Practice Free CISA Exam Online Questions
Which of the following is the MOST effective way to ensure adequate system resources are available for high-priority activities?
- A . System virtualization
- B . Job scheduling
- C . Zero Trust
- D . Code optimization
B
Explanation:
Job scheduling ensures that system resources are allocated efficiently by prioritizing high-priority tasks during peak periods. It prevents resource contention by scheduling less critical jobs at off-peak times or when resources are underutilized. This method is the most direct and effective way to ensure adequate resources for essential activities.
System Virtualization (Option A): While useful for optimizing resource utilization, it does not prioritize activities dynamically.
Zero Trust (Option C): This is a security framework and does not address resource allocation.
Code Optimization (Option D): This improves performance but is not directly related to resource scheduling.
Reference: ISACA CISA Review Manual, Job Practice Area 3: Information Systems Operations and Business Resilience.
A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization.
Which of the following is MOST effective in detecting such an intrusion?
- A . Periodically reviewing log files
- B . Configuring the router as a firewall
- C . Using smart cards with one-time passwords
- D . Installing biometrics-based authentication
A
Explanation:
The most effective way to detect an intrusion attempt is to periodically review log files, which record the activities and events on a system or network. Log files can provide evidence of unauthorized access attempts, malicious activities, or system errors. Configuring the router as a firewall, using smart cards with one-time passwords, and installing biometrics-based authentication are preventive controls that can reduce the likelihood of an intrusion, but they do not detect it.
Reference: ISACA CISA Review Manual 27th Edition, page 301
Which of the following is MOST important to determine when conducting a post-implementation review?
- A . Whether the solution architecture complies with IT standards
- B . Whether success criteria have been achieved
- C . Whether the project has been delivered within the approved budget
- D . Whether lessons learned have been documented
B
Explanation:
The most important thing to determine when conducting a post-implementation review is whether success criteria have been achieved. A post-implementation review evaluates the results and outcomes of a project or initiative after it has been completed and implemented. The success criteria are the measurable indicators that define what constitutes a successful project or initiative in terms of its objectives, benefits, quality, performance, and stakeholder satisfaction. The IS auditor should verify whether the success criteria have been achieved by comparing the actual results and outcomes with the expected or planned ones, and by assessing whether they meet or exceed the expectations and requirements of the stakeholders. The IS auditor should also identify any gaps, issues, or risks that may affect the sustainability or scalability of the project or initiative, and provide recommendations for improvement or remediation. The other options are not as important, because they either focus on specific aspects or components of the project or initiative rather than the overall value proposition, or they belong to the pre-implementation or implementation phases rather than the post-implementation phase.
Reference: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3
Which of the following technology trends can lead to more robust data loss prevention (DLP) tools?
- A . Cloud computing
- B . Robotic process automation (RPA)
- C . Internet of Things (IoT)
- D . Machine learning algorithms
Which of the following would be of MOST concern when determining if information assets are adequately safeguarded during transport and disposal?
- A . Lack of appropriate labelling
- B . Lack of recent awareness training
- C . Lack of password protection
- D . Lack of appropriate data classification
D
Explanation:
The most concerning issue when determining if information assets are adequately safeguarded during transport and disposal is lack of appropriate data classification. Data classification assigns categories or levels of sensitivity to different types of information assets based on their value, criticality, or risk to the organization. It supports safeguarding during transport and disposal by providing the criteria and guidelines for identifying, labeling, handling, and protecting information assets according to their sensitivity. Without appropriate data classification, information assets may be exposed to unauthorized access, disclosure, theft, damage, or destruction during transport and disposal. The other options are less concerning because none of them determines how information assets are identified, labeled, handled, or protected according to their sensitivity. Lack of appropriate labeling may increase the risk of misplacing, losing, or mishandling information assets during transport and disposal, but it does not affect their classification. Lack of recent awareness training may affect the knowledge or behavior of staff who transport or dispose of information assets, but it does not affect their classification. Lack of password protection may affect the security or confidentiality of information assets stored on devices during transport and disposal, but it does not affect their classification.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2
What should an IS auditor evaluate FIRST when reviewing an organization’s response to new privacy legislation?
- A . Implementation plan for restricting the collection of personal information
- B . Privacy legislation in other countries that may contain similar requirements
- C . Operational plan for achieving compliance with the legislation
- D . Analysis of systems that contain privacy components
D
Explanation:
The first thing that an IS auditor should evaluate when reviewing an organization’s response to new privacy legislation is the analysis of systems that contain privacy components. Privacy components are elements of a system that collect, process, store, or transmit personal information that is subject to privacy legislation. An analysis of systems that contain privacy components should identify what types of personal information are involved, where they are located, how they are used, who has access to them, and what risks or threats they face. An analysis of systems that contain privacy components is essential for determining the scope and impact of the new privacy legislation on the organization’s systems and processes.
The other options are not as important as option D. An implementation plan for restricting the collection of personal information is a possible action, but not the first thing to evaluate. Such a plan outlines how an organization will comply with the principle of data minimization, which states that personal information should be collected only for specific and legitimate purposes and only to the extent necessary for those purposes; it should be based on an analysis of systems that contain privacy components. Privacy legislation in other countries that may contain similar requirements is a possible source of reference, but not the first thing to evaluate. Such legislation governs the protection of personal information in other jurisdictions that may have comparable or compatible standards or expectations, and it may provide guidance or best practices for complying with the new legislation, but it is not a substitute for an analysis of systems that contain privacy components. An operational plan for achieving compliance with the legislation is a possible deliverable, but not the first thing to evaluate. Such a plan describes how an organization will implement and maintain the policies, procedures, controls, and measures needed to comply with the new privacy legislation, and it should be derived from an analysis of systems that contain privacy components.
Reference: Privacy law – Wikipedia, Data Protection and Privacy Legislation Worldwide | UNCTAD, Data minimization – Wikipedia
The PRIMARY role of a control self-assessment (CSA) facilitator is to:
- A . conduct interviews to gain background information.
- B . focus the team on internal controls.
- C . report on the internal control weaknesses.
- D . provide solutions for control weaknesses.
B
Explanation:
The primary role of a control self-assessment (CSA) facilitator is to focus the team on internal controls. A CSA facilitator is a person who guides the CSA process and helps the participants to identify, assess, and improve their internal controls. The facilitator does not conduct interviews, report on weaknesses, or provide solutions, as these are the responsibilities of the participants themselves.
The other options are incorrect because they are not the primary role of a CSA facilitator.
Option A, conduct interviews to gain background information, is a preliminary step that may be done by the facilitator or the participants before the CSA session, but it is not the main purpose of the facilitator.
Option C, report on the internal control weaknesses, is an outcome of the CSA process that should be done by the participants who own and operate the controls.
Option D, provide solutions for control weaknesses, is also an outcome of the CSA process that should be done by the participants who are in charge of implementing the improvements.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, page 282
ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription, QID 106669
PwC, Control Self Assessments
Workiva, 4 factors of an effective control self-assessment (CSA) program
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s vulnerability scanning program?
- A . Steps taken to address identified vulnerabilities are not formally documented
- B . Results are not reported to individuals with authority to ensure resolution
- C . Scans are performed less frequently than required by the organization’s vulnerability scanning schedule
- D . Results are not approved by senior management
B
Explanation:
The finding that should be of greatest concern to an IS auditor assessing the effectiveness of an organization’s vulnerability scanning program is that results are not reported to individuals with authority to ensure resolution. This indicates a lack of accountability and communication for vulnerability management, which may result in unresolved or delayed remediation of identified vulnerabilities. This may expose the organization to increased risk of cyberattacks or breaches. The other findings are also concerning, but not as much as this one, because they may affect the completeness, accuracy or timeliness of the vulnerability scanning process, but not necessarily its effectiveness.
Reference: ISACA, CISA Review Manual, 27th Edition, chapter 4, section 4.4
ISACA, COBIT 2019 Framework: Introduction and Methodology, section 3.2
An IT balanced scorecard is the MOST effective means of monitoring:
- A . governance of enterprise IT.
- B . control effectiveness.
- C . return on investment (ROI).
- D . change management effectiveness.
A
Explanation:
An IT balanced scorecard is a strategic management tool that aligns IT objectives with business goals and measures the performance of IT processes using key performance indicators (KPIs). It is the most effective means of monitoring governance of enterprise IT, which is the process of ensuring that IT supports the organization’s strategy and objectives. Governance of enterprise IT covers aspects such as IT value delivery, IT risk management, IT resource management, and IT performance measurement. An IT balanced scorecard can help monitor these aspects and provide feedback to improve IT governance.
Reference: ISACA Frameworks: Blueprints for Success, CISA Review Manual (Digital Version)
During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing.
Which of the following should the IS auditor identify as the associated risk?
- A . The use of the cloud negatively impacting IT availability
- B . Increased need for user awareness training
- C . Increased vulnerability due to anytime, anywhere accessibility
- D . Lack of governance and oversight for IT infrastructure and applications
C
Explanation:
The associated risk of mobile computing that an IS auditor should identify during the planning phase of a data loss prevention (DLP) audit is increased vulnerability due to anytime, anywhere accessibility. Mobile computing refers to the use of portable devices, such as laptops, tablets, smartphones, or wearable devices, that can access data and applications over wireless networks from any location. Mobile computing enables greater flexibility, productivity, and convenience for users, but also poses significant security challenges for organizations. One of these challenges is increased vulnerability due to anytime, anywhere accessibility. This means that mobile devices are exposed to a higher risk of loss, theft, damage, or unauthorized access than stationary devices. If mobile devices contain or access sensitive data without proper protection, such as encryption or authentication, they could result in data leakage or breach in case of compromise. Therefore, an IS auditor should identify this risk as part of a DLP audit.
The other options are less relevant or incorrect because:
