Practice Free CISA Exam Online Questions
Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
- A . Message encryption
- B . Certificate authority (CA)
- C . Steganography
- D . Message digest
D
Explanation:
The most effective way to ensure the integrity of data transmitted over a network is to use a message digest. A message digest is a cryptographic hash function that produces a fixed-length value (a hash or checksum) from an input of any length; any change to the input, even a single bit, produces a different digest. The sender computes the digest over the data, and the receiver recomputes it over the data actually received and compares the two values; a mismatch shows that the data was altered or corrupted in transit. In practice the digest must itself be protected, either with a keyed hash (HMAC) or with a digital signature, because an attacker who can modify the message in transit can also recompute and replace an unkeyed digest. Message encryption protects the confidentiality of data transmitted over a network by transforming it into an unreadable form using a secret key. Encryption does not by itself ensure integrity: ciphertext can be modified without detection unless an authenticated encryption mode or a separate integrity check is used. A certificate authority (CA) is an entity that issues and manages digital certificates that bind public keys to identities; a CA supports authentication of keys but does not prevent or detect modification of transmitted data. Steganography is a technique for hiding data within other data, such as images or audio files; it conceals the existence of a message and does nothing to detect unauthorized modification.
Reference: CISA Review Manual, 27th Edition, pages 383-384
CISA Review Questions, Answers & Explanations Database, Question ID: 258
Which of the following recommendations would BEST prevent the implementation of IT projects without collaborating with the business?
- A . Partner with the business units to evaluate IT projects.
- B . Review the projects to identify similarities and eliminate duplication.
- C . Periodically review the projects’ return on investment (ROI).
- D . Prioritize projects based on business and IT resource availability.
During an ongoing audit, management requests a briefing on the findings to date.
Which of the following is the IS auditor’s BEST course of action?
- A . Review working papers with the auditee.
- B . Request the auditee provide management responses.
- C . Request management wait until a final report is ready for discussion.
- D . Present observations for discussion only.
D
Explanation:
The IS auditor’s best course of action in this situation is to present observations for discussion only. Observations are factual statements or findings that are based on the audit evidence collected and analyzed during the audit. Observations can be presented to management for discussion and feedback, but they should not be considered as final conclusions or recommendations until the audit is completed and the audit report is issued. The other options are not appropriate for presenting the findings to date, as they may compromise the audit quality or integrity. Reviewing working papers with the auditee is not advisable, as working papers are confidential documents that contain the auditor’s notes, calculations, and opinions that may not be relevant or accurate for management’s review. Requesting the auditee provide management responses is premature, as management responses should be obtained after the audit report is issued and the audit findings and recommendations are finalized. Requesting management wait until a final report is ready for discussion is impractical, as management may have a legitimate interest or need to know the audit progress and results as soon as possible.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.3
Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?
- A . Error log review
- B . Total number of items
- C . Hash totals
- D . Aggregate monetary amount
C
Explanation:
Hash totals are a control technique used to ensure data integrity during batch processing. A hash total is a calculated value based on the data in a batch. This value is compared to a pre-calculated hash total to confirm that all data has been processed correctly and without alteration.
Reference
ISACA CISA Review Manual (27th Edition): Hash totals are discussed within the context of batch processing controls.
Other Auditing Resources: Hash totals are a fundamental control technique discussed in various audit and information security publications.
In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:
- A . integrated test facility (ITF).
- B . parallel simulation.
- C . transaction tagging.
- D . embedded audit modules.
D
Explanation:
Embedded audit modules (EAMs), also known as the systems control audit review file (SCARF) technique, are audit routines built into the application itself. They examine transactions as the application processes them, select those that meet predefined audit criteria (for example, amounts above a materiality threshold, transactions outside business hours, or exceptions to edit checks) and write them to a log file for later auditor review. Because the module runs on every transaction as it is processed and does not require auditors to submit test data or to re-run processing, it is the most effective way to continuously monitor and analyze transaction processing in a high-volume, real-time system. An integrated test facility (ITF) processes fictitious test transactions through the live system, and parallel simulation reprocesses production data through auditor-written software; both verify processing at a point in time rather than monitoring it continuously. Transaction tagging marks selected transactions so that they can be traced through each processing step; it supports tracing of individual transactions (often combined with the snapshot technique) rather than continuous monitoring of all processing.
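As an added example (not code from the CISA Review Manual or from ISACA), the following Python shows the shape of an embedded audit module: an audit hook sits inside the application's posting path, evaluates every transaction against predefined criteria as it is processed, and writes the selected ones to a SCARF-style log. The transactions, rule names, threshold and business-hours window are constructed for this illustration.

```python
"""Embedded audit module (SCARF-style) hooked into a transaction processor.

Added example, not from the CISA Review Manual. The transactions, rules and
thresholds below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: float
    entered_by: str
    approved_by: str
    timestamp: datetime


# Each audit criterion is a predicate; True means "select this transaction".
AuditRule = Callable[[Transaction], bool]

AUDIT_RULES: Dict[str, AuditRule] = {
    # Hypothetical materiality threshold chosen for this illustration.
    "amount_over_10000": lambda t: t.amount > 10_000,
    # Segregation-of-duties check: the same person entered and approved.
    "self_approved": lambda t: t.entered_by == t.approved_by,
    # Outside a notional 08:00-18:00 business window.
    "outside_business_hours": lambda t: not (8 <= t.timestamp.hour < 18),
}


@dataclass
class ScarfLog:
    """The systems control audit review file that the module writes to."""
    entries: List[dict] = field(default_factory=list)

    def record(self, txn: Transaction, hits: List[str]) -> None:
        self.entries.append({"txn_id": txn.txn_id, "rules": hits,
                             "amount": txn.amount, "account": txn.account})


def embedded_audit_hook(txn: Transaction, log: ScarfLog) -> List[str]:
    """Evaluate one transaction against every rule; log it if any rule fires."""
    hits = [name for name, rule in AUDIT_RULES.items() if rule(txn)]
    if hits:
        log.record(txn, hits)
    return hits


def post_transaction(txn: Transaction, ledger: Dict[str, float],
                     log: ScarfLog) -> None:
    """Normal application processing with the audit hook embedded in the path."""
    embedded_audit_hook(txn, log)   # runs on every transaction, in real time
    ledger[txn.account] = ledger.get(txn.account, 0.0) + txn.amount


def run_batch(txns: List[Transaction]) -> ScarfLog:
    """Post a list of transactions and return the audit log produced."""
    ledger: Dict[str, float] = {}
    log = ScarfLog()
    for t in txns:
        post_transaction(t, ledger, log)
    return log


# Constructed sample transactions (not real data).
SAMPLE = [
    Transaction("T1", "ACC-100", 250.00, "alice", "bob", datetime(2024, 3, 4, 10, 15)),
    Transaction("T2", "ACC-200", 15_000.00, "alice", "bob", datetime(2024, 3, 4, 11, 0)),
    Transaction("T3", "ACC-100", 90.00, "carol", "carol", datetime(2024, 3, 4, 23, 40)),
    Transaction("T4", "ACC-300", 4_000.00, "dave", "erin", datetime(2024, 3, 4, 14, 5)),
]

if __name__ == "__main__":
    for entry in run_batch(SAMPLE).entries:
        print(entry)
```

Only T2 (over the threshold) and T3 (self-approved and after hours) reach the log; the other transactions are posted without any auditor involvement, which is what makes the technique workable at volume. The auditor reviews the log, not the transaction stream.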
How does public key infrastructure (PKI) help to verify that a digitally signed document is not a forgery?
- A . By decrypting the signature with the signer’s public key
- B . By verifying the signature with the signer’s private key
- C . By checking the signature against the receiver’s public key
- D . By checking the signed document’s audit history
A
Explanation:
In PKI, when a document is digitally signed:
The signer computes a hash of the document and applies their private key to that hash; the result is the signature.
The recipient recovers the hash from the signature using the signer’s public key, obtained from a certificate in which a trusted certificate authority has bound that key to the signer’s identity.
If the recovered hash matches the hash the recipient computes over the received document, the document is authentic (it was signed by the holder of the private key) and unaltered.
Option A: Correct ― verification is done with the public key.
Option B: Incorrect ― the private key is only used to sign, not verify.
Option C: Wrong ― the receiver’s public key is irrelevant.
Option D: Not applicable ― audit history is not part of PKI validation.
Reference: ISACA CISA Review Manual 27th Edition, Domain 5, section on PKI and digital signatures.
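The following Python is an added example, not code from the CISA Review Manual or ISACA, and it serves both the message digest question earlier on this page and the digital signature question above. It shows the receiver-side digest comparison that detects alteration in transit, why an unkeyed digest can simply be recomputed by an attacker who can change the message, and how a signature (private key to sign, public key to verify) closes that gap. The RSA key is a toy built from two hard-coded Mersenne primes with no padding and is an assumption for illustration only; real deployments use 2048-bit or larger keys with PKCS#1 PSS or similar padding, and the message text is constructed.

```python
"""Message digest for integrity, and the digital signature that protects it.

Added example, not from the CISA Review Manual. The toy RSA key below uses
two hard-coded Mersenne primes and no padding; it is for illustration only.
"""
import hashlib
import hmac
from typing import Tuple


def message_digest(data: bytes) -> str:
    """Fixed-length SHA-256 digest; any change to data changes the digest."""
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, digest: str) -> bool:
    """Receiver-side check: recompute over the received data and compare."""
    return hmac.compare_digest(message_digest(data), digest)


def mitm_replaces_digest(data: bytes, new_data: bytes) -> Tuple[bytes, str]:
    """An attacker who can alter the message can recompute an unkeyed digest,
    so the receiver's comparison passes even though the content changed."""
    return new_data, message_digest(new_data)


# --- Toy RSA key pair (constructed; NOT a secure key size) ----------------
_P = 2 ** 61 - 1                     # Mersenne prime
_Q = 2 ** 89 - 1                     # Mersenne prime
N = _P * _Q                          # public modulus (~150 bits)
E = 65537                            # public exponent
D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent


def _hash_as_int(data: bytes, n: int) -> int:
    # Real RSA signatures pad the hash; reducing mod n is a toy shortcut.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Signer: hash the data, then apply the private key to the hash."""
    return pow(_hash_as_int(data, n), d, n)


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Verifier: apply the signer's public key to recover the signed hash and
    compare it with the hash of the data actually received."""
    return pow(signature, e, n) == _hash_as_int(data, n)


MESSAGE = b"Transfer 100.00 to account 4411"   # constructed sample message
TAMPERED = b"Transfer 900.00 to account 4411"  # one field altered in transit

if __name__ == "__main__":
    d = message_digest(MESSAGE)
    print("digest check, intact:      ", digest_matches(MESSAGE, d))
    print("digest check, tampered:    ", digest_matches(TAMPERED, d))
    data, d2 = mitm_replaces_digest(MESSAGE, TAMPERED)
    print("digest check, MITM replaced:", digest_matches(data, d2))
    sig = sign(MESSAGE)
    print("signature check, intact:   ", verify(MESSAGE, sig))
    print("signature check, tampered: ", verify(TAMPERED, sig))
```

The third print line is the point of the exercise: the digest comparison passes after the attacker recomputes it, whereas the signature fails on the tampered document because the attacker cannot produce a value that the signer's public key maps back to the new hash without the private key. Note that `verify` takes the signer's public key, never the receiver's, which is why option C in the question is wrong.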
Which of the following statements appearing in an organization’s acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?
- A . Any information assets transmitted over a public network must be approved by executive management.
- B . All information assets must be encrypted when stored on the organization’s systems.
- C . Information assets should only be accessed by persons with a justified need.
- D . All information assets will be assigned a clearly defined level to facilitate proper employee handling.
Which of the following is a PRIMARY responsibility of a quality assurance (QA) team?
- A . Creating test data to facilitate the user acceptance testing (UAT) process
- B . Managing employee onboarding processes and background checks
- C . Advising the steering committee on quality management issues and remediation efforts
- D . Implementing procedures to facilitate adoption of quality management best practices
D
Explanation:
A quality assurance (QA) team is a group of professionals who are responsible for ensuring that the products or services of an organization meet the quality standards and expectations of customers and stakeholders.
A QA team performs various activities, such as:
Planning, designing, and executing quality tests and audits to verify the quality of the products or services
Identifying, analyzing, and reporting quality issues, defects, or non-conformities
Recommending and implementing corrective and preventive actions to resolve quality problems and prevent recurrence
Monitoring and measuring the effectiveness and efficiency of the quality processes and improvements
Establishing and maintaining quality documentation, records, and reports
Providing quality training, guidance, and support to the staff and management
One of the primary responsibilities of a QA team is to implement procedures to facilitate adoption of quality management best practices. Quality management best practices are the methods, techniques, or tools that have been proven to be effective in achieving and maintaining high-quality standards in an organization.
Some examples of quality management best practices are:
Adopting a customer-focused approach that aims to meet or exceed customer requirements and satisfaction
Implementing a process approach that manages the interrelated activities as a coherent system
Applying continuous improvement methods that seek to enhance the performance and value of the products or services
Using evidence-based decision making that relies on factual data and information
Developing a culture of engagement and empowerment that involves and motivates the people in the organization
By implementing procedures to facilitate adoption of quality management best practices, a QA team can help the organization achieve the following benefits:
Improve the quality and reliability of the products or services
Reduce the costs and risks associated with poor quality or non-compliance
Increase customer loyalty and retention
Enhance the reputation and competitiveness of the organization
Foster a culture of excellence and innovation in the organization
The other options are not primary responsibilities of a QA team. Creating test data to facilitate the user acceptance testing (UAT) process is a task that can be performed by a QA team, but it is not their main duty. UAT is a process in which the end users test the product or service to ensure that it meets their needs and expectations before it is released or deployed. A QA team can create test data to simulate real-world scenarios and conditions for UAT, but they are not directly involved in conducting UAT. Managing employee onboarding processes and background checks is not a responsibility of a QA team. Employee onboarding is a process in which new hires are integrated into the organization, while background checks are screenings that verify the identity, credentials, and history of potential employees. These processes are usually handled by the human resources department or an external agency, not by a QA team. Advising the steering committee on quality management issues and remediation efforts is not a primary responsibility of a QA team. A steering committee is a group of senior executives or managers who provide strategic direction, oversight, and support for a project or program. A QA team can advise the steering committee on quality management issues and remediation efforts, but they are not accountable for making decisions or implementing actions. Therefore, option D is the correct answer.
References:
Quality Assurance Team: Roles & Responsibilities
What are the Best Practices in Quality Management?
User Acceptance Testing (UAT): A Complete Guide
Employee Onboarding Process: Definition & Best Practices
What Is A Steering Committee? – The Basics
An IS auditor determines that the vendor’s deliverables do not include the source code for a newly acquired product.
To address this issue, which of the following should the auditor recommend be included in the contract?
- A . Confidentiality and data protection clauses
- B . Service level agreement (SLA)
- C . Software escrow agreement
- D . Right-to-audit clause
C
Explanation:
The correct answer is C, software escrow agreement. A software escrow agreement is a legal arrangement between three parties: the software developer (licensor), the end user (licensee), and an escrow agent. Under the agreement, the software’s source code and related materials (build instructions, dependencies, and documentation) are deposited with the escrow agent and released to the licensee under defined trigger conditions, such as the licensor’s bankruptcy or insolvency, or its failure to provide support or maintenance. This gives the licensee continuity for software it depends on and protects it from losing the ability to maintain or fix the product if the vendor fails or a dispute arises. The contract should also require that the deposit be updated with each release and periodically verified (for example, by confirming that the escrowed source builds into the binaries actually delivered), since an outdated or incomplete deposit is of little use when a trigger event occurs. Confidentiality and data protection clauses, a service level agreement, and a right-to-audit clause are all worthwhile contract terms, but none of them gives the organization access to the source code.
The use of control totals satisfies which of the following control objectives?
- A . Transaction integrity
- B . Processing integrity
- C . Distribution control
- D . System recoverability
B
Explanation:
The use of control totals satisfies the control objective of processing integrity. Processing integrity refers to the accuracy, completeness, timeliness, and validity of data processing. Control totals are a method of verifying the correctness of data processing by comparing the total value or count of a batch of transactions before and after processing. For example, if a batch of 100 invoices is entered into an accounting system, the total amount and number of invoices should match before and after processing. If there is a discrepancy, it indicates an error in data entry, transmission, or processing. Control totals help to ensure that no transactions are lost, duplicated, or altered during processing.
References:
Control Objectives & Activities: Examples, Appropriateness Levels and Types of Control | Principles of Management
CISA Review Manual 27th Edition, page 337
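As an added example that is not from the CISA Review Manual, the following Python works through the batch control totals discussed here and in the hash totals question earlier on this page: a record count, a financial (amount) total and a hash total are computed over the input batch and again after posting, and any total that no longer agrees points to a processing error. The batch records and the simulated processing faults are constructed for illustration; the last case deliberately shows a fault that control totals cannot catch.

```python
"""Batch control totals: record count, financial total and hash total.

Added example, not from the CISA Review Manual. The batch records and the
simulated processing faults below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Invoice:
    invoice_no: int
    account_no: int      # non-monetary key field used for the hash total
    amount_cents: int    # money kept in integer cents to avoid float drift


def control_totals(batch: List[Invoice]) -> Dict[str, int]:
    """Totals computed at input and again after processing."""
    return {
        "record_count": len(batch),
        "amount_total": sum(i.amount_cents for i in batch),
        # A hash total is a sum over a field whose sum has no business
        # meaning; it catches substituted or altered keys that counts and
        # money totals miss.
        "hash_total": sum(i.account_no for i in batch),
    }


def reconcile(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """Names of the totals that do not agree; an empty list means balanced."""
    return [k for k in before if before[k] != after.get(k)]


# --- simulated processing outcomes -----------------------------------------
def post_ok(batch: List[Invoice]) -> List[Invoice]:
    return list(batch)


def post_drops_last(batch: List[Invoice]) -> List[Invoice]:
    return batch[:-1]                       # a record lost during posting


def post_duplicates_first(batch: List[Invoice]) -> List[Invoice]:
    return [batch[0]] + batch               # a record posted twice


def post_alters_account(batch: List[Invoice]) -> List[Invoice]:
    # Same count, same money, different account: only the hash total catches it.
    b = list(batch)
    b[1] = Invoice(b[1].invoice_no, b[1].account_no + 1, b[1].amount_cents)
    return b


def post_swaps_amounts(batch: List[Invoice]) -> List[Invoice]:
    # Amount moved between two records: count, money and hash totals all still
    # balance, so control totals alone do NOT detect this (a known limitation).
    b = list(batch)
    b[0], b[1] = (Invoice(b[0].invoice_no, b[0].account_no, b[1].amount_cents),
                  Invoice(b[1].invoice_no, b[1].account_no, b[0].amount_cents))
    return b


# Constructed input batch (not real data).
INPUT_BATCH = [
    Invoice(1001, 4411, 12_500),
    Invoice(1002, 4412, 9_999),
    Invoice(1003, 7001, 150_000),
]


def check_run(process: Callable[[List[Invoice]], List[Invoice]]) -> List[str]:
    """Run one simulated posting and report which control totals broke."""
    before = control_totals(INPUT_BATCH)
    after = control_totals(process(INPUT_BATCH))
    return reconcile(before, after)


if __name__ == "__main__":
    for fn in (post_ok, post_drops_last, post_duplicates_first,
               post_alters_account, post_swaps_amounts):
        print(f"{fn.__name__:22s} -> {check_run(fn) or 'balanced'}")
```

The output shows why auditors confirm batch processing with hash totals rather than counts or amounts alone: a dropped or duplicated record breaks all three totals, an altered account number breaks only the hash total, and an amount swapped between two records breaks none of them, which is the case where record-level reconciliation or a sequence check is still needed.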
