Practice Free CISA Exam Online Questions
Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?
- A . Data privacy must be managed in accordance with the regulations applicable to the organization.
- B . Data privacy must be monitored in accordance with industry standards and best practices.
- C . No personal information may be transferred to the service provider without notifying the customer.
- D . Customer data transferred to the service provider must be reported to the regulatory authority.
Which of the following would be an auditor’s GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?
- A . Undocumented code formats data and transmits directly to the database.
- B . There is not a complete inventory of spreadsheets, and file naming is inconsistent.
- C . The department data protection policy has not been reviewed or updated for two years.
- D . Spreadsheets are accessible by all members of the finance department.
A
Explanation:
The auditor’s greatest concern when reviewing data inputs from spreadsheets into the core finance system would be undocumented code that formats data and transmits directly to the database. This is because undocumented code can introduce errors, inconsistencies, and security risks in the data processing and reporting. Undocumented code can also make it difficult to verify the accuracy, completeness, and validity of the data inputs and outputs, as well as to trace the source and destination of the data. Undocumented code can also violate the principles of segregation of duties, as the same person who creates the code may also have access to the data and the database.
The other options are not as concerning as undocumented code, although they may also pose some risks. A lack of complete inventory of spreadsheets and inconsistent file naming may make it challenging to identify and locate the relevant spreadsheets, but they do not directly affect the quality or integrity of the data inputs. The department data protection policy not being reviewed or updated for two years may indicate a lack of awareness or compliance with the current data protection regulations, but it does not necessarily imply that the data inputs are compromised or inaccurate. Spreadsheets being accessible by all members of the finance department may increase the risk of unauthorized or accidental changes to the data, but it can be mitigated by implementing access controls, password protection, and audit trails.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 226; Five Common Spreadsheet Risks and Ways to Control Them; GREATEST Concerns When Reviewing Data Inputs from Spreadsheets.
Which of the following should be the GREATEST concern to an IS auditor reviewing an organization’s job scheduling practices?
- A . Most jobs are run manually.
- B . Jobs are executed during working hours.
- C . Job dependencies are undefined.
- D . Job processing procedures are missing.
An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed.
Which of the following should be the IS auditor’s NEXT course of action?
- A . Review the list of end users and evaluate for authorization.
- B . Report this control process weakness to senior management.
- C . Verify management's approval for this exemption.
- D . Obtain a verbal confirmation from IT for this exemption.
B
Explanation:
The IS auditor’s next course of action should be to report this control process weakness to senior management, as it may indicate a lack of oversight and accountability for the reporting system. Read-only users may have access to sensitive or confidential information that should be restricted or monitored. Periodic reviews of read-only users are a good practice to ensure that the access rights are still valid and appropriate for the users’ roles and responsibilities. Reporting this weakness to senior management will also allow them to take corrective actions or implement compensating controls if needed.
Option A is incorrect because reviewing the list of end users and evaluating for authorization is not the IS auditor’s responsibility, but rather the system owner’s or administrator’s. The IS auditor should only verify that such reviews are performed and documented by the responsible parties.
Option C is incorrect because verifying management’s approval for this exemption is not sufficient to address the control process weakness. Even if there is a valid reason for not performing periodic reviews of read-only users, the IS auditor should still report this as a potential risk and recommend mitigating controls.
Option D is incorrect because obtaining a verbal confirmation from IT for this exemption is not adequate evidence or documentation. The IS auditor should obtain written approval from management and verify that it is aligned with the organization’s policies and standards.
Reference: CISA Review Manual (Digital Version), Chapter 1: The Process of Auditing Information Systems, Section 1.4: Audit Evidence, p. 31-32.
CISA Review Manual (Print Version), Chapter 1: The Process of Auditing Information Systems, Section 1.4: Audit Evidence, p. 31-32.
CISA Online Review Course, Module 1: The Process of Auditing Information Systems, Lesson 4: Audit Evidence, slides 9-10.
CISA Questions, Answers & Explanations Database, Question ID: QAE_CISA_710.
An external audit firm was engaged to perform a validation and verification review for a systems implementation project. The IS auditor identifies that regression testing is not part of the project plan and was not performed by the systems implementation team. According to the team, the parallel testing being performed is sufficient, making regression testing unnecessary.
What should be the auditor’s NEXT step?
- A . Evaluate the extent of the parallel testing being performed
- B . Recommend integration and stress testing be conducted by the systems implementation team
- C . Conclude that parallel testing is sufficient and regression testing is not needed
- D . Recommend regression testing be conducted by the systems implementation team
D
Explanation:
Regression testing is crucial to ensure that new changes do not negatively impact existing functionalities. The IS auditor should recommend that regression testing be conducted to confirm that the system operates correctly after changes are made.
Reference
ISACA CISA Review Manual 27th Edition, Page 256-257 (Testing Strategies)
Which of the following approaches would present the GREATEST concern for the implementation of a quality assurance (QA) function?
- A . Developers introducing the changes will review the work, as they are most familiar with them.
- B . Peer developers from the same development team who are unfamiliar with the changes will review them.
- C . Developers from a separate development team in the organization will review the submitted changes.
- D . Reviewers outside the development group who do not have development roles will review the changes.
A
Explanation:
Comprehensive and Detailed Step-by-Step
A strong QA function requires an independent review of changes to avoid bias and ensure objectivity.
Option A (Correct): If developers review their own changes, there is a high risk of bias and overlooking issues, making this the greatest concern. This violates separation of duties and best practices for quality assurance.
Option B (Incorrect): Peer reviews within the same team reduce risk since fresh eyes review the changes, though it is not as strong as an external review.
Option C (Incorrect): Having developers from a separate team review the code provides better objectivity and reduces risks associated with self-review.
Option D (Incorrect): While non-developers may lack technical expertise, their review ensures independence, making it a stronger control than self-review.
Reference: ISACA CISA Review Manual, Domain 3: Information Systems Acquisition, Development, and Implementation. Covers quality assurance, code reviews, and segregation of duties.
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?
- A . Implementing the remediation plan
- B . Partially completing the CSA
- C . Developing the remediation plan
- D . Developing the CSA questionnaire
D
Explanation:
Developing the CSA questionnaire is an activity that would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA). An IS auditor can design and provide a CSA questionnaire to help the business units or process owners to evaluate their own controls and identify any issues or improvement opportunities. This will enable an IS auditor to support and guide the CSA process without compromising their objectivity or independence. The other options are activities that would impair an IS auditor’s independence while facilitating a CSA, as they involve implementing, completing, or developing remediation actions for control issues.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.41
CISA Review Questions, Answers & Explanations Database, Question ID 215
Which of the following is the MAJOR advantage of automating internal controls?
- A . To enable the review of large value transactions
- B . To efficiently test large volumes of data
- C . To help identify transactions with no segregation of duties
- D . To assist in performing analytical reviews
B
Explanation:
The major advantage of automating internal controls is to efficiently test large volumes of data, because automated controls can perform repetitive tasks faster, more accurately, and more consistently than manual controls. Automated controls can also provide audit trails and exception reports that facilitate the monitoring and evaluation of the control effectiveness. Reviewing large value transactions, identifying transactions with no segregation of duties, and performing analytical reviews are possible benefits of automating internal controls, but not the major advantage.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.2; CISA Online Review Course, Module 5, Lesson 2.
Which of the following is the BEST point in time to conduct a post-implementation review?
- A . After a full processing cycle
- B . Immediately after deployment
- C . After the warranty period
- D . Prior to the annual performance review
A
Explanation:
The best point in time to conduct a post-implementation review is after a full processing cycle. A post-implementation review is a process to evaluate whether the objectives of the project were met, how effective the project was managed, what benefits were realized, and what lessons were learned. A post-implementation review should be conducted after a full processing cycle, which is the period of time required for a system or process to complete all its functions and produce its outputs. This allows for a more accurate and comprehensive assessment of the project’s performance, outcomes, impacts, and issues.
The other options are not as good as option
Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?
- A . Implement controls to prohibit downloads of unauthorized software.
- B . Conduct periodic software scanning.
- C . Perform periodic counting of licenses.
- D . Require senior management approval when installing licenses.
B
Explanation:
The best way to detect unauthorized copies of licensed software on systems is to conduct periodic software scanning. Software scanning is a process of using specialized tools or programs to scan the systems and identify the software installed, the license status, the usage, and the compliance with the software policies and agreements. Software scanning can help to detect any unauthorized, unlicensed, or illegal copies of software on the systems, as well as any discrepancies or violations of the software licenses. Software scanning can also help to optimize the software inventory, reduce the software costs, and improve the security and performance of the systems.
Some examples of software scanning tools are:
- Microsoft Software Inventory Analyzer (MSIA): A free tool that scans Windows-based computers and servers and generates reports on the Microsoft products installed, such as operating systems, applications, and updates.
- Belarc Advisor: A free tool that scans Windows-based computers and generates reports on the hardware and software installed, including license keys, versions, usage, and security status.
- Lansweeper: A paid tool that scans Windows, Linux, Mac, and other network devices and generates reports on the hardware and software inventory, license compliance, configuration, and vulnerabilities.
To conduct periodic software scanning, you need to:
- Choose a suitable software scanning tool that meets your needs and budget.
- Define the scope and frequency of the software scanning, such as which systems to scan, how often to scan, and what information to collect.
- Configure and run the software scanning tool according to the instructions and settings.
- Review and analyze the software scanning reports and identify any unauthorized copies of licensed software on the systems.
- Take appropriate actions to remove or regularize the unauthorized copies of licensed software on the systems.
- Document and report the results and findings of the software scanning.
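As an added example (not part of the question bank or of any ISACA material), the following Python script shows the "review and analyze" step of the procedure above: it compares constructed scan output against a constructed license register and flags software that was never approved, license keys the organization was never issued, one key reused on several hosts (a copied install), and products deployed on more hosts than seats were purchased. Every host name, product name and key here is made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample output of a software scanning tool (not real scan data):
# one row per installed product per host.
SCAN_CSV = """host,product,version,license_key
ws-01,OfficeSuite,2021,KEY-AAAA
ws-02,OfficeSuite,2021,KEY-AAAA
ws-03,OfficeSuite,2021,KEY-BBBB
ws-04,OfficeSuite,2021,KEY-ZZZZ
srv-01,DiagramTool,3.1,KEY-DDDD
ws-02,TorrentClient,1.9,
"""

# Constructed license register: approved products, seats purchased and the
# keys issued by the vendor. Anything not listed here is not approved software.
LICENSE_REGISTER = {
    "OfficeSuite": {"seats": 3, "keys": {"KEY-AAAA", "KEY-BBBB", "KEY-CCCC"}},
    "DiagramTool": {"seats": 1, "keys": {"KEY-DDDD"}},
}


def analyze_scan(scan_csv, register):
    """Compare scan results against the license register and return the findings."""
    installs = defaultdict(list)   # product -> hosts where it is installed
    key_hosts = defaultdict(set)   # license key -> hosts activated with it
    findings = {"unapproved": [], "unregistered_key": [], "duplicate_key": {}, "over_deployed": {}}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        product, host, key = row["product"], row["host"], row["license_key"]
        if product not in register:
            findings["unapproved"].append((host, product))  # never licensed by the organization
            continue
        installs[product].append(host)
        if not key:
            continue  # tool could not read a key; the install is still counted above
        if key not in register[product]["keys"]:
            findings["unregistered_key"].append((host, product, key))  # key not issued to us
        else:
            key_hosts[key].add(host)
    # One key activated on several hosts is the classic sign of a copied install.
    findings["duplicate_key"] = {k: sorted(h) for k, h in key_hosts.items() if len(h) > 1}
    # More installs than purchased seats breaks the agreement even when every key is valid.
    for product, hosts in installs.items():
        seats = register[product]["seats"]
        if len(hosts) > seats:
            findings["over_deployed"][product] = (len(hosts), seats)
    return findings
```

Each finding carries the host names, which is what the "take appropriate actions" and "document and report" steps need.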
