Practice Free CISA Exam Online Questions
In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?
- A . Planning phase
- B . Execution phase
- C . Follow-up phase
- D . Selection phase
A
Explanation:
The planning phase is the stage of the internal audit process where contact is established with the individuals responsible for the business processes in scope for review. The planning phase involves defining the objectives, scope, and criteria of the audit, as well as identifying the key risks and controls related to the audited area. The planning phase also involves communicating with the auditee to obtain relevant information, documents, and data, as well as to schedule interviews, walkthroughs, and meetings. The planning phase aims to ensure that the audit team has a clear understanding of the audited area and its context, and that the audit plan is aligned with the expectations and needs of the auditee and other stakeholders.
The execution phase is the stage of the internal audit process where the audit team performs the audit procedures according to the audit plan. The execution phase involves testing the design and operating effectiveness of the controls, collecting and analyzing evidence, documenting the audit work and results, and identifying any issues or findings. The execution phase aims to provide sufficient and appropriate evidence to support the audit conclusions and recommendations.
The follow-up phase is the stage of the internal audit process where the audit team monitors and verifies the implementation of the corrective actions agreed upon by the auditee in response to the audit findings. The follow-up phase involves reviewing the evidence provided by the auditee, conducting additional tests or interviews if necessary, and evaluating whether the corrective actions have adequately addressed the root causes of the findings. The follow-up phase aims to ensure that the auditee has taken timely and effective actions to improve its processes and controls.
The selection phase is not a standard stage of the internal audit process, but it may refer to the process of selecting which areas or functions to audit based on a risk assessment or an annual audit plan. The selection phase involves evaluating the inherent and residual risks of each potential auditable area, considering the impact, likelihood, and frequency of those risks, as well as other factors such as regulatory requirements, stakeholder expectations, previous audit results, and available resources. The selection phase aims to prioritize and allocate the audit resources to those areas that present the highest risks or opportunities for improvement.
Therefore, option A is the correct answer.
Reference: Stages and phases of internal audit – piranirisk.com
Step-by-Step Internal Audit Checklist | AuditBoard
Audit Process | The Office of Internal Audit – University of Oregon
Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?
- A . Purchase requisitions and purchase orders
- B . Invoices and reconciliations
- C . Vendor selection and statements of work
- D . Good receipts and payments
D
Explanation:
The greatest segregation of duties conflict would occur if the individual who performs the related tasks also has approval authority for purchase requisitions and purchase orders. This is because these two tasks are directly related to each other and involve financial transactions. If the same person is responsible for both tasks, it could lead to potential fraud or error. For instance, the individual could approve a purchase order for a personal need and then also approve the payment for it, leading to misuse of company funds.
Reference: Segregation of Duties: Examples of Roles, Duties & Violations – Pathlock
Functions in the Purchasing Process and how to Segregate Purchasing Duties
An IS auditor is reviewing job scheduling software and notes instances of delayed processing time, unexpected job interruption, and out-of-sequence job execution.
Which of the following should the auditor examine FIRST to help determine the reasons for these instances?
- A . System schedule
- B . Job schedule
- C . Exception log
- D . Change log
The PRIMARY advantage of object-oriented technology is enhanced:
- A . efficiency due to the re-use of elements of logic.
- B . management of sequential program execution for data access.
- C . grouping of objects into methods for data access.
- D . management of a restricted variety of data types for a data object.
A
Explanation:
The primary advantage of object-oriented technology is enhanced efficiency due to the re-use of elements of logic. Object-oriented technology is a software design model that uses objects, which contain both data and code, to create modular and reusable programs. Objects can be inherited from other objects, which reduces duplication and improves maintainability. Grouping objects into methods for data access, managing sequential program execution for data access, and managing a restricted variety of data types for a data object are not advantages of object-oriented technology.
Reference: ISACA CISA Review Manual 27th Edition, page 304
Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?
- A . Periodic vendor reviews
- B . Dual control
- C . Independent reconciliation
- D . Re-keying of monetary amounts
B
Explanation:
The best recommendation to prevent fraudulent electronic funds transfers by accounts payable employees is dual control. Dual control is a segregation of duties control that requires two or more individuals to perform or authorize a transaction or activity. Dual control can prevent fraudulent electronic funds transfers by requiring independent verification and approval of payment requests, amounts, and recipients by different accounts payable employees. The other options are not as effective as dual control in preventing fraudulent electronic funds transfers, as they do not involve independent checks or approvals. Periodic vendor reviews are detective controls that can help identify any irregularities or anomalies in vendor payments, but they do not prevent fraudulent electronic funds transfers from occurring. Independent reconciliation is a detective control that can help compare and confirm payment records with bank statements, but it does not prevent fraudulent electronic funds transfers from occurring. Re-keying of monetary amounts is an input control that can help detect any errors or discrepancies in payment amounts, but it does not prevent fraudulent electronic funds transfers from occurring.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.2
A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification.
Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?
- A . Include the requirement in the incident management response plan.
- B . Establish key performance indicators (KPIs) for timely identification of security incidents.
- C . Enhance the alert functionality of the intrusion detection system (IDS).
- D . Engage an external security incident response expert for incident handling.
A
Explanation:
The best recommendation to facilitate compliance with the regulation that requires organizations to report significant security incidents to the regulator within 24 hours of identification is to include the requirement in the incident management response plan. An incident management response plan is a document that defines the roles, responsibilities, procedures, and tools for managing security incidents effectively and efficiently. Including the requirement in the incident management response plan can help ensure that security incidents are identified, classified, reported, and escalated in accordance with the regulation. The other options are not as effective as including the requirement in the incident management response plan, as they do not address all aspects of incident management or compliance. Establishing key performance indicators (KPIs) for timely identification of security incidents is a monitoring technique that can help measure and improve the performance of incident management processes, but it does not ensure compliance with the regulation. Enhancing the alert functionality of the intrusion detection system (IDS) is a technical control that can help detect and notify security incidents faster, but it does not ensure compliance with the regulation. Engaging an external security incident response expert for incident handling is a contingency measure that can help augment the organization’s internal capabilities and resources for managing security incidents, but it does not ensure compliance with the regulation.
Reference: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2
In the development of a new financial application, the IS auditor’s FIRST involvement should be in the:
- A . control design.
- B . feasibility study.
- C . application design.
- D . system test.
B
Explanation:
In the development of a new financial application, the IS auditor’s first involvement should be in the feasibility study. A feasibility study is a preliminary analysis that evaluates the technical, operational, economic, and legal aspects of a proposed project or system. A feasibility study helps determine whether the project or system is viable, feasible, and desirable for the organization and its stakeholders.
The IS auditor’s role in the feasibility study is to provide an independent and objective assessment of the project or system’s risks, benefits, costs, and impacts. The IS auditor should also ensure that the feasibility study follows a structured and systematic approach, considers all relevant factors and alternatives, and complies with the organization’s policies and standards. The IS auditor should also verify that the feasibility study is documented and communicated to the appropriate decision-makers.
The IS auditor’s involvement in the feasibility study is important because it can help:
- Identify and mitigate potential risks and issues that could affect the project or system’s success
- Evaluate and justify the project or system’s alignment with the organization’s strategy, goals, and value proposition
- Estimate and optimize the project or system’s resources, budget, schedule, and quality
- Assess and enhance the project or system’s security, reliability, performance, and usability
- Ensure that the project or system meets the expectations and requirements of the users and other stakeholders
The other three options are not the first involvement of the IS auditor in the development of a new financial application, although they may be part of the subsequent stages of the development process. Control design is the process of defining and implementing controls that ensure the security, integrity, availability, and efficiency of the system. Application design is the process of specifying the functional and technical features of the system. System test is the process of verifying that the system meets the specifications and requirements.
Therefore, feasibility study is the best answer.
Reference: Feasibility Study – ISACA
IS Auditing Guideline G13 Performing an IS Audit Engagement – ISACA
When conducting an audit of an organization’s use of AI in its customer service chatbots, an IS auditor should PRIMARILY focus on the:
- A . Safeguarding of personal data processing by the AI system.
- B . AI system’s compliance with industry security standards.
- C . Speed and accuracy of chatbot responses to customer queries.
- D . AI system’s ability to handle multiple customer queries at once.
A
Explanation:
The primary concern when auditing an AI-powered chatbot is ensuring the safeguarding of personal data to comply with privacy regulations such as GDPR, CCPA, and ISO 27701. AI chatbots process customer inquiries, often handling sensitive personal data.
Safeguarding of Personal Data (Correct Answer – A)
- Ensures compliance with data protection laws.
- Reduces the risk of unauthorized access or data leakage.
- Example: An AI chatbot collecting customer financial information must follow encryption and access control policies.
Compliance with Industry Standards (Incorrect – B)
- Important, but protecting customer data takes priority over general compliance.
Speed and Accuracy of Chatbot Responses (Incorrect – C)
- A performance metric, but not a primary audit focus.
AI’s Ability to Handle Multiple Queries (Incorrect – D)
- Efficiency metric, but does not address security risks.
Reference: ISACA CISA Review Manual
ISO 27701 (Privacy Information Management System)
GDPR & CCPA Compliance Guidelines
An IS auditor can BEST evaluate the business impact of system failures by:
- A . assessing user satisfaction levels.
- B . interviewing the security administrator.
- C . analyzing equipment maintenance logs.
- D . reviewing system-generated logs.
Which of the following is the BEST indication that a software development project is on track to meet its completion deadline?
- A . Technical specifications and development requirements have been agreed upon and formally recorded.
- B . Project plan due dates have been documented for each phase of the software development life cycle.
- C . Issues identified during user acceptance testing (UAT) have been addressed prior to the original implementation date.
- D . The planned software go-live date has been communicated in advance to end users and stakeholders.
