Practice Free CISA Exam Online Questions
An organization that has decided to approve the use of end-user computing (EUC) should FIRST ensure:
- A . a business impact analysis (BIA) is conducted.
- B . EUC controls are reviewed.
- C . EUC use cases are assessed and documented.
- D . an EUC policy is developed.
The PRIMARY objective of a control self-assessment (CSA) is to:
- A . educate functional areas on risks and controls.
- B . ensure appropriate access controls are implemented.
- C . eliminate the audit risk by leveraging management’s analysis.
- D . gain assurance for business functions that cannot be audited.
A
Explanation:
The primary objective of a control self-assessment (CSA) is to educate functional areas on risks and controls. CSA is a technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization’s risk management and control processes [1]. CSA can help functional areas to obtain a clear and shared understanding of their major activities and objectives, to foster an improved awareness of risk and controls among management and staff, to enhance responsibility and accountability for risks and controls, and to highlight best practices and opportunities to improve business performance [2].
The other options are not the primary objective of a CSA. Ensuring appropriate access controls are implemented is a specific type of control that may be assessed by a CSA, but it is not the main goal of the technique. Eliminating the audit risk by leveraging management’s analysis is not a realistic or desirable outcome of a CSA, as audit risk can never be completely eliminated, and management’s analysis may not be sufficient or reliable without independent verification. Gaining assurance for business functions that cannot be audited is not a valid reason for conducting a CSA, as all business functions should be subject to audit, and a CSA is not a substitute for an audit.
Reference: [1] Control Self Assessments – PwC
[2] Control self-assessment – Wikipedia
[3] Control Self Assessment – AuditNet
Following a merger, a review of an international organization determines the IT steering committee’s decisions do not extend to regional offices as required in the consolidated IT operating model.
Which of the following is the IS auditor’s BEST recommendation?
- A . Create regional centers of excellence.
- B . Engage an IT governance consultant.
- C . Create regional IT steering committees.
- D . Update the IT steering committee’s formal charter.
An IS auditor has been asked to provide support to the control self-assessment (CSA) program.
Which of the following BEST represents the scope of the auditor’s role in the program?
- A . The auditor should act as a program facilitator.
- B . The auditor should focus on improving process productivity.
- C . The auditor should perform detailed audit procedures.
- D . The auditor’s presence replaces the audit responsibilities of other team members.
Which of the following should be of GREATEST concern for an IS auditor when reviewing user account policies?
- A . There is no policy to revoke an employee’s system access upon termination.
- B . There is no policy in place for ongoing security awareness training.
- C . There is no policy requiring employees to sign nondisclosure agreements (NDAs).
- D . There is no policy to revoke previous access rights when employees change roles.
A
Explanation:
Comprehensive and Detailed Step-by-Step
Failure to revoke access upon termination poses the greatest security risk, as ex-employees could still access sensitive data or systems.
No policy to revoke access upon termination (correct answer – A): a terminated employee retaining access can lead to data breaches or insider threats. Example: a former employee misuses active credentials to access financial systems.
No policy for ongoing security awareness training (incorrect – B): important, but does not pose an immediate security risk like an active ex-employee account.
No NDAs (incorrect – C): protects intellectual property but is not as critical as system access.
No access revocation for role changes (incorrect – D): still a concern, but ex-employees with active access are a higher risk.
Reference: ISACA CISA Review Manual
NIST 800-53 (Access Control)
Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?
- A . Document the security view as part of the EA
- B . Consider stakeholder concerns when defining the EA
- C . Perform mandatory post-implementation reviews of IT implementations
- D . Conduct EA reviews as part of the change advisory board
D
Explanation:
The best way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements is to conduct EA reviews as part of the change advisory board (CAB). A CAB is a committee that evaluates and authorizes changes to IT services, such as new IT implementations. By conducting EA reviews as part of the CAB process, the organization can ensure that the proposed changes are consistent with the EA vision, goals, standards, and guidelines. This can help avoid potential conflicts, risks, or inefficiencies that may arise from misaligned IT implementations. Additionally, EA reviews can help identify opportunities for improvement, optimization, or innovation in the IT services.
The other options are not the best ways to help ensure new IT implementations align with EA principles and requirements. Documenting the security view as part of the EA is important, but it does not guarantee that new IT implementations will follow the security requirements or best practices. Considering stakeholder concerns when defining the EA is also essential, but it does not ensure that new IT implementations will meet the stakeholder expectations or needs. Performing mandatory post-implementation reviews of IT implementations is a good practice, but it does not prevent potential issues or problems that may arise from misaligned IT implementations.
Reference: Change Advisory Board Best Practices: 15+ Industry Leaders Weigh In
What Does the Change Advisory Board (CAB) Do?
How do I set up an effective change advisory board? – ServiceNow
ITIL Change Management – The Role of the Change Advisory Board
Which of the following controls is BEST implemented through system configuration?
- A . Network user accounts for temporary workers expire after 90 days.
- B . Application user access is reviewed every 180 days for appropriateness.
- C . Financial data in key reports is traced to source systems for completeness and accuracy.
- D . Computer operations personnel initiate batch processing jobs daily.
A
Explanation:
Expiring network user accounts for temporary workers after 90 days is best implemented through system configuration because it can be enforced automatically by setting a parameter in the network operating system or directory service. This ensures that temporary workers do not have access to the network beyond their authorized period, and reduces the risk of unauthorized or malicious use of their accounts [1][2].
Reference: [1] Configuration and Change Management – CISA
[2] What is IT Governance? – Definition from Techopedia
An IS auditor is reviewing how password resets are performed for users working remotely.
Which type of documentation should be requested to understand the detailed steps required for this activity?
- A . Standards
- B . Guidelines
- C . Policies
- D . Procedures
The GREATEST benefit of using a prototyping approach in software development is that it helps to:
- A . minimize scope changes to the system.
- B . decrease the time allocated for user testing and review.
- C . conceptualize and clarify requirements.
- D . improve efficiency of quality assurance (QA) testing.
C
Explanation:
The greatest benefit of using a prototyping approach in software development is that it helps to conceptualize and clarify requirements. A prototyping approach is a method of creating a simplified or partial version of a software product to demonstrate its features and functionality. A prototyping approach can help to elicit, validate, and refine the requirements of the software product, as well as to obtain feedback from the users and stakeholders. The other options are not the greatest benefits of using a prototyping approach, but rather possible outcomes or advantages of doing so.
Reference: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.11
CISA Review Questions, Answers & Explanations Database, Question ID 227
Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?
- A . Implement data loss prevention (DLP) software
- B . Review perimeter firewall logs
- C . Provide ongoing information security awareness training
- D . Establish behavioral analytics monitoring
D
Explanation:
The most effective way to identify exfiltration of sensitive data by a malicious insider is to establish behavioral analytics monitoring. Behavioral analytics is the process of analyzing the patterns and anomalies in user behavior to detect and prevent insider threats. Behavioral analytics can help identify unusual or suspicious activities, such as accessing sensitive data at odd hours, transferring large amounts of data to external devices or locations, or using unauthorized applications or protocols. Behavioral analytics can also help correlate data from multiple sources, such as network logs, user profiles, and access rights, to provide a holistic view of user activity and risk.
Data loss prevention (DLP) software is a tool that can help prevent exfiltration of sensitive data by a malicious insider, but it is not the most effective way to identify it. DLP software can block or alert on unauthorized data transfers based on predefined rules and policies, but it may not be able to detect sophisticated or stealthy exfiltration techniques, such as encryption, steganography, or data obfuscation.
Reviewing perimeter firewall logs is a way to identify exfiltration of sensitive data by a malicious insider, but it is not the most effective way. Perimeter firewall logs can show the traffic volume and destination of data transfers, but they may not be able to show the content or context of the data. Perimeter firewall logs may also be overwhelmed by the amount of normal traffic and miss the signals of malicious exfiltration.
Providing ongoing information security awareness training is a way to reduce the risk of exfiltration of sensitive data by a malicious insider, but it is not a way to identify it. Information security awareness training can help educate users on the importance of protecting sensitive data and the consequences of violating policies and regulations, but it may not deter or detect those who are intentionally or maliciously exfiltrating data.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 300
ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
Cybersecurity Engineering for Legacy Systems: 6 Recommendations – SEI Blog
How to Secure Your Company’s Legacy Applications – iCorps
