Practice Free CISA Exam Online Questions
Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects. Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?
- A . Human resources (HR) sourcing strategy
- B . Records of actual time spent on projects
- C . Peer organization staffing benchmarks
- D . Budgeted forecast for the next financial year
B
Explanation:
The best source of information for IT management to estimate resource requirements for future projects is the records of actual time spent on projects. This data can provide a realistic and reliable basis for forecasting future resource needs based on historical trends and patterns. The records of actual time spent on projects can also help IT management to identify any gaps or inefficiencies in resource allocation and utilization. The human resources (HR) sourcing strategy is not a good source of information for estimating resource requirements for future projects, as it may not reflect the actual demand and availability of IT resources. The peer organization staffing benchmarks are not a good source of information for estimating resource requirements for future projects, as they may not account for the specific characteristics and needs of each organization. The budgeted forecast for the next financial year is not a good source of information for estimating resource requirements for future projects, as it may not be based on accurate or realistic assumptions.
References:
CISA Review Manual, 27th Edition, pages 465-466
CISA Review Questions, Answers & Explanations Database, Question ID: 263
During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights.
The auditor’s NEXT step should be to:
- A . recommend a control to automatically update access rights.
- B . determine the reason why access rights have not been revoked.
- C . direct management to revoke current access rights.
- D . determine if access rights are in violation of software licenses.
B
Explanation:
The NEXT step for the IS auditor after noting that an employee who has recently changed roles within the organization still has previous access rights should be to B. determine the reason why access rights have not been revoked. Identifying the cause of this situation is crucial for understanding whether it’s due to oversight, process gaps, or other factors. Once the reason is determined, appropriate corrective actions can be recommended to ensure that access rights are aligned with the employee’s current role and responsibilities.
An IS auditor is reviewing the deployment of a new automated system. Which of the following findings presents the MOST significant risk?
- A . The new system has resulted in layoffs of key experienced personnel.
- B . Users have not been trained on the new system.
- C . Data from the legacy system is not migrated correctly to the new system.
- D . The new system is not platform agnostic.
C
Explanation:
The finding that presents the most significant risk when reviewing the deployment of a new automated system is that data from the legacy system is not migrated correctly to the new system. Data migration is a critical process that involves transferring data from one system to another, ensuring its accuracy, completeness, integrity, and usability. If data migration is not performed correctly, it can result in data loss, corruption, inconsistency, or duplication, which can affect the functionality, performance, reliability, and security of the new system. Data migration errors can also have serious business implications, such as affecting decision making, reporting, compliance, customer service, and revenue. The other findings (A, B and D) are less significant risks, as they can be mitigated by rehiring or retraining personnel, providing user training, or adapting the system to different platforms.
Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?
- A . Error log review
- B . Total number of items
- C . Hash totals
- D . Aggregate monetary amount
C
Explanation:
Hash totals are a control technique used to ensure data integrity during batch processing. A hash total is a calculated value based on the data in a batch. This value is compared to a pre-calculated hash total to confirm that all data has been processed correctly and without alteration.
References:
ISACA CISA Review Manual (27th Edition): Hash totals are discussed within the context of batch processing controls.
Other Auditing Resources: Hash totals are a fundamental control technique discussed in various audit and information security publications.
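As an added illustration of the batch control technique described above (example code written for this page, not from the ISACA manual; the transaction batches are constructed), the following computes the three candidate control totals from the question and shows why a hash total catches an altered record that a record count or a monetary total alone would miss:

```python
from decimal import Decimal

# Constructed sample batch read from an input source (not real data).
INPUT_BATCH = [
    {"account": 10234, "amount": Decimal("150.00")},
    {"account": 77810, "amount": Decimal("-42.50")},
    {"account": 55021, "amount": Decimal("990.25")},
]

# Constructed "posted" batches: one correct, one with a transposed digit in an
# account number (same record count and same monetary total as the input),
# and one with the last record dropped.
POSTED_OK = [dict(t) for t in INPUT_BATCH]
POSTED_ALTERED = [dict(t) for t in INPUT_BATCH]
POSTED_ALTERED[1]["account"] = 77801
POSTED_DROPPED = INPUT_BATCH[:2]

CONTROL_NAMES = ("record_count", "hash_total", "monetary_total")


def control_totals(batch):
    """Return (record count, hash total, monetary total) for a batch.

    The hash total sums a field whose sum has no business meaning (account
    numbers here). It changes when a record is dropped, duplicated or altered
    even if the record count and the monetary total still balance.
    """
    record_count = len(batch)
    hash_total = sum(t["account"] for t in batch)
    monetary_total = sum((t["amount"] for t in batch), Decimal("0"))
    return record_count, hash_total, monetary_total


def mismatched_controls(input_batch, posted_batch):
    """Names of the control totals that differ between input and posted output."""
    before = control_totals(input_batch)
    after = control_totals(posted_batch)
    return [name for name, b, a in zip(CONTROL_NAMES, before, after) if b != a]


def batch_posted_successfully(input_batch, posted_batch):
    """True only when every control total agrees, which is what the auditor confirms."""
    return not mismatched_controls(input_batch, posted_batch)


if __name__ == "__main__":
    for label, posted in (("ok", POSTED_OK), ("altered", POSTED_ALTERED), ("dropped", POSTED_DROPPED)):
        print(label, mismatched_controls(INPUT_BATCH, posted))
```

For the altered batch only the hash total differs, which is exactly the case where options B and D would wrongly report a successful posting.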
Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?
- A . Progress updates indicate that the implementation of agreed actions is on track.
- B . Sufficient time has elapsed since implementation to provide evidence of control operation.
- C . Business management has completed the implementation of agreed actions on schedule.
- D . Regulators have announced a timeline for an inspection visit.
B
Explanation:
This is because the follow-up of agreed corrective actions for reported audit issues should be done after the auditee has had enough time to implement the corrective actions and demonstrate their effectiveness and sustainability. The follow-up audit should not be too soon or too late, but based on a reasonable and realistic timeframe that allows for adequate testing and verification of the control operation.
Which of the following is MOST important for an IS auditor to assess during a post-implementation review of a newly modified IT application developed in-house?
- A . Sufficiency of implemented controls
- B . Resource management plan
- C . Updates required for end-user manuals
- D . Rollback plans for changes
A
Explanation:
A post-implementation review (PIR) of a newly modified IT application focuses on ensuring that the system meets business and security requirements effectively. The sufficiency of implemented controls (A) is the most critical aspect because it ensures that security, operational, and compliance controls are functioning correctly. These controls include access controls, data integrity checks, and audit logs to prevent unauthorized access, data corruption, or security breaches.
Other options:
Resource management plan (B) is important for project management but is not the primary concern for an IS auditor in a post-implementation review.
Updates required for end-user manuals (C) are necessary for usability but do not impact the security or operational integrity of the system.
Rollback plans for changes (D) are important for change management but are typically assessed before deployment, not in a PIR.
Reference: ISACA CISA Review Manual, IT Governance and Management of IT
Which of the following is the MOST important consideration when establishing vulnerability scanning on critical IT infrastructure?
- A . The scanning will be performed during non-peak hours.
- B . The scanning will be followed by penetration testing.
- C . The scanning will be cost-effective.
- D . The scanning will not degrade system performance.
B
Explanation:
The scanning will not degrade system performance. This is the most important consideration when establishing vulnerability scanning on critical IT infrastructure, because any degradation of system performance could affect the availability, reliability, and functionality of the IT services that depend on the infrastructure. Scanning during non-peak hours (A) could reduce the impact of scanning on system performance, but it does not guarantee that the scanning will not cause any degradation. Scanning followed by penetration testing (B) could provide more in-depth information about the vulnerabilities and their exploitability, but it does not address the potential impact of scanning on system performance. Scanning cost-effectiveness (C) is a relevant factor for choosing a scanning service or tool, but it is not as important as ensuring that the scanning will not compromise the system performance.
Reference: CISA Vulnerability Scanning, Description.
Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?
- A . Reviewing vacation patterns
- B . Reviewing user activity logs
- C . Interviewing senior IT management
- D . Mapping IT processes to roles
D
Explanation:
Mapping IT processes to roles is an activity that provides an IS auditor with the most insight regarding potential single person dependencies that might exist within the organization. Single person dependencies occur when only one person has the knowledge, skills, or access rights to perform a critical IT function. Mapping IT processes to roles can help to identify such dependencies and assess their impact on the continuity and security of IT operations. The other activities do not provide as much insight into single person dependencies, as they do not show the relationship between IT processes and roles.
References: CISA Review Manual, 27th Edition, page 94
An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts.
Which of the following is the BEST recommendation to address this situation?
- A . Suspend contracts with third-party providers that handle sensitive data.
- B . Prioritize contract amendments for third-party providers.
- C . Review privacy requirements when contracts come up for renewal.
- D . Require third-party providers to sign nondisclosure agreements (NDAs).
B
Explanation:
The best recommendation to address the situation of inconsistencies in privacy requirements across third-party service provider contracts is to prioritize contract amendments for third-party providers. This is because:
Privacy requirements are essential to ensure the protection of personal information and compliance with relevant laws and regulations, such as the GDPR and the CCPA [1][2][3].
Inconsistencies in privacy requirements can create risks of data breaches, legal liabilities, reputational damage, and consumer distrust for the organization that outsources its data processing to third-party providers [1][2][3].
Suspending contracts with third-party providers that handle sensitive data (option A) is not a feasible or effective solution, as it may disrupt the business operations and cause contractual penalties or disputes [4].
Reviewing privacy requirements when contracts come up for renewal (option C) is not a proactive or timely approach, as it may leave the organization exposed to privacy risks for a long period of time until the contracts expire [4].
Requiring third-party providers to sign nondisclosure agreements (NDAs) (option D) is not a sufficient measure, as NDAs only cover the confidentiality of information, but not other aspects of privacy, such as data minimization, retention, access, deletion, and security [4].
Therefore, the best recommendation is to prioritize contract amendments for third-party providers (option B), as this would allow the organization to align the privacy requirements with its own policies and standards, as well as with the applicable laws and regulations. This would also enable the organization to monitor and audit the compliance of third-party providers with the privacy requirements and enforce appropriate remedies or sanctions in case of noncompliance [4][5].
References:
1: Understanding CPRA service provider contract requirements – Transcend
2: What you must know about ‘third parties’ under GDPR and CCPA
3: Data Privacy Implications for Service Provider & Third-Party Contracts
4: Privacy and outsourcing for businesses – Office of the Privacy Commissioner of Canada
5: Data Security Guidelines for outsourcing and third party compliance – European Union Agency for Network and Information Security
During the planning stage of a compliance audit, an IS auditor discovers that a bank’s inventory of compliance requirements does not include recent regulatory changes related to managing data risk.
What should the auditor do FIRST?
- A . Ask management why the regulatory changes have not been included.
- B . Discuss potential regulatory issues with the legal department.
- C . Report the missing regulatory updates to the chief information officer (CIO).
- D . Exclude recent regulatory changes from the audit scope.
A
Explanation:
Asking management why the regulatory changes have not been included is the first thing that an IS auditor should do during the planning stage of a compliance audit. An IS auditor should inquire about the reasons for not updating the inventory of compliance requirements with recent regulatory changes related to managing data risk. This will help the IS auditor to understand whether there is a gap in awareness, communication, or implementation of compliance obligations within the organization. The other options are not the first things that an IS auditor should do, but rather possible subsequent actions that may depend on management’s response.
References:
CISA Review Manual (Digital Version), Chapter 2, Section 2.31
CISA Review Questions, Answers & Explanations Database, Question ID 214