Practice Free CISA Exam Online Questions
An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction.
Which of the following should the auditor do NEXT?
- A . Report the variance immediately to the audit committee
- B . Request an explanation of the variance from the auditee
- C . Increase the sample size to 100% of the population
- D . Exclude the transaction from the sample population
B
Explanation:
An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction. The next step that the auditor should do is to request an explanation of the variance from the auditee. This is because the variance may indicate an error, fraud, or an unusual but legitimate transaction that requires further investigation. The auditor should not report the variance immediately to the audit committee without verifying its cause and significance. The auditor should not increase the sample size to 100% of the population without considering the cost-benefit analysis and the sampling methodology. The auditor should not exclude the transaction from the sample population without justification, as it may affect the validity and reliability of the audit results.
Reference: CISA Review Manual (Digital Version), [ISACA Auditing Standards]
An IT balanced scorecard is PRIMARILY used for:
- A . evaluating the IT project portfolio
- B . measuring IT strategic performance
- C . allocating IT budget and resources
- D . monitoring risk in IT-related processes
B
Explanation:
An IT balanced scorecard is primarily used for measuring IT strategic performance. An IT balanced scorecard is a framework that translates the IT strategy into measurable objectives, indicators, targets, and initiatives across four perspectives: financial, customer, internal process, and learning and growth. An IT balanced scorecard helps to monitor and evaluate how well the IT function is delivering value to the organization, achieving its strategic goals, and improving its capabilities and competencies. The other options are not the primary uses of an IT balanced scorecard, because they either focus on specific aspects of IT rather than the overall performance, or they are not directly related to the IT strategy.
Reference: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.3
During recent post-implementation reviews, an IS auditor has noted that several deployed applications are not being used by the business.
The MOST likely cause would be the lack of:
- A . IT portfolio management.
- B . IT resource management.
- C . system support documentation.
- D . change management.
A KEY benefit of integrated auditing is that it:
- A . Facilitates the business in reviewing its control environment.
- B . Enables continuous auditing and monitoring.
- C . Improves the review of audit work by team leaders.
- D . Combines skill sets from operational, functional, and IS auditors.
D
Explanation:
An integrated audit merges financial, operational, compliance, and IT audits into a single coordinated review. The key benefit is leveraging a multidisciplinary team with combined skill sets, resulting in a more holistic evaluation of risks and controls.
Option A: Business reviews are important but not the primary benefit.
Option B: Continuous auditing is a separate methodology.
Option C: Better review by team leaders may occur, but that’s not unique to integrated audits.
Option D: Correct; the main advantage is combining diverse audit expertise.
Reference: ISACA CISA Review Manual 27th Edition, Domain 1, section on integrated audits and multidisciplinary audit approaches.
During the forensic investigation of a cyberattack involving credit card data, which of the following is MOST important to ensure?
- A . Adequate card security features are activated.
- B . The company’s payment platforms are blocked.
- C . Proper chain of custody is maintained.
- D . All staff in the payment card unit are interviewed.
C
Explanation:
In forensic investigations, maintaining a proper chain of custody is critical to ensuring that evidence is admissible in court and has not been altered.
Option A (Incorrect): Activating security features (e.g., encryption or tokenization) is a preventive measure but does not aid in investigating the attack.
Option B (Incorrect): Blocking payment platforms may be necessary for damage control, but it does not ensure a proper investigation.
Option C (Correct): The chain of custody ensures that evidence remains intact, can be traced, and is legally valid for prosecution. This is the most critical aspect of forensic investigations.
Option D (Incorrect): Interviewing staff may provide insights, but without proper evidence handling, the investigation’s integrity is at risk.
Reference: ISACA CISA Review Manual, Domain 5: Protection of Information Assets, which covers forensic investigations, evidence handling, and legal compliance.
Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?
- A . The information security policy has not been updated in the last two years.
- B . Senior management was not involved in the development of the information security policy.
- C . A list of critical information assets was not included in the information security policy.
- D . The information security policy is not aligned with regulatory requirements.
Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?
- A . Classifies documents to correctly reflect the level of sensitivity of information they contain
- B . Defines the conditions under which documents containing sensitive information may be transmitted
- C . Classifies documents in accordance with industry standards and best practices
- D . Ensures documents are handled in accordance with the sensitivity of information they contain
A
Explanation:
The role of a document owner when implementing a data classification policy in an organization is to classify documents to correctly reflect the level of sensitivity of information they contain. A document owner is the person who is ultimately responsible for the creation, maintenance, and protection of a document, usually a member of senior management or a business unit [1]. A data classification policy is a plan that defines how the organization categorizes its data based on its value, risk, and regulatory requirements, and how it handles and secures each data category [2].
According to the data classification policy template by Netwrix [3], one of the roles and responsibilities of the document owner is to assign data classification labels based on the data’s potential impact level. Data classification labels are tags or markings that indicate the sensitivity level of the data, such as public, internal, confidential, or restricted. The document owner should apply the data classification labels to the documents that contain the data, either manually or automatically, using tools and methods such as metadata, watermarks, headers, footers, or encryption. The document owner should also review and update the data classification labels periodically or whenever there is a change in the data’s sensitivity level.
By classifying documents to correctly reflect the level of sensitivity of information they contain, the document owner can help to ensure that the documents are handled in accordance with the data classification policy. This means that the documents are stored, accessed, shared, transmitted, and disposed of in a secure and appropriate manner, based on the rules and controls defined for each data category. This can also help to prevent data loss, leakage, or breach incidents that may cause harm or damage to the organization or its stakeholders.
Therefore, option A is the correct answer.
Reference:
[1] Data Classification and Handling Policy – University of Hull
[2] Data Classification Policy: Definition, Examples, & Free Template
[3] Data Classification Policy Template – Netwrix
Which of the following helps to ensure the integrity of data for a system interface?
- A . System interface testing
- B . User acceptance testing (UAT)
- C . Validation checks
- D . Audit logs
C
Explanation:
Validation checks are a type of data quality control that helps to ensure the integrity of data for a system interface. Validation checks verify that the data entered or transferred between systems is correct, consistent, and conforms to predefined rules or standards. Validation checks can prevent or detect errors, anomalies, or inconsistencies in the data that may affect the system’s functionality, performance, or security.
Option C is correct because validation checks are a common and effective method of ensuring data integrity for a system interface. Validation checks can be performed at various stages of the data lifecycle, such as input, processing, output, or storage. Validation checks can also be applied to different types of data, such as data types, codes, ranges, formats, consistency, and uniqueness.
Option A is incorrect because system interface testing is a type of software testing that verifies the interaction between two separate systems or components of a system. System interface testing does not directly ensure the integrity of data for a system interface, but rather the functionality and reliability of the interface itself. System interface testing may use validation checks as part of its test cases, but it is not the same as validation checks.
Option B is incorrect because user acceptance testing (UAT) is a type of software testing that evaluates whether the system meets the user’s expectations and requirements. UAT does not directly ensure the integrity of data for a system interface, but rather the usability and acceptability of the system from the user’s perspective. UAT may use validation checks as part of its test scenarios, but it is not the same as validation checks.
Option D is incorrect because audit logs are records of events and activities that occur within a system or network. Audit logs do not directly ensure the integrity of data for a system interface, but rather provide evidence and accountability for the system’s operations and security. Audit logs may use validation checks as part of their analysis or reporting, but they are not the same as validation checks.
Reference: CISA Online Review Course, Module 5: Protection of Information Assets, Lesson 4: Data Quality Management, slides 5-6.
CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.3: Data Quality Management, pp. 281-282.
CISA Review Manual (Print Version), Chapter 5: Protection of Information Assets, Section 5.3: Data Quality Management, pp. 281-282.
CISA Questions, Answers & Explanations Database, Question ID: QAE_CISA_722.
Data Validation – Overview, Types, Practical Examples
Data Validity: The Best Practice for Your Business
Validation – Data validation
What is Data Validation? Types, Techniques, Tools
Which of the following should be an IS auditor’s PRIMARY focus when auditing the implementation of a new IT operations performance monitoring system?
- A . Reviewing whether all changes have been implemented
- B . Validating whether baselines have been established
- C . Confirming whether multi-factor authentication (MFA) is deployed as part of the operational enhancements
- D . Determining whether there is a process for annual review of the maintenance manual
Which of the following is the PRIMARY function of an internal IS auditor when the organization acquires a new IT system to support its business strategy?
- A . Identifying significant IT errors and fraud
- B . Assessing system development life cycle (SDLC) controls
- C . Implementing risk and control gap mitigation
- D . Evaluating IT risk and controls
