Practice Free CISA Exam Online Questions
Secure code reviews as part of a continuous deployment program are which type of control?
- A . Detective
- B . Logical
- C . Preventive
- D . Corrective
C
Explanation:
Secure code reviews performed as part of a continuous deployment program are preventive controls. Preventive controls aim to stop undesirable events (errors, defects, incidents) before they occur. A secure code review examines an application's source code to identify and remove vulnerabilities, flaws, or weaknesses before the code is deployed, so security issues are kept out of production rather than discovered there. The other options describe controls with different functions. Detective controls identify undesirable events that have already occurred, for example log monitoring or post-deployment scanning. Corrective controls remedy undesirable events after they have occurred, for example patching or restoring from backup. Logical controls are a classification by mechanism rather than by timing: they use software or hardware mechanisms to regulate or restrict access to IT resources such as data, systems, or networks, and a given logical control may itself be preventive, detective, or corrective.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.2
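The following is an added example, not part of the practice questions or of the CISA Review Manual: a small Python review gate that makes the "preventive" classification concrete. It scans only the lines a change adds and exits non-zero on any finding, so a continuous deployment pipeline that runs it before the deploy step stops the flawed code from ever reaching production; running the same rules over production logs afterwards would be a detective control. The rule names, file path and diff content are constructed for this example and are not from any real project.

```python
"""Automated secure code review as a pre-deployment gate (added illustration).

The gate inspects only the lines a change ADDS, so a finding blocks the
deployment before the code reaches production (preventive), instead of being
discovered afterwards by monitoring (detective).
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from typing import Iterator

# Constructed sample diff (not taken from any real project). New lines 3, 6
# and 9 of app/db.py each carry a flaw a secure code review should catch.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -1,4 +1,9 @@
 import sqlite3
+import subprocess
+DB_PASSWORD = "hunter2-super-secret"
 
 def find_user(conn, name):
-    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchone()
+    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'").fetchone()
+
+def backup(path):
+    subprocess.run("tar czf backup.tgz " + path, shell=True)
"""

# Illustrative review rules (hypothetical names; a real program would use a
# maintained SAST / secret-scanning tool rather than hand-written regexes).
RULES = {
    "hardcoded_secret": re.compile(
        r'(?i)(password|passwd|secret|api[_-]?key|token)\s*=\s*["\'][^"\']{8,}["\']'),
    "sql_string_building": re.compile(r'\.execute\(\s*(f["\']|["\'].*?["\']\s*[+%])'),
    "shell_true": re.compile(r'subprocess\.(call|run|Popen)\([^)]*shell\s*=\s*True'),
    "weak_hash": re.compile(r'hashlib\.(md5|sha1)\('),
}

HUNK_RE = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@')


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int   # line number in the NEW version of the file
    text: str


def added_lines(diff: str) -> Iterator[tuple[str, int, str]]:
    """Yield (path, new_line_number, text) for every line the unified diff adds."""
    path, line_no = None, 0
    for raw in diff.splitlines():
        if raw.startswith('+++ '):              # new-file header, e.g. "+++ b/app/db.py"
            path = raw[4:]
            path = path[2:] if path.startswith('b/') else path
            continue
        m = HUNK_RE.match(raw)
        if m:                                   # "@@ -old,len +new,len @@" resets the counter
            line_no = int(m.group(1))
            continue
        if path is None or raw.startswith(('diff ', 'index ', '--- ', '\\')):
            continue
        if raw.startswith('+'):                 # added line: report it, then advance
            yield path, line_no, raw[1:]
            line_no += 1
        elif raw.startswith('-'):               # removed line: exists only in the old file
            continue
        else:                                   # context line (' ' prefix, or empty if stripped)
            line_no += 1


def review(diff: str) -> list[Finding]:
    """Run every rule over every added line; unchanged code is out of scope."""
    findings = []
    for path, line_no, text in added_lines(diff):
        for rule, pattern in RULES.items():
            if pattern.search(text):
                findings.append(Finding(rule, path, line_no, text.strip()))
    return findings


def gate(diff: str) -> bool:
    """Preventive control: True only if the change may proceed to deployment."""
    return not review(diff)


if __name__ == "__main__":
    # Pipeline usage:  git diff origin/main...HEAD | python review_gate.py -
    # With no argument the constructed sample diff is reviewed instead.
    diff = sys.stdin.read() if sys.argv[1:] == ['-'] else SAMPLE_DIFF
    for f in review(diff):
        print(f"{f.path}:{f.line}: {f.rule}: {f.text}")
    sys.exit(0 if gate(diff) else 1)
```

Run against the sample diff, the gate reports the hard-coded credential on line 3, the string-built SQL on line 6 and the `shell=True` call on line 9, and exits 1, so the pipeline never reaches the deploy step. Limiting the scan to added lines is a deliberate choice: it keeps the gate fast and attributable to the change under review, while a periodic full-codebase scan covers pre-existing code.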
Which of the following is the MOST important consideration when establishing operational log management?
- A . Types of data
- B . Log processing efficiency
- C . IT organizational structure
- D . Log retention period
An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access.
Which of the following is the GREATEST risk associated with this situation?
- A . Users can export application logs.
- B . Users can view sensitive data.
- C . Users can make unauthorized changes.
- D . Users can install open-licensed software.
C
Explanation:
The greatest risk in this situation is that users can make unauthorized changes. Administrator rights on an externally facing system let a user modify the data, the configuration, and other users' access, which threatens the integrity, confidentiality, and availability of both the system and the sensitive data it holds; because the system is externally facing, any compromised or misused administrator account exposes that same capability to an attacker. Viewing sensitive data, exporting application logs, and installing open-licensed software are also risks, but read-only users can already view the data by design, and the other two are consequences of the broad change capability rather than risks of comparable severity. The practical remedy is least privilege: restrict administrator rights to the few users whose duties require them and review the grants periodically.
Reference: ISACA CISA Review Manual 27th Edition Chapter 4
An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology.
What is the MOST important criterion for the makeup of this committee?
- A . Senior management representation
- B . Ability to meet the time commitment required
- C . Agile project management experience
- D . ERP implementation experience
Email required for business purposes is being stored on employees’ personal devices.
Which of the following is an IS auditor’s BEST recommendation?
- A . Require employees to utilize passwords on personal devices
- B . Prohibit employees from storing company email on personal devices
- C . Ensure antivirus protection is installed on personal devices
- D . Implement an email containerization solution on personal devices
D
Explanation:
Implementing an email containerization solution on personal devices is the best recommendation for an IS auditor, because it allows the organization to separate and secure the email data from the rest of the device data. Email containerization creates an encrypted, isolated container for corporate email on the device, preventing unauthorized access, leakage, or loss of sensitive information, and it typically lets the organization wipe only that container when the employee leaves, without touching personal data [1][2]. Requiring passwords or antivirus protection on personal devices may not be sufficient or enforceable by the organization, while prohibiting employees from storing company email on personal devices may not be feasible or practical when email is required for business purposes.
Reference: [1] CISA Review Manual (Digital Version), Chapter 5, Section 5.4.3; [2] CISA Online Review Course, Module 5, Lesson 4
Which of the following is the GREATEST advantage of maintaining an internal IS audit function within an organization?
- A . Increased independence and impartiality of recommendations
- B . Better understanding of the business and processes
- C . Ability to negotiate recommendations with management
- D . Increased IS audit staff visibility and availability throughout the year
In an area susceptible to unexpected increases in electrical power, which of the following would MOST effectively protect the system?
- A . Generator
- B . Voltage regulator
- C . Circuit breaker
- D . Alternate power supply line
An organization is planning to implement a control self-assessment (CSA) program for selected business processes.
Which of the following should be the role of the internal audit team for this program?
- A . Perform testing to validate the accuracy of management’s self-assessment.
- B . Advise management on the self-assessment process.
- C . Design testing procedures for management to assess process controls effectively.
- D . De-scope business processes to be covered by CSAs from future audit plans.
A
Explanation:
The internal audit team's role in a control self-assessment (CSA) program is to independently validate management's assessment, so that the self-assessment is accurate and effective.
- A (correct): Perform testing to validate the accuracy of management's self-assessment. This ensures the self-assessments are reliable and comply with policies; for example, internal audit conducts sample tests to verify self-reported compliance.
- B (incorrect): Advise management on the self-assessment process. The audit team reviews management's assessment rather than advising on it.
- C (incorrect): Design testing procedures for management. Management should design the CSA procedures, not the auditors.
- D (incorrect): De-scope business processes covered by CSAs from future audit plans. Internal audit should not reduce its audit scope because CSAs are in place.
Reference: ISACA CISA Review Manual
COBIT 2019: Control Self-Assessment
Which of the following would an IS auditor find to be the GREATEST risk associated with the server room in a remote office location?
- A . The server room is secured by a key lock instead of an electronic lock.
- B . The server room’s location is known by people who work in the area.
- C . The server room does not have temperature controls.
- D . The server room does not have biometric controls.
Which of the following would BEST facilitate the successful implementation of an IT-related framework?
- A . Aligning the framework to industry best practices
- B . Establishing committees to support and oversee framework activities
- C . Involving appropriate business representation within the framework
- D . Documenting IT-related policies and procedures
