Practice Free CISA Exam Online Questions
An organization is considering allowing users to connect personal devices to the corporate network.
Which of the following should be done FIRST?
- A . Conduct security awareness training.
- B . Implement an acceptable use policy
- C . Create inventory records of personal devices
- D . Configure users on the mobile device management (MDM) solution
B
Explanation:
The first step before allowing users to connect personal devices to the corporate network is to implement an acceptable use policy. An acceptable use policy defines the rules for using personal devices on the corporate network: which devices and data are permitted, the security requirements (for example passcode, encryption and patch level), access rights, user responsibilities, and the consequences of non-compliance. It protects the organization from risks such as data leakage, malware infection and legal liability. The other options are controls that depend on the policy rather than precede it: awareness training (A) teaches users the policy, and the device inventory (C) and MDM enrolment (D) enforce it; none of them can be designed until the policy has set the boundaries and expectations.
Reference: CISA Review Manual, 27th Edition, page 318
A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting.
What would be MOST important to consider before including this audit in the program?
- A . Whether system delays result in more frequent use of manual processing
- B . Whether the system’s performance poses a significant risk to the organization
- C . Whether stakeholders are committed to assisting with the audit
- D . Whether internal auditors have the required skills to perform the audit
B
Explanation:
The most important thing to consider before including an audit of IT capacity management in the program is whether the system’s performance poses a significant risk to the organization, because audit engagements are selected on a risk basis. IT capacity management is the process that ensures IT resources are sufficient to meet current and future business needs and are optimized for cost and performance. Poor IT capacity management can result in system slowdowns, outages, failures or breaches, which affect the availability, reliability, security and efficiency of IT services and business processes. Therefore, before conducting an audit of IT capacity management, the auditor should assess the likelihood and potential impact of these risks on the organization’s objectives, reputation, compliance and customer satisfaction.
Whether system delays result in more frequent use of manual processing (option A) is not the most important thing to consider before including an audit of IT capacity management in the program, as it is only one possible consequence of poor IT capacity management. Manual processing can introduce errors, delays, inefficiencies, and inconsistencies in the data and reports, which can affect the quality and accuracy of financial information. However, manual processing is not the only or the worst outcome of poor IT capacity management; there may be other more severe or frequent risks that need to be considered.
Whether stakeholders are committed to assisting with the audit (option C) is also not the most important thing to consider before including an audit of IT capacity management in the program, as it is a factor that affects the feasibility and effectiveness of the audit, not the necessity or priority of it. Stakeholder commitment is important for ensuring that the auditor has access to relevant information, documents, data, and personnel, as well as for facilitating communication, collaboration, and feedback during the audit process. However, stakeholder commitment is not a sufficient reason to conduct an audit of IT capacity management; there must be a clear risk-based rationale for selecting this area for audit.
Whether internal auditors have the required skills to perform the audit (option D) is also not the most important thing to consider before including an audit of IT capacity management in the program, as it is a factor that affects the quality and credibility of the audit, not the urgency or importance of it. Internal auditors should have the appropriate knowledge, skills, and experience to perform an audit of IT capacity management, which may include technical, business, analytical, and communication skills. However, internal auditors can also acquire or supplement these skills through training, coaching, consulting, or outsourcing. Therefore, internal auditors’ skills are not a decisive factor for choosing this area for audit.
Therefore, option B is the correct answer.
Reference: Guide to IT Capacity Management | Smartsheet
ISO 27001 capacity management: How to implement control A.12.1.3 – Advisera
ISO 27002:2022 – Control 8.6 – Capacity Management
Which of the following BEST describes an audit risk?
- A . The company is being sued for false accusations.
- B . The financial report may contain undetected material errors.
- C . Employees have been misappropriating funds.
- D . Key employees have not taken vacation for 2 years.
B
Explanation:
The best description of an audit risk is that the financial report may contain undetected material errors. Audit risk is the risk that the auditor expresses an inappropriate opinion on the financial report when it contains material misstatements or errors. Audit risk consists of three components: inherent risk, control risk and detection risk. Inherent risk is the susceptibility of an assertion to a material misstatement or error before considering any related controls, due to factors such as complexity, volatility, fraud or human error. Control risk is the risk that a material misstatement or error will not be prevented or detected by the internal controls. Detection risk is the risk that the auditor’s procedures will not detect a material misstatement or error that exists. These combine as audit risk = inherent risk × control risk × detection risk, so when inherent and control risk are assessed as high the auditor must lower detection risk with more or stronger substantive testing. Options A, C and D describe business, fraud or control conditions that may raise inherent or control risk, but none of them is audit risk itself.
Reference: CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database
Which of the following is an example of a passive attack method?
- A . Keystroke logging
- B . Piggybacking
- C . Eavesdropping
- D . Phishing
C
Explanation:
A passive attack monitors or copies data without altering it or the operation of the system, so the victim usually has no direct indication that it occurred. Eavesdropping, such as sniffing unencrypted traffic on a shared network segment, is the classic example: the attacker reads the data without affecting its transmission. Because passive attacks are difficult to detect, the primary control is to prevent disclosure with encryption rather than to rely on detection.
Keystroke logging (Option A) requires installing or running a logger on the victim’s system, phishing (Option D) actively deceives the user into disclosing credentials or running code, and piggybacking (Option B) is gaining unauthorized physical access by following an authorized person through a controlled entrance; all three are active attacks.
Reference: ISACA CISA, Domain 5 – Protection of Information Assets
What is the MOST effective way to manage contractors’ access to a data center?
- A . Badge identification worn by visitors
- B . Escort requirement for visitor access
- C . Management approval of visitor access
- D . Verification of visitor identification
An organization uses public key infrastructure (PKI) to provide email security.
Which of the following would be the MOST efficient method to determine whether email messages have been modified in transit?
- A . The message is encrypted using a symmetric algorithm.
- B . The message is sent using Transport Layer Security (TLS) protocol.
- C . The message is sent along with an encrypted hash of the message.
- D . The message is encrypted using the private key of the sender.
C
Explanation:
Sending an encrypted hash along with the message is a digital signature. The sender computes a hash of the message and encrypts (signs) the hash with their private key; the recipient decrypts the hash with the sender’s public key, recomputes the hash of the received message, and compares the two. Any change to the message in transit produces a different hash, so the comparison fails. This is the most efficient method because only the short hash value, not the whole message, goes through the slow public-key operation. Symmetric encryption (A) and TLS (B) provide confidentiality in transit but do not give the recipient a sender-bound integrity check on the message itself (TLS protects only each hop between mail servers, not the message end to end), and encrypting the entire message with the sender’s private key (D) would prove origin but is far less efficient than signing a hash. DomainKeys Identified Mail (DKIM) uses this mechanism: the sending domain signs selected headers and the body so that the receiver can verify the sending domain and show that the email has not been tampered with in transit.
Reference: Understanding Digital Signatures | CISA
Using DomainKeys Identified Mail (DKIM) in your organisation
A review of an organization’s enterprise architecture (EA) BEST enables an IS auditor to determine:
- A . alignment of IT service levels with business objectives.
- B . the organization’s level of compliance with regulations.
- C . adherence to budget for current IT initiative implementations.
- D . alignment of the IT strategy with business strategy.
What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?
- A . The contract does not contain a right-to-audit clause.
- B . An operational level agreement (OLA) was not negotiated.
- C . Several vendor deliverables missed the commitment date.
- D . Software escrow was not negotiated.
D
Explanation:
The greatest concern for an IS auditor reviewing contracts for licensed software that executes a critical business process is that software escrow was not negotiated. Software escrow is an arrangement where a third-party holds a copy of the source code and documentation of a licensed software in a secure location. The software escrow agreement specifies the conditions under which the licensee can access the escrowed materials, such as in case of bankruptcy, termination, or breach of contract by the licensor. Software escrow is important for ensuring the continuity and availability of a critical business process that depends on a licensed software. Without software escrow, the licensee may face significant risks and challenges in maintaining, modifying, or recovering the software in case of any disruption or dispute with the licensor.
Reference: CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database
IT disaster recovery time objectives (RTOs) should be based on the:
- A . maximum tolerable loss of data.
- B . nature of the outage
- C . maximum tolerable downtime (MTD).
- D . business-defined criticality of the systems.
D
Explanation:
IT disaster recovery time objectives (RTOs) are the maximum acceptable time that an IT system can be unavailable after a disaster before it causes unacceptable consequences for the business. IT RTOs should be based on the business-defined criticality of the systems, which reflects how important they are for supporting the business processes and functions. The maximum tolerable loss of data, the nature of the outage, and the maximum tolerable downtime (MTD) are also factors that affect the IT RTOs, but they are not the primary basis for determining them.
Which of the following would be an IS auditor’s GREATEST concern when reviewing the organization’s business continuity plan (BCP)?
- A . The recovery plan does not contain the process and application dependencies.
- B . The duration of tabletop exercises is longer than the recovery point objective (RPO).
- C . The duration of tabletop exercises is longer than the recovery time objective (RTO).
- D . The recovery point objective (RPO) and recovery time objective (RTO) are not the same.
A
Explanation:
A business continuity plan (BCP) is a document that outlines how an organization will continue its critical functions in the event of a disruption or disaster. A BCP should include the following elements:
Business impact analysis: This is the process of identifying and prioritizing the key business processes and assets that are essential for the organization’s survival and recovery.
Risk assessment: This is the process of identifying and evaluating the potential threats and vulnerabilities that could affect the organization’s business continuity.
Recovery strategies: These are the actions and procedures that the organization will implement to restore its normal operations as quickly and effectively as possible after a disruption or disaster.
Recovery objectives: These are the metrics that define the acceptable level of recovery for the organization’s business processes and assets.
The two main recovery objectives are:
Recovery point objective (RPO): This is the maximum amount of data loss that the organization can tolerate in terms of time. For example, an RPO of one hour means that the organization can afford to lose up to one hour’s worth of data after a disruption or disaster.
Recovery time objective (RTO): This is the maximum amount of time that the organization can tolerate to restore its normal operations after a disruption or disaster. For example, an RTO of four hours means that the organization must resume its normal operations within four hours after a disruption or disaster.
Testing and validation: This is the process of verifying and evaluating the effectiveness and efficiency of the BCP and its components.
Testing and validation can include various methods, such as:
Tabletop exercises: These are discussion-based sessions where team members meet in an informal setting to review and discuss their roles and responsibilities during a disruption or disaster scenario. A facilitator guides participants through a discussion of one or more scenarios.
Simulation exercises: These are more realistic and interactive sessions where team members perform their roles and responsibilities during a simulated disruption or disaster scenario. A facilitator controls and monitors the simulation and injects events and challenges.
Full-scale exercises: These are the most complex and realistic sessions where team members perform their roles and responsibilities during a real-life disruption or disaster scenario. A facilitator coordinates and evaluates the exercise with external stakeholders, such as emergency services, media, or customers.
As an IS auditor, your greatest concern when reviewing the organization’s BCP would be A: the recovery plan does not contain the process and application dependencies. Without them, systems may be restored in the wrong order or without the infrastructure they rely on (directory services, databases, network links), so the recovery sequence cannot be relied upon to meet the RTO even if each individual system is recoverable. The duration of a tabletop exercise (B and C) is unrelated to the RPO or RTO, since the exercise is a discussion rather than an actual recovery. The RPO and RTO (D) measure different things, tolerable data loss and tolerable downtime, and there is no reason for them to be equal.
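The two points made in the last two questions, that RTOs must sit within the business-defined tolerance for each system and that a recovery plan is unreliable without process and application dependencies, can be checked mechanically against a recovery inventory. The following is an added example, not part of the original question set or any ISACA material; the inventory is constructed for the demo and the field names (`mtd_hours`, `rto_hours`, `rpo_hours`, `depends_on`) are assumptions. It flags RTOs that breach the MTD, dependencies that are missing from the plan, dependencies that recover more slowly or lose more data than the system relying on them, and derives a restore order from the dependency graph.

```python
from dataclasses import dataclass, field


@dataclass
class System:
    """One entry in the recovery plan (field names are assumptions for the demo)."""
    name: str
    mtd_hours: int                 # maximum tolerable downtime, from the BIA
    rto_hours: int                 # recovery time objective set for the system
    rpo_hours: int                 # recovery point objective (tolerable data loss)
    depends_on: list = field(default_factory=list)


def check_recovery_plan(systems: dict) -> list:
    """Return audit findings as strings: RTOs that breach the business MTD, and
    dependencies that are missing, or that recover more slowly / lose more data
    than the system that relies on them."""
    findings = []
    for s in systems.values():
        if s.rto_hours > s.mtd_hours:
            findings.append(f"{s.name}: RTO {s.rto_hours}h exceeds MTD {s.mtd_hours}h")
        for dep_name in s.depends_on:
            dep = systems.get(dep_name)
            if dep is None:
                findings.append(f"{s.name}: dependency '{dep_name}' is not in the recovery plan")
                continue
            if dep.rto_hours > s.rto_hours:
                findings.append(f"{s.name}: depends on {dep.name} whose RTO {dep.rto_hours}h "
                                f"exceeds its own RTO {s.rto_hours}h")
            if dep.rpo_hours > s.rpo_hours:
                findings.append(f"{s.name}: depends on {dep.name} whose RPO {dep.rpo_hours}h "
                                f"exceeds its own RPO {s.rpo_hours}h")
    return findings


def recovery_order(systems: dict) -> list:
    """Sequence the restore so every known dependency is recovered first; among
    systems that are ready, the tightest RTO goes first.  Raises on a cycle."""
    pending = {n: [d for d in s.depends_on if d in systems] for n, s in systems.items()}
    order = []
    while pending:
        ready = [n for n, deps in pending.items() if all(d in order for d in deps)]
        if not ready:
            raise ValueError(f"circular dependency among {sorted(pending)}")
        nxt = min(ready, key=lambda n: systems[n].rto_hours)
        order.append(nxt)
        del pending[nxt]
    return order


def sample_plan() -> dict:
    """Constructed sample inventory, not real data."""
    entries = [
        System("ad", mtd_hours=4, rto_hours=2, rpo_hours=1),
        System("hr_db", mtd_hours=24, rto_hours=12, rpo_hours=24),
        System("payroll", mtd_hours=24, rto_hours=8, rpo_hours=4, depends_on=["ad", "hr_db"]),
        System("web_portal", mtd_hours=72, rto_hours=96, rpo_hours=24,
               depends_on=["ad", "smtp_relay"]),   # smtp_relay is not in the plan
    ]
    return {s.name: s for s in entries}


if __name__ == "__main__":
    plan = sample_plan()
    for finding in check_recovery_plan(plan):
        print("FINDING:", finding)
    print("Restore order:", " -> ".join(recovery_order(plan)))
```

On the sample inventory the check reports four findings: payroll cannot meet an 8-hour RTO or a 4-hour RPO while the HR database it depends on is planned for 12 hours and 24 hours, the web portal's 96-hour RTO exceeds the 72-hour MTD the business set, and the portal's mail relay is absent from the plan altogether. The derived restore order (directory first, then the database, then payroll, then the portal) is exactly what a plan without recorded dependencies cannot guarantee.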
