Practice Free CISA Exam Online Questions
A data center’s physical access log system captures each visitor’s identification document numbers along with the visitor’s photo.
Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?
- A . Quota sampling
- B . Haphazard sampling
- C . Attribute sampling
- D . Variable sampling
C
Explanation:
Attribute sampling is a method of audit sampling that is used to test the effectiveness of controls by measuring the rate of deviation from a prescribed procedure or attribute. Attribute sampling is suitable for testing compliance with the data center’s physical access log system, as the auditor can compare the identification document numbers and photos of the visitors with the records in the system and determine whether there are any discrepancies or errors. Attribute sampling can also provide an estimate of the deviation rate in the population and allow the auditor to draw a conclusion about the operating effectiveness of the control.
Variable sampling, on the other hand, is a method of audit sampling that is used to estimate the amount or value of a population by measuring a characteristic of interest, such as monetary value, quantity, or size. Variable sampling is not appropriate for testing compliance with the data center’s physical access log system, as the auditor is not interested in estimating the value of the population, but rather in testing whether the system is operating as intended.
Quota sampling and haphazard sampling are both examples of non-statistical sampling methods that do not use probability theory to select a sample. Quota sampling involves selecting a sample based on certain criteria or quotas, such as age, gender, or location. Haphazard sampling involves selecting a sample without any specific plan or method. Both methods are not suitable for testing compliance with the data center’s physical access log system, as they do not ensure that the sample is representative of the population and do not allow the auditor to measure the sampling risk or project the results to the population.
Therefore, attribute sampling is the most useful sampling method for an IS auditor conducting compliance testing for the effectiveness of the data center’s physical access log system.
References:
Audit Sampling – What Is It, Methods, Example, Advantage, Reason
ISA 530: Audit sampling | ICAEW
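The explanation above describes attribute sampling in words (a deviation rate estimated from a sample and compared with what the auditor will tolerate). The following is an added worked example, not part of the original question bank: it draws a random sample from a constructed access log, counts entries missing the ID number or photo, and computes the one-sided exact binomial upper deviation limit that attribute sampling tables are built on. The population, the 2% built-in deviation rate, the 5% tolerable rate and the 95% confidence level are all assumptions chosen for illustration.

```python
import math
import random

# Added example: attribute sampling applied to a physical access log.
# The control attribute is "entry has both an ID document number and a photo";
# an entry missing either is a deviation. All data below is constructed.


def is_compliant(entry):
    """Attribute under test: both the ID document number and the photo were captured."""
    return bool(entry.get("id_number")) and bool(entry.get("photo"))


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n, deviations, confidence=0.95, tol=1e-7):
    """One-sided exact binomial upper bound on the population deviation rate:
    the largest rate p at which observing `deviations` or fewer in a sample of n
    still has probability >= 1 - confidence. Found by bisection on p."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, n, mid) < 1 - confidence:
            hi = mid          # the observed count would be implausibly low at rate mid
        else:
            lo = mid
    return hi


def attribute_test(population, sample_size, tolerable_rate, confidence=0.95, seed=1):
    """Draw a random sample, count deviations, and compare the upper deviation
    limit with the tolerable rate. The control is assessed as operating
    effectively only if the upper limit does not exceed the tolerable rate."""
    rng = random.Random(seed)
    sample = rng.sample(population, sample_size)
    deviations = sum(1 for e in sample if not is_compliant(e))
    udl = upper_deviation_limit(sample_size, deviations, confidence)
    return {
        "sample_size": sample_size,
        "deviations": deviations,
        "sample_deviation_rate": deviations / sample_size,
        "upper_deviation_limit": udl,
        "tolerable_rate": tolerable_rate,
        "control_effective": udl <= tolerable_rate,
    }


def constructed_population(size=2000, deviation_every=50):
    """Constructed access log: every 50th entry is missing its photo (2% true deviation rate)."""
    return [
        {
            "visitor": f"V{i:05d}",
            "id_number": f"ID{i:06d}",
            "photo": None if i % deviation_every == 0 else f"img_{i}.jpg",
        }
        for i in range(size)
    ]


if __name__ == "__main__":
    result = attribute_test(constructed_population(), sample_size=100, tolerable_rate=0.05)
    for k, v in result.items():
        print(f"{k}: {v}")
```

The point the numbers make: with zero deviations in a sample of 100, the 95% upper deviation limit is still about 2.95%, so a clean sample does not prove a zero deviation rate, and a sample that shows two or three deviations already pushes the upper limit past a 5% tolerable rate even though the sample rate itself looks low.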
During a physical security audit, an IS auditor was provided a proximity badge that granted access to three specific floors in a corporate office building.
Which of the following issues should be of MOST concern?
- A . The proximity badge did not work for the first two days of audit fieldwork.
- B . There was no requirement for an escort during fieldwork.
- C . There was no follow-up for unsuccessful attempted access violations.
- D . The proximity badge incorrectly granted access to restricted areas.
D
Explanation:
The proximity badge incorrectly granting access to restricted areas is the most concerning issue, as it indicates a failure of the access control system to enforce the principle of least privilege and protect the sensitive or critical assets of the organization. The proximity badge should only grant access to the areas that are necessary for the IS auditor to perform the audit fieldwork, and not to any other areas that may contain confidential information, valuable equipment, or hazardous materials. The incorrect access could result in unauthorized disclosure, modification, or destruction of the assets, as well as potential safety or legal issues.
References:
ISACA CISA Review Manual, 27th Edition, page 254
Office & Workplace Physical Security Assessment Checklist
Physical Security: Planning, Measures & Examples
An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
- A . some of the identified threats are unlikely to occur.
- B . all identified threats relate to external entities.
- C . the exercise was completed by local management.
- D . neighboring organizations’ operations have been included.
B
Explanation:
An IS auditor reviewing the threat assessment for a data center would be most concerned if all identified threats relate to external entities. This indicates that the threat assessment is incomplete and biased, as it ignores potential threats from internal sources, such as employees, contractors, vendors, or authorized visitors. Internal threats can pose significant risks to the data center, as insiders may already have access to sensitive information, systems, or facilities, and may exploit their privileges for malicious or fraudulent purposes. According to a study by IBM, 60% of cyberattacks in 2015 were carried out by insiders [1].
Some of the identified threats are unlikely to occur is not a cause for concern, as it shows that the threat assessment is comprehensive and realistic, and considers all possible scenarios, regardless of their probability. A threat assessment should not exclude any potential threats based on subjective judgments or assumptions, as they may still have a high impact if they materialize.
The exercise was completed by local management is not a cause for concern, as it shows that the threat assessment is conducted by the people who are most familiar with the data center’s operations, environment, and risks. Local management may have more relevant and accurate information and insights than external parties, and may be more invested in the outcome of the threat assessment.
Neighboring organizations’ operations have been included is not a cause for concern, as it shows that the threat assessment is holistic and contextual, and considers the interdependencies and influences of external factors on the data center’s security. Neighboring organizations’ operations may pose direct or indirect threats to the data center, such as physical damage, network interference, or shared vulnerabilities.
References:
[1] IBM Security Services 2016 Cyber Security Intelligence Index
Which of the following is a threat to IS auditor independence?
- A . Internal auditors share the audit plan and control test plans with management prior to audit commencement.
- B . Internal auditors design remediation plans to address control gaps identified by internal audit.
- C . Internal auditors attend IT steering committee meetings.
- D . Internal auditors recommend appropriate controls for systems in development.
Secure code reviews as part of a continuous deployment program are which type of control?
- A . Detective
- B . Logical
- C . Preventive
- D . Corrective
C
Explanation:
Secure code reviews as part of a continuous deployment program are preventive controls. Preventive controls aim to stop undesirable events or outcomes, such as errors, defects, or incidents, from occurring in the first place. Secure code reviews examine and evaluate the source code of a software product or application to identify and eliminate vulnerabilities, flaws, or weaknesses that could compromise its security, functionality, or performance. Performed as a gate within a continuous deployment program, they prevent security issues from reaching production by ensuring that the code is secure and compliant before it is deployed.
The other options are not the correct type of control for secure code reviews, as they have different meanings and functions. Detective controls aim to detect or discover undesirable events or outcomes that have already occurred. Logical controls use software or hardware mechanisms to regulate or restrict access to IT resources, such as data, systems, or networks. Corrective controls aim to correct or rectify undesirable events or outcomes after they have occurred.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2
An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization’s data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process.
To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?
- A . Data with customer personal information
- B . Data reported to the regulatory body
- C . Data supporting financial statements
- D . Data impacting business objectives
B
Explanation:
To ensure that management concerns are addressed, internal audit should recommend that the data quality team review the data reported to the regulatory body first. This is because this data set is the most relevant and critical to the issue that triggered the enhancement of the data quality program.
The data reported to the regulatory body should be accurate, complete, consistent, and timely, as any discrepancies could result in fines, penalties, or reputational damage for the organization. Data with customer personal information is important for data quality, but it is not directly related to the regulatory reporting issue. Data supporting financial statements is important for data quality, but it may not be the same as the data reported to the regulatory body. Data impacting business objectives is important for data quality, but it may not be as urgent or sensitive as the data reported to the regulatory body.
References:
CISA Review Manual, 27th Edition, pages 404-405
CISA Review Questions, Answers & Explanations Database, Question ID: 262
Which of the following should be an IS auditor’s PRIMARY consideration when determining which issues to include in an audit report?
- A . Professional skepticism
- B . Management’s agreement
- C . Materiality
- D . Inherent risk
C
Explanation:
Materiality is the primary consideration when determining which issues to include in an audit report, as it reflects the significance or importance of the issues to the users of the report. Materiality is a relative concept that depends on the nature, context, and amount of the issues, as well as the expectations and needs of the users. Materiality helps the auditor to prioritize the issues and communicate them clearly and concisely.
References:
ISACA CISA Review Manual, 27th Edition, page 256
Materiality in Auditing – AICPA
Materiality in Planning and Performing an Audit – IAASB
When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is MOST effective for an IS auditor to review:
- A . data analytics findings.
- B . audit trails.
- C . acceptance testing results.
- D . rollback plans.
A
Explanation:
When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is most effective for an IS auditor to review data analytics findings. Data analytics is a technique that uses software tools and statistical methods to analyze large volumes of data and identify patterns, anomalies, errors or inconsistencies. Data analytics can help to compare the source and target data sets, validate the data quality and integrity, and detect any data loss or corruption during the migration process. The other options are not as effective, because audit trails only record the actions performed on the data, acceptance testing results only verify the functionality of the new system, and rollback plans only provide contingency measures in case of migration failure.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.6
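The explanation above says data analytics can compare the source and target data sets and detect data loss or corruption, but does not show what such a comparison looks like. The following is an added example, not part of the original question bank or of any ISACA material: a key-based reconciliation of a constructed legacy extract against a constructed migrated extract that reports missing rows, unexpected rows, duplicate keys, field-level changes and a control total, after normalizing the legitimate transformations (type changes, trimmed whitespace, a recoded status column) that a naive diff would flag as errors. The column names and the status mapping are assumptions.

```python
import hashlib
from collections import Counter

# Added example. Both extracts are constructed; customer_id is the business key.
LEGACY = [
    {"customer_id": "1001", "name": "Ada Lovelace ", "balance": "1500.00", "status": "A"},
    {"customer_id": "1002", "name": "Alan Turing", "balance": "0.00", "status": "A"},
    {"customer_id": "1003", "name": "Grace Hopper", "balance": "99999999.99", "status": "I"},
    {"customer_id": "1004", "name": "Edsger Dijkstra", "balance": "20.50", "status": "A"},
]
MIGRATED = [
    {"customer_id": 1001, "name": "Ada Lovelace", "balance": 1500.0, "status": "ACTIVE"},
    {"customer_id": 1002, "name": "Alan Turing", "balance": 0.0, "status": "ACTIVE"},
    {"customer_id": 1003, "name": "Grace Hopper", "balance": 9999999.99, "status": "INACTIVE"},  # digit lost
    {"customer_id": 1003, "name": "Grace Hopper", "balance": 9999999.99, "status": "INACTIVE"},  # loaded twice
    # 1004 silently dropped during the load
]

# Assumed recoding from the migration specification: legitimate, not a defect.
STATUS_MAP = {"A": "ACTIVE", "I": "INACTIVE"}


def normalize(row):
    """Canonical form of a row so that intended transformations do not show as differences."""
    return {
        "customer_id": str(row["customer_id"]).strip(),
        "name": str(row["name"]).strip(),
        "balance": f"{float(row['balance']):.2f}",
        "status": STATUS_MAP.get(row["status"], row["status"]),
    }


def row_hash(row):
    """Stable digest of a normalized row, used to spot any field-level change cheaply."""
    canonical = "|".join(f"{k}={row[k]}" for k in sorted(row))
    return hashlib.sha256(canonical.encode()).hexdigest()


def reconcile(source, target, key="customer_id"):
    """Compare source and target extracts by key and return the reconciliation findings."""
    src = [normalize(r) for r in source]
    tgt = [normalize(r) for r in target]
    src_by_key = {r[key]: r for r in src}
    tgt_by_key = {r[key]: r for r in tgt}
    tgt_counts = Counter(r[key] for r in tgt)

    missing = sorted(set(src_by_key) - set(tgt_by_key))       # completeness: lost rows
    extra = sorted(set(tgt_by_key) - set(src_by_key))         # rows with no source
    duplicates = sorted(k for k, c in tgt_counts.items() if c > 1)
    changed = {}                                              # accuracy: altered values
    for k in set(src_by_key) & set(tgt_by_key):
        s, t = src_by_key[k], tgt_by_key[k]
        if row_hash(s) != row_hash(t):
            changed[k] = {f: (s[f], t[f]) for f in s if s[f] != t[f]}

    # Control total on the monetary column, the kind of check a record count alone cannot replace.
    total_src = sum(float(r["balance"]) for r in src)
    total_tgt = sum(float(r["balance"]) for r in tgt)
    return {
        "source_count": len(src),
        "target_count": len(tgt),
        "missing_in_target": missing,
        "unexpected_in_target": extra,
        "duplicate_keys": duplicates,
        "changed": changed,
        "balance_totals_match": abs(total_src - total_tgt) < 0.005,
        "complete_and_accurate": not (missing or extra or duplicates or changed),
    }


if __name__ == "__main__":
    for k, v in reconcile(LEGACY, MIGRATED).items():
        print(f"{k}: {v}")
```

Note that the two extracts have the same record count (4 and 4), which is exactly why a count-only check is a weak migration test: the duplicate of 1003 masks the loss of 1004, and only the key-level comparison and the control total expose both problems.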
An IS audit manager is preparing the staffing plan for an audit engagement of a cloud service provider.
What should be the manager’s PRIMARY concern when being made aware that a new auditor in the department previously worked for this provider?
- A . Independence
- B . Professional conduct
- C . Subject matter expertise
- D . Resource availability
A vendor requires privileged access to a key business application.
Which of the following is the BEST recommendation to reduce the risk of data leakage?
- A . Implement real-time activity monitoring for privileged roles
- B . Include the right-to-audit in the vendor contract
- C . Perform a review of privileged roles and responsibilities
- D . Require the vendor to implement job rotation for privileged roles
A
Explanation:
A vendor requires privileged access to a key business application. The best recommendation to reduce the risk of data leakage is to implement real-time activity monitoring for privileged roles. This is because real-time activity monitoring can provide visibility and accountability for the actions performed by the vendor with privileged access, such as creating, modifying, deleting, or copying data. Real-time activity monitoring can also enable timely detection and response to any unauthorized or suspicious activities that may indicate data leakage. Including the right-to-audit in the vendor contract is a good practice, but it may not be sufficient to prevent or detect data leakage in a timely manner, as audits are usually performed periodically or on-demand. Performing a review of privileged roles and responsibilities is also a good practice, but it may not address the specific risk of data leakage by the vendor with privileged access. Requiring the vendor to implement job rotation for privileged roles may reduce the risk of collusion or fraud, but it may not prevent or detect data leakage by any individual with privileged access.
References: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program Management Guide]
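The explanation above recommends real-time activity monitoring of the vendor's privileged role so that creating, modifying, deleting or copying data can be detected as it happens. The following is an added example, not part of the original question bank or of any ISACA material, showing the detection logic such monitoring would apply to an application audit log: it streams constructed log lines once and raises alerts when the vendor's privileged account exports data, touches objects outside the approved scope, or reads more rows within a sliding window than the approved task should need. The log format, account names, role names, approved object list and thresholds are all assumptions standing in for an approved access request.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example. Assumed policy for the vendor's privileged account, as it would be
# recorded in the (hypothetical) approved access request.
POLICY = {
    "vendor_users": {"vendor_svc"},
    "privileged_roles": {"APP_ADMIN", "DBA_PRIV"},
    "approved_objects": {"orders", "order_items", "app_config"},
    "export_actions": {"EXPORT", "COPY", "DOWNLOAD"},
    "bulk_rows": 10_000,                 # rows read within one window that trigger an alert
    "window": timedelta(minutes=10),
}

# Constructed application audit log; the key=value layout is assumed, not a real product's.
LOG_LINES = [
    "2024-03-04T02:00:01Z user=vendor_svc role=DBA_PRIV action=SELECT object=app_config rows=12 src=203.0.113.7",
    "2024-03-04T02:01:15Z user=vendor_svc role=DBA_PRIV action=UPDATE object=app_config rows=1 src=203.0.113.7",
    "2024-03-04T02:03:40Z user=vendor_svc role=DBA_PRIV action=SELECT object=customers rows=4000 src=203.0.113.7",
    "2024-03-04T02:04:02Z user=vendor_svc role=DBA_PRIV action=SELECT object=customers rows=7000 src=203.0.113.7",
    "2024-03-04T02:05:30Z user=vendor_svc role=DBA_PRIV action=EXPORT object=customers rows=11000 src=203.0.113.7",
    "2024-03-04T02:06:00Z user=jdoe role=ANALYST action=SELECT object=customers rows=50000 src=10.0.0.5",
    "2024-03-04T02:30:00Z user=vendor_svc role=DBA_PRIV action=SELECT object=orders rows=100 src=203.0.113.7",
]


def parse(line):
    """Split one log line into a dict; the timestamp becomes a UTC datetime, rows an int."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    event["rows"] = int(event.get("rows", 0))
    return event


def evaluate(lines, policy=POLICY):
    """Stream the log once and return alerts for vendor privileged activity that
    points to possible data leakage: exports, access outside the approved object
    scope, and bulk reads accumulated over a sliding time window."""
    alerts = []
    recent = defaultdict(list)           # user -> [(ts, rows)] still inside the window
    for line in lines:
        e = parse(line)
        if e["user"] not in policy["vendor_users"] or e["role"] not in policy["privileged_roles"]:
            continue                     # other accounts are covered by other rules
        base = {"user": e["user"], "object": e["object"], "ts": e["ts"].isoformat()}
        if e["action"] in policy["export_actions"]:
            alerts.append({"rule": "export", **base})
        if e["object"] not in policy["approved_objects"]:
            alerts.append({"rule": "out_of_scope", **base})
        hist = recent[e["user"]]
        hist.append((e["ts"], e["rows"]))
        hist[:] = [(t, r) for t, r in hist if e["ts"] - t <= policy["window"]]
        total = sum(r for _, r in hist)
        if total >= policy["bulk_rows"]:
            alerts.append({"rule": "bulk_read", "rows_in_window": total, **base})
            hist.clear()                 # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for alert in evaluate(LOG_LINES):
        print(alert)
```

The sliding window is what makes this more than a per-line filter: the two 4,000- and 7,000-row reads of customers are each below the threshold on their own but are flagged together, which is the pattern a vendor spreading an extraction across several queries would produce. The analyst's 50,000-row read is deliberately ignored here because it is not the vendor's privileged role; a production deployment would route it to its own rule rather than drop it.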