Practice Free CISA Exam Online Questions
Which of the following is the GREATEST risk associated with hypervisors in virtual environments?
- A . Availability issues
- B . Virtual sprawl
- C . Single point of failure
- D . Lack of patches
C
Explanation:
A single point of failure is a component or system that, if it fails, will cause the entire system to stop functioning. In virtual environments, the hypervisor is the software layer that enables multiple virtual machines to run on a single physical host. If the hypervisor is compromised, corrupted, or unavailable, all the virtual machines running on that host will be affected. This can result in data loss, downtime, or security breaches.
References
ISACA CISA Review Manual, 27th Edition, page 254
Virtualization: What are the security risks?
What Is a Hypervisor? (Definition, Types, Risks)
An organization has decided to build a data warehouse using source data from several disparate systems to support strategic decision-making.
Which of the following is the BEST way to ensure the accuracy and completeness of the data used to support business decisions?
- A . The source data is pre-selected so that it already supports senior management’s desired business decision outcome.
- B . The source data is from the current year of operations so that irrelevant data from prior years is not included.
- C . The source data is modified in the data warehouse to remove confidential or sensitive information.
- D . The source data is standardized and cleansed before loading into the data warehouse.
During an IT general controls audit of a high-risk area, both the internal and external audit teams are reviewing the same controls.
Which of the following is the BEST approach to optimize resources?
- A . Leverage the work performed by external audit for the internal audit testing.
- B . Ensure both the internal and external auditors perform the work simultaneously.
- C . Request that the external audit team leverage the internal audit work.
- D . Roll forward the general controls audit to the subsequent audit year.
A
Explanation:
The best approach to optimize resources when both internal and external audit teams are reviewing the same IT general controls area is to leverage the work performed by external audit for the internal audit testing. This can avoid duplication of efforts, reduce audit costs and enhance coordination between the audit teams. The internal audit team should evaluate the quality and reliability of the external audit work before relying on it. Ensuring both the internal and external auditors perform the work simultaneously is not an efficient use of resources, as it would create redundancy and possible interference. Requesting that the external audit team leverage the internal audit work may not be feasible or acceptable, as the external audit team may have different objectives, standards and independence requirements. Rolling forward the general controls audit to the subsequent audit year is not a good practice, as it would delay the identification and remediation of any control weaknesses in a high-risk area.
References: ISACA, CISA Review Manual, 27th Edition, 2018, page 247
Which of the following provides the BEST evidence that system requirements are met when evaluating a project before implementation?
- A . Integration testing results
- B . Sign-off from senior management
- C . User acceptance testing (UAT) results
- D . Regression testing results
An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities.
Which of the following is the BEST recommendation by the IS auditor?
- A . Improve the change management process
- B . Establish security metrics.
- C . Perform a penetration test
- D . Perform a configuration review
D
Explanation:
The best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities is to perform a configuration review. A configuration review is an audit procedure that involves examining and verifying the security settings and parameters of application servers against predefined standards or best practices. A configuration review can help to identify and remediate any deviations, inconsistencies, or misconfigurations that may expose the application servers to unauthorized access, exploitation, or compromise. A configuration review can also help to ensure compliance with security policies and regulations, as well as enhance the performance and availability of application servers.
The other options are less effective or incorrect because:
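The configuration review described above, as an added example that is not part of the original page: it compares each server's effective settings against a hardening baseline and, separately, against the other servers, because a uniform misconfiguration (every server wrong in the same way) is invisible to a drift check alone. The server names, setting names and baseline values are constructed for illustration.

```python
"""Configuration review: application-server security settings versus a baseline.

Added example for this page; the servers, settings and baseline values are constructed.
"""
from dataclasses import dataclass

# Constructed hardening baseline (assumed values, not any real standard).
BASELINE = {
    "tls_min_version": "1.2",
    "directory_listing": "off",
    "server_tokens": "off",
    "session_timeout_min": 15,
    "admin_console_bind": "127.0.0.1",
    "http_trace": "off",
}

# Constructed inventory: effective settings as collected from three servers.
# app-02 weakens TLS and exposes the admin console; app-03 has an unset setting and
# a long session timeout; every server has HTTP TRACE enabled (uniform deviation).
SERVERS = {
    "app-01": {"tls_min_version": "1.2", "directory_listing": "off", "server_tokens": "off",
               "session_timeout_min": 15, "admin_console_bind": "127.0.0.1", "http_trace": "on"},
    "app-02": {"tls_min_version": "1.0", "directory_listing": "off", "server_tokens": "off",
               "session_timeout_min": 15, "admin_console_bind": "0.0.0.0", "http_trace": "on"},
    "app-03": {"tls_min_version": "1.2", "directory_listing": "off",
               "session_timeout_min": 60, "admin_console_bind": "127.0.0.1", "http_trace": "on"},
}

UNSET = "<unset>"  # marker for a baseline setting the server does not define at all


@dataclass
class Finding:
    server: str
    setting: str
    expected: object
    actual: object


def review_against_baseline(servers, baseline):
    """One Finding per setting that deviates from, or is absent relative to, the baseline."""
    findings = []
    for name, cfg in sorted(servers.items()):
        for setting, expected in baseline.items():
            actual = cfg.get(setting, UNSET)
            if actual != expected:
                findings.append(Finding(name, setting, expected, actual))
    return findings


def inconsistent_settings(servers):
    """Settings whose value differs between servers (drift), regardless of the baseline."""
    drift = {}
    all_settings = set().union(*(cfg.keys() for cfg in servers.values()))
    for setting in sorted(all_settings):
        values = {name: cfg.get(setting, UNSET) for name, cfg in servers.items()}
        if len(set(values.values())) > 1:
            drift[setting] = values
    return drift


def report(servers, baseline):
    """Plain-text summary suitable for an audit workpaper."""
    lines = [f"{f.server}: {f.setting} = {f.actual!r}, baseline requires {f.expected!r}"
             for f in review_against_baseline(servers, baseline)]
    lines += [f"drift: {setting} -> {values}"
              for setting, values in inconsistent_settings(servers).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SERVERS, BASELINE))
```

In the constructed data, `http_trace` is wrong on every server and therefore never appears as drift; only the baseline comparison reports it, which is why a configuration review is anchored to a standard rather than to a majority of the fleet.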
An information systems security officer’s PRIMARY responsibility for business process applications is to:
- A . authorize secured emergency access
- B . approve the organization’s security policy
- C . ensure access rules agree with policies
- D . create role-based rules for each business process
C
Explanation:
Ensuring access rules agree with policies is an information systems security officer's primary responsibility for business process applications. An information systems security officer should verify that the access controls implemented for the business process applications are consistent with the organization's security policy and objectives. The other options are not the primary responsibility of an information systems security officer, but rather tasks of an application owner, senior management, or a business analyst.
References:
CISA Review Manual (Digital Version), Chapter 7, Section 7.3.11
CISA Review Questions, Answers & Explanations Database, Question ID 208
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s mobile device policies and controls in its corporate environment?
- A . The mobile authentication policy requires biometrics.
- B . The virtual private network (VPN) policy is not enabled for the internal corporate network.
- C . Not all active devices are enrolled in mobile device management (MDM).
- D . Remote wipe and lock features are only available with access to the internet.
C
Explanation:
A lack of Mobile Device Management (MDM) enrollment is the biggest concern, as unmanaged devices pose a serious security risk.
Not All Devices Enrolled in MDM (Correct Answer: C)
Unenrolled devices can bypass security policies.
Example: A stolen, unenrolled device may lack encryption, exposing corporate data.
Biometric Authentication Required (Incorrect: A)
Biometrics are an enhanced security measure, not a concern.
VPN Not Required for Internal Network (Incorrect: B)
VPNs are typically used for external access, not always needed internally.
Remote Wipe Requires Internet (Incorrect: D)
A limitation, but still less risky than allowing unsecured devices.
References:
ISACA CISA Review Manual
NIST SP 800-124, Guidelines for Managing the Use of Mobile Devices in the Enterprise
An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year.
Which of the following should the auditor do FIRST?
- A . Escalate to audit management to discuss the audit plan
- B . Notify the chief operating officer (COO) and discuss the audit plan risks
- C . Exclude IS audits from the upcoming year’s plan
- D . Increase the number of IS audits in the plan
A
Explanation:
The auditor should first escalate to audit management to discuss the audit plan. This is because the audit plan should be based on a risk assessment and aligned with the organization’s objectives and strategies. The auditor should not accept the CIO’s request without proper justification and approval from the audit management, who are responsible for ensuring the audit plan’s quality and independence. The auditor should also communicate the potential risks and implications of not conducting IS audits in the upcoming year, such as missing new or emerging threats, vulnerabilities, or compliance issues.
References:
CISA Review Manual (Digital Version), Chapter 2, Section 2.11
CISA Online Review Course, Domain 1, Module 1, Lesson 22
During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST
- A . perform a business impact analysis (BIA).
- B . issue an intermediate report to management.
- C . evaluate the impact on current disaster recovery capability.
- D . conduct additional compliance testing.
C
Explanation:
The first step that an IS auditor should take when finding that a business impact analysis (BIA) has not been performed is to evaluate the impact on current disaster recovery capability. A BIA is a process that identifies and analyzes the potential effects of disruptions to critical business functions and processes. A BIA helps determine the recovery priorities, objectives, and strategies for the organization. Without a BIA, the disaster recovery plan may not be aligned with the business needs and expectations, and may not provide adequate protection and recovery for the most critical assets and activities. Therefore, an IS auditor should assess how the lack of a BIA affects the current disaster recovery capability and identify any gaps or risks that need to be addressed.
Performing a BIA, issuing an intermediate report to management, and conducting additional compliance testing are not the first steps that an IS auditor should take when finding that a BIA has not been performed. These steps may be done later in the audit process, after evaluating the impact on current disaster recovery capability. Performing a BIA is not the responsibility of the IS auditor, but of the business owners and managers. Issuing an intermediate report to management may be premature without sufficient evidence and analysis. Conducting additional compliance testing may not be relevant or necessary without a clear understanding of the disaster recovery requirements and objectives.
A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system.
Which of the following is the IS auditor’s BEST recommendation?
- A . Enable automatic encryption, decryption, and electronic signing of data files.
- B . Automate the transfer of data between systems as much as is feasible.
- C . Have coders perform manual reconciliation of data between systems.
- D . Implement software to perform automatic reconciliations of data between systems.
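An automated interface reconciliation of the kind option D describes, as an added example that is not part of the original page: batch control totals (record count, amount total, hash total) detect that a transfer is out of balance, and a key-level comparison then identifies exactly which records are missing or altered so they can be re-sent or corrected. The two record sets and the control-total scheme are constructed for illustration.

```python
"""Interface reconciliation: find records that did not reach the receiving system.

Added example for this page; the record sets and the control-total scheme are constructed.
"""
import hashlib
from decimal import Decimal

# Constructed extract from the sending system: (record_id, amount) pairs.
SENT = [
    ("INV-1001", Decimal("120.00")),
    ("INV-1002", Decimal("75.50")),
    ("INV-1003", Decimal("980.10")),
    ("INV-1004", Decimal("12.00")),
]

# Constructed view of the receiving system: INV-1002 was dropped, INV-1003 altered in transit.
RECEIVED = [
    ("INV-1001", Decimal("120.00")),
    ("INV-1003", Decimal("980.01")),
    ("INV-1004", Decimal("12.00")),
]


def control_totals(records):
    """Batch-level controls: record count, amount total and an order-independent hash total."""
    count = len(records)
    total = sum((amt for _, amt in records), Decimal("0"))
    digest = hashlib.sha256()
    for rid, amt in sorted(records):  # sort so transmission order does not change the hash
        digest.update(f"{rid}|{amt}".encode())
    return count, total, digest.hexdigest()


def reconcile(sent, received):
    """Compare the batches at summary level, then drill down to the records that are
    missing from, unexpected in, or different in the receiving system."""
    sent_by_id = dict(sent)
    recv_by_id = dict(received)
    missing = sorted(set(sent_by_id) - set(recv_by_id))
    unexpected = sorted(set(recv_by_id) - set(sent_by_id))
    mismatched = sorted(rid for rid in set(sent_by_id) & set(recv_by_id)
                        if sent_by_id[rid] != recv_by_id[rid])
    balanced = control_totals(sent) == control_totals(received)
    return {"balanced": balanced, "missing": missing,
            "unexpected": unexpected, "mismatched": mismatched}


def resend_queue(sent, result):
    """Records the sending system must re-transmit (missing) or correct (mismatched)."""
    sent_by_id = dict(sent)
    return [(rid, sent_by_id[rid]) for rid in result["missing"] + result["mismatched"]]


if __name__ == "__main__":
    outcome = reconcile(SENT, RECEIVED)
    print(outcome)
    print(resend_queue(SENT, outcome))
```

The summary check alone would only tell the auditor that something is wrong; the key-level comparison is what turns the finding into a correctable list, which is the gap the question describes.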