Practice Free CISA Exam Online Questions
Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned IT budget with the organization’s goals and strategic objectives?
- A . Enterprise architecture (EA)
- B . Business impact analysis (BIA)
- C . Risk assessment report
- D . Audit recommendations
A
Explanation:
Enterprise architecture (EA) is the most helpful to an IS auditor reviewing the alignment of planned IT budget with the organization's goals and strategic objectives. EA is a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a comprehensive approach, for the successful development and execution of strategy. EA provides a blueprint for an effective IT strategy and guides the controlled evolution of IT in a way that delivers business benefit cost-effectively. By reviewing the EA, the IS auditor can evaluate how well the planned IT budget supports the business vision, strategy, objectives, and capabilities of the organization.
The other options are less helpful for this purpose.
A business impact analysis (BIA) is a process for determining the criticality of business activities and their associated resource requirements, so that operational resilience and continuity of operations can be ensured during and after a business disruption. It quantifies the impact of disruptions on service delivery, the risks to service delivery, and the recovery time objectives (RTOs) and recovery point objectives (RPOs). A BIA is useful for developing business continuity and disaster recovery strategies, solutions, and plans, but it does not directly address whether the planned IT budget aligns with the organization's goals and strategic objectives.
A risk assessment report documents the results of a risk assessment, the formal output of the process of identifying, analyzing, and controlling hazards and risks. It is useful for identifying and mitigating threats and issues that could harm the enterprise, but it does not directly address budget alignment with strategic objectives.
Audit recommendations are guidance that highlights actions to be taken by management; when implemented, process risks should be mitigated and performance enhanced. They are useful for improving the quality and reliability of information systems and their outputs, but they do not directly address budget alignment with strategic objectives.
Therefore, option A is the correct answer.
Which of the following should be an IS auditor’s PRIMARY focus when auditing the implementation of a new IT operations performance monitoring system?
- A . Reviewing whether all changes have been implemented
- B . Validating whether baselines have been established
- C . Confirming whether multi-factor authentication (MFA) is deployed as part of the operational enhancements
- D . Determining whether there is a process for annual review of the maintenance manual
Which of the following is MOST important to ensure when developing an effective security awareness program?
- A . Training personnel are information security professionals.
- B . Outcome metrics for the program are established.
- C . Security threat scenarios are included in the program content.
- D . Phishing exercises are conducted post-training
B
Explanation:
The most important factor is B, establishing outcome metrics for the program. Outcome metrics evaluate the impact and results of the security awareness program on user behavior and performance and on the organization's security posture and objectives.
Outcome metrics help ensure the effectiveness of the program by:
- Providing feedback and evidence on whether the program is achieving its goals and expectations, such as reducing the number of incidents, improving the compliance rate, or increasing the reporting rate.
- Identifying and quantifying the strengths and weaknesses of the program, enabling continuous improvement of its content, delivery, and frequency.
- Demonstrating the value and return on investment of the program to stakeholders and management, and securing their support and commitment.
An organization uses public key infrastructure (PKI) to provide email security.
Which of the following would be the MOST efficient method to determine whether email messages have been modified in transit?
- A . The message is encrypted using a symmetric algorithm.
- B . The message is sent using Transport Layer Security (TLS) protocol.
- C . The message is sent along with an encrypted hash of the message.
- D . The message is encrypted using the private key of the sender.
C
Explanation:
This method produces a digital signature of the message. The sender hashes the message and encrypts the hash value with its private key; the recipient decrypts the hash with the sender's public key, recomputes the hash over the received message, and compares the two. Any change to the message in transit yields a different hash value, so the comparison fails. Signing only the fixed-length hash, rather than the whole message, is what makes the method efficient. The same mechanism is used in DomainKeys Identified Mail (DKIM), which binds an email to the sending domain and shows that the signed parts of the message have not been altered in transit.
The other options do not efficiently prove integrity. Symmetric encryption (A) provides confidentiality, not evidence of modification. TLS (B) protects only the connection between two mail servers; the message is exposed at each intermediate hop, and the recipient retains no evidence of integrity after delivery. Encrypting the entire message with the sender's private key (D) would also reveal tampering, but it is far more costly than signing a hash and gives no confidentiality, since anyone with the public key can decrypt it.
Reference: Understanding Digital Signatures | CISA
Using DomainKeys Identified Mail (DKIM) in your organisation
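The hash-then-sign scheme behind option C, as an added example that is not part of the original question material. It uses only Go's standard library (RSA PKCS#1 v1.5 over a SHA-256 digest, the combination S/MIME and DKIM commonly use); the key sizes, email body, and the one-character alteration are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// SignMessage implements option C: hash the message, then "encrypt" the hash
// with the sender's private key. Concretely this is an RSA PKCS#1 v1.5
// signature over the SHA-256 digest of the message bytes.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage recomputes the digest over the received bytes and checks it
// against the signature with the sender's public key. Any change to the
// message, however small, changes the digest and the check fails.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo signs a constructed email and then verifies (1) the original,
// (2) a copy altered in transit by one character, and (3) the original
// against a signature made with a different key, i.e. by an impostor who
// does not hold the sender's private key.
func Demo() (originalOK, tamperedOK, wrongKeyOK bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048) // sender's PKI key pair
	if err != nil {
		return
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // unrelated key pair
	if err != nil {
		return
	}

	// Constructed sample message for the demonstration.
	msg := []byte("From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Invoice\r\n\r\n" +
		"Please pay USD 1,000 to account 12345.\r\n")

	sig, err := SignMessage(sender, msg)
	if err != nil {
		return
	}
	impostorSig, err := SignMessage(impostor, msg)
	if err != nil {
		return
	}

	// A single changed character in transit (the amount) must be detected.
	tampered := []byte(strings.Replace(string(msg), "1,000", "9,000", 1))

	originalOK = VerifyMessage(&sender.PublicKey, msg, sig)
	tamperedOK = VerifyMessage(&sender.PublicKey, tampered, sig)
	wrongKeyOK = VerifyMessage(&sender.PublicKey, msg, impostorSig)
	return
}

func main() {
	orig, tampered, wrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v\n", orig)
	fmt.Printf("tampered copy verifies: %v\n", tampered)
	fmt.Printf("impostor signature verifies: %v\n", wrongKey)
}
```

The recipient only needs the sender's public key, which in a PKI is carried in a certificate (or, for DKIM, published in DNS); no shared secret is exchanged, which is what separates this from a symmetric MAC.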
What is the PRIMARY reason to adopt a risk-based IS audit strategy?
- A . To achieve synergy between audit and other risk management functions
- B . To prioritize available resources and focus on areas with significant risk
- C . To reduce the time and effort needed to perform a full audit cycle
- D . To identify key threats, risks, and controls for the organization
An IS auditor is planning a review of an organization's robotic process automation (RPA) technology.
Which of the following MUST be included in the audit work plan?
- A . Integration architecture
- B . Change management
- C . Cost-benefit analysis
- D . Employee training content
Data Loss Prevention (DLP) tools provide the MOST protection against:
- A . The installation of unknown malware.
- B . Malicious programs running on organizational systems.
- C . The downloading of sensitive information to devices by employees.
- D . The sending of corrupt data files to external parties via email.
C
Explanation:
Data loss prevention (DLP) tools are designed to prevent the unauthorized access, transfer, or leakage of sensitive data, in particular by insiders and through unauthorized downloads or uploads.
Preventing unauthorized downloads (correct, C): DLP solutions block or log attempts to transfer sensitive files. Example: a DLP agent detects and blocks an employee copying confidential data to a USB drive.
Preventing malware installation or execution (incorrect, A and B): antivirus and endpoint protection tools, not DLP, handle malware threats.
Preventing transmission of corrupt data files (incorrect, D): DLP inspects content for sensitive data; it does not detect whether a file is corrupt.
Reference: ISACA CISA Review Manual
NIST SP 800-53 (data protection controls)
CIS (Center for Internet Security) DLP best practices
An organization has decided to purchase a web-based email service from a third-party vendor and eliminate its own email server infrastructure.
What type of cloud computing environment would BEST meet the organization’s objective?
- A . Platform as a Service (PaaS)
- B . Software as a Service (SaaS)
- C . Database as a Service (DBaaS)
- D . Infrastructure as a Service (IaaS)
Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?
- A . The audit program does not involve periodic engagement with external assessors.
- B . Quarterly reports are not distributed to the audit committee.
- C . Results of corrective actions are not tracked consistently.
- D . Substantive testing is not performed during the assessment phase of some audits.
A
Explanation:
According to the ISACA CISA documentation, one of the requirements for internal audit quality assurance (QA) and continuous improvement processes is an external assessment at least once every five years by a qualified, independent reviewer or review team from outside the organization. This confirms that the internal audit activity conforms to the International Standards for the Professional Practice of Internal Auditing (the Standards) and the Code of Ethics, and identifies opportunities for improvement. Without periodic external assessment there is no independent check on the QA process itself, so its absence would present the greatest concern during a review of internal audit QA and continuous improvement processes.
