Practice Free CISA Exam Online Questions
An IS auditor learns that an organization’s business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant.
Which of the following is the auditor’s BEST course of action?
- A . Determine whether the business impact analysis (BIA) is current with the organization’s structure and context.
- B . Determine the types of technologies used at the plant and how they may affect the BCP.
- C . Perform testing to determine the impact to the recovery time objective (RTO).
- D . Assess the risk to operations from the closing of the plant.
A
Explanation:
The IS auditor should first determine whether the business impact analysis (BIA) is current with the organization’s structure and context. The BIA is a critical component of the BCP and should reflect the current state of the organization. If the BIA is not up to date, it may not accurately reflect the impact of a disruption to the organization’s operations, including the closure of a production plant.
Reference: ISACA’s Information Systems Auditor Study Materials
The MOST effective way to reduce sampling risk is to increase:
- A . confidence interval.
- B . population.
- C . audit sampling training.
- D . sample size.
Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?
- A . It helps to identify areas with a relatively high probability of material problems.
- B . It provides a basis for the formulation of corrective action plans.
- C . It increases awareness of the types of management actions that may be inappropriate.
- D . It helps to identify areas that are most sensitive to fraudulent or inaccurate practices.
A
Explanation:
The primary reason for an IS auditor to perform a risk assessment is to help identify areas with a relatively high probability of material problems. A risk assessment is a systematic process of evaluating the potential risks that may be involved in an activity or undertaking. It involves identifying the sources of risk, analyzing the likelihood and impact of the risk, and prioritizing the risks based on their significance. A risk assessment helps the IS auditor to focus on the areas that are most vulnerable to errors, fraud, or inefficiencies, and to design appropriate audit procedures to address those risks. A risk assessment also helps the IS auditor to allocate audit resources efficiently and effectively.
A risk assessment does not provide a basis for the formulation of corrective action plans, as this is a responsibility of management, not the IS auditor. A risk assessment does not increase awareness of the types of management actions that may be inappropriate, as this is a matter of professional ethics and judgment. A risk assessment does not help to identify areas that are most sensitive to fraudulent or inaccurate practices, as this is a result of the risk assessment, not its purpose.
Reference: ISACA, CISA Review Manual, 27th Edition, Chapter 1: The Process of Auditing Information Systems, Section 1.3: Risk Assessment in Planning
Corporate Finance Institute, Audit Risk Model
During an audit of a financial application, it was determined that many terminated users’ accounts were not disabled.
Which of the following should be the IS auditor’s NEXT step?
- A . Perform substantive testing of terminated users’ access rights.
- B . Perform a review of terminated users’ account activity
- C . Communicate risks to the application owner.
- D . Conclude that IT general controls are ineffective.
B
Explanation:
The IS auditor’s next step after determining that many terminated users’ accounts were not disabled is to perform a review of terminated users’ account activity. This means that the IS auditor should check whether any of the terminated users’ accounts were accessed or used after their termination date, which could indicate unauthorized or fraudulent activity. The IS auditor should also assess the impact and risk of such activity on the confidentiality, integrity, and availability of IT resources and data. The other options are not as appropriate as performing a review of terminated users’ account activity, as they do not provide sufficient evidence or assurance of the extent and effect of the problem.
Reference: CISA Review Manual, 27th Edition, page 240
An external audit firm was engaged to perform a validation and verification review for a systems implementation project. The IS auditor identifies that regression testing is not part of the project plan and was not performed by the systems implementation team. According to the team, the parallel testing being performed is sufficient, making regression testing unnecessary.
What should be the auditor’s NEXT step?
- A . Evaluate the extent of the parallel testing being performed
- B . Recommend integration and stress testing be conducted by the systems implementation team
- C . Conclude that parallel testing is sufficient and regression testing is not needed
- D . Recommend regression testing be conducted by the systems implementation team
D
Explanation:
Regression testing is crucial to ensure that new changes do not negatively impact existing functionalities. The IS auditor should recommend that regression testing be conducted to confirm that the system operates correctly after changes are made.
Reference: ISACA CISA Review Manual, 27th Edition, pages 256-257 (Testing Strategies)
When reviewing an organization’s enterprise architecture (EA), which of the following is an IS auditor MOST likely to find within the EA documentation?
- A . Contact information for key resources within the IT department
- B . Detailed encryption standards
- C . Roadmaps showing the evolution from current state to future state
- D . Protocols used to communicate between systems
C
Explanation:
Enterprise Architecture (EA) documentation primarily includes strategic and operational blueprints outlining the evolution of IT infrastructure to align with business goals. Roadmaps showing the evolution from current state to future state (C) are essential for understanding how the organization’s IT environment will change over time to support business strategy.
Other options:
Contact information for key resources (A) is more of an operational or administrative document rather than an EA component.
Detailed encryption standards (B) would typically be found in security policies or system-specific documentation rather than in EA documentation.
Protocols used to communicate between systems (D) are typically documented within network or system architecture diagrams rather than high-level EA documentation.
Reference: ISACA CISA Review Manual, IT Governance and Management of IT
Which of the following documents should specify roles and responsibilities within an IT audit organization?
- A . Organizational chart
- B . Audit charter
- C . Engagement letter
- D . Annual audit plan
B
Explanation:
The audit charter is a document that defines the purpose, scope, authority, and responsibility of an IT audit organization. The audit charter should specify roles and responsibilities within an IT audit organization, such as who is accountable for approving the audit plan, who is responsible for conducting the audits, who is authorized to access the audit evidence, and who is accountable for reporting the audit results. The organizational chart, the engagement letter, and the annual audit plan are also important documents for an IT audit organization, but they do not specify roles and responsibilities as clearly and comprehensively as the audit charter.
For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization’s information security plan includes:
- A . attributes for system passwords.
- B . security training prior to implementation.
- C . security requirements for the new application.
- D . the firewall configuration for the web server.
C
Explanation:
For an organization that has plans to implement web-based trading, it would be most important for an IS auditor to verify that the organization’s information security plan includes security requirements for the new application. Security requirements are statements that define what security features and functions are needed to protect the confidentiality, integrity, and availability of the web-based trading application and its data. Security requirements should be identified and documented during the planning phase of the application development life cycle, before any design or coding activities take place. Attributes for system passwords, security training prior to implementation, and firewall configuration for the web server are also important aspects of information security, but they are not as essential as security requirements for ensuring that the web-based trading application meets its security objectives.
What is the PRIMARY benefit of using one-time passwords?
- A . An intercepted password cannot be reused
- B . Security for applications can be automated
- C . Users do not have to memorize complex passwords
- D . Users cannot be locked out of an account
A
Explanation:
The primary benefit of using one-time passwords is that an intercepted password cannot be reused, as it is valid only for a single login session or transaction. One-time passwords enhance the security of authentication by preventing replay attacks or password guessing. The other options are not the primary benefits of using one-time passwords. Security for applications can be automated with or without one-time passwords. Users may still have to memorize complex passwords or use a device or software to generate one-time passwords. Users can still be locked out of an account if they enter an incorrect or expired one-time password.
Reference: CISA Review Manual (Digital Version), Chapter 6, Section 6.1
Which of the following provides the BEST assurance of data integrity after file transfers?
- A . Check digits
- B . Monetary unit sampling
- C . Hash values
- D . Reasonableness check
C
Explanation:
The best assurance of data integrity after file transfers is hash values. A hash value is a fixed-length digest computed from the data by a one-way mathematical function (for example SHA-256); it can be used to verify that the data has not been altered or corrupted during the transfer, because any change to the data, even a single bit, produces a different hash value. By computing the hash of the source file before the transfer and the hash of the destination file after it, and comparing the two, one can confirm that the data is identical and intact.
The other options are not as effective as hash values for ensuring data integrity after file transfers. Check digits are digits added to a number to detect errors in data entry or transmission, but they are not reliable for detecting intentional or complex modifications of the data. Monetary unit sampling is a statistical sampling technique used for auditing financial statements and is not applicable to verifying data integrity after file transfers. A reasonableness check is a validation method that tests whether the data falls within an expected range or format, but it does not guarantee that the data is accurate or consistent with the source.
Reference: On Windows, how to check that data is unchanged after copying? – Super User
Data integrity | Cloud Storage Transfer Service Documentation | Google Cloud
Checking File Integrity – HECC Knowledge Base
How to setup File Transfer Integrity Checks – Progress.com
