Practice Free CISA Exam Online Questions
During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed.
Who should be accountable for managing these risks?
- A. Enterprise risk manager
- B. Project sponsor
- C. Information security officer
- D. Project manager
Answer: D
Explanation:
The project manager should be accountable for managing the risks to project benefits. Project benefits are the expected outcomes or value that a project delivers to its stakeholders, such as improved efficiency, quality, customer satisfaction, or revenue. Project risks are uncertain events or conditions that may affect the project objectives, scope, budget, schedule, or quality. The project manager is responsible for identifying, analyzing, prioritizing, responding to, and monitoring project risks throughout the project life cycle. The other options are not accountable for managing project risks, as they have different roles and responsibilities. The enterprise risk manager is responsible for overseeing the organization’s overall risk management framework and strategy, but not for managing specific project risks. The project sponsor is responsible for initiating, approving, and supporting the project, but not for managing project risks. The information security officer is responsible for ensuring that the project complies with the organization’s information security policies and standards, but not for managing project risks.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3
An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes.
Which of the following recommendations would BEST help to reduce the risk of data leakage?
- A. Requiring policy acknowledgment and nondisclosure agreements signed by employees
- B. Providing education and guidelines to employees on use of social networking sites
- C. Establishing strong access controls on confidential data
- D. Monitoring employees’ social networking usage
Answer: B
Explanation:
While all the options can help reduce the risk of data leakage, providing education and guidelines to employees on the use of social networking sites would be the most effective. This is because it directly addresses the issue at hand – the use of social networking sites for business purposes [1]. Education and guidelines can help employees understand the risks associated with social media use and teach them how to safely and responsibly use these platforms for business purposes [1]. This includes understanding privacy settings, recognizing phishing attempts, and knowing what information should not be shared on these platforms [1].
References:
1. 10 Social Media Guidelines for Employees in 2023 – Hootsuite
Which of the following provides the BEST assurance of data integrity after file transfers?
- A. Check digits
- B. Monetary unit sampling
- C. Hash values
- D. Reasonableness check
Answer: C
Explanation:
The best assurance of data integrity after file transfers is hash values. Hash values are unique strings that are generated by applying a mathematical function to the data. Hash values can be used to verify that the data has not been altered or corrupted during the transfer, as any change in the data would result in a different hash value. By comparing the hash values of the source and destination files, one can confirm that the data is identical and intact.
The other options are not as effective as hash values for ensuring data integrity after file transfers. Check digits are digits added to a number to detect errors in data entry or transmission, but they are not reliable for detecting intentional or complex modifications of the data. Monetary unit sampling is a statistical sampling technique used for auditing financial statements, but it is not applicable for verifying data integrity after file transfers. Reasonableness check is a validation method that checks whether the data falls within an expected range or format, but it does not guarantee that the data is accurate or consistent with the source.
References:
1. On Windows, how to check that data is unchanged after copying? – Super User
2. Data integrity | Cloud Storage Transfer Service Documentation | Google Cloud
3. Checking File Integrity – HECC Knowledge Base
4. How to setup File Transfer Integrity Checks – Progress.com
An IS auditor has been tasked to review the processes that prevent fraud within a business expense claim system.
Which of the following stakeholders is MOST important to involve in this review?
- A. Information security manager
- B. Quality assurance (QA) manager
- C. Business department executive
- D. Business process owner
Answer: D
Explanation:
The business process owner is the most important stakeholder to involve in the review of the processes that prevent fraud within a business expense claim system. This is because the business process owner is responsible for defining, implementing, and monitoring the business rules and policies that govern the expense claim process. The business process owner also has the authority and accountability to approve or reject expense claims, as well as to investigate and report any suspicious or fraudulent activities. The business process owner can provide valuable insights and feedback to the IS auditor on the effectiveness and efficiency of the current processes, as well as the potential risks and controls that need to be addressed.
The information security manager is not the most important stakeholder because their role is mainly focused on ensuring the confidentiality, integrity, and availability of the information systems and data that support the expense claim process. The information security manager can help the IS auditor with assessing the technical aspects of the system, such as access controls, encryption, logging, and backup, but they may not have sufficient knowledge or authority over the business rules and policies that prevent fraud.
The quality assurance (QA) manager is not the most important stakeholder because their role is mainly focused on ensuring the quality and reliability of the software applications and systems that support the expense claim process. The QA manager can help the IS auditor with testing and verifying the functionality and performance of the system, but they may not have sufficient knowledge or authority over the business rules and policies that prevent fraud.
The business department executive is not the most important stakeholder because their role is mainly focused on overseeing the strategic objectives and financial performance of the business department that uses the expense claim system. The business department executive can help the IS auditor with understanding the business context and needs of the expense claim process, but they may not have sufficient knowledge or authority over the operational details and controls that prevent fraud.
Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?
- A. Variable sampling
- B. Judgmental sampling
- C. Stop-or-go sampling
- D. Discovery sampling
Answer: D
Explanation:
Discovery sampling is a type of statistical sampling that is used when the expected error rate in the population is very low [1]. This method is designed to discover at least one instance of an attribute or condition in a population [1]. It is often used in auditing to uncover fraud or noncompliance with rules and regulations [1].
References:
1. What are sampling methods and how do you choose the best one?
Which of the following should be done FIRST when planning a penetration test?
- A. Execute nondisclosure agreements (NDAs).
- B. Determine reporting requirements for vulnerabilities.
- C. Define the testing scope.
- D. Obtain management consent for the testing.
Answer: D
Explanation:
The first step when planning a penetration test is to obtain management consent for the testing. This is because a penetration test involves simulating a cyberattack against the organization’s systems and networks, which may have legal, ethical, and operational implications. Without proper authorization from management, a penetration test may violate laws, policies, contracts, or service level agreements. Management consent also helps define the objectives, scope, and boundaries of the test, as well as the roles and responsibilities of the testers and the stakeholders. Obtaining management consent for the testing also demonstrates due care and due diligence on the part of the testers and the organization.
Executing nondisclosure agreements (NDAs), determining reporting requirements for vulnerabilities, and defining the testing scope are important steps when planning a penetration test, but they are not the first step. These steps should be done after obtaining management consent for the testing, as they depend on the approval and involvement of management and other parties.
An IS auditor has identified deficiencies within the organization’s software development life cycle policies.
Which of the following should be done NEXT?
- A. Document the findings in the audit report.
- B. Identify who approved the policies.
- C. Escalate the situation to the lead auditor.
- D. Communicate the observation to the auditee.
Answer: D
Explanation:
An IS auditor has identified deficiencies within the organization’s software development life cycle (SDLC) policies. The SDLC is the process of planning, developing, testing, and deploying software applications [1]. SDLC policies are the guidelines and standards that govern the SDLC process and ensure its quality, security, and compliance [2].
Deficiencies in SDLC policies can lead to various risks, such as:
- Software errors, bugs, or vulnerabilities that can affect the functionality, reliability, or security of the applications [3]
- Software failures, delays, or overruns that can affect the delivery, performance, or customer satisfaction of the applications [3]
- Software non-compliance that can result in legal, regulatory, or contractual violations or penalties [3]
The next step that the IS auditor should take after identifying deficiencies in SDLC policies is to communicate the observation to the auditee. The auditee is the person or entity that is subject to the audit and is responsible for the area being audited [4]. In this case, the auditee could be the software development manager, the project manager, or the senior management of the organization.
Communicating the observation to the auditee is important for several reasons:
- It allows the IS auditor to verify the accuracy and validity of the observation and gather additional evidence or information from the auditee [4]
- It gives the auditee an opportunity to respond to the observation and provide their perspective, explanation, or justification for the deficiencies [4]
- It enables the IS auditor to discuss with the auditee the potential impact, root cause, and remediation plan for the deficiencies [4]
- It fosters a collaborative and constructive relationship between the IS auditor and the auditee and promotes transparency and accountability in the audit process [4]
The other options are not as appropriate as communicating the observation to the auditee. Documenting the findings in the audit report is a later step that should be done after communicating with the auditee and finalizing the observation. Identifying who approved the policies is not relevant for addressing the deficiencies and may imply blame or fault on a specific person or group. Escalating the situation to the lead auditor is not necessary unless there is a serious disagreement or conflict with the auditee that cannot be resolved by normal communication. Therefore, option D is the correct answer.
References:
1. What Is The Software Development Life Cycle? | PagerDuty
2. Software Development Life Cycle (SDLC) Policy | StrongDM
3. What Is SDLC? Best Phases, Methodologies, and Benefits Revealed – Kellton
4. Communicating Audit Findings
Which of the following is the MOST effective way for an organization to protect against data loss?
- A. Limit employee internet access.
- B. Implement data classification procedures.
- C. Review firewall logs for anomalies.
- D. Conduct periodic security awareness training.
Answer: D
Explanation:
Data loss can occur due to various reasons, such as accidental deletion, hardware failure, malware infection, theft, or unauthorized access. Data classification procedures can help to identify and protect sensitive data, but they are not sufficient to prevent data loss. The most effective way to protect against data loss is to conduct periodic security awareness training for employees, which can educate them on the importance of data security, the best practices for data handling and storage, and the common threats and risks to data.
Coding standards provide which of the following?
- A. Program documentation
- B. Access control tables
- C. Data flow diagrams
- D. Field naming conventions
Answer: D
Explanation:
Coding standards provide field naming conventions, which are rules for naming variables, constants, functions, classes, and other elements in a program. Coding standards help to ensure consistency, readability, maintainability, and portability of code. Program documentation, access control tables, and data flow diagrams are not part of coding standards.
References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.1
How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?
- A. Easy software version rollback
- B. Smaller incremental changes
- C. Fewer manual milestones
- D. Automated software testing
Answer: B
Explanation:
A continuous integration/continuous development (CI/CD) process helps to reduce software failure risk by enabling smaller incremental changes to the software code, rather than large and infrequent updates [1][2]. Smaller incremental changes allow developers to detect and fix errors, bugs, or vulnerabilities more quickly and easily, and to ensure that the software is always in a working state [3][4]. Smaller incremental changes also reduce the complexity and uncertainty of the software development process, and improve the quality and reliability of the software product [5].
References:
1. What is CI/CD? Continuous integration and continuous delivery explained
2. 5 CI/CD challenges - and how to solve them | TechBeacon
3. Continuous Integration vs Continuous Delivery vs Continuous Deployment
4. 7 CI/CD Challenges & their Must-Know Solutions | BrowserStack
5. 5 common pitfalls of CI/CD - and how to avoid them | InfoWorld