The CISA Prep Guide: Mastering the Certified Information Systems Auditor Exam

John Kramer

ISBN: 978-0-471-46978-0

May 2003

570 pages

  • This is the first commercially available book to offer CISA study materials
  • The consulting editor, Ronald Krutz, is the co-author of The CISSP Prep Guide (0-471-26802-X)
  • Provides definitions and background on the seven content areas of CISA
  • Includes many sample test questions and explanations of answers
  • More than 10,000 people registered for the CISA exam in 2002
  • CD-ROM contains annual updates to the exam so the book remains current for a number of years

Chapter 1. The Information System Audit Process.

Chapter 2. Management, Planning, and Organization of Information Systems.

Chapter 3. Technical Infrastructure and Operational Practices.

Chapter 4. Protection of Information Assets.

Chapter 5. Disaster Recovery and Business Continuity.

Chapter 6. Business Application Systems Development, Acquisition, Implementation, and Maintenance.

Chapter 7. Business Process Evaluation and Risk Management.

Appendix A: Answers to Sample Exam Questions.

Appendix B: What's on the CD-ROM.


Errata

CD Question ID#4
Question: Which of the following is not part of the IS auditor's code of ethics?

Answer 1: Serve the interest of the employers in a diligent, loyal, and honest manner.
Answer 2: Maintain the standards of conduct and the appearance of independence through the use of audit information for personal gain.
Answer 3: Maintain competency in the interrelated fields of audit and information systems.
Answer 4: Use due care to document factual client information on which to base conclusions and recommendations.

Explanation: The correct answer is C. Use of client information is unethical and a cause for revocation of your certification. The other three are tenets of the code of ethics.

Errata: The correct answer should be B.

CD Question ID#17
Question: Some audit managements choose to use the element of surprise to ensure that the policies and procedures documents line up with actual practices.
A: Scare the auditees and to see if there are procedures that can be used as a backup
B: Ensure that staffing is sufficient to manage an audit and daily processing simultaneously
C: Ensure that supervision is appropriate during surprise inspections
D: Ensure that policies and procedures coincide with the actual practices in place

Explanation: The correct answer is A. Some of the other answers are nonsensical but the real reason for using the element of surprise is to ensure that the policies and procedures documents line up with actual practices.

Errata: The correct answer should be D.

CD Question ID#57
Question: Which of the following should an IS auditor review when performing an assessment of a PBX?

I. Ensure that the dial-in numbers enabling toll-free outbound access are turned off.
II. Ensure that voicemail systems do not enable access to phone lines through hijacking.
III. Ensure that the access codes for the maintenance ports have been changed from the default.
IV. Ensure that outbound toll numbers, such as 900 numbers, are restricted.
V. Ensure that excessive phone usage is flagged and investigated for fraud.

Answer 1: I, II, III, and IV only
Answer 2: II, III, and IV only
Answer 3: II, III, IV, and V only
Answer 4: I, II, III, IV, and V

Explanation: The correct answer is C. All of these answers except (I) are necessary activities for a PBX review. Voice mail systems (II) need to be contained to voice mail traffic only, and the ability to use these access points to the system to get a dial tone should be controlled so that hijacking cannot occur. Access codes for maintenance ports (III) should be strictly controlled and not only changed from their vendor-given defaults but changed periodically. 900 numbers and other outbound toll scenarios (IV) should be controlled, and the business decisions should support any allowance for these costs to be incurred. Any excessive call tolls (V) outside of a predetermined boundary should be immediately flagged as potentially fraudulent and investigated, if not shut down until an investigation can occur. The ability to obtain an outbound toll-free line from a dial-in number (I) is a business decision and may be turned off, but that is a risk and business decision that should be made by management, not the IS auditor. The audit should verify that this is a conscious decision of the business, however.

Errata: The 900 numbers referred to in Selection IV are 1-900 numbers, which are charged calls, not free calls. This does not refer to 900 numbers without the 1- prefix, which include the 911 (emergency) number. Those would not be restricted.

CD Question ID#125
Question: In a systems development life cycle, the following process steps occur:

I. Systems Design
II. Feasibility Analysis
III. Systems Testing and Acceptance
IV. Systems Specification Documentation
V. Functional Requirements Definition
VI. Systems Development

What is the natural order of the processes in an SDLC methodology?

Answer 1: V, IV, II, I, VI, III
Answer 2: V, II, IV, I, VI, III
Answer 3: II, IV, V, VI, I, III
Answer 4: II, V, I, VI, III, IV

Explanation: The correct answer is A. Classic Systems Development Life Cycle (SDLC) methodologies begin by understanding the business or functional requirements, and then a feasibility analysis is performed on the solution options. Systems specifications are then further defined based on the accepted solution and approach, from which a design is created. That design is developed into an application, and that application is tested and finally accepted by the business.

Errata: The correct answer should be B, not A.