Practice Free CISA Exam Online Questions
The PRIMARY purpose of a configuration management system is to:
- A . track software updates.
- B . define baselines for software.
- C . support the release procedure.
- D . standardize change approval.
B
Explanation:
A configuration management system is a process that establishes and maintains the consistency of a product’s attributes throughout its life cycle. It helps to identify and control the functional and physical characteristics of a product, and to record and report any changes to those characteristics. A configuration management system also supports the audit of the product to verify its conformance to requirements.
One of the key activities of a configuration management system is to define baselines for software. A baseline is a fixed reference point that serves as a basis for comparison and measurement. A baseline can be established for any configuration item, such as a requirement, a design document, a test plan, or a software component. A baseline helps to ensure that the software product meets its intended purpose and quality standards, and that any changes to the software are controlled and documented.
A configuration management system also supports other activities, such as tracking software updates, supporting the release procedure, and standardizing change approval, but these are not its primary purpose. Therefore, the other options are incorrect.
References:
What is configuration management – Red Hat
Configuration Management | Definition, Importance & Benefits – ServerWatch
Which of the following would an IS auditor find to be the GREATEST risk associated with the server room in a remote office location?
- A . The server room is secured by a key lock instead of an electronic lock.
- B . The server room’s location is known by people who work in the area.
- C . The server room does not have temperature controls.
- D . The server room does not have biometric controls.
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system.
Which of the following is the IS auditor’s BEST recommendation for a compensating control?
- A . Require written authorization for all payment transactions.
- B . Restrict payment authorization to senior staff members.
- C . Reconcile payment transactions with invoices.
- D . Review payment transaction history.
A
Explanation:
Requiring written authorization for all payment transactions is the IS auditor’s best recommendation for a compensating control in an environment where segregation of duties (SoD) cannot be enforced in an accounts payable system. SoD is a principle that requires different individuals or functions to perform different tasks or roles in a business process, such as initiating, approving, recording and reconciling transactions. SoD reduces the risk of errors, fraud and misuse of resources by preventing any single person or function from having excessive or conflicting authority or responsibility. A compensating control is a control that mitigates or reduces the risk associated with the absence or weakness of another control. Requiring written authorization for all payment transactions is a compensating control that provides an independent verification and approval of each transaction before it is processed by the accounts payable system. This control can help to detect and prevent unauthorized, duplicate or erroneous payments, and to ensure compliance with policies and procedures. The other options are not as effective as option A, as they do not provide an independent verification or approval of payment transactions. Restricting payment authorization to senior staff members is a control that limits the number of people who can authorize payments, but it does not prevent them from initiating or processing payments themselves, which could violate SoD. Reconciling payment transactions with invoices is a control that verifies that the payments match the invoices, but it does not prevent unauthorized, duplicate or erroneous payments from being processed by the accounts payable system. Reviewing payment transaction history is a control that monitors and analyzes the payment transactions after they have been processed by the accounts payable system, but it does not prevent unauthorized, duplicate or erroneous payments from occurring in the first place.
References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.2: Logical Access.
Which of the following is MOST important to the effectiveness of smoke detectors installed in a data processing facility?
- A . Detectors trigger audible alarms when activated.
- B . Detectors have the correct industry certification.
- C . Detectors are linked to dry pipe fire suppression systems.
- D . Detectors are linked to wet pipe fire suppression systems.
Which of the following would be an IS auditor’s BEST recommendation to senior management when several IT initiatives are found to be misaligned with the organization’s strategy?
- A . Define key performance indicators (KPIs) for IT.
- B . Modify IT initiatives that do not map to business strategies.
- C . Reassess the return on investment (ROI) for the IT initiatives.
- D . Reassess IT initiatives that do not map to business strategies.
Which of the following is the BEST way to verify the effectiveness of a data restoration process?
- A . Performing periodic reviews of physical access to backup media
- B . Performing periodic complete data restorations
- C . Validating offline backups using software utilities
- D . Reviewing and updating data restoration policies annually
B
Explanation:
The best way to verify the effectiveness of a data restoration process is to perform periodic complete data restorations. This is the process of transferring backup data to the primary system or data center and verifying that the restored data is accurate, complete, and functional. By performing periodic complete data restorations, the auditee can test the reliability and validity of the backup data, the functionality and performance of the restoration tools and procedures, and the compatibility and integrity of the restored data with the primary system. This will also help identify and resolve any issues or errors that may occur during the restoration process, such as corrupted or missing files, incompatible formats, or configuration problems.
Performing periodic reviews of physical access to backup media (option A) is not the best way to verify the effectiveness of a data restoration process, as it only ensures the security and availability of the backup media, not the quality or usability of the backup data. Physical access reviews are important for preventing unauthorized access, theft, damage, or loss of backup media, but they do not test the actual restoration process or verify that the backup data can be successfully restored.
Validating offline backups using software utilities (option C) is also not the best way to verify the effectiveness of a data restoration process, as it only checks the integrity and consistency of the backup data, not the functionality or compatibility of the restored data. Software utilities can help detect and correct any errors or inconsistencies in the backup data, such as checksum errors, duplicate files, or incomplete backups, but they do not test the actual restoration process or verify that the restored data can work with the primary system.
Reviewing and updating data restoration policies annually (option D) is also not the best way to verify the effectiveness of a data restoration process, as it only ensures that the policies are current and relevant, not that they are implemented and followed. Data restoration policies are important for defining roles and responsibilities, objectives and scope, standards and procedures, and metrics and reporting for the restoration process, but they do not test the actual restoration process or verify that it meets the expected outcomes.
Therefore, option B is the correct answer.
References:
What is backup and disaster recovery? | IBM
Backup and Recovery of Data: The Essential Guide | Veritas
Database Backup and Recovery Best Practices – ISACA
An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration.
Which of the following should be the IS auditor’s NEXT course of action?
- A . Identify existing mitigating controls.
- B . Disclose the findings to senior management.
- C . Assist in drafting corrective actions.
- D . Attempt to exploit the weakness.
A
Explanation:
When an IS auditor discovers a security weakness in the database configuration, the next course of action should be to identify existing mitigating controls. This involves assessing whether any controls are already in place to address the weakness and mitigate the risk. Understanding the current state of controls helps the auditor determine the severity of the issue and whether additional corrective actions are necessary [1].
References: [1] https://www.isaca.org/resources/insights-and-expertise/audit-programs-and-tools
During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective.
Which of the following is the auditor’s BEST action?
- A . Explain to IT management that the new control will be evaluated during follow-up.
- B . Re-perform the audit before changing the conclusion.
- C . Change the conclusion based on evidence provided by IT management.
- D . Add comments about the action taken by IT management in the report.
B
Explanation:
The auditor’s best action when IT management provides suitable evidence for a control that had been concluded as ineffective is to re-perform the audit before changing the conclusion. This means that the auditor should verify the validity, completeness, and timeliness of the evidence provided by IT management and test the effectiveness of the new control in meeting the audit objectives. The auditor should not change the conclusion based on evidence provided by IT management without re-performing the audit, as this could compromise the auditor’s independence and objectivity. The auditor should also not explain to IT management that the new control will be evaluated during follow-up or add comments about the action taken by IT management in the report, as these actions do not address the original audit finding.
References: CISA Review Manual, 27th Edition, page 439
During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report.
Which of the following would be the auditor’s BEST course of action?
- A . Revise the assessment based on senior management’s objections.
- B . Escalate the issue to audit management.
- C . Finalize the draft audit report without changes.
- D . Gather evidence to analyze senior management’s objections.
D
Explanation:
The auditor’s best course of action when senior management disagrees with some of the facts presented in the draft audit report is to gather evidence to analyze senior management’s objections. The auditor should not revise the assessment, escalate the issue, or finalize the report without changes until they have evaluated the validity and relevance of senior management’s objections and resolved any discrepancies or misunderstandings. The auditor should maintain a professional and objective attitude and seek to present a fair and accurate audit report based on sufficient and appropriate evidence.
References:
CISA Review Manual (Digital Version), page 372
CISA Questions, Answers & Explanations Database, question ID 3338
Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees.
What is the MOST important task before implementing any associated email controls?
- A . Require all employees to sign nondisclosure agreements (NDAs).
- B . Develop an acceptable use policy for end-user computing (EUC).
- C . Develop an information classification scheme.
- D . Provide notification to employees about possible email monitoring.
C
Explanation:
The most important task before implementing any associated email controls to prevent sensitive information from being emailed outside the organization by employees is to develop an information classification scheme. An information classification scheme is a framework that defines the categories and levels of sensitivity for different types of information, such as public, internal, confidential, or secret. An information classification scheme can help implement email controls by providing criteria and guidelines for identifying, labeling, handling, and protecting sensitive information in email attachments. The other options are not as important as developing an information classification scheme, as they do not address the root cause of the problem or provide the same benefits. Requiring all employees to sign nondisclosure agreements (NDAs) is a legal control that can help deter or penalize employees from disclosing sensitive information, but it does not prevent them from emailing it outside the organization. Developing an acceptable use policy for end-user computing (EUC) is a governance control that can help define and communicate the rules and expectations for using IT resources, such as email, but it does not prevent employees from emailing sensitive information outside the organization. Providing notification to employees about possible email monitoring is a transparency control that can help inform and warn employees about the potential consequences of emailing sensitive information outside the organization, but it does not prevent them from doing so.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2