Practice Free CISA Exam Online Questions
In a Zero Trust architecture, which element is MOST important for an IS auditor to evaluate to ensure that resources are accessed securely?
- A . The strength and frequency of perimeter firewall testing
- B . The alignment of access control policies with industry standards
- C . The frequency of user access reviews
- D . The protocols in place for remote access and data encryption
B
Explanation:
In Zero Trust architecture (ZTA), the principle is “never trust, always verify.” The most important aspect for an IS auditor to evaluate is whether access control policies are properly designed, aligned with industry standards, and consistently enforced. These policies define how identities, devices, and contexts are authenticated and authorized before gaining access.
Option A: Perimeter firewalls are less relevant in Zero Trust, which minimizes reliance on network boundaries.
Option C: Access reviews are important but are periodic, not continuous enforcement.
Option D: Secure remote protocols are necessary but part of broader access policy enforcement.
Option B: Correct ― policies are the foundation of Zero Trust security.
Reference: ISACA’s “Zero Trust and Audit Considerations” guidance; CISA Review Manual 27th Edition, Domain 5, section on identity, access, and authentication controls.
An organization has replaced its call center with AI chatbots that autonomously learn new responses through internet queries and customer conversation history.
Which of the following would an IS auditor tasked with verifying IT controls consider to be the GREATEST risk?
- A . The model may not result in expected efficiencies.
- B . The model’s operations may be difficult for the IT team to document.
- C . The model may not generate accurate responses due to overfitting.
- D . It may be difficult to audit the model due to the lack of a suitable framework.
During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report.
Which of the following is the auditor’s BEST course of action?
- A . Request that the IT manager be removed from the remaining meetings and future audits.
- B . Modify the finding to include the IT manager’s comments and inform the audit manager of the changes.
- C . Remove the finding from the report and continue presenting the remaining findings.
- D . Provide the evidence which supports the finding and keep the finding in the report.
When classifying information, it is MOST important to align the classification to:
- A . business risk
- B . security policy
- C . data retention requirements
- D . industry standards
A
Explanation:
When classifying information, it is most important to align the classification to business risk, because this ensures that the information is protected according to its value to, and its impact on, the organization [3][4]. Business risk considers factors such as the legal, regulatory, contractual, operational, reputational, and financial implications of information disclosure or compromise [3][4]. Aligning information classification to business risk also helps to prioritize and allocate resources for information security measures. Security policy, data retention requirements, and industry standards are important considerations for information classification, but not as important as business risk.
Reference: [3] CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2; [4] CISA Online Review Course, Module 5, Lesson 4
Which of the following is the BEST reason to implement a data retention policy?
- A . To establish a recovery point objective (RPO) for disaster recovery procedures
- B . To limit the liability associated with storing and protecting information
- C . To document business objectives for processing data within the organization
- D . To assign responsibility and ownership for data protection outside IT
B
Explanation:
The best reason to implement a data retention policy is to limit the liability associated with storing and protecting information. A data retention policy is a business’ established protocol for maintaining information, typically defining what data needs to be retained, the format in which it should be kept, how long it should be stored for, whether it should eventually be archived or deleted, who has the authority to dispose of it, and what procedure to follow in the event of a policy violation [1].
A data retention policy can help an organization to:
- Comply with legal and regulatory requirements that mandate the retention and disposal of certain types of data, such as financial records, health records, or personal data
- Reduce the risk of data breaches, theft, loss, or corruption by minimizing the amount of data stored and ensuring proper security measures are in place
- Save costs and resources by optimizing the use of storage space and reducing the need for backup and recovery operations
- Enhance operational efficiency and performance by eliminating unnecessary or outdated data and improving data quality and accessibility
- Support business continuity and disaster recovery plans by ensuring critical data is available and recoverable in case of an emergency
- Facilitate audit trails and investigations by providing evidence of data authenticity, integrity, and provenance
Therefore, by implementing a data retention policy, an organization can limit its liability associated with storing and protecting information, as well as improve its data governance and management practices.
Reference: [1] Data Retention Policy 101: Best Practices, Examples & More
The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:
- A . payment processing.
- B . payroll processing.
- C . procurement.
- D . product registration.
A
Explanation:
Segregation of duties is a key internal control that aims to prevent fraud and errors by ensuring that no single individual has the authority to execute two or more conflicting sensitive transactions or functions. In the accounts payable vendor payment cycle, segregation of duties involves separating the tasks of vendor setup, procurement, invoice approval, and payment processing [1]. This way, an employee cannot create a fictitious vendor and issue a payment to themselves or their accomplices without being detected by another person. Therefore, the best way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and payment processing.
Reference: [1] Segregation of Duties in the Accounts Payable Vendor Payment Cycle for SMBs – Now With a Podcast! – Debra R Richardson; What is Separation of Duties – University of California, Berkeley
An IS auditor discovers that due to resource constraints a database administrator (DBA) is responsible for developing and executing changes into the production environment.
Which of the following should the auditor do FIRST?
- A . Determine whether another DBA could make the changes
- B . Report a potential segregation of duties violation
- C . Identify whether any compensating controls exist
- D . Ensure a change management process is followed prior to implementation
C
Explanation:
A database administrator (DBA) is responsible for maintaining the integrity, security and performance of the database systems. A DBA who is also responsible for developing and executing changes into the production environment may have a conflict of interest and pose a risk to the data quality and availability. Therefore, the IS auditor should first identify whether any compensating controls exist to mitigate this risk, such as independent reviews, approvals, audits or monitoring of the changes. Determining whether another DBA could make the changes, reporting a potential segregation of duties violation and ensuring a change management process is followed prior to implementation are possible actions that the auditor could take after identifying the compensating controls or the lack thereof.
Reference: Database Administrator (DBA) Definition; Segregation of Duties | ISACA; Compensating Control Definition
Which of the following demonstrates the use of data analytics for a loan origination process?
- A . Evaluating whether loan records are included in the batch file and are validated by the servicing system
- B . Comparing a population of loans input in the origination system to loans booked on the servicing system
- C . Validating whether reconciliations between the two systems are performed and discrepancies are investigated
- D . Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure
B
Explanation:
Data analytics can be used to compare data from different sources and identify any discrepancies or anomalies. In this case, comparing the population of loans input in the origination system to the loans booked on the servicing system can help detect errors or fraud in the loan origination process. The other options are not examples of data analytics, but rather controls for data integrity, reconciliation, and error handling.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.3.2
Which of the following presents the GREATEST risk to an organization’s ability to manage quality control (QC) processes?
- A . Lack of segregation of duties
- B . Lack of a dedicated QC function
- C . Lack of policies and procedures
- D . Lack of formal training and attestation
C
Explanation:
The greatest risk to an organization’s ability to manage QC processes is the lack of policies and procedures that define the QC objectives, standards, methods, roles, and responsibilities. Without policies and procedures, the QC processes may be inconsistent, ineffective, inefficient, or noncompliant with the relevant regulations and best practices. Policies and procedures provide the foundation and guidance for the QC processes and help to ensure their quality, reliability, and accountability.
Reference: ISACA CISA Review Manual, 27th Edition, page 253; Quality Control – an overview | ScienceDirect Topics; Quality Control: Meaning, Importance, Definition and Objectives
