PROBLEM is occurring.






30. Consists of 11 distinct activities: (1.) Service Desk (2.) Incident Management (3.) Problem Management (4.) Change Management (5.) Configuration Management (6.) Release Management (7.) Service-level Management (8.) Financial Management (9.) Capacity






31. Concerns the reliability of data transfer between systems. (1.) Connection Oriented (2.) Guaranteed Delivery (3.) Order of Delivery






32. Consists of main chassis component that is equipped with slots are fitted with individual cpu modules. Main advantage is lower cost per unit.






33. Used to measure the relative maturity of an organization and its processes.






34. A technique that is used to select a portion of a population when it is not feasible to test an entire population.






35. Should include 4 steps: (1.) Emergency Approval (2.) Implementation (3.) Verification (4.) Review






36. (1.) Requirements (2.) Design (3.) Development (4.) Testing (5.) Release preparation (packaging) (6.) Release Deployment






37. (1.) Observations (2.) Written Notes (3.) Correspondence (4.) Process and Procedure documentation (5.) Business records






38. An audit of IS controls - security controls - or business controls to determine control existence and effectiveness.






39. (1.) Access controls (2.) Encryption (3.) Audit logging






40. A quantitative risk analysis is __________________ because: It is difficult to get accurate figures on the frequency of specific threats. It is difficult to determine the probability that a threat will be realized. It is relatively easy to determine






41. A database administrator has been asked to configure a database management system so that it records all changes made by users - The DBA should implement ___________. This will cause the database to record every change that is made to it.






42. To review and approve proposed changes to systems and infrastructure. This helps to reduce the risk of unintended events and unplanned downtime.






43. A Fire sprinkler system has water in its pipes - and sprinkler heads emit water only if the ambient temperature reaches 220 deg. F. This is a ________________. The system is charged with water and will discharge water out of any sprinkler head whose






44. An audit that combines an operational audit and a financial audit.






45. To measure organizational performance and effectiveness against strategic goals.






46. Disasters are generally grouped in terms of type: ______________.






47. An organization wants to reduce the number of user IDs and passwords that its employees need to remember. The best available solution to this - _______________. This provides a single authentication service (such as LDAP or AD) that many applications






48. A critical application is backed up once per day. The recovery point objective (RPO) for an application that is backed up once per day cannot be ________.






49. (1.) Authentication (2.) Authorization (3.) Change Management (4.) Completeness checks (5.) Validation checks (6.) Input controls (7.) Output controls (8.) Problem management (9.) Identification/access controls






50. Used to control connections that are established between systems (1.) TCP (2.) IPC (3.) SIP (Session Initiation Protocol) (4.) RPC (Remote Procedure Call) (5.) NetBIOS