CISA Questions and Answers

Question # 6

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

Question # 7

During an audit of an organization's financial statements, an IS auditor finds that the IT general controls are deficient. What should the IS auditor recommend?

A. Increase the substantive testing of the financial balances.
B. Place greater reliance on the framework of control.
C. Place greater reliance on the application controls.
D. Increase the compliance testing of the application controls.

Question # 8

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

A. service level agreement (SLA).
B. balanced scorecard.
C. risk management review.
D. control self-assessment (CSA).

Question # 9

Which of the following is the PRIMARY protocol for protecting outbound content from tampering and eavesdropping?

A. Transport Layer Security (TLS)
B. Secure Shell (SSH)
C. Point-to-Point Protocol (PPP)
D. Internet Key Exchange (IKE)

Question # 10

Internal audit is conducting an audit of customer transaction risk. Which of the following would be the BEST reason to use data analytics?

A. Transactional data is contained in multiple discrete systems that have varying levels of reliability
B. Anomalies and risk trends in the data set have yet to be defined
C. The audit is being performed to comply with regulations requiring periodic random sample testing
D. The audit focus is on a small number of predefined high-risk transactions

Question # 11

Which of the following establishes the role of the internal audit function?

A. Audit objectives
B. Audit project plan
C. Audit charter
D. Audit governance

Question # 12

An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

A. The current business capabilities delivered by the legacy system
B. The proposed network topology to be used by the redesigned system
C. The data flows between the components to be used by the redesigned system
D. The database entity relationships within the legacy system

Question # 13

Which cloud deployment model is MOST likely to be limited in scalability?

A. Hybrid
B. Private
C. Public
D. Community

Question # 14

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

A. Logs are being collected in a separate protected host.
B. Access to configuration files is restricted.
C. Insider attacks are being controlled.
D. Automated alerts are being sent when a risk is detected.

Question # 15

An organization allows employees to use personally owned mobile devices to access customers' personal information. Which of the following is MOST important for an IS auditor to verify?

A. Devices have adequate storage and backup capabilities.
B. Mobile device security policies have been implemented.
C. Mobile devices are compatible with company infrastructure.
D. Employees have signed off on an acceptable use policy.

Question # 16

Which of the following procedures for testing a disaster recovery plan (DRP) is MOST effective?

A. Reviewing documented backup and recovery procedures
B. Performing an unannounced shutdown of the computing facility after hours
C. Testing at a secondary site using offsite data backups
D. Performing a quarterly tabletop exercise

Question # 17

Which of the following security risks can be reduced by a properly configured network firewall?

A. SQL injection attacks
B. Insider attacks
C. Phishing attacks
D. Denial of service (DoS) attacks

Question # 18

An organization is developing data classification standards and has asked internal audit for advice on aligning the standards with best practices. Internal audit would MOST likely recommend the standards should be:

A. based on the results of an organization-wide risk assessment.
B. based on the business requirements for confidentiality of the information.
C. aligned with the organization's segregation of duties requirements.
D. based on the business requirements for authentication of the information.

Question # 19

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

A. Updating the continuity plan for critical resources
B. Investigating access rights for expiration dates
C. Verifying that access privileges have been reviewed
D. Updating the security policy

Question # 20

An organization needs to comply with data privacy regulations forbidding the display of personally identifiable information (PII) on customer bills or receipts. However, it is a business requirement to display at least one attribute so that customers can verify the bills or receipts are intended for them. What is the BEST recommendation?

A. Data encryption
B. Data tokenization
C. Data masking
D. Data sanitization

Question # 21

Which of the following is the BEST way to ensure payment transaction data is restricted to the appropriate users?

A. Implementing two-factor authentication
B. Using a single menu for sensitive application transactions
C. Implementing role-based access at the application level
D. Restricting access to transactions using network security software

Question # 22

Which of the following BEST enables an organization to quantify acceptable data loss in the event of a disaster?

A. Availability of backup software
B. Recovery point objective (RPO)
C. Recovery time objective (RTO)
D. Mean time to recover (MTTR)

Question # 23

An IS auditor performing a review of a newly purchased software program notes that an escrow agreement has been executed for acquiring the source code. What is MOST important for the IS auditor to verify?

A. The source code is being updated for each change.
B. The vendor is financially viable.
C. The source code is being held by an independent third party.
D. Product acceptance testing has been completed.

Question # 24

Which of the following should be defined in an audit charter?

A. Audit methodology
B. Audit schedule
C. Audit results
D. Audit authority

Question # 25

An IS auditor has been asked to perform an assurance review of an organization's mobile computing security. To ensure the organization is able to centrally manage mobile devices to protect against data disclosure, it is MOST important for the auditor to determine whether:

A. lost devices can be located remotely.
B. a mobile security awareness training program exists.
C. procedures for lost devices include remote wiping of data.
D. a security exist for mobile devices.

Question # 26

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?

A. Reviewing data classification procedures associated with the affected jurisdiction
B. Developing an inventory of all business entities that exchange personal data with the affected jurisdiction
C. Identifying business processes associated with personal data exchange with the affected jurisdiction
D. Identifying data security threats in the affected jurisdiction

Question # 27

Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?

A. The new functionality may not meet requirements.
B. The added functionality has not been documented.
C. The project may go over budget.
D. The project may fail to meet the established deadline.

Question # 28

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

A. Mandatory holidays
B. Background checks
C. Transaction log review
D. User awareness training

Question # 29

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

A. Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).
B. Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.
C. Jobs are scheduled and a log of this activity is retained for subsequent review.
D. Failure alerts are automatically generated and routed to support personnel.

Question # 30

Which type of control is being implemented when a biometric access device is installed at the entrance to a facility?

A. Preventive
B. Deterrent
C. Corrective
D. Detective

Question # 31

Which of the following should be of GREATEST concern to an IS auditor reviewing a system software development project based on agile practices?

A. Lack of change management documentation
B. Lack of secure coding practices
C. Lack of weekly production releases
D. Lack of user acceptance testing (UAT) sign off

Question # 32

A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:

A. A formal request for proposal (RFP) process
B. Business case development procedures
C. An information asset acquisition policy
D. Asset life cycle management

Question # 33

Which of the following should be the PRIMARY objective of conducting an audit follow-up of management action plans?

A. To verify that risks listed in the audit report have been properly mitigated
B. To identify new risks and controls for the organization
C. To align the management action plans with business requirements
D. To ensure senior management is aware of the audit findings

Question # 34

An IS auditor is reviewing a sample of production incidents and notes that a root cause analysis is not being performed. Which of the following is the GREATEST risk associated with this finding?

A. Future incidents may not be resolved in a timely manner.
B. Service level agreements (SLAs) may not be met.
C. Future incidents may be prioritized inappropriately.
D. The same incident may occur in the future.

Question # 35

An algorithm in an email program analyzes traffic to quarantine emails identified as spam. The algorithm in the program is BEST characterized as which type of control?

A. Directive
B. Preventive
C. Corrective
D. Detective

Question # 36

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

A. Documenting evidence handling by personnel throughout the forensic investigation
B. Engaging an independent third party to perform the forensic investigation
C. Performing investigative procedures on the original hard drives rather than images of the hard drives
D. Restricting evidence access to professionally certified forensic investigators

Question # 37

Which of the following BEST facilitates detection of zero-day exploits?

A. Intrusion detection systems (IDS)
B. User behavior analytics
C. Intrusion prevention systems (IPS)
D. Anti-malware software

Question # 38

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

A. Business processes
B. IT strategic plans
C. Portfolio management
D. Business plans

Question # 39

An IS auditor is reviewing a recent security incident and is seeking information about the approval of a recent modification to a database system's security settings. Where would the auditor MOST likely find this information?

A. System event correlation report
B. Change log
C. Database log
D. Security incident and event management (SIEM) report

Question # 40

The PRIMARY focus of audit follow-up reports should be to:

A. assess if new risks have developed.
B. determine if audit recommendations have been implemented.
C. verify the completion date of the implementation.
D. determine if past findings are still relevant.

Question # 41

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

A. Restrict payment authorization to senior staff members.
B. Review payment transaction history.
C. Require written authorization for all payment transactions.
D. Reconcile payment transactions with invoices.

Question # 42

Which of the following is the MOST effective control to ensure electronic records beyond their retention periods are deleted from IT systems?

A. Build in system logic to trigger data deletion at predefined times.
B. Perform a sample check of current data against the retention schedule.
C. Review the record retention register regularly to initiate data deletion.
D. Execute all data deletions at a predefined month during the year.

Question # 43

An organization has adopted a backup and recovery strategy that involves copying on-premise virtual machine (VM) images to a cloud service provider. Which of the following provides the BEST assurance that VMs can be recovered in the event of a disaster?

A. Periodic on-site restoration of VM images obtained from the cloud provider
B. Inclusion of the right to audit in the cloud service provider contract
C. Procurement of adequate storage for the VM images from the cloud service provider
D. Existence of a disaster recovery plan (DRP) with specified roles for emergencies

Question # 44

An organization's information security department has recently created a centralized governance model to ensure that network-related findings are remediated within the service level agreement (SLA). What should the IS auditor use to assess the maturity and capability of this governance model?

A. Key performance indicators (KPIs)
B. Key data elements
C. Key risk indicators (KRIs)
D. Key process controls

Question # 45

As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?

A. Completeness of critical asset inventory
B. Critical applications in the cloud
C. Recovery scenarios
D. Risk appetite

Question # 46

Which of the following BEST enables system resiliency for an e-commerce organization that requires a low recovery time objective (RTO) and a low recovery point objective (RPO)?

A. Remote backups
B. Redundant arrays
C. Nightly backups
D. Mirrored sites

Question # 47

An IS auditor is observing transaction processing and notes that a high-priority update job ran out of sequence. What is the MOST significant risk from this observation?

A. Previous jobs may have failed.
B. The job may not have run to completion.
C. Daily schedules lack change control.
D. The job completes with invalid data.

Question # 48

The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

A. is more effective at suppressing flames.
B. allows more time to abort release of the suppressant.
C. has a decreased risk of leakage.
D. disperses dry chemical suppressants exclusively.

Question # 49

Which of the following is the MOST useful information for an IS auditor to review when formulating an audit plan for the organization's outsourced service provider?

A. The organization's procurement policy
B. Service level agreement (SLA) reports
C. The service provider's control self-assessment (CSA)
D. Independent audit reports

Question # 50

Which of the following is the PRIMARY reason for using a digital signature?

A. Provide confidentiality to the transmission
B. Authenticate the sender of a message
C. Verify the integrity of the data and the identity of the recipient
D. Provide availability to the transmission

Question # 51

When is the BEST time to commence continuity planning for a new application system?

A. Following successful user testing
B. During the design phase
C. Immediately after implementation
D. Just prior to the handover to the system maintenance group

Question # 52

When auditing the closing stages of a system development project, which of the following should be the MOST important consideration?

A. Rollback procedures
B. Control requirements
C. Functional requirements documentation
D. User acceptance test (UAT) results

Question # 53

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

A. Complexity of management's action plans
B. Recommendation from executive management
C. Audit cycle defined in the audit plan
D. Residual risk from the findings of previous audits

Question # 54

The PRIMARY benefit of information asset classification is that it:

A. facilitates budgeting accuracy.
B. enables risk management decisions.
C. prevents loss of assets.
D. helps to align organizational objectives.

Question # 55

When responding to an ongoing denial of service (DoS) attack, an organization's FIRST course of action should be to:

A. analyze the attack path.
B. minimize impact.
C. investigate damage.
D. restore service.

Question # 56

Which of the following is the GREATEST risk associated with the lack of an effective data privacy program?

A. Inability to obtain customer confidence
B. Inability to manage access to private or sensitive data
C. Failure to comply with data-related regulations
D. Failure to prevent fraudulent transactions

Question # 57

When evaluating the management practices at a third-party organization providing outsourced services, the IS auditor considers relying on an independent auditor's report. The IS auditor would FIRST:

A. determine if recommendations have been implemented.
B. review the objectives of the audit.
C. examine the independent auditor's workpapers.
D. discuss the report with the independent auditor.

Question # 58

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

A. the access control system's configuration.
B. the access rights that have been granted.
C. the access control system's log settings.
D. how the latest system changes were implemented.

Question # 59

Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

A. Entity-relationship diagram
B. Process flowchart
C. Data flow diagram
D. Systems flowchart

Question # 60

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

A. Business objectives
B. Alignment with the IT tactical plan
C. Compliance with industry best practice
D. IT steering committee minutes

Question # 61

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?

A. Upgrade hardware to newer technology.
B. Increase the capacity of existing systems.
C. Build a virtual environment.
D. Hire temporary contract workers for the IT function.

Question # 62

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that:

A. security parameters are set in accordance with the manufacturer's standards.
B. a detailed business case was formally approved prior to the purchase.
C. security parameters are set in accordance with the organization's policies.
D. the procurement project invited tenders from at least three different suppliers.

Question # 63

Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

A. Increased application performance
B. Improved disaster recovery
C. Stronger data security
D. Better utilization of resources

Question # 64

Which of the following findings would be of GREATEST concern when auditing an organization's end-user computing (EUC)?

A. Inability to monitor EUC audit logs and activities
B. Inconsistency of patching processes being followed
C. Reduced oversight by the IT department
D. Errors flowed through to financial statements

Question # 65

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

A. conduct interviews to gain background information.
B. focus the team on internal controls.
C. provide solutions for control weaknesses.
D. report on the internal control weaknesses.

Question # 66

What is the BEST method for securing credit card numbers stored temporarily on a file server prior to transmission to the downstream system for payment processing?

A. Encryption with strong cryptography
B. Truncating the credit card number
C. One-way hash with strong cryptography
D. Masking the full credit card number