Practice Free CISA Exam Online Questions
An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found.
Which sampling method would be appropriate?
- A . Discovery sampling
- B . Judgmental sampling
- C . Variable sampling
- D . Stratified sampling
A
Explanation:
Discovery sampling is the appropriate method when the auditor intends to launch an intensive investigation if even one exception is found. It is a form of attribute sampling in which the sample size is chosen so that, if the attribute exists in the population at a given rate, the risk of drawing a sample that contains no occurrence at all is kept at or below an acceptable level. It is typically used to detect fraud or errors that have a low probability of occurrence but a high impact on the audit objective. The other options do not fit this purpose: judgmental sampling relies on the auditor's subjective selection and gives no statistical assurance, variable sampling estimates monetary or other quantitative values rather than testing for the presence of an attribute, and stratified sampling divides the population into subgroups to improve precision but does not by itself define a stopping rule on the first exception.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.31
CISA Review Questions, Answers & Explanations Database, Question ID 230
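The explanation above describes how discovery sampling sets its sample size in words; the following added example (not from the CISA manual or this page) carries the arithmetic through. It uses the standard stopping rule: the sample is large enough when the probability of seeing zero occurrences, given an assumed occurrence rate in the population, is at or below the acceptable risk. The binomial version is the one behind the usual discovery sampling tables; the finite-population version is exact for a log of known size. The log size, occurrence rate and risk level in the usage block are constructed for illustration.

```python
import math


def discovery_sample_size(occurrence_rate: float, acceptable_risk: float) -> int:
    """Smallest sample size n such that, if the attribute occurs in the
    population at `occurrence_rate`, the probability of drawing n items and
    seeing no occurrence at all is at most `acceptable_risk`.

    Independent-draw (binomial) approximation, which is what the common
    discovery sampling tables are built on:
        (1 - p) ** n <= risk   =>   n >= ln(risk) / ln(1 - p)
    """
    if not 0 < occurrence_rate < 1 or not 0 < acceptable_risk < 1:
        raise ValueError("occurrence_rate and acceptable_risk must lie in (0, 1)")
    return math.ceil(math.log(acceptable_risk) / math.log(1 - occurrence_rate))


def prob_no_occurrence(population: int, occurrences: int, sample_size: int) -> float:
    """Exact probability that `sample_size` items drawn without replacement from
    `population` items, of which `occurrences` carry the attribute, contain
    none of them (hypergeometric zero-hit probability)."""
    if sample_size > population - occurrences:
        return 0.0  # more draws than clean items: a hit is guaranteed
    p_zero = 1.0
    for i in range(sample_size):
        # P(draw i is clean | draws 0..i-1 were all clean)
        p_zero *= (population - occurrences - i) / (population - i)
    return p_zero


def discovery_sample_size_finite(population: int, occurrences: int, acceptable_risk: float) -> int:
    """Same stopping rule as discovery_sample_size, but exact for a finite
    population of `population` log entries assumed to contain `occurrences`
    exceptions. Never larger than the binomial figure, so the table value is
    conservative for any real, finite log."""
    if not 0 < occurrences < population or not 0 < acceptable_risk < 1:
        raise ValueError("need 0 < occurrences < population and 0 < acceptable_risk < 1")
    for n in range(1, population - occurrences + 2):
        if prob_no_occurrence(population, occurrences, n) <= acceptable_risk:
            return n
    return population - occurrences + 1  # not reached: that n already has probability 0


def discovery_table(rates=(0.005, 0.01, 0.02, 0.05), risks=(0.10, 0.05, 0.01)):
    """Sample sizes for several assumed occurrence rates and acceptable risks,
    as {(rate, risk): n}: the form in which auditors usually consult discovery sampling."""
    return {(p, r): discovery_sample_size(p, r) for p in rates for r in risks}


if __name__ == "__main__":
    # Constructed scenario (assumption, not from the page): an access log of
    # 2,000 entries; the auditor wants 95% confidence of catching at least one
    # exception if 1% of entries are exceptions, and will investigate on the first hit.
    n_table = discovery_sample_size(0.01, 0.05)
    n_exact = discovery_sample_size_finite(2000, 20, 0.05)
    print(f"binomial table size: {n_table}, exact for N=2000: {n_exact}")
    for (p, r), n in sorted(discovery_table().items()):
        print(f"rate {p:>5.1%}  risk {r:>4.0%}  ->  sample {n}")
```

The point the numbers make is that the sample size is driven by the rate the auditor is prepared to assume and the risk of missing it entirely, not by population size: at 1% and 5% risk the binomial figure is 299 regardless of log size, and the exact finite-population figure is only slightly smaller. If the auditor assumes a rarer exception (0.5%), the sample roughly doubles.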
An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data.
Which of the following is the PRIMARY advantage of this approach?
- A . Audit transparency
- B . Data confidentiality
- C . Professionalism
- D . Audit efficiency
D
Explanation:
The primary advantage of this approach is that it improves audit efficiency. Audit efficiency is the measure of how well the audit resources are used to achieve the audit objectives. Audit efficiency can be enhanced by using methods or techniques that can save time, cost, or effort without compromising the quality or scope of the audit. By requesting direct access to data required to perform audit procedures instead of asking management to provide the data, the auditor can reduce the dependency on management’s cooperation, availability, or timeliness. The auditor can also avoid potential delays, errors, or biases that may occur when management provides the data.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.41
CISA Online Review Course, Domain 1, Module 1, Lesson 42
Which of the following is the MOST effective way to maintain network integrity when using mobile devices?
- A . Implement network access control.
- B . Implement outbound firewall rules.
- C . Perform network reviews.
- D . Review access control lists.
A
Explanation:
The most effective way to maintain network integrity when mobile devices are in use is to implement network access control (NAC). NAC regulates and restricts access to network resources based on predefined policies and criteria such as device type, identity, location, or security posture, so unauthorized or compromised devices are kept from reaching or affecting network systems and data. The other options address only part of the problem and none of them regulates access on the basis of device characteristics or conditions: outbound firewall rules filter and block traffic by source, destination, protocol, or port; network reviews are a monitoring activity that evaluates and reports on the performance, availability, or security of network resources; and reviewing access control lists is a verification activity that validates the access rights and privileges already granted to users or devices.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.2
Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?
- A . Role-based access control policies
- B . Types of data that can be uploaded to the platform
- C . Processes for on-boarding and off-boarding users to the platform
- D . Processes for reviewing administrator activity
B
Explanation:
The most important thing to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition is the types of data that can be uploaded to the platform. This is because different types of data may have different security, privacy, and compliance requirements, depending on the nature, sensitivity, and value of the data. For example, personal data, financial data, health data, or intellectual property data may be subject to various laws and regulations that govern how they can be collected, stored, processed, and shared in the cloud. Therefore, it is essential to identify and classify the types of data that will be uploaded to the platform, and ensure that the platform meets the organization’s policies and standards for data protection [1].
The other options are not as important as the types of data that can be uploaded to the platform during the planning phase of a cloud-based messaging and collaboration platform acquisition.
Option A, role-based access control policies, is a mechanism that defines who can access what data and resources on the platform based on their roles and responsibilities. Role-based access control policies are important for ensuring data security and accountability, but they can be designed and implemented after the platform is acquired [2].
Option C, processes for on-boarding and off-boarding users to the platform, are procedures that enable or disable user accounts and access rights on the platform. Processes for on-boarding and off-boarding users are important for managing user identities and lifecycles, but they can be developed and executed after the platform is acquired [3].
Option D, processes for reviewing administrator activity, are methods that monitor and audit the actions and events performed by administrators on the platform. Processes for reviewing administrator activity are important for detecting and preventing unauthorized or malicious activities, but they can be established and performed after the platform is acquired [4].
Reference:
[1] Cloud messaging and collaboration | Sumo Logic
[2] MessageBird acquires real-time notifications and in-app messaging platform Pusher for $35M | TechCrunch
[3] Symphony to lead financial market communications with the acquisition of Cloud9 Technologies
[4] Cloud Messaging and Collaboration Services – Maryland.gov DoIT
Management has learned the implementation of a new IT system will not be completed on time and has requested an audit.
Which of the following audit findings should be of GREATEST concern?
- A . The actual start times of some activities were later than originally scheduled.
- B . Tasks defined on the critical path do not have resources allocated.
- C . The project manager lacks formal certification.
- D . Milestones have not been defined for all project products.
B
Explanation:
The audit finding of greatest concern is that tasks on the critical path have no resources allocated. The critical path is the sequence of activities that determines the minimum time required to complete the project, so a critical-path task that cannot start for lack of resources delays the whole project and typically drives cost overruns as well. Some activities starting later than originally scheduled is a deviation from the plan, but it does not affect the completion date as long as the slippage stays within the float of activities that are not on the critical path. The project manager lacking formal certification may affect the quality and efficiency of the project management process, but it does not by itself mean the project manager is incompetent or unqualified. Milestones not being defined for all project products is a weakness in project control and reporting, but it is a planning gap rather than a direct cause of delay in the way that unresourced critical-path tasks are.
Reference: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.3: IT Project Management
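To make the reasoning about the critical path concrete, here is an added example (not from the CISA manual or this page) that runs the critical path method over a small constructed task network. It computes earliest and latest start and finish for each task, derives the float, and then shows the two effects the explanation relies on: a late start on a task with float does not move the completion date until the float is used up, while any slippage on a critical-path task, including a task that cannot start because nobody is assigned to it, moves the completion date day for day. The task names, durations and the "resourced" flag are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Task:
    duration: int                        # planned duration in days
    predecessors: Tuple[str, ...] = ()   # tasks that must finish first
    resourced: bool = True               # someone is actually assigned to do it


# Constructed sample network for a small system implementation (assumption, not from the page).
SAMPLE: Dict[str, Task] = {
    "A": Task(3),                             # requirements sign-off
    "B": Task(2, ("A",)),                     # user training material (has float)
    "C": Task(4, ("A",), resourced=False),    # interface build: critical, nobody assigned
    "D": Task(2, ("B", "C")),                 # integration test
    "E": Task(1, ("D",)),                     # go-live
}


def _topological_order(tasks):
    placed, order = set(), []
    while len(order) < len(tasks):
        ready = [n for n in tasks
                 if n not in placed and all(p in placed for p in tasks[n].predecessors)]
        if not ready:
            raise ValueError("cycle or unknown predecessor in task network")
        for n in ready:
            placed.add(n)
            order.append(n)
    return order


def schedule(tasks, delays=None):
    """Critical path method: forward pass for earliest start/finish (es/ef),
    backward pass for latest start/finish (ls/lf), float = ls - es.
    `delays` maps a task name to the days its actual start slipped past its
    earliest possible start (for a task with no resources, that is every day it waits)."""
    delays = delays or {}
    order = _topological_order(tasks)
    es, ef = {}, {}
    for n in order:
        es[n] = max((ef[p] for p in tasks[n].predecessors), default=0) + delays.get(n, 0)
        ef[n] = es[n] + tasks[n].duration
    project_end = max(ef.values())
    successors = {n: [] for n in tasks}
    for n, t in tasks.items():
        for p in t.predecessors:
            successors[p].append(n)
    ls, lf = {}, {}
    for n in reversed(order):
        lf[n] = min((ls[s] for s in successors[n]), default=project_end)
        ls[n] = lf[n] - tasks[n].duration
    return {n: {"es": es[n], "ef": ef[n], "ls": ls[n], "lf": lf[n], "float": ls[n] - es[n]}
            for n in order}


def project_duration(tasks, delays=None):
    return max(v["ef"] for v in schedule(tasks, delays).values())


def critical_path(tasks):
    """Tasks with zero float: the chain that fixes the minimum project duration."""
    return [n for n, v in schedule(tasks).items() if v["float"] == 0]


def unresourced_critical_tasks(tasks):
    """The audit finding of greatest concern: critical-path tasks nobody is assigned to."""
    return [n for n in critical_path(tasks) if not tasks[n].resourced]


if __name__ == "__main__":
    print("critical path:", critical_path(SAMPLE), "duration:", project_duration(SAMPLE))
    print("B starts 2 days late (within its float):", project_duration(SAMPLE, {"B": 2}))
    print("B starts 3 days late (exceeds its float):", project_duration(SAMPLE, {"B": 3}))
    print("C starts 1 day late (critical task):", project_duration(SAMPLE, {"C": 1}))
    print("critical tasks with no resources:", unresourced_critical_tasks(SAMPLE))
```

Read against the answer options: a late start on B (option A's situation) is absorbed by its two days of float, whereas C has no float and no one to do it, so every day it waits is a day added to the go-live date. That is why unresourced critical-path tasks outrank the other findings.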
Which of the following information security requirements BEST enables the tracking of organizational data in a bring your own device (BYOD) environment?
- A . Employees must immediately report lost or stolen mobile devices containing organizational data
- B . Employees must sign acknowledgment of the organization’s mobile device acceptable use policy
- C . Employees must enroll their personal devices in the organization’s mobile device management program
C
Explanation:
The best way to track organizational data in a BYOD environment is to enroll the personal devices in the organization’s mobile device management (MDM) program. This will allow the organization to monitor, control, and secure the data on the devices remotely. Employees must also report lost or stolen devices and sign the acceptable use policy, but these are not sufficient to enable tracking of data.
Reference: Info Technology & Systems Resources | COBIT, Risk, Governance … – ISACA, section “Book IT Control Objectives for Sarbanes-Oxley, 4th Edition | Digital | English”
Which of the following is the PRIMARY purpose of a business impact analysis (BIA) in an organization’s overall risk management strategy?
- A . Evaluating business investment opportunities for the organization
- B . Identifying critical business processes to effectively prioritize recovery efforts
- C . Ensuring compliance with regulations through regular audits
- D . Conducting vulnerability assessments to enhance network security measures
An organization’s IT department and internal IS audit function all report to the chief information officer (CIO).
Which of the following is the GREATEST concern associated with this reporting structure?
- A . Potential for inaccurate audit findings
- B . Compromise of IS audit independence
- C . IS audit resources being shared with other IT functions
- D . IS audit being isolated from other audit functions
B
Explanation:
The greatest concern with the IT department and the internal IS audit function both reporting to the CIO is the compromise of IS audit independence. Auditor independence refers to the impartiality and objectivity of an auditor in conducting an audit, free from conflicts of interest and bias [1], and it is essential to the quality and reliability of the audit’s conclusions. If the IS audit function reports to the CIO, who also oversees the IT department being audited, the auditors are assessing the work of their own reporting line, a conflict of interest that could compromise the impartiality and objectivity of the IS audit function.
Reference: [1] Auditor Independence – What is it, Rules, Importance, Examples
Which of the following is the BEST source of organizational direction on when to use cloud services?
- A . Enterprise architecture (EA)
- B . Business continuity plans (BCPs)
- C . Availability requirements
- D . Cloud regulations
