Practice Free CISA Exam Online Questions
An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production.
Which of the following is the auditor’s BEST course of action?
- A . Determine exposure to the business
- B . Adjust future testing activities accordingly
- C . Increase monitoring for security incidents
- D . Hire a third party to perform security testing
A
Explanation:
The IS auditor’s best course of action when reviewing the use of an outsourcer for disposal of storage media is to determine exposure to the business. Storage media, such as hard disks, tapes, flash drives, or CDs, may contain sensitive or confidential information that needs to be protected from unauthorized access, disclosure, or misuse. The IS auditor should verify that the outsourcer has a process that appropriately sanitizes the media before disposal, such as wiping, degaussing, shredding, or incinerating, and that the process is effective and compliant with the organization’s policies and standards. The IS auditor should also assess the potential impact and risk to the business if the storage media is not properly sanitized or disposed of, such as data breaches, reputational damage, legal or regulatory penalties, or loss of competitive advantage. The other options are not the best course of action, because they either do not address the root cause of the problem, or they are reactive rather than proactive measures.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.7
An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.
What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?
- A . Financial regulations affecting the organization
- B . Data center physical access controls where the application is hosted
- C . Privacy regulations affecting the organization
- D . Per-unit cost charged by the hosting services provider for storage
C
Explanation:
This is because privacy regulations are laws or rules that protect the personal information of individuals from unauthorized access, use, disclosure, or transfer by third parties. Payroll audit documentation may contain sensitive and confidential data, such as employee names, salaries, benefits, taxes, deductions, and bank accounts. If the audit management application is hosted by a third party in a different country, the organization may need to comply with the privacy regulations of both its own country and the host country, as well as any international or regional agreements or frameworks that apply. Privacy regulations may impose various requirements and obligations on the organization, such as obtaining consent from the data subjects, implementing appropriate security measures, notifying data breaches, and ensuring data quality and accuracy. Privacy regulations may also grant various rights to the data subjects, such as accessing, correcting, deleting, or transferring their data. Failing to comply with privacy regulations may expose the organization to significant risks and consequences, such as legal actions, fines, sanctions, reputational damage, or loss of trust.
Some examples of privacy regulations affecting the organization are:
The General Data Protection Regulation (GDPR), which is a comprehensive and strict privacy regulation that applies to any organization that processes personal data of individuals in the European Union (EU) or offers goods or services to them, regardless of where the organization or the data is located.
The California Consumer Privacy Act (CCPA), which is a broad and influential privacy regulation that applies to any organization that collects personal information of California residents and meets certain thresholds of revenue, data volume, or data sharing.
The Health Insurance Portability and Accountability Act (HIPAA), which is a sector-specific privacy regulation that applies to any organization that handles protected health information (PHI) of individuals in the United States, such as health care providers, health plans, or health care clearinghouses.
Therefore, before using an audit management application hosted by a third party in a different country, the internal audit team should conduct a thorough assessment of the privacy regulations affecting the organization and ensure that they have adequate policies, procedures, and controls in place to comply with them.
Which of the following approaches BEST enables an IS auditor to detect security vulnerabilities within an application?
- A . Threat modeling
- B . Concept mapping
- C . Prototyping
- D . Threat intelligence
A
Explanation:
Threat modeling is an approach that enables IS auditors to identify, analyze, and mitigate potential security vulnerabilities within an application by understanding the threats, attacks, vulnerabilities, and countermeasures. This proactive technique helps in designing secure applications.
References
ISACA CISA Review Manual 27th Edition, Page 276-277 (Threat Modeling)
Which of the following is the BEST indication that there are potential problems within an organization’s IT service desk function?
- A . Undocumented operating procedures
- B . Lack of segregation of duties
- C . An excessive backlog of user requests
- D . Lack of key performance indicators (KPIs)
C
Explanation:
An IT service desk is a function that provides technical support and assistance to the users of an organization’s IT systems and services. An IT service desk typically handles issues such as software installation, hardware troubleshooting, network connectivity, password reset, system configuration, and user training. An IT service desk aims to ensure that the IT systems and services are available, reliable, secure, and efficient for the users.
One of the best indications that there are potential problems within an organization’s IT service desk function is an excessive backlog of user requests. A backlog is a list of user requests that have not been resolved or completed by the IT service desk within a specified time frame. An excessive backlog means that the IT service desk is unable to meet the demand or expectations of the users, and that the users are experiencing delays, dissatisfaction, or frustration with the IT service desk.
An excessive backlog of user requests can indicate various problems within the IT service desk function, such as:
Insufficient staff, resources, or capacity to handle the volume or complexity of user requests
Ineffective processes, procedures, or tools for managing, prioritizing, or resolving user requests
Lack of skills, knowledge, or training among the IT service desk staff to deal with different types of user requests
Poor communication, collaboration, or coordination among the IT service desk staff or with other IT functions or stakeholders
Low quality, performance, or security of the IT systems or services that cause frequent or recurring user issues
Therefore, an excessive backlog of user requests is the best indication that there are potential problems within an organization’s IT service desk function.
References:
What is an IT Service Desk? Definition and Functions – Indeed
The Most Common IT Help Desk Issues – SherpaDesk
18 Common IT Help Desk Problems and Solutions – E-Pulse Blog
Which of the following is MOST appropriate to review when determining if the work completed on an IT project is in alignment with budgeted costs?
- A . Return on investment (ROI) analysis
- B . Earned value analysis (EVA)
- C . Financial value analysis
- D . Business impact analysis (BIA)
B
Explanation:
EVA is a project management technique that measures the performance of a project by comparing the actual work completed, the actual costs incurred, and the planned costs for the work scheduled. EVA can help determine if the project is on track, ahead of schedule, or behind schedule, and if the project is under budget, over budget, or on budget. EVA can also help forecast the final cost and schedule of the project based on the current performance.
References
ISACA CISA Review Manual, 27th Edition, page 255
Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?
- A . The IS auditor provided consulting advice concerning application system best practices.
- B . The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.
- C . The IS auditor designed an embedded audit module exclusively for auditing the application system.
- D . The IS auditor implemented a specific control during the development of the application system.
D
Explanation:
The IS auditor’s independence would be most likely impaired if they implemented a specific control during the development of an application system. This is because the IS auditor would be auditing their own work, which creates a self-review threat that could compromise their objectivity and impartiality. The IS auditor should avoid participating in any operational or management activities that could affect their ability to perform an unbiased audit. The other options do not pose a significant threat to the IS auditor’s independence, as long as they follow the ethical standards and guidelines of the profession.
When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled backups are timely and run to completion?
- A . Observing the execution of a daily backup run
- B . Evaluating the backup policies and procedures
- C . Interviewing key personnel involved in the backup process
- D . Reviewing a sample of system-generated backup logs
D
Explanation:
Reviewing a sample of system-generated backup logs is the best step to verify that regularly scheduled backups are timely and run to completion. Backup logs are records that document the details and results of backup operations, such as the date, time, duration, status, errors, and exceptions. By reviewing a sample of backup logs, the IS auditor can check whether the backups are performed according to the schedule and whether they are completed successfully or not. The other steps do not provide as much evidence or assurance as reviewing backup logs, as they do not show the actual outcome or performance of backup operations.
References: CISA Review Manual, 27th Edition, page 247
Upon completion of audit work, an IS auditor should:
- A . provide a report to senior management prior to discussion with the auditee.
- B . distribute a summary of general findings to the members of the auditing team.
- C . provide a report to the auditee stating the initial findings.
- D . review the working papers with the auditee.
B
Explanation:
Upon completion of audit work, an IS auditor should distribute a summary of general findings to the members of the auditing team. This is to ensure that the audit team members are aware of the audit results, have an opportunity to provide feedback, and can agree on the audit conclusions and recommendations. Providing a report to senior management prior to discussion with the auditee, providing a report to the auditee stating the initial findings, and reviewing the working papers with the auditee are not appropriate actions for an IS auditor to take upon completion of audit work, as they may compromise the audit independence, objectivity, and quality.
References: ISACA CISA Review Manual 27th Edition, page 221
Which of the following findings would be of GREATEST concern to an IS auditor reviewing the security architecture of an organization that has just implemented a Zero Trust solution?
- A . An increase in security-related costs
- B . User complaints about the new mode of working
- C . An increase in user identification errors
- D . A noticeable drop in the performance of IT systems
An IS auditor is assigned to perform a post-implementation review of an application system.
Which of the following would impair the auditor’s independence?
- A . The auditor implemented a specific control during the development of the system.
- B . The auditor provided advice concerning best practices.
- C . The auditor participated as a member of the project team without operational responsibilities
- D . The auditor designed an embedded audit module exclusively for audit
A
Explanation:
The auditor implemented a specific control during the development of the system. This would impair the auditor’s independence, as it would create a self-review threat, which is a situation where an auditor has to evaluate or review the results of his or her own work or judgment. A self-review threat may compromise the auditor’s objectivity and impartiality, as the auditor may be biased or influenced by his or her own involvement or interest in the system. The auditor may also face a conflict of interest or a loss of credibility if he or she has to report on any issues or deficiencies related to the control he or she implemented.