Text preview & study summary

ISACA CISA - Certified Information Systems Auditor - IS Audit IT Governance Systems Acquisition Operations Asset Protection

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

During a systems acquisition audit, an IS auditor reviews a vendor selection process for a new HR information system. The organization selected the most expensive vendor without formal evaluation criteria. What governance concern does this raise?

Answer choices

  • A. The most expensive solution is usually the best — no audit concern is raised

  • B. The selection process lacked formal evaluation criteria, scoring methodology, and documented decision rationale — this raises concerns about objectivity, potential bias/conflict of interest, and whether the selected solution best meets organizational needs (Correct)

  • C. IT should always select the least expensive solution that meets minimum requirements

  • D. Vendor selection should always be performed by the business, not IT

Explanation

IT procurement governance requires: (1) formal RFP/RFQ process with defined requirements, (2) objective evaluation criteria and scoring methodology applied consistently to all vendors, (3) documented scoring results and decision rationale, (4) conflict of interest declarations by evaluators, (5) appropriate approval authority based on contract value. Without these, the selection may reflect personal preferences, undisclosed relationships, or inappropriate incentives. The IS auditor looks for evidence of a fair, documented process. The "most expensive" being selected isn't inherently wrong — it could score highest on evaluation criteria — but without the documented process, the auditor cannot verify objectivity.

Question 2

An IS auditor is assessing the reliability of computer-generated reports used for financial reporting. What procedure provides the MOST assurance that the reports accurately reflect the underlying data?

Answer choices

  • A. Verify that the report printing process executes without error messages

  • B. Test the report logic by tracing a sample of transactions from source data through the processing logic to the final report output, verifying each step — this is called "end-to-end" testing (Correct)

  • C. Confirm that management reviews and signs off on the reports before submission

  • D. Verify that the reporting system has been certified by the software vendor

Explanation

Report reliability testing (tracing transactions end-to-end) is the most reliable audit procedure for computer-generated reports. The process: (1) select a sample of transactions from source systems, (2) trace through all processing steps (extract, transform, load/calculate), (3) compare to report output. This verifies that the report logic correctly captures, processes, and presents data. Automated processing introduces risks: incorrect formulas, data truncation, rounding errors, and misclassification. Management sign-off (option C) doesn't verify technical accuracy — management typically trusts the system output. Vendor certification (option D) doesn't verify the organization's specific configuration and data.

Question 3

An IS auditor is performing a compliance audit against GDPR requirements. The organization processes EU citizen personal data. Which finding is MOST SIGNIFICANT?

Answer choices

  • A. The privacy policy on the website is written at a graduate reading level rather than plain language

  • B. The organization has no documented legal basis for processing personal data, no records of processing activities (ROPA), and has never responded to a data subject access request (DSAR) (Correct)

  • C. Cookie consent banners don't include the company's DPO contact information

  • D. The privacy policy was last updated 14 months ago instead of annually

Explanation

The most serious GDPR compliance failures are fundamental requirements: (1) Legal basis for processing (Article 6) — every processing activity must have a documented lawful basis (consent, contract, legal obligation, etc.), (2) Records of Processing Activities (Article 30) — organizations must maintain detailed records of all processing, (3) Data Subject Rights (Articles 15-22) — failure to respond to DSARs is a direct violation with potential fines up to €20M or 4% of global turnover. These are core GDPR compliance requirements whose absence represents fundamental non-compliance, as opposed to best practice improvements (reading level, DPO contact in cookies, update frequency).

Question 4

During a pre-implementation audit of a new ERP system, an IS auditor identifies that the vendor will have remote maintenance access using a single shared administrator account. What segregation of duties concern does this create?

Answer choices

  • A. The shared account has too many characters in the username

  • B. Shared accounts prevent individual accountability — activities performed under shared credentials cannot be attributed to specific vendor personnel, eliminating auditability and accountability for privileged actions (Correct)

  • C. The ERP vendor should not have administrator access at all

  • D. Remote access should require VPN but the type of VPN is not specified

Explanation

Shared accounts are a fundamental control deficiency because: (1) no individual accountability — if a change or incident occurs, you cannot determine which specific vendor employee performed it, (2) credential management — sharing credentials creates distribution/security challenges, (3) audit trail gaps — logs show "vendor-admin" not a specific individual, making forensic investigation difficult. Required controls: individual named accounts for each vendor technician with MFA, session recording, just-in-time access provisioning, and least-privilege access. Contractually require the vendor to maintain their own access management policies.

Question 5

During an access control audit, an IS auditor reviews user access to the financial system and finds 45 accounts belong to employees who left the organization between 6 and 18 months ago. What is the MOST significant risk?

Answer choices

  • A. The system storage is wasted by inactive accounts

  • B. Orphaned accounts represent a significant access control risk — they may still have valid credentials and could be used for unauthorized access or exploited by former employees or external attackers who obtain the credentials (Correct)

  • C. Regulatory non-compliance with username format standards

  • D. The IT department will have difficulty managing the excess accounts

Explanation

Orphaned/dormant accounts (accounts of separated employees not timely deprovisioned) are a critical access control risk. They represent: (1) insider threat — former employees with active credentials retaining access to sensitive systems, (2) external threat — attackers can use compromised orphaned credentials that nobody monitors, (3) compliance violation — most regulations (SOX, HIPAA, PCI DSS) require timely deprovisioning. This finding typically represents: a failure in the joiner-mover-leaver (JML) process, lack of HR-IT integration, and absence of periodic access reviews.