Practice Free CISA Exam Online Questions
Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?
- A . Performing independent reviews of responsible parties engaged in the project
- B . Shortlisting vendors to perform renovations
- C . Ensuring the project progresses as scheduled and milestones are achieved
- D . Implementing data center operational controls
A
Explanation:
IS auditors primarily provide assurance and oversight. In this context, independent reviews ensure that those responsible for the renovation project are meeting their obligations, following best practices, and managing risks appropriately.
References:
ISACA’s Code of Professional Ethics: Emphasizes the IS Auditor’s duty to be independent and objective.
The Role of IS Audit: IS Auditors are not project managers but provide objective assessment and guidance regarding controls and risk mitigation within projects.
CISA Review Manual (27th Edition): May have sections discussing the role of IS auditors in infrastructure projects or similar initiatives.
A manager identifies active privileged accounts belonging to staff who have left the organization.
Which of the following is the threat actor in this scenario?
- A . Terminated staff
- B . Unauthorized access
- C . Deleted log data
- D . Hacktivists
A
Explanation:
A threat actor is an entity or individual that poses a potential harm or danger to an organization’s information systems or data. Terminated staff are the threat actors in this scenario, as they are former employees who may still have active privileged accounts that grant them access to sensitive or critical information or resources of the organization. Terminated staff may abuse their access privileges or credentials to compromise the confidentiality, integrity, or availability of the information systems or data, either intentionally or unintentionally.

Unauthorized access is a threat event or action that occurs when an unauthorized entity or individual gains access to an organization’s information systems or data without permission or authorization. Unauthorized access is not a threat actor, but rather a result of a threat actor’s activity.

Deleted log data is a threat consequence or impact that occurs when log data, which are records of events or activities that occur on an information system or network, are erased or corrupted by a threat actor. Deleted log data can affect the auditability, accountability, and visibility of the information system or network, and prevent detection or investigation of security incidents. Deleted log data is not a threat actor, but rather a result of a threat actor’s activity.

Hacktivists are threat actors who use hacking techniques to promote a political or social cause or agenda. Hacktivists are not the threat actors in this scenario, as there is no indication that they are involved in this case.
Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
- A . Data from the source and target system may be intercepted.
- B . Data from the source and target system may have different data formats.
- C . Records past their retention period may not be migrated to the new system.
- D . System performance may be impacted by the migration
A
Explanation:
The greatest security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system is that data from the source and target system may be intercepted. Data interception is an attack that occurs when an unauthorized entity or individual captures or accesses data that are being transmitted or stored on an information system or network. Data interception can compromise the confidentiality and integrity of data, and cause harm or damage to data owners or users. Data migration from a legacy HR system to a cloud-based system involves transferring data from one system or location to another over a network connection. This poses a high risk of data interception, as data may be exposed or vulnerable during transit or storage on unsecured or untrusted networks or systems.

Different data formats between the source and target system are a possible challenge associated with the migration, but not a security risk. Data formats are specifications that define how data are structured or encoded on an information system or network, and they may vary between systems or platforms. Data migration may require converting data from one format to another to ensure compatibility and interoperability between systems.

Records past their retention period not being migrated to the new system is a possible outcome of the migration, but not a security risk. A retention period defines how long data should be kept or stored on an information system or network before being deleted or destroyed, and it may depend on factors such as legal requirements, business needs, and storage capacity. Data migration may involve deleting or destroying data that are past their retention period to reduce the volume or complexity of data to be transferred, or to comply with regulations or policies.

System performance being impacted by the migration is a possible impact, but not a security risk. System performance is a measure of how well an information system or network functions or operates, such as speed, reliability, and availability. It may be affected by data migration, as migration may consume significant resources or bandwidth, cause interruptions or delays, or introduce errors or inconsistencies.
An organization has an acceptable use policy in place, but users do not formally acknowledge the policy.
Which of the following is the MOST significant risk from this finding?
- A . Lack of data for measuring compliance
- B . Violation of industry standards
- C . Noncompliance with documentation requirements
- D . Lack of user accountability
D
Explanation:
An acceptable use policy (AUP) is a document that defines the rules and guidelines for using an organization’s IT resources, such as networks, devices, and software. It aims to protect the organization’s assets, security, and productivity. An AUP should be formally acknowledged by users to ensure that they are aware of their responsibilities and obligations when using the IT resources.
Without formal acknowledgment, users may not be held accountable for violating the AUP or may claim ignorance of the policy. This can expose the organization to legal, regulatory, reputational, or operational risks. Lack of data for measuring compliance, violation of industry standards, and noncompliance with documentation requirements are also possible risks from not having users acknowledge the AUP, but they are less significant than lack of user accountability.
References: Workable: Acceptable use policy template, Wikipedia: Acceptable use policy
Which of the following system redundancy configurations BEST improves system resiliency and reduces the possibility of a single cause of failure impacting system dependability?
- A . Active redundancy
- B . Homogeneous redundancy
- C . Diverse redundancy
- D . Passive redundancy
Which of the following documents should define roles and responsibilities within an IT audit organization?
- A . Audit charter
- B . Annual audit plan
- C . Engagement letter
- D . Audit scope letter
A
Explanation:
The audit charter is a formal document that defines the purpose, authority, and responsibilities of the internal audit function.
Audit Charter (Correct Answer: A): Establishes roles, reporting structure, and independence of the audit team. Example: The IS audit team’s role in risk assessments is outlined in the charter.
Annual Audit Plan (Incorrect: B): Outlines audit activities but does not define roles and responsibilities.
Engagement Letter (Incorrect: C): Used for specific audits, not the entire audit function.
Audit Scope Letter (Incorrect: D): Details what is covered in an audit but does not define responsibilities.
References:
ISACA CISA Review Manual
COBIT 2019 (Audit Governance)
Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?
- A . Project segments are established.
- B . The work is separated into phases.
- C . The work is separated into sprints.
- D . Project milestones are created.
C
Explanation:
The best way to enable the effectiveness of an agile project for the rapid development of a new software application is to separate the work into sprints. Sprints are short, time-boxed iterations that deliver a potentially releasable product increment at the end of each sprint. Sprints allow agile teams to work in a flexible and adaptive manner, respond quickly to changing customer needs and feedback, and deliver value faster and more frequently. Sprints also help teams to plan, execute, review, and improve their work in a collaborative and transparent way. Project segments, phases, and milestones are not specific to agile projects and do not necessarily enable the effectiveness of an agile project.
References: Agile Project Management [What is it & How to Start] – Atlassian, CISA Review Manual (Digital Version).
What is the PRIMARY reason to adopt a risk-based IS audit strategy?
- A . To achieve synergy between audit and other risk management functions
- B . To prioritize available resources and focus on areas with significant risk
- C . To reduce the time and effort needed to perform a full audit cycle
- D . To identify key threats, risks, and controls for the organization
Data from a system of sensors located outside of a network is received by the open ports on a server.
Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?
- A . Implement network address translation on the sensor system.
- B . Route the traffic from the sensor system through a proxy server.
- C . Hash the data that is transmitted from the sensor system.
- D . Transmit the sensor data via a virtual private network (VPN) to the server.
Which of the following is MOST important when defining the IS audit scope?
- A . Minimizing the time and cost to the organization of IS audit procedures
- B . Involving business in the formulation of the scope statement
- C . Aligning the IS audit procedures with IT management priorities
- D . Understanding the relationship between IT and business risks
D
Explanation:
The most important factor when defining the IS audit scope is to understand the relationship between IT and business risks, as this helps to identify the areas that have the most potential impact on the organization’s objectives, performance, and value. By understanding the IT and business risks, the IS auditor can focus the audit scope on the key processes, systems, controls, and issues that need to be assessed and addressed.
References:
ISACA CISA Review Manual, 27th Edition, page 256
Ten Factors to Consider when Setting the Scope of an Internal Audit
What Is an Audit Scope? | Auditing Basics | KirkpatrickPrice