Practice Free CISA Exam Online Questions
Which of the following would BEST prevent an arbitrary application of a patch?
- A . Database access control
- B . Established maintenance windows
- C . Network based access controls
- D . Change management
A programmer has made unauthorized changes to key fields in a payroll system report.
Which of the following control weaknesses would have contributed MOST to this problem?
- A . The programmer did not involve the user in testing.
- B . The user requirements were not documented.
- C . Payroll files were not under the control of a librarian.
- D . The programmer has access to the production programs.
D
Explanation:
The programmer having access to the production programs is the most likely control weakness that would have contributed to the unauthorized changes to the payroll system report. This is because the programmer could modify the production code without proper authorization, documentation, or testing, and bypass the change management process. This could result in errors, fraud, or data integrity issues in the payroll system. The programmer should only have access to the development or test environment, and the production programs should be under the control of a librarian or a change manager.
References:
ISACA CISA Review Manual, 27th Edition, page 254
4 Types of Internal Control Weaknesses
ACCT 4631 – Internal Auditing: CIA Quiz
Which of the following are BEST suited for continuous auditing?
- A . Low-value transactions
- B . Real-time transactions
- C . Irregular transactions
- D . Manual transactions
B
Explanation:
Continuous auditing is a method of performing audit-related activities on a real-time or near real-time basis. Continuous auditing is best suited for real-time transactions, such as online banking, e-commerce, or electronic funds transfer, that require immediate verification and assurance. Low-value transactions are not necessarily suitable for continuous auditing, as they may not pose significant risks or require frequent monitoring. Irregular transactions are not suitable for continuous auditing, as they may not occur frequently or consistently enough to justify the use of continuous auditing techniques. Manual transactions are not suitable for continuous auditing, as they may not be captured or processed by automated systems that enable continuous auditing.
References:
CISA Review Manual, 27th Edition, pages 307-308
CISA Review Questions, Answers & Explanations Database, Question ID: 253
An IS auditor should ensure that an application’s audit trail:
- A . has adequate security.
- B . logs all database records.
- C . is accessible online.
- D . does not impact operational efficiency.
A
Explanation:
An application’s audit trail is a record of all actions or events that occur within or affect an application, such as user activities, system operations, data changes, errors, and exceptions. An audit trail provides evidence and accountability for an application’s functionality and performance, and supports auditing, monitoring, troubleshooting, and investigation. An IS auditor should ensure that an application’s audit trail has adequate security, meaning that it is protected from unauthorized access, modification, deletion, or disclosure. Adequate security preserves the integrity, reliability, and availability of the audit trail, and prevents tampering or manipulation by attackers or insiders who want to hide evidence of their actions. Logging all database records is a possible feature of an audit trail, but it is not the most important thing for an IS auditor to ensure: logging every record may not be necessary or feasible for some applications, and may generate excessive or irrelevant data that burdens storage or analysis. Online accessibility is also a possible feature, but it is not the most important thing to ensure: it may not be required or desirable for some applications, and may introduce security or privacy risks for the audit trail. Not impacting operational efficiency is a desirable outcome, but it is not the most important thing to ensure: operational efficiency is not the primary objective of an audit trail, and depends on other factors and trade-offs such as storage capacity, performance, and data quality.
Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?
- A . Server room access history
- B . Emergency change records
- C . IT security incidents
- D . Penetration test results
D
Explanation:
The IS auditor should ensure that penetration test results are classified at the highest level of sensitivity, because they contain detailed information about the vulnerabilities and weaknesses of the IT systems and networks, as well as the methods and tools used by the testers to exploit them. Penetration test results can be used by malicious actors to launch cyberattacks or cause damage to the organization if they are disclosed or accessed without authorization. Therefore, they should be protected with the highest level of confidentiality, integrity and availability. The other options are not as sensitive as penetration test results, because they either do not reveal as much information about the IT security posture, or they are already known or reported by the organization.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.4
During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS) agreement.
What should the auditor do NEXT?
- A . Verify whether IT management monitors the effectiveness of the environment.
- B . Verify whether a right-to-audit clause exists.
- C . Verify whether a third-party security attestation exists.
- D . Verify whether service level agreements (SLAs) are defined and monitored.
B
Explanation:
The auditor should verify whether a right-to-audit clause exists (B) next, because it is a contractual provision that grants the auditor the right to access and examine the records, systems, and processes of the SaaS provider. A right-to-audit clause is important for ensuring transparency, accountability, and compliance of the SaaS provider with the customer’s requirements and expectations. A right-to-audit clause can also help the auditor to identify and mitigate any risks or issues related to the SaaS agreement.
Verifying whether IT management monitors the effectiveness of the environment (A) is not the next step, because it is a part of the ongoing monitoring and evaluation process, not the initial walk-through procedures. The auditor should first establish the scope, objectives, and criteria of the audit before assessing the performance and controls of the SaaS provider.
Verifying whether a third-party security attestation exists (C) is not the next step, because it is not a mandatory requirement for a SaaS agreement. A third-party security attestation is a report or certificate issued by an independent auditor that evaluates and validates the security controls and practices of the SaaS provider. A third-party security attestation can provide assurance and confidence to the customer, but it does not replace or eliminate the need for a right-to-audit clause.
Verifying whether service level agreements (SLAs) are defined and monitored (D) is not the next step, because it is not directly related to the audit process. SLAs are contractual agreements that specify the quality, availability, and performance standards of the SaaS provider. SLAs are important for measuring and managing service delivery and customer satisfaction, but they do not grant or guarantee the right to audit.
Stress testing should ideally be carried out under a:
- A . test environment with production workloads.
- B . test environment with test data.
- C . production environment with production workloads.
- D . production environment with test data.
A
Explanation:
Stress testing is designed to evaluate a system’s performance under extreme conditions. It is typically carried out in a test environment that closely mirrors the production environment, using production workloads. This approach ensures that the test results accurately reflect how the system would perform under similar conditions in the production environment. Using a test environment also prevents any disruptions or damage to the production environment during testing.
References:
Stress Testing Best Practices: A Seven Steps Model
An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities.
Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
- A . Increasing the frequency of risk-based IS audits for each business entity
- B . Developing a risk-based plan considering each entity’s business processes
- C . Conducting an audit of newly introduced IT policies and procedures
- D . Revising IS audit plans to focus on IT changes introduced after the split
B
Explanation:
Developing a risk-based plan considering each entity’s business processes would best help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan. A risk-based plan is a plan that prioritizes the audit activities based on the level of risk associated with each area or process. A risk-based plan can help to allocate the audit resources more efficiently and effectively, and provide more assurance and value to the stakeholders.
By considering each entity’s business processes, the IS audit can identify and assess the specific risks and controls that affect the IT environment of each entity, and tailor the audit objectives, scope, and procedures accordingly. This can help to address the unique needs and expectations of each entity, and ensure that the IS audit covers the key risk areas that are relevant and significant to each entity’s operations, performance, and compliance.
The other options are not as effective as developing a risk-based plan considering each entity’s business processes in ensuring that IS audit still covers key risk areas within the IT environment as part of its annual plan.
Option A, increasing the frequency of risk-based IS audits for each business entity, is not a feasible or efficient solution, as it may increase the audit costs and workload, and create duplication or overlap of audit efforts.
Option C, conducting an audit of newly introduced IT policies and procedures, is a limited and narrow approach, as it may not cover all the aspects or dimensions of the IT environment that may have changed or been affected by the split.
Option D, revising IS audit plans to focus on IT changes introduced after the split, is a reactive and short-term approach, as it may not reflect the current or future state of the IT environment or the business objectives of each entity.
References:
ISACA, CISA Review Manual, 27th Edition, 2019
ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
Risk-Based Audit Planning: A Guide for Internal Audit
Risk-Based Audit Approach: Definition & Example
Which of the following will BEST ensure that archived electronic information of permanent importance remains accessible over time?
- A . Performing preventive maintenance on old hardware
- B . Acquiring applications that emulate old software
- C . Regularly migrating data to current technology
- D . Periodically backing up archived data
An IS auditor reviewing the system development life cycle (SDLC) finds there is no requirement for business cases.
Which of the following should be of GREATEST concern to the organization?
- A . Vendor selection criteria are not sufficiently evaluated.
- B . Business resources have not been optimally assigned.
- C . Business impacts of projects are not adequately analyzed.
- D . Project costs exceed established budgets.