FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW

1
FREQUENTLY ASKED QUESTIONS IN
CISA CERTIFIED ROLE
INTERVIEW
2
CISA
The Certi?ed Information Systems Auditor (CISA)
certi?cation is highly desired after credential
for IT risk, IT security, and IT Auditors. Many
CISA (Certi?ed Information Systems Auditor)
certi?ed positions are available in reputable
?rms such as Internal Auditor, Accountant,
Accounts and Audit Assistant, Accounts Executive,
Account Assistant, Accounts Manager, Accounts
Of?cer, and Audit Executive. Here we will
discuss frequently asked questions in a CISA
interview.
www.infosectrain.com sales_at_infosectrain.com
02
3
Interview Questions
1
What exactly is a Request for Change (RFC)? A
Request for Change (RFC) is a method that
provides authorization for system changes. The
CISA Auditor must be able to recognize and act
on developments that could risk the networks
security. The RFC keeps track of all current and
previous system changes.

• What is Change Management?
• Change Management is typically a group of
  professionals tasked with identifying the risk
  and impact of system modifications. The CISA
  will be in charge of assessing security concerns
  associated with modifications.
• What happens if a change harms a system or does
  not go as planned?
• Calling a rollback is the responsibility of the
  CISA and other change management personnel. If
  something goes wrong with the deployment, all
  modifications should include a rollback plan.

www.infosectrain.com sales_at_infosectrain.com
03
4
4 What security systems do you have in place

• to protect against unauthorized traffic?
• At the router or server level, firewalls
  safeguard the internal network. Penetration
  testing systems use scripts to discover
  potential network risks, while antivirus
  protection prevents virus software from
  installing.
• What is the role of a CISA Audit Trail?
• Audit trails enable you and the firm to keep
  track of systems that contain sensitive data.
  Audit trails are primarily used to keep track of
  which users accessed data and when they did so.
  These trails can assist businesses in detecting
  unauthorized access to personal information.
• In performing a risk-based audit, which risk
• assessment is completed first by an IS Auditor?
• Inherent risk assessment. Inherent risk exists
  independently of an audit and can occur because
  of the nature of the business. It is necessary
  to be aware of the related business process to
  conduct an audit successfully. To perform an
  audit, an IS Auditor needs to understand the
  business process. By understanding the business
  process, an IS Auditor better understands the
  inherent risk.

www.infosectrain.com sales_at_infosectrain.com
04
5
7 What is the most important reason an audit

• planning should be reviewed at periodic
  intervals?
• To consider changes to the risk environment, it
  is important to review audit planning at
  periodic intervals. Short and long-term issues
  that drive audit planning can be heavily
  impacted by the changes to the organizations
  risk environment, technologies, and business
  processes.
• What is the goal of an IT audit?
• An IT audits primary function is to evaluate
  existing methods to maintain an organizations
  essential information.
• What exactly are IT General Controls?
• IT General Controls (ITGC) are the fundamental
  controls that apply to IT systems such as
  databases, applications, operating systems, and
  other IT infrastructure to ensure the integrity
  of the systems processes and data.
• What is the distinction between an internal and

an external audit? Employees of the company
conduct internal audits. External audits are
carried out by professionals of a third-party
firm. Some sectors necessitate an external audit
to ensure compliance with industry regulations.
www.infosectrain.com sales_at_infosectrain.com
05
6
11 What are the essential skills of an IT Auditor?

• The following are essential skills for an IT
  Auditor
• IT risk
• Security risk management
• Security testing and auditing
• Internal auditing standards
• General computer security
• Data analysis and visualization tools
• Analytical and critical thinking skills
• Communication skills

www.infosectrain.com sales_at_infosectrain.com
06
7
12 How do you go about conducting a risk

• assessment?
• Depending on the industry, risk assessments may
  differ. In some industries, an auditor is
  required to apply pre-writ- ten risk assessment
  procedures. However, the goal of any risk
  assessment is to use available tools or processes
  to identify vulnerabilities particular to the
  company being assessed and develop a strategy to
  address them.
• What are the advantages of an IT audit for a\
  company or organization?
• IT audits assist in identifying weaknesses and
  vulnerabilities in system design, giving the
  company vital information for further hardening
  their systems.
• Do you try to resolve a bug in an application
  yourself?
• No. The best approach is to bring it to the
  attention of both the technical team and the
  system owners. The problem can be recorded in
  the final report as well.

www.infosectrain.com sales_at_infosectrain.com
07
8
15 Why does active FTP (File Transfer Protocol)
fail

• with network firewalls?
• Two TCP connections are formed when a user begins
  a connection with the FTP server. The FTP server
  initiates and establishes the second TCP
  connection (FTP data connection). When there is
  a firewall between the FTP client and the
  server, it will prohibit the connection
  initiated from the FTP server because it is an
  outside connection. Passive FTP can be used to
  solve this, or the firewall rule can be updated
  to add the FTP server as trustworthy.
• How can a Brute Force Attack on a windows login
  page be prevented?
• Set up an account lockout for a certain number of
  failed login attempts, and the user account will
  be automatically locked after that amount.
• How can a CISA Auditor gain a better
  understanding of the system?
• CISA Auditor can talk to management, read
  documentation, observe other employees
  activities, and examine system logs and reports.

www.infosectrain.com sales_at_infosectrain.com
08
9
18 What are intangible assets?
Intangible assets are those that cannot be seen,
such as the companys worth. 19 What exactly is
Vouching? Vouching is the process of verifying
the presence of something for example,
verifying from the overall record to the
required documents. 20How frequently does the
company update its assessment of the top
risks? The enterprise-wide risk assessment
approach should be adaptable to changing
business conditions. A solid strategy for
identifying and prioritizing essential
enterprise risks, such as emerging risks, is
critical to maintaining an up-to-date
perspective of the top risks.
www.infosectrain.com sales_at_infosectrain.com
09