Practice Free CISA Exam Online Questions
During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business.
To ensure audit quality, which of the following actions should audit management consider FIRST?
- A . Conduct a follow-up audit after a suitable period has elapsed.
- B . Reschedule the audit assignment for the next financial year.
- C . Reassign the audit to an internal audit subject matter expert.
- D . Extend the duration of the audit to give the auditor more time.
C
Explanation:
The best action that audit management should consider first is to reassign the audit to an internal audit subject matter expert. This is because cloud service audits require specialized knowledge and skills to assess the risks and controls associated with the cloud service provider and the cloud service customer. An IS auditor who is unfamiliar with the technologies in use and their associated risks to the business may not be able to perform an effective and efficient audit, and may miss important issues or provide inaccurate recommendations. Therefore, it is important to ensure that the IS auditor assigned to the cloud service audit has the appropriate competence and experience.
The other options are not as good as reassigning the audit to an internal audit subject matter expert. Conducting a follow-up audit after a suitable period has elapsed may not address the quality issues of the initial audit, and may also delay the identification and remediation of any problems. Rescheduling the audit assignment for the next financial year may expose the organization to unnecessary risks and may not meet the audit objectives or expectations. Extending the duration of the audit to give the auditor more time may not be feasible or cost-effective, and may not guarantee that the auditor will acquire the necessary knowledge and skills in time.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 1391
ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2009, p. 14
The MOST important measure of the effectiveness of an organization’s security program is the:
- A . comparison with critical incidents experienced by competitors.
- B . number of vulnerability alerts escalated to senior management.
- C . number of new vulnerabilities reported.
- D . adverse impact of incidents on critical business activities.
Which of the following is an example of a preventive control for physical access?
- A . Keeping log entries for all visitors to the building
- B . Implementing a fingerprint-based access control system for the building
- C . Installing closed-circuit television (CCTV) cameras for all ingress and egress points
- D . Implementing a centralized logging server to record instances of staff logging into workstations
B
Explanation:
A preventive control is a control that aims to deter or prevent undesirable events from occurring. A fingerprint-based access control system for the building is an example of a preventive control for physical access, as it restricts unauthorized persons from entering the premises. Keeping log entries for all visitors to the building, installing CCTV cameras for all ingress and egress points, and implementing a centralized logging server to record instances of staff logging into workstations are examples of detective controls, which are controls that aim to discover or detect undesirable events that have already occurred.
Reference: ISACA, IS Audit and Assurance Tools and Techniques (CISA Certification)
Which of the following would minimize the risk of losing transactions as a result of a disaster?
- A . Sending a copy of the transaction logs to offsite storage on a daily basis
- B . Storing a copy of the transaction logs onsite in a fireproof vault
- C . Encrypting a copy of the transaction logs and storing it on a local server
- D . Signing a copy of the transaction logs and storing it on a local server
A
Explanation:
Sending a copy of the transaction logs to offsite storage on a daily basis would minimize the risk of losing transactions as a result of a disaster. Offsite storage provides a copy of the data that can be recovered after a catastrophic event that destroys or damages the onsite data; the exposure is then bounded by the shipping interval (at most one day of transactions with a daily schedule). Storing a copy of the transaction logs onsite in a fireproof vault (B) would not protect the data from disasters other than fire, such as floods, earthquakes, or theft, and the vault shares the site's fate. Encrypting (C) or signing (D) a copy of the transaction logs and storing it on a local server would not prevent the loss of data if the server is affected by the disaster. Encryption and digital signatures protect the confidentiality and integrity of the data, respectively, but not its availability.
Reference: CISA – Certified Information Systems Auditor Study Guide, Chapter 5: Protection of Information Assets, Section 5.2: Backup and Recovery Concepts, Page 353.
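The explanation above contrasts an offsite copy (availability) with encryption and signing (confidentiality and integrity). The following is an added example, not taken from the study guide or any vendor tool, that combines the two: a daily shipping routine that copies the day's transaction log to an offsite location and records its SHA-256 in a manifest, and a recovery-side check that tells you which day's log is the last one that can be trusted after the onsite site is gone. File names, the directory layout, the manifest format and the log lines are constructed assumptions for the demonstration.

```python
"""Daily shipping of transaction logs offsite, with a digest manifest so the
recovery point can be verified once the onsite copies no longer exist.
Added example: file layout and manifest format are assumptions."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional

MANIFEST = "manifest.json"  # assumed name of the offsite digest list


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def ship_log(onsite: Path, offsite: Path, day: str) -> str:
    """Copy txlog-<day>.log offsite and record its SHA-256 in the manifest.
    The digest is computed on the onsite file first and re-checked on the
    offsite copy, so a truncated or failed transfer is rejected at ship time."""
    src = onsite / f"txlog-{day}.log"
    dst = offsite / src.name
    expected = sha256_of(src)
    shutil.copy2(src, dst)
    if sha256_of(dst) != expected:
        dst.unlink()
        raise IOError(f"offsite copy of {src.name} does not match source digest")
    manifest_path = offsite / MANIFEST
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    manifest[day] = expected
    manifest_path.write_text(json.dumps(manifest, sort_keys=True))
    return expected


def verify_offsite(offsite: Path) -> Dict[str, str]:
    """Return {day: 'ok' | 'missing' | 'corrupt'} for every day listed in the manifest."""
    manifest = json.loads((offsite / MANIFEST).read_text())
    status = {}
    for day, digest in manifest.items():
        copy = offsite / f"txlog-{day}.log"
        if not copy.exists():
            status[day] = "missing"
        elif sha256_of(copy) != digest:
            status[day] = "corrupt"
        else:
            status[day] = "ok"
    return status


def recovery_point(offsite: Path) -> Optional[str]:
    """Latest day whose offsite log verifies; transactions after it are lost."""
    ok_days = [d for d, s in verify_offsite(offsite).items() if s == "ok"]
    return max(ok_days) if ok_days else None


def run_scenario() -> dict:
    """Constructed scenario: three days of logs are shipped, the offsite copy of
    the last day suffers a media fault, then the whole onsite site is destroyed."""
    root = Path(tempfile.mkdtemp())
    onsite, offsite = root / "onsite", root / "offsite"
    onsite.mkdir()
    offsite.mkdir()
    for day in ("2024-03-01", "2024-03-02", "2024-03-03"):
        # constructed transaction line, one file per day
        (onsite / f"txlog-{day}.log").write_text(f"{day}T10:00Z TXN 100 credit 25.00\n")
        ship_log(onsite, offsite, day)
    # simulated media fault on the offsite copy of the last day
    (offsite / "txlog-2024-03-03.log").write_bytes(b"\x00garbage")
    # disaster: the onsite site is gone, including any encrypted or signed local copies
    shutil.rmtree(onsite)
    return {"status": verify_offsite(offsite),
            "recovery_point": recovery_point(offsite),
            "onsite_survived": onsite.exists()}
```

Run `run_scenario()` to see the audit-relevant result: the onsite directory (and anything that was only encrypted or signed there) no longer exists, the manifest flags the damaged offsite day as corrupt, and the recovery point falls back to the last day that verifies. The manifest itself is the weak spot of this layout; in practice it would be written to a second location or signed so that an attacker who can alter the offsite copies cannot also rewrite the digests.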
A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:
- A . A formal request for proposal (RFP) process
- B . Business case development procedures
- C . An information asset acquisition policy
- D . Asset life cycle management.
D
Explanation:
Asset life cycle management is a technique of asset management in which asset owners maximize the usable life of assets through planning, purchasing, using, maintaining, and disposing of assets. Its main aim is to reduce costs and increase productivity by optimizing the performance, reliability, and lifespan of assets. Asset life cycle management can help prevent the situation of having unused applications by ensuring that the applications are aligned with the business needs, objectives, and strategies, and that they are regularly reviewed, updated, or retired as necessary.
The other options are not as effective as asset life cycle management for preventing unused applications. A formal request for proposal (RFP) process is a method of soliciting bids from potential vendors or suppliers for a project or service. An RFP process can help select the best application for a specific requirement, but it does not ensure that the application will be used or maintained throughout its life cycle. Business case development procedures are a set of steps that involve defining the problem, analyzing the alternatives, and proposing a solution for a project or initiative. Business case development procedures can help justify the need and value of an application, but they do not guarantee that the application will be utilized or supported after its implementation. An information asset acquisition policy is a document that outlines the rules and standards for acquiring information assets such as applications. An information asset acquisition policy can help ensure that the applications are acquired in a consistent and compliant manner, but it does not address how the applications will be managed or disposed of after their acquisition.
Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?
- A . Staff were not involved in the procurement process, creating user resistance to the new system.
- B . Data is not converted correctly, resulting in inaccurate patient records.
- C . The deployment project experienced significant overruns, exceeding budget projections.
- D . The new system has capacity issues, leading to slow response times for users.
B
Explanation:
The most significant risk associated with a new health records system that replaces a legacy system is data not being converted correctly, resulting in inaccurate patient records. Data conversion is the process of transferring data from one format or system to another. Data conversion is a critical step in implementing a new health records system, as it ensures that the patient data are consistent, complete, accurate, and accessible in the new system. Data not being converted correctly may cause errors, discrepancies, or losses in patient records, which may have serious implications for patient safety, quality of care, legal compliance, and privacy protection. Staff not being involved in the procurement process, creating user resistance to the new system; the deployment project experiencing significant overruns, exceeding budget projections; and the new system having capacity issues, leading to slow response times for users are also risks associated with a new health records system implementation, but they are not as significant as data not being converted correctly.
Reference: [ISACA CISA Review Manual 27th Edition], page 281.
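The explanation above names the properties a conversion must preserve (consistent, complete, accurate) but not how an auditor would test for them. The following is an added example, not from the CISA Review Manual or any health records product, of the reconciliation an IS auditor or conversion team can run between the legacy extract and the new system's load: batch control totals plus a per-record comparison that classifies every discrepancy as missing, unexpected or changed. The record layout, the field names and the sample patients are constructed for the demonstration.

```python
"""Conversion reconciliation between a legacy extract and the converted load.
Added example; the record layout and sample data are constructed."""
import hashlib
from typing import Dict, List

Record = Dict[str, str]

# Fields that must survive conversion unchanged, in a fixed order for hashing
KEY_FIELDS = ("patient_id", "dob", "blood_group", "allergies")


def _norm(value: str) -> str:
    # Ignore whitespace and case differences, which are presentation, not content
    return value.strip().upper()


def record_fingerprint(rec: Record) -> str:
    """Canonical SHA-256 over the key fields; any field-level difference changes it."""
    canon = "\x1f".join(_norm(rec.get(f, "")) for f in KEY_FIELDS)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def control_totals(records: List[Record]) -> dict:
    """Batch-level totals: record count and an order-independent hash of all fingerprints."""
    fps = sorted(record_fingerprint(r) for r in records)
    return {"count": len(records),
            "batch_hash": hashlib.sha256("".join(fps).encode("utf-8")).hexdigest()}


def reconcile(legacy: List[Record], converted: List[Record]) -> dict:
    """Compare legacy and converted records by patient_id and report each discrepancy class."""
    old = {r["patient_id"]: r for r in legacy}
    new = {r["patient_id"]: r for r in converted}
    missing = sorted(set(old) - set(new))       # dropped during the load
    unexpected = sorted(set(new) - set(old))    # created during the load
    changed = {}
    for pid in set(old) & set(new):
        if record_fingerprint(old[pid]) != record_fingerprint(new[pid]):
            changed[pid] = {f: (old[pid].get(f), new[pid].get(f))
                            for f in KEY_FIELDS
                            if _norm(old[pid].get(f, "")) != _norm(new[pid].get(f, ""))}
    totals_match = control_totals(legacy) == control_totals(converted)
    return {"totals_match": totals_match,
            "missing": missing,
            "unexpected": unexpected,
            "changed": changed,
            "clean": totals_match and not (missing or unexpected or changed)}


# Constructed sample: three legacy patients; the load drops one and flips a blood group sign
LEGACY: List[Record] = [
    {"patient_id": "P001", "dob": "1980-02-01", "blood_group": "O+", "allergies": "PENICILLIN"},
    {"patient_id": "P002", "dob": "1975-11-30", "blood_group": "AB-", "allergies": "NONE"},
    {"patient_id": "P003", "dob": "1990-07-15", "blood_group": "A+", "allergies": "NONE"},
]
CONVERTED: List[Record] = [
    {"patient_id": "P001", "dob": "1980-02-01", "blood_group": "O+", "allergies": "penicillin"},
    {"patient_id": "P002", "dob": "1975-11-30", "blood_group": "AB+", "allergies": "NONE"},
]


def run_sample() -> dict:
    return reconcile(LEGACY, CONVERTED)
```

In the constructed sample the control totals already disagree, which is the first signal an auditor looks for; the per-record pass then shows which patient was dropped and that P002's blood group changed from AB- to AB+, exactly the kind of silent error the question describes as the most significant risk. The case difference in P001's allergy field is normalized away so that it does not drown the real discrepancies.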
Which of the following is the PRIMARY benefit of effective implementation of appropriate data classification?
- A . Ability to meet business requirements
- B . Assurance that sensitive data is encrypted
- C . Increased accuracy of sensitive data
- D . Management of business risk to sensitive data
Which of the following BEST mitigates the risk associated with the deployment of a new production system?
- A . Problem management
- B . Incident management
- C . Configuration management
- D . Release management
Which of the following data would be used when performing a business impact analysis (BIA)?
- A . Projected impact of current business on future business
- B . Cost-benefit analysis of running the current business
- C . Cost of regulatory compliance
- D . Expected costs for recovering the business
D
Explanation:
The expected costs for recovering the business would be used when performing a business impact analysis (BIA). A BIA is a process of identifying and evaluating the potential effects of disruptions to critical business functions or processes. A BIA helps to determine the recovery priorities, strategies, and resources needed to resume normal operations after a disruption. One of the key outputs of a BIA is an estimate of the financial losses or costs associated with different types of disruptions, such as lost revenue, increased expenses, contractual penalties, or regulatory fines, together with the cost of recovering each function within its required time.
An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner.
Which of the following is the auditor’s BEST recommendation?
- A . Increase the capacity of existing systems.
- B . Upgrade hardware to newer technology.
- C . Hire temporary contract workers for the IT function.
- D . Build a virtual environment.
D
Explanation:
The best recommendation for an organization that is unable to add new servers on demand in a cost-efficient manner is to build a virtual environment. Virtualization allows multiple virtual machines to run on a single physical server, sharing its resources and capabilities. Because a new server then becomes a provisioning step rather than a hardware purchase, the organization can add servers on demand while reducing hardware acquisition, maintenance, and power consumption. The other options do not address the root cause of the problem. Increasing the capacity of existing systems is a short-term measure that improves the performance and availability of the current servers but adds no new ones. Upgrading hardware to newer technology is costly and enhances the functionality and reliability of the existing servers without making new servers quicker or cheaper to provision. Hiring temporary contract workers for the IT function may supplement the IT staff's skills and knowledge, but staffing is not what limits the ability to add servers on demand.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.3.1
