Text Material Preview
CISA Exam Name: Certified Information Systems Auditor
Full version: 1158 Q&As
Full version of CISA Dumps: https://www.certqueen.com/CISA.html
Share some CISA exam dumps below.

1. During a follow-up engagement, an IS auditor confirms evidence of a problem that was not an issue in the original audit. Which of the following is the auditor's BEST course of action?
A. Include the evidence as part of a future audit.
B. Report only on the areas within the scope of the follow-up.
C. Report the risk to management in the follow-up report.
D. Expand the follow-up scope to include examining the evidence.
Answer: C

2. Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?
A. Penetration testing
B. Application security testing
C. Forensic audit
D. Server security audit
Answer: C
Explanation: The most important review to conduct when an IS auditor learns that a bug in a business application has recently been exploited internally is C, a forensic audit. A forensic audit collects, analyzes and preserves evidence of fraud, corruption or other illegal or unethical activity. It lets the IS auditor identify and document the source, scope and impact of the exploitation, as well as the perpetrators, motives and methods involved, and it supports any legal action or investigation that arises from the incident. Penetration testing and application security testing look for weaknesses that could be exploited in the future; they do not establish what happened in an incident that has already occurred, and they should wait until the evidence has been preserved.

3. During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?
A. Perform substantive testing of terminated users' access rights.
B. Perform a review of terminated users' account activity.
C.
Communicate risks to the application owner.
D. Conclude that IT general controls are ineffective.
Answer: B
Explanation: Having determined that many terminated users' accounts were not disabled, the IS auditor's next step is to review those accounts' activity: check whether any of them were used after the user's termination date, which would indicate unauthorized or fraudulent access. The auditor should then assess the impact and risk of any such activity on the confidentiality, integrity and availability of IT resources and data. The other options are less appropriate at this point because they do not yet provide evidence of the extent and effect of the problem: substantive testing of access rights shows what the accounts could do, not what they did, and communicating the risk or concluding on IT general controls both come after the activity review has established the facts.
Reference: CISA Review Manual, 27th Edition, page 240

4. An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?
A. Implement security awareness training.
B. Install vendor patches.
C. Review hardware vendor contracts.
D. Review security log incidents.
Answer: B
Explanation: The best way to prevent a chip-level vulnerability from being exploited is to install the vendor patches. A chip-level vulnerability is a flaw in the design or implementation of a processor that lets an attacker bypass its normal security mechanisms to read privileged information or execute malicious code. The fix for a hardware flaw cannot change the silicon already in service; it arrives as a microcode update from the processor vendor, delivered through BIOS/UEFI firmware or operating-system updates, together with operating-system and hypervisor mitigations. Installing these promptly on every affected system protects against the known exploits and reduces the risk of data leakage or compromise. After installation, the auditor should confirm that the microcode version and the mitigation status reported by the operating system actually reflect the update, since a patch that was downloaded but never applied to the firmware protects nothing.
Security awareness training, reviewing hardware vendor contracts and reviewing security log incidents are not as effective as installing vendor patches. Security awareness training teaches users about the importance of security and how to avoid common threats. Reviewing hardware vendor contracts is a legal exercise that evaluates the terms and conditions agreed with the processor supplier. Reviewing security log incidents examines the records of security events and activities on the system. These methods may serve other security purposes, but none of them addresses the root cause of the chip-level vulnerability or prevents its exploitation.
Reference: Protecting your device against chip-related security vulnerabilities; New 'Downfall' Flaw Exposes Valuable Data in Generations of Intel Chips

5. Management has learned the implementation of a new IT system will not be completed on time and has requested an audit. Which of the following audit findings should be of GREATEST concern?
A. The actual start times of some activities were later than originally scheduled.
B. Tasks defined on the critical path do not have resources allocated.
C. The project manager lacks formal certification.
D. Milestones have not been defined for all project products.
Answer: B
Explanation: The finding of greatest concern is that tasks on the critical path have no resources allocated. The critical path is the sequence of activities that determines the minimum time required to complete the project, so a critical-path task that cannot start for lack of resources delays the whole project and is likely to drive cost overruns as well.
Some activities starting later than originally scheduled is a deviation from the plan, but it does not affect the overall completion date unless those activities are on the critical path. A project manager without formal certification may affect the quality and efficiency of project management, but it does not by itself make the project manager incompetent or unqualified. Milestones not being defined for every project product weakens progress tracking, but it is a reporting gap rather than a direct cause of delay, and it matters less than critical-path work that cannot be done at all.
Reference: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.3: IT Project Management

6. An IS auditor found that operations personnel failed to run a script contributing to year-end financial statements. Which of the following is the BEST recommendation?
A. Retrain operations personnel.
B. Implement a closing checklist.
C. Update the operations manual.
D. Bring staff with financial experience into operations.
Answer: B
Explanation: The best recommendation is to implement a closing checklist, which ensures that every required task and script is performed and verified during the year-end closing process [1][2]. A checklist also helps prevent the errors, omissions and delays that could affect the accuracy and timeliness of the financial statements [3]. Retraining staff and updating the operations manual address the people and the documentation, but neither gives a step-by-step control that catches a skipped step at the time it is skipped.
Reference: [1] Year-end closing procedures for GL - Dynamics GP | Microsoft Learn; [2] Year-end activities FAQ - Finance | Dynamics 365 | Microsoft Learn; [3] Year-End Closing Checklist: 10 Steps to Close Your Books; Year End Closing Checklist: 7 Steps to Make it Easy

7. Which of the following is an example of a preventive control for physical access?
A. Keeping log entries for all visitors to the building
B.
Implementing a fingerprint-based access control system for the building
C. Installing closed-circuit television (CCTV) cameras for all ingress and egress points
D. Implementing a centralized logging server to record instances of staff logging into workstations
Answer: B
Explanation: A preventive control deters or stops an undesirable event before it occurs. A fingerprint-based access control system for the building is a preventive control for physical access because it keeps unauthorized persons from entering the premises. Keeping visitor log entries, installing CCTV cameras at ingress and egress points, and centrally logging staff logins to workstations are detective controls: they record or reveal events that have already occurred. (The last option also concerns logical access to workstations, not physical access to the building.)
Reference: IS Audit and Assurance Tools and Techniques; CISA Certification | Certified Information Systems Auditor | ISACA

8. Which of the following is a PRIMARY responsibility of a quality assurance (QA) team?
A. Creating test data to facilitate the user acceptance testing (UAT) process
B. Managing employee onboarding processes and background checks
C. Advising the steering committee on quality management issues and remediation efforts
D. Implementing procedures to facilitate adoption of quality management best practices
Answer: D
Explanation: A quality assurance (QA) team is responsible for ensuring that the organization's products or services meet the quality standards and expectations of customers and stakeholders [1].
A QA team plans, designs and executes quality tests and audits; identifies, analyzes and reports quality issues, defects and non-conformities; recommends and implements corrective and preventive actions so that problems are resolved and do not recur; monitors and measures the effectiveness and efficiency of the quality processes; maintains quality documentation, records and reports; and provides quality training, guidance and support to staff and management [1]. One of its primary responsibilities is therefore to implement procedures that facilitate the adoption of quality management best practices, meaning the methods, techniques and tools proven to achieve and maintain high quality in an organization [2]: a customer-focused approach that aims to meet or exceed customer requirements and satisfaction; a process approach that manages interrelated activities as a coherent system; continuous improvement of the performance and value of products or services; evidence-based decision making that relies on factual data and information; and a culture of engagement and empowerment that involves and motivates the people in the organization [2]. By embedding these practices, a QA team helps the organization improve the quality and reliability of its products or services, reduce the costs and risks of poor quality or non-compliance, increase customer loyalty and retention, enhance its reputation and competitiveness, and foster a culture of excellence and innovation [2]. The other options are
not primary responsibilities of a QA team. Creating test data for user acceptance testing (UAT) is a task a QA team may perform, but it is not its main duty: UAT is the process in which end users test the product or service to confirm that it meets their needs and expectations before release or deployment [3], and while QA can construct test data that simulates real-world scenarios and conditions, it does not conduct UAT. Managing employee onboarding and background checks is not a QA responsibility at all; onboarding integrates new hires into the organization and background checks verify the identity, credentials and history of prospective employees [4], and both are handled by the human resources department or an external agency. Advising the steering committee on quality management issues and remediation efforts is something a QA team may do, but a steering committee is a group of senior executives or managers who provide strategic direction, oversight and support for a project or program [5], and the QA team is neither accountable for the committee's decisions nor responsible for implementing them. Therefore option D is the correct answer.
Reference: [1] Quality Assurance Team: Roles & Responsibilities; [2] What are the Best Practices in Quality Management?; [3] User Acceptance Testing (UAT): A Complete Guide; [4] Employee Onboarding Process: Definition & Best Practices; [5] What Is A Steering Committee? - The Basics

9. During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:
A. note the noncompliance in the audit working papers.
B. issue an audit memorandum identifying the noncompliance.
C.
include the noncompliance in the audit report.
D. determine why the procedures were not followed.
Answer: D

10. Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?
A. The method relies exclusively on the use of public key infrastructure (PKI).
B. The method relies exclusively on the use of digital signatures.
C. The method relies exclusively on the use of asymmetric encryption algorithms.
D. The method relies exclusively on the use of 128-bit encryption.
Answer: C
Explanation: The greatest concern is that the method relies exclusively on asymmetric encryption. Asymmetric (public key) algorithms use a key pair: the recipient publishes a public key that anyone can use to encrypt data to them, and keeps the matching private key secret to decrypt it. This solves the key distribution problem that symmetric algorithms (one shared secret key for both encryption and decryption) have, but asymmetric operations are orders of magnitude slower than symmetric ones and can only encrypt a very short message per operation (for RSA-2048 with OAEP and SHA-256, 190 bytes at most). Relying on them alone is therefore impractical for moving large volumes of sensitive data between offices. The standard method is hybrid: use asymmetric encryption to exchange, or wrap, a fresh symmetric key, then encrypt the data itself with a symmetric algorithm such as AES. The other options are not as concerning as option C.
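The hybrid construction just described, as an added Go example that is not part of the exam material or the ISACA references: a fresh AES-256 key is generated per message and wrapped with the receiving office's RSA-OAEP public key, and the bulk data is encrypted with AES-GCM, which also authenticates it. The key pair, the sample payload and the Envelope format are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels between the offices: the per-message AES key
// wrapped with the receiving office's RSA public key, plus the AES-GCM nonce
// and the ciphertext of the bulk data. (Format constructed for this example.)
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewRecipientKey generates the receiving office's key pair (2048-bit RSA).
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// MaxRSAPlaintext is the most RSA-OAEP (SHA-256) can encrypt directly with
// this key: modulus size minus 2*hash length minus 2, i.e. 190 bytes for a
// 2048-bit key. Anything larger must go through a symmetric cipher, which is
// why an "asymmetric only" transfer method does not work in practice.
func MaxRSAPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// Seal encrypts plaintext of any size for the holder of pub. A fresh 256-bit
// data-encryption key (DEK) is generated per message; only those 32 bytes are
// RSA-encrypted, the bulk data is encrypted and authenticated with AES-GCM.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96 bits, unique per (key, message)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open unwraps the DEK with the recipient's private key and decrypts. The
// GCM authentication tag makes any modification of the ciphertext fail here,
// so the envelope provides integrity as well as confidentiality.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or corrupted envelope")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	// Constructed payload of nearly 1 MB, far beyond what RSA could encrypt directly.
	payload := bytes.Repeat([]byte("payroll-record;"), 1<<16)
	fmt.Printf("RSA-2048 alone encrypts at most %d bytes; payload is %d bytes\n",
		MaxRSAPlaintext(&priv.PublicKey), len(payload))

	env, err := Seal(&priv.PublicKey, payload)
	if err != nil {
		panic(err)
	}
	got, err := Open(priv, env)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, payload))

	// An attacker on the path flips one ciphertext bit: GCM rejects the message.
	env.Ciphertext[len(env.Ciphertext)/2] ^= 0x80
	_, err = Open(priv, env)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

The RSA step costs the same whether the payload is 1 KB or 1 GB, because it only ever sees the 32-byte key; that is the efficiency argument behind answer C. An auditor reviewing a real transfer method would additionally look for how the recipient's public key is distributed and validated (that is where PKI, option A, comes in) and for nonce reuse under a long-lived symmetric key, which this per-message DEK design avoids.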
Relying exclusively on public key infrastructure (PKI) is not a concern, because PKI is the system of services and mechanisms for creating, managing, distributing, using, storing and revoking the digital certificates that bind public keys to identities; it enables secure and authenticated communication between parties who have no prior trust relationship. Relying exclusively on digital signatures is not a concern, because a digital signature uses asymmetric cryptography to verify the authenticity and integrity of a message or document: the sender cannot deny having sent it, and the receiver can detect any tampering or alteration. Relying exclusively on 128-bit encryption is not a concern either: a 128-bit symmetric key (AES-128, for example) is considered strong enough to resist brute-force attack by any foreseeable computer. The option only makes sense read as a symmetric key length; 128 bits would be hopelessly small for an RSA modulus.
Reference: Asymmetric vs Symmetric Encryption: What are differences?; Public Key Infrastructure (PKI); Digital Signature; What is 128-bit Encryption?

11. An IS auditor finds that the process for removing access for terminated employees is not documented. What is the MOST significant risk from this observation?
A. Procedures may not align with best practices.
B. Human resources (HR) records may not match system access.
C. Unauthorized access cannot be identified.
D. Access rights may not be removed in a timely manner.
Answer: D
Explanation: The most significant risk from this observation is that access rights may not be removed in a timely manner.
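The review that question 3 calls for, and the timeliness risk just named, as an added Go example that is not part of the exam material: HR termination records are cross-checked against the application's account status and against successful logins in an authentication log, and every exception becomes a finding. The record layouts, the log line format and all the sample data are constructed for this example; a real engagement would load them from the HR export, the application's user table and the authentication log.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Termination is an HR record: the user ID and their last working day.
type Termination struct {
	User    string
	LastDay time.Time
}

// Account is the application's record for the same user ID.
type Account struct {
	Enabled    bool
	DisabledOn time.Time // zero while still enabled
}

// Finding is one exception for the working papers.
type Finding struct{ User, Issue, Detail string }

// ReviewTerminatedUsers cross-checks HR terminations against application
// account status and successful logins. It reports accounts still enabled,
// accounts disabled more than maxLagDays after the last working day, users
// with no application record at all, and any successful login after the
// last working day (whatever the account's state is today).
func ReviewTerminatedUsers(terms []Termination, accts map[string]Account, authLog []string, maxLagDays int) []Finding {
	var out []Finding
	for _, t := range terms {
		cutoff := t.LastDay.AddDate(0, 0, 1) // end of the last working day
		a, ok := accts[t.User]
		switch {
		case !ok:
			out = append(out, Finding{t.User, "no-account-record", "application has no record for a terminated user"})
		case a.Enabled:
			out = append(out, Finding{t.User, "still-enabled", "last day was " + t.LastDay.Format("2006-01-02")})
		default:
			if lag := int(a.DisabledOn.Sub(t.LastDay).Hours() / 24); lag > maxLagDays {
				out = append(out, Finding{t.User, "late-disable", fmt.Sprintf("disabled %d days after last day (limit %d)", lag, maxLagDays)})
			}
		}
		for _, line := range authLog {
			if ts, user, ok := parseLogin(line); ok && user == t.User && ts.After(cutoff) {
				out = append(out, Finding{t.User, "post-termination-login", "successful login at " + ts.Format(time.RFC3339)})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { // deterministic order for reporting
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		if out[i].Issue != out[j].Issue {
			return out[i].Issue < out[j].Issue
		}
		return out[i].Detail < out[j].Detail
	})
	return out
}

// parseLogin reads the constructed log format
// "2024-03-05T09:12:44Z LOGIN user=jdoe result=success"; failed logins and
// lines of any other shape are skipped rather than guessed at.
func parseLogin(line string) (time.Time, string, bool) {
	f := strings.Fields(line)
	if len(f) != 4 || f[1] != "LOGIN" || f[3] != "result=success" {
		return time.Time{}, "", false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return time.Time{}, "", false
	}
	return ts, strings.TrimPrefix(f[2], "user="), true
}

func day(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }

// Constructed sample data: four leavers, three account records, six log lines.
func SampleTerminations() []Termination {
	return []Termination{
		{"asmith", day("2024-02-29")}, {"jdoe", day("2024-03-01")},
		{"mlee", day("2024-03-03")}, {"rkim", day("2024-03-10")},
	}
}

func SampleAccounts() map[string]Account {
	return map[string]Account{
		"asmith": {Enabled: false, DisabledOn: day("2024-03-01")}, // disabled the next day
		"jdoe":   {Enabled: true},                                  // never disabled
		"mlee":   {Enabled: false, DisabledOn: day("2024-03-20")}, // disabled 17 days late
		// rkim: no application record at all
	}
}

var SampleAuthLog = []string{
	"2024-02-28T17:55:02Z LOGIN user=asmith result=success",
	"2024-03-05T09:12:44Z LOGIN user=jdoe result=success",
	"2024-03-06T08:01:10Z LOGIN user=jdoe result=failure",
	"2024-03-04T22:40:00Z LOGIN user=mlee result=success",
	"2024-03-02T10:00:00Z LOGIN user=bwong result=success",
	"garbled line the parser must skip",
}

func main() {
	for _, f := range ReviewTerminatedUsers(SampleTerminations(), SampleAccounts(), SampleAuthLog, 3) {
		fmt.Printf("%-8s %-24s %s\n", f.User, f.Issue, f.Detail)
	}
}
```

On the sample data this yields five findings: jdoe is still enabled and logged in four days after leaving, mlee was disabled 17 days late and also logged in after leaving, and rkim has no application record to check at all. The "late-disable" measurement is exactly the risk question 11 describes; the "post-termination-login" findings are the evidence question 3's activity review is looking for.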
If the process for removing access for terminated employees is not documented, there is no clear guidance or accountability for who takes which actions, how and when, to revoke the access rights of employees who leave the organization. The result can be delays, inconsistencies or omissions in removing access rights, which would allow terminated employees to retain unauthorized access to the organization's systems and data and so compromise the confidentiality, integrity and availability of its information assets.
Reference: CISA Review Manual (Digital Version); CISA Questions, Answers & Explanations Database

12. Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?
A. Electronic copies of customer sales receipts are maintained.
B. Monthly bank statements are reconciled without exception.
C. Nightly batch processing has been replaced with real-time processing.
D. The data transferred over the POS interface is encrypted.
Answer: A
Explanation: The option that gives the IS auditor assurance that the POS-to-general-ledger interface transfers sales data completely and accurately is A, electronic copies of customer sales receipts are maintained. The receipts are an independent record of the transactions that occurred at the POS, which the auditor can compare, transaction by transaction and in total, with the data posted to the general ledger; that comparison reveals any errors, omissions or discrepancies in the transfer. The other options are not as effective in providing this assurance.
B. Monthly bank statements are reconciled without exception.
Monthly bank statements record the organization's cash inflows and outflows, which need not match the sales data recorded by the POS system and the general ledger: delays, discounts, returns and refunds all affect cash flow without affecting sales revenue. A bank reconciliation with no exceptions therefore does not show that the sales data is complete and accurate.
C. Nightly batch processing has been replaced with real-time processing. Nightly batch processing transfers data from the POS system to the general ledger in batches at a scheduled time, usually overnight; real-time processing transfers each transaction as it occurs. Real-time processing may improve the timeliness and efficiency of the transfer, but it does not guarantee completeness or accuracy; errors, omissions and discrepancies can still occur and still need to be detected and corrected.
D. The data transferred over the POS interface is encrypted. Encryption transforms data into an unreadable form using a secret key, so that only authorized parties can recover the original. It protects the confidentiality of the data in transit, but it says nothing about whether every transaction arrived or whether the amounts are right.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 247 [1]; ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription [2]; Sales Audit Overview - Oracle [3]; Notes on Audit of Ledgers - Guidelines to Auditors - Accountlearning

13. Which of the following is the BEST way to strengthen the security of smart devices to prevent data leakage?
A.
Enforce strong security settings on smart devices.
B. Require employees to formally acknowledge security procedures.
C. Review access logs to the organization's sensitive data in a timely manner.
D. Include usage restrictions in bring your own device (BYOD) security procedures.
Answer: A

14. What is the PRIMARY benefit of using one-time passwords?
A. An intercepted password cannot be reused.
B. Security for applications can be automated.
C. Users do not have to memorize complex passwords.
D. Users cannot be locked out of an account.
Answer: A
Explanation: The primary benefit of one-time passwords is that an intercepted password cannot be reused: each password is valid for a single login session or transaction, so capturing one (by shoulder surfing, keylogging or sniffing) gives the attacker nothing to replay later. Note what they do not do: a one-time password can still be used by an attacker who obtains it and submits it before the legitimate user does, as in a real-time phishing relay, so the benefit is replay resistance, not immunity to interception. The other options are not the primary benefit. Application security can be automated with or without one-time passwords. Users may still have to memorize a PIN or a complex password, or carry a device or software that generates the one-time passwords. And users can still be locked out of an account after entering incorrect or expired one-time passwords.
Reference: CISA Review Manual (Digital Version), Chapter 6, Section 6.1

15. An IT strategic plan that BEST leverages IT in achieving organizational goals will include:
A. a comparison of future needs against current capabilities.
B. a risk-based ranking of projects.
C. enterprise architecture (EA) impacts.
D. IT budgets linked to the organization's budget.
Answer: C
Explanation: An IT strategic plan that best leverages IT in achieving organizational goals will include enterprise architecture (EA) impacts. EA is the practice of analyzing, designing, planning and implementing the enterprise's structure and systems so that it can execute its business strategies [1].
EA helps an organization structure its IT projects and policies to align with business goals, stay agile and resilient through rapid change, and keep up with industry trends and disruptions [1]. It also describes the organization's processes, information systems, personnel and other organizational subunits in relation to its core goals and strategies [2]. Including EA impacts in the IT strategic plan ensures that IT initiatives are consistent with the business vision, objectives and tactics and support the desired business outcomes [3]. A comparison of future needs against current capabilities, a risk-based ranking of projects and IT budgets linked to the organization's budget are all important elements of an IT strategic plan, but none of them by itself leverages IT to achieve organizational goals. The comparison identifies gaps and opportunities for improvement but gives no direction or roadmap for closing them. The risk-based ranking prioritizes the most critical and beneficial projects but does not ensure they are aligned with the business strategy or deliver value to stakeholders. Linked IT budgets allocate resources and monitor costs but do not reflect IT's contribution to business performance or growth.
Reference: [1] Implement Agile IT Strategic Planning with Enterprise Architecture - The Open Group Blog; [2] What is enterprise architecture? A framework for transformation | CIO; [3] Strategic Planning and Enterprise Architecture

16. An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization's wider security threat and vulnerability management program. Which of the following would BEST enable the organization to work toward improvement in this area?
A.
Implementing security logging to enhance threat and vulnerability management
B. Maintaining a catalog of vulnerabilities that may impact mission-critical systems
C. Using a capability maturity model to identify a path to an optimized program
D. Outsourcing the threat and vulnerability management function to a third party
Answer: C
Explanation: The best way to move the threat and vulnerability management program toward improvement is to use a capability maturity model to identify a path to an optimized program. A capability maturity model is a framework that lets an organization assess its current level of performance and maturity in a specific domain and provides guidance and best practices for reaching higher levels [1][2]. Applied to vulnerability management, it lets the organization evaluate its current practices (here, ad hoc scanning with no link to the wider program), identify the gaps and weaknesses, and implement improvement actions against defined criteria and objectives [3][4]. Logging, a vulnerability catalog and outsourcing are each a single capability or delivery choice; none of them tells the organization where it stands or what to do next.
Reference: [1] What is a Capability Maturity Model?; [2] Capability Maturity Model - Wikipedia; [3] Vulnerability Management Maturity Model - SANS Institute; [4] 5 Stages Of Vulnerability Management Maturity Model - SecPod Blog

17. Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
A. Assignment of responsibility for each project to an IT team member
B. Adherence to best practice and industry approved methodologies
C. Controls to minimize risk and maximize value for the IT portfolio
D. Frequency of meetings where the business discusses the IT portfolio
Answer: C
Explanation: Controls to minimize risk and maximize value for the IT portfolio are the most important consideration when reviewing IT portfolio management, because they ensure that the portfolio aligns with the business strategy, objectives and priorities and that IT investments deliver optimal benefits and outcomes.
Assigning responsibility for each project to an IT team member, adhering to best practice and industry-approved methodologies, and the frequency of meetings at which the business discusses the IT portfolio are all relevant aspects of IT portfolio management, but they are not as important as the controls that minimize risk and maximize value.
Reference: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.3

18. Which of the following is MOST critical to the success of an information security program?
A. Alignment of information security with IT objectives
B. Management's commitment to information security
C. Integration of business and information security
D. User accountability for information security
Answer: B
Explanation: Management's commitment to information security is the most critical factor for the success of an information security program, because it provides the leadership, support and resources needed to establish and maintain a secure environment. Management demonstrates that commitment by setting the vision, mission and goals for information security and aligning them with the organization's strategies and objectives; establishing and enforcing the information security policies, standards and procedures and ensuring compliance with relevant laws and regulations; allocating sufficient budget, staff and technology and investing in training and awareness programs; and promoting a culture of security within the organization and engaging with stakeholders and partners to foster trust and collaboration. Alignment with IT objectives, integration with the business and user accountability all depend on that commitment; without it, none of them can be sustained.

19. An IS auditor reviewing incident response management processes notices that resolution times for recurring incidents have not shown improvement. Which of the following is the auditor's BEST recommendation?
A. Harden IT system and application components based on best practices.
B.
Incorporate a security information and event management (SIEM) system into incident response.
C. Implement a survey to determine future incident response training needs.
D. Introduce problem management into incident response.
Answer: D
Explanation: The auditor's best recommendation is D, introduce problem management into incident response. Problem management is the practice of identifying, analyzing and resolving the root causes of recurring incidents and preventing or reducing their future impact. Incident management restores service; problem management removes the reason the same incident keeps coming back. It improves resolution times for recurring incidents by eliminating or mitigating the underlying problems and by providing permanent solutions, including known-error records and workarounds that can be reused or automated, and it reduces the workload and complexity of dealing with repetitive issues. Hardening, a SIEM and a training survey may each help, but none of them targets the root causes of the incidents that keep recurring.

20. Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
A. Temperature sensors
B. Humidity sensors
C. Water sensors
D. Air pressure sensors
Answer: C
Explanation: Water sensors detect the presence of water or moisture in a given area. They are deployed below the raised floor tiles of a data center, where leaks from cooling pipework and condensation collect first, to detect water that could damage equipment or create electrical hazards; they alert data center staff or trigger an automatic response to contain the leak. The other options are not normally deployed under the floor. Temperature and humidity sensors are placed above the floor, typically near the equipment, to measure the ambient conditions and confirm adequate cooling and ventilation. Air pressure sensors are placed at the air vents or ducts to monitor airflow and pressure distribution.
Reference: Data Center Environmental Monitoring; Water Detection in Data Centers

21.
An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?
A. Benchmark organizational performance against industry peers.
B. Implement key performance indicators (KPIs).
C. Require executive management to draft IT strategy.
D. Implement annual third-party audits.
Answer: C
Explanation: The best recommendation for improving IT governance is C, require executive management to draft the IT strategy. IT governance is the process of establishing and maintaining the policies, roles, responsibilities and accountabilities for managing technology and its risks within an organization. One of its key objectives is alignment and integration between technology and business strategy, leading to optimal outcomes and value creation. It is therefore essential that executive management, who set the organization's vision, mission and goals, are the ones who draft the IT strategy that supports and enables them. Requiring executive management to draft the IT strategy ensures that it is consistent and coherent with the business strategy and reflects the organization's priorities, values and culture; enhances communication and collaboration between IT and business functions and fosters a shared understanding of and commitment to the strategy; and increases accountability and transparency for IT performance and outcomes, so that IT investments stay within the organization's risk appetite and value proposition. Benchmarking, KPIs and third-party audits measure and report; they do not by themselves create the business ownership of IT direction that governance requires.

22. Which of the following should be the FIRST step when conducting an IT risk assessment?
A. Identify potential threats.
B. Assess vulnerabilities.
C. Identify assets to be protected.
D. Evaluate controls in place.
Answer: C Explanation: The first step when conducting an IT risk assessment is to identify assets to be protected, which include hardware, software, data, processes, people, and facilities that support the business objectives and operations of an organization. Identifying assets to be protected helps to establish the scope and boundaries of the risk assessment, as well as the value and criticality of each asset. Identifying potential threats, assessing vulnerabilities, and evaluating controls in place are subsequent steps in the risk assessment process that depend on the identification of assets to be protected. Reference: CISA Review Manual (Digital Version), Chapter 2: Governance & Management of IT, Section 2.3: IT Risk Management 23. An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production? 15 / 107 A. Staging B. Testing C. Integration D. Development Answer: A Explanation: A staging environment is a replica of the production environment that is used to test and verify software before deploying it to production. A staging environment is most likely to have the same software version as production, as it mimics the real-world conditions and configurations that will be encountered in production. A testing environment is a separate environment that is used to perform various types of testing on software, such as functional testing, performance testing, security testing, etc. A testing environment may not have the same software version as production, as it may undergo frequent changes or updates based on testing results or feedback. An integration environment is a separate environment that is used to combine and test software components or modules from different developers or sources, to ensure that they work together as expected. 
An integration environment may not have the same software version as production, as it may involve different versions or branches of software from different sources. A development environment is a separate environment that is used by developers to create and modify software code. A development environment may not have the same software version as production, as it may contain unfinished or untested code that has not been released yet.

24. Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?
A. Route the traffic from the sensor system through a proxy server.
B. Hash the data that is transmitted from the sensor system.
C. Implement network address translation on the sensor system.
D. Transmit the sensor data via a virtual private network (VPN) to the server.
Answer: B

25. Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?
A. Chief information security officer (CISO)
B. Information security steering committee
C. Board of directors
D. Chief information officer (CIO)
Answer: C
Explanation: Information security governance is the subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security program. Information security governance is essential for ensuring that an organization's information assets are protected from internal and external threats, and that the organization complies with relevant laws and standards. Of the roles listed, the board of directors (C) has the most influence over information security governance. The board of directors is the highest governing body of an organization, responsible for overseeing its strategic direction, performance, and accountability. The board of directors sets the tone at the top for information security governance by:
- Establishing a clear vision, mission, and values for information security
- Approving and reviewing information security policies and standards
- Allocating sufficient resources and budget for information security
- Appointing and empowering a chief information security officer (CISO) or equivalent role
- Holding management accountable for information security performance and compliance
- Communicating and promoting information security awareness and culture
The board of directors has the most influence over information security governance because it has the ultimate authority and responsibility for ensuring that information security is aligned with the organization's business objectives, risks, and stakeholder expectations.
Reference: What is Information Security Governance? - RiskOptics - Reciprocity; Information Security Governance and Risk Management - Moss Adams; ISO/IEC 27014:2020 - Information security, cybersecurity and privacy …

26. Which of the following is the MOST important advantage of participating in beta testing of software products?
A. It increases an organization's ability to retain staff who prefer to work with new technology.
B. It improves vendor support and training.
C. It enhances security and confidentiality.
D. It enables an organization to gain familiarity with new products and their functionality.
Answer: D
Explanation: Beta testing is the process of releasing a near-final version of a software product to a group of external users, known as beta testers, who provide feedback and report bugs based on their real-world experiences. Beta testing offers various benefits for both the developers and the users of the software product.
Some of these benefits are:
- It reduces product failure risk via customer validation [1][2].
- It helps to test post-launch infrastructure [1].
- It helps to improve product quality via customer feedback [1][2].
- It allows for thorough bug detection and issue resolution [3].
- It enhances usability and user experience [3].
- It increases customer satisfaction and loyalty [3].
Based on these benefits, the most important advantage of participating in beta testing of software products is D, it enables an organization to gain familiarity with new products and their functionality. By being involved in beta testing, an organization can learn how to use the new product effectively, discover its features and benefits, and provide suggestions for improvement. This can help the organization to adopt the new product faster, more easily, and more efficiently when it is officially released. It can also give the organization a competitive edge over other users who are not familiar with the new product.

27. Which of the following MOST effectively minimizes downtime during system conversions?
A. Phased approach
B. Direct cutover
C. Pilot study
D. Parallel run
Answer: D
Explanation: The most effective way to minimize downtime during system conversions is to use a parallel run. A parallel run is a method of system conversion where both the old and new systems operate simultaneously for a period of time until the new system is verified to be functioning correctly. This reduces the risk of errors, data loss, or system failure during conversion and allows for a smooth transition from one system to another.
Reference: CISA Review Manual, 27th Edition, page 467

28. An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?
A. Percentage of new hires that have completed the training.
B. Number of new hires who have violated enterprise security policies.
C. Number of reported incidents by new hires.
D. Percentage of new hires who report incidents
Answer: A
Explanation: The best metric to assure compliance with the policy of providing security awareness training to all new employees is the percentage of new hires that have completed the training, as this directly measures the extent to which the policy is implemented and enforced. The number of new hires who have violated enterprise security policies, the number of reported incidents by new hires, and the percentage of new hires who report incidents are not directly related to the policy, as they may depend on other factors such as the nature and frequency of threats, the effectiveness of security controls, and the reporting culture of the organization.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.7

29. An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?
A. Report the mitigating controls.
B. Report the security posture of the organization.
C. Determine the value of the firewall.
D. Determine the risk of not replacing the firewall.
Answer: D
Explanation: The IS auditor's next course of action after finding that firewalls are outdated and not supported by vendors should be to determine the risk of not replacing the firewall. Outdated firewalls may have known vulnerabilities that can be exploited by attackers to bypass security controls and access the network. They may also lack compatibility with newer technologies or standards that are required for optimal network performance and protection. Not replacing the firewall could expose the organization to various threats, such as data breaches, denial-of-service attacks, malware infections, or regulatory non-compliance. The IS auditor should assess the likelihood and impact of these threats and quantify the risk level for management to make informed decisions.

30.
An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported; the auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
A. Verify all patches have been applied to the software system's outdated version
B. Close all unused ports on the outdated software system.
C. Segregate the outdated software system from the main network.
D. Monitor network traffic attempting to reach the outdated software system.
Answer: C
Explanation: The best way to reduce the immediate risk associated with using an unsupported version of the software is to segregate the outdated software system from the main network. An unsupported software system may have unpatched vulnerabilities that could be exploited by attackers to compromise the system or access sensitive data. By isolating the system from the rest of the network, the organization can limit the exposure and impact of a potential breach. Verifying all patches have been applied to the outdated software system, closing all unused ports on the outdated software system, and monitoring network traffic attempting to reach the outdated software system are also good practices, but they do not address the root cause of the risk, which is the lack of vendor support and updates.
Reference: CISA Review Manual, 27th Edition, page 295 [1]; CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

31. Which of the following findings would be of GREATEST concern to an IS auditor reviewing the security architecture of an organization that has just implemented a Zero Trust solution?
A. An increase in security-related costs
B. User complaints about the new mode of working
C. An increase in user identification errors
D. A noticeable drop in the performance of IT systems
Answer: C

32. Which of the following findings would be of GREATEST concern when auditing an organization's end-user computing (EUC)?
A. Errors flowed through to financial statements
B. Reduced oversight by the IT department
C. Inconsistency of patching processes being followed
D. Inability to monitor EUC audit logs and activities
Answer: C

33. Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
A. The BCP's contact information needs to be updated
B. The BCP is not version controlled.
C. The BCP has not been approved by senior management.
D. The BCP has not been tested since it was first issued.
Answer: D
Explanation: The greatest concern for an IS auditor reviewing an organization's business continuity plan (BCP) is that the BCP has not been tested since it was first issued. A BCP is a document that describes how an organization will continue its critical business functions in the event of a disruption or disaster. A BCP should include information such as roles and responsibilities, recovery strategies, resources, procedures, communication plans, and backup arrangements [3]. Testing the BCP is a vital step in ensuring its validity, effectiveness, and readiness. Testing the BCP involves simulating various scenarios and executing the BCP to verify whether it meets its objectives and requirements. Testing the BCP can also help to identify and correct any gaps, errors, or weaknesses in the BCP before they become issues during a real incident [4]. Therefore, an IS auditor should be concerned if the BCP has not been tested since it was first issued, as it may indicate that the BCP is outdated, inaccurate, incomplete, or ineffective. The other options are less concerning or incorrect because:
A. Contact information that needs to be updated is not a great concern for an IS auditor reviewing an organization's BCP, as it is a minor issue that can be easily fixed.
Contact information refers to the names, phone numbers, email addresses, or other details of the people involved in the BCP execution or communication. Contact information needs to be updated regularly to reflect any changes in personnel or roles. While having outdated contact information may cause some delays or confusion during a BCP activation, it does not affect the overall validity or effectiveness of the BCP.
B. The BCP not being version controlled is not a great concern for an IS auditor reviewing an organization's BCP, as it is a moderate issue that can be improved. Version control refers to the process of tracking and managing changes made to the BCP over time. Version control helps to ensure that only authorized changes are made to the BCP and that there is a clear record of who made what changes, when, and why. Version control also helps to avoid conflicts or inconsistencies among different versions of the BCP. While having no version control may cause some difficulties or risks in maintaining and updating the BCP, it does not affect the overall validity or effectiveness of the BCP.
C. The BCP not having been approved by senior management is not a great concern for an IS auditor reviewing an organization's BCP, as it is a high-level issue that can be resolved. Approval by senior management refers to the formal endorsement and support of the BCP by the top executives or leaders of the organization. Approval by senior management helps to ensure that the BCP is aligned with the organization's strategy, objectives, and priorities, and that it has sufficient resources and authority to be implemented. Approval by senior management also helps to increase the awareness and commitment of the organization's stakeholders to the BCP. While having no approval by senior management may affect the credibility and acceptance of the BCP, it does not affect the overall validity or effectiveness of the BCP.
Reference: Working Toward a Managed, Mature Business Continuity Plan - ISACA; ISACA Introduces New Audit Programs for Business Continuity/Disaster …; Disaster Recovery and Business Continuity Preparedness for Cloud-based …

34. What is the MOST critical finding when reviewing an organization's information security management?
A. No dedicated security officer
B. No official charter for the information security management system
C. No periodic assessments to identify threats and vulnerabilities
D. No employee awareness training and education program
Answer: C
Explanation: The most critical finding when reviewing an organization's information security management is no periodic assessments to identify threats and vulnerabilities. Periodic assessments are essential for ensuring that the organization's information security policies, procedures, standards, and controls are aligned with the current and emerging risks and threats that may affect its information assets. Without periodic assessments, the organization may not be aware of its actual security posture, gaps, or weaknesses, and may not be able to take appropriate measures to mitigate or prevent potential security incidents. No dedicated security officer, no official charter for the information security management system, and no employee awareness training and education program are also findings that may indicate some deficiencies in the organization's information security management, but they are not as critical as no periodic assessments to identify threats and vulnerabilities.
Reference: ISACA CISA Review Manual 27th Edition, page 343.

35. Which of the following is the MOST important control for virtualized environments?
A. Regular updates of policies for the operation of the virtualized environment
B. Hardening for the hypervisor and guest machines
C. Redundancy of hardware resources and network components
D.
Monitoring utilization of resources at the guest operating system level
Answer: B
Explanation: The most important control for virtualized environments is hardening for the hypervisor and guest machines. Hardening is the process of applying security measures and configurations to reduce the vulnerabilities and risks of a system or device. Hardening for the hypervisor and guest machines is essential for protecting the virtualized environments from attacks, as they are exposed to various threats from both the physical and virtual layers. Hardening for the hypervisor and guest machines involves the following steps:
- Applying the latest patches and updates for the hypervisor and guest operating systems, as well as the applications and drivers running on them.
- Configuring the firewall and network settings for the hypervisor and guest machines, to restrict and monitor the network traffic and prevent unauthorized access or communication.
- Disabling or removing any unnecessary or unused features, services, accounts, or ports on the hypervisor and guest machines, to minimize the attack surface and reduce the potential entry points for attackers.
- Enforcing strong authentication and authorization policies for the hypervisor and guest machines, to ensure that only authorized users or administrators can access or manage them.
- Encrypting the data and communication for the hypervisor and guest machines, to protect the confidentiality and integrity of the information stored or transmitted on them.
- Implementing logging and auditing mechanisms for the hypervisor and guest machines, to record and track any activities or events that occur on them, and enable detection and investigation of any incidents or anomalies.
Hardening for the hypervisor and guest machines can help prevent or mitigate common attacks on virtualized environments, such as:
- Hypervisor escape: An attack where a malicious guest machine breaks out of its isolated environment and gains access to the hypervisor or other guest machines.
- Hypervisor compromise: An attack where an attacker exploits a vulnerability or misconfiguration in the hypervisor to gain control over it or its resources.
- Guest compromise: An attack where an attacker exploits a vulnerability or misconfiguration in a guest machine to gain access to its data or applications.
- Guest impersonation: An attack where an attacker creates a fake or cloned guest machine to trick other guests or users into interacting with it.
- Guest denial-of-service: An attack where an attacker consumes or exhausts the resources of a guest machine to disrupt its availability or performance.
Therefore, hardening for the hypervisor and guest machines is the most important control for virtualized environments, as it can enhance their security, reliability, and performance.
Reference: Hypervisor security on the Azure fleet; Chapter 2: Hardening the Hyper-V host; Plan for Hyper-V security in Windows Server

36. When assessing whether an organization's IT performance measures are comparable to other organizations in the same industry, which of the following would be MOST helpful to review?
A. IT governance frameworks
B. Benchmarking surveys
C. Utilization reports
D. Balanced scorecard
Answer: B
Explanation: IT performance measures are indicators of how well an organization is achieving its IT goals and objectives. Benchmarking surveys are useful tools for comparing an organization's IT performance measures with those of other organizations in the same industry or sector.
Benchmarking surveys can provide insights into best practices, gaps, trends, and opportunities for improvement. IT governance frameworks, utilization reports, and balanced scorecards are not as helpful for comparing IT performance measures across organizations, as they may vary in scope, methodology, and terminology.
Reference: IT Resources | Knowledge & Insights | ISACA; CISA Review Manual (Digital Version)

37. During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
A. Recovery point objective (RPO)
B. Maximum allowable downtime (MAD)
C. Mean time to restore (MTTR)
D. Key performance indicators (KPIs)
Answer: B
Explanation: The primary factor to determine system criticality is the maximum allowable downtime (MAD), which is the maximum period of time that a system can be unavailable before causing significant damage or risk to the organization. The MAD reflects the business impact and the recovery requirements of the system, and it can be used to prioritize the systems and allocate the resources for disaster recovery planning. The other options are not as important as the MAD, and they may vary depending on the system characteristics and the recovery strategy. The recovery point objective (RPO) is the maximum amount of data loss that is acceptable for a system. The mean time to restore (MTTR) is the average time required to restore a system after a failure. The key performance indicators (KPIs) are metrics that measure the performance and effectiveness of a system.
Reference: CISA Review Manual (Digital Version) [1], pages 468-469.

38. An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?
A. Manual sign-in and sign-out log
B. System electronic log
C. Alarm system with CCTV
D. Security incident log
Answer: B
Explanation: A system electronic log is the most useful source of information for an IS auditor to review all access attempts to a video-monitored and proximity card-controlled communications room. A system electronic log can provide accurate and detailed records of the date, time, card number, and status (success or failure) of each access attempt. A system electronic log can also be easily searched, filtered, and analyzed by the auditor to identify any unauthorized or suspicious access attempts.
A manual sign-in and sign-out log is not as reliable or useful as a system electronic log, because it depends on the honesty and compliance of the users. A manual log can be easily manipulated, forged, or omitted by the users or intruders. A manual log also does not capture the status of each access attempt, and it can be difficult to verify the identity of the users based on their signatures.
An alarm system with CCTV is not as useful as a system electronic log, because it only captures the events that trigger the alarm, such as unauthorized or forced entry. An alarm system with CCTV does not provide a complete record of all access attempts, and it can be affected by factors such as camera angle, lighting, and resolution. An alarm system with CCTV also requires more time and effort from the auditor to review the video footage.
A security incident log is not as useful as a system electronic log, because it only records the incidents that are reported by the users or detected by the security staff. A security incident log does not provide a comprehensive record of all access attempts, and it can be incomplete or inaccurate depending on the reporting and detection mechanisms. A security incident log also does not capture the details of each access attempt, such as the card number and status.
Reference: ISACA CISA Review Manual 27th Edition (2019), page 247; ISACA CISA Certified Information Systems Auditor Exam … - PUPUWEB

39. After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
A. Verifying that access privileges have been reviewed
B. Investigating access rights for expiration dates
C. Updating the continuity plan for critical resources
D. Updating the security policy
Answer: A
Explanation: The most important task for an IS auditor to perform after the merger of two organizations is to verify that access privileges have been reviewed. Access privileges are the permissions granted to users, groups, or roles to access, modify, or manage IT resources, such as systems, applications, data, or networks. After a merger, the IS auditor should ensure that the access privileges of both organizations are aligned with the new business objectives, policies, and processes, and that there are no conflicts, overlaps, or gaps in the access rights. The IS auditor should also verify that the access privileges are based on the principle of least privilege, which means that users are granted only the minimum level of access required to perform their tasks. The other options are not as important as verifying that access privileges have been reviewed:
- Investigating access rights for expiration dates is a useful task, but it is not the most important one. Expiration dates are the dates when access rights are automatically revoked or suspended after a certain period of time or after a specific event. The IS auditor should check that the expiration dates are set appropriately and enforced consistently, but this is not as critical as reviewing the access privileges themselves.
- Updating the continuity plan for critical resources is a necessary task, but it is not the most urgent one. A continuity plan is a document that outlines the procedures and actions to be taken in the event of a disruption or disaster that affects the availability of IT resources. The IS auditor should update the continuity plan to reflect the changes and dependencies introduced by the merger, but this can be done after verifying that the access privileges are secure and compliant.
- Updating the security policy is an essential task, but it is not the most immediate one. A security policy is a document that defines the rules and guidelines for securing IT resources and protecting information assets. The IS auditor should update the security policy to incorporate the best practices and standards of both organizations, and to address any new risks or threats posed by the merger, but this can be done after verifying that the access privileges are aligned with the policy.

40. Which of the following is the BEST evidence that an organization's IT strategy is aligned to its business objectives?
A. The IT strategy is modified in response to organizational change.
B. The IT strategy is approved by executive management.
C. The IT strategy is based on IT operational best practices.
D. The IT strategy has significant impact on the business strategy
Answer: B
Explanation: The best evidence that an organization's IT strategy is aligned to its business objectives is that the IT strategy is approved by executive management. This implies that the IT strategy has been reviewed and validated by the senior leaders of the organization, who are responsible for setting and overseeing the business objectives. The IT strategy may be modified in response to organizational change, based on IT operational best practices, or have significant impact on the business strategy, but these are not sufficient indicators of alignment without executive approval.
Reference: CISA Review Manual (Digital Version) [1], Chapter 1, Section 1.2.1

41. An organization is implementing a new data loss prevention (DLP) tool.
Which of the following will BEST enable the organization to reduce false positive alerts?
A. Using the default policy and tool rule sets
B. Configuring a limited set of rules
C. Deploying the tool in monitor mode
D. Reducing the number of detection points
Answer: B
Explanation: To reduce false positive alerts, it is essential to carefully configure a limited set of rules tailored to the organization's specific data loss prevention needs. This ensures that the DLP tool accurately identifies true positives and reduces the occurrence of false alarms.
Reference: ISACA CISA Review Manual 27th Edition, pages 304-305 (DLP Tool Configuration)

42. Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?
A. Data owners are not trained on the use of data conversion tools.
B. A post-implementation lessons-learned exercise was not conducted.
C. There is no system documentation available for review.
D. System deployment is routinely performed by contractors.
Answer: C

43. Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
A. Perimeter firewall
B. Data loss prevention (DLP) system
C. Web application firewall
D. Network segmentation
Answer: D
Explanation: Network segmentation is the best security measure to reduce the risk of propagation when a cyberattack occurs, because it divides the network into smaller subnetworks that are isolated from each other and have different access controls and security policies. This limits the spread of malicious traffic and prevents attackers from accessing sensitive data or systems in other segments. A perimeter firewall, a data loss prevention (DLP) system, and a web application firewall are also useful security measures, but they do not prevent propagation within the network as effectively as network segmentation does.
Reference: CISA Review Manual (Digital Version) [1], Chapter 5, Section 5.2.3

44. Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
A. Information security program plans
B. Penetration test results
C. Risk assessment results
D. Industry benchmarks
Answer: C
Explanation: The best source of information for an IS auditor to use when determining whether an organization's information security policy is adequate is the risk assessment results. The risk assessment results provide the auditor with an overview of the organization's risk profile, including the identification, analysis, and evaluation of the risks that affect the confidentiality, integrity, and availability of the information assets. The auditor can use the risk assessment results to compare the organization's information security policy with the risk appetite, risk tolerance, and risk treatment strategies of the organization. The auditor can also use the risk assessment results to evaluate whether the information security policy is aligned with the organization's objectives, requirements, and regulations.
Reference: Performance Measurement Guide for Information Security; ISO 27001 Annex A.5 - Information Security Policies; CISA Certified Information Systems Auditor - Question0551

45. Which of the following is the MAJOR advantage of automating internal controls?
A. To enable the review of large value transactions
B. To efficiently test large volumes of data
C. To help identify transactions with no segregation of duties
D. To assist in performing analytical reviews
Answer: B
Explanation: The major advantage of automating internal controls is to efficiently test large volumes of data, because automated controls can perform repetitive tasks faster, more accurately, and more consistently than manual controls.
Automated controls can also provide audit trails and exception reports that facilitate the monitoring and evaluation of the control effectiveness12. Reviewing large value transactions, identifying transactions with no segregation of duties, and performing analytical reviews are possible benefits of automating internal controls, but not the major advantage. Reference: 1: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.2 2: CISA Online Review Course, Module 5, Lesson 2 46. Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts 29 / 107 payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control? A. Require written authorization for all payment transactions B. Restrict payment authorization to senior staff members. C. Reconcile payment transactions with invoices. D. Review payment transaction history Answer: A Explanation: Requiring written authorization for all payment transactions is the IS auditor’s best recommendation for a compensating control in an environment where segregation of duties (SoD) cannot be enforced in an accounts payable system. SoD is a principle that requires different individuals or functions to perform different tasks or roles in a business process, such as initiating, approving, recording and reconciling transactions. SoD reduces the risk of errors, fraud and misuse of resources by preventing any single person or function from having excessive or conflicting authority or responsibility. A compensating control is a control that mitigates or reduces the risk associated with the absence or weakness of another control. Requiring written authorization for all payment transactions is a compensating control that provides an independent verification and approval of each transaction before it is processed by the accounts payable system. 
This control can help to detect and prevent unauthorized, duplicate or erroneous payments, and to ensure compliance with policies and procedures. The other options are not as effective as option A, as they do not provide an independent verification or approval of payment transactions. Restricting payment authorization to senior staff members is a control that limits the number of people who can authorize payments, but it does not prevent them from initiating or processing payments themselves, which could violate SoD. Reconciling payment transactions with invoices is a control that verifies that the payments match the invoices, but it does not prevent unauthorized, duplicate or erroneous payments from being processed by the accounts payable system. Reviewing payment transaction history is a control that monitors and analyzes the payment transactions after they have been processed by the accounts payable system, but it does not prevent unauthorized, duplicate or erroneous payments from occurring in the first place. Reference: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.2: Logical Access. 47. Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful? A. Analyze whether predetermined test objectives were met. 30 / 107 B. Perform testing at the backup data center. C. Evaluate participation by key personnel. D. Test offsite backup files. Answer: A Explanation: The best way to determine whether a test of a disaster recovery plan (DRP) was successful is to analyze whether predetermined test objectives were met. Test objectives are specific, measurable, achievable, relevant, and time-bound (SMART) goals that define what the test aims to accomplish and how it will be evaluated. 
Test objectives should be aligned with the DRP objectives and scope, and should cover aspects such as recovery time objectives (RTOs), recovery point objectives (RPOs), critical business functions, roles and responsibilities, communication channels, backup systems, and contingency procedures. By comparing the actual test results with the expected test objectives, the IS auditor can measure the effectiveness and efficiency of the DRP and identify any gaps or weaknesses that need to be addressed. 48. An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor? A. KPI data is not being analyzed B. KPIs are not clearly defined C. Some KPIs are not documented D. KPIs have never been updated Answer: B Explanation: KPIs are not clearly defined is the most concerning finding for an IS auditor, because it implies that the third-party vendor does not have a clear understanding of what constitutes success or failure in their performance. This can lead to inaccurate or misleading reporting, poor decision making, and lack of accountability. KPIs should be SMART (specific, measurable, achievable, relevant, and time-bound) and aligned with the business objectives and expectations of the stakeholders12. Reference: 1: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2 2: CISA Online Review Course, Module 5, Lesson 3 49. Which of the following is a concern associated with virtualization? 31 / 107 A. The physical footprint of servers could decrease within the data center. B. Performance issues with the host could impact the guest operating systems. C. Processing capacity may be shared across multiple operating systems. D. One host may have multiple versionsof the same operating system. 
Answer: B Explanation: A concern associated with virtualization is that performance issues with the host could impact the guest operating systems, which are the operating systems that run on virtual machines within the host. For example, if the host has insufficient memory, CPU, disk space, or network bandwidth, it could affect the performance and availability of the guest operating systems and the applications running on them. The physical footprint of servers could decrease within the data center, processing capacity may be shared across multiple operating systems, and one host may have multiple versions of the same operating system are not concerns associated with virtualization, but rather benefits or features of virtualization that can help reduce costs, improve efficiency, and enhance flexibility. Reference: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations and Business Resilience, Section 4.2: IT Service Delivery and Support 50. Which of the following is the BEST way to ensure that an application is performing according to its specifications? A. Unit testing B. Pilot testing C. System testing D. Integration testing Answer: D Explanation: Integration testing is the best way to ensure that an application is performing according to its specifications, because it tests the interaction and compatibility of different modules or components of the application. Unit testing, pilot testing and system testing are also important, but they do not cover the whole functionality and integration of the application as well as integration testing does. Reference: CISA Review Manual (Digital Version)1, Chapter 4, Section 4.2.3 51. What should be the PRIMARY basis for selecting which IS audits to perform in the coming year? 32 / 107 A. Senior management's request B. Prior year's audit findings C. Organizational risk assessment D. 
Previous audit coverage and scope Answer: C Explanation: The primary basis for selecting which IS audits to perform in the coming year is the organizational risk assessment. An organizational risk assessment is a formal process for identifying, evaluating, and controlling risks that may affect the achievement of the organization’s goals and objectives3. An organizational risk assessment can help IS auditors prioritize and plan their audit activities based on the level of risk exposure and impact of each area or process within the organization. An organizational risk assessment can also help IS auditors align their audit objectives and criteria with the organization’s strategy and performance indicators. Senior management’s request, prior year’s audit findings, and previous audit coverage and scope are also possible bases for selecting which IS audits to perform in the coming year, but not as primary as the organizational risk assessment. These factors are more secondary or supplementary sources of information that can help IS auditors refine or adjust their audit plan based on specific needs or issues identified by management or previous audits. However, these factors may not reflect the current or emerging risks that may affect the organization’s operations or performance. Reference: ISACA CISA Review Manual 27th Edition, page 295 52. An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step? A. Verify that the compromised systems are fully functional B. Focus on limiting the damage C. Document the incident D. Remove and restore the affected systems Answer: B Explanation: An incident response team has been notified of a virus outbreak in a network subnet. The next step should be to focus on limiting the damage by containing the virus and preventing it from spreading further. 
This may involve isolating the affected systems, disconnecting them from the network, blocking malicious traffic or applying patches or antivirus updates. Verifying that the compromised systems are fully functional, documenting the incident and removing and restoring the affected systems are possible steps that could be taken after limiting the damage. 33 / 107 Reference: : [Incident Response Definition] : [Incident Response Process | ISACA] : [Virus Definition] 53. An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development? A. Source code version control B. Project change management controls C. Existence of an architecture review board D. Configuration management Answer: B Explanation: Scope creep is the uncontrolled expansion of a project’s scope, which can result in delays, cost overruns, and quality issues. To mitigate the risk of scope creep, an IS auditor should look for project change management controls, which are processes and procedures for managing changes to the project’s scope, schedule, budget, and quality. Project change management controls ensure that changes are properly requested, approved, documented, communicated, and implemented. Source code version control, existence of an architecture review board, and configuration management are also important for software development, but they do not directly address the risk of scope creep. Reference: ISACA Frameworks: Blueprints for Success, Project Management Institute: A Guide to the Project Management Body of Knowledge 54. Which of the following is the PRIMARY advantage of using visualization technology for corporate applications? A. Improved disaster recovery B. Better utilization of resources C. Stronger data security D. 
Increased application performance Answer: B Explanation: Visualization technology is the use of software and hardware to create graphical representations of data, such as charts, graphs, maps, images, etc. Visualization technology can help users to understand, analyze, and communicate complex and large amounts of data in an intuitive and engaging way1. 34 / 107 One of the primary advantages of using visualization technology for corporate applications is that it can improve the utilization of resources, such as time, money, human capital, and physical assets. Some of the ways that visualization technology can achieve this are: Visualization technology can help users to quickly and easily explore, filter, and interact with data, reducing the need for manual data processing and analysis1. This can save time and effort for both data producers and consumers, and allow them to focus on more value-added tasks. Visualization technology can help users to discover patterns, trends, outliers, correlations, and causations in data that may otherwise be hidden or overlooked in traditional reports or tables1. This can enable users to make better and faster decisions based on data-driven insights, and optimize their strategies and actions accordingly. Visualization technology can help users to communicate and share data more effectively and persuasively with different audiences, such as customers, partners, investors, regulators, etc1. This can enhance the reputation and credibility of the organization, and foster collaboration and innovation among stakeholders. Visualization technology can help users to monitor and measure the performance and impact of their activities, products, services, or processes1. This can help users to identify problems or opportunities for improvement, and adjust their plans or actions accordingly. Visualization technology can help users to create engaging and interactive experiences for their customers or end-users1. 
This can increase customer satisfaction and loyalty, and generate more revenue or value for the organization. Therefore, using visualization technology for corporate applications can help organizations to better utilize their resources and achieve their goals. Reference: ISACA,CISA Review Manual, 27th Edition, 2019 ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription TechRadar Blog, Best data visualization tools of 20232 IBM Blog, What is Data Visualization?3 TDWI Blog, Data Visualization Technology4 Tableau Blog, What are the advantages and disadvantages of data visualization? 55. In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the: A. allocation of IT staff. B. project management methodologies used. C. major IT initiatives. D. links to operational tactical plans. 35 / 107 Answer: C Explanation: In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the major IT initiatives that are aligned with the organization’s vision, mission, and objectives, and that support the business strategy and priorities12. The major IT initiatives should also be realistic, measurable, and achievable, and should have clear timelines, budgets, and responsibilities34. Reference 1: IT Strategy Template for a Successful Strategic Plan | Gartner2 2: IT Strategy Template for a Successful Strategic Plan | Gartner4 3: Conduct a Strategic Plan Review & Assessment - Governance3 4: Time To Conduct A Strategy Review? Here’s How To Get Started1 56. Which of the following would be an IS auditor's BEST recommendation to senior management when several IT initiatives are found to be misaligned with the organization's strategy? A. Define key performance indicators (KPIs) for IT. B. Modify IT initiatives that do not map to business strategies. C. Reassess the return on investment (ROI) for the IT initiatives. D. Reassess IT initiatives that do not map to business strategies. Answer: D 57. 
Which of the following security risks can be reduced by a properly configured network firewall?
A. SQL injection attacks
B. Denial of service (DoS) attacks
C. Phishing attacks
D. Insider attacks
Answer: B
Explanation: A network firewall is a device or software that monitors and controls the incoming and outgoing network traffic based on predefined rules. A network firewall can help reduce the risk of denial of service (DoS) attacks, which are attempts to overwhelm a system or network with excessive requests or traffic, by filtering or blocking unwanted or malicious packets. A SQL injection attack is a type of code injection attack that exploits a vulnerability in a web application's database query, by inserting malicious SQL statements into the input fields. A phishing attack is a type of social engineering attack that attempts to trick users into revealing sensitive information or installing malware, by sending fraudulent emails or messages that impersonate legitimate entities. An insider attack is a type of malicious activity that originates from within an organization, such as employees, contractors, or partners, who abuse their access privileges or credentials to compromise the confidentiality, integrity, or availability of information systems or data. A network firewall cannot prevent these types of attacks, as they rely on exploiting human or application weaknesses rather than network vulnerabilities.

58. Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?
A. Inaccurate business impact analysis (BIA)
B. Inadequate IT change management practices
C. Lack of a benchmark analysis
D. Inadequate IT portfolio management
Answer: D
Explanation: An IT framework for alignment between IT and business objectives is a set of principles, guidelines, and practices that help an organization to ensure that its IT investments support its strategic goals, deliver value, manage risks, and optimize resources. One of the benefits of implementing such a framework is that it enables effective IT portfolio management, which is the process of selecting, prioritizing, monitoring, and evaluating the IT projects and services that comprise the IT portfolio. An IT portfolio is a collection of IT assets, such as applications, infrastructure, data, and capabilities, that are aligned with the business needs and objectives. IT portfolio management helps an organization to achieve the following outcomes:
Align the IT portfolio with the business strategy and vision
Balance the IT portfolio among different types of investments, such as innovation, growth, maintenance, and compliance
Optimize the IT portfolio performance, value, and risk
Enhance the IT portfolio decision-making and governance
Improve the IT portfolio communication and transparency
Therefore, inadequate IT portfolio management is a major concern that can be addressed by implementing an IT framework for alignment between IT and business objectives. Inadequate IT portfolio management can result in the following issues:
Misalignment of the IT portfolio with the business needs and expectations
Imbalance of the IT portfolio among competing demands and priorities
Suboptimal use of the IT resources and capabilities
Lack of visibility and accountability of the IT portfolio outcomes and impacts
Poor communication and collaboration among the IT portfolio stakeholders
The other possible options are:
Inaccurate business impact analysis (BIA): A BIA is a process of identifying and assessing the potential effects of a disruption or disaster on the critical business functions and processes. A BIA helps an organization to determine the recovery priorities, objectives, and strategies for its business continuity plan. A BIA is not directly related to an IT framework for alignment between IT and business objectives, although it may use some inputs from the IT portfolio management. Therefore, an inaccurate BIA is not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives.
Inadequate IT change management practices: IT change management is a process of controlling and managing the changes to the IT environment, such as hardware, software, configuration, or documentation. IT change management helps an organization to minimize the risks and disruptions caused by the changes, ensure the quality and consistency of the changes, and align the changes with the business requirements. IT change management is not directly related to an IT framework for alignment between IT and business objectives, although it may support some aspects of the IT portfolio management. Therefore, inadequate IT change management practices are not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives.
Lack of a benchmark analysis: A benchmark analysis is a process of comparing an organization's performance, processes, or practices with those of other organizations or industry standards. A benchmark analysis helps an organization to identify its strengths and weaknesses, set realistic goals and targets, and implement best practices for improvement. A benchmark analysis is not directly related to an IT framework for alignment between IT and business objectives, although it may provide some insights for the IT portfolio management. Therefore, lack of a benchmark analysis is not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives.
Reference:
1: What is Portfolio Management? | Smartsheet
2: What Is Portfolio Management? - Definition from Techopedia
3: What Is Project Portfolio Management (PPM)? | ProjectManager.com
4: What Is Business Impact Analysis? | Smartsheet
5: What Is Change Management? - Definition from Techopedia
6: Benchmarking - Wikipedia

59. Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
A. Risk avoidance
B. Risk transfer
C. Risk acceptance
D. Risk reduction
Answer: A
Explanation: The approach adopted by management in this scenario is risk avoidance. Risk avoidance is the elimination of a risk by discontinuing or not undertaking an activity that poses a threat to the organization [3]. By moving data center operations to another facility on higher ground, management is avoiding the potential flooding risk that could disrupt or damage the data center. Risk transfer, risk acceptance and risk reduction are other possible approaches for dealing with risks, but they do not apply in this case.
Reference: CISA Review Manual, 27th Edition, page 641; CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

60. An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?
A. Determine exposure to the business
B. Adjust future testing activities accordingly
C. Increase monitoring for security incidents
D. Hire a third party to perform security testing
Answer: A
Explanation: The IS auditor's best course of action when reviewing the use of an outsourcer for disposal of storage media is to determine exposure to the business. Storage media, such as hard disks, tapes, flash drives, or CDs, may contain sensitive or confidential information that needs to be protected from unauthorized access, disclosure, or misuse. The IS auditor should verify that the outsourcer has a process that appropriately sanitizes the media before disposal, such as wiping, degaussing, shredding, or incinerating, and that the process is effective and compliant with the organization's policies and standards. The IS auditor should also assess the potential impact and risk to the business if the storage media is not properly sanitized or disposed of, such as data breaches, reputational damage, legal or regulatory penalties, or loss of competitive advantage. The other options are not the best course of action, because they either do not address the root cause of the problem, or they are reactive rather than proactive measures.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.7

61. During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?
A. Review working papers with the auditee.
B. Request the auditee provide management responses.
C. Request management wait until a final report is ready for discussion.
D. Present observations for discussion only.
Answer: D
Explanation: The IS auditor's best course of action in this situation is to present observations for discussion only. Observations are factual statements or findings that are based on the audit evidence collected and analyzed during the audit. Observations can be presented to management for discussion and feedback, but they should not be considered as final conclusions or recommendations until the audit is completed and the audit report is issued. The other options are not appropriate for presenting the findings to date, as they may compromise the audit quality or integrity. Reviewing working papers with the auditee is not advisable, as working papers are confidential documents that contain the auditor's notes, calculations, and opinions that may not be relevant or accurate for management's review. Requesting the auditee provide management responses is premature, as management responses should be obtained after the audit report is issued and the audit findings and recommendations are finalized. Requesting management wait until a final report is ready for discussion is impractical, as management may have a legitimate interest or need to know the audit progress and results as soon as possible.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.3

62. An IT balanced scorecard is the MOST effective means of monitoring:
A. governance of enterprise IT.
B. control effectiveness.
C. return on investment (ROI).
D. change management effectiveness.
Answer: A
Explanation: An IT balanced scorecard is a strategic management tool that aligns IT objectives with business goals and measures the performance of IT processes using key performance indicators (KPIs). It is the most effective means of monitoring governance of enterprise IT, which is the process of ensuring that IT supports the organization's strategy and objectives. Governance of enterprise IT covers aspects such as IT value delivery, IT risk management, IT resource management, and IT performance measurement. An IT balanced scorecard can help monitor these aspects and provide feedback to improve IT governance.
Reference: ISACA Frameworks: Blueprints for Success; CISA Review Manual (Digital Version)

63. A fire alarm system has been installed in the computer room. The MOST effective location for the fire alarm control panel would be inside the
A. computer room closest to the uninterruptible power supply (UPS) module
B. computer room closest to the server computers
C. system administrators' office
D. booth used by the building security personnel
Answer: D
Explanation: A fire alarm system is a device that detects and alerts people of the presence of fire or smoke in a building. A fire alarm control panel is the central unit that monitors and controls the fire alarm system. The most effective location for the fire alarm control panel would be inside the booth used by the building security personnel. This is because:
The security personnel can quickly and easily access the fire alarm control panel in case of an emergency, and take appropriate actions such as notifying the fire department, evacuating the building, or resetting the system.
The fire alarm control panel can be protected from unauthorized access, tampering, or damage by the security personnel, who can also monitor its status and performance regularly.
The fire alarm control panel can be isolated from the computer room, which may be exposed to higher risks of fire or smoke due to the presence of electrical equipment, such as uninterruptible power supply (UPS) modules or server computers.
The fire alarm control panel can be connected to the computer room through a dedicated communication line, which can ensure reliable and timely transmission of signals and information between the two locations.
Reference:
[1]: Fire Alarm Control Panel - an overview | ScienceDirect Topics
[2]: Fire Alarm Control Panel - What is it and how does it work? | Fire Protection Online
[3]: Fire Alarm Control Panel Installation Guide - XLS3000 - Honeywell

64. Which of the following applications has the MOST inherent risk and should be prioritized during audit planning?
A. A decommissioned legacy application
B. An onsite application that is unsupported
C. An outsourced accounting application
D. An internally developed application
Answer: C
Explanation: An outsourced accounting application has the most inherent risk and should be prioritized during audit planning because it involves external parties, sensitive data, and complex transactions that are susceptible to material misstatement, error, or fraud [1][2]. An outsourced accounting application also requires more oversight and monitoring from the internal audit department to ensure compliance with the service level agreement and the organization's policies and standards [3].
Reference:
1: Inherent Risk: Definition, Examples, and 3 Types of Audit Risks
2: 3 Types of Audit Risk - Inherent, Control and Detection - Accountinguide
3: IS Audit Basics: The Core of IT Auditing

65. During an exit meeting, an IS auditor highlights that backup cycles are being missed due to operator error and that these exceptions are not being managed. Which of the following is the BEST way to help management understand the associated risk?
A. Explain the impact to disaster recovery.
B. Explain the impact to resource requirements.
C. Explain the impact to incident management.
D. Explain the impact to backup scheduling.
Answer: A
Explanation: The best way to help management understand the associated risk of missing backup cycles due to operator error and lack of exception management is to explain the impact to disaster recovery. Disaster recovery is the process of restoring normal operations and functions after a disruptive event, such as a natural disaster, a cyberattack, or a hardware failure. Backup cycles are essential for disaster recovery, because they ensure that the organization has copies of its critical data and systems that can be restored in case of data loss or corruption. If backup cycles are missed due to operator error, and these exceptions are not managed, the organization may not have the latest or complete backups available for disaster recovery, which can result in prolonged downtime, reduced productivity, lost revenue, reputational damage, and legal or regulatory penalties. The other options are not as effective as explaining the impact to disaster recovery, because they either do not address the risk of data loss or corruption, or they focus on operational or technical aspects rather than business outcomes.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.1

66. Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?
A. Reviewing vacation patterns
B. Reviewing user activity logs
C. Interviewing senior IT management
D. Mapping IT processes to roles
Answer: D
Explanation: Mapping IT processes to roles is an activity that provides an IS auditor with the most insight regarding potential single person dependencies that might exist within the organization. Single person dependencies occur when only one person has the knowledge, skills, or access rights to perform a critical IT function. Mapping IT processes to roles can help to identify such dependencies and assess their impact on the continuity and security of IT operations. The other activities do not provide as much insight into single person dependencies, as they do not show the relationship between IT processes and roles.
Reference: CISA Review Manual, 27th Edition, page 94

67. Which of the following staff should an IS auditor interview FIRST to obtain a general overview of the various technologies used across different programs?
A. Technical architect
B. Enterprise architect
C. Program manager
D. Solution architect
Answer: B

68.
The waterfall life cycle model of software development is BEST suited for which of the following situations? 43 / 107 A. The project will involve the use of new technology. B. The project intends to apply an object-oriented design approach. C. The project requirements are well understood. D. The project is subject to time pressures. Answer: C 69. An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if: A. some of the identified throats are unlikely to occur. B. all identified throats relate to external entities. C. the exercise was completed by local management. D. neighboring organizations operations have been included. Answer: C Explanation: An IS auditor reviewing the threat assessment for a data center would be most concerned if the exercise was completed by local management, because this could introduce bias, conflict of interest, or lack of expertise in the assessment process. A threat assessment is a systematic method of identifying and evaluating the potential threats that could affect the availability, integrity, or confidentiality of the data center and its assets. A threat assessment should be conducted by an independent and qualified team that has the necessary skills, knowledge, and experience to perform a comprehensive and objective analysis of the data center’s environment, vulnerabilities, and risks1. The other options are not as concerning as option C for an IS auditor reviewing the threat assessment for a data center. Option A, some of the identified threats are unlikely to occur, is not a problem as long as the likelihood and impact of each threat are properly estimated and prioritized. A threat assessment should consider all possible scenarios, even if they have a low probability of occurrence, to ensure that the data center is prepared for any eventuality2. 
Option B, all identified threats relate to external entities, indicates incomplete coverage, since internal threats such as human error, malicious insiders, or equipment failure are also a significant source of risk for a data center; external threats are often more visible and severe, but they are not the only source of risk. A gap in coverage can be remedied by extending the assessment, however, whereas an assessment performed by the party whose operations it evaluates is compromised in its objectivity from the start. Option D, neighboring organizations' operations have been included, is not a mistake as long as the assessment also focuses on the data center's own operations. Neighboring organizations' operations may affect the data center's security and availability, especially where physical or network infrastructure is shared, so a threat assessment should take into account the interdependencies between the data center and its external environment.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019; ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription; Data Center Threats and Vulnerabilities; Datacenter threat, vulnerability, and risk assessment; Data Centre Risk Assessment

70. A proper audit trail of changes to server start-up procedures would include evidence of:
A. subsystem structure.
B. program execution.
C. security control options.
D. operator overrides.
Answer: D
Explanation: A proper audit trail of changes to server start-up procedures would include evidence of operator overrides, which are actions taken by the system operator to bypass or modify the normal execution of the server start-up process. Operator overrides may indicate unauthorized or improper changes that could affect the security, availability, or performance of the server, so the audit trail should capture and document any override that occurs during start-up. Evidence of subsystem structure, program execution, and security control options is not directly related to changes to server start-up procedures.
Subsystem structure refers to the components and relationships of a subsystem within a larger system. Program execution refers to the process of running a software program on a computer. Security control options are the settings and parameters that define the security level and access rights for a system or application. These are all important aspects of auditing a server, but they do not provide evidence of changes to server start-up procedures.

71. Which of the following BEST facilitates the legal process in the event of an incident?
A. Right to perform e-discovery
B. Advice from legal counsel
C. Preserving the chain of custody
D. Results of a root cause analysis
Answer: C
Explanation: The best way to facilitate the legal process in the event of an incident is to preserve the chain of custody of the evidence. The chain of custody is a record of who handled, accessed, or modified the evidence, and when, where, how, and why. It helps to ensure the integrity, authenticity, and admissibility of the evidence in a court of law, and it helps to prevent tampering, alteration, or loss of evidence that could compromise the investigation or the prosecution.
Reference: CISA Review Manual (Digital Version); CISA Questions, Answers & Explanations Database

72. Which of the following should an organization do to anticipate the effects of a disaster?
A. Define recovery point objectives (RPO)
B. Simulate a disaster recovery
C. Develop a business impact analysis (BIA)
D. Analyze capability maturity model gaps
Answer: C
Explanation: A business impact analysis (BIA) is the process of identifying and assessing the potential impacts that a disruption or incident could have on an organization. A BIA helps the organization understand and prepare for these potential disruptions so that it can act quickly when they arise.
A BIA tells the organization what to expect when unforeseen disruptions occur, so it can plan how to get the business back on track as quickly as possible. Therefore, a BIA is the best option for anticipating the effects of a disaster.
Reference: Business Impact Analysis (BIA): Prepare for Anything [2023], Asana; Definition of Business Impact Analysis (BIA), IT Glossary, Gartner; Business impact analysis (BIA) is a method to predict the consequences of disruptions to a business, its processes and systems by collecting relevant data.

73. Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
A. Compliance with action plans resulting from recent audits
B. Compliance with local laws and regulations
C. Compliance with industry standards and best practice
D. Compliance with the organization's policies and procedures
Answer: B
Explanation: The best test to provide assurance that a health care organization is handling patient data appropriately is compliance with local laws and regulations, as these are the primary sources of authority and obligation for data protection and privacy. Compliance with action plans, industry standards, or organizational policies and procedures is also important, but these may not cover all the legal requirements or reflect the current best practices for handling patient data.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.3

74. Which of the following BEST indicates the effectiveness of an organization's risk management program?
A. Inherent risk is eliminated.
B. Residual risk is minimized.
C. Control risk is minimized.
D. Overall risk is quantified.
Answer: B
Explanation: The effectiveness of a risk management program is measured by how well it reduces residual risk, the risk that remains after controls are applied, to an acceptable level.
Inherent risk is the risk that exists before any controls are applied, and it cannot be eliminated completely. Control risk is the risk that the controls fail to prevent or detect a risk event; it is one component of residual risk, so minimizing it alone does not show that the program as a whole is effective. Quantifying overall risk is a measurement activity rather than an outcome: knowing the size of the risk says nothing about whether the program has reduced it to an acceptable level.
Reference: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.2

75. Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
A. Audit cycle defined in the audit plan
B. Complexity of management's action plans
C. Recommendation from executive management
D. Residual risk from the findings of previous audits
Answer: D
Explanation: Residual risk from the findings of previous audits should be the primary basis for prioritizing follow-up audits, because it reflects the level of exposure and potential impact that remains after management has implemented corrective actions or accepted the risk. Follow-up audits should focus on verifying whether the residual risk is within acceptable levels and whether the corrective actions are effective and sustainable. The audit cycle defined in the audit plan, the complexity of management's action plans, and recommendations from executive management are not the primary criteria for prioritizing follow-up audits, because they do not consider the residual risk from previous audits.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.4.3

76. In an organization's feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?
A. Alternatives for financing the acquisition
B. Financial stability of potential vendors
C. Reputation of potential vendors
D. Cost-benefit analysis of available products
Answer: D
Explanation: The most important part of a feasibility study is the economics.
A cost-benefit analysis of available products is crucial because it establishes the economic viability of the project: it compares the costs of the project with the benefits it is expected to deliver, which is essential for making an informed decision. Omitting it could lead to investment in hardware that does not provide the expected returns or meet the organization's needs.
Reference: The Components of a Feasibility Study, ProjectEngineer

77. An organization's information security policies should be developed PRIMARILY on the basis of:
A. enterprise architecture (EA).
B. industry best practices.
C. a risk management process.
D. past information security incidents.
Answer: C

78. An IS auditor is reviewing a machine learning algorithm-based system for loan approvals and is preparing a data set to test the algorithm for bias. Which of the following is MOST important for the auditor's test data set to include?
A. Applicants of all ages
B. Applicants from a range of geographic areas and income levels
C. Incomplete records and incorrectly formatted data
D. Duplicate records
Answer: B

79. Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?
A. Function point analysis
B. Work breakdown structure
C. Critical path analysis
D. Software cost estimation
Answer: A
Explanation: Function point analysis (FPA) is the best methodology for estimating the complexity of developing a large business application. FPA measures the functionality of a software system based on the user requirements and the business processes that the system supports. It assigns a numerical value to each function or feature of the system based on its type, complexity, and relative size. The total number of function points represents the size and complexity of the system and can be used to estimate the development effort, cost, and time.
FPA has several advantages over other estimation methods:
- It is independent of the technology, programming language, or development methodology used for the system, so it can be applied consistently across different platforms and environments.
- It is based on the user perspective and the business value of the system rather than on technical details or implementation aspects, so it can be performed early in the project life cycle, before the design or coding phases.
- It is objective and standardized, following a set of rules and guidelines defined by the International Function Point Users Group (IFPUG), which reduces ambiguity and improves the accuracy and reliability of the estimates.
- It is adaptable and scalable, handling changes in the user requirements or the system scope, so it can support agile and iterative development approaches.
Reference: Function Point Analysis: Introduction and Fundamentals; Software Engineering | Functional Point (FP) Analysis

80. Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
A. Ensuring that audit trails exist for transactions
B. Restricting access to update programs to accounts payable staff only
C. Including the creator's user ID as a field in every transaction record created
D. Restricting program functionality according to user security profiles
Answer: D
Explanation: Restricting program functionality according to user security profiles is the best control for ensuring appropriate segregation of duties within an accounts payable department. An IS auditor should verify that the access rights and permissions of the accounts payable staff are based on their roles and responsibilities, and that no one is able to perform incompatible or conflicting functions such as creating, approving, and paying the same invoice.
This helps to prevent fraud, errors, and abuse of authority within the accounts payable process. The other options are less effective: audit trails and recording the creator's user ID are detective controls that show after the fact who did what, but they do not stop one person from performing incompatible functions, and restricting update programs to accounts payable staff as a group still allows any one member of that group to both enter and approve an invoice.
Reference: CISA Review Manual (Digital Version), Chapter 6, Section 6.3; CISA Review Questions, Answers & Explanations Database, Question ID 223

81. An IS auditor should be MOST concerned if which of the following fire suppression systems is utilized to protect an asset storage closet?
A. Deluge system
B. Wet pipe system
C. Preaction system
D. CO2 system
Answer: D
Explanation: A CO2 system is a concern for an IS auditor when used to protect an asset storage closet. While CO2 systems are effective at suppressing fires, they pose a significant safety risk to personnel: on discharge the system fills the room with carbon dioxide, displacing the oxygen, which is hazardous to anyone who is in the room at the time.
Reference: ISACA's Information Systems Auditor Study Materials

82. Which of the following is the GREATEST concern related to an organization's data classification processes?
A. Users responsible for managing records are unaware of the data classification processes.
B. Systems used to manage the data classification processes are not synchronized.
C. The data classification processes have not been updated in the last year.
D. The data classification processes are not aligned with industry standards.
Answer: A

83. Which of the following is MOST important to consider when developing a service level agreement (SLA)?
A. Description of the services from the viewpoint of the provider
B. Detailed identification of work to be completed
C. Provisions for regulatory requirements that impact the end users' businesses
D.
Description of the services from the viewpoint of the client organization
Answer: D
Explanation: The most important factor to consider when developing a service level agreement (SLA) is the description of the services from the viewpoint of the client organization, because the SLA should reflect the needs and expectations of the client and specify the measurable outcomes and performance indicators that the provider must deliver. The description of the services from the viewpoint of the provider, the detailed identification of work to be completed, and provisions for regulatory requirements that impact the end users' businesses are also important elements of an SLA, but not as crucial as the client's perspective.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.1; CISA Online Review Course, Module 5, Lesson 3

84. During which process is regression testing MOST commonly used?
A. System modification
B. Unit testing
C. Stress testing
D. Program development
Answer: A

85. Which of the following are BEST suited for continuous auditing?
A. Low-value transactions
B. Real-time transactions
C. Irregular transactions
D. Manual transactions
Answer: B
Explanation: Continuous auditing is a method of performing audit-related activities on a real-time or near real-time basis. It is best suited to real-time transactions, such as online banking, e-commerce, or electronic funds transfer, that require immediate verification and assurance. Low-value transactions are not necessarily suitable, as they may not pose significant risk or require frequent monitoring. Irregular transactions are not suitable, as they may not occur frequently or consistently enough to justify continuous auditing techniques. Manual transactions are not suitable, as they may not be captured or processed by the automated systems that make continuous auditing possible.
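The kind of check that continuous auditing applies to each real-time transaction can be made concrete. The following is an added example, not part of the CISA material or of ISACA's guidance: a small continuous-auditing engine that evaluates every transaction of a feed as it arrives against three rules (segregation of duties between creator and approver, an approval threshold, and duplicate vendor invoices). The rule set, the 10,000 threshold, the field names and the sample transactions are constructed assumptions made for illustration.

```python
"""Continuous auditing of a real-time transaction feed.

Added example, not from the CISA material: every transaction is checked
as it arrives rather than in a periodic batch. The three rules, the
approval threshold and the sample transactions are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Transaction:
    txn_id: str
    vendor: str
    invoice_no: str
    amount: float
    created_by: str
    approved_by: Optional[str]   # None when nobody has approved it yet


@dataclass
class Finding:
    txn_id: str
    rule: str
    detail: str


class ContinuousAuditor:
    """Keeps the state that cross-transaction rules need (here: invoices
    already seen) and evaluates each new transaction immediately."""

    def __init__(self, approval_threshold: float = 10_000.0) -> None:
        self.approval_threshold = approval_threshold
        self._seen_invoices: Dict[Tuple[str, str], str] = {}

    def check(self, t: Transaction) -> List[Finding]:
        findings: List[Finding] = []

        # Rule 1: segregation of duties. The person who entered the
        # transaction must not be the one who approved it.
        if t.approved_by is not None and t.approved_by == t.created_by:
            findings.append(Finding(t.txn_id, "SOD",
                                    f"{t.created_by} both created and approved"))

        # Rule 2: amounts above the threshold need a recorded approver.
        if t.amount > self.approval_threshold and t.approved_by is None:
            findings.append(Finding(t.txn_id, "UNAPPROVED",
                                    f"{t.amount:.2f} exceeds {self.approval_threshold:.2f} "
                                    "without approval"))

        # Rule 3: duplicate vendor invoice. Normalise vendor and invoice
        # number so trivial case/whitespace changes do not evade the check.
        key = (t.vendor.strip().lower(), t.invoice_no.strip().upper())
        if key in self._seen_invoices:
            findings.append(Finding(t.txn_id, "DUPLICATE",
                                    f"same vendor/invoice as {self._seen_invoices[key]}"))
        else:
            self._seen_invoices[key] = t.txn_id
        return findings

    def run(self, stream: Iterable[Transaction]) -> List[Finding]:
        results: List[Finding] = []
        for t in stream:          # in production this would be a queue or CDC feed
            results.extend(self.check(t))
        return results


# Constructed sample feed (assumption: not real data).
SAMPLE_FEED = [
    Transaction("T1", "Acme Ltd", "INV-100", 2500.00, "alice", "bob"),
    Transaction("T2", "acme ltd ", "inv-100", 2500.00, "alice", "bob"),  # re-keyed duplicate
    Transaction("T3", "Globex", "G-77", 15000.00, "carol", None),        # large, unapproved
    Transaction("T4", "Initech", "IT-5", 800.00, "dave", "dave"),        # self-approved
    Transaction("T5", "Initech", "IT-6", 12000.00, "dave", "erin"),      # clean
]


def audit_sample_feed() -> List[Finding]:
    return ContinuousAuditor().run(SAMPLE_FEED)


if __name__ == "__main__":
    for f in audit_sample_feed():
        print(f"{f.txn_id} {f.rule}: {f.detail}")
```

The duplicate rule is the one that shows why continuous auditing suits real-time feeds: it needs state accumulated across transactions, and a periodic batch run would only flag the second payment after it had already gone out.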
Reference: CISA Review Manual, 27th Edition, pages 307-308; CISA Review Questions, Answers & Explanations Database, Question ID 253

86. Who should be the FIRST to evaluate an audit report prior to issuing it to the project steering committee?
A. IS audit manager
B. Audit committee
C. Business owner
D. Project sponsor
Answer: A

87. In order for a firewall to effectively protect a network against external attacks, what fundamental practice must be followed?
A. The firewall must be placed in the demilitarized zone (DMZ).
B. Only essential external services should be permitted.
C. Filters for external information must be defined.
D. All external communication must be via the firewall.
Answer: B

88. Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process?
A. Securing information assets in accordance with the classification assigned
B. Validating that assets are protected according to assigned classification
C. Ensuring classification levels align with regulatory guidelines
D. Defining classification levels for information assets within the organization
Answer: B
Explanation: Validating that assets are protected according to their assigned classification is the primary role of the IS auditor in an organization's information classification process. The IS auditor should evaluate whether the information security controls are adequate and effective in safeguarding the information assets according to their classification levels. The other options are not the role of the IS auditor but the responsibilities of the information owners, custodians, or security managers.
Reference: CISA Review Manual (Digital Version), Chapter 6, Section 6.2.3; CISA Review Questions, Answers & Explanations Database, Question ID 206

89. What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?
A.
It facilitates easier audit follow-up
B. It enforces action plan consensus between auditors and auditees
C. It establishes accountability for the action plans
D. It helps to ensure factual accuracy of findings
Answer: C
Explanation: The primary benefit of an audit approach that requires reported findings to be issued together with related action plans, owners, and target dates is that it establishes accountability for the action plans. Accountability means that the individuals or groups responsible for implementing the action plans are clearly identified and held responsible for their completion within the specified time frame. It also implies that the action plans are monitored and evaluated to ensure that they are effective and efficient in addressing the audit findings and mitigating the associated risks. Accountability helps to ensure that audit recommendations are taken seriously and implemented properly, and that the value of the audit is realized by the organization. The other options are less relevant or incorrect:
A. Facilitating easier audit follow-up is a secondary or indirect benefit. Audit follow-up is the process of verifying whether the action plans have been implemented and whether they have resolved the audit findings. Clear action plans, owners, and target dates provide a basis for tracking and reporting the progress and status of the action plans, but they do not by themselves guarantee that the plans will be implemented or effective.
B.
Enforcing action plan consensus between auditors and auditees is a prerequisite or condition for such an approach rather than its primary benefit. Action plan consensus means that the auditors and auditees agree on the audit findings and recommendations, and on the action plans to address them. Consensus may enhance the credibility and acceptance of the audit approach, but it does not ensure that the action plans will be implemented or effective.
D. Helping to ensure factual accuracy of findings is not the primary benefit of this approach either. Factual accuracy of findings means that the audit findings are based on sufficient, reliable, relevant, and useful evidence. Factual accuracy increases confidence and trust in the audit, but it does not ensure that the action plans will be implemented or effective.
Reference: Accountability - ISACA; Audit Value - ISACA; Audit Follow-up - ISACA; Action Plan Consensus - ISACA; Factual Accuracy of Findings - ISACA

90. Which of the following is MOST important when planning a network audit?
A. Determination of IP range in use
B. Analysis of traffic content
C. Isolation of rogue access points
D. Identification of existing nodes
Answer: D
Explanation: The most important factor when planning a network audit is to identify the existing nodes on the network. Nodes are the devices or systems that are connected to the network and can communicate with each other, including servers, workstations, routers, switches, firewalls, printers, scanners, and cameras.
Identifying the existing nodes helps the auditor to determine the scope, objectives, and methodology of the audit, and to assess the network's topology, architecture, performance, security, and compliance.
Reference: CISA Review Manual (Digital Version); CISA Questions, Answers & Explanations Database

91. Which of the following BEST guards against the risk of attack by hackers?
A. Tunneling
B. Encryption
C. Message validation
D. Firewalls
Answer: B
Explanation: The best guard against the risk of attack by hackers is encryption. Encryption is the process of transforming data into an unreadable format using a secret key and an algorithm. It can protect data in transit and at rest from unauthorized access, modification, or disclosure, and combined with digital signatures or keyed hashes it can also provide authenticity and integrity. Tunneling, message validation, and firewalls are not the best guards against the risk of attack by hackers. Tunneling encapsulates one network protocol within another to create a connection between two endpoints, which is only as secure as the protection applied to the tunnel itself. Message validation verifies the format, content, and origin of a message before accepting it. Firewalls are devices or software that filter network traffic based on predefined rules. These controls may reduce the exposure to or impact of hacker attacks, but they do not protect the data itself to the same degree as encryption.

92. Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?
A. Purchasing guidelines and policies
B. Implementation methodology
C. Results of line processing
D. Test results
Answer: C
Explanation: A post-implementation review evaluates the outcome and benefits of a project or system after it has been implemented.
Its main purpose is to determine to what extent the business requirements are being met by the new system, so the aspect most likely to be assessed is the results of line processing, that is, the actual performance and functionality of the system in the operational environment.

93. Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?
A. Increased number of false negatives in security logs
B. Decreased effectiveness of root cause analysis
C. Decreased overall recovery time
D. Increased demand for storage space for logs
Answer: A
Explanation: The greatest impact of the ongoing deterioration of a detective control is an increased number of false negatives in security logs. A detective control monitors a system or process and identifies deviations or anomalies from its expected or normal behavior or performance. A security log is a record of events or activities that occur within a system or network, such as user access, file changes, system errors, or security incidents. A false negative occurs when the control fails to detect or report an actual deviation or anomaly, such as unauthorized access, a malicious modification, or a security breach. A growing number of false negatives significantly affects the organization's security posture and risk management: it prevents timely detection of and response to security threats, compromises the accuracy and reliability of security monitoring and reporting, and undermines the accountability and auditability of user actions and transactions. The other options are less impactful, because they either do not affect the detection capability of the control or have less severe consequences for security management.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.1

94. When physical destruction is not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?
A. Overwriting multiple times
B. Encrypting the disk
C. Reformatting
D. Deleting files sequentially
Answer: A
Explanation: Overwriting is a method of securely erasing data from a hard disk by replacing the existing data with random or meaningless data, making it difficult or impossible to recover the original data. Overwriting multiple times (multiple-pass overwriting) reduces the possibility that residual traces of the original data could be recovered by advanced techniques, and is performed with specialized software tools that follow defined standards or algorithms such as DoD 5220.22-M or the Gutmann method. Reformatting and deleting files only remove the file system's references to the data and leave the data itself on the platters, and encrypting the disk protects the data only as long as the key remains secret; it is not a disposal method. Note that overwriting assumes a magnetic hard disk whose sectors can be addressed directly; on solid-state drives, wear levelling and spare blocks mean an overwrite may not reach every copy of the data, which is why the drive's built-in secure-erase command or cryptographic erasure is preferred for those devices.

95. Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
A. Message encryption
B. Certificate authority (CA)
C. Steganography
D. Message digest
Answer: D
Explanation: The most effective way to ensure the integrity of data transmitted over a network is to use a message digest. A message digest is a cryptographic function that generates a unique, fixed-length value (also known as a hash or checksum) from any input data. The digest computed at the source can be compared with the digest recomputed at the destination to verify that the data has not been altered or corrupted in transit. Message encryption protects the confidentiality of data transmitted over a network by transforming it into an unreadable format using a secret key; encryption alone does not ensure integrity, since it does not prevent or detect unauthorized modifications.
A certificate authority (CA) is an entity that issues and manages digital certificates that bind public keys to identities; a CA does not itself ensure the integrity of data, as it does not prevent or detect unauthorized modifications. Steganography is a technique for hiding data within other data, such as images or audio files; it does not ensure integrity either. One caveat applies to the correct answer: a digest transmitted in the clear alongside the data detects accidental corruption, but an attacker who can modify the data in transit can also recompute and replace the digest. To detect deliberate tampering, the digest must be protected, for example by computing it with a key shared by sender and receiver (an HMAC) or by digitally signing it.
Reference: CISA Review Manual, 27th Edition, pages 383-384; CISA Review Questions, Answers & Explanations Database, Question ID 258

96. One advantage of monetary unit sampling is the fact that:
A. results are stated in terms of the frequency of items in error
B. it can easily be applied manually when computer resources are not available
C. large-value population items are segregated and audited separately
D. it increases the likelihood of selecting material items from the population
Answer: D
Explanation: Monetary unit sampling (MUS) is a statistical sampling method used to determine whether the account balances or monetary amounts in a population contain misstatements. MUS treats each individual monetary unit in the population as a separate sampling unit, so larger balances or amounts have a higher probability of being selected than smaller ones. MUS then projects the results of testing the sample to the entire population in terms of monetary value rather than error rates. One advantage of MUS is that it increases the likelihood of selecting material items, those that have a significant impact on the financial statements and could influence the decisions of users. By giving more weight to larger items, MUS makes material misstatements more likely to be detected and reported. MUS also reduces the sample size required to achieve a desired level of confidence and precision, compared with sampling methods that do not consider the value of items.
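To make the caveat on message digests in question 95 concrete, here is an added example that is not part of the CISA material: a receiver that verifies a plain SHA-256 digest is compared with one that verifies an HMAC, each faced first with random corruption and then with an attacker who rewrites the payment amount and attaches a recomputed digest. The message, the shared key and the attacker's edit are constructed assumptions; the Python standard-library hashlib and hmac modules are used as-is.

```python
"""Message digest versus keyed digest (HMAC) for data in transit.

Added example, not from the CISA material. The message, the shared key
and the attacker's edit are constructed assumptions. It shows that a
bare SHA-256 digest catches accidental corruption but not deliberate
tampering by someone who can rewrite the digest too, while an HMAC
computed with a key the attacker lacks catches both.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Assumption: a key shared out of band by sender and receiver.
SHARED_KEY = b"example-shared-key-change-me"
MESSAGE = b"payee=ACME;amount=100;ref=42"   # constructed payment instruction


def digest(data: bytes) -> str:
    """Unkeyed digest: anyone can compute it for any data."""
    return hashlib.sha256(data).hexdigest()


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: computing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(expected: str, actual: str) -> bool:
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(expected, actual)


def corrupt_in_transit(data: bytes) -> bytes:
    """Line noise: flips one bit, nobody recomputes the tag."""
    b = bytearray(data)
    b[0] ^= 0x01
    return bytes(b)


def attacker_rewrites(data: bytes) -> Tuple[bytes, str]:
    """Active attacker on the path: edits the amount and attaches a fresh
    unkeyed digest of the edited message. Without SHARED_KEY this is the
    best forgery available."""
    altered = data.replace(b"amount=100", b"amount=9100")
    return altered, digest(altered)


def run_scenarios() -> Dict[str, bool]:
    plain_tag = digest(MESSAGE)
    mac_tag = keyed_digest(SHARED_KEY, MESSAGE)

    # 1. Accidental corruption: both schemes notice.
    noisy = corrupt_in_transit(MESSAGE)
    plain_catches_noise = not verify(plain_tag, digest(noisy))
    mac_catches_noise = not verify(mac_tag, keyed_digest(SHARED_KEY, noisy))

    # 2. Deliberate tampering with the tag rewritten.
    altered, forged_tag = attacker_rewrites(MESSAGE)
    # A receiver using a plain digest trusts whatever tag arrived with the data.
    plain_catches_tamper = not verify(forged_tag, digest(altered))
    # A receiver using HMAC recomputes with the key; the forged tag cannot match.
    mac_catches_tamper = not verify(forged_tag, keyed_digest(SHARED_KEY, altered))

    return {
        "plain_digest_catches_corruption": plain_catches_noise,
        "hmac_catches_corruption": mac_catches_noise,
        "plain_digest_catches_tampering": plain_catches_tamper,
        "hmac_catches_tampering": mac_catches_tamper,
    }


if __name__ == "__main__":
    for name, caught in run_scenarios().items():
        print(f"{name}: {'detected' if caught else 'MISSED'}")
```

The only difference between the two receivers is whether the tag recomputation needs a secret; everything else, including the constant-time comparison, is identical.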
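The selection step of monetary unit sampling described in question 96, as an added worked example that is not part of the CISA material: systematic selection over a constructed population of seven balances with a 7,000 sampling interval, the resulting per-item selection probability, and the standard tainting-based projection of sample errors to the population. The population, the interval, the random start and the audited values are all assumptions chosen for illustration.

```python
"""Monetary unit sampling (MUS): systematic selection and projection.

Added example, not from the CISA material. The population, the sampling
interval, the random start and the audited values are constructed
assumptions. It shows that every monetary unit has the same chance of
selection, so an item's probability of being picked is proportional to
its amount, and any item at least as large as the interval is certain to
be selected.
"""
from typing import Dict, List, Tuple

Item = Tuple[str, float]            # (item id, recorded book value)

# Constructed population of account balances, total 28,000.
POPULATION: List[Item] = [
    ("A", 500.0), ("B", 12000.0), ("C", 250.0), ("D", 3000.0),
    ("E", 7500.0), ("F", 100.0), ("G", 4650.0),
]
SAMPLING_INTERVAL = 7000.0           # total 28,000 / desired sample size 4


def mus_select(population: List[Item], interval: float, random_start: float) -> List[str]:
    """Systematic selection: pick the item that contains every
    (random_start + k*interval)-th monetary unit of the cumulative total.
    Items that span more than one selection point are listed once."""
    if not 0 < random_start <= interval:
        raise ValueError("random start must lie in (0, interval]")
    selected: List[str] = []
    cumulative = 0.0
    next_point = random_start
    for item_id, amount in population:
        if amount <= 0:
            continue   # MUS samples positive balances; negatives are handled separately
        cumulative += amount
        hit = False
        while next_point <= cumulative + 1e-9:   # all points falling inside this item
            hit = True
            next_point += interval
        if hit:
            selected.append(item_id)
    return selected


def selection_probability(amount: float, interval: float) -> float:
    """Probability that an item is selected: amount / interval, capped at 1."""
    return min(1.0, amount / interval)


def project_misstatement(results: Dict[str, Tuple[float, float]], interval: float) -> float:
    """Project sample errors to the population.
    results maps item id -> (book value, audited value).
    Items smaller than the interval: tainting (error / book) times the interval.
    Items at least the interval size: the actual error, since they were
    certain to be selected and represent only themselves."""
    total = 0.0
    for book, audited in results.values():
        error = book - audited
        if book >= interval:
            total += error
        else:
            total += (error / book) * interval
    return round(total, 2)


if __name__ == "__main__":
    picked = mus_select(POPULATION, SAMPLING_INTERVAL, random_start=1500.0)
    print("selected:", picked)
    for item_id, amount in POPULATION:
        print(item_id, f"p={selection_probability(amount, SAMPLING_INTERVAL):.2f}")
```

With a random start of 1,500 the selection points are 1,500, 8,500, 15,500 and 22,500; item B (12,000) absorbs two of them and is selected whatever the start, while item F (100) has under a 1.5 percent chance of ever being picked, which is exactly the weighting toward material items that option D describes.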
Reference: Monetary unit sampling definition, AccountingTools; How Does Monetary Unit Sampling Work?, dummies; Audit sampling, ACCA Qualification, Students, ACCA Global

97. Which of the following strategies BEST optimizes data storage without compromising data retention practices?
A. Limiting the size of file attachments being sent via email
B. Automatically deleting emails older than one year
C. Moving emails to a virtual email vault after 30 days
D. Allowing employees to store large emails on flash drives
Answer: A
Explanation: The best strategy to optimize data storage without compromising data retention practices is to limit the size of file attachments being sent via email. This reduces the storage space required for email messages as well as the network bandwidth consumed by email traffic. File attachments can be large and often contain redundant or unnecessary information that can be compressed, converted, or removed before sending. Limiting their size encourages the use of more efficient formats, such as PDF or ZIP, or of alternative methods of sharing files, such as cloud storage or web links, without deleting anything that the retention schedule requires the organization to keep.
Reference: Data Storage Optimization: What is it and Why Does it Matter?; Data storage optimization 101: Everything you need to know

98. When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?
A. The information security department has difficulty filling vacancies
B. An information security governance audit was not conducted within the past year
C. The data center manager has final sign-off on security projects
D.
Information security policies are updated annually
Answer: C
Explanation: The finding that should be of most concern to an IS auditor when evaluating information security governance is that the data center manager has final sign-off on security projects. This indicates a lack of segregation of duties and a potential conflict of interest between operational and security roles: the data center manager may have access to sensitive information or systems that the security controls are meant to protect, and may influence or override security decisions in favor of operational convenience rather than the best interest of the organization. It also suggests that there is no clear accountability or authority for information security governance at a higher level, such as senior management or the board of directors. The other findings are less concerning, although they may indicate areas for improvement or monitoring.
Reference: ISACA, CISA Review Manual, 27th Edition, Chapter 5, Section 5.1; ISACA, IT Governance Using COBIT and Val IT: Student Booklet, 2nd Edition

99. Which of the following is the PRIMARY purpose of obtaining a baseline image during an operating system audit?
A. To identify atypical running processes
B. To verify antivirus definitions
C. To identify local administrator account access
D. To verify the integrity of operating system backups
Answer: A
Explanation: The primary purpose of obtaining a baseline image during an operating system audit is to identify atypical running processes. A baseline image is a snapshot of the normal state and configuration of an operating system, including the processes that are expected to run on it. By comparing the current state of the operating system with the baseline image, an IS auditor can detect deviations or anomalies that may indicate unauthorized or malicious activity, such as malware infection, privilege escalation, or data exfiltration.
A baseline image can also help an IS auditor to assess the performance and efficiency of the operating system, as well as its 59 / 107 compliance with security standards and policies. Verifying antivirus definitions (option B) is not the primary purpose of obtaining a baseline image, although it may be a part of the baseline configuration. Antivirus definitions are the files that contain the signatures and rules for detecting and removing malware. An IS auditor may verify that the antivirus definitions are up to date and consistent across the operating system, but this does not require obtaining a baseline image. Identifying local administrator account access (option C) is not the primary purpose of obtaining a baseline image, although it may be a part of the baseline configuration. Local administrator accounts are user accounts that have full control over the operating system and its resources. An IS auditor may identify and review the local administrator accounts to ensure that they are properly secured and authorized, but this does not require obtaining a baseline image. Verifying the integrity of operating system backups (option D) is not the primary purpose of obtaining a baseline image, although it may be a part of the backup process. Operating system backups are copies of the operating system data and settings that can be used to restore the system in case of failure or disaster. An IS auditor may verify that the operating system backups are complete, accurate, and accessible, but this does not require obtaining a baseline image. Reference: : Linuxsecurity and system hardening checklist : CISA Certification | Certified Information Systems Auditor | ISACA : CISA Certified Information Systems Auditor Study Guide, 4th Edition : CISA - Certified Information Systems Auditor Study Guide [Book] 100. When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor's GREATEST concern? A. 
Lack of ongoing maintenance costs B. Lack of training materials C. Lack of plan for pilot implementation D. Lack of detailed work breakdown structure Answer: A Explanation: The IS auditor’s greatest concern when reviewing a business case for a proposed implementation of a third-party system should be A. Lack of ongoing maintenance costs. This is because ongoing maintenance costs are an essential part of the total cost of ownership (TCO) of a third-party system, and they can have a significant impact on the return on investment (ROI) and the feasibility of the project. If the business case does not include ongoing maintenance costs, it may underestimate the true cost of the project and overestimate the benefits. This could lead to poor decision making and unrealistic expectations. 60 / 107 Lack of training materials (B), lack of plan for pilot implementation ©, and lack of detailed work breakdown structure (D) are also potential issues that could affect the quality and success of the project, but they are not as critical as lack of ongoing maintenance costs. Training materials can be developed or acquired later, pilot implementation can be planned during the project initiation or planning phase, and work breakdown structure can be refined as the project progresses. However, ongoing maintenance costs are difficult to change or estimate once the project is approved and implemented, and they can have long-term implications for the organization. Therefore, they should be included and analyzed in the business case. 101. Which of the following is the MOST important consideration when establishing operational log management? A. Types of data B. Log processing efficiency C. IT organizational structure D. Log retention period Answer: D 102. An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST recommendation prior to go-live? A. Conduct a mock conversion test. B. Review test procedures and scenarios. C. Automate the test scripts. 
D. Establish a configuration baseline. Answer: A 103. An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding? A. There are conflicting permit and deny rules for the IT group. B. The network security group can change network address translation (NAT). C. Individual permissions are overriding group permissions. D. There is only one rule per group with access privileges. Answer: C Explanation: This should result in a finding because it violates the best practice of setting rules for groups rather than users. According to one of the web search results1, using group permissions instead of individual permissions can simplify the management and maintenance of ACLs, reduce the 61 / 107 risk of human errors, and ensure consistency and compliance. Individual permissions can create conflicts, confusion, and security gaps in the ACLs. Therefore, the IS auditor should report this as a finding and recommend using group permissions instead. 104. An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices? A. Require employees to attend security awareness training. B. Password protect critical data files. C. Configure to auto-wipe after multiple failed access attempts. D. Enable device auto-lock function. Answer: C Explanation: The best recommendation to mitigate the risk of data leakage from lost or stolen devices that contain confidential data is to configure them to auto-wipe after multiple failed access attempts, as this would prevent unauthorized access and erase sensitive information from the device. Requiring employees to attend security awareness training, password protecting critical data files, or enabling device auto-lock function are also good practices, but they may not be sufficient or effective in preventing data leakage from lost or stolen devices. 
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.3 105. An IS auditor is reviewing the service agreement with a technology company that provides IT help desk services to the organization. Which of the following monthly performance metrics is the BEST indicator of service quality? A. The total number of users requesting help desk services B. The average call waiting time on each request C. The percent of issues resolved by the first contact D. The average turnaround time spent on each reported issue Answer: C Explanation: The percent of issues resolved by the first contact, also known as the first contact resolution (FCR) rate, is a metric that measures the effectiveness and efficiency of the IT help desk services. It indicates how many customer support issues are resolved on the first interaction with the IT help desk, without requiring any follow-up calls, emails, chats, or escalations. The FCR rate is calculated by dividing the number of issues resolved on the first contact by the total 62 / 107 number of customer support issues, and multiplying by 100%1. The FCR rate is the best indicator of service quality among the four monthly performance metrics, because it reflects the following aspects of the IT help desk services: Customer satisfaction: Customers are more likely to be satisfied with the IT help desk services if their issues are resolved quickly and effectively on the first contact, without having to wait for a response or repeat their problem to multiple agents. A high FCR rate can improve customer loyalty, retention, and advocacy2. Cost efficiency: Resolving issues on the first contact can reduce the operational costs of the IT help desk services, such as labor costs, phone costs, or overhead costs. A high FCR rate can also increase the productivity and utilization of the IT help desk agents, as they can handle more issues in less time3. 
Service level: Resolving issues on the first contact can improve the service level of the IT help desk services, such as reducing the average handle time (AHT), increasing the service level agreement (SLA) compliance, or decreasing the backlog of unresolved issues. A high FCR rate can also enhance the reputation and credibility of the IT help desk services4. Therefore, an IS auditor should review the FCR rate as a key performance indicator (KPI) of the IT help desk services, and compare it with the industry standards and benchmarks. According to MetricNet’s benchmarking database, the FCR industry standard is 74 percent. This number varies widely, however, from a low of about 41 percent to a high of 94 percent5. An IS auditor should also recommend ways to improve the FCR rate, such as: Training and empowering the IT help desk agents to handle a wide range of issues and provide accurate and consistent solutions Implementing a knowledge base or a self-service portal that provides relevant and updated information and guidance for common or simple issues Improving communication and collaboration between different departments or teams that may be involved in resolving complex or escalated issues Using feedback and analytics tools to monitor and measure customer satisfaction and identify areas for improvement 106. A system performance dashboard indicates several application servers are reaching the defined threshold for maximum CPU allocation. Which of the following would be the IS auditor's BEST recommendation for theIT department? A. Increase the defined processing threshold to reflect capacity consumption during normal operations. B. Notify end users of potential disruptions caused by degradation of servers. C. Terminate both ingress and egress connections of these servers to avoid overload. 63 / 107 D. Validate the processing capacity of these servers is adequate to complete computing tasks. Answer: D 107. 
A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation? A. Implement overtime pay and bonuses for all development staff. B. Utilize new system development tools to improve productivity. C. Recruit IS staff to expedite system development. D. Deliver only the core functionality on the initial target date. Answer: D Explanation: The strategy that would provide the greatest assurance of system quality at implementation is delivering only the core functionality on the initial target date. This strategy can help avoid compromising the quality of the system by focusing on the essential features that meet the user needs and expectations. Delivering only the core functionality can also help reduce the scope creep, complexity, and testing efforts of the system development project. Implementing overtime pay and bonuses for all development staff, utilizing new system development tools to improve productivity, and recruiting IS staff to expedite system development are not strategies that would provide the greatest assurance of system quality at implementation. These strategies may help speed up the system development process, but they may also introduce new risks or challenges such as burnout, learning curve, integration issues, or communication gaps. These risks or challenges may adversely affect the quality of the system. 108. During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the: A. allocation of resources during an emergency. B. frequency of system testing. C. differences in IS policies and procedures. D. maintenance of hardware and software compatibility. Answer: A Explanation: During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be most concerned with the allocation of resources during an emergency. 
A reciprocal disaster recovery agreement is an arrangement by which one organization agrees to 64 / 107 use another’s resources in the event of a business continuity event or incident. The IS auditor would need to ensure that both parties have clearly defined their roles and responsibilities, their resource requirements, their priority levels, their communication channels, and their escalation procedures in case of a disaster. The IS auditor would also need to verify that both parties have tested their agreement and have updated it regularly to reflect any changes in their business environments. The frequency of system testing is not as critical as the allocation of resources during an emergency, because system testing can be performed periodically or on demand, while resource allocation is a dynamic and complex process that requires careful planning and coordination. The differences in IS policies and procedures are not as critical as the allocation of resources during an emergency, because both parties can agree on common standards and protocols for their disaster recovery operations, or they can adapt their policies and procedures to suit each other’s needs. The maintenance of hardware and software compatibility is not as critical as the allocation of resources during an emergency, because both parties can use compatible or interoperable systems, or they can use virtualization or cloud computing technologies to overcome any compatibility issues. Reference: ISACA CISA Review Manual 27th Edition, page 281 109. 4: Audit Evidence, p. 31-32. CISA Online Review Course2, Module 1: The Process of Auditing Information Systems, Lesson 4: Audit Evidence, slide 9-10. CISA Questions, Answers & Explanations Database3, Question ID: QAE_CISA_710. 110. Which of the following documents would be MOST useful in detecting a weakness in segregation of duties? A. System flowchart B. Data flow diagram C. Process flowchart D. 
Entity-relationship diagram Answer: C Explanation: The best document for an IS auditor to use in detecting a weakness in segregation of duties is a process flowchart. A process flowchart is a diagram that illustrates the sequence of steps, activities, tasks, or decisions involved in a business process. A process flowchart can help detect a weakness in segregation of duties by showing who performs what actions or roles in a process, and whether there is any overlap or conflict of interest among them. The other options are not as useful as a process flowchart in detecting a weakness in segregation of duties, as 65 / 107 they do not show who performs what actions or roles in a process. A system flowchart is a diagram that illustrates the components, functions, interactions, or logic of an information system. A data flow diagram is a diagram that illustrates how data flows from sources to destinations through processes, stores, or external entities. An entity-relationship diagram is a diagram that illustrates how entities (such as tables) are related to each other through attributes (such as keys) in a database. Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.2 111. In a RAO model, which of the following roles must be assigned to only one individual? A. Responsible B. Informed C. Consulted D. Accountable Answer: D Explanation: In a RAO model, which stands for Responsible, Accountable, Consulted, and Informed, the accountable role must be assigned to only one individual. The accountable role is the person who has the ultimate authority and responsibility for the outcome of the project or task, and who approves or rejects the work done by the responsible role. The accountable role cannot be delegated or shared, as it is essential to have a clear and single point of accountability for each project or task. The other roles can be assigned to more than one individual: Responsible. This is the person who does the work or performs the task. 
There can be multiple responsible roles for different aspects or phases of a project or task, as long as they are coordinated and supervised by the accountable role. Informed. This is the person who needs to be notified or updated about the progress or results of the project or task. There can be multiple informed roles who have an interest or stake in the project or task, but who do not need to be consulted or involved in the decision-making process. Consulted. This is the person who provides input, feedback, or advice on the project or task. There can be multiple consulted roles who have expertise or experience relevant to the project or task, but who do not have the authority or responsibility to approve or reject the work done by the responsible role. 112. An organizations audit charier PRIMARILY: A. describes the auditors' authority to conduct audits. 66 / 107 B. defines the auditors' code of conduct. C. formally records the annual and quarterly audit plans. D. documents the audit process and reporting standards. Answer: A Explanation: An organization’s audit charter primarily describes the auditors’ authority to conduct audits. The audit charter is a formal document that defines the purpose, scope, responsibilities, and reporting relationships of the internal audit function. It also establishes the auditors’ right of access to information, records, personnel, and physical properties relevant to their work. The audit charter provides the basis for the auditors’ independenceand accountability to the governing body and senior management. 113. Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets? A. Any information assets transmitted over a public network must be approved by executive management. B. All information assets must be encrypted when stored on the organization's systems. C. 
Information assets should only be accessed by persons with a justified need. D. All information assets will be assigned a clearly defined level to facilitate proper employee handling. Answer: D Explanation: The statement that BEST demonstrates alignment with data classification standards related to the protection of information assets is D. All information assets will be assigned a clearly defined level to facilitate proper employee handling. Data classification involves categorizing information assets based on their sensitivity, importance, and usage. Assigning clearly defined levels (such as public, internal, confidential, etc.) to information assets ensures that appropriate security controls are applied based on their classification. By doing so, organizations can manage access, encryption, and other protective measures effectively12. Reference: IFRC. “Information Security: Acceptable Use Policy.” 1(https://www.ifrc.org/sites/def ault/files/2021-11/IFRC-Information-Security-Acceptable-Use-Policy.pdf) UNSW Sydney. “Data Classification Standard.” 2(https://www.unsw.edu.au/content/dam/pdfs/governance/policy/2022-01-policies/da tastandard.pdf) Digital Guardian. “What is a Data Classification 67 / 107 Policy?” 3(https://www.digitalguardian.com/blog/what-data-classification-policy) Microsoft Service Trust Portal. “Data classification & sensitivity label taxonomy.” 4(https://learn. microsoft.com/en-us/compliance/assurance/assurance-data-classification-and-labels) Clark University ITS Policies. “Data Classification - Data Security Policies.” 5(https://www2.clarku.edu/offices/its/policies/data_classification.cfm) 114. When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that: A. database conflicts are managed during replication. B. end users are trained in the replication process. C. the source database is backed up on both sites. D. user rights are identical on both databases. 
Answer: A Explanation: A database conflict occurs when the same data is modified at two separate servers, such as a customer database and a remote call center database, and the changes are not consistent with each other. For example, if a customer updates their phone number at the customer database, and a call center agent updates the same customer’s address at the remote call center database, there is a conflict between the two updates. Database conflicts can cause data inconsistency, corruption, or loss if they are not detected and resolved properly. Two-way replication is a process of synchronizing data between two databases, so that any changes made in one database are reflected in the other database, and vice versa. Two-way replication can improve data availability, performance, and scalability, but it also increases the risk of database conflicts. Therefore, when assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that database conflicts are managed during replication. This means that the project should have a clear and effective strategy for: Preventing or minimizing database conflicts by using techniques such as locking, timestamping, or partitioning. Detecting or identifying database conflicts by using tools such as triggers, logs, or alerts. Resolving or handling database conflicts by using methods such as priority-based, rule-based, or user-based resolution. The other possible options are: B. end users are trained in the replication process: This is not a relevant or important factor for the IS auditor to ensure when assessing a proposed project for the two-way replication of a customer database with a remote call center. End users are not directly involved in the replication process, and they do not need to have detailed knowledge or skills about how 68 / 107 replication works. 
The replication process should be transparent and seamless to the end users, and they should only interact with the data through their applications or interfaces. C. the source database is backed up on both sites: This is not a sufficient or necessary factor for the IS auditor to ensure when assessing a proposed project for the two-way replication of a customer database with a remote call center. Backing up the source database on both sites can provide some level of data protection and recovery, but it does not address the issue of database conflicts that can occur during replication. Moreover, backing up the source database on both sites may not be feasible or efficient, as it may consume more storage space and network bandwidth, and introduce more complexity and overhead to the replication process. D. user rights are identical on both databases: This is not a critical or relevant factor for the IS auditor to ensure when assessing a proposed project for the two-way replication of a customer database with a remote call center. User rights are the permissions or privileges that users have to access or modify data in a database. User rights do not directly affect the occurrence or resolution of database conflicts during replication. User rights may vary depending on the role or function of the users in different databases, and they should be defined and enforced according to the security policies and requirements of each database. 115. Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's information security governance? A. Risk assessments of information assets are not periodically performed. B. All Control Panel Items C. The information security policy does not extend to service providers. D. There is no process to measure information security performance. E. The information security policy is not reviewed by executive management. Answer: C 116. 
During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration? A. Sampling risk B. Detection risk C. Control risk D. Inherent risk Answer: B Explanation: 69 / 107 The type of risk associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration is detection risk. Detection risk is the risk that the auditor’s procedures will not detect a material misstatement or error that exists in an assertion or a control. Detection risk can be affected by factors such as the nature, timing, and extent of the audit procedures, the quality and sufficiency of the audit evidence, and the auditor’s professional judgment and competence. Detection risk can be reduced by applying appropriate audit techniques, such as sampling, testing, observation, inquiry, and analysis. Reference: CISA Review Manual (Digital Version) CISA Questions, Answers & Explanations Database 117. Which of the following BEST protects evidence in a forensic investigation? A. imaging the affected system B. Powering down the affected system C. Protecting the hardware of the affected system D. Rebooting the affected system Answer: A Explanation: Imaging the affected system is the best way to protect evidence in a forensic investigation, because it creates a bit-by-bitcopy of the original data that can be analyzed without altering or compromising the original source. Imaging preserves the integrity and authenticity of the evidence and allows for verification and validation of the results34. Powering down or rebooting the affected system can cause data loss or corruption, while protecting the hardware does not prevent unauthorized access or tampering with the software or data. 
Reference: 3: CISA Review Manual (Digital Version), Chapter 6, Section 6.4.1 4: CISA Online Review Course, Module 6, Lesson 4 118. In an area susceptible to unexpected increases in electrical power, which of the following would MOST effectively protect the system? A. Generator B. Voltage regulator C. Circuit breaker D. Alternate power supply line Answer: B 119. Which of the following is MOST important for an effective control self-assessment (CSA) 70 / 107 program? A. Determining the scope of the assessment B. Performing detailed test procedures C. Evaluating changes to the risk environment D. Understanding the business process Answer: D Explanation: Understanding the business process is the most important factor for an effective control self- assessment (CSA) program. A CSA program is a technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization’s risk management and control processes1. A CSA program can help identify risks and potential exposures to achieving strategic business objectives, evaluate the adequacy and effectiveness of controls, and implement remediation plans to address any gaps or weaknesses2. To conduct a successful CSA, it is essential to have a clear and comprehensive understanding of the business process under review, including its objectives, inputs, outputs, activities, resources, dependencies, stakeholders, performance indicators, etc. This will help to identify the relevant risks and controls associated with the process, as well as to evaluate their impact and likelihood. Determining the scope of the assessment, performing detailed test procedures, and evaluating changes to the risk environment are also important factors for an effective CSA program, but not as important as understanding the business process. 
These factors are more related to the execution and monitoring phases of the CSA program, while understanding the business process is related to the planning and preparation phase. Without a solid understanding of the business process, the scope, testing, and evaluation of the CSA may not be accurate or complete. Reference: ISACA CISA Review Manual 27th Edition, page 310 120. During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST? A. Conduct a follow-up audit after a suitable period has elapsed. B. Reschedule the audit assignment for the next financial year. C. Reassign the audit to an internal audit subject matter expert. D. Extend the duration of the audit to give the auditor more time. Answer: C 71 / 107 Explanation: The best action that audit management should consider first is to reassign the audit to an internal audit subject matter expert. This is because cloud service audits require specialized knowledge and skills to assess the risks and controls associated with the cloud service provider and the cloud service customer. An IS auditor who is unfamiliar with the technologies in use and their associated risks to the business may not be able to perform an effective and efficient audit, and may miss important issues or provide inaccurate recommendations. Therefore, it is important to ensure that the IS auditor assigned to the cloud service audit has the appropriate competence and experience. The other options are not as good as reassigning the audit to an internal audit subject matter expert. Conducting a follow-up audit after a suitable period has elapsed may not address the quality issues of the initial audit, and may also delay the identification and remediation of any problems. 
Rescheduling the audit assignment for the next financial year may expose the organization to unnecessary risks and may not meet the audit objectives or expectations. Extending the duration of the audit to give the auditor more time may not be feasible or cost- effective, and may not guarantee that the auditor will acquire the necessary knowledge and skills in time. Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 1391 ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2009, p. 14 121. Which of the following technology trends can lead to more robust data loss prevention (DLP) tools? A. Cloud computing B. Robotic process automation (RPA) C. Internet of Things (IoT) D. Machine learning algorithms Answer: D 122. In a review of the organization standards and guidelines for IT management, which of the following should be included in an IS development methodology? A. Value-added activity analysis B. Risk management techniques C. Access control rules D. Incident management techniques Answer: B 72 / 107 Explanation: Risk management techniques should be included in an IS development methodology. An IS development methodology is a set of guidelines, standards, and procedures that provide a structured and consistent approach to developing information systems. A good IS development methodology should cover all the phases of the system development life cycle (SDLC), from planning and analysis to design, implementation, testing, and maintenance1. Risk management techniques are an essential part of an IS development methodology, as they help to identify, assess, prioritize, mitigate, monitor, and communicate the risks that may affect the success of the system development project. Risk management techniques can also help to ensure that the system meets the requirements and expectations of the stakeholders, complies with the relevant laws and regulations, and delivers value to the organization2. 
The other options are not as relevant or appropriate as risk management techniques for an IS development methodology. Value-added activity analysis is a technique for evaluating the efficiency and effectiveness of business processes, but it is not specific to IS development3. Access control rules are policies and mechanisms for restricting or granting access to information systems and resources, but they are more related to security management than IS development4. Incident management techniques are methods for handling and resolving incidents that disrupt the normal operation of information systems and services, but they are more related to service management than IS development5. Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 1911 ISACA, CISA Review Manual, 27th Edition, 2019, p. 1942 Value-Added Activity Analysis3 Access Control Rules4 Incident Management Techniques5 123. A telecommunications company has recently created a new fraud department with three employees and acquired a fraud detection system that uses artificial intelligence (AI) modules. Which of the following would be of GREATEST concern to an IS auditor reviewing the system? A. A very large number of true negatives B. A small number of false negatives C. A small number of true positives D. A large number of false positives Answer: B 124. What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems? 73 / 107 A. Establish rules for converting data from one format to another B. Implement data entry controls for new and existing applications C. Implement aconsistent database indexing strategy D. 
Develop a metadata repository to store and access metadata Answer: A Explanation: The best way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems is to establish rules for converting data from one format to another, because this ensures that the data quality and integrity are maintained throughout the data transformation process. Data conversion rules define the standards, procedures, and methods for transforming data from different sources and formats into a common format and structure that can be used by the business intelligence systems12. Implementing data entry controls for new and existing applications, implementing a consistent database indexing strategy, and developing a metadata repository to store and access metadata are not the best ways to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems, because they do not address the issue of data conversion, which is a critical step in the data integration process for business intelligence systems. Reference: 1: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.3 2: CISA Online Review Course, Module 4, Lesson 3 125. The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are: A. randomly selected by a test generator. B. provided by the vendor of the application. C. randomly selected by the user. D. simulated by production entities and customers. Answer: D Explanation: The best approach for management in developing a test plan is to use processing parameters that are simulated by production entities and customers. This is because using realistic data and scenarios can help to evaluate the functionality, performance, reliability, and security of the new system under actual operating conditions and expectations. 
Using processing parameters that are randomly selected by a test generator, provided by the vendor of the application, or 74 / 107 randomly selected by the user may not be sufficient or representative of the production environment and may not reveal all the potential issues or defects of the new system. Reference: [ISACA CISA Review Manual 27th Edition], page 266. 126. An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework? A. Sell-assessment reports of IT capability and maturity B. IT performance benchmarking reports with competitors C. Recent third-party IS audit reports D. Current and previous internal IS audit reports Answer: C Explanation: Recent third-party IS audit reports would be most helpful in determining the effectiveness of the IT governance framework of the target company. IT governance is a framework that defines the roles, responsibilities, and processes for aligning IT strategy with business strategy. A third- party IS audit is an independent and objective examination of an organization’s IT governance framework by an external auditor. Recent third-party IS audit reports can provide reliable and unbiased evidence of the strengths, weaknesses, and maturity of the IT governance framework of the target company. The other options are not as helpful as recent third-party IS audit reports, as they may not be as comprehensive, accurate, or current as external audits. Reference: CISA Review Manual, 27th Edition, page 94 127. In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control? A. Approved test scripts and results prior to implementation B. Written procedures defining processes and controls C. 
Approved project scope document D. A review of tabletop exercise results Answer: B Explanation: The best way to evaluate the effectiveness of a new automated control is to review the written 75 / 107 procedures that define the processes and controls. This will help the IS auditor to understand the objectives, scope, roles, responsibilities, and expected outcomes of the control. The written procedures will also provide a basis for testing the control and verifying its compliance with the audit finding recommendations. Reference: ISACA Frameworks: Blueprints for Success CISA Review Manual (Digital Version) 128. Which of the following indicates that an internal audit organization is structured to support the independence and clarity of the reporting process? A. Auditors are responsible for performing operational duties or activities. B. The internal audit manager reports functionally to a senior management official. C. The internal audit manager has a reporting line to the audit committee. D. Auditors are responsible for assessing and operating a system of internal controls. Answer: C Explanation: The internal audit manager should have a reporting line to the audit committee, which is an independent body that oversees the internal audit function and ensures its objectivity and accountability. Reporting functionally to a senior management official may compromise the independence and clarity of the internal audit reporting process, as senior management may have a vested interest in the audit results or influence the audit scope and priorities. *Reference: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1002 Independence, “The chief audit executive (CAE) should report functionally to the board or its equivalent (e.g., audit committee) and administratively to executive management.” 1 129. 
Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project? A. The lack of technical documentation to support the program code B. The lack of completion of all requirements at the end of each sprint C. The lack of acceptance criteria behind user requirements. D. The lack of a detailed unit and system test plan Answer: C Explanation: User requirements are statements that describe what the users expect from the software system in terms of functionality, quality, and usability. They are essential inputs for the software development process, as they guide the design, implementation, testing, and deployment of the 76 / 107 system. Therefore, an IS auditor’s greatest concern when reviewing the early stages of a software development project would be the lack of acceptance criteria behind user requirements. Acceptance criteria are measurable conditions that define when a user requirement is met or satisfied. They help ensure that the user requirements are clear, complete, consistent, testable, and verifiable. Without acceptance criteria, it would be difficult to evaluate whether the system meets the user expectations and delivers value to the organization. Technical documentation, such as program code, is usually produced in later stages of the software development process. Completion of all requirements at the end of each sprint is not mandatory in agile software development methods, as long as there is a prioritized backlog of requirements that can be delivered incrementally. A detailed unit and system test plan is also important for ensuring software quality, but it depends on well-defined user requirements and acceptance criteria. Reference: Information Systems Acquisition, Development & Implementation, CISA Review Manual (Digital Version) 130. 
During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirementsdoes not include recent regulatory changes related to managing data risk. What should the auditor do FIRST? A. Ask management why the regulatory changes have not been Included. B. Discuss potential regulatory issues with the legal department C. Report the missing regulatory updates to the chief information officer (CIO). D. Exclude recent regulatory changes from the audit scope. Answer: A Explanation: Asking management why the regulatory changes have not been included is the first thing that an IS auditor should do during the planning stage of a compliance audit. An IS auditor should inquire about the reasons for not updating the inventory of compliance requirements with recent regulatory changes related to managing data risk. This will help the IS auditor to understand whether there is a gap in awareness, communication, or implementation of compliance obligations within the organization. The other options are not the first things that an IS auditor should do, but rather possible subsequent actions that may depend on management’s response. Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.31 CISA Review Questions, Answers & Explanations Database, Question ID 214 77 / 107 131. Which of the following is MOST important for an IS auditor to validate when auditing network device management? A. Devices cannot be accessed through service accounts. B. Backup policies include device configuration files. C. All devices have current security patches assessed. D. All devices are located within a protected network segment. Answer: C Explanation: The most important thing for an IS auditor to validate when auditing network device management is that all devices have current security patches assessed. 
This is because security patches are essential for fixing known vulnerabilities and preventing unauthorized access, data breaches, or denial-of-service attacks on the network devices. If the network devices are not patched regularly, they may expose the network to various cyber threats and compromise the confidentiality, integrity, and availability of the network services and data12. Devices cannot be accessed through service accounts is not the most important thing to validate because service accounts are typically used for automated tasks or processes that require privileged access to network devices. Service accounts can be secured by using strong passwords, limiting their permissions, and monitoring their activities. However, service accounts alone do not protect the network devices from external or internal attacks that exploit unpatched vulnerabilities3. Backup policies include device configuration files is not the most important thing to validate because backup policies are mainly used for restoring the network devices in case of failure, disaster, or corruption. Backup policies can help with recovering the network functionality and data, but they do not prevent the network devices from being compromised or attacked in the first place. Backup policies should be complemented by security policies that ensure the network devices are patched and protected4. All devices are located within a protected network segment is not the most important thing to validate because network segmentation is a technique that divides the network into smaller subnets or zones based on different criteria, such as function, security level, or access control. Network segmentation can help isolate and contain the impact of a potential attack on a network device, but it does not prevent the attack from happening. Network segmentation should be combined with security patching and other security measures to ensure the network devices are secure. 132. 
An IS auditor finds the log management system is overwhelmed with false positive alerts. 78 / 107 The auditor's BEST recommendation would be to: A. establish criteria for reviewing alerts. B. recruit more monitoring personnel. C. reduce the firewall rules. D. fine tune the intrusion detection system (IDS). Answer: D Explanation: Fine tuning the intrusion detection system (IDS) is the best recommendation to reduce the number of false positive alerts that overwhelm the log management system, because it can help adjust the sensitivity and accuracy of the IDS rules and signatures to match the network environment and traffic patterns. Establishing criteria for reviewing alerts, recruiting more monitoring personnel, and reducing the firewall rules are not effective solutions to address the root cause of the false positive alerts, but rather ways to cope with the consequences. Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.3 133. Which of the following is an example of a preventative control in an accounts payable system? A. The system only allows payments to vendors who are included In the system's master vendor list. B. Backups of the system and its data are performed on a nightly basis and tested periodically. C. The system produces daily payment summary reports that staff use to compare against invoice totals. D. Policies and procedures are clearly communicated to all members of the accounts payable department Answer: A Explanation: The system only allows payments to vendors who are included in the system’s master vendor list is an example of a preventative control in an accounts payable system. A preventative control is a control that aims to prevent errors or irregularities from occurring in the first place. By restricting payments to vendors who are authorized and verified in the master vendor list, the system prevents unauthorized or fraudulent payments from being made. 
The other options are examples of other types of controls, such as backup (recovery), reconciliation (detective), and communication (directive) controls. Reference: CISA Review Manual, 27th Edition, page 223 79 / 107 134. When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and: A. the organization's web server. B. the demilitarized zone (DMZ). C. the organization's network. D. the Internet Answer: D Explanation: The best recommendation is to place an intrusion detection system (IDS) between the firewall and the Internet. An IDS is a device or software that monitors network traffic for malicious activity and alerts the network administrator or takes preventive action. By placing an IDS between the firewall and the Internet, the IS auditor can enhance the security of the network perimeter and detect any attack attempts that the firewall was unable to recognize. The other options are not as effective as placing an IDS between the firewall and the Internet: Placing an IDS between the firewall and the organization’s web server would not protect the web server from external attacks that bypass the firewall. The web server should be placed in a demilitarized zone (DMZ), which is a separate network segment that isolates public-facing servers from the internal network. Placing an IDS between the firewall and the demilitarized zone (DMZ) would not protect the DMZ from external attacks that bypass the firewall. The DMZ should be protected by two firewalls, one facing the Internet and one facing the internal network, with an IDS monitoring both sides of each firewall. Placing an IDS between the firewall and the organization’s network would not protect the organization’s network from external attacks that bypass the firewall. 
The organization’s network should be protected by a firewall that blocks unauthorized traffic from entering or leaving the network, with an IDS monitoring both sides of the firewall. 135. The use of which of the following would BEST enhance a process improvement program? A. Model-based design notations B. Balanced scorecard C.Capability maturity models D. Project management methodologies Answer: C Explanation: 80 / 107 Capability maturity models (CMMs) are frameworks that help organizations assess and improve their processes in various domains, such as software development, project management, service delivery, and cybersecurity1. CMMs define different levels of process maturity, from initial to optimized, and describe the characteristics and best practices of each level. By using CMMs, organizations can benchmark their current processes against a common standard, identify gaps and weaknesses, and implement improvement actions to achieve higher levels of process maturity2. CMMs can also help organizations align their processes with their strategic goals, measure their performance, and increase their efficiency, quality, and customer satisfaction3. Therefore, the use of CMMs would best enhance a process improvement program, as they provide a systematic and structured approach to evaluate and improve processes based on proven principles and practices. Option C is the correct answer. Option A is not correct because model-based design notations are graphical or textual languages that help designers specify, visualize, and document the structure and behavior of systems4. While they can be useful for designing and communicating complex systems, they do not directly address the process improvement aspect of a program. Option B is not correct because balanced scorecard is a strategic management tool that helps organizations translate their vision and mission into measurable objectives and indicators. 
While it can be useful for monitoring and evaluating the performance of a program, it does not provide specific guidance on how to improve processes. Option D is not correct because project management methodologies are sets of principles and practices that help organizations plan, execute, and control projects. While they can be useful for managing the scope, schedule, cost, quality, and risk of a program, they do not focus on the process improvement aspect of a program. Reference: Guide to Process Maturity Models2 What is CMMI? A model for optimizing development processes1 Capability Maturity Model (CMM): A Definitive Guide3 Model-Based Design Notations4 Balanced Scorecard Project Management Methodologies 136. Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)? 81 / 107 A. Implementing the remediation plan B. Partially completing the CSA C. Developing the remediation plan D. Developing the CSA questionnaire Answer: D Explanation: Developing the CSA questionnaire is an activity that would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA). An IS auditor can design and provide a CSA questionnaire to help the business units or process owners to evaluate their own controls and identify any issues or improvement opportunities. This will enable an IS auditor to support and guide the CSA process without compromising their objectivity or independence. The other options are activities that would impair an IS auditor’s independence while facilitating a CSA, as they involve implementing, completing, or developing remediation actions for control issues. Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.41 CISA Review Questions, Answers & Explanations Database, Question ID 215 137. Which of the following would an IS auditor find to be the GREATEST risk associated with the server room in a remote office location? A. 
The server room is secured by a key lock instead of an electronic lock. B. The server room's location is known by people who work in the area. C. The server room does not have temperature controls. D. The server room does not have biometric controls. Answer: C 138. Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider? A. Implement data loss prevention (DLP) software B. Review perimeter firewall logs C. Provide ongoing information security awareness training D. Establish behavioral analytics monitoring Answer: D Explanation: The most effective way to identify exfiltration of sensitive data by a malicious insider is to establish behavioral analytics monitoring. Behavioral analytics is the process of analyzing the 82 / 107 patterns and anomalies in user behavior to detect and prevent insider threats. Behavioral analytics can help identify unusual or suspicious activities, such as accessing sensitive data at odd hours, transferring large amounts of data to external devices or locations, or using unauthorized applications or protocols. Behavioral analytics can also help correlate data from multiple sources, such as network logs, user profiles, and access rights, to provide a holistic view of user activity and risk. Data loss prevention (DLP) software is a tool that can help prevent exfiltration of sensitive data by a malicious insider, but it is not the most effective way to identify it. DLP software can block or alert on unauthorized data transfers based on predefined rules and policies, but it may not be able to detect sophisticated or stealthy exfiltration techniques, such as encryption, steganography, or data obfuscation. Reviewing perimeter firewall logs is a way to identify exfiltration of sensitive data by a malicious insider, but it is not the most effective way. 
Perimeter firewall logs can show the traffic volume and destination of data transfers, but they may not be able to show the content or context of the data. Perimeter firewall logs may also be overwhelmed by the amount of normal traffic and miss the signals of malicious exfiltration. Providing ongoing information security awareness training is a way to reduce the risk of exfiltration of sensitive data by a malicious insider, but it is not a way to identify it. Information security awareness training can help educate users on the importance of protecting sensitive data and the consequences of violating policies and regulations, but it may not deter or detect those who are intentionally or maliciously exfiltrating data. Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 300 ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription 1 Cybersecurity Engineering for Legacy Systems: 6 Recommendations - SEI Blog 2 How to Secure Your Company’s Legacy Applications - iCorps 139. Which of the following is MOST important for an IS auditor to look for in a project feasibility study? A. An assessment of whether requirements will be fully met B. An assessment indicating security controls will operate effectively C. An assessment of whether the expected benefits can be achieved D. An assessment indicating the benefits will exceed the implement Answer: C Explanation: The most important thing for an IS auditor to look for in a project feasibility study is an assessment of whether the expected benefits can be achieved. A project feasibility study is a 83 / 107 preliminary analysis that evaluates the viability and suitability of a proposed project based on various criteria, such as technical, economic, legal, operational, and social factors. The expected benefits are the positive outcomes and value that the project aims to deliver to the organization and its stakeholders. 
The IS auditor should verify whether the project feasibility study has clearly defined and quantified the expected benefits, and whether it has assessed the likelihood and feasibility of achieving them within the project scope, budget, schedule, and quality parameters. The other options are also important for an IS auditor to look for in a project feasibility study, but not as important as an assessment of whether the expected benefits can be achieved,because they either focus on specific aspects of the project rather than the overall value proposition, or they assume that the project will be implemented rather than evaluating its viability. Reference: CISA Review Manual (Digital Version)1, Chapter 4, Section 4.2.1 140. Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report? A. To ensure the conclusions are adequately supported B. To ensure adequate sampling methods were used during fieldwork C. To ensure the work is properly documented and filed D. To ensure the work is conducted according to industry standards Answer: A Explanation: The primary reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report is to ensure the conclusions are adequately supported. The IS audit manager is responsible for overseeing and supervising the audit process, ensuring the quality and consistency of the audit work, and approving the audit report and recommendations. The IS audit manager should review the work performed by the senior IS auditor to verify that the audit objectives, scope, and criteria have been met, that the audit evidence is sufficient, reliable, and relevant, and that the audit conclusions are logical, objective, and based on the audit evidence. 
The IS audit manager should also ensure that the audit report is clear, concise, accurate, and complete, and that it communicates the audit findings, conclusions, and recommendations effectively to the intended audience. The other options are not the primary reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report, because they either relate to specific aspects or stages of the audit work rather than the overall outcome, or they are part of the senior IS auditor’s responsibility rather than the IS audit manager’s. Reference: CISA Review Manual (Digital Version)1, Chapter 2, Section 2.2.5 84 / 107 141. Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees? A. Periodic vendor reviews B. Dual control C. Independent reconciliation D. Re-keying of monetary amounts E. Engage an external security incident response expert for incident handling. Answer: B Explanation: The best recommendation to prevent fraudulent electronic funds transfers by accounts payable employees is dual control. Dual control is a segregation of duties control that requires two or more individuals to perform or authorize a transaction or activity. Dual control can prevent fraudulent electronic funds transfers by requiring independent verification and approval of payment requests, amounts, and recipients by different accounts payable employees. The other options are not as effective as dual control in preventing fraudulent electronic funds transfers, as they do not involve independent checks or approvals. Periodic vendor reviews are detective controls that can help identify any irregularities or anomalies in vendor payments, but they do not prevent fraudulent electronic funds transfers from occurring. 
Independent reconciliation is a detective control that can help compare and confirm payment records with bank statements, but it does not prevent fraudulent electronic funds transfers from occurring. Re-keying of monetary amounts is an input control that can help detect any errors or discrepancies in payment amounts, but it does not prevent fraudulent electronic funds transfers from occurring. Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.2 142. Which of the following is the MOST important Issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications? A. Continuity of service B. Identity management C. Homogeneity of the network D. Nonrepudiation Answer: C Explanation: The most important issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications is the homogeneity of the network, because it affects the quality, security, and 85 / 107 reliability of the VoIP service. A homogeneous network is one that uses a single protocol or standard for VoIP communication, such as Session Initiation Protocol (SIP) or H.32312. A homogeneous network can reduce the complexity, latency, and interoperability issues that may arise from using different or incompatible protocols or devices for VoIP communication12. Continuity of service, identity management, and nonrepudiation are also important issues for VoIP communications, but not as important as the homogeneity of the network. Reference: 1: CISA Review Manual (Digital Version), Chapter 4, Section 4.4.3 2: CISA Online Review Course, Module 4, Lesson 4 143. Which of the following is the PRIMARY advantage of using an automated security log monitoring tool instead of conducting a manual review to monitor the use of privileged access? A. Reduced costs associated with automating the review B. Increased likelihood of detecting suspicious activity C. Ease of storing and maintaining log file D. Ease of log retrieval for audit purposes Answer: B 144. 
A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year. Which of the following would BEST enable the agency to improve the performance of its servers during the busy period? A. Virtual firewall B. Proxy server C. Load balancer D. Virtual private network (VPN) Answer: C Explanation: A load balancer is a tool or application that distributes incoming network traffic among multiple servers in a server farm, so that no server is overwhelmed and the performance of the system is optimized1. A load balancer can help the agency to handle the large influx of traffic to a regional office by balancing the workload among the available servers and preventing service disruptions. A load balancer can also provide high availability and fault tolerance by rerouting traffic to online servers if a server becomes unavailable2. A virtual firewall is a software-based firewall that protects a virtual network or environment from unauthorized access and malicious attacks. A virtual firewall can enhance the security of the 86 / 107 agency’s network, but it does not improve the performance of its servers. A proxy server is an intermediary server that acts as a gateway between the client and the destination server, hiding the client’s IP address and providing caching and filtering functions. A proxy server can improve the security and privacy of the agency’s network, but it does not improve the performance of its servers. A virtual private network (VPN) is a secure connection between two or more devices over a public network, such as the internet. A VPN can encrypt and protect the data transmitted over the network, but it does not improve the performance of the agency’s servers. 145. Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process? A. Disposal policies and procedures are not consistently implemented B. 
Evidence is not available to verify printer hard drives have been sanitized prior to disposal. C. Business units are allowed to dispose printers directly to D. Inoperable printers are stored in an unsecured area. Answer: B Explanation: The greatest concern for an IS auditor reviewing a network printer disposal process is that evidence is not available to verify printer hard drives have been sanitized prior to disposal. This can expose sensitive data to unauthorized parties and cause data breaches. Disposal policies and procedures not being consistently implemented or business units being allowed to dispose printers directly to vendors are compliance issues,but not as critical as data protection. Inoperable printers being stored in an unsecured area is a physical security issue, but not as severe as data leakage. Reference: ISACA, CISA Review Manual, 27th Edition, 2018, page 387 146. An IS auditor learns that an in-house system development life cycle (SDLC) project has not met user specifications. The auditor should FIRST examine requirements from which of the following phases? A. Configuration phase B. User training phase C. Quality assurance (QA) phase D. Development phase Answer: C Explanation: The quality assurance (QA) phase is the phase where the IS auditor should first examine 87 / 107 requirements from an in-house SDLC project that has not met user specifications. This is because the QA phase is the phase where the system is tested and verified against the user specifications and the design specifications to ensure that it meets the functional and non- functional requirements, as well as the quality standards and expectations. The QA phase involves various testing activities, such as unit testing, integration testing, system testing, acceptance testing, performance testing, security testing, etc., to identify and resolve any defects, errors, or deviations from the specifications12. 
The configuration phase is not the phase from which the IS auditor should first examine requirements. The configuration phase is the phase where the system is installed and configured on the target environment (hardware, software, network, etc.) to prepare it for deployment and operation. The configuration phase may involve activities such as installation, customization, migration and integration to ensure that the system is compatible and interoperable with the existing infrastructure and systems. The user training phase is not the phase from which the IS auditor should first examine requirements. The user training phase is the phase where the end users are trained and educated on how to use the system effectively and efficiently. The user training phase may involve activities such as developing training materials, conducting training sessions and providing feedback and support, to ensure that the users are familiar and comfortable with the system features and functions. The development phase is not the phase from which the IS auditor should first examine requirements. The development phase is the phase where the system is coded and built based on the design specifications and the user specifications. The development phase may involve activities such as programming, debugging and documenting to create a working prototype or a final product of the system. 147. Which of the following is the MOST appropriate testing approach when auditing a daily data flow between two systems via an automated interface to confirm that it is complete and accurate? A. Confirm that the encryption standard applied to the interface is in line with best practice. B. Inspect interface configurations and an example output of the systems. C.
Perform data reconciliation between the two systems for a sample of 25 days. D. Conduct code review for both systems and inspect design documentation. Answer: C Explanation: The most appropriate testing approach when auditing a daily data flow between two systems via an automated interface is to perform data reconciliation between the two systems for a sample of 25 days. Data reconciliation is a process of verifying that the data transferred from one system to another is complete and accurate, and that there are no discrepancies or errors in the data flow: record counts and control totals are compared, and individual records are matched on a key so that missing, extra or altered records are identified. Data reconciliation can be performed with generalized audit software, a type of computer-assisted audit technique (CAAT) that allows the IS auditor to perform audit tasks on data stored in different file formats and databases. By performing data reconciliation for a sample of 25 days, the IS auditor can test the reliability and consistency of the data flow over a reasonable period of time and identify any issues or anomalies that could affect the quality of the data or the functionality of the systems. Reviewing the encryption standard (A) addresses confidentiality, not completeness or accuracy; inspecting configurations and a single example output (B) or reviewing code and design documents (D) shows how the interface is intended to work, not what it actually delivered on the days in question. Reference: Data Flow Testing (GeeksforGeeks); Generalized Audit Software (GAS) (ISACA) 148. Which of the following provides the BEST assurance of data integrity after file transfers? A. Check digits B. Monetary unit sampling C. Hash values D. Reasonableness check Answer: C Explanation: The best assurance of data integrity after file transfers is hash values. A hash value is a fixed-length value produced by applying a cryptographic hash function (for example SHA-256) to the data. Hash values can be used to verify that the data has not been altered or corrupted during the transfer, as any change to the data, even a single bit, produces a different hash value with overwhelming probability. By comparing the hash value of the destination file with the hash value of the source file, one can confirm that the data is identical and intact. The reference hash must be obtained through a channel the attacker cannot alter along with the file (for example, published by the sender separately or signed), and functions with known collision attacks such as MD5 and SHA-1 should not be relied on for integrity against deliberate tampering. The other options are not as effective as hash values for ensuring data integrity after file transfers.
Check digits are digits added to a number to detect errors in data entry or transmission, but they protect only the individual field they are attached to and are not reliable for detecting intentional or complex modifications of the data (for example, a simple digit-sum check digit is unchanged when two digits are transposed). Monetary unit sampling is a statistical sampling technique used for auditing financial statements, but it is not applicable to verifying data integrity after file transfers. A reasonableness check is a validation method that checks whether the data falls within an expected range or format, but it does not guarantee that the data is accurate or consistent with the source. Reference: On Windows, how to check that data is unchanged after copying? (Super User); Data integrity, Cloud Storage Transfer Service Documentation (Google Cloud); Checking File Integrity (HECC Knowledge Base); How to setup File Transfer Integrity Checks (Progress.com) 149. Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply? A. Risk identification B. Risk classification C. Control self-assessment (CSA) D. Impact assessment Answer: D 150. Which of the following is an IS auditor's BEST approach when preparing to evaluate whether the IT strategy supports the organization's vision and mission? A. Review strategic projects for return on investments (ROIs) B. Solicit feedback from other departments to gauge the organization's maturity C. Meet with senior management to understand business goals D. Review the organization's key performance indicators (KPIs) Answer: C Explanation: The best approach for an IS auditor to evaluate whether the IT strategy supports the organization's vision and mission is to meet with senior management to understand the business goals and how IT can enable them. This will help the IS auditor to assess the alignment and integration of IT with the business strategy and to identify any gaps or opportunities for improvement.
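The following is an added example, not part of the original exam material, that works through questions 147 and 148 above together: it checks each sampled day's extract with a whole-file SHA-256 hash (question 148) and, where the hashes disagree, reconciles the two systems record by record (question 147). The two systems, the "record_id,amount" CSV layout, the three sampled days and the mod-10 check digit used for contrast are all constructed for illustration; a real engagement would pull the extracts from both systems for the sampled days. Day 3 is built so that the control totals balance while a record is wrong, which is why the reconciliation matches records on a key rather than trusting totals alone.

```python
"""Audit a daily automated interface: whole-file hash check, then record-level
reconciliation where the hashes disagree.

Added example, not part of the original exam material. The two systems, the
CSV layout, the sampled days and the mod-10 check digit are all constructed.
"""
import hashlib
from decimal import Decimal

# Constructed daily extracts as received from each system: "record_id,amount"
# per line. Day 2 lost a record in transit; on day 3 one amount was altered
# and a record added so that the control total still balances.
SOURCE = {
    "2024-01-01": b"A1,100.00\nA2,250.50\n",
    "2024-01-02": b"B1,75.25\nB2,10.00\n",
    "2024-01-03": b"C1,999.99\n",
}
TARGET = {
    "2024-01-01": b"A1,100.00\nA2,250.50\n",
    "2024-01-02": b"B1,75.25\n",
    "2024-01-03": b"C1,99.99\nC9,900.00\n",
}


def sha256_hex(data):
    """Hash value of an extract; any changed byte yields a different digest."""
    return hashlib.sha256(data).hexdigest()


def parse(extract):
    """Return {record_id: Decimal(amount)}; a duplicate key is itself a defect."""
    records = {}
    for line in extract.decode().splitlines():
        rid, amount = line.split(",")
        if rid in records:
            raise ValueError(f"duplicate record id {rid}")
        records[rid] = Decimal(amount)
    return records


def reconcile_day(src_bytes, tgt_bytes):
    """Compare one day's source and target extracts for completeness and accuracy."""
    hashes_match = sha256_hex(src_bytes) == sha256_hex(tgt_bytes)
    src, tgt = parse(src_bytes), parse(tgt_bytes)
    common = set(src) & set(tgt)
    return {
        "hashes_match": hashes_match,
        "source_count": len(src),
        "target_count": len(tgt),
        # control totals alone can balance while individual records are wrong
        "control_total_diff": sum(tgt.values(), Decimal(0)) - sum(src.values(), Decimal(0)),
        "missing_in_target": sorted(set(src) - set(tgt)),
        "extra_in_target": sorted(set(tgt) - set(src)),
        "amount_mismatch": sorted(k for k in common if src[k] != tgt[k]),
    }


def reconcile(source, target, sample_days):
    """Run the day-level test over the sampled days (25 of them in the audit)."""
    return {day: reconcile_day(source.get(day, b""), target.get(day, b"")) for day in sample_days}


def exception_days(report):
    """Days needing follow-up: the whole-file hash differed for that day."""
    return sorted(day for day, r in report.items() if not r["hashes_match"])


def mod10_check_digit(digits):
    """Constructed check-digit scheme: digit sum modulo 10. It catches a single
    wrong digit, but transposing two digits leaves the sum, and the check, unchanged."""
    return sum(int(d) for d in digits) % 10


if __name__ == "__main__":
    rep = reconcile(SOURCE, TARGET, sorted(SOURCE))
    for day in exception_days(rep):
        print(day, rep[day])
    # 4417 and 4471 carry the same check digit; their SHA-256 digests differ.
    print(mod10_check_digit("4417"), mod10_check_digit("4471"))
```

The hash comparison is the cheap first pass: a matching digest for a day means the target holds exactly the bytes the source sent, and no further work is needed for that day. Only days whose digests differ go through the keyed reconciliation, which tells the auditor whether the difference is a lost record, an added record or an altered amount. The check-digit function is there to make the question 148 point concrete: it accepts the transposed number, whereas the hash of the two extracts would not match.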
Reviewing ROIs, KPIs, or feedback from other departments may provide some insight, but it is not sufficient to evaluate the IT strategy. Reference: IS Audit and Assurance Standards, section "Standard 1201: Engagement Planning" 151. Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system? A. Data from the source and target system may be intercepted. B. Data from the source and target system may have different data formats. C. Records past their retention period may not be migrated to the new system. D. System performance may be impacted by the migration Answer: A Explanation: The greatest security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system is that data from the source and target system may be intercepted. Data interception is an attack in which an unauthorized entity or individual captures or accesses data that are being transmitted or stored on an information system or network. Data interception can compromise the confidentiality and integrity of data, and cause harm or damage to data owners or users. Data migration from a legacy HR system to a cloud-based system involves transferring data from one system or location to another over a network connection. This poses a high risk of data interception, as the data may be exposed during transit or while staged on unsecured or untrusted networks or systems; HR data is particularly sensitive because it contains personal and payroll information, so the migration channel should be encrypted and both endpoints authenticated. Data from the source and target system having different data formats is a possible challenge associated with data migration from a legacy HR system to a cloud-based system, but it is not a security risk. Data formats are specifications that define how data are structured or encoded on an information system or network. Data formats may vary depending on different systems or platforms.
Data migration may require converting data from one format to another to ensure compatibility and interoperability between systems. Records past their retention period not being migrated to the new system is a possible outcome associated with data migration from a legacy HR system to a cloud-based system, but it is not a security risk. A retention period defines how long data should be kept or stored on an information system or network before being deleted or destroyed. Retention periods may depend on various factors such as legal requirements, business needs and storage capacity. Data migration may involve deleting or destroying data that are past their retention period to reduce the volume or complexity of data to be transferred, or to comply with regulations or policies. System performance being impacted by the migration is a possible impact associated with data migration from a legacy HR system to a cloud-based system, but it is not a security risk. System performance is a measure of how well an information system or network functions or operates, such as speed, reliability and availability. System performance may be affected by data migration, as the migration may consume significant resources or bandwidth, cause interruptions or delays, or introduce errors or inconsistencies. 152. What is the PRIMARY reason for an organization to classify the data stored on its internal networks? A. To determine data retention policy B. To implement data protection requirements C. To comply with the organization's data policies D. To follow industry best practices Answer: B Explanation: The primary reason for an organization to classify the data stored on its internal networks is to implement data protection requirements. Data classification helps organizations understand what data they have, its characteristics, and what security and privacy requirements it needs to meet, so that the necessary protections can be applied.
While determining data retention policy, complying with the organization's data policies, and following industry best practices are important aspects of data classification, they are secondary to the fundamental requirement of implementing data protection requirements. Reference: What Is Data Classification & Why Is It Important? (RiskOptics); Data Classification Policy: Definition, Examples, & Free Template (Hyperproof); Data Classification Policy: Benefits, Examples, and Techniques (Satori); What is a Data Classification Policy? (Digital Guardian); Data Classification and Practices (NIST); Data Classification as a Catalyst for Data Retention and Archiving; What is data classification? (Cloud Adoption Framework); Data Classification - Data Security Policies (ITS Policies); Implementing Data Classification Practices (NIST); Best Practices for Data Classification (Forcepoint) 153. An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan? A. Increasing the frequency of risk-based IS audits for each business entity B. Developing a risk-based plan considering each entity's business processes C. Conducting an audit of newly introduced IT policies and procedures D. Revising IS audit plans to focus on IT changes introduced after the split Answer: B Explanation: Developing a risk-based plan considering each entity's business processes would best help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan. A risk-based plan prioritizes the audit activities based on the level of risk associated with each area or process.
A risk-based plan can help to allocate the audit resources more efficiently and effectively, and provide more assurance and value to the stakeholders. By considering each entity's business processes, the IS audit can identify and assess the specific risks and controls that affect the IT environment of each entity, and tailor the audit objectives, scope and procedures accordingly. This can help to address the unique needs and expectations of each entity, and ensure that the IS audit covers the key risk areas that are relevant and significant to each entity's operations, performance and compliance. The other options are not as effective as developing a risk-based plan considering each entity's business processes. Option A, increasing the frequency of risk-based IS audits for each business entity, is not a feasible or efficient solution, as it may increase the audit costs and workload, and create duplication or overlap of audit efforts over the shared infrastructure. Option C, conducting an audit of newly introduced IT policies and procedures, is a limited and narrow approach, as it may not cover all the aspects of the IT environment that have changed or been affected by the split. Option D, revising IS audit plans to focus on IT changes introduced after the split, is a reactive and short-term approach, as it may not reflect the current or future state of the IT environment or the business objectives of each entity. Reference: ISACA, CISA Review Manual, 27th Edition, 2019; ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription; Risk-Based Audit Planning: A Guide for Internal Audit; Risk-Based Audit Approach: Definition & Example 154.
Which of the following network communication protocols is used by network devices such as routers to send error messages and operational information indicating success or failure when communicating with another IP address? A. Transmission Control Protocol/Internet Protocol (TCP/IP) B. Internet Control Message Protocol C. Multipurpose Transaction Protocol D. Point-to-Point Tunneling Protocol Answer: B 155. An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee. Which type of control has been added? A. Corrective B. Compensating C. Preventive D. Detective Answer: C 156. Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard? A. Effectiveness of the security program B. Security incidents vs. industry benchmarks C. Total number of hours budgeted to security D. Total number of false positives Answer: A Explanation: The executive management concern that could be addressed by the implementation of a security metrics dashboard is the effectiveness of the security program. A security metrics dashboard is a tool that provides a visual representation of key performance indicators (KPIs) and key risk indicators (KRIs) related to the organization's information security objectives and activities. A security metrics dashboard can help executive management monitor and evaluate the performance and value delivery of the security program, identify strengths and weaknesses, assess compliance with policies and standards, and support decision making and improvement initiatives. Security incidents vs. industry benchmarks, total number of hours budgeted to security, and total number of false positives are not executive management concerns that could be addressed by the implementation of a security metrics dashboard.
These are more operational or technical aspects of information security that could be measured and reported by other means, such as incident reports, budget reports, or log analysis. Reference: ISACA CISA Review Manual 27th Edition, page 302 157. Audit frameworks can assist the IS audit function by: A. defining the authority and responsibility of the IS audit function. B. providing details on how to execute the audit program. C. providing direction and information regarding the performance of audits. D. outlining the specific steps needed to complete audits Answer: C Explanation: Audit frameworks can assist the IS audit function by providing direction and information regarding the performance of audits. Audit frameworks are sets of standards, guidelines and best practices that help IS auditors plan, conduct and report on their audit engagements. Audit frameworks can help IS auditors ensure the quality, consistency and professionalism of their audit work, as well as comply with the expectations and requirements of the stakeholders and regulators. Audit frameworks can also help IS auditors address the specific challenges and risks of auditing information systems and technology. Defining the authority and responsibility of the IS audit function is not a way that audit frameworks assist the IS audit function; that is the role of the IS audit charter. The IS audit charter is a document that defines the purpose, scope, objectives and authority of the IS audit function within the organization. The IS audit charter can help IS auditors establish their role and position in relation to other functions and departments, as well as clarify their rights and obligations. Providing details on how to execute the audit program is not a way that audit frameworks assist the IS audit function; that is the role of the audit methodology.
The audit methodology is a set of procedures and techniques that guide IS auditors in performing their audit tasks and activities. The audit methodology can help IS auditors apply a systematic and structured approach to their audit work, as well as use appropriate tools and methods to collect and analyze evidence. Outlining the specific steps needed to complete audits is not a way that audit frameworks assist the IS audit function; that is the role of the audit plan. The audit plan is a document that describes the scope, objectives, timeline, resources and deliverables of a specific audit engagement. The audit plan can help IS auditors organize and manage their audit work, as well as communicate their expectations and responsibilities to the auditees. Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 51; Understanding Project Audit Frameworks (Wolters Kluwer); How to Implement a Robust Audit Framework (MetricStream Insights); What Is The Internal Audit Function? An Accurate Definition Of The 158. Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document? A. Target architecture is defined at a technical level. B. The previous year's IT strategic goals were not achieved. C. Strategic IT goals are derived solely from the latest market trends. D. Financial estimates of new initiatives are disclosed within the document. Answer: C Explanation: The most concerning finding for an IS auditor reviewing an IT strategy document is that the strategic IT goals are derived solely from the latest market trends. An IT strategy document is a blueprint that defines how an organization will use technology to achieve its goals. It should be based on a thorough analysis of the organization's internal and external factors, such as its vision, mission, values, objectives, strengths, weaknesses, opportunities, threats, customers, competitors, regulations and industry standards.
An IT strategy document should also align with the organization’s business strategy and reflect its unique needs and capabilities. If an IT strategy document is derived solely from the latest market trends, it may not be relevant or appropriate for the organization’s specific situation. It may also lack coherence, consistency, feasibility, or sustainability. The other options are not as concerning as option C. Target architecture is defined at a technical level is not a concern for an IS auditor reviewing an IT strategy document. Target architecture is the desired state of an organization’s IT systems in terms of their structure, functionality, performance, security, interoperability, and integration. Defining target architecture at a technical level can help an IS auditor to understand how the organization plans to achieve its strategic IT goals and what technical requirements and standards it needs to follow. The previous year’s IT strategic goals were not achieved is not a concern for an IS auditor reviewing an IT strategy document. The previous year’s IT strategic goals are the outcomes that the organization intended to accomplish with its IT initiatives in the past year. Not achieving these goals may indicate some challenges or gaps in the organization’s IT performance or execution. However, this does not necessarily affect the quality or validity of the current IT strategy document. An IS auditor should focus on evaluating whether the current IT strategy document is realistic, measurable, achievable, relevant, and time-bound. Financial estimates of new initiatives are disclosed within the document is not a concern for an IS auditor reviewing an IT strategy document. Financial estimates are projections of the costs and benefits of new initiatives that are part of the IT strategy document. 
Disclosing financial estimates within the document can help an IS auditor to assess whether the new initiatives are aligned with the organization's budget and resources and whether they provide value for money. Reference: IT Strategy Template for a Successful Strategic Plan (Gartner); Definitive Guide to Developing an IT Strategy and Roadmap (CioPages); An Example of a Well-Developed IT Strategy Plan (Resolute) 159. An IS auditor discovers that backups of critical systems are not being performed in accordance with the recovery point objective (RPO) established in the business continuity plan (BCP). What should the auditor do NEXT? A. Request an immediate backup be performed. B. Expand the audit scope. C. Identify the root cause. D. Include the observation in the report. Answer: C 160. An IS auditor is verifying the adequacy of an organization's internal controls and is concerned about potential circumvention of regulations. Which of the following is the BEST sampling method to use? A. Variable sampling B. Random sampling C. Cluster sampling D. Attribute sampling Answer: B Explanation: The best sampling method to use when verifying the adequacy of an organization's internal controls with a concern about potential circumvention of regulations is B. Random sampling. Random sampling is a method of selecting a sample from a population in which each item has an equal and independent chance of being selected. Random sampling reduces the risk of bias or manipulation in the sample selection, which matters when the auditor suspects that controls may have been deliberately circumvented, and ensures that the sample is representative of the population. Random sampling can be used for both attribute and variable sampling, which are two types of audit sampling that test for the occurrence rate or the monetary value of errors, respectively. 161. Which of the following is the BEST detective control for a job scheduling process involving data transmission? A. Metrics denoting the volume of monthly job failures are reported and reviewed by senior management. B.
Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP). C. Jobs are scheduled and a log of this activity is retained for subsequent review. D. Job failure alerts are automatically generated and routed to support personnel. Answer: D Explanation: The best detective control for a job scheduling process involving data transmission is job failure alerts that are automatically generated and routed to support personnel. Job failure alerts are notifications that indicate when a scheduled job or task fails to execute or complete successfully, whether due to errors, interruptions or delays. Job failure alerts detect issues or anomalies in the job scheduling process as they occur and route them to the support personnel who can investigate and resolve the problem. The other options are not as effective as job failure alerts in detecting issues or anomalies in the job scheduling process involving data transmission, as they do not provide timely or specific information or feedback. Metrics denoting the volume of monthly job failures reported to and reviewed by senior management are a reporting technique that can help measure and improve the performance and reliability of the job scheduling process, but they do not provide immediate or detailed information on individual job failures. Scheduling jobs to be completed daily and transmitting data using a Secure File Transfer Protocol (SFTP) is a preventive control that can help ensure the timeliness and security of the job scheduling process involving data transmission, but it does not detect any issues or anomalies that may occur during the process.
Retaining a log of scheduled job activity for subsequent review is a logging technique that can help record and track the status and results of the job scheduling process involving data transmission, but it is detective only after the fact: it does not provide real-time or proactive notification of job failures. Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.2 162. Which of the following is a social engineering attack method? A. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone. B. A hacker walks around an office building using scanning tools to search for a wireless network to gain access. C. An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties. D. An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door. Answer: A Explanation: Social engineering is a technique that exploits human weaknesses, such as trust, curiosity or greed, to obtain information or access from a target. An employee being induced to reveal confidential IP addresses and passwords by answering questions over the phone (pretexting or vishing) is the clearest example of a social engineering attack method, as it consists entirely of manipulating the employee into divulging sensitive information that can be used to compromise the network or system. A hacker walking around an office building using scanning tools to search for a wireless network (wardriving) and an intruder eavesdropping on network traffic and selling it to third parties are technical attacks that involve no human interaction or deception. Following an authorized person through a secure door (tailgating) does rely on human behaviour and is often grouped with physical social engineering, but it exploits courtesy rather than deceiving the target into handing over information, so option A is the best answer. Reference: ISACA CISA Review Manual 27th Edition, page 361. 163.
Which of the following should be of MOST concern to an IS auditor reviewing an organization's operational log management? A. Log file size has grown year over year. B. Critical events are being logged to immutable log files. C. Applications are logging events into multiple log files. D. Data formats have not been standardized across all logs. Answer: D 164. Management has decided to accept a risk in response to a draft audit recommendation. Which of the following should be the IS auditor's NEXT course of action? A. Document management's acceptance in the audit report. B. Escalate the acceptance to the board. C. Ensure a follow-up audit is on next year's plan. D. Escalate acceptance to the audit committee. Answer: A 165. Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center? A. Segregation of duties between staff ordering and staff receiving information assets B. Complete and accurate list of information assets that have been deployed C. Availability and testing of onsite backup generators D. Knowledge of the IT staff regarding data protection requirements Answer: B Explanation: The most important prerequisite for the protection of physical information assets in a data center is a complete and accurate list of information assets that have been deployed. Information assets are any data, devices, systems or software that have value for the organization and need to be protected from unauthorized access, use, disclosure, modification or destruction. A data center is a facility that houses information assets such as servers, storage devices and network equipment that support the organization's IT operations and services. A complete and accurate list of information assets that have been deployed in a data center can help to identify and classify the assets based on their importance, sensitivity or criticality for the organization; an asset that is not on the inventory cannot be assigned an owner, a classification or a control.
This can help to determine the appropriate level of protection and security measures that need to be applied to each asset. A complete and accurate list of information assets can also help to track and monitor the location, status, ownership, usage, configuration and maintenance of each asset. This can help to prevent or detect any unauthorized or inappropriate changes or movements of assets that may compromise their security or integrity. Segregation of duties between staff ordering and staff receiving information assets, availability and testing of onsite backup generators, and knowledge of the IT staff regarding data protection requirements are also important for the protection of physical information assets in a data center, but not as important as a complete and accurate list of information assets that have been deployed. These factors are more related to the implementation and maintenance of security controls and procedures that depend on having a complete and accurate list of information assets as a starting point. Reference: ISACA CISA Review Manual 27th Edition, page 308 166. Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project? A. Performing independent reviews of responsible parties engaged in the project B. Shortlisting vendors to perform renovations C. Ensuring the project progresses as scheduled and milestones are achieved D. Implementing data center operational controls Answer: A Explanation: IS auditors primarily provide assurance and oversight. In this context, independent reviews ensure that those responsible for the renovation project are meeting their obligations, following best practices, and managing risks appropriately. Taking on vendor selection, project management or control implementation (options B, C and D) would make the auditor part of the process being audited and impair independence. Reference: ISACA's Code of Professional Ethics, which emphasizes the IS auditor's duty to be independent and objective.
The Role of IS Audit: IS auditors are not project managers but provide objective assessment and guidance regarding controls and risk mitigation within projects. CISA Review Manual (27th Edition): sections discussing the role of IS auditors in infrastructure projects or similar initiatives. 167. What is the PRIMARY purpose of performing a parallel run of a new system? A. To train the end users and supporting staff on the new system B. To verify the new system provides required business functionality C. To reduce the need for additional testing D. To validate the new system against its predecessor Answer: D Explanation: The primary purpose of performing a parallel run of a new system is to validate the new system against its predecessor. A parallel run is a changeover strategy in which the new system and the old system process the same live transactions simultaneously for a period, so that the results and outputs of both systems can be compared to ensure that the new system is working correctly and reliably. A parallel run can also help identify and resolve any errors, discrepancies or inconsistencies in the new system before the old system is discontinued. The other options are not the primary purpose of performing a parallel run of a new system. A. To train the end users and supporting staff on the new system. Training is an important part of system implementation, but it is not the main reason for doing a parallel run. Training can be done before, during or after the parallel run, depending on the needs and preferences of the organization. B. To verify the new system provides required business functionality. Verifying the business functionality of the new system is part of user acceptance testing (UAT), which is a formal and structured process of testing whether the new system meets the specifications and expectations of the users and stakeholders.
UAT is usually done before the parallel run, as a prerequisite for system changeover. C. To reduce the need for additional testing. Reducing the need for additional testing is not the primary purpose of performing a parallel run, but rather a possible benefit or outcome of doing so. A parallel run can help ensure that the new system is thoroughly tested and validated in a real-world environment, which may reduce the likelihood of encountering major issues or defects later on. However, additional testing may still be needed after the parallel run, depending on the feedback and evaluation of the users and stakeholders. Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 2471 IS 168. Which of the following technologies has the SMALLEST maximum range for data transmission between devices? A. Wi-Fi B. Bluetooth C. Long-term evolution (LTE) D. Near-field communication (NFC) Answer: D Explanation: The technology that has the smallest maximum range for data transmission between devices is 101 / 107 near-field communication (NFC). NFC is a short-range wireless technology that enables two devices to communicate when they are in close proximity, usually within a few centimeters. NFC is commonly used for contactless payments, smart cards, and device pairing. According to the Bluetooth® Technology Website1, the effective range of NFC is less than a meter, while the other technologies have much longer ranges. Wi-Fi can reach up to 100 meters indoors and 300 meters outdoors2. Bluetooth can reach up to 800 feet with Bluetooth 5.0 specification3. Long-term evolution (LTE) can reach up to several kilometers depending on the cell tower and the device4. Reference: 5: What is Wi-Fi? - Definition from. WhatIs.com 6: Understanding Bluetooth Range | Bluetooth® Technology Website 7: What is Bluetooth Range? What You Need to Know 8: How far can LTE signals travel? - Quora 169. Which of the following is a social engineering attack method? A. 
An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door. B. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone. C. A hacker walks around an office building using scanning tools to search for a wireless network to gain access. D. An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties. Answer: B Explanation: An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone. This is a social engineering attack method that exploits the trust or curiosity of the employee to obtain sensitive information that can be used to access or compromise the network. According to the web search results, social engineering is a technique that uses psychological manipulation to trick users into making security mistakes or giving away sensitive information1. Phishing, whaling, baiting, and pretexting are some of the common forms of social engineering attacks2. Social engineering attacks are often more effective and profitable than purely technical attacks, as they rely on human error rather than system vulnerabilities 170. Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned 102 / 107 IT budget with the organization's goals and strategic objectives? A. Enterprise architecture (EA) B. Business impact analysis (BIA) C. Risk assessment report D. Audit recommendations Answer: A Explanation: Enterprise architecture (EA) is the most helpful to an IS auditor reviewing the alignment of planned IT budget with the organization’s goals and strategic objectives. EA is a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a comprehensive approach at all times, for the successful development and execution of strategy1. 
EA provides a blueprint for an effective IT strategy and guides the controlled evolution of IT in a way that delivers business benefit in a cost-effective way2. By reviewing the EA, the IS auditor can evaluate how well the planned IT budget supports the business vision, strategy, objectives, and capabilities of the organization. The other options are not as helpful as EA for reviewing the alignment of planned IT budget with the organization’s goals and strategic objectives. BIA is a process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption3. BIA quantifies the impacts of disruptions on service delivery, risks to service delivery, and recovery time objectives (RTOs) and recovery point objectives (RPOs)3. BIA is useful for developing strategies, solutions, and plans for business continuity and disaster recovery, but it does not directly address the alignment of planned IT budget with the organization’s goals and strategic objectives. Risk assessment report is a document that contains the results of performing a risk assessment or the formal output from the process of assessing risk4. Risk assessment is a method to identify, analyze, and control hazards and risks present in a situation or a place5. Risk assessment report is useful for identifying and mitigating potential threats and issues that are detrimental to the business or an enterprise, but it does not directly address the alignment of planned IT budget with the organization’s goalsand strategic objectives. Audit recommendations are guidance that highlights actions to be taken by management6. When implemented, process risks should be mitigated, and performance should be enhanced6. 
Audit recommendations are useful for improving the quality and reliability of the information system and its outputs, but they do not directly address the alignment of planned IT budget with the organization’s goals and strategic objectives. Therefore, option A is the correct answer. 171. A bank has a combination of corporate customer accounts (higher monetary value) and 103 / 107 small business accounts (lower monetary value) as part of online banking. Which of the following is the BEST sampling approach for an IS auditor to use for these accounts? A. Difference estimation sampling B. Stratified mean per unit sampling C. Customer unit sampling D. Unstratified mean per unit sampling Answer: B Explanation: Stratified mean per unit sampling is a method of audit sampling that divides the population into subgroups (strata) based on some characteristic, such as monetary value, and then selects a sample from each stratum using mean per unit sampling. Mean per unit sampling is a method of audit sampling that estimates the total value of a population by multiplying the average value of the sample items by the number of items in the population. Stratified mean per unit sampling is suitable for populations that have a high variability or a skewed distribution, such as the bank accounts in this question. By stratifying the population, the auditor can reduce the sampling error and increase the precision of the estimate. Difference estimation sampling (option A) is not the best sampling approach for these accounts. Difference estimation sampling is a method of audit sampling that estimates the total error or misstatement in a population by multiplying the average difference between the book value and the audited value of the sample items by the number of items in the population. Difference estimation sampling is suitable for populations that have a low variability and a symmetrical distribution, which is not the case for the bank accounts in this question. 
Customer unit sampling (option C) is not a sampling approach, but a type of monetary unit sampling. Monetary unit sampling is a method of audit sampling that selects sample items based on their monetary value, rather than their physical units. Customer unit sampling is a variation of monetary unit sampling that treats each customer account as a single unit, regardless of how many transactions or balances it contains. Customer unit sampling may be appropriate for testing existence or occurrence assertions, but not for estimating total values. Unstratified mean per unit sampling (option D) is not the best sampling approach for these accounts. Unstratified mean per unit sampling is a method of audit sampling that applies mean per unit sampling to the entire population without dividing it into subgroups. Unstratified mean per unit sampling may result in a larger sample size and a lower precision than stratified mean per unit sampling, especially for populations that have a high variability or a skewed distribution, such as the bank accounts in this question. 104 / 107 Therefore, option B is the correct answer. Reference: Audit Sampling - AICPA Audit Sampling: Examples and Guidance To The Sampling Methods Audit Sampling | Audit | Financial Audit - Scribd 172. During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST A. perform a business impact analysis (BIA). B. issue an intermediate report to management. C. evaluate the impact on current disaster recovery capability. D. conduct additional compliance testing. Answer: C Explanation: The first step that an IS auditor should take when finding that a business impact analysis (BIA) has not been performed is to evaluate the impact on current disaster recovery capability. A BIA is a process that identifies and analyzes the potential effects of disruptions to critical business functions and processes. 
A BIA helps determine the recovery priorities, objectives, and strategies for the organization. Without a BIA, the disaster recovery plan may not be aligned with the business needs and expectations, and may not provide adequate protection and recovery for the most critical assets and activities. Therefore, an IS auditor should assess how the lack of a BIA affects the current disaster recovery capability and identify any gaps or risks that need to be addressed. Performing a BIA, issuing an intermediate report to management, and conducting additional compliance testing are not the first steps that an IS auditor should take when finding that a BIA has not been performed. These steps may be done later in the audit process, after evaluating the impact on current disaster recovery capability. Performing a BIA is not the responsibility of the IS auditor, but of the business owners and managers. Issuing an intermediate report to management may be premature without sufficient evidence and analysis. Conducting additional compliance testing may not be relevant or necessary without a clear understanding of the disaster recovery requirements and objectives. 173. Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised? A. Industry regulations B. Industry standards C. Incident response plan 105 / 107 D. Information security policy Answer: A Explanation: Following a breach, the maximum amount of time before customers must be notified that their personal information may have been compromised depends on the industry regulations that apply to the organization. 
Different industries and jurisdictions may have different legal and regulatory requirements for breach notification, such as the General Data Protection Regulation (GDPR) in the European Union, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Industry standards, incident response plans, and information security policies are not as authoritative as industry regulations in determining the breach notification time frame. Reference: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program Management Guide] 174. Which of the following should be done FIRST to minimize the risk of unstructured data? A. Identify repositories of unstructured data. B. Purchase tools to analyze unstructured data. C. Implement strong encryption for unstructured data. D. Implement user access controls to unstructured data. Answer: A Explanation: Unstructured data is data that does not have a predefined model or organization, making it difficult to store, process, and analyze using traditional relational databases or spreadsheets. Unstructured data can pose a risk to an organization if it contains sensitive, confidential, or regulated information that is not properly secured, managed, or governed. To minimize the risk of unstructured data, the first step is to identify the repositories of unstructured data, such as file servers, cloud storage, email systems, social media platforms, etc. This will help to understand the scope, volume, and nature of unstructured data in the organization, and to prioritize the areas that need further analysis and action. Reference: Unstructured data - Wikipedia 106 / 107 More Hot Exams are available. 