Practice Free CISA Exam Online Questions
An organization implemented a cybersecurity policy last year.
Which of the following is the GREATEST indicator that the policy may need to be revised?
- A . A significant increase in authorized connections to third parties
- B . A significant increase in cybersecurity audit findings
- C . A significant increase in approved exceptions
- D . A significant increase in external attack attempts
C
Explanation:
The greatest indicator that the cybersecurity policy may need to be revised is a significant increase in approved exceptions. This implies that the policy is not aligned with the current business needs and risks, and that it may be too restrictive or outdated. The other options are not necessarily indicators of a need for policy revision, as they may be due to other factors such as changes in the external environment, audit scope or methodology.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.21
The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:
- A . payment processing.
- B . payroll processing.
- C . procurement.
- D . product registration.
A
Explanation:
Segregation of duties is a key internal control that aims to prevent fraud and errors by ensuring that no single individual has the authority to execute two or more conflicting sensitive transactions or functions. In the accounts payable vendor payment cycle, segregation of duties involves separating the tasks of vendor setup, procurement, invoice approval, and payment processing. This way, an employee cannot create a fictitious vendor and issue a payment to themselves or their accomplices without being detected by another person. Therefore, the best way to prevent fraudulent payments is to implement segregation of duties between vendor setup and payment processing.
Reference: Segregation of Duties in the Accounts Payable Vendor Payment Cycle for SMBs (Debra R Richardson); What is Separation of Duties (University of California, Berkeley)
Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects. Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?
- A . Human resources (HR) sourcing strategy
- B . Records of actual time spent on projects
- C . Peer organization staffing benchmarks
- D . Budgeted forecast for the next financial year
B
Explanation:
The best source of information for IT management to estimate resource requirements for future projects is the records of actual time spent on projects. This data provides a realistic and reliable basis for forecasting future resource needs from historical trends and patterns, and it also helps IT management identify gaps or inefficiencies in resource allocation and utilization. The human resources (HR) sourcing strategy is not a good basis for the estimate, as it may not reflect the actual demand for and availability of IT resources. Peer organization staffing benchmarks may not account for the specific characteristics and needs of the organization. The budgeted forecast for the next financial year may not be based on accurate or realistic assumptions.
Reference: CISA Review Manual, 27th Edition, pages 465-466
CISA Review Questions, Answers & Explanations Database, Question ID: 263
Which of the following approaches would present the GREATEST concern for the implementation of a quality assurance (QA) function?
- A . Developers introducing the changes will review the work, as they are most familiar with them.
- B . Peer developers from the same development team who are unfamiliar with the changes will review them.
- C . Developers from a separate development team in the organization will review the submitted changes.
- D . Reviewers outside the development group who do not have development roles will review the changes.
A
Explanation:
A strong QA function requires an independent review of changes to avoid bias and ensure objectivity.
Option A (Correct): If developers review their own changes, there is a high risk of bias and of overlooking issues, making this the greatest concern. It violates separation of duties and best practices for quality assurance.
Option B (Incorrect): Peer reviews within the same team reduce risk, since fresh eyes review the changes, though this is not as strong as an external review.
Option C (Incorrect): Having developers from a separate team review the code provides better objectivity and reduces the risks associated with self-review.
Option D (Incorrect): While non-developers may lack technical expertise, their review ensures independence, making it a stronger control than self-review.
Reference: ISACA CISA Review Manual, Domain 3: Information Systems Acquisition, Development, and Implementation (covers quality assurance, code reviews, and segregation of duties).
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions.
Which of the following is MOST important for the organization to ensure?
- A . The policy includes a strong risk-based approach.
- B . The retention period allows for review during the year-end audit.
- C . The total transaction amount has no impact on financial reporting.
- D . The retention period complies with data owner responsibilities.
D
Explanation:
The most important thing for the organization to ensure when reducing the actual retention period for media containing completed low-value transactions is that the retention period complies with data owner responsibilities. Data owners are accountable for the quality, security, and availability of the data under their control. They are also responsible for defining and enforcing data retention policies that comply with legal, regulatory, contractual, and business requirements. Data owners should be consulted and involved in any decision that affects the retention period of their data, as they are ultimately liable for any consequences of data loss or breach.
The other options (a strong risk-based approach in the policy, a retention period that allows review during the year-end audit, and confirmation that the total transaction amount has no impact on financial reporting) are not the most important things to ensure. They are possible factors or benefits that may influence or justify the decision, but they do not override or replace the data owner's responsibilities.
To confirm integrity for a hashed message, the receiver should use:
- A . the same hashing algorithm as the sender’s to create a binary image of the file.
- B . a different hashing algorithm from the sender’s to create a binary image of the file.
- C . the same hashing algorithm as the sender’s to create a numerical representation of the file.
- D . a different hashing algorithm from the sender’s to create a numerical representation of the file.
C
Explanation:
To confirm integrity for a hashed message, the receiver should use the same hashing algorithm as the sender's to create a numerical representation of the file. A hashing algorithm is a mathematical function that transforms input data of any length into a fixed-length output value, called a hash or digest. A hashing algorithm has two main properties: it is one-way, meaning that it is easy to compute the hash from the input but hard to recover the input from the hash; and it is collision-resistant, meaning that it is infeasible to find two different inputs that produce the same hash. These properties make hashing algorithms useful for verifying the integrity of data, as any change in the input data results in a different hash value. The digest is a short numerical representation of the file, not a binary image of it; a binary image would simply be a copy of the file, and comparing a copy against itself proves nothing. The receiver recomputes the digest over the received message with the same algorithm the sender used and compares it with the digest the sender supplied; a different algorithm would produce a different digest even for an unaltered message, so options B and D can never verify anything. If the digests match, the message has not been altered in transit; if they do not, it has been corrupted or tampered with. Note that an unkeyed hash sent over the same channel as the message only detects accidental corruption: an attacker who can alter the message can recompute and replace the digest as well. Detecting deliberate tampering requires the digest to be delivered over a trusted channel or to be authenticated with a keyed construction such as an HMAC or a digital signature.
Reference: Ensuring Data Integrity with Hash Codes; Message Integrity
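The verification described above, as an added example that is not part of the original page. It uses Python's standard hashlib and hmac modules on a constructed sample message: the sender computes a SHA-256 digest, and the receiver recomputes it with the same algorithm and compares. It also goes one step beyond the question to show the caveat: with a different algorithm an unmodified message fails to verify, a one-field change in the message is detected, and an unkeyed digest can be forged by anyone who can replace both message and digest, which a keyed HMAC prevents. The message text and the shared key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample message and demo key (not from the original page, not for production use).
MESSAGE = b"Transfer 1,000.00 to account 12345678"
TAMPERED = MESSAGE.replace(b"1,000.00", b"9,000.00")
SHARED_KEY = b"constructed-demo-key"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of data: a fixed-length numerical representation, not a copy of the data."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Receiver side: recompute with the chosen algorithm and compare in constant time."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def demo() -> dict:
    """Sender transmits MESSAGE plus its SHA-256 digest; receiver tries several checks."""
    sender_digest = digest(MESSAGE, "sha256")
    return {
        # Same algorithm, unmodified message: the only case that verifies.
        "same_algorithm_unmodified": verify(MESSAGE, sender_digest, "sha256"),
        # Different algorithm (options B and D): digest never matches, even though nothing changed.
        "different_algorithm_unmodified": verify(MESSAGE, sender_digest, "sha512"),
        # Same algorithm, one field altered in transit: mismatch reveals the change.
        "same_algorithm_tampered": verify(TAMPERED, sender_digest, "sha256"),
        # 64 hex characters = 256 bits regardless of the message length.
        "digest_length_bits": len(sender_digest) * 4,
    }


def unkeyed_hash_is_forgeable() -> bool:
    """Caveat: an attacker who replaces both message and digest passes an unkeyed check."""
    return verify(TAMPERED, digest(TAMPERED))


def keyed_tag(data: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the message; cannot be recomputed without the key."""
    return hmac.new(key, data, "sha256").hexdigest()


def verify_keyed(data: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver recomputes the HMAC with the shared key and compares in constant time."""
    return hmac.compare_digest(keyed_tag(data, key), tag)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("unkeyed hash forgeable:", unkeyed_hash_is_forgeable())
    tag = keyed_tag(MESSAGE)
    print("keyed tag, unmodified:", verify_keyed(MESSAGE, tag))
    print("keyed tag, tampered:", verify_keyed(TAMPERED, tag))
```

The comparison uses hmac.compare_digest rather than == so that the check does not leak, through timing, how many leading characters of a guessed digest were correct. The shared-key HMAC is what turns the integrity check into an authenticity check; a digital signature achieves the same where the parties share no secret.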
When reviewing hard disk utilization reports, an IS auditor observes that utilization is routinely above 95%.
Which of the following should be the GREATEST concern to the IS auditor?
- A . Availability
- B . Consistency
- C . Denial of service (DoS) attacks
- D . Data security
Which of the following is the GREATEST risk associated with storing customer data on a web server?
- A . Data availability
- B . Data confidentiality
- C . Data integrity
- D . Data redundancy
B
Explanation:
The greatest risk associated with storing customer data on a web server is data confidentiality. Data confidentiality is the property that ensures data are accessible only to authorized entities or individuals and protected from unauthorized disclosure or exposure. Web servers are exposed to the internet and may be vulnerable to attacks or breaches that compromise the security and privacy of customer data, such as hacking, phishing and malware. Customer data may contain sensitive or personal information whose disclosure causes harm to customers or the organization: identity theft, fraud, reputation loss, legal liability, etc.
Data availability is the property that ensures data are accessible and usable by authorized entities or individuals when needed. It is a risk for data on a web server, which may suffer failures or disruptions such as hardware faults, network issues, power outages or denial of service (DoS) attacks. It is not the greatest risk here, because a loss of availability does not by itself expose customer data.
Data integrity is the property that ensures data are accurate and consistent, and protected from unauthorized modification or corruption. It is a risk for data on a web server, which may be subject to attacks or errors such as injection attacks, tampering or replication issues. It is not the greatest risk here, because unauthorized modification does not by itself disclose customer data to third parties.
Data redundancy is the condition of having duplicate or unnecessary data in a database or system. It is not a risk of storing customer data on a web server but a result of poor database design or management.
Which of the following criteria is MOST important for the successful delivery of benefits from an IT project?
- A . Assessing the impact of changes to individuals and business units within the organization
- B . Involving key stakeholders during the development and execution phases of the project
- C . Ensuring that IT project managers have sign-off authority on the business case
- D . Quantifying the size of the software development effort required by the project
Which of the following is MOST helpful for measuring benefits realization for a new system?
- A . Function point analysis
- B . Balanced scorecard review
- C . Post-implementation review
- D . Business impact analysis (BIA)
C
Explanation:
A post-implementation review is the most helpful method for measuring benefits realization for a new system, because it evaluates the actual outcomes and impacts of the system after it has been implemented and used for a period of time. A post-implementation review compares the actual benefits with the expected benefits defined in the business case or the benefits realization plan, and identifies any gaps, issues, or opportunities for improvement. It can also assess the effectiveness, efficiency, and satisfaction of the system's users, stakeholders, and customers, and provide feedback and recommendations for future enhancements or changes.
The other options are not as helpful as post-implementation review for measuring benefits realization for a new system:
Function point analysis. This is a technique that measures the size and complexity of a software system based on the number and types of functions it provides. Function point analysis can help estimate the cost, effort, and time required to develop, maintain, or enhance a software system, but it does not measure the actual benefits or value that the system delivers to the organization or its users.
Balanced scorecard review. This is a strategic management tool that measures the performance of an organization or a business unit based on four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard review can help align the organization’s vision, mission, and goals with its activities and outcomes, but it does not measure the specific benefits or impacts of a new system.
Business impact analysis (BIA). This is a process that identifies and evaluates the potential effects of a disruption or disaster on the organization’s critical business functions and processes. A BIA can help determine the recovery priorities, objectives, and strategies for the organization in case of an emergency, but it does not measure the benefits or value of a new system.
