Practice Free CISA Exam Online Questions
Following an IT audit, management has decided to accept the risk highlighted in the audit report.
Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?
- A . A communication plan exists for informing parties impacted by the risk.
- B . Potential impact and likelihood are adequately documented.
- C . Identified risk is reported into the organization’s risk committee.
- D . Established criteria exist for accepting and approving risk.
D
Explanation:
Clear criteria ensure a consistent, rational approach to risk acceptance decisions, demonstrating management’s deliberate and informed approach to risk management.
References
ISACA CISA Review Manual (Current Edition) – Chapter on Risk Management
Risk Management Frameworks (e.g., ISO 31000, NIST SP 800-39) – Emphasize the importance of defined risk assessment and decision-making processes.
During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations.
What is the auditor’s BEST course of action?
- A . Notify the chair of the audit committee.
- B . Notify the audit manager.
- C . Retest the control.
- D . Close the audit finding.
B
Explanation:
The auditor’s best course of action in this situation is to notify the audit manager. The audit manager is responsible for overseeing the audit follow-up process and ensuring that audit issues are resolved in a timely and satisfactory manner. The audit manager can then decide whether to escalate the matter to higher authorities, such as the chair of the audit committee, or to accept management’s decision and close the audit finding. The other options are not appropriate for the auditor to do without consulting with the audit manager first. Notifying the chair of the audit committee is a drastic step that may undermine the relationship between the auditor and management, and it should be done only after exhausting other means of resolving the issue. Retesting the control is not necessary, as management has already decided not to implement the recommendations. Closing the audit finding is premature, as management’s decision may not be aligned with the audit objectives or risk appetite.
References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4
Which of the following should be the FIRST step in managing the impact of a recently discovered zero-day attack?
- A . Evaluating the likelihood of attack
- B . Estimating potential damage
- C . Identifying vulnerable assets
- D . Assessing the impact of vulnerabilities
C
Explanation:
The first step in managing the impact of a recently discovered zero-day attack is to identify vulnerable assets. A zero-day attack is a cyberattack that exploits a previously unknown or unpatched vulnerability in a software or system, before the vendor or developer has had time to fix it. Identifying vulnerable assets is crucial for managing the impact of a zero-day attack, because it helps to determine the scope and severity of the attack, prioritize the protection and mitigation measures, and isolate or quarantine the affected assets from further damage or compromise. The other options are not the first steps in managing the impact of a zero-day attack, because they either require more information about the vulnerable assets, or they are part of the subsequent steps of assessing, responding, or recovering from the attack.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.4
Which of the following is the BEST reason for an IS auditor to emphasize to management the importance of using an IT governance framework?
- A . Frameworks enable IT benchmarks against competitors
- B . Frameworks can be tailored and optimized for different organizations
- C . Frameworks help facilitate control self-assessments (CSAs)
- D . Frameworks help organizations understand and manage IT risk
B
Explanation:
The best reason for an IS auditor to emphasize to management the importance of using an IT governance framework is that frameworks can be tailored and optimized for different organizations. An IT governance framework is a set of principles, guidelines, and processes that help an organization align its IT strategy with its business goals, manage IT risks and performance, and deliver value from IT investments. An IT governance framework can be adapted and customized to suit the specific needs, context, and culture of each organization, taking into account factors such as size, industry, maturity, objectives, and stakeholders. An IT governance framework can also help an organization adopt best practices and standards from various sources, such as COBIT [2], ITIL [3], ISO/IEC 20000 [4], and others.
The other options are not as good as option B, as they may not capture the full scope or benefits of using an IT governance framework. Frameworks enable IT benchmarks against competitors, but this is not the main purpose or advantage of using an IT governance framework. Frameworks help facilitate control self-assessments (CSAs), but this is only one aspect or tool of an IT governance framework. Frameworks help organizations understand and manage IT risk, but this is also only one outcome or objective of an IT governance framework.
References:
1: What is ITIL? Your guide to the IT Infrastructure Library | CIO
2: IT Governance Framework | Components | Framework | Terminology – EDUCBA
3: IT Governance: Definitions, Frameworks and Planning – ProjectManager
4: What Is IT Governance? – Definition from Techopedia
5: What is IT Governance? A formal way to align IT & business strategy | CIO
6: What Is IT Governance? – Definition from WhatIs.com
7: ISO/IEC 20000 Information Technology Service Management Systems Standard – ISO/IEC 20000 Portal
8: COBIT | Control Objectives for Information Technologies | ISACA
An IS auditor discovers that a developer has used the same key to grant access to multiple applications making calls to an application programming interface (API).
Which of the following is the BEST recommendation to address this situation?
- A . Replace the API key with time-limited tokens that grant least privilege access.
- B . Authorize the API key to allow read-only access by all applications.
- C . Implement a process to expire the API key after a previously agreed-upon period of time.
- D . Coordinate an API key rotation exercise with all impacted application owners.
An organization has developed mature risk management practices that are followed across all departments.
What is the MOST effective way for the audit team to leverage this risk management maturity?
- A . Implementing risk responses on management’s behalf
- B . Integrating the risk register for audit planning purposes
- C . Providing assurances to management regarding risk
- D . Facilitating audit risk identification and evaluation workshops
B
Explanation:
The most effective way for the audit team to leverage the risk management maturity of the organization is to integrate the risk register for audit planning purposes. The risk register is a document that records the identified risks, their likelihood, impact, and mitigation strategies for a project or an organization. By using the risk register, the audit team can align their audit objectives, scope, and procedures with the organization’s risk profile and priorities. This will help the audit team to provide more value-added and relevant assurance and recommendations to the management and stakeholders.
Some of the web sources that support this answer are:
Audit Maturity And Risk Management | Ideagen
Building a Mature Enterprise Risk Management Plan | AuditBoard
What is the MAIN purpose of an organization’s internal IS audit function?
- A . Identify and initiate necessary changes in the control environment to help ensure sustainable improvement.
- B . Independently attest the organization’s compliance with applicable legal and regulatory requirements.
- C . Review the organization’s policies and procedures against industry best practices and standards.
- D . Provide assurance to management about the effectiveness of the organization’s risk management and internal controls.
D
Explanation:
The primary role of an internal IS audit function is to provide independent assurance on risk management, internal controls, and governance processes.
Option A (Incorrect): While audits may identify control improvements, they do not initiate changes; management is responsible for implementation.
Option B (Incorrect): Compliance audits are part of IS auditing, but the main focus is assurance on risk and controls, not just compliance.
Option C (Incorrect): Best practices and standards reviews are useful, but they do not define the core objective of an internal audit.
Option D (Correct): The internal audit function’s main goal is to assess and assure the effectiveness of an organization’s risk management and internal controls.
Reference: ISACA CISA Review Manual – Domain 1: Information Systems Auditing Process – Covers audit objectives, assurance functions, and risk management.
When classifying information, it is MOST important to align the classification to:
- A . business risk
- B . security policy
- C . data retention requirements
- D . industry standards
A
Explanation:
When classifying information, it is most important to align the classification to business risk, because it ensures that the information is protected according to its value and impact to the organization [3][4]. Business risk considers factors such as legal, regulatory, contractual, operational, reputational, and financial implications of information disclosure or compromise [3][4]. Aligning information classification to business risk also helps to prioritize and allocate resources for information security measures. Security policy, data retention requirements, and industry standards are important considerations for information classification, but not as important as business risk.
References:
3: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2
4: CISA Online Review Course, Module 5, Lesson 4
Which of the following is MOST important to include in forensic data collection and preservation procedures?
- A . Assuring the physical security of devices
- B . Preserving data integrity
- C . Maintaining chain of custody
- D . Determining tools to be used
B
Explanation:
The most important thing to include in forensic data collection and preservation procedures is preserving data integrity. Data integrity is the property that ensures that data is accurate, complete, and consistent throughout its lifecycle. Preserving data integrity is essential for forensic data collection and preservation procedures because it ensures that the data can be used as valid and reliable evidence in legal proceedings or investigations. Preserving data integrity can be achieved by using methods such as hashing, checksums, digital signatures, write blockers, tamper-evident seals, or timestamps. The other options are not as important as preserving data integrity in forensic data collection and preservation procedures, as they do not affect the validity or reliability of the data. Assuring the physical security of devices is a security measure that protects devices from unauthorized access, theft, damage, or destruction, but it does not ensure that the data on the devices is accurate, complete, and consistent. Maintaining chain of custody is a documentation technique that records and tracks the handling and transfer of devices or data among different parties involved in forensic activities, but it does not ensure that the data on the devices is accurate, complete, and consistent. Determining tools to be used is a planning activity that selects and prepares the appropriate tools for forensic data collection and preservation procedures, but it does not ensure that the data collected and preserved by the tools is accurate, complete, and consistent.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4
An organization is disposing of removable onsite media which contains sensitive information.
Which of the following is the MOST effective method to prevent disclosure of sensitive data?
- A . Encrypting and destroying keys
- B . Machine shredding
- C . Software formatting
- D . Wiping and rewriting three times
B
Explanation:
Machine shredding is the process of using a shredding machine to physically destroy the media and make the data unrecoverable. This is more effective than software formatting, which only erases the data logically and may leave traces that can be recovered by special tools [1]. Encrypting and destroying keys may prevent unauthorized access to the data, but it does not erase the data from the media. Wiping and rewriting three times is unnecessary and may reduce the lifespan of the media, especially for solid state drives [2]. Machine shredding is also recommended by various security standards and guidelines for media disposal [3][4][5].