If you intend to start a career in cybersecurity, you should begin with this practice test. If you miss any questions, explanations are provided.
- 15 questions in all. There is no time limit, so take your time. You need to score at least 70% to pass.
- You can retake the test at any time. We recommend you share it with friends too.
HD Quiz powered by harmonic design
#1. During an IT control review to support a financial statement audit, users of the general ledger (GL) complained to the IS auditor about the considerable delay in accessing data. The MOST appropriate action for the IS auditor is to
Understanding the root-cause of response-time issues is out of scope in the current audit. The impact of IT controls on the integrity of financial statements is the primary objective of audit, and thus, operational issues with the database should not be the primary focus of audit opinion. A reduction of throughput does not imply there is a control deficiency that may lead to misstatements in the financial accounts. Load balancing may not address the underlying cause in the reduction of throughput. The complaints should be substantiated before including in the management letter.
#2. The CISA is reviewing a Stores Purchase application. How are the purchase orders validated?
Testing access controls will help determine the purchase order validity.
#3. Which of these is the most effective control over a guest wireless ID given to the vendor staff?
A renewable user ID which expires daily would be a good control since it would ensure that wireless access is not used without authorization. While it is recommended to monitor vendor activities while vendor staff are on the system, this is a detective control and thus is not as strong as a preventive control. The user ID format does not change the overall security of either connection and thus this is not the correct answer. Controls related to the encryption of the wireless network are important; however, the access to that network is a more critical issue.
#4. A human resources (HR) company provides free wireless Internet access to its guests by authenticating with a generic user ID and password. Which of these controls BEST addresses the situation?
Changing the password for the wireless network does not secure against unauthorized access to the company network, especially since a guest could gain access to the wireless local area network (WLAN) at any time before the weekly password change. A stateful inspection firewall will screen all packets from the wireless network into the company network; however, the firewall configuration would need to be audited, and firewall compromises, although unlikely, are possible. Keeping the wireless network physically separate from the company network is the best way to secure the company network from intrusion. An IDS will detect intrusions but will not prevent unauthorized individuals from accessing the network.
#5. A CISA has found an inadequate policy definition for data and systems ownership during audit. What is the primary concern?
If there is no policy defining the responsibility for granting access to specific systems, system access can be gained without proper authorization. The authority to grant access to specific users must be documented.
#6. A CISA needs to appraise whether there have been unapproved program changes since the last software version was released. Which of the following audit techniques could be used?
Automated code comparison compares two versions of the same program to determine whether they match, so it is the most effective technique for detecting unapproved changes since the last release.
#7. IR teams fix a retention date on a file. This is to make sure the ____________.
A retention date is typically attached to a file to ensure that it is not overwritten before the date has elapsed.
#8. A CISA during an audit has found that employees are issued security tokens in addition to a personalized identification number (PIN) for access to the corporate virtual private network (VPN). What would be of primary concern to the auditor?
When users write their PIN on a slip of paper, anyone who obtains the token together with the slip can access the network.
#9. During a compliance audit of an organization, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by a supervisor would represent the BEST compensating control?
Computer logs will record the activities of individuals during their access to a computer system or data file and will record any abnormal activities, such as the modification or deletion of financial data. An audit trail of only the date and time of the transaction would not be sufficient to compensate for the risk of multiple functions being performed by the same individual. Review of the summary financial reports would not compensate for the segregation of duties issue. Supervisor review of user account administration would be a good control; however, it may not detect inappropriate activities.
#10. Why are IT control objectives useful to IS auditors?
An IT control objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity, and so it provides the actual objectives against which the auditor evaluates controls.
#11. When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software
Choice C refers to software that is not allowed by policy. Any software that is allowed should be part of a standard software list. This is the first thing to review, since it also indicates compliance with policies; noncompliance would result in IT and legal risks. The other options are important issues, but not as critical as unapproved software being installed on organization PCs.
#12. How will an IS auditor review the firewall and VPN permissions for an application that is retrieved through the Internet?
The auditor should perform and document a risk analysis to determine which firewall rules and VPN configuration settings present the highest risk, and include those in the audit scope. The risk analysis would consider aspects such as previous system reviews, related security incidents, and the resources available for the review.
#13. The CISA should review which of the below to gain an understanding of an organization's effectiveness in planning and managing IT investments?
The IT Balanced Scorecard is a tool that links IT objectives to business objectives by supplementing financial assessments with measures of customer satisfaction, internal processes, and the ability to innovate.
#14. An organization reviews key project deliverables prior to a project's closure, and decides to make a number of late changes in the project. The management observes these changes affect the achievement of the predefined goals. What controls should an IS auditor recommend to improve the project management process?
Periodic monitoring of project performance ensures that errors or variances related to budget, time, and resources are discovered early in the project execution phase, when the cost of making changes is lower than it is at closure (when the cost of making changes may increase). Standardizing the framework used for the project management process also aids in establishing effective project control as the activities and templates become customized, but this will not ensure that adequate performance monitoring is performed. Segmenting project activities into phases helps ensure ease of management, planning, and control; however, this will not ensure that the objective of each phase is achieved. Senior management approval is required before the project begins to ensure the required resources are made available, but this does not ensure that the project is properly monitored or that its objectives are met.
#15. An IS auditor is reviewing a software application that is built on the principles of service oriented architecture (SOA). What is the BEST first step?
An SOA relies on the principles of a distributed environment in which services encapsulate business logic as a black box and may be deliberately combined to represent real-world business processes. Before reviewing details, the IS auditor must understand the mapping of business processes to services. Choices B and C are not correct because sampling the use of service security standards as represented by SAML and reviewing the SLAs are essentially follow-up steps. Choice D is not correct because auditing a single service and its dependencies on others would be time consuming.