Text preview & study summary
ISACA CISA - Certified Information Systems Auditor - IS Audit IT Governance Systems Acquisition Operations Asset Protection
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
During a systems acquisition audit, an IS auditor reviews a vendor selection process for a new HR information system. The organization selected the most expensive vendor without formal evaluation criteria. What governance concern does this raise?
Explanation
IT procurement governance requires: (1) formal RFP/RFQ process with defined requirements, (2) objective evaluation criteria and scoring methodology applied consistently to all vendors, (3) documented scoring results and decision rationale, (4) conflict of interest declarations by evaluators, (5) appropriate approval authority based on contract value. Without these, the selection may reflect personal preferences, undisclosed relationships, or inappropriate incentives. The IS auditor looks for evidence of a fair, documented process. The "most expensive" being selected isn't inherently wrong — it could score highest on evaluation criteria — but without the documented process, the auditor cannot verify objectivity.
Question 2
An IS auditor is assessing the reliability of computer-generated reports used for financial reporting. What procedure provides the MOST assurance that the reports accurately reflect the underlying data?
Explanation
Report reliability testing (tracing transactions end-to-end) is the most reliable audit procedure for computer-generated reports. The process: (1) select a sample of transactions from source systems, (2) trace through all processing steps (extract, transform, load/calculate), (3) compare to report output. This verifies that the report logic correctly captures, processes, and presents data. Automated processing introduces risks: incorrect formulas, data truncation, rounding errors, and misclassification. Management sign-off (option C) doesn't verify technical accuracy — management typically trusts the system output. Vendor certification (option D) doesn't verify the organization's specific configuration and data.
Question 3
An IS auditor is performing a compliance audit against GDPR requirements. The organization processes EU citizen personal data. Which finding is MOST SIGNIFICANT?
Explanation
The most serious GDPR compliance failures are fundamental requirements: (1) Legal basis for processing (Article 6) — every processing activity must have a documented lawful basis (consent, contract, legal obligation, etc.), (2) Records of Processing Activities (Article 30) — organizations must maintain detailed records of all processing, (3) Data Subject Rights (Articles 15-22) — failure to respond to DSARs is a direct violation with potential fines up to €20M or 4% of global turnover. These are core GDPR compliance requirements whose absence represents fundamental non-compliance, as opposed to best practice improvements (reading level, DPO contact in cookies, update frequency).
Question 4
During a pre-implementation audit of a new ERP system, an IS auditor identifies that the vendor will have remote maintenance access using a single shared administrator account. What segregation of duties concern does this create?
Explanation
Shared accounts are a fundamental control deficiency because: (1) no individual accountability — if a change or incident occurs, you cannot determine which specific vendor employee performed it, (2) credential management — sharing credentials creates distribution/security challenges, (3) audit trail gaps — logs show "vendor-admin" not a specific individual, making forensic investigation difficult. Required controls: individual named accounts for each vendor technician with MFA, session recording, just-in-time access provisioning, and least-privilege access. Contractually require the vendor to maintain their own access management policies.
Question 5
During an access control audit, an IS auditor reviews user access to the financial system and finds 45 accounts belong to employees who left the organization between 6 and 18 months ago. What is the MOST significant risk?
Explanation
Orphaned/dormant accounts (accounts of separated employees not timely deprovisioned) are a critical access control risk. They represent: (1) insider threat — former employees with active credentials retaining access to sensitive systems, (2) external threat — attackers can use compromised orphaned credentials that nobody monitors, (3) compliance violation — most regulations (SOX, HIPAA, PCI DSS) require timely deprovisioning. This finding typically represents: a failure in the joiner-mover-leaver (JML) process, lack of HR-IT integration, and absence of periodic access reviews.
