Test your basic knowledge |

CISA: Certified Information Systems Auditor

Subjects : certifications, cisa, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. (1.) Feasibility Study (2.) Definition of Requirements (3.) Design (4.) Development (5.) Testing (6.) Implementation (7.) Post-implementation phase
SDLC Phases
Antivirus software on the email servers
Categories of risk treatment
Risk Management

2. Collections of Controls that work together to achieve an entire range of an organization's objectives.
Data Link Layer Standards
Sample Standard Deviation
Frameworks
Information systems access

3. An audit that is performed in support of an anticipated or active legal proceeding.
Formal waterfall
Sampling
OSI Layer 7: Application
A Forensic Audit

4. The 5 types of risks that are related to audits include: (1.) Control Risk (2.) Detection Risk (3.) Inherent risk (4.) _____________ (5.) Sampling risk
Function Point Analysis
Overall audit risk
Concentrate on samples known to represent high risk
An Integrated Audit

5. Risk Mitigation Risk Avoidance Risk Transfer Risk Acceptance
OSI: Network Layer
PERT Diagram?
Options for Risk Treatment
Input validation checking

6. To measure organizational performance and effectiveness against strategic goals.
The Eight Types of Audits
Background checks performed
Balanced Scorecard
TCP/IP Internet Layer

7. (1.) Operational (2.) Financial (3.) Integrated (4.) IS (5.) Administrative (6.) Compliance (7.) Forensic (8.) Service Provider
TCP/IP Link Layer
ITIL definition of CHANGE MANAGEMENT
The Eight Types of Audits
Reduced sign-on

8. Subjective sampling is used when the auditor wants to _________________________.
A Forensic Audit
Statement of Impact
Resource details
Concentrate on samples known to represent high risk

9. (1.) Access controls (2.) Encryption (3.) Audit logging
Formal waterfall
Documentation and interview personnel
Three Types of Controls
Primary security features of relational databases

10. A field in a record in one table that can reference a primary key in another table that can reference a primary key in another table.
A Financial Audit
Foreign Key
Entire password for an encryption key
ITIL - IT Infrastructure Library

11. An audit to determine the level and degree of compliance to a law - regulation - standard - contract provision - or internal control.
(1.) Man-made (2.) Natural
OSI Layer 5: Session
A Compliance audit
less than 24 hours

12. Outsourcing is an opportunity for the organization to focus on core competencies. When an organization oursources a business function - it no longer needs to be concerned about training employees in that function. Outsources does not always reduce co
BCP Plans
The Software Program Library
Stratified Sampling
Advantages of outsourcing

13. Should include 4 steps: (1.) Emergency Approval (2.) Implementation (3.) Verification (4.) Review
Emergency Changes
IT standards are not being reviewed often enough
Change management
The Release process

14. Critical Path Methodology helps a project manager determine which activities are on a project's critical list - ________________________.
Power system controls
Variable Sampling
A Forensic Audit
To identify the tasks that are responsible for project delays

15. A facility that is used to store and manage access to an organization's application source and object code. It consists of 5 parts: (1.) Access and authorization controls (2.) Program checkout (3.) Program Check-in (4.) Version Control (5.) Code Ana
Hash
The Eight Types of Audits
CPU
The Software Program Library

16. An audit of IS controls - security controls - or business controls to determine control existence and effectiveness.
An Operational Audit
Geographic location
The Steering Committee
Disaster Recovery

17. Individual events may often create combined threats to enterprise operations: A tornado might also spawn ____________________.
Structural fires and transportation accidents
Business Realization
An Operational Audit
An Administrative

18. (1.) Statistical (2.) Judgmental (3.) Attribute (4.) Variable (5.) Stop-or-Go (6.) Discovery (7.) Stratified
Precision means
Types of sampling an auditor can perform.
Emergency Changes
Critical Path Methodology

19. A maturity model that represents the aggregations of other maturity models.
IT Strategy
The Release process
Capability Maturity Model Integration (CMMI)
Emergency Changes

20. An estimate that expresses the percent of errors or exceptions that may exist in an entire population
Primary security features of relational databases
Structural fires and transportation accidents
Expected Error Rate
Substantive Testing (test of transaction integrity)

21. A sampling technique used to study the characteristics of a population to determine the numeric total of a specific attribute from the entire population.
Change management
A Problem
Control Risk
Variable Sampling

22. (1.) Access Control (2.) Change Management (3.) Security Controls (4.) Incident Management (5.) SDLC (6.) Source code and versioning controls (7.) Monitoring and logging (8.) Event Management
Examples of IT General Controls
Security Awareness program
Referential Integrity
Employee termination process

23. Handle application processing
Separate administrative accounts
The Eight Types of Audits
Stay current with technology
Application Controls

24. (1.) Avoidance (2.) Transfer (3.) Mitigation (4.) Acceptance
Categories of risk treatment
Application Layer protocols
Business Realization
OSI Layer 5: Session

25. A sampling technique where a population is divided into classes or strata - based upon the value of one of the attributes. Samples are then selected from each class.
A Forensic Audit
Stratified Sampling
An IS audit
Business Realization

26. (1.) General (2.) Application
Testing activities
Main types of Controls
Judgmental sampling
Sample Standard Deviation

27. Governed by: (1.) Effective Change Management (2.) Effective Application Testing (3.) Resilient Architecture (4.) Serviceable Components
OSI: Network Layer
Project Management Strategies
Personnel involved in the requirements phase of a software development project
The availability of IT systems

28. Contains programs that communicate directly with the end user.
Concentrate on samples known to represent high risk
IT standards are not being reviewed often enough
OSI Layer 7: Application
Function Point Analysis

29. Deliver messages from one station to another on the same network or on different networks. Messaging at this layer is not guaranteed.
Sampling Risk
Hash
Project Management Strategies
TCP/IP Internet Layer

30. 1.) Executive Support (2.) Well-defined roles and responsibilities.
Insourcing
IT Services Financial Management
Application Controls
Information security policy

31. An IS auditor is examining the IT standards document for an organization that was last reviewed two years earlier. The best course of action for the IS auditor is: Report that the ____________________________. Two years is far too long between revie
A Compliance audit
OSI: Network Layer
Personnel involved in the requirements phase of a software development project
IT standards are not being reviewed often enough

32. An organization has discovered that some of its employees have criminal records. The best course of action for the organization to take - The organization should have ___________________ on all of its existing employees and also begin instituting bac
OSI Layer 6: Presentation
Background checks performed
Sampling
Cloud computing

33. A technique that is used to select a portion of a population when it is not feasible to test an entire population.
An Administrative
OSI Layer 5: Session
A gate process
Sampling

34. What three elements allow validation of business practices against acceptable measures of regulatory compliance - performance - and standard operational guidelines.
A Virtual Server
(1.) Polices (2.) Procedures (3.) Standards
A Service Provider audit
Volumes of COSO framework

35. Guide program execution through organization of resources and development of clear project objectives.
Six steps of the Release Management process
Capability Maturity Model Integration (CMMI)
Information systems access
Project Management Strategies

36. Used to schedule and sequence activities in a waterfall-type representation. Planned activities are shown flowing downward to completion. More simplistic than a PERT Diagram.
Three Types of Controls
Resource details
An IS audit
Gantt Chart

37. A sampling technique used to permit sampling to stop at the earliest possible time. This technique is used when the auditor feels that there is a low risk or low rate of exceptions in the population.
Deming Cycle
OSI: Data Link Layer
Stop-or-go Sampling
Network Layer Protocols

38. A database term - which means that the database will not permit a program (or user) to deleted rows from a table if there are records in other tables whose foreign keys reference the row to be deleted.
Substantive Testing (test of transaction integrity)
Referential Integrity
Sampling Risk
TCP/IP Transport Layer

39. The inventory of all in-scope business processes and systems
Service Continuity Management
An Administrative
Blade Computer Architecture
The first step in a business impact analysis

40. (1.) Automatic (2.) Manual
A Service Provider audit
The two Categories of Controls
Sampling
Criticality analysis

41. Consists of two main packet transport protocols: TCP and UDP.
Personnel involved in the requirements phase of a software development project
Project Management Strategies
Annualized Loss Expectance (ALE)
TCP/IP Transport Layer

42. (1.) Monitoring (2.) Control Environment (3.) Risk Assessment and Control (4.) Information and Communication
Prblem Management
The audit program
Elements of the COSO pyramid
ITIL definition of PROBLEM

43. The set of activities that is concerned with the ability of the organization to continue to provide services - primarily in the event that a natural or man made disaster has occurred.
The availability of IT systems
The BCP process
OSI: Data Link Layer
Service Continuity Management

44. (1.) Observations (2.) Written Notes (3.) Correspondence (4.) Process and Procedure documentation (5.) Business records
Detection Risk
Configuration Management
Criticality analysis
The 5 types of Evidence that the auditor will collect during an audit.

45. An audit of operational efficiency.
An Administrative
OSI Layer 7: Application
objective and unbiased
List of systems examined

46. (1.) Authentication (2.) Authorization (3.) Change Management (4.) Completeness checks (5.) Validation checks (6.) Input controls (7.) Output controls (8.) Problem management (9.) Identification/access controls
Information security policy
Examples of Application Controls
Resource details
Rating Scale for Process Maturity

47. The CPU has: (1.) Arithmetic Logic Unit (2.) ______________ (3.) a small amount of memory (usually in to form of registers)
Control Unit
Capability Maturity Model
Audit Methodologies
Notify the Audit Committee

48. A critical application is backed up once per day. The recovery point objective (RPO) for an application that is backed up once per day cannot be ________.
A Service Provider audit
less than 24 hours
Project change request
Critical Path Methodology

49. (1.) Utility (DNS - SNMP - DHCP (2.) Messaging protocols (SMTP) (3.) Data Transfer protocols (NFS - FTP) (4.) Interactive protocols (Telnet)
An Administrative
Application Layer protocols
A Forensic Audit
A Cold Site

50. A database administrator has been asked to configure a database management system so that it records all changes made by users - The DBA should implement ___________. This will cause the database to record every change that is made to it.
Audit logging
less than 24 hours
Emergency Changes
TCP/IP Internet Layer