Practice Free CISA Exam Online Questions
Which of the following is the BEST indication that an information security awareness program is effective?
- A . A reduction in the number of reported information security incidents
- B . A reduction in the success rate of social engineering attacks
- C . A reduction in the cost of maintaining the information security program
- D . A reduction in the number of information security attacks
B
Explanation:
The success rate of social engineering attacks directly measures the behavioral changes resulting from an information security awareness program. Employees who are aware and informed are better equipped to identify and thwart such attacks.
Reduction in Reported Incidents (Option A): This may indicate underreporting rather than program effectiveness.
Reduction in Cost of Maintaining the Program (Option C): This reflects cost efficiency, not program effectiveness.
Reduction in Number of Attacks (Option D): The number of attacks is beyond the control of awareness programs and does not reflect their impact.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.
An IS auditor notes that IT and the business have different opinions on the availability of their application servers.
Which of the following should the IS auditor review FIRST in order to understand the problem?
- A . The exact definition of the service levels and their measurement
- B . The alerting and measurement process on the application servers
- C . The actual availability of the servers as part of a substantive test
- D . The regular performance-reporting documentation
A
Explanation:
The exact definition of the service levels and their measurement is the first thing that the IS auditor should review in order to understand the problem of different opinions on the availability of their application servers. Service levels are the agreed-upon standards or targets for delivering IT services, such as availability, reliability, performance, and security. Service level measurement is the process of collecting, analyzing, and reporting data related to the achievement of service levels. By reviewing the exact definition of the service levels and their measurement, the IS auditor can identify any gaps, inconsistencies, or ambiguities that may cause confusion or disagreement among IT and the business. The other options are not as important as reviewing the exact definition of the service levels and their measurement, as they do not address the root cause of the problem.
Reference: CISA Review Manual, 27th Edition, page 372
An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie.
Which of the following would be of GREATEST concern to the auditor?
- A . When the model was tested with data drawn from a different population, the accuracy decreased.
- B . The data set for training the model was obtained from an unreliable source.
- C . An open-source programming language was used to develop the model.
- D . The model was tested with data drawn from the same population as the training data.
Management has decided to accept a risk in response to a draft audit recommendation.
Which of the following should be the IS auditor’s NEXT course of action?
- A . Document management’s acceptance in the audit report.
- B . Escalate the acceptance to the board.
- C . Ensure a follow-up audit is on next year’s plan.
- D . Escalate acceptance to the audit committee.
A security administrator is called in the middle of the night by the on-call programmer. A number of programs have failed, and the programmer has asked for access to the live system.
What is the BEST course of action?
- A . Require that a change request be completed and approved
- B . Give the programmer an emergency ID for temporary access and review the activity
- C . Give the programmer read-only access to investigate the problem
- D . Review activity logs the following day and investigate any suspicious activity
B
Explanation:
The best course of action for a security administrator who is called in the middle of the night by the on-call programmer who needs access to the live system is to give the programmer an emergency ID for temporary access and review the activity.
This is because:
Requiring that a change request be completed and approved may delay the resolution of the problem and cause further damage or disruption to the system or business operations. A change request is a formal document that describes the proposed change, its rationale, impact, benefits, risks, costs, and approval process. A change request is usually required for planned or scheduled changes, not for emergency or urgent changes.
Giving the programmer read-only access to investigate the problem may not be sufficient or effective, as the programmer may need to perform actions or tests that require write or execute permissions. Read-only access means that the user can only view or copy data or files, but cannot modify or delete them.
Reviewing activity logs the following day and investigating any suspicious activity may not prevent or detect any unauthorized or malicious actions by the programmer in real time. Activity logs are records of events and actions that occur within a system or network. Activity logs can provide evidence and accountability for system activities, but they are not proactive or preventive controls.
Therefore, giving the programmer an emergency ID for temporary access and reviewing the activity is the best course of action, as it allows the programmer to access the live system and resolve the problem quickly, while also ensuring that the security administrator can monitor and verify the programmer’s activity and revoke the access when it is no longer needed. An emergency ID is a temporary account that grants a user elevated privileges or access to a system or resource for a specific purpose and duration. An emergency ID should be:
Created and authorized by a security administrator or manager
Assigned to a specific user and purpose
Limited in scope and time
Logged and audited
Revoked and deleted after use
Some of the best practices for emergency access to live systems are:
Establish clear policies and procedures for requesting, approving, granting, monitoring, reviewing, and revoking emergency access
Define criteria and scenarios for emergency access, such as severity, impact, urgency, and risk
Implement controls to prevent unauthorized or unnecessary use of emergency access, such as multifactor authentication, approval workflows, alerts, notifications, and time restrictions
Implement controls to track and audit emergency access activities, such as logging, reporting, analysis, and investigation
Implement controls to ensure accountability and responsibility for emergency access users, such as attestation, justification, documentation, and feedback
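The emergency-ID lifecycle described above (authorized by an administrator, tied to one user and purpose, limited in scope and time, logged, revoked after use), modelled as an added example that is not part of the original question bank; the user names, actions and timestamps are constructed:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class EmergencyGrant:
    user: str                # assigned to a specific user ...
    purpose: str             # ... for a specific purpose
    scope: frozenset         # actions the ID may perform (limited in scope)
    approved_by: str         # created and authorized by an administrator
    expires_at: datetime     # limited in time
    revoked: bool = False
    audit_log: list = field(default_factory=list)   # logged and audited

def issue_grant(user, purpose, scope, approved_by, now, ttl=timedelta(hours=4)):
    grant = EmergencyGrant(user, purpose, frozenset(scope), approved_by, now + ttl)
    grant.audit_log.append((now, "ISSUED", approved_by, purpose))
    return grant

def authorize(grant, user, action, now):
    # every decision, allowed or denied, lands in the audit log
    if grant.revoked:
        verdict = "DENY:revoked"
    elif now >= grant.expires_at:
        verdict = "DENY:expired"
    elif user != grant.user:
        verdict = "DENY:wrong-user"
    elif action not in grant.scope:
        verdict = "DENY:out-of-scope"
    else:
        verdict = "ALLOW"
    grant.audit_log.append((now, verdict, user, action))
    return verdict == "ALLOW"

def revoke(grant, admin, now):
    grant.revoked = True
    grant.audit_log.append((now, "REVOKED", admin, ""))

def run_scenario():
    # constructed night-time incident; returns (decisions, denied log entries)
    t0 = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
    g = issue_grant("oncall-dev", "restore failed batch jobs",
                    {"read-logs", "restart-batch"}, "secadmin", t0)
    decisions = [
        authorize(g, "oncall-dev", "read-logs", t0 + timedelta(minutes=5)),    # in scope
        authorize(g, "oncall-dev", "drop-table", t0 + timedelta(minutes=6)),   # out of scope
        authorize(g, "other-dev", "read-logs", t0 + timedelta(minutes=7)),     # wrong user
        authorize(g, "oncall-dev", "read-logs", t0 + timedelta(hours=5)),      # expired
    ]
    revoke(g, "secadmin", t0 + timedelta(hours=1))
    decisions.append(authorize(g, "oncall-dev", "read-logs", t0 + timedelta(hours=1, minutes=1)))
    return decisions, [e for e in g.audit_log if e[1].startswith("DENY")]
```

The denied entries returned by `run_scenario()` are what the security administrator reviews afterwards; the allowed entries are the activity trail for the fix itself.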
Which of the following is MOST important for an IS auditor to examine when reviewing an organization’s privacy policy?
- A . Whether there is explicit permission from regulators to collect personal data
- B . The organization’s legitimate purpose for collecting personal data
- C . Whether sharing of personal information with third-party service providers is prohibited
- D . The encryption mechanism selected by the organization for protecting personal data
B
Explanation:
The most important thing for an IS auditor to examine when reviewing an organization’s privacy policy is its legitimate purpose for collecting personal data. A legitimate purpose is a clear and specific reason for collecting personal data that is necessary for the organization’s business operations or legal obligations, and that respects the rights and interests of the data subjects. A legitimate purpose is the basis for establishing a lawful and fair processing of personal data, and it should be communicated to the data subjects in the privacy policy. The other options are not as important as the legitimate purpose in reviewing the privacy policy. Explicit permission from regulators to collect personal data is not always required, as there may be other lawful bases for data collection, such as consent, contract, or public interest. Sharing of personal information with third-party service providers is not prohibited, as long as there are adequate safeguards and agreements in place to protect the data. The encryption mechanism selected by the organization for protecting personal data is a technical control that can enhance data security, but it does not determine the legality or fairness of data collection.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2
Which of the following is the BEST control to mitigate attacks that redirect Internet traffic to an unauthorized website?
- A . Utilize a network-based firewall.
- B . Conduct regular user security awareness training.
- C . Perform domain name system (DNS) server security hardening.
- D . Enforce a strong password policy meeting complexity requirements.
C
Explanation:
The best control to mitigate attacks that redirect Internet traffic to an unauthorized website is to perform domain name system (DNS) server security hardening. DNS servers are responsible for resolving domain names into IP addresses, and they are often targeted by attackers who want to manipulate or spoof DNS records to redirect users to malicious websites. By applying security best practices to DNS servers, such as encrypting DNS traffic, implementing DNSSEC, restricting access, and applying patches promptly, the organization can reduce the risk of DNS hijacking attacks. A network-based firewall, user security awareness training, and a strong password policy are also important controls, but they are not as effective as DNS server security hardening in preventing this specific type of attack.
Reference: CISA Review Manual, 27th Edition, page 4021
CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
A checksum is classified as which type of control?
- A . Detective control
- B . Preventive control
- C . Corrective control
- D . Administrative control
A
Explanation:
A checksum is classified as a detective control. A checksum is a mathematical value that is calculated from a data set and used to verify the integrity of the data. A checksum can detect if the data has been altered or corrupted during transmission or storage. A checksum does not prevent or correct the data corruption, but it alerts the user or system of the problem. Therefore, it is a detective control. A preventive control is a control that prevents an error or incident from occurring. A corrective control is a control that restores normal operations after an error or incident has occurred. An administrative control is a control that involves policies, procedures, standards, guidelines, or organizational structures.
Reference: CISA Review Manual (Digital Version), page 439.
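To make the detective-control point concrete, an added example (not from the original question bank) that computes a checksum over a constructed record, shows it reporting corruption without locating or repairing it, and contrasts a naive byte sum with CRC-32 on a corruption the weaker checksum misses:

```python
import zlib

# Constructed sample record (not from the page); the account digits at
# offsets 5..9 are the bytes corrupted below.
RECORD = b"ACCT=12345;AMOUNT=250.00;PAYEE=ACME"

def crc32_checksum(data: bytes) -> int:
    """CRC-32 stored or transmitted alongside the data."""
    return zlib.crc32(data) & 0xFFFFFFFF

def additive_checksum(data: bytes) -> int:
    """Naive 16-bit byte sum, a weaker checksum kept for comparison."""
    return sum(data) & 0xFFFF

def verify(data: bytes, expected: int, checksum=crc32_checksum) -> bool:
    """The detective step: recompute and compare. It only reports a mismatch;
    it cannot say which byte changed, let alone restore it."""
    return checksum(data) == expected

def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Simulated single-bit corruption in transit (constructed fault)."""
    corrupted = bytearray(data)
    corrupted[index] ^= 1 << bit
    return bytes(corrupted)

def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    """Simulated transposition of two bytes, e.g. two account digits."""
    corrupted = bytearray(data)
    corrupted[i], corrupted[j] = corrupted[j], corrupted[i]
    return bytes(corrupted)

def demo() -> dict:
    stored_crc = crc32_checksum(RECORD)
    stored_sum = additive_checksum(RECORD)
    swapped = swap_bytes(RECORD, 5, 6)          # "12345" becomes "21345"
    return {
        "intact_passes": verify(RECORD, stored_crc),
        "bit_flip_detected": not verify(flip_bit(RECORD, 5, 0), stored_crc),
        # the byte sum is unchanged by a transposition, so it misses it ...
        "swap_missed_by_sum": verify(swapped, stored_sum, additive_checksum),
        # ... while CRC-32 is position-sensitive and reports the mismatch
        "swap_caught_by_crc": not verify(swapped, stored_crc),
    }
```

Note that a checksum detects accidental corruption only; anyone who can alter the data can recompute the checksum, so deliberate tampering calls for a keyed integrity check rather than a plain checksum.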
In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?
- A . Planning phase
- B . Execution phase
- C . Follow-up phase
- D . Selection phase
A
Explanation:
The planning phase is the stage of the internal audit process where contact is established with the individuals responsible for the business processes in scope for review. The planning phase involves defining the objectives, scope, and criteria of the audit, as well as identifying the key risks and controls related to the audited area. The planning phase also involves communicating with the auditee to obtain relevant information, documents, and data, as well as to schedule interviews, walkthroughs, and meetings. The planning phase aims to ensure that the audit team has a clear understanding of the audited area and its context, and that the audit plan is aligned with the expectations and needs of the auditee and other stakeholders.
The execution phase is the stage of the internal audit process where the audit team performs the audit procedures according to the audit plan. The execution phase involves testing the design and operating effectiveness of the controls, collecting and analyzing evidence, documenting the audit work and results, and identifying any issues or findings. The execution phase aims to provide sufficient and appropriate evidence to support the audit conclusions and recommendations.
The follow-up phase is the stage of the internal audit process where the audit team monitors and verifies the implementation of the corrective actions agreed upon by the auditee in response to the audit findings. The follow-up phase involves reviewing the evidence provided by the auditee, conducting additional tests or interviews if necessary, and evaluating whether the corrective actions have adequately addressed the root causes of the findings. The follow-up phase aims to ensure that the auditee has taken timely and effective actions to improve its processes and controls.
The selection phase is not a standard stage of the internal audit process, but it may refer to the process of selecting which areas or functions to audit based on a risk assessment or an annual audit plan. The selection phase involves evaluating the inherent and residual risks of each potential auditable area, considering the impact, likelihood, and frequency of those risks, as well as other factors such as regulatory requirements, stakeholder expectations, previous audit results, and available resources. The selection phase aims to prioritize and allocate the audit resources to those areas that present the highest risks or opportunities for improvement.
Therefore, option A is the correct answer.
Reference: Stages and phases of internal audit – piranirisk.com
Step-by-Step Internal Audit Checklist | AuditBoard
AuditProcess | The Office of Internal Audit – University of Oregon
What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?
- A . To address the overall risk associated with the activity under review
- B . To identify areas with relatively high probability of material problems
- C . To help ensure maximum use of audit resources during the engagement
- D . To help prioritize and schedule auditee meetings
B
Explanation:
The primary purpose of documenting audit objectives when preparing for an engagement is to identify areas with relatively high probability of material problems. Audit objectives are statements that describe what the audit intends to accomplish or verify during the engagement. Audit objectives help the IS auditor to focus on the key areas of risk or concern, to design appropriate audit procedures and tests, and to evaluate audit evidence and results. By documenting audit objectives, the IS auditor can identify areas with relatively high probability of material problems that may affect the achievement of audit goals or business objectives. Addressing the overall risk associated with the activity under review, ensuring maximum use of audit resources during the engagement and prioritizing and scheduling auditee meetings are also purposes of documenting audit objectives, but they are not as primary as identifying areas with high probability of material problems.
Reference: CISA Review Manual, 27th Edition, page 1111
CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
