CISA Practise Questions

Uploaded by

Fares Salman
CISA Practise Questions (Domain 1 - 100 Questions)
CISA Mock Test (Domain 1)

(1)Which of the following is an objective of a control self-assessment (CSA) program?


1 point

A. Concentration on areas of high risk


B. Conducting training and workshop
C. To increase risk awareness
D. To replace risk management programme.


(2) An IS auditor is facilitating a CSA programme. Which of the following is the MOST
important requirement for a successful CSA?
1 point

A. Ability of auditor to act as a workshop facilitator


B. Simplicity of the CSA programme
C. Frequency of CSA programme
D. Involvement of line managers

(3)A PRIMARY advantage of control self-assessment (CSA) techniques is that:


1 point

A. it ascertains high-risk areas that might need a detailed review later


B. risk can be assessed independently by IS auditors
C. it replaces audit activities
D. it allows management to delegate responsibility for control


(4)Main objective of a control self-assessment (CSA) program is to:


1 point

A. substitute audit program


B. substitute risk management program
C. support regulatory requirements
D. enhance audit responsibilities


(5) Which of the following is the BEST time to perform a control self-assessment involving
all concerned parties?
1 point

A. post issuance of audit report


B. during preliminary survey
C. during compliance test
D. preparation of the audit report


(6)An IS auditor has been asked to facilitate a control self-assessment (CSA) program.
Which of the following is an objective of a CSA program?
1 point

A. Replacement of audit responsibilities


B. Enhancement of audit responsibilities
C. To evaluate risk management program
D. To provide audit training


(7) An IS auditor has been asked to participate in implementation of control
self-assessment program. The auditor should participate primarily as a:
1 point

A. Team leader
B. The auditor should not participate as it would create a potential conflict of interest.
C. Facilitator
D. Project Controller


(8)For successful control self-assessment (CSA) program, it is essential to:


1 point

A. design stringent control policy


B. have auditors take responsibility for control monitoring
C. have line managers take responsibility for control monitoring
D. implement stringent control policy


(9)An IS Auditor has been asked by the management to support its CSA program. The
role of an IS auditor in a control self-assessment (CSA) should be that of:
1 point

A. program in charge
B. program manager
C. program partner
D. program facilitator


(10) An IS auditor is evaluating a control self-assessment program in an organisation.
What is the MAIN objective for implementing a control self-assessment (CSA) program?
1 point

A. To replace audit responsibilities


B. To enhance employee’s capabilities
C. To comply with regulatory requirements
D. To concentrate on high risk area


(11) An IS auditor is determining the appropriate sample size for testing the
effectiveness of the change management process. No deviations were noted in the last
2 years' audit reviews, and management has assured that there was no deviation in the
process for the period under review. The auditor can adopt a:
1 point
A. higher confidence coefficient resulting in a smaller sample size
B. lower confidence coefficient resulting in a higher sample size.
C. lower confidence coefficient resulting in a lower sample size
D. higher confidence coefficient resulting in a higher sample size.


(12) Evidence gathering to evaluate the integrity of individual transactions, data or other
information is typical of which of the following?
1 point

A. Substantive testing
B. Compliance testing
C. Detection testing
D. Control testing


(13) Which of the following tests is an IS auditor performing when a sample of programs
is selected to determine if the source and object versions are the same?
1 point

A. A substantive test of program library controls


B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls


(14)An IS auditor is using a statistical sample to inventory the tape library. What type of
test would this be considered?
1 point

A. Substantive
B. Compliance
C. Integrated
D. Continuous audit


(15)The objective of compliance tests is to ensure:


1 point

A. controls are implemented as prescribed.


B. documentation is complete.
C. access to users is provided as specified.
D. data validation procedures are provided.

(16)Which of the following is a substantive audit test?


1 point

A. Verifying that a management check has been performed regularly


B. Observing that user IDs and passwords are required to sign on the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable


(17) IS auditors are MOST likely to reduce substantive test procedures if, after
compliance testing, they conclude that:
1 point

A. a substantive test would be too costly.


B. the control environment is poor.
C. inherent risk is low.
D. control risks are within the acceptable limits.


(18)When an IS auditor performs a test to ensure that only active users have access to
a, the IS auditor is performing a:
1 point

A. compliance test.
B. substantive test.
C. statistical sample.
D. Judgment Sampling.


(19) Major difference between compliance testing and substantive testing is that
compliance testing tests:
1 point

A. details, while substantive testing tests controls.


B. controls, while substantive testing tests details.
C. financial statements, while substantive testing tests items in trial balance.
D. internal requirements, while substantive testing tests internal controls.


(20)Which of the following is a substantive test?


1 point

A. Reviewing compliance with firewall policy.


B. Reviewing adherence to change management policy.
C. Using a statistical sample to inventory the tape library
D. Reviewing password history reports


(21) A test to determine whether the last 50 new user requisitions were correctly
processed is an example of:
1 point

A. discovery sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.


(22) An IS auditor is reviewing the internal control of application software. The sampling
method that will be MOST useful when testing for compliance is:
1 point

A. Attribute sampling
B. Variable sampling
C. Discovery sampling
D. Stop or go sampling


(23) Major difference between compliance testing and substantive testing is that
substantive testing tests:
1 point

A. details of transactions, while control testing tests controls.


B. controls, while control testing tests details.
C. compliance with firewall policy, while compliance testing tests financial statements.
D. internal controls while compliance testing tests internal controls.


(24) Which of the following sampling methods would be the MOST effective to
determine whether access rights for staff have been authorized as per the authorization
matrix?
1 point
A. stratified mean per unit
B. attribute sampling
C. discovery sampling
D. stop or go sampling


(25) An IS auditor reviewing a critical financial application is concerned about fraud. Which
of the following sampling methods would BEST assist the auditor?
1 point

A. Attribute sampling
B. Variable sampling
C. Discovery sampling
D. Stop or go sampling


(26) A test to determine whether the last 50 new user requisitions were correctly
processed is an example of:
1 point

A. discovery sampling
B. substantive testing
C. compliance testing
D. stop-or-go sampling


(27)With regard to confidence correlation, it can be said that:


1 point

A. small sample size will give high confidence correlation


B. if an auditor knows internal controls are strong, the confidence coefficient may be lowered
C. small confidence correlation will result in a high sample size
D. if an auditor knows internal controls are strong, the confidence coefficient may be increased


(28) An IS auditor is reviewing the internal control of application software. The sampling
method that will be MOST useful when testing for compliance is:
1 point

A. Attribute sampling
B. Variable sampling
C. Discovery sampling
D. Stop or go sampling

(29) Statistical sampling reduces which of the following risks:


1 point

A. audit risk
B. detection risk
C. inherent risk
D. sampling risk


(30) Use of statistical sampling will be more relevant as compared to judgment
(non-statistical) sampling when:
1 point

A. it is required to mitigate sampling risk


B. auditor is inexperienced
C. the probability of error must be objectively quantified
D. it is required to mitigate audit risk


(31)Which of the following should an IS auditor use to detect duplicate invoice records
within an invoice master file?
1 point

A. Attribute sampling
B. Generalized audit software (GAS)
C. Test data
D. Integrated test facility (ITF)


(32)An IS auditor is using a statistical sample to inventory the tape library. What type of
test would this be considered?
1 point

A. Substantive
B. Compliance
C. Integrated
D. Continuous audit


(33)Which of the following is a substantive test?


1 point

A. Checking a list of exception reports


B. Ensuring approval for parameter changes
C. Using a statistical sample to inventory the tape library
D. Reviewing password history reports


(34) An IS auditor is performing an audit of a remotely managed server backup. The IS
auditor reviews the logs for one day and finds one case where logging on a server has
failed with the result that backup restarts cannot be confirmed. What should the auditor
do?
1 point

A. Issue an audit finding


B. Seek an explanation from IS management
C. Review the classifications of data held on the server
D. Expand the sample of logs reviewed


(35)Which of the following would be the BEST population to take a sample from when
testing program changes?
1 point

A. Test library listings


B. Source program listings
C. Program change requests
D. Production library listings


(36)Which of the following is MOST critical when creating data for testing the logic in a
new or modified application system?
1 point

A. A sufficient quantity of data for each test case


B. Data representing conditions that are expected in actual processing
C. Completing the test on schedule
D. A random sample of actual data


(37) An IS auditor is determining the appropriate sample size for testing the
effectiveness of the change management process. No deviations were noted in the last
2 years' audit reviews, and management has assured that there was no deviation in the
process for the period under review. The auditor can adopt a:
1 point

A. higher confidence coefficient resulting in a smaller sample size
B. lower confidence coefficient resulting in a higher sample size.
C. lower confidence coefficient resulting in a lower sample size
D. higher confidence coefficient resulting in a higher sample size.


(38) Which of the following sampling methods would be the MOST effective to
determine whether access rights for staff have been authorized as per the authorization
matrix?
1 point

A. stratified mean per unit


B. attribute sampling
C. discovery sampling
D. stop or go sampling


(39) An IS auditor reviewing a critical financial application is concerned about fraud. Which
of the following sampling methods would BEST assist the auditor?
1 point

A. Attribute sampling
B. Variable sampling
C. Discovery sampling
D. Stop or go sampling


(40) A test to determine whether the last 50 new user requisitions were correctly
processed is an example of:
1 point

A. discovery sampling
B. substantive testing
C. compliance testing
D. stop-or-go sampling


(41)With regard to confidence correlation, it can be said that:


1 point

A. small sample size will give high confidence correlation


B. if an auditor knows internal controls are strong, the confidence coefficient may be lowered
C. small confidence correlation will result in a high sample size
D. if an auditor knows internal controls are strong, the confidence coefficient may be increased


(42) An IS auditor is reviewing the internal control of application software. The sampling
method that will be MOST useful when testing for compliance is:
1 point

A. Attribute sampling
B. Variable sampling
C. Discovery sampling
D. Stop or go sampling


(43) Statistical sampling reduces which of the following risks:


1 point

A. audit risk
B. detection risk
C. inherent risk
D. sampling risk


(44) Use of statistical sampling will be more relevant as compared to judgment
(non-statistical) sampling when:
1 point

A. it is required to mitigate sampling risk


B. auditor is inexperienced
C. the probability of error must be objectively quantified
D. it is required to mitigate audit risk


(45)Which of the following should an IS auditor use to detect duplicate invoice records
within an invoice master file?
1 point

A. Attribute sampling
B. Generalized audit software (GAS)
C. Test data
D. Integrated test facility (ITF)


(46)An IS auditor is using a statistical sample to inventory the tape library. What type of
test would this be considered?
1 point

A. Substantive
B. Compliance
C. Integrated
D. Continuous audit


(47)Which of the following is a substantive test?


1 point

A. Checking a list of exception reports


B. Ensuring approval for parameter changes
C. Using a statistical sample to inventory the tape library
D. Reviewing password history reports


(48) An IS auditor is performing an audit of a remotely managed server backup. The IS
auditor reviews the logs for one day and finds one case where logging on a server has
failed with the result that backup restarts cannot be confirmed. What should the auditor
do?
1 point

A. Issue an audit finding


B. Seek an explanation from IS management
C. Review the classifications of data held on the server
D. Expand the sample of logs reviewed


(49)Which of the following would be the BEST population to take a sample from when
testing program changes?
1 point

A. Test library listings


B. Source program listings
C. Program change requests
D. Production library listings


(50)Which of the following is MOST critical when creating data for testing the logic in a
new or modified application system?
1 point

A. A sufficient quantity of data for each test case


B. Data representing conditions that are expected in actual processing
C. Completing the test on schedule
D. A random sample of actual data


(51) The prime objective of Audit Charter is to govern:


1 point

A. IS function
B. External Auditor
C. Internal Audit Function
D. Finance Function


(52) The authority, scope and responsibility of the Information System Audit function is:
1 point

A. Defined by the audit charter approved by the senior management/Board


B. Defined by the I.T. Head of the organization, as the expert in the matter
C. Defined by the various functional divisions, depending upon criticality
D. Generated by the Audit division of the organization


(53) Audit Charter should include:


1 point

A. Yearly audit resource planning.


B. audit function’s reporting structure.
C. audit report drafting guidelines.
D. Yearly audit calendar.


(54) The result of risk management process is used for making:


1 point
A. business strategy plans.
B. audit charters.
C. security policy decisions.
D. decisions related to outsourcing.


(55) In a risk-based audit approach, an IS auditor, in addition to risk, would be
influenced PRIMARILY by:
1 point

A. the audit charter.


B. management's representation.
C. organizational structure
D. no. of outsourcing contracts.


(56) An IS auditor reviews an organization chart PRIMARILY for:


1 point

A. getting information about data-flow.


B. to assess number of employees in each department.
C. understanding the responsibilities and authority of individuals.
D. to assess number of laptops/desktops in each department.


(57) The document used by the top management of organizations to delegate authority
to the IS audit function is the:
1 point

A. audit calendar.
B. audit charter.
C. risks register.
D. audit compendium.


(58) Primary purpose of an audit charter is to:


1 point

A. describe audit procedure.


B. define resource requirement for audit department.
C. prescribe the code of ethics used by the auditor
D. to prescribe authority and responsibilities of audit department.

(59) The audit charter should be approved by the highest level of management and
should:
1 point

A. be updated often to upgrade with the changing nature of technology and the audit profession.
B. include audit calendar along with resource allocation.
C. include plan of action in case of disruption of business services.
D. outline the overall authority, scope and responsibilities of the audit function.


(60) An audit charter should state management's objectives for and delegation of
authority to IS audit and MUST be:
1 point

A. approved by the top management.


B. approved by Chief Audit Officer.
C. approved by IS department.
D. approved by IT steering committee.


(61)In an audit of an inventory application, which approach would provide the BEST
evidence that purchase orders are valid?
1 point

A. Testing whether inappropriate personnel can change application parameters


B. Tracing purchase orders to a computer listing
C. Comparing receiving reports to purchase order details
D. Reviewing the application documentation


(62)The extent to which data will be collected during an IS audit should be determined
based on the:
1 point

A. availability of critical and required information.


B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant evidence.
D. purpose and scope of the audit being done.

(63)The responsibility, authority and accountability of the IS audit function is
appropriately documented in an audit charter and MUST be:
1 point

A. approved by the highest level of management.


B. approved by audit department management.
C. approved by user department management.
D. changed every year before commencement of IS audits.


(64)A key element in a risk analysis is:


1 point

A. audit planning.
B. controls.
C. vulnerabilities.
D. liabilities.


(65)An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The
manager had written the password, allocated by the system administrator, inside his/her
desk drawer. The IS auditor should conclude that the:
1 point

A. manager's assistant perpetrated the fraud.


B. perpetrator cannot be established beyond doubt.
C. fraud must have been perpetrated by the manager.
D. system administrator perpetrated the fraud.


(66) During a review of a customer master file, an IS auditor discovered numerous
customer name duplications arising from variations in customer first names. To
determine the extent of the duplication, the IS auditor would use:
1 point

A. test data to validate data input.


B. test data to determine system sort capabilities.
C. generalized audit software to search for address field duplications.
D. generalized audit software to search for account field duplications.

(67)The IS department of an organization wants to ensure that the computer files used
in the information processing facility are adequately backed up to allow for proper
recovery. This is a(n):
1 point

A. control procedure.
B. control objective.
C. corrective control.
D. operational control.


(68) During a security audit of IT processes, an IS auditor found that there were no
documented security procedures. The IS auditor should:
1 point

A. create the procedures document.


B. terminate the audit.
C. conduct compliance testing.
D. identify and evaluate existing practices.


(69) When implementing continuous monitoring systems, an IS auditor's first step is to
identify:
1 point

A. reasonable target thresholds.


B. high-risk areas within the organization.
C. the location and format of output files.
D. applications that provide the highest potential payback.


(70)In an IS audit of several critical servers, the IS auditor wants to analyze audit trails
to discover potential anomalies in user or system behavior. Which of the following tools
is MOST suitable for performing that task?
1 point

A. CASE tools
B. Embedded data collection tools
C. Heuristic scanning tools
D. Trend/variance detection tools

(71)An IS auditor should use statistical sampling and not judgment (nonstatistical)
sampling, when:
1 point

A. the probability of error must be objectively quantified.


B. the auditor wishes to avoid sampling risk.
C. generalized audit software is unavailable.
D. the tolerable error rate cannot be determined.


(72) When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:
1 point

A. controls needed to mitigate risks are in place.


B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate.


(73)The vice president of human resources has requested an audit to identify payroll
overpayments for the previous year. Which would be the BEST audit technique to use in
this situation?
1 point

A. Test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module


(74)Which of the following would be the BEST population to take a sample from when
testing program changes?
1 point

A. Test library listings


B. Source program listings
C. Program change requests
D. Production library listings

(75)Which of the following normally would be the MOST reliable evidence for an
auditor?
1 point

A. A confirmation letter received from a third party verifying an account balance


B. Assurance from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analysis developed by the IS auditor from reports supplied by line management


(76)During a review of the controls over the process of defining IT service levels, an IS
auditor would MOST likely interview the:
1 point

A. systems programmer.
B. legal staff.
C. business unit manager.
D. application programmer.


(77) In the course of performing a risk analysis, an IS auditor has identified threats and
potential impacts. Next, an IS auditor should:
1 point

A. identify and assess the risk assessment process used by management.


B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.


(78) A PRIMARY benefit derived from an organization employing control
self-assessment (CSA) techniques is that it:
1 point

A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.


(79) Senior management has requested that an IS auditor assist the departmental
management in the implementation of necessary controls. The IS auditor should:
1 point

A. refuse the assignment since it is not the role of the IS auditor.


B. inform management of his/her inability to conduct future audits.
C. perform the assignment and future audits with due professional care.
D. obtain the approval of user management to perform the implementation and follow-up.


(80)Which of the following is the MOST likely reason why e-mail systems have become
a useful source of evidence for litigation?
1 point

A. Multiple cycles of backup files remain available.


B. Access controls establish accountability for e-mail activity.
C. Data classification regulates what information should be communicated via e-mail.
D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.


(81) Which of the following is a benefit of a risk-based approach to audit planning?
Audit:
1 point

A. scheduling may be performed months in advance.


B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.


(82)An audit charter should:


1 point

A. be dynamic and change often to coincide with the changing nature of technology and the
audit profession.
B. clearly state audit objectives for and the delegation of authority to the maintenance and
review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.


(83) An IS auditor is evaluating a corporate network for a possible penetration by
employees. Which of the following findings should give the IS auditor the GREATEST
concern?
1 point

A. There are a number of external modems connected to the network.


B. Users can install software on their desktops.
C. Network monitoring is very limited.
D. Many user ids have identical passwords.


(84)While planning an audit, an assessment of risk should be made to provide:


1 point

A. reasonable assurance that the audit will cover material items.


B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.


(85)To identify the value of inventory that has been kept for more than eight weeks, an
IS auditor would MOST likely use:
1 point

A. test data.
B. statistical sampling.
C. an integrated test facility.
D. generalized audit software.


(86) An integrated test facility is considered a useful audit tool because it:
1 point

A. is a cost-efficient approach to auditing application controls.


B. enables the financial and IS auditors to integrate their audit tests.
C. compares processing output with independently calculated data.
D. provides the IS auditor with a tool to analyze a large range of information.


(87)The decisions and actions of an IS auditor are MOST likely to affect which of the
following risks?
1 point

A. Inherent
B. Detection
C. Control
D. Business


(88)Data flow diagrams are used by IS auditors to:


1 point

A. order data hierarchically.


B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.


(89)Reviewing management's long-term strategic plans helps the IS auditor:


1 point

A. gain an understanding of an organization's goals and objectives.


B. test the enterprise's internal controls.
C. assess the organization's reliance on information systems.
D. determine the number of audit resources needed.


(90) When evaluating the collective effect of preventive, detective or corrective controls
within a process, an IS auditor should be aware:
1 point

A. of the point at which controls are exercised as data flow through the system.
B. that only preventive and detective controls are relevant.
C. that corrective controls can only be regarded as compensating.
D. that classification allows an IS auditor to determine which controls are missing.


(91)The risk of an IS auditor using an inadequate test procedure and concluding that
material errors do not exist when, in fact, they do is an example of:
1 point

A. inherent risk.
B. control risk.
C. detection risk.
D. audit risk.


(92)The PRIMARY purpose of an audit charter is to:


1 point

A. document the audit process used by the enterprise.


B. formally document the audit department's plan of action.
C. document a code of professional conduct for the auditor.
D. describe the authority and responsibilities of the audit department.


(93)An IS auditor has evaluated the controls for the integrity of the data in a financial
application. Which of the following findings would be the MOST significant?
1 point

A. The application owner was unaware of several changes applied to the application by the IT
department.
B. The application data are backed up only once a week.
C. The application development documentation is incomplete.
D. Information processing facilities are not protected by appropriate fire detection systems.


(94) Overall business risk for a particular threat can be expressed as:
1 point

A. a product of the probability and magnitude of the impact if a threat successfully exploits a
vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.


(95)Which one of the following could an IS auditor use to validate the effectiveness of
edit and validation routines?
1 point

A. Domain integrity test


B. Relational integrity test
C. Referential integrity test
D. Parity checks


(96)An IS auditor reviews an organizational chart PRIMARILY for:


1 point

A. an understanding of workflows.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the network connected to different employees.


(97) An IS auditor is evaluating management's risk assessment of information systems.
The IS auditor should FIRST review:
1 point

A. the controls already in place.


B. the effectiveness of the controls in place.
C. the mechanism for monitoring the risks related to the assets.
D. the threats/vulnerabilities affecting the assets.


(98)Which of the following is an objective of a control self-assessment (CSA) program?


1 point

A. Concentration on areas of high risk


B. Replacement of audit responsibilities
C. Completion of control questionnaires
D. Collaborative facilitative workshops


(99)Which of the following steps would an IS auditor normally perform FIRST in a data
center security review?
1 point

A. Evaluate physical access test results.


B. Determine the risks/threats to the data center site.
C. Review business continuity procedures.
D. Test for evidence of physical access at suspect locations.


(100) The traditional role of an IS auditor in a control self-assessment (CSA) should be
that of:
1 point

A. facilitator.
B. manager.
C. partner.
D. stakeholder.
