Practice Free CISA Exam Online Questions
Which of the following presents the GREATEST risk associated with end-user computing (EUC) applications over financial reporting?
- A. Inability to quickly modify and deploy a solution
- B. Lack of portability for users
- C. Loss of time due to manual processes
- D. Calculation errors in spreadsheets
D
Explanation:
Spreadsheets, the most common form of EUC, are prone to manual input errors and formula mistakes, and they typically lack the change control, version control and testing that governed applications receive. Such errors can directly compromise the accuracy and integrity of financial reporting, which makes them the greatest of the listed risks.
References:
ISACA CISA Review Manual (Current Edition) – Chapter on End-User Computing (EUC) risks
Industry research on spreadsheet errors: multiple studies highlight the prevalence of errors in spreadsheets, especially those used for financial purposes.
Which type of testing is used to identify security vulnerabilities in source code in the development environment?
- A. Interactive application security testing (IAST)
- B. Runtime application self-protection (RASP)
- C. Dynamic analysis security testing (DAST)
- D. Static analysis security testing (SAST)
An organization has implemented a new data classification scheme and asks the IS auditor to evaluate its effectiveness.
Which of the following would be of GREATEST concern to the auditor?
- A. End-user managers determine who should access what information.
- B. The organization has created a dozen different classification categories.
- C. The compliance manager decides how the information should be classified.
- D. The organization classifies most of its information as confidential.
An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank’s customers.
Which of the following controls is MOST important for the auditor to confirm is in place?
- A. The default configurations have been changed.
- B. All tables in the database are normalized.
- C. The service port used by the database server has been changed.
- D. The default administration account is used after changing the account password.
A
Explanation:
Changing the default configurations of a database system is the most important control for protecting it from unauthorized access or exploitation. Default configurations often include weak or well-known passwords, unnecessary services, open ports and sample schemas, all of which are publicly documented and therefore easy for an attacker to target. The other options do not address this root cause. Normalizing tables is a design technique for improving data quality and performance; it has no effect on security. Changing the database service port is security through obscurity and is trivially defeated by port scanning. Using the default administration account, even after changing its password, remains risky because the account name is known and can be targeted directly in password-guessing attacks; the account should be renamed or disabled and a separate named administrator account used instead.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.4
Which of the following should be the GREATEST concern for an IS auditor assessing an organization’s disaster recovery plan (DRP)?
- A. The DRP was developed by the IT department.
- B. The DRP has not been tested during the past three years.
- C. The DRP has not been updated for two years.
- D. The DRP does not include the recovery time objective (RTO) for a key system.
B
Explanation:
The DRP is the set of procedures and resources that enable an organization to restore its critical IT functions and operations after a disaster or disruption. It must be tested regularly to confirm that it is effective, valid and ready. Testing identifies gaps, issues and weaknesses in the plan and evaluates the performance and capability of the recovery team and resources. A DRP that has not been tested for three years may no longer reflect the current IT environment, business requirements or recovery objectives, and there is no evidence that it would work when needed; this outweighs the other options, each of which describes a narrower deficiency.
References:
ISACA CISA Review Manual, 27th Edition, page 255
Disaster Recovery Plan Testing: The Ultimate Checklist
What is a Disaster Recovery Plan (DRP) and How Do You Write One?
Which of the following would present the GREATEST risk within a release management process for a new application?
- A. Procedures are not updated to coincide with the production release schedule.
- B. Code is deployed to production without authorization.
- C. A newly added program may overwrite existing production files.
- D. An identified bug was not resolved.
B
Explanation:
Unauthorized code deployment presents a critical security and operational risk.
Option A (Incorrect): Outdated procedures can cause confusion, but they do not directly jeopardize security or system stability.
Option B (Correct): Deploying code without authorization bypasses change management controls, including review, testing and approval, and can introduce security vulnerabilities, system failures or compliance violations. This is the greatest risk.
Option C (Incorrect): Overwriting production files can cause problems, but a functioning release process would detect it; unauthorized deployment can introduce malicious or untested code with no such safeguard.
Option D (Incorrect): An unresolved bug may cause performance or functional issues, but a known, tracked bug is a lesser risk than code that entered production outside any control.
Reference: ISACA CISA Review Manual – Domain 3: Information Systems Acquisition, Development, and Implementation – covers change management, release processes and risk assessment.
Which of the following can BEST reduce the impact of a long-term power failure?
- A. Power conditioning unit
- B. Emergency power-off switches
- C. Battery bank
- D. Redundant power source
During the audit of an enterprise resource planning (ERP) system, an IS auditor found an application patch was applied to the production environment. It is MOST important for the IS auditor to verify approval from the:
- A. information security officer.
- B. system administrator.
- C. information asset owner.
- D. project manager.
An organization's software developers need access to personally identifiable information (PII) stored in a particular data format.
Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?
- A. Data masking
- B. Data tokenization
- C. Data encryption
- D. Data abstraction
A
Explanation:
Data masking is the best way to protect PII stored in a particular data format while still allowing developers to use it in development and test environments. Data masking replaces or obscures sensitive data elements with fictitious or modified values that retain the format and characteristics of the original data (for example, a masked credit card number still has the right length and check digit, and a masked date is still a valid date). Developers can therefore build and test against realistic data without the real values ever leaving the production environment, and the application's functionality and performance are unaffected.
The other options have limitations in this scenario. Data tokenization replaces sensitive values with non-sensitive tokens that have no intrinsic meaning; it protects the data from theft, but the tokens may not preserve the original format, which can break application logic in test. Data encryption transforms data into ciphertext using an algorithm and a key; it protects the data in storage and transit, but the developers would need to decrypt it to use it, which both exposes the real values and adds complexity and key-management overhead to the development process. Data abstraction hides the details of data structures or operations behind a simplified interface; it improves usability and maintainability, but it does nothing to prevent exposure of the underlying PII.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2
An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release.
Which of the following should the IS auditor review FIRST?
- A. Capacity management plan
- B. Training plans
- C. Database conversion results
- D. Stress testing results
D
Explanation:
When transaction processing times in an order processing system have increased significantly after a major release, the IS auditor should first review the stress testing results. Stress testing evaluates how a system performs under extreme or abnormal conditions such as high transaction volume, load or concurrency. Its results show whether the release was tested under realistic load at all and, if so, what bottlenecks, capacity limits or errors were observed, which is the most direct evidence for explaining the degradation. The other options are less relevant because they do not measure the system's behaviour under load. A capacity management plan defines the processes for ensuring the system has adequate resources to meet current and future demand, but it does not show what happened in this release. Training plans address the skills and knowledge of system users, not system performance. Database conversion results record the outcome of transforming data from one format or structure to another; they might be reviewed later if the stress testing results point to a data-related cause, but they are not the first place to look.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3