Practice Free CISA Exam Online Questions
Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?
- A . Increased number of false negatives in security logs
- B . Decreased effectiveness of root cause analysis
- C . Decreased overall recovery time
- D . Increased demand for storage space for logs
A
Explanation:
The greatest impact as a result of the ongoing deterioration of a detective control is an increased number of false negatives in security logs. A detective control is a control that monitors and identifies any deviations or anomalies from the expected or normal behavior or performance of a system or process. A security log is a record of events or activities that occur within a system or network, such as user access, file changes, system errors, or security incidents. A false negative is a situation where a security log fails to detect or report an actual deviation or anomaly that has occurred, such as an unauthorized access, a malicious modification, or a security breach. An increased number of false negatives in security logs can have a significant impact on the organization’s security posture and risk management, because it can prevent timely detection and response to security threats, compromise the accuracy and reliability of security monitoring and reporting, and undermine the accountability and auditability of user actions and transactions. The other options are not as impactful as an increased number of false negatives in security logs, because they either do not affect the detection capability of a detective control, or they have less severe consequences for security management.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.1
Which of the following constitutes an effective detective control in a distributed processing environment?
- A . A log of privileged account use is reviewed.
- B . A disaster recovery plan (DRP) is in place for the entire system.
- C . User IDs are suspended after three incorrect passwords have been entered.
- D . Users are required to request additional access via an electronic mail system.
Which of the following is MOST likely to be reduced when implementing optimal risk management strategies?
- A . Sampling risk
- B . Residual risk
- C . Detection risk
- D . Inherent risk
Which of the following network topologies will provide the GREATEST fault tolerance?
- A . Bus configuration
- B . Mesh configuration
- C . Star configuration
- D . Ring configuration
The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:
- A . Internal audit activity conforms with audit standards and methodology.
- B . The audit function is adequately governed and meets performance metrics.
- C . Inherent risk in audits is minimized.
- D . Audit resources are used most effectively.
A
Explanation:
Comprehensive and Detailed Step-by-Step
Internal quality assurance (QA) reviews are conducted to ensure conformance with professional audit standards and methodology.
Option A (Correct): The primary purpose of QA reviews is to confirm that the internal audit function adheres to industry standards, such as ISACA’s IT audit framework and the International Standards for the Professional Practice of Internal Auditing (IPPF).
Option B (Incorrect): While governance and performance metrics are important, conformance to standards is the primary goal of QA reviews.
Option C (Incorrect): Risk management is part of audits, but QA reviews focus on adherence to methodology rather than reducing audit risk.
Option D (Incorrect): Efficient resource usage is a goal but not the main objective of an audit QA program.
Reference: ISACA CISA Review Manual, Domain 1: Information Systems Auditing Process, which covers audit quality assurance and compliance with professional standards.
Which of the following is an IS auditor’s BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?
- A . Enforce a secure tunnel connection.
- B . Enhance internal firewalls.
- C . Set up a demilitarized zone (DMZ).
- D . Implement a secure protocol.
C
Explanation:
A demilitarized zone (DMZ) is a network segment that is separated from the internal network and the external network, such as the internet, by firewalls or other security devices. A DMZ provides an extra layer of security for the organization’s internal network by isolating the servers and services that need to be accessible to external users, such as a file server, from the rest of the network. A DMZ also prevents external users from accessing the internal network directly, as they have to go through two firewalls to reach it. Therefore, setting up a DMZ is an IS auditor’s best recommendation to protect an organization from attacks when its file server needs to be accessible to external users [1][2].
The other possible options are:
Enforce a secure tunnel connection: This means that the organization requires external users to establish a secure and encrypted connection, such as a virtual private network (VPN), to access its file server. This can provide some level of security and privacy for the data transmission, but it does not protect the file server or the internal network from attacks if the connection is compromised or if the external users are malicious. Therefore, enforcing a secure tunnel connection is not an IS auditor’s best recommendation to protect an organization from attacks when its file server needs to be accessible to external users [3].
Enhance internal firewalls: This means that the organization improves the security and performance of its internal firewalls, which are devices that filter and control the network traffic between different segments of the network. This can provide some level of protection for the internal network from unauthorized or malicious access, but it does not protect the file server or the external network from attacks if the file server is exposed to the internet or if the external network is compromised. Therefore, enhancing internal firewalls is not an IS auditor’s best recommendation to protect an organization from attacks when its file server needs to be accessible to external users [4].
Implement a secure protocol: This means that the organization uses a secure and standardized protocol, such as Secure File Transfer Protocol (SFTP) or Secure Shell (SSH), to transfer files between its file server and external users. This can provide some level of security and integrity for the data transmission, but it does not protect the file server or the internal network from attacks if the protocol is exploited or if the external users are malicious. Therefore, implementing a secure protocol is not an IS auditor’s best recommendation to protect an organization from attacks when its file server needs to be accessible to external users [5].
Reference: [1] What Is a DMZ Network and Why Would You Use It? (Fortinet); [2] Demilitarised zone (DMZ) (Cyber.gov.au); [3] What Is VPN Tunneling? (Fortinet); [4] Firewall (Wikipedia); [5] Secure Shell (Wikipedia)
Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?
- A . Establishing a risk appetite
- B . Establishing a risk management framework
- C . Validating enterprise risk management (ERM)
- D . Operating the risk management framework
C
Explanation:
The primary role of an internal audit function in the management of identified business risks is to validate the enterprise risk management (ERM) process and provide assurance on its effectiveness. The internal audit function should evaluate whether the ERM process is aligned with the organization’s objectives, strategies, policies and culture, and whether it covers all relevant risks and controls. The internal audit function should also assess whether the ERM process is operating as designed and producing reliable and timely information for decision making. The other options are not the primary role of an internal audit function, but rather the responsibilities of senior management, board of directors or risk owners.
Reference: [1] ISACA, CISA Review Manual, 27th Edition, Chapter 1, Section 1.4
[2] ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, Section 1207
Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?
- A . The change management process was not formally documented
- B . Backups of the old system and data are not available online
- C . Unauthorized data modifications occurred during conversion.
- D . Data conversion was performed using manual processes
C
Explanation:
The finding that should be of greatest concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system is that unauthorized data modifications occurred during conversion. Data conversion and migration is a process that involves transferring data from one system to another, ensuring its accuracy, completeness, integrity, and usability. Unauthorized data modifications during conversion can result in data loss, corruption, inconsistency, or duplication, which can affect the functionality, performance, reliability, and security of the new system. Unauthorized data modifications can also have serious business implications, such as affecting decision making, reporting, compliance, customer service, and revenue. The IS auditor should verify that adequate controls are in place to prevent, detect, and correct unauthorized data modifications during conversion, such as access control, data validation, reconciliation, audit trail, and backup and recovery. The other findings (A, B and D) are less concerning, as they can be mitigated by documenting the change management process, restoring the backups of the old system and data from offline storage, or automating the data conversion process.
Reference: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development & Implementation, Section 3.4: System Implementation
Which of the following should be identified FIRST during the risk assessment process?
- A . Vulnerability to threats
- B . Existing controls
- C . Information assets
- D . Legal requirements
C
Explanation:
The risk assessment process involves identifying the information assets that are at risk, analyzing the threats and vulnerabilities that could affect them, evaluating the impact and likelihood of a risk event, and determining the appropriate controls to mitigate the risk. The first step is to identify the information assets, as they are the objects of protection and the basis for the rest of the process. Without knowing what assets are at risk, it is not possible to assess their value, exposure, or protection level.
Reference: ISACA Frameworks: Blueprints for Success
An IS auditor is reviewing processes for importing market price data from external data providers.
Which of the following findings should the auditor consider MOST critical?
- A . The transfer protocol does not require authentication.
- B . The quality of the data is not monitored.
- C . Imported data is not disposed of frequently.
- D . The transfer protocol is not encrypted.
