CISA Demo

The document contains a series of questions and answers related to the CISA exam, covering various topics such as IT governance, information security policies, software development, data integrity checks, and incident management. Each question is followed by multiple-choice options and the correct answer with an explanation. It serves as a study guide for individuals preparing for the CISA certification exam.

Uploaded by Ahmed Khalid

2023
Isaca CISA Exam (Isaca Certification)
Questions & Answers (Full Version)

Thank you for Purchasing CISA Exam
QA: 364
Questions and Answers PDF 1/105

Topic 1, Exam Pool A

Question: 1
An IT balanced scorecard is the MOST effective means of monitoring:

A. governance of enterprise IT.
B. control effectiveness.
C. return on investment (ROI).
D. change management effectiveness.

Answer: A
Explanation:

Question: 2
When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

A. a risk management process.
B. an information security framework.
C. past information security incidents.
D. industry best practices.

Answer: B
Explanation:

Question: 3
Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

A. The lack of technical documentation to support the program code
B. The lack of completion of all requirements at the end of each sprint
C. The lack of acceptance criteria behind user requirements
D. The lack of a detailed unit and system test plan

Answer: C
Explanation:

Question: 4
Which of the following is the BEST data integrity check?

A. Counting the transactions processed per day
B. Performing a sequence check
C. Tracing data back to the point of origin
D. Preparing and running test data

Answer: C
Explanation:

Question: 5
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?

A. Reconciliation of total amounts by project
B. Validity checks, preventing entry of character data
C. Reasonableness checks for each cost type
D. Display back of project detail after entry

Answer: C
Explanation:

Question: 6
An incorrect version of source code was amended by a development team. This MOST likely indicates a weakness in:

A. incident management.
B. quality assurance (QA).
C. change management.
D. project management.

Answer: C
Explanation:

Question: 7
An organization's audit charter PRIMARILY:

A. describes the auditors' authority to conduct audits.
B. defines the auditors' code of conduct.
C. formally records the annual and quarterly audit plans.
D. documents the audit process and reporting standards.

Answer: A
Explanation:

Question: 8
The decision to accept an IT control risk related to data quality should be the responsibility of the:

A. information security team.
B. IS audit manager.
C. chief information officer (CIO).
D. business owner.

Answer: D
Explanation:

Question: 9
Which of the following data would be used when performing a business impact analysis (BIA)?

A. Projected impact of current business on future business
B. Cost-benefit analysis of running the current business
C. Cost of regulatory compliance
D. Expected costs for recovering the business

Answer: A
Explanation:

Question: 10
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

A. Alignment with the IT tactical plan
B. IT steering committee minutes
C. Compliance with industry best practice
D. Business objectives

Answer: D
Explanation:

Question: 11
During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

A. application test cases.
B. acceptance testing.
C. cost-benefit analysis.
D. project plans.

Answer: A
Explanation:

Question: 12
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

A. Report the mitigating controls.
B. Report the security posture of the organization.
C. Determine the value of the firewall.
D. Determine the risk of not replacing the firewall.

Answer: D
Explanation:

Question: 13
Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

A. Analyze whether predetermined test objectives were met.
B. Perform testing at the backup data center.
C. Evaluate participation by key personnel.
D. Test offsite backup files.

Answer: C
Explanation:

Question: 14
An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

A. Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees
B. Establishing strong access controls on confidential data
C. Providing education and guidelines to employees on use of social networking sites
D. Monitoring employees' social networking usage

Answer: B
Explanation:

Question: 15
An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

A. Implement a process to actively monitor postings on social networking sites.
B. Adjust budget for network usage to include social media usage.
C. Use data loss prevention (DLP) tools on endpoints.
D. Implement policies addressing acceptable usage of social media during working hours.

Answer: D
Explanation:

Question: 16
Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

A. Carbon dioxide
B. FM-200
C. Dry pipe
D. Halon

Answer: C
Explanation:

Question: 17
Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

A. The IS auditor provided consulting advice concerning application system best practices.
B. The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.
C. The IS auditor designed an embedded audit module exclusively for auditing the application system.
D. The IS auditor implemented a specific control during the development of the application system.

Answer: D
Explanation:

Question: 18
An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

A. Obtain error codes indicating failed data feeds.
B. Appoint data quality champions across the organization.
C. Purchase data cleansing tools from a reputable vendor.
D. Implement business rules to reject invalid data.

Answer: D
Explanation:

Question: 19
An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

A. Examine the computer to search for evidence supporting the suspicions.
B. Advise management of the crime after the investigation.
C. Contact the incident response team to conduct an investigation.
D. Notify local law enforcement of the potential crime before further investigation.

Answer: C
Explanation:

Question: 20
Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

A. Write access to production program libraries
B. Write access to development data libraries
C. Execute access to production program libraries
D. Execute access to development program libraries

Answer: A
Explanation:

Question: 21
An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:

A. review recent changes to the system.
B. verify completeness of user acceptance testing (UAT).
C. verify results to determine validity of user concerns.
D. review initial business requirements.

Answer: C
Explanation:

Question: 22
Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

A. Walk-through reviews
B. Substantive testing
C. Compliance testing
D. Design documentation reviews

Answer: B
Explanation:

Question: 23
During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

A. Document the finding and present it to management.
B. Determine if a root cause analysis was conducted.
C. Confirm the resolution time of the incidents.
D. Validate whether all incidents have been actioned.

Answer: B
Explanation:

Question: 24
During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

A. Key performance indicators (KPIs)
B. Maximum allowable downtime (MAD)
C. Recovery point objective (RPO)
D. Mean time to restore (MTTR)
Answer: B
Explanation:

Question: 25
An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

A. recommend that the option to directly modify the database be removed immediately.
B. recommend that the system require two persons to be involved in modifying the database.
C. determine whether the log of changes to the tables is backed up.
D. determine whether the audit trail is secured and reviewed.

Answer: D
Explanation:

Question: 26
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

A. Implement a new system that can be patched.
B. Implement additional firewalls to protect the system.
C. Decommission the server.
D. Evaluate the associated risk.

Answer: D
Explanation:

Question: 27
IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?

A. More frequent data backups
B. Periodic table link checks
C. Concurrent access controls
D. Performance monitoring tools

Answer: B
Explanation:

Question: 28
A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

A. Periodically reviewing log files
B. Configuring the router as a firewall
C. Using smart cards with one-time passwords
D. Installing biometrics-based authentication

Answer: A
Explanation:

Question: 29
The PRIMARY advantage of object-oriented technology is enhanced:

A. efficiency due to the re-use of elements of logic.
B. management of sequential program execution for data access.
C. grouping of objects into methods for data access.
D. management of a restricted variety of data types for a data object.

Answer: C
Explanation:

Question: 30
From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

A. Inability to close unused ports on critical servers
B. Inability to identify unused licenses within the organization
C. Inability to deploy updated security patches
D. Inability to determine the cost of deployed software

Answer: C
Explanation:

Question: 31
Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?

A. Configure a single server as a primary authentication server and a second server as a secondary authentication server.
B. Configure each authentication server as belonging to a cluster of authentication servers.
C. Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.
D. Configure each authentication server and ensure that the disks of each server form part of a duplex.

Answer: B
Explanation:

Question: 32
During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

A. allocation of resources during an emergency.
B. frequency of system testing.
C. differences in IS policies and procedures.
D. maintenance of hardware and software compatibility.

Answer: D
Explanation:

Question: 33
Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

A. Phishing
B. Using a dictionary attack of encrypted passwords
C. Intercepting packets and viewing passwords
D. Flooding the site with an excessive number of packets

Answer: D
Explanation:

Question: 34
Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

A. Effectiveness of the security program
B. Security incidents vs. industry benchmarks
C. Total number of hours budgeted to security
D. Total number of false positives

Answer: A
Explanation:
