Practice Free CISA Exam Online Questions
In a data center audit, an IS auditor finds that the humidity level is very low.
The IS auditor would be MOST concerned because of an expected increase in:
- A . risk of fire.
- B . backup tape failures.
- C . static electricity problems.
- D . employee discomfort.
Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
- A . Audit cycle defined in the audit plan
- B . Complexity of management’s action plans
- C . Recommendation from executive management
- D . Residual risk from the findings of previous audits
D
Explanation:
Residual risk from the findings of previous audits should be the primary basis for prioritizing follow-up audits, because it reflects the level of exposure and potential impact that remains after management has implemented corrective actions or accepted the risk. Follow-up audits should focus on verifying whether the residual risk is within acceptable levels and whether the corrective actions are effective and sustainable. Audit cycle defined in the audit plan, complexity of management’s action plans, and recommendation from executive management are not valid criteria for prioritizing follow-up audits, because they do not consider the residual risk from previous audits.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.4.3
An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another.
Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
- A . Preserving the same data classifications
- B . Preserving the same data inputs
- C . Preserving the same data structure
- D . Preserving the same data interfaces
C
Explanation:
The most helpful way to ensure the integrity of the system throughout the change when moving from one database management system (DBMS) to another is preserving the same data structure. A DBMS is a software system that manages and manipulates data stored in a database (creating, updating, querying, deleting, etc.). A database is a collection of structured or organized data that can be accessed or manipulated by a DBMS. A data structure is the way data is organized or arranged in a database, such as tables, columns, rows, keys and indexes. Preserving the same data structure when moving from one DBMS to another helps ensure the integrity of the system throughout the change by maintaining the consistency and accuracy of the data and avoiding the errors or issues that arise from incompatible or inconsistent data structures between different DBMSs.
Preserving the same data classifications is a possible way to ensure the integrity of the system throughout the change, but it is not the most helpful one. Data classifications are categories or labels that define the level of sensitivity or importance of data in a database, such as public, confidential or secret. They help protect the security and privacy of data by applying appropriate controls or restrictions on access or use according to the classification. Preserving the same data classifications when moving from one DBMS to another helps prevent unauthorized or inappropriate access to or use of the data. However, this is not directly related to the DBMS change, as it applies to any data migration or transfer process.
Preserving the same data inputs is also a possible way to ensure the integrity of the system throughout the change, but it is not the most helpful one. Data inputs are the sources or methods that provide data to a database, such as user input, sensors or files. Data inputs affect the quality and validity of data in the database by introducing errors or inconsistencies during data entry or collection. Preserving the same data inputs when moving from one DBMS to another helps ensure the integrity of the system by reducing errors or inconsistencies in data input or collection.
An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner.
Which of the following is the auditor’s BEST recommendation?
- A . Increase the capacity of existing systems.
- B . Upgrade hardware to newer technology.
- C . Hire temporary contract workers for the IT function.
- D . Build a virtual environment.
D
Explanation:
The best recommendation for an organization that is unable to add new servers on demand in a cost-efficient manner is to build a virtual environment. A virtual environment is a technology that allows multiple virtual machines to run on a single physical server, sharing its resources and capabilities. A virtual environment can help the organization add new servers on demand in a cost-efficient manner by reducing the need for hardware acquisition, maintenance, and power consumption. The other options are not as effective as building a virtual environment, as they do not address the root cause of the problem or provide the same benefits. Increasing the capacity of existing systems is a short-term solution that can help improve the performance and availability of the current servers, but it does not enable the organization to add new servers on demand in a cost-efficient manner. Upgrading hardware to newer technology is a costly solution that can help enhance the functionality and reliability of the servers, but it does not enable the organization to add new servers on demand in a cost-efficient manner. Hiring temporary contract workers for the IT function is an irrelevant solution that can help supplement the IT staff’s skills and knowledge, but it does not enable the organization to add new servers on demand in a cost-efficient manner.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.3.1
Which of the following is an IS auditor’s BEST approach when low-risk anomalies have been identified?
- A . Reprioritize further testing of the anomalies and refocus on issues with higher risk
- B . Update the audit plan to include the information collected during the audit
- C . Ask auditees to promptly remediate the anomalies
- D . Document the anomalies in audit workpapers
D
Explanation:
Documenting anomalies in audit workpapers (D) is the best approach because it ensures traceability, supports findings in the audit report, and allows for future reference if similar issues arise. Even if an anomaly is low-risk, proper documentation is a fundamental audit practice.
Other options:
- Reprioritizing testing (A) is a valid audit approach but does not address documentation needs.
- Updating the audit plan (B) may be necessary but does not replace documentation.
- Prompt remediation (C) is an operational concern but is not always the auditor’s primary role.
Reference: ISACA CISA Review Manual, Audit Process
Which of the following should be of MOST concern to an IS auditor when reviewing an intrusion detection system (IDS)?
- A . High false-positive rate
- B . Delay in signature updates
- C . High false-negative rate
- D . Decrease in processing speed
An IS auditor is reviewing the perimeter security design of a network.
Which of the following provides the GREATEST assurance outgoing Internet traffic is controlled?
- A . Intrusion detection system (IDS)
- B . Security information and event management (SIEM) system
- C . Stateful firewall
- D . Load balancer
C
Explanation:
A stateful firewall provides the greatest assurance that outgoing Internet traffic is controlled, as it monitors and filters packets based on their source, destination and connection state. A stateful firewall can prevent unauthorized or malicious traffic from leaving the network, as well as block incoming traffic that does not match an established connection. An intrusion detection system (IDS) can detect and alert on suspicious or anomalous traffic, but it does not block or control it. A security information and event management (SIEM) system can collect and analyze logs and events from various sources, but it does not directly control traffic. A load balancer can distribute traffic among multiple servers, but it does not filter or monitor it.
Reference: CISA Review Manual (Digital Version), Chapter 6, Section 6.2
What would be an IS auditor’s BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?
- A . Ensure the open issues are retained in the audit results.
- B . Terminate the follow-up because open issues are not resolved.
- C . Recommend compensating controls for open issues.
- D . Evaluate the residual risk due to open issues.
D
Explanation:
The best course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit is to evaluate the residual risk due to open issues. Residual risk is the risk that remains after the implementation of controls or mitigating actions. Evaluating the residual risk due to open issues can help the IS auditor assess the impact and likelihood of the potential threats and vulnerabilities that have not been addressed by the auditee, as well as the adequacy and effectiveness of the existing controls or mitigating actions. Evaluating the residual risk due to open issues can also help the IS auditor prioritize and communicate the open issues to the auditee and other stakeholders, such as senior management or audit committee, and recommend appropriate actions or escalation procedures.
Ensuring the open issues are retained in the audit results is a course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit, but it is not the best one. Ensuring the open issues are retained in the audit results can help the IS auditor document and report the status and progress of the audit recommendations, as well as provide a basis for future follow-up audits. However, ensuring the open issues are retained in the audit results does not provide an analysis or evaluation of the residual risk due to open issues, which is more important for informing decision-making and action-taking.
Terminating the follow-up because open issues are not resolved is not a course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit, but rather a consequence or outcome of it. Terminating the follow-up because open issues are not resolved may indicate that the auditee has failed to comply with the agreed-upon actions or deadlines, or that the IS auditor has encountered significant obstacles or resistance from the auditee. Terminating the follow-up because open issues are not resolved may also trigger further actions or sanctions from the IS auditor or other authorities, such as issuing a qualified or adverse opinion, withholding certification, or imposing penalties.
Recommending compensating controls for open issues is not a course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit, but rather a possible outcome or result of it. Compensating controls are alternative or additional controls that are implemented to reduce or eliminate the risk associated with a weakness or deficiency in another control. Recommending compensating controls for open issues may be appropriate when the auditee is unable to implement the original audit recommendations due to technical, operational, financial, or other constraints, and when the compensating controls can provide a similar or equivalent level of assurance. However, recommending compensating controls for open issues requires a prior evaluation of the residual risk due to open issues, which is more important for determining whether compensating controls are necessary and feasible.
Reference: Follow-up Audits – Canadian Audit and Accountability Foundation; Conducting The Audit Follow-Up: When To Verify – The Auditor; Internal Audit Follow Ups: Are They Really Worth The Effort
Which of the following is MOST important to include in forensic data collection and preservation procedures?
- A . Assuring the physical security of devices
- B . Preserving data integrity
- C . Maintaining chain of custody
- D . Determining tools to be used
B
Explanation:
The most important thing to include in forensic data collection and preservation procedures is preserving data integrity. Data integrity is the property that ensures that data is accurate, complete, and consistent throughout its lifecycle. Preserving data integrity is essential for forensic data collection and preservation procedures because it ensures that the data can be used as valid and reliable evidence in legal proceedings or investigations. Preserving data integrity can be achieved by using methods such as hashing, checksums, digital signatures, write blockers, tamper-evident seals, or timestamps. The other options are not as important as preserving data integrity in forensic data collection and preservation procedures, as they do not affect the validity or reliability of the data. Assuring the physical security of devices is a security measure that protects devices from unauthorized access, theft, damage, or destruction, but it does not ensure that the data on the devices is accurate, complete, and consistent. Maintaining chain of custody is a documentation technique that records and tracks the handling and transfer of devices or data among different parties involved in forensic activities, but it does not ensure that the data on the devices is accurate, complete, and consistent. Determining tools to be used is a planning activity that selects and prepares the appropriate tools for forensic data collection and preservation procedures, but it does not ensure that the data collected and preserved by the tools is accurate, complete, and consistent.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.4
Which of the following MOST effectively reduces the risk of emails containing personally identifiable information (PII) being sent to unauthorized recipients?
- A . Multi-factor authentication (MFA)
- B . Intrusion detection system (IDS)
- C . Email audit trails
- D . Regular security awareness training
D
Explanation:
The greatest risk is unintentional human error, such as misaddressing an email. Security awareness training equips users to recognize PII and verify recipients. MFA protects account access but not outbound emails. IDS detects network threats, not email content. Audit trails only provide after-the-fact evidence.
Reference (ISACA): COBIT® DSS05 (security awareness and user controls).