CISA Exam Sample Questions and Answers, Exams of Business Economics

A sample CISA (Certified Information Systems Auditor) exam, offering a series of multiple-choice questions designed to assess knowledge and understanding of IS audit principles and practices. The questions cover various topics, including audit planning, risk assessment, controls, and security governance. Each question is followed by the correct answer, making it a useful resource for exam preparation and self-assessment. This exam is intended for university students and professionals in the field of information systems auditing, providing a practical way to test their knowledge and identify areas for improvement. The questions are designed to promote critical thinking and deeper analysis of IS audit concepts, enhancing the learning experience and preparing individuals for the CISA certification exam.

Typology: Exams

2024/2025

Available from 05/24/2025

locaz-turus-1

Sample Exam CISA

Which of the following would an IS auditor FIRST reference when performing an IS audit?

  1. Implemented procedures
  2. Approved policies
  3. Documented practices
  4. Internal standards

  Correct answer: Approved policies

De-normalization of the relational database would PRIMARILY result in: (Review)

  1. Referential integrity issues
  2. Loss of table indexes
  3. Increased data redundancy
  4. Increased database optimization

  Correct answer: Increased data redundancy

During the review of an enterprise's preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST important for the IS auditor to ensure that the organization:

  1. has performed background checks on all service personnel
  2. escorts service personnel at all times when performing their work
  3. independently verifies that maintenance is being performed
  4. performs maintenance during non-critical processing times

  Correct answer: performs maintenance during non-critical processing times

Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective?

  1. Virtual tape libraries
  2. Disk-based snapshots
  3. Continuous data backup
  4. Disk-to-tape backup

  Correct answer: Continuous data backup

During an audit, which of the following situations would be MOST concerning for an organization that significantly outsources IS processing to a private network? (Review)

  1. The contract was not reviewed by an information security subject matter expert prior to signing
  2. There is a lack of well-defined IS performance evaluation procedures
  3. The contract does not contain a right-to-audit clause for the third party
  4. The IS outsourcing guidelines are not approved by the board of directors.

  Correct answer: The contract does not contain a right-to-audit clause for the third party.

Who should be accountable for ensuring access rights to corporate web applications are revoked when user termination occurs? (Review)

  1. Data custodians
  2. Data owners
  3. Security administrators
  4. Web administrators

  Correct answer: Data owners

Which of the following is the MOST important critical success factor of implementing a risk-based approach to the IT system life cycle?

  1. Adequate involvement of stakeholders
  2. Selection of a risk management framework
  3. Understanding of the regulatory environment
  4. Identification of risk mitigation strategies

  Correct answer: Adequate involvement of stakeholders (Review)

  1. Intrusion prevention system
  2. Workforce education

  Correct answer: Regular backups (Review - but think "impact")

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data?

  1. Data retention, backup and recovery
  2. A patch management process
  3. Return or destruction of information
  4. Network and intrusion detection

  Correct answer: Return or destruction of information (Review - very difficult)

Which of the following is the MOST appropriate action to take upon identifying that a computer may have been used to leak a confidential file?

  1. Isolate the computer from the network
  2. Install forensic tools on the target system
  3. Report the incident to law enforcement
  4. Make a duplicate image of the original media

  Correct answer: Make a duplicate image of the original image. (Review - think about computer forensics)

An organization bought a new system to integrate its existing human resources and payroll systems in the environment. Which of the following tests ensures that the new system can operate successfully with existing systems?

  1. Sociability testing
  2. Parallel testing
  3. Integration testing
  4. Pilot testing

  Correct answer: Sociability testing (Review but think "change management")

After identifying the findings, the IS auditor should FIRST:

  1. obtain remediation deadlines to close the findings
  2. determine mitigation measures for the findings
  3. gain agreement on the findings
  4. inform senior management of the findings

  Correct answer: gain agreement on the findings (Review)

In a small organization, the functions of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?

  1. Logging of changes to development libraries
  2. Verifying that only approved program changes are implemented
  3. Preventing the release manager from making program modifications
  4. Hiring additional staff to provide segregation of duties

  Correct answer: Verifying that only approved program changes are implemented (Review)

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:

  1. expand activities to determine whether an investigation is warranted
  2. consult with external legal counsel to determine the course of action to be taken
  3. report the matter to the audit committee
  4. report the possibility of fraud to management

  Correct answer: expand activities to determine whether an investigation is warranted (Review)

The PRIMARY benefit of implementing a security program as part of a security governance framework is the:

  1. reduction of the cost for IT security
  2. aligning the IT strategy with the enterprise strategy

Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program?

  1. Important business risk may be overlooked
  2. Key stakeholders are incorrectly identified
  3. Previously audited areas may be inadvertently included
  4. Control costs will exceed planned budget

  Correct answer: 1. Important business risk may be overlooked (Review)

A system developer transferred to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST SIGNIFICANT CONCERN?

  1. The employee may not have sufficient control assessment skills
  2. The employee's knowledge of business risk may be limited
  3. Audit points may largely shift to technical aspects
  4. The work may be construed as a self-audit

  Correct answer: The work may be construed as a self-audit (these are all true but review)

As part of audit planning, an IS auditor is designing various data validation tests to effectively detect transposition and transcription errors. Which of the following will BEST HELP in detecting these errors?

  1. Range check
  2. Duplicate check
  3. Validity check
  4. Check digit

  Correct answer: Check digit (Definitely review)

Which of the following would be MOST USEFUL for an IS auditor in accessing and analyzing digital data to collect relevant audit evidence from diverse software environments?

  1. Application software reports
  2. Computer-assisted auditing techniques
  3. Structured Query Language
  4. Data analytics controls

  Correct answer: Computer-assisted auditing techniques (CAATs) - Review

An IS auditor has been asked to look at past projects to determine how future projects can better meet business requirements. With which of the following would the auditor MOST LIKELY CONSULT?

  1. Project managers
  2. Project sponsors
  3. Business analysts
  4. End-user groups

  Correct answer: Project sponsors (Review)

Establishing a software baseline would have the GREATEST IMPACT on which of the following?

  1. System documentation
  2. Change management
  3. Software integrity
  4. Access controls

  Correct answer: Change management (Review software baseline)

An internal IT auditor is observing an organization's disaster recovery tests. It is found that the organization's ability to recover does not meet the management-approved recovery time objective (RTO). Which of the following is the BEST RECOMMENDATION for the auditor to include in the report?

  1. Recommend changing the RTO

  1. A robust vulnerability management program
  2. An up-to-date digital certificate
  3. Encryption keys stored in escrow
  4. A tested business continuity plan

  Correct answer: A robust vulnerability management program (Review)

Vulnerabilities associated with which of the following would pose the GREATEST RISK to an organization hosting a web application?

  1. JavaScript
  2. Domain Name System
  3. Cookies
  4. CGI script

  Correct answer: CGI script (Definitely review)

Which of the following would MOST likely be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation?

  1. Delivering cybersecurity awareness training
  2. Conducting the vulnerability assessment
  3. Advising on the cybersecurity framework
  4. Designing the cybersecurity controls

  Correct answer: Designing the cybersecurity controls

Which of the following is the MOST important input for decision making throughout the life of an IT project?

  1. IT resource management strategy
  2. Business impact analysis
  3. Firewall misconfiguration
  4. Business case

  Correct answer: Business case (Review)

Errors in audit procedures would PRIMARILY IMPACT which of the following risks?

  1. Inherent risk
  2. Detection risk
  3. Business risk
  4. Control risk

  Correct answer: Detection risk (Review)

An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take?

  1. Discuss the finding with the IT auditor's manager.
  2. Retest the control to confirm the finding.
  3. Elevate the risk associated with the control.
  4. Discuss the finding with the auditee's manager.

  Correct answer: Discuss the finding with the IT auditor's manager (Review but always think internally first before showing client or internal management auditee, etc.)

The IS auditor learns a business application has extended the access from users of one department to other departments. The GREATEST concern for the IS auditor would be approval of:

  1. the business impact analysis
  2. an updated access rights matrix
  3. an updated IT security policy
  4. creation for new users

  Correct answer: An updated access rights matrix (Review)

Which of the following would be expected to APPROVE THE AUDIT CHARTER?

  1. Defining roles and responsibilities
  2. Specifying an access control methodology
  3. Defining a security policy

  Correct answer: Defining a security policy (Review security architecture)

Accountants are developing a temporary reporting solution using a spreadsheet and macro program. Which of the following will be the MOST SIGNIFICANT concern from a control perspective?

  1. The temporary solution becomes a permanent solution
  2. Development is done using an agile development methodology
  3. A tighter reconciliation process is required to ensure integrity
  4. The modifications do not follow the standard change management process

  Correct answer: The modifications do not follow the standard change management process (Review)

Which of the following would be of the GREATEST CONCERN to an IS auditor inspecting an organization's computer room?

  1. Access to the computer room does not require biometrics (unnecessary)
  2. Handheld fire extinguishers are present in the computer room (normal)
  3. The computer room is located in the basement (flood risk)
  4. The computer room is adjacent to an office area (normal)

  Correct answer: The computer room is located in the basement (If need be, review physical security risks)

Which of the following should an IS auditor recommend to BEST ENFORCE ALIGNMENT of an IT project portfolio with strategic organizational priorities?

  1. Consider user satisfaction in the key performance indicators
  2. Select projects according to business benefits and risk
  3. Define a balanced scorecard for measuring performance
  4. Modify the yearly process of defining the project portfolio

  Correct answer: Select projects according to business benefits and risk (Review IT project portfolios)

An IS auditor is reviewing an organization's business continuity plan. Which of the following would provide the BEST means of evaluating the systems supporting the organization's critical processes?

  1. Corporate business strategy
  2. Business impact analysis
  3. Recovery time objective
  4. Recovery point objective

  Correct answer: Business impact analysis (Review BCP)

An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following would be the MOST important for the auditor to ensure continued alignment with the enterprise's security requirements?

  1. The vendor agrees to implement controls in alignment with the enterprise

  1. Administrator access is provided for a limited period
  2. User accounts are created with expiration dates and are based on services provided.
  3. Vendor access corresponds to the service level agreement
  4. User IDs are deleted when the work is completed

  Correct answer: User accounts are created with expiration dates and are based on services provided.

Which of the following countermeasures would the IS auditor MOST likely recommend for the risk mitigation of logic alteration vulnerabilities discovered during penetration testing of a public-facing web application?

  1. Use the HTTPS protocol to secure access towards the website
  2. Perform code review and server-side input validation
  3. Set the network firewall to allow traffic only from desired IP addresses
  4. Change the application firewall rules to filter malicious inputs

  Correct answer: Perform code review and server-side input validation (Review but understand that faulty coding is almost always the big risk here)

Which of the following is the PRIMARY purpose of a risk-based audit?

  1. Management concerns are prioritized
  2. Material areas are addressed first
  3. High-impact areas are addressed first
  4. Audit resources are allocated efficiently

  Correct answer: Material areas are addressed first (Review - risk-based audits are on here quite a bit)

What is the GREATEST advantage of performing penetration testing in addition to vulnerability assessment?

  1. Increased coverage of different technologies
  2. Better regulatory compliance
  3. Improved preparedness for cybersecurity incidents
  4. Confirmation of the ability to exploit vulnerabilities

  Correct answer: Confirmation of the ability to exploit vulnerabilities

Which of the following business continuity activities is PRIMARILY the responsibility of the IT department?

  1. Conducting the business impact analysis to determine critical systems
  2. Declaring the disaster and activating the business continuity plan
  3. Restoring systems and data after a business disruption
  4. Defining the recovery time objectives and recovery point objectives

  Correct answer: Restoring systems and data after a business disruption (Pretty straightforward)

As a result of profitability pressure, senior management of an enterprise has decided to keep investments in information security at an adequate level. Which of the following would be the BEST recommendation of an IS auditor?

  1. Postpone low-priority security procedures
  2. Request that senior management accept the risk
  3. Use cloud providers for low-risk operations
  4. Revise compliance enforcement processes

  Correct answer: Request that senior management accept the risk (Sr. management should always be involved in these decisions)

  1. Consent of the data subjects
  2. Limitation of access
  3. Encryption of personal data
  4. Signed agreements with data processors

  Correct answer: Consent of the data subjects (Review data privacy - very important to know concepts)

When performing a post-implementation review of a software development project for a highly secure application, it is MOST important to confirm that:

  1. the project was formally closed
  2. the project schedule and budget were met
  3. vulnerability testing was performed
  4. business functional requirements were met

  Correct answer: Business functional requirements were met (Review software development and implementation - think about the goal of the project being around business needs, etc.)

Why would an organization MOST likely choose an agile systems development approach?

  1. To facilitate reuse of modules
  2. To enhance security of the system
  3. To speed up the rollout to the users
  4. To improve system performance

  Correct answer: To speed up the rollout to the users (Definitely review agile and other approaches)

Which of the following would be of MOST INTEREST to an IS auditor reviewing an organization's risk strategy?

  1. All likely risks are identified and ranked
  2. All risks are mitigated effectively
  3. Residual risk is zero after control implementation
  4. The organization uses an established risk framework

  Correct answer: All likely risks are identified and ranked. (Review risk strategy, but this is pretty straightforward)

Which of the following methods would be the MOST effective way to ascertain that information security policies have been communicated to and understood by all IS users?

  1. User sign-off of policies
  2. Structured training programs
  3. Instances of policy deviations
  4. Personal interviews

  Correct answer: Personal interviews (Review - this can be rare; however, very effective and a sure way to see the knowledge base)

Which of the following provides the BEST evidence of an organization's cyber incident response readiness?

  1. Recently updated incident response procedures
  2. Regular internal audits of incident response
  3. The results of annual tabletop exercises
  4. A documented disaster recovery plan

  Correct answer: The results of annual tabletop exercises

The MAIN purpose of the annual IS audit plan is to:

  1. minimize the audit costs