Practice Free CISA Exam Online Questions
Which of the following should an IS auditor be MOST concerned with during a post-implementation review?
- A . The system does not have a maintenance plan.
- B . The system contains several minor defects.
- C . The system deployment was delayed by three weeks.
- D . The system was over budget by 15%.
A
Explanation:
A post-implementation review (PIR) is an assessment conducted at the end of a project cycle to determine if the project was indeed successful and to identify any existing flaws in the project [1]. One of the main objectives of a PIR is to evaluate the outcome and functional value of a project [1]. Therefore, an IS auditor should be most concerned with whether the system meets the intended requirements and delivers the expected benefits to the stakeholders. A system that does not have a maintenance plan is a major risk, as it may not be able to cope with changing needs, fix errors, or prevent security breaches. A maintenance plan is essential for ensuring the system’s reliability, availability, and performance in the long term [2].
The other options are less critical for a PIR, as they are more related to the project management aspects than the system quality aspects. The system may contain several minor defects that do not affect its functionality or usability, and these can be resolved in future updates. The system deployment may be delayed by three weeks due to unforeseen circumstances or dependencies, but this does not necessarily mean that the system is faulty or ineffective. The system may be over budget by 15% due to various factors such as scope creep, resource constraints, or market fluctuations, but this does not imply that the system is not valuable or beneficial.
Reference: [1] Post-Implementation Review Best Practices – MetaPM; [2] What is Post-Implementation Review in Project Management?
During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed, as management has decided to accept the risk.
Which of the following is the IS auditor’s BEST course of action?
- A . Require the auditee to address the recommendations in full.
- B . Update the audit program based on management’s acceptance of risk.
- C . Evaluate senior management’s acceptance of the risk.
- D . Adjust the annual risk assessment accordingly.
An IS auditor suspects an organization’s computer may have been used to commit a crime.
Which of the following is the auditor’s BEST course of action?
- A . Examine the computer to search for evidence supporting the suspicions.
- B . Advise management of the crime after the investigation.
- C . Contact the incident response team to conduct an investigation.
- D . Notify local law enforcement of the potential crime before further investigation.
C
Explanation:
The IS auditor’s best course of action if they suspect an organization’s computer may have been used to commit a crime is to contact the incident response team to conduct an investigation. The incident response team is a group of experts who are responsible for responding to security incidents, such as data breaches, ransomware attacks, or cybercrimes. The incident response team can help to preserve and collect digital evidence, determine the scope and impact of the incident, contain and eradicate the threat, and restore normal operations. The IS auditor should not examine the computer themselves, as they may inadvertently alter or destroy potential evidence, or compromise the chain of custody. The IS auditor should also not notify local law enforcement before further investigation, as this may escalate the situation unnecessarily or interfere with the internal investigation process. The IS auditor should advise management of the crime after the investigation, or as soon as possible if there is an imminent risk or legal obligation to do so.
Who is accountable for an organization’s enterprise risk management (ERM) program?
- A . Board of directors
- B . Steering committee
- C . Chief risk officer (CRO)
- D . Executive management
Which of the following is an IS auditor’s MOST important step in a privacy audit?
- A . Assess the controls in place for data management.
- B . Determine whether privacy training is being conducted for employees.
- C . Review third-party agreements for adequate personally identifiable information (PII) protection measures.
- D . Analyze all stages of the personally identifiable information (PII) data life cycle to identify potential risks.
D
Explanation:
The most important step in a privacy audit is to ensure that all risks associated with PII handling are identified. This requires analyzing the entire PII data life cycle, from collection, processing, storage, and transfer to retention and destruction.
Option A: Reviewing data management controls is part of the audit but is narrower than life cycle coverage.
Option B: Privacy training is necessary, but training alone doesn’t ensure compliance.
Option C: Reviewing third-party agreements is important but only covers outsourced risks.
Option D: Provides comprehensive coverage of privacy risks across all stages.
Reference: ISACA, CISA Review Manual, 27th Edition, Domain 5, section on data privacy, data life cycle, and PII risks.
An organization’s payroll department recently implemented a new Software as a Service (SaaS) tool for payment processing.
Which of the following audits is MOST appropriate for an IS auditor to validate that the new tool is configured as expected to meet performance requirements?
- A . Financial audit
- B . Administrative audit
- C . Functional audit
- D . Compliance audit
Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (IDS)?
- A . An increase in the number of identified false positives
- B . An increase in the number of detected incidents not previously identified
- C . An increase in the number of unfamiliar sources of intruders
- D . An increase in the number of internally reported critical incidents
B
Explanation:
Signature-based intrusion detection systems (IDS) are systems that compare network traffic with predefined patterns of known attacks, called signatures. The effectiveness of signature-based IDS depends on how well they can detect new or unknown attacks that are not in their signature database. Therefore, an increase in the number of detected incidents not previously identified is the best indicator of the effectiveness of signature-based IDS, as it shows that they can recognize novel or modified attacks.
Which of the following BEST enables an IS auditor to combine and compare access control lists from various applications and devices?
- A . Integrated test facility (ITF)
- B . Snapshots
- C . Data analytics
- D . Audit hooks
C
Explanation:
Data analytics is the process of analyzing large and complex data sets to discover patterns, trends, and insights that can support decision making and problem solving. Data analytics can enable an IS auditor to combine and compare access control lists from various applications and devices by using techniques such as data extraction, transformation, loading, cleansing, integration, aggregation, visualization, and reporting. Data analytics can help an IS auditor to identify and assess the risks and controls related to access management, such as unauthorized or excessive access, segregation of duties violations, access policy compliance, access activity monitoring, and access review and remediation.
The other options are not as effective or relevant as data analytics for combining and comparing access control lists from various applications and devices. Integrated test facility (ITF) is a technique for testing the validity and accuracy of application processing by inserting fictitious transactions into the system and verifying the results. ITF does not directly involve the analysis of access control lists. Snapshots are records of selected information at a specific point in time that can be used to monitor system activity or performance. Snapshots can provide some information about access control lists, but they are not sufficient to combine and compare them across different sources. Audit hooks are software routines embedded in an application that can trigger an alert or a report when certain conditions are met. Audit hooks can help to detect anomalies or exceptions in access control lists, but they do not provide a comprehensive or integrated view of them.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 236; ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition, 2014, p. 88; Data Analytics for Auditing Access Control
In an organization’s feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?
- A . Alternatives for financing the acquisition
- B . Financial stability of potential vendors
- C . Reputation of potential vendors
- D . Cost-benefit analysis of available products
D
Explanation:
The most important part of a feasibility study is the economics [1]. A cost-benefit analysis of available products is crucial as it helps to understand the economic viability of the project [1]. It compares the costs of the project with the benefits it is expected to deliver, which is essential for making informed decisions [1]. Omitting this could lead to investments in hardware that may not provide the expected returns or meet the organization’s needs.
Reference: [1] The Components of a Feasibility Study – ProjectEngineer
When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:
- A . compare the organization’s strategic plan against industry best practice.
- B . interview senior managers for their opinion of the IT function.
- C . ensure an IT steering committee is appointed to monitor new IT projects.
- D . evaluate deliverables of new IT initiatives against planned business services.
D
Explanation:
When auditing the alignment of IT to the business strategy, it is most important for the IS auditor to evaluate deliverables of new IT initiatives against planned business services. This can help the IS auditor to assess whether the IT initiatives are meeting the business needs and expectations, delivering value and benefits, and supporting the business objectives and goals. Comparing the organization’s strategic plan against industry best practice is a possible technique for auditing the alignment of IT to the business strategy, but it is not the most important thing for the IS auditor to do, as industry best practice may not be applicable or relevant to the specific context or situation of the organization. Interviewing senior managers for their opinion of the IT function is a possible technique for auditing the alignment of IT to the business strategy, but it is not the most important thing for the IS auditor to do, as senior managers’ opinions may be subjective or biased, and may not reflect the actual performance or outcomes of the IT function. Ensuring an IT steering committee is appointed to monitor new IT projects is a possible control for ensuring the alignment of IT to the business strategy, but it is not the most important thing for the IS auditor to do, as an IT steering committee may not be effective or efficient in monitoring new IT projects, and may not have sufficient authority or influence over the IT function.
