Test your basic knowledge |

CISA: Certified Information Systems Auditor

Subjects : certifications, cisa, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. A quantitative risk analysis is __________________ because: It is difficult to get accurate figures on the frequency of specific threats. It is difficult to determine the probability that a threat will be realized. It is relatively easy to determine
Referential Integrity
Sample Standard Deviation
Service Continuity Management
More difficult to perform

2. Defines internal controls and provides guidance for assessing and improving internal control systems.
Prblem Management
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
The two Categories of Controls
Release management

3. When several incidents have occurred that appear to have the same or a similar root cause - a PROBLEM is occurring.
The best approach for identifying high risk areas for an audit
Examples of Application Controls
Database primary key
Prblem Management

4. IT Governance is most concerned with ________.
Incident Management
IT Strategy
Power system controls
Business Realization

5. An audit of an accounting system - accounting department processes - and procedures to determine if business controls are sufficient to ensure the integrity of financial statements.
Tolerable Error Rate
A Financial Audit
The Release process
The BCP process

6. An active - instance of a server operating system running on a machine that is designed to house two or more such virtual servers.
The first step in a business impact analysis
Registers
A Virtual Server
Assess the maturity of its business processes

7. Outsourcing is an opportunity for the organization to focus on core competencies. When an organization oursources a business function - it no longer needs to be concerned about training employees in that function. Outsources does not always reduce co
Elements of the COSO pyramid
Risk Management
Advantages of outsourcing
Controls

8. The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage - as the numeric inverse of the confidence coefficient.
Sampling Risk
Employees with excessive privileges
Testing activities
Input validation checking

9. (1.) Link (2.) Internet (3.) Transport (4.) Application
Assess the maturity of its business processes
Insourcing
TCP/IP Network Model
Application Layer protocols

10. The maximum period of downtime for a process or application
CPU
Main types of Controls
Recovery time objective
The 7 phases and their order in the SDLC

11. The set of activities that is concerned with the ability of the organization to continue to provide services - primarily in the event that a natural or man made disaster has occurred.
Service Continuity Management
Tolerable Error Rate
Documentation and interview personnel
OSI: Network Layer

12. A sampling technique used to study the characteristics of a population to determine the numeric total of a specific attribute from the entire population.
Split custody
A Cold Site
Variable Sampling
Segregation of duties issue in a high value process

13. Any event which is not part of the standard operation of service and which causes or may cause an interruption to or reduction in quality of that service. Includes THREE incident types: (1.) Service Outage (2.) Service Slowdown (3.) Software Bug
The Software Program Library
Resource details
Main types of Controls
Incident Management

14. An audit of a third-party organization that provides services to other organizations.
Employee termination process
A Service Provider audit
A Virtual Server
SDLC Phases

15. Information is arranged in frames and transported across the medium. Collision detection. Checksum verification of delivery.
The availability of IT systems
OSI: Data Link Layer
Sampling Risk
TCP/IP Transport Layer

16. A large number of loosely coupled computers that are used to solve a common task may be in close proximity to each other or scattered over a large geographical area.
Grid Computing
Inform the auditee
Vulnerability in the organization's PBX
OSI: Data Link Layer

17. (1.) TCP (2.) UDP
Documentation and interview personnel
Confidence coefficient
Transport Layer Protocols
Detection Risk

18. A representation of how closely a sample represents an entire population.
Precision means
Business impact analysis
The Business Process Life Cycle
The Release process

19. An organization is building a data center in an area frequented by power outages. The organization cannot tolerate power outages. The best _________________solution is an electric generator and an uninterruptible power supply. The UPS responds to the
Antivirus software on the email servers
The appropriate role of an IS auditor in a control self-assessment
An IS audit
Power system controls

20. The annual expected loss to an asset. It is calculated as the single loss expectancy (SLE) X the annualized rate of occurrence (ARO.)
Examples of Application Controls
Service Continuity Management
Annualized Loss Expectance (ALE)
Separate administrative accounts

21. (1.) MPLS (2.) SONET (3.) T-Carrier (4.) Frame Relay (5.) ISDN (6.) X.25
Notify the Audit Committee
Power system controls
Examples of Application Controls
WAN Protocols

22. An external IS auditor has discovered a _______________________ - The external auditor can only document the finding in the audit report. An external auditor is not in a position to implement controls.
Blade Computer Architecture
The Requirements
Segregation of duties issue in a high value process
IT Services Financial Management

23. (1.) Developers (2.) Architects (3.) Analysts (4.) Users
Personnel involved in the requirements phase of a software development project
The 5 types of Evidence that the auditor will collect during an audit.
OSI Layer 5: Session
Stop-or-go Sampling

24. The means by which management establishes and measures processes by which organizational objectives are achieved
Controls
Dimensions of the COSO cube
A Cold Site
Rating Scale for Process Maturity

25. The process of recording the configuration of IT systems. Each configuration setting is known in ITSM parlance as a Configuration Item.
TCP/IP Link Layer
Configuration Management
Tolerable Error Rate
Capability Maturity Model

26. A collection of two or more servers that is designed to appear as a single server.
IT Services Financial Management
Server cluster
An Administrative
The appropriate role of an IS auditor in a control self-assessment

27. Concerned with electrical and physical specifications for devices. No frames or packets involved.
OSI: Physical Layer
Separate administrative accounts
objective and unbiased
Dimensions of the COSO cube

28. The IS auditor should conduct a risk assessment first to determine which areas have highest risk. She should devote more testing resources to those high-risk areas.
Power system controls
Grid Computing
The best approach for identifying high risk areas for an audit
Elements of the COSO pyramid

29. The first major task in a disaster recovery or business continuity planning project.
An Integrated Audit
List of systems examined
Business impact analysis
General Controls

30. Consists of 11 distinct activities: (1.) Service Desk (2.) Incident Management (3.) Problem Management (4.) Change Management (5.) Configuration Management (6.) Release Management (7.) Service-level Management (8.) Financial Management (9.) Capacity
IT Service Management
Three Types of Controls
Business Continuity
Entire password for an encryption key

31. A technique that is used to select a portion of a population when it is not feasible to test an entire population.
Sampling Risk
OSI: Physical Layer
Sampling
Deming Cycle

32. (1.) Objectives (2.) Components (3.) Business Units / Areas
The appropriate role of an IS auditor in a control self-assessment
Balanced Scorecard
OSI: Network Layer
Dimensions of the COSO cube

33. The purpose of an auditor doing interviews - To observe personnel to better understand their discipline - as well as ______________.
Tolerable Error Rate
Buffers
Organizational culture and maturity
TCP/IP Internet Layer

34. A sampling technique where items are chosen based upon the auditor's judgment - usually based on risk or materiality.
Service Level Management
Judgmental sampling
Discovery Sampling
Control Risk

35. What type of testing is performed to verify the accuracy and integrity of transactions as they flow through a system?
Elements of the COSO pyramid
Substantive Testing
An Integrated Audit
Stratified Sampling

36. Who is responsible for imposing an IT governance model encompassing IT strategy - information security - and formal enterprise architectural mandates?
IT executives and the Board of Directors
A Sample Mean
OSI: Transport Layer
Testing activities

37. Risk Mitigation Risk Avoidance Risk Transfer Risk Acceptance
Options for Risk Treatment
Data Link Layer Standards
IT executives and the Board of Directors
The BCP process

38. Used to translate or transform data from lower layers into formats that the application layer can work with.
Overall audit risk
OSI Layer 6: Presentation
A Cold Site
Resource details

39. (1.) Access controls (2.) Encryption (3.) Audit logging
Statistical Sampling
OSI Layer 6: Presentation
Employee termination process
Primary security features of relational databases

40. A critical application is backed up once per day. The recovery point objective (RPO) for an application that is backed up once per day cannot be ________.
SDLC Phases
less than 24 hours
Precision means
Project Management Strategies

41. Must be tested to validate effectiveness through: (1.) Document Review (2.) Walkthrough (3.) Simulation (4.) Parallel testing (5.) Cutover testing practices
Capability Maturity Model Integration (CMMI)
A Problem
BCP Plans
Criticality analysis

42. An organization experiences frequent malware infections on end-user workstations that are received through email - despite the tact that workstations have anti-virus software. To reducing malware - Implementing ________________ will provide an effect
The Business Process Life Cycle
The 7 phases and their order in the SDLC
Antivirus software on the email servers
Buffers

43. Handle application processing
Information security policy
TCP/IP Link Layer
Application Controls
Detection Risk

44. Consists of two main packet transport protocols: TCP and UDP.
TCP/IP Internet Layer
Stay current with technology
Statistical Sampling
TCP/IP Transport Layer

45. IT Service Management is defined in ___________________ framework.
The Eight Types of Audits
Security Awareness program
TCP/IP Transport Layer packet delivery
ITIL - IT Infrastructure Library

46. What three elements allow validation of business practices against acceptable measures of regulatory compliance - performance - and standard operational guidelines.
Referential Integrity
Prblem Management
(1.) Polices (2.) Procedures (3.) Standards
TCP/IP Link Layer

47. The memory locations in the CPU where arithmetic values are stored.
Business Realization
Registers
Insourcing
Transport Layer Protocols

48. An auditor has detected potential fraud while testing a control objective - He should ___________________. Because Audit committee members are generally not involved in business operations - they will be sufficiently remove from the matter - and they
(1.) Man-made (2.) Natural
Inherent Risk
Notify the Audit Committee
ISO 20000 Standard:

49. A tightly coupled collection of computers that are used to solve a common task. One or more actively perform tasks - while zero or more may be in a standby state.
TCP/IP Link Layer
Recovery time objective
Sampling
A Server Cluster

50. An audit of IS controls - security controls - or business controls to determine control existence and effectiveness.
An Operational Audit
Department Charters
Inform the auditee
Statistical Sampling