CISA Practice Exam Questions and Answers

A.  

IT investments are implemented and monitored following a system development life cycle (SDLC)

B.  

IT investments are mapped to specific business objectives

C.  

Key performance indicators (KPIs) are defined for each business requiring IT Investment

D.  

The IT Investment budget is significantly below industry benchmarks

A.  

recommend that the option to directly modify the database be removed immediately.

B.  

recommend that the system require two persons to be involved in modifying the database.

C.  

determine whether the log of changes to the tables is backed up.

D.  

determine whether the audit trail is secured and reviewed.

A.  

File level encryption

B.  

File Transfer Protocol (FTP)

C.  

Instant messaging policy

D.  

Application-level firewalls

A.  

Explain to IT management that the new control will be evaluated during follow-up

B.  

Re-perform the audit before changing the conclusion.

C.  

Change the conclusion based on evidence provided by IT management.

D.  

Add comments about the action taken by IT management in the report.

A.  

Unrealistic milestones

B.  

Inadequate deliverables

C.  

Unclear benefits

D.  

Incomplete requirements

A.  

Additional firewall rules

B.  

Multi-factor authentication

C.  

Virtual private network (VPN)

D.  

Virtual desktop

A.  

Configuration management database (CMDB)

B.  

Enterprise architecture (EA)

C.  

IT portfolio management

D.  

IT service management

A.  

Source code review

B.  

Parallel simulation using audit software

C.  

Manual verification of a sample of the results

D.  

Review of the quality assurance (QA) test results

A.  

Creating a chain of custody to accompany the drive in transit

B.  

Ensuring data protection is aligned with the data classification policy

C.  

Encrypting the drive with strong protection standards

D.  

Ensuring the drive is placed in a tamper-evident mechanism

A.  

Multiple connects to the database are used and slow the process_

B.  

User accounts may remain active after a termination.

C.  

Users may be able to circumvent application controls.

D.  

Application may not capture a complete audit trail.

A.  

Risk management

B.  

Business management

C.  

IT manager

D.  

Internal auditor

A.  

The technical migration is planned for a holiday weekend and end users may not be available.

B.  

Five weeks prior to the target date, there are still numerous defects in the printing functionality.

C.  

A single implementation phase is planned and the legacy system will be immediately decommissioned.

D.  

Employees are concerned that data representation in the new system is completely different from the old system.

A.  

The tool is implemented in monitor mode rather than block mode.

B.  

Crawlers are used to discover sensitive data.

C.  

Deep packet inspection opens data packets in transit.

D.  

Encryption keys are not centrally managed.

A.  

updated before an independent audit review.

B.  

tested after an intrusion attempt into the organization's hot site.

C.  

tested whenever new applications are implemented.

D.  

updated based on changes to personnel and environments.

A.  

Reviewing results from simulated high-demand stress test scenarios

B.  

Performing a root cause analysis for past performance incidents

C.  

Anticipating current service level agreements (SLAs) will remain unchanged

D.  

Duplicating existing disk drive systems to improve redundancy and data storage

A.  

Amount of successfully migrated software changes

B.  

Reduction in the help desk budget

C.  

Number of defects discovered in production

D.  

Increase in quality assurance (QA) activities

A.  

loT devices should only be accessible from the host network.

B.  

loT devices should log and alert on access attempts.

C.  

IoT devices should require identification and authentication.

D.  

loT devices should monitor the use of device system accounts.

A.  

Ensure participants are selected from all cross-functional units in the organization.

B.  

Create exercises that are challenging enough to prove inadequacies in the current incident response plan.

C.  

Ensure the incident response team will have enough distractions to simulate real-life situations.

D.  

Identify the scope and scenarios that are relevant to current threats faced by the organization.

A.  

Potential for inaccurate audit findings

B.  

Compromise of IS audit independence

C.  

IS audit resources being shared with other IT functions

D.  

IS audit being isolated from other audit functions

A.  

Strictly managed software requirements baselines

B.  

Extensive project documentation

C.  

Automated software programming routines

D.  

Rapidly created working prototypes

A.  

Wi-Fi

B.  

Bluetooth

C.  

Long-term evolution (LTE)

D.  

Near-field communication (NFC)

A.  

Recommend the utilization of software licensing monitoring tools

B.  

Recommend the purchase of additional software license keys

C.  

Validate user need for shared software licenses

D.  

Verify whether the licensing agreement allows shared use

A.  

data classifications are automated.

B.  

a data dictionary is maintained.

C.  

data retention requirements are clearly defined.

D.  

data is correctly classified.

A.  

Time lag between changes to the configuration and the update of records

B.  

Number of system software changes

C.  

Time lag between changes and updates of documentation materials

D.  

Number of incidents resulting from changes

A.  

a host operating system.

B.  

a guest operating system.

C.  

any applications on the guest operating system.

D.  

any applications on the host operating system.

A.  

Data leakage as a result of employees leaving to work for competitors

B.  

Noncompliance fines related to storage of regulated information

C.  

Unauthorized logical access to information through an application interface

D.  

Physical theft of media on which information is stored

A.  

Define recovery point objectives (RPO)

B.  

Simulate a disaster recovery

C.  

Develop a business impact analysis (BIA)

D.  

Analyze capability maturity model gaps

A.  

Verify all patches have been applied to the software system's outdated version.

B.  

Close all unused ports on the outdated software system.

C.  

Monitor network traffic attempting to reach the outdated software system.

D.  

Segregate the outdated software system from the main network.

A.  

Configure a single server as a primary authentication server and a second server as a secondary authentication server.

B.  

Configure each authentication server as belonging to a cluster of authentication servers.

C.  

Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.

D.  

Configure each authentication server and ensure that the disks of each server form part of a duplex.

A.  

Percentage of new hires that have completed the training.

B.  

Number of new hires who have violated enterprise security policies.

C.  

Number of reported incidents by new hires.

D.  

Percentage of new hires who report incidents

A.  

The process does not require specifying the physical locations of assets.

B.  

Process ownership has not been established.

C.  

The process does not include asset review.

D.  

Identification of asset value is not included in the process.

A.  

perform a business impact analysis (BIA).

B.  

issue an intermediate report to management.

C.  

evaluate the impact on current disaster recovery capability.

D.  

conduct additional compliance testing.

A.  

business impact analysis (BIA).

B.  

threat and risk assessment.

C.  

business continuity plan (BCP).

D.  

disaster recovery plan (DRP).

A.  

governance of enterprise IT.

B.  

control effectiveness.

C.  

return on investment (ROI).

D.  

change management effectiveness.

A.  

re-prioritize the original issue as high risk and escalate to senior management.

B.  

schedule a follow-up audit in the next audit cycle.

C.  

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.  

determine whether the alternative controls sufficiently mitigate the risk.

A.  

Periodically reviewing log files

B.  

Configuring the router as a firewall

C.  

Using smart cards with one-time passwords

D.  

Installing biometrics-based authentication

A.  

firewall standards.

B.  

configuration of the firewall

C.  

firmware version of the firewall

D.  

location of the firewall within the network

A.  

Consulted

B.  

Informed

C.  

Responsible

D.  

Accountable

A.  

Review system and error logs to verify transaction accuracy.

B.  

Review input and output control reports to verify the accuracy of the system decisions.

C.  

Review signed approvals to ensure responsibilities for decisions of the system are well defined.

D.  

Review system documentation to ensure completeness.

A.  

A means of benchmarking the effectiveness of similar processes with peers

B.  

A means of comparing the effectiveness of other processes within the enterprise

C.  

Identification of older, more established processes to ensure timely review

D.  

Identification of processes with the most improvement opportunities

A.  

There is not a defined IT security policy.

B.  

The business strategy meeting minutes are not distributed.

C.  

IT is not engaged in business strategic planning.

D.  

There is inadequate documentation of IT strategic planning.

A.  

Execute nondisclosure agreements (NDAs).

B.  

Determine reporting requirements for vulnerabilities.

C.  

Define the testing scope.

D.  

Obtain management consent for the testing.

A.  

Update of security information event management (SIEM) rules

B.  

Regular review of the network security policy

C.  

Completeness of network asset inventory

D.  

Location of intrusion detection systems (IDS)

A.  

Insufficient processes to track ownership of each EUC application?

B.  

Insufficient processes to lest for version control

C.  

Lack of awareness training for EUC users

D.  

Lack of defined criteria for EUC applications

A.  

Judgmental sampling

B.  

Substantive testing

C.  

Compliance testing

D.  

Stop-or-go sampling

A.  

results are stated m terms of the frequency of items in error

B.  

it can easily be applied manually when computer resources are not available

C.  

large-value population items are segregated and audited separately

D.  

it increases the likelihood of selecting material items from the population

A.  

Increased number of false negatives in security logs

B.  

Decreased effectiveness of roof cause analysis

C.  

Decreased overall recovery time

D.  

Increased demand for storage space for logs

A.  

Key business process end users did not participate in the business impact " analysis (BIA)

B.  

Copies of the BCP have not been distributed to new business unit end users sjnce the reorganization

C.  

A test plan for the BCP has not been completed during the last two years

A.  

payment processing.

B.  

payroll processing.

C.  

procurement.

D.  

product registration.

A.  

Auditors are responsible for performing operational duties or activities.

B.  

The internal audit manager reports functionally to a senior management official.

C.  

The internal audit manager has a reporting line to the audit committee.

D.  

Auditors are responsible for assessing and operating a system of internal controls.