Practice Free CISA Exam Online Questions
An IS auditor finds that irregularities have occurred and that auditee management has chosen to ignore them.
If reporting to external authorities is required, which of the following is the BEST action for the IS auditor to take?
- A . Submit the report to appropriate regulators immediately.
- B . Obtain approval from audit management to submit the report.
- C . Obtain approval from auditee management to release the report.
- D . Obtain approval from both audit and auditee management to release the report.
Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?
- A . Cross-site scripting (XSS)
- B . Copyright violations
- C . Social engineering
- D . Adverse posts about the organization
C
Explanation:
Social engineering is the manipulation of people to perform actions or divulge confidential information. It is a common technique used by attackers to gain unauthorized access to systems or data. Employees who use public social networking sites may be vulnerable to social engineering attacks, such as phishing, baiting, or pretexting, which pose the greatest risk to the organization’s security. The other options are not as serious as social engineering, as they relate to web application vulnerabilities, intellectual property rights, and reputation management, which are less likely to compromise the organization’s assets or operations.
Reference: CISA Review Manual (Digital Version), Domain 5: Protection of Information Assets, Section 5.3 Security Awareness Training
During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS).
Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?
- A . Sampling risk
- B . Detection risk
- C . Control risk
- D . Inherent risk
B
Explanation:
The type of risk associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration is detection risk. Detection risk is the risk that the auditor’s procedures will not detect a material misstatement or error that exists in an assertion or a control. Detection risk can be affected by factors such as the nature, timing, and extent of the audit procedures, the quality and sufficiency of the audit evidence, and the auditor’s professional judgment and competence. Detection risk can be reduced by applying appropriate audit techniques, such as sampling, testing, observation, inquiry, and analysis.
Reference: CISA Review Manual (Digital Version); CISA Questions, Answers & Explanations Database
The FIRST step in auditing a data communication system is to determine:
- A . traffic volumes and response-time criteria
- B . physical security for network equipment
- C . the level of redundancy in the various communication paths
- D . business use and types of messages to be transmitted
D
Explanation:
The first step in auditing a data communication system is to determine the business use and types of messages to be transmitted. This is because the auditor needs to understand the purpose, scope, and objectives of the data communication system, as well as the nature, volume, and sensitivity of the data being transmitted. This will help the auditor to identify the risks, controls, and audit criteria for the data communication system. Traffic volumes and response-time criteria, physical security for network equipment, and the level of redundancy in the various communication paths are important aspects of a data communication system, but they are not the first step in auditing it. They depend on the business use and types of messages to be transmitted, and they may vary according to different scenarios and requirements.
Reference: CISA Review Manual (Digital Version), [ISACA Auditing Standards]
Which of the following provides the MOST useful information for performing a business impact analysis (BIA)?
- A . Inventory of relevant business processes
- B . Policies for business procurement
- C . Documentation of application configurations
- D . Results of business resumption planning efforts
A
Explanation:
A business impact analysis (BIA) is a process that identifies and evaluates the potential effects of disruptions to critical business operations as a result of a disaster, accident or emergency. A BIA should include an inventory of relevant business processes that support the organization’s strategic objectives and are essential for its continuity. The inventory should also identify the dependencies, interdependencies, recovery priorities and time frames for each business process. Policies for business procurement, documentation of application configurations and results of business resumption planning efforts are not as useful as an inventory of relevant business processes for performing a BIA.
Reference: Business Impact Analysis (BIA) Definition; Business Impact Analysis (BIA) | ISACA
A programmer has made unauthorized changes to key fields in a payroll system report.
Which of the following control weaknesses would have contributed MOST to this problem?
- A . The programmer did not involve the user in testing
- B . The user requirements were not documented
- C . The programmer has access to the production programs
- D . Payroll files were not under the control of a librarian
C
Explanation:
The programmer having access to the production programs is a control weakness that would have contributed most to the problem of unauthorized changes to key fields in a payroll system report. This is because it violates the principle of segregation of duties, which requires that different individuals or groups perform different functions related to system development, testing, implementation, and operation. Allowing programmers to access production programs increases the risk of errors, fraud, or malicious actions that may compromise the integrity, availability, or confidentiality of the system or its data. The other options are not as significant as having access to production programs, as they relate to other aspects of system development or maintenance, such as user involvement in testing (which affects user satisfaction and acceptance), user requirements documentation (which affects system functionality and quality), and payroll files control (which affects data security and accuracy).
Reference: CISA Review Manual (Digital Version), Domain 3: Information Systems Acquisition, Development and Implementation, Section 3.2 Project Management Practices
During a pre-implementation review, an IS auditor notes that some scenarios have not been tested. Management has indicated that the project is critical and cannot be postponed.
Which of the following is the auditor’s BEST course of action?
- A . Determine whether the tested scenarios covered the most significant project risks.
- B . Help management complete remaining scenario testing before implementation.
- C . Recommend project implementation be postponed until all scenarios have been tested.
- D . Perform remaining scenario testing in the production environment post implementation.
An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.
What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?
- A . Financial regulations affecting the organization
- B . Data center physical access controls where the application is hosted
- C . Privacy regulations affecting the organization
- D . Per-unit cost charged by the hosting services provider for storage
C
Explanation:
The privacy regulations affecting the organization are the most important consideration. Privacy regulations are laws or rules that protect the personal information of individuals from unauthorized access, use, disclosure, or transfer by third parties. Payroll audit documentation may contain sensitive and confidential data, such as employee names, salaries, benefits, taxes, deductions, and bank account details. If the audit management application is hosted by a third party in a different country, the organization may need to comply with the privacy regulations of both its own country and the host country, as well as any international or regional agreements or frameworks that apply. Privacy regulations may impose various requirements and obligations on the organization, such as obtaining consent from the data subjects, implementing appropriate security measures, notifying data breaches, and ensuring data quality and accuracy. Privacy regulations may also grant various rights to the data subjects, such as accessing, correcting, deleting, or transferring their data. Failing to comply with privacy regulations may expose the organization to significant risks and consequences, such as legal actions, fines, sanctions, reputational damage, or loss of trust.
Some examples of privacy regulations affecting the organization are:
- The General Data Protection Regulation (GDPR), a comprehensive and strict privacy regulation that applies to any organization that processes personal data of individuals in the European Union (EU) or offers goods or services to them, regardless of where the organization or the data is located.
- The California Consumer Privacy Act (CCPA), a broad and influential privacy regulation that applies to any organization that collects personal information of California residents and meets certain thresholds of revenue, data volume, or data sharing.
- The Health Insurance Portability and Accountability Act (HIPAA), a sector-specific privacy regulation that applies to any organization that handles protected health information (PHI) of individuals in the United States, such as health care providers, health plans, or health care clearinghouses.
Therefore, before using an audit management application hosted by a third party in a different country, the internal audit team should conduct a thorough assessment of the privacy regulations affecting the organization and ensure that they have adequate policies, procedures, and controls in place to comply with them.
Which of the following BEST helps data loss prevention (DLP) tools detect movement of sensitive data in transit?
- A . Network traffic logs
- B . Deep packet inspection
- C . Data inventory
- D . Proprietary encryption
B
Explanation:
Deep packet inspection (DPI) is a core capability of data loss prevention (DLP) tools that allows the analysis of the content of data packets in transit. This helps detect the unauthorized movement of sensitive data by examining packet-level details.
- Network traffic logs (Option A): These provide historical data but do not actively detect data in transit.
- Data inventory (Option C): Useful for identifying where sensitive data resides but not for monitoring its movement.
- Proprietary encryption (Option D): Protects data but does not detect unauthorized transmission.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.
Which of the following would BEST indicate the effectiveness of a security awareness training program?
- A . Results of third-party social engineering tests
- B . Employee satisfaction with training
- C . Increased number of employees completing training
- D . Reduced unintentional violations
D
Explanation:
The effectiveness of a security awareness training program is best indicated by a reduction in unintentional violations. When employees are well-trained and aware of security practices, they are less likely to inadvertently violate security policies or make mistakes that could lead to breaches. While other factors (such as third-party social engineering tests, employee satisfaction, and completion rates) provide valuable insights, the ultimate goal of security awareness training is to minimize unintentional errors and improve overall security posture [1][2].
Reference: [1] https://www.isaca.org/resources/isaca-journal/issues/2023/volume-2/considerations-for-developing-cybersecurity-awareness-training [2] https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2023/security-awareness-training-a-critical-success-factor-for-organizations
