Practice Free CISA Exam Online Questions
How would an IS auditor BEST determine the effectiveness of a security awareness program?
- A . Review the results of social engineering tests.
- B . Evaluate management survey results.
- C . Interview employees to assess their security awareness.
- D . Review security awareness training quiz results.
A
Explanation:
Comprehensive and Detailed Step-by-Step
Social engineering tests are the most effective way to assess real-world security awareness by measuring employees' ability to recognize and resist security threats.
Review the Results of Social Engineering Tests (Correct Answer – A)
Simulated phishing attacks and pretexting exercises measure actual employee behavior.
Provides actionable insights into weaknesses in security awareness.
Example: If employees frequently click on phishing emails, the awareness program is ineffective.
Evaluate Management Survey Results (Incorrect – B)
Management perception is subjective and does not reflect actual employee behavior.
Interview Employees (Incorrect – C)
Employees may provide inaccurate or rehearsed responses.
Review Security Training Quiz Results (Incorrect – D)
Tests knowledge but does not measure practical application.
Reference: ISACA CISA Review Manual
NIST 800-53 (Security Awareness and Training)
ISO 27001: Security Awareness Control
An IS audit reveals that an organization is not proactively addressing known vulnerabilities.
Which of the following should the IS auditor recommend the organization do FIRST?
- A . Verify the disaster recovery plan (DRP) has been tested.
- B . Ensure the intrusion prevention system (IPS) is effective.
- C . Assess the security risks to the business.
- D . Confirm the incident response team understands the issue.
C
Explanation:
If an IS audit reveals that an organization is not proactively addressing known vulnerabilities, the IS auditor should recommend that the organization assess the security risks to the business first, as this would help to prioritize the vulnerabilities based on their impact and likelihood, and determine the appropriate mitigation strategies. Verifying the disaster recovery plan (DRP) has been tested, ensuring the intrusion prevention system (IPS) is effective, and confirming the incident response team understands the issue are important steps, but they are not as urgent as assessing the security risks to the business.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.6
Which of the following is a PRIMARY objective of incident management?
- A . Restoring services based on criticality
- B . Reporting individual incidents to management
- C . Determining the root cause of the incident
- D . Repairing the program that caused the incident
A
Explanation:
Comprehensive and Detailed
The primary objective of incident management is to restore IT services as quickly as possible based on business criticality, minimizing business disruption.
Root cause analysis (C) is more aligned with problem management, not incident management.
Reporting incidents (B) is important but not the primary objective.
Repairing programs (D) is a corrective activity, not the central goal.
Reference (ISACA): CISA Review Manual 27th Edition, Domain 2 (IT Operations and Business Resilience), section on ITIL incident management process.
A staff accountant regularly uploads spreadsheets with inventory levels to the organization’s financial reporting system. The transfers are executed through a customized interface created by an in-house developer.
Which of the following is MOST important for the IS auditor to confirm during a review of the interface?
- A . The data in the spreadsheet is correctly recorded in the financial system.
- B . The financial system transfers are performed by the accountant at predefined intervals.
- C . The spreadsheets do not contain malware or malicious macros.
- D . The data transfer connection does not support full duplex communication.
A
Explanation:
Comprehensive and Detailed
The primary audit concern is data integrity: ensuring that the data uploaded via the custom interface is accurately and completely transferred to the financial system.
Option A directly addresses data accuracy and integrity.
Option B (timing) is secondary compared to correctness.
Option C (malware checks) is important but handled by security controls, not the primary audit concern here.
Option D (duplex communication) is irrelevant to ensuring accurate financial records.
Reference (ISACA): CISA Review Manual 27th Edition, Domain 3, section on interface controls and audit considerations.
An IS auditor has learned that access privileges are not periodically reviewed or updated.
Which of the following would provide the BEST evidence to determine whether transactions have been executed by authorized employees?
- A . Audit trails
- B . Control totals
- C . Reconciliations
- D . Change logs
A
Explanation:
The best evidence to determine whether transactions have been executed by authorized employees is audit trails. Audit trails are secure records that catalog events or procedures to provide support documentation. They are used to authenticate security and operational actions, mitigate challenges, or provide proof of compliance and operational integrity.
Audit trails can track and trace the following information related to transactions:
- Who initiated, approved, modified, or deleted a transaction
- When a transaction occurred (date and time)
- Where a transaction took place (location or device)
- What type of transaction was performed (action or operation)
- Why a transaction was executed (purpose or reason)
By analyzing audit trails, an IS auditor can verify whether transactions have been executed by authorized employees or not. Audit trails can also identify any unauthorized, fraudulent, or erroneous transactions that may have occurred. Audit trails can also help to resolve any disputes or discrepancies that may arise from transactions.
Reference: What Is an Audit Trail? Everything You Need to Know
Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?
- A . Comparing code between old and new systems
- B . Running historical transactions through the new system
- C . Reviewing quality assurance (QA) procedures
- D . Loading balance and transaction data to the new system
B
Explanation:
The most assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system can be obtained by running historical transactions through the new system. Historical transactions are transactions that have been processed and recorded by the old system in the past. Running historical transactions through the new system can provide the most assurance over the completeness and accuracy of loan application processing, by comparing the results and outputs of the new system with those of the old system, and verifying whether they match or differ. This can help identify and resolve any errors or issues that may arise from the new system, such as data conversion, functionality, compatibility, etc.
Comparing code between old and new systems is a possible way to obtain some assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system, but it is not the most effective one. Code is a set of instructions or commands that define how a system operates or functions. Comparing code between old and new systems can provide some assurance over the completeness and accuracy of loan application processing, by checking whether the logic, algorithms, or functions of the new system are consistent or equivalent with those of the old system. However, this may not be sufficient or reliable, as code may not reflect the actual performance or outcomes of the system, and may not detect any errors or issues that may occur at the data or user level.
Reviewing quality assurance (QA) procedures is a possible way to obtain some assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system, but it is not the most effective one. QA procedures are steps or activities that ensure that a system meets its quality standards and requirements, such as testing, verification, validation, etc. Reviewing QA procedures can provide some assurance over the completeness and accuracy of loan application processing, by evaluating whether the new system has been properly tested and verified before implementation. However, this may not be adequate or accurate, as QA procedures may not cover all aspects or scenarios of loan application processing, and may not reveal any errors or issues that may arise after implementation.
Loading balance and transaction data to the new system is a possible way to obtain some assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system, but it is not the most effective one. Balance and transaction data are data that reflect the status and history of loan applications in a system, such as amounts, dates, payments, etc. Loading balance and transaction data to the new system can provide some assurance over the completeness and accuracy of loan application processing, by transferring data from the old system to the new system and ensuring that they are consistent and correct. However, this may not be enough or valid, as balance and transaction data may not represent all aspects or features of loan application processing, and may not indicate any errors or issues that may arise
Which of the following MOST effectively enables consistency across high-volume software changes?
- A . The use of continuous integration and deployment pipelines
- B . Management reviews of detailed exception reports for released code
- C . Publication of a refreshed policy on development and release management
- D . An ongoing awareness campaign for software deployment best practices
Which of the following is the GREATEST concern associated with IS risk-based auditing when audit resources are limited?
- A . The audit schedule may become too predictable.
- B . Some business processes may not be audited.
- C . There may be significant delays in responding to management audit requests.
- D . Conducting risk assessments may reduce the time available for auditing.
Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?
- A . Program coding standards have been followed
- B . Acceptance test criteria have been developed
- C . Data conversion procedures have been established.
- D . The design has been approved by senior management.
B
Explanation:
The most important thing for an IS auditor to determine during the detailed design phase of a system development project is that acceptance test criteria have been developed. Acceptance test criteria define the expected functionality, performance and quality of the system, and are used to verify that the system meets the user requirements and specifications. The IS auditor should ensure that the acceptance test criteria are clear, measurable and agreed upon by all stakeholders. Whether program coding standards have been followed is something the IS auditor should check during the coding or testing phase, not the detailed design phase. Whether data conversion procedures have been established, or the design has been approved by senior management, are things the IS auditor should verify during the implementation phase, not the detailed design phase.
Reference: ISACA, CISA Review Manual, 27th Edition, 2018, page 323
When planning an audit to assess controls for an application in the cloud environment, it is MOST important for an IS auditor to understand:
- A . The noncompliance fee for violating a service level agreement (SLA).
- B . Availability reports from the cloud platform architecture.
- C . The shared responsibility model between cloud provider and organization.
- D . Business process reengineering that is supported by the cloud system.
C
Explanation:
In cloud environments, responsibility for controls is split between the provider and the customer. The division depends on the service model (IaaS, PaaS, SaaS). Misunderstanding the shared responsibility model can create gaps in control coverage, where critical risks may not be managed by either party.
SLA penalties (A) are contractual issues, not audit priorities. Availability reports (B) and business process redesign (D) are relevant but not as fundamental as defining control ownership. ISACA’s cloud audit guidelines stress that proper scoping begins with understanding shared responsibilities to avoid assurance gaps.
Reference (ISACA): ISACA Cloud Computing Audit Program; ISACA Journal – Shared Responsibility in Cloud.
