Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CISA Exam Dumps - Isaca Certification Questions and Answers

Question # 104

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Options:

A.

Background checks

B.

User awareness training

C.

Transaction log review

D.

Mandatory holidays

Buy Now
Question # 105

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Options:

A.

Periodically reviewing log files

B.

Configuring the router as a firewall

C.

Using smart cards with one-time passwords

D.

Installing biometrics-based authentication

Buy Now
Question # 106

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

Options:

A.

Implement a process to actively monitor postings on social networking sites.

B.

Adjust budget for network usage to include social media usage.

C.

Use data loss prevention (DLP) tools on endpoints.

D.

implement policies addressing acceptable usage of social media during working hours.

Buy Now
Question # 107

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Report the mitigating controls.

B.

Report the security posture of the organization.

C.

Determine the value of the firewall.

D.

Determine the risk of not replacing the firewall.

Buy Now
Question # 108

The implementation of an IT governance framework requires that the board of directors of an organization:

Options:

A.

Address technical IT issues.

B.

Be informed of all IT initiatives.

C.

Have an IT strategy committee.

D.

Approve the IT strategy.

Buy Now
Question # 109

Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

Options:

A.

Implement network access control.

B.

Implement outbound firewall rules.

C.

Perform network reviews.

D.

Review access control lists.

Buy Now
Question # 110

Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?

Options:

A.

Blocking attachments in IM

B.

Blocking external IM traffic

C.

Allowing only corporate IM solutions

D.

Encrypting IM traffic

Buy Now
Question # 111

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Options:

A.

Identifying relevant roles for an enterprise IT governance framework

B.

Making decisions regarding risk response and monitoring of residual risk

C.

Verifying that legal, regulatory, and contractual requirements are being met

D.

Providing independent and objective feedback to facilitate improvement of IT processes

Buy Now
Question # 112

Which of the following is the BEST indication of effective governance over IT infrastructure?

Options:

A.

The ability to deliver continuous, reliable performance

B.

A requirement for annual security awareness programs

C.

An increase in the number of IT infrastructure servers

D.

A decrease in the number of information security incidents

Buy Now
Question # 113

IT governance should be driven by:

Options:

A.

business unit initiatives.

B.

balanced scorecards.

C.

policies and standards.

D.

organizational strategies.

Buy Now
Question # 114

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

Options:

A.

The method relies exclusively on the use of public key infrastructure (PKI).

B.

The method relies exclusively on the use of digital signatures.

C.

The method relies exclusively on the use of asymmetric encryption algorithms.

D.

The method relies exclusively on the use of 128-bit encryption.

Buy Now
Question # 115

A bank wants to outsource a system to a cloud provider residing in another country. Which of the following would be the MOST appropriate IS audit recommendation?

Options:

A.

Find an alternative provider in the bank's home country.

B.

Ensure the provider's internal control system meets bank requirements.

C.

Proceed as intended, as the provider has to observe all laws of the clients’ countries.

D.

Ensure the provider has disaster recovery capability.

Buy Now
Question # 116

An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?

Options:

A.

The organization may be locked into an unfavorable contract with the vendor.

B.

The vendor may be unable to restore critical data.

C.

The vendor may be unable to restore data by recovery time objective (RTO) requirements.

D.

The organization may not be allowed to inspect the vendor's data center.

Buy Now
Question # 117

During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor's NEXT step should be to:

Options:

A.

recommend a control to automatically update access rights.

B.

determine the reason why access rights have not been revoked.

C.

direct management to revoke current access rights.

D.

determine if access rights are in violation of software licenses.

Buy Now
Question # 118

A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year. Which of the following would BEST enable the agency to improve the performance of its servers during the busy period?

Options:

A.

Virtual firewall

B.

Proxy server

C.

Load balancer

D.

Virtual private network (VPN)

Buy Now
Question # 119

What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?

Options:

A.

Determine service level requirements.

B.

Complete a risk assessment.

C.

Perform a business impact analysis (BIA)

D.

Conduct a vendor audit.

Buy Now
Question # 120

During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?

Options:

A.

The business case reflects stakeholder requirements.

B.

The business case is based on a proven methodology.

C.

The business case passed a quality review by an independent party.

D.

The business case identifies specific plans for cost allocation.

Buy Now
Question # 121

Which of the following is MOST important for the successful establishment of a security vulnerability management program?

Options:

A.

A robust tabletop exercise plan

B.

A comprehensive asset inventory

C.

A tested incident response plan

D.

An approved patching policy

Buy Now
Question # 122

Which of the following provides the BEST evidence of the validity and integrity of logs in an organization's security information and event management (SIEM) system?

Options:

A.

Compliance testing

B.

Stop-or-go sampling

C.

Substantive testing

D.

Variable sampling

Buy Now
Question # 123

An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor's independence?

Options:

A.

The auditor implemented a specific control during the development of the system.

B.

The auditor provided advice concerning best practices.

C.

The auditor participated as a member of the project team without operational responsibilities

D.

The auditor designed an embedded audit module exclusively for audit

Buy Now
Question # 124

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Options:

A.

Requiring policy acknowledgment and nondisclosure agreements signed by employees

B.

Providing education and guidelines to employees on use of social networking sites

C.

Establishing strong access controls on confidential data

D.

Monitoring employees' social networking usage

Buy Now
Question # 125

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

Options:

A.

integrated test facility (ITF).

B.

parallel simulation.

C.

transaction tagging.

D.

embedded audit modules.

Buy Now
Question # 126

Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

Options:

A.

Documentation of exit routines

B.

System initialization logs

C.

Change control log

D.

Security system parameters

Buy Now
Question # 127

Which of the following is the MOST important advantage of participating in beta testing of software products?

Options:

A.

It increases an organization's ability to retain staff who prefer to work with new technology.

B.

It improves vendor support and training.

C.

It enhances security and confidentiality.

D.

It enables an organization to gain familiarity with new products and their functionality.

Buy Now
Question # 128

Which of the following is the BEST way to ensure an organization's data classification policies are preserved during the process of data transformation?

Options:

A.

Map data classification controls to data sets.

B.

Control access to extract, transform, and load (ETL) tools.

C.

Conduct a data discovery exercise across all business applications.

D.

Implement classification labels in metadata during data creation.

Buy Now
Question # 129

Which type of control is being implemented when a biometric access device is installed at the entrance to a facility?

Options:

A.

Preventive

B.

Deterrent

C.

Corrective

D.

Detective

Buy Now
Question # 130

Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?

Options:

A.

Purchase requisitions and purchase orders

B.

Invoices and reconciliations

C.

Vendor selection and statements of work

D.

Good receipts and payments

Buy Now
Question # 131

Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?

Options:

A.

Risk acceptance

B.

Risk mitigation

C.

Risk transference

D.

Risk reduction

Buy Now
Question # 132

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

Options:

A.

Reviewing the parameter settings

B.

Reviewing the system log

C.

Interviewing the firewall administrator

D.

Reviewing the actual procedures

Buy Now
Question # 133

Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?

Options:

A.

The person who collected the evidence is not qualified to represent the case.

B.

The logs failed to identify the person handling the evidence.

C.

The evidence was collected by the internal forensics team.

D.

The evidence was not fully backed up using a cloud-based solution prior to the trial.

Buy Now
Question # 134

Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?

Options:

A.

Ensuring that audit trails exist for transactions

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator's user ID as a field in every transaction record created

D.

Restricting program functionality according to user security profiles

Buy Now
Question # 135

An information systems security officer's PRIMARY responsibility for business process applications is to:

Options:

A.

authorize secured emergency access

B.

approve the organization's security policy

C.

ensure access rules agree with policies

D.

create role-based rules for each business process

Buy Now
Question # 136

Which of the following is a detective control?

Options:

A.

Programmed edit checks for data entry

B.

Backup procedures

C.

Use of pass cards to gain access to physical facilities

D.

Verification of hash totals

Buy Now
Question # 137

Which of the following is MOST helpful for measuring benefits realization for a new system?

Options:

A.

Function point analysis

B.

Balanced scorecard review

C.

Post-implementation review

D.

Business impact analysis (BIA)

Buy Now
Question # 138

IT disaster recovery time objectives (RTOs) should be based on the:

Options:

A.

maximum tolerable loss of data.

B.

nature of the outage

C.

maximum tolerable downtime (MTD).

D.

business-defined criticality of the systems.

Buy Now
Question # 139

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Options:

A.

Verifying that access privileges have been reviewed

B.

investigating access rights for expiration dates

C.

Updating the continuity plan for critical resources

D.

Updating the security policy

Buy Now
Question # 140

In an online application which of the following would provide the MOST information about the transaction audit trail?

Options:

A.

File layouts

B.

Data architecture

C.

System/process flowchart

D.

Source code documentation

Buy Now
Question # 141

A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?

Options:

A.

Data migration is not part of the contracted activities.

B.

The replacement is occurring near year-end reporting

C.

The user department will manage access rights.

D.

Testing was performed by the third-party consultant

Buy Now
Question # 142

To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

Options:

A.

Review IT staff job descriptions for alignment

B.

Develop quarterly training for each IT staff member.

C.

Identify required IT skill sets that support key business processes

D.

Include strategic objectives m IT staff performance objectives

Buy Now
Question # 143

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

Options:

A.

risk management review

B.

control self-assessment (CSA).

C.

service level agreement (SLA).

D.

balanced scorecard.

Buy Now
Question # 144

In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

Options:

A.

Configure data quality alerts to check variances between the data warehouse and the source system

B.

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

C.

Include the data warehouse in the impact analysis (or any changes m the source system

D.

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

Buy Now
Question # 145

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

Options:

A.

Continuous 24/7 support must be available.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization's staff to manage the new software

Buy Now
Question # 146

When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.

Options:

A.

architecture and cloud environment of the system.

B.

business process supported by the system.

C.

policies and procedures of the business area being audited.

D.

availability reports associated with the cloud-based system.

Buy Now
Question # 147

Which of the following documents should specify roles and responsibilities within an IT audit organization?

Options:

A.

Organizational chart

B.

Audit charier

C.

Engagement letter

D.

Annual audit plan

Buy Now
Question # 148

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:

Options:

A.

the implementation plan meets user requirements.

B.

a full, visible audit trail will be Included.

C.

a dear business case has been established.

D.

the new hardware meets established security standards

Buy Now
Question # 149

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Options:

A.

Legal and compliance requirements

B.

Customer agreements

C.

Data classification

D.

Organizational policies and procedures

Buy Now
Question # 150

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

Options:

A.

Available resources for the activities included in the action plan

B.

A management response in the final report with a committed implementation date

C.

A heal map with the gaps and recommendations displayed in terms of risk

D.

Supporting evidence for the gaps and recommendations mentioned in the audit report

Buy Now
Question # 151

Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

Options:

A.

Staff were not involved in the procurement process, creating user resistance to the new system.

B.

Data is not converted correctly, resulting in inaccurate patient records.

C.

The deployment project experienced significant overruns, exceeding budget projections.

D.

The new system has capacity issues, leading to slow response times for users.

Buy Now
Question # 152

Which of the following is MOST important to consider when scheduling follow-up audits?

Options:

A.

The efforts required for independent verification with new auditors

B.

The impact if corrective actions are not taken

C.

The amount of time the auditee has agreed to spend with auditors

D.

Controls and detection risks related to the observations

Buy Now
Question # 153

Which of the following would be an appropriate rote of internal audit in helping to establish an organization's privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Designing controls to protect personal data

C.

Defining roles within the organization related to privacy

D.

Developing procedures to monitor the use of personal data

Buy Now
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Apr 2, 2025
Questions: 1404
CISA pdf

CISA PDF

$59.7  $199
CISA Engine

CISA Testing Engine

$67.5  $225
CISA PDF + Engine

CISA PDF + Testing Engine

$74.7  $249