Practice Free CISA Exam Online Questions
An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?
- A . Project management
- B . Risk assessment results
- C . IT governance framework
- D . Portfolio management
D
Explanation:
The most helpful tool in matching demand for projects and services with available resources in a way that supports business objectives is portfolio management. Portfolio management is the process of selecting, prioritizing, balancing and aligning IT projects and services with the strategic goals and value proposition of the organization. It helps the IT organization allocate resources efficiently and effectively, deliver value to the business units, and align IT initiatives with business strategy. Project management, risk assessment results and an IT governance framework are also important, but none of them matches demand for IT projects and services against supply the way portfolio management does.
References:
CISA Review Manual, 27th Edition, page 721
CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
An IS auditor should be MOST concerned if which of the following fire suppression systems is utilized to protect an asset storage closet?
- A . Deluge system
- B . Wet pipe system
- C . Preaction system
- D . CO2 system
D
Explanation:
A CO2 system is the greatest concern for an IS auditor when it is used to protect an asset storage closet. While CO2 systems are effective at suppressing fires, they pose a significant safety risk to personnel: on discharge, the system floods the room with carbon dioxide, displacing the oxygen, which is hazardous to anyone who is in the closet at the time. The other three options are water-based systems (deluge, wet pipe, preaction) that may damage equipment but do not create the same life-safety hazard.
References: ISACA's Information Systems Auditor Study Materials
Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
- A . The organization’s systems inventory is kept up to date.
- B . Vulnerability scanning results are reported to the CISO.
- C . The organization is using a cloud-hosted scanning tool for identification of vulnerabilities.
- D . Access to the vulnerability scanning tool is periodically reviewed.
A
Explanation:
The completeness of the vulnerability scanning process depends on the accuracy and currency of the organization's systems inventory, the list of all hardware and software assets that the organization owns or uses. A complete and up-to-date inventory is what allows the auditor to confirm that every system is identified and scanned, and that nothing is missed or overlooked: a scanner can only report on targets it has been pointed at.
Reporting scan results to the CISO is good practice for accountability and visibility of the vulnerability management process, but reporting does not guarantee that all systems were scanned. Using a cloud-hosted scanning tool is one possible way to run scans, but the type of tool does not determine the scope or coverage of the scanning. Periodically reviewing access to the scanning tool is a critical control for the security and integrity of the tool itself, but an access review does not ensure that all systems are scanned.
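The completeness test described above can be performed mechanically by reconciling the asset inventory against what the scanner actually covered. The following is an added example (not from the CISA material or any ISACA source): it treats a CMDB export and a scanner export as two CSV files and reports hosts that were never scanned, scanned too long ago, scanned without credentials, or seen by the scanner but absent from the inventory. The field names, hosts, addresses, dates and the 30-day cadence are all constructed for illustration.

```python
"""Reconcile an asset inventory against vulnerability-scan coverage.

Added example (not from the CISA material): an auditor's completeness
test for vulnerability scanning. The inventory rows, scan-result rows,
field names and thresholds are constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed CMDB export (hypothetical fields).
INVENTORY_CSV = """hostname,ip,owner,status
web-01,10.0.1.10,app-team,active
web-02,10.0.1.11,app-team,active
db-01,10.0.2.20,dba,active
old-ftp,10.0.3.5,unknown,active
decom-01,10.0.9.9,infra,retired
"""

# Constructed scanner export: one row per target the scanner reached.
SCAN_CSV = """ip,last_scanned,auth_scan
10.0.1.10,2024-05-01,yes
10.0.1.11,2024-05-01,yes
10.0.2.20,2024-02-10,no
10.0.7.77,2024-05-01,no
"""


def load(csv_text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(inventory_csv, scan_csv, as_of, max_age_days=30):
    """Return the findings an auditor would raise about scan completeness.

    as_of is an ISO date string; max_age_days is the expected scan cadence
    (assumed value, organisations set their own).
    """
    as_of_date = date.fromisoformat(as_of)
    # Only active assets are in scope; retired ones are excluded deliberately.
    inventory = [r for r in load(inventory_csv) if r["status"] == "active"]
    scans = {r["ip"]: r for r in load(scan_csv)}
    inv_ips = {r["ip"] for r in inventory}

    findings = {
        "never_scanned": [],    # in inventory, absent from scanner: coverage gap
        "stale_scan": [],       # scanned, but outside the expected cadence
        "unauthenticated": [],  # scanned without credentials: lower assurance
        "unknown_to_cmdb": [],  # scanner saw it, inventory did not: inventory gap
    }
    for r in inventory:
        s = scans.get(r["ip"])
        if s is None:
            findings["never_scanned"].append(r["hostname"])
            continue
        age = as_of_date - date.fromisoformat(s["last_scanned"])
        if age > timedelta(days=max_age_days):
            findings["stale_scan"].append(r["hostname"])
        if s["auth_scan"] != "yes":
            findings["unauthenticated"].append(r["hostname"])

    # Anything the scanner reached that the active inventory does not list
    # (including a "retired" host that is still live) is an inventory defect.
    findings["unknown_to_cmdb"] = sorted(set(scans) - inv_ips)

    covered = len(inv_ips & set(scans))
    findings["coverage_pct"] = round(100 * covered / len(inv_ips), 1)
    return findings


if __name__ == "__main__":
    from pprint import pprint
    pprint(reconcile(INVENTORY_CSV, SCAN_CSV, "2024-05-02"))
```

The two directions of the comparison matter for different reasons: inventory hosts missing from the scanner are the coverage gap the question is about, while scanner targets missing from the inventory show that the inventory itself (answer A) is not up to date, which undermines the completeness claim from the other side.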
A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization.
Which of the following is MOST effective in detecting such an intrusion?
- A . Periodically reviewing log files
- B . Configuring the router as a firewall
- C . Using smart cards with one-time passwords
- D . Installing biometrics-based authentication
A
Explanation:
The most effective way to detect an intrusion attempt is to periodically review log files, which record the activities and events on a system or network. Log files can provide evidence of unauthorized access attempts, malicious activity, or system errors; log review is a detective control. Configuring the router as a firewall, using smart cards with one-time passwords, and installing biometrics-based authentication are preventive controls that reduce the likelihood of a successful intrusion, but they do not by themselves detect that an attempt has occurred.
References: ISACA CISA Review Manual 27th Edition, page 301
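The log review the answer describes is usually automated rather than read line by line. The following is an added example, not from the CISA material: it parses sshd-style syslog lines, ignores sources inside the organization's address ranges, and reports external sources that accumulate a threshold number of failed logins, together with the usernames tried and the time window. The log lines are constructed, and the internal ranges, the threshold and the log format are assumptions.

```python
"""Detect clustered failed logins from external sources in auth logs.

Added example (not from the CISA material): the periodic log review the
answer describes, automated. The log lines below are constructed in
sshd/syslog style; the internal ranges and threshold are assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines (sshd on a Linux bastion host).
SAMPLE_LOG = """\
May  3 02:11:04 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
May  3 02:11:06 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
May  3 02:11:09 bastion sshd[4103]: Failed password for root from 203.0.113.45 port 51025 ssh2
May  3 02:11:12 bastion sshd[4105]: Failed password for root from 203.0.113.45 port 51027 ssh2
May  3 02:11:15 bastion sshd[4107]: Failed password for oracle from 203.0.113.45 port 51030 ssh2
May  3 02:15:40 bastion sshd[4120]: Failed password for jdoe from 10.0.5.12 port 40211 ssh2
May  3 02:15:48 bastion sshd[4120]: Accepted password for jdoe from 10.0.5.12 port 40211 ssh2
May  3 02:30:01 bastion sshd[4131]: Accepted publickey for deploy from 198.51.100.7 port 60001 ssh2
"""

# Assumed internal address space (RFC 1918); adjust to the organisation.
INTERNAL = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Matches both "Failed password for root ..." and
# "Failed password for invalid user admin ..." forms.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def review(log_text, threshold=3):
    """Return {source_ip: summary} for external sources with >= threshold failures."""
    failures = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m or not is_external(m["src"]):
            continue  # successful logins and internal sources are out of scope here
        rec = failures[m["src"]]
        rec["count"] += 1
        rec["users"].add(m["user"])
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return {
        src: {**rec, "users": sorted(rec["users"])}
        for src, rec in failures.items()
        if rec["count"] >= threshold
    }


if __name__ == "__main__":
    for src, rec in review(SAMPLE_LOG).items():
        print(f"{src}: {rec['count']} failures, users {rec['users']}, "
              f"{rec['first']} .. {rec['last']}")
```

A single user mistyping a password from an internal workstation (jdoe above) is noise; the same source trying several accounts, including ones that do not exist, within seconds is the pattern the system administrator in the question noticed. Note that the preventive controls in options B to D would still leave these attempts invisible unless someone, or something, reads the logs.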
Which of the following should be of GREATEST concern for an IS auditor reviewing an organization’s disaster recovery plan (DRP)?
- A . The DRP has not been formally approved by senior management.
- B . The DRP has not been distributed to end users.
- C . The DRP has not been updated since an IT infrastructure upgrade.
- D . The DRP contains recovery procedures for critical servers only.
C
Explanation:
The greatest concern for an IS auditor reviewing an organization’s disaster recovery plan (DRP) is that the DRP has not been updated since an IT infrastructure upgrade. This could render the DRP obsolete or ineffective, as it may not reflect the current configuration, dependencies or recovery requirements of the IT systems. The IS auditor should ensure that the DRP is reviewed and updated regularly to align with any changes in the IT environment. The DRP has not been formally approved by senior management is a concern for an IS auditor reviewing an organization’s DRP, but it is not as critical as ensuring that the DRP is up to date and valid. The DRP has not been distributed to end users or the DRP contains recovery procedures for critical servers only are issues that relate to the communication or scope of the DRP, but not to its validity or effectiveness.
References: ISACA, CISA Review Manual, 27th Edition, 2018, page 389
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit.
What should the auditor consider the MOST significant concern?
- A . Attack vectors are evolving for industrial control systems.
- B . There is a greater risk of system exploitation.
- C . Disaster recovery plans (DRPs) are not in place.
- D . Technical specifications are not documented.
B
Explanation:
The most significant concern for an IS auditor reviewing an industrial control system (ICS) that uses older unsupported technology is the greater risk of system exploitation. System exploitation occurs when an unauthorized entity takes advantage of a vulnerability or weakness in a system to compromise its security or functionality, causing harm such as data loss, corruption, theft, manipulation or denial of service (DoS). Older technology may carry known or unknown vulnerabilities that have not been patched, and unsupported technology will not receive updates or vendor support when issues or incidents arise, so the exploitation risk is both higher and harder to remediate.
The other options are possible concerns, but none is specific to the use of unsupported technology. Evolving attack vectors (the methods or pathways attackers use to reach a system) affect ICSs in general as they become more connected and complex, regardless of the technology level. A missing disaster recovery plan (DRP), the documented technical and operational steps for restoring systems that support critical functions after a disruption, would affect the availability and continuity of any ICS, old or new. Undocumented technical specifications, which describe a system's functionality, performance and design, would hamper the understanding, maintenance and improvement of any ICS. Each of these applies equally to a supported system, whereas the exploitation risk is what the unsupported technology itself introduces.
An IS auditor is assigned to review the IS department's quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal, unwritten set of standards.
Which of the following should be the auditor's NEXT action?
- A . Make recommendations to IS management as to appropriate quality standards
- B . Postpone the audit until IS management implements written standards
- C . Document and test compliance with the informal standards
- D . Finalize the audit and report the finding
C
Explanation:
The auditor’s next action after finding that there is an informal unwritten set of standards in the IS department is to document and test compliance with the informal standards. This is because the auditor’s role is to evaluate the adequacy and effectiveness of the existing controls, regardless of whether they are formal or informal, written or unwritten. The auditor should also assess the risks and implications of having informal standards, such as lack of consistency, accountability, or traceability. The auditor should not make recommendations, postpone the audit, or finalize the audit without performing the audit procedures.
References:
CISA Review Manual (Digital Version), Chapter 2, Section 2.2
CISA Online Review Course, Domain 1, Module 1, Lesson 1
The PRIMARY objective of value delivery in reference to IT governance is to:
- A . promote best practices
- B . increase efficiency.
- C . optimize investments.
- D . ensure compliance.
C
Explanation:
The primary objective of value delivery in reference to IT governance is to optimize investments. Value delivery is one of the five focus areas of IT governance that aims to ensure that IT delivers expected benefits to stakeholders and enables business value creation. Value delivery involves aligning IT investments with business objectives and strategies, managing IT performance and benefits realization, optimizing IT costs and risks, and enhancing IT innovation and agility. Value delivery helps to maximize the return on investment (ROI) and value for money (VFM) of IT resources and capabilities.
References:
CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database
Which of the following is the MOST important course of action to ensure a cloud access security broker (CASB) effectively detects and responds to threats?
- A . Monitoring data movement
- B . Implementing a long-term CASB contract
- C . Reviewing the information security policy
- D . Evaluating firewall effectiveness
A
Explanation:
A Cloud Access Security Broker (CASB) ensures visibility, compliance, and security of cloud applications, and monitoring data movement is the key to detecting threats.
Option A (Correct): Monitoring data movement allows organizations to detect and prevent unauthorized access, data exfiltration, and cloud-based threats.
Option B (Incorrect): A long-term contract does not inherently improve security monitoring.
Option C (Incorrect): Reviewing policies helps with governance, but it does not actively detect threats.
Option D (Incorrect): Firewalls protect network perimeters, while CASBs focus on cloud security, making this an ineffective measure for CASB threat detection.
Reference: ISACA CISA Review Manual, Domain 5: Protection of Information Assets. Covers CASB, cloud security, and threat detection best practices.
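"Monitoring data movement" in practice means running rules over the activity a CASB records for each cloud session. The following is an added example, not from the CISA material or any CASB vendor's code: it applies three common rules to a constructed activity log, flagging uploads of labelled data to apps outside the sanctioned list, external shares of confidential items, and per-user daily download volumes over a threshold. The event schema, app names, labels, internal domain and thresholds are all assumptions.

```python
"""Flag risky data movement in CASB activity logs.

Added example (not from the CISA material): three data-movement rules
of the kind a CASB evaluates, run over constructed events. App names,
labels, the internal domain and the thresholds are assumptions.
"""
from collections import defaultdict

SANCTIONED_APPS = {"corp-drive", "corp-mail"}     # assumed approved SaaS
INTERNAL_DOMAIN = "example.com"                    # assumed corporate domain
BULK_DOWNLOAD_BYTES = 500 * 1024 * 1024            # assumed per-user daily limit

# Constructed CASB events with hypothetical normalised fields.
EVENTS = [
    {"day": "2024-05-03", "user": "alice", "app": "corp-drive", "action": "download",
     "bytes": 5_000_000, "label": "internal", "target": None},
    {"day": "2024-05-03", "user": "alice", "app": "corp-drive", "action": "share",
     "bytes": 0, "label": "confidential", "target": "partner@example.net"},
    {"day": "2024-05-03", "user": "bob", "app": "corp-drive", "action": "download",
     "bytes": 400_000_000, "label": "internal", "target": None},
    {"day": "2024-05-03", "user": "bob", "app": "corp-drive", "action": "download",
     "bytes": 300_000_000, "label": "internal", "target": None},
    {"day": "2024-05-03", "user": "bob", "app": "personal-box", "action": "upload",
     "bytes": 250_000_000, "label": "confidential", "target": None},
    {"day": "2024-05-03", "user": "carol", "app": "corp-mail", "action": "share",
     "bytes": 0, "label": "public", "target": "press@example.org"},
]


def is_external_recipient(address):
    return address is not None and not address.lower().endswith("@" + INTERNAL_DOMAIN)


def analyse(events):
    """Return a list of (rule, user, detail) alerts in the order they fire."""
    alerts = []
    daily_download = defaultdict(int)
    for e in events:
        # Rule 1: non-public data uploaded to an app outside the sanctioned list
        # (the classic shadow-IT exfiltration path).
        if e["action"] == "upload" and e["app"] not in SANCTIONED_APPS and e["label"] != "public":
            alerts.append(("unsanctioned_upload", e["user"], e["app"]))
        # Rule 2: confidential item shared with an external recipient.
        if e["action"] == "share" and e["label"] == "confidential" and is_external_recipient(e["target"]):
            alerts.append(("external_share", e["user"], e["target"]))
        # Rule 3 accumulator: download volume per user per day.
        if e["action"] == "download":
            daily_download[(e["user"], e["day"])] += e["bytes"]
    # Rule 3: bulk download over the daily threshold (fires once per user/day).
    for (user, day), total in sorted(daily_download.items()):
        if total > BULK_DOWNLOAD_BYTES:
            alerts.append(("bulk_download", user, total))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in analyse(EVENTS):
        print(f"{rule:<20} {user:<8} {detail}")
```

Rules 1 and 2 can fire inline and block the action; rule 3 needs the accumulated history, which is why a CASB that only inspects individual requests without keeping per-user baselines misses slow exfiltration. A long contract, a policy review or a firewall check (options B to D) produce none of these signals.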
An IS auditor learns that an organization’s business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant.
Which of the following is the auditor’s BEST course of action?
- A . Determine whether the business impact analysis (BIA) is current with the organization’s structure and context.
- B . Determine the types of technologies used at the plant and how they may affect the BCP.
- C . Perform testing to determine the impact to the recovery time objective (RTO).
- D . Assess the risk to operations from the closing of the plant.
A
Explanation:
The IS auditor should first determine whether the business impact analysis (BIA) is current with the organization's structure and context. The BIA is the foundation of the BCP: it identifies the critical processes, their dependencies and their recovery priorities, and it should reflect the current state of the organization. If the BIA has not been revisited since the plant closure, the BCP built on it may allocate recovery effort to processes that no longer exist while missing the changed dependencies of those that remain. Investigating the plant's technologies, testing the RTO, or assessing the operational risk of the closure (options B to D) are narrower steps that presuppose an accurate BIA.
References: ISACA's Information Systems Auditor Study Materials