Practice Free CISA Exam Online Questions
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit.
Which of the following should be the auditor’s NEXT course of action?
- A . Evaluate the appropriateness of the remedial action taken.
- B . Conduct a risk analysis incorporating the change.
- C . Report results of the follow-up to the audit committee.
- D . Inform senior management of the change in approach.
A
Explanation:
The auditor’s next course of action should be to evaluate the appropriateness of the remedial action taken by the auditee. The auditor should assess whether the alternative approach taken by the auditee is effective, efficient, and aligned with the audit objectives and recommendations. The auditor should also consider the impact of the change on the audit scope, criteria, and risk assessment. Conducting a risk analysis incorporating the change, reporting results of the follow-up to the audit committee, and informing senior management of the change in approach are possible subsequent actions that the auditor may take after evaluating the appropriateness of the remedial action taken.
Reference: CISA Review Manual (Digital Version): Chapter 1 – Information Systems Auditing Process
During the planning stage of a compliance audit, an IS auditor discovers that a bank’s inventory of compliance requirements does not include recent regulatory changes related to managing data risk.
What should the auditor do FIRST?
- A . Ask management why the regulatory changes have not been included.
- B . Discuss potential regulatory issues with the legal department.
- C . Report the missing regulatory updates to the chief information officer (CIO).
- D . Exclude recent regulatory changes from the audit scope.
A
Explanation:
Asking management why the regulatory changes have not been included is the first thing that an IS auditor should do during the planning stage of a compliance audit. An IS auditor should inquire about the reasons for not updating the inventory of compliance requirements with recent regulatory changes related to managing data risk. This will help the IS auditor to understand whether there is a gap in awareness, communication, or implementation of compliance obligations within the organization. The other options are not the first things that an IS auditor should do, but rather possible subsequent actions that may depend on management’s response.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.31
CISA Review Questions, Answers & Explanations Database, Question ID 214
Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization’s goals?
- A . Balanced scorecard
- B . Enterprise dashboard
- C . Enterprise architecture (EA)
- D . Key performance indicators (KPIs)
A
Explanation:
The most useful tool for determining whether the goals of IT are aligned with the organization’s goals is a balanced scorecard. A balanced scorecard is a strategic management system that translates an organization’s vision and mission into a set of objectives and measures across four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard helps align IT goals with organizational goals by linking them to a common strategy map that shows how IT contributes to value creation and performance improvement in each perspective. A balanced scorecard also helps monitor and evaluate IT performance against predefined targets and indicators.
Enterprise dashboard, enterprise architecture (EA), and key performance indicators (KPIs) are not the most useful tools for determining whether the goals of IT are aligned with the organization’s goals. These tools may help communicate, design, or measure IT goals or activities, but they do not provide a comprehensive framework for aligning IT goals with organizational goals across multiple dimensions.
An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud.
Who should be responsible for the data classification in this project?
- A . Information security officer
- B . Database administrator (DBA)
- C . Information owner
- D . Data architect
C
Explanation:
The best option for the question is C, information owner.
This is because:
The information owner is the person or entity that has the authority and responsibility for the business processes and functions that collect, use, store, and dispose of data.
The information owner is accountable for ensuring that the data is handled in compliance with the applicable laws, regulations, policies, and standards, such as the GDPR and the PIPEDA.
The information owner is in the best position to determine the purpose and necessity of collecting and retaining data, as well as the risks and benefits associated with it.
The information owner should consult with other stakeholders, such as the risk manager, the database administrator (DBA), and the privacy manager, to establish and implement appropriate data classification policies and procedures.
Data classification is the process of organizing data in groups based on their attributes and characteristics, and then assigning class labels that describe a set of attributes that hold true for the corresponding data sets.
Data classification helps organizations to identify, manage, protect, and understand their data, as well as to comply with modern data privacy regulations.
Data classification also helps to determine appropriate user access levels, which means defining who can access, modify, share, or delete data based on their roles, responsibilities, and needs.
Therefore, the information owner should be responsible for the data classification in an ERP migration project from local systems to the cloud (option C), as they have the authority and accountability for the data and its protection.
The other options are not correct because:
The information security officer (option A) is responsible for overseeing and coordinating the security policies and practices of the organization that involve data. The information security officer should advise and assist the information owner on the best practices and standards for data security, but not determine the data classification.
The database administrator (DBA) (option B) is responsible for installing, configuring, monitoring, maintaining, and improving the performance of databases and data stores that contain data. The DBA should support the information owner in implementing and enforcing the data classification policies and procedures, but not determine them.
The data architect (option D) is responsible for designing, modeling, and documenting the logical and physical structures of databases and data stores that contain data. The data architect should collaborate with the information owner in creating and maintaining the data classification schema and metadata, but not determine them.
During a database security audit, an IS auditor is reviewing the process used to input data.
Which of the following is the MOST significant risk area for the auditor to focus on?
- A . Data resilience
- B . Data availability
- C . Data normalization
- D . Data integrity
D
Explanation:
The key audit concern at data input is integrity: ensuring accuracy, validity, and completeness. Without integrity, outputs cannot be trusted. Availability and resilience are operational concerns, while normalization is a design technique. Integrity remains the top security and audit focus.
Reference (ISACA): ISACA Audit & Assurance Standards – Information Criteria (Effectiveness, Efficiency, Integrity, Availability).
A third-party consultant is managing the replacement of an accounting system.
Which of the following should be the IS auditor’s GREATEST concern?
- A . Data migration is not part of the contracted activities.
- B . The replacement is occurring near year-end reporting.
- C . The user department will manage access rights.
- D . Testing was performed by the third-party consultant.
C
Explanation:
The greatest concern for an IS auditor in this scenario is that the user department will manage access rights to the new accounting system. This could pose a significant risk of unauthorized access, segregation of duties violations, data tampering and fraud. The IS auditor should ensure that access rights are defined, approved and monitored by an independent function, such as IT security or internal audit. The other options are not as concerning as option C, as they can be mitigated by other controls or procedures. Data migration is an important part of the system replacement project, but it can be performed by another party or verified by the IS auditor. The timing of the replacement near year-end reporting is a challenge, but it can be managed by proper planning, testing and contingency plans. Testing performed by the third-party consultant is acceptable, as long as it is reviewed and validated by the IS auditor or another independent party.
Reference: CISA Review Manual (Digital Version) 1, Chapter 3: Information Systems Acquisition, Development & Implementation, Section 3.4: System Implementation.
Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
- A . Expected deliverables meeting project deadlines
- B . Sign-off from the IT team
- C . Ongoing participation by relevant stakeholders
- D . Quality assurance (QA) review
Which of the following is the BEST method to safeguard data on an organization’s laptop computers?
- A . Disabled USB ports
- B . Full disk encryption
- C . Biometric access control
- D . Two-factor authentication
B
Explanation:
The best method to safeguard data on an organization’s laptop computers is full disk encryption. Full disk encryption is a technique that encrypts all the data stored on a hard drive, including the operating system, applications, files, and folders. This means that if the laptop is lost, stolen, or accessed by an unauthorized person, they will not be able to read or modify any data without knowing the encryption key or password. Full disk encryption provides a strong level of protection for data at rest, as it prevents data leakage or exposure in case of physical theft or loss of the device.
Reference: How to Protect the Data on Your Laptop
6 Steps to Practice Strong Laptop Security
When processing speed is the highest priority, which cryptographic algorithm should be used to verify the integrity of a bit-for-bit copy from digital evidence?
- A . MD5
- B . SHA-1
- C . AES
- D . SHA-2
A
Explanation:
When verifying the integrity of a bit-for-bit copy of digital evidence, hashing algorithms are used.
The primary factors in selecting a hashing algorithm are speed and collision resistance.
MD5 (Message Digest 5): While not cryptographically secure for all modern applications due to collision vulnerabilities, it is very fast and still acceptable in forensic integrity verification where speed is critical and the probability of collision is negligible for one-time checks.
SHA-1 / SHA-2: Provide stronger cryptographic assurance but are slower than MD5. They are preferred for long-term integrity assurance but not when processing speed is the top priority.
AES (Advanced Encryption Standard): AES is an encryption algorithm, not a hashing algorithm, and therefore is not appropriate for integrity verification.
Reference (ISACA): CISA Review Manual 27th Edition, Domain 5 (Protection of Information Assets), section on cryptographic controls for evidence integrity.
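As an added example (not part of the exam page or ISACA material), the following Python verifies a bit-for-bit copy by comparing the digest of the source and the copy, and measures on the local machine the speed difference between MD5, SHA-1 and SHA-2 (SHA-256) that the explanation refers to. The 8 MiB "evidence image" and the single flipped bit are constructed inline; the function and variable names are this example's own.

```python
# Added example: hash-based verification of a bit-for-bit evidence copy.
import hashlib
import time

ALGORITHMS = ("md5", "sha1", "sha256")  # sha256 is one member of the SHA-2 family


def digests(data, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash `data` once in fixed-size chunks, feeding each chunk to every
    requested digest, the way an imaging tool streams a drive it cannot
    hold in memory. Returns {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        chunk = view[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original, copy, algorithm="md5"):
    """Return (match, source_digest, copy_digest). The copy is accepted only
    when its digest equals the source digest exactly."""
    src = digests(original, (algorithm,))[algorithm]
    dup = digests(copy, (algorithm,))[algorithm]
    return src == dup, src, dup


def time_algorithms(data, algorithms=ALGORITHMS):
    """Wall-clock seconds to hash `data` with each algorithm on this host."""
    timings = {}
    for name in algorithms:
        start = time.perf_counter()
        digests(data, (name,))
        timings[name] = time.perf_counter() - start
    return timings


if __name__ == "__main__":
    # Constructed 8 MiB "evidence image" (deterministic, so runs are repeatable).
    image = bytes(range(256)) * (8 * 1024 * 4)
    bad_copy = bytearray(image)
    bad_copy[4096] ^= 0x01  # a single flipped bit in the copy
    for name in ALGORITHMS:
        ok, src, _ = verify_copy(image, bytes(image), name)
        print(f"{name:7} identical copy -> match={ok} {src}")
        ok, _, dup = verify_copy(image, bytes(bad_copy), name)
        print(f"{name:7} one flipped bit -> match={ok} {dup}")
    for name, seconds in time_algorithms(image).items():
        print(f"{name:7} {seconds * 1000:8.1f} ms for {len(image) >> 20} MiB")
```

Any difference in the copy, even one bit, changes every digest, which is why a matching digest is the acceptance criterion for an evidence copy.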
Which of the following presents the GREATEST risk associated with end-user computing (EUC) applications over financial reporting?
- A . Inability to quickly modify and deploy a solution
- B . Lack of portability for users
- C . Loss of time due to manual processes
- D . Calculation errors in spreadsheets
D
Explanation:
Spreadsheets, often used in EUC, are prone to manual input errors and formula mistakes. These errors can significantly compromise the accuracy and integrity of financial reporting.
Reference: ISACA CISA Review Manual (Current Edition) – Chapter on End-User Computing (EUC) risks
Industry Research on Spreadsheet Errors: Multiple studies highlight the prevalence of errors in spreadsheets, especially those used for financial purposes.
