Practice Free CISA Exam Online Questions
Which of the following is the BEST indication of effective IT investment management?
- A . IT investments are implemented and monitored following a system development life cycle (SDLC)
- B . IT investments are mapped to specific business objectives
- C . Key performance indicators (KPIs) are defined for each business requiring IT investment
- D . The IT investment budget is significantly below industry benchmarks
B
Explanation:
Mapping IT investments to specific business objectives is the best indication of effective IT investment management because it shows that the investments are aligned with the strategic goals and priorities of the organization and that they deliver value and benefits to the business. The mapping helps ensure that IT investments are relevant, justified, and measurable, and that they support the organization’s mission and vision.
Implementing and monitoring IT investments according to a system development life cycle (SDLC) indicates effective IT project management, not necessarily effective IT investment management. The SDLC is a framework that guides the development and implementation of IT systems and applications, but it does not address the alignment, justification, or measurement of the investments themselves.
Defining key performance indicators (KPIs) for each business requiring IT investment indicates effective IT performance management, not necessarily effective IT investment management. KPIs measure the outcomes and results of IT activities and processes, but they do not address the alignment, justification, or value of the IT investments.
An IT investment budget that is significantly below industry benchmarks indicates low IT spending, not effective IT investment management. The budget should be based on the organization’s needs and capabilities rather than on external comparisons; a low budget may mean the organization is underinvesting in IT, which could limit its potential for growth and innovation.
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated.
The GREATEST concern to the IS auditor is that policies and procedures might not:
- A . reflect current practices.
- B . include new systems and corresponding process changes.
- C . incorporate changes to relevant laws.
- D . be subject to adequate quality assurance (QA).
A
Explanation:
The greatest concern for an IS auditor when IT policies and procedures are not regularly reviewed and updated is that they might not reflect current practices. Policies define the goals, objectives, and guidelines for an organization’s information systems and resources; procedures describe the steps, tasks, or activities for implementing or executing those policies. Both should be reviewed and updated regularly so that they remain relevant, accurate, consistent, and effective. Policies and procedures that are not kept current may be outdated, obsolete, or incompatible with the current state or needs of the organization’s information systems and resources, which causes confusion, inconsistency, inefficiency, or noncompliance among the users and stakeholders who rely on them for guidance.
That policies and procedures might not include new systems and corresponding process changes is also a valid concern, but not the greatest one. Documents that are not maintained may fail to cover the introduction or modification of information systems or resources within the organization, leaving gaps, overlaps, or conflicts among the policies and procedures that govern different systems or resources.
Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization’s data loss prevention (DLP) controls?
- A . Review data classification levels based on industry best practice.
- B . Verify that current DLP software is installed on all computer systems.
- C . Conduct interviews to identify possible data protection vulnerabilities.
- D . Verify that confidential files cannot be transmitted to a personal USB device.
D
Explanation:
The most reliable way for an IS auditor to evaluate the operational effectiveness of an organization’s data loss prevention (DLP) controls is to verify that confidential files cannot be transmitted to a personal USB device. DLP controls are designed to prevent the loss, leakage, or misuse of sensitive data through breaches, exfiltration, and unauthorized use. A personal USB device is a common channel for data theft or compromise because it bypasses network security measures and allows unauthorized access to confidential files. Testing the DLP controls by attempting to copy or transfer confidential files to a personal USB device therefore provides direct and objective evidence of whether the controls work as intended.
The other options are less reliable ways for an IS auditor to evaluate the operational effectiveness of an organization’s DLP controls. Reviewing data classification levels based on industry best practice is a way to assess the adequacy of the organization’s data protection policies, but it does not measure how well the DLP controls are implemented or enforced in practice. Verifying that current DLP software is installed on all computer systems is a way to check the technical configuration of the DLP solution, but it does not test how well the DLP software detects and prevents data loss incidents in real scenarios. Conducting interviews to identify possible data protection vulnerabilities is a way to gather qualitative information from stakeholders, but it does not provide quantitative or empirical data on the actual performance of the DLP controls.
Reference: What is Data Loss Prevention (DLP)? [Guide] – CrowdStrike
An IS auditor follows up on a recent security incident and finds the incident response was not adequate.
Which of the following findings should be considered MOST critical?
- A . The security weakness facilitating the attack was not identified.
- B . The attack was not automatically blocked by the intrusion detection system (IDS).
- C . The attack could not be traced back to the originating person.
- D . Appropriate response documentation was not maintained.
A
Explanation:
The most critical finding for an IS auditor following up on a recent security incident is that the security weakness facilitating the attack was not identified. This finding indicates that the root cause of the incident was not analyzed, and the vulnerability that allowed the attack to succeed was not remediated. This means that the organization is still exposed to the same or similar attacks in the future, and its security posture has not improved. Identifying and addressing the security weakness is a key step in the incident response process, as it helps to prevent recurrence, mitigate impact, and improve resilience.
The other findings are less critical than the failure to identify the security weakness, but they are still issues the organization should address. That the attack was not automatically blocked by the intrusion detection system (IDS) suggests that the IDS was not configured properly or did not have the latest signatures or rules to detect and prevent the attack. That the attack could not be traced back to the originating person implies that the organization lacked sufficient logging, monitoring, or forensic capabilities to identify and attribute the attacker. That appropriate response documentation was not maintained indicates that the organization did not follow a consistent, formal incident response procedure or did not document its actions, decisions, and lessons learned from the incident.
Reference: ISACA CISA Review Manual 27th Edition (2019), page 254
Incident Response Process – ISACA
Incident Response: How to Identify and Fix Security Weaknesses
In which phase of the audit life cycle process should an IS auditor initially discuss observations with management?
- A . Planning phase
- B . Reporting phase
- C . Follow-up phase
- D . Fieldwork phase
D
Explanation:
Comprehensive and Detailed Step-by-Step
Audit findings should be communicated as early as possible to avoid misunderstandings, provide an opportunity for corrective action, and ensure transparency.
Option A (Incorrect): The planning phase involves defining audit scope, objectives, and methodology, but findings are not yet available to discuss with management.
Option B (Incorrect): The reporting phase formalizes audit results, but discussing issues only at this stage may lead to delays in corrective action.
Option C (Incorrect): The follow-up phase ensures that management has implemented corrective actions, but this occurs after the initial discussion of findings.
Option D (Correct): The fieldwork phase is when auditors actively gather evidence, analyze data, and identify issues. Discussing observations during this phase allows for immediate clarification, validation, and resolution of misunderstandings before the final report.
Reference: ISACA CISA Review Manual, Domain 1: Information Systems Auditing Process. Discusses audit engagement, reporting, and communication best practices.
A bank has a combination of corporate customer accounts (higher monetary value) and small business accounts (lower monetary value) as part of online banking.
Which of the following is the BEST sampling approach for an IS auditor to use for these accounts?
- A . Difference estimation sampling
- B . Stratified mean per unit sampling
- C . Customer unit sampling
- D . Unstratified mean per unit sampling
B
Explanation:
Stratified mean per unit sampling is a method of audit sampling that divides the population into subgroups (strata) based on some characteristic, such as monetary value, and then selects a sample from each stratum using mean per unit sampling. Mean per unit sampling is a method of audit sampling that estimates the total value of a population by multiplying the average value of the sample items by the number of items in the population. Stratified mean per unit sampling is suitable for populations that have a high variability or a skewed distribution, such as the bank accounts in this question. By stratifying the population, the auditor can reduce the sampling error and increase the precision of the estimate.
Difference estimation sampling (option A) is not the best sampling approach for these accounts. Difference estimation sampling is a method of audit sampling that estimates the total error or misstatement in a population by multiplying the average difference between the book value and the audited value of the sample items by the number of items in the population. Difference estimation sampling is suitable for populations that have a low variability and a symmetrical distribution, which is not the case for the bank accounts in this question.
Customer unit sampling (option C) is not a distinct sampling approach but a variation of monetary unit sampling. Monetary unit sampling selects sample items based on their monetary value rather than their physical units. Customer unit sampling treats each customer account as a single unit, regardless of how many transactions or balances it contains. It may be appropriate for testing existence or occurrence assertions, but not for estimating total values.
Unstratified mean per unit sampling (option D) is not the best sampling approach for these accounts. Unstratified mean per unit sampling is a method of audit sampling that applies mean per unit sampling to the entire population without dividing it into subgroups. Unstratified mean per unit sampling may result in a larger sample size and a lower precision than stratified mean per unit sampling, especially for populations that have a high variability or a skewed distribution, such as the bank accounts in this question.
Therefore, option B is the correct answer.
Reference: Audit Sampling – AICPA
Audit Sampling: Examples and Guidance to the Sampling Methods
Audit Sampling | Audit | Financial Audit – Scribd
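As an added worked example (not part of the original explanation), the Go code below projects the population total by mean per unit sampling, once over the pooled accounts and once stratified by account type, on constructed data of 40 high-value corporate and 960 low-value small-business accounts. The every-k-th selection stands in for random selection only so the run is reproducible, and the finite population correction is left out.

```go
package main

import "math"

// Estimate is a mean per unit (MPU) projection of a population total and its standard error.
type Estimate struct{ Total, StdErr float64 }

// mpu projects a population of size N from a sample: total = N * mean and
// standard error = N * s / sqrt(n), with s the sample standard deviation (no finite population correction).
func mpu(sample []float64, N int) Estimate {
	n := float64(len(sample))
	sum, sumsq := 0.0, 0.0
	for _, v := range sample {
		sum, sumsq = sum+v, sumsq+v*v
	}
	mean := sum / n
	s := math.Sqrt((sumsq - n*mean*mean) / (n - 1))
	return Estimate{float64(N) * mean, float64(N) * s / math.Sqrt(n)}
}

func everyKth(vals []float64, k int) []float64 { // deterministic stand-in for random selection
	var out []float64
	for i := 0; i < len(vals); i += k {
		out = append(out, vals[i])
	}
	return out
}

// Unstratified pools corporate and small-business balances into one population.
func Unstratified(corp, small []float64, k int) Estimate {
	all := append(append([]float64{}, corp...), small...)
	return mpu(everyKth(all, k), len(all))
}

// Stratified estimates each stratum separately and combines them: totals add, standard errors add in quadrature.
func Stratified(corp, small []float64, k int) Estimate {
	c, s := mpu(everyKth(corp, k), len(corp)), mpu(everyKth(small, k), len(small))
	return Estimate{c.Total + s.Total, math.Hypot(c.StdErr, s.StdErr)}
}

// ConstructedPopulation is made-up data: 40 high-value corporate and 960 low-value small-business accounts.
func ConstructedPopulation() (corp, small []float64) {
	for i := 0; i < 40; i++ {
		corp = append(corp, 500000+float64(i)*25000)
	}
	for i := 0; i < 960; i++ {
		small = append(small, 2000+float64(i%50)*100)
	}
	return corp, small
}
```

On this data with k = 10 both designs select the same 100 accounts, so the two point estimates coincide at 38,820,000, while the stratified standard error is roughly a third of the unstratified one.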
Which of the following BEST describes the process of creating a digital envelope?
- A . The encryption key is compressed within a folder after a message is encoded using symmetric encryption.
- B . A message is encoded using symmetric encryption, and then the encryption key is secured using public key encryption.
- C . The message is hashed, and the hash total is sent using symmetric encryption.
- D . A message digest is encrypted using asymmetric encryption, and the encryption key is sent using asymmetric encryption.
B
Explanation:
A digital envelope combines the strengths of symmetric and asymmetric cryptography. The message itself is encrypted using a fast symmetric algorithm. The session key used for symmetric encryption is then encrypted using the recipient’s public key. This ensures efficiency (large data encrypted quickly with symmetric keys) and security (session key securely transmitted using asymmetric encryption).
Options A, C, and D describe other cryptographic processes (compression, hashing, or digital signatures) but do not correctly represent a digital envelope. ISACA training materials and CISA manuals highlight this hybrid approach as the standard method for secure data transmission.
Reference (ISACA): CISA Review Manual, Cryptography Concepts; ISACA Glossary.
An IS auditor reviewing an organization’s IT systems finds that the organization frequently purchases systems that are incompatible with the technologies already in the organization.
Which of the following is the MOST likely reason?
- A . Ineffective risk management policy
- B . Lack of enterprise architecture (EA)
- C . Lack of a maturity model
- D . Outdated enterprise resource planning (ERP) system
Which of the following should be an IS auditor’s PRIMARY focus when developing a risk-based IS audit program?
- A . Portfolio management
- B . Business plans
- C . Business processes
- D . IT strategic plans
C
Explanation:
Business processes should be the primary focus of an IS auditor when developing a risk-based IS audit program, because they represent the core activities and functions of the organization that support its objectives and goals. Business processes also involve the use of IT resources and systems that may pose risks to the organization’s performance and compliance. A risk-based IS audit program should identify and assess the risks associated with the business processes and determine the appropriate audit scope and procedures to provide assurance on their effectiveness and efficiency. Portfolio management, business plans, and IT strategic plans are also relevant factors for developing a risk-based IS audit program, but they are not as important as business processes.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.2.1
Which of the following cloud capabilities BEST enables an organization to meet unexpectedly high service demand?
- A . Scalability
- B . High availability
- C . Alternate routing
- D . Flexibility
