Practice Free CISA Exam Online Questions
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated.
The GREATEST concern to the IS auditor is that policies and procedures might not:
- A . reflect current practices.
- B . include new systems and corresponding process changes.
- C . incorporate changes to relevant laws.
- D . be subject to adequate quality assurance (QA).
A
Explanation:
The greatest concern for an IS auditor when IT policies and procedures are not regularly reviewed and updated is that they might not reflect current practices. Policies define the goals, objectives, and guidelines for an organization’s information systems and resources; procedures describe the steps, tasks, or activities for implementing those policies. Both should be reviewed and updated regularly so that they remain relevant, accurate, consistent, and effective for the organization’s information systems and resources. Policies and procedures that are not regularly reviewed may become outdated, obsolete, or incompatible with the current state or needs of the organization’s systems, causing confusion, inconsistency, inefficiency, or noncompliance among the users and stakeholders who rely on them for guidance or direction. That policies and procedures might not include new systems and corresponding process changes is also a possible concern, but it is not the greatest one: unreviewed documents may fail to respond to the introduction or modification of information systems or resources, creating gaps, overlaps, or conflicts among policies and procedures that cover different systems or resources.
Which of the following is the MAIN purpose of an information security management system?
- A . To identify and eliminate the root causes of information security incidents
- B . To enhance the impact of reports used to monitor information security incidents
- C . To keep information security policies and procedures up-to-date
- D . To reduce the frequency and impact of information security incidents
D
Explanation:
The main purpose of an information security management system (ISMS) is to reduce the frequency and impact of information security incidents. An ISMS is a systematic approach to managing information security risks, policies, procedures, and controls within an organization. An ISMS aims to ensure the confidentiality, integrity, and availability of information assets, as well as to comply with relevant laws and regulations. The other options are not the main purpose of an ISMS, but rather some of its possible benefits or components.
References:
CISA Review Manual (Digital Version), Chapter 7, Section 7.11
CISA Review Questions, Answers & Explanations Database, Question ID 205
A small organization is experiencing rapid growth and plans to create a new information security policy.
Which of the following is MOST relevant to creating the policy?
- A . Business objectives
- B . Business impact analysis (BIA)
- C . Enterprise architecture (EA)
- D . Recent incident trends
Which of the following controls BEST provides confidentiality and nonrepudiation for an online business looking for digital payment data security?
- A . Data Encryption Standard (DES)
- B . Advanced Encryption Standard (AES)
- C . Public Key Infrastructure (PKI)
- D . Virtual Private Network (VPN)
C
Explanation:
For online payment security, both confidentiality (protection of data) and nonrepudiation (ensuring the sender cannot deny a transaction) are essential.
Option A (Incorrect): DES is outdated and insecure for modern encryption needs. It has been replaced by stronger algorithms.
Option B (Incorrect): AES provides strong encryption (confidentiality) but does not handle nonrepudiation on its own.
Option C (Correct): PKI (Public Key Infrastructure) is the best solution because it provides encryption for confidentiality and digital signatures for nonrepudiation, ensuring both secure transactions and authentication of parties involved.
Option D (Incorrect): A VPN secures network traffic, but it does not address nonrepudiation, which is critical in online payments.
Reference: ISACA CISA Review Manual, Domain 5: Protection of Information Assets, which covers encryption, PKI, and secure payment processing.
An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center.
Which of the following is the GREATEST risk associated with this change?
- A . Version control issues
- B . Reduced system performance
- C . Inability to recover from cybersecurity attacks
- D . Increase in IT investment cost
C
Explanation:
Real-time replication to a second data center means that any changes made to the primary data center are immediately copied to the secondary data center. This can improve data availability and performance, but also introduces the risk of propagating malicious or erroneous changes to the backup data center. If a cybersecurity attack compromises the primary data center, it may also affect the secondary data center, making it difficult or impossible to recover from the attack using the replicated data. Therefore, option C is the greatest risk associated with this change.
Option A is not correct because version control issues are more likely to occur with batch processing backup, which may create inconsistencies between different versions of the data.
Option B is not correct because real-time replication may reduce system performance at the primary data center, but it may also improve system performance at the secondary data center by reducing latency and network traffic.
Option D is not correct because although real-time replication may increase IT investment cost, this is not a risk but a trade-off that the organization has to consider.
References:
Data Replication: The Basics, Risks, and Best Practices
Best Practices for Data Replication Between Data Centers
The Good, Bad, and Ugly of Data Replication
An IS auditor determines that the vendor’s deliverables do not include the source code for a newly acquired product.
To address this issue, which of the following should the auditor recommend be included in the contract?
- A . Confidentiality and data protection clauses
- B . Service level agreement (SLA)
- C . Software escrow agreement
- D . Right-to-audit clause
C
Explanation:
The correct answer is C, Software escrow agreement. A software escrow agreement is a legal arrangement between three parties: the software developer (licensor), the end user (licensee), and an escrow agent. The agreement ensures that the software’s source code and other relevant assets are securely stored with the escrow agent and can be released to the licensee under certain conditions, such as the licensor’s bankruptcy, insolvency, or failure to provide support or maintenance. A software escrow agreement gives the licensee assurance and continuity for the software they depend on, and protects them from losing access or functionality in case of unforeseen events or disputes with the licensor.
A transaction processing system interfaces with the general ledger. Data analytics has identified that some transactions are being recorded twice in the general ledger.
While management states a system fix has been implemented, what should the IS auditor recommend to validate the interface is working in the future?
- A . Perform periodic reconciliations.
- B . Ensure system owner sign-off for the system fix.
- C . Conduct functional testing.
- D . Improve user acceptance testing (UAT).
A
Explanation:
A transaction processing system (TPS) is a system that captures, processes, and stores data related to business transactions [1]. A general ledger is a system that records the financial transactions of an organization in different accounts [2]. An interface is a connection point between two systems that allows data exchange [3]. A system fix is a change or update to a system that resolves a problem or improves its functionality [4].
The IS auditor should recommend performing periodic reconciliations to validate that the interface between the TPS and the general ledger keeps working in the future. A reconciliation is a process of comparing and verifying the data in two systems to ensure accuracy and consistency [1]. Periodic reconciliations detect errors or discrepancies between the two systems, such as duplicate transactions, missing transactions, or incorrect amounts, so that they can be corrected and the reliability and integrity of the financial data in both systems maintained.
The other options are not as effective as periodic reconciliations for validating the interface. System owner sign-off for the system fix is a form of approval indicating that the system owner agrees with the change and its expected outcome [4]; it does not guarantee that the fix will work as intended or prevent future errors. Functional testing verifies that the system performs its intended functions correctly and meets its requirements [4], but it is usually done before or after the system fix is implemented, not on an ongoing basis. Improving user acceptance testing (UAT), which evaluates whether the system meets the needs and expectations of the end users [4], is likewise done around implementation rather than continuously. Therefore, option A is the correct answer.
References:
Transaction Interface: Organization, Process, and System
Validation of Interfaces – Ensuring Data Integrity and Quality across Systems
Oracle Payments Implementation Guide
Receiving Transactions Inserted Into Interface Table as BATCH And PENDING Are Not Processed By Receiving Transaction Processor
What Is a Transaction Processing System (TPS)? (Plus Types)
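The periodic reconciliation recommended above, as an added illustration rather than code from the page: it compares a TPS extract with the GL postings for the same period and reports the duplicate postings the question describes, plus missing and unmatched entries and amount mismatches. The two-column record layout and the sample extracts are constructed assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample extracts: (transaction_id, amount) for one period. In practice
# these would come from the TPS export and the GL interface table.
TPS_EXTRACT = [
    ("T1001", Decimal("250.00")),
    ("T1002", Decimal("99.95")),
    ("T1003", Decimal("1200.00")),
    ("T1004", Decimal("45.10")),
]
GL_POSTINGS = [
    ("T1001", Decimal("250.00")),
    ("T1002", Decimal("99.95")),
    ("T1002", Decimal("99.95")),    # recorded twice, the symptom in the question
    ("T1003", Decimal("1020.00")),  # digits transposed on posting
    ("T1005", Decimal("10.00")),    # posted to the GL with no TPS source
    # T1004 never reached the GL
]


def reconcile(tps, gl):
    """Return the reconciliation exceptions and the control totals of both sides.

    duplicates: ids posted to the GL more than once; missing_in_gl: TPS ids with
    no GL posting; unmatched_in_gl: GL ids with no TPS source; amount_mismatches:
    ids present on both sides whose (first) GL amount differs from the TPS amount.
    """
    gl_counts = Counter(txn_id for txn_id, _ in gl)
    tps_amounts = {txn_id: amt for txn_id, amt in tps}
    gl_amounts = {}
    for txn_id, amt in gl:
        gl_amounts.setdefault(txn_id, amt)  # keep first posting for comparison
    both = set(tps_amounts) & set(gl_amounts)
    return {
        "duplicates": sorted(t for t, n in gl_counts.items() if n > 1),
        "missing_in_gl": sorted(set(tps_amounts) - set(gl_amounts)),
        "unmatched_in_gl": sorted(set(gl_amounts) - set(tps_amounts)),
        "amount_mismatches": sorted(t for t in both if tps_amounts[t] != gl_amounts[t]),
        "tps_total": sum(a for _, a in tps),
        "gl_total": sum(a for _, a in gl),
    }
```

A non-empty exception list or a variance between the two control totals is what a reconciliation review would raise with the interface owner for investigation.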
When physical destruction is not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?
- A . Overwriting multiple times
- B . Encrypting the disk
- C . Reformatting
- D . Deleting files sequentially
A
Explanation:
The correct answer is A, Overwriting multiple times. Overwriting is a method of securely erasing data from a hard disk by replacing the existing data with random or meaningless data, making it difficult or impossible to recover the original data. Overwriting multiple times, also known as multiple-pass overwriting, is a more effective way of disposing of sensitive data than overwriting once, as it reduces the possibility of residual traces of data that could be recovered by advanced techniques. Overwriting multiple times can be done using specialized software tools that follow certain standards or algorithms, such as the US Department of Defense’s DoD 5220.22-M or the Gutmann method.
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions.
Which of the following is MOST important for the organization to ensure?
- A . The policy includes a strong risk-based approach.
- B . The retention period allows for review during the year-end audit.
- C . The total transaction amount has no impact on financial reporting.
- D . The retention period complies with data owner responsibilities.
D
Explanation:
The most important thing for the organization to ensure when reducing the actual retention period for media containing completed low-value transactions is that the retention period complies with data owner responsibilities. Data owners are accountable for the quality, security, and availability of the data under their control. They are also responsible for defining and enforcing data retention policies that comply with legal, regulatory, contractual, and business requirements. Data owners should be consulted and involved in any decision that affects the retention period of their data, as they are ultimately liable for any consequences of data loss or breach.
A strong risk-based approach in the policy, a retention period that allows for review during the year-end audit, and confirmation that the total transaction amount has no impact on financial reporting are not the most important things to ensure when reducing the retention period for media containing completed low-value transactions. These are factors or benefits that may influence or justify the decision, but they do not override or replace the data owner’s responsibilities.
An IS auditor discovers that backups of critical systems are not being performed in accordance with the recovery point objective (RPO) established in the business continuity plan (BCP).
What should the auditor do NEXT?
- A . Request an immediate backup be performed.
- B . Expand the audit scope.
- C . Identify the root cause.
- D . Include the observation in the report.