Practice Free CISA Exam Online Questions
Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization’s disaster recovery plan (DRP)?
- A . Performing a cyber resilience test
- B . Performing a full interruption test
- C . Performing a tabletop test
- D . Performing a parallel test
B
Explanation:
A full interruption test is the most realistic and reliable way to ensure that recovery time objectives (RTOs) are met for an organization’s disaster recovery plan (DRP). RTOs are the maximum amount of time that a business can tolerate being offline after a disaster. A full interruption test involves shutting down the primary site and switching over to the backup site, simulating a real disaster scenario. This test measures the actual time it takes to restore the systems, applications, and functions that are critical for business continuity, and it can also reveal issues or gaps in the DRP that might affect the recovery process.
The other options are not as effective as a full interruption test for ensuring RTOs are met. A cyber resilience test is a type of DR test that focuses on the ability to withstand and recover from cyberattacks. It does not necessarily cover other types of disasters or test the entire DRP. A tabletop test is a low-impact DR test that involves a walkthrough of the DRP with the key stakeholders and staff. It does not involve any actual switching over or testing of the backup systems. A parallel test is a type of DR test that involves running the backup systems alongside the primary systems, without disrupting the normal operations. It does not measure the time it takes to switch over or resume operations at the backup site.
Reference: Best Practices For Disaster Recovery Testing; Disaster recovery testing; Disaster Recovery Testing: Everything to Know
Which of the following should be an IS auditor’s GREATEST concern when reviewing an organization’s security controls for policy compliance?
- A . Security policies are not applicable across all business units
- B . End users are not required to acknowledge security policy training
- C . The security policy has not been reviewed within the past year
- D . Security policy documents are available on a public domain website
D
Explanation:
The auditor should be most concerned about the security policy documents being available on a public domain website. This is because this exposes the organization’s security posture and strategy to potential attackers, who can exploit the information to launch targeted attacks or bypass the security controls. The security policy documents should be classified as confidential and protected from unauthorized access or disclosure. The other options are less severe than exposing the security policy documents to the public, although they may also indicate some gaps or weaknesses in the security policy development, implementation, or maintenance process.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.3; CISA Online Review Course, Domain 3, Module 1, Lesson 1
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit.
Which of the following should be the auditor’s NEXT course of action?
- A . Evaluate the appropriateness of the remedial action taken.
- B . Conduct a risk analysis incorporating the change.
- C . Report results of the follow-up to the audit committee.
- D . Inform senior management of the change in approach.
A
Explanation:
The auditor’s next course of action should be to evaluate the appropriateness of the remedial action taken by the auditee. The auditor should assess whether the alternative approach taken by the auditee is effective, efficient, and aligned with the audit objectives and recommendations. The auditor should also consider the impact of the change on the audit scope, criteria, and risk assessment. Conducting a risk analysis incorporating the change, reporting results of the follow-up to the audit committee, and informing senior management of the change in approach are possible subsequent actions that the auditor may take after evaluating the appropriateness of the remedial action taken.
Reference: CISA Review Manual (Digital Version): Chapter 1 – Information Systems Auditing Process
Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization’s incident management processes?
- A . Service management standards are not followed.
- B . Expected time to resolve incidents is not specified.
- C . Metrics are not reported to senior management.
- D . Prioritization criteria are not defined.
D
Explanation:
The design of an incident management process should include prioritization criteria to ensure that incidents are handled according to their impact and urgency. Without prioritization criteria, the organization may not be able to allocate resources effectively and respond to incidents in a timely manner. Expected time to resolve incidents, service management standards, and metrics reporting are important aspects of incident management, but they are not as critical as prioritization criteria for the design of the process.
Reference: ISACA Journal Article: Incident Management: A Practical Approach
In an online application, which of the following would provide the MOST information about the transaction audit trail?
- A . System/process flowchart
- B . File layouts
- C . Data architecture
- D . Source code documentation
C
Explanation:
In an online application, data architecture provides the most information about the transaction audit trail, as it describes how data are created, stored, processed, accessed and exchanged among different components of the application. Data architecture includes data models, schemas, dictionaries, metadata, standards and policies that define the structure, quality, integrity, security and governance of data. Data architecture can help the IS auditor to trace the origin, flow, transformation and destination of data in an online transaction, and to identify the key data elements, attributes and relationships that are relevant for audit purposes. A system/process flowchart is a graphical representation of the sequence of steps or activities that are performed by a system or process. A system/process flowchart can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. A system/process flowchart shows the inputs, outputs, decisions and actions of a system or process, but it does not show the data elements, attributes and relationships that are involved in each step or activity. A file layout is a specification of the format and structure of a data file. A file layout can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. A file layout shows the fields, types, lengths and positions of data in a file, but it does not show the origin, flow, transformation and destination of data in an online transaction. Source code documentation is a description of the logic, functionality and purpose of a program or module written in a programming language. Source code documentation can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. 
Source code documentation shows the instructions, variables and parameters that are used to perform calculations and operations on data, but it does not show the data elements, attributes and relationships that are involved in each instruction or operation.
Reference: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations and Business Resilience, Section 4.2: Data Administration Practices.
Which of the following environments is BEST used for copying data and transforming it into a compatible data warehouse format?
- A . Testing
- B . Replication
- C . Staging
- D . Development
C
Explanation:
The best environment for copying data and transforming it into a compatible data warehouse format is the staging environment. The staging environment is a temporary area where data from various sources are extracted, transformed, and loaded (ETL) before being moved to the data warehouse. The staging environment allows for data cleansing, validation, integration, and standardization without affecting the source or target systems. The testing environment is not suitable for copying data and transforming it into a compatible data warehouse format, as it is used for verifying and validating the functionality and performance of applications or systems. The replication environment is not suitable for copying data and transforming it into a compatible data warehouse format, as it is used for creating identical copies of data or systems for backup or recovery purposes. The development environment is not suitable for copying data and transforming it into a compatible data warehouse format, as it is used for creating or modifying applications or systems.
Reference: CISA Review Manual, 27th Edition, pages 475-476
CISA Review Questions, Answers & Explanations Database, Question ID: 2642
Which of the following are BEST suited for continuous auditing?
- A . Low-value transactions
- B . Real-time transactions
- C . Irregular transactions
- D . Manual transactions
B
Explanation:
Continuous auditing is a method of performing audit-related activities on a real-time or near real-time basis. Continuous auditing is best suited for real-time transactions, such as online banking, e-commerce, or electronic funds transfer, that require immediate verification and assurance. Low-value transactions are not necessarily suitable for continuous auditing, as they may not pose significant risks or require frequent monitoring. Irregular transactions are not suitable for continuous auditing, as they may not occur frequently or consistently enough to justify the use of continuous auditing techniques. Manual transactions are not suitable for continuous auditing, as they may not be captured or processed by automated systems that enable continuous auditing.
Reference: CISA Review Manual, 27th Edition, pages 307-308
CISA Review Questions, Answers & Explanations Database, Question ID: 253
Which of the following business continuity activities prioritizes the recovery of critical functions?
- A . Business continuity plan (BCP) testing
- B . Business impact analysis (BIA)
- C . Disaster recovery plan (DRP) testing
- D . Risk assessment
B
Explanation:
A business impact analysis (BIA) is a process that identifies and evaluates the potential effects or consequences of disruptions or disasters on an organization’s critical business functions or processes. A BIA helps prioritize the recovery of critical functions by assessing their importance and urgency for the organization’s operations, objectives, and stakeholders, and by determining their recovery time objectives (RTOs), which are the maximum acceptable time for restoring a function after a disruption. Business continuity plan (BCP) testing verifies and validates the effectiveness and readiness of a BCP, which is a document that outlines the strategies and procedures for ensuring the continuity of critical business functions in the event of a disruption or disaster. BCP testing does not prioritize the recovery of critical functions, but rather evaluates how well they are recovered according to the BCP. Disaster recovery plan (DRP) testing verifies and validates the effectiveness and readiness of a DRP, which is a document that outlines the technical and operational steps for restoring the IT systems and infrastructure that support critical business functions in the event of a disruption or disaster. DRP testing does not prioritize the recovery of critical functions, but rather evaluates how well they are supported by the IT systems and infrastructure according to the DRP. A risk assessment is a process that identifies and analyzes the potential threats and vulnerabilities that could affect an organization’s critical business functions or processes. A risk assessment does not prioritize the recovery of critical functions, but rather estimates the likelihood and impact of their being disrupted by various risk scenarios.
An IS auditor is reviewing a data conversion project.
Which of the following is the auditor’s BEST recommendation prior to go-live?
- A . Review test procedures and scenarios
- B . Conduct a mock conversion test
- C . Establish a configuration baseline
- D . Automate the test scripts
B
Explanation:
The auditor’s best recommendation prior to go-live is to conduct a mock conversion test. This is because a mock conversion test can help to verify the accuracy, completeness, and validity of the data conversion process. A mock conversion test can also help to identify and resolve any issues or errors before the actual conversion takes place. A mock conversion test can also provide assurance that the converted data meets the business requirements and expectations.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.3.2; CISA Online Review Course, Domain 2, Module 2, Lesson 2
Which of the following key performance indicators (KPIs) provides stakeholders with the MOST useful information about whether information security risk is being managed?
- A . Time from identifying security threats to implementing solutions
- B . The number of security controls audited
- C . Time from security log capture to log analysis
- D . The number of entries in the security risk register
A
Explanation:
The speed at which security threats are mitigated is a key indicator of an organization’s risk management effectiveness.
Option A (Correct): Response time to security threats measures how efficiently security teams detect, analyze, and mitigate risks, providing clear insight into security operations.
Option B (Incorrect): The number of security controls audited does not indicate how well risk is being managed, only that reviews are taking place.
Option C (Incorrect): Log analysis speed is useful, but it does not directly measure risk mitigation effectiveness.
Option D (Incorrect): Risk register entries indicate known risks but do not provide insight into how well those risks are managed.
Reference: ISACA CISA Review Manual, Domain 5: Protection of Information Assets; covers security metrics, KPIs, and risk management evaluation.
