Practice Free CISA Exam Online Questions
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available.
What should the auditor recommend be done FIRST?
- A . Implement a new system that can be patched.
- B . Implement additional firewalls to protect the system.
- C . Decommission the server.
- D . Evaluate the associated risk.
D
Explanation:
The first step in addressing a vulnerability is to evaluate the associated risk, which involves assessing the likelihood and impact of a potential exploit. Based on the risk assessment, the appropriate mitigation strategy can be determined, such as implementing a new system, adding firewalls, or decommissioning the server.
Reference: ISACA CISA Review Manual 27th Edition, page 280
An IS auditor observes that a business-critical application does not currently have any level of fault tolerance.
Which of the following is the GREATEST concern with this situation?
- A . Degradation of services
- B . Limited tolerance for damage
- C . Decreased mean time between failures (MTBF)
- D . Single point of failure
D
Explanation:
The greatest concern with this situation is that a business-critical application does not currently have any level of fault tolerance and thus has a single point of failure. A single point of failure is a component or element of a system that, if it fails, will cause the entire system to stop functioning. Fault tolerance is the ability of a system to continue operating without interruption or degradation in the event of a failure of one or more of its components or elements. Fault tolerance can be achieved by using techniques such as redundancy, replication, backup, or failover. A business-critical application should have a high level of fault tolerance to ensure its availability, reliability, and continuity.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.51 CISA Online Review Course, Domain 3, Module 3, Lesson 22
An IS auditor is tasked to review an organization’s plan-do-check-act (PDCA) method for improving IT-related processes and wants to determine the accuracy of defined targets to be achieved.
Which of the following steps in the PDCA process should the auditor PRIMARILY focus on in this situation?
- A . Check
- B . Plan
- C . Do
- D . Act
B
Explanation:
In the PDCA cycle, the "Plan" phase is where targets and objectives are defined. Focusing on this phase allows the auditor to evaluate the accuracy and appropriateness of the defined targets before they are implemented and measured in subsequent phases.
Reference: ISACA CISA Review Manual 27th Edition, Pages 315-316 (PDCA Cycle)
An IS auditor has learned that access privileges are not periodically reviewed or updated.
Which of the following would provide the BEST evidence to determine whether transactions have been executed by authorized employees?
- A . Audit trails
- B . Control totals
- C . Reconciliations
- D . Change logs
A
Explanation:
The best evidence to determine whether transactions have been executed by authorized employees is audit trails. Audit trails are secure records that catalog events or procedures to provide support documentation. They are used to authenticate security and operational actions, mitigate challenges, or provide proof of compliance and operational integrity.
Audit trails can track and trace the following information related to transactions:
- Who initiated, approved, modified, or deleted a transaction
- When a transaction occurred (date and time)
- Where a transaction took place (location or device)
- What type of transaction was performed (action or operation)
- Why a transaction was executed (purpose or reason)
By analyzing audit trails, an IS auditor can verify whether transactions have been executed by authorized employees or not. Audit trails can also identify any unauthorized, fraudulent, or erroneous transactions that may have occurred, and they can help to resolve any disputes or discrepancies that may arise from transactions.
Reference: What Is an Audit Trail? Everything You Need to Know
Which of the following provides the BEST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?
- A . Enabling remote data destruction capabilities
- B . Implementing mobile device management (MDM)
- C . Disabling unnecessary network connectivity options
- D . Requiring security awareness training for mobile users
B
Explanation:
The best method for maintaining the security of corporate applications pushed to employee-owned mobile devices is implementing mobile device management (MDM). MDM is a software solution that allows an organization to remotely manage, configure, and secure the mobile devices that access its network and data. MDM can help protect corporate applications on employee-owned devices by:
- Enforcing security policies and settings, such as encryption, password, firewall, antivirus, and VPN.
- Controlling the installation, update, and removal of corporate applications and data.
- Separating corporate and personal data and applications on the device using containers or profiles.
- Monitoring and auditing the device’s compliance status, activity, and location.
- Performing remote actions, such as lock, wipe, backup, or restore, in case of loss, theft, or compromise.
MDM can provide a comprehensive and centralized approach to maintain the security of corporate applications on employee-owned devices, regardless of the device type, platform, or ownership. MDM can also help the organization comply with regulatory and industry standards for data protection and privacy.
Enabling remote data destruction capabilities is a useful feature for maintaining the security of corporate applications on employee-owned devices, but it is not the best method by itself. Remote data destruction allows the organization to erase the corporate data and applications from the device in case of loss, theft, or compromise. However, this feature does not prevent unauthorized access or misuse of the corporate data and applications before they are destroyed. Remote data destruction is usually part of an MDM solution.
Disabling unnecessary network connectivity options is a good practice for maintaining the security of corporate applications on employee-owned devices, but it is not the best method by itself. Network connectivity options, such as Wi-Fi, Bluetooth, NFC, or USB, can expose the device to potential attacks or data leakage. Disabling these options when they are not needed can reduce the attack surface and improve battery life. However, this practice does not address other security risks or requirements for the corporate applications on the device. Disabling network connectivity options can also be part of an MDM solution.
Requiring security awareness training for mobile users is an important measure for maintaining the security of corporate applications on employee-owned devices, but it is not the best method by itself. Security awareness training can educate the users about the potential threats and best practices for using their devices securely. It can also help foster a culture of security and responsibility among the users. However, security awareness training cannot guarantee that the users will follow the security policies and guidelines consistently and correctly. Security awareness training should be complemented by technical controls, such as MDM.
Reference: Protecting Corporate Data on Mobile Devices for All Companies; Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)
Which of the following is the BEST way to prevent social engineering incidents?
- A . Maintain an onboarding and annual security awareness program.
- B . Ensure user workstations are running the most recent version of antivirus software.
- C . Include security responsibilities in job descriptions and require signed acknowledgment.
- D . Enforce strict email security gateway controls
A
Explanation:
Maintaining an onboarding and annual security awareness program is the best way to prevent social engineering incidents because it can educate the users about the common techniques and tactics used by social engineers and how to avoid falling victim to them. Ensuring user workstations are running the most recent version of antivirus software, including security responsibilities in job descriptions and requiring signed acknowledgment, and enforcing strict email security gateway controls are all good security practices, but they do not directly address the human factor that is exploited by social engineering.
Reference: ISACA, CISA Review Manual, 27th Edition, 2020, p. 367; ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
An IS auditor is asked to provide feedback on the systems options analysis for a new project. The BEST course of action for the IS auditor would be to:
- A . Identify the best alternative.
- B . Retain comments as findings for the audit report.
- C . Comment on the criteria used to assess the alternatives.
- D . Request at least one other alternative.
C
Explanation:
The IS auditor should remain independent and objective. The best way to provide value without interfering in management decisions is to review and comment on the criteria used for evaluating alternatives, ensuring they are complete, relevant, and aligned with business needs.
Option A: Identifying the “best” option compromises independence.
Option B: Deferring to the audit report misses the chance to add timely value.
Option C: Correct. Commenting on the criteria ensures appropriate evaluation without biasing the decision.
Option D: Requesting another alternative intrudes on management’s role.
Reference: ISACA CISA Review Manual 27th Edition, Domain 3, section on the auditor’s role in system development projects.
Which of the following BEST helps to ensure data integrity across system interfaces?
- A . Environment segregation
- B . Reconciliation
- C . System backups
- D . Access controls
B
Explanation:
The best way to ensure data integrity across system interfaces is to perform reconciliation. Reconciliation is the process of comparing and verifying the data from different sources or systems to ensure that they are consistent, accurate, and complete. Reconciliation can help to identify and resolve any discrepancies, errors, or anomalies in the data that could affect the quality, reliability, or validity of the information. Reconciliation can also help to detect and prevent any unauthorized or fraudulent data manipulation or modification.
Reference: CISA Review Manual (Digital Version); CISA Questions, Answers & Explanations Database
The IS quality assurance (QA) group is responsible for:
- A . ensuring that program changes adhere to established standards.
- B . designing procedures to protect data against accidental disclosure.
- C . ensuring that the output received from system processing is complete.
- D . monitoring the execution of computer processing tasks.
A
Explanation:
The IS quality assurance (QA) group is responsible for ensuring that program changes adhere to established standards. Program changes are modifications made to software applications or systems to fix errors, improve performance, add functionality, or meet changing requirements. Program changes should follow established standards for documentation, authorization, testing, implementation, and review. The IS QA group is responsible for verifying that program changes comply with these standards and meet the expected quality criteria. Designing procedures to protect data against accidental disclosure, ensuring that the output received from system processing is complete, and monitoring the execution of computer processing tasks are not responsibilities of the IS QA group.
Reference: [ISACA CISA Review Manual 27th Edition], page 304.
The PRIMARY purpose of requiring source code escrow in a contractual agreement is to:
- A . comply with vendor management policy.
- B . convert source code to new executable code.
- C . satisfy regulatory requirements.
- D . ensure the source code is available.
D
Explanation:
The primary purpose of requiring source code escrow in a contractual agreement is to ensure the source code is available. Source code escrow is a service that involves depositing the source code of a software or system with a third-party agent or escrow provider, who can release it to a designated beneficiary under specific conditions, such as bankruptcy, termination, or breach of contract by the software vendor or developer. Source code escrow can help to protect the interests and rights of the software user or licensee, who may need access to the source code for maintenance, modification, enhancement, or troubleshooting purposes. The IS auditor should verify that the contractual agreement specifies the terms and conditions for source code escrow, such as the escrow agent, the escrow fees, the deposit frequency and format, the release events and procedures, and the verification and audit requirements.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.2.2
