Practice Free CISA Exam Online Questions
An IS auditor determines that the vendor’s deliverables do not include the source code for a newly acquired product.
To address this issue, which of the following should the auditor recommend be included in the contract?
- A . Confidentiality and data protection clauses
- B . Service level agreement (SLA)
- C . Software escrow agreement
- D . Right-to-audit clause
C
Explanation:
The correct answer is C, software escrow agreement. A software escrow agreement is a three-party arrangement between the software developer (licensor), the end user (licensee) and an escrow agent. The agent holds the source code and related build materials and releases them to the licensee only when a defined trigger occurs, such as the licensor's bankruptcy, insolvency or failure to provide support or maintenance. This gives the licensee continuity for software it depends on and protects it from losing the ability to maintain the product if the vendor fails or a dispute arises. Confidentiality clauses, an SLA and a right-to-audit clause each address real risks, but none of them gives the licensee access to the source code when the vendor can no longer support the product. A deposit is only useful if it is current and buildable, so the auditor should also recommend that the contract require periodic updates of the deposit and independent verification that it matches the delivered release.
An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP).
Which of the following is the auditor’s BEST course of action?
- A . Confirm the BCP has been recently updated.
- B . Review the effectiveness of the business response.
- C . Raise an audit issue for the lack of simulated testing.
- D . Interview staff members to obtain commentary on the BCP’s effectiveness.
B
Explanation:
The correct answer is B. Because the organization is actually operating in business continuity mode, the auditor has something better than a simulation to evaluate: the real activation of the plan. The auditor's objective is to assess whether the BCP is adequate in keeping critical functions running during a disruption, so the best course is to review the actual results of the business response, such as recovery time, recovery point, service levels, customer impact and incident management, against the objectives and criteria defined in the BCP. Any gaps or lessons learned from the live response should be analyzed and reported with recommendations. Raising an issue solely for the missing simulation (option C) would ignore the evidence already available; confirming the plan was updated (A) or collecting staff commentary (D) are weaker sources of evidence than the observed performance.
The MOST effective way to reduce sampling risk is to increase:
- A . confidence interval.
- B . population.
- C . audit sampling training.
- D . sample size.
Which of the following backup methods is MOST appropriate when storage space is limited?
- A . Incremental backups
- B . Mirror backups
- C . Full backups
- D . Annual backups
A
Explanation:
When storage space is limited, incremental backups are the most efficient because each one stores only the data that changed since the previous backup (full or incremental), which keeps the storage footprint small.
Option A (Correct): Incremental backups store only the data changed since the last backup, which minimizes storage use while still retaining a history of changes. The trade-off the auditor should note is that a restore needs the last full backup plus every incremental taken since it, so the entire chain must be intact and the recovery takes longer than from a full or differential backup.
Option B (Incorrect): Mirror backups create an exact copy of the source, consuming as much storage as the data itself and keeping no historical versions.
Option C (Incorrect): Full backups capture everything each time and require the most storage, making them impractical for space-constrained environments.
Option D (Incorrect): Annual backups describe a frequency rather than a method, and a backup taken once a year does not by itself reduce storage use.
Reference: ISACA CISA Review Manual, Domain 4: Information Systems Operations and Business Resilience, which covers backup strategies, storage management and disaster recovery.
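To make the storage trade-off concrete, the following added example (written for this page, not taken from the ISACA material) models a full-every-day scheme against a full-plus-incrementals chain over a constructed four-day file tree. It measures the bytes each scheme stores and replays the incremental chain to restore the latest state. It also demonstrates the caveat above: if one incremental in the chain is missing, the restore is refused rather than silently producing a wrong tree. The file contents, sequence-number chaining and change detection by SHA-256 are assumptions of this example.

```python
"""Toy model of full vs incremental backups (added example, constructed data)."""
import hashlib

Snapshot = dict[str, bytes]  # path -> file contents

# Constructed sample data: four daily snapshots of a small file tree.
DAYS: list[Snapshot] = [
    {"a.txt": b"alpha" * 100, "b.txt": b"beta" * 100},                         # day 0
    {"a.txt": b"alpha" * 100, "b.txt": b"beta" * 100, "c.txt": b"gamma" * 20},  # day 1: add c.txt
    {"a.txt": b"ALPHA" * 100, "b.txt": b"beta" * 100, "c.txt": b"gamma" * 20},  # day 2: modify a.txt
    {"a.txt": b"ALPHA" * 100, "c.txt": b"gamma" * 20},                          # day 3: delete b.txt
]


def _digest(data: bytes) -> str:
    """Content hash used to detect changed files without storing both trees."""
    return hashlib.sha256(data).hexdigest()


def full_backup(seq: int, snap: Snapshot) -> dict:
    """A full backup stores every file in the snapshot."""
    return {"seq": seq, "kind": "full", "files": dict(snap), "deleted": set()}


def incremental_backup(seq: int, prev: Snapshot, cur: Snapshot) -> dict:
    """An incremental stores only files added or changed since `prev`, plus deletions."""
    changed = {p: c for p, c in cur.items()
               if p not in prev or _digest(prev[p]) != _digest(c)}
    return {"seq": seq, "kind": "incremental", "files": changed,
            "deleted": set(prev) - set(cur)}


def stored_bytes(chain: list[dict]) -> int:
    """Total bytes of file content the backup set occupies."""
    return sum(len(c) for b in chain for c in b["files"].values())


def plan_full(days: list[Snapshot]) -> list[dict]:
    """Scheme 1: a full backup every day."""
    return [full_backup(i, s) for i, s in enumerate(days)]


def plan_incremental(days: list[Snapshot]) -> list[dict]:
    """Scheme 2: one full backup, then an incremental per day."""
    chain = [full_backup(0, days[0])]
    for i in range(1, len(days)):
        chain.append(incremental_backup(i, days[i - 1], days[i]))
    return chain


def restore(chain: list[dict]) -> Snapshot:
    """Replay the base full backup and every incremental in sequence order.

    Refuses to restore if the chain does not start with a full backup or if a
    sequence number is missing, because a gap would yield a wrong file tree.
    """
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("restore needs the base full backup")
    state: Snapshot = {}
    expected = chain[0]["seq"]
    for b in chain:
        if b["seq"] != expected:
            raise ValueError(f"backup chain broken: missing seq {expected}")
        state.update(b["files"])
        for path in b["deleted"]:
            state.pop(path, None)
        expected += 1
    return state


if __name__ == "__main__":
    print("full every day :", stored_bytes(plan_full(DAYS)), "bytes")
    print("full+incremental:", stored_bytes(plan_incremental(DAYS)), "bytes")
    chain = plan_incremental(DAYS)
    assert restore(chain) == DAYS[-1]
    del chain[2]  # lose one incremental
    try:
        restore(chain)
    except ValueError as exc:
        print("restore refused:", exc)
```

On this data the daily-full scheme stores 3500 bytes while the incremental chain stores 1500, and the restore of the complete chain reproduces day 3 exactly. A differential scheme would sit between the two: each differential captures everything changed since the last full, so it costs more storage than an incremental but a restore needs only two pieces.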
Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
- A . The job scheduler application has not been designed to display pop-up error messages.
- B . Access to the job scheduler application has not been restricted to a maximum of two staff members
- C . Operations shift turnover logs are not utilized to coordinate and control the processing environment
- D . Changes to the job scheduler application’s parameters are not approved and reviewed by an operations supervisor
D
Explanation:
The correct answer is D. Changes to the job scheduler's parameters (job sequences, schedules, dependencies, run-as accounts) determine what runs, when and with what privileges, so unapproved and unreviewed changes could compromise the integrity, availability and security of the whole processing environment. The lack of oversight and accountability means an erroneous or malicious change could go undetected. The other findings are less critical: the absence of pop-up error messages is a usability point as long as errors are logged and monitored; there is no control requirement that access be limited to exactly two people, only that it be restricted to authorized operators; and missing shift turnover logs weaken coordination but do not by themselves allow unauthorized changes to processing.
Reference: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3.11
CISA Review Questions, Answers & Explanations Database, Question ID 202
The PRIMARY reason to assign data ownership for protection of data is to establish:
- A . reliability.
- B . traceability.
- C . authority.
- D . accountability.
Which of the following is the MOST important responsibility of user departments associated with program changes?
- A . Providing unit test data
- B . Analyzing change requests
- C . Updating documentation to reflect latest changes
- D . Approving changes before implementation
D
Explanation:
The most important responsibility of user departments associated with program changes is approving changes before implementation. This is because user departments are the primary stakeholders and beneficiaries of the program changes, and they need to ensure that the changes meet their requirements, expectations, and objectives. User departments also need to approve the changes before implementation to avoid unauthorized, unnecessary, or erroneous changes that could affect the functionality, performance, or security of the program.
Providing unit test data is a responsibility of user departments associated with program changes, but it is not the most important one. Unit test data is used to verify that the individual components of the program work as expected after the changes. However, unit test data alone cannot guarantee that the program as a whole works correctly, or that the changes are aligned with the user departments’ needs.
Analyzing change requests is a responsibility of user departments associated with program changes, but it is not the most important one. Analyzing change requests is the process of evaluating the feasibility, necessity, and impact of the proposed changes. However, analyzing change requests does not ensure that the changes are implemented correctly, or that they are acceptable to the user departments.
Updating documentation to reflect the latest changes is a responsibility of user departments associated with program changes, but it is not the most important one. Updating documentation is the process of maintaining accurate and complete records of the program's specifications, features and functions after the changes. However, updating documentation does not ensure that the changes are effective, or that they are approved by the user departments.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 281
ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
Which of the following would BEST prevent an arbitrary application of a patch?
- A . Database access control
- B . Established maintenance windows
- C . Network based access controls
- D . Change management
Which of the following should be an IS auditor’s GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?
- A . Business interruption due to remediation
- B . IT budgeting constraints
- C . Availability of responsible IT personnel
- D . Risk rating of original findings
D
Explanation:
The correct answer is D. The risk rating of the original findings reflects the likelihood and potential impact of each issue on the organization's objectives, operations or reputation, and it should drive the priority and frequency of follow-up: high-risk findings are verified first and more often, low-risk findings later. The other options are practical constraints rather than measures of significance. Business interruption due to remediation is a possible consequence of implementing corrective actions, IT budgeting constraints may limit the resources available for remediation, and the availability of responsible IT personnel affects how quickly management can respond, but none of these indicates how urgent it is to confirm that a given finding has actually been fixed.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.4
Which of the following BEST enables a benefits realization process for a system development project?
- A . Metrics for the project have been selected before the project begins.
- B . Project budget includes costs to execute the project and costs associated with the solution.
- C . Estimates of business benefits are backed by similar previously completed projects.
- D . Metrics are evaluated immediately after the project has been implemented.
A
Explanation:
A benefits realization process is a systematic way of identifying, defining, planning, tracking and realizing the benefits from a project or program. Benefits are the measurable improvements that result from the delivery of project outputs and outcomes. Benefits realization management (BRM) is the practice of ensuring that benefits are derived from outputs and outcomes.
One of the best practices for BRM is to select metrics for the project before it begins. Metrics are the indicators that measure the performance and value of the project and its benefits. By selecting metrics in advance, the project team can align the project objectives with the expected benefits, establish a baseline for comparison, and monitor and evaluate the progress and results of the project. Metrics also help to communicate the value of the project to stakeholders and justify the investment.
The other options are not as effective as selecting metrics before the project begins. Project budget is an important factor for BRM, but it does not enable the benefits realization process by itself. It only reflects the costs of executing the project and delivering the solution, not the benefits or value that are expected from them. Estimates of business benefits are useful for planning and forecasting, but they are not sufficient for BRM. They need to be validated by actual data and evidence from similar projects or other sources. Metrics are evaluated after the project has been implemented, but this is only one part of the benefits realization process. BRM requires continuous monitoring and evaluation throughout the project life cycle and beyond, to ensure that benefits are sustained and optimized.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 326
PMI, Benefits Realization Management: A Practice Guide, 2019
APM, What is benefits management and project success?, 2021
