Practice Free CISA Exam Online Questions
Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?
- A . Implement controls to prohibit downloads of unauthorized software.
- B . Conduct periodic software scanning.
- C . Perform periodic counting of licenses.
- D . Require senior management approval when installing licenses.
B
Explanation:
The best way to detect unauthorized copies of licensed software on systems is to conduct periodic software scanning. Software scanning is a process of using specialized tools or programs to scan the systems and identify the software installed, the license status, the usage, and the compliance with the software policies and agreements. Software scanning can help to detect any unauthorized, unlicensed, or illegal copies of software on the systems, as well as any discrepancies or violations of the software licenses. Software scanning can also help to optimize the software inventory, reduce the software costs, and improve the security and performance of the systems.
Some examples of software scanning tools are:
- Microsoft Software Inventory Analyzer (MSIA): A free tool that scans Windows-based computers and servers and generates reports on the Microsoft products installed, such as operating systems, applications, and updates.
- Belarc Advisor: A free tool that scans Windows-based computers and generates reports on the hardware and software installed, including license keys, versions, usage, and security status.
- Lansweeper: A paid tool that scans Windows, Linux, Mac, and other network devices and generates reports on the hardware and software inventory, license compliance, configuration, and vulnerabilities.
To conduct periodic software scanning, you need to:
- Choose a suitable software scanning tool that meets your needs and budget.
- Define the scope and frequency of the software scanning, such as which systems to scan, how often to scan, and what information to collect.
- Configure and run the software scanning tool according to the instructions and settings.
- Review and analyze the software scanning reports and identify any unauthorized copies of licensed software on the systems.
- Take appropriate actions to remove or regularize the unauthorized copies of licensed software on the systems.
- Document and report the results and findings of the software scanning.
Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?
- A . Server room access history
- B . Emergency change records
- C . IT security incidents
- D . Penetration test results
D
Explanation:
The IS auditor should ensure that penetration test results are classified at the highest level of sensitivity, because they contain detailed information about the vulnerabilities and weaknesses of the IT systems and networks, as well as the methods and tools used by the testers to exploit them. Penetration test results can be used by malicious actors to launch cyberattacks or cause damage to the organization if they are disclosed or accessed without authorization. Therefore, they should be protected with the highest level of confidentiality, integrity and availability. The other options are not as sensitive as penetration test results, because they either do not reveal as much information about the IT security posture, or they are already known or reported by the organization.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.4
Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?
- A . Align service level agreements (SLAs) with current needs.
- B . Monitor customer satisfaction with the change.
- C . Minimize costs related to the third-party agreement.
- D . Ensure right to audit is included within the contract.
A
Explanation:
The primary area of focus when an organization decides to outsource technical support for its external customers is to align service level agreements (SLAs) with current needs. SLAs are contracts that define the scope, quality, and expectations of the services provided by the vendor, as well as the remedies or penalties for non-compliance. SLAs are essential for ensuring that the outsourced technical support meets the customer’s requirements and satisfaction, as well as the organization’s objectives and standards. By aligning SLAs with current needs, the organization can specify the key performance indicators (KPIs), metrics, and targets that reflect the desired outcomes and value of the technical support. This can also help to monitor and evaluate the vendor’s performance, identify gaps or issues, and implement corrective actions or improvements.
Reference: Service Level Agreement (SLA) Examples and Template.
What is an SLA? Best practices for service-level agreements
Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
- A . The added functionality has not been documented.
- B . The new functionality may not meet requirements.
- C . The project may fail to meet the established deadline.
- D . The project may go over budget.
An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room.
Which of the following would be MOST useful to the auditor?
- A . Alarm system with CCTV
- B . Access control log
- C . Security incident log
- D . Access card allocation records
B
Explanation:
A system electronic log is the most useful source of information for an IS auditor to review all access attempts to a video-monitored and proximity card-controlled communications room. A system electronic log can provide accurate and detailed records of the date, time, card number, and status (success or failure) of each access attempt. A system electronic log can also be easily searched, filtered, and analyzed by the auditor to identify any unauthorized or suspicious access attempts.
A manual sign-in and sign-out log is not as reliable or useful as a system electronic log, because it depends on the honesty and compliance of the users. A manual log can be easily manipulated, forged, or omitted by the users or intruders. A manual log also does not capture the status of each access attempt, and it can be difficult to verify the identity of the users based on their signatures.
An alarm system with CCTV is not as useful as a system electronic log, because it only captures the events that trigger the alarm, such as unauthorized or forced entry. An alarm system with CCTV does not provide a complete record of all access attempts, and it can be affected by factors such as camera angle, lighting, and resolution. An alarm system with CCTV also requires more time and effort to review the video footage by the auditor.
A security incident log is not as useful as a system electronic log, because it only records the incidents that are reported by the users or detected by the security staff. A security incident log does not provide a comprehensive record of all access attempts, and it can be incomplete or inaccurate depending on the reporting and detection mechanisms. A security incident log also does not capture the details of each access attempt, such as the card number and status.
Reference: ISACA CISA Review Manual 27th Edition (2019), page 247
ISACA CISA Certified Information Systems Auditor Exam … – PUPUWEB
A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged.
Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?
- A . Trace a sample of complete PCR forms to the log of all program changes
- B . Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date
- C . Review a sample of PCRs for proper approval throughout the program change process
- D . Trace a sample of program changes from the log to completed PCR forms
B
Explanation:
The best way to determine whether unauthorized changes have been made to production programs is to use source code comparison software to compare the current version of the programs with the previous version or the approved version. This will identify any changes that have been made without proper authorization or documentation. Tracing PCRs to logs or vice versa will only verify that the authorized changes have been recorded, but not detect any unauthorized changes.
Reference: Standards, Guidelines, Tools and Techniques – ISACA, section “IS Audit and Assurance Tools and Techniques”
The PRIMARY benefit of automating application testing is to:
- A . provide test consistency.
- B . provide more flexibility.
- C . replace all manual test processes.
- D . reduce the time to review code.
A
Explanation:
The primary benefit of automating application testing is to provide test consistency. Automated testing can ensure that the same test cases are executed in the same manner and order every time, which can improve the reliability and accuracy of the test results. Providing more flexibility, replacing all manual test processes, and reducing the time to review code are possible benefits of automating application testing, but they are not the primary benefit.
Reference: ISACA, CISA Review Manual, 27th Edition, 2020, p. 309
ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
Which of the following staff should an IS auditor interview FIRST to obtain a general overview of the various technologies used across different programs?
- A . Technical architect
- B . Enterprise architect
- C . Program manager
- D . Solution architect
Which of the following is MOST important to define within a disaster recovery plan (DRP)?
- A . Business continuity plan (BCP)
- B . Test results for backup data restoration
- C . A comprehensive list of disaster recovery scenarios and priorities
- D . Roles and responsibilities for recovery team members
D
Explanation:
The most important thing to define within a disaster recovery plan (DRP) is the roles and responsibilities for recovery team members, as this ensures that everyone knows what to do, who to report to, and how to communicate in the event of a disaster. A business continuity plan (BCP) is a broader document that covers the overall strategy and objectives for maintaining or resuming business operations after a disaster. Test results for backup data restoration are important to verify the integrity and availability of backup data, but they are not part of the DRP itself. A comprehensive list of disaster recovery scenarios and priorities is useful to identify the potential risks and impacts of different types of disasters, but it is not as critical as defining the roles and responsibilities for recovery team members.
Reference: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations, Maintenance and Service Management, Section 4.3: Disaster Recovery Planning
In a large organization, IT deadlines on important projects have been missed because IT resources are not prioritized properly.
Which of the following is the BEST recommendation to address this problem?
- A . Revisit the IT strategic plan.
- B . Implement project portfolio management.
- C . Implement an integrated resource management system.
- D . Implement a comprehensive project scorecard.
B
Explanation:
The best recommendation to address the problem of missing IT deadlines on important projects because IT resources are not prioritized properly is to implement project portfolio management (PPM). PPM is the process of analyzing and optimizing the costs, resources, technologies, and processes for all the projects and programs within a portfolio. A portfolio is a collection of projects, programs, and processes that are managed together and aligned with the strategic goals and objectives of the organization.
PPM can help the organization to:
- Prioritize the most valuable and relevant projects and programs based on their alignment with the organizational strategy, vision, and mission.
- Balance the portfolio to ensure that the projects and programs are diversified, feasible, and sustainable, and that they meet the needs and expectations of the stakeholders.
- Optimize the allocation, utilization, and coordination of IT resources across the portfolio, such as staff, budget, time, equipment, and software.
- Monitor and control the performance and progress of the projects and programs within the portfolio, and evaluate their outcomes and benefits.
By implementing PPM, the organization can improve its IT project delivery and avoid missing deadlines. PPM can also help the organization to increase its efficiency, effectiveness, quality, and value.
For more information about PPM, you can refer to the following web search results:
- Project Portfolio Management (PPM): The Ultimate Guide – ProjectManager
- A Complete Overview of Project Portfolio Management – Smartsheet
- PPM 101: What Is Project Portfolio Management?
