An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?
Answer : B
The audit procedure that would most likely have identified this exception is to compare the list of all servers held in the directory server against the list of hosts present in the central log repository. Reconciling the two lists lets the IS auditor detect any server that is missing from the repository, or that has stopped reporting to it. The other procedures (A, C and D) would not be effective in identifying this exception: reviewing the alerts generated or the alert settings configured only covers servers that are already forwarding logs, and reusing the server list from the previous year's audit may not reflect the current population of servers or the current state of the central log repository.
Reference: IS Audit and Assurance Guideline 2202: Evidence Collection Techniques; CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.3: Logging and Monitoring
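The reconciliation described above, as an added example that is not part of the original page or of any ISACA material: a script that normalises hostnames from a directory export and from the log repository's host list, then reports every server that is absent from the repository or has gone stale. The two inputs, the hostnames, the "critical" tier labels and the fixed clock are all constructed for illustration.

```python
"""Reconcile a directory-service server inventory against the hosts actually
seen by the central log repository. Added example; inputs are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample: computer objects exported from the directory server as
# "name,tier". Names are deliberately inconsistent in case and FQDN usage,
# because that is what real exports look like.
DIRECTORY_EXPORT = """\
DC01.corp.example.com,critical
fs-ext01.corp.example.com,critical
ERP-DB01.corp.example.com,critical
web01.corp.example.com,standard
build02,standard
"""

# Constructed sample: hosts known to the log repository with the timestamp
# (UTC) of the last event received from each.
LOG_REPO_HOSTS = """\
dc01,2024-05-01T09:58:00Z
fs-ext01.corp.example.com,2024-04-20T02:11:00Z
web01,2024-05-01T10:01:00Z
build02.corp.example.com,2024-05-01T09:30:00Z
"""

# Fixed "now" so the example is reproducible; a real run would use the current time.
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(hours=24)  # assumed threshold: no events for a day is an exception


def normalize(host):
    """Lower-case and strip the domain suffix so 'DC01.corp.example.com' and
    'dc01' compare equal. The comparison is only as good as this key."""
    return host.strip().lower().split(".")[0]


def parse_directory(text):
    servers = {}
    for line in text.splitlines():
        if line.strip():
            name, tier = line.split(",")
            servers[normalize(name)] = tier.strip()
    return servers


def parse_log_repo(text):
    seen = {}
    for line in text.splitlines():
        if line.strip():
            name, ts = line.split(",")
            seen[normalize(name)] = datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))
    return seen


def reconcile(directory, log_hosts, now=NOW, stale_after=STALE_AFTER):
    """Return (host, tier, finding) tuples. A server is an exception when it is
    absent from the repository or has sent nothing within stale_after: a
    forwarder that died months ago still looks 'onboarded' in a static list."""
    findings = []
    for host, tier in sorted(directory.items()):
        last = log_hosts.get(host)
        if last is None:
            findings.append((host, tier, "not in log repository"))
        elif now - last > stale_after:
            findings.append((host, tier, "stale: last event " + last.isoformat()))
    return findings


def critical_exceptions(directory_text=DIRECTORY_EXPORT, log_text=LOG_REPO_HOSTS):
    """Only the exceptions on critical servers, i.e. the audit finding itself."""
    all_findings = reconcile(parse_directory(directory_text), parse_log_repo(log_text))
    return [f for f in all_findings if f[1] == "critical"]


if __name__ == "__main__":
    for host, tier, finding in reconcile(parse_directory(DIRECTORY_EXPORT),
                                         parse_log_repo(LOG_REPO_HOSTS)):
        print(f"{tier:9} {host:10} {finding}")
```

On the sample data the script flags ERP-DB01 (never onboarded) and fs-ext01 (forwarder silent since April) while DC01, web01 and build02 reconcile cleanly. The directory export is itself only one population source; an auditor would normally reconcile against a second inventory as well, such as the hypervisor or CMDB, because a server that was never joined to the directory would not appear in either list compared here.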
Which of the following is MOST critical to the success of an information security program?
Answer : B
Management's commitment to information security is the most critical factor for the success of an information security program, as it sets the tone and direction for the organization's security culture and practices. Management's commitment is demonstrated by establishing a clear security policy, providing adequate resources, assigning roles and responsibilities, enforcing compliance, and supporting continuous improvement. The other options are important elements of an information security program, but they depend on management's commitment to be effective.
Reference: CISA Review Manual (Digital Version), page 439.
Which of the following applications has the MOST inherent risk and should be prioritized during audit planning?
Answer : C
An outsourced accounting application has the most inherent risk and should be prioritized during audit planning because it involves external parties, sensitive data, and complex transactions that are susceptible to material misstatement, error, or fraud [1][2]. An outsourced accounting application also requires more oversight and monitoring from the internal audit department to ensure compliance with the service level agreement and the organization's policies and standards [3].
Reference
[1] Inherent Risk: Definition, Examples, and 3 Types of Audit Risks
[2] 3 Types of Audit Risk - Inherent, Control and Detection - Accountinguide
[3] IS Audit Basics: The Core of IT Auditing
Which of the following is the GREATEST advantage of utilizing guest operating systems in a virtual environment?
Answer : C
An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee. Which type of control has been added?
Answer : B
Which of the following is an IS auditor's BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?
Answer : C
A demilitarized zone (DMZ) is a network segment separated from both the internal network and the external network (such as the internet) by firewalls or other security devices. A DMZ adds a layer of protection for the internal network by isolating the servers and services that must be reachable by external users, such as the file server, from the rest of the network. External users can reach only the DMZ hosts and ports the firewall permits and cannot reach the internal network directly; in a dual-firewall design they would have to get through both the external and the internal firewall, and even a file server that is compromised inside the DMZ can reach only what the inner firewall explicitly allows. Therefore, setting up a DMZ is the IS auditor's best recommendation to protect an organization from attacks when its file server needs to be accessible to external users [1][2].
The other possible options are:
Enforce a secure tunnel connection: the organization requires external users to establish an encrypted connection, such as a virtual private network (VPN), to reach its file server. This protects the confidentiality and integrity of the data in transit, but once the tunnel is up the user is on whatever network the tunnel terminates in, so it does not protect the file server or the internal network if the user's credentials or device are compromised or if the external user is malicious. Therefore, enforcing a secure tunnel connection is not the IS auditor's best recommendation to protect an organization from attacks when its file server needs to be accessible to external users [3].
Enhance internal firewalls: the organization improves the configuration and performance of the firewalls that filter and control traffic between segments of its internal network. This can limit unauthorized or malicious movement inside the internal network, but it does not address the exposure of the file server itself, which remains directly reachable from the internet. Therefore, enhancing internal firewalls is not the IS auditor's best recommendation to protect an organization from attacks when its file server needs to be accessible to external users [4].
Implement a secure protocol: the organization uses a secure, standardized protocol, such as the SSH File Transfer Protocol (SFTP), which runs over Secure Shell (SSH), to transfer files between its file server and external users. This protects the confidentiality and integrity of the transfer, but it does not protect the file server or the internal network if the file-transfer service itself has an exploitable vulnerability or if a legitimately connected external user is malicious. Therefore, implementing a secure protocol is not the IS auditor's best recommendation to protect an organization from attacks when its file server needs to be accessible to external users [5].
Reference:
[1] What Is a DMZ Network and Why Would You Use It? | Fortinet
[2] Demilitarised zone (DMZ) | Cyber.gov.au
[3] What Is VPN Tunneling? | Fortinet
[4] Firewall - Wikipedia
[5] Secure Shell - Wikipedia
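The segmentation argument above, as an added example that is not part of the original page: a simplified model of a three-zone firewall policy (external, DMZ, internal) that evaluates flows by first-match rule with a default deny, plus an audit function that flags any rule undermining the DMZ. The address ranges, the SFTP port, and the assumption that the DMZ file server may send only syslog-over-TLS (TCP 6514) back to the central log repository are all illustrative choices made here, not something the page states.

```python
"""Three-zone firewall policy model: external -> DMZ file server only, no path
from external or DMZ into the internal network. Added example; addressing and
ports are constructed for illustration."""
import ipaddress

# Constructed addressing. "external" is everything not listed here.
ZONES = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],  # TEST-NET-1 as a stand-in DMZ range
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


# Rules: (src_zone, dst_zone, dst_port or None for any port, action).
# First match wins; a flow that matches nothing is denied.
POLICY = [
    ("external", "dmz", 22, "allow"),         # SFTP to the externally reachable file server
    ("internal", "dmz", None, "allow"),       # staff manage and fetch from the DMZ
    ("dmz", "internal", 6514, "allow"),       # assumed: only syslog/TLS to the log repository
    ("dmz", "internal", None, "deny"),        # a compromised DMZ host cannot pivot inward
    ("external", "internal", None, "deny"),   # no direct path from the internet to the LAN
]

# Ports a DMZ host is legitimately allowed to reach on the internal network.
ALLOWED_DMZ_TO_INTERNAL = (6514,)


def evaluate(src_ip, dst_ip, dst_port, policy=POLICY):
    """Return 'allow' or 'deny' for one flow under first-match semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in policy:
        if rule_src == src and rule_dst == dst and (rule_port is None or rule_port == dst_port):
            return action
    return "deny"


def audit_policy(policy=POLICY, allowed_dmz_to_internal=ALLOWED_DMZ_TO_INTERNAL):
    """Flag allow rules that defeat the DMZ: any external->internal allow, or a
    DMZ->internal allow beyond the ports the inner firewall is meant to pass.
    Checked statically so a misordered rule is caught even if a later deny
    happens to shadow it today."""
    problems = []
    for rule_src, rule_dst, rule_port, action in policy:
        if action != "allow":
            continue
        if rule_src == "external" and rule_dst == "internal":
            problems.append(f"external->internal allowed on port {rule_port}")
        if rule_src == "dmz" and rule_dst == "internal" and rule_port not in allowed_dmz_to_internal:
            problems.append(f"dmz->internal allowed on port {rule_port}")
    return problems


if __name__ == "__main__":
    # Constructed flows: an internet client, the DMZ file server, an internal host.
    for src, dst, port in [("198.51.100.7", "192.0.2.10", 22),
                           ("198.51.100.7", "192.0.2.10", 445),
                           ("198.51.100.7", "10.1.2.3", 445),
                           ("192.0.2.10", "10.1.2.3", 445),
                           ("192.0.2.10", "10.1.2.3", 6514)]:
        print(f"{zone_of(src):8} -> {zone_of(dst):8} :{port:<5} {evaluate(src, dst, port)}")
    print("policy findings:", audit_policy() or "none")
```

The point the model makes explicit is that the DMZ only helps if the inner boundary is as strict as the outer one: the external client reaches the file server on port 22 and nothing else, and the file server, even if fully compromised, can open only the one log-forwarding port toward the internal network. Prepending a single `("external", "internal", 445, "allow")` rule is enough to make `evaluate` pass SMB straight to the LAN, which is exactly the kind of rule `audit_policy` is there to catch.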
Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only. Which of the following did the IS auditor potentially compromise?
Answer : B
Due professional care is the obligation of an IS auditor to exercise the appropriate level of skill, competence, and diligence in performing an audit. It also requires the IS auditor to comply with the relevant standards, guidelines, and ethical principles of the profession. Completing an engagement by email only may compromise due professional care, as it may limit the IS auditor's ability to obtain sufficient and appropriate evidence, to communicate effectively with the auditee and other stakeholders, and to perform adequate quality assurance and review procedures. The other options are not as relevant as due professional care, as they relate to specific aspects of an audit, such as proficiency (the knowledge and skills of the IS auditor), sufficient evidence (the quantity and quality of the audit evidence), and reporting (the presentation and communication of the audit results).
Reference: CISA Review Manual (Digital Version), Domain 1: The Process of Auditing Information Systems, Section 1.2 ISACA IT Audit and Assurance Standards