CISA Certified Information Systems Auditor exam dumps questions are the best material for you to test all the related ISACA exam topics. By using the CISA exam dumps questions and practicing your skills, you can increase your confidence and chances of passing the CISA exam.

Features of Dumpsinfo's products:
- Instant Download
- Free Update in 3 Months
- Money back guarantee
- PDF and Software
- 24/7 Customer Support

Besides, Dumpsinfo also provides unlimited access. You can get all Dumpsinfo files at the lowest price. Certified Information Systems Auditor CISA exam free dumps questions are available below for you to study.

Full version: CISA Exam Dumps Questions

1. Which of the following is MOST important to consider when scheduling follow-up audits?
A. The efforts required for independent verification with new auditors
B. The impact if corrective actions are not taken
C. The amount of time the auditee has agreed to spend with auditors
D. Controls and detection risks related to the observations
Answer: B

2. An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?
A. Implement security awareness training.
B. Install vendor patches.
C. Review hardware vendor contracts.
D. Review security log incidents.
Answer: B
Explanation:
Vendor patches are updates released by hardware vendors that fix security vulnerabilities, making it less likely that attackers will be able to exploit them. Hardware vendors may also release patches for security issues that have already been exploited, helping to protect the organization from future attacks. Organizations should regularly review the available patches and install them as soon as possible to keep their hardware and systems secure.
3. Which of the following BEST guards against the risk of attack by hackers?
A. Tunneling
B. Encryption
C. Message validation
D. Firewalls
Answer: B

4. Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
A. The person who collected the evidence is not qualified to represent the case.
B. The logs failed to identify the person handling the evidence.
C. The evidence was collected by the internal forensics team.
D. The evidence was not fully backed up using a cloud-based solution prior to the trial.
Answer: B

5. Which of the following would be of MOST concern when determining whether information assets are adequately safeguarded during transport and disposal?
A. Lack of appropriate labelling
B. Lack of recent awareness training
C. Lack of password protection
D. Lack of appropriate data classification
Answer: D

6. A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?
A. Analyzing the root cause of the outage to ensure the incident will not reoccur
B. Restoring the system to operational state as quickly as possible
C. Ensuring all resolution steps are fully documented prior to returning the system to service
D. Rolling back the unsuccessful change to the previous state
Answer: B

7. Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?
A. Data owners are not trained on the use of data conversion tools.
B. A post-implementation lessons-learned exercise was not conducted.
C. There is no system documentation available for review.
D. System deployment is routinely performed by contractors.
Answer: B
Explanation:
It is important for an IS auditor to review the information systems acquisition, development, and implementation process to ensure that it has been performed properly and that any errors or issues have been identified and addressed. A lessons-learned exercise is an important part of this process, as it allows the identification and rectification of any issues that may have been missed during the initial stages. Without this exercise, potential issues may go unnoticed and lead to further problems later.

8. Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?
A. Comparing code between old and new systems
B. Running historical transactions through the new system
C. Reviewing quality assurance (QA) procedures
D. Loading balance and transaction data to the new system
Answer: B

9. As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?
A. Risk appetite
B. Critical applications in the cloud
C. Completeness of critical asset inventory
D. Recovery scenarios
Answer: C

10. Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?
A. Carbon dioxide
B. FM-200
C. Dry pipe
D. Halon
Answer: C

11. Which of the following is a social engineering attack method?
A. An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.
B. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.
C. A hacker walks around an office building using scanning tools to search for a wireless network to gain access.
D. An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.
Answer: B

12. A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?
A. Using smart cards with one-time passwords
B. Periodically reviewing log files
C. Configuring the router as a firewall
D. Installing biometrics-based authentication
Answer: C

13. Which of the following demonstrates the use of data analytics for a loan origination process?
A. Evaluating whether loan records are included in the batch file and are validated by the servicing system
B. Comparing a population of loans input in the origination system to loans booked on the servicing system
C. Validating whether reconciliations between the two systems are performed and discrepancies are investigated
D. Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure
Answer: B

14. Which of the following is the BEST way to ensure payment transaction data is restricted to the appropriate users?
A. Implementing two-factor authentication
B. Restricting access to transactions using network security software
C. Implementing role-based access at the application level
D. Using a single menu for sensitive application transactions
Answer: C

15. Which of the following is the BEST reason for an IS auditor to emphasize to management the importance of using an IT governance framework?
A. Frameworks enable IT benchmarks against competitors
B. Frameworks can be tailored and optimized for different organizations
C. Frameworks help facilitate control self-assessments (CSAs)
D. Frameworks help organizations understand and manage IT risk
Answer: B

16. The decision to accept an IT control risk related to data quality should be the responsibility of the:
A. information security team.
B. IS audit manager.
C. chief information officer (CIO).
D. business owner.
Answer: D

17. Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
A. Audit cycle defined in the audit plan
B. Complexity of management's action plans
C. Recommendation from executive management
D. Residual risk from the findings of previous audits
Answer: D

18. Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?
A. Limiting access to the data files based on frequency of use
B. Obtaining formal agreement by users to comply with the data classification policy
C. Applying access controls determined by the data owner
D. Using scripted access control lists to prevent unauthorized access to the server
Answer: C

19. Which of the following is MOST important for an IS auditor to look for in a project feasibility study?
A. An assessment of whether requirements will be fully met
B. An assessment indicating security controls will operate effectively
C. An assessment of whether the expected benefits can be achieved
D. An assessment indicating the benefits will exceed the implement
Answer: C

20. Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?
A. Ensure the third party allocates adequate resources to meet requirements.
B. Use analytics within the internal audit function.
C. Conduct a capacity planning exercise.
D. Utilize performance monitoring tools to verify service level agreements (SLAs).
Answer: D

21. To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?
A. Root cause
B. Responsible party
C. Impact
D. Criteria
Answer: A

22. A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged.
Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?
A. Trace a sample of completed PCR forms to the log of all program changes
B. Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date
C. Review a sample of PCRs for proper approval throughout the program change process
D. Trace a sample of program changes from the log to completed PCR forms
Answer: D

23. Which of the following findings from an IT governance review should be of GREATEST concern?
A. The IT budget is not monitored.
B. All IT services are provided by third parties.
C. IT value analysis has not been completed.
D. IT supports two different operating systems.
Answer: C

24. An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?
A. Analyze a new application that meets the current re
B. Perform an analysis to determine the business risk
C. Bring the escrow version up to date.
D. Develop a maintenance plan to support the application using the existing code
Answer: C

25. During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
A. Key performance indicators (KPIs)
B. Maximum allowable downtime (MAD)
C. Recovery point objective (RPO)
D. Mean time to restore (MTTR)
Answer: B

26. Which of the following is the MOST important responsibility of user departments associated with program changes?
A. Providing unit test data
B. Analyzing change requests
C. Updating documentation to reflect latest changes
D. Approving changes before implementation
Answer: A

27. An IS auditor is conducting a review of a data center.
Which of the following observations could indicate an access control issue?
A. Security cameras deployed outside main entrance
B. Antistatic mats deployed at the computer room entrance
C. Muddy footprints directly inside the emergency exit
D. Fencing around facility is two meters high
Answer: C

28. Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?
A. Project charter
B. Project plan
C. Project issue log
D. Project business case
Answer: D
Explanation:
The project business case provides the IS auditor with information on the purpose and objectives of the project, the expected costs and benefits of the project, and the possible risks associated with the project. This information can be used to help the IS auditor determine if the project is worth including in the IT audit plan. For more information, please refer to the ISACA CISA Study Guide section 4.12.2.1.

29. An organization is planning to implement a work-from-home policy that allows users to work remotely as needed. Which of the following is the BEST solution for ensuring secure remote access to corporate resources?
A. Additional firewall rules
B. Multi-factor authentication
C. Virtual private network (VPN)
D. Virtual desktop
Answer: C

30. A characteristic of a digital signature is that it:
A. is under control of the receiver.
B. is unique to the message.
C. is validated when data are changed.
D. has a reproducible hashing algorithm.
Answer: B

31. Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?
A. To ensure that older versions are available for reference
B. To ensure that only the latest approved version of the application is used
C. To ensure compatibility between different versions of the application
D. To ensure that only authorized users can access the application
Answer: B

32. Backup procedures for an organization's critical data are considered to be which type of control?
A. Directive
B. Corrective
C. Detective
D. Compensating
Answer: B

33. Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:
A. business impact analysis (BIA).
B. threat and risk assessment.
C. business continuity plan (BCP).
D. disaster recovery plan (DRP).
Answer: C

34. Which of the following provides the BEST evidence that outsourced provider services are being properly managed?
A. The service level agreement (SLA) includes penalties for non-performance.
B. Adequate action is taken for noncompliance with the service level agreement (SLA).
C. The vendor provides historical data to demonstrate its performance.
D. Internal performance standards align with corporate strategy.
Answer: B

35. During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?
A. Sampling risk
B. Detection risk
C. Control risk
D. Inherent risk
Answer: B

36. Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?
A. The lack of technical documentation to support the program code
B. The lack of completion of all requirements at the end of each sprint
C. The lack of acceptance criteria behind user requirements
D. The lack of a detailed unit and system test plan
Answer: C

37. During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data from any Internet-connected web browser.
Which of the following is the auditor's BEST recommendation to prevent unauthorized access?
A. Implement an intrusion detection system (IDS).
B. Update security policies and procedures.
C. Implement multi-factor authentication.
D. Utilize strong anti-malware controls on all computing devices.
Answer: C
Explanation:
The best recommendation to prevent unauthorized access in this scenario is to implement multi-factor authentication (MFA). According to the ISACA CISA Study Manual, "MFA is a security technique that requires two or more independent credentials for user authentication. MFA can be used to provide additional security for cloud-based services and applications." Thus, implementing MFA would be an effective way to prevent unauthorized access and maintain a secure environment. MFA is a security measure that requires users to provide two or more pieces of evidence to verify their identity before accessing cloud-based applications and data. MFA can prevent unauthorized access by making it harder for attackers to compromise user credentials or bypass password protection.

38. When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
A. a risk management process.
B. an information security framework.
C. past information security incidents.
D. industry best practices.
Answer: B

39. During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor's BEST action?
A. Explain to IT management that the new control will be evaluated during follow-up
B. Add comments about the action taken by IT management in the report
C. Change the conclusion based on evidence provided by IT management
D. Re-perform the audit before changing the conclusion
Answer: D

40. Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
A. Information security program plans
B. Penetration test results
C. Risk assessment results
D. Industry benchmarks
Answer: C

41. Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?
A. Regression testing
B. Unit testing
C. Integration testing
D. Acceptance testing
Answer: A

42. What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?
A. Perform background verification checks.
B. Review third-party audit reports.
C. Implement change management review.
D. Conduct a privacy impact analysis.
Answer: D

43. Which of the following is the BEST indicator for measuring performance of the IT help desk function?
A. Percentage of problems raised from incidents
B. Mean time to categorize tickets
C. Number of incidents reported
D. Number of reopened tickets
Answer: D
Explanation:
The number of reopened tickets is a key performance indicator (KPI) that measures how often the IT help desk function fails to resolve the issues or problems reported by customers on the first attempt. A high number of reopened tickets indicates poor quality of service, low customer satisfaction, and wasted resources.

44. An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?
A. Single sign-on is not enabled
B. Audit logging is not enabled
C. Security baseline is not consistently applied
D. Complex passwords are not required
Answer: B

45. A programmer has made unauthorized changes to key fields in a payroll system report.
Which of the following control weaknesses would have contributed MOST to this problem?
A. The programmer did not involve the user in testing
B. The user requirements were not documented
C. The programmer has access to the production programs
D. Payroll files were not under the control of a librarian
Answer: C

46. Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
A. Real-time audit software
B. Performance data
C. Quality assurance (QA) reviews
D. Participative management techniques
Answer: A

47. When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is MOST effective for an IS auditor to review:
A. data analytics findings.
B. audit trails.
C. acceptance testing results.
D. rollback plans.
Answer: B

48. Which type of attack targets security vulnerabilities in web applications to gain access to data sets?
A. Denial of service (DoS)
B. SQL injection
C. Phishing attacks
D. Rootkits
Answer: B
Explanation:
SQL injection is a type of attack that targets security vulnerabilities in web applications to gain access to data sets. It is accomplished by injecting malicious SQL code into user-supplied data fields, allowing the attacker to gain access to and manipulate the underlying database. In addition to gaining access to data, SQL injection can also be used to modify existing data or even delete it. According to ISACA's Certified Information Systems Auditor (CISA) Study Guide, "SQL injection attacks are the most common type of attack against web applications and databases, and they are a major security concern."

49. Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?
A. Implement data loss prevention (DLP) software
B. Review perimeter firewall logs
C. Provide ongoing information security awareness training
D. Establish behavioral analytics monitoring
Answer: A

50. What should an IS auditor evaluate FIRST when reviewing an organization's response to new privacy legislation?
A. Implementation plan for restricting the collection of personal information
B. Privacy legislation in other countries that may contain similar requirements
C. Operational plan for achieving compliance with the legislation
D. Analysis of systems that contain privacy components
Answer: D
Explanation:
This is according to ISACA's IS Auditing Guideline G14 on Privacy and Data Protection, which states that an IS auditor should first evaluate the organization's ability to identify and assess the systems that contain privacy components, and then review the adequacy of the operational plan for achieving compliance with the legislation.

51. An IS auditor assessing the controls within a newly implemented call center would FIRST:
A. gather information from the customers regarding response times and quality of service.
B. review the manual and automated controls in the call center.
C. test the technical infrastructure at the call center.
D. evaluate the operational risk associated with the call center.
Answer: D

52. An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:
A. refuse the assignment to avoid conflict of interest.
B. use the knowledge of the application to carry out the audit.
C. inform audit management of the earlier involvement.
D. modify the scope of the audit.
Answer: C

53. Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?
A. Re-partitioning
B. Degaussing
C. Formatting
D. Data wiping
Answer: D

54. Upon completion of audit work, an IS auditor should:
A. provide a report to senior management prior to discussion with the auditee.
B. distribute a summary of general findings to the members of the auditing team.
C. provide a report to the auditee stating the initial findings.
D. review the working papers with the auditee.
Answer: B

55. A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:
A. the provider has alternate service locations.
B. the contract includes compensation for deficient service levels.
C. the provider's information security controls are aligned with the company's.
D. the provider adheres to the company's data retention policies.
Answer: C

56. An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?
A. Staging
B. Testing
C. Integration
D. Development
Answer: B

57. An organization has shifted from a bottom-up approach to a top-down approach in the development of IT policies. This should result in:
A. greater consistency across the organization.
B. a synthesis of existing operational policies.
C. a more comprehensive risk assessment plan.
D. greater adherence to best practices.
Answer: A
Explanation:
A top-down approach to the development of IT policies typically involves setting goals at the top and then developing policies to meet those goals. This type of approach results in greater consistency across the organization, as all policies are developed in alignment with the overall goals. Additionally, this approach may result in greater adherence to best practices, as the policies are developed with the organization's long-term goals in mind. It may also result in a synthesis of existing operational policies, as the goals set at the top are used to develop a unified IT policy. Finally, it may also result in a more comprehensive risk assessment plan, as all policies must be evaluated for their potential risks to the organization.
58. During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?
A. Review sign-off documentation
B. Review the source code related to the calculation
C. Re-perform the calculation with audit software
D. Inspect user acceptance test (UAT) results
Answer: C

59. Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?
A. Change management
B. Problem management
C. Incident management
D. Configuration management
Answer: C

60. Which of the following is the MOST important control for virtualized environments?
A. Regular updates of policies for the operation of the virtualized environment
B. Hardening for the hypervisor and guest machines
C. Redundancy of hardware resources and network components
D. Monitoring utilization of resources at the guest operating system level
Answer: B
Explanation:
The most important control for virtualized environments is hardening for the hypervisor and guest machines. Hardening the hypervisor and guest machines involves taking measures to ensure that the system is secure and protected from external threats. This includes ensuring that all security patches and updates are applied, that the systems are configured securely, and that only approved applications are allowed to run. Additionally, it is important to ensure that the system is regularly monitored for any malicious activity. For more information, please refer to the ISACA CISA Study Guide section 4.13.4.1.

61. Which of the following is MOST important for an IS auditor to validate when auditing network device management?
A. Devices cannot be accessed through service accounts.
B. Backup policies include device configuration files.
C. All devices have current security patches assessed.
D. All devices are located within a protected network segment.
Answer: C
Explanation:
The most important factor for an IS auditor to validate when auditing network device management is C, that all devices have current security patches assessed. This is because security patches are essential for ensuring that devices are protected from the latest threats, and that any vulnerabilities are addressed quickly. While it is important to ensure that devices cannot be accessed through service accounts, have backup policies that include device configuration files, and are located within a protected network segment, these measures do not ensure that devices are protected from the latest threats.

62. Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?
A. Frequent testing of backups
B. Annual walk-through testing
C. Periodic risk assessment
D. Full operational test
Answer: D

63. An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
A. the implementation plan meets user requirements.
B. a full, visible audit trail will be included.
C. a clear business case has been established.
D. the new hardware meets established security standards.
Answer: C

64. An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor's GREATEST concern?
A. Key business process end users did not participate in the business impact analysis (BIA)
B. Copies of the BCP have not been distributed to new business unit end users since the reorganization
C. A test plan for the BCP has not been completed during the last two years
Answer: C

65. Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?
A. Use of stateful firewalls with default configuration
B. Ad hoc monitoring of firewall activity
C. Misconfiguration of the firewall rules
D. Potential back doors to the firewall software
Answer: C

66. Which of the following is MOST important to consider when developing a service level agreement (SLA)?
A. Description of the services from the viewpoint of the provider
B. Detailed identification of work to be completed
C. Provisions for regulatory requirements that impact the end users' businesses
D. Description of the services from the viewpoint of the client organization
Answer: D

67. What is the MAIN reason to use incremental backups?
A. To improve key availability metrics
B. To reduce costs associated with backups
C. To increase backup resiliency and redundancy
D. To minimize the backup time and resources
Answer: D

68. During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?
A. Report the deviation by the control owner in the audit report.
B. Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.
C. Cancel the follow-up audit and reschedule for the next audit period.
D. Request justification from management for not implementing the recommended control.
Answer: D
Explanation:
The auditor should understand the reason for the deviation and evaluate whether the new control mitigates the risk to an acceptable level. If necessary, the auditor can report the deviation in the audit report and provide recommendations for improving the process in the future.

69. An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
A. Redundant pathways
B. Clustering
C. Failover power
D. Parallel testing
Answer: B

70. An organization has engaged a third party to implement an application to perform business-critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?
A. Key performance indicator (KPI) monitoring
B. Change management
C. Configuration management
D. Quality assurance (QA)
Answer: A

71. When an intrusion into an organization's network is detected, which of the following should be done FIRST?
A. Block all compromised network nodes.
B. Contact law enforcement.
C. Notify senior management.
D. Identify nodes that have been compromised.
Answer: D

72. An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial report. Which of the following findings should be ranked as the HIGHEST risk?
A. Network penetration tests are not performed.
B. The network firewall policy has not been approved by the information security officer.
C. Network firewall rules have not been documented.
D. The network device inventory is incomplete.
Answer: A

73. Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?
A. Program coding standards have been followed.
B. Acceptance test criteria have been developed.
C. Data conversion procedures have been established.
D. The design has been approved by senior management.
Answer: B

74. Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?
A. Improved disaster recovery
B. Better utilization of resources
C. Stronger data security
D. Increased application performance
Answer: A

75. One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:
A. basis for allocating indirect costs.
B. cost of replacing equipment.
C. estimated cost of ownership.
D. basis for allocating financial resources.
Answer: D 76.An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that A. security parameters are set in accordance with the manufacturer s standards. B. a detailed business case was formally approved prior to the purchase. C. security parameters are set in accordance with the organization's policies. D. the procurement project invited lenders from at least three different suppliers. Answer: C 77.Which of the following is MOST important with regard to an application development acceptance test? A. The programming team is involved in the testing process. B. All data files are tested for valid information before conversion. C. User management approves the test design before the test is started. D. The quality assurance (QA) team is in charge of the testing process. Answer: B 78.An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be: A. well understand by all employees. B. based on industry standards. 16 / 22 https://www.dumpsinfo.com/ C. developed by process owners. D. updated frequently. Answer: A 79.Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure? A. Rotating backup copies of transaction files offsite B. Using a database management system (DBMS) to dynamically back-out partially processed transactions C. Maintaining system console logs in electronic formal D. Ensuring bisynchronous capabilities on all transmission lines Answer: D 80.In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed? A. Discovery B. Attacks C. Planning D. Reporting Answer: A 81.Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. 
the auditor's BEST course of action would be to determine if: A. the patches were updated. B. The logs were monitored. C. The network traffic was being monitored. D. The domain controller was classified for high availability. Answer: A 82.Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately? A. Electronic copies of customer sales receipts are maintained. B. Monthly bank statements are reconciled without exception. C. Nightly batch processing has been replaced with real-time processing. D. The data transferred over the POS interface is encrypted. Answer: A Explanation: Electronic copies of customer sales receipts are records that show the details of each sales transaction, such as the date, time, amount, item, and payment method12. Electronic copies of customer sales receipts can provide an IS auditor assurance that the interface between a point-of- sale (POS) system and the general ledger is transferring sales data completely and accurately, because: ? Electronic copies of customer sales receipts can be used to verify and reconcile the sales data that is captured by the POS system and posted to the general ledger12. ? Electronic copies of customer sales receipts can be used to detect and correct any errors, discrepancies, or frauds that may occur during the data transfer process12. ? Electronic copies of customer sales receipts can be used to comply with accounting standards, tax 17 / 22 https://www.dumpsinfo.com/ regulations, and audit requirements12. 83.Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction? A. Limit check B. Parity check C. Reasonableness check D. Validity check Answer: C 84.1.An IS auditor is examining a front-end subledger and a main ledger. 
Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems? A. Double-posting of a single journal entry B. Inability to support new business transactions C. Unauthorized alteration of account attributes D. Inaccuracy of financial reporting Answer: D 85.Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document? A. Target architecture is defined at a technical level. B. The previous year's IT strategic goals were not achieved. C. Strategic IT goals are derived solely from the latest market trends. D. Financial estimates of new initiatives are disclosed within the document. Answer: B Explanation: This is because it is important to ensure that the organization's IT strategy is in line with its overall business strategy, and that the IT goals are well-defined and achievable. If the previous year's goals were not achieved, this indicates that the organization is not properly assessing its IT goals, or that the goals are not realistic or achievable. References: [1] ISACA - Certified Information Systems Auditor (CISA) - https://www.isaca.org/certification/cisa [2] CISA Exam - ISACA - https://www.isaca.org/credentialing/cisa-certification/cisa-exam [3] Certified Information Systems Auditor (CISA) Certification - https://www.isaca.org/credentialing/cisa-certification [4] 5 Reasons to Pursue the CISA Certification - https://blog.udemy.com/cisa-certification/ [5] Certified Information Systems Auditor (CISA) Certification - https://www.isaca.org/credentialing/cisa-certification 86.Which of the following is the MOST effective method of destroying sensitive data stored on electronic media? A. Degaussing B. Random character overwrite C. Physical destruction D. Low-level formatting Answer: B 18 / 22 https://www.dumpsinfo.com/ 87.Which of the following is MOST important to consider when reviewing an organization's defined data backup and restoration procedures? A. 
Business continuity plan (BCP) B. Recovery point objective (RPO) C. Mean time to restore (MTTR) D. Mean time between failures (MTBF) Answer: B Explanation: The recovery point objective (RPO) is the maximum amount of time that can elapse between the last successful backup and the time of restoration in the event of a data loss incident. When reviewing an organization's defined data backup and restoration procedures, it is important to consider the RPO to ensure that the organization is able to restore data up to the most recent successful backup. 88.An IS auditor is reviewinglogical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor? A. Users are not required to change their passwords on a regular basis B. Management does not review application user activity logs C. User accounts are shared between users D. Password length is set to eight characters Answer: C 89.Which of the following provides the BEST assurance of data integrity after file transfers? A. Check digits B. Monetary unit sampling C. Hash values D. Reasonableness check Answer: C 90.Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls? A. The information security policy has not been approved by the chief audit executive (CAE). B. The information security policy does not include mobile device provisions C. The information security policy is not frequently reviewed D. The information security policy has not been approved by the policy owner Answer: D 91.Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center? A. Segregation of duties between staff ordering and staff receiving information assets B. Complete and accurate list of information assets that have been deployed C. Availability and testing of onsite backup generators D. 
Knowledge of the IT staff regarding data protection requirements Answer: B 92.During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality? 19 / 22 https://www.dumpsinfo.com/ A. Input from customers B. Industry standard business definitions C. Validation of rules by the business D. Built-in data error prevention application controls Answer: C 93.An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process. Which of the following is the MOST appropriate population to sample from when testing for remediation? A. All users provisioned after the finding was originally identified B. All users provisioned after management resolved the audit issue C. All users provisioned after the final audit report was issued D. All users who have followed user provisioning processes provided by management Answer: C 94.Which of the following is an advantage of using agile software development methodology over the waterfall methodology? A. Less funding required overall B. Quicker deliverables C. Quicker end user acceptance D. Clearly defined business expectations Answer: B 95.Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program? A. Analyzing risks posed by new regulations B. Developing procedures to monitor the use of personal data C. Defining roles within the organization related to privacy D. Designing controls to protect personal data Answer: A 96.An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem? A. The exact definition of the service levels and their measurement B. The alerting and measurement process on the application servers C. The actual availability of the servers as part of a substantive test D. 
The regular performance-reporting documentation Answer: A 97.Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control? A. Require written authorization for all payment transactions B. Restrict payment authorization to senior staff members. C. Reconcile payment transactions with invoices. 20 / 22 https://www.dumpsinfo.com/ D. Review payment transaction history Answer: A 98.An organization outsourced its IS functions To meet its responsibility for disaster recovery, the organization should: A. discontinue maintenance of the disaster recovery plan (DRP> B. coordinate disaster recovery administration with the outsourcing vendor C. delegate evaluation of disaster recovery to a third party D. delegate evaluation of disaster recovery to internal audit Answer: B 99.A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed. Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity? A. Continuous 24/7 support must be available. B. The vendor must have a documented disaster recovery plan (DRP) in place. C. Source code for the software must be placed in escrow. D. The vendor must train the organization's staff to manage the new software Answer: C 100.An organization's IT risk assessment should include the identification of: A. vulnerabilities B. compensating controls C. business needs D. business process owners Answer: A 101.During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective. Which of the following is the auditor's BEST action? A. Explain to IT management that the new control will be evaluated during follow-up B. 
Re-perform the audit before changing the conclusion. C. Change the conclusion based on evidence provided by IT management. D. Add comments about the action taken by IT management in the report. Answer: B 102.Which of the following should be identified FIRST during the risk assessment process? A. Vulnerability to threats B. Existing controls C. Information assets D. Legal requirements Answer: C Explanation: Based on the information provided, the first step in the risk assessment process should be to identify C: Information assets. Information assets are the most important component of the risk assessment process, as they are the basis for assessing the potential risks to the organization. Identifying 21 / 22 https://www.dumpsinfo.com/ information assets allows the auditor to assess the value and criticality of the assets and determine the level of risk associated with them. Once the information assets have been identified, the auditor can then move on to assess the vulnerability of the assets to threats, evaluate existing controls, and consider any relevant legal requirements. 103.An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach? A. implement a control self-assessment (CSA) B. Conduct a gap analysis C. Develop a maturity model D. Evaluate key performance indicators (KPIs) Answer: D 104.When assessing the overall effectiveness of an organization's disaster recovery planning process, which of the following is MOST important for the IS auditor to verify? A. Management contracts with a third party for warm site services. B. Management schedules an annual tabletop exercise. C. Management documents and distributes a copy of the plan to all personnel. D. Management reviews and updates the plan annually or as changes occur. Answer: D Powered by TCPDF (www.tcpdf.org) 22 / 22 https://www.dumpsinfo.com/ http://www.tcpdf.org