CISA Domain 1: Information Systems Auditing Process
25 Questions

1. A cybersecurity audit firm has completed a penetration test of an organization’s web application. The final report contains two findings that indicate the presence of two critical vulnerabilities. The organization disputes the findings because of the presence of compensating controls outside of the web application interface. How should the audit proceed?
2. An auditor is planning an audit of a financial planning application. Can the auditor rely on a recent penetration test of the application as a risk-based audit?
3. An auditor is auditing an organization’s system-hardening policy within its vulnerability management process. The auditor has examined the organization’s system-hardening standards and wants to examine the configuration of some of the production servers. What is the best method for the auditor to obtain evidence?
4. Which of the following is the best method for ensuring that an audit project can be completed on time?
5. An auditor has delivered a Sarbanes-Oxley audit report containing 12 exceptions to the audit client, who disagrees with the findings. The audit client is upset and is asking the auditor to remove any six findings from the report in exchange for a payment of $25,000. A review of the audit findings resulted in the confirmation that all 12 findings are valid. How should the auditor proceed?
6. An auditor has completed an audit, and the deliverable is ready to give to the audit client. What is the best method for delivering the audit report to the client?
7. An auditor is about to start an audit of a user account access request and fulfillment process. The audit covers a six-month period from January through June. The population contains 1,800 transactions. Which of the following sampling methodologies is best suited for this audit?
8. An organization processes payroll and expense reports in a SaaS-based environment for thousands of corporate customers. Those customers want assurance that the organization’s processes are effective. What kind of audit should the organization undertake?
9. An external auditor is auditing an organization’s third-party risk management (TPRM) process. The auditor has observed that the organization has developed an ISO-based questionnaire that is sent to all third-party service providers annually. What value-added remarks can the auditor provide?
10. Which of the following is true about the ISACA Audit Standards and Audit Guidelines?
11. An auditor is auditing an organization’s user account request and fulfillment process. What is the first type of evidence collection the auditor will likely want to examine?
12. Why are preventive controls preferred over detective controls?
13. A QSA auditor in an audit firm has completed a PCI-DSS audit of a client and has found the client to be noncompliant with one or more PCI-DSS controls. Management in the audit firm has asked the QSA auditor to sign off on the audit as compliant, arguing that the client’s level of compliance has improved from prior years. What should the QSA auditor do?
14. An organization uses an automated workflow process for request, review, approval, and provisioning of user accounts. Anyone in the organization can request access. Specific persons are assigned to the review and approval steps. Provisioning is automated. What kind of control is the separation of duties between the review and approval steps?
15. An organization processes payroll and expense reports in a SaaS-based environment for thousands of corporate customers. Those customers want assurance that the organization’s processes are effective. What kind of audit should the organization undertake?
16. A QSA (PCI) audit firm has been commissioned by a large merchant organization to perform a PCI-DSS report on compliance (ROC). The audit firm has noted that the merchant’s compliance deadline is less than one month away. What should the audit firm do next?
17. An auditor is auditing an organization’s personnel onboarding process and is examining the background check process. The auditor is mainly interested in whether background checks are performed for all personnel and whether background check results lead to no-hire decisions. Which of the following evidence collection techniques will support this audit objective?
18. An audit firm is planning an audit of an organization’s asset management records. For what reason would the auditor request a copy of the entire asset database from the DBA versus a report of assets from the owner of the asset process?
19. An auditor is auditing an accounts payable process and has discovered that a single individual has requested and also approved several payments to vendors. What kind of an issue has the auditor found?
20. Which of the following audit types is appropriate for a financial services provider such as a payroll service?
21. An external audit firm is performing an audit of a customer’s financial accounting processes and IT systems. While examining a data storage system’s user access permissions, the staff auditor has discovered the presence of illegal content. What should the staff auditor do next?
22. An auditor is auditing the payment systems for a retail store chain that has 80 stores in the region. The auditor needs to observe and take samples from some of the stores’ systems. The audit client has selected two stores that are located in the same city as the store chain headquarters and two stores in a nearby town. How should the audit of the store locations proceed?
23. As a part of an audit of a business process, the auditor has had a discussion with the control owner, as well as the control operators, and has collected procedure documents and records. The auditor is asking internal customers of the business process to describe in their own words how the business process is operated. What kind of evidence collection are these discussions with internal customers?
24. Which of the following methods is best suited for an auditee to deliver evidence to an auditor during the audit of a background check process?
25. The capability wherein a server is constituted from backup media is known as which type of control?