Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CISA Exam Dumps - Isaca Certification Questions and Answers

Question # 4

Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?

Options:

A.

It helps to identify areas with a relatively high probability of material problems.

B.

It provides a basis for the formulation of corrective action plans.

C.

It increases awareness of the types of management actions that may be inappropriate

D.

It helps to identify areas that are most sensitive to fraudulent or inaccurate practices

Buy Now
Question # 5

An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives.

Which of the following is the BEST course of action to address this issue?

Options:

A.

Examine the workflow to identify gaps in asset-handling responsibilities.

B.

Escalate the finding to the asset owner for remediation.

C.

Recommend the drives be sent to the vendor for destruction.

D.

Evaluate the corporate asset-handling policy for potential gaps.

Buy Now
Question # 6

The PRIMARY responsibility of a project steering committee is to:

Options:

A.

sign off on the final build document.

B.

ensure that each project deadline is met.

C.

ensure that developed systems meet business needs.

D.

provide regular project updates and oversight.

Buy Now
Question # 7

An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor's BEST course of action?

Options:

A.

Determine whether the business impact analysis (BIA) is current with the organization's structure and context.

B.

Determine the types of technologies used at the plant and how they may affect the BCP.

C.

Perform testing to determine the impact to the recovery time objective (R TO).

D.

Assess the risk to operations from the closing of the plant.

Buy Now
Question # 8

To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications. Which of the following is MOST helpful to review when identifying which servers are no longer required?

Options:

A.

Performance feedback from the user community

B.

Contract with the server vendor

C.

Server CPU usage trends

D.

Mean time between failure (MTBF) of each server

Buy Now
Question # 9

Which of the following is the MAIN responsibility of the IT steering committee?

Options:

A.

Reviewing and assisting with IT strategy integration efforts

B.

Developing and assessing the IT security strategy

C.

Implementing processes to integrate security with business objectives

D.

Developing and implementing the secure system development framework

Buy Now
Question # 10

A bank performed minor changes to the interest calculation computer program. Which of the following techniques would provide the STRONGEST evidence to determine whether the interest calculations are correct?

Options:

A.

Source code review

B.

Parallel simulation using audit software

C.

Manual verification of a sample of the results

D.

Review of the quality assurance (QA) test results

Buy Now
Question # 11

An IS auditor is planning an audit of an organization's risk management practices. Which of the following would provide the MOST useful information about

risk appetite?

Options:

A.

Risk policies

B.

Risk assessments

C.

Prior audit reports

D.

Management assertion

Buy Now
Question # 12

Which of the following controls is MOST important for ensuring the integrity of system interfaces?

Options:

A.

Periodic audits

B.

File counts

C.

File checksums

D.

IT operator monitoring

Buy Now
Question # 13

An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

Options:

A.

Verify the disaster recovery plan (DRP) has been tested.

B.

Ensure the intrusion prevention system (IPS) is effective.

C.

Assess the security risks to the business.

D.

Confirm the incident response team understands the issue.

Buy Now
Question # 14

To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

Options:

A.

Recipient's public key

B.

Sender's private key

C.

Sender's public key

D.

Recipient's private key

Buy Now
Question # 15

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Options:

A.

Balanced scorecard

B.

Enterprise dashboard

C.

Enterprise architecture (EA)

D.

Key performance indicators (KPIs)

Buy Now
Question # 16

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

Options:

A.

Media recycling policy

B.

Media sanitization policy

C.

Media labeling policy

D.

Media shredding policy

Buy Now
Question # 17

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

Options:

A.

Key performance indicators (KPIs)

B.

Maximum allowable downtime (MAD)

C.

Recovery point objective (RPO)

D.

Mean time to restore (MTTR)

Buy Now
Question # 18

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

Options:

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Buy Now
Question # 19

Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

Options:

A.

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

B.

Ensuring evidence is sufficient to support audit conclusions

C.

Ensuring appropriate statistical sampling methods were used

D.

Ensuring evidence is labeled to show it was obtained from an approved source

Buy Now
Question # 20

Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

Options:

A.

Legacy data has not been purged.

B.

Admin account passwords are not set to expire.

C.

Default settings have not been changed.

D.

Database activity logging is not complete.

Buy Now
Question # 21

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Review the list of end users and evaluate for authorization.

B.

Report this control process weakness to senior management.

C.

Verify managements approval for this exemption

D.

Obtain a verbal confirmation from IT for this exemption.

Buy Now
Question # 22

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

Options:

A.

Limiting the size of file attachments being sent via email

B.

Automatically deleting emails older than one year

C.

Moving emails to a virtual email vault after 30 days

D.

Allowing employees to store large emails on flash drives

Buy Now
Question # 23

Which of the following demonstrates the use of data analytics for a loan origination process?

Options:

A.

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Buy Now
Question # 24

Which of the following data would be used when performing a business impact analysis (BIA)?

Options:

A.

Projected impact of current business on future business

B.

Cost-benefit analysis of running the current business

C.

Cost of regulatory compliance

D.

Expected costs for recovering the business

Buy Now
Question # 25

An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

Options:

A.

Examine the computer to search for evidence supporting the suspicions.

B.

Advise management of the crime after the investigation.

C.

Contact the incident response team to conduct an investigation.

D.

Notify local law enforcement of the potential crime before further investigation.

Buy Now
Question # 26

Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned IT budget with the organization's goals and strategic objectives?

Options:

A.

Enterprise architecture (EA)

B.

Business impact analysis (BIA)

C.

Risk assessment report

D.

Audit recommendations

Buy Now
Question # 27

Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

Options:

A.

Penetration testing

B.

Application security testing

C.

Forensic audit

D.

Server security audit

Buy Now
Question # 28

During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (Al) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?

Options:

A.

Perform a skills assessment to identify members from other business units with knowledge of Al.

B.

Remove the Al portion from the audit scope and proceed with the audit.

C.

Delay the audit until the team receives training on Al.

D.

Engage external consultants who have audit experience and knowledge of Al.

Buy Now
Question # 29

Which of the following should be done FIRST when planning a penetration test?

Options:

A.

Execute nondisclosure agreements (NDAs).

B.

Determine reporting requirements for vulnerabilities.

C.

Define the testing scope.

D.

Obtain management consent for the testing.

Buy Now
Question # 30

Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping

associated with an application programming interface (API) integration implementation?

Options:

A.

Encrypt the extensible markup language (XML) file.

B.

Implement Transport Layer Security (TLS).

C.

Implement Simple Object Access Protocol (SOAP).

D.

Mask the API endpoints.

Buy Now
Question # 31

The decision to accept an IT control risk related to data quality should be the responsibility of the:

Options:

A.

information security team.

B.

IS audit manager.

C.

chief information officer (CIO).

D.

business owner.

Buy Now
Question # 32

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the Internet.

B.

the demilitarized zone (DMZ).

C.

the organization's web server.

D.

the organization's network.

Buy Now
Question # 33

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

Options:

A.

application test cases.

B.

acceptance testing.

C.

cost-benefit analysis.

D.

project plans.

Buy Now
Question # 34

Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?

Options:

A.

Performing a cyber resilience test

B.

Performing a full interruption test

C.

Performing a tabletop test

D.

Performing a parallel test

Buy Now
Question # 35

Which of the following is the MOST important control for virtualized environments?

Options:

A.

Regular updates of policies for the operation of the virtualized environment

B.

Hardening for the hypervisor and guest machines

C.

Redundancy of hardware resources and network components

D.

Monitoring utilization of resources at the guest operating system level

Buy Now
Question # 36

Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?

Options:

A.

Access to change testing strategy and results is not restricted to staff outside the IT team.

B.

Some user acceptance testing (IJAT) was completed by members of the IT team.

C.

IT administrators have access to the production and development environment

D.

Post-implementation testing is not conducted for all system releases.

Buy Now
Question # 37

Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:

Options:

A.

eliminated

B.

unchanged

C.

increased

D.

reduced

Buy Now
Question # 38

Which type of risk would MOST influence the selection of a sampling methodology?

Options:

A.

Inherent

B.

Residual

C.

Control

D.

Detection

Buy Now
Question # 39

Which of the following would be an auditor's GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?

Options:

A.

Undocumented code formats data and transmits directly to the database.

B.

There is not a complete inventory of spreadsheets, and file naming is inconsistent.

C.

The department data protection policy has not been reviewed or updated for two years.

D.

Spreadsheets are accessible by all members of the finance department.

Buy Now
Question # 40

Which of the following is an example of a preventive control for physical access?

Options:

A.

Keeping log entries for all visitors to the building

B.

Implementing a fingerprint-based access control system for the building

C.

Installing closed-circuit television (CCTV) cameras for all ingress and egress points

D.

Implementing a centralized logging server to record instances of staff logging into workstations

Buy Now
Question # 41

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

Options:

A.

Requiring users to save files in secured folders instead of a company-wide shared drive

B.

Reviewing data transfer logs to determine historical patterns of data flow

C.

Developing a DLP policy and requiring signed acknowledgment by users

D.

Identifying where existing data resides and establishing a data classification matrix

Buy Now
Question # 42

Which type of attack poses the GREATEST risk to an organization's most sensitive data?

Options:

A.

Password attack

B.

Eavesdropping attack

C.

Insider attack

D.

Spear phishing attack

Buy Now
Question # 43

When reviewing an IT strategic plan, the GREATEST concern would be that

Options:

A.

an IT strategy committee has not been created

B.

the plan does not support relevant organizational goals.

C.

there are no key performance indicators (KPls).

D.

the plan was not formally approved by the board of directors

Buy Now
Question # 44

Which of the following helps to ensure the integrity of data for a system interface?

Options:

A.

System interface testing

B.

user acceptance testing (IJAT)

C.

Validation checks

D.

Audit logs

Buy Now
Question # 45

The BEST way to evaluate the effectiveness of a newly developed application is to:

Options:

A.

perform a post-implementation review-

B.

analyze load testing results.

C.

perform a secure code review.

D.

review acceptance testing results.

Buy Now
Question # 46

During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Options:

A.

Require the auditee to address the recommendations in full.

B.

Adjust the annual risk assessment accordingly.

C.

Evaluate senior management's acceptance of the risk.

D.

Update the audit program based on management's acceptance of risk.

Buy Now
Question # 47

Which of the following is MOST important when planning a network audit?

Options:

A.

Determination of IP range in use

B.

Analysis of traffic content

C.

Isolation of rogue access points

D.

Identification of existing nodes

Buy Now
Question # 48

Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?

Options:

A.

Critical business applications

B.

Business processes

C.

Existing IT controls

D.

Recent audit results

Buy Now
Question # 49

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

Options:

A.

Restricting program functionality according to user security profiles

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator’s user ID as a field in every transaction record created

D.

Ensuring that audit trails exist for transactions

Buy Now
Question # 50

Which of the following is MOST important for an IS auditor to look

for in a project feasibility study?

Options:

A.

An assessment of whether requirements will be fully met

B.

An assessment indicating security controls will operateeffectively

C.

An assessment of whether the expected benefits can beachieved

D.

An assessment indicating the benefits will exceed the implement

Buy Now
Question # 51

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Options:

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Buy Now
Question # 52

When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?

Options:

A.

Report that the changes make it impractical to determine whether the risks have been addressed.

B.

Accept management's assertion and report that the risks have been addressed.

C.

Determine whether the changes have introduced new risks that need to be addressed.

D.

Review the changes and determine whether the risks have been addressed.

Buy Now
Question # 53

Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Options:

A.

Identify approved data workflows across the enterprise.

B.

Conduct a threat analysis against sensitive data usage.

C.

Create the DLP pcJc.es and templates

D.

Conduct a data inventory and classification exercise

Buy Now
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Apr 1, 2025
Questions: 1404
CISA pdf

CISA PDF

$59.7  $199
CISA Engine

CISA Testing Engine

$67.5  $225
CISA PDF + Engine

CISA PDF + Testing Engine

$74.7  $249