Practice Free CISA Exam Online Questions
Which of the following documents should specify roles and responsibilities within an IT audit organization?
- A . Organizational chart
- B . Audit charter
- C . Engagement letter
- D . Annual audit plan
B
Explanation:
The audit charter is a document that defines the purpose, scope, authority, and responsibility of an IT audit organization. The audit charter should specify roles and responsibilities within an IT audit organization, such as who is accountable for approving the audit plan, who is responsible for conducting the audits, who is authorized to access the audit evidence, and who is accountable for reporting the audit results. The organizational chart, the engagement letter, and the annual audit plan are also important documents for an IT audit organization, but they do not specify roles and responsibilities as clearly and comprehensively as the audit charter.
To mitigate the risk of exposing data through application programming interface (API) queries, which of the following design considerations is MOST important?
- A . Data retention
- B . Data minimization
- C . Data quality
- D . Data integrity
B
Explanation:
The answer B is correct because data minimization is the most important design consideration to mitigate the risk of exposing data through application programming interface (API) queries. An API is a set of rules and protocols that allows different software components or systems to communicate and exchange data. API queries are requests sent by users or applications to an API to retrieve or manipulate data. For example, a user may query an API to get information about a product, a service, or a location.
Data minimization is the principle of collecting, processing, and storing only the minimum amount of data that are necessary for a specific purpose. Data minimization can help to reduce the risk of exposing data through API queries by limiting the amount and type of data that are available or accessible through the API. Data minimization can also help to protect the privacy and security of the data subjects and the data providers, as well as to comply with the relevant laws and regulations.
Some of the benefits of data minimization for API design are:
- Privacy: Data minimization can enhance the privacy of the data subjects by ensuring that only the data that are relevant and essential for the API purpose are collected and processed. This can prevent unnecessary or excessive collection or disclosure of personal or sensitive data, such as names, addresses, phone numbers, email addresses, etc. Data minimization can also help to comply with the privacy laws and regulations that require data protection by design and by default, such as GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act).
- Security: Data minimization can improve the security of the data providers by reducing the attack surface and the potential damage of a data breach. If less data are stored or transmitted through the API, there are fewer opportunities for attackers to access or compromise the data. Data minimization can also help to implement security controls such as encryption, access control, or logging more efficiently and effectively.
- Performance: Data minimization can increase the performance of the API by optimizing the use of resources and bandwidth. If less data are stored or transmitted through the API, less storage space and network traffic are required. Data minimization can also help to improve the speed and reliability of the API responses.
Some of the techniques for data minimization in API design are:
- Define clear and specific purposes for the API and document them in the API specification or documentation.
- Identify and classify the data that are needed for each purpose and assign them appropriate labels or levels, such as public, internal, confidential, or restricted.
- Implement filters or parameters in the API queries that allow users or applications to specify or limit the data fields or attributes they want to retrieve or manipulate.
- Use pagination or throttling in the API responses to limit the number or size of data items returned per request.
- Use anonymization or pseudonymization techniques that remove or replace any identifying information in the data before sending them through the API.
Some examples of web resources that discuss data minimization in API design are:
- Data Minimization in Web APIs – World Wide Web Consortium (W3C)
- Adding Privacy by Design in Secure Application Development
- Chung-ju/Data-Minimization: A repository of related papers – GitHub
Which of the following should be of MOST concern to an IS auditor reviewing an organization’s operational log management?
- A . Log file size has grown year over year.
- B . Critical events are being logged to immutable log files.
- C . Applications are logging events into multiple log files.
- D . Data formats have not been standardized across all logs.
Which of the following is the MOST important regulatory consideration for an organization determining whether to use its customer data to train AI algorithms?
- A . Documentation of AI algorithm accuracy during the training process
- B . Ethical and optimal utilization of data computing resources
- C . Collection of data and obtaining data subject consent
- D . Continuous monitoring of AI algorithm performance
C
Explanation:
Comprehensive and Detailed Step-by-Step
Data collection and obtaining consent is the most critical regulatory requirement when using customer data for AI training, especially under laws like GDPR, CCPA, and ISO 27701.
Collection of Data and Obtaining Consent (Correct Answer: C)
- Ensures compliance with privacy laws that require explicit customer consent.
- Example: Under GDPR, companies must inform users how their data will be used and allow them to opt out.
AI Algorithm Accuracy (Incorrect: A)
- Important for model performance but not a primary legal concern.
Ethical Use of Computing Resources (Incorrect: B)
- Ethical considerations are valuable but not a regulatory priority.
Continuous Monitoring of AI (Incorrect: D)
- Ensures performance, but regulatory compliance focuses on data privacy.
References:
ISACA CISA Review Manual
GDPR & CCPA Compliance Guidelines
ISO 27701 (Privacy Information Management System)
An organization considering the outsourcing of a business application should FIRST:
- A . define service level requirements.
- B . perform a vulnerability assessment.
- C . conduct a cost-benefit analysis.
- D . issue a request for proposal (RFP).
C
Explanation:
An organization considering the outsourcing of a business application should first conduct a cost-benefit analysis to evaluate the feasibility, viability and desirability of the outsourcing decision. A cost-benefit analysis should compare the costs and benefits of outsourcing versus keeping the application in-house, taking into account factors such as financial, operational, strategic, legal, regulatory, security and quality aspects. A cost-benefit analysis should also identify the risks and opportunities associated with outsourcing, and provide a basis for defining the service level requirements, performing a vulnerability assessment, and issuing a request for proposal (RFP) in the subsequent stages of the outsourcing process.
References:
- Info Technology & Systems Resources | COBIT, Risk, Governance … – ISACA
- CISA Certification | Certified Information Systems Auditor | ISACA
Which of the following is MOST helpful for understanding an organization’s key driver to modernize application platforms?
- A . Vendor software inventories
- B . Network architecture diagrams
- C . System-wide incident reports
- D . Inventory of end-of-life software
An IS auditor is reviewing processes for importing market price data from external data providers.
Which of the following findings should the auditor consider MOST critical?
- A . The quality of the data is not monitored.
- B . Imported data is not disposed frequently.
- C . The transfer protocol is not encrypted.
- D . The transfer protocol does not require authentication.
A
Explanation:
The most critical finding that the IS auditor should consider when reviewing processes for importing market price data from external data providers is that the quality of the data is not monitored. This is because market price data is essential for financial transactions, risk management, valuation and reporting, and any errors or inaccuracies in the data can have significant impact on the organization’s performance, reputation and compliance. The IS auditor should ensure that the organization has established quality criteria and controls for the imported data, such as validity, completeness, timeliness, consistency and accuracy, and that the data is regularly checked and verified against these criteria. The other findings are also important, but not as critical as data quality.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.7
Which of the following is a PRIMARY responsibility of a quality assurance (QA) team?
- A . Creating test data to facilitate the user acceptance testing (UAT) process
- B . Managing employee onboarding processes and background checks
- C . Advising the steering committee on quality management issues and remediation efforts
- D . Implementing procedures to facilitate adoption of quality management best practices
D
Explanation:
A quality assurance (QA) team is a group of professionals who are responsible for ensuring that the products or services of an organization meet the quality standards and expectations of customers and stakeholders [1]. A QA team performs various activities, such as:
- Planning, designing, and executing quality tests and audits to verify the quality of the products or services [1]
- Identifying, analyzing, and reporting quality issues, defects, or non-conformities [1]
- Recommending and implementing corrective and preventive actions to resolve quality problems and prevent recurrence [1]
- Monitoring and measuring the effectiveness and efficiency of the quality processes and improvements [1]
- Establishing and maintaining quality documentation, records, and reports [1]
- Providing quality training, guidance, and support to the staff and management [1]
One of the primary responsibilities of a QA team is to implement procedures to facilitate adoption of quality management best practices. Quality management best practices are the methods, techniques, or tools that have been proven to be effective in achieving and maintaining high-quality standards in an organization [2]. Some examples of quality management best practices are:
- Adopting a customer-focused approach that aims to meet or exceed customer requirements and satisfaction [2]
- Implementing a process approach that manages the interrelated activities as a coherent system [2]
- Applying continuous improvement methods that seek to enhance the performance and value of the products or services [2]
- Using evidence-based decision making that relies on factual data and information [2]
- Developing a culture of engagement and empowerment that involves and motivates the people in the organization [2]
By implementing procedures to facilitate adoption of quality management best practices, a QA team can help the organization achieve the following benefits:
- Improve the quality and reliability of the products or services [2]
- Reduce the costs and risks associated with poor quality or non-compliance [2]
- Increase customer loyalty and retention [2]
- Enhance the reputation and competitiveness of the organization [2]
- Foster a culture of excellence and innovation in the organization [2]
The other options are not primary responsibilities of a QA team. Creating test data to facilitate the user acceptance testing (UAT) process is a task that can be performed by a QA team, but it is not their main duty. UAT is a process in which the end users test the product or service to ensure that it meets their needs and expectations before it is released or deployed [3]. A QA team can create test data to simulate real-world scenarios and conditions for UAT, but they are not directly involved in conducting UAT. Managing employee onboarding processes and background checks is not a responsibility of a QA team. Employee onboarding is a process in which new hires are integrated into the organization, while background checks are screenings that verify the identity, credentials, and history of potential employees [4]. These processes are usually handled by the human resources department or an external agency, not by a QA team. Advising the steering committee on quality management issues and remediation efforts is not a primary responsibility of a QA team. A steering committee is a group of senior executives or managers who provide strategic direction, oversight, and support for a project or program [5]. A QA team can advise the steering committee on quality management issues and remediation efforts, but they are not accountable for making decisions or implementing actions. Therefore, option D is the correct answer.
References:
1. Quality Assurance Team: Roles & Responsibilities
2. What are the Best Practices in Quality Management?
3. User Acceptance Testing (UAT): A Complete Guide
4. Employee Onboarding Process: Definition & Best Practices
5. What Is A Steering Committee? – The Basics
Which of the following is the BEST way to strengthen the security of smart devices to prevent data leakage?
- A . Enforce strong security settings on smart devices.
- B . Require employees to formally acknowledge security procedures.
- C . Review access logs to the organization’s sensitive data in a timely manner.
- D . Include usage restrictions in bring your own device (BYOD) security procedures.