Practice Free CISA Exam Online Questions
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported.
Which of the following is the IS auditor’s BEST recommendation?
- A . Ensure corrected program code is compiled in a dedicated server.
- B . Ensure change management reports are independently reviewed.
- C . Ensure programmers cannot access code after the completion of program edits.
- D . Ensure the business signs off on end-to-end user acceptance test (UAT) results.
C
Explanation:
The IS auditor’s best recommendation is to ensure that programmers cannot access code after the completion of program edits. Programmers who retain access to code after editing may introduce unauthorized or malicious changes that compromise the security, functionality, or performance of the application. By restricting access to code once edits are complete, the organization can ensure that only authorized and tested code is released into production, and prevent tampering or a recurrence of the same issue.
Reference:
1. Discusses the importance of controlling access to code after editing and testing, and provides some best practices for doing so.
2. Explains how programmers can introduce malicious code into applications, and how to prevent and detect such attacks.
3. Describes the role of IS auditors in reviewing and assessing the security and quality of application code.
Data from a system of sensors located outside of a network is received by the open ports on a server.
Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?
- A . Route the traffic from the sensor system through a proxy server.
- B . Hash the data that is transmitted from the sensor system.
- C . Implement network address translation on the sensor system.
- D . Transmit the sensor data via a virtual private network (VPN) to the server.
Which of the following tasks would cause the GREATEST segregation of duties (SoD) concern if performed by the person who reconciles the organization’s device inventory?
- A . Tracking devices used for spare parts
- B . Creating the device policy
- C . Issuing devices to employees
- D . Approving the issuing of devices
Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?
- A . Have an independent party review the source calculations
- B . Execute copies of EUC programs out of a secure library
- C . Implement complex password controls
- D . Verify EUC results through manual calculations
B
Explanation:
The best way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC) is to execute copies of EUC programs out of a secure library. This ensures that the original EUC programs are protected from unauthorized changes and that the copies are run in a controlled environment. A secure library is a repository of EUC programs that have been tested, validated, and approved by the appropriate authority. Executing copies of EUC programs out of a secure library also helps with version control, backup, and recovery of EUC programs. Having an independent party review the source calculations, implementing complex password controls, and verifying EUC results through manual calculations are not as effective, as they do not prevent or detect unintentional modifications of complex calculations in EUC.
Reference: End-User Computing (EUC) Risks: A Comprehensive Guide, End User Computing (EUC) Risk Management
Which of the following provides an IS auditor the BEST evidence that a third-party service provider’s information security controls are effective?
- A . Documentation of the service provider’s security configuration controls
- B . A review of the service provider’s policies and procedures
- C . An audit report of the controls by an external auditor
- D . An interview with the service provider’s senior management
C
Explanation:
Comprehensive and Detailed Step-by-Step
To verify the effectiveness of a third-party provider’s security controls, an independent external audit report is the strongest evidence.
Option A (Incorrect): Security configuration documents are helpful but do not confirm effectiveness without validation.
Option B (Incorrect): Policies and procedures outline intent, but an audit confirms actual implementation.
Option C (Correct): External audit reports (e.g., SOC 2, ISO 27001) provide independent assurance that security controls are effective.
Option D (Incorrect): Management interviews provide qualitative insights but are not objective evidence of control effectiveness.
Reference: ISACA CISA Review Manual, Domain 3: Information Systems Acquisition, Development, and Implementation; covers third-party risk assessments and audit assurance.
Which of the following is MOST important with regard to an application development acceptance test?
- A . The programming team is involved in the testing process.
- B . All data files are tested for valid information before conversion.
- C . User management approves the test design before the test is started.
- D . The quality assurance (QA) team is in charge of the testing process.
C
Explanation:
The most important aspect of an application development acceptance test is that user management approves the test design before the test is started, as this ensures that the test objectives, criteria, and procedures are aligned with the user requirements and expectations. The programming team’s involvement in the testing process, the testing of data files for valid information before conversion, and the quality assurance (QA) team’s charge of the testing process are also important, but they are not as critical as user management’s approval of the test design.
Reference: CISA Review Manual (Digital Version), Chapter 4, Section 4.4.2
Which of the following findings would be of GREATEST concern to an IS auditor reviewing firewall security for an organization’s corporate network?
- A . The production configuration does not conform to corporate policy.
- B . Responsibility for the firewall administration rests with two different divisions.
- C . Industry hardening guidance has not been considered.
- D . The firewall configuration file is extremely long and complex.
An IT governance body wants to determine whether IT service delivery is based on consistently effective processes.
Which of the following is the BEST approach?
- A . Evaluate key performance indicators (KPIs).
- B . Conduct a gap analysis.
- C . Develop a maturity model.
- D . Implement a control self-assessment (CSA).
An IS auditor finds that the process for removing access for terminated employees is not documented.
What is the MOST significant risk from this observation?
- A . Procedures may not align with best practices
- B . Human resources (HR) records may not match system access.
- C . Unauthorized access cannot be identified.
- D . Access rights may not be removed in a timely manner.
D
Explanation:
The most significant risk from this observation is that access rights may not be removed in a timely manner. If the process for removing access for terminated employees is not documented, there is no clear guidance or accountability for who, how, when, and what actions should be taken to revoke the access rights of the employees who leave the organization. This could result in delays, inconsistencies, or omissions in removing access rights, which could allow terminated employees to retain unauthorized access to the organization’s systems and data. This could compromise the security, confidentiality, integrity, and availability of the information assets.
Reference: CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database
An organization uses an automated continuous integration/continuous deployment (CI/CD) tool to deploy changes to production.
Which of the following would be an IS auditor’s GREATEST concern in this situation?
- A . Releases are scheduled once per week.
- B . Post-implementation reviews are conducted quarterly.
- C . Test cases may be inaccurate.
- D . Functional requirements are changed frequently by users.
C
Explanation:
The greatest concern in a CI/CD environment is the accuracy of automated testing. Since code is deployed rapidly and often without manual intervention, weak or inaccurate test cases can allow vulnerabilities and defects to be pushed directly into production. Release frequency (A) and changing user requirements (D) are expected characteristics of agile/DevOps models and can be managed with governance. Delayed post-implementation reviews (B) may reduce oversight but do not directly undermine the core pipeline integrity. ISACA’s DevOps guidance emphasizes that automated testing and validation of requirements must be thorough and reliable to ensure continuous deployment does not compromise quality or security.
Reference (ISACA): COBIT® Focus Area for DevOps; BAI06 Managed IT Changes.
