Practice Free CISA Exam Online Questions
When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:
- A . legitimate packets blocked by the system have increased
- B . actual attacks have not been identified
- C . detected events have increased
- D . false positives have been reported
B
Explanation:
The main purpose of an IDS is to detect and report malicious or suspicious activity on a network or a host. If an IDS fails to identify actual attacks, it means that the IDS is not functioning properly or effectively, and it exposes the organization to serious security risks and potential damage. This is the most concerning scenario for an IS auditor, as it indicates a major deficiency in the IDS performance and configuration.
Reference: What is an intrusion detection system (IDS)?; What is Intrusion Detection Systems (IDS)? How does it Work?; When reviewing an intrusion detection system (IDS), an IS auditor …; Intrusion Detection Systems (IDS): An Overview with a Generalized …; An overview of issues in testing intrusion detection systems (NIST); A Review of Intrusion Detection Systems and Their …
Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?
- A . Review the third party’s monitoring logs and incident handling
- B . Review the roles and responsibilities of the third-party provider
- C . Evaluate the organization’s third-party monitoring process
- D . Determine if the organization has a secure connection to the provider
B
Explanation:
The first step when planning an IS audit of a third-party service provider that monitors network activities is to review the roles and responsibilities of the third-party provider. This will help to establish the scope, objectives, and expectations of the audit, as well as to identify any potential risks, issues, or gaps in the service level agreement (SLA) between the organization and the provider. Reviewing the third party’s monitoring logs and incident handling, evaluating the organization’s third-party monitoring process, and determining if the organization has a secure connection to the provider are important steps, but they should be performed after reviewing the roles and responsibilities of the provider.
Reference: CISA Review Manual (Digital Version), page 269.
Which of the following would be of GREATEST concern to an IS auditor reviewing the feasibility study for a new application system?
- A . Security requirements have not been defined.
- B . Conditions under which the system will operate are unclear.
- C . The business case does not include well-defined strategic benefits.
- D . System requirements and expectations have not been clarified.
Which of the following should be an IS auditor’s GREATEST concern when a data owner assigns an incorrect classification level to data?
- A . Controls to adequately safeguard the data may not be applied.
- B . Data may not be encrypted by the system administrator.
- C . Competitors may be able to view the data.
- D . Control costs may exceed the intrinsic value of the IT asset.
A
Explanation:
The answer A is correct because the greatest concern for an IS auditor when a data owner assigns an incorrect classification level to data is that controls to adequately safeguard the data may not be applied. Data classification is the process of categorizing data assets based on their information sensitivity and business impact. Data classification helps organizations to identify, protect, and manage their data according to their value and risk. Data owners are the individuals or entities who have the authority and responsibility to define, classify, and control the access and use of their data.
Data classification typically involves assigning labels or tags to data assets, such as public, internal, confidential, or restricted. These labels indicate the level of protection and handling required for the data. Based on the data classification, organizations can implement appropriate controls to safeguard the data, such as encryption, access control lists, audit logs, backup policies, etc. These controls help to prevent unauthorized access, disclosure, modification, or loss of data, and to ensure compliance with relevant laws and regulations.
If a data owner assigns an incorrect classification level to data, it can result in either under protection or overprotection of the data. Under protection means that the data is classified at a lower level than it should be, which exposes it to higher risks of compromise or breach. For example, if a data owner classifies personal health information (PHI) as public instead of confidential, it may allow anyone to access or share the data without proper authorization or consent. This can violate the privacy rights of the data subjects and the compliance requirements of regulations such as HIPAA (Health Insurance Portability and Accountability Act). Overprotection means that the data is classified at a higher level than it should be, which limits its availability or usability. For example, if a data owner classifies marketing materials as restricted instead of public, it may prevent potential customers or partners from accessing or viewing the data. This can reduce the business value and opportunities of the data.
Therefore, an IS auditor should be concerned about the accuracy and consistency of data classification by data owners, as it affects the security and efficiency of data management. An IS auditor should review the policies and procedures for data classification, verify that the data owners have adequate knowledge and skills to classify their data, and test that the data classification labels match with the actual sensitivity and impact of the data.
Reference: Data Classification: What It Is and How to Implement It.
What Is Data Classification? – Definition, Levels & Examples …
Data Classification: A Guide for Data Security Leaders
An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release.
Which of the following should the IS auditor review FIRST?
- A . Capacity management plan
- B . Training plans
- C . Database conversion results
- D . Stress testing results
D
Explanation:
The first thing an IS auditor should review when transaction processing times in an order processing system have significantly increased after a major release is the stress testing results. Stress testing evaluates how a system performs under extreme or abnormal conditions, such as high volume, load, or concurrency of transactions. Its results can explain the slowdown by revealing bottlenecks, limitations, or errors in the system’s capacity, performance, or functionality under stress. The other options are less relevant because they do not directly measure how the system performs under such conditions. A capacity management plan defines the processes and activities for ensuring that the system has adequate resources and capabilities to meet current and future demands. Training plans define the processes and activities for ensuring that system users have adequate skills and knowledge to use the system effectively and efficiently. Database conversion results are the outputs of transforming data from one format or structure to another to suit the system’s requirements or specifications.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.3
Which of the following is the BEST source of information to determine the required level of data protection on a file server?
- A . Data classification policy and procedures
- B . Access rights of similar file servers
- C . Previous data breach incident reports
- D . Acceptable use policy and privacy statements
A
Explanation:
The best source of information to determine the required level of data protection on a file server is the data classification policy and procedures, which define the criteria and methods for classifying data according to its sensitivity, value, and criticality, and specify the appropriate security measures and controls for each data category. Data classification policy and procedures help to ensure that data is protected in proportion to its importance and risk exposure. Access rights of similar file servers, previous data breach incident reports, and acceptable use policy and privacy statements are not sufficient or reliable sources of information to determine the required level of data protection on a file server, as they do not provide clear and consistent guidance on how to classify and protect data.
Reference: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.1: Information Asset Security Framework
A transaction processing system interfaces with the general ledger. Data analytics has identified that some transactions are being recorded twice in the general ledger.
While management states a system fix has been implemented, what should the IS auditor recommend to validate the interface is working in the future?
- A . Perform periodic reconciliations.
- B . Ensure system owner sign-off for the system fix.
- C . Conduct functional testing.
- D . Improve user acceptance testing (UAT).
A
Explanation:
A transaction processing system (TPS) is a system that captures, processes, and stores data related to business transactions. A general ledger is a system that records the financial transactions of an organization in different accounts. An interface is a connection point between two systems that allows data exchange. A system fix is a change or update to a system that resolves a problem or improves its functionality.
The IS auditor should recommend performing periodic reconciliations to validate that the interface between the TPS and the general ledger is working in the future. A reconciliation is a process of comparing and verifying the data in two systems to ensure accuracy and consistency. By performing periodic reconciliations, the organization can detect and correct any errors or discrepancies in the data, such as duplicate transactions, missing transactions, or incorrect amounts. This way, the reliability and integrity of the financial data in both systems can be maintained.
The other options are not as effective as periodic reconciliations to validate the interface. System owner sign-off for the system fix is a form of approval that indicates the system owner agrees with the change and its expected outcome. However, this does not guarantee that the system fix will work as intended or prevent future errors. Conducting functional testing is a process of verifying that the system performs its intended functions correctly and meets its requirements. However, this is usually done before or after the system fix is implemented, not on an ongoing basis. Improving user acceptance testing (UAT) is a process of evaluating whether the system meets the needs and expectations of the end users. However, this is also done before or after the system fix is implemented, not on an ongoing basis. Therefore, option A is the correct answer.
Reference: Transaction Interface: Organization, Process, and System
Validation of Interfaces – Ensuring Data Integrity and Quality across Systems
Oracle Payments Implementation Guide
Receiving Transactions Inserted Into Interface Table as BATCH And PENDING Are Not Processed By Receiving Transaction Processor
What Is a Transaction Processing System (TPS)? (Plus Types)
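A reconciliation of the kind option A recommends, shown here as an added example that is not part of the original page or of any ISACA material. It compares a TPS export with the GL postings delivered through the interface, keyed by the source transaction identifier, and reports duplicate postings, transactions that never reached the ledger, postings with no source transaction, and amount differences. The (txn_id, amount) row layout and the sample rows are constructed for this example; a real interface table would carry more columns.

```python
"""Periodic reconciliation of a transaction processing system (TPS) export
against the general ledger (GL) postings it feeds through an interface.
The sample rows and the (txn_id, amount) layout are constructed for this
example; a real interface table would carry more columns."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class ReconResult:
    duplicates: dict         # txn_id -> number of GL postings, where > 1
    missing_in_gl: set       # in TPS, never reached the GL
    unexpected_in_gl: set    # in GL, no source transaction
    amount_mismatches: dict  # txn_id -> (tps_amount, summed_gl_amount)

    def is_clean(self) -> bool:
        return not (self.duplicates or self.missing_in_gl
                    or self.unexpected_in_gl or self.amount_mismatches)


def reconcile(tps_rows, gl_rows) -> ReconResult:
    """Compare source transactions with ledger postings by txn_id.
    Amounts are parsed as Decimal to avoid float rounding on money."""
    tps = {}
    for txn_id, amount in tps_rows:
        if txn_id in tps:
            # The source export must be unique per txn_id, otherwise the
            # comparison below cannot tell a GL duplicate from a re-post.
            raise ValueError(f"duplicate txn_id in TPS export: {txn_id}")
        tps[txn_id] = Decimal(amount)

    gl_rows = list(gl_rows)
    gl_counts = Counter(txn_id for txn_id, _ in gl_rows)
    gl_totals = {}
    for txn_id, amount in gl_rows:
        gl_totals[txn_id] = gl_totals.get(txn_id, Decimal("0")) + Decimal(amount)

    duplicates = {t: n for t, n in gl_counts.items() if n > 1}
    missing = set(tps) - set(gl_counts)
    unexpected = set(gl_counts) - set(tps)
    # Compare the summed GL amount per txn_id, so a transaction posted
    # twice is flagged both as a duplicate and as an amount mismatch.
    mismatches = {t: (tps[t], gl_totals[t])
                  for t in set(tps) & set(gl_counts)
                  if gl_totals[t] != tps[t]}
    return ReconResult(duplicates, missing, unexpected, mismatches)


# Constructed sample: TPS export for one posting period
SAMPLE_TPS = [
    ("T1001", "120.00"),
    ("T1002", "75.50"),
    ("T1003", "300.00"),
    ("T1004", "42.10"),
]
# Constructed sample: GL postings from the interface. T1002 was posted
# twice, T1003 with the wrong amount, T1004 never arrived, and T9999 has
# no source transaction at all.
SAMPLE_GL = [
    ("T1001", "120.00"),
    ("T1002", "75.50"),
    ("T1002", "75.50"),
    ("T1003", "30.00"),
    ("T9999", "5.00"),
]


def run_sample() -> ReconResult:
    return reconcile(SAMPLE_TPS, SAMPLE_GL)


if __name__ == "__main__":
    result = run_sample()
    for name in ("duplicates", "missing_in_gl", "unexpected_in_gl", "amount_mismatches"):
        print(f"{name}: {getattr(result, name)}")
    print("interface clean:", result.is_clean())
```

Run on a schedule against each posting period, the check turns the one-off data analytics finding into a standing control: a non-empty result is the evidence the auditor would ask for, and an empty one is the evidence that the fix still holds. The check depends on the interface carrying the source transaction identifier through to the GL; if it does not, duplicates can only be inferred from matching amounts and dates, which is far weaker.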
Which of the following BEST facilitates the successful implementation of IT performance monitoring?
- A . Determining goals for IT resources and processes
- B . Identifying tools to automate performance measurement
- C . Establishing templates for periodic reporting to management
- D . Adopting global standards and measurement norms
An external IS auditor is reviewing the continuous monitoring system for a large bank and notes several potential issues.
Which of the following would present the GREATEST concern regarding the reliability of the monitoring system?
- A . The system results are not reviewed by senior management.
- B . The alert threshold is updated periodically.
- C . The monitoring thresholds are not subject to change management.
- D . The monitoring system was configured by a third party.
C
Explanation:
Monitoring systems rely heavily on thresholds to detect anomalies or incidents. If thresholds can be changed without proper change management controls, the entire system’s reliability is compromised because unauthorized or improper changes could either suppress critical alerts or generate excessive false positives. While senior management review (A) is important for governance, it does not directly affect the accuracy of monitoring results. Periodic threshold updates (B) are actually good practice as long as they are controlled. Third-party configuration (D) can be acceptable if properly governed.
ISACA’s COBIT BAI06 (Managed IT Changes) stresses that all changes to production systems, including monitoring thresholds, must follow formal change control processes to maintain integrity and reliability.
Reference (ISACA): COBIT® 2019, BAI06 Managed IT Changes.
Which of the following findings would be of GREATEST concern when auditing an organization’s end-user computing (EUC)?
- A . Errors flowed through to financial statements
- B . Reduced oversight by the IT department
- C . Inconsistency of patching processes being followed
- D . Inability to monitor EUC audit logs and activities
