Practice Free CISA Exam Online Questions
Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?
- A . Rotate job duties periodically.
- B . Perform an independent audit.
- C . Hire temporary staff.
- D . Implement compensating controls.
D
Explanation:
The best way to address segregation of duties issues in an organization with budget constraints is to implement compensating controls, which are alternative controls that reduce or eliminate the risk of errors or fraud due to inadequate segregation of duties. Compensating controls may include independent reviews, reconciliations, approvals, or supervisions. Rotating job duties periodically may reduce the risk of collusion or abuse of privileges, but it may also affect operational efficiency and continuity. Performing an independent audit may detect segregation of duties issues, but it does not prevent them. Hiring temporary staff may increase operational costs and introduce new risks.
References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4
Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?
- A . Documentation of exit routines
- B . System initialization logs
- C . Change control log
- D . Security system parameters
C
Explanation:
Operating system parameters are settings or values that affect the behavior or performance of the operating system. Modifications to the operating system parameters may be necessary to improve the system functionality, security, or efficiency. However, such modifications may also introduce risks or errors that can affect the system stability, compatibility, or integrity. Therefore, modifications to the operating system parameters should be authorized and documented by the appropriate authority.
A change control log is a record of all changes made to the system, including the date, time, description, reason, authorization, and impact of each change. A change control log can help the IS auditor to verify whether modifications to the operating system parameters were authorized by comparing the log entries with the actual system settings and the change approval documents.
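The comparison the explanation describes (log entries against actual settings) is mechanical enough to script. The following is an added example, not part of the original question bank or of any ISACA material: it parses a constructed `sysctl -a`-style capture, compares it to a constructed approved baseline, and checks every deviation against a constructed change control log. Parameter names, values, change IDs and approver names are all made up for illustration.

```python
"""Added example: reconcile current OS parameter values against a baseline and
a change control log. All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed baseline: the values approved at the last review.
BASELINE = {
    "net.ipv4.ip_forward": "0",
    "kernel.randomize_va_space": "2",
    "fs.suid_dumpable": "0",
    "net.ipv4.tcp_syncookies": "1",
    "kernel.kptr_restrict": "1",
}

# Constructed `sysctl -a`-style output as captured on the host today.
CURRENT_OUTPUT = """\
net.ipv4.ip_forward = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 2
net.ipv4.tcp_syncookies = 1
kernel.kptr_restrict = 2
"""


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    parameter: str
    new_value: str
    approved_by: str
    approved_on: date


# Constructed change control log (hypothetical IDs and approvers).
# CHG-103 authorizes ip_forward=1, CHG-110 authorizes kptr_restrict=2,
# CHG-115 was approved but the host does not yet show it, and nothing
# authorizes the suid_dumpable change.
CHANGE_LOG = [
    ChangeRecord("CHG-103", "net.ipv4.ip_forward", "1", "j.doe", date(2024, 2, 1)),
    ChangeRecord("CHG-110", "kernel.kptr_restrict", "2", "a.smith", date(2024, 2, 9)),
    ChangeRecord("CHG-115", "fs.protected_symlinks", "1", "a.smith", date(2024, 2, 20)),
]


def parse_sysctl(text):
    """Parse 'key = value' lines into a dict, skipping lines without '='."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def reconcile(baseline, current, change_log):
    """Return (unauthorized, authorized, not_applied).

    unauthorized: parameters that deviate from baseline (or are missing from
                  the capture) with no approved change to that exact value
    authorized:   deviations covered by an approved change record
    not_applied:  approved changes whose value the host does not report
    """
    approved = {(c.parameter, c.new_value): c for c in change_log}
    unauthorized, authorized = {}, {}
    for param, base_val in baseline.items():
        cur_val = current.get(param)  # None if the parameter is absent
        if cur_val == base_val:
            continue
        rec = approved.get((param, cur_val))
        if rec:
            authorized[param] = rec.change_id
        else:
            unauthorized[param] = (base_val, cur_val)
    not_applied = [c.change_id for c in change_log
                   if current.get(c.parameter) != c.new_value]
    return unauthorized, authorized, not_applied


if __name__ == "__main__":
    cur = parse_sysctl(CURRENT_OUTPUT)
    unauth, auth, pending = reconcile(BASELINE, cur, CHANGE_LOG)
    print("Unauthorized deviations:", unauth)
    print("Authorized deviations:", auth)
    print("Approved but not applied:", pending)
```

The auditor's evidence is the three result sets together: an unauthorized deviation is a change control failure, while an approved change that never reached the host indicates the log does not reflect the live system and cannot be relied on by itself. The capture should be taken by the auditor (or under their observation) rather than supplied by the team that made the changes.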
An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions.
Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?
- A . Computer-assisted audit technique (CAAT)
- B . Stratified sampling
- C . Statistical sampling
- D . Process walk-through
A
Explanation:
To efficiently detect duplicate payments, data analytics and automated checks are required due to the high volume of transactions.
Option A (Correct): Computer-Assisted Audit Techniques (CAATs) allow auditors to automatically scan large datasets for duplicate payments based on invoice numbers, vendor names, and payment amounts.
Option B (Incorrect): Stratified sampling groups data into categories, which helps in analysis but does not directly detect duplicates.
Option C (Incorrect): Statistical sampling is useful for extrapolating results, but it does not systematically find duplicate transactions.
Option D (Incorrect): Process walk-throughs review procedures but do not analyze transactions at scale.
Reference: ISACA CISA Review Manual, Domain 2: Governance and Management of IT; covers CAATs, data analytics, and fraud detection techniques.
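The duplicate test the explanation describes (matching on invoice number, vendor and amount) is the kind of check a CAAT performs over the full population. The following is an added example, not code from the original question bank or from ISACA: it runs such a test over a constructed payments extract, normalizing vendor names and invoice numbers so that formatting differences do not hide a repeat payment, and sums the resulting exposure. All payment records, vendors and amounts are made up for illustration.

```python
"""Added example: a minimal CAAT-style duplicate-payment test over a payments
extract. The sample data is constructed and not taken from any real system."""
import re
from collections import defaultdict
from decimal import Decimal

# Constructed extract: (payment_id, vendor, invoice_no, amount, payment_date).
PAYMENTS = [
    ("P001", "Acme Supplies Ltd", "INV-1001", "1250.00", "2024-01-05"),
    ("P002", "Acme Supplies Ltd", "INV 1001", "1250.00", "2024-01-19"),  # same invoice, different separator
    ("P003", "Globex Corp", "GX-77", "980.50", "2024-01-07"),
    ("P004", "GLOBEX CORP.", "gx-77", "980.50", "2024-02-02"),  # vendor case/punctuation differs
    ("P005", "Initech", "IT-501", "400.00", "2024-01-10"),
    ("P006", "Initech", "IT-502", "400.00", "2024-01-10"),  # same amount, distinct invoice: not a duplicate
    ("P007", "Umbrella Inc", "U-9", "15000.00", "2024-03-01"),
    ("P008", "Umbrella Inc", "U-9", "15000.00", "2024-03-01"),
    ("P009", "Umbrella Inc", "U-9", "15000.00", "2024-03-15"),
]

LEGAL_SUFFIXES = r"\b(LTD|LIMITED|INC|CORP|CORPORATION|LLC|PLC)\b"


def normalize_vendor(name):
    """Uppercase, drop punctuation and legal-form suffixes, collapse spaces,
    so 'Globex Corp' and 'GLOBEX CORP.' compare equal."""
    s = re.sub(r"[^A-Z0-9 ]", "", name.upper())
    s = re.sub(LEGAL_SUFFIXES, "", s)
    return " ".join(s.split())


def normalize_invoice(inv):
    """Keep only alphanumerics, uppercased: 'INV-1001', 'INV 1001' -> 'INV1001'."""
    return re.sub(r"[^A-Z0-9]", "", inv.upper())


def find_duplicates(payments):
    """Group payments on (normalized vendor, normalized invoice, amount).

    Returns {key: [payment_ids]} for every group holding more than one payment.
    Amounts are compared as Decimal to avoid float rounding artifacts.
    """
    groups = defaultdict(list)
    for pid, vendor, inv, amount, _date in payments:
        key = (normalize_vendor(vendor), normalize_invoice(inv), Decimal(amount))
        groups[key].append(pid)
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def exposure(payments, duplicates):
    """Total paid beyond the first payment in each duplicate group."""
    amount_by_id = {p[0]: Decimal(p[3]) for p in payments}
    return sum(amount_by_id[pid] for ids in duplicates.values() for pid in ids[1:])


if __name__ == "__main__":
    dups = find_duplicates(PAYMENTS)
    for key, ids in sorted(dups.items()):
        print(key, "->", ids)
    print("Potential overpayment:", exposure(PAYMENTS, dups))
```

Two practitioner notes. First, the test must run over the complete population extracted directly from the payables system by the auditor, not over a management-prepared sample; running it on a sample defeats the purpose of the CAAT. Second, the exact-match key above is deliberately conservative: a second pass with a looser key (same vendor and amount within a short date window, ignoring the invoice number) catches cases where a re-submitted invoice was re-keyed with a different number, at the cost of more false positives to clear manually.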
In a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:
- A . application programmer
- B . systems programmer
- C . computer operator
- D . quality assurance (QA) personnel
A
Explanation:
In a controlled application development environment, the most important segregation of duties should be between the person who implements changes into the production environment and the application programmer. This segregation of duties ensures that no one person can create and deploy code without proper review, testing, and approval. This reduces the risk of errors, fraud, or malicious code being introduced into the production environment.
The other options are not as important as the segregation between the application programmer and the person who implements changes into production, but they are still relevant for achieving a secure and reliable application development environment. The segregation of duties between the person who implements changes into production and the systems programmer is important to prevent unauthorized or untested changes to system software or configuration. The segregation of duties between the person who implements changes into production and the computer operator is important to prevent unauthorized or uncontrolled access to production data or resources. The segregation of duties between the person who implements changes into production and the quality assurance (QA) personnel is important to ensure independent verification and validation of code quality and functionality.
References:
ISACA CISA Review Manual 27th Edition (2019), page 247
Segregation of Duties in an Agile Environment | AKF Partners
Separation of Duties: How to Conform in a DevOps World
Which of the following is an IS auditor’s BEST recommendation after identifying that HR staff create new employees in the payroll system as well as process payroll due to limited staffing?
- A . Document roles and responsibilities of payroll staff.
- B . Implement a payroll system user awareness training program.
- C . Implement independent periodic review of payroll transactions.
- D . Rotate payroll responsibilities within HR.
Which of the following is the BEST disposal method for flash drives that previously stored confidential data?
- A . Destruction
- B . Degaussing
- C . Cryptographic erasure
- D . Overwriting
An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner.
Which of the following is the auditor’s BEST recommendation?
- A . Increase the capacity of existing systems.
- B . Upgrade hardware to newer technology.
- C . Hire temporary contract workers for the IT function.
- D . Build a virtual environment.
D
Explanation:
The best recommendation for an organization that is unable to add new servers on demand in a cost-efficient manner is to build a virtual environment. A virtual environment allows multiple virtual machines to run on a single physical server, sharing its resources and capabilities. It lets the organization add new servers on demand in a cost-efficient manner by reducing the need for hardware acquisition, maintenance, and power consumption. The other options are not as effective, as they do not address the root cause of the problem or provide the same benefits. Increasing the capacity of existing systems is a short-term measure that can improve the performance and availability of the current servers, but it does not enable new servers to be added on demand. Upgrading hardware to newer technology is a costly measure that can enhance the functionality and reliability of the servers, but it likewise does not provide on-demand capacity. Hiring temporary contract workers for the IT function does not address the problem at all; it may supplement the IT staff's skills and knowledge, but staffing is not what prevents servers from being added on demand.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3.1
Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?
- A . Segregation of duties between staff ordering and staff receiving information assets
- B . Complete and accurate list of information assets that have been deployed
- C . Availability and testing of onsite backup generators
- D . Knowledge of the IT staff regarding data protection requirements
B
Explanation:
The most important prerequisite for the protection of physical information assets in a data center is a complete and accurate list of information assets that have been deployed. Information assets are any data, devices, systems, or software that have value for the organization and need to be protected from unauthorized access, use, disclosure, modification, or destruction. A data center is a facility that houses various information assets such as servers, storage devices, network equipment, etc., that support the organization's IT operations and services. A complete and accurate list of information assets that have been deployed in a data center can help to identify and classify the assets based on their importance, sensitivity, or criticality for the organization. This can help to determine the appropriate level of protection and security measures that need to be applied to each asset. A complete and accurate list of information assets can also help to track and monitor the location, status, ownership, usage, configuration, maintenance, etc., of each asset. This can help to prevent or detect any unauthorized or inappropriate changes or movements of assets that may compromise their security or integrity. Segregation of duties between staff ordering and staff receiving information assets, availability and testing of onsite backup generators, and knowledge of the IT staff regarding data protection requirements are also important prerequisites for the protection of physical information assets in a data center, but not as important as a complete and accurate list of information assets that have been deployed. These factors are more related to the implementation and maintenance of security controls and procedures that depend on having a complete and accurate list of information assets as a starting point.
References: ISACA CISA Review Manual 27th Edition, page 308
Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
- A . Encryption of the spreadsheet
- B . Version history
- C . Formulas within macros
- D . Reconciliation of key calculations
C
Explanation:
The most important thing for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros is the formulas within macros. Macros are sequences of commands or instructions that can automate tasks or calculations in a spreadsheet. Formulas are expressions that perform calculations on values or data in a spreadsheet. The accuracy of a spreadsheet depends largely on whether the formulas within macros are correct, consistent, and complete. The IS auditor should review the formulas within macros to verify that they produce the expected results and do not contain any errors or inconsistencies. The other options are not as important as formulas within macros, as they do not directly affect the accuracy of a spreadsheet. Encryption of the spreadsheet is a security control that can protect the confidentiality and integrity of the spreadsheet, but it does not ensure its accuracy. Version history is a document control feature that can track and manage changes to the spreadsheet, but it does not verify its accuracy. Reconciliation of key calculations is a validation technique that can compare and confirm the results of calculations with other sources, but it does not evaluate the accuracy of formulas within macros.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2
Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?
- A . Average the business units’ IT risk levels
- B . Identify the highest-rated IT risk level among the business units
- C . Prioritize the organization’s IT risk scenarios
- D . Establish a global IT risk scoring criteria
C
Explanation:
The best approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks is to prioritize the organization’s IT risk scenarios. IT risk appetite is the amount and type of IT risk that an organization is willing to accept in pursuit of its objectives. IT risk scenarios are hypothetical situations that describe the potential impact of IT risk events on the organization’s objectives, processes, and resources. By prioritizing the organization’s IT risk scenarios, the IS auditor can identify the most significant IT risks that affect the organization as a whole, and align them with the organization’s strategic goals, values, and culture. Prioritizing the organization’s IT risk scenarios can also help to communicate and monitor the IT risk appetite across the organization, and facilitate consistent and informed decision making. The other approaches (A, B and D) are not effective for determining the overall IT risk appetite of an organization, as they do not consider the impact and likelihood of IT risks on the organization’s objectives, nor do they account for the diversity and complexity of IT risks across different business units.
References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of Information Technology, Section 2.3: Information Technology Risk Management