Practice Free CISA Exam Online Questions
Which of the following provides the BEST evidence that a third-party service provider’s information security controls are effective?
- A. An audit report of the controls by the service provider’s external auditor
- B. Documentation of the service provider’s security configuration controls
- C. An interview with the service provider’s information security officer
- D. A review of the service provider’s policies and procedures
A
Explanation:
An audit report of the controls by the service provider’s external auditor provides the best evidence that a third-party service provider’s information security controls are effective. An external auditor is an independent and objective party that can assess the design and operating effectiveness of the service provider’s information security controls based on established standards and criteria. An external auditor can also provide an opinion on the adequacy and compliance of the service provider’s information security controls, as well as recommendations for improvement.
Documentation of the service provider’s security configuration controls is a source of evidence that a third-party service provider’s information security controls are effective, but it is not the best evidence. Documentation of the security configuration controls can show the settings and parameters of the service provider’s information systems and networks, but it may not reflect the actual implementation and operation of the controls. Documentation of the security configuration controls may also be outdated, incomplete, or inaccurate.
An interview with the service provider’s information security officer is a source of evidence that a third-party service provider’s information security controls are effective, but it is not the best evidence. An interview with the information security officer can provide insights into the service provider’s information security strategy, policies, and procedures, but it may not verify the actual performance and compliance of the information security controls. An interview with the information security officer may also be biased, subjective, or misleading.
A review of the service provider’s policies and procedures is a source of evidence that a third-party service provider’s information security controls are effective, but it is not the best evidence. A review of the policies and procedures can show the service provider’s information security objectives, requirements, and guidelines, but it may not demonstrate the actual execution and enforcement of the information security controls. A review of the policies and procedures may also be insufficient, inconsistent, or outdated.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 284
ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
An IT balanced scorecard is the MOST effective means of monitoring:
- A. governance of enterprise IT.
- B. control effectiveness.
- C. return on investment (ROI).
- D. change management effectiveness.
A
Explanation:
An IT balanced scorecard is a strategic management tool that aligns IT objectives with business goals and measures the performance of IT processes using key performance indicators (KPIs). It is the most effective means of monitoring governance of enterprise IT, which is the process of ensuring that IT supports the organization’s strategy and objectives. Governance of enterprise IT covers aspects such as IT value delivery, IT risk management, IT resource management, and IT performance measurement. An IT balanced scorecard can help monitor these aspects and provide feedback to improve IT governance.
Reference: ISACA Frameworks: Blueprints for Success, CISA Review Manual (Digital Version)
A staff accountant regularly uploads spreadsheets with inventory levels to the organization’s financial reporting system. The transfers are executed through a customized interface created by an in-house developer.
Which of the following is MOST important for the IS auditor to confirm during a review of the interface?
- A. The data in the spreadsheet is correctly recorded in the financial system.
- B. The financial system transfers are performed by the accountant at predefined intervals.
- C. The spreadsheets do not contain malware or malicious macros.
- D. The data transfer connection does not support full duplex communication.
A
Explanation:
The primary audit concern is data integrity: ensuring that the data uploaded through the custom interface is accurately and completely transferred to the financial system.
Option A directly addresses data accuracy and integrity.
Option B (timing) is secondary compared to correctness.
Option C (malware checks) is important but is handled by security controls; it is not the primary audit concern here.
Option D (duplex communication) is irrelevant to ensuring accurate financial records.
Reference: ISACA CISA Review Manual 27th Edition, Domain 3, section on interface controls and audit considerations.
A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system.
Which of the following is the IS auditor’s BEST recommendation?
- A. Enable automatic encryption, decryption, and electronic signing of data files
- B. Implement software to perform automatic reconciliations of data between systems
- C. Have coders perform manual reconciliation of data between systems
- D. Automate the transfer of data between systems as much as feasible
An IS auditor finds that a number of key patches have not been applied in a timely manner due to resource constraints.
Which of the following is the GREATEST risk to the organization in this situation?
- A. Systems may not be supported by the vendor.
- B. Known security vulnerabilities may not be mitigated.
- C. Different systems may not be compatible.
- D. The systems may not meet user requirements.
An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions.
Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?
- A. Computer-assisted technique
- B. Stratified sampling
- C. Statistical sampling
- D. Process walk-through
A
Explanation:
A computer-assisted technique is the most helpful method for an IS auditor to determine whether duplicate vendor payments exist on a complex system with a high volume of transactions. A computer-assisted technique is a tool or procedure that can be used to perform audit tests or procedures on data stored in electronic form. Examples of computer-assisted techniques include data analysis software, query tools, scripting languages, and specialized audit software. A computer-assisted technique can help an IS auditor to identify and extract duplicate payments from a large data set, perform calculations and comparisons, and generate reports and summaries. A computer-assisted technique can also provide more accuracy, efficiency, and coverage than manual methods.
Stratified sampling, statistical sampling, and process walk-through are not as helpful as a computer-assisted technique for this purpose. Stratified sampling is a sampling method that divides the population into subgroups based on certain characteristics and selects samples from each subgroup. Statistical sampling is a sampling method that uses probability theory to determine the sample size and selection criteria. Process walk-through is a review technique that involves following a transaction or process from start to finish and observing the inputs, outputs, controls, and documentation. These methods may be useful for other audit objectives, but they are not as effective as a computer-assisted technique for detecting duplicate payments in a complex and high-volume system.
Reference: ISACA Frameworks: Blueprints for Success, ISACA Glossary of Terms
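The computer-assisted technique described above, in working form as an added example that is not part of the question bank or ISACA’s material: a script that runs two duplicate-payment tests over an accounts-payable extract. The record layout, field names and the sample payments are constructed assumptions standing in for a real export.

```python
"""Duplicate vendor-payment detection with a computer-assisted technique.

Added example, not from the ISACA material: the payment records below are
constructed sample data standing in for an accounts-payable extract.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from itertools import combinations


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    invoice_no: str
    amount: Decimal
    paid_on: date


def normalize_invoice(invoice_no: str) -> str:
    """Collapse formatting differences that let one invoice be keyed twice.

    Case, separators and leading zeros in digit runs are dropped, so
    'INV-0042' and 'inv 42' both become 'INV42'.
    """
    tokens = re.findall(r"[A-Za-z]+|\d+", invoice_no.upper())
    return "".join(str(int(t)) if t.isdigit() else t for t in tokens)


def exact_duplicates(payments):
    """Groups of payments sharing vendor, normalized invoice and amount.

    Returns a list of payment-id lists (each of length >= 2), ordered by
    first payment id, for the auditor to trace back to source documents.
    """
    groups = defaultdict(list)
    for p in payments:
        key = (p.vendor_id, normalize_invoice(p.invoice_no), p.amount)
        groups[key].append(p.payment_id)
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)


def same_amount_within_window(payments, days=30):
    """Possible duplicates that the exact check misses.

    Flags pairs paid to the same vendor for the same amount within `days`
    of each other under *different* invoice numbers, which is how a
    re-submitted invoice typically looks. Returns sorted (id, id) tuples.
    """
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p.vendor_id].append(p)
    flagged = []
    for vendor_payments in by_vendor.values():
        for a, b in combinations(vendor_payments, 2):
            if a.amount != b.amount:
                continue
            if normalize_invoice(a.invoice_no) == normalize_invoice(b.invoice_no):
                continue  # already reported by exact_duplicates
            if abs((a.paid_on - b.paid_on).days) <= days:
                flagged.append(tuple(sorted((a.payment_id, b.payment_id))))
    return sorted(flagged)


# Constructed sample extract (not real data).
SAMPLE_PAYMENTS = [
    Payment("P1001", "V100", "INV-0042", Decimal("1250.00"), date(2024, 3, 1)),
    Payment("P1002", "V100", "inv 42",   Decimal("1250.00"), date(2024, 3, 15)),  # re-keyed invoice
    Payment("P1003", "V200", "A-7",      Decimal("500.00"),  date(2024, 3, 2)),
    Payment("P1004", "V200", "A-8",      Decimal("500.00"),  date(2024, 3, 5)),   # new number, same amount
    Payment("P1005", "V300", "B-1",      Decimal("99.99"),   date(2024, 1, 10)),
    Payment("P1006", "V300", "B-1",      Decimal("99.99"),   date(2024, 6, 10)),  # same invoice paid twice
    Payment("P1007", "V200", "A-9",      Decimal("500.00"),  date(2024, 8, 1)),   # same amount, outside window
]


if __name__ == "__main__":
    print("Exact duplicates:", exact_duplicates(SAMPLE_PAYMENTS))
    print("Same amount within 30 days:", same_amount_within_window(SAMPLE_PAYMENTS))
```

The two tests illustrate why a scripted check beats sampling for this objective: every record is examined, and the exact-match test alone would miss the re-submitted invoice under a fresh number, which the amount-and-window test catches. The window is a tunable parameter; widening it raises recall but also pulls in legitimate recurring charges, so every flagged group still needs to be traced to the underlying invoices before it is reported as a finding.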
Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
- A. Encryption of the spreadsheet
- B. Version history
- C. Formulas within macros
- D. Reconciliation of key calculations
C
Explanation:
The most important thing for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros is the formulas within macros. Macros are sequences of commands or instructions that can automate tasks or calculations in a spreadsheet. Formulas are expressions that perform calculations on values or data in a spreadsheet. The accuracy of a spreadsheet depends largely on whether the formulas within macros are correct, consistent, and complete. The IS auditor should review the formulas within macros to verify that they produce the expected results and do not contain any errors or inconsistencies. The other options are not as important as formulas within macros, as they do not directly affect the accuracy of a spreadsheet. Encryption of the spreadsheet is a security control that can protect the confidentiality and integrity of the spreadsheet, but it does not ensure its accuracy. Version history is a document control feature that can track and manage changes to the spreadsheet, but it does not verify its accuracy. Reconciliation of key calculations is a validation technique that can compare and confirm the results of calculations with other sources, but it does not evaluate the accuracy of formulas within macros.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.2
Which of the following is MOST important to consider when scheduling follow-up audits?
- A. The efforts required for independent verification with new auditors
- B. The impact if corrective actions are not taken
- C. The amount of time the auditee has agreed to spend with auditors
- D. Controls and detection risks related to the observations
B
Explanation:
The impact if corrective actions are not taken is the most important factor to consider when scheduling follow-up audits. An IS auditor should prioritize the follow-up audits based on the risk and potential consequences of not addressing the audit findings and recommendations. The other options are less important factors that may affect the timing and scope of the follow-up audits, but not their necessity or urgency.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.5.31
CISA Review Questions, Answers & Explanations Database, Question ID 207
One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:
- A. basis for allocating indirect costs.
- B. cost of replacing equipment.
- C. estimated cost of ownership.
- D. basis for allocating financial resources.
D
Explanation:
One benefit of return on investment (ROI) analysis in IT decision making is that it provides the basis for allocating financial resources. ROI analysis is a method of evaluating the profitability or cost-effectiveness of an IT project or investment by comparing the expected benefits with the required costs. ROI analysis can help IT decision makers prioritize and justify their IT initiatives, allocate their financial resources optimally, and demonstrate the value contribution of IT to the organization’s goals and objectives. Basis for allocating indirect costs, cost of replacing equipment, and estimated cost of ownership are not benefits of ROI analysis in IT decision making. These are more inputs or outputs of ROI analysis that could be used to calculate or estimate the costs or benefits of an IT project or investment.
Reference: ISACA CISA Review Manual 27th Edition, page 307
Which of the following would be of GREATEST concern to an IS auditor reviewing the resiliency of an organizational network that has two internet connections?
- A. Network capacity testing has not been performed.
- B. The business continuity plan (BCP) has not been tested in the past six months.
- C. Non-critical applications are also connected to both connections.
- D. Both connections are from the same provider.
