
CISA Exam Dumps - Isaca Certification Questions and Answers

Question # 204

An organization saves confidential information in a file with password protection and the file is placed in a shared folder. An attacker has stolen this information by obtaining the password through social engineering. Implementing which of the following would BEST enable the organization to prevent this type of incident in the future?

Options:

A. Multi-factor authentication (MFA)
B. Security awareness programs for employees
C. Access history log review by the business manager
D. File encryption along with password protection

Question # 205

Which of the following is the MAIN objective of enterprise architecture (EA) governance?

Options:

A. To ensure new processes and technologies harmonize with existing processes
B. To ensure the EA can adapt to emerging technology trends
C. To ensure the EA is compliant with local laws and regulations
D. To ensure new initiatives produce an acceptable return on investment (ROI)

Question # 206

Which of the following system redundancy configurations BEST improves system resiliency and reduces the possibility of a single cause of failure impacting system dependability?

Options:

A. Active redundancy
B. Homogeneous redundancy
C. Diverse redundancy
D. Passive redundancy

Question # 207

Before the release of a new application into an organization’s production environment, which of the following should be in place to ensure that proper testing has occurred and rollback plans are in place?

Options:

A. Change approval board
B. Standardized change requests
C. Independent third-party approval
D. Secure code review

Question # 208

An IS auditor has been tasked with analyzing an organization's capital expenditures against its repair and maintenance costs. Which of the following is the BEST reason to use a data analytics tool for this purpose?

Options:

A. It reduces the error rate.
B. It improves the reliability of the data.
C. It enables the auditor to work with 100% of the transactions.
D. It reduces the sample size required to perform the audit.

Question # 209

During a pre-implementation review, an IS auditor notes that some scenarios have not been tested. Management has indicated that the project is critical and cannot be postponed. Which of the following is the auditor's BEST course of action?

Options:

A. Determine whether the tested scenarios covered the most significant project risks.
B. Help management complete remaining scenario testing before implementation.
C. Recommend project implementation be postponed until all scenarios have been tested.
D. Perform remaining scenario testing in the production environment post-implementation.

Question # 210

When planning a review of IT governance, an IS auditor is MOST likely to:

Options:

A. assess whether business process owner responsibilities are consistent.
B. obtain information about the control framework adopted by management.
C. examine audit committee minutes for IT-related controls.
D. define key performance indicators (KPIs).

Question # 211

An organization's business continuity plan (BCP) should be:

Options:

A. updated before an independent audit review.
B. tested after an intrusion attempt into the organization's hot site.
C. tested whenever new applications are implemented.
D. updated based on changes to personnel and environments.

Question # 212

Which of the following observations should be of GREATEST concern to an IS auditor assessing access controls for the accounts payable module of a finance system?

Options:

A. Payment files are stored on a shared drive in a writable format prior to processing.
B. Accounts payable staff have access to update vendor bank account details.
C. The IS auditor was granted access to create purchase orders.
D. Configured delegation limits do not align to the organization's delegation policy.

Question # 213

Which of the following should be of GREATEST concern to an IS auditor assessing an organization's patch management program?

Options:

A. Patches are deployed from multiple deployment servers.
B. There is no process in place to scan the network to identify missing patches.
C. Patches for medium- and low-risk vulnerabilities are omitted.
D. There is no process in place to quarantine servers that have not been patched.

Question # 214

An IS auditor is reviewing an organization that performs backups on local database servers every two weeks and does not have a formal policy to govern data backup and restoration procedures. Which of the following findings presents the GREATEST risk to the organization?

Options:

A. Lack of offsite data backups
B. Absence of a data backup policy
C. Lack of periodic data restoration testing
D. Insufficient data backup frequency

Question # 215

Management has requested a post-implementation review of a newly implemented purchasing package to determine the extent that business requirements are being met. Which of the following is MOST likely to be assessed?

Options:

A. Acceptance testing results
B. Results of live processing
C. Implementation methodology
D. Purchasing guidelines and policies

Question # 216

A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?

Options:

A. Business objectives
B. Business impact analysis (BIA)
C. Enterprise architecture (EA)
D. Recent incident trends

Question # 217

An organization that has decided to approve the use of end-user computing (EUC) should FIRST ensure:

Options:

A. a business impact analysis (BIA) is conducted.
B. EUC controls are reviewed.
C. EUC use cases are assessed and documented.
D. an EUC policy is developed.

Question # 218

Which of the following threats is mitigated by a firewall?

Options:

A. Intrusion attack
B. Asynchronous attack
C. Passive assault
D. Trojan horse

Question # 219

An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of MOST concern?

Options:

A. Confidentiality of the user list
B. Timeliness of the user list review
C. Completeness of the user list
D. Availability of the user list

Question # 220

Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?

Options:

A. Invite external auditors and regulators to perform regular assessments of the IS audit function.
B. Implement rigorous managerial review and sign-off of IS audit deliverables.
C. Frequently review IS audit policies, procedures, and instruction manuals.
D. Establish and embed quality assurance (QA) within the IS audit function.

Question # 221

An organization has both an IT strategy committee and an IT steering committee. When reviewing the minutes of the IT steering committee, an IS auditor would expect to find that the committee:

Options:

A. assessed the contribution of IT to the business.
B. acquired and assigned appropriate resources for projects.
C. compared the risk and return of IT investments.
D. reviewed the achievement of the strategic IT objective.

Question # 222

Which of the following is the PRIMARY advantage of using an automated security log monitoring tool instead of conducting a manual review to monitor the use of privileged access?

Options:

A. Reduced costs associated with automating the review
B. Increased likelihood of detecting suspicious activity
C. Ease of storing and maintaining log files
D. Ease of log retrieval for audit purposes

Question # 223

An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST recommendation prior to go-live?

Options:

A. Conduct a mock conversion test.
B. Review test procedures and scenarios.
C. Automate the test scripts.
D. Establish a configuration baseline.

Question # 224

Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?

Options:

A. Review of monthly performance reports submitted by the vendor
B. Certifications maintained by the vendor
C. Regular independent assessment of the vendor
D. Substantive log file review of the vendor's system

Question # 225

Which of the following provides the BEST evidence that all elements of a business continuity plan (BCP) are operating effectively?

Options:

A. Walk-through test results
B. Full operational test results
C. Tabletop test results
D. Simulation test results

Question # 226

An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?

Options:

A. Big bang
B. Phased
C. Cutover
D. Parallel

Question # 227

How is nonrepudiation supported within a public key infrastructure (PKI) environment?

Options:

A. Through the use of elliptic curve cryptography on transmitted messages
B. Through the use of a certificate issued by a certificate authority (CA)
C. Through the use of private keys to decrypt data received by a user
D. Through the use of enterprise key management systems

Question # 228

Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?

Options:

A. Identify staff training needs related to compliance requirements.
B. Analyze historical compliance-related audit findings.
C. Research and purchase an industry-recognized IT compliance tool.
D. Identify applicable laws, regulations, and standards.

Question # 229

An IS auditor is conducting an IT governance audit and notices many initiatives are managed informally by isolated project managers. Which of the following recommendations would have the GREATEST impact on improving the maturity of the IT team?

Options:

A. Schedule a follow-up audit in the next year to confirm whether IT processes have matured.
B. Create an interdisciplinary IT steering committee to oversee IT prioritization and spending.
C. Document and track all IT decisions in a project management tool.
D. Discontinue all current IT projects until formal approval is obtained and documented.

Question # 230

Which of the following controls is BEST implemented through system configuration?

Options:

    Network user accounts for temporary workers expire after 90 days.
    Application user access is reviewed every 180 days for appropriateness.
    Financial data in key reports is traced to source systems for completeness and accuracy.
A. Computer operations personnel initiate batch processing jobs daily.

Question # 231

Which of the following should be of GREATEST concern to an IS auditor reviewing project documentation for a client relationship management (CRM) system migration project?

Options:

A. The technical migration is planned for a holiday weekend and end users may not be available.
B. Five weeks prior to the target date, there are still numerous defects in the printing functionality.
C. A single implementation phase is planned and the legacy system will be immediately decommissioned.
D. Employees are concerned that data representation in the new system is completely different from the old system.

Question # 232

An organization's sensitive data is stored in a cloud computing environment and is encrypted. Which of the following findings should be of GREATEST concern to an IS auditor?

Options:

A. The encryption keys are not kept under dual control.
B. The cloud vendor does not have multi-regional presence.
C. Symmetric keys are used for encryption.
D. Data encryption keys are accessible to the service provider.

Question # 233

Which of the following is the MOST effective way to detect as many abnormalities as possible during an IS audit?

Options:

A. Conduct a walk-through of the process.
B. Perform substantive testing on sampled records.
C. Perform judgmental sampling of key processes.
D. Use a data analytics tool to identify trends.

Question # 234

Which of the following is an effective way to ensure the integrity of file transfers in a peer-to-peer (P2P) computing environment?

Options:

A. Associate a message authentication code with each file transferred.
B. Ensure the files are transferred through an intrusion detection system (IDS).
C. Encrypt the packets shared between peers within the environment.
D. Connect the client computers in the environment to a jump server.

Question # 235

When conducting an audit of an organization's use of AI in its customer service chatbots, an IS auditor should PRIMARILY focus on the:

Options:

A. Safeguarding of personal data processing by the AI system.
B. AI system's compliance with industry security standards.
C. Speed and accuracy of chatbot responses to customer queries.
D. AI system's ability to handle multiple customer queries at once.

Question # 236

Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?

Options:

A. A high percentage of stakeholders satisfied with the quality of IT
B. A high percentage of IT processes reviewed by quality assurance (QA)
C. A high percentage of incidents being quickly resolved
D. A high percentage of IT employees attending quality training

Question # 237

Which of the following should be the PRIMARY focus when communicating an IS audit issue to management?

Options:

A. The risk to which the organization is exposed due to the issue
B. The nature, extent, and timing of subsequent audit follow-up
C. How the issue was found and who bears responsibility
D. A detailed solution for resolving the issue

Question # 238

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A. Imported data is not disposed of frequently.
B. The transfer protocol is not encrypted.
C. The transfer protocol does not require authentication.
D. The quality of the data is not monitored.

Question # 239

Which of the following poses the GREATEST risk to an organization related to system interfaces?

Options:

A. There is no process documentation for some system interfaces.
B. Notifications of data transfers through the interfaces are not retained.
C. Parts of the data transfer process are performed manually.
D. There is no reliable inventory of system interfaces.

Question # 240

Which of the following should be the PRIMARY consideration when incorporating user training and awareness into a data loss prevention (DLP) strategy?

Options:

A. Avoiding financial penalties and reputational risk
B. Ensuring data availability
C. Promoting secure data handling practices
D. Adhering to data governance policies

Question # 241

Which of the following is the BEST review for an IS auditor to conduct when a vulnerability has been exploited by an employee?

Options:

A. Compliance audit
B. Application security testing
C. Forensic audit
D. Penetration testing

Question # 242

Which of the following is the MOST important consideration when relying on the work of the prior auditor?

Options:

A. Qualifications of the prior auditor
B. Management agreement with recommendations
C. Duration of the prior audit
D. Number of findings identified by the prior auditor

Question # 243

Which of the following is MOST important for an IS auditor to verify when reviewing the planned use of Benford's law as a data analytics technique to detect fraud in a set of credit card transactions?

Options:

A. The transactions are in double integer format.
B. The transaction amounts are selected randomly without restriction.
C. The transaction analysis is limited to transactions within standard deviation.
D. The transactions are all in the same currency.

Question # 244

An IS auditor is planning a review of an organization's cybersecurity incident response maturity. Which of the following methodologies would provide the MOST reliable conclusions?

Options:

A. Judgmental sampling
B. Data analytics testing
C. Variable sampling
D. Compliance testing

Question # 245

When reviewing whether IT investments are meeting business objectives, which of the following evaluations would be MOST useful?

Options:

A. A break-even analysis
B. Realized return on investment (ROI) versus projected ROI
C. Budgeted spend versus actual spend
D. Actual return on investment (ROI) versus industry average ROI

Question # 246

Which of the following should be done FIRST following an incident that has caused internal servers to be inaccessible, disrupting normal business operations?

Options:

A. Document the servers' dates, times, and locations, as well as the individual who last used them.
B. Make a bit-level copy of the affected servers and calculate the hash value of the copy.
C. Copy all key directories and files on the affected servers and generate the hash value of the copy.
D. Unplug all power cables immediately to prevent further actions of the attacker on the servers.

Question # 247

An IS auditor has been asked to review the quality of data in a general ledger system. Which of the following would provide the auditor with the MOST meaningful results?

Options:

A. Discussion of the largest account values with business owners
B. Integrity checks against source documentation
C. System vulnerability assessment
D. Interviews with system owners and operators

Question # 248

Audit frameworks can assist the IS audit function by:

Options:

A. defining the authority and responsibility of the IS audit function.
B. providing direction and information regarding the performance of audits.
C. outlining the specific steps needed to complete audits.
D. providing details on how to execute the audit program.

Question # 249

Which of the following procedures for testing a disaster recovery plan (DRP) is MOST effective?

Options:

A. Testing at a secondary site using offsite data backups
B. Performing a quarterly tabletop exercise
C. Reviewing recovery time and recovery point objectives
D. Reviewing documented backup and recovery procedures

Question # 250

Which type of testing is used to identify security vulnerabilities in source code in the development environment?

Options:

A. Interactive application security testing (IAST)
B. Runtime application self-protection (RASP)
C. Dynamic analysis security testing (DAST)
D. Static analysis security testing (SAST)

Question # 251

Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?

Options:

A. Decreased effectiveness of root cause analysis
B. Decreased overall recovery time
C. Increased number of false negatives in security logs
D. Increased demand for storage space for logs

Question # 252

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

Options:

A. A comprehensive list of disaster recovery scenarios and priorities
B. Business continuity plan (BCP)
C. Test results for backup data restoration
D. Roles and responsibilities for recovery team members

Question # 253

An IS auditor is reviewing an artificial intelligence (AI) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?

Options:

A. Review the decision-making logic built into the system.
B. Interview the system owner.
C. Understand the purpose and functionality of the system.
D. Verify system adherence to corporate policy.

Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Apr 3, 2025
Questions: 1404