Practice Free CISA Exam Online Questions
A steering committee established to oversee an organization’s digital transformation program is MOST likely to be involved with which of the following activities?
- A . Preparing project status reports
- B . Designing interface controls
- C . Reviewing escalated project issues
- D . Documenting requirements
Which of the following is the BEST preventive control to protect the confidentiality of data on a corporate smartphone in the event it is lost?
- A . Biometric authentication for the device
- B . Remote data wipe program
- C . Encryption of the data stored on the device
- D . Password for device authentication
In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire.
Which of the following recommendations would BEST address the risk with minimal disruption to the business?
- A . Modify applications to no longer require direct access to the database.
- B . Introduce database access monitoring into the environment
- C . Modify the access management policy to make allowances for application accounts.
- D . Schedule downtime to implement password changes.
B
Explanation:
The best recommendation to address the risk of privileged application accounts with passwords set to never expire in a 24/7 processing environment is to introduce database access monitoring into the environment. Database access monitoring is a security control that tracks and records all activities and transactions performed on a database, especially by privileged users or accounts. It compensates for the non-expiring passwords by detecting and alerting on any unauthorized or abnormal access or actions on the database, without interrupting processing.

The other options are less effective because they either disrupt the business or weaken the access management policy. Modifying applications to no longer require direct access to the database is a complex and costly solution that may affect the functionality or performance of the applications, and it may not be feasible or practical in a 24/7 processing environment. Modifying the access management policy to make allowances for application accounts creates exceptions or loopholes in the policy and may not comply with best practices or standards for password management. Scheduling downtime to implement password changes affects the availability or continuity of the systems or applications and may not be acceptable or possible in a 24/7 processing environment.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.4
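To make the compensating control concrete, the following Python script is an added example (not part of the original question bank or the CISA Review Manual). It parses constructed, pipe-delimited database audit records and flags activity by privileged application accounts that deviates from their expected profile: connections from a host other than the application servers, or statements an unattended application account should never issue (GRANT, REVOKE, ALTER, DROP, CREATE). The log format, the account names, the host names and the baseline mapping are all assumptions for illustration; a real deployment would take the baseline from the application inventory and feed the findings to the SIEM.

```python
"""Database access monitoring for privileged application accounts.

Added example, not code from the original page. The audit-record layout
(timestamp | account | source host | SQL text), the account and host names
and the baseline below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Assumed baseline: each privileged application account and the hosts it is
# expected to connect from. Anything outside this set is worth an alert.
APP_ACCOUNT_BASELINE = {
    "app_payroll": {"app-srv-01", "app-srv-02"},
    "app_billing": {"bill-srv-01"},
}

# Statement types an unattended application account has no reason to issue.
PRIVILEGED_STATEMENTS = {"GRANT", "REVOKE", "ALTER", "DROP", "CREATE"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    account: str
    host: str
    statement: str  # leading SQL keyword, upper-cased
    sql: str


def parse_line(line: str) -> AuditEvent:
    """Parse one constructed audit record: 'ts | account | host | sql'."""
    ts, account, host, sql = (f.strip() for f in line.split("|", 3))
    keyword = sql.split()[0].upper() if sql else ""
    return AuditEvent(datetime.fromisoformat(ts), account, host, keyword, sql)


def find_anomalies(lines, baseline=APP_ACCOUNT_BASELINE):
    """Return (timestamp, account, finding, detail) tuples for monitored accounts.

    Accounts not in the baseline (e.g. human DBAs) are skipped here; they
    would be covered by a separate rule set.
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.account not in baseline:
            continue
        if ev.host not in baseline[ev.account]:
            findings.append((ev.ts, ev.account, "unexpected_host", ev.host))
        if ev.statement in PRIVILEGED_STATEMENTS:
            findings.append((ev.ts, ev.account, "privileged_statement", ev.statement))
    return findings


# Constructed sample audit records (not real log data).
SAMPLE_LOG = [
    "2024-03-01T02:15:00 | app_payroll | app-srv-01 | SELECT emp_id, net_pay FROM payroll WHERE run_id = 77",
    "2024-03-01T02:16:10 | app_payroll | laptop-jdoe | SELECT ssn FROM employees",
    "2024-03-01T02:17:45 | app_billing | bill-srv-01 | GRANT DBA TO app_billing",
    "2024-03-01T02:18:00 | dba_alice | dba-ws-03 | ALTER TABLE invoices ADD COLUMN note VARCHAR(200)",
    "2024-03-01T02:19:30 | app_payroll | app-srv-02 | UPDATE payroll SET status = 'PAID' WHERE run_id = 77",
    "2024-03-01T02:20:00 | app_billing | laptop-jdoe | DROP TABLE invoices",
]


if __name__ == "__main__":
    for ts, account, finding, detail in find_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()} {account}: {finding} ({detail})")
```

Running the script on the sample records yields four findings: the payroll account used from a laptop, the billing account issuing GRANT, and the billing account both connecting from a laptop and issuing DROP. The DBA's ALTER is deliberately not flagged by this rule because the rule targets application accounts whose credentials never rotate; the point of the control is that a stolen application password shows up as a host or statement deviation even though the password itself is still valid.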
An IS auditor is reviewing the service management of an outsourced help desk.
Which of the following is the BEST indicator of how effectively the service provider is performing this function?
- A . Average ticket age
- B . Number of calls worked
- C . Customer satisfaction ratings
- D . Call transcript reviews
Which of the following is the MOST effective control when granting access to a service provider for a cloud-based application?
- A . Administrator access is provided for a limited period with an expiration date.
- B . Access has been provided on a need-to-know basis.
- C . User IDs are deleted when work is completed.
- D . Access is provided to correspond with the service level agreement (SLA).
B
Explanation:
Granting access on a need-to-know basis ensures that a service provider only has the permissions necessary to perform their specific tasks. This principle minimizes the risk of unauthorized access or accidental misuse of the system by restricting access to essential areas only. It aligns with the least privilege principle, a cornerstone of effective access control.
Limited Administrator Access with Expiration (Option A): This is helpful but does not ensure that the access granted aligns with the specific job requirements.
Deleting User IDs After Completion (Option C): This is a good practice but applies after the task, not during access.
Access Corresponding to the SLA (Option D): While important, this focuses on timeframes and does not restrict permissions effectively.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.
Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
- A . Compliance with action plans resulting from recent audits
- B . Compliance with local laws and regulations
- C . Compliance with industry standards and best practice
- D . Compliance with the organization’s policies and procedures
B
Explanation:
The best test to provide assurance that a health care organization is handling patient data appropriately is compliance with local laws and regulations, as these are the primary sources of authority and obligation for data protection and privacy. Compliance with action plans, industry standards, or organizational policies and procedures are also important, but they may not cover all the legal requirements or reflect the current best practices for handling patient data.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.3
Which of the following system redundancy configurations BEST improves system resiliency and reduces the possibility of a single cause of failure impacting system dependability?
- A . Active redundancy
- B . Homogeneous redundancy
- C . Diverse redundancy
- D . Passive redundancy
An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization’s payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience.
What is the BEST course of action?
- A . Transfer the assignment to a different audit manager despite lack of IT project management experience.
- B . Outsource the audit to independent and qualified resources.
- C . Manage the audit since there is no one else with the appropriate experience.
- D . Have a senior IS auditor manage the project with the IS audit manager performing final review.
B
Explanation:
Outsourcing the audit to independent and qualified resources is the best course of action for the IS audit manager who was temporarily tasked with supervising a project manager assigned to the organization’s payroll application upgrade. This is because the IS audit manager has a potential conflict of interest and a threat to objectivity and independence, which are essential principles and standards for IS auditors.
According to the ISACA Code of Professional Ethics, IS auditors should maintain objectivity and independence in their professional judgment and avoid any situations that may impair or be presumed to impair their objectivity or independence. Objectivity is the mental attitude of an IS auditor that allows them to perform their work honestly, impartially, and with integrity, while independence is the freedom from conditions that threaten the ability of an IS auditor to carry out their work in an unbiased manner.
The IS audit manager who was involved in supervising the payroll application upgrade project may have a self-review threat, which is the risk that an IS auditor will not appropriately evaluate the results of a previous judgment made or service performed by them or their subordinates. The IS audit manager may also have a familiarity threat, which is the risk that an IS auditor will be influenced by a close relationship with someone involved in the project or by their own personal interests. These threats may compromise the IS audit manager’s objectivity and independence and affect the quality and credibility of the audit.
Therefore, the IS audit manager should disclose their involvement in the project to their senior management and the audit committee and decline to perform or manage the audit. The IS audit manager should also recommend outsourcing the audit to independent and qualified resources who have no connection or interest in the project and who have the necessary skills and experience to conduct a reliable and effective audit.
The other options are not the best course of action for the IS audit manager.
Transferring the assignment to a different audit manager despite lack of IT project management experience is not the best course of action because it may result in a low-quality audit that does not meet the expectations and standards of the stakeholders. IT project management experience is essential for auditing an IT project, as it requires knowledge of project management methodologies, tools, techniques, risks, and best practices. An audit manager who lacks IT project management experience may not be able to plan, execute, report, and follow up on the audit effectively and efficiently.
Managing the audit since there is no one else with the appropriate experience is not the best course of action because it violates the ethical principles and standards of objectivity and independence for IS auditors. Managing the audit would create a conflict of interest and a threat to objectivity and independence for the IS audit manager, as they would be reviewing their own work or that of their subordinate. Managing the audit would also undermine the credibility and reliability of the audit results and recommendations, as they may be biased or influenced by personal or professional relationships or interests.
Having a senior IS auditor manage the project with the IS audit manager performing final review is not the best course of action because it still involves the IS audit manager in the audit process, which poses a conflict of interest and a threat to objectivity and independence. Performing final review would require the IS audit manager to evaluate and approve the work done by the senior IS auditor, which may be affected by their previous involvement in or knowledge of the project. Performing final review would also expose the IS audit manager to undue pressure or influence from management or other stakeholders who may have expectations or preferences regarding the audit outcome.
As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?
- A . Risk appetite
- B . Critical applications in the cloud
- C . Completeness of critical asset inventory
- D . Recovery scenarios
C
Explanation:
The most important thing to assess when conducting a business impact analysis (BIA) is the completeness of critical asset inventory. This is because the critical asset inventory is the basis for identifying and prioritizing the business processes, functions, and resources that are essential for the continuity of operations. The critical asset inventory should include both tangible and intangible assets, such as hardware, software, data, personnel, facilities, contracts, and reputation. The critical asset inventory should also be updated regularly to reflect any changes in the business environment or needs.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.4; CISA Online Review Course, Domain 3, Module 3, Lesson 1
An IS auditor finds that an organization’s data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor’s MAIN concern should be that:
- A . violation reports may not be reviewed in a timely manner.
- B . a significant number of false positive violations may be reported.
- C . violations may not be categorized according to the organization’s risk profile.
- D . violation reports may not be retained according to the organization’s risk profile.
