Practice Free CISA Exam Online Questions
Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?
- A . Walk-through reviews
- B . Substantive testing
- C . Compliance testing
- D . Design documentation reviews
B
Explanation:
Substantive testing provides the most reliable audit evidence on the validity of transactions because it examines the transactions and balances themselves rather than the controls around them. It checks that transactions recorded in the financial application are authorized, complete, accurate, and properly classified, using methods such as vouching to source documents, third-party confirmation, analytical procedures, recalculation, or physical examination. Compliance testing, by contrast, tests whether controls are operating as designed, and walk-through reviews and design documentation reviews only show how the process is supposed to work, not whether the actual transactions are valid.
A network analyst is monitoring the network after hours and detects activity that appears to be a brute-force attempt to compromise a critical server.
After reviewing the alerts to ensure their accuracy, what should be done NEXT?
- A . Perform a root cause analysis.
- B . Document all steps taken in a written report.
- C . Isolate the affected system.
- D . Invoke the incident response plan.
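The scenario above is detection followed by alert review. The following Python is an added example, not part of the practice page: it runs a simple brute-force rule over a few constructed sshd-style log lines (the hostname fin-db01, the IP addresses and usernames are invented) and then performs the triage step the question refers to, gathering the facts an analyst checks before escalating.

```python
"""Brute-force login detection over auth log lines, followed by the triage
an analyst performs to confirm an alert is accurate before escalating it."""
import re
from collections import defaultdict
from datetime import datetime

# sshd-style syslog lines, constructed for this example (not taken from the page).
# Syslog timestamps carry no year; every line here is from the same day, so the
# default year strptime fills in does not affect the time-window arithmetic.
SAMPLE_LOG = """\
Jan 14 02:01:05 fin-db01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 14 02:01:06 fin-db01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 14 02:01:07 fin-db01 sshd[4121]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 14 02:01:08 fin-db01 sshd[4121]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 14 02:01:09 fin-db01 sshd[4121]: Failed password for oracle from 203.0.113.7 port 51026 ssh2
Jan 14 02:01:10 fin-db01 sshd[4121]: Failed password for backup from 203.0.113.7 port 51027 ssh2
Jan 14 02:03:40 fin-db01 sshd[4188]: Failed password for jsmith from 10.20.30.40 port 40001 ssh2
Jan 14 02:03:55 fin-db01 sshd[4188]: Accepted password for jsmith from 10.20.30.40 port 40001 ssh2
Jan 14 02:10:00 fin-db01 sshd[4201]: Failed password for jsmith from 10.20.30.40 port 40010 ssh2
Jan 14 02:40:00 fin-db01 sshd[4300]: Failed password for jsmith from 10.20.30.40 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_auth_log(text):
    """Return (timestamp, result, user, is_invalid_user, src) for each auth event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-authentication event; ignore
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], bool(m["invalid"]), m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag sources with at least `threshold` failed logins inside any
    `window_s`-second window. Returns {src: max failures seen in one window}."""
    failures = defaultdict(list)
    for ts, result, _user, _invalid, src in events:
        if result == "Failed":
            failures[src].append(ts)
    flagged = {}
    for src, stamps in failures.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until stamps[start..end] fits in window_s
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def triage(events, flagged):
    """Collect what an analyst checks before escalating: how many accounts were
    tried, whether non-existent users were guessed, and whether the source ever
    authenticated (a legitimate user mistyping a password usually does)."""
    report = {}
    for src, burst in flagged.items():
        src_events = [e for e in events if e[4] == src]
        users = sorted({e[2] for e in src_events if e[1] == "Failed"})
        invalid_users = sum(1 for e in src_events if e[3])
        succeeded = any(e[1] == "Accepted" for e in src_events)
        suspicious = len(users) >= 3 or invalid_users > 0
        verdict = "likely brute force" if suspicious and not succeeded else "review manually"
        report[src] = {
            "burst": burst,
            "users_tried": users,
            "invalid_user_attempts": invalid_users,
            "later_succeeded": succeeded,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    for src, info in triage(evts, detect_bruteforce(evts)).items():
        print(src, info)
```

Only 203.0.113.7 is flagged: six failures in five seconds against four different accounts, two of them non-existent, and never a success. The internal host 10.20.30.40 fails three times over forty minutes for one real user and logs in successfully in between, so the rule never fires for it. Once the alert has been confirmed this way, the next step is the one the organization's incident response plan prescribes, not an ad hoc action.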
Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization’s patch management process?
- A . The organization’s software inventory is not complete.
- B . Applications frequently need to be rebooted for patches to take effect.
- C . Software vendors are bundling patches.
- D . Testing patches takes significant time.
A
Explanation:
The organization’s software inventory is not complete. This finding would be of greatest concern to an IS auditor assessing an organization’s patch management process because:
A software inventory lists every software asset the organization owns, uses, or manages. It is the foundation of patch management: it determines which software must be monitored for patches, which patches apply, and which dependencies or compatibility issues must be considered. Without a complete inventory, systems that are not on the list are never assessed or patched, so the organization can carry known, exploitable vulnerabilities indefinitely while still reporting full patch compliance.
Applications frequently need to be rebooted for patches to take effect. This finding would be of moderate concern to an IS auditor assessing an organization’s patch management process because:
Some patches, especially operating system and kernel patches, can only take effect after a restart, so restarts are expected. Frequent application restarts do increase the risk of service disruption and are worth noting, but they are an operational inconvenience rather than a gap in the process itself.
Software vendors are bundling patches. This finding would be of low concern to an IS auditor assessing an organization’s patch management process because:
Bundling (combining several patches into one package or update) reduces the number of downloads and installations and keeps the patches consistent with each other. The trade-offs are larger and more complex updates, possible delay of an individual critical fix until the bundle is released, and the chance that a bundle introduces new defects. These are vendor practices the organization must manage, not a weakness in its own process.
Testing patches takes significant time. This finding would be of low concern to an IS auditor assessing an organization’s patch management process because:
Testing is a necessary step that confirms patches are functional, secure, and compatible with the existing software and hardware environment. Long test cycles consume time and may delay deployment, but they are an investment against the outages and failures that untested or faulty patches can cause. The auditor would check that critical patches are prioritized and that compensating controls cover the interim, but the time spent testing is not itself the concern.
In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?
- A . Implementation
- B . Development
- C . Feasibility
- D . Design
D
Explanation:
The design phase of the system development life cycle (SDLC) is where an IS auditor would expect to find that controls have been incorporated into system specifications, because this is where the system requirements are translated into detailed design specifications that include the technical, functional, and security aspects of the system. The implementation phase is where the system is deployed and tested, the development phase is where the system is coded and unit tested, and the feasibility phase is where the system objectives and scope are defined.
References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2; CISA Online Review Course, Module 4, Lesson 2
An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST
- A . document the exception in an audit report.
- B . review security incident reports.
- C . identify compensating controls.
- D . notify the audit committee.
C
Explanation:
The first action that an IS auditor should take when finding a high-risk vulnerability in a public-facing web server used to process online customer payments is to identify compensating controls. Compensating controls are alternative or additional controls that provide reasonable assurance of mitigating the risk of exploiting the vulnerability. The IS auditor should assess the effectiveness of the compensating controls and determine whether they reduce the risk to an acceptable level. If not, the IS auditor should recommend remediation actions to address the vulnerability. Documenting the exception in an audit report is an important action, but it should not be the first action, as it does not address the urgency of the situation. Reviewing security incident reports is a useful action, but it should not be the first action, as it does not provide assurance of preventing future incidents. Notifying the audit committee is a necessary action, but it should not be the first action, as it does not involve taking any corrective measures.
References:
CISA Review Manual, 27th Edition, pages 295-296
CISA Review Questions, Answers & Explanations Database, Question ID: 260
An organization has both an IT strategy committee and an IT steering committee.
When reviewing the minutes of the IT steering committee, an IS auditor would expect to find that the committee:
- A . assessed the contribution of IT to the business.
- B . acquired and assigned appropriate resources for projects.
- C . compared the risk and return of IT investments.
- D . reviewed the achievement of the strategic IT objective.
An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data.
Which of the following is the PRIMARY advantage of this approach?
- A . Audit transparency
- B . Data confidentiality
- C . Professionalism
- D . Audit efficiency
D
Explanation:
The primary advantage of this approach is that it improves audit efficiency. Audit efficiency is the measure of how well the audit resources are used to achieve the audit objectives. Audit efficiency can be enhanced by using methods or techniques that can save time, cost, or effort without compromising the quality or scope of the audit. By requesting direct access to data required to perform audit procedures instead of asking management to provide the data, the auditor can reduce the dependency on management’s cooperation, availability, or timeliness. The auditor can also avoid potential delays, errors, or biases that may occur when management provides the data.
References:
CISA Review Manual (Digital Version), Chapter 2, Section 2.4; CISA Online Review Course, Domain 1, Module 1, Lesson 4
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s IT process performance reports over the last quarter?
- A . Metrics are not aligned with industry benchmarks
- B . Performance reporting includes too many technical terms
- C . Key performance indicators (KPIs) were met in only one month
- D . Metrics were defined without stakeholder review
An IS auditor learns the organization has experienced several server failures in its distributed environment.
Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
- A . Redundant pathways
- B . Clustering
- C . Failover power
- D . Parallel testing
B
Explanation:
Clustering is a technique that allows multiple servers to work together as a single system, providing high availability, load balancing, and fault tolerance. Clustering can limit the potential impact of server failures in a distributed environment, because the workload is automatically moved to another node in the cluster if one server fails, without interrupting the service. Redundant pathways, failover power, and parallel testing are also useful for improving the reliability and availability of servers, but they do not directly address the failure of the server itself. Note that a cluster protects against the failure of an individual node; it does not protect against faults in shared components such as common storage, or against a misconfiguration or faulty patch that is rolled out to every node at once.
Which of the following network topologies will provide the GREATEST fault tolerance?
- A . Bus configuration
- B . Mesh configuration
- C . Star configuration
- D . Ring configuration
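Fault tolerance of a topology can be measured rather than recalled: the smallest number of simultaneous link failures that partitions the network, and which single node failures do the same. The Python below is an added example, not material from the practice page. It builds each of the four topologies on five nodes (the bus is modelled as a shared line joining the nodes in sequence, the star has node 0 as its hub, and "mesh" is assumed to mean a full mesh; a partial mesh tolerates less) and computes both measures by brute force.

```python
"""Compare the fault tolerance of bus, ring, star and full-mesh topologies by
counting the link failures each survives and the single points of failure."""
from itertools import combinations


def bus(n):
    """Shared line: nodes joined in sequence 0-1-2-...-(n-1)."""
    return n, {frozenset((i, i + 1)) for i in range(n - 1)}


def ring(n):
    """Each node linked to its two neighbours, closing the loop (n >= 3)."""
    return n, {frozenset((i, (i + 1) % n)) for i in range(n)}


def star(n):
    """Node 0 is the central hub; every other node links only to it."""
    return n, {frozenset((0, i)) for i in range(1, n)}


def mesh(n):
    """Full mesh: every node linked directly to every other node."""
    return n, {frozenset(p) for p in combinations(range(n), 2)}


def connected(nodes, links):
    """Depth-first search from one surviving node; True if it reaches all others."""
    nodes = set(nodes)
    if not nodes:
        return True
    start = next(iter(nodes))
    seen, stack = {start}, [start]
    while stack:
        u = stack.pop()
        for link in links:
            if u in link:
                v = next(iter(link - {u}))  # the other endpoint of the link
                if v in nodes and v not in seen:
                    seen.add(v)
                    stack.append(v)
    return seen == nodes


def edge_connectivity(n, links):
    """Smallest number of simultaneous link failures that partitions the
    network (exhaustive search, fine for the small networks used here)."""
    links = list(links)
    for k in range(1, len(links) + 1):
        for failed in combinations(links, k):
            if not connected(range(n), set(links) - set(failed)):
                return k
    return len(links)


def single_points_of_failure(n, links):
    """Nodes whose individual failure disconnects the remaining nodes."""
    spof = []
    for v in range(n):
        remaining = set(range(n)) - {v}
        surviving = {link for link in links if v not in link}
        if not connected(remaining, surviving):
            spof.append(v)
    return spof


def compare(n=5):
    """Per topology: link count, link failures survived, single points of failure."""
    result = {}
    for name, build in (("bus", bus), ("ring", ring), ("star", star), ("mesh", mesh)):
        nodes, links = build(n)
        result[name] = {
            "links": len(links),
            "link_failures_tolerated": edge_connectivity(nodes, links) - 1,
            "single_points_of_failure": single_points_of_failure(nodes, links),
        }
    return result


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:5} {stats}")
```

On five nodes the bus and star survive no link failure at all and each has nodes whose loss splits the network (the interior nodes of the bus, the hub of the star); the ring survives one link failure and has no single point of failure; the full mesh survives three simultaneous link failures and has none either. The price of that tolerance is visible in the link count, which grows as n(n-1)/2 for a full mesh.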