An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward 10 those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

The number of users reporting receipt of the email to the information security team

The number of users deleting the email without reporting because it is a phishing email

The number of users clicking on the link to learn more about the sender of the email

The number of users forwarding the email to their business unit managers

The number of users reporting receipt of the email to the information security team

An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.

structured query language (SQL) injection

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Centralizing procedures and implementing change control

Developing and communicating test procedure best practices to audit teams

Developing and implementing an audit data repository

Decentralizing procedures and Implementing periodic peer review

Centralizing procedures and implementing change control

During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective. Which of the following is the auditor's BEST action?

Re-perform the audit before changing the conclusion.

Explain to IT management that the new control will be evaluated during follow-up

Re-perform the audit before changing the conclusion.

Change the conclusion based on evidence provided by IT management.

Add comments about the action taken by IT management in the report.

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Interviewing senior IT management

Which of the following BEST Indicates that an incident management process is effective?

Decreased time for incident resolution

Increased number of incidents reviewed by IT management

Decreased number of calls lo the help desk

Increased number of reported critical incidents

Which of the following is an example of a preventative control in an accounts payable system?

The system only allows payments to vendors who are included In the system's master vendor list.

Backups of the system and its data are performed on a nightly basis and tested periodically.

The system produces daily payment summary reports that staff use to compare against invoice totals.

Policies and procedures are clearly communicated to all members of the accounts payable department

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

well understood by all employees.

An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor's PRIMARY concern?

A single point of failure for both voice and data communications

Inability to use virtual private networks (VPNs) for internal traffic

Lack of integration of voice and data communications

Voice quality degradation due to packet toss

Which of the following is a detective control?

Programmed edit checks for data entry

Use of pass cards to gain access to physical facilities

Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?

Business stakeholders are Involved In approving the IT strategy.

IT strategies are communicated to all Business stakeholders

Organizational strategies are communicated to the chief information officer (CIO).

Business stakeholders are Involved In approving the IT strategy.

The chief information officer (CIO) is involved In approving the organizational strategies

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

Reviewing a sample of system-generated backup logs

Observing the execution of a daily backup run

Evaluating the backup policies and procedures

Interviewing key personnel evolved In the backup process

Reviewing a sample of system-generated backup logs

Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm tor potential software vulnerabilities?

Antivirus software has been implemented on the guest operating system only.

Guest operating systems are updated monthly

The hypervisor is updated quarterly.

A variety of guest operating systems operate on one virtual server

Antivirus software has been implemented on the guest operating system only.

An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

The exact definition of the service levels and their measurement

The alerting and measurement process on the application servers

The actual availability of the servers as part of a substantive test

The regular performance-reporting documentation

During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?

Perform a review of terminated users' account activity

Perform substantive testing of terminated users' access rights.

Perform a review of terminated users' account activity

Communicate risks to the application owner.

Conclude that IT general controls ate ineffective.

An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?

Implement an acceptable use policy

Conduct security awareness training.

Implement an acceptable use policy

Create inventory records of personal devices

Configure users on the mobile device management (MDM) solution

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

Recent third-party IS audit reports

Sell-assessment reports of IT capability and maturity

IT performance benchmarking reports with competitors

Recent third-party IS audit reports

Current and previous internal IS audit reports

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern Is that:

a dear business case has been established.

the implementation plan meets user requirements.

a full, visible audit trail will be Included.

a dear business case has been established.

the new hardware meets established security standards

During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements Which of the following is the BEST way to obtain this assurance?

Re-perform the calculation with audit software

Review the source code related to the calculation

Re-perform the calculation with audit software

Inspect user acceptance lest (UAT) results

An organization has developed mature risk management practices that are followed across all departments What is the MOST effective way for the audit team to leverage this risk management maturity?

Integrating the risk register for audit planning purposes

Implementing risk responses on management's behalf

Integrating the risk register for audit planning purposes

Providing assurances to management regarding risk

Facilitating audit risk identification and evaluation workshops

During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

Gather evidence to analyze senior management's objections

Revise the assessment based on senior management's objections.

Escalate the issue to audit management.

Finalize the draft audit report without changes.

Gather evidence to analyze senior management's objections

Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?

Information security program plans

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

The network traffic was being monitored.

The domain controller was classified for high availability.

An IS auditor Is reviewing a recent security incident and is seeking information about me approval of a recent modification to a database system's security settings Where would the auditor MOST likely find this information?

System event correlation report

Security incident and event management (SIEM) report

Which of the following security risks can be reduced by a property configured network firewall?

Denial of service (DoS) attacks

Which of the following will MOST likely compromise the control provided By a digital signature created using RSA encryption?

Obtaining the sender's private key

Reversing the hash function using the digest

Deciphering the receiver's public key

Obtaining the sender's private key

Which of the following is the BEST reason for an organization to use clustering?

To decrease system response time

To Improve the recovery lime objective (RTO)

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Logs are being collected in a separate protected host

Automated alerts are being sent when a risk is detected

Insider attacks are being controlled

Access to configuration files Is restricted.

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

The organization's systems inventory is kept up to date.

Vulnerability scanning results are reported to the CISO.

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

Access to the vulnerability scanning tool is periodically reviewed

Which of the following is MOST important for an IS auditor to consider when performing the risk assessment poor to an audit engagement?

The results of the previous audit

Industry standards and best practices

The results of the previous audit

The amount of time since the previous audit

An IS auditor should ensure that an application's audit trail:

does not impact operational efficiency

Which of the following business continuity activities prioritizes the recovery of critical functions?

Business continuity plan (BCP) testing

Disaster recovery plan (DRP) testing

Capacity management enables organizations to:

identify the extent to which components need to be upgraded

establish the capacity of network communication links

identify the extent to which components need to be upgraded

determine business transaction volumes.

The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?

Determine where delays have occurred

Assign additional resources to supplement the audit

Escalate to the audit committee

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

the access rights that have been granted.

the access control system's log settings.

how the latest system changes were implemented.

the access control system's configuration.

the access rights that have been granted.

Isaca CISA Practice Test 5 - Free Online Exam Prep & Questions

Question 1 / 40

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

firewall standards.

configuration of the firewall

firmware version of the firewall

location of the firewall within the network

Comment (0)

Isaca CISA Practice Test 5

Question

Isaca CISA Practice Tests

Practice Tests