Practice Free CISA Exam Online Questions
An IS auditor is reviewing an organization’s primary router access control list.
Which of the following should result in a finding?
- A . There are conflicting permit and deny rules for the IT group.
- B . The network security group can change network address translation (NAT).
- C . Individual permissions are overriding group permissions.
- D . There is only one rule per group with access privileges.
C
Explanation:
This should result in a finding because it departs from the practice of writing ACL rules for groups rather than for individual users or hosts. Group-based rules keep the ACL easier to manage and review, reduce the chance of error, and keep the policy consistent. Individual entries layered on top of group rules create conflicts, confusion, and security gaps, and each exception has to be justified and tracked separately. The IS auditor should report the condition as a finding and recommend that access be granted through group rules, with any individual exception documented and approved.
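The two conditions the question asks an auditor to recognise in an ACL (an individual entry overriding a group entry, and conflicting permit/deny entries for the same group) can be spotted mechanically rather than by eye. The script below is an added example and not part of the page: the rule-tuple format, the group labels and the sample ACL are constructed for illustration, and real router syntax differs.

```python
"""Mechanical review of a simplified router ACL (added example, not from the
page). Rule format, group labels and the sample ACL are constructed; real
router ACL syntax (e.g. Cisco 'access-list' lines) differs."""
import ipaddress

# Constructed sample: (sequence, action, source network, group label).
# The group label is what the auditor maps from the ACL documentation;
# it is not part of the router's own syntax.
SAMPLE_ACL = [
    (10, "permit", "10.1.0.0/16", "IT"),
    (20, "deny",   "10.1.0.0/16", "IT"),        # conflicts with seq 10
    (30, "deny",   "10.2.0.5/32", "Finance"),   # host entry overrides seq 40
    (40, "permit", "10.2.0.0/24", "Finance"),
    (50, "permit", "10.3.0.0/24", "HR"),
]


def parse_acl(rules):
    """Turn the string networks into ip_network objects so we can compare them."""
    return [(seq, action, ipaddress.ip_network(net), group)
            for seq, action, net, group in rules]


def find_conflicting_group_rules(acl):
    """Rules for the same group and the same network with opposite actions.
    A router evaluates an ACL top-down and stops at the first match, so the
    later rule is dead (shadowed) and the intended policy is ambiguous."""
    seen = {}
    findings = []
    for seq, action, net, group in acl:
        key = (group, net)
        if key in seen and seen[key][1] != action:
            findings.append(
                f"seq {seq} ({action} {net}, {group}) conflicts with seq {seen[key][0]}")
        seen.setdefault(key, (seq, action))
    return findings


def find_individual_overrides(acl):
    """Host (/32) entries placed before a broader group entry with the
    opposite action: the individual permission wins over the group rule."""
    findings = []
    for i, (seq, action, net, group) in enumerate(acl):
        if net.prefixlen != net.max_prefixlen:
            continue  # only single-host entries count as individual permissions
        for later_seq, later_action, later_net, later_group in acl[i + 1:]:
            if net.subnet_of(later_net) and later_action != action:
                findings.append(
                    f"seq {seq} ({action} host {net.network_address}) overrides "
                    f"group rule seq {later_seq} ({later_action} {later_net}, {later_group})")
    return findings


def review(rules):
    """Return both categories of finding for an ACL in the sample format."""
    acl = parse_acl(rules)
    return {
        "conflicting_group_rules": find_conflicting_group_rules(acl),
        "individual_overrides": find_individual_overrides(acl),
    }


if __name__ == "__main__":
    for category, items in review(SAMPLE_ACL).items():
        print(category)
        for item in items or ["none"]:
            print("  -", item)
```

Either list being non-empty is something the auditor has to follow up: a conflicting pair means one rule never fires, and a host override means the documented group policy is not what the router actually enforces.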
What Is the BEST method to determine if IT resource spending is aligned with planned project spending?
- A . Earned value analysis (EVA)
- B . Return on investment (ROI) analysis
- C . Gantt chart
- D . Critical path analysis
A
Explanation:
The best method to determine whether IT resource spending is aligned with planned project spending is earned value analysis (EVA). EVA compares the actual cost, schedule, and scope of a project with the planned or budgeted values, which makes it possible to measure progress and performance and to identify variances from the baseline plan [1].
EVA uses three basic values to calculate project status: planned value (PV), earned value (EV), and actual cost (AC). PV is the budgeted cost of the work that was scheduled to be completed by a given date. EV is the budgeted cost of the work that was actually completed by that date. AC is the amount actually spent to complete that work [1].
By comparing these values, EVA determines whether the project is on track, ahead of, or behind schedule and budget. From them it derives cost variance (CV = EV - AC), schedule variance (SV = EV - PV), cost performance index (CPI = EV / AC), and schedule performance index (SPI = EV / PV), which quantify the size and direction of the variances, and it can forecast the project's future performance and completion cost from the current trends and assumptions [1].
The other options are not as effective as EVA in determining if IT resource spending is aligned with planned project spending.
Option B, return on investment (ROI) analysis, evaluates the profitability or efficiency of an investment by comparing benefits or revenues with costs. ROI analysis can help to justify or prioritize a project, but it does not measure the project's actual progress or performance against the plan [2].
Option C, a Gantt chart, displays the tasks, durations, dependencies, and milestones of a project graphically. It helps to plan and monitor the schedule, but it does not show the actual cost or scope of the project [3].
Option D, critical path analysis, identifies the longest sequence of dependent tasks that must finish on time for the project to finish on schedule. It helps to optimize and control the schedule, but it does not account for the actual cost or scope of the project [4].
Reference:
[1] Earned Value Analysis & Management (EVA/EVM): Definition & Formulae
[2] Return on Investment (ROI) Formula
[3] What Is a Gantt Chart?
[4] Critical Path Method for Project Management
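The EVA figures above are easier to trust once worked through on numbers. The block below is an added example and not part of the page: the project figures are constructed, and the formulas are the standard ones the explanation names (CV, SV, CPI, SPI) plus the common estimate-at-completion forecast that assumes the cost efficiency seen so far continues.

```python
"""Earned value analysis worked through in code (added example, not from
the page). Project figures are constructed for illustration."""


def earned_value_analysis(pv, ev, ac, bac):
    """pv:  planned value, budgeted cost of the work scheduled to date
    ev:  earned value, budgeted cost of the work actually completed to date
    ac:  actual cost incurred for that completed work
    bac: budget at completion, the total planned spend for the project"""
    if pv <= 0 or ac <= 0 or bac <= 0:
        raise ValueError("pv, ac and bac must be positive")
    cv = ev - ac        # cost variance: negative means over budget
    sv = ev - pv        # schedule variance: negative means behind schedule
    cpi = ev / ac       # cost performance index: < 1 means each unit spent earns less than a unit of work
    spi = ev / pv       # schedule performance index: < 1 means work is earned slower than planned
    eac = bac / cpi     # estimate at completion if the current cost efficiency persists
    etc = eac - ac      # estimate to complete: what still has to be spent
    vac = bac - eac     # variance at completion: negative means a projected overrun
    return {"CV": cv, "SV": sv, "CPI": cpi, "SPI": spi,
            "EAC": eac, "ETC": etc, "VAC": vac}


def spending_alignment(metrics, tolerance=0.05):
    """Audit-style verdict on whether actual spending tracks the plan, using
    CPI within a tolerance band around 1.0 (band width is an assumption)."""
    cpi = metrics["CPI"]
    if cpi < 1 - tolerance:
        return "over budget"
    if cpi > 1 + tolerance:
        return "under budget"
    return "aligned"


# Constructed status report: month 6 of a 12-month project budgeted at 120,000.
SAMPLE = dict(pv=60_000, ev=48_000, ac=54_000, bac=120_000)

if __name__ == "__main__":
    m = earned_value_analysis(**SAMPLE)
    for name, value in m.items():
        print(f"{name:>4}: {value:>12,.2f}")
    print("verdict:", spending_alignment(m))
```

With the sample figures the project has earned 48,000 of work for 54,000 spent (CPI 0.89) and is behind schedule (SPI 0.80); if that cost efficiency holds, the 120,000 budget becomes a 135,000 final cost, which is the kind of variance an auditor would expect management to have noticed and explained.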
Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization?
- A . Readily available resources such as domains and risk and control methodologies
- B . Comprehensive coverage of fundamental and critical risk and control areas for IT governance
- C . Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies
- D . Wide acceptance by different business and support units with IT governance objectives
D
Explanation:
The greatest benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization is wide acceptance by different business and support units with IT governance objectives. An international IT governance framework, such as COBIT, provides a common language and understanding for IT governance among various stakeholders, such as management, users, auditors and regulators. This facilitates alignment, communication and collaboration among them. Readily available resources, comprehensive coverage and fewer resources expended are also benefits of adopting an international IT governance framework, but they are not the greatest benefit.
Reference: CISA Review Manual (Digital Version), Chapter 1, Section 1.3.1.
An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance.
This would MOST likely increase the risk of a successful attack by:
- A . phishing.
- B . denial of service (DoS)
- C . structured query language (SQL) injection
- D . buffer overflow
C
Explanation:
Moving validation controls from the server side into the browser would most likely increase the risk of a successful structured query language (SQL) injection attack. SQL injection exploits an application's database layer by supplying input that is interpreted as part of a SQL statement. Validation controls check and filter user input before it is used in a query; if they run only in the browser, an attacker can bypass or alter them (by disabling scripts, editing the page, or sending requests directly through an intercepting proxy) and deliver unfiltered input to the server, which then passes it to the database and may execute arbitrary SQL. Client-side validation is a usability aid only: the server must validate input again and use parameterized queries regardless of what the browser does.
Reference: CISA Review Manual, 27th Edition, page 361
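The bypass described above, as an added example that is not part of the page. The users table, its rows, both login queries and the attacker payload are all constructed; SQLite stands in for the application's database. An attacker who submits the HTTP request directly never runs the browser's JavaScript checks, so the server sees whatever was typed.

```python
"""Browser-only validation versus a server-side control (added example,
not from the page). All data and queries here are constructed."""
import re
import sqlite3


def setup_db():
    """In-memory table standing in for the application's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "hunter2")])
    return db


def login_trusting_browser(db, username, password):
    """Deliberately vulnerable: the server assumes the browser already
    validated the fields and splices them straight into the SQL text."""
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone()[0] > 0


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def server_side_valid(username):
    """The same allow-list check the browser might perform, repeated on the
    server where the attacker cannot switch it off."""
    return USERNAME_RE.match(username) is not None


def login_hardened(db, username, password):
    """Server-side validation plus a parameterized query: the driver sends
    the values separately from the statement text, so quote characters in
    the input are data, never SQL syntax."""
    if not server_side_valid(username):
        return False
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


# Payload sent in the raw request, bypassing the browser. The OR '1'='1'
# makes the WHERE clause always true and the trailing -- comments out the
# password comparison.
INJECTED_USERNAME = "alice' OR '1'='1' --"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, real credentials  :", login_trusting_browser(db, "alice", "correct-horse"))
    print("vulnerable, injected username :", login_trusting_browser(db, INJECTED_USERNAME, "wrong"))
    print("hardened, injected username   :", login_hardened(db, INJECTED_USERNAME, "wrong"))
    print("hardened, real credentials    :", login_hardened(db, "alice", "correct-horse"))
```

The vulnerable path authenticates the attacker with a wrong password; the hardened path rejects the same input twice over, first at the allow-list and then because the parameter is compared as a literal string. Parameterization alone would already defeat the injection; the repeated validation is defence in depth, and the browser-side copy exists only to give users faster feedback.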
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
- A . Restricting program functionality according to user security profiles
- B . Restricting access to update programs to accounts payable staff only
- C . Including the creator’s user ID as a field in every transaction record created
- D . Ensuring that audit trails exist for transactions
A
Explanation:
Segregation of duties (SoD) is a key internal control that aims to prevent fraud and errors by ensuring that no single individual can perform incompatible or conflicting tasks within a business process. SoD reduces the risk of unauthorized or improper transactions, manipulation of data, or misappropriation of assets.
In the accounts payable department, SoD involves separating the following functions: invoice processing, payment authorization, payment execution, and reconciliation. For example, the person who approves an invoice should not be the same person who issues the payment or reconciles the bank statement.
One of the best ways to ensure appropriate SoD within the accounts payable department is to restrict program functionality according to user security profiles. This means that each user of the accounts payable system should have a unique login and password, and should only have access to the functions that are relevant to their role and responsibilities. For instance, an invoice processor should not be able to approve payments or modify vendor records. This way, the system can enforce SoD and prevent unauthorized or fraudulent activities.
The other options are not as effective as restricting program functionality according to user security profiles. Restricting access to update programs to accounts payable staff only is a general access control measure, but it does not address the SoD issue within the accounts payable department. Including the creator’s user ID as a field in every transaction record created is a useful audit trail feature, but it does not prevent users from performing incompatible functions. Ensuring that audit trails exist for transactions is a detective control that can help identify and investigate any irregularities, but it does not prevent them from occurring in the first place.
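What "restricting program functionality according to user security profiles" looks like inside the AP system, as an added example that is not part of the page: the function names, roles, users and the incompatible-pairs matrix are constructed for illustration and follow the separation the explanation describes (invoice processing, payment authorization, payment execution, reconciliation, plus vendor maintenance).

```python
"""Segregation of duties enforced through user security profiles (added
example, not from the page). Roles, functions, users and the incompatible
pairs are constructed for illustration."""
from itertools import combinations

# Pairs of AP functions that one person must never hold together.
INCOMPATIBLE = {
    frozenset({"process_invoice", "authorize_payment"}),
    frozenset({"authorize_payment", "execute_payment"}),
    frozenset({"execute_payment", "reconcile"}),
    frozenset({"maintain_vendor", "process_invoice"}),
    frozenset({"maintain_vendor", "execute_payment"}),
}

# Security profiles: each grants only the functions its role needs.
PROFILES = {
    "ap_clerk":     {"process_invoice"},
    "ap_manager":   {"authorize_payment"},
    "treasury":     {"execute_payment"},
    "controller":   {"reconcile"},
    "vendor_admin": {"maintain_vendor"},
}


def functions_for(roles):
    """Union of the functions granted by a set of profiles."""
    return set().union(*(PROFILES[r] for r in roles))


def is_authorized(users, user, function):
    """The application checks every request against the caller's profile;
    anything outside it is refused, so a clerk cannot approve a payment."""
    return function in functions_for(users.get(user, set()))


def sod_conflicts(functions):
    """Incompatible pairs present in one person's effective functions."""
    return [(a, b) for a, b in combinations(sorted(functions), 2)
            if frozenset({a, b}) in INCOMPATIBLE]


def review_users(users):
    """Detective check an auditor could run over the user list: every user
    whose combined profiles violate the matrix, with the offending pairs."""
    report = {}
    for user, roles in users.items():
        conflicts = sod_conflicts(functions_for(roles))
        if conflicts:
            report[user] = conflicts
    return report


def assign_role(users, user, role):
    """Preventive control at provisioning time: refuse a grant that would
    give one user an incompatible pair of functions."""
    proposed = users.get(user, set()) | {role}
    if sod_conflicts(functions_for(proposed)):
        return False
    users.setdefault(user, set()).add(role)
    return True


# Constructed user list; yusuf holds two roles that clash.
USERS = {
    "uma":    {"ap_clerk"},
    "victor": {"ap_manager"},
    "wes":    {"treasury"},
    "xena":   {"controller"},
    "yusuf":  {"ap_manager", "treasury"},
}

if __name__ == "__main__":
    print("uma may process invoices :", is_authorized(USERS, "uma", "process_invoice"))
    print("uma may authorize payment:", is_authorized(USERS, "uma", "authorize_payment"))
    print("SoD violations           :", review_users(USERS))
    print("grant ap_manager to uma  :", assign_role(USERS, "uma", "ap_manager"))
```

The point of the design is that the system, not the supervisor, says no: the profile check is preventive, the matrix check at provisioning stops a violating combination from ever being granted, and the review function is the detective control the auditor can run independently. Audit trails (option D) would only show the clash after the fact.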
Which of the following poses the GREATEST risk to the use of active RFID tags?
- A . Session hijacking
- B . Eavesdropping
- C . Piggybacking
- D . Phishing attacks
Which of the following is the PRIMARY reason to perform a risk assessment?
- A . To determine the current risk profile
- B . To ensure alignment with the business impact analysis (BIA)
- C . To achieve compliance with regulatory requirements
- D . To help allocate budget for risk mitigation controls
A
Explanation:
The primary reason to perform a risk assessment is to determine the current risk profile of the organization, which is the level of risk exposure and the likelihood and impact of potential threats. This will help the organization to identify and prioritize the risks that need to be addressed and to align the risk management strategy with the business objectives. A risk assessment may also help to achieve compliance, support the BIA, and allocate budget, but these are not the primary reasons.
Reference: ISACA Glossary of Terms, section “risk assessment”
During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed, as management has decided to accept the risk.
Which of the following is the IS auditors BEST course of action?
- A . Require the auditee to address the recommendations in full.
- B . Update the audit program based on management’s acceptance of risk.
- C . Evaluate senior management’s acceptance of the risk.
- D . Adjust the annual risk assessment accordingly.
Which of the following controls BEST provides confidentiality and nonrepudiation for an online business looking for digital payment data security?
- A . Data Encryption Standard (DES)
- B . Advanced Encryption Standard (AES)
- C . Public Key Infrastructure (PKI)
- D . Virtual Private Network (VPN)
C
Explanation:
For online payment security, both confidentiality (protection of the data in transit and at rest) and nonrepudiation (the sender cannot later deny having made the transaction) are required.
Option A (incorrect): DES is outdated and insecure for modern use; its 56-bit key can be recovered by brute force, and it has been replaced by stronger algorithms.
Option B (incorrect): AES provides strong encryption (confidentiality) but, as a symmetric cipher, uses a key shared by both parties, so it cannot prove which party produced a message and does not provide nonrepudiation on its own.
Option C (correct): PKI is the best answer because it supports encryption for confidentiality and digital signatures for nonrepudiation; a signature made with a private key that only the signer holds both authenticates the signer and binds them to the transaction.
Option D (incorrect): A VPN secures network traffic between two endpoints but does not address nonrepudiation, which is critical in online payments.
Reference: ISACA CISA Review Manual, Domain 5: Protection of Information Assets (encryption, PKI, and secure payment processing).
Which of the following would be the BEST process for continuous auditing to a large financial Institution?
- A . Testing encryption standards on the disaster recovery system
- B . Validating access controls for real-time data systems
- C . Performing parallel testing between systems
- D . Validating performance of help desk metrics
B
Explanation:
The best process for continuous auditing for a large financial institution is validating access controls for real-time data systems. This is because access controls are critical for ensuring the confidentiality, integrity, and availability of the financial data that is processed and transmitted by the real-time data systems. Real-time data systems are systems that provide timely and accurate information to support decision-making and transactions in a dynamic and complex environment. Examples of real-time data systems in the financial sector include payment systems, trading platforms, risk management systems, and fraud detection systems. Continuous auditing of access controls can help detect and prevent unauthorized access, data leakage, data manipulation, or data loss that could compromise the security, reliability, or compliance of the real-time data systems.
Testing encryption standards on the disaster recovery system is not the best process for continuous auditing for a large financial institution. Encryption standards are important for protecting the data stored or transmitted by the disaster recovery system, which is a system that provides backup and recovery capabilities in case of a disruption or disaster. However, testing encryption standards is not a continuous process, but rather a periodic or event-driven process that can be performed as part of the disaster recovery plan testing or validation.
Performing parallel testing between systems is not the best process for continuous auditing for a large financial institution. Parallel testing is a process of comparing the results of two or more systems that perform the same function or task, such as a new system and an old system, or a primary system and a backup system. Parallel testing can help verify the accuracy, consistency, and compatibility of the systems. However, parallel testing is not a continuous process, but rather a temporary or transitional process that can be performed as part of the system implementation or migration.
Validating performance of help desk metrics is not the best process for continuous auditing for a large financial institution. Help desk metrics are indicators that measure the efficiency, effectiveness, and quality of the help desk service, which is a service that provides technical support and assistance to the users of information systems and technology. Help desk metrics can include metrics such as response time, resolution time, customer satisfaction, and service level agreement (SLA) compliance. Validating performance of help desk metrics can help evaluate and improve the help desk service. However, validating performance of help desk metrics is not a continuous auditing process, but rather a continuous monitoring process that can be performed by the help desk management or quality assurance team.
Reference:
All eyes on: Continuous auditing (KPMG Global)
Internal audit's role at financial institutions (PwC)
The Fed: Supervisory Policy and Guidance Topics, Large Banking ...
Continuous Audit: Definition, Steps, Advantages and Disadvantages
