Practice Free CISA Exam Online Questions
An organization with many desktop PCs is considering moving to a thin client architecture.
Which of the following is the MAJOR advantage?
- A . The security of the desktop PC is enhanced.
- B . Administrative security can be provided for the client.
- C . Desktop application software will never have to be upgraded.
- D . System administration can be better managed
D
Explanation:
The major advantage of moving from many desktop PCs to a thin client architecture is that system administration can be better managed. In a thin client architecture, lightweight devices connect over the network to central servers that provide most of the processing, storage and application functions. Because applications, data and configuration live on the servers, installing and patching software, taking backups, recovering from failures, troubleshooting and enforcing policy are done once, centrally, instead of being repeated on every desktop. For an organization with a large desktop estate this is the benefit that most directly reduces the operational burden, which is why it is the major advantage.
Desktop application software will never have to be upgraded is incorrect. Applications still have to be upgraded; the difference is that the upgrade is applied once on the server rather than on each client. That saving is one part of better system administration, not a separate advantage, and the word "never" makes the statement false.
The security of the desktop PC is enhanced is a possible benefit, because less data and software reside on the endpoint and security management is centralized on the server, but it depends on other factors such as network security, server hardening and user authentication, and it is not the major advantage.
Administrative security can be provided for the client is a possible benefit, since administrators can configure client devices remotely and enforce access restrictions from the server, but this is a specific aspect of centralized system administration rather than the primary reason to adopt thin clients.
An organization is shifting to a remote workforce. In preparation, the IT department is performing stress and capacity testing of remote access infrastructure and systems. What type of control is being implemented?
- A . Directive
- B . Detective
- C . Preventive
- D . Compensating
C
Explanation:
Stress and capacity testing of the remote access infrastructure before the workforce goes remote is intended to find and fix capacity shortfalls before they cause an outage or degraded service for remote users. A control whose purpose is to stop an undesirable event from occurring in the first place is a preventive control, so the answer is C. Directive controls direct or guide behaviour towards a desired outcome, for example policies, standards, procedures, guidelines and training; they tell people what to do rather than stop a failure from happening. Detective controls identify undesirable events that have already occurred, for example monitoring, logging, auditing and reporting. Compensating controls are alternative controls that provide a comparable level of protection when a primary control is not feasible or cost-effective, for example a manual review where segregation of duties cannot be achieved.
References: CISA Review Manual (Digital Version), [ISACA Glossary of Terms]
One advantage of monetary unit sampling is the fact that
- A . results are stated in terms of the frequency of items in error
- B . it can easily be applied manually when computer resources are not available
- C . large-value population items are segregated and audited separately
- D . it increases the likelihood of selecting material items from the population
D
Explanation:
Monetary unit sampling (MUS) is a statistical sampling method that is used to determine if the account balances or monetary amounts in a population contain any misstatements. MUS treats each individual dollar in the population as a separate sampling unit, so that larger balances or amounts have a higher probability of being selected than smaller ones. MUS then projects the results of testing the sample to the entire population in terms of dollar values, rather than error rates.
One advantage of MUS is that it increases the likelihood of selecting material items from the population. Material items are those that have a significant impact on the financial statements and could influence the decisions of users. By giving more weight to larger items, MUS ensures that material misstatements are more likely to be detected and reported. MUS also reduces the sample size required to achieve a desired level of confidence and precision, as compared to other sampling methods that do not consider the value of items.
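The explanation above describes MUS in words; the following Python, added here as a worked example and not part of the original question set, shows the mechanics. It uses a constructed population of eight receivable balances (not from the page), performs systematic selection with each currency unit as the sampling unit, reports each item's selection probability, and projects a sample error to the population in currency terms. The projection method (tainting times interval for items below the interval, actual error for items examined in full) is the standard MUS approach; the audited values fed to it are also constructed.

```python
"""Monetary unit sampling (MUS): selection and projection.

Added worked example (not from the page). Amounts are whole currency units.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    ref: str
    amount: int  # recorded (book) balance


# Constructed population of receivable balances, chosen to show the effect.
POPULATION = [
    Item("AR-001", 120_000),
    Item("AR-002", 800),
    Item("AR-003", 45_000),
    Item("AR-004", 150),
    Item("AR-005", 9_500),
    Item("AR-006", 250_000),
    Item("AR-007", 2_300),
    Item("AR-008", 31_000),
]


def sampling_interval(population, sample_size):
    """Population value divided by the planned number of hits."""
    return sum(i.amount for i in population) // sample_size


def selection_probability(item, population, sample_size):
    """Chance the item is hit: proportional to its value, capped at 1."""
    return min(1.0, item.amount / sampling_interval(population, sample_size))


def mus_select(population, sample_size, start):
    """Systematic MUS selection.

    Every currency unit is a sampling unit. Walk the cumulative total and pick
    the item that contains each hit at start, start+interval, start+2*interval.
    An item containing several hits is selected once; any item whose amount is
    at least one interval is guaranteed to be selected whatever 'start' is.
    """
    interval = sampling_interval(population, sample_size)
    if not 1 <= start <= interval:
        raise ValueError("start must lie in [1, interval]")
    hits = [start + k * interval for k in range(sample_size)]
    selected, cumulative, next_hit = [], 0, 0
    for item in population:
        cumulative += item.amount
        contains_hit = False
        # Consume every hit that falls inside this item's range of units.
        while next_hit < len(hits) and hits[next_hit] <= cumulative:
            contains_hit = True
            next_hit += 1
        if contains_hit:
            selected.append(item)
    return selected


def project_misstatement(population, sample_size, audited):
    """Project sample errors to the population in currency units, not rates.

    'audited' maps ref -> audited amount for each selected item. Items worth at
    least one interval were examined in full, so their error counts as found;
    smaller items contribute their tainting (error/book) times the interval.
    """
    interval = sampling_interval(population, sample_size)
    by_ref = {i.ref: i for i in population}
    projected = 0.0
    for ref, audited_amount in audited.items():
        item = by_ref[ref]
        error = item.amount - audited_amount
        if item.amount >= interval:
            projected += error
        else:
            projected += (error / item.amount) * interval
    return projected


if __name__ == "__main__":
    sample = mus_select(POPULATION, sample_size=5, start=50_000)
    print("interval:", sampling_interval(POPULATION, 5))
    print("selected:", [i.ref for i in sample])
    for i in POPULATION:
        print(i.ref, f"{selection_probability(i, POPULATION, 5):.4f}")
    # AR-003 audited at 40,500 against a book value of 45,000 (constructed).
    print("projected:", project_misstatement(
        POPULATION, 5, {"AR-001": 120_000, "AR-003": 40_500, "AR-006": 250_000}))
```

With five planned hits the interval is 91,750, so AR-001 and AR-006 are selected regardless of the random start while AR-004 (150) has a selection probability below 0.2 percent. This is the property option D describes: value-weighted selection makes material items almost certain to be examined, and the result is expressed as a projected currency amount rather than an error rate, which is why option A is wrong.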
An IS auditor finds that a number of key patches have not been applied in a timely manner due to resource constraints.
Which of the following is the GREATEST risk to the organization in this situation?
- A . Systems may not be supported by the vendor.
- B . Known security vulnerabilities may not be mitigated.
- C . Different systems may not be compatible.
- D . The systems may not meet user requirements.
The PRIMARY role of an IS auditor in the remediation of problems found during an audit engagement is to:
- A . help auditee management by providing the solution.
- B . explain the findings and provide general advice.
- C . present updated policies to management for approval.
- D . take ownership of the problems and oversee remediation efforts.
Which of the following findings related to segregation of duties should be of GREATEST concern to an IS auditor?
- A . The person who tests source code also approves changes.
- B . The person who administers servers is also part of the infrastructure management team.
- C . The person who creates new user accounts also modifies user access levels.
- D . The person who edits source code also has write access to production.
An IS auditor is reviewing documentation from a change that was applied to an application.
Which of the following findings would be the GREATEST concern?
- A . Testing documentation does not show manager approval.
- B . Testing documentation is dated three weeks before the system implementation date.
- C . Testing documentation is approved prior to completion of user acceptance testing (UAT).
- D . Testing documentation is kept in hard copy format.
Data Loss Prevention (DLP) tools provide the MOST protection against:
- A . The installation of unknown malware.
- B . Malicious programs running on organizational systems.
- C . The downloading of sensitive information to devices by employees.
- D . The sending of corrupt data files to external parties via email.
C
Explanation:
DLP (Data Loss Prevention) tools inspect and classify data in use, in motion and at rest, and detect or prevent unauthorized access to, transfer of, or leakage of sensitive data, whether by insiders or through unauthorized downloads and other egress channels.
Preventing unauthorized downloads (correct, C): DLP solutions block or log attempts to move sensitive files to removable media, personal devices, cloud storage or email. Example: a DLP tool detects and blocks an employee copying confidential data to a USB drive.
Preventing malware installation or execution (incorrect, A and B): antivirus and endpoint protection tools, not DLP, handle malware threats.
Preventing transmission of corrupt data files (incorrect, D): DLP judges the sensitivity of content, not its integrity; it does not detect corrupt files.
References:
ISACA CISA Review Manual
NIST 800-53 (Data Protection Controls)
CIS (Center for Internet Security) DLP Best Practices
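The contrast between options C and D is easier to see in code. The Python below is an added example, not taken from the page or from any DLP vendor's engine: it implements a content-inspection rule of the kind a DLP tool applies to outbound content, looking for payment card numbers (validated with the Luhn checksum to avoid flagging ordinary digit runs) and for a hypothetical "Classification: Confidential/Restricted" document marking that this example assumes. All sample payloads are constructed. A corrupt byte stream simply contains no sensitive text and is allowed through, which is why corruption is not what DLP protects against.

```python
"""Content-inspection rule in the style of a DLP tool.

Added example (not from the page, not any vendor's engine). It inspects
outbound content for payment card numbers (Luhn-validated) and for an assumed
classification label, and returns a block/allow decision with reasons.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical document-marking convention assumed for this example.
CLASSIFICATION = re.compile(r"classification:\s*(confidential|restricted)", re.I)


def luhn_valid(digits):
    """Luhn checksum: weeds out order numbers and other plain digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid card numbers found in text, separators removed."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def dlp_decision(content):
    """Classify an outbound payload (bytes) and decide whether to block it."""
    # Undecodable or corrupt bytes are not sensitive text as far as this rule
    # is concerned: DLP judges sensitivity, not integrity.
    text = content.decode("utf-8", errors="ignore")
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"card_number:{len(cards)}")
    if CLASSIFICATION.search(text):
        reasons.append("classified_document")
    return ("block" if reasons else "allow", reasons)


# Constructed sample payloads.
EMAIL_WITH_PAN = b"Hi, please charge 4111 1111 1111 1111 for the order. Thanks"
REPORT = b"Classification: Confidential\nQ3 margin analysis ..."
ORDER_NOTE = b"Order 1234567890123 shipped; invoice 4111-1111-1111-1112 pending"
CORRUPT_FILE = b"\xff\xfe\x00\x9a\x80garbled\xc3\x28 data\x00\x00"
PUBLIC_DOC = b"Classification: Public\nPress release draft"

if __name__ == "__main__":
    for name, payload in [("email", EMAIL_WITH_PAN), ("report", REPORT),
                          ("order note", ORDER_NOTE), ("corrupt file", CORRUPT_FILE),
                          ("public doc", PUBLIC_DOC)]:
        print(f"{name:13s}", dlp_decision(payload))
```

The order note contains two digit runs that look like card numbers, but neither passes the Luhn check, so it is allowed; the email with a valid test card number and the report carrying a confidential marking are blocked. Real DLP products add fingerprinting, optical character recognition and policy tuning on top of rules like these, but the decision they make is the same one: is this content sensitive, and is it leaving by a permitted route.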
Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
- A . Limit check
- B . Parity check
- C . Reasonableness check
- D . Validity check
D
Explanation:
The most likely application input control that would detect data input errors in the customer account number field during the processing of an accounts receivable transaction is a validity check. A validity check is a type of application control that verifies whether the data entered in an application matches a predefined set of values or criteria1. For example, a validity check can compare the customer account number entered by the user with a list of existing customer account numbers stored in a database, and reject any input that does not match any of the valid values2.
The other options are less likely to detect a keying error in the account number field because they do not compare the input against a set of known valid values. A limit check verifies that a numeric value falls within a specified range or limit1, for example that an invoice amount does not exceed a maximum value2; a mistyped account number is not out of range in that sense. A parity check is a hardware or transmission control rather than an application input control: it adds a parity bit so that the number of 1 bits in a byte or word is even (or odd) and flags a bit that was altered in transmission or storage3. It cannot detect a number that was keyed incorrectly but transmitted faithfully. A reasonableness check verifies that input is logical or sensible in relation to other data1, for example that an order date is not in the future or before the customer account was created2; a mistyped account number may still look perfectly reasonable.
References:
What are application controls? Definition, examples & best practices1
General Control Vs Application Control: Key Differences and Example …4
Parity Check – an overview | ScienceDirect Topics
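The following Python is an added example, not part of the original explanation, that implements the four controls named in the question against a constructed accounts receivable transaction. The customer master file, credit limit, processing date and the sample transactions are all assumed for the example. A transposed account number (C10243 keyed instead of C10234) is caught only by the validity check; the limit and reasonableness checks accept it, and a parity check over the transmitted bytes passes because the wrong value was transmitted without error.

```python
"""Application input controls on an accounts receivable transaction.

Added example (not from the page). Master data, limits and dates are
constructed so the run is deterministic.
"""
from dataclasses import dataclass
from datetime import date

# Constructed customer master file: account number -> date the account was opened.
CUSTOMER_MASTER = {
    "C10234": date(2019, 3, 12),
    "C10235": date(2021, 7, 1),
    "C10240": date(2022, 11, 30),
}
CREDIT_LIMIT = 50_000            # hypothetical per-invoice ceiling for the limit check
PROCESSING_DATE = date(2024, 6, 15)  # fixed 'today' for the reasonableness check


@dataclass(frozen=True)
class ARTransaction:
    account_number: str
    amount: int
    invoice_date: date


def validity_check(txn):
    """Validity check: the field must match a predefined set of values."""
    return txn.account_number in CUSTOMER_MASTER


def limit_check(txn):
    """Limit check: a numeric field must stay within a fixed bound."""
    return 0 < txn.amount <= CREDIT_LIMIT


def reasonableness_check(txn):
    """Reasonableness check: the value must make sense against related data.

    Here the invoice may not predate the account or postdate processing.
    """
    opened = CUSTOMER_MASTER.get(txn.account_number)
    if opened is None:
        return True  # nothing to compare against; the validity check owns this
    return opened <= txn.invoice_date <= PROCESSING_DATE


def parity_bit(data):
    """Even parity over a byte string: 1 when the count of set bits is odd."""
    return sum(bin(b).count("1") for b in data) % 2


def parity_check(data, received_parity):
    """Transmission-level check: did the bits arrive as sent?"""
    return parity_bit(data) == received_parity


def run_input_controls(txn):
    """Return the names of the application controls that reject the transaction."""
    failed = []
    if not validity_check(txn):
        failed.append("validity")
    if not limit_check(txn):
        failed.append("limit")
    if not reasonableness_check(txn):
        failed.append("reasonableness")
    return failed


if __name__ == "__main__":
    keyed_wrong = ARTransaction("C10243", 1_200, date(2024, 6, 1))  # meant C10234
    print("mistyped account:", run_input_controls(keyed_wrong))
    print("correct account: ", run_input_controls(
        ARTransaction("C10234", 1_200, date(2024, 6, 1))))
    print("over limit, predates account:", run_input_controls(
        ARTransaction("C10235", 75_000, date(2020, 1, 1))))
    wire = keyed_wrong.account_number.encode()
    print("parity passes on the wrong number:", parity_check(wire, parity_bit(wire)))
```

A check digit embedded in the account number would be another form of validity check and would catch most single-digit and transposition errors without a master-file lookup; either way the control works by testing the value against what is known to be valid, which is what distinguishes it from the range, logic and bit-level checks in the other options.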
A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year.
Which of the following would BEST enable the agency to improve the performance of its servers during the busy period?
- A . Virtual firewall
- B . Proxy server
- C . Load balancer
- D . Virtual private network (VPN)
C
Explanation:
A load balancer is a tool or application that distributes incoming network traffic among multiple servers in a server farm, so that no server is overwhelmed and the performance of the system is optimized1. A load balancer can help the agency to handle the large influx of traffic to a regional office by balancing the workload among the available servers and preventing service disruptions. A load balancer can also provide high availability and fault tolerance by rerouting traffic to online servers if a server becomes unavailable2.
A virtual firewall is a software-based firewall that protects a virtual network or environment from unauthorized access and malicious attacks. A virtual firewall can enhance the security of the agency’s network, but it does not improve the performance of its servers.
A proxy server is an intermediary that sits between clients and the destination server, hiding client addresses and providing caching and filtering functions. A caching proxy may absorb some repeat requests, but it does not distribute the agency's transaction load across multiple servers, so it does not address the capacity problem during the busy period.
A virtual private network (VPN) is a secure connection between two or more devices over a public network, such as the internet. A VPN can encrypt and protect the data transmitted over the network, but it does not improve the performance of the agency’s servers.
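The behaviour the explanation attributes to a load balancer, spreading requests over a server farm and routing around a server that fails a health probe, is shown in the Python below. It is an added example, not from the page or from any product: a simple round-robin balancer with health-based rerouting and a capacity check. Server names, per-server capacities (requests per second) and the request rate are constructed.

```python
"""Round-robin load balancing with health-based rerouting.

Added example (not from the page). Server names, capacities and request rates
are constructed; 'capacity' is the requests per second a server can sustain.
"""
from collections import Counter


class Backend:
    def __init__(self, name, capacity):
        self.name = name
        self.capacity = capacity
        self.healthy = True


class LoadBalancer:
    """Distributes requests across healthy backends in rotation."""

    def __init__(self, backends):
        self.backends = list(backends)
        self._turn = 0

    def healthy_backends(self):
        return [b for b in self.backends if b.healthy]

    def set_health(self, name, healthy):
        """Outcome of a health probe: an unhealthy server leaves the rotation."""
        for b in self.backends:
            if b.name == name:
                b.healthy = healthy

    def pick(self):
        """Choose the next healthy backend; fail closed if none is left."""
        pool = self.healthy_backends()
        if not pool:
            raise RuntimeError("no healthy backend available")
        chosen = pool[self._turn % len(pool)]
        self._turn += 1
        return chosen

    def dispatch(self, n_requests):
        """Route n requests; return how many each backend received."""
        counts = Counter()
        for _ in range(n_requests):
            counts[self.pick().name] += 1
        return dict(counts)

    def saturated(self, request_rate):
        """True if the per-server share of request_rate exceeds any healthy
        server's capacity, i.e. the farm needs more servers, not just balancing."""
        pool = self.healthy_backends()
        if not pool:
            return True
        share = request_rate / len(pool)
        return any(share > b.capacity for b in pool)


def build_farm(n, capacity=1_000):
    """A farm of n identical servers named web-1 .. web-n behind one balancer."""
    return LoadBalancer(Backend(f"web-{i}", capacity) for i in range(1, n + 1))


if __name__ == "__main__":
    farm = build_farm(3)
    print(farm.dispatch(9))                              # even spread over three servers
    print("saturated at 2500 rps:", farm.saturated(2_500))   # 833 each: fine
    farm.set_health("web-2", False)                      # probe fails: route around it
    print(farm.dispatch(4))
    print("saturated at 2500 rps:", farm.saturated(2_500))   # two left: 1250 each
```

A single 1,000 rps server facing a 2,500 rps year-end peak is saturated; the same load spread over three servers is not. When web-2 fails its probe the remaining two servers keep serving, which is the high-availability benefit described above, but the capacity check also shows the limit of the approach: with two servers left the same peak exceeds their capacity again, so a balancer improves performance only when enough healthy servers sit behind it.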