Practice Free CISA Exam Online Questions
Which of the following is BEST used for detailed testing of a business application’s data and configuration files?
- A . Version control software
- B . Audit hooks
- C . Utility software
- D . Audit analytics tool
D
Explanation:
The best tool for detailed testing of a business application's data and configuration files is an audit analytics tool. An audit analytics tool is software that helps auditors analyze large sets of data and identify anomalies, trends, and patterns that are relevant to the audit objectives. It can also provide audit evidence and support the auditor's professional judgment and conclusions.
Some of the benefits of using an audit analytics tool are:
- It can improve the efficiency and effectiveness of the audit by reducing the time and effort required to perform manual tests and procedures.
- It can enhance the quality and reliability of the audit by increasing the coverage and accuracy of the data analysis and testing.
- It can enable the auditor to perform more complex and sophisticated tests and procedures that may not be possible or feasible with traditional methods.
- It can help the auditor discover new insights and risks that may not be apparent or detectable with traditional methods.
Some examples of audit analytics tools are:
- IDEA: A data analysis software that allows auditors to import, analyze, and visualize data from various sources and formats. It also offers features such as sampling, stratification, gap analysis, duplicate detection, Benford's law, and regression analysis. [1]
- ACL: A data analysis software that helps auditors access, analyze, and report on data from various sources and formats. It also offers features such as sampling, stratification, gap analysis, duplicate detection, Benford's law, regression analysis, and scripting. [2]
- TeamMate Analytics: A data analysis software that integrates with Microsoft Excel and provides auditors with a range of tools and functions to perform data analysis and testing. It also offers features such as sampling, stratification, gap analysis, duplicate detection, Benford's law, regression analysis, and scripting. [3]
In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:
- A . integrated test facility (ITF).
- B . parallel simulation.
- C . transaction tagging.
- D . embedded audit modules.
C
Explanation:
Transaction tagging is a technique by which transactions are marked with unique identifiers or headers and traced through the system using agents or sensors at each processing point [1]. Transaction tagging allows for continuous monitoring and analysis of transaction processing in a high-volume, real-time system by providing visibility into the performance, availability, and reliability of each transaction and its components [1]. Transaction tagging can also help to identify and isolate errors, bottlenecks, anomalies, and security issues in the system [1].
Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?
- A . File level encryption
- B . File Transfer Protocol (FTP)
- C . Instant messaging policy
- D . Application-level firewalls
D
Explanation:
Application-level firewalls are the best control to prevent the transfer of files to external parties through instant messaging (IM) applications, because they can inspect and filter network traffic based on application-specific protocols and commands, such as IM file transfer commands.
Application-level firewalls can block or allow IM file transfers based on predefined rules or policies. File-level encryption, File Transfer Protocol (FTP), and an instant messaging policy are not effective controls to prevent IM file transfers, because they do not restrict or monitor IM network traffic.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.1
In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
- A . hire another person to perform migration to production.
- B . implement continuous monitoring controls.
- C . remove production access from the developers.
- D . perform a user access review for the development team
C
Explanation:
The best recommendation for a small IT web development company where developers must have write access to production is to remove production access from the developers. Production access is the ability to modify or update the live systems or applications that are used by customers or end users. Production access should be restricted to authorized and qualified personnel only, as any changes or errors in production can affect the functionality, performance, or security of the systems or applications. Developers should not have write access to production, as they may introduce bugs, vulnerabilities, or inconsistencies in the code that can compromise the quality or reliability of the systems or applications. The other options are not as effective as removing production access from the developers, as they do not address the root cause of the problem or provide the same benefits. Hiring another person to perform migration to production is a costly solution that can help segregate the roles and responsibilities of developers and migrators, but it does not remove production access from the developers. Implementing continuous monitoring controls is a good practice that can help detect and correct issues or anomalies in production, but it does not remove production access from the developers. Performing a user access review for the development team is a detective control that can help verify and validate the access rights and privileges of developers, but it does not remove production access from the developers.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.2
Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?
- A . Reviewing results from simulated high-demand stress test scenarios
- B . Performing a root cause analysis for past performance incidents
- C . Anticipating current service level agreements (SLAs) will remain unchanged
- D . Duplicating existing disk drive systems to improve redundancy and data storage
Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management’s decision.
Which of the following should be the IS auditor’s NEXT course of action?
- A . Accept management’s decision and continue the follow-up.
- B . Report the issue to IS audit management.
- C . Report the disagreement to the board.
- D . Present the issue to executive management.
B
Explanation:
Prior to a follow-up engagement, if an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation, the IS auditor should report the issue to IS audit management. This is because IS audit management is responsible for ensuring that audit findings are properly communicated and resolved. Accepting management’s decision and continuing the follow-up would not address the IS auditor’s concern. Reporting the disagreement to the board or executive management would be premature and inappropriate without consulting IS audit management first.
Reference: CISA Review Manual (Digital Version), Chapter 1, Section 1.6
Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?
- A . Classifies documents to correctly reflect the level of sensitivity of information they contain
- B . Defines the conditions under which documents containing sensitive information may be transmitted
- C . Classifies documents in accordance with industry standards and best practices
- D . Ensures documents are handled in accordance with the sensitivity of information they contain
A
Explanation:
The role of a document owner when implementing a data classification policy in an organization is to classify documents to correctly reflect the level of sensitivity of information they contain. A document owner is the person who is ultimately responsible for the creation, maintenance, and protection of a document, usually a member of senior management or a business unit [1]. A data classification policy is a plan that defines how the organization categorizes its data based on its value, risk, and regulatory requirements, and how it handles and secures each data category [2].
According to the data classification policy template by Netwrix [3], one of the roles and responsibilities of the document owner is to assign data classification labels based on the data's potential impact level. Data classification labels are tags or markings that indicate the sensitivity level of the data, such as public, internal, confidential, or restricted. The document owner should apply the data classification labels to the documents that contain the data, either manually or automatically, using tools and methods such as metadata, watermarks, headers, footers, or encryption. The document owner should also review and update the data classification labels periodically or whenever there is a change in the data's sensitivity level.
By classifying documents to correctly reflect the level of sensitivity of information they contain, the document owner can help to ensure that the documents are handled in accordance with the data classification policy. This means that the documents are stored, accessed, shared, transmitted, and disposed of in a secure and appropriate manner, based on the rules and controls defined for each data category. This can also help to prevent data loss, leakage, or breach incidents that may cause harm or damage to the organization or its stakeholders.
Therefore, option A is the correct answer.
Reference:
[1] Data Classification and Handling Policy – University of Hull
[2] Data Classification Policy: Definition, Examples, & Free Template
[3] Data Classification Policy Template – Netwrix
When designing metrics for information security, the MOST important consideration is that the metrics:
- A . conform to industry standards.
- B . apply to all business units.
- C . provide actionable data.
- D . are easy to understand.
An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year.
Which of the following should the auditor do FIRST?
- A . Escalate to audit management to discuss the audit plan
- B . Notify the chief operating officer (COO) and discuss the audit plan risks
- C . Exclude IS audits from the upcoming year’s plan
- D . Increase the number of IS audits in the plan
A
Explanation:
The auditor should first escalate to audit management to discuss the audit plan. This is because the audit plan should be based on a risk assessment and aligned with the organization's objectives and strategies. The auditor should not accept the CIO's request without proper justification and approval from audit management, who are responsible for ensuring the audit plan's quality and independence. The auditor should also communicate the potential risks and implications of not conducting IS audits in the upcoming year, such as missing new or emerging threats, vulnerabilities, or compliance issues.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.11; CISA Online Review Course, Domain 1, Module 1, Lesson 2
Which of the following is the PRIMARY basis on which audit objectives are established?
- A . Audit risk
- B . Consideration of risks
- C . Assessment of prior audits
- D . Business strategy
B
Explanation:
The primary basis on which audit objectives are established is the consideration of risks [1][2]. This involves identifying and assessing the risks that could prevent the organization from achieving its objectives [1][2]. The audit objectives are then designed to address these risks and provide assurance that the organization's controls are effective in managing them [1][2]. While audit risk, assessment of prior audits, and business strategy are important factors in the audit process, they are secondary to the fundamental requirement of considering risks [1][2].
Reference:
[1] Objectives of Auditing – Primary and Secondary Objectives of Auditing | Auditing Management Notes
[2] Audit Objectives | Primary and Subsidiary Audit Objectives – EDUCBA
