Practice Free CISA Exam Online Questions
An IS auditor is evaluating the progress of a web-based customer service application development project.
Which of the following would be MOST helpful for this evaluation?
- A . Backlog consumption reports
- B . Critical path analysis reports
- C . Developer status reports
- D . Change management logs
A
Explanation:
A backlog consumption report (in agile projects, the burn-down chart) shows how much of the planned work has been completed and how much remains in the product or sprint backlog, plotted against the time available. For a web-based customer service application built in iterations, it is the most direct measure of progress: it shows whether the project is on track, ahead of or behind schedule, and how much effort is still required to finish, and a flattening burn-down surfaces delivery problems and emerging risks early. Critical path analysis reports, developer status reports and change management logs are also useful inputs, but none gives the same overall picture of completion rate and remaining work: critical path analysis shows schedule dependencies rather than work completed, developer status reports are self-reported and narrow in scope, and change management logs record changes to the product, not progress toward finishing it.
Reference: Backlog Consumption Report (definition)
Backlog Consumption Report | ISACA
What would be an IS auditor’s BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?
- A . Ensure the open issues are retained in the audit results.
- B . Terminate the follow-up because open issues are not resolved.
- C . Recommend compensating controls for open issues.
- D . Evaluate the residual risk due to open issues.
D
Explanation:
The best course of action when an auditee has not closed all audit recommendations by the time of the follow-up audit is to evaluate the residual risk of the open issues. Residual risk is the risk that remains after controls and mitigating actions have been implemented. Evaluating it tells the IS auditor how much exposure the unaddressed findings still represent (the likelihood and impact of the threats and vulnerabilities they leave open, given whatever controls are already in place), which is what senior management and the audit committee need in order to prioritize remediation, accept the risk explicitly, or escalate.
Retaining the open issues in the audit results (option A) is necessary, since it documents the status of each recommendation and gives future follow-ups a baseline, but recording an issue is not the same as assessing what it means; without the residual risk evaluation, management cannot judge how urgent the open items are.
Terminating the follow-up because open issues remain (option B) is not appropriate. Open findings are exactly what the follow-up exists to track; the auditor should report them, with their residual risk, and keep them open until they are remediated or the risk is formally accepted, escalating to management or the audit committee where the auditee is not making progress.
Recommending compensating controls (option C) can be appropriate when the original recommendation cannot be implemented because of technical, operational or financial constraints and an alternative control provides an equivalent level of assurance. It is not the first step, however: deciding whether compensating controls are needed, and whether a proposed control is sufficient, depends on having evaluated the residual risk of the open issue first. Selecting and implementing controls also remains management's responsibility; the auditor's role is to assess the risk and report it.
Reference: Follow-up Audits – Canadian Audit and Accountability Foundation
Conducting The Audit Follow-Up: When To Verify – The Auditor
Internal Audit Follow Ups: Are They Really Worth The Effort
Which of the following is the PRIMARY function of a data loss prevention (DLP) policy when implemented in an organization’s DLP solution?
- A . To encrypt sensitive data at rest and in transit
- B . To define rules for monitoring and protecting sensitive data
- C . To define rules and baselines for network performance
- D . To detect and block incoming network traffic
An IS auditor wants to inspect recent events in a system to observe failed authentications and password changes.
Which of the following is the MOST appropriate method to use for this purpose?
- A . Penetration testing
- B . Authenticated scanning
- C . Change management records
- D . System log review
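Reviewing a system's logs for failed authentications and password changes, as an added example that is not part of the original page: the code parses a constructed sample of Linux auth.log lines in the OpenSSH and pam_unix message formats, tallies failed logins by source address and by account, lists password changes in order, and raises the two findings an auditor would follow up with the auditee (a source that exceeds a failure threshold, and an account whose password changed after earlier failed logins). The sample lines, the host name, the RFC 5737 documentation addresses and the threshold of three failures are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of Linux auth.log lines for the demonstration; these are
// not real records (RFC 5737 documentation addresses are used as sources).
var sampleAuthLog = `Mar  3 09:14:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 09:14:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar  3 09:14:09 web01 sshd[2214]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 09:15:40 web01 sshd[2230]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Mar  3 09:20:11 web01 sshd[2250]: Failed password for alice from 198.51.100.23 port 44012 ssh2
Mar  3 09:21:02 web01 passwd[2260]: pam_unix(passwd:chauthtok): password changed for alice
Mar  3 10:02:33 web01 passwd[2302]: pam_unix(passwd:chauthtok): password changed for bob
Mar  3 10:05:00 web01 sshd[2310]: Failed password for root from 203.0.113.9 port 51100 ssh2`

// AuthEvent is one event of interest extracted from the log.
type AuthEvent struct {
	Time   string // syslog timestamp as written
	Kind   string // "failed_auth" or "password_change"
	User   string
	Source string // remote address for failed_auth; empty for a local password change
}

// Patterns follow the OpenSSH and pam_unix message formats; other PAM modules
// or distributions may word these lines differently.
var (
	failedRe = regexp.MustCompile(`^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)
	chauthRe = regexp.MustCompile(`^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (\S+)`)
)

// ParseAuthLog keeps only failed authentications and password changes.
func ParseAuthLog(log string) []AuthEvent {
	var events []AuthEvent
	for _, line := range strings.Split(log, "\n") {
		if m := failedRe.FindStringSubmatch(line); m != nil {
			events = append(events, AuthEvent{Time: m[1], Kind: "failed_auth", User: m[2], Source: m[3]})
			continue
		}
		if m := chauthRe.FindStringSubmatch(line); m != nil {
			events = append(events, AuthEvent{Time: m[1], Kind: "password_change", User: m[2]})
		}
	}
	return events
}

// Review is the auditor's working summary of the log.
type Review struct {
	FailedBySource  map[string]int
	FailedByUser    map[string]int
	PasswordChanges []string // users whose password changed, in log order
	Findings        []string // observations to follow up with the auditee
}

// ReviewAuthLog tallies the events and raises two kinds of finding: a source
// at or above the failure threshold (password guessing), and a password change
// for an account that had failed logins earlier in the period.
func ReviewAuthLog(log string, failureThreshold int) Review {
	r := Review{FailedBySource: map[string]int{}, FailedByUser: map[string]int{}}
	failedBefore := map[string]bool{}
	for _, e := range ParseAuthLog(log) {
		switch e.Kind {
		case "failed_auth":
			r.FailedBySource[e.Source]++
			r.FailedByUser[e.User]++
			failedBefore[e.User] = true
		case "password_change":
			r.PasswordChanges = append(r.PasswordChanges, e.User)
			if failedBefore[e.User] {
				r.Findings = append(r.Findings, fmt.Sprintf(
					"%s: password for %q changed after earlier failed logins; confirm the change was made by the account owner", e.Time, e.User))
			}
		}
	}
	sources := make([]string, 0, len(r.FailedBySource))
	for s := range r.FailedBySource {
		sources = append(sources, s)
	}
	sort.Strings(sources) // deterministic report order
	for _, s := range sources {
		if n := r.FailedBySource[s]; n >= failureThreshold {
			r.Findings = append(r.Findings, fmt.Sprintf(
				"source %s: %d failed authentications (threshold %d); possible password guessing", s, n, failureThreshold))
		}
	}
	return r
}

func main() {
	r := ReviewAuthLog(sampleAuthLog, 3)
	fmt.Println("failed authentications by source:", r.FailedBySource)
	fmt.Println("failed authentications by user:  ", r.FailedByUser)
	fmt.Println("password changes:", r.PasswordChanges)
	for _, f := range r.Findings {
		fmt.Println("finding:", f)
	}
}
```

On real systems the same review would read `/var/log/auth.log` or `journalctl -u ssh`, and the successful "Accepted" lines deliberately ignored here are the other half of the picture: a failure burst followed by an accepted login from the same source is the pattern to look for.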
Which of the following BEST demonstrates alignment of the IT department with the corporate mission?
- A . Analysis of IT department functionality
- B . Biweekly reporting to senior management
- C . Annual board meetings
- D . Quarterly steering committee meetings
D
Explanation:
Quarterly steering committee meetings best demonstrate alignment of the IT department with the corporate mission because they provide a regular forum for strategic planning, decision making, and communication between IT leaders and business stakeholders [1][2]. Steering committee meetings help to ensure that IT goals and initiatives are aligned with the business vision, mission, and objectives, and that IT performance and value are monitored and evaluated [3][4].
Reference
1: IT Governance and the Balanced Scorecard – ISACA Journal
2: IT Steering Committee Best Practices: A Recipe for Success
3: What is IT Governance? – Definition from Techopedia
4: CISA Cybersecurity Strategic Plan | CISA
An IS auditor is reviewing an organization’s incident management processes.
Which of the following observations should be the auditor’s GREATEST concern?
- A . Ineffective incident detection
- B . Ineffective incident dashboard
- C . Ineffective incident classification
- D . Ineffective post-incident review
A
Explanation:
Ineffective incident detection is the greatest concern because early detection is what limits the damage from a security incident. If incidents are not detected promptly, attackers can operate in the environment for extended periods before any response begins, and every later step of the process (classification, dashboards, post-incident review) works only on the incidents that detection has surfaced.
Ineffective incident detection (correct answer: A)
Leads to delayed response and increased potential damage.
Example: a company fails to detect a ransomware intrusion for several days, allowing the attackers to spread through the network and encrypt or exfiltrate far more data than an early alert would have permitted.
Ineffective incident dashboard (incorrect: B)
A dashboard helps visualize incidents that have been recorded but does not affect whether they are detected.
Ineffective incident classification (incorrect: C)
Important for prioritizing the response, but misclassification is a secondary issue if the incident was never detected.
Ineffective post-incident review (incorrect: D)
Affects future improvements to the process but does not change the immediate response.
Reference: ISACA CISA Review Manual
NIST SP 800-61, Computer Security Incident Handling Guide
An organization is concerned with meeting new regulations for protecting data confidentiality and asks an IS auditor to evaluate their procedures for transporting data.
Which of the following would BEST support the organization’s objectives?
- A . Cryptographic hashes
- B . Virtual local area network (VLAN)
- C . Encryption
- D . Dedicated lines
C
Explanation:
The best option to support the organization's objective of protecting data confidentiality while transporting data is encryption. Encryption transforms data into an unreadable form using a secret key, so that only parties holding the key can recover the original data. It protects the confidentiality of data in transit because an eavesdropper who intercepts the traffic obtains only ciphertext. Encryption on its own does not stop interception or modification; that is why transport protections such as TLS combine encryption with authentication of the data (for example AES-GCM), so that tampering is detected as well as disclosure prevented. Encrypting data in transit is also a standard expectation of data protection regulations such as the GDPR and HIPAA.
The other options do not protect confidentiality in transit. Cryptographic hashes are one-way functions that produce a fixed-length digest of the input; they are used to verify integrity (and, combined with a key as an HMAC, authenticity), but the data itself still travels in clear text, so anyone intercepting it can read it. A virtual local area network (VLAN) is a logical grouping of ports or devices into one broadcast domain; it segments traffic within the organization's own switching infrastructure but encrypts nothing, and it offers no protection once the data leaves that infrastructure or if an attacker gains access to the segment. Dedicated lines are physical or carrier-provisioned connections reserved for one customer; they reduce exposure compared with the public internet and offer predictable bandwidth and reliability, but the data still crosses the carrier's equipment in clear text and remains readable to anyone able to tap the line.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 247 [1]
ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription [2]
Data Security and Confidentiality Guidelines – Centers for Disease Control and Prevention [3]
Information Security | Confidentiality – GeeksforGeeks [4]
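To make the contrast between a hash and encryption concrete, an added example that is not from the page or its cited sources: a hash-and-send scheme (option A) leaves the record readable on the wire and verifies just as well after an attacker alters the record and recomputes the unkeyed hash, while AES-256-GCM from Go's standard library hides the record and rejects any change to the ciphertext, the key or the associated data. The sample record, the key handling in main and the transfer identifier used as associated data are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample record for the demonstration; not real customer data.
var sampleRecord = []byte("customer=4711;ssn=000-00-0000;diagnosis=confidential")

// HashForIntegrity builds what an integrity-only scheme sends: the record
// itself followed by its SHA-256 digest. The record travels in clear text.
func HashForIntegrity(record []byte) []byte {
	digest := sha256.Sum256(record)
	return append(append([]byte{}, record...), digest[:]...)
}

// VerifyHash splits the wire format and recomputes the digest. It catches
// accidental corruption, but an attacker who alters the record can simply
// recompute the unkeyed hash, so it gives neither confidentiality nor
// protection against deliberate modification.
func VerifyHash(wire []byte) (record []byte, ok bool) {
	if len(wire) < sha256.Size {
		return nil, false
	}
	record, got := wire[:len(wire)-sha256.Size], wire[len(wire)-sha256.Size:]
	want := sha256.Sum256(record)
	return record, bytes.Equal(got, want[:])
}

// Seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (for example a transfer identifier) is authenticated but not encrypted.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag, key or aad fails.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// Exposed reports whether an eavesdropper on the path can read the record
// verbatim from what was transmitted.
func Exposed(wire, record []byte) bool {
	return bytes.Contains(wire, record)
}

func main() {
	key := make([]byte, 32) // in practice negotiated (TLS) or supplied by a key management system
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aad := []byte("transfer-id=17")

	hashed := HashForIntegrity(sampleRecord)
	fmt.Println("hash only, record readable on the wire:", Exposed(hashed, sampleRecord))

	sealed, err := Seal(key, sampleRecord, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("AES-GCM, record readable on the wire:  ", Exposed(sealed, sampleRecord))

	sealed[len(sealed)-1] ^= 0x01 // an attacker flips one bit in transit
	_, err = Open(key, sealed, aad)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The design point for an auditor: confidentiality comes from the key, not from the algorithm being secret, so the review should cover how keys are generated, distributed and rotated, and should confirm that an authenticated mode (GCM, or encrypt-then-MAC) is in use rather than encryption with no integrity check.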
Which type of device sits on the perimeter of a corporate or home network, where it obtains a public IP address and then generates private IP addresses internally?
- A . Switch
- B . Intrusion prevention system (IPS)
- C . Gateway
- D . Router
D
Explanation:
A router is the device that sits on the perimeter of a corporate or home network: its external interface obtains a public IP address (typically from the internet service provider) and it assigns private IP addresses from the RFC 1918 ranges to internal hosts, usually through its built-in DHCP server. A router connects two or more networks and forwards packets between them based on routing rules. Perimeter routers of this kind also perform network address translation (NAT), rewriting the private source addresses of outbound traffic to the single public address so that many internal devices can share it; inbound packets with no matching translation entry are dropped, which gives some incidental protection but is not a substitute for a firewall. A switch connects multiple devices within one network and forwards frames based on MAC addresses. An intrusion prevention system (IPS) inspects network traffic and blocks or modifies malicious packets based on predefined rules. A gateway is a general term for a device that interfaces between different networks or protocols, such as a modem or a firewall, and is broader than what the question describes.
Reference: CISA Review Manual (Digital Version), ISACA Glossary of Terms
Which of the following is the BEST performance indicator for the effectiveness of an incident management program?
- A . Average time between incidents
- B . Incident alert meantime
- C . Number of incidents reported
- D . Incident resolution meantime
D
Explanation:
The best performance indicator for the effectiveness of an incident management program is the incident resolution mean time (mean time to resolve, MTTR): the average time from the moment an incident is reported to the moment it is closed. It reflects how quickly and efficiently the incident management team restores normal service, and therefore how well the program limits the impact of incidents on business operations and customer satisfaction, which is what the program exists to do.
The average time between incidents (option A) is not a good performance indicator for the effectiveness of an incident management program, as it does not measure how well the incidents are handled or resolved. It only shows how frequently the incidents occur, which may depend on various factors beyond the control of the incident management team, such as the complexity and reliability of the systems, the security threats and vulnerabilities, and the user behavior and expectations.
The incident alert meantime (option B) is the average time it takes to detect and report an incident. While this is an important metric for measuring the responsiveness and awareness of the incident management team, it does not indicate how effective the incident management program is in resolving the incidents and restoring normal service.
The number of incidents reported (option C) is also not a good performance indicator for the effectiveness of an incident management program, as it does not reflect how well the incidents are handled or resolved. It only shows how many incidents are identified and recorded, which may vary depending on the reporting channels, tools, and procedures used by the incident management team and the users.
Therefore, option D is the correct answer.
Reference: Incident Management: Processes, Best Practices & Tools – Atlassian.
What is backup and disaster recovery? | IBM
Which of the following should be used as the PRIMARY basis for prioritizing IT projects and initiatives?
- A . Estimated cost and time
- B . Level of risk reduction
- C . Expected business value
- D . Available resources
