Practice Free CISA Exam Online Questions
A system performance dashboard indicates several application servers are reaching the defined threshold for maximum CPU allocation.
Which of the following would be the IS auditor’s BEST recommendation for the IT department?
- A. Increase the defined processing threshold to reflect capacity consumption during normal operations.
- B. Notify end users of potential disruptions caused by degradation of servers.
- C. Terminate both ingress and egress connections of these servers to avoid overload.
- D. Validate the processing capacity of these servers is adequate to complete computing tasks.
Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization’s newly implemented online security awareness program?
- A. Only new employees are required to attend the program
- B. Metrics have not been established to assess training results
- C. Employees do not receive immediate notification of results
- D. The timing for program updates has not been determined
Answer: B
Explanation:
The greatest concern for an IS auditor reviewing an online security awareness program is that metrics have not been established to assess training results. Without metrics, it is difficult to measure the effectiveness of the program and identify areas for improvement. The other findings are also issues that need to be addressed, but they are not as significant as the lack of metrics.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.11
Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:
- A. eliminated
- B. unchanged
- C. increased
- D. reduced
Answer: B
Explanation:
Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is unchanged. This is because end users are still the ultimate customers and beneficiaries of the system, and they need to ensure that the software package meets their requirements, expectations, and satisfaction. End user testing, also known as user acceptance testing (UAT) or beta testing, is the final stage of testing performed by the user or client to determine whether the software can be accepted or not [1]. End user testing is important for both in-house developed and acquired software packages, as it helps to verify the functionality, usability, performance, and reliability of the system [2]. End user testing also helps to identify and resolve any defects, errors, or issues that may not have been detected by the developers or vendors [3].
Therefore, option B is the correct answer.
Option A is not correct because end user testing is not eliminated by acquiring a software package. Even though the software package may have been tested by the vendor or supplier, it may still have bugs, compatibility issues, or configuration problems that need to be fixed before deployment [4].
Option C is not correct because end user testing is not increased by acquiring a software package. The scope and extent of end user testing depend on various factors, such as the complexity, criticality, and customization of the system, and not on whether it is developed in-house or acquired.
Option D is not correct because end user testing is not reduced by acquiring a software package. The software package may still require modifications or integrations to suit the specific needs and environment of the organization, and these changes need to be tested by the end users.
References:
[1] What is User Acceptance Testing (UAT): A Complete Guide
[3] What Is End-to-End Testing? (With How-To and Example)
[4] How to Evaluate New Software in 5 Steps
[5] Chapter 4 Methods of Software Acquisition
User Acceptance Testing (UAT) in ERP Projects
User Acceptance Testing for Packaged Software
Which of the following BEST describes the role of the IS auditor in a control self-assessment (CSA)?
- A. Implementer
- B. Facilitator
- C. Approver
- D. Reviewer
Which of the following is the MOST important advantage of participating in beta testing of software products?
- A. It increases an organization’s ability to retain staff who prefer to work with new technology.
- B. It improves vendor support and training.
- C. It enhances security and confidentiality.
- D. It enables an organization to gain familiarity with new products and their functionality.
Answer: D
Explanation:
Beta testing is the process of releasing a near-final version of a software product to a group of external users, known as beta testers, who provide feedback and report bugs based on their real-world experiences. Beta testing offers various benefits for both the developers and the users of the software product. Some of these benefits are:
- It reduces product failure risk via customer validation [1][2].
- It helps to test post-launch infrastructure [1].
- It helps to improve product quality via customer feedback [1][2].
- It allows for thorough bug detection and issue resolution [3].
- It enhances usability and user experience [3].
- It increases customer satisfaction and loyalty [3].
Based on these benefits, the most important advantage of participating in beta testing of software products is D: it enables an organization to gain familiarity with new products and their functionality. By being involved in beta testing, an organization can learn how to use the new product effectively, discover its features and benefits, and provide suggestions for improvement. This can help the organization to adopt the new product faster, easier, and more efficiently when it is officially released. It can also give the organization a competitive edge over other users who are not familiar with the new product.
What is the FIRST step when creating a data classification program?
- A. Categorize and prioritize data.
- B. Develop data process maps.
- C. Categorize information by owner.
- D. Develop a policy.
Answer: D
Explanation:
The first step when creating a data classification program is to develop a policy (D). A data classification policy is a document that defines the purpose, scope, objectives, roles, responsibilities, and procedures of the data classification program. A data classification policy is essential for establishing the governance framework, standards, and guidelines for the data classification process. A data classification policy also helps to communicate the expectations and benefits of the data classification program to the stakeholders, such as data owners, users, custodians, and auditors [1][2].
Categorizing and prioritizing data (A) is not the first step when creating a data classification program, but the third step. Categorizing and prioritizing data involves defining and applying the criteria and labels for classifying data based on its sensitivity, value, and risk. For example, data can be categorized into public, internal, confidential, or restricted levels. Categorizing and prioritizing data helps to identify and protect the most critical and sensitive data assets of the organization [1][2].
Developing data process maps (B) is not the first step when creating a data classification program, but the fourth step. Developing data process maps involves documenting and analyzing the flow and lifecycle of data within the organization. Data process maps show how data is created, collected, stored, processed, transmitted, used, shared, archived, and disposed of. Developing data process maps helps to understand the context and dependencies of data, as well as to identify and mitigate any potential risks or issues related to data quality, security, or compliance [1][2].
Categorizing information by owner (C) is not the first step when creating a data classification program, but the second step. Categorizing information by owner involves assigning roles and responsibilities for each type of data based on its ownership and stewardship. Data owners are the individuals or entities that have the authority and accountability for the data. Data stewards are the individuals or entities that have the operational responsibility for managing and maintaining the data. Data custodians are the individuals or entities that have the technical responsibility for implementing and enforcing the security and access controls for the data [1][2].
References:
[1] 7 Steps to Effective Data Classification | CDW
[2] Data Classification: The Basics and a 6-Step Checklist – NetApp
Which of the following metrics is the BEST indicator of the performance of a web application?
- A. HTTP server error rate
- B. Server thread count
- C. Average response time
- D. Server uptime
Answer: C
Explanation:
The best indicator of the performance of a web application is the average response time. This metric measures how long it takes for the web server to process and deliver a request from the client. It reflects the user’s perception of how fast or slow the web application is, and it affects the user’s satisfaction, engagement, and conversion. A low average response time means that the web application is responsive and efficient, while a high average response time means that the web application is sluggish and unreliable.
HTTP server error rate, server thread count, and server uptime are not as good indicators of the performance of a web application as the average response time. HTTP server error rate measures how often the web server fails to handle a request and returns an error code, such as 404 (Not Found) or 500 (Internal Server Error). This metric indicates the reliability and availability of the web application, but it does not capture how fast or slow the web application is. Server thread count measures how many concurrent requests the web server can handle at a given time. This metric indicates the scalability and capacity of the web application, but it does not capture how long each request takes to process. Server uptime measures how long the web server has been running without interruption. This metric indicates the stability and resilience of the web application, but it does not capture how well the web application performs during that time.
References:
[1] 10 Key Application Performance Metrics & How to Measure Them – Stackify
[2] Measuring performance – Learn web development | MDN
[3] Understanding the Basics of Web Performance | BrowserStack
[4] 14 Important Website Performance Metrics You Should Be Analyzing
[5] Top 8 Web Application Performance Metrics | MetricFire Blog
[6] Web Performance Monitoring: A How to Guide for Developers – Stackify
Which of the following would provide the BEST evidence that a cloud provider’s change management process is effective?
- A. Minutes from regular change management meetings with the vendor
- B. Written assurances from the vendor’s CEO and CIO
- C. The results of a third-party review provided by the vendor
- D. A copy of change management policies provided by the vendor
Answer: C
Explanation:
The results of a third-party review provided by the vendor would provide the best evidence that a cloud provider’s change management process is effective, because it would be an independent and objective assessment of the vendor’s compliance with best practices and standards for managing changes in the cloud environment. A third-party review would also include testing of the vendor’s change management controls and procedures, and provide recommendations for improvement if needed.
Minutes from regular change management meetings with the vendor would not provide sufficient evidence, because they would only reflect the vendor’s self-reported information and may not capture all the changes that occurred or their impact on the cloud services. Written assurances from the vendor’s CEO and CIO would also not provide sufficient evidence, because they would be based on the vendor’s own opinion and may not be verified by external sources. A copy of change management policies provided by the vendor would not provide sufficient evidence, because it would only show the vendor’s intended approach to change management, but not how it is implemented or monitored in practice.
References:
ISACA Cloud Computing Audit Program, Section 4.5: Change Management
Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, Section
Which of the following BEST indicates the effectiveness of an organization’s risk management program?
- A. Inherent risk is eliminated.
- B. Residual risk is minimized.
- C. Control risk is minimized.
- D. Overall risk is quantified.
Answer: B
Explanation:
The effectiveness of a risk management program can be measured by how well it reduces the residual risk, which is the risk that remains after applying controls, to an acceptable level. Inherent risk is the risk that exists before applying any controls, and it cannot be eliminated completely. Control risk is the risk that the controls fail to prevent or detect a risk event, and it is a component of residual risk. Overall risk is not a meaningful metric for assessing the effectiveness of a risk management program, as it does not account for the impact and likelihood of different risk events.
References: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.2
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
- A. Availability of IS audit resources
- B. Remediation dates included in management responses
- C. Peak activity periods for the business
- D. Complexity of business processes identified in the audit
Answer: B
Explanation:
The most important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings is the remediation dates included in management responses. The IS auditor should ensure that the follow-up activities are aligned with the agreed-upon action plans and deadlines that management has committed to in response to the audit findings. The follow-up activities should verify that management has implemented the corrective actions effectively and in a timely manner, and that the audit findings have been resolved or mitigated.
The other options are less important factors for establishing timeframes for follow-up activities:
- Availability of IS audit resources (A): this is a practical factor that may affect the scheduling and execution of follow-up activities, but it should not override the priority and urgency of verifying management’s corrective actions.
- Peak activity periods for the business (C): this is a factor that may affect the availability and cooperation of auditees during follow-up activities, but it should not delay or postpone the verification of management’s corrective actions beyond reasonable limits.
- Complexity of business processes identified in the audit (D): this is a factor that may affect the scope and depth of follow-up activities, but it should not affect the timeframe for verifying management’s corrective actions.