Test your basic knowledge | CISA: Certified Information Systems Auditor
Subjects: certifications, cisa, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. (1.) Physical (2.) Technical (3.) Administrative
OSI Layer 6: Presentation
Options for Risk Treatment
The two Categories of Controls
Three Types of Controls
2. Subjective sampling is used when the auditor wants to _________________________.
The 4-item focus of a Balanced Scorecard
Background checks performed
Application Controls
Concentrate on samples known to represent high risk
3. A representation of how closely a sample represents an entire population.
A Forensic Audit
Split custody
Precision means
The 7 phases and their order in the SDLC
4. Disasters are generally grouped in terms of type: ______________.
ITIL definition of PROBLEM
The Eight Types of Audits
(1.) Man-made (2.) Natural
Emergency Changes
5. (1.) Developers (2.) Architects (3.) Analysts (4.) Users
Capability Maturity Model Integration (CMMI)
Rating Scale for Process Maturity
Project Management Strategies
Personnel involved in the requirements phase of a software development project
6. (1.) Executive Support (2.) Well-defined roles and responsibilities.
Types of sampling an auditor can perform.
Information security policy
Input validation checking
Control Risk
7. Contains programs that communicate directly with the end user.
OSI Layer 7: Application
ITIL definition of CHANGE MANAGEMENT
List of systems examined
Server cluster
8. (1.) Link (2.) Internet (3.) Transport (4.) Application
TCP/IP Network Model
Vulnerability in the organization's PBX
Assess the maturity of its business processes
The 7 phases and their order in the SDLC
9. What activity involves the identification of potential risk and the appropriate response for each threat based on impact assessment using qualitative and/or quantitative measures for an enterprise-wide risk management strategy?
Deming Cycle
A Financial Audit
Risk Management
Primary security features of relational databases
10. The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage - as the numeric inverse of the confidence coefficient.
Blade Computer Architecture
Categories of risk treatment
Sampling Risk
TCP/IP Network Model
11. An auditor is examining a key management process and has found that the IT department is not following its split-custody procedure. As a result - Someone may be in possession of the _________________.
The Release process
Entire password for an encryption key
Tolerable Error Rate
Statement of Impact
12. An auditor has reviewed access privileges of some employees and has discovered that employees with longer terms of service have excessive privileges. This means User privileges are not being removed from their old position when they transfer to a new
Resource details
Foreign Key
Employees with excessive privileges
Expected Error Rate
13. Requires that a password be broken into two or more parts - with each part in the possession of a separate person.
Hash
Categories of risk treatment
Server cluster
Split custody
14. (1.) LAN protocols (2.) 802.11 MAC/LLC (WiFi) (3.) Common Carrier packet networks (4.) ARP (5.) PPP and SLIP (6.) Tunneling - PPTP - L2TP
Data Link Layer Standards
An Operational Audit
TCP/IP Transport Layer packet delivery
Project change request
15. Framework for auditing and measuring IT Service Management Processes.
Business Realization
ITIL definition of CHANGE MANAGEMENT
Capability Maturity Model Integration (CMMI)
ISO 20000 Standard:
16. Concerns the reliability of data transfer between systems. (1.) Connection Oriented (2.) Guaranteed Delivery (3.) Order of Delivery
OSI: Transport Layer
OSI Layer 5: Session
Emergency Changes
Expected Error Rate
17. An audit of an accounting system - accounting department processes - and procedures to determine if business controls are sufficient to ensure the integrity of financial statements.
The Eight Types of Audits
The availability of IT systems
A Financial Audit
Stratified Sampling
18. The probability that a sample selected actually represents the entire population. This is usually expressed as a percentage.
The two Categories of Controls
Change management
OSI: Data Link Layer
Confidence coefficient
19. (1.) Reliable delivery (2.) Connection oriented (persistent connection) (3.) Order of Delivery (4.) Flow Control (transfer rate is throttled) (5.) Port Number
To identify the tasks that are responsible for project delays
TCP/IP Transport Layer packet delivery
A Sample Mean
IT Strategy
20. Consists of 11 distinct activities: (1.) Service Desk (2.) Incident Management (3.) Problem Management (4.) Change Management (5.) Configuration Management (6.) Release Management (7.) Service-level Management (8.) Financial Management (9.) Capacity
IT Service Management
OSI Layer 5: Session
A Problem
Personnel involved in the requirements phase of a software development project
21. (1.) Authentication (2.) Authorization (3.) Change Management (4.) Completeness checks (5.) Validation checks (6.) Input controls (7.) Output controls (8.) Problem management (9.) Identification/access controls
Emergency Changes
Examples of Application Controls
Security Awareness program
Categories of risk treatment
22. Used to translate or transform data from lower layers into formats that the application layer can work with.
Sampling Risk
ISO 20000 Standard:
OSI Layer 6: Presentation
Hash
23. (1.) Monitoring (2.) Control Environment (3.) Risk Assessment and Control (4.) Information and Communication
The Steering Committee
Buffers
OSI: Physical Layer
Elements of the COSO pyramid
24. The memory locations in the CPU where arithmetic values are stored.
objective and unbiased
TCP/IP Link Layer
Sample Standard Deviation
Registers
25. (1.) Executive Summary (2.) Framework (3.) Reporting to External Parties (4.) Evaluation Tools
Employee termination process
Control Unit
Cloud computing
Volumes of COSO framework
26. Must be tested to validate effectiveness through: (1.) Document Review (2.) Walkthrough (3.) Simulation (4.) Parallel testing (5.) Cutover testing practices
BCP Plans
Stay current with technology
Compliance Testing
OSI Layer 6: Presentation
27. An audit that combines an operational audit and a financial audit.
Categories of risk treatment
less than 24 hours
An Integrated Audit
Problem Management
28. A four-step quality control process known as PDSA - or PDCA. Steps: (1.) Plan (2.) Do (3.) Study (4.) Act
Business impact analysis
Deming Cycle
Cloud computing
General Controls
29. Focuses on: post-event recovery and restoration of services
Problem Management
Disaster Recovery
Types of sampling an auditor can perform.
Judgmental sampling
30. An organization has discovered that some of its employees have criminal records. The best course of action for the organization to take - The organization should have ___________________ on all of its existing employees and also begin instituting bac
Assess the maturity of its business processes
less than 24 hours
Buffers
Background checks performed
31. (1.) Operational (2.) Financial (3.) Integrated (4.) IS (5.) Administrative (6.) Compliance (7.) Forensic (8.) Service Provider
Personnel involved in the requirements phase of a software development project
The Eight Types of Audits
ITIL definition of CHANGE MANAGEMENT
Main types of Controls
32. A programmer is updating an application that saves passwords in plaintext. In this case - Passwords should be stored in a _____. This makes it impossible for any person to retrieve a password - which could lead to account compromise.
Examples of IT General Controls
The Internet Layer in the TCP/IP model
Hash
Blade Computer Architecture
33. A quantitative risk analysis is __________________ because: It is difficult to get accurate figures on the frequency of specific threats. It is difficult to determine the probability that a threat will be realized. It is relatively easy to determine
Discovery Sampling
Entire password for an encryption key
An Administrative
More difficult to perform
34. A field in a record in one table that can reference a primary key in another table.
Server cluster
Foreign Key
Substantive Testing
Variable Sampling
35. To measure organizational performance and effectiveness against strategic goals.
General Controls
Confidence coefficient
ITIL definition of CHANGE MANAGEMENT
Balanced Scorecard
36. (1.) Access controls (2.) Encryption (3.) Audit logging
Stratified Sampling
Frameworks
Overall audit risk
Primary security features of relational databases
37. The first major task in a disaster recovery or business continuity planning project.
The Business Process Life Cycle
OSI: Network Layer
Business impact analysis
Statistical Sampling
38. An organization wants to reduce the number of user IDs and passwords that its employees need to remember. The best available solution to this - _______________. This provides a single authentication service (such as LDAP or AD) that many applications
Reduced sign-on
Balanced Scorecard
Business Realization
Examples of Application Controls
39. (1.) General (2.) Application
Discovery Sampling
Sampling Risk
Main types of Controls
Types of sampling an auditor can perform.
40. (0.) No process at all (1.) Processes are ad hoc and disorganized (2.) Consistent processes (3.) Documented processes (4.) Measured and managed processes (5.) Processes are continuously improved
Background checks performed
Annualized Loss Expectancy (ALE)
Rating Scale for Process Maturity
Network Layer Protocols
41. The risk that a material error exists that will not be prevented or detected by the organization's control framework - The possibility that a process or procedure will be unable to prevent or deter serious errors and wrongdoing.
Sampling Risk
The two Categories of Controls
Control Risk
Stop-or-go Sampling
42. Delivery of packets from one station to another - on the same network or on different networks.
The Internet Layer in the TCP/IP model
Elements of the COSO pyramid
Service Continuity Management
Substantive Testing (test of transaction integrity)
43. To ensure that input values are within established ranges - of the correct character types - and free of harmful contents.
A Problem
Elements of the COSO pyramid
Input validation checking
The Eight Types of Audits
44. A sampling technique where items are chosen based upon the auditor's judgment - usually based on risk or materiality.
The two Categories of Controls
Advantages of outsourcing
Sampling Risk
Judgmental sampling
45. An audit of operational efficiency.
Input validation checking
Transport Layer Protocols
Business impact analysis
An Administrative
46. Used to schedule and sequence activities in a waterfall-type representation. Planned activities are shown flowing downward to completion. More simplistic than a PERT Diagram.
Gantt Chart
Compliance Testing
Three Types of Controls
A gate process
47. (1.) Objectives (2.) Components (3.) Business Units / Areas
Employees with excessive privileges
IT executives and the Board of Directors
The Eight Types of Audits
Dimensions of the COSO cube
48. Used to measure the relative maturity of an organization and its processes.
The 5 types of Evidence that the auditor will collect during an audit.
Dimensions of the COSO cube
Capability Maturity Model Integration (CMMI)
Capability Maturity Model
49. A large number of loosely coupled computers that are used to solve a common task may be in close proximity to each other or scattered over a large geographical area.
Service Continuity Management
Grid Computing
Application Layer protocols
A Server Cluster
50. Used to estimate the effort required to develop a software program.
CPU
BCP Plans
Separate administrative accounts
Function Point Analysis