Practice Free CISA Exam Online Questions
Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?
- A . The exceptions are likely to continue indefinitely.
- B . The exceptions may result in noncompliance.
- C . The exceptions may elevate the level of operational risk.
- D . The exceptions may negatively impact process efficiency.
B
Explanation:
The greatest concern associated with a high number of IT policy exceptions approved by management is that the exceptions may result in noncompliance. IT policy exceptions are deviations from the established IT policies that management grants for specific reasons and circumstances. However, a large number of exceptions may indicate that the IT policies are not aligned with business needs, regulatory requirements, or best practices, which exposes the organization to legal, contractual, or reputational risk arising from noncompliance. The other options are less concerning than noncompliance because they do not carry the same potential impact. That the exceptions are likely to continue indefinitely is a possible outcome of a high number of exceptions, but it does not in itself imply a negative effect on the organization. That the exceptions may elevate the level of operational risk is a valid concern, but it can be mitigated with compensating controls or monitoring mechanisms. That the exceptions may negatively impact process efficiency is a minor concern, since it does not affect the effectiveness or reliability of the IT processes.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.2
An IS auditor notes that IT and the business have different opinions on the availability of their application servers.
Which of the following should the IS auditor review FIRST in order to understand the problem?
- A . The exact definition of the service levels and their measurement
- B . The alerting and measurement process on the application servers
- C . The actual availability of the servers as part of a substantive test
- D . The regular performance-reporting documentation
A
Explanation:
The exact definition of the service levels and their measurement is the first thing that the IS auditor should review in order to understand the problem of different opinions on the availability of their application servers. Service levels are the agreed-upon standards or targets for delivering IT services, such as availability, reliability, performance, and security. Service level measurement is the process of collecting, analyzing, and reporting data related to the achievement of service levels. By reviewing the exact definition of the service levels and their measurement, the IS auditor can identify any gaps, inconsistencies, or ambiguities that may cause confusion or disagreement among IT and the business. The other options are not as important as reviewing the exact definition of the service levels and their measurement, as they do not address the root cause of the problem.
Reference: CISA Review Manual, 27th Edition, page 372
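Disagreements of the kind described above usually come down to which SLA definition is being measured. The following added example (not from the exam or the CISA Review Manual) computes availability for one constructed month of outages under three definitions: 24x7 with every outage counted, 24x7 with planned maintenance excluded, and business hours only (assumed Monday to Friday, 08:00 to 18:00). The outage log, period and business-hours window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed outage log for March 2024 (not from the page): (start, end, planned).
OUTAGES = [
    (datetime(2024, 3, 2, 1, 0), datetime(2024, 3, 2, 3, 0), True),       # planned patching, Saturday night
    (datetime(2024, 3, 11, 14, 0), datetime(2024, 3, 11, 15, 30), False), # unplanned, Monday afternoon
    (datetime(2024, 3, 16, 23, 0), datetime(2024, 3, 17, 0, 30), False),  # unplanned, Saturday night
]
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)  # exclusive

def _overlap(a_start, a_end, b_start, b_end):
    """Length of the intersection of two intervals (zero when disjoint)."""
    lo, hi = max(a_start, b_start), min(a_end, b_end)
    return max(timedelta(0), hi - lo)

def service_windows(start, end, business_hours_only):
    """Yield the intervals in which the SLA commits the service to be up.
    Assumed business hours: Monday to Friday, 08:00 to 18:00."""
    if not business_hours_only:
        yield start, end
        return
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day.weekday() < 5:  # Monday == 0 ... Friday == 4
            yield day + timedelta(hours=8), day + timedelta(hours=18)
        day += timedelta(days=1)

def availability(outages, start, end, exclude_planned=False, business_hours_only=False):
    """Availability in percent (three decimals) under one SLA definition."""
    committed = downtime = timedelta(0)
    for w_start, w_end in service_windows(start, end, business_hours_only):
        w_start, w_end = max(w_start, start), min(w_end, end)  # clip to the period
        if w_end <= w_start:
            continue
        committed += w_end - w_start
        for o_start, o_end, planned in outages:
            if planned and exclude_planned:
                continue  # maintenance windows do not count against this SLA
            downtime += _overlap(w_start, w_end, o_start, o_end)
    if committed == timedelta(0):
        raise ValueError("no committed service time in the period")
    return round(100 * (1 - downtime / committed), 3)

if __name__ == "__main__":
    print("24x7, all outages:          ", availability(OUTAGES, PERIOD_START, PERIOD_END))
    print("24x7, planned excluded:     ", availability(OUTAGES, PERIOD_START, PERIOD_END, exclude_planned=True))
    print("business hours, all outages:", availability(OUTAGES, PERIOD_START, PERIOD_END, business_hours_only=True))
```

The same five hours of outage yield 99.328%, 99.597% or 99.286% depending on the definition, which is exactly the gap the auditor closes by reading the SLA and its measurement method first.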
A firewall between internal network segments improves security and reduces risk by:
- A . logging all packets passing through network segments
- B . inspecting all traffic flowing between network segments and applying security policies
- C . monitoring and reporting on sessions between network participants
- D . ensuring all connecting systems have appropriate security controls enabled.
B
Explanation:
A firewall between internal network segments improves security and reduces risk by inspecting all traffic flowing between network segments and applying security policies. This will prevent unauthorized or malicious access, data leakage, or network attacks from compromising the network resources or data. Logging all packets passing through network segments may provide audit trails and evidence, but not prevent or mitigate security incidents. Monitoring and reporting on sessions between network participants may help to identify anomalous or suspicious activities, but not block or filter them. Ensuring all connecting systems have appropriate security controls enabled may enhance the overall network security posture, but not isolate or segregate different network segments.
Reference: Info Technology & Systems Resources | COBIT, Risk, Governance … – ISACA, section “Book COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution | Digital | English”
Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees.
What is the MOST important task before implementing any associated email controls?
- A . Require all employees to sign nondisclosure agreements (NDAs).
- B . Develop an acceptable use policy for end-user computing (EUC).
- C . Develop an information classification scheme.
- D . Provide notification to employees about possible email monitoring.
C
Explanation:
The most important task before implementing any associated email controls to prevent sensitive information from being emailed outside the organization by employees is to develop an information classification scheme. An information classification scheme is a framework that defines the categories and levels of sensitivity for different types of information, such as public, internal, confidential, or secret. An information classification scheme can help implement email controls by providing criteria and guidelines for identifying, labeling, handling, and protecting sensitive information in email attachments. The other options are not as important as developing an information classification scheme, as they do not address the root cause of the problem or provide the same benefits. Requiring all employees to sign nondisclosure agreements (NDAs) is a legal control that can help deter or penalize employees from disclosing sensitive information, but it does not prevent them from emailing it outside the organization. Developing an acceptable use policy for end-user computing (EUC) is a governance control that can help define and communicate the rules and expectations for using IT resources, such as email, but it does not prevent employees from emailing sensitive information outside the organization. Providing notification to employees about possible email monitoring is a transparency control that can help inform and warn employees about the potential consequences of emailing sensitive information outside the organization, but it does not prevent them from doing so.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2
An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that is directly accessed by customers via the Internet. Which of the following should be a concern for the auditor?
- A . The system is hosted on an external third-party service provider’s server.
- B . The system is hosted in a hybrid-cloud platform managed by a service provider.
- C . The system is hosted within a demilitarized zone (DMZ) of a corporate network.
- D . The system is hosted within an internal segment of a corporate network.
D
Explanation:
A web-based CRM system that is directly accessed by customers via the Internet should be hosted in a secure and isolated environment to protect it from external threats and unauthorized access. A web-based CRM system should also be reliable, trusted, and backed up regularly.
Hosting the system on an external third-party service provider’s servers (A) or a hybrid-cloud platform managed by a service provider (B) may not be a concern for the auditor if the service provider has adequate security measures and service level agreements in place. The auditor should verify the security controls and contractual terms of the service provider before trusting them with the CRM data.
Hosting the system within a demilitarized zone (DMZ) of a corporate network (C) is a common practice to provide an extra layer of security to the CRM system from untrusted networks, such as the Internet. A DMZ is a perimeter network that isolates the CRM system from the internal network and filters the incoming traffic from the external network using a security gateway.
Hosting the system within an internal segment of a corporate network (D) is a concern for the auditor because it exposes the CRM system and the internal network to potential attacks from the Internet. The CRM system should not be directly accessible from the Internet without a DMZ or a firewall to protect it. This could compromise the confidentiality, integrity, and availability of the CRM data and the internal network.
Which of the following controls is the BEST recommendation to prevent the skimming of debit or credit card data in point of sale (POS) systems?
- A . Encryption
- B . Chip and PIN
- C . Hashing
- D . Biometric authentication
An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding.
Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?
- A . Project management
- B . Risk assessment results
- C . IT governance framework
- D . Portfolio management
D
Explanation:
The most helpful tool in matching demand for projects and services with available resources in a way that supports business objectives is portfolio management. Portfolio management is the process of selecting, prioritizing, balancing and aligning IT projects and services with the strategic goals and value proposition of the organization. Portfolio management helps the IT organization to allocate resources efficiently and effectively, to deliver value to the business units, and to align IT initiatives with business strategies. Project management, risk assessment results and an IT governance framework are also important tools, but they are not as helpful as portfolio management in matching demand and supply of IT projects and services.
Reference: CISA Review Manual, 27th Edition, page 721
CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
- A . When planning an audit engagement
- B . When gathering information for the fieldwork
- C . When a violation of a regulatory requirement has been identified
- D . When evaluating representations from the auditee
A
Explanation:
The concept of materiality is most important for an IS auditor to apply when planning an audit engagement, because it helps the auditor to determine the scope, objectives, procedures and resources of the audit. Materiality is the degree to which an omission or misstatement of information could affect the users’ decisions or the achievement of the audit objectives. By applying the concept of materiality, the auditor can focus on the most significant and relevant areas of the audit and avoid wasting time and effort on trivial or immaterial matters. The other options are not as important as planning an audit engagement, because they are either based on or affected by the materiality assessment done during the planning phase.
Reference: ISACA, CISA Review Manual, 27th Edition, chapter 1, section 1.3
ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1202
Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAs)?
- A . Review exception reports
- B . Review IT staffing schedules
- C . Analyze help desk ticket logs
- D . Conduct IT management interviews
A
Explanation:
The best way to identify whether the IT help desk is meeting service level agreements (SLAs) is to review exception reports. Exception reports are documents that highlight any deviations from the agreed service levels, such as breaches, delays, or failures. They help the IT help desk monitor its performance, identify root causes, and implement corrective actions. Reviewing exception reports also helps the IT help desk communicate with end users and stakeholders about service issues and their resolution.
Reference: IT help desk support SLA, Section 4: Reporting and Reviewing Service Levels, Page 3.
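To make the distinction between option A and option C concrete, the following added example (not from the exam or the referenced SLA document) derives an exception report from a constructed help desk ticket export: it lists only the tickets that deviate from an assumed per-priority resolution target, including tickets that are still open past their target, which a raw ticket log shows merely as "open". The ticket rows, priority targets and reporting time are constructed for illustration.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed help desk ticket export (not from the page); "resolved" is blank while a ticket is still open.
TICKET_LOG = """ticket,priority,opened,resolved
INC-1001,P1,2024-05-06 09:00,2024-05-06 11:30
INC-1002,P2,2024-05-06 10:15,2024-05-07 09:00
INC-1003,P3,2024-05-06 13:00,2024-05-07 10:00
INC-1004,P1,2024-05-07 08:00,
INC-1005,P2,2024-05-07 12:00,2024-05-07 15:00
"""

# Assumed resolution targets per priority; the real SLA terms are not on the page.
TARGETS = {"P1": timedelta(hours=4), "P2": timedelta(hours=8), "P3": timedelta(hours=24)}
# Constructed time at which the report is produced (open tickets are measured up to this point).
REPORT_TIME = datetime(2024, 5, 7, 14, 0)
FMT = "%Y-%m-%d %H:%M"

def exception_report(log_text, targets, now):
    """Return only the tickets that deviate from their resolution target.

    A resolved ticket is an exception when resolution took longer than the target;
    an open ticket is an exception when it has already been open longer than the target.
    Each entry carries the status and how far past the target the ticket is.
    """
    exceptions = []
    for row in csv.DictReader(StringIO(log_text)):
        target = targets[row["priority"]]
        opened = datetime.strptime(row["opened"], FMT)
        resolved = datetime.strptime(row["resolved"], FMT) if row["resolved"] else None
        elapsed = (resolved or now) - opened
        if elapsed > target:
            exceptions.append({
                "ticket": row["ticket"],
                "priority": row["priority"],
                "status": "resolved" if resolved else "open",
                "overdue_by": elapsed - target,
            })
    return exceptions

def run_report():
    """Produce the exception report for the constructed log at the constructed report time."""
    return exception_report(TICKET_LOG, TARGETS, REPORT_TIME)

if __name__ == "__main__":
    for entry in run_report():
        print(f"{entry['ticket']} {entry['priority']} {entry['status']:8} overdue by {entry['overdue_by']}")
```

Of the five tickets only INC-1002 (resolved 14h45m late) and INC-1004 (open and already 2h past its target) appear, which is the deviation-only view an auditor gets from an exception report without re-analysing every ticket.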
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy?
- A . IT steering committee minutes
- B . Business objectives
- C . Alignment with the IT tactical plan
- D . Compliance with industry best practice
B
Explanation:
The most important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy is the business objectives. An information security policy is a document that defines the organization’s approach to protecting its information assets from internal and external threats. It should align with the organization’s mission, vision, values, and goals, and support its business processes and functions. An information security policy should also be focused on the business needs and requirements of the organization, rather than on technical details or specific solutions.
The other options are not as important as the business objectives, because they do not directly reflect the organization’s purpose and direction. IT steering committee minutes are records of the discussions and decisions made by a group of senior executives who oversee the IT strategy and governance of the organization. They may provide some insights into the information security policy, but they are not sufficient to evaluate its adequacy. Alignment with the IT tactical plan is a measure of how well the information security policy supports the short-term actions and projects that implement the IT strategy. However, the IT tactical plan itself should be aligned with the business objectives, and not vice versa. Compliance with industry best practice is a desirable quality of an information security policy, but it is not a guarantee of its effectiveness or suitability for the organization. Industry best practices are general guidelines or recommendations that may not apply to every organization or situation. An information security policy should be customized and tailored to the specific context and needs of the organization.
Reference: The 12 Elements of an Information Security Policy | Exabeam
11 Key Elements of an Information Security Policy | Egnyte
What is an IT steering committee? Definition, roles & responsibilities …
What is IT Strategy? Definition, Components & Best Practices | BMC …
IT Security Policy: Key Components & Best Practices for Every Business
