
Pass4sure Isaca CISA Dumps

Get ready to pass your exam with Isaca CISA Practice Questions. These Isaca CISA PDFs are designed to make passing easier.

Exam Name: Certified Information Systems Auditor
Exam Code: CISA
Questions: 1453
Update Date: Nov 13, 2025
PDF + Test Engine: $60 (regular price $90)
Test Engine: $50 (regular price $75)
PDF: $35 (regular price $52.50)

PASS4SURE – BEST PRACTICE QUESTIONS FOR BEST RESULTS!

According to recent global reports, demand for Isaca-certified professionals is rising considerably, and professionals everywhere are looking to advance their careers. That is why hundreds of candidates sit the Certified Information Systems Auditor exam every year.

Isaca has led the industry in development and progress for the last few years, which is why it keeps the CISA exam demanding and aligned with day-to-day job tasks. We saw the need for an accurate and reliable Pass4Sure Dumps PDF and set out to give struggling professionals a helping hand.

If you are one of the hopeful aspirants of Isaca certification, consider buying CISA Braindumps to pass your exam with distinction. Our experts work hard every day to give you the best-quality Certified Information Systems Auditor CISA Practice Questions. Hundreds of clients have benefitted from Pass4Sure Question Answers, and you can be next.

The Pass4Sure team gives 100% for you so you can give your 100% in the exam. With our help, there is no reason you can't meet your goals. Free CISA Dumps make passing the Isaca certification exam a piece of cake. So get ready for a glittering IT career in your near future!

WHY US? – REASONS TO BUY Isaca CISA QUESTION ANSWERS

Pass4Sure offers an all-encompassing Dumps PDF set. It has everything a CISA exam candidate needs to pass with an incredible result. We give you a free demo, discounts, free updates for the first three months, and more. Anyone who wishes to pass the Isaca exam on the very first attempt should try Pass4Sure CISA Braindumps.

The IT industry can always use proficient and reliable professionals to handle its daily work. A professional who is an expert in all required tasks is a much-needed asset to an organization, and employers are looking for people like that. We aim to make you one of the highest-paid, highly skilled, and credible professionals, and our CISA Practice Questions make that possible. Getting Isaca certified is no longer a far-fetched dream.

Our focus is on making things easy for our customers, and it shows in our dedication. After long and hard data analysis, Pass4Sure came up with the best solution to aid failing Certified Information Systems Auditor candidates. We also make sure you are not left alone at any step of your training: our experts are available 24/7 to help you succeed. With top-class Pass4sure CISA Question Answers, passing the Certified Information Systems Auditor exam is 100% guaranteed.

LET OUR FREE DUMPS BE YOUR BIGGEST ACHIEVEMENT!

Our team has curated the best study materials to ease the process of preparing for IT exams. For example, CISA Free Dumps are designed to reflect the exam pattern and format and offer a realistic simulation. The material is 100% tested and approved to get you the success you crave. Unlike others, we keep you updated on your progress: your strong and weak points are laid out as they are, so you can focus on improving accordingly.

The whole process is easy. The website interface is interactive, and accessing and downloading the Isaca CISA Dumps PDF takes just a few clicks.

Pass4sure gives its customers the best material, created with the help of well-known experts, and its Practice Questions deliver positive results every time. The CISA Braindumps are updated daily so customers run into no difficulties. The package comes in two formats to suit different clients: PDF for candidates always on the go, and an online test engine for those who want a realistic exam experience.

The feedback we receive from our valued customers is proof of our credibility. Our customer care service is always at your beck and call: leave us an email or a message in the chatbox below, and we will be with you within seconds.

Pass4sure CISA dumps: Certified Information Systems Auditor
Pass4sure CDPSE dumps: Certified Data Privacy Solutions Engineer
Pass4sure COBIT-2019 dumps: COBIT 2019 Foundation
Pass4sure COBIT5 dumps: COBIT 5 Foundation Exam
Pass4sure NIST-COBIT-2019 dumps: ISACA Implementing the NIST Cybersecurity Framework using COBIT 2019

Sample Questions


CISA Sample Question 1


An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?

A. Discovery sampling
B. Judgmental sampling
C. Variable sampling
D. Stratified sampling


ANSWER : A
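Discovery sampling is built for exactly this "one exception triggers a full investigation" situation: the auditor picks a confidence level and a critical exception rate, sizes the sample so that a population with at least that rate would almost certainly show an exception, and stops at the first one found. The Python below is an added example, not part of the page's material; it derives the sample size from those two parameters and applies the stop-at-first-exception rule to a small constructed access-log sample. The log records, user IDs and the rates used are made up for illustration.

```python
# Added example (not part of the page): discovery sampling for the scenario in
# Sample Question 1. Log records, user IDs and rates below are constructed.
import math

def discovery_sample_size(confidence: float, critical_rate: float) -> int:
    """Smallest sample size n such that, if the true exception rate in the
    population is at least critical_rate, the probability of seeing at least
    one exception in n items is at least confidence.

    Derivation: P(no exception in n items) = (1 - critical_rate) ** n, and we
    need that to be <= 1 - confidence, so
    n >= ln(1 - confidence) / ln(1 - critical_rate).
    """
    if not (0 < confidence < 1 and 0 < critical_rate < 1):
        raise ValueError("confidence and critical_rate must be in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))

# Constructed sample drawn from an application access log:
# (user, action, authorized?) where authorized=False is an exception.
SAMPLE_LOG = [
    ("u17", "READ_ACCOUNT", True),
    ("u03", "READ_ACCOUNT", True),
    ("u42", "UPDATE_LIMIT", True),
    ("u99", "UPDATE_LIMIT", False),   # access outside the user's entitlement
    ("u03", "READ_ACCOUNT", True),
]

def first_exception(sample):
    """Discovery sampling rule: return the index of the first exception and
    stop there (the auditor escalates to a full investigation). None means the
    whole sample was clean, which supports concluding that the exception rate
    is below the critical rate at the chosen confidence."""
    for i, (_user, _action, authorized) in enumerate(sample):
        if not authorized:
            return i
    return None

if __name__ == "__main__":
    n = discovery_sample_size(confidence=0.95, critical_rate=0.01)
    print(f"sample size for 95% confidence, 1% critical rate: {n}")
    print("first exception at index:", first_exception(SAMPLE_LOG))
```

With 95% confidence and a 1% critical rate the formula gives 299 log entries; the familiar 59-item figure is what you get at 95% confidence and a 5% critical rate. A clean sample only says the rate is probably below the critical rate, it does not estimate the rate itself; that is what variable or attribute sampling is for.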



CISA Sample Question 2


For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

A. attributes for system passwords.
B. security training prior to implementation.
C. security requirements for the new application.
D. the firewall configuration for the web server.


ANSWER : C



CISA Sample Question 3


Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?

A. Service management standards are not followed.
B. Expected time to resolve incidents is not specified.
C. Metrics are not reported to senior management.
D. Prioritization criteria are not defined.


ANSWER : D



CISA Sample Question 4


Which of the following represents the HIGHEST level of maturity of an information security program?

A. A training program is in place to promote information security awareness.
B. A framework is in place to measure risks and track effectiveness.
C. Information security policies and procedures are established.
D. The program meets regulatory and compliance requirements.


ANSWER : B



CISA Sample Question 5


Which of the following will MOST likely compromise the control provided by a digital signature created using RSA encryption?

A. Reversing the hash function using the digest
B. Altering the plaintext message
C. Deciphering the receiver's public key
D. Obtaining the sender's private key


ANSWER : D



CISA Sample Question 6


Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process?

A. Securing information assets in accordance with the classification assigned
B. Validating that assets are protected according to assigned classification
C. Ensuring classification levels align with regulatory guidelines
D. Defining classification levels for information assets within the organization


ANSWER : B



CISA Sample Question 7


Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?

A. Water sprinkler
B. Fire extinguishers
C. Carbon dioxide (CO2)
D. Dry pipe


ANSWER : C



CISA Sample Question 8


Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?

A. Circuit gateway
B. Application level gateway
C. Packet filtering router
D. Screening router


ANSWER : B



CISA Sample Question 9


During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?

A. Review sign-off documentation
B. Review the source code related to the calculation
C. Re-perform the calculation with audit software
D. Inspect user acceptance test (UAT) results


ANSWER : C



CISA Sample Question 10


Which of the following is the MOST important activity in the data classification process?

A. Labeling the data appropriately
B. Identifying risk associated with the data
C. Determining accountability of data owners
D. Determining the adequacy of privacy controls


ANSWER : C



CISA Sample Question 11


Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?

A. Implementing the remediation plan
B. Partially completing the CSA
C. Developing the remediation plan
D. Developing the CSA questionnaire


ANSWER : D



CISA Sample Question 12


A manager identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor in this scenario?

A. Terminated staff
B. Unauthorized access
C. Deleted log data
D. Hacktivists


ANSWER : A



CISA Sample Question 13


An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?

A. A single point of failure for both voice and data communications
B. Inability to use virtual private networks (VPNs) for internal traffic
C. Lack of integration of voice and data communications
D. Voice quality degradation due to packet loss


ANSWER : A



CISA Sample Question 14


An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?

A. Staging
B. Testing
C. Integration
D. Development


ANSWER : A



CISA Sample Question 15


Which of the following is MOST important for an IS auditor to consider when performing the risk assessment prior to an audit engagement?

A. The design of controls
B. Industry standards and best practices
C. The results of the previous audit
D. The amount of time since the previous audit


ANSWER : C



CISA Sample Question 16


When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

A. the organization's web server.
B. the demilitarized zone (DMZ).
C. the organization's network.
D. the Internet.


ANSWER : D



CISA Sample Question 17


Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (IDS)?

A. An increase in the number of identified false positives
B. An increase in the number of detected incidents not previously identified
C. An increase in the number of unfamiliar sources of intruders
D. An increase in the number of internally reported critical incidents


ANSWER : B



CISA Sample Question 18


Which of the following is an example of a preventive control in an accounts payable system?

A. The system only allows payments to vendors who are included in the system's master vendor list.
B. Backups of the system and its data are performed on a nightly basis and tested periodically.
C. The system produces daily payment summary reports that staff use to compare against invoice totals.
D. Policies and procedures are clearly communicated to all members of the accounts payable department.


ANSWER : A



CISA Sample Question 19


Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and objectives?

A. IT strategies are communicated to all business stakeholders.
B. Organizational strategies are communicated to the chief information officer (CIO).
C. Business stakeholders are involved in approving the IT strategy.
D. The chief information officer (CIO) is involved in approving the organizational strategies.


ANSWER : C



CISA Sample Question 20


The waterfall life cycle model of software development is BEST suited for which of the following situations?

A. The project requirements are well understood.
B. The project is subject to time pressures.
C. The project intends to apply an object-oriented design approach.
D. The project will involve the use of new technology.


ANSWER : A



CISA Sample Question 21


An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

A. well understood by all employees.
B. based on industry standards.
C. developed by process owners.
D. updated frequently.


ANSWER : A



CISA Sample Question 22


An employee loses a mobile device, resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?

A. Data encryption on the mobile device
B. Complex password policy for mobile devices
C. The triggering of remote data wipe capabilities
D. Awareness training for mobile device users


ANSWER : A



CISA Sample Question 23


An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

A. There is a reconciliation process between the spreadsheet and the finance system.
B. A separate copy of the spreadsheet is routinely backed up
C. The spreadsheet is locked down to avoid inadvertent changes
D. Access to the spreadsheet is given only to those who require access


ANSWER : D



CISA Sample Question 24


Which of the following security risks can be reduced by a properly configured network firewall?

A. SQL injection attacks
B. Denial of service (DoS) attacks
C. Phishing attacks
D. Insider attacks


ANSWER : B



CISA Sample Question 25


Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

A. Use of stateful firewalls with default configuration
B. Ad hoc monitoring of firewall activity
C. Misconfiguration of the firewall rules
D. Potential back doors to the firewall software


ANSWER : C



CISA Sample Question 26


Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects. Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?

A. Human resources (HR) sourcing strategy
B. Records of actual time spent on projects
C. Peer organization staffing benchmarks
D. Budgeted forecast for the next financial year


ANSWER : B



CISA Sample Question 27


Stress testing should ideally be carried out under a:

A. test environment with production workloads.
B. production environment with production workloads.
C. production environment with test data.
D. test environment with test data.


ANSWER : A



CISA Sample Question 28


A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?

A. Data migration is not part of the contracted activities.
B. The replacement is occurring near year-end reporting.
C. The user department will manage access rights.
D. Testing was performed by the third-party consultant.


ANSWER : C



CISA Sample Question 29


Which of the following BEST enables the timely identification of risk exposure?

A. External audit review
B. Internal audit review
C. Control self-assessment (CSA)
D. Stress testing


ANSWER : C



CISA Sample Question 30


Which of the following is the BEST reason for an organization to use clustering?

A. To decrease system response time
B. To improve the recovery time objective (RTO)
C. To facilitate faster backups
D. To improve system resiliency


ANSWER : D



CISA Sample Question 31


Which of the following must be in place before an IS auditor initiates audit follow-up activities?

A. Available resources for the activities included in the action plan
B. A management response in the final report with a committed implementation date
C. A heat map with the gaps and recommendations displayed in terms of risk
D. Supporting evidence for the gaps and recommendations mentioned in the audit report


ANSWER : B



CISA Sample Question 32


Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

A. Ensure that the facts presented in the report are correct
B. Communicate the recommendations to senior management.
C. Specify implementation dates for the recommendations.
D. Request input in determining corrective action.


ANSWER : A



CISA Sample Question 33


Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?

A. Comparing code between old and new systems
B. Running historical transactions through the new system
C. Reviewing quality assurance (QA) procedures
D. Loading balance and transaction data to the new system


ANSWER : B



CISA Sample Question 34


Which of the following is the GREATEST risk associated with storing customer data on a web server?

A. Data availability
B. Data confidentiality
C. Data integrity
D. Data redundancy


ANSWER : B



CISA Sample Question 35


Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

A. The policy includes a strong risk-based approach.
B. The retention period allows for review during the year-end audit.
C. The retention period complies with data owner responsibilities.
D. The total transaction amount has no impact on financial reporting.


ANSWER : C



CISA Sample Question 36


An internal audit department recently established a quality assurance (QA) program. Which of the following activities is MOST important to include as part of the QA program requirements?

A. Long-term internal audit resource planning
B. Ongoing monitoring of the audit activities
C. Analysis of user satisfaction reports from business lines
D. Feedback from internal audit staff


ANSWER : B



CISA Sample Question 37


An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

A. Preserving the same data classifications
B. Preserving the same data inputs
C. Preserving the same data structure
D. Preserving the same data interfaces


ANSWER : C



CISA Sample Question 38


An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?

A. Self-assessment reports of IT capability and maturity
B. IT performance benchmarking reports with competitors
C. Recent third-party IS audit reports
D. Current and previous internal IS audit reports


ANSWER : C



CISA Sample Question 39


Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

A. Reviewing vacation patterns
B. Reviewing user activity logs
C. Interviewing senior IT management
D. Mapping IT processes to roles


ANSWER : D



CISA Sample Question 40


Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

A. Ensure compliance with the data classification policy.
B. Protect the plan from unauthorized alteration.
C. Comply with business continuity best practice.
D. Reduce the risk of data leakage that could lead to an attack.


ANSWER : D



CISA Sample Question 41


During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?

A. Perform substantive testing of terminated users' access rights.
B. Perform a review of terminated users' account activity.
C. Communicate risks to the application owner.
D. Conclude that IT general controls are ineffective.


ANSWER : B
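Sample Questions 12 and 41 both turn on leavers whose accounts were never disabled: the threat actor is the terminated employee, and the auditor's next step is to find out what those accounts actually did after the termination date. As an added example that is not part of the page, the following Python cross-checks a system-generated account export against an HR leaver list and then reviews each leaver's post-termination activity. The export, the leaver list, the activity log and their column layouts are all constructed for illustration.

```python
# Added example (not part of the page): follow-up for Sample Questions 12 and 41.
# Cross-check a system-generated account export against the HR leaver list,
# then review each leaver's post-termination activity. All data is constructed.
from dataclasses import dataclass, field
from datetime import date, datetime

# Constructed system-generated account export (the list the auditor should
# insist on, rather than one typed up by hand).
ACCOUNT_EXPORT = """\
user_id,status,privileged,last_login
alice,active,yes,2024-03-02T08:15:00
bob,active,no,2024-02-28T17:40:00
carol,disabled,yes,2024-01-10T09:00:00
dave,active,yes,2024-03-05T22:10:00
erin,active,no,2023-12-01T10:00:00
"""

# Constructed HR leaver list: user_id -> termination date.
TERMINATED = {
    "alice": date(2024, 2, 15),
    "carol": date(2024, 1, 5),
    "dave": date(2024, 3, 1),
}

# Constructed application activity log: "<ISO timestamp> <user> <action>".
ACTIVITY_LOG = """\
2024-02-20T11:02:00 alice APPROVE_PAYMENT
2024-02-28T17:40:00 bob VIEW_INVOICE
2024-03-05T22:10:00 dave EXPORT_VENDOR_MASTER
2024-03-06T01:12:00 dave CHANGE_BANK_DETAILS
"""

@dataclass
class Finding:
    user_id: str
    terminated_on: date
    privileged: bool
    post_termination_actions: list = field(default_factory=list)

def parse_export(text: str) -> dict:
    """Parse the CSV export into {user_id: record}."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return {rec["user_id"]: rec
            for rec in (dict(zip(header, line.split(","))) for line in lines[1:])}

def active_terminated_accounts(export_text: str, terminated: dict) -> list:
    """User IDs that HR says have left but whose account is still active."""
    accounts = parse_export(export_text)
    return sorted(u for u, rec in accounts.items()
                  if u in terminated and rec["status"] == "active")

def post_termination_activity(log_text: str, terminated: dict) -> dict:
    """Map each leaver to the actions logged after their termination date."""
    hits: dict = {}
    for line in log_text.strip().splitlines():
        ts, user, action = line.split()
        if user in terminated and datetime.fromisoformat(ts).date() > terminated[user]:
            hits.setdefault(user, []).append(action)
    return hits

def findings(export_text: str, log_text: str, terminated: dict) -> list:
    """One Finding per still-active leaver, with privilege flag and activity."""
    accounts = parse_export(export_text)
    activity = post_termination_activity(log_text, terminated)
    return [Finding(u, terminated[u], accounts[u]["privileged"] == "yes",
                    activity.get(u, []))
            for u in active_terminated_accounts(export_text, terminated)]

if __name__ == "__main__":
    for f in findings(ACCOUNT_EXPORT, ACTIVITY_LOG, TERMINATED):
        print(f)
```

Run against the constructed data this flags alice and dave (both privileged, both still active after their termination dates) and shows dave changing bank details five days after leaving; carol's account was disabled, so she is not a finding even though she is a leaver. The activity review is what turns "accounts not disabled" into evidence of actual misuse, which is why it comes before concluding on the control environment as a whole.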



CISA Sample Question 42


Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

A. Legal and compliance requirements
B. Customer agreements
C. Data classification
D. Organizational policies and procedures


ANSWER : D



CISA Sample Question 43


Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

A. Availability of IS audit resources
B. Remediation dates included in management responses
C. Peak activity periods for the business
D. Complexity of business processes identified in the audit


ANSWER : B



CISA Sample Question 44


An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

A. Obtain error codes indicating failed data feeds.
B. Purchase data cleansing tools from a reputable vendor.
C. Appoint data quality champions across the organization.
D. Implement business rules to reject invalid data.


ANSWER : D
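Question 18's master-vendor-list check and Question 44's business rules are the same idea applied at two points: validate the record before the system accepts it, so the bad data is rejected rather than detected afterwards by a report or a reconciliation. This added Python example (not from the page) validates a constructed pipe-delimited feed against explicit rules, one of which is membership in a constructed master vendor list; the record format, field names, currency list and rule set are assumptions made for illustration.

```python
# Added example (not part of the page): business-rule validation of an inbound
# third-party feed (Sample Question 44), including a master-vendor-list check
# of the kind Sample Question 18 calls a preventive control. The feed, rules
# and vendor list are constructed for illustration.
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed master vendor list: the only payees the system may accept.
MASTER_VENDORS = {"V1001", "V1002", "V1003"}
VALID_CURRENCIES = {"USD", "EUR", "GBP"}

# Constructed feed from the provider: a header line, then one pipe-delimited
# record per line. Each record after the first violates exactly one rule.
FEED = """\
rec_id|vendor_id|invoice_date|amount|currency
1|V1001|2024-03-01|1250.00|USD
2|V9999|2024-03-02|300.00|USD
3|V1002|2024-13-05|99.50|USD
4|V1003|2024-03-03|-40.00|USD
5|V1002|2024-03-04|abc|USD
6|V1003|2024-03-04|75.00|XYZ
"""

def validate(rec: dict) -> list:
    """Apply the business rules to one parsed record; an empty list means accept."""
    errors = []
    if rec["vendor_id"] not in MASTER_VENDORS:
        errors.append("vendor not in master vendor list")
    try:
        date.fromisoformat(rec["invoice_date"])
    except ValueError:
        errors.append("invalid invoice_date")
    try:
        if Decimal(rec["amount"]) <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        errors.append("amount not numeric")
    if rec["currency"] not in VALID_CURRENCIES:
        errors.append("unsupported currency")
    return errors

def load_feed(text: str):
    """Split the feed into accepted records and (rec_id, errors) rejections.
    Rejected records never reach the warehouse; they go back to the provider."""
    lines = text.strip().splitlines()
    header = lines[0].split("|")
    accepted, rejected = [], []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("|")))
        errors = validate(rec)
        if errors:
            rejected.append((rec["rec_id"], errors))
        else:
            accepted.append(rec)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = load_feed(FEED)
    print("accepted:", [r["rec_id"] for r in ok])
    for rec_id, errs in bad:
        print(f"rejected {rec_id}: {', '.join(errs)}")
```

Only record 1 is accepted; the other five are rejected with the specific rule each broke, which is also what the provider needs in order to fix the feed. Note that amounts are parsed as Decimal rather than float, so a rule like "amount must be positive" is not undermined by rounding.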



CISA Sample Question 45


Capacity management enables organizations to:

A. forecast technology trends.
B. establish the capacity of network communication links.
C. identify the extent to which components need to be upgraded.
D. determine business transaction volumes.


ANSWER : C



CISA Sample Question 46


An information systems security officer's PRIMARY responsibility for business process applications is to:

A. authorize secured emergency access.
B. approve the organization's security policy.
C. ensure access rules agree with policies.
D. create role-based rules for each business process.


ANSWER : C



CISA Sample Question 47


An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

A. The security of the desktop PC is enhanced.
B. Administrative security can be provided for the client.
C. Desktop application software will never have to be upgraded.
D. System administration can be better managed.


ANSWER : C



CISA Sample Question 48


The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?

A. Determine where delays have occurred
B. Assign additional resources to supplement the audit
C. Escalate to the audit committee
D. Extend the audit deadline


ANSWER : A



CISA Sample Question 49


An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

A. An imaging process was used to obtain a copy of the data from each computer.
B. The legal department has not been engaged.
C. The chain of custody has not been documented.
D. Audit was only involved during extraction of the information.


ANSWER : C



CISA Sample Question 50


What is the MOST critical finding when reviewing an organization's information security management?

A. No dedicated security officer
B. No official charter for the information security management system
C. No periodic assessments to identify threats and vulnerabilities
D. No employee awareness training and education program


ANSWER : C



CISA Sample Question 51


During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

A. reflect current practices.
B. include new systems and corresponding process changes.
C. incorporate changes to relevant laws.
D. be subject to adequate quality assurance (QA).


ANSWER : A



CISA Sample Question 52


Upon completion of audit work, an IS auditor should:

A. provide a report to senior management prior to discussion with the auditee.
B. distribute a summary of general findings to the members of the auditing team
C. provide a report to the auditee stating the initial findings.
D. review the working papers with the auditee.


ANSWER : B



CISA Sample Question 53


Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?

A. Information security program plans
B. Penetration test results
C. Risk assessment results
D. Industry benchmarks


ANSWER : C



CISA Sample Question 54


An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

A. Training was not provided to the department that handles intellectual property and patents.
B. Logging and monitoring for content filtering is not enabled.
C. Employees can share files with users outside the company through collaboration tools.
D. The collaboration tool is hosted and can only be accessed via an Internet browser.


ANSWER : B



CISA Sample Question 55


To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

A. Review IT staff job descriptions for alignment
B. Develop quarterly training for each IT staff member.
C. Identify required IT skill sets that support key business processes
D. Include strategic objectives in IT staff performance objectives.


ANSWER : C



CISA Sample Question 56


Which of the following would BEST help to support an auditor's conclusion about the effectiveness of an implemented data classification program?

A. Purchase of information management tools
B. Business use cases and scenarios
C. Access rights provisioned according to scheme
D. Detailed data classification scheme


ANSWER : C



CISA Sample Question 57


Which of the following documents should specify roles and responsibilities within an IT audit organization?

A. Organizational chart
B. Audit charter
C. Engagement letter
D. Annual audit plan


ANSWER : B



CISA Sample Question 58


The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

A. randomly selected by a test generator.
B. provided by the vendor of the application.
C. randomly selected by the user.
D. simulated by production entities and customers.


ANSWER : D



CISA Sample Question 59


An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

A. Data with customer personal information
B. Data reported to the regulatory body
C. Data supporting financial statements
D. Data impacting business objectives


ANSWER : B



CISA Sample Question 60


In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

A. Configure data quality alerts to check variances between the data warehouse and the source system.
B. Require approval for changes in the extract/transform/load (ETL) process between the two systems.
C. Include the data warehouse in the impact analysis for any changes in the source system.
D. Restrict access to changes in the extract/transform/load (ETL) process between the two systems.


ANSWER : C



CISA Sample Question 61


Which of the following would MOST effectively ensure the integrity of data transmitted over a network?

A. Message encryption
B. Certificate authority (CA)
C. Steganography
D. Message digest


ANSWER : D
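Questions 5 and 61 are two views of the same mechanism. A message digest detects alteration, because any change to the message changes the digest; signing that digest with the sender's private key ties it to the sender, and anyone holding the public key can verify. Reversing the hash (option A in Question 5) is not feasible, altering the message (B) is exactly what verification catches, and the receiver's public key (C) is public by design, which leaves the sender's private key (D) as the thing whose loss lets an attacker forge. The Python below is an added example, not from the page: it implements textbook RSA with two small fixed Mersenne primes and no padding, purely to show those three outcomes. The toy key, the message and the tampered message are constructed, and this construction must not be used in place of a proper signature library.

```python
# Added example (not part of the page): what a digital signature protects and
# what breaks it (Sample Questions 5 and 61). Textbook RSA over a SHA-256
# digest with small, fixed Mersenne primes and no padding, for illustration
# only; real systems use a vetted library with proper key sizes and padding.
import hashlib

# Constructed toy key: two known Mersenne primes, far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent; gcd(E, phi) = 1 here

def digest(message: bytes) -> int:
    """Message digest (Question 61): any change to the message changes this.
    Reduced mod N only because the toy modulus is smaller than 256 bits."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_exponent: int = D) -> int:
    """Signature = digest raised to the private exponent mod N."""
    return pow(digest(message), private_exponent, N)

def verify(message: bytes, signature: int) -> bool:
    """Anyone holding (E, N) can check; only the holder of D can produce."""
    return pow(signature, E, N) == digest(message)

def demo() -> dict:
    msg = b"Pay vendor V1001 USD 1250.00"
    sig = sign(msg)
    tampered = b"Pay vendor V9999 USD 1250.00"   # option B: alteration is detected
    forged = sign(tampered)                     # option D: with D, anything verifies
    return {
        "genuine": verify(msg, sig),
        "tampered": verify(tampered, sig),
        "forged_with_stolen_key": verify(tampered, forged),
    }

if __name__ == "__main__":
    for outcome, ok in demo().items():
        print(f"{outcome}: {'verifies' if ok else 'rejected'}")
```

The genuine message verifies, the tampered message fails against the original signature, and the tampered message verifies once it has been signed with the stolen private exponent; the verifier has no way to tell that last case from a legitimate signature, which is why key compromise defeats the control entirely while every other option is either detected or harmless.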



CISA Sample Question 62


A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the project audit?

A. Compare the agile process with previous methodology.
B. Identify and assess existing agile process control
C. Understand the specific agile methodology that will be followed.
D. Interview business process owners to compile a list of business requirements


ANSWER : C



CISA Sample Question 63


An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control issue?

A. Security cameras deployed outside main entrance
B. Antistatic mats deployed at the computer room entrance
C. Muddy footprints directly inside the emergency exit
D. Fencing around facility is two meters high


ANSWER : C



CISA Sample Question 64


In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?

A. Discovery
B. Attacks
C. Planning
D. Reporting


ANSWER : A



CISA Sample Question 65


Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

A. The certificate revocation list has not been updated.
B. The PKI policy has not been updated within the last year.
C. The private key certificate has not been updated.
D. The certificate practice statement has not been published.


ANSWER : A



CISA Sample Question 66


After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

A. Verifying that access privileges have been reviewed
B. Investigating access rights for expiration dates
C. Updating the continuity plan for critical resources
D. Updating the security policy


ANSWER : A



CISA Sample Question 67


A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed. Which of the following is the MOST important requirement to include in the vendor contract to ensure continuity?

A. Continuous 24/7 support must be available.
B. The vendor must have a documented disaster recovery plan (DRP) in place.
C. Source code for the software must be placed in escrow.
D. The vendor must train the organization's staff to manage the new software.


ANSWER : C



CISA Sample Question 68


Which of the following are BEST suited for continuous auditing?

A. Low-value transactions
B. Real-time transactions
C. Irregular transactions
D. Manual transactions


ANSWER : B



CISA Sample Question 69


An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

A. Availability of the user list reviewed
B. Confidentiality of the user list reviewed
C. Source of the user list reviewed
D. Completeness of the user list reviewed


ANSWER : C



CISA Sample Question 70


Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

A. Ensuring that audit trails exist for transactions
B. Restricting access to update programs to accounts payable staff only
C. Including the creator's user ID as a field in every transaction record created
D. Restricting program functionality according to user security profiles


ANSWER : D



CISA Sample Question 71


Which of the following findings from an IT governance review should be of GREATEST concern?

A. The IT budget is not monitored.
B. All IT services are provided by third parties.
C. IT value analysis has not been completed.
D. IT supports two different operating systems.


ANSWER : C



CISA Sample Question 72


Which of the following metrics would BEST measure the agility of an organization's IT function?

A. Average number of learning and training hours per IT staff member
B. Frequency of security assessments against the most recent standards and guidelines
C. Average time to turn strategic IT objectives into an agreed upon and approved initiative
D. Percentage of staff with sufficient IT-related skills for the competency required of their roles


ANSWER : C



CISA Sample Question 73


An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?

A. The standard is met as long as one member has a globally recognized audit certification.
B. Technical co-sourcing must be used to help the new staff.
C. Team member assignments must be based on individual competencies.
D. The standard is met as long as a supervisor reviews the new auditors' work.


ANSWER : C



CISA Sample Question 74


An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

A. Evaluate the appropriateness of the remedial action taken.
B. Conduct a risk analysis incorporating the change.
C. Report results of the follow-up to the audit committee.
D. Inform senior management of the change in approach.


ANSWER : A



CISA Sample Question 75


Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

A. Require written authorization for all payment transactions.
B. Restrict payment authorization to senior staff members.
C. Reconcile payment transactions with invoices.
D. Review payment transaction history.


ANSWER : A



CISA Sample Question 76


Which of the following BEST indicates that an incident management process is effective?

A. Decreased time for incident resolution
B. Increased number of incidents reviewed by IT management
C. Decreased number of calls to the help desk
D. Increased number of reported critical incidents


ANSWER : A



CISA Sample Question 77


To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?

A. Root cause
B. Responsible party
C. Impact
D. Criteria


ANSWER : A



CISA Sample Question 78


In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

A. Reviewing the last compile date of production programs
B. Manually comparing code in production programs to controlled copies
C. Periodically running and reviewing test data against production programs
D. Verifying user management approval of modifications


ANSWER : A



CISA Sample Question 79


An IS auditor is reviewing a recent security incident and is seeking information about the approval of a recent modification to a database system's security settings. Where would the auditor MOST likely find this information?

A. System event correlation report
B. Database log
C. Change log
D. Security incident and event management (SIEM) report


ANSWER : C



CISA Sample Question 80


Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?

A. The person who collected the evidence is not qualified to represent the case.
B. The logs failed to identify the person handling the evidence.
C. The evidence was collected by the internal forensics team.
D. The evidence was not fully backed up using a cloud-based solution prior to the trial.


ANSWER : B



CISA Sample Question 81


While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

A. Use automatic document classification based on content.
B. Have IT security staff conduct targeted training for data owners.
C. Publish the data classification policy on the corporate web portal.
D. Conduct awareness presentations and seminars for information classification policies.


ANSWER : B



CISA Sample Question 82


Which of the following is a social engineering attack method?

A. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.
B. A hacker walks around an office building using scanning tools to search for a wireless network to gain access.
C. An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.
D. An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.


ANSWER : A



CISA Sample Question 83


An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

A. Redundant pathways
B. Clustering
C. Failover power
D. Parallel testing


ANSWER : B



CISA Sample Question 84


Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?

A. Ensure the third party allocates adequate resources to meet requirements.
B. Use analytics within the internal audit function
C. Conduct a capacity planning exercise
D. Utilize performance monitoring tools to verify service level agreements (SLAs)


ANSWER : D



CISA Sample Question 85


Which of the following MUST be completed as part of the annual audit planning process?

A. Business impact analysis (BIA)
B. Fieldwork
C. Risk assessment
D. Risk control matrix


ANSWER : C



CISA Sample Question 86


The GREATEST benefit of using a prototyping approach in software development is that it helps to:

A. minimize scope changes to the system.
B. decrease the time allocated for user testing and review.
C. conceptualize and clarify requirements.
D. improve efficiency of quality assurance (QA) testing.


ANSWER : C



CISA Sample Question 87


The PRIMARY focus of a post-implementation review is to verify that:

A. enterprise architecture (EA) has been complied with.
B. user requirements have been met.
C. acceptance testing has been properly executed.
D. user access controls have been adequately designed.


ANSWER : B



CISA Sample Question 88


Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

A. The organization's security policy
B. The number of remote nodes
C. The firewalls' default settings
D. The physical location of the firewalls


ANSWER : A



CISA Sample Question 89


Which of the following is MOST helpful for measuring benefits realization for a new system?

A. Function point analysis
B. Balanced scorecard review
C. Post-implementation review
D. Business impact analysis (BIA)


ANSWER : C



CISA Sample Question 90


An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST:

A. document the exception in an audit report.
B. review security incident reports.
C. identify compensating controls.
D. notify the audit committee.


ANSWER : C



CISA Sample Question 91


An IS auditor should ensure that an application's audit trail:

A. has adequate security.
B. logs all database records.
C. is accessible online.
D. does not impact operational efficiency.


ANSWER : A



CISA Sample Question 92


The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

A. the access control system's log settings.
B. how the latest system changes were implemented.
C. the access control system's configuration.
D. the access rights that have been granted.


ANSWER : D



CISA Sample Question 93


During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months. Which of the following is the BEST course of action?

A. Require documentation that the finding will be addressed within the new system
B. Schedule a meeting to discuss the issue with senior management
C. Perform an ad hoc audit to determine if the vulnerability has been exploited
D. Recommend the finding be resolved prior to implementing the new system


ANSWER : A



CISA Sample Question 94


Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

A. Staff members who failed the test did not receive follow-up education
B. Test results were not communicated to staff members.
C. Staff members were not notified about the test beforehand.
D. Security awareness training was not provided prior to the test.


ANSWER : A



CISA Sample Question 95


When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:

A. architecture and cloud environment of the system.
B. business process supported by the system.
C. policies and procedures of the business area being audited.
D. availability reports associated with the cloud-based system.


ANSWER : B



CISA Sample Question 96


A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon. The MOST effective plan of action would be to:

A. evaluate replacement systems and performance monitoring software.
B. restrict functionality of system monitoring software to security-related events.
C. re-install the system and performance monitoring software.
D. use analytical tools to produce exception reports from the system and performance monitoring software.


ANSWER : D



CISA Sample Question 97


The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

A. Technology risk
B. Detection risk
C. Control risk
D. Inherent risk


ANSWER : B


