Practice Free CISA Exam Online Questions
Which of the following would be an IS auditor’s GREATEST concern when reviewing the early stages of a software development project?
- A . The lack of technical documentation to support the program code
- B . The lack of completion of all requirements at the end of each sprint
- C . The lack of acceptance criteria behind user requirements.
- D . The lack of a detailed unit and system test plan
C
Explanation:
User requirements are statements that describe what the users expect from the software system in terms of functionality, quality, and usability. They are essential inputs for the software development process, as they guide the design, implementation, testing, and deployment of the system.
Therefore, an IS auditor’s greatest concern when reviewing the early stages of a software development project would be the lack of acceptance criteria behind user requirements. Acceptance criteria are measurable conditions that define when a user requirement is met or satisfied. They help ensure that the user requirements are clear, complete, consistent, testable, and verifiable. Without acceptance criteria, it would be difficult to evaluate whether the system meets the user expectations and delivers value to the organization. Technical documentation, such as program code, is usually produced in later stages of the software development process. Completion of all requirements at the end of each sprint is not mandatory in agile software development methods, as long as there is a prioritized backlog of requirements that can be delivered incrementally. A detailed unit and system test plan is also important for ensuring software quality, but it depends on well-defined user requirements and acceptance criteria.
Reference: Information Systems Acquisition, Development & Implementation, CISA Review Manual (Digital Version)
Which of the following procedures for testing a disaster recovery plan (DRP) is MOST effective?
- A . Testing at a secondary site using offsite data backups
- B . Performing a quarterly tabletop exercise
- C . Reviewing recovery time and recovery point objectives
- D . Reviewing documented backup and recovery procedures
Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?
- A . IT value analysis
- B . Prior audit reports
- C . IT balanced scorecard
- D . Vulnerability assessment report
C
Explanation:
An IT balanced scorecard (BSC) is a performance metric that is used to identify, improve, and control the various functions and outcomes of an IT department or organization. An IT BSC is based on the concept of the balanced scorecard, which was introduced by Robert Kaplan and David Norton in 1992 as a strategic management system that translates the vision and strategy of an organization into measurable objectives and actions. An IT BSC adapts the balanced scorecard framework to the specific needs and goals of the IT function, aligning it with the business strategy and value proposition.
An IT BSC typically consists of four perspectives that help managers plan, implement, and evaluate the IT performance: customer, internal process, learning and growth, and financial. Each perspective defines a set of objectives, measures, targets, and initiatives that reflect the IT contribution to the organization’s success. For example, the customer perspective may measure the satisfaction and retention of internal and external customers who use IT services or products; the internal process perspective may measure the efficiency and effectiveness of IT processes such as development, delivery, support, or security; the learning and growth perspective may measure the skills, knowledge, innovation, and culture of the IT staff; and the financial perspective may measure the costs, benefits, and return on investment of IT projects or assets.
An IT BSC provides a new IS auditor with the most useful information to evaluate overall IT performance because it:
- Provides a comprehensive and balanced view of the IT function from multiple angles and stakeholders
- Links the IT objectives and activities to the business strategy and value creation
- Enables a clear communication and alignment of expectations and priorities among IT managers, staff, customers, and other stakeholders
- Facilitates a continuous monitoring and improvement of IT performance based on data-driven feedback and analysis
- Supports a holistic and integrated approach to IT governance, risk management, and compliance
Therefore, an IT BSC is a valuable tool for a new IS auditor to assess how well the IT function is fulfilling its mission and delivering value to the organization.
Reference: The IT Balanced Scorecard (BSC) Explained – BMC Software
What Is a Balanced Scorecard (BSC), How Is it Used in Business?
Lost in the Woods: COBIT 2019 and the IT Balanced Scorecard – ISACA
During which stage of the penetration test cycle does the tester utilize identified vulnerabilities to attempt to access the target system?
- A . Exfiltration
- B . Exploitation
- C . Reconnaissance
- D . Scanning
B
Explanation:
Exploitation is the phase where testers leverage identified vulnerabilities to gain unauthorized access to systems.
Exploitation (Correct Answer: B)
Attackers use techniques such as SQL injection, buffer overflow, or privilege escalation.
Example: A tester exploits a weak password to gain admin access.
Exfiltration (Incorrect: A)
The process of stealing data after gaining access.
Reconnaissance (Incorrect: C)
The initial stage where attackers gather information about the target.
Scanning (Incorrect: D)
Involves identifying open ports and services but does not involve actual attacks.
Reference: ISACA CISA Review Manual
NIST 800-115 (Technical Guide to Security Testing)
Which of the following would be of MOST concern to an IS auditor reviewing a data loss prevention (DLP) solution implementation for endpoints?
- A . The DLP solution does not support all types of servers.
- B . The solution has been implemented in blocking mode prior to performing tuning.
- C . The organization has never finished tuning the solution.
- D . The solution does not prevent data leakage because it is still in the monitoring phase.
C
Explanation:
The most concerning issue in DLP implementations is when tuning has never been completed.
DLP solutions require fine-tuning to properly recognize sensitive data patterns and avoid false positives/false negatives.
If tuning is incomplete, the solution will either block legitimate business processes (too restrictive) or fail to detect actual leaks (too permissive).
Now let’s break down the options:
Option A: Server support limitations may be an issue, but DLP is primarily endpoint-focused here.
Option B: Implementing blocking mode without tuning can cause disruptions, but it is not as bad as never completing tuning.
Option D: Running in monitoring mode is acceptable in early stages of deployment (testing phase).
Therefore, never completing tuning (C) represents a fundamental control weakness and is the greatest concern.
ISACA Reference: CISA Review Manual 27th Edition, Domain 5, section on data leakage prevention and monitoring tools.
An organization using a cloud provider for its online billing system requires the website to be accessible to customers at all times.
What is the BEST way to verify the organization’s business requirements are met?
- A . Invoke the right-to-audit clause.
- B . Require the vendor to report any outages longer than five minutes
- C . Monitor the service level agreement (SLA) with the vendor.
- D . Agree on periodic performance discussions with the vendor
An outsourced recruitment vendor processes personally identifiable information (PII) related to an organization’s new hires.
Which of the following would be the GREATEST concern to an IS auditor reviewing the third-party risk management process?
- A . The vendor collects data using an external-facing web service.
- B . The vendor lacks a team of dedicated privacy professionals.
- C . The vendor uses a fourth party to host client data.
- D . The vendor is excluded from the third-party due diligence process.
D
Explanation:
The greatest concern is if the vendor is excluded from the organization’s third-party due diligence process. Without proper due diligence, the organization has no assurance that the vendor meets minimum security and privacy requirements, exposing PII to significant risk.
Option A: External-facing services carry risk but can be mitigated by proper controls.
Option B: Lack of dedicated privacy staff may increase risk, but controls may still exist.
Option C: Fourth-party hosting adds risk but is acceptable if included in due diligence.
Option D (Correct): Exclusion from due diligence represents a fundamental breakdown in vendor risk management.
ISACA Reference: CISA Review Manual 27th Edition, Domain 5, section on third-party/vendor risk management and data privacy.
An IS auditor is auditing the operating effectiveness of weekly user access reviews. Of the five weekly reviews sampled, one has not been signed or dated.
What is the MAIN reason to note this observation as a finding?
- A . The review may not be accurate.
- B . The review may not contain the appropriate content.
- C . The review may not be in compliance with industry standards.
- D . The review may not have been performed.
D
Explanation:
Evidence of a control’s performance must be verifiable. A missing signature or date means there is no confirmation that the review was actually performed. This undermines the completeness and reliability of the control. Accuracy (A) and content (B) relate to quality but do not address the missing attestation. Industry standards (C) may be relevant, but the auditor’s main concern is that the absence of sign-off creates doubt about whether the control occurred at all. ISACA audit guidance highlights that sufficient and appropriate evidence is required to support the conclusion that a control is operating as designed.
Reference (ISACA): ISACA Standards, Evidence Collection; ISACA ITAF Guidelines.
To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications.
Which of the following is MOST helpful to review when identifying which servers are no longer required?
- A . Performance feedback from the user community
- B . Contract with the server vendor
- C . Server CPU usage trends
- D . Mean time between failure (MTBF) of each server
C
Explanation:
When identifying which servers are no longer required, reviewing server CPU usage trends is the most helpful approach. Monitoring the CPU usage over time provides insights into how actively a server is being utilized. Servers with consistently low CPU usage may be candidates for consolidation or decommissioning. By analyzing CPU utilization patterns, IT management can make informed decisions about which servers can be retired without impacting performance or availability [1].
Reference: [1] ISACA. “Technical Guide on IT Migration Audit.” (http://kb.icai.org/pdfs/PDFFile5b278a12a66758.27269499.pdf)
A contract for outsourcing IS functions should always include:
- A . Full details of security procedures to be observed by the contractor.
- B . A provision for an independent audit of the contractor’s operations.
- C . The names and roles of staff to be employed in the operation.
- D . Data transfer protocols.
B
Explanation:
When outsourcing IS functions, independent audit provisions ensure that contractors meet security, compliance, and operational standards.
Option A (Incorrect): Security procedures should be included but are subject to change and may not be detailed in the contract.
Option B (Correct): Independent audit rights allow the organization to verify that the vendor complies with security, operational, and regulatory requirements.
Option C (Incorrect): Naming specific staff is impractical and not a core contractual requirement.
Option D (Incorrect): Data transfer protocols are important, but they are a technical detail rather than a primary contract requirement.
Reference: ISACA CISA Review Manual, Domain 3: Information Systems Acquisition, Development, and Implementation. Covers outsourcing, SLAs, and audit requirements.
