Practice Free CISA Exam Online Questions
During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed.
Who should be accountable for managing these risks?
- A. Enterprise risk manager
- B. Project sponsor
- C. Information security officer
- D. Project manager
Answer: D
Explanation:
The project manager should be accountable for managing the risks to project benefits. Project benefits are the expected outcomes or value that a project delivers to its stakeholders, such as improved efficiency, quality, customer satisfaction, or revenue. Project risks are uncertain events or conditions that may affect the project objectives, scope, budget, schedule, or quality. The project manager is responsible for identifying, analyzing, prioritizing, responding to, and monitoring project risks throughout the project life cycle. The other options are not accountable for managing project risks, as they have different roles and responsibilities. The enterprise risk manager is responsible for overseeing the organization’s overall risk management framework and strategy, but not for managing specific project risks. The project sponsor is responsible for initiating, approving, and supporting the project, but not for managing project risks. The information security officer is responsible for ensuring that the project complies with the organization’s information security policies and standards, but not for managing project risks.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.3
Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?
- A. Analysis of industry benchmarks
- B. Identification of organizational goals
- C. Analysis of quantitative benefits
- D. Implementation of a balanced scorecard
Answer: B
Explanation:
The first thing that should be performed before key performance indicators (KPIs) can be implemented is the identification of organizational goals. This is because KPIs are measurable values that demonstrate how effectively an organization is achieving its key business objectives [4]. Therefore, it is necessary that the organization defines its goals clearly and aligns them with its vision, mission, and strategy. By identifying its goals, the organization can then determine what KPIs are relevant and meaningful to measure its progress and performance.
Reference:
[4] CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.3: Benefits Realization, page 77; CISA Online Review Course, Module 2: Governance and Management of IT, Lesson 2.3: Benefits Realization; ISACA Journal Volume 1, 2020, Article: How to Measure Anything in IT Governance
Which of the following is the GREATEST risk when relying on reports generated by end-user computing (EUC)?
- A. Data may be inaccurate.
- B. Reports may not work efficiently.
- C. Reports may not be timely.
- D. Historical data may not be available.
Answer: A
Explanation:
End-user computing (EUC) is a system in which users are able to create working applications outside the formal, staged development process of design, build, test and release that is typically followed by software engineers [1]. Examples of EUC tools include spreadsheets, databases, low-code/no-code platforms, and generative AI applications [2]. EUC tools can provide flexibility, efficiency, and innovation for the users, but they also pose significant risks if not properly managed and controlled [3].
The greatest risk when relying on reports generated by EUC is that the data may be inaccurate. Data accuracy refers to the extent to which the data in the reports reflect the true values of the underlying information [4]. Inaccurate data can lead to erroneous decisions, misleading analysis, unreliable reporting, and compliance violations. Some of the factors that can cause data inaccuracy in EUC reports are:
- Lack of rigorous testing: EUC tools may not undergo the same level of testing and validation as IT-developed applications, which can result in errors, bugs, or inconsistencies in the data processing and output [3].
- Lack of version and change control: EUC tools may not have a clear record of the changes made to them over time, which can create confusion, duplication, or loss of data. Users may also modify or overwrite the data without proper authorization or documentation [3].
- Lack of documentation and reliance on the end user who developed it: EUC tools may not have sufficient documentation to explain their purpose, functionality, assumptions, limitations, and dependencies. Users may also rely on the knowledge and expertise of the original developer, who may not be available or may not have followed best practices [3].
- Lack of maintenance processes: EUC tools may not have regular updates, backups, or reviews to ensure their functionality and security. Users may also neglect to delete or archive obsolete or redundant data [3].
- Lack of security: EUC tools may not have adequate access controls, encryption, or authentication mechanisms to protect the data from unauthorized access, modification, or disclosure. Users may also store or share the data in insecure locations or devices [3].
- Lack of audit trail: EUC tools may not have a traceable history of the data sources, inputs, outputs, calculations, and transformations. Users may also manipulate or falsify the data without detection or accountability [3].
- Overreliance on manual controls: EUC tools may depend on human intervention to input, verify, or correct the data, which can introduce errors, delays, or biases. Users may also lack the skills or training to use the EUC tools effectively and efficiently [3].
The other options are not as great a risk as data inaccuracy when relying on EUC reports. Reports that do not work efficiently, reports that are not timely, and historical data that is not available are all potential risks associated with EUC tools, but they are less severe and less frequent than data inaccuracy. Moreover, these risks can be mitigated by improving the performance, scheduling, and storage of the EUC tools. However, data inaccuracy can have a pervasive and lasting impact on the quality and credibility of the reports and the decisions based on them. Therefore, option A is the correct answer.
Reference: What is Data Accuracy?
What Is End User Computing (EUC) Risk?
End-user computing
End-User Computing (EUC) Risks: A Comprehensive Guide
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s vulnerability scanning program?
- A. Steps taken to address identified vulnerabilities are not formally documented
- B. Results are not reported to individuals with authority to ensure resolution
- C. Scans are performed less frequently than required by the organization’s vulnerability scanning schedule
- D. Results are not approved by senior management
Answer: B
Explanation:
The finding that should be of greatest concern to an IS auditor assessing the effectiveness of an organization’s vulnerability scanning program is that results are not reported to individuals with authority to ensure resolution. This indicates a lack of accountability and communication for vulnerability management, which may result in unresolved or delayed remediation of identified vulnerabilities. This may expose the organization to increased risk of cyberattacks or breaches. The other findings are also concerning, but not as much as this one, because they may affect the completeness, accuracy or timeliness of the vulnerability scanning process, but not necessarily its effectiveness.
Reference: ISACA, CISA Review Manual, 27th Edition, chapter 4, section 4.41
ISACA, COBIT 2019 Framework: Introduction and Methodology, section 3.2
In an annual audit cycle, the audit of an organization’s IT department resulted in many findings.
Which of the following would be the MOST important consideration when planning the next audit?
- A. Postponing the review until all of the findings have been rectified
- B. Limiting the review to the deficient areas
- C. Verifying that all recommendations have been implemented
- D. Following up on the status of all recommendations
Answer: D
Explanation:
The most important consideration when planning the next audit after many findings is to follow up on the status of all recommendations, as this will ensure that the audit findings are addressed in a timely and effective manner, and that the root causes of the issues are resolved [1][2]. Following up on the status of all recommendations will also help to assess the progress and performance of the IT department, and to identify any new or emerging risks or challenges [3][4].
Reference:
[1] What to consider when resolving internal audit findings
[2] A brief guide to follow up
[3] Guidance on auditing planning for Internal Audit
[4] Corrective Action Plan (CAP): How to Manage Audit Findings
An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance.
This would MOST likely increase the risk of a successful attack by:
- A. structured query language (SQL) injection.
- B. buffer overflow.
- C. denial of service (DoS).
- D. phishing.
Answer: A
Explanation:
Validation controls are used to check the input data from the user before processing it on the server. If the validation controls are moved from the server side to the browser, it means that the user can modify or bypass them using tools such as browser developer tools, JavaScript console, or proxy tools. This would increase the risk of a successful attack by structured query language (SQL) injection, which is a technique that exploits a security vulnerability in an application’s software layer that allows an attacker to execute arbitrary SQL commands on the underlying database. SQL injection can result in data theft, data corruption, or unauthorized access to the system.
Buffer overflow, denial of service (DoS), and phishing are not directly related to the validation controls in a web application. Buffer overflow is a type of attack that exploits a memory management flaw in an application or system that allows an attacker to write data beyond the allocated buffer size and overwrite adjacent memory locations. DoS is a type of attack that prevents legitimate users from accessing a service or resource by overwhelming it with requests or traffic. Phishing is a type of attack that uses fraudulent emails or websites to trick users into revealing sensitive information or installing malware.
Reference: Client-side form validation – Learn web development | MDN
JavaScript: client-side vs. server-side validation – Stack Overflow
SQL Injection – OWASP
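The following is an added example, not code from the original page or from any of the references it cites, illustrating the point of this question: a validation rule that runs only in the browser can be switched off by whoever controls the browser, so the server must re-validate and must bind user input as a parameter rather than splice it into SQL text. The in-memory SQLite table, the user names, the allow-list regex and the input strings are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's user table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Server assumes the browser already validated `username` and splices it
    straight into the SQL text. Anything the browser check would have rejected
    can still arrive here, because that check ran on the client."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


# Server-side allow-list: the same rule the browser applies, re-applied where
# the user cannot switch it off. (Constructed rule for this example.)
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def lookup_parameterized_only(conn, username):
    """Parameterization alone: no allow-list, but the value is bound as data,
    so a crafted string simply matches no row instead of changing the query."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_safe(conn, username):
    """Defense in depth: server-side validation first, then a parameterized
    query so the database driver never interprets user data as SQL."""
    if not validate_username(username):
        raise ValueError("username rejected by server-side validation")
    return lookup_parameterized_only(conn, username)


def compare(username):
    """Run one input through all three paths and summarize what each returns."""
    conn = build_db()
    unsafe_rows = len(lookup_unsafe(conn, username))
    param_rows = len(lookup_parameterized_only(conn, username))
    try:
        safe_rows = len(lookup_safe(conn, username))
        rejected = False
    except ValueError:
        safe_rows = 0
        rejected = True
    return {"unsafe_rows": unsafe_rows, "param_rows": param_rows,
            "safe_rows": safe_rows, "rejected": rejected}


if __name__ == "__main__":
    print(compare("bob"))            # every path returns bob's single row
    # Constructed input that a browser-only check would have blocked; once the
    # check lives only in the browser, the server sees it verbatim.
    print(compare("x' OR '1'='1"))   # unsafe path returns all rows, safe paths do not
```

The auditor's test here is the `lookup_unsafe` path: the string-built query returns every row for the crafted input, while the parameterized query returns none and the validated path rejects the input before it reaches the database. Moving the `validate_username` call into the browser for performance does nothing to change what `lookup_unsafe` does with the bytes it actually receives.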
An IS auditor has validated that an organization’s IT department runs several low-priority automated tasks.
Which of the following is the BEST recommendation for an automated job schedule?
- A. Low-priority jobs should be avoided.
- B. Low-priority jobs should include the major functions.
- C. Low-priority jobs should be provided with optimal resources.
- D. Low-priority jobs should be scheduled subject to resource availability.
Answer: D
Explanation:
Low-priority jobs typically involve non-critical processes or tasks that do not immediately impact business operations. The best approach to handling such jobs is to schedule them subject to resource availability. This ensures that high-priority tasks can access resources when needed without being affected by the execution of low-priority tasks.
Avoiding Low-Priority Jobs (Option A) is not feasible because even low-priority tasks may be necessary for maintenance or support activities.
Including Major Functions in Low-Priority Jobs (Option B) contradicts the classification of "low-priority" because major functions are usually critical.
Allocating Optimal Resources to Low-Priority Jobs (Option C) is inefficient as resources should primarily be allocated to high-priority tasks.
Scheduling based on resource availability optimizes the use of resources, avoids unnecessary delays in high-priority activities, and ensures that low-priority tasks are executed without disrupting overall operations. This aligns with best practices in IT resource management and scheduling.
Reference: ISACA CISA Review Manual, Job Practice Area 3: Information Systems Operations and Business Resilience.
Which of the following provides the MOST reliable method of preventing unauthorized logon?
- A. Issuing authentication tokens
- B. Reinforcing current security policies
- C. Limiting after-hours usage
- D. Installing an automatic password generator
Answer: A
Explanation:
Issuing authentication tokens is the most reliable method of preventing unauthorized logon, as it provides a strong form of authentication that requires users to present something they have (the token) and something they know (the personal identification number or PIN) to access the system. Authentication tokens are physical devices that generate a one-time password or code that changes periodically and is synchronized with the authentication server. This makes it difficult for attackers to steal or guess the credentials of legitimate users. Reinforcing current security policies, limiting after-hours usage and installing an automatic password generator are not as reliable as issuing authentication tokens, as they do not provide a strong form of authentication and may still be vulnerable to unauthorized logon attempts.
Reference: Authentication Token Definition
Authentication | ISACA
Which of the following provides the MOST assurance of the integrity of a firewall log?
- A. The log is reviewed on a monthly basis.
- B. Authorized access is required to view the log.
- C. The log cannot be modified.
- D. The log is retained per policy.
Answer: C
Explanation:
The best way to provide assurance of the integrity of a firewall log is to ensure that the log cannot be modified. A firewall log is a record of the traffic and events that occur at the firewall, which is a device or software that controls and filters the incoming and outgoing network traffic based on predefined rules and policies. The integrity of a firewall log means that the log is accurate, complete, consistent, and valid, and that it has not been altered, deleted, or corrupted by unauthorized or malicious parties. The IS auditor should verify that the firewall log has adequate controls to prevent or detect any modification of the log, such as encryption, hashing, digital signatures, write-once media, or tamper-evident seals. The other options are not as effective as ensuring that the log cannot be modified, because they either do not address the integrity of the log data, or they are monitoring or retention measures rather than preventive or detective controls.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.4
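The explanation lists hashing and digital signatures among the controls that let an auditor detect modification of a log. The following added example, which is not from the original page or from the CISA Review Manual, shows one such control in working form: each log entry carries a keyed hash (HMAC-SHA256) over its sequence number, the previous entry's tag and its own text, so editing a line, removing an entry or re-signing under a different key all break the chain at a detectable position. The firewall log lines, the key and the function names are constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor value standing in for "no previous entry"

# Constructed sample firewall log lines using documentation address ranges.
SAMPLE_LINES = [
    "2024-01-01T00:00:01Z DENY tcp 198.51.100.7:51234 -> 192.0.2.10:22",
    "2024-01-01T00:00:02Z ALLOW tcp 192.0.2.20:44321 -> 203.0.113.5:443",
    "2024-01-01T00:00:03Z DENY udp 198.51.100.9:53 -> 192.0.2.10:161",
]

# Assumed deployment: the key is held by the log collector / SIEM, not by the
# firewall host, so whoever can rewrite the log file cannot recompute the tags.
DEMO_KEY = b"constructed-demo-key-kept-off-the-logging-host"


def entry_tag(key: bytes, seq: int, prev_tag: str, line: str) -> str:
    """Keyed hash binding this entry to its position and to the entry before it."""
    msg = json.dumps([seq, prev_tag, line]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def chain_log(lines, key: bytes):
    """Wrap raw lines into chained entries as they are appended."""
    entries, prev = [], GENESIS
    for seq, line in enumerate(lines):
        tag = entry_tag(key, seq, prev, line)
        entries.append({"seq": seq, "prev": prev, "line": line, "tag": tag})
        prev = tag
    return entries


def verify_chain(entries, key: bytes):
    """Return (True, n) when all n entries verify; otherwise (False, i) where i
    is the first position that fails: a changed line, a dropped or inserted
    entry, or tags computed under a different key."""
    prev = GENESIS
    for expected_seq, e in enumerate(entries):
        if e["seq"] != expected_seq or e["prev"] != prev:
            return False, expected_seq
        recomputed = entry_tag(key, e["seq"], e["prev"], e["line"])
        if not hmac.compare_digest(recomputed, e["tag"]):
            return False, expected_seq
        prev = e["tag"]
    return True, len(entries)


def tamper_demo():
    """Constructed scenarios an auditor's integrity check should catch."""
    entries = chain_log(SAMPLE_LINES, DEMO_KEY)
    edited = [dict(e) for e in entries]
    edited[1]["line"] = edited[1]["line"].replace("ALLOW", "DENY")  # altered record
    deleted = [entries[0], entries[2]]                               # one entry removed
    return {
        "intact": verify_chain(entries, DEMO_KEY),
        "edited": verify_chain(edited, DEMO_KEY),
        "deleted": verify_chain(deleted, DEMO_KEY),
        "wrong_key": verify_chain(entries, b"some-other-key"),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:10s} -> {result}")
```

An unkeyed hash chain would detect accidental corruption but not a deliberate rewrite, since an attacker with write access to the file could recompute every hash; the key held off-host is what turns the chain into an integrity control the auditor can rely on. Truncation of the most recent entries is the one case a chain alone does not reveal, which is why the explanation pairs hashing with write-once media or forwarding to a separate log server.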
Which of the following should be the GREATEST concern for an IS auditor assessing an organization’s disaster recovery plan (DRP)?
- A. The DRP was developed by the IT department.
- B. The DRP has not been tested during the past three years.
- C. The DRP has not been updated for two years.
- D. The DRP does not include the recovery time objective (RTO) for a key system.
Answer: B
Explanation:
The DRP is a set of procedures and resources that enable an organization to restore its critical IT functions and operations in the event of a disaster or disruption. The DRP should be tested regularly to ensure its effectiveness, validity, and readiness. Testing the DRP can help to identify and resolve any gaps, issues, or weaknesses in the plan, as well as to evaluate the performance and capability of the recovery team and resources. If the DRP has not been tested during the past three years, it may not reflect the current IT environment, business requirements, or recovery objectives, and it may fail to meet the expectations and needs of the stakeholders.
Reference:
ISACA CISA Review Manual, 27th Edition, page 255
Disaster Recovery Plan Testing: The Ultimate Checklist
What is a Disaster Recovery Plan (DRP) and How Do You Write One?
