Practice Free CISA Exam Online Questions
Which of the following would a digital signature MOST likely prevent?
- A . Repudiation
- B . Unauthorized change
- C . Corruption
- D . Disclosure
B
Explanation:
A digital signature is a cryptographic technique that uses the sender’s private key to generate a unique code for a message or document. The receiver can use the sender’s public key to verify the authenticity and integrity of the message or document. A digital signature can prevent unauthorized change, as any modification to the message or document will invalidate the signature and alert the receiver of tampering.
Reference:
What is a digital signature?
Digital Signature – an overview | ScienceDirect Topics
ISACA CISA Review Manual, 27th Edition, page 253
Which of the following should be an IS auditor’s GREATEST concern when reviewing an organization’s security controls for policy compliance?
- A . The security policy has not been reviewed within the past year.
- B . Security policy documents are available on a public domain website.
- C . Security policies are not applicable across all business units.
- D . End users are not required to acknowledge security policy training.
Which of the following is the BEST indication to an IS auditor that management’s post-implementation review was effective?
- A . Lessons learned were documented and applied.
- B . Business and IT stakeholders participated in the post-implementation review.
- C . Post-implementation review is a formal phase in the system development life cycle (SDLC).
- D . Internal audit follow-up was completed without any findings.
A
Explanation:
The best indication to an IS auditor that management’s post-implementation review was effective is that lessons learned were documented and applied, as this shows that the management has identified and addressed the issues and gaps that arose during the implementation, and has improved the processes and practices for future projects. Business and IT stakeholders participating in the post-implementation review is a good practice, but it does not guarantee that the review was effective or that the outcomes were implemented. Post-implementation review being a formal phase in the system development life cycle (SDLC) is a requirement, but it does not ensure that the review was effective or that the outcomes were implemented. Internal audit follow-up being completed without any findings is a desirable result, but it does not indicate that the management’s post-implementation review was effective or that the outcomes were implemented.
Reference: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.2: Project Management Practices
An IS auditor finds that a recently deployed application has a number of developers with inappropriate update access left over from the testing environment.
Which of the following would have BEST prevented the update access from being migrated?
- A . Establishing a role-based matrix for provisioning users
- B . Re-assigning user access rights in the quality assurance (QA) environment
- C . Holding the application owner accountable for application security
- D . Including a step within the system development life cycle (SDLC) to clean up access prior to go-live
Which of the following business continuity activities prioritizes the recovery of critical functions?
- A . Business continuity plan (BCP) testing
- B . Business impact analysis (BIA)
- C . Disaster recovery plan (DRP) testing
- D . Risk assessment
B
Explanation:
A business impact analysis (BIA) is a process that identifies and evaluates the potential effects or consequences of disruptions or disasters on an organization’s critical business functions or processes. A BIA can help prioritize the recovery of critical functions by assessing their importance and urgency for the organization’s operations, objectives, and stakeholders, and determining their recovery time objectives (RTOs), which are the maximum acceptable time for restoring a function after a disruption. A business continuity plan (BCP) testing is a process that verifies and validates the effectiveness and readiness of a BCP, which is a document that outlines the strategies and procedures for ensuring the continuity of critical business functions in the event of a disruption or disaster. A BCP testing does not prioritize the recovery of critical functions, but rather evaluates how well they are recovered according to the BCP. A disaster recovery plan (DRP) testing is a process that verifies and validates the effectiveness and readiness of a DRP, which is a document that outlines the technical and operational steps for restoring the IT systems and infrastructure that support critical business functions in the event of a disruption or disaster. A DRP testing does not prioritize the recovery of critical functions, but rather evaluates how well they are supported by the IT systems and infrastructure according to the DRP. A risk assessment is a process that identifies and analyzes the potential threats and vulnerabilities that could affect an organization’s critical business functions or processes. A risk assessment does not prioritize the recovery of critical functions, but rather estimates their likelihood and impact of being disrupted by various risk scenarios.
IT management has accepted the risk associated with an IS auditor’s finding due to the cost and complexity of the corrective actions.
Which of the following should be the auditor’s NEXT course of action?
- A . Perform a cost-benefit analysis.
- B . Document and inform the audit committee.
- C . Report the finding to external regulators.
- D . Notify senior management.
When selecting a new data loss prevention (DLP) solution, the MOST important consideration is that the solution:
- A . is cost effective and meets proposed return on investment (ROI) criteria.
- B . provides comprehensive reporting and alerting features with detailed insights on data movements.
- C . is compatible with legacy IT infrastructure and integrates with other security tools.
- D . identifies and safeguards confidential information from unauthorized transmission.
An IS auditor is assigned to review the IS department’s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards.
Which of the following should be the auditor’s NEXT action?
- A . Make recommendations to IS management as to appropriate quality standards
- B . Postpone the audit until IS management implements written standards
- C . Document and test compliance with the informal standards
- D . Finalize the audit and report the finding
C
Explanation:
The auditor’s next action after finding that there is an informal unwritten set of standards in the IS department is to document and test compliance with the informal standards. This is because the auditor’s role is to evaluate the adequacy and effectiveness of the existing controls, regardless of whether they are formal or informal, written or unwritten. The auditor should also assess the risks and implications of having informal standards, such as lack of consistency, accountability, or traceability. The auditor should not make recommendations, postpone the audit, or finalize the audit without performing the audit procedures.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.21
CISA Online Review Course, Domain 1, Module 1, Lesson 12
An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons.
Which of the following should the auditor recommend be performed FIRST?
- A . Implement a process to actively monitor postings on social networking sites.
- B . Adjust budget for network usage to include social media usage.
- C . Use data loss prevention (DLP) tools on endpoints.
- D . Implement policies addressing acceptable usage of social media during working hours.
D
Explanation:
The first course of action that the auditor should recommend after finding that several employees are spending an excessive amount of time using social media sites for personal reasons is to implement policies addressing acceptable usage of social media during working hours. Policies can help define the scope, purpose, rules, and expectations of using social media in the workplace, both for personal and professional reasons. Policies can also specify the consequences of violating the policies, such as disciplinary actions or termination. Policies can help deter employees from misusing social media at work, which could affect their productivity, performance, or security. Policies can also help protect the organization from legal liabilities or reputational damages that could arise from inappropriate or unlawful employee behavior on social media.
Which of the following responses to risk associated with separation of duties would incur the LOWEST initial cost?
- A . Risk mitigation
- B . Risk acceptance
- C . Risk transference
- D . Risk reduction
B
Explanation:
Risk acceptance means choosing not to take immediate action to mitigate the risk, making it the lowest-cost approach in the short term.
Risk Acceptance (Correct answer: B)
The organization acknowledges the risk and decides to accept it without implementing additional controls.
Example: A small company accepts the risk of not segregating financial duties due to limited staff.
Risk Mitigation (Incorrect: A)
Requires implementing controls, which incur costs.
Risk Transference (Incorrect: C)
Involves outsourcing risk (e.g., buying insurance), which has financial costs.
Risk Reduction (Incorrect: D)
Involves applying security controls, leading to additional costs.
Reference: ISACA CISA Review Manual
ISO 31000 (Risk Management Framework)
