Practice Free CISA Exam Online Questions
A fire alarm system has been installed in the computer room. The MOST effective location for the fire alarm control panel would be inside the:
- A . computer room closest to the uninterruptible power supply (UPS) module
- B . computer room closest to the server computers
- C . system administrators’ office
- D . booth used by the building security personnel
D
Explanation:
A fire alarm system is a device that detects and alerts people of the presence of fire or smoke in a building. A fire alarm control panel is the central unit that monitors and controls the fire alarm system. The most effective location for the fire alarm control panel would be inside the booth used by the building security personnel.
This is because:
The security personnel can quickly and easily access the fire alarm control panel in case of an emergency, and take appropriate actions such as notifying the fire department, evacuating the building, or resetting the system.
The fire alarm control panel can be protected from unauthorized access, tampering, or damage by the security personnel, who can also monitor its status and performance regularly.
The fire alarm control panel can be isolated from the computer room, which may be exposed to higher risks of fire or smoke due to the presence of electrical equipment, such as uninterruptible power supply (UPS) modules or server computers.
The fire alarm control panel can be connected to the computer room through a dedicated communication line, which can ensure reliable and timely transmission of signals and information between the two locations.
An organization has recently acquired and implemented intelligent-agent software for granting loans to customers.
During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?
- A . Review system and error logs to verify transaction accuracy.
- B . Review input and output control reports to verify the accuracy of the system decisions.
- C . Review signed approvals to ensure responsibilities for decisions of the system are well defined.
- D . Review system documentation to ensure completeness.
B
Explanation:
Reviewing input and output control reports to verify the accuracy of the system decisions is the most important procedure for the IS auditor to perform during the post-implementation review of intelligent-agent software for granting loans to customers, because it can help identify any errors or anomalies in the system logic or data that may affect the quality and reliability of the system outcomes. Reviewing system and error logs, signed approvals, and system documentation are also important procedures, but they are not as critical as verifying the accuracy of the system decisions.
References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.21
Which of the following is the BEST justification for deferring remediation testing until the next audit?
- A . The auditor who conducted the audit and agreed with the timeline has left the organization.
- B . Management’s planned actions are sufficient given the relative importance of the observations.
- C . Auditee management has accepted all observations reported by the auditor.
- D . The audit environment has changed significantly.
D
Explanation:
Deferring remediation testing until the next audit is justified only when there are significant changes in the audit environment that affect the relevance or validity of the audit observations and recommendations, for example changes in the business processes, systems, regulations, or risks that require a new audit scope or approach. The other options are not valid justifications for deferring remediation testing, as they do not address the timeliness or quality of the audit follow-up process. The departure of the auditor who conducted the audit and agreed with the timeline does not affect the responsibility of the audit function to ensure that remediation testing is performed as planned. The fact that management’s planned actions are sufficient given the relative importance of the observations does not guarantee that management will actually implement those actions or that they will be effective in addressing the audit issues. Auditee management’s acceptance of all observations reported by the auditor does not eliminate the need for verification of remediation actions by an independent party.
References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4
Which of the following would BEST protect the confidentiality of sensitive data in transit between multiple offices?
- A . Hash algorithms
- B . Digital signatures
- C . Public key infrastructure (PKI)
- D . Kerberos
An accounting department uses a spreadsheet to calculate sensitive financial transactions.
Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?
- A . There is a reconciliation process between the spreadsheet and the finance system
- B . A separate copy of the spreadsheet is routinely backed up
- C . The spreadsheet is locked down to avoid inadvertent changes
- D . Access to the spreadsheet is given only to those who require access
D
Explanation:
Granting access to the spreadsheet only to those who require it is the most important control for maintaining the security of data in the spreadsheet. An IS auditor should ensure that the principle of least privilege is applied to limit access to sensitive financial data and prevent unauthorized disclosure, modification, or deletion. The other options are less important controls that may enhance the accuracy, availability, or integrity of data in the spreadsheet, but not its security.
References:
CISA Review Manual (Digital Version), Chapter 6, Section 6.31
CISA Review Questions, Answers & Explanations Database, Question ID 210
Which of the following is the PRIMARY purpose of a rollback plan for a system change?
- A . To ensure steps exist to remove the change if necessary
- B . To ensure testing can be re-performed if required
- C . To ensure a backup exists before implementing a change
- D . To ensure the system change is effective
In an IT organization where many responsibilities are shared which of the following is the BEST control for detecting unauthorized data changes?
- A . Users are required to periodically rotate responsibilities
- B . Segregation of duties conflicts are periodically reviewed
- C . Data changes are independently reviewed by another group
- D . Data changes are logged in an outside application
C
Explanation:
The best control for detecting unauthorized data changes in an IT organization where many responsibilities are shared is to have data changes independently reviewed by another group. An independent review provides an objective and unbiased verification of the data changes and ensures that they are authorized, accurate, and complete. It also helps to detect any errors, fraud, or malicious activities that may have occurred during the data changes, and provides assurance that data integrity and security are maintained.
References:
CISA Review Manual (Digital Version), Chapter 4, Section 4.31
CISA Online Review Course, Domain 1, Module 4, Lesson 22
Which of the following must be in place before an IS auditor initiates audit follow-up activities?
- A . Available resources for the activities included in the action plan
- B . A management response in the final report with a committed implementation date
- C . A heat map with the gaps and recommendations displayed in terms of risk
- D . Supporting evidence for the gaps and recommendations mentioned in the audit report
B
Explanation:
A management response in the final report with a committed implementation date must be in place before an IS auditor initiates audit follow-up activities, because it indicates that management has acknowledged and accepted the audit findings and recommendations, and has agreed to take corrective actions within a specified timeframe. Audit follow-up activities are the processes and procedures that the IS auditor performs to verify that management has implemented the agreed-upon actions effectively and in a timely manner, and that the audit findings have been resolved or mitigated.
The other options are not required to be in place before an IS auditor initiates audit follow-up activities:
Available resources for the activities included in the action plan. This is a factor that may affect the feasibility and success of the action plan, but it is not a prerequisite for the audit follow-up activities. The IS auditor should assess the availability and adequacy of the resources for the action plan during the audit planning and execution phases, and provide recommendations accordingly. However, the IS auditor does not need to wait for the resources to be available before initiating the audit follow-up activities.
A heat map with the gaps and recommendations displayed in terms of risk. This is a tool that may help the IS auditor prioritize and communicate the gaps and recommendations, but it is not a requirement for the audit follow-up activities. A heat map is a graphical representation of data that uses colors to indicate the level of risk or impact of each gap or recommendation. The IS auditor may use a heat map to support the audit report or presentation, but it does not replace the need for a management response with a committed implementation date.
Supporting evidence for the gaps and recommendations mentioned in the audit report. This is a component that should be included in the audit report, but it is not a condition for the audit follow-up activities. Supporting evidence is the information or data that supports or substantiates the audit findings and recommendations. The IS auditor should collect and document sufficient, reliable, relevant, and useful evidence during the audit execution phase, and present it in the audit report. However, the IS auditor does not need to have supporting evidence in place before initiating the audit follow-up activities.
An IS auditor is reviewing a client’s outsourced payroll system to assess whether the financial audit team can rely on the application.
Which of the following findings would be the auditor’s GREATEST concern?
- A . User access rights have not been periodically reviewed by the client.
- B . Payroll processing costs have not been included in the IT budget.
- C . The third-party contract has not been reviewed by the legal department.
- D . The third-party contract does not comply with the vendor management policy.
C
Explanation:
A third-party contract that has not been reviewed by the legal department is the auditor’s greatest concern because it poses a significant legal and financial risk to the client. A third-party contract is a legally binding agreement between the client and the outsourced payroll provider that defines the scope, terms, and conditions of the service. It should be reviewed by the legal department to ensure that it complies with the applicable laws and regulations, protects the client’s interests and rights, and specifies the roles and responsibilities of both parties. A third-party contract that has not been reviewed by the legal department may contain clauses that are unfavorable, ambiguous, or contradictory to the client, such as:
Inadequate or unclear service level agreements (SLAs) that do not specify the quality, timeliness, and accuracy of the payroll service.
Insufficient or vague security and confidentiality provisions that do not safeguard the client’s data and information from unauthorized access, use, disclosure, or loss.
Unreasonable or excessive fees, penalties, or liabilities that may impose an undue financial burden on the client.
Limited or no audit rights that may prevent the client from verifying the effectiveness and compliance of the payroll provider’s internal controls.
Inflexible or restrictive termination clauses that may limit the client’s ability to cancel or switch to another payroll provider.
A third-party contract that has not been reviewed by the legal department may expose the client to various risks, such as:
Legal disputes or litigation with the payroll provider over contractual breaches or performance issues.
Regulatory fines or sanctions for noncompliance with tax, labor, or other laws and regulations related to payroll.
Financial losses or damages due to errors, fraud, or negligence by the payroll provider.
Reputation damage or customer dissatisfaction due to payroll errors or delays.
Therefore, an IS auditor should be highly concerned about a third-party contract that has not been reviewed by the legal department and recommend that the client seek legal advice before signing or renewing any contract with an outsourced payroll provider.
User access rights that have not been periodically reviewed by the client are a moderate concern because this may indicate a lack of proper access control over the payroll system. User access rights are the permissions granted to users to access, view, modify, or delete data and information in the payroll system. They should be periodically reviewed by the client to ensure that they are aligned with the user’s roles and responsibilities, and that they are revoked or modified when a user changes roles or leaves the organization. User access rights that are not periodically reviewed may result in unauthorized or inappropriate access to payroll data and information, which may compromise its confidentiality, integrity, and availability.
Payroll processing costs that have not been included in the IT budget are a minor concern because this may indicate a lack of proper planning and allocation of IT resources for payroll processing. Payroll processing costs are the expenses incurred by the client for using an outsourced payroll service, such as fees, charges, taxes, or penalties. They should be included in the IT budget to ensure that they are adequately estimated, monitored, and controlled. Payroll processing costs that are not included in the IT budget may result in unexpected or excessive costs for payroll processing, which may affect the client’s profitability and cash flow.
A third-party contract that does not comply with the vendor management policy is a low concern because this may indicate a lack of alignment between the client’s vendor management policy and its actual vendor selection and evaluation process. A vendor management policy is a set of guidelines and procedures that governs how the client manages its relationships with its vendors, such as how to select, monitor, evaluate, and terminate them. A vendor management policy should be consistent with the client’s business objectives, risk appetite, and regulatory requirements. A third-party contract that does not comply with the vendor management policy may result in suboptimal vendor performance or service quality, but it does not necessarily imply a breach of contract or a violation of law.
Which of the following is the PRIMARY reason to perform a risk assessment?
- A . To determine the current risk profile
- B . To ensure alignment with the business impact analysis (BIA)
- C . To achieve compliance with regulatory requirements
- D . To help allocate budget for risk mitigation controls
A
Explanation:
The primary reason to perform a risk assessment is to determine the current risk profile of the organization, which is the level of risk exposure and the likelihood and impact of potential threats. This will help the organization to identify and prioritize the risks that need to be addressed and to align the risk management strategy with the business objectives. A risk assessment may also help to achieve compliance, support the BIA, and allocate budget, but these are not the primary reasons.
References: ISACA Glossary of Terms, section “risk assessment”