Practice Free CISA Exam Online Questions
Which of the following would be an auditor’s GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?
- A . Undocumented code formats data and transmits directly to the database.
- B . There is not a complete inventory of spreadsheets, and file naming is inconsistent.
- C . The department data protection policy has not been reviewed or updated for two years.
- D . Spreadsheets are accessible by all members of the finance department.
A
Explanation:
The auditor’s greatest concern would be undocumented code that formats spreadsheet data and writes it directly to the finance database. Code that nobody has documented cannot be reviewed for correctness, so it can silently introduce errors and inconsistencies into the data; writing straight to the database also bypasses the application layer, so the input validation, authorization checks and audit trail that the core finance system would normally apply to those records never run. Without documentation it is also difficult to verify the accuracy, completeness and validity of the inputs and outputs, or to trace where the data came from and where it went. Finally, the arrangement can breach segregation of duties: the person who wrote the code may also be the one who controls the data and holds access to the database.
The other options carry some risk but are less serious. An incomplete inventory of spreadsheets and inconsistent file naming make the relevant spreadsheets harder to find, but do not by themselves affect the quality or integrity of the data. A data protection policy that has not been reviewed for two years may indicate weak awareness of or compliance with current requirements, but does not imply that the inputs are compromised or inaccurate. Spreadsheets accessible to the whole finance department increase the risk of unauthorized or accidental changes, but this can be mitigated with access controls, password protection and audit trails.
Reference:
ISACA, CISA Review Manual, 27th Edition, 2019, p. 226
Five Common Spreadsheet Risks and Ways to Control Them
GREATEST Concerns When Reviewing Data Inputs from Spreadsheets
An organization has developed mature risk management practices that are followed across all departments.
What is the MOST effective way for the audit team to leverage this risk management maturity?
- A . Implementing risk responses on management’s behalf
- B . Integrating the risk register for audit planning purposes
- C . Providing assurances to management regarding risk
- D . Facilitating audit risk identification and evaluation workshops
B
Explanation:
The most effective way for the audit team to leverage the risk management maturity of the organization is to integrate the risk register for audit planning purposes. The risk register is a document that records the identified risks, their likelihood, impact, and mitigation strategies for a project or an organization. By using the risk register, the audit team can align their audit objectives, scope, and procedures with the organization’s risk profile and priorities. This will help the audit team to provide more value-added and relevant assurance and recommendations to the management and stakeholders.
Reference:
Audit Maturity And Risk Management | Ideagen
Building a Mature Enterprise Risk Management Plan | AuditBoard
CISA Certified Information Systems Auditor – Question 0551
In the case of a disaster where the data center is no longer available, which of the following tasks should be done FIRST?
- A . Perform data recovery.
- B . Arrange for a secondary site.
- C . Analyze risk.
- D . Activate the call tree.
D
Explanation:
In the event of a disaster where the data center is no longer available, the first step is to activate the call tree. A call tree is a layered, hierarchical notification model used to inform specific individuals of an event and to assemble the people who will coordinate recovery. Until it has run, nobody is in a position to execute their part of the disaster recovery plan; arranging the secondary site and recovering data follow once the recovery team has been mobilized, and risk analysis belongs to the planning stage rather than to the response itself.
Reference: IT Disaster Recovery Plan | Ready.gov
Which of the following should be done FIRST to minimize the risk of unstructured data?
- A . Identify repositories of unstructured data.
- B . Purchase tools to analyze unstructured data.
- C . Implement strong encryption for unstructured data.
- D . Implement user access controls to unstructured data.
A
Explanation:
Unstructured data is data that does not have a predefined model or organization, making it difficult to store, process, and analyze using traditional relational databases or spreadsheets. Unstructured data can pose a risk to an organization if it contains sensitive, confidential, or regulated information that is not properly secured, managed, or governed. To minimize the risk of unstructured data, the first step is to identify the repositories of unstructured data, such as file servers, cloud storage, email systems, social media platforms, etc. This will help to understand the scope, volume, and nature of unstructured data in the organization, and to prioritize the areas that need further analysis and action.
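The first step described above is discovery: knowing where unstructured data lives and roughly what it contains before deciding what to protect. The following is an added example, not code from the original page, of a small inventory script that walks a file tree, groups files by repository (directory), records volume and file kinds, and flags content that looks sensitive (card numbers that pass a Luhn check, email addresses) so that repositories can be prioritised for follow-up. The file-type mapping, the regular expressions and the sample tree it builds under a temporary directory are all constructed for the example.

```python
"""Inventory unstructured-data repositories and flag likely sensitive content."""
import os
import re
import tempfile
from collections import defaultdict

# Extensions treated as unstructured data (constructed mapping; extend as needed).
UNSTRUCTURED_KINDS = {
    ".txt": "text", ".csv": "text", ".log": "log", ".md": "text",
    ".docx": "office", ".xlsx": "office", ".pdf": "pdf", ".eml": "email",
}
# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Count likely card numbers and email addresses in a piece of text."""
    cards = [m.group() for m in CARD_RE.finditer(text)]
    cards = [c for c in cards if luhn_ok(re.sub(r"\D", "", c))]
    return {"cards": len(cards), "emails": len(EMAIL_RE.findall(text))}


def inventory(root: str) -> dict:
    """Map each directory holding unstructured files to volume, kinds and findings."""
    repos = defaultdict(lambda: {"files": 0, "bytes": 0, "kinds": set(),
                                 "cards": 0, "emails": 0})
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            kind = UNSTRUCTURED_KINDS.get(os.path.splitext(name)[1].lower())
            if kind is None:          # structured or unknown type: not in scope
                continue
            path = os.path.join(dirpath, name)
            entry = repos[rel]
            entry["files"] += 1
            entry["bytes"] += os.path.getsize(path)
            entry["kinds"].add(kind)
            with open(path, "rb") as fh:
                hits = find_sensitive(fh.read().decode("utf-8", errors="ignore"))
            entry["cards"] += hits["cards"]
            entry["emails"] += hits["emails"]
    return dict(repos)


def prioritise(inv: dict) -> list:
    """Order repositories by sensitive findings first, then by volume."""
    return sorted(inv, key=lambda d: (inv[d]["cards"], inv[d]["emails"],
                                      inv[d]["bytes"]), reverse=True)


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="unstructured-")
    samples = {
        # 4111... passes Luhn; 1234 5678 9012 3456 does not and is ignored.
        "finance/q2-refunds.txt": "Refund to card 4111 1111 1111 1111 done.\n"
                                  "Test card 1234 5678 9012 3456 ignored.\n",
        "hr/onboarding.txt": "Contact jane.doe@example.com for badge access.\n",
        "apps/db/schema.sql": "CREATE TABLE customers (id INT);\n",  # structured
        "shares/archive/readme.md": "Old project files.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    inv = inventory(build_sample_tree())
    for repo in prioritise(inv):
        e = inv[repo]
        print(f"{repo:18} files={e['files']} bytes={e['bytes']} "
              f"kinds={sorted(e['kinds'])} cards={e['cards']} emails={e['emails']}")
```

Pointing `inventory()` at a mounted file share or an exported cloud bucket gives the scope and volume figures the explanation above asks for; the structured `schema.sql` file is deliberately left out of the count, and the Luhn filter keeps the card-number pattern from flagging every 16-digit reference number.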
Reference: Unstructured data -Wikipedia
Which of the following would be MOST helpful to an IS auditor performing a risk assessment of an application programming interface (API) that feeds credit scores from a well-known commercial credit agency into an organizational system?
- A . A data dictionary of the transferred data
- B . A technical design document for the interface configuration
- C . The most recent audit report from the credit agency
- D . The approved business case for the API
Which of the following is the MOST effective way to ensure adequate system resources are available for high-priority activities?
- A . System virtualization
- B . Job scheduling
- C . Zero Trust
- D . Code optimization
B
Explanation:
Job scheduling ensures that system resources are allocated efficiently by prioritizing high-priority tasks during peak periods. It prevents resource contention by scheduling less critical jobs at off-peak times or when resources are underutilized. This method is the most direct and effective way to ensure adequate resources for essential activities.
System Virtualization (Option A): While useful for optimizing resource utilization, it does not prioritize activities dynamically.
Zero Trust (Option C): This is a security framework and does not address resource allocation.
Code Optimization (Option D): This improves performance but is not directly related to resource scheduling.
Reference: ISACA CISA Review Manual, Job Practice Area 3: Information Systems Operations and Business Resilience.
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s IT process performance reports over the last quarter?
- A . Metrics are not aligned with industry benchmarks
- B . Performance reporting includes too many technical terms
- C . Key performance indicators (KPIs) were met in only one month
- D . Metrics were defined without stakeholder review
A source code repository should be designed to:
- A . prevent changes from being incorporated into existing code.
- B . prevent developers from accessing secure source code.
- C . provide secure versioning and backup capabilities for existing code.
- D . provide automatic incorporation and distribution of modified code.
C
Explanation:
A source code repository is a system that stores and manages the source code of a software project. A source code repository should be designed to provide secure versioning and backup capabilities for existing code, as these are essential features for concurrent development, code quality, and disaster recovery. Versioning allows developers to track, compare, and revert changes to the code over time. Backup ensures that the code is safely stored and can be restored in case of data loss or corruption.
Reference:
Source Code Repositories: What is a Source Code Repository?
Git Source Code Repository Design Considerations
Best practices for repositories – GitHub Docs
Which of the following is the BEST reason for software developers to use automated testing versus manual testing?
- A . CAATs are easily developed
- B . Improved regression testing
- C . Ease of maintaining automated test scripts
- D . Reduces the scope of acceptance testing
Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
- A . Limit check
- B . Parity check
- C . Reasonableness check
- D . Validity check
D
Explanation:
The application input control most likely to detect a data input error in the customer account number field is a validity check. A validity check verifies that the value entered matches a predefined set of acceptable values or a defined rule. For example, the account number keyed by the user is looked up against the master list of existing customer account numbers, and any input that does not match is rejected. Where the account number carries a check digit, the same control can recompute the check digit before the lookup, so most keying errors are caught before the database is touched.
The other options are less likely to detect an error in the account number field because they do not compare the input with a predefined set of values. A limit check verifies that a value falls within a specified range; for example, that the amount entered for an invoice does not exceed a set maximum. A parity check is not an application input control at all but a data transmission and storage control: a parity bit is added so that the number of 1 bits in each unit of data is even (or odd), and a mismatch on receipt reveals a corrupted bit. It cannot detect a keying error such as two transposed digits, because every byte transmitted is still a valid byte. A reasonableness check verifies that a value is logical in relation to other related data; for example, that the date entered for an order is not in the future and not earlier than the date the customer account was created.
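The four controls in the explanation above, as an added example that is not part of the original page: each control is a small function, a constructed accounts-receivable transaction is run through them, and the parity check is shown on the transmitted bytes to make clear why it does not catch a keying error. The master data (account numbers, opening dates, the maximum invoice amount) is assumed for the example.

```python
"""Application input controls for an accounts-receivable transaction."""
from datetime import date

# Constructed master data standing in for the customer master file.
VALID_ACCOUNTS = {"C10001", "C10002", "C10005"}
ACCOUNT_OPENED = {
    "C10001": date(2021, 3, 1),
    "C10002": date(2022, 7, 15),
    "C10005": date(2023, 1, 9),
}
MAX_INVOICE_AMOUNT = 50_000.00   # assumed upper limit for a single transaction
TODAY = date(2024, 6, 30)        # processing date used by the example

# Constructed inputs: the clerk meant C10001 but transposed the last two digits.
KEYED_TXN = {"account": "C10010", "amount": 1200.00, "date": date(2024, 6, 28)}
CORRECT_TXN = {"account": "C10001", "amount": 1200.00, "date": date(2024, 6, 28)}


def validity_check(account: str) -> bool:
    """Validity check: the keyed account number must exist in the master file."""
    return account in VALID_ACCOUNTS


def limit_check(amount: float) -> bool:
    """Limit check: the amount must lie within the permitted range."""
    return 0 < amount <= MAX_INVOICE_AMOUNT


def reasonableness_check(account: str, txn_date: date, today: date) -> bool:
    """Reasonableness check: the date must be plausible relative to related data."""
    opened = ACCOUNT_OPENED.get(account)
    return opened is not None and opened <= txn_date <= today


def with_even_parity(data: bytes) -> bytes:
    """Sender side: use bit 7 of each 7-bit ASCII byte as an even-parity bit."""
    out = bytearray()
    for b in data:
        b &= 0x7F
        if bin(b).count("1") % 2:   # odd number of 1 bits so far
            b |= 0x80               # set the parity bit to make it even
        out.append(b)
    return bytes(out)


def parity_check(frame: bytes) -> bool:
    """Receiver side: every byte must carry an even number of 1 bits."""
    return all(bin(b).count("1") % 2 == 0 for b in frame)


def check_transaction(txn: dict, today: date) -> list:
    """Run the three application input controls; return the names of those that failed."""
    failures = []
    if not validity_check(txn["account"]):
        failures.append("validity")
    if not limit_check(txn["amount"]):
        failures.append("limit")
    if not reasonableness_check(txn["account"], txn["date"], today):
        failures.append("reasonableness")
    return failures


if __name__ == "__main__":
    print("failed controls:", check_transaction(KEYED_TXN, TODAY))   # ['validity', 'reasonableness']
    print("failed controls:", check_transaction(CORRECT_TXN, TODAY)) # []

    # The transposition survives a parity check: each byte is still a valid byte.
    frame = with_even_parity(KEYED_TXN["account"].encode())
    print("parity ok after transposition:", parity_check(frame))      # True
    # A single bit flipped in transit is what parity does catch.
    corrupted = bytes([frame[0] ^ 0x01]) + frame[1:]
    print("parity ok after bit flip:", parity_check(corrupted))       # False
```

The mistyped account fails the validity check (and, because no opening date exists for it, the reasonableness check), while the limit check passes since the amount itself is unremarkable; this is why the validity check is the answer for an account number field.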
Reference:
What are application controls? Definition, examples & best practices
General Control Vs Application Control: Key Differences and Example …
Parity Check – an overview | ScienceDirect Topics
