Practice Free CISA Exam Online Questions
Which of the following is the MOST efficient control to reduce the risk associated with a systems administrator having network administrator responsibilities?
- A . The administrator must obtain temporary access to make critical changes.
- B . The administrator will need to request additional approval for critical changes.
- C . The administrator must sign a due diligence agreement.
- D . The administrator will be subject to unannounced audits.
During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization.
Which of the following should be recommended as the PRIMARY factor to determine system criticality?
- A . Key performance indicators (KPIs)
- B . Mean time to restore (MTTR)
- C . Maximum allowable downtime (MAD)
- D . Recovery point objective (RPO)
Which of the following cloud capabilities BEST enables an organization to meet unexpectedly high service demand?
- A . Scalability
- B . High availability
- C . Alternate routing
- D . Flexibility
Which of the following controls is the BEST recommendation to prevent the skimming of debit or credit card data in point of sale (POS) systems?
- A . Encryption
- B . Chip and PIN
- C . Hashing
- D . Biometric authentication
Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?
- A . Project charter
- B . Project plan
- C . Project issue log
- D . Project business case
D
Explanation:
A project business case is a document that describes the rationale and justification for initiating a project, based on its expected costs, benefits, risks, and feasibility. A project business case provides the most useful information to an IS auditor when selecting projects for inclusion in an IT audit plan, because it helps the IS auditor to:
- Understand the purpose, scope, objectives, and deliverables of the project
- Assess the alignment of the project with the organization’s strategy, vision, and goals
- Evaluate the value proposition and return on investment of the project
- Identify the key stakeholders, sponsors, and owners of the project
- Analyze the potential risks and issues associated with the project
- Compare and prioritize the project with other competing projects
The other possible options are:
Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
- A . The added functionality has not been documented.
- B . The new functionality may not meet requirements.
- C . The project may fail to meet the established deadline.
- D . The project may go over budget.
B
Explanation:
The main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B).
This is because:
- A project change management process is a set of procedures that defines how changes to the project scope, schedule, budget, quality, or resources are requested, evaluated, approved, implemented, and controlled [1][2].
- A project change management process helps to ensure that the changes are aligned with the project objectives, stakeholders’ expectations, and business needs [1][2].
Adding a new system functionality during the development phase without following a project change management process can introduce risks such as:
- The added functionality has not been documented (option A), which can lead to confusion, inconsistency, errors, and rework [3].
- The project may fail to meet the established deadline (option C), which can result in delays, penalties, and customer dissatisfaction [3].
- The project may go over budget (option D), which can cause cost overruns, financial losses, and reduced profitability [3].
However, the main risk is that the new functionality may not meet requirements (option B), which can have serious consequences such as:
- The new functionality may not be compatible with the existing system or other components [3].
- The new functionality may not be tested or verified for quality, performance, security, or usability [3].
- The new functionality may not deliver the expected value or benefits to the users or customers [3].
- The new functionality may not comply with the regulatory or contractual obligations [3].
- The new functionality may cause dissatisfaction, complaints, or litigation from the stakeholders [3].
Therefore, the main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B), as this can jeopardize the success and acceptance of the project.
References:
[1] How to Make a Change Management Plan (Templates Included) – ProjectManager
[2] What Is Change Management? Process & Models Explained – ProjectManager
[3] 8 Steps for an Effective Change Management Process – Smartsheet
Which of the following BEST indicates a need to review an organization’s information security policy?
- A . High number of low-risk findings in the audit report
- B . Increasing exceptions approved by management
- C . Increasing complexity of business transactions
- D . Completion of annual IT risk assessment
In an online application, which of the following would provide the MOST information about the transaction audit trail?
- A . File layouts
- B . Data architecture
- C . System/process flowchart
- D . Source code documentation
C
Explanation:
The most information about the transaction audit trail in an online application can be obtained by reviewing the system/process flowchart. A system/process flowchart is a diagram that illustrates the sequence of steps, activities, or events that occur within or affect a system or process. It provides the most information about the transaction audit trail by showing how transactions are initiated, processed, recorded, and completed, and by identifying the inputs, outputs, controls, and dependencies involved in each transaction.

File layouts are specifications that define how data are structured or organized in a file or database. They can provide some information about the transaction audit trail by showing what data elements are stored or retrieved for each transaction, but they do not show how transactions are executed or tracked.

Data architecture is a framework that defines how data are collected, stored, managed, and used within an organization or system. It can provide some information about the transaction audit trail by showing what data sources, models, standards, and policies are used for each transaction, but it does not show how transactions are performed or monitored.

Source code documentation is a description or explanation of the source code of a software program or application. It can provide some information about the transaction audit trail by showing what logic, algorithms, or functions are used for each transaction, but it does not show how transactions are handled or audited.
Which of the following is the BEST testing approach to facilitate rapid identification of application interface errors?
- A . Integration testing
- B . Regression testing
- C . Automated testing
- D . User acceptance testing (UAT)
C
Explanation:
The best testing approach to facilitate rapid identification of application interface errors is automated testing. Automated testing is the use of software tools or scripts to execute predefined test cases, compare expected and actual outcomes, and report any discrepancies. Automated testing can help to speed up the testing process, increase test coverage, reduce human errors, and improve test accuracy and consistency. Automated testing can also help to detect interface errors that may occur due to incompatible data formats, communication protocols, or system configurations.
When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:
- A . legitimate packets blocked by the system have increased
- B . actual attacks have not been identified
- C . detected events have increased
- D . false positives have been reported
B
Explanation:
The main purpose of an IDS is to detect and report malicious or suspicious activity on a network or a host. If an IDS fails to identify actual attacks, it means that the IDS is not functioning properly or effectively, and it exposes the organization to serious security risks and potential damage. This is the most concerning scenario for an IS auditor, as it indicates a major deficiency in the IDS performance and configuration.