Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CISA Exam Dumps - Isaca Certification Questions and Answers

Question # 154

An organization has assigned two now IS auditors to audit a now system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which ol the following is MOST important to meet the IS audit standard for proficiency?

Options:

A.

The standard is met as long as one member has a globally recognized audit certification.

B.

Technical co-sourcing must be used to help the new staff.

C.

Team member assignments must be based on individual competencies.

D.

The standard is met as long as a supervisor reviews the new auditors' work.

Buy Now
Question # 155

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

Options:

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The retention period complies with data owner responsibilities.

D.

The total transaction amount has no impact on financial reporting

Buy Now
Question # 156

Which of the following BEST Indicates that an incident management process is effective?

Options:

A.

Decreased time for incident resolution

B.

Increased number of incidents reviewed by IT management

C.

Decreased number of calls lo the help desk

D.

Increased number of reported critical incidents

Buy Now
Question # 157

Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?

Options:

A.

Water sprinkler

B.

Fire extinguishers

C.

Carbon dioxide (CO2)

D.

Dry pipe

Buy Now
Question # 158

Which of the following is the MAIN purpose of an information security management system?

Options:

A.

To identify and eliminate the root causes of information security incidents

B.

To enhance the impact of reports used to monitor information security incidents

C.

To keep information security policies and procedures up-to-date

D.

To reduce the frequency and impact of information security incidents

Buy Now
Question # 159

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

Options:

A.

the access control system's log settings.

B.

how the latest system changes were implemented.

C.

the access control system's configuration.

D.

the access rights that have been granted.

Buy Now
Question # 160

Which of the following business continuity activities prioritizes the recovery of critical functions?

Options:

A.

Business continuity plan (BCP) testing

B.

Business impact analysis (BIA)

C.

Disaster recovery plan (DRP) testing

D.

Risk assessment

Buy Now
Question # 161

An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

Options:

A.

The security of the desktop PC is enhanced.

B.

Administrative security can be provided for the client.

C.

Desktop application software will never have to be upgraded.

D.

System administration can be better managed

Buy Now
Question # 162

In an online application, which of the following would provide the MOST information about the transaction audit trail?

Options:

A.

System/process flowchart

B.

File layouts

C.

Data architecture

D.

Source code documentation

Buy Now
Question # 163

Which of the following is an example of a preventative control in an accounts payable system?

Options:

A.

The system only allows payments to vendors who are included In the system's master vendor list.

B.

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.

Policies and procedures are clearly communicated to all members of the accounts payable department

Buy Now
Question # 164

An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor's PRIMARY concern?

Options:

A.

A single point of failure for both voice and data communications

B.

Inability to use virtual private networks (VPNs) for internal traffic

C.

Lack of integration of voice and data communications

D.

Voice quality degradation due to packet toss

Buy Now
Question # 165

During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

Options:

A.

Ask management why the regulatory changes have not been Included.

B.

Discuss potential regulatory issues with the legal department

C.

Report the missing regulatory updates to the chief information officer (CIO).

D.

Exclude recent regulatory changes from the audit scope.

Buy Now
Question # 166

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at test?

Options:

A.

Short key length

B.

Random key generation

C.

Use of symmetric encryption

D.

Use of asymmetric encryption

Buy Now
Question # 167

An IS auditor Is reviewing a recent security incident and is seeking information about me approval of a recent modification to a database system's security settings Where would the auditor MOST likely find this information?

Options:

A.

System event correlation report

B.

Database log

C.

Change log

D.

Security incident and event management (SIEM) report

Buy Now
Question # 168

An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?

Options:

A.

Conduct security awareness training.

B.

Implement an acceptable use policy

C.

Create inventory records of personal devices

D.

Configure users on the mobile device management (MDM) solution

Buy Now
Question # 169

Which of the following is MOST important for an IS auditor to consider when performing the risk assessment poor to an audit engagement?

Options:

A.

The design of controls

B.

Industry standards and best practices

C.

The results of the previous audit

D.

The amount of time since the previous audit

Buy Now
Question # 170

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the organization's web server.

B.

the demilitarized zone (DMZ).

C.

the organization's network.

D.

the Internet

Buy Now
Question # 171

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

Options:

A.

Redundant pathways

B.

Clustering

C.

Failover power

D.

Parallel testing

Buy Now
Question # 172

In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

Options:

A.

Reviewing the last compile date of production programs

B.

Manually comparing code in production programs to controlled copies

C.

Periodically running and reviewing test data against production programs

D.

Verifying user management approval of modifications

Buy Now
Question # 173

Capacity management enables organizations to:

Options:

A.

forecast technology trends

B.

establish the capacity of network communication links

C.

identify the extent to which components need to be upgraded

D.

determine business transaction volumes.

Buy Now
Question # 174

Which of the following represents the HIGHEST level of maturity of an information security program?

Options:

A.

A training program is in place to promote information security awareness.

B.

A framework is in place to measure risks and track effectiveness.

C.

Information security policies and procedures are established.

D.

The program meets regulatory and compliance requirements.

Buy Now
Question # 175

An employee loses a mobile device resulting in loss of sensitive corporate data. Which o( the following would have BEST prevented data leakage?

Options:

A.

Data encryption on the mobile device

B.

Complex password policy for mobile devices

C.

The triggering of remote data wipe capabilities

D.

Awareness training for mobile device users

Buy Now
Question # 176

An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?

Options:

A.

Security cameras deployed outside main entrance

B.

Antistatic mats deployed at the computer room entrance

C.

Muddy footprints directly inside the emergency exit

D.

Fencing around facility is two meters high

Buy Now
Question # 177

Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

Options:

A.

Data from the source and target system may be intercepted.

B.

Data from the source and target system may have different data formats.

C.

Records past their retention period may not be migrated to the new system.

D.

System performance may be impacted by the migration

Buy Now
Question # 178

A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to:

Options:

A.

evaluate replacement systems and performance monitoring software.

B.

restrict functionality of system monitoring software to security-related events.

C.

re-install the system and performance monitoring software.

D.

use analytical tools to produce exception reports from the system and performance monitoring software

Buy Now
Question # 179

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

Options:

A.

Staging

B.

Testing

C.

Integration

D.

Development

Buy Now
Question # 180

In a RAO model, which of the following roles must be assigned to only one individual?

Options:

A.

Responsible

B.

Informed

C.

Consulted

D.

Accountable

Buy Now
Question # 181

Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

Options:

A.

The job scheduler application has not been designed to display pop-up error messages.

B.

Access to the job scheduler application has not been restricted to a maximum of two staff members

C.

Operations shift turnover logs are not utilized to coordinate and control the processing environment

D.

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

Buy Now
Question # 182

Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?

Options:

A.

Information security program plans

B.

Penetration test results

C.

Risk assessment results

D.

Industry benchmarks

Buy Now
Question # 183

Upon completion of audit work, an IS auditor should:

Options:

A.

provide a report to senior management prior to discussion with the auditee.

B.

distribute a summary of general findings to the members of the auditing team.

C.

provide a report to the auditee stating the initial findings.

D.

review the working papers with the auditee.

Buy Now
Question # 184

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Options:

A.

Statement of work (SOW)

B.

Nondisclosure agreement (NDA)

C.

Service level agreement (SLA)

D.

Privacy agreement

Buy Now
Question # 185

An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

Options:

A.

violation reports may not be reviewed in a timely manner.

B.

a significant number of false positive violations may be reported.

C.

violations may not be categorized according to the organization's risk profile.

D.

violation reports may not be retained according to the organization's risk profile.

Buy Now
Question # 186

Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

Options:

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Buy Now
Question # 187

An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST

Options:

A.

document the exception in an audit report.

B.

review security incident reports.

C.

identify compensating controls.

D.

notify the audit committee.

Buy Now
Question # 188

Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?

Options:

A.

Service management standards are not followed.

B.

Expected time to resolve incidents is not specified.

C.

Metrics are not reported to senior management.

D.

Prioritization criteria are not defined.

Buy Now
Question # 189

An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found Which sampling method would be appropriate?

Options:

A.

Discovery sampling

B.

Judgmental sampling

C.

Variable sampling

D.

Stratified sampling

Buy Now
Question # 190

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

Options:

A.

Compare the agile process with previous methodology.

B.

Identify and assess existing agile process control

C.

Understand the specific agile methodology that will be followed.

D.

Interview business process owners to compile a list of business requirements

Buy Now
Question # 191

Which of the following would MOST effectively ensure the integrity of data transmitted over a network?

Options:

A.

Message encryption

B.

Certificate authority (CA)

C.

Steganography

D.

Message digest

Buy Now
Question # 192

Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?

Options:

A.

Implementing two-factor authentication

B.

Restricting access to transactions using network security software

C.

implementing role-based access at the application level

D.

Using a single menu tor sensitive application transactions

Buy Now
Question # 193

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

Options:

A.

The certificate revocation list has not been updated.

B.

The PKI policy has not been updated within the last year.

C.

The private key certificate has not been updated.

D.

The certificate practice statement has not been published

Buy Now
Question # 194

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?

Options:

A.

Require documentation that the finding will be addressed within the new system

B.

Schedule a meeting to discuss the issue with senior management

C.

Perform an ad hoc audit to determine if the vulnerability has been exploited

D.

Recommend the finding be resolved prior to implementing the new system

Buy Now
Question # 195

During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements Which of the following is the BEST way to obtain this assurance?

Options:

A.

Review sign-off documentation

B.

Review the source code related to the calculation

C.

Re-perform the calculation with audit software

D.

Inspect user acceptance lest (UAT) results

Buy Now
Question # 196

Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Options:

A.

Audit charter

B.

IT steering committee

C.

Information security policy

D.

Audit best practices

Buy Now
Question # 197

An IS auditor should ensure that an application's audit trail:

Options:

A.

has adequate security.

B.

logs ail database records.

C.

Is accessible online

D.

does not impact operational efficiency

Buy Now
Question # 198

An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

Options:

A.

Availability of the user list reviewed

B.

Confidentiality of the user list reviewed

C.

Source of the user list reviewed

D.

Completeness of the user list reviewed

Buy Now
Question # 199

The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

Options:

A.

randomly selected by a test generator.

B.

provided by the vendor of the application.

C.

randomly selected by the user.

D.

simulated by production entities and customers.

Buy Now
Question # 200

To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

Options:

A.

Root cause

B.

Responsible party

C.

impact

D.

Criteria

Buy Now
Question # 201

Which of the following is a social engineering attack method?

Options:

A.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

B.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

C.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

D.

An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.

Buy Now
Question # 202

An internal audit department recently established a quality assurance (QA) program. Which of the following activities Is MOST important to include as part of the QA program requirements?

Options:

A.

Long-term Internal audit resource planning

B.

Ongoing monitoring of the audit activities

C.

Analysis of user satisfaction reports from business lines

D.

Feedback from Internal audit staff

Buy Now
Question # 203

Which of the following provides the BEST evidence of effective IT portfolio managements?

Options:

A.

IT portfolio updates are communicated when approved.

B.

Programs in the IT portfolio are prioritized by each business function.

C.

The IT portfolio is updated as business strategy changes.

D.

The IT portfolio is updated on the basis of current industry benchmarks.

Buy Now
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Apr 3, 2025
Questions: 1404
CISA pdf

CISA PDF

$59.7  $199
CISA Engine

CISA Testing Engine

$67.5  $225
CISA PDF + Engine

CISA PDF + Testing Engine

$74.7  $249