
ISACA CISA Certified Information Systems Auditor Online Training

Question #1

An IT balanced scorecard is the MOST effective means of monitoring:

  • A . governance of enterprise IT.
  • B . control effectiveness.
  • C . return on investment (ROI).
  • D . change management effectiveness.

Correct Answer: A

Explanation:

An IT balanced scorecard is a strategic management tool that aligns IT objectives with business goals and measures the performance of IT processes using key performance indicators (KPIs). It is the most effective means of monitoring governance of enterprise IT, which is the process of ensuring that IT supports the organization’s strategy and objectives. Governance of enterprise IT covers aspects such as IT value delivery, IT risk management, IT resource management, and IT performance measurement. An IT balanced scorecard can help monitor these aspects and provide feedback to improve IT governance.

References: ISACA Frameworks: Blueprints for Success, CISA Review Manual (Digital Version)

Question #2

When reviewing an organization’s information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

  • A . a risk management process.
  • B . an information security framework.
  • C . past information security incidents.
  • D . industry best practices.

Correct Answer: A

Explanation:

Information security policies are high-level statements that define the organization’s approach to protecting its information assets from threats and risks. They should be based primarily on a risk management process, which is a systematic method of identifying, analyzing, evaluating, treating, and monitoring information security risks. A risk management process can help ensure that the policies are aligned with the organization’s risk appetite, business objectives, legal and regulatory requirements, and stakeholder expectations. An information security framework is a set of standards, guidelines, and best practices that provide a structure for implementing information security policies. It can support the risk management process, but it is not the primary basis for defining the policies. Past information security incidents and industry best practices can also provide valuable inputs for defining the policies, but they are not sufficient to address the organization’s specific context and needs.

References: Insights and Expertise, CISA Review Manual (Digital Version)

Question #3

Which of the following would be an IS auditor’s GREATEST concern when reviewing the early stages of a software development project?

  • A . The lack of technical documentation to support the program code
  • B . The lack of completion of all requirements at the end of each sprint
  • C . The lack of acceptance criteria behind user requirements.
  • D . The lack of a detailed unit and system test plan

Correct Answer: C

Explanation:

User requirements are statements that describe what the users expect from the software system in terms of functionality, quality, and usability. They are essential inputs for the software development process, as they guide the design, implementation, testing, and deployment of the system.

Therefore, an IS auditor’s greatest concern when reviewing the early stages of a software development project would be the lack of acceptance criteria behind user requirements. Acceptance criteria are measurable conditions that define when a user requirement is met. They help ensure that the user requirements are clear, complete, consistent, testable, and verifiable. Without acceptance criteria, it is difficult to evaluate whether the system meets user expectations and delivers value to the organization, and every later activity (design, testing, acceptance) inherits the ambiguity. Technical documentation supporting the program code is produced once code exists, in later stages of the project, so its absence early on is expected. Completion of all requirements at the end of each sprint is not mandatory in agile methods, as long as there is a prioritized backlog of requirements that can be delivered incrementally. A detailed unit and system test plan is also important for ensuring software quality, but it depends on well-defined user requirements and acceptance criteria, so it cannot be written properly until those exist.

References: Information Systems Acquisition, Development & Implementation, CISA Review Manual (Digital Version)

Question #4

Which of the following is the BEST data integrity check?

  • A . Counting the transactions processed per day
  • B . Performing a sequence check
  • C . Tracing data back to the point of origin
  • D . Preparing and running test data

Correct Answer: C

Explanation:

Data integrity is the property that ensures that data is accurate, complete, consistent, and reliable throughout its lifecycle. The best data integrity check is tracing data back to the point of origin, which is the source where the data was originally created or captured. This check can verify that data has not been altered or corrupted during transmission, processing, or storage. It can also identify any errors or discrepancies in data entry or conversion. Counting the transactions processed per day is a performance measure that does not directly assess data integrity. Performing a sequence check is a validity check that ensures that data follows a predefined order or pattern. It can detect missing or out-of-order data elements, but it cannot verify their accuracy or completeness. Preparing and running test data is a testing technique that simulates real data to evaluate how a system handles different scenarios. It can help identify errors or bugs in the system logic or functionality, but it cannot ensure data integrity in production environments.

References: Information Systems Operations and Business Resilience, CISA Review Manual (Digital Version)

Question #5

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system.

What is the BEST control to ensure that data is accurately entered into the system?

  • A . Reconciliation of total amounts by project
  • B . Validity checks, preventing entry of character data
  • C . Reasonableness checks for each cost type
  • D . Display back of the project detail after the entry

Correct Answer: A

Explanation:

Reconciliation of total amounts by project is the best control to ensure that data is accurately entered into the job-costing system from spreadsheets. Reconciliation is a process of comparing two sets of data to identify any differences or discrepancies between them. By reconciling the total amounts by project from spreadsheets with those from the job-costing system, any errors or omissions in data entry can be detected and corrected. Validity checks are controls that verify that data conforms to predefined formats or ranges. They can prevent entry of character data into numeric fields, but they cannot ensure that the numeric data is correct or complete. Reasonableness checks are controls that verify that data is within expected or acceptable limits. They can detect outliers or anomalies in data, but they cannot ensure that the data matches the source. Display back of project detail after entry is a control that allows the user to review and confirm the data entered into the system. It can help reduce human errors, but it cannot guarantee that the data is accurate or consistent with the source.

References: Information Systems Operations and Business Resilience, CISA Review Manual (Digital Version)

Question #6

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

  • A . incident management.
  • B . quality assurance (QA).
  • C . change management.
  • D . project management.

Correct Answer: C

Explanation:

A weakness in change management is the most likely cause of an incorrect version of source code being amended by a development team. Change management is the process of controlling and documenting changes to IT systems and software. It ensures that changes are authorized, tested, and implemented in a controlled manner. If change management is weak, there is a risk of using outdated or incorrect versions of source code, which can lead to errors, defects, or security vulnerabilities in the software.

Question #7

An organization’s audit charter PRIMARILY:

  • A . describes the auditors’ authority to conduct audits.
  • B . defines the auditors’ code of conduct.
  • C . formally records the annual and quarterly audit plans.
  • D . documents the audit process and reporting standards.

Correct Answer: A

Explanation:

An organization’s audit charter primarily describes the auditors’ authority to conduct audits. The audit charter is a formal document that defines the purpose, scope, responsibilities, and reporting relationships of the internal audit function. It also establishes the auditors’ right of access to information, records, personnel, and physical properties relevant to their work. The audit charter provides the basis for the auditors’ independence and accountability to the governing body and senior management.

Question #8

The decision to accept an IT control risk related to data quality should be the responsibility of the:

  • A . information security team.
  • B . IS audit manager.
  • C . chief information officer (CIO).
  • D . business owner.

Correct Answer: D

Explanation:

The decision to accept an IT control risk related to data quality should be the responsibility of the business owner. The business owner is the person who has the authority and accountability for the business process that relies on the data quality. The business owner should understand the impact of data quality issues on the business objectives, performance, and compliance. The business owner should also be involved in defining the data quality requirements, assessing the data quality risks, and implementing the data quality controls or mitigation strategies.

Question #9

Which of the following data would be used when performing a business impact analysis (BIA)?

  • A . Projected impact of current business on future business
  • B . Cost-benefit analysis of running the current business
  • C . Cost of regulatory compliance
  • D . Expected costs for recovering the business

Correct Answer: D

Explanation:

The expected costs for recovering the business would be used when performing a business impact analysis (BIA). A BIA is a process of identifying and evaluating the potential effects of disruptions to critical business functions or processes. A BIA helps to determine the recovery priorities, strategies, and resources needed to resume normal operations after a disruption. One of the key outputs of a BIA is an estimate of the financial losses or costs associated with different types of disruptions, such as lost revenue, increased expenses, contractual penalties, or regulatory fines.

Question #10

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy?

  • A . Alignment with the IT tactical plan
  • B . IT steering committee minutes
  • C . Compliance with industry best practice
  • D . Business objectives

Correct Answer: D

Explanation:

The most important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy is its alignment with the business objectives. The information security policy is a high-level document that defines the organization’s vision, goals, principles, and responsibilities for protecting its information assets. The information security policy should support and enable the achievement of the business objectives, such as increasing customer satisfaction, enhancing competitive advantage, or complying with legal requirements. The information security policy should also be consistent with other relevant policies, standards, and frameworks that guide the organization’s governance, risk management, and compliance activities.

Question #11

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor’s time would be to review and evaluate:

  • A . application test cases.
  • B . acceptance testing.
  • C . cost-benefit analysis.
  • D . project plans.

Correct Answer: A

Explanation:

Reviewing and evaluating application test cases is the most effective use of an IS auditor’s time during the evaluation of controls over a major application development project. Application test cases are designed to verify that the application meets the functional and non-functional requirements and specifications. They also help to identify and correct any errors, defects, or vulnerabilities in the application before it is deployed. By reviewing and evaluating the test cases, the IS auditor can assess the quality, reliability, security, and performance of the application and provide recommendations for improvement.

Question #12

An IS auditor finds that firewalls are outdated and not supported by vendors.

Which of the following should be the auditor’s NEXT course of action?

  • A . Report the mitigating controls.
  • B . Report the security posture of the organization.
  • C . Determine the value of the firewall.
  • D . Determine the risk of not replacing the firewall.

Correct Answer: D

Explanation:

The IS auditor’s next course of action after finding that firewalls are outdated and not supported by vendors should be to determine the risk of not replacing the firewall. Outdated firewalls may have known vulnerabilities that can be exploited by attackers to bypass security controls and access the network. They may also lack compatibility with newer technologies or standards that are required for optimal network performance and protection. Not replacing the firewall could expose the organization to various threats, such as data breaches, denial-of-service attacks, malware infections, or regulatory non-compliance. The IS auditor should assess the likelihood and impact of these threats and quantify the risk level for management to make informed decisions.

Question #13

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

  • A . Analyze whether predetermined test objectives were met.
  • B . Perform testing at the backup data center.
  • C . Evaluate participation by key personnel.
  • D . Test offsite backup files.

Correct Answer: A

Explanation:

The best way to determine whether a test of a disaster recovery plan (DRP) was successful is to analyze whether predetermined test objectives were met. Test objectives are specific, measurable, achievable, relevant, and time-bound (SMART) goals that define what the test aims to accomplish and how it will be evaluated. Test objectives should be aligned with the DRP objectives and scope, and should cover aspects such as recovery time objectives (RTOs), recovery point objectives (RPOs), critical business functions, roles and responsibilities, communication channels, backup systems, and contingency procedures. By comparing the actual test results with the expected test objectives, the IS auditor can measure the effectiveness and efficiency of the DRP and identify any gaps or weaknesses that need to be addressed.

Question #14

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes.

Which of the following recommendations would BEST help to reduce the risk of data leakage?

  • A . Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees
  • B . Establishing strong access controls on confidential data
  • C . Providing education and guidelines to employees on use of social networking sites
  • D . Monitoring employees’ social networking usage

Correct Answer: C

Explanation:

The best recommendation to reduce the risk of data leakage from employee use of social networking sites for business purposes is to provide education and guidelines to employees on use of social networking sites. Education and guidelines can help employees understand the benefits and risks of using social media for business purposes, such as enhancing brand awareness, engaging with customers, or sharing industry insights. They can also inform employees about the dos and don’ts of social media etiquette, such as respecting privacy, protecting intellectual property, avoiding conflicts of interest, or complying with legal obligations. Education and guidelines can also raise awareness of potential data leakage scenarios, such as phishing attacks, malicious links, fake profiles, or oversharing sensitive information, and provide tips on how to prevent or respond to them.

Question #15

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons.

Which of the following should the auditor recommend be performed FIRST?

  • A . Implement a process to actively monitor postings on social networking sites.
  • B . Adjust budget for network usage to include social media usage.
  • C . Use data loss prevention (DLP) tools on endpoints.
  • D . Implement policies addressing acceptable usage of social media during working hours.

Correct Answer: D

Explanation:

The first course of action that the auditor should recommend after finding that several employees are spending an excessive amount of time using social media sites for personal reasons is to implement policies addressing acceptable usage of social media during working hours. Policies can help define the scope, purpose, rules, and expectations of using social media in the workplace, both for personal and professional reasons. Policies can also specify the consequences of violating the policies, such as disciplinary actions or termination. Policies can help deter employees from misusing social media at work, which could affect their productivity, performance, or security. Policies can also help protect the organization from legal liabilities or reputational damages that could arise from inappropriate or unlawful employee behavior on social media.

Question #16

Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

  • A . Carbon dioxide
  • B . FM-200
  • C . Dry pipe
  • D . Halon

Correct Answer: C

Explanation:

A dry pipe system is a water-based sprinkler system: the pipes are kept charged with pressurized air or nitrogen, and when a sprinkler head opens the air escapes, a valve releases water into the pipes, and water is discharged onto the fire. Because water conducts electricity, discharging it onto energized equipment endangers personnel (electric shock) and the equipment itself (short circuits and further damage), so a water-based system protecting a computer room should be combined with an automatic switch that cuts the electricity supply before the water is released. Carbon dioxide, FM-200 and halon are gaseous, electrically non-conductive agents that can be discharged onto live equipment without a power shutdown; their constraints lie elsewhere. Carbon dioxide displaces oxygen and is a suffocation hazard in occupied spaces, which is why it is used for total flooding of unstaffed areas, and halon is an ozone-depleting agent whose production has been phased out under the Montreal Protocol.

Question #17

Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

  • A . The IS auditor provided consulting advice concerning application system best practices.
  • B . The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.
  • C . The IS auditor designed an embedded audit module exclusively for auditing the application system.
  • D . The IS auditor implemented a specific control during the development of the application system.

Correct Answer: D

Explanation:

The IS auditor’s independence would be most likely impaired if they implemented a specific control during the development of an application system. This is because the IS auditor would be auditing their own work, which creates a self-review threat that could compromise their objectivity and impartiality. The IS auditor should avoid participating in any operational or management activities that could affect their ability to perform an unbiased audit. The other options do not pose a significant threat to the IS auditor’s independence, as long as they follow the ethical standards and guidelines of the profession.

Question #18

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider.

Which of the following would be the BEST way to prevent accepting bad data?

  • A . Obtain error codes indicating failed data feeds.
  • B . Appoint data quality champions across the organization.
  • C . Purchase data cleansing tools from a reputable vendor.
  • D . Implement business rules to reject invalid data.

Correct Answer: D

Explanation:

The best way to prevent accepting bad data from a third-party service provider is to implement business rules to reject invalid data. Business rules are logical expressions that define the business requirements and constraints for specific data elements. They can be used to validate, transform, or filter incoming data from external sources, ensuring that only high-quality data is accepted into the enterprise data warehouse. Business rules can also help to identify and resolve data quality issues, such as missing values, duplicates, outliers, or inconsistencies.
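The rule-based rejection described above, as an added example that is not part of the original page or of any real warehouse product. The field names, the rules, the allowed currency list and the sample feed rows are all constructed for illustration; a real feed would carry the provider's own schema. Each rule is a small function returning a list of problems, so rules can be added or removed without touching the loader, and rejected records are returned together with the reasons rather than silently dropped:

```python
"""Validate an inbound third-party data feed against business rules and
reject records that fail, instead of loading them into the warehouse.

Added example: field names, rules and sample rows are constructed for
illustration and are not taken from any real feed."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample rows as a CSV/JSON feed might deliver them (all strings).
SAMPLE_FEED = [
    {"txn_id": "T1001", "customer_id": "C-042", "amount": "125.50", "currency": "USD", "txn_date": "2024-03-04"},
    {"txn_id": "T1002", "customer_id": "",      "amount": "80.00",  "currency": "USD", "txn_date": "2024-03-04"},
    {"txn_id": "T1003", "customer_id": "C-017", "amount": "-5.00",  "currency": "USD", "txn_date": "2024-03-05"},
    {"txn_id": "T1001", "customer_id": "C-042", "amount": "125.50", "currency": "USD", "txn_date": "2024-03-04"},
    {"txn_id": "T1004", "customer_id": "C-099", "amount": "12.00",  "currency": "XXX", "txn_date": "2024-13-01"},
]

ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}   # assumed business constraint
REQUIRED = ("txn_id", "customer_id", "amount", "currency", "txn_date")


def rule_required_fields(rec):
    """Every mandatory field must be present and non-empty."""
    return [f"missing {f}" for f in REQUIRED if not rec.get(f)]


def rule_amount(rec):
    """Amount must parse as a decimal, be positive, and have at most 2 decimals."""
    try:
        amt = Decimal(rec.get("amount", ""))
    except InvalidOperation:
        return ["amount is not numeric"]
    if amt <= 0:
        return ["amount must be positive"]
    if amt.as_tuple().exponent < -2:
        return ["amount has more than 2 decimals"]
    return []


def rule_currency(rec):
    cur = rec.get("currency")
    return [] if cur in ALLOWED_CURRENCIES else [f"unknown currency {cur!r}"]


def rule_date(rec):
    try:
        date.fromisoformat(rec.get("txn_date", ""))
        return []
    except ValueError:
        return ["txn_date is not a valid ISO date"]


RULES = [rule_required_fields, rule_amount, rule_currency, rule_date]


def validate_feed(rows):
    """Split rows into (accepted, rejected); rejected is a list of (txn_id, reasons)."""
    accepted, rejected, seen = [], [], set()
    for rec in rows:
        problems = []
        for rule in RULES:
            problems.extend(rule(rec))
        # Duplicate detection needs state across rows, so it is not a per-row rule.
        if rec.get("txn_id") in seen:
            problems.append("duplicate txn_id")
        if problems:
            rejected.append((rec.get("txn_id"), problems))
        else:
            seen.add(rec["txn_id"])
            accepted.append(rec)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_feed(SAMPLE_FEED)
    print(f"accepted {len(ok)} row(s), rejected {len(bad)} row(s)")
    for txn_id, reasons in bad:
        print(f"  {txn_id}: {'; '.join(reasons)}")
```

The rejected list is the control's evidence: it should be written to a reject file and reported back to the provider, and an auditor can sample it to confirm the rules actually fire. Error codes from the provider (option A) only tell you a feed failed to arrive; they say nothing about the content of a feed that did arrive.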

Question #19

An IS auditor suspects an organization’s computer may have been used to commit a crime.

Which of the following is the auditor’s BEST course of action?

  • A . Examine the computer to search for evidence supporting the suspicions.
  • B . Advise management of the crime after the investigation.
  • C . Contact the incident response team to conduct an investigation.
  • D . Notify local law enforcement of the potential crime before further investigation.

Correct Answer: C

Explanation:

The IS auditor’s best course of action if they suspect an organization’s computer may have been used to commit a crime is to contact the incident response team to conduct an investigation. The incident response team is a group of experts who are responsible for responding to security incidents, such as data breaches, ransomware attacks, or cybercrimes. The incident response team can help to preserve and collect digital evidence, determine the scope and impact of the incident, contain and eradicate the threat, and restore normal operations. The IS auditor should not examine the computer themselves, as they may inadvertently alter or destroy potential evidence, or compromise the chain of custody. The IS auditor should also not notify local law enforcement before further investigation, as this may escalate the situation unnecessarily or interfere with the internal investigation process. The IS auditor should advise management of the crime after the investigation, or as soon as possible if there is an imminent risk or legal obligation to do so.

Question #20

Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

  • A . Write access to production program libraries
  • B . Write access to development data libraries
  • C . Execute access to production program libraries
  • D . Execute access to development program libraries

Correct Answer: A

Explanation:

Write access to production program libraries presents the greatest risk when granted to a new member of the system development staff. Production program libraries contain executable code that runs on live systems and supports critical business functions. Write access allows a user to modify or delete existing programs, or add new programs to the library. If a user were to make unauthorized or erroneous changes to production programs, it could cause serious disruptions, errors, or security breaches in the organization’s operations. Therefore, write access to production program libraries should be restricted to authorized personnel only, and subject to strict change management controls.

Question #21

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system.

The auditor’s FIRST course of action should be to:

  • A . review recent changes to the system.
  • B . verify completeness of user acceptance testing (UAT).
  • C . verify results to determine validity of user concerns.
  • D . review initial business requirements.

Correct Answer: C

Explanation:

The IS auditor’s first course of action should be to verify the results of the critical automatic calculations made by the system to determine the validity of user concerns. This is because the IS auditor needs to obtain sufficient and appropriate audit evidence to support the audit findings and conclusions. By verifying the results, the IS auditor can assess whether there are any errors or discrepancies in the system’s calculations that could affect the accuracy and reliability of the financial data. The IS auditor can use various techniques to verify the results, such as re-performing the calculations, comparing them with expected values, or tracing them to source documents.

Question #22

Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

  • A . Walk-through reviews
  • B . Substantive testing
  • C . Compliance testing
  • D . Design documentation reviews

Correct Answer: B

Explanation:

Substantive testing provides the most reliable audit evidence on the validity of transactions in a financial application. Substantive testing examines the transactions and balances themselves, together with their supporting documentation, to detect errors or misstatements, rather than testing whether the controls around them operated. It can verify that the transactions recorded in the financial application are authorized, complete, accurate, and properly classified, using methods such as vouching, confirmation, analytical procedures, or physical examination. Compliance testing, walk-through reviews, and design documentation reviews provide evidence about the controls, not about the transactions the controls were supposed to protect.

Question #23

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period.

Which of the following is the auditor’s MOST important course of action?

  • A . Document the finding and present it to management.
  • B . Determine if a root cause analysis was conducted.
  • C . Confirm the resolution time of the incidents.
  • D . Validate whether all incidents have been actioned.

Correct Answer: B

Explanation:

The IS auditor’s most important course of action after finding that several similar incidents were logged during the audit period is to determine if a root cause analysis was conducted. A root cause analysis is a systematic process that identifies the underlying causes of system failures or incidents. A root cause analysis can help to prevent recurrence of similar incidents, improve system performance and reliability, and enhance incident management processes. The IS auditor should evaluate whether a root cause analysis was performed for each incident, whether it was timely and thorough, and whether it resulted in effective corrective actions.

Question #24

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization.

Which of the following should be recommended as the PRIMARY factor to determine system criticality?

  • A . Key performance indicators (KPIs)
  • B . Maximum allowable downtime (MAD)
  • C . Recovery point objective (RPO)
  • D . Mean time to restore (MTTR)

Correct Answer: B

Explanation:

The primary factor to determine system criticality within an organization is the maximum allowable downtime (MAD). MAD is the maximum time frame during which recovery must become effective before an outage compromises the ability of an organization to achieve its business objectives and/or survival. MAD reflects the business impact of a system outage on the organization’s operations, reputation, compliance, and finances. MAD can help to prioritize system recovery efforts, allocate resources, and establish recovery objectives.

Question #25

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged.

The IS auditor’s FIRST action should be to:

  • A . recommend that the option to directly modify the database be removed immediately.
  • B . recommend that the system require two persons to be involved in modifying the database.
  • C . determine whether the log of changes to the tables is backed up.
  • D . determine whether the audit trail is secured and reviewed.

Correct Answer: D

Explanation:

The IS auditor’s first action after discovering an option in a database that allows the administrator to directly modify any table should be to determine whether the audit trail is secured and reviewed.

This is because direct modification of database tables can pose a significant risk to data integrity, security, and accountability. An audit trail is a record of all changes made to database tables, including who made them, when they were made, and what was changed. An audit trail can help to detect unauthorized or erroneous changes, provide evidence for investigations or audits, and support data recovery or restoration. The IS auditor should assess whether the audit trail is protected from tampering or deletion, and whether it is regularly reviewed for anomalies or exceptions.
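One way to make such an audit trail tamper-evident, as an added example that is not part of the original page and is not any DBMS's built-in audit facility. Each logged change carries the hash of the previous entry, so editing or deleting an earlier entry breaks the chain at the point of tampering, and a review routine can flag unusual volumes of direct edits. The entries, the user names and the "more than one direct edit per user per day" review rule are constructed assumptions:

```python
"""Tamper-evident audit trail for direct table modifications.

Each entry records who changed what and when, plus a SHA-256 over the
entry's fields and the previous entry's hash. Any edit or deletion of an
earlier entry breaks the chain, which the periodic review can detect.
Added example with constructed entries; it assumes the trail itself is
stored somewhere the DBA cannot rewrite."""
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64   # prev-hash of the first entry


def entry_hash(record):
    """Hash every field except the stored hash, in a canonical encoding."""
    body = {k: v for k, v in record.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(trail, **fields):
    """Append one change record, chained to the previous entry."""
    prev = trail[-1]["hash"] if trail else GENESIS
    record = {"prev": prev, **fields}
    record["hash"] = entry_hash(record)
    trail.append(record)
    return record


def verify_trail(trail):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    expected_prev = GENESIS
    for i, rec in enumerate(trail):
        if rec.get("prev") != expected_prev or entry_hash(rec) != rec.get("hash"):
            return False, i
        expected_prev = rec["hash"]
    return True, None


def review_direct_modifications(trail, max_per_user_per_day=1):
    """Constructed review rule: flag (user, day) pairs with more direct edits than allowed."""
    counts = Counter((r["user"], r["ts"][:10]) for r in trail)
    return sorted(key for key, n in counts.items() if n > max_per_user_per_day)


def build_sample_trail():
    """Three constructed direct-modification events."""
    trail = []
    append_entry(trail, ts="2024-03-04T10:15:00Z", user="dba01", table="invoices",
                 row_id=8812, column="status", old="OPEN", new="PAID")
    append_entry(trail, ts="2024-03-04T10:16:30Z", user="dba01", table="invoices",
                 row_id=8812, column="amount", old="1200.00", new="120.00")
    append_entry(trail, ts="2024-03-05T09:02:11Z", user="dba02", table="customers",
                 row_id=42, column="credit_limit", old="5000", new="50000")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail))
    trail[1]["new"] = "1200.00"          # a DBA quietly "corrects" an earlier entry
    print("after tampering:", verify_trail(trail))
    print("flagged for review:", review_direct_modifications(build_sample_trail()))
```

The chain only proves that nothing was altered since the last hash the reviewer recorded; an administrator who can rewrite the whole file from the tampered point onward can rebuild a consistent chain. That is why the question's answer pairs "secured" with "reviewed": the reviewer should note the latest hash at each review (or forward the trail to a log server the DBA cannot write to), so the next review can detect a rewrite.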

Question #26

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available.

What should the auditor recommend be done FIRST?

  • A . Implement a new system that can be patched.
  • B . Implement additional firewalls to protect the system.
  • C . Decommission the server.
  • D . Evaluate the associated risk.

Correct Answer: D

Explanation:

The first step in addressing a vulnerability is to evaluate the associated risk, which involves assessing the likelihood and impact of a potential exploit. Based on the risk assessment, the appropriate mitigation strategy can be determined, such as implementing a new system, adding firewalls, or decommissioning the server.

References: ISACA CISA Review Manual 27th Edition, page 280

Question #27

IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance.

Which of the following controls will MOST effectively compensate for the lack of referential integrity?

  • A . More frequent data backups
  • B . Periodic table link checks
  • C . Concurrent access controls
  • D . Performance monitoring tools

Correct Answer: B

Explanation:

Referential integrity is a property of data that ensures that all references between tables are valid and consistent. Disabling referential integrity controls can result in orphaned records, data anomalies, and inaccurate queries. The most effective way to compensate for the lack of referential integrity is to perform periodic table link checks, which verify that all foreign keys match existing primary keys in the related tables. More frequent data backups, concurrent access controls, and performance monitoring tools do not address the issue of data consistency and accuracy.

References: ISACA CISA Review Manual 27th Edition, page 291
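As an added example (not from the CISA manual or this page), the periodic table link check described above, run against an in-memory SQLite database where foreign key enforcement is left off, as in the question. It goes a little beyond the single parent/child pair in the text: every foreign key declared in the schema catalog is checked. The tables, rows and column names are constructed sample data.

```python
"""Periodic table link check: find child rows whose foreign key points at no
parent row, i.e. the orphans that appear once DBMS referential integrity
enforcement is switched off.

Added example (not from the CISA manual). Uses SQLite, whose foreign key
enforcement is off by default, to stand in for a DBMS where IS management has
disabled referential integrity for query performance. The schema and rows
below are constructed sample data.
"""
import sqlite3
from typing import Dict, List, Tuple


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with FK constraints declared but NOT enforced."""
    conn = sqlite3.connect(":memory:")
    # Referential integrity disabled (the situation in the question).
    conn.execute("PRAGMA foreign_keys = OFF")
    conn.executescript(
        """
        CREATE TABLE customer (
            customer_id INTEGER PRIMARY KEY,
            name        TEXT NOT NULL
        );
        CREATE TABLE invoice (
            invoice_id  INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
            amount      REAL NOT NULL
        );
        CREATE TABLE payment (
            payment_id INTEGER PRIMARY KEY,
            invoice_id INTEGER NOT NULL REFERENCES invoice(invoice_id),
            amount     REAL NOT NULL
        );
        INSERT INTO customer VALUES (1, 'Acme'), (2, 'Globex');
        INSERT INTO invoice  VALUES (10, 1, 100.0), (11, 2, 250.0), (12, 3, 75.0);
        INSERT INTO payment  VALUES (100, 10, 100.0), (101, 99, 40.0);
        """
    )
    # invoice 12 -> customer 3 (missing) and payment 101 -> invoice 99 (missing)
    # were accepted silently because enforcement is off.
    return conn


def declared_links(conn: sqlite3.Connection) -> List[Tuple[str, str, str, str]]:
    """Return (child_table, child_col, parent_table, parent_col) for every FK
    declared in the schema, read from SQLite's catalog."""
    links = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for child in tables:
        # PRAGMA foreign_key_list columns: id, seq, table, from, to, ...
        for row in conn.execute(f"PRAGMA foreign_key_list('{child}')"):
            parent, from_col, to_col = row[2], row[3], row[4]
            links.append((child, from_col, parent, to_col))
    return links


def find_orphans(conn: sqlite3.Connection) -> Dict[str, List[int]]:
    """Table link check: for each declared FK, list child rowids whose key has
    no matching parent row. Result keys look like 'invoice.customer_id'."""
    orphans: Dict[str, List[int]] = {}
    for child, child_col, parent, parent_col in declared_links(conn):
        # Identifiers come from the catalog, not from user input, but quote them
        # anyway so unusual table names cannot break the generated SQL.
        sql = (
            f'SELECT c.rowid FROM "{child}" AS c '
            f'LEFT JOIN "{parent}" AS p ON c."{child_col}" = p."{parent_col}" '
            f'WHERE c."{child_col}" IS NOT NULL AND p."{parent_col}" IS NULL '
            f'ORDER BY c.rowid'
        )
        rows = [r[0] for r in conn.execute(sql)]
        if rows:
            orphans[f"{child}.{child_col}"] = rows
    return orphans


if __name__ == "__main__":
    db = build_sample_db()
    for link, rowids in find_orphans(db).items():
        print(f"{link}: orphaned rowids {rowids}")
    # expected: invoice.customer_id: [12]; payment.invoice_id: [101]
```

Scheduled as a batch job, the non-empty result is the exception report a reviewer would follow up on; an empty result is the evidence that the compensating control is working.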

Question #28

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization.

Which of the following is MOST effective in detecting such an intrusion?

  • A . Periodically reviewing log files
  • B . Configuring the router as a firewall
  • C . Using smart cards with one-time passwords
  • D . Installing biometrics-based authentication

Correct Answer: A

Explanation:

The most effective way to detect an intrusion attempt is to periodically review log files, which record the activities and events on a system or network. Log files can provide evidence of unauthorized access attempts, malicious activities, or system errors. Configuring the router as a firewall, using smart cards with one-time passwords, and installing biometrics-based authentication are preventive controls that can reduce the likelihood of an intrusion, but they do not detect it.

References: ISACA CISA Review Manual 27th Edition, page 301
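An added example of the periodic log review the answer describes (not from the page or the review manual): failed sshd logins in constructed syslog-style lines are aggregated per source address, and sources at or above an assumed threshold are listed for the reviewer. The host name, addresses and threshold are all constructed.

```python
"""Periodic log review for unsuccessful intrusion attempts: parse sshd
authentication failures and summarise them per source address, so a reviewer
sees which hosts are repeatedly probing the system.

Added example, not from the CISA manual. The log lines are constructed
syslog-style sshd messages; the threshold is an assumed review rule.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: one day of sshd messages as they would appear in auth.log.
SAMPLE_LOG = """\
Mar 14 02:10:01 web1 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 02:10:04 web1 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 02:10:09 web1 sshd[4125]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar 14 02:10:15 web1 sshd[4129]: Failed password for invalid user oracle from 198.51.100.23 port 51041 ssh2
Mar 14 02:11:02 web1 sshd[4133]: Failed password for invalid user test from 198.51.100.23 port 51055 ssh2
Mar 14 08:45:12 web1 sshd[5210]: Failed password for alice from 10.0.0.15 port 40122 ssh2
Mar 14 08:45:20 web1 sshd[5210]: Accepted password for alice from 10.0.0.15 port 40122 ssh2
Mar 14 13:02:44 web1 sshd[6001]: Failed password for invalid user guest from 203.0.113.7 port 60011 ssh2
Mar 14 13:05:10 web1 sshd[6004]: Accepted publickey for deploy from 10.0.0.9 port 33210 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


@dataclass
class SourceSummary:
    failures: int = 0
    users: List[str] = field(default_factory=list)  # distinct usernames tried
    first_seen: str = ""
    last_seen: str = ""


def summarise_failures(log_text: str) -> Dict[str, SourceSummary]:
    """Aggregate failed logins per source IP: count, distinct usernames tried,
    and the time span of the attempts."""
    summary: Dict[str, SourceSummary] = defaultdict(SourceSummary)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other messages are not counted
        s = summary[m["ip"]]
        s.failures += 1
        if m["user"] not in s.users:
            s.users.append(m["user"])
        s.first_seen = s.first_seen or m["ts"]
        s.last_seen = m["ts"]
    return dict(summary)


def suspicious_sources(log_text: str, threshold: int = 3) -> List[str]:
    """Return source IPs with at least `threshold` failures, most failures first.
    Many failures across several usernames from one source is the guessing
    pattern a reviewer would escalate; one user's mistyped password is not."""
    summary = summarise_failures(log_text)
    hits = [ip for ip, s in summary.items() if s.failures >= threshold]
    return sorted(hits, key=lambda ip: summary[ip].failures, reverse=True)


if __name__ == "__main__":
    summary = summarise_failures(SAMPLE_LOG)
    for ip in suspicious_sources(SAMPLE_LOG):
        s = summary[ip]
        print(f"{ip}: {s.failures} failures, users tried {s.users}, "
              f"{s.first_seen} .. {s.last_seen}")
```

The point of the answer survives in the code: nothing here blocks an attempt, it only makes the attempts visible after the fact, which is what a detective control does.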

Question #29

The PRIMARY advantage of object-oriented technology is enhanced:

  • A . efficiency due to the re-use of elements of logic.
  • B . management of sequential program execution for data access.
  • C . grouping of objects into methods for data access.
  • D . management of a restricted variety of data types for a data object.

Correct Answer: A

Explanation:

The primary advantage of object-oriented technology is enhanced efficiency due to the re-use of elements of logic. Object-oriented technology is a software design model that uses objects, which contain both data and code, to create modular and reusable programs. Objects can be inherited from other objects, which reduces duplication and improves maintainability. Grouping objects into methods for data access, managing sequential program execution for data access, and managing a restricted variety of data types for a data object are not advantages of object-oriented technology.

References: ISACA CISA Review Manual 27th Edition, page 304

Question #30

From an IS auditor’s perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

  • A . Inability to close unused ports on critical servers
  • B . Inability to identify unused licenses within the organization
  • C . Inability to deploy updated security patches
  • D . Inability to determine the cost of deployed software

Correct Answer: C

Explanation:

The greatest risk associated with an incomplete inventory of deployed software in an organization is the inability to deploy updated security patches. Security patches are updates that fix vulnerabilities or bugs in software that could be exploited by attackers. Without an accurate inventory of software versions and configurations, it is difficult to identify and apply the relevant patches in a timely manner, which exposes the organization to increased security risks. Inability to close unused ports on critical servers, inability to identify unused licenses within the organization, and inability to determine the cost of deployed software are not as critical as security risks.

References: ISACA CISA Review Manual 27th Edition, page 308

Question #31

Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?

  • A . Configure a single server as a primary authentication server and a second server as a secondary authentication server.
  • B . Configure each authentication server as belonging to a cluster of authentication servers.
  • C . Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.
  • D . Configure each authentication server and ensure that the disks of each server form part of a duplex.

Correct Answer: B

Explanation:

Configuring each authentication server as belonging to a cluster of authentication servers is the best way to minimize performance degradation of servers used to authenticate users of an e-commerce website. A cluster is a group of servers that work together to provide high availability, load balancing, and fault tolerance. If one server fails or becomes overloaded, another server in the cluster can take over its workload without disrupting the service. A single server as a primary authentication server and a second server as a secondary authentication server is not as effective as a cluster, because the secondary server is only used when the primary server fails, which means it is idle most of the time and does not improve performance. Configuring each authentication server and ensuring that each disk of its RAID is attached to the primary controller does not address the issue of performance degradation, but rather the issue of data redundancy and reliability. RAID (redundant array of independent disks) is a technology that combines multiple disks into a logical unit that can tolerate disk failures and improve data access speed. Configuring each authentication server and ensuring that the disks of each server form part of a duplex does not address the issue of performance degradation, but rather the issue of data backup and recovery. A duplex is a pair of disks that store identical copies of data, so that if one disk fails, the other disk can be used to restore the data.

References: ISACA CISA Review Manual 27th Edition, page 310

Question #32

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

  • A . allocation of resources during an emergency.
  • B . frequency of system testing.
  • C . differences in IS policies and procedures.
  • D . maintenance of hardware and software compatibility.

Correct Answer: A

Explanation:

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be most concerned with the allocation of resources during an emergency. A reciprocal disaster recovery agreement is an arrangement by which one organization agrees to use another’s resources in the event of a business continuity event or incident. The IS auditor would need to ensure that both parties have clearly defined their roles and responsibilities, their resource requirements, their priority levels, their communication channels, and their escalation procedures in case of a disaster. The IS auditor would also need to verify that both parties have tested their agreement and have updated it regularly to reflect any changes in their business environments. The frequency of system testing is not as critical as the allocation of resources during an emergency, because system testing can be performed periodically or on demand, while resource allocation is a dynamic and complex process that requires careful planning and coordination. The differences in IS policies and procedures are not as critical as the allocation of resources during an emergency, because both parties can agree on common standards and protocols for their disaster recovery operations, or they can adapt their policies and procedures to suit each other’s needs. The maintenance of hardware and software compatibility is not as critical as the allocation of resources during an emergency, because both parties can use compatible or interoperable systems, or they can use virtualization or cloud computing technologies to overcome any compatibility issues.

References: ISACA CISA Review Manual 27th Edition, page 281

Question #33

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

  • A . Phishing
  • B . Using a dictionary attack of encrypted passwords
  • C . Intercepting packets and viewing passwords
  • D . Flooding the site with an excessive number of packets

Correct Answer: D

Explanation:

Flooding the site with an excessive number of packets is an attack technique that will succeed because of an inherent security weakness in an Internet firewall. This type of attack is also known as a denial-of-service (DoS) attack or a distributed denial-of-service (DDoS) attack if it involves multiple sources. The aim of this attack is to overwhelm the network bandwidth or the processing capacity of the firewall or the target system, rendering it unable to respond to legitimate requests or perform its normal functions. An Internet firewall is a device or software that monitors and controls incoming and outgoing network traffic based on predefined rules. A firewall can block or allow traffic based on various criteria, such as source address, destination address, port number, protocol type, application type, etc. However, a firewall cannot prevent traffic from reaching its interface or distinguish between legitimate and malicious traffic based on its content or behavior. Therefore, a firewall is vulnerable to flooding attacks that exploit its limited resources.

Phishing is an attack technique that involves sending fraudulent emails or messages that appear to come from legitimate sources, such as banks, government agencies, online services, etc., in order to trick recipients into revealing their personal or financial information, such as passwords, credit card numbers, bank account details, etc., or into clicking on malicious links or attachments that can infect their systems with malware or ransomware. Phishing does not exploit an inherent security weakness in an Internet firewall, but rather exploits human psychology and social engineering techniques. A firewall cannot prevent phishing emails or messages from reaching their intended targets, unless they contain some identifiable features that can be filtered out by the firewall rules. However, a firewall cannot detect or prevent users from responding to phishing emails or messages or from opening malicious links or attachments.

Using a dictionary attack of encrypted passwords is an attack technique that involves trying to guess or crack passwords by using a list of common or likely passwords or by using a brute-force method that tries all possible combinations of characters. This type of attack does not exploit an inherent security weakness in an Internet firewall, but rather exploits weak or poorly chosen passwords or weak encryption algorithms. A firewall cannot prevent a dictionary attack of encrypted passwords, unless it has some mechanisms to detect and block repeated or suspicious login attempts or to enforce strong password policies. However, a firewall cannot protect passwords from being stolen or intercepted by other means, such as phishing, malware, keylogging, etc.

Intercepting packets and viewing passwords is an attack technique that involves capturing and analyzing network traffic that contains sensitive information, such as passwords, credit card numbers, bank account details, etc., in order to use them for malicious purposes. This type of attack does not exploit an inherent security weakness in an Internet firewall, but rather exploits insecure or unencrypted network communication protocols or channels. A firewall cannot prevent packets from being intercepted and viewed by unauthorized parties, unless it has some mechanisms to encrypt or obfuscate the network traffic or to authenticate the source and destination of the traffic. However, a firewall cannot protect packets from being modified or tampered with by other means, such as man-in-the-middle attacks, replay attacks, etc.

References: ISACA CISA Review Manual 27th Edition, page 300

Question #34

Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

  • A . Effectiveness of the security program
  • B . Security incidents vs. industry benchmarks
  • C . Total number of hours budgeted to security
  • D . Total number of false positives

Correct Answer: A

Explanation:

The executive management concern that could be addressed by the implementation of a security metrics dashboard is the effectiveness of the security program. A security metrics dashboard is a tool that provides a visual representation of key performance indicators (KPIs) and key risk indicators (KRIs) related to the organization’s information security objectives and activities. A security metrics dashboard can help executive management monitor and evaluate the performance and value delivery of the security program, identify strengths and weaknesses, assess compliance with policies and standards, and support decision making and improvement initiatives. Security incidents vs. industry benchmarks, total number of hours budgeted to security, and total number of false positives are not executive management concerns that could be addressed by the implementation of a security metrics dashboard. These are more operational or technical aspects of information security that could be measured and reported by other means, such as incident reports, budget reports, or log analysis.

References: ISACA CISA Review Manual 27th Edition, page 302

Question #35

One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:

  • A . basis for allocating indirect costs.
  • B . cost of replacing equipment.
  • C . estimated cost of ownership.
  • D . basis for allocating financial resources.

Correct Answer: D

Explanation:

One benefit of return on investment (ROI) analysis in IT decision making is that it provides the basis for allocating financial resources. ROI analysis is a method of evaluating the profitability or cost-effectiveness of an IT project or investment by comparing the expected benefits with the required costs. ROI analysis can help IT decision makers prioritize and justify their IT initiatives, allocate their financial resources optimally, and demonstrate the value contribution of IT to the organization’s goals and objectives. Basis for allocating indirect costs, cost of replacing equipment, and estimated cost of ownership are not benefits of ROI analysis in IT decision making. These are more inputs or outputs of ROI analysis that could be used to calculate or estimate the costs or benefits of an IT project or investment.

References: ISACA CISA Review Manual 27th Edition, page 307

Question #36

Which of the following is an audit reviewer’s PRIMARY role with regard to evidence?

  • A . Ensuring unauthorized individuals do not tamper with evidence after it has been captured
  • B . Ensuring evidence is sufficient to support audit conclusions
  • C . Ensuring appropriate statistical sampling methods were used
  • D . Ensuring evidence is labeled to show it was obtained from an approved source

Correct Answer: B

Explanation:

The primary role of an audit reviewer with regard to evidence is to ensure that evidence is sufficient to support audit conclusions. Evidence is the information obtained by the auditor to provide a reasonable basis for the audit opinion or findings. Evidence should be sufficient, reliable, relevant, and useful to support the audit objectives and criteria. The audit reviewer should evaluate the quality and quantity of evidence collected by the auditor and determine if it is adequate to draw valid conclusions and recommendations. Ensuring unauthorized individuals do not tamper with evidence after it has been captured is a role of the auditor, not the audit reviewer. The auditor is responsible for safeguarding the evidence from loss, damage, or alteration during the audit process. The auditor should also document the source, date, and method of obtaining the evidence, as well as any limitations or restrictions on its use or disclosure. Ensuring appropriate statistical sampling methods were used is a role of the auditor, not the audit reviewer. The auditor is responsible for selecting an appropriate sampling method and technique that can provide sufficient evidence to achieve the audit objectives and criteria. The auditor should also document the sampling plan, population, sample size, selection method, evaluation method, and results. Ensuring evidence is labeled to show it was obtained from an approved source is a role of the auditor, not the audit reviewer. The auditor is responsible for labeling the evidence to indicate its origin, nature, and ownership. The auditor should also ensure that the evidence is obtained from reliable and credible sources that can be verified and corroborated.

References: ISACA CISA Review Manual 27th Edition, page 295

Question #37

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

  • A . Identifying relevant roles for an enterprise IT governance framework
  • B . Making decisions regarding risk response and monitoring of residual risk
  • C . Verifying that legal, regulatory, and contractual requirements are being met
  • D . Providing independent and objective feedback to facilitate improvement of IT processes

Correct Answer: D

Explanation:

The most important benefit of involving IS audit when implementing governance of enterprise IT is providing independent and objective feedback to facilitate improvement of IT processes. Governance of enterprise IT is the process of ensuring that IT supports the organization’s strategy, goals, and objectives in an effective, efficient, ethical, and compliant manner. IS audit can provide value to governance of enterprise IT by assessing the alignment of IT with business needs, evaluating the performance and value delivery of IT, identifying risks and issues related to IT, recommending corrective actions and best practices, and monitoring the implementation and effectiveness of IT governance activities. IS audit can also provide assurance that IT governance processes are designed and operating in accordance with relevant standards, frameworks, laws, regulations, and contractual obligations.

Identifying relevant roles for an enterprise IT governance framework is a benefit of involving IS audit when implementing governance of enterprise IT, but not the most important one. IS audit can help define and clarify the roles and responsibilities of various stakeholders involved in IT governance, such as board members, senior management, business units, IT function, external parties, etc. IS audit can also help ensure that these roles are aligned with the organization’s strategy, goals, and objectives, and that they have adequate authority, accountability, communication, and reporting mechanisms. However, this benefit is more related to the design phase of IT governance implementation than to the ongoing monitoring and improvement phase.

Making decisions regarding risk response and monitoring of residual risk is a benefit of involving IS audit when implementing governance of enterprise IT, but not the most important one. IS audit can help identify and assess the risks associated with IT activities and processes, such as strategic risks, operational risks, compliance risks, security risks, etc. IS audit can also help evaluate the effectiveness of risk management practices and controls implemented by management to mitigate or reduce these risks. However, this benefit is more related to the assurance function of IS audit than to its advisory function.

Verifying that legal, regulatory, and contractual requirements are being met is a benefit of involving IS audit when implementing governance of enterprise IT, but not the most important one. IS audit can help verify that IT activities and processes comply with applicable laws, regulations, and contractual obligations, such as data protection laws, privacy laws, cybersecurity laws, industry standards, service level agreements, etc. IS audit can also help identify and report any instances of noncompliance or violations that could result in legal or reputational consequences for the organization. However, this benefit is more related to the assurance function of IS audit than to its advisory function.

References: ISACA CISA Review Manual 27th Edition, page 283

Question #38

Which of the following is MOST important for an effective control self-assessment (CSA) program?

  • A . Determining the scope of the assessment
  • B . Performing detailed test procedures
  • C . Evaluating changes to the risk environment
  • D . Understanding the business process

Correct Answer: D

Explanation:

Understanding the business process is the most important factor for an effective control self-assessment (CSA) program. A CSA program is a technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization’s risk management and control processes. A CSA program can help identify risks and potential exposures to achieving strategic business objectives, evaluate the adequacy and effectiveness of controls, and implement remediation plans to address any gaps or weaknesses. To conduct a successful CSA, it is essential to have a clear and comprehensive understanding of the business process under review, including its objectives, inputs, outputs, activities, resources, dependencies, stakeholders, performance indicators, etc. This will help to identify the relevant risks and controls associated with the process, as well as to evaluate their impact and likelihood. Determining the scope of the assessment, performing detailed test procedures, and evaluating changes to the risk environment are also important factors for an effective CSA program, but not as important as understanding the business process. These factors are more related to the execution and monitoring phases of the CSA program, while understanding the business process is related to the planning and preparation phase. Without a solid understanding of the business process, the scope, testing, and evaluation of the CSA may not be accurate or complete.

References: ISACA CISA Review Manual 27th Edition, page 310

Question #39

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

  • A . Senior management’s request
  • B . Prior year’s audit findings
  • C . Organizational risk assessment
  • D . Previous audit coverage and scope

Correct Answer: C

Explanation:

The primary basis for selecting which IS audits to perform in the coming year is the organizational risk assessment. An organizational risk assessment is a formal process for identifying, evaluating, and controlling risks that may affect the achievement of the organization’s goals and objectives. An organizational risk assessment can help IS auditors prioritize and plan their audit activities based on the level of risk exposure and impact of each area or process within the organization. An organizational risk assessment can also help IS auditors align their audit objectives and criteria with the organization’s strategy and performance indicators. Senior management’s request, prior year’s audit findings, and previous audit coverage and scope are also possible bases for selecting which IS audits to perform in the coming year, but not as primary as the organizational risk assessment. These factors are more secondary or supplementary sources of information that can help IS auditors refine or adjust their audit plan based on specific needs or issues identified by management or previous audits. However, these factors may not reflect the current or emerging risks that may affect the organization’s operations or performance.

References: ISACA CISA Review Manual 27th Edition, page 295

Question #40

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

  • A . Segregation of duties between staff ordering and staff receiving information assets
  • B . Complete and accurate list of information assets that have been deployed
  • C . Availability and testing of onsite backup generators
  • D . Knowledge of the IT staff regarding data protection requirements

Correct Answer: B

Explanation:

The most important prerequisite for the protection of physical information assets in a data center is a complete and accurate list of information assets that have been deployed. Information assets are any data, devices, systems, or software that have value for the organization and need to be protected from unauthorized access, use, disclosure, modification, or destruction. A data center is a facility that houses various information assets such as servers, storage devices, network equipment, etc., that support the organization’s IT operations and services. A complete and accurate list of information assets that have been deployed in a data center can help to identify and classify the assets based on their importance, sensitivity, or criticality for the organization. This can help to determine the appropriate level of protection and security measures that need to be applied to each asset. A complete and accurate list of information assets can also help to track and monitor the location, status, ownership, usage, configuration, maintenance, etc., of each asset. This can help to prevent or detect any unauthorized or inappropriate changes or movements of assets that may compromise their security or integrity. Segregation of duties between staff ordering and staff receiving information assets, availability and testing of onsite backup generators, and knowledge of the IT staff regarding data protection requirements are also important prerequisites for the protection of physical information assets in a data center, but not as important as a complete and accurate list of information assets that have been deployed. These factors are more related to the implementation and maintenance of security controls and procedures that depend on having a complete and accurate list of information assets as a starting point.

References: ISACA CISA Review Manual 27th Edition, page 308

Question #41

A proper audit trail of changes to server start-up procedures would include evidence of:

  • A . subsystem structure.
  • B . program execution.
  • C . security control options.
  • D . operator overrides.

Correct Answer: D

Explanation:

A proper audit trail of changes to server start-up procedures would include evidence of operator overrides, which are actions taken by the system operator to bypass or modify the normal execution of the server start-up process. Operator overrides may indicate unauthorized or improper changes that could affect the security, availability, or performance of the server. Therefore, an audit trail should capture and document any operator overrides that occur during the server start-up process. Evidence of subsystem structure, program execution, and security control options are not directly related to changes to server start-up procedures. Subsystem structure refers to the components and relationships of a subsystem within a larger system. Program execution refers to the process of running a software program on a computer. Security control options refer to the settings and parameters that define the security level and access rights for a system or application. These are all important aspects of auditing a server, but they do not provide evidence of changes to server start-up procedures.

Question #42

Which of the following would be a result of utilizing a top-down maturity model process?

  • A . A means of benchmarking the effectiveness of similar processes with peers
  • B . A means of comparing the effectiveness of other processes within the enterprise
  • C . Identification of older, more established processes to ensure timely review
  • D . Identification of processes with the most improvement opportunities

Correct Answer: D

Explanation:

A top-down maturity model process is a method of assessing and improving the maturity level of a process or a set of processes within an organization. A maturity level is a measure of how well-defined, controlled, measured, and optimized a process is. A top-down maturity model process starts with defining the desired maturity level and then identifying the gaps and improvement opportunities for each process. This helps prioritize the processes that need the most attention and improvement. Therefore, a result of utilizing a top-down maturity model process is identification of processes with the most improvement opportunities.

A means of benchmarking the effectiveness of similar processes with peers, a means of comparing the effectiveness of other processes within the enterprise, and identification of older, more established processes to ensure timely review are not results of utilizing a top-down maturity model process. These are possible benefits or objectives of using other types of maturity models or assessment methods, but they are not specific to a top-down approach.

Question #43

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

  • A . Agile auditing
  • B . Continuous auditing
  • C . Outsourced auditing
  • D . Risk-based auditing

Correct Answer: D

Explanation:

Risk-based auditing is an audit approach that focuses on the analysis and management of risk within an organization. Risk-based auditing helps identify and prioritize the areas or processes that pose the highest risk to the organization’s objectives and allocate audit resources accordingly. Risk-based auditing also helps provide assurance and advisory services related to the organization’s risk management processes and controls. By using risk-based auditing, internal auditors can optimize the use of their audit resources and add value to the organization.

Agile auditing, continuous auditing, and outsourced auditing are not audit approaches that are most helpful in optimizing the use of IS audit resources. Agile auditing is a flexible and iterative audit methodology that adapts to changing circumstances and stakeholder needs. Continuous auditing is a method of performing audit activities on a real-time or near-real-time basis using automated tools and techniques. Outsourced auditing is a practice of contracting external auditors to perform some or all of the internal audit functions. These audit methods may have some advantages or disadvantages depending on the context and objectives of the audit, but they do not necessarily optimize the use of IS audit resources.

Question #44

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

  • A . Annual sign-off of acceptable use policy
  • B . Regular monitoring of user access logs
  • C . Security awareness training
  • D . Formalized disciplinary action

Correct Answer: C

Explanation:

The most effective control to mitigate unintentional misuse of authorized access is security awareness training. This is because security awareness training can educate users on the proper use of their access rights, the potential consequences of misuse, and the best practices to protect the confidentiality, integrity, and availability of information systems. Security awareness training can also help users recognize and avoid common threats such as phishing, malware, and social engineering. Annual sign-off of acceptable use policy, regular monitoring of user access logs, and formalized disciplinary action are not the most effective controls to mitigate unintentional misuse of authorized access. These controls may help deter or detect intentional misuse, but they do not address the root cause of unintentional misuse, which is often a lack of knowledge or awareness of security policies and procedures.

Question #45

Which of the following BEST guards against the risk of attack by hackers?

  • A . Tunneling
  • B . Encryption
  • C . Message validation
  • D . Firewalls

Correct Answer: B

Explanation:

Among the options given, the best guard against the risk of attack by hackers is encryption. Encryption transforms data into ciphertext that is unreadable without the correct key, so data in transit and at rest stays confidential even if an attacker intercepts the traffic or copies the storage. Encryption on its own does not, however, protect integrity or authenticity; those properties come from message authentication codes or digital signatures, which are normally combined with encryption in protocols such as TLS.

Tunneling, message validation, and firewalls are not the best guards against the risk of attack by hackers. Tunneling encapsulates one network protocol within another between two endpoints, and only protects the traffic if the tunnel itself is encrypted and authenticated. Message validation verifies the format, content, and origin of a message before accepting it. Firewalls filter network traffic based on predefined rules, but cannot protect traffic that the rules allow through or data that is later taken from a host behind them. These controls reduce the exposure or impact of an attack, but data that an attacker does reach remains readable, which is the problem encryption addresses directly.

Question #46

A system development project is experiencing delays due to ongoing staff shortages.

Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

  • A . Implement overtime pay and bonuses for all development staff.
  • B . Utilize new system development tools to improve productivity.
  • C . Recruit IS staff to expedite system development.
  • D . Deliver only the core functionality on the initial target date.

Correct Answer: D

Explanation:

The strategy that would provide the greatest assurance of system quality at implementation is delivering only the core functionality on the initial target date. Narrowing the initial release to the essential features that meet user needs avoids compromising quality to hit the date: the smaller scope can be fully developed, tested, and stabilized by the staff available, and the remaining functionality can follow in later releases. Delivering only the core functionality also limits scope creep, complexity, and testing effort for the initial release.

Implementing overtime pay and bonuses for all development staff, utilizing new system development tools to improve productivity, and recruiting IS staff to expedite system development are not strategies that would provide the greatest assurance of system quality at implementation. These strategies may help speed up the system development process, but they may also introduce new risks or challenges such as burnout, learning curve, integration issues, or communication gaps. These risks or challenges may adversely affect the quality of the system.

Question #47

Which of the following should be done FIRST when planning a penetration test?

  • A . Execute nondisclosure agreements (NDAs).
  • B . Determine reporting requirements for vulnerabilities.
  • C . Define the testing scope.
  • D . Obtain management consent for the testing.

Correct Answer: D

Explanation:

The first step when planning a penetration test is to obtain management consent for the testing. This is because a penetration test involves simulating a cyberattack against the organization’s systems and networks, which may have legal, ethical, and operational implications. Without proper authorization from management, a penetration test may violate laws, policies, contracts, or service level agreements. Management consent also helps define the objectives, scope, and boundaries of the test, as well as the roles and responsibilities of the testers and the stakeholders. Obtaining management consent for the testing also demonstrates due care and due diligence on the part of the testers and the organization.

Executing nondisclosure agreements (NDAs), determining reporting requirements for vulnerabilities, and defining the testing scope are important steps when planning a penetration test, but they are not the first step. These steps should be done after obtaining management consent for the testing, as they depend on the approval and involvement of management and other parties.

Question #48

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions.

Which of the following is MOST important for the organization to ensure?

  • A . The policy includes a strong risk-based approach.
  • B . The retention period allows for review during the year-end audit.
  • C . The total transaction amount has no impact on financial reporting.
  • D . The retention period complies with data owner responsibilities.

Correct Answer: D

Explanation:

The most important thing for the organization to ensure when reducing the actual retention period for media containing completed low-value transactions is that the retention period complies with data owner responsibilities. Data owners are accountable for the quality, security, and availability of the data under their control. They are also responsible for defining and enforcing data retention policies that comply with legal, regulatory, contractual, and business requirements. Data owners should be consulted and involved in any decision that affects the retention period of their data, as they are ultimately liable for any consequences of data loss or breach.

The policy includes a strong risk-based approach, the retention period allows for review during the year-end audit, and the total transaction amount has no impact on financial reporting are not the most important things for the organization to ensure when reducing the actual retention period for media containing completed low-value transactions. These are possible factors or benefits that may influence or justify the decision, but they do not override or replace the data owner responsibilities.

Question #49

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

  • A . Rollback strategy
  • B . Test cases
  • C . Post-implementation review objectives
  • D . Business case

Correct Answer: D

Explanation:

The most important consideration for a go-live decision when implementing an upgraded enterprise resource planning (ERP) system is the business case. The business case is the document that defines and justifies the need, value, feasibility, and risks of the project. It also outlines the expected costs, benefits, outcomes, and impacts of the project. The business case provides the basis for measuring and evaluating the success of the project. Therefore, before deciding to go live with an upgraded ERP system, it is essential to review and validate the business case to ensure that it is still relevant, accurate, realistic, and achievable.

A rollback strategy, test cases, and post-implementation review objectives are not the most important considerations for a go-live decision when implementing an upgraded ERP system. These are important elements of project planning, execution, and evaluation, but they are not sufficient to determine whether the project is worth pursuing or delivering. These elements should be aligned with and derived from the business case.

Question #50

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization’s goals?

  • A . Balanced scorecard
  • B . Enterprise dashboard
  • C . Enterprise architecture (EA)
  • D . Key performance indicators (KPIs)

Correct Answer: A

Explanation:

The most useful tool for determining whether the goals of IT are aligned with the organization’s goals is a balanced scorecard. A balanced scorecard is a strategic management system that translates an organization’s vision and mission into a set of objectives and measures across four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard helps align IT goals with organizational goals by linking them to a common strategy map that shows how IT contributes to value creation and performance improvement in each perspective. A balanced scorecard also helps monitor and evaluate IT performance against predefined targets and indicators. Enterprise dashboard, enterprise architecture (EA), and key performance indicators (KPIs) are not the most useful tools for determining whether the goals of IT are aligned with the organization’s goals. These tools may help communicate, design, or measure IT goals or activities, but they do not provide a comprehensive framework for aligning IT goals with organizational goals across multiple dimensions.

Question #51

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

  • A . perform a business impact analysis (BIA).
  • B . issue an intermediate report to management.
  • C . evaluate the impact on current disaster recovery capability.
  • D . conduct additional compliance testing.

Correct Answer: C

Explanation:

The first step that an IS auditor should take when finding that a business impact analysis (BIA) has not been performed is to evaluate the impact on current disaster recovery capability. A BIA is a process that identifies and analyzes the potential effects of disruptions to critical business functions and processes. A BIA helps determine the recovery priorities, objectives, and strategies for the organization. Without a BIA, the disaster recovery plan may not be aligned with the business needs and expectations, and may not provide adequate protection and recovery for the most critical assets and activities. Therefore, an IS auditor should assess how the lack of a BIA affects the current disaster recovery capability and identify any gaps or risks that need to be addressed.

Performing a BIA, issuing an intermediate report to management, and conducting additional compliance testing are not the first steps that an IS auditor should take when finding that a BIA has not been performed. These steps may be done later in the audit process, after evaluating the impact on current disaster recovery capability. Performing a BIA is not the responsibility of the IS auditor, but of the business owners and managers. Issuing an intermediate report to management may be premature without sufficient evidence and analysis. Conducting additional compliance testing may not be relevant or necessary without a clear understanding of the disaster recovery requirements and objectives.

Question #52

Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

  • A . Monitor access to stored images and snapshots of virtual machines.
  • B . Restrict access to images and snapshots of virtual machines.
  • C . Limit creation of virtual machine images and snapshots.
  • D . Review logical access controls on virtual machines regularly.

Correct Answer: A

Explanation:

The most effective control, among those offered, for protecting the confidentiality and integrity of data stored unencrypted on virtual machines is to monitor access to stored images and snapshots of virtual machines. Images and snapshots are complete copies of a virtual machine’s disks (and, for snapshots, often its memory) taken for backup, restoration, or cloning purposes. If the data on the virtual machine is unencrypted, every image and snapshot is an unencrypted copy of it, so anyone who can read, export, or clone those files obtains the data without ever logging in to the running machine. Monitoring access to stored images and snapshots can therefore detect unauthorized or suspicious activity, such as a snapshot being exported by an account with no business need, and provides an audit trail for accountability and investigation. Monitoring is a detective control: it only delivers value if the logs are reviewed and alerts are acted on. Encrypting the virtual disks would remove the exposure at its source, but that option is not offered.

Restricting access to images and snapshots of virtual machines, limiting creation of virtual machine images and snapshots, and reviewing logical access controls on virtual machines regularly are not the most effective controls for protecting the confidentiality and integrity of data stored unencrypted on virtual machines. These controls reduce the likelihood or impact of exposure, but they provide no visibility into what actually happens to the copies. Restricting access does not prevent authorized users from abusing their privileges or attackers from using stolen credentials. Limiting the creation of images and snapshots does not address the copies that already exist and may contain sensitive data. Reviewing logical access controls on the virtual machines themselves says nothing about who has accessed the images and snapshots stored outside them.
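As an added example, not part of the exam material, the following script shows the kind of monitoring the answer refers to: it reads image and snapshot audit events and raises an alert when the principal is not on the approved list, when the action copies image data out (export, download, clone), or when the access happens outside the normal change window. The event schema, field names, principals, and actions are assumptions constructed for this example; a real hypervisor or cloud audit log will have its own format, but the three checks carry over.

```python
"""Added example (not from the CISA page): detector over constructed
VM image/snapshot audit events. Flags access by principals outside an
approved list, exports/clones of image data, and access outside a change
window. The JSON schema and every field name are assumptions."""
import json
from datetime import datetime, timezone

# Constructed sample log: one JSON event per line (assumed schema).
SAMPLE_EVENTS = """\
{"ts":"2024-03-04T10:15:00Z","principal":"backup-svc","action":"snapshot.read","target":"vm-db-01/snap-17"}
{"ts":"2024-03-04T10:20:00Z","principal":"jdoe","action":"snapshot.export","target":"vm-db-01/snap-17"}
{"ts":"2024-03-04T02:40:00Z","principal":"backup-svc","action":"image.clone","target":"img-erp-prod"}
{"ts":"2024-03-04T11:05:00Z","principal":"contractor-x","action":"snapshot.read","target":"vm-hr-02/snap-03"}
{"ts":"2024-03-04T11:06:00Z","principal":"vsphere-admin","action":"snapshot.delete","target":"vm-hr-02/snap-03"}
"""

APPROVED_PRINCIPALS = {"backup-svc", "vsphere-admin"}          # assumed allowlist
EXFIL_ACTIONS = {"snapshot.export", "image.download", "image.clone"}
WINDOW_START, WINDOW_END = 6, 22   # hours (UTC) treated as the normal change window


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return the list of alert reasons for one event (empty list = nothing noteworthy)."""
    reasons = []
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    if event["principal"] not in APPROVED_PRINCIPALS:
        reasons.append("unapproved principal")
    if event["action"] in EXFIL_ACTIONS:
        reasons.append("copy/export of image data")
    if not (WINDOW_START <= ts.hour < WINDOW_END):
        reasons.append("outside change window")
    return reasons


def detect(text):
    """Run every event through classify() and return (principal, action, target, reasons) per alert."""
    alerts = []
    for ev in parse_events(text):
        reasons = classify(ev)
        if reasons:
            alerts.append((ev["principal"], ev["action"], ev["target"], reasons))
    return alerts


if __name__ == "__main__":
    for principal, action, target, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT {principal} {action} {target}: {', '.join(reasons)}")
```

On the constructed input the approved backup read and the administrator’s deletion pass silently, while the export by an unapproved user, the clone performed at 02:40, and the contractor’s read each produce an alert. In production the alert output would feed a SIEM or ticket queue; the value of the control lies in someone reviewing those alerts.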

Question #53

An IS auditor is examining a front-end subledger and a main ledger.

Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

  • A . Double-posting of a single journal entry
  • B . Inability to support new business transactions
  • C . Unauthorized alteration of account attributes
  • D . Inaccuracy of financial reporting

Correct Answer: D

Explanation:

The greatest concern for an IS auditor if there are flaws in the mapping of accounts between a front-end subledger and a main ledger is the inaccuracy of financial reporting. A subledger is a detailed record of transactions for a specific account, such as accounts receivable, accounts payable, inventory, or fixed assets. A main ledger is a summary record of all transactions for all accounts in an accounting system. The mapping of accounts between a subledger and a main ledger is the process of linking or reconciling the transactions in the subledger with the corresponding entries in the main ledger. If there are flaws in the mapping of accounts, such as missing, duplicated, or incorrect transactions, the main ledger may not reflect the true financial position and performance of the organization. This may lead to inaccurate financial reporting, which may affect decision making, compliance, auditing, taxation, and stakeholder confidence.

Double-posting of a single journal entry, inability to support new business transactions, and unauthorized alteration of account attributes are not the greatest concerns for an IS auditor if there are flaws in the mapping of accounts between a front-end subledger and a main ledger. These are possible consequences or causes of flaws in the mapping of accounts, but they do not have as significant an impact as inaccuracy of financial reporting. Double-posting of a single journal entry may result in errors or discrepancies in the main ledger balances. Inability to support new business transactions may indicate limitations or inefficiencies in the accounting system design or configuration. Unauthorized alteration of account attributes may suggest weaknesses or breaches in access control or segregation of duties.

Question #54

What is MOST important to verify during an external assessment of network vulnerability?

  • A . Update of security information event management (SIEM) rules
  • B . Regular review of the network security policy
  • C . Completeness of network asset inventory
  • D . Location of intrusion detection systems (IDS)

Correct Answer: C

Explanation:

An external assessment of network vulnerability is a process of identifying and evaluating the weaknesses and risks that affect the security and availability of a network from an outsider’s perspective. The most important factor to verify during this process is the completeness of network asset inventory, which is a list of all the devices, systems, and software that are connected to or part of the network. A complete and accurate network asset inventory can help identify the scope and boundaries of the network, the potential attack vectors and entry points, the critical assets and dependencies, and the existing security controls and gaps. Without a complete network asset inventory, an external assessment of network vulnerability may miss some important assets or vulnerabilities, leading to inaccurate or incomplete results and recommendations.

References:

1 explains what is an external vulnerability scan and why it is important to have a complete network asset inventory.

2 provides a guide on how to conduct a full network vulnerability assessment and emphasizes the importance of knowing the network assets.

3 compares internal and external vulnerability scanning and highlights the need for a comprehensive network asset inventory for both types.
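As an added example that is not part of the exam material, the following script performs the completeness check the answer describes: it reconciles the addresses an external scan actually found against the asset inventory, reporting discovered hosts that no inventory entry accounts for (the assessment would otherwise be scoped without them) and inventory entries that answered nothing (which need follow-up before the scope is signed off). The inventory entries, the discovered addresses, and the idea of a reserved DMZ block are constructed for this example; the addresses come from the documentation ranges.

```python
"""Added example (not from the CISA page): reconcile externally discovered
hosts against the asset inventory to judge inventory completeness.
Inventory and scan results below are constructed sample data."""
import ipaddress

# Constructed inventory: asset name -> address or network it is known to use.
INVENTORY = {
    "www-01": "203.0.113.10",
    "mail-01": "203.0.113.20",
    "vpn-gw": "203.0.113.30",
    "dmz-range": "203.0.113.64/27",   # block reserved for DMZ hosts
}

# Constructed discovery result, e.g. the live hosts an external scan reported.
DISCOVERED = ["203.0.113.10", "203.0.113.20", "203.0.113.70", "203.0.113.99", "198.51.100.5"]


def inventory_networks(inventory):
    """Normalise every inventory entry to an ip_network (single hosts become /32)."""
    return {name: ipaddress.ip_network(addr, strict=False) for name, addr in inventory.items()}


def reconcile(inventory, discovered):
    """Split discovered addresses into matched inventory entries and unknown hosts,
    and list inventory entries that the scan did not see."""
    nets = inventory_networks(inventory)
    unknown, matched = [], {}
    for ip in map(ipaddress.ip_address, discovered):
        owners = [name for name, net in nets.items() if ip in net]
        if owners:
            matched.setdefault(owners[0], []).append(str(ip))
        else:
            unknown.append(str(ip))
    # A silent entry is not proof the asset is gone (it may be down or filtered),
    # but it must be explained before the assessment scope is accepted.
    silent = sorted(name for name in nets if name not in matched)
    return {"unknown": unknown, "silent": silent, "matched": matched}


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED)
    print("Discovered but not in inventory:", result["unknown"])
    print("In inventory but not discovered:", result["silent"])
    print("Matched:", result["matched"])
```

Here 203.0.113.99 lies outside the reserved DMZ block and 198.51.100.5 is in a range the inventory does not know at all, so both are flagged as unknown, while the VPN gateway is listed as silent. Either finding means the inventory, the scan scope, or both are incomplete and the assessment should not proceed until the discrepancy is resolved.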

Question #55

A data breach has occurred due to malware.

Which of the following should be the FIRST course of action?

  • A . Notify the cyber insurance company.
  • B . Shut down the affected systems.
  • C . Quarantine the impacted systems.
  • D . Notify customers of the breach.

Correct Answer: C

Explanation:

The first course of action when a data breach has occurred due to malware is to quarantine the impacted systems. This means isolating the infected systems from the rest of the network and preventing any further communication or data transfer with them, while leaving them running. This contains the spread of the malware, limits further damage and exposure of sensitive data, and facilitates investigation and remediation. Quarantining, rather than shutting the systems down (option B), also preserves the evidence needed for forensic analysis or legal action: powering off destroys volatile evidence such as memory contents, running processes, and active network connections. Notifying the cyber insurer (option A) and customers (option D) are necessary later steps, typically with contractual and legal deadlines, but they can only be done accurately once the spread has been contained and the scope of the breach is understood.

References:

[1] provides a guide on how to respond to a data breach caused by malware and recommends quarantining the impacted systems as the first step.

[2] explains what is malware and how it can cause data breaches, and suggests quarantining the infected devices as a best practice.

[3] describes the steps involved in quarantining a system infected by malware and the benefits of doing so.

Question #56

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

  • A . The system does not have a maintenance plan.
  • B . The system contains several minor defects.
  • C . The system deployment was delayed by three weeks.
  • D . The system was over budget by 15%.

Correct Answer: A

Explanation:

A post-implementation review (PIR) is an assessment conducted at the end of a project cycle to determine if the project was indeed successful and to identify any existing flaws in the project [1]. One of the main objectives of a PIR is to evaluate the outcome and functional value of a project [1]. Therefore, an IS auditor should be most concerned with whether the system meets the intended requirements and delivers the expected benefits to the stakeholders. A system that does not have a maintenance plan is a major risk, as it may not be able to cope with changing needs, fix errors, or prevent security breaches. A maintenance plan is essential for ensuring the system’s reliability, availability, and performance in the long term [2].

The other options are less critical for a PIR, as they are more related to the project management aspects than the system quality aspects. The system may contain several minor defects that do not affect its functionality or usability, and these can be resolved in future updates. The system deployment may be delayed by three weeks due to unforeseen circumstances or dependencies, but this does not necessarily mean that the system is faulty or ineffective. The system may be over budget by 15% due to various factors such as scope creep, resource constraints, or market fluctuations, but this does not imply that the system is not valuable or beneficial.

References: [1] Post-Implementation Review Best Practices – MetaPM; [2] What is Post-Implementation Review in Project Management?

Question #57

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

  • A . Frequent testing of backups
  • B . Annual walk-through testing
  • C . Periodic risk assessment
  • D . Full operational test

Correct Answer: D

Explanation:

A disaster recovery plan (DRP) is a set of procedures and resources that enable an organization to restore its critical operations, data, and applications in the event of a disaster [1]. A DRP should be aligned with the organization’s business continuity plan (BCP), which defines the strategies and objectives for maintaining business functions during and after a disaster [1].

To ensure that a DRP is effective, it should be tested regularly and thoroughly to identify and resolve any issues or gaps that might hinder its execution [2][3][4][5]. Testing a DRP can help evaluate its feasibility, validity, reliability, and compatibility with the organization’s environment and needs [4]. Testing can also help prepare the staff, stakeholders, and vendors involved in the DRP for their roles and responsibilities during a disaster [3].

There are different methods and levels of testing a DRP, depending on the scope, complexity, and objectives of the test [4].

Some of the common testing methods are:

Walkthrough testing: This is a step-by-step review of the DRP by the disaster recovery team and relevant stakeholders. It aims to verify the completeness and accuracy of the plan, as well as to clarify any doubts or questions among the participants [4][5].

Simulation testing: This is a mock exercise of the DRP in a simulated disaster scenario. It aims to assess the readiness and effectiveness of the plan, as well as to identify any challenges or weaknesses that might arise during a real disaster [4][5].

Checklist testing: This is a verification of the availability and functionality of the resources and equipment required for the DRP. It aims to ensure that the backup systems, data, and documentation are accessible and up-to-date [4][5].

Full interruption testing: This is the most realistic and rigorous method of testing a DRP. It involves shutting down the primary site and activating the backup site for a certain period of time. It aims to measure the actual impact and performance of the DRP under real conditions [4][5].

Parallel testing: This is a less disruptive method of testing a DRP. It involves running the backup site in parallel with the primary site without affecting the normal operations. It aims to compare and validate the results and outputs of both sites [4][5].

Among these methods, full interruption testing, which is what option D’s full operational test describes, would best demonstrate that an effective DRP is in place, as it provides the most accurate and comprehensive evaluation of the plan’s capabilities and limitations [4]. Full interruption testing can reveal hidden or unforeseen issues or risks that might affect the recovery process, such as data loss, system failure, compatibility problems, or human error [4]. It can also verify that the backup site can support the critical operations and services of the organization without compromising quality or security [4]. However, full interruption testing is also costly, time-consuming, risky, and disruptive to normal operations [4], so it should be planned carefully, including the procedure for returning to the primary site, and conducted periodically with proper coordination and communication among all parties involved [4].

The other options are not as effective as full interruption testing in demonstrating that an effective DRP is in place. Frequent testing of backups is only one aspect of checklist testing and does not cover the other components or scenarios of the DRP [4]. Annual walk-through testing is only a theoretical review of the DRP and does not test its practical implementation or outcomes [4]. Periodic risk assessment is a preparatory step for developing or updating the DRP and does not test its functionality or performance [4].

References: [1] How to Test a Disaster Recovery Plan – Abacus; [2] Best Practices For Disaster Recovery Testing | Snyk; [3] Disaster Recovery Plan (DR) Testing ― Methods and Must-haves – US Signal; [4] Disaster Recovery Testing: What You Need to Know – Enterprise Storage Forum; [5] Disaster Recovery Testing Best Practices – MSP360

Question #58

Which of the following is the BEST way to mitigate the impact of ransomware attacks?

  • A . Invoking the disaster recovery plan (DRP)
  • B . Backing up data frequently
  • C . Paying the ransom
  • D . Requiring password changes for administrative accounts

Correct Answer: B

Explanation:

Ransomware is a type of malicious software that encrypts the victim’s data and demands a ransom for its decryption [1]. Ransomware attacks can cause significant damage to an organization’s operations, reputation, and finances [1]. Therefore, it is important to mitigate the impact of ransomware attacks by implementing effective prevention and recovery strategies.

One of the best ways to mitigate the impact of ransomware attacks is to back up data frequently [1][2][3][4][5]. Data backups are copies of the organization’s data stored in a separate location or medium, such as an external hard drive, cloud storage, or tape [2]. Backups allow the organization to restore its data after a ransomware attack without paying the ransom or losing valuable information [2]. Backups should be taken regularly, daily or weekly depending on the criticality and volume of the data [2], and at least one copy should be kept offline or on immutable storage, because ransomware operators deliberately look for and encrypt or delete any backup that is reachable over the network. Backups should also be restored periodically in a test environment to confirm their integrity and usability [2]; an untested backup is not a recovery capability.

The other options are not as effective as backing up data frequently in mitigating the impact of ransomware attacks. Invoking the disaster recovery plan (DRP) is a reactive measure that can help the organization resume its operations after a ransomware attack, but it does not prevent or reduce the damage caused by the attack [3], and in practice the DRP depends on usable backups existing in the first place. Paying the ransom is not a recommended option, as it does not guarantee the decryption of the data or the deletion of any stolen data by the attackers. Paying the ransom also encourages further attacks and funds criminal activity [1][4]. Requiring password changes for administrative accounts is a good security practice, but it is not sufficient to prevent or recover from ransomware attacks, which commonly arrive through phishing emails, unpatched software, or weak network security [1][5].

References: [1] How to Mitigate the Risk of Ransomware Attacks: The Definitive Guide; [2] Mitigating malware and ransomware attacks – The National Cyber Security Centre; [3] 3 steps to prevent and recover from ransomware; [4] Ransomware Epidemic: Use these 8 Strategies to Mitigate Risk; [5] Practical Steps to Mitigate Ransomware Attacks – ITSecurityWire

Question #59

Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported.

Which of the following is the IS auditor’s BEST recommendation?

  • A . Ensure corrected program code is compiled in a dedicated server.
  • B . Ensure change management reports are independently reviewed.
  • C . Ensure programmers cannot access code after the completion of program edits.
  • D . Ensure the business signs off on end-to-end user acceptance test (UAT) results.

Correct Answer: C

Explanation:

The IS auditor’s best recommendation is to ensure that programmers cannot access code after the completion of program edits. The sequence described, malicious code found and corrected before release and then reported again afterwards, indicates that someone was able to alter the code after it had been reviewed and tested, so the code that was tested and the code that was released were not the same. Restricting programmer access once edits are complete, with the release performed by a separate function from a controlled repository or build (segregation of duties between development and deployment), ensures that only the reviewed and tested version reaches production and prevents the same issue from being reintroduced. Compiling on a dedicated server, independently reviewing change management reports, or obtaining business sign-off on UAT results are worthwhile controls, but none of them by itself stops a programmer from modifying the code between testing and release.

References:

1 discusses the importance of controlling access to code after editing and testing, and provides some best practices for doing so.

2 explains how programmers can introduce malicious code into applications, and how to prevent and detect such attacks.

3 describes the role of IS auditors in reviewing and assessing the security and quality of application code.

Question #60

Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

  • A . business impact analysis (BIA).
  • B . threat and risk assessment.
  • C . business continuity plan (BCP).
  • D . disaster recovery plan (DRP).

Correct Answer: C

Explanation:

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster [1]. A core part of a BCP is the documentation of workaround processes to keep a business function operational during recovery of IT systems. Workaround processes are alternative methods or procedures that can be used to perform a business function when the normal IT systems are unavailable or disrupted [2]. For example, if an online payment system is down, a workaround process could be to accept manual payments or use a backup system. Workaround processes help to minimize the impact of IT disruptions on the business operations and ensure continuity of service to customers and stakeholders [3].

References:

1 explains what is a business continuity plan and why it is important.

2 defines what is a workaround process and how it can be used in a BCP.

3 provides examples of workaround processes for different business functions.

Question #61

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

  • A . Limiting the size of file attachments being sent via email
  • B . Automatically deleting emails older than one year
  • C . Moving emails to a virtual email vault after 30 days
  • D . Allowing employees to store large emails on flash drives

Correct Answer: A

Explanation:

The best strategy to optimize data storage without compromising data retention practices is to limit the size of file attachments being sent via email. This reduces the storage consumed by email messages and the bandwidth consumed by email traffic without deleting anything that must be retained. Attachments are often larger than they need to be and can be compressed, converted to a more compact format, or replaced by a link to a centrally stored copy, which also keeps a single authoritative version of the document under the organization’s retention controls instead of many copies in individual mailboxes. Automatically deleting emails older than one year (option B) compromises retention, because some messages are subject to legal, regulatory, or business retention periods longer than a year. Allowing employees to store large emails on flash drives (option D) moves records onto uncontrolled, easily lost media outside the retention process. Moving emails to a virtual vault after 30 days (option C) relocates the data rather than reducing it.

References:

Data Storage Optimization: What is it and Why Does it Matter?

Data storage optimization 101: Everything you need to know

Question #62

Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

  • A . Align service level agreements (SLAs) with current needs.
  • B . Monitor customer satisfaction with the change.
  • C . Minimize costs related to the third-party agreement.
  • D . Ensure right to audit is included within the contract.

Correct Answer: A

Explanation:

The primary area of focus when an organization decides to outsource technical support for its external customers is to align service level agreements (SLAs) with current needs. SLAs are contracts that define the scope, quality, and expectations of the services provided by the vendor, as well as the remedies or penalties for non-compliance. SLAs are essential for ensuring that the outsourced technical support meets the customer’s requirements and satisfaction, as well as the organization’s objectives and standards. By aligning SLAs with current needs, the organization can specify the key performance indicators (KPIs), metrics, and targets that reflect the desired outcomes and value of the technical support. This can also help to monitor and evaluate the vendor’s performance, identify gaps or issues, and implement corrective actions or improvements.

References:

Service Level Agreement (SLA) Examples and Template

What is an SLA? Best practices for service-level agreements

Question #63

To confirm integrity for a hashed message, the receiver should use:

  • A . the same hashing algorithm as the sender’s to create a binary image of the file.
  • B . a different hashing algorithm from the sender’s to create a binary image of the file.
  • C . the same hashing algorithm as the sender’s to create a numerical representation of the file.
  • D . a different hashing algorithm from the sender’s to create a numerical representation of the file.

Correct Answer: A

Explanation:

To confirm integrity for a hashed message, the receiver should use the same hashing algorithm as the sender’s to create a binary image of the file. A hashing algorithm is a mathematical function that transforms input data into a fixed-length output value, called a hash or a digest. A hashing algorithm has two main properties: it is one-way, meaning that it is easy to compute the hash from the input but hard to recover the input from the hash; and it is collision-resistant, meaning that it is very unlikely that two different inputs produce the same hash. These properties make hashing algorithms useful for verifying the integrity of data, as any change in the input data will result in a different hash value. Therefore, to confirm integrity for a hashed message, the receiver should use the same hashing algorithm as the sender’s to create a binary image of the file, which is a representation of the file in bits (0s and 1s). The receiver should then compare this binary image with the hash value sent by the sender. If they match, the message has not been altered in transit. If they do not match, the message has been corrupted or tampered with.

References:

Ensuring Data Integrity with Hash Codes

Message Integrity
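The receiver-side check described in the explanation above, as an added example that is not part of the original page: the sender hashes the message, the receiver recomputes the digest with the same algorithm and compares it. The sample message and the key are constructed for the example. The keyed HMAC variant is included as the practitioner's caveat: a bare digest sent alongside the message proves only that the message matches that digest, so the digest itself must be protected (by a key, a signature, or a separate channel) before the comparison proves anything about tampering.

```python
import hashlib
import hmac

# Constructed sample message and key (not from the original page).
MESSAGE = b"Transfer 100.00 to account 12345"
SHARED_KEY = b"example-shared-key-for-demo-only"


def make_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Sender side: hash the data with a named algorithm and return the hex digest."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Receiver side: recompute with the SAME algorithm and compare.

    hmac.compare_digest runs in time independent of where the strings first
    differ, so the comparison does not leak how much of the digest matched.
    """
    actual_hex = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex)


def make_mac(key: bytes, data: bytes) -> str:
    """Keyed variant: only a holder of the key can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, expected_hex: str) -> bool:
    """Receiver side of the keyed variant."""
    return hmac.compare_digest(make_mac(key, data), expected_hex)


def demo() -> dict:
    """Show the three outcomes the explanation describes."""
    sent = make_digest(MESSAGE)                      # digest that travels with the message
    tampered = MESSAGE.replace(b"12345", b"99999")   # one field changed in transit
    return {
        "same_algorithm_intact": verify_digest(MESSAGE, sent, "sha256"),
        "same_algorithm_tampered": verify_digest(tampered, sent, "sha256"),
        "different_algorithm": verify_digest(MESSAGE, sent, "sha512"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first case in `demo()` returns `True`: a tampered message fails because the digest changes, and a different algorithm fails even on an intact message because the receiver is comparing unrelated outputs.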

Question #64

Which of the following is MOST important to ensure when planning a black box penetration test?

  • A . The management of the client organization is aware of the testing.
  • B . The test results will be documented and communicated to management.
  • C . The environment and penetration test scope have been determined.
  • D . Diagrams of the organization’s network architecture are available.

Correct Answer: C

Explanation:

A black box penetration test is a type of security assessment that simulates an attack on a system or network without any prior knowledge of its configuration or architecture. The main objective of this test is to identify vulnerabilities and weaknesses that can be exploited by external or internal threat actors. To plan a black box penetration test, it is most important to ensure that the environment and penetration test scope have been determined. This means that the tester and the client organization have agreed on the boundaries, objectives, methods, and deliverables of the test, as well as the legal and ethical aspects of the engagement. Without a clear definition of the environment and scope, the test may not be effective, efficient, or compliant with relevant standards and regulations.

Additionally, the tester may cause unintended damage or disruption to the client’s systems or networks, or violate their privacy or security policies.

References:

What are black box, grey box, and white box penetration testing?

What Is Black-Box Penetration Testing and Why Should You Choose It?

Question #65

Which of the following is the BEST method to safeguard data on an organization’s laptop computers?

  • A . Disabled USB ports
  • B . Full disk encryption
  • C . Biometric access control
  • D . Two-factor authentication

Correct Answer: B

Explanation:

The best method to safeguard data on an organization’s laptop computers is full disk encryption. Full disk encryption is a technique that encrypts all the data stored on a hard drive, including the operating system, applications, files, and folders. This means that if the laptop is lost, stolen, or accessed by an unauthorized person, they will not be able to read or modify any data without knowing the encryption key or password. Full disk encryption provides a strong level of protection for data at rest, as it prevents data leakage or exposure in case of physical theft or loss of the device.

References:

How to Protect the Data on Your Laptop

6 Steps to Practice Strong Laptop Security

Question #66

An IS auditor is planning an audit of an organization’s accounts payable processes.

Which of the following controls is MOST important to assess in the audit?

  • A . Segregation of duties between issuing purchase orders and making payments.
  • B . Segregation of duties between receiving invoices and setting authorization limits
  • C . Management review and approval of authorization tiers
  • D . Management review and approval of purchase orders

Correct Answer: A

Explanation:

The most important control to assess in an audit of an organization’s accounts payable processes is segregation of duties between issuing purchase orders and making payments. Segregation of duties is a principle that requires different individuals or departments to perform different tasks or functions within a process, in order to prevent fraud, errors, or conflicts of interest. In the accounts payable process, segregation of duties between issuing purchase orders and making payments ensures that no one person can initiate and complete a transaction without proper authorization and verification. This reduces the risk of duplicate payments, overpayments, unauthorized payments, or payments to fictitious vendors.

References:

Accounts payable controls

Accounts Payable Internal Controls: A Simple Checklist
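An auditor testing the segregation-of-duties control above usually does so with data: extract purchase orders and payments and look for the failure modes the explanation lists. The following is an added example, not from the original page or any CISA material; the record layout and the names in it are constructed, and a real test would read the same fields from the ERP's purchase-order and payment tables.

```python
from collections import defaultdict

# Constructed sample accounts-payable records (not from the original page).
PURCHASE_ORDERS = [
    {"po": "PO-1001", "vendor": "V-10", "issued_by": "alice", "amount": 4200.00},
    {"po": "PO-1002", "vendor": "V-22", "issued_by": "bob", "amount": 1500.00},
    {"po": "PO-1003", "vendor": "V-22", "issued_by": "carol", "amount": 8000.00},
]
PAYMENTS = [
    {"payment": "PAY-501", "po": "PO-1001", "paid_by": "dave", "amount": 4200.00},
    {"payment": "PAY-502", "po": "PO-1002", "paid_by": "bob", "amount": 1500.00},   # issuer paid own PO
    {"payment": "PAY-503", "po": "PO-1002", "paid_by": "erin", "amount": 1500.00},  # second payment of PO-1002
    {"payment": "PAY-504", "po": "PO-9999", "paid_by": "erin", "amount": 900.00},   # no such PO
]


def find_sod_violations(orders, payments):
    """Payments where the payer is the same person who issued the purchase order."""
    issuer_by_po = {o["po"]: o["issued_by"] for o in orders}
    return [p["payment"] for p in payments if issuer_by_po.get(p["po"]) == p["paid_by"]]


def find_duplicate_payments(payments):
    """Purchase orders that were settled more than once."""
    count = defaultdict(int)
    for p in payments:
        count[p["po"]] += 1
    return sorted(po for po, n in count.items() if n > 1)


def find_payments_without_po(orders, payments):
    """Payments that reference no known purchase order (unauthorized or fictitious vendor)."""
    known = {o["po"] for o in orders}
    return [p["payment"] for p in payments if p["po"] not in known]


def run_checks(orders=PURCHASE_ORDERS, payments=PAYMENTS) -> dict:
    """Run every test and return the exceptions for the audit working papers."""
    return {
        "sod_violations": find_sod_violations(orders, payments),
        "duplicate_payments": find_duplicate_payments(payments),
        "payments_without_po": find_payments_without_po(orders, payments),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits}")
```

Each function maps to one risk the explanation names: the first is the segregation-of-duties test itself, the other two catch duplicate payments and payments to non-existent purchase orders, which are the consequences a missing segregation control tends to produce.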

Question #67

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

  • A . Incident monitoring logs
  • B . The ISP service level agreement
  • C . Reports of network traffic analysis
  • D . Network topology diagrams

Correct Answer: D

Explanation:

Network topology diagrams are the most important for an IS auditor to review when evaluating the design of controls related to network monitoring, because they show how the network components are connected and configured, and what security measures are in place to protect the network from unauthorized access or attacks. Incident monitoring logs, the ISP service level agreement, and reports of network traffic analysis are useful for evaluating the effectiveness and performance of network monitoring, but not the design of controls.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.3

Question #68

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers.

During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

  • A . Review system and error logs to verify transaction accuracy.
  • B . Review input and output control reports to verify the accuracy of the system decisions.
  • C . Review signed approvals to ensure responsibilities for decisions of the system are well defined.
  • D . Review system documentation to ensure completeness.

Correct Answer: B

Explanation:

Reviewing input and output control reports to verify the accuracy of the system decisions is the most important procedure for the IS auditor to perform during the post-implementation review of intelligent-agent software for granting loans to customers, because it can help identify any errors or anomalies in the system logic or data that may affect the quality and reliability of the system outcomes. Reviewing system and error logs, signed approvals, and system documentation are also important procedures, but they are not as critical as verifying the accuracy of the system decisions.

References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.21

Question #69

What is the BEST control to address SQL injection vulnerabilities?

  • A . Unicode translation
  • B . Secure Sockets Layer (SSL) encryption
  • C . Input validation
  • D . Digital signatures

Correct Answer: C

Explanation:

Input validation is the best control to address SQL injection vulnerabilities, because it can prevent malicious users from entering SQL commands or statements into input fields that are intended for data entry, such as usernames or passwords. SQL injection is a technique that exploits a security vulnerability in an application’s software by inserting SQL code into a query string that can execute commands on a database server. Unicode translation, SSL encryption, and digital signatures are not effective controls against SQL injection, because they do not prevent or detect SQL code injection into input fields.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2
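The vulnerability and the control described above, as an added example that is not part of the original page. It uses an in-memory SQLite table constructed for the example: the first lookup splices user input into the query text, so the input is interpreted as SQL; the hardened lookup validates the input against an allow-list and passes it as a bound parameter, so it can only ever be compared as data.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """'Before' form: the input becomes part of the SQL statement itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username: str) -> list:
    """Bound parameter: the driver sends the value separately, never as SQL text."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username: str) -> str:
    """Input validation: allow-list of characters plus a bounded length.

    Rejecting unexpected input early keeps bad data out of logs, error
    messages and any later code path that is not parameterized.
    """
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return username


def lookup_hardened(conn, username: str) -> list:
    """Both layers together: validate, then query with a bound parameter."""
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    db = build_db()
    tainted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tainted))      # returns every user
    print("parameterized:", lookup_parameterized(db, tainted))  # matches nothing
    try:
        lookup_hardened(db, tainted)
    except ValueError as exc:
        print("hardened:", exc)                                 # rejected before the query
```

The parameterized query is what actually neutralizes the injection; the allow-list validation is the input-validation control the answer names, and it is worth keeping even where every query is parameterized, because it fails closed on input the application never expects.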

Question #70

An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization’s website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur.

Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

  • A . Assign responsibility for improving data quality.
  • B . Invest in additional employee training for data entry.
  • C . Outsource data cleansing activities to reliable third parties.
  • D . Implement business rules to validate employee data entry.

Correct Answer: D

Explanation:

Implementing business rules to validate employee data entry is the best way to reduce the likelihood of future occurrences of poor data quality that cause customer complaints about receiving different items from what they ordered on the organization’s website. Business rules are logical statements that define the conditions and actions for data validation, such as checking for data completeness, accuracy, consistency, and integrity. Assigning responsibility for improving data quality, investing in additional employee training for data entry, and outsourcing data cleansing activities to reliable third parties are also possible ways to improve data quality, but they are not as effective as implementing business rules to validate employee data entry.

References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.1
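What "business rules to validate data entry" looks like in code, as an added example that is not from the original page: each rule checks one of the properties the explanation lists (completeness, accuracy, consistency) and a record that fails any rule is rejected at entry instead of being cleansed later. The catalogue and the order records are constructed for the example.

```python
# Constructed catalogue of valid SKUs (sample data, not from the original page).
CATALOGUE = {"SKU-100": "Blue mug", "SKU-200": "Red mug", "SKU-300": "Green mug"}

REQUIRED_FIELDS = ("order_id", "sku", "quantity", "ship_to")


def rule_completeness(order):
    """Every mandatory field must be present."""
    missing = [f for f in REQUIRED_FIELDS if order.get(f) is None]
    return f"missing fields: {', '.join(missing)}" if missing else None


def rule_sku_exists(order):
    """Accuracy: the SKU must be one the organization actually sells."""
    sku = order.get("sku")
    return None if sku in CATALOGUE else f"unknown SKU {sku!r}"


def rule_quantity_range(order):
    """Integrity: quantity must be a whole number in a sane range."""
    q = order.get("quantity")
    if not isinstance(q, int) or isinstance(q, bool) or not 1 <= q <= 100:
        return f"quantity {q!r} outside 1..100"
    return None


def rule_item_matches_sku(order):
    """Consistency: a free-text item name must agree with the SKU it was keyed against."""
    sku, item = order.get("sku"), order.get("item")
    if sku in CATALOGUE and item and item != CATALOGUE[sku]:
        return f"item {item!r} does not match SKU {sku}"
    return None


RULES = [rule_completeness, rule_sku_exists, rule_quantity_range, rule_item_matches_sku]


def validate_order(order) -> list:
    """Apply every rule; an empty list means the record may be accepted."""
    problems = []
    for rule in RULES:
        message = rule(order)
        if message:
            problems.append(message)
    return problems


if __name__ == "__main__":
    sample = {"order_id": "O-2", "sku": "SKU-100", "item": "Red mug",
              "quantity": 0, "ship_to": "1 Example St"}
    print(validate_order(sample))
```

The consistency rule is the one that addresses the complaint in the question: an order keyed with the SKU of one product and the name of another is exactly the record that ships the wrong item, and a rule at entry catches it before it reaches fulfilment.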

Question #71

Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

  • A . Risk identification
  • B . Risk classification
  • C . Control self-assessment (CSA)
  • D . Impact assessment

Correct Answer: D

Question #72

Which of the following would BEST facilitate the successful implementation of an IT-related framework?

  • A . Aligning the framework to industry best practices
  • B . Establishing committees to support and oversee framework activities
  • C . Involving appropriate business representation within the framework
  • D . Documenting IT-related policies and procedures

Correct Answer: C

Question #73

During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures.

The auditor’s NEXT step should be to:

  • A . note the noncompliance in the audit working papers.
  • B . issue an audit memorandum identifying the noncompliance.
  • C . include the noncompliance in the audit report.
  • D . determine why the procedures were not followed.

Correct Answer: D

Question #74

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

  • A . Assurance that the new system meets functional requirements
  • B . More time for users to complete training for the new system
  • C . Significant cost savings over other system implementation approaches
  • D . Assurance that the new system meets performance requirements

Correct Answer: D

Explanation:

Parallel processing is a system implementation approach that involves running the new system and the old system simultaneously for a period of time until the new system is verified and accepted. The primary advantage of parallel processing is that it provides assurance that the new system meets performance requirements and produces the same or better results as the old system. Parallel processing also minimizes the risk of system failure and data loss, as the old system can be used as a backup or fallback option in case of any problems with the new system.

Question #75

An IS auditor finds the log management system is overwhelmed with false positive alerts.

The auditor’s BEST recommendation would be to:

  • A . establish criteria for reviewing alerts.
  • B . recruit more monitoring personnel.
  • C . reduce the firewall rules.
  • D . fine tune the intrusion detection system (IDS).

Correct Answer: D

Explanation:

Fine tuning the intrusion detection system (IDS) is the best recommendation to reduce the number of false positive alerts that overwhelm the log management system, because it can help adjust the sensitivity and accuracy of the IDS rules and signatures to match the network environment and traffic patterns. Establishing criteria for reviewing alerts, recruiting more monitoring personnel, and reducing the firewall rules are not effective solutions to address the root cause of the false positive alerts, but rather ways to cope with the consequences.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.3

Question #76

Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

  • A . Assignment of responsibility for each project to an IT team member
  • B . Adherence to best practice and industry approved methodologies
  • C . Controls to minimize risk and maximize value for the IT portfolio
  • D . Frequency of meetings where the business discusses the IT portfolio

Correct Answer: C

Explanation:

Controls to minimize risk and maximize value for the IT portfolio should be the most important consideration when conducting a review of IT portfolio management, because they ensure that the IT portfolio aligns with the business strategy, objectives, and priorities, and that the IT investments deliver optimal benefits and outcomes. Assignment of responsibility for each project to an IT team member, adherence to best practice and industry approved methodologies, and frequency of meetings where the business discusses the IT portfolio are also relevant aspects of IT portfolio management, but they are not as important as controls to minimize risk and maximize value.

References: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.3

Question #77

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

  • A . Audit cycle defined in the audit plan
  • B . Complexity of management’s action plans
  • C . Recommendation from executive management
  • D . Residual risk from the findings of previous audits

Correct Answer: D

Explanation:

Residual risk from the findings of previous audits should be the primary basis for prioritizing follow-up audits, because it reflects the level of exposure and potential impact that remains after management has implemented corrective actions or accepted the risk. Follow-up audits should focus on verifying whether the residual risk is within acceptable levels and whether the corrective actions are effective and sustainable. Audit cycle defined in the audit plan, complexity of management’s action plans, and recommendation from executive management are not valid criteria for prioritizing follow-up audits, because they do not consider the residual risk from previous audits.

References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4.3

Question #78

Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

  • A . File level encryption
  • B . File Transfer Protocol (FTP)
  • C . Instant messaging policy
  • D . Application-level firewalls

Correct Answer: D

Explanation:

Application-level firewalls are the best control to prevent the transfer of files to external parties through instant messaging (IM) applications, because they can inspect and filter network traffic based on application-specific protocols and commands, such as IM file transfer commands. Application-level firewalls can block or allow IM file transfers based on predefined rules or policies. File-level encryption, File Transfer Protocol (FTP), and an instant messaging policy are not effective controls to prevent IM file transfers, because they do not restrict or monitor IM network traffic.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.1

Question #79

Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?

  • A . Blocking attachments in IM
  • B . Blocking external IM traffic
  • C . Allowing only corporate IM solutions
  • D . Encrypting IM traffic

Correct Answer: C

Explanation:

Allowing only corporate IM solutions is the best control to mitigate the malware risk associated with an IM system, because it can prevent unauthorized or malicious IM applications from accessing the network and infecting the system with malware. Corporate IM solutions can also enforce security policies and standards, such as encryption, authentication, and logging, to protect the IM system from malware attacks. Blocking attachments in IM, blocking external IM traffic, and encrypting IM traffic are also possible controls to mitigate the malware risk, but they are not as effective as allowing only corporate IM solutions.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.4

Question #80

Which of the following should be an IS auditor’s PRIMARY focus when developing a risk-based IS audit program?

  • A . Portfolio management
  • B . Business plans
  • C . Business processes
  • D . IT strategic plans

Correct Answer: C

Explanation:

Business processes should be the primary focus of an IS auditor when developing a risk-based IS audit program, because they represent the core activities and functions of the organization that support its objectives and goals. Business processes also involve the use of IT resources and systems that may pose risks to the organization’s performance and compliance. A risk-based IS audit program should identify and assess the risks associated with the business processes and determine the appropriate audit scope and procedures to provide assurance on their effectiveness and efficiency. Portfolio management, business plans, and IT strategic plans are also relevant factors for developing a risk-based IS audit program, but they are not as important as business processes.

References: CISA Review Manual (Digital Version), Chapter 2, Section 2.2.1

Question #81

Cross-site scripting (XSS) attacks are BEST prevented through:

  • A . application firewall policy settings.
  • B . a three-tier web architecture.
  • C . secure coding practices.
  • D . use of common industry frameworks.

Correct Answer: C

Explanation:

Secure coding practices are the best way to prevent cross-site scripting (XSS) attacks, because they can ensure that the web application validates and sanitizes user input and output data to prevent malicious scripts from being executed on the web browser. XSS attacks are a type of web application vulnerability that exploit the lack of input validation or output encoding in web pages that accept user input or display dynamic content. Application firewall policy settings, a three-tier web architecture, and use of common industry frameworks are not effective controls to prevent XSS attacks, because they do not address the root cause of the vulnerability in the web application code.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2
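The secure coding practice the explanation names, output encoding of untrusted data, as an added example that is not part of the original page. The comment record is constructed for the example. The first renderer concatenates user text straight into HTML; the hardened one escapes every untrusted value for the context it lands in, and the link helper shows the caveat that an attribute holding a URL also needs a scheme allow-list, because escaping alone does not make a URL safe to follow.

```python
import html
from urllib.parse import urlparse

# Constructed sample comment containing markup a user should never be able to inject
# (sample data, not from the original page).
SAMPLE = {"author": "mallory", "text": "<script>alert(document.cookie)</script>Nice post"}

SAFE_URL_SCHEMES = {"http", "https"}


def render_vulnerable(comment: dict) -> str:
    """'Before' form: untrusted text is placed directly into the page."""
    return f"<p><b>{comment['author']}</b>: {comment['text']}</p>"


def render_hardened(comment: dict) -> str:
    """Output encoding: HTML-escape each untrusted value (quotes included, so the
    same helper is safe inside attribute values as well as element text)."""
    author = html.escape(comment["author"], quote=True)
    text = html.escape(comment["text"], quote=True)
    return f"<p><b>{author}</b>: {text}</p>"


def safe_href(url: str) -> str:
    """URL attribute context: validate the scheme, then escape for the attribute."""
    if urlparse(url).scheme.lower() not in SAFE_URL_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_with_link(comment: dict, profile_url: str) -> str:
    """Both contexts together: element text and an attribute value."""
    author = html.escape(comment["author"], quote=True)
    text = html.escape(comment["text"], quote=True)
    return f'<p><a href="{safe_href(profile_url)}">{author}</a>: {text}</p>'


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE))   # browser would execute the script element
    print(render_hardened(SAMPLE))     # browser shows the tags as literal text
    print(render_with_link(SAMPLE, "https://example.com/u?id=1&tab=2"))
```

`html.escape` handles the element-text and attribute-value contexts; data landing inside a script block, a style block or a URL needs its own encoder or validator, which is why `safe_href` rejects anything that is not an http or https URL rather than trying to escape it.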

Question #82

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

  • A . Implementation plan
  • B . Project budget provisions
  • C . Requirements analysis
  • D . Project plan

Correct Answer: C

Explanation:

Requirements analysis should be the best thing to compare against the business case when determining whether a project in the design phase will meet organizational objectives, because it defines the functional and non-functional specifications of the project deliverables that should satisfy the business needs and expectations. Requirements analysis can help evaluate whether the project design is aligned with the business case and whether it can achieve the desired outcomes and benefits. Implementation plan, project budget provisions, and project plan are also important aspects of a project in the design phase, but they are not as relevant as requirements analysis for comparing against the business case.

References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.1

Question #83

An organization has outsourced its data processing function to a service provider.

Which of the following would BEST determine whether the service provider continues to meet the organization’s objectives?

  • A . Assessment of the personnel training processes of the provider
  • B . Adequacy of the service provider’s insurance
  • C . Review of performance against service level agreements (SLAs)
  • D . Periodic audits of controls by an independent auditor

Correct Answer: C

Explanation:

Reviewing the performance against service level agreements (SLAs) would best determine whether the service provider continues to meet the organization’s objectives, as SLAs define the expected level of service, quality, availability, and responsibilities of both parties. Assessment of the personnel training processes of the provider, adequacy of the service provider’s insurance, and periodic audits of controls by an independent auditor are important aspects of outsourcing, but they do not directly measure the performance of the service provider against the organization’s objectives.

References: CISA Review Manual (Digital Version), Chapter 3, Section 3.5.2

Question #84

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

  • A . communicate via Transport Layer Security (TLS).
  • B . block authorized users from unauthorized activities.
  • C . channel access only through the public-facing firewall.
  • D . channel access through authentication.

Correct Answer: A

Explanation:

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery communicate via Transport Layer Security (TLS), which is a protocol that provides encryption and authentication for data transmitted over a network. IPsec operates at the network layer and provides security for IP packets, while TLS operates at the transport layer and provides security for TCP connections. Blocking authorized users from unauthorized activities, channeling access only through the public-facing firewall, and channeling access through authentication are not functions of IPsec architecture.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2

Question #85

Coding standards provide which of the following?

  • A . Program documentation
  • B . Access control tables
  • C . Data flow diagrams
  • D . Field naming conventions

Correct Answer: D

Explanation:

Coding standards provide field naming conventions, which are rules for naming variables, constants, functions, classes, and other elements in a program. Coding standards help to ensure consistency, readability, maintainability, and portability of code. Program documentation, access control tables, and data flow diagrams are not part of coding standards.

References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.1

Question #86

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management’s decision.

Which of the following should be the IS auditor’s NEXT course of action?

  • A . Accept management’s decision and continue the follow-up.
  • B . Report the issue to IS audit management.
  • C . Report the disagreement to the board.
  • D . Present the issue to executive management.

Correct Answer: B

Explanation:

Prior to a follow-up engagement, if an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation, the IS auditor should report the issue to IS audit management. This is because IS audit management is responsible for ensuring that audit findings are properly communicated and resolved. Accepting management’s decision and continuing the follow-up would not address the IS auditor’s concern. Reporting the disagreement to the board or executive management would be premature and inappropriate without consulting IS audit management first.

References: CISA Review Manual (Digital Version), Chapter 1, Section 1.6

Question #87

The PRIMARY benefit of using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

  • A . is more effective at suppressing flames.
  • B . allows more time to abort release of the suppressant.
  • C . has a decreased risk of leakage.
  • D . disperses dry chemical suppressants exclusively.

Correct Answer: C

Explanation:

The primary benefit of using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system has a decreased risk of leakage, as the pipes are filled with pressurized air or nitrogen instead of water until the system is activated. A wet-pipe system has a higher risk of leakage, corrosion, and freezing. A dry-pipe system is not more effective at suppressing flames, as it uses the same water-based suppressant as a wet-pipe system. A dry-pipe system does not allow more time to abort release of the suppressant, as it has a delay of only a few seconds before the water is released. A dry-pipe system does not disperse dry chemical suppressants exclusively, as it uses water as the primary suppressant.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.3

Question #88

Which of the following is MOST important with regard to an application development acceptance test?

  • A . The programming team is involved in the testing process.
  • B . All data files are tested for valid information before conversion.
  • C . User management approves the test design before the test is started.
  • D . The quality assurance (QA) team is in charge of the testing process.

Correct Answer: C

Explanation:

The most important aspect of an application development acceptance test is that user management approves the test design before the test is started, as this ensures that the test objectives, criteria, and procedures are aligned with the user requirements and expectations. The programming team’s involvement in the testing process, the testing of data files for valid information before conversion, and the quality assurance (QA) team’s charge of the testing process are also important, but they are not as critical as user management’s approval of the test design.

References: CISA Review Manual (Digital Version), Chapter 4, Section 4.4.2

Question #89

An organization’s enterprise architecture (EA) department decides to change a legacy system’s components while maintaining its original functionality.

Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

  • A . The current business capabilities delivered by the legacy system
  • B . The proposed network topology to be used by the redesigned system
  • C . The data flows between the components to be used by the redesigned system
  • D . The database entity relationships within the legacy system

Correct Answer: A

Explanation:

When reviewing an enterprise architecture (EA) department’s decision to change a legacy system’s components while maintaining its original functionality, an IS auditor should understand the current business capabilities delivered by the legacy system, as this would help to evaluate whether the change is justified, feasible, and aligned with the business goals and needs. The proposed network topology to be used by the redesigned system, the data flows between the components to be used by the redesigned system, and the database entity relationships within the legacy system are technical details that are less relevant for an IS auditor to understand when reviewing this decision.

References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

Question #90

An IS auditor is evaluating an organization’s IT strategy and plans.

Which of the following would be of GREATEST concern?

  • A . There is not a defined IT security policy.
  • B . The business strategy meeting minutes are not distributed.
  • C . IT is not engaged in business strategic planning.
  • D . There is inadequate documentation of IT strategic planning.

Correct Answer: C

Explanation:

The greatest concern for an IS auditor when evaluating an organization’s IT strategy and plans is that IT is not engaged in business strategic planning, as this indicates a lack of alignment between IT and business objectives, which could result in inefficient and ineffective use of IT resources and capabilities. The absence of a defined IT security policy, the nondistribution of business strategy meeting minutes, and the inadequate documentation of IT strategic planning are also issues that should be addressed by an IS auditor, but they are not as significant as IT’s noninvolvement in business strategic planning.

References: CISA Review Manual (Digital Version), Chapter 3, Section 3.1

Question #91

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor’s BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

  • A . the Internet.
  • B . the demilitarized zone (DMZ).
  • C . the organization’s web server.
  • D . the organization’s network.

Correct Answer: A

Explanation:

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor’s best recommendation is to place an intrusion detection system (IDS) between the firewall and the Internet, as this would provide an additional layer of security and alert the organization of any malicious traffic that bypasses or penetrates the firewall. Placing an IDS between the firewall and the demilitarized zone (DMZ), the organization’s web server, or the organization’s network would not be as effective, as it would only monitor the traffic that has already passed through the firewall.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.3

Question #92

An IS auditor is reviewing an organization’s information asset management process.

Which of the following would be of GREATEST concern to the auditor?

  • A . The process does not require specifying the physical locations of assets.
  • B . Process ownership has not been established.
  • C . The process does not include asset review.
  • D . Identification of asset value is not included in the process.

Correct Answer: B

Explanation:

An IS auditor would be most concerned if process ownership has not been established for the information asset management process, as this would indicate a lack of accountability, responsibility, and authority for managing the assets throughout their lifecycle. The process owner should also ensure that the process is aligned with the organization’s objectives, policies, and standards. The process should require specifying the physical locations of assets, include asset review, and identify asset value, but these are less critical than establishing process ownership.

References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

Question #93

An IS audit reveals that an organization is not proactively addressing known vulnerabilities.

Which of the following should the IS auditor recommend the organization do FIRST?

  • A . Verify the disaster recovery plan (DRP) has been tested.
  • B . Ensure the intrusion prevention system (IPS) is effective.
  • C . Assess the security risks to the business.
  • D . Confirm the incident response team understands the issue.

Correct Answer: C

Explanation:

If an IS audit reveals that an organization is not proactively addressing known vulnerabilities, the IS auditor should recommend that the organization assess the security risks to the business first, as this would help to prioritize the vulnerabilities based on their impact and likelihood, and determine the appropriate mitigation strategies. Verifying the disaster recovery plan (DRP) has been tested, ensuring the intrusion prevention system (IPS) is effective, and confirming the incident response team understands the issue are important steps, but they are not as urgent as assessing the security risks to the business.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.6

Question #94

Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

  • A . Rotate job duties periodically.
  • B . Perform an independent audit.
  • C . Hire temporary staff.
  • D . Implement compensating controls.

Correct Answer: D

Explanation:

The best way to address segregation of duties issues in an organization with budget constraints is to implement compensating controls, which are alternative controls that reduce or eliminate the risk of errors or fraud due to inadequate segregation of duties. Compensating controls may include independent reviews, reconciliations, approvals, or supervisions. Rotating job duties periodically may reduce the risk of collusion or abuse of privileges, but it may also affect operational efficiency and continuity. Performing an independent audit may detect segregation of duties issues, but it does not prevent them. Hiring temporary staff may increase operational costs and introduce new risks.

References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

Question #95

An organization’s security policy mandates that all new employees must receive appropriate security awareness training.

Which of the following metrics would BEST assure compliance with this policy?

  • A . Percentage of new hires that have completed the training.
  • B . Number of new hires who have violated enterprise security policies.
  • C . Number of reported incidents by new hires.
  • D . Percentage of new hires who report incidents.

Correct Answer: A

Explanation:

The best metric to assure compliance with the policy of providing security awareness training to all new employees is the percentage of new hires that have completed the training, as this directly measures the extent to which the policy is implemented and enforced. The number of new hires who have violated enterprise security policies, the number of reported incidents by new hires, and the percentage of new hires who report incidents are not directly related to the policy, as they may depend on other factors such as the nature and frequency of threats, the effectiveness of security controls, and the reporting culture of the organization.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.7

Question #96

An IS auditor is following up on prior period items and finds management did not address an audit finding.

Which of the following should be the IS auditor’s NEXT course of action?

  • A . Note the exception in a new report as the item was not addressed by management.
  • B . Recommend alternative solutions to address the repeat finding.
  • C . Conduct a risk assessment of the repeat finding.
  • D . Interview management to determine why the finding was not addressed.

Correct Answer: D

Explanation:

If an IS auditor finds that management did not address a prior period audit finding, the next course of action should be to interview management to determine why the finding was not addressed, as this would help to understand the root cause, the impact, and the risk level of the issue. Noting the exception in a new report, recommending alternative solutions, or conducting a risk assessment are possible subsequent steps, but they should not precede interviewing management.

References: CISA Review Manual (Digital Version), Chapter 1, Section 1.6

Question #97

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

  • A . Compliance with action plans resulting from recent audits
  • B . Compliance with local laws and regulations
  • C . Compliance with industry standards and best practice
  • D . Compliance with the organization’s policies and procedures

Correct Answer: B

Explanation:

The best test to provide assurance that a health care organization is handling patient data appropriately is compliance with local laws and regulations, as these are the primary sources of authority and obligation for data protection and privacy. Compliance with action plans, industry standards, or organizational policies and procedures is also important, but these may not cover all the legal requirements or reflect the current best practices for handling patient data.

References: CISA Review Manual (Digital Version), Chapter 2, Section 2.3

Question #98

An organization allows employees to retain confidential data on personal mobile devices.

Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

  • A . Require employees to attend security awareness training.
  • B . Password protect critical data files.
  • C . Configure to auto-wipe after multiple failed access attempts.
  • D . Enable device auto-lock function.

Correct Answer: C

Explanation:

The best recommendation to mitigate the risk of data leakage from lost or stolen devices that contain confidential data is to configure them to auto-wipe after multiple failed access attempts, as this would prevent unauthorized access and erase sensitive information from the device. Requiring employees to attend security awareness training, password protecting critical data files, or enabling the device auto-lock function are also good practices, but they may not be sufficient or effective in preventing data leakage from lost or stolen devices.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3

Question #99

Which of the following demonstrates the use of data analytics for a loan origination process?

  • A . Evaluating whether loan records are included in the batch file and are validated by the servicing system
  • B . Comparing a population of loans input in the origination system to loans booked on the servicing system
  • C . Validating whether reconciliations between the two systems are performed and discrepancies are investigated
  • D . Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Correct Answer: B

Explanation:

Data analytics can be used to compare data from different sources and identify any discrepancies or anomalies. In this case, comparing a population of loans input in the origination system to loans booked on the servicing system can help detect any errors or fraud in the loan origination process. The other options are not examples of data analytics, but rather controls for data integrity, reconciliation, and error handling.

References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3.2

Question #100

Which of the following BEST indicates the effectiveness of an organization’s risk management program?

  • A . Inherent risk is eliminated.
  • B . Residual risk is minimized.
  • C . Control risk is minimized.
  • D . Overall risk is quantified.

Correct Answer: B

Explanation:

The effectiveness of a risk management program can be measured by how well it reduces the residual risk, which is the risk that remains after applying controls, to an acceptable level. Inherent risk is the risk that exists before applying any controls, and it cannot be eliminated completely. Control risk is the risk that the controls fail to prevent or detect a risk event, and it is a component of residual risk. Overall risk is not a meaningful metric for assessing the effectiveness of a risk management program, as it does not account for the impact and likelihood of different risk events.

References: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.2