CISA ISACA Exam Practice Questions

This PDF contains a set of carefully selected practice questions for the CISA exam. These questions
are designed to reflect the structure, difficulty, and topics covered in the actual exam, helping you
reinforce your understanding and identify areas for improvement.

What's Inside:

1. Topic-focused questions based on the latest exam objectives
2. Accurate answer keys to support self-review
3. Designed to simulate the real test environment
4. Ideal for final review or daily practice

Important Note:

This material is for personal study purposes only. Please do not redistribute or use for commercial
purposes without permission.

For full access to the complete question bank and topic-wise explanations, visit:
CertQuestionsBank.com

Our YouTube: https://www.youtube.com/@CertQuestionsBank

FB page: https://www.facebook.com/certquestionsbank
Some CISA exam practice questions are shared below.
1.Which of the following is an IS auditor's BEST recommendation to help an organization increase the
efficiency of computing resources?
A. Virtualization
B. Hardware upgrades
C. Overclocking the central processing unit (CPU)
D. Real-time backups
Answer: A

2.Which of the following would be MOST impacted if an IS auditor were to assist with the
implementation of recommended control enhancements?
A. Independence
B. Integrity
C. Materiality
D. Accountability
Answer: A
Explanation:
Independence would be most impacted if an IS auditor were to assist with the implementation of
recommended control enhancements, as this would create a conflict of interest and impair the
objectivity and credibility of the IS auditor. Integrity, materiality, and accountability are important
attributes of an IS auditor, but they are not directly affected by the involvement in the implementation
of control enhancements.
References: CISA Review Manual (Digital Version), Chapter 1: Information Systems Auditing
Process, Section 1.1: IS Audit Standards, Guidelines and Codes of Ethics

3.Which of the following is the STRONGEST indication of a mature risk management program?
A. Risk assessment results are used for informed decision-making.
B. All attributes of risk are evaluated by the risk owner.
C. A metrics dashboard has been approved by senior management.
D. The risk register is regularly updated by risk practitioners.
Answer: A
Explanation:
A mature risk management program ensures that risk assessment results directly influence
decision-making, so that IT risks stay aligned with business objectives.
A. Risk assessment results are used for decision-making (correct): demonstrates that risk management
is embedded in business processes and enables proactive risk mitigation.
Example: a company identifies a cybersecurity risk and delays the launch of a new cloud service until
additional controls are in place.
B. The risk owner evaluates all risk attributes (incorrect): important, but risk management is a shared
responsibility.
C. A metrics dashboard has been approved by senior management (incorrect): a useful tool, but it does
not by itself indicate effective risk management.
D. The risk register is regularly updated by risk practitioners (incorrect): keeping records current is
necessary but is not a strong indicator of maturity.
References:
ISACA CISA Review Manual
COBIT 2019: Risk Governance
ISO 31000 (Risk Management Framework)

4.To confirm integrity for a hashed message, the receiver should use:
A. the same hashing algorithm as the sender's to create a binary image of the file.
B. a different hashing algorithm from the sender's to create a binary image of the file.
C. the same hashing algorithm as the sender's to create a numerical representation of the file.
D. a different hashing algorithm from the sender's to create a numerical representation of the file.
Answer: A
Explanation:
To confirm integrity for a hashed message, the receiver should use the same hashing algorithm as
the sender’s to create a binary image of the file. A hashing algorithm is a mathematical function that
transforms an input data into a fixed-length output value, called a hash or a digest. A hashing
algorithm has two main properties: it is one-way, meaning that it is easy to compute the hash from the
input, but hard to recover the input from the hash; and it is collision-resistant, meaning that it is very
unlikely to find two different inputs that produce the same hash. These properties make hashing
algorithms useful for verifying the integrity of data, as any change in the input data will result in a
different hash value. Therefore, to confirm integrity for a hashed message, the receiver should use
the same hashing algorithm as the sender’s to create a binary image of the file, which is a
representation of the file in bits (0s and 1s). The receiver should then compare this binary image with
the hash value sent by the sender. If they match, then the message has not been altered in transit. If
they do not match, then the message has been corrupted or tampered with.
References:
Ensuring Data Integrity with Hash Codes
Message Integrity

5.Which of the following should be the PRIMARY focus when communicating an IS audit issue to
management?
A. The risk to which the organization is exposed due to the issue
B. The nature, extent, and timing of subsequent audit follow-up
C. How the issue was found and who bears responsibility
D. A detailed solution for resolving the issue
Answer: A

6.The FIRST step in auditing a data communication system is to determine:
A. traffic volumes and response-time criteria
B. physical security for network equipment
C. the level of redundancy in the various communication paths
D. business use and types of messages to be transmitted
Answer: D
Explanation:
The first step in auditing a data communication system is to determine the business use and types of
messages to be transmitted. This is because the auditor needs to understand the purpose, scope,
and objectives of the data communication system, as well as the nature, volume, and sensitivity of the
data being transmitted. This will help the auditor to identify the risks, controls, and audit criteria for the
data communication system. Traffic volumes and response-time criteria, physical security for network
equipment, and the level of redundancy in the various communication paths are important aspects of
a data communication system, but they are not the first step in auditing it. They depend on the
business use and types of messages to be transmitted, and they may vary according to different
scenarios and requirements.
References: CISA Review Manual (Digital Version), [ISACA Auditing Standards]
7.Which of the following is the PRIMARY basis on which audit objectives are established?
A. Audit risk
B. Consideration of risks
C. Assessment of prior audits
D. Business strategy
Answer: B
Explanation:
The primary basis on which audit objectives are established is the consideration of risks. This
involves identifying and assessing the risks that could prevent the organization from achieving its
objectives. The audit objectives are then designed to address these risks and provide assurance
that the organization’s controls are effective in managing them. While audit risk, assessment of
prior audits, and business strategy are important factors in the audit process, they are secondary to
the fundamental requirement of considering risks.
References:
Objectives of Auditing - Primary and Secondary Objectives of Auditing | Auditing Management Notes
Audit Objectives | Primary and Subsidiary Audit Objectives - EDUCBA

8.What is the MAIN reason to use incremental backups?
A. To improve key availability metrics
B. To reduce costs associated with backups
C. To increase backup resiliency and redundancy
D. To minimize the backup time and resources
Answer: D
Explanation:
Incremental backups are backups that only copy the data that has changed since the last backup,
whether it was a full or incremental backup. The main reason to use incremental backups is to
minimize the backup time and resources, as they require less storage space and network bandwidth
than full backups. Incremental backups can also improve key availability metrics, such as recovery
point objective (RPO) and recovery time objective (RTO), but that is not their primary purpose.
Reducing costs associated with backups and increasing backup resiliency and redundancy are
possible benefits of incremental backups, but they depend on other factors, such as the backup
frequency, retention policy, and media type.
References: CISA Review Manual (Digital Version): Chapter 5 - Information Systems Operations and
Business Resilience
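
The incremental selection rule described above, as an added example that is not part of the original document: day 0 takes a full backup, later days copy only files modified since the previous backup, and the restore chain shows the recovery-time side of the trade-off. The file set, sizes and edit log are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FileRecord:
    name: str
    size_mb: int
    mtime: int  # last-modified time, expressed as a day number (constructed)


def sample_files() -> List[FileRecord]:
    """Constructed file set, not from the original document: five files, 1000 MB in total."""
    return [
        FileRecord("db.dat", 400, 0),
        FileRecord("mail.pst", 300, 0),
        FileRecord("archive.zip", 200, 0),
        FileRecord("ledger.xlsx", 60, 0),
        FileRecord("notes.txt", 40, 0),
    ]


# Constructed edit log: which files are modified on which day.
SAMPLE_EDITS: Dict[int, List[str]] = {1: ["ledger.xlsx"], 2: ["ledger.xlsx", "notes.txt"]}


def changed_since(files: List[FileRecord], last_backup_time: int) -> List[FileRecord]:
    """Incremental selection rule: copy only files modified after the last backup,
    whether that last backup was full or incremental."""
    return [f for f in files if f.mtime > last_backup_time]


def run_backups(files: List[FileRecord], edits: Dict[int, List[str]], days: int) -> List[Tuple[int, str, int]]:
    """Day 0 is a full backup; every later day is incremental.
    Returns one (day, kind, megabytes copied) tuple per backup run."""
    runs: List[Tuple[int, str, int]] = []
    last_backup_time: Optional[int] = None
    for day in range(days):
        for f in files:
            if f.name in edits.get(day, []):
                f.mtime = day  # the file was modified today
        if last_backup_time is None:
            selected, kind = list(files), "full"
        else:
            selected, kind = changed_since(files, last_backup_time), "incremental"
        runs.append((day, kind, sum(f.size_mb for f in selected)))
        last_backup_time = day
    return runs


def restore_chain(runs: List[Tuple[int, str, int]]) -> int:
    """Backup sets needed to restore the latest state: the last full backup plus
    every incremental taken after it. A longer chain means a longer restore (RTO)."""
    last_full = max(i for i, (_, kind, _) in enumerate(runs) if kind == "full")
    return len(runs) - last_full


def compare(days: int = 3) -> dict:
    """Contrast the incremental strategy with taking a full backup every day."""
    files = sample_files()
    runs = run_backups(files, SAMPLE_EDITS, days)
    total_size = sum(f.size_mb for f in files)
    return {
        "per_run_mb": [mb for _, _, mb in runs],
        "incremental_strategy_total_mb": sum(mb for _, _, mb in runs),
        "full_every_day_total_mb": total_size * days,
        "restore_chain_length": restore_chain(runs),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```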

9.An organization used robotic process automation (RPA) technology to develop software bots that
extract data from various sources for input into a legacy financial application.
Which of the following should be of GREATEST concern to an IS auditor when reviewing the software
bot job scheduling and production process automation?
A. Minor overrides were not authorized by the business
B. Software bots were incapable of learning from training data
C. Software bots were programmed to record all user interactions, including mouse tracking
D. Unauthorized modifications were made to the scripts to improve performance
Answer: D
Explanation:
Unauthorized modifications to scripts (D) pose the greatest risk because they can lead to unintended
processing errors, security vulnerabilities, or fraudulent activities. Change management controls
should be in place to prevent unauthorized script changes.
Other options:
Minor overrides not authorized (A) is a concern but does not pose as much risk as unauthorized script
changes.
Bots incapable of learning (B) is a limitation but not a security risk.
Recording user interactions (C) raises privacy concerns but is not as critical as unauthorized script
modifications.
Reference: ISACA CISA Review Manual, Information Systems Operations and Business Resilience

10.When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the
auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall
and:
A. the Internet.
B. the demilitarized zone (DMZ).
C. the organization's web server.
D. the organization's network.
Answer: A
Explanation:
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the
auditor’s best recommendation is to place an intrusion detection system (IDS) between the firewall
and the Internet, as this would provide an additional layer of security and alert the organization of any
malicious traffic that bypasses or penetrates the firewall. Placing an IDS between the firewall and the
demilitarized zone (DMZ), the organization’s web server, or the organization’s network would not be
as effective, as it would only monitor the traffic that has already passed through the firewall.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.3

11.Which of the following is the MOST appropriate testing approach when auditing a daily data flow
between two systems via an automated interface to confirm that it is complete and accurate?
A. Confirm that the encryption standard applied to the interface is in line with best practice.
B. Inspect interface configurations and an example output of the systems.
C. Perform data reconciliation between the two systems for a sample of 25 days.
D. Conduct code review for both systems and inspect design documentation.
Answer: C
Explanation:
The most appropriate testing approach when auditing a daily data flow between two systems via an
automated interface is to perform data reconciliation between the two systems for a sample of 25
days. Data reconciliation is a process of verifying that the data transferred from one system to another
is complete and accurate, and that there are no discrepancies or errors in the data flow. Data
reconciliation can be performed by using generalized audit software, which is a type of computer-
assisted audit technique (CAAT) that allows the IS auditor to perform various audit tasks on the data
stored in different file formats and databases. By performing data reconciliation for a sample of 25
days, the IS auditor can test the reliability and consistency of the data flow over a reasonable period
of time, and identify any potential issues or anomalies that could affect the quality of the data or the
functionality of the systems.
References:
1: Data Flow Testing - GeeksforGeeks
2: Generalized Audit Software (GAS) - ISACA

12.An IS auditor is reviewing an organization's information asset management process.
Which of the following would be of GREATEST concern to the auditor?
A. The process does not require specifying the physical locations of assets.
B. Process ownership has not been established.
C. The process does not include asset review.
D. Identification of asset value is not included in the process.
Answer: B
Explanation:
An IS auditor would be most concerned if process ownership has not been established for the
information asset management process, as this would indicate a lack of accountability, responsibility,
and authority for managing the assets throughout their lifecycle. The process owner should also
ensure that the process is aligned with the organization’s objectives, policies, and standards. The
process should require specifying the physical locations of assets, include asset review, and identify
asset value, but these are less critical than establishing process ownership.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

13.Which of the following is MOST important to consider when assessing the scope of privacy
concerns for an IT project?
A. Data ownership
B. Applicable laws and regulations
C. Business requirements and data flows
D. End-user access rights
Answer: B
Explanation:
When assessing the scope of privacy concerns for an IT project, the most important factor to consider
is the applicable laws and regulations. These laws and regulations define the legal requirements for
data privacy and protection that the project must comply with. They can vary greatly depending on the
jurisdiction and the type of data being processed, and non-compliance can result in significant
penalties. While data ownership, business requirements and data flows, and end-user access
rights are also important considerations, they are typically guided by these legal requirements.
References: ISACA’s Information Systems Auditor Study Materials

14.What should an IS auditor do FIRST upon discovering that a service provider did not notify its
customers of a security breach?
A. Notify law enforcement of the finding.
B. Require the third party to notify customers.
C. Issue the audit report with a significant finding.
D. Notify audit management of the finding.
Answer: D
Explanation:
The IS auditor should notify audit management of the finding first, as this is a significant issue that
may affect the audit scope and objectives. The IS auditor should not notify law enforcement or require
the third party to notify customers without consulting audit management first. The audit report with a
significant finding should be issued after the audit is completed and the findings are validated.
References: ISACA, CISA Review Manual, 27th Edition, 2018, page 247

15.An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and
identifies one transaction with a value five times as high as the average transaction.
Which of the following should the auditor do NEXT?
A. Report the variance immediately to the audit committee
B. Request an explanation of the variance from the auditee
C. Increase the sample size to 100% of the population
D. Exclude the transaction from the sample population
Answer: B
Explanation:
An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and
identifies one transaction with a value five times as high as the average transaction. The next step
that the auditor should do is to request an explanation of the variance from the auditee. This is
because the variance may indicate an error, fraud, or an unusual but legitimate transaction that
requires further investigation. The auditor should not report the variance immediately to the audit
committee without verifying its cause and significance. The auditor should not increase the sample
size to 100% of the population without considering the cost-benefit analysis and the sampling
methodology. The auditor should not exclude the transaction from the sample population without
justification, as it may affect the validity and reliability of the audit results.
References: CISA Review Manual (Digital Version), [ISACA Auditing Standards]

16.Which of the following activities provides an IS auditor with the MOST insight regarding potential
single person dependencies that might exist within the organization?
A. Reviewing vacation patterns
B. Reviewing user activity logs
C. Interviewing senior IT management
D. Mapping IT processes to roles
Answer: D
Explanation:
Mapping IT processes to roles is an activity that provides an IS auditor with the most insight regarding
potential single person dependencies that might exist within the organization. Single person
dependencies occur when only one person has the knowledge, skills, or access rights to perform a
critical IT function. Mapping IT processes to roles can help to identify such dependencies and assess
their impact on the continuity and security of IT operations. The other activities do not provide as
much insight into single person dependencies, as they do not show the relationship between IT
processes and roles.
References: CISA Review Manual, 27th Edition, page 94

17.An IS auditor discovers that backups of critical systems are not being performed in accordance
with the recovery point objective (RPO) established in the business continuity plan (BCP).
What should the auditor do NEXT?
A. Request an immediate backup be performed.
B. Expand the audit scope.
C. Identify the root cause.
D. Include the observation in the report.
Answer: C

18.Which of the following would provide the BEST evidence that a cloud provider's change
management process is effective?
A. Minutes from regular change management meetings with the vendor
B. Written assurances from the vendor's CEO and CIO
C. The results of a third-party review provided by the vendor
D. A copy of change management policies provided by the vendor
Answer: C
Explanation:
The results of a third-party review provided by the vendor would provide the best evidence that a
cloud provider’s change management process is effective, because it would be an independent and
objective assessment of the vendor’s compliance with best practices and standards for managing
changes in the cloud environment. A third-party review would also include testing of the vendor’s
change management controls and procedures, and provide recommendations for improvement if
needed.
Minutes from regular change management meetings with the vendor would not provide sufficient
evidence, because they would only reflect the vendor’s self-reported information and may not capture
all the changes that occurred or their impact on the cloud services. Written assurances from the
vendor’s CEO and CIO would also not provide sufficient evidence, because they would be based on
the vendor’s own opinion and may not be verified by external sources. A copy of change
management policies provided by the vendor would not provide sufficient evidence, because it would
only show the vendor’s intended approach to change management, but not how it is implemented or
monitored in practice.
References:
ISACA Cloud Computing Audit Program, Section 4.5: Change Management
Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives,
Section

19.Upon completion of audit work, an IS auditor should:
A. provide a report to senior management prior to discussion with the auditee.
B. distribute a summary of general findings to the members of the auditing team.
C. provide a report to the auditee stating the initial findings.
D. review the working papers with the auditee.
Answer: B
Explanation:
Upon completion of audit work, an IS auditor should distribute a summary of general findings to the
members of the auditing team. This is to ensure that the audit team members are aware of the audit
results, have an opportunity to provide feedback, and can agree on the audit conclusions and
recommendations. Providing a report to senior management prior to discussion with the auditee,
providing a report to the auditee stating the initial findings, and reviewing the working papers with the
auditee are not appropriate actions for an IS auditor to take upon completion of audit work, as they
may compromise the audit independence, objectivity, and quality.
References: ISACA CISA Review Manual 27th Edition, page 221

20.Which of the following provides the BEST evidence of the validity and integrity of logs in an
organization's security information and event management (SIEM) system?
A. Compliance testing
B. Stop-or-go sampling
C. Substantive testing
D. Variable sampling
Answer: C
Explanation:
Substantive testing (C) provides the best evidence of the validity and integrity of logs in an
organization’s security information and event management (SIEM) system, because it is a type of
audit testing that directly examines the accuracy, completeness, and reliability of the data and
transactions recorded in the logs. Substantive testing can involve various methods, such as re-
performance, inspection, observation, inquiry, or computer-assisted audit techniques (CAATs), to
verify the existence, occurrence, valuation, ownership, presentation, and disclosure of the log data.
Substantive testing can also detect any errors, omissions, alterations, or manipulations of the log data
that may indicate fraud or misstatement.
Compliance testing (A) is not the best evidence of the validity and integrity of logs in an
organization’s SIEM system, because it is a type of audit testing that evaluates the design and
effectiveness of the internal controls that are implemented to ensure compliance with laws,
regulations, policies, and procedures. Compliance testing can involve various methods, such as
walkthroughs, questionnaires, checklists, or flowcharts, to assess the adequacy, consistency, and
operation of the internal controls. Compliance testing can provide assurance that the log data are
generated and processed in accordance with the established rules and standards, but it does not
directly verify the accuracy and reliability of the log data itself.
Stop-or-go sampling (B) is not a type of audit testing, but a type of sampling technique that auditors
use to select a sample from a population for testing. Stop-or-go sampling is a sequential sampling
technique that allows auditors to stop testing before reaching the predetermined sample size if the
results are satisfactory or conclusive. Stop-or-go sampling can reduce the audit cost and time by
avoiding unnecessary testing, but it can also increase the sampling risk and uncertainty by relying on
a smaller sample. Stop-or-go sampling does not provide any evidence of the validity and integrity of
logs in an organization’s SIEM system by itself; it depends on the type and quality of the audit tests
performed on the selected sample.
Variable sampling (D) is not a type of audit testing, but a type of sampling technique that auditors use
to estimate a numerical characteristic of a population for testing. Variable sampling is a statistical
sampling technique that allows auditors to measure the amount or rate of error or deviation in a
population by using quantitative methods. Variable sampling can provide precise and objective results
by using mathematical formulas and confidence intervals. Variable sampling does not provide any
evidence of the validity and integrity of logs in an organization’s SIEM system by itself; it depends on
the type and quality of the audit tests performed on the selected sample.
References:
Audit Testing Procedures - 5 Types and Their Use Cases
5 Types of Testing Methods Used During Audit Procedures | I.S. Partners
Stop-or-Go Sampling Definition
Variable Sampling Definition

21.Which of the following is the MOST appropriate indicator of change management effectiveness?
A. Time lag between changes to the configuration and the update of records
B. Number of system software changes
C. Time lag between changes and updates of documentation materials
D. Number of incidents resulting from changes
Answer: D
Explanation:
Change management is the process of planning, implementing, monitoring, and evaluating changes
to an organization’s information systems and related components. Change management aims to
ensure that changes are aligned with the business objectives, minimize risks and disruptions, and
maximize benefits and value.
One of the key aspects of change management is measuring its effectiveness, which means
assessing whether the changes have achieved the desired outcomes and met the expectations of the
stakeholders. There are various indicators that can be used to measure change management
effectiveness, such as time, cost, quality, scope, satisfaction, and performance.
Among the four options given, the most appropriate indicator of change management effectiveness is
the number of incidents resulting from changes. An incident is an unplanned event or interruption that
affects the normal operation or service delivery of an information system. Incidents can be caused by
various factors, such as errors, defects, failures, malfunctions, or malicious attacks. Incidents can
have negative impacts on the organization, such as loss of data, productivity, reputation, or revenue.
The number of incidents resulting from changes is a direct measure of how well the changes have
been planned, implemented, monitored, and evaluated. A high number of incidents indicates that the
changes have not been properly tested, verified, communicated, or controlled. A low number of
incidents indicates that the changes have been executed smoothly and successfully. Therefore, the
number of incidents resulting from changes reflects the quality and effectiveness of the change
management process.
The other three options are not as appropriate indicators of change management effectiveness as the
number of incidents resulting from changes. The time lag between changes to the configuration and
the update of records is a measure of how timely and accurate the configuration management
process is. Configuration management is a subset of change management that focuses on
identifying, documenting, and controlling the configuration items (CIs) that make up an information
system. The time lag between changes and updates of documentation materials is a measure of how
well the documentation process is aligned with the change management process. Documentation is
an important aspect of change management that provides information and guidance to the
stakeholders involved in or affected by the changes. The number of system software changes is a
measure of how frequently and extensively the system software is modified or updated. System
software changes are a type of change that affects the operating system, middleware, or utilities that
support an information system.
While these three indicators are relevant and useful for measuring certain aspects of change
management, they do not directly measure the outcomes or impacts of the changes on the
organization. They are more related to the inputs or activities of change management than to its
outputs or results. Therefore, they are not as appropriate indicators of change management
effectiveness as the number of incidents resulting from changes.
References:
Metrics for Measuring Change Management - Prosci
How to Measure Change Management Effectiveness: Metrics, Tools & Processes
Metrics for Measuring Change Management 2023 - Zendesk

22.Which of the following would MOST effectively ensure the integrity of data transmitted over a
network?
A. Message encryption
B. Certificate authority (CA)
C. Steganography
D. Message digest
Answer: D
Explanation:
The most effective way to ensure the integrity of data transmitted over a network is to use a message
digest. A message digest is a cryptographic function that generates a unique and fixed-length value
(also known as a hash or checksum) from any input data. The message digest can be used to verify
that the data has not been altered or corrupted during transmission by comparing it with the message
digest generated at the destination. Message encryption is a method of protecting the confidentiality
of data transmitted over a network by transforming it into an unreadable format using a secret key.
Message encryption does not ensure the integrity of data, as it does not prevent or detect
unauthorized modifications. Certificate authority (CA) is an entity that issues and manages digital
certificates that bind public keys to identities. CA does not ensure the integrity of data, as it does not
prevent or detect unauthorized modifications. Steganography is a technique of hiding data within
other data, such as images or audio files. Steganography does not ensure the integrity of data, as it
does not prevent or detect unauthorized modifications.
References:
CISA Review Manual, 27th Edition, pages 383-384
CISA Review Questions, Answers & Explanations Database, Question ID: 258
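
The digest check that questions 4 and 22 describe, as an added example that is not part of the original document: the receiver recomputes the digest with the same algorithm and compares it with the value the sender supplied, and a toy keystream cipher (a hypothetical stand-in for any unauthenticated stream cipher) shows why encryption alone does not detect modification. The message and key are constructed.

```python
import hashlib
import hmac

# Constructed sample message and demo key (not from the original document).
MESSAGE = b"Payment instruction: account 12345, amount 1000.00"
DEMO_KEY = bytes(range(1, 17))


def make_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Sender side: compute a fixed-length digest (hash) of the data."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(data: bytes, received_digest: str, algorithm: str = "sha256") -> bool:
    """Receiver side: recompute the digest with the SAME algorithm and compare it with
    the digest the sender supplied. compare_digest is a constant-time comparison."""
    return hmac.compare_digest(make_digest(data, algorithm), received_digest)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy keystream cipher (hypothetical, for illustration only). Encrypting and
    decrypting are the same XOR operation, as in real stream or counter-mode ciphers."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo() -> dict:
    """Run the cases the two questions contrast and return a True/False result per case."""
    sent_digest = make_digest(MESSAGE, "sha256")
    tampered_message = MESSAGE.replace(b"1000.00", b"9000.00")

    # Encryption-only path (Q22 option A): one bit of the ciphertext changes in transit.
    # Decryption raises no error and silently yields altered plaintext.
    ciphertext = bytearray(xor_stream(MESSAGE, DEMO_KEY))
    ciphertext[0] ^= 0x01
    decrypted = xor_stream(bytes(ciphertext), DEMO_KEY)

    return {
        # Q4 option A: same algorithm, intact data -> digests match.
        "same_algorithm_intact": verify_integrity(MESSAGE, sent_digest, "sha256"),
        # Q4 options B/D: a different algorithm never matches, even for intact data,
        # so the receiver learns nothing about integrity.
        "different_algorithm_intact": verify_integrity(MESSAGE, sent_digest, "sha512"),
        # Modified message, same algorithm -> mismatch, the alteration is detected.
        "same_algorithm_tampered": verify_integrity(tampered_message, sent_digest, "sha256"),
        # Encryption alone neither prevented nor flagged the modification.
        "decryption_returned_original_message": decrypted == MESSAGE,
        # The digest check on the decrypted data does catch it.
        "digest_caught_tampered_ciphertext": not verify_integrity(decrypted, sent_digest, "sha256"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A bare digest only proves integrity if the digest itself reaches the receiver unaltered, for example over a separate trusted channel; where the digest travels with the message, a keyed digest (HMAC) or a digital signature is used instead.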

23.An organization has partnered with a third party to transport backup drives to an offsite storage
facility.
Which of the following is MOST important before sending the drives?
A. Creating a chain of custody to accompany the drive in transit
B. Ensuring data protection is aligned with the data classification policy
C. Encrypting the drive with strong protection standards
D. Ensuring the drive is placed in a tamper-evident mechanism
Answer: C
Explanation:
Before sending backup drives to an offsite storage facility, the most important thing to do is to encrypt
the drive with strong protection standards. This is because encryption ensures effective security
where information cannot be intercepted and used to harm the organization or its customers.
Encryption also protects the data from unauthorized access, modification, or deletion in case the drive
is lost, stolen, or damaged during transit or storage. Encryption of backup drives is especially
important for public safety organizations that handle sensitive or personally identifiable information,
such as medical records, criminal records, or emergency communications.

24.Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then
keyed into the job-costing system.
What is the BEST control to ensure that data is accurately entered into the system?
A. Reconciliation of total amounts by project
B. Validity checks, preventing entry of character data
C. Reasonableness checks for each cost type
D. Display the back of the project detail after the entry
Answer: A
Explanation:
Reconciliation of total amounts by project is the best control to ensure that data is accurately entered
into the job-costing system from spreadsheets. Reconciliation is a process of comparing two sets of
data to identify any differences or discrepancies between them. By reconciling the total amounts by
project from spreadsheets with those from the job-costing system, any errors or omissions in data
entry can be detected and corrected. Validity checks are controls that verify that data conforms to
predefined formats or ranges. They can prevent entry of character data into numeric fields, but they
cannot ensure that the numeric data is correct or complete. Reasonableness checks are controls that
verify that data is within expected or acceptable limits. They can detect outliers or anomalies in data,
but they cannot ensure that the data matches the source. Display back of project detail after entry is a
control that allows the user to review and confirm the data entered into the system. It can help reduce
human errors, but it cannot guarantee that the data is accurate or consistent with the source.
References: Information Systems Operations and Business Resilience, CISA Review Manual (Digital
Version)
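As an added example (not from the CISA Review Manual), the following Python script applies the three controls named in the question to a constructed set of keyed entries in which one labour figure has been transposed. The project codes, amounts and the reasonableness range are assumptions. The validity and reasonableness checks both pass the transposed value because it is numeric and in range; only the per-project reconciliation against the spreadsheet totals reveals it:

```python
"""Input controls over keying spreadsheet cost totals into a job-costing system.

Added example, not from the CISA Review Manual. Project codes, cost types,
amounts and the reasonableness range are constructed for illustration.
"""
from decimal import Decimal, InvalidOperation

# Constructed source: per-project totals computed in the estimating spreadsheet.
SPREADSHEET_TOTALS = {
    "P-100": {"labour": Decimal("12500.00"), "materials": Decimal("8200.00")},
    "P-200": {"labour": Decimal("4300.00"), "materials": Decimal("15200.00")},
}

# Constructed keyed input: the operator transposed P-100 labour (15200 for 12500).
# Every value is numeric and within range, so field-level checks let it through.
KEYED_ENTRIES = [
    ("P-100", "labour", "15200.00"),
    ("P-100", "materials", "8200.00"),
    ("P-200", "labour", "4300.00"),
    ("P-200", "materials", "15200.00"),
]

# Assumed acceptable band per cost type for the reasonableness check.
REASONABLE_RANGE = {
    "labour": (Decimal("1000"), Decimal("50000")),
    "materials": (Decimal("1000"), Decimal("50000")),
}


def validity_check(raw):
    """Field-level validity check: accept only numeric data, reject character data."""
    try:
        return Decimal(raw)
    except InvalidOperation:
        return None


def reasonableness_check(cost_type, amount):
    """Field-level limit check: the amount falls inside the expected band for its cost type."""
    low, high = REASONABLE_RANGE[cost_type]
    return low <= amount <= high


def reconcile_by_project(spreadsheet, keyed):
    """Batch control: per-project totals recorded in the system versus the source totals.

    Returns {project: recorded_minus_expected} for every project that does not agree.
    """
    recorded = {}
    for project, _cost_type, raw in keyed:
        amount = validity_check(raw)
        if amount is None:
            continue  # rejected at entry, so never recorded
        recorded[project] = recorded.get(project, Decimal("0")) + amount
    differences = {}
    for project, costs in spreadsheet.items():
        expected = sum(costs.values(), Decimal("0"))
        diff = recorded.get(project, Decimal("0")) - expected
        if diff != 0:
            differences[project] = diff
    return differences


def run_controls(spreadsheet, keyed):
    """Apply all three controls and report what each one flagged."""
    findings = {"validity": [], "reasonableness": [], "reconciliation": {}}
    for project, cost_type, raw in keyed:
        amount = validity_check(raw)
        if amount is None:
            findings["validity"].append((project, cost_type, raw))
        elif not reasonableness_check(cost_type, amount):
            findings["reasonableness"].append((project, cost_type, raw))
    findings["reconciliation"] = reconcile_by_project(spreadsheet, keyed)
    return findings


if __name__ == "__main__":
    for control, flagged in run_controls(SPREADSHEET_TOTALS, KEYED_ENTRIES).items():
        print(f"{control}: {flagged}")
```

Running it reports nothing under validity or reasonableness and a 2,700.00 difference for P-100 under reconciliation, which is exactly the point of the question: field-level checks test the form of each entry, while the batch total reconciles the entered data back to its source.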

25.Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?
A. Inability to utilize the site when required
B. Inability to test the recovery plans onsite
C. Equipment compatibility issues at the site
D. Mismatched organizational security policies
Answer: A
Explanation:
The greatest risk of using a reciprocal site for disaster recovery is the inability to utilize the site when
required. A reciprocal site is an agreement between two organizations to provide backup facilities for
each other in case of a disaster. However, this arrangement may not be reliable or enforceable,
especially if both organizations are affected by the same disaster or have conflicting priorities.
Therefore, the IS auditor should recommend that management consider alternative options for
disaster recovery, such as dedicated sites or cloud services.
References:
CISA Review Manual, 27th Edition, page 338
CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

26.Which of the following is MOST important to determine when conducting an audit of an
organization's data privacy practices?
A. Whether a disciplinary process is established for data privacy violations
B. Whether strong encryption algorithms are deployed for personal data protection
C. Whether privacy technologies are implemented for personal data protection
D. Whether the systems inventory containing personal data is maintained
Answer: D
Explanation:
Option D is correct because the most important thing to determine when conducting an audit of an
organization's data privacy practices is whether the systems inventory containing personal data is
maintained. A systems inventory is a list of all the systems, applications, databases, and devices that
store, process, or transmit personal data within the organization. Maintaining a systems inventory is
essential for data privacy because it helps the organization to identify, classify, and protect the
personal data it holds and to comply with the relevant privacy laws and regulations; an organization
cannot protect personal data it does not know it holds. A systems inventory also enables the
organization to perform data protection impact assessments (DPIAs), issue data breach notifications,
respond to data subject access requests, and apply data retention and disposal policies.
The other options are not as important as option D. Whether a disciplinary process is established for
data privacy violations (option A) is a policy issue that may deter or sanction the employees who
violate the data privacy rules, but it does not directly affect the data privacy practices of the
organization. Whether strong encryption algorithms are deployed for personal data protection
(option B) is a technical issue that may enhance the security and confidentiality of the personal data,
but it does not address the other aspects of data privacy, such as accuracy, consent, and purpose
limitation. Whether privacy technologies are implemented for personal data protection (option C) is
also a technical issue that may support the data privacy practices of the organization, but it does not
guarantee that the organization follows the best practices or complies with the applicable laws and
regulations.
References:
IS Audit Basics: Auditing Data Privacy
Best Practices for Privacy Audits
ISACA Produces New Audit and Assurance Programs for Data Privacy and Mobile Computing

27.Which of the following areas of responsibility would cause the GREATEST segregation of duties
conflict if the individual who performs the related tasks also has approval authority?
A. Purchase requisitions and purchase orders
B. Invoices and reconciliations
C. Vendor selection and statements of work
D. Goods receipts and payments
Answer: D
Explanation:
The greatest segregation of duties conflict arises when the individual who records goods receipts
also approves payments. Recording the receipt of goods is a custody function and approving payment is
an authorization function; combining them lets one person confirm receipt of goods that never arrived,
or arrived short, and then release the payment for them, with no independent check before funds leave
the organization. The other pairings also involve duties that should be separated, but each of them is
still followed by an independent step in the purchase-to-pay cycle (the goods receipt, the invoice match,
or the payment approval) that can catch an error or an unauthorized transaction.
References:
Segregation of Duties: Examples of Roles, Duties & Violations - Pathlock
Functions in the Purchasing Process and how to Segregate Purchasing Duties

28.An organization is implementing a new system that supports a month-end business process.
Which of the following implementation strategies would be MOST efficient to decrease business
downtime?
A. Big bang
B. Phased
C. Cutover
D. Parallel
Answer: B
Explanation:
Comprehensive and Detailed Step-by-Step
Minimizing business downtime is critical when implementing a new system that supports an essential
process like month-end closing.
Option A (Incorrect): The big bang approach involves replacing the old system with the new system
all at once. This method carries a high risk because if issues arise, they may cause significant
downtime and disruption.
Option B (Correct): A phased approach gradually implements the system in stages, allowing users to
adapt and minimizing the risk of complete failure. This strategy is ideal for critical systems that cannot
afford extended downtime.
Option C (Incorrect): The cutover approach is a variation of big bang, where the old system is shut
down, and the new system is activated. This method is risky for month-end processes because errors
can cause business delays.
Option D (Incorrect): The parallel approach runs both old and new systems simultaneously to verify
accuracy, but it is resource-intensive and may not be practical for a high-volume month-end process.
Reference: ISACA CISA Review Manual, Domain 3: Information Systems Acquisition, Development, and
Implementation (system implementation strategies, risk management, and best practices).

29.An IS auditor has been asked to provide support to the control self-assessment (CSA) program.
Which of the following BEST represents the scope of the auditor’s role in the program?
A. The auditor should act as a program facilitator.
B. The auditor should focus on improving process productivity
C. The auditor should perform detailed audit procedures
D. The auditor's presence replaces the audit responsibilities of other team members.
Answer: A

30.The PRIMARY objective of a control self-assessment (CSA) is to:
A. educate functional areas on risks and controls.
B. ensure appropriate access controls are implemented.
C. eliminate the audit risk by leveraging management's analysis.
D. gain assurance for business functions that cannot be audited.
Answer: A
Explanation:
The primary objective of a control self-assessment (CSA) is to educate functional areas on risks and
controls. CSA is a technique that allows managers and work teams directly involved in business units,
functions or processes to participate in assessing the organization's risk management and control
processes. CSA can help functional areas to obtain a clear and shared understanding of their major
activities and objectives, to foster an improved awareness of risk and controls among management
and staff, to enhance responsibility and accountability for risks and controls, and to highlight best
practices and opportunities to improve business performance.
The other options are not the primary objective of a CSA. Ensuring appropriate access controls are
implemented is a specific type of control that may be assessed by a CSA, but it is not the main goal of
the technique. Eliminating the audit risk by leveraging management’s analysis is not a realistic or
desirable outcome of a CSA, as audit risk can never be completely eliminated, and management’s
analysis may not be sufficient or reliable without independent verification. Gaining assurance for
business functions that cannot be audited is not a valid reason for conducting a CSA, as all business
functions should be subject to audit, and a CSA is not a substitute for an audit.
References:
Control Self Assessments - PwC
Control self-assessment - Wikipedia
Control Self Assessment - AuditNet

31.Which of the following should an IS auditor use when verifying a three-way match has occurred in
an enterprise resource planning (ERP) system?
A. Bank confirmation
B. Goods delivery notification
C. Purchase requisition
D. Purchase order
Answer: D
Explanation:
A three-way match is a process of verifying that a purchase order, a goods receipt and an invoice are
consistent before making a payment. A three-way match ensures that the organization only pays for
the goods or services that it ordered and received, and that the prices and quantities are accurate. A
three-way match can prevent errors, fraud and overpayments in the accounts payable process.
An IS auditor should use a purchase order when verifying a three-way match has occurred in an
enterprise resource planning (ERP) system. A purchase order is a document that authorizes a
purchase transaction and specifies the items, quantities, prices and terms of the order. A purchase
order is the first document in the three-way match process, and it serves as the basis for comparing
the goods receipt and the invoice. An IS auditor can use a purchase order to check if the ERP system
has correctly recorded, matched and approved the three documents before making a payment.
The other options are not as useful for verifying a three-way match. A bank confirmation is a
document that verifies the balance and activity of a bank account. A bank confirmation can be used
to confirm that a payment has been made or received, but it does not provide information about the
details of the purchase transaction or the three-way match process. A goods delivery notification is a
document that informs the buyer that the goods have been shipped or delivered by the seller. A
goods delivery notification can be used to track the status of the delivery, but it does not provide
information about the quantity or quality of the goods or the invoice amount. A purchase requisition is
a document that requests authorization to purchase goods or services from a specific supplier. A
purchase requisition can be used to initiate the purchasing process, but it does not provide
information about the actual purchase order, goods receipt or invoice.
References:
Bank Confirmation - Overview, How It Works, Importance
What is Goods Delivery Note? | Definition & Example
What Is Three-Way Matching & Why Is It Important? | NetSuite
Enterprise Resource Planning (ERP) - Definition, Types, Uses

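The matching logic described above, as an added example that is not part of the original question bank or of any ERP product. It anchors on the purchase order, as the explanation says an auditor should, and reports every way an invoice can fail the match against the order and the receipts booked to it. The document numbers, quantities, prices and the 2% unit-price tolerance are constructed assumptions:

```python
"""Three-way match of purchase order, goods receipt(s) and supplier invoice.

Added example, not from the CISA Review Manual or any ERP product. Document
numbers, quantities and prices are constructed; the price tolerance is an
assumption (real systems make it a configurable parameter).
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    item: str
    quantity: int
    unit_price: Decimal
    approved: bool


@dataclass(frozen=True)
class GoodsReceipt:
    gr_number: str
    po_number: str
    item: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    item: str
    quantity_billed: int
    unit_price: Decimal


PRICE_TOLERANCE = Decimal("0.02")  # assumed: up to 2% unit-price variance is accepted


def three_way_match(po, receipts, invoice, price_tolerance=PRICE_TOLERANCE):
    """Compare the invoice against the purchase order and the receipts booked to it.

    The approved PO is the anchor document: both the receipts and the invoice are
    tested against it. Returns a list of exception messages; an empty list means
    the invoice is cleared for payment.
    """
    if po is None or po.po_number != invoice.po_number:
        return [f"{invoice.invoice_number}: no matching purchase order on file"]
    exceptions = []
    if not po.approved:
        exceptions.append(f"{po.po_number}: purchase order has not been approved")
    if invoice.item != po.item:
        exceptions.append(f"{invoice.invoice_number}: item {invoice.item} differs from PO item {po.item}")
    received = sum(r.quantity_received for r in receipts
                   if r.po_number == po.po_number and r.item == po.item)
    if invoice.quantity_billed > po.quantity:
        exceptions.append(f"{invoice.invoice_number}: billed {invoice.quantity_billed} "
                          f"exceeds PO quantity {po.quantity}")
    if invoice.quantity_billed > received:
        exceptions.append(f"{invoice.invoice_number}: billed {invoice.quantity_billed} "
                          f"but only {received} received")
    allowed_variance = po.unit_price * price_tolerance
    if abs(invoice.unit_price - po.unit_price) > allowed_variance:
        exceptions.append(f"{invoice.invoice_number}: unit price {invoice.unit_price} "
                          f"outside tolerance of PO price {po.unit_price}")
    return exceptions


def cleared_for_payment(po, receipts, invoice):
    """True only when the three-way match raises no exception."""
    return not three_way_match(po, receipts, invoice)


# Constructed sample documents: one order, two partial receipts, three invoices.
PO = PurchaseOrder("PO-1001", "SSD-2TB", 10, Decimal("150.00"), approved=True)
RECEIPTS = [GoodsReceipt("GR-501", "PO-1001", "SSD-2TB", 6),
            GoodsReceipt("GR-502", "PO-1001", "SSD-2TB", 4)]
INVOICE_OK = Invoice("INV-77", "PO-1001", "SSD-2TB", 10, Decimal("151.00"))          # within 2%
INVOICE_OVERBILLED = Invoice("INV-78", "PO-1001", "SSD-2TB", 12, Decimal("150.00"))  # more than ordered and received
INVOICE_OVERPRICED = Invoice("INV-79", "PO-1001", "SSD-2TB", 10, Decimal("165.00"))  # 10% above PO price

if __name__ == "__main__":
    for inv in (INVOICE_OK, INVOICE_OVERBILLED, INVOICE_OVERPRICED):
        print(inv.invoice_number, three_way_match(PO, RECEIPTS, inv) or "cleared for payment")
```

When auditing an ERP's matching, the evidence to pull is the population of purchase orders and, for each, the receipt and invoice records the system linked to it and the tolerance parameters in force; the check above is the logic the auditor is trying to confirm the system actually applied.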
32.Which of the following is the MOST important responsibility of data owners when implementing a
data classification process?
A. Reviewing emergency changes to data
B. Authorizing application code changes
C. Determining appropriate user access levels
D. Implementing access rules over database tables
Answer: C
Explanation:
The most important responsibility of data owners when implementing a data classification process is
determining appropriate user access levels (option C). This is because:
Data owners are the persons or entities that have the authority and responsibility for the business
processes and functions that collect, use, store, and dispose of data.
Data owners are accountable for ensuring that the data is handled in compliance with the applicable
laws, regulations, policies, and standards, such as the GDPR and the PIPEDA.
Data owners are in the best position to determine the purpose and necessity of collecting and
retaining data, as well as the risks and benefits associated with it.
Data owners should consult with other stakeholders, such as the risk manager, the database
administrator (DBA), and the privacy manager, to establish and implement appropriate data
classification policies and procedures.
Data classification is the process of organizing data in groups based on their attributes and
characteristics, and then assigning class labels that describe a set of attributes that hold true for the
corresponding data sets.
Data classification helps organizations to identify, manage, protect, and understand their data, as well
as to comply with modern data privacy regulations.
Data classification also helps to determine appropriate user access levels, which means defining who
can access, modify, share, or delete data based on their roles, responsibilities, and needs.
Determining appropriate user access levels is the most important responsibility of data owners when
implementing a data classification process, as it ensures that only authorized and legitimate users
can access sensitive or important data. This provides confidentiality, integrity, availability, and
accountability of data.
Reviewing emergency changes to data (option A), authorizing application code changes (option B),
and implementing access rules over database tables (option D) are not the most important
responsibilities of data owners when implementing a data classification process. These are more
related to the operational aspects of data management, which are usually delegated to other roles,
such as the DBA or the IT staff. The data owner should oversee and approve these activities, but not
perform them directly.

33.What is the PRIMARY reason to adopt a risk-based IS audit strategy?
A. To achieve synergy between audit and other risk management functions
B. To prioritize available resources and focus on areas with significant risk
C. To reduce the time and effort needed to perform a full audit cycle
D. To identify key threats, risks, and controls for the organization
Answer: B

34.Which of the following is MOST important to ensure when developing an effective security
awareness program?
A. Training personnel are information security professionals.
B. Outcome metrics for the program are established.
C. Security threat scenarios are included in the program content.
D. Phishing exercises are conducted post-training
Answer: B
Explanation:
The most important factor to ensure when developing an effective security awareness program is
B, outcome metrics for the program are established. This is because outcome metrics are measures
that evaluate the impact and results of the security awareness program on the behavior and
performance of the users, and the security posture and objectives of the organization.
Outcome metrics can help ensure the effectiveness of the security awareness program by:
Providing feedback and evidence on whether the security awareness program is achieving its goals
and expectations, such as reducing the number of incidents, improving the compliance rate, or
increasing the reporting rate.
Identifying and quantifying the strengths and weaknesses of the security awareness program, and
enabling continuous improvement and optimization of the program content, delivery, and frequency.
Demonstrating and communicating the value and return on investment of the security awareness
program to the stakeholders and management, and securing their support and commitment for the
program.

35.Based on best practices, which types of accounts should be disabled for interactive login?
A. Local accounts
B. Administrator accounts
C. Console accounts
D. Service accounts
Answer: D
Explanation:
Comprehensive and Detailed Step-by-Step
Service accounts are used by applications or systems to perform automated tasks and should not be
allowed for interactive login, as they present security risks if compromised.
Service accounts (correct answer: D)
Used for running background tasks (e.g., database services, scheduled jobs).
Should have minimal permissions and be denied interactive logins.
Example: a compromised service account that permits interactive login could allow attackers to gain
system access.
Local accounts (incorrect: A)
Local administrator accounts should be restricted but may still be required for some systems.
Administrator accounts (incorrect: B)
Should be restricted, but disabling them entirely could lock out system management.
Console accounts (incorrect: C)
Console access is sometimes needed for system recovery and troubleshooting.
References:
ISACA CISA Review Manual
NIST 800-63B (Digital Identity Guidelines)
CIS (Center for Internet Security) Best Practices
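As an added example (not from the CISA Review Manual, NIST SP 800-63B or the CIS Benchmarks), the Python check below parses constructed /etc/passwd records, lists the service accounts whose login shell still permits an interactive session, and emits the usermod commands that would remediate them. The UID cut-off of 999 and the set of non-login shells are assumptions that follow common Linux defaults; confirm both against the host's /etc/login.defs before relying on the result. The check mirrors the explanation: root and named human users are left alone, service accounts are flagged.

```python
"""Audit check: service accounts that still permit an interactive login.

Added example, not from the CISA Review Manual, NIST SP 800-63B or the CIS
Benchmarks. The passwd records are constructed. The UID cut-off and the set of
non-login shells are assumptions that follow common Linux defaults (system
accounts are allocated UIDs below 1000); adjust both to the host's login.defs.
"""

# Shells that refuse an interactive session.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
SYSTEM_UID_MAX = 999  # assumption: UIDs 1..999 are service/system accounts

# Constructed /etc/passwd content (no real hosts or users).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:112:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
backup-svc:x:998:998:Nightly backup job:/var/backups:/bin/sh
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) records into dicts; malformed lines are skipped, not guessed at."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell})
    return accounts


def interactive_service_accounts(accounts, uid_max=SYSTEM_UID_MAX):
    """Names of service accounts (system UID range, root excluded) whose shell allows login.

    root is deliberately left out: the finding is that service accounts must be
    denied interactive login, not that administrator accounts are disabled.
    """
    return sorted(a["name"] for a in accounts
                  if 0 < a["uid"] <= uid_max and a["shell"] not in NOLOGIN_SHELLS)


def remediation_commands(names, nologin="/usr/sbin/nologin"):
    """usermod(8) invocations that set a non-login shell for each flagged account."""
    return [f"usermod -s {nologin} {name}" for name in names]


if __name__ == "__main__":
    flagged = interactive_service_accounts(parse_passwd(SAMPLE_PASSWD))
    print("service accounts with interactive shells:", flagged)
    for cmd in remediation_commands(flagged):
        print(cmd)
```

On a real host, read /etc/passwd instead of SAMPLE_PASSWD and treat the output as a list of exceptions to investigate, since a service that genuinely needs a shell for cron jobs should be handled with a locked password and SSH restrictions rather than silently ignored.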

36.Backup procedures for an organization's critical data are considered to be which type of control?
A. Directive
B. Corrective
C. Detective
D. Compensating
Answer: B
Explanation:
Backup procedures for an organization’s critical data are considered to be corrective controls, as
they are designed to restore normal operations after a disruption or failure. Corrective controls aim to
minimize the impact of an incident and prevent recurrence. Directive, detective and compensating
controls are not related to backup procedures. Directive controls are intended to guide or instruct
users to follow policies and procedures. Detective controls are intended to identify and report
incidents or violations. Compensating controls are intended to mitigate the risk of a missing or
ineffective primary control.
References: CISA Review Manual (Digital Version), Chapter 2, Section 2.11

37.During recent post-implementation reviews, an IS auditor has noted that several deployed
applications are not being used by the business.
The MOST likely cause would be the lack of:
A. IT portfolio management.
B. IT resource management.
C. system support documentation.
D. change management.
Answer: B

38.Which of the following observations should be of GREATEST concern to an IS auditor reviewing
an organization's enterprise architecture (EA) program?
A. IT application owners have sole responsibility for architecture approval.
B. The architecture review board is chaired by the CIO.
C. Information security requirements are reviewed by the EA program.
D. The EA program governs projects that are not IT-related.
Answer: A
Explanation:
Comprehensive and Detailed Step-by-Step
Enterprise Architecture (EA) governance requires proper oversight and separation of duties to ensure
strategic alignment and risk management.
Option A (Correct): If IT application owners have sole authority over architecture approval, there is a
high risk of inadequate governance, lack of strategic alignment, and potential conflicts of interest.
Architecture decisions should involve multiple stakeholders, including business and security teams, to
ensure compliance, security, and business alignment.
Option B (Incorrect): While having the CIO chair the architecture review board might not be ideal, it is
not the greatest concern. The CIO is a senior leader who can provide oversight and direction, even if
additional governance mechanisms should be in place.
Option C (Incorrect): Reviewing security requirements within the EA program is a best practice, as it
ensures that security is embedded into enterprise architecture rather than treated as an afterthought.
Option D (Incorrect): Enterprise architecture should ideally encompass both IT and business
processes. Governing non-IT-related projects is not inherently problematic, as EA is designed to align
business strategy with IT infrastructure.
Reference: ISACA CISA Review Manual, Domain 2: Governance and Management of IT (IT governance
and enterprise architecture program structure).

39.Which of the following provides the BEST method for maintaining the security of corporate
applications pushed to employee-owned mobile devices?
A. Enabling remote data destruction capabilities
B. Implementing mobile device management (MDM)
C. Disabling unnecessary network connectivity options
D. Requiring security awareness training for mobile users
Answer: B
Explanation:
The best method for maintaining the security of corporate applications pushed to employee-owned
mobile devices is implementing mobile device management (MDM). MDM is a software solution that
allows an organization to remotely manage, configure, and secure the mobile devices that access its
network and data. MDM can help protect corporate applications on employee-owned devices by:
Enforcing security policies and settings, such as encryption, password, firewall, antivirus, and VPN.
Controlling the installation, update, and removal of corporate applications and data.
Separating corporate and personal data and applications on the device using containers or profiles.
Monitoring and auditing the device’s compliance status, activity, and location.
Performing remote actions, such as lock, wipe, backup, or restore, in case of loss, theft, or
compromise.
MDM can provide a comprehensive and centralized approach to maintain the security of corporate
applications on employee-owned devices, regardless of the device type, platform, or ownership. MDM
can also help the organization comply with regulatory and industry standards for data protection and
privacy.
Enabling remote data destruction capabilities is a useful feature for maintaining the security of
corporate applications on employee-owned devices, but it is not the best method by itself. Remote
data destruction allows the organization to erase the corporate data and applications from the device
in case of loss, theft, or compromise. However, this feature does not prevent unauthorized access or
misuse of the corporate data and applications before they are destroyed. Remote data destruction is
usually part of an MDM solution.
Disabling unnecessary network connectivity options is a good practice for maintaining the security of
corporate applications on employee-owned devices, but it is not the best method by itself. Network
connectivity options, such as Wi-Fi, Bluetooth, NFC, or USB, can expose the device to potential
attacks or data leakage. Disabling these options when they are not needed can reduce the attack
surface and improve battery life. However, this practice does not address other security risks or
requirements for the corporate applications on the device. Disabling network connectivity options can
also be part of an MDM solution.
Requiring security awareness training for mobile users is an important measure for maintaining the
security of corporate applications on employee-owned devices, but it is not the best method by itself.
Security awareness training can educate the users about the potential threats and best practices for
using their devices securely. It can also help foster a culture of security and responsibility among the
users. However, security awareness training cannot guarantee that the users will follow the security
policies and guidelines consistently and correctly. Security awareness training should be
complemented by technical controls, such as MDM.
References:
Protecting Corporate Data on Mobile Devices for All Companies
Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)

40.3: Mandatory Guidance, p. 24-25.
CISA Questions, Answers & Explanations Database, Question ID: QAE_CISA_711.

41.Which of the following is the BEST way to verify the effectiveness of a data restoration process?
A. Performing periodic reviews of physical access to backup media
B. Performing periodic complete data restorations
C. Validating offline backups using software utilities
D. Reviewing and updating data restoration policies annually
Answer: B
Explanation:
The best way to verify the effectiveness of a data restoration process is to perform periodic complete
data restorations. This is the process of transferring backup data to the primary system or data center
and verifying that the restored data is accurate, complete, and functional. By performing periodic
complete data restorations, the auditee can test the reliability and validity of the backup data, the
functionality and performance of the restoration tools and procedures, and the compatibility and
integrity of the restored data with the primary system. This will also help identify and resolve any
issues or errors that may occur during the restoration process, such as corrupted or missing files,
incompatible formats, or configuration problems.
Performing periodic reviews of physical access to backup media (option A) is not the best way to
verify the effectiveness of a data restoration process, as it only ensures the security and availability of
the backup media, not the quality or usability of the backup data. Physical access reviews are
important for preventing unauthorized access, theft, damage, or loss of backup media, but they do not
test the actual restoration process or verify that the backup data can be successfully restored.
Validating offline backups using software utilities (option C) is also not the best way to verify the
effectiveness of a data restoration process, as it only checks the integrity and consistency of the
backup data, not the functionality or compatibility of the restored data. Software utilities can help
detect and correct any errors or inconsistencies in the backup data, such as checksum errors,
duplicate files, or incomplete backups, but they do not test the actual restoration process or verify that
the restored data can work with the primary system.
Reviewing and updating data restoration policies annually (option D) is also not the best way to verify
the effectiveness of a data restoration process, as it only ensures that the policies are current and
relevant, not that they are implemented and followed. Data restoration policies are important for
defining roles and responsibilities, objectives and scope, standards and procedures, and metrics and
reporting for the restoration process, but they do not test the actual restoration process or verify that it
meets the expected outcomes.
Therefore, option B is the correct answer.
References:
What is backup and disaster recovery? | IBM
Backup and Recovery of Data: The Essential Guide | Veritas
Database Backup and Recovery Best Practices - ISACA
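An added example (not from the CISA Review Manual, IBM or Veritas) of the periodic full-restore test the explanation recommends, written in Python with the standard library only. It constructs a small primary data set, backs it up to a tar archive, restores the archive into a scratch directory and compares every restored file against a SHA-256 manifest taken from the primary. It also shows why option C is weaker: an archive from a backup job that silently skipped one file still opens and decompresses cleanly, and only the restore-and-compare step reports it missing. File names and contents are constructed.

```python
"""Periodic full-restore test of a backup archive, compared against a manifest.

Added example, not from the CISA Review Manual, IBM or Veritas. It creates a small
constructed data set, backs it up to a gzip-compressed tar archive, restores the
archive into a scratch directory and checks every restored file against SHA-256
hashes taken from the primary copy. The file names and contents are made up.
"""
import hashlib
import os
import tarfile
import tempfile

# Constructed primary data set (relative path -> contents).
SAMPLE_FILES = {
    "db/accounts.csv": b"id,name\n1,alice\n2,bob\n",
    "db/ledger.csv": b"id,amount\n1,100.00\n2,250.50\n",
    "config/app.ini": b"[db]\nhost=localhost\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def write_primary(root, files):
    """Lay the sample files down under root and return the manifest {path: sha256}."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return {rel: sha256_hex(data) for rel, data in files.items()}


def create_backup(root, archive, exclude=()):
    """Back up root into archive; exclude lets the test simulate an incomplete backup job."""
    with tarfile.open(archive, "w:gz") as tar:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if rel not in exclude:
                    tar.add(full, arcname=rel)


def archive_is_readable(archive):
    """Media-only validation (option C in the question): the archive opens and every
    member decompresses cleanly. It says nothing about whether the right files are inside."""
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    tar.extractfile(member).read()
        return True
    except (tarfile.TarError, OSError):
        return False


def restore_and_verify(archive, manifest):
    """Full restore into a scratch directory, then compare with the manifest.

    Returns a list of discrepancies ("missing: ..." / "altered: ..."); empty means
    the restoration produced exactly the data the primary held.
    """
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse members that would escape the restore directory.
                if os.path.isabs(member.name) or ".." in member.name.split("/"):
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(restore_dir)
        for rel, expected in manifest.items():
            path = os.path.join(restore_dir, rel)
            if not os.path.isfile(path):
                problems.append(f"missing: {rel}")
                continue
            with open(path, "rb") as fh:
                if sha256_hex(fh.read()) != expected:
                    problems.append(f"altered: {rel}")
    return problems


def run_restore_test(exclude=()):
    """Build primary data, back it up, and return (archive_readable, restore_problems)."""
    with tempfile.TemporaryDirectory() as work:
        primary = os.path.join(work, "primary")
        manifest = write_primary(primary, SAMPLE_FILES)
        archive = os.path.join(work, "backup.tar.gz")
        create_backup(primary, archive, exclude=exclude)
        return archive_is_readable(archive), restore_and_verify(archive, manifest)


if __name__ == "__main__":
    print("complete backup:", run_restore_test())
    print("backup missing ledger:", run_restore_test(exclude=("db/ledger.csv",)))
```

The manifest is the piece an auditor should ask to see: without an independent record of what the primary held at backup time, a restore can only be checked against itself. In production the restore target should be an isolated system, and the test should be repeated on a schedule and after any change to the backup tooling.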

42.Which of the following is MOST important for an IS auditor to verify when evaluating an
organization's data conversion and infrastructure migration plan?
A. Strategic goals have been considered.
B. A rollback plan is included.
C. A code check review is included.
D. A migration steering committee has been formed.
Answer: B
Explanation:
The most important thing for an IS auditor to verify when evaluating an organization’s data
conversion and infrastructure migration plan is that a rollback plan is included. A rollback plan is a
contingency plan that describes the steps and actions to be taken in case the data conversion or
infrastructure migration fails or causes unacceptable problems or risks. A rollback plan can help to
restore the original data and infrastructure, minimize the impact on the business operations and
functions, and ensure the continuity and availability of the IT services. The IS auditor should verify
that the rollback plan is feasible, tested, documented, and approved, and that it covers all the possible
scenarios and outcomes of the data conversion or infrastructure migration. The other options are not
as important as verifying the rollback plan, because they either do not address the potential failure or
disruption of the data conversion or infrastructure migration, or they are part of the normal planning
and execution process rather than a contingency plan.
References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3

43.An IS audit reveals that an organization operating in business continuity mode during a pandemic
situation has not performed a simulation test of the business continuity plan (BCP).
Which of the following is the auditor's BEST course of action?
A. Confirm the BCP has been recently updated.
B. Review the effectiveness of the business response.
C. Raise an audit issue for the lack of simulated testing.
D. Interview staff members to obtain commentary on the BCP's effectiveness.
Answer: B
Explanation:
Option B is the best course of action because the auditor's primary objective is to evaluate the
adequacy and performance of the business continuity plan (BCP) in ensuring the continuity and
resilience of the organization's critical functions and processes during a disruption. The organization
is already operating in business continuity mode, so the live activation of the plan is itself the best
available evidence of whether it works. The auditor should review the actual results and outcomes of
the business response, such as the recovery time, recovery point, service level, customer satisfaction,
and incident management, and compare them with the predefined objectives and criteria of the BCP.
The auditor should also identify and analyze any gaps, issues, or lessons learned from the business
response, and provide recommendations for improvement.
Option A (confirm the BCP has been recently updated) is not the best answer, because it is not directly
related to the auditor's course of action. Confirming the BCP has been recently updated is a part of
the audit planning and scoping process, not the audit execution or reporting process. The auditor
should confirm the BCP has been recently updated before conducting the audit, not after revealing
that a simulation test has not been performed. Moreover, confirming the BCP has been recently
updated does not provide sufficient evidence of the effectiveness of the business response.
Option C (raise an audit issue for the lack of simulated testing) is not the best answer, because it is
not the next step in the auditor's course of action. Raising an audit issue for the lack of simulated
testing is a part of the audit reporting and follow-up process, not the audit execution or evaluation
process. The auditor should raise an audit issue for the lack of simulated testing after reviewing the
effectiveness of the business response, not before or instead of doing so. Furthermore, raising an
audit issue for the lack of simulated testing does not address the root cause or impact of the
problem, nor does it provide any constructive feedback or guidance for improvement.
Option D (interview staff members to obtain commentary on the BCP's effectiveness) is not the best
answer, because it is not sufficient on its own to guide the auditor's course of action. Interviewing
staff members is a part of the audit evidence collection and analysis process, not the audit
evaluation or conclusion process. The auditor should interview staff members as one of the sources
of information, not as the only or main source. Additionally, staff commentary on the BCP's
effectiveness may be subjective, biased, or incomplete, and may not reflect the actual performance
or outcomes of the business response.
References:
Business Continuity Management Audit/Assurance Program
Business Continuity Plan Testing: Types and Best Practices

44.Which of the following is the BEST reason to implement a data retention policy?
A. To limit the liability associated with storing and protecting information
B. To document business objectives for processing data within the organization
C. To assign responsibility and ownership for data protection outside IT
D. To establish a recovery point objective (RPO) for disaster recovery procedures
Answer: A
Explanation:
The best reason to implement a data retention policy is to limit the liability associated with storing and
protecting information. A data retention policy is a document that defines how long data should be
kept by an organization and how they should be disposed of when they are no longer needed. A data
retention policy should comply with the applicable laws and regulations that govern the data retention
requirements and obligations of organizations, such as tax laws, privacy laws, or industry standards [4].
Implementing a data retention policy can help to limit the liability associated with storing and
protecting information by reducing the amount of data that need to be stored and secured, minimizing
the risk of data breaches or leaks, ensuring compliance with legal or contractual obligations, and
avoiding potential fines or penalties for non-compliance [5]. The other options are less relevant or
incorrect because:
B. Documenting business objectives for processing data within the organization is not a reason to
implement a data retention policy, as it is more related to data governance than data retention. Data
governance refers to the policies, procedures, and controls that define how data are collected, used,
managed, and shared within an organization. Data governance helps to ensure that data are aligned
with business objectives and support decision making [6].
C. Assigning responsibility and ownership for data protection outside IT is not a reason to implement
a data retention policy, as it is more related to data accountability than data retention. Data
accountability refers to the identification and assignment of roles and responsibilities for data
protection among different stakeholders within an organization. Data accountability helps to ensure
that data are handled appropriately and securely by authorized parties [7].
D. Establishing a recovery point objective (RPO) for disaster recovery procedures is not a reason to
implement a data retention policy, as it is more related to data backup than data retention. Data
backup refers to the process of creating copies of data that can be restored in case of data loss or
corruption. Data backup helps to ensure that data are available and recoverable in case of disaster [8].
RPO is a measure of the maximum amount of data loss that is acceptable in case of disaster [9].
References:
[4] Data Retention Policy - ISACA
[5] Data Retention - ISACA
[6] Data Governance - ISACA
[7] Data Accountability - ISACA
[8] Data Backup - ISACA
[9] Recovery Point Objective - ISACA
45.Which of the following would be MOST effective in detecting the presence of an unauthorized
wireless access point on an internal network?
A. Continuous network monitoring
B. Periodic network vulnerability assessments
C. Review of electronic access logs
D. Physical security reviews
Answer: A
Explanation:
The most effective method for detecting the presence of an unauthorized wireless access point on an
internal network is A. Continuous network monitoring. This is because continuous network monitoring
can capture and analyze all the wireless traffic in the network and identify any rogue or spoofed
devices that may be connected to the network without authorization. Continuous network monitoring
can also alert the system administrator of any suspicious or anomalous activities on the network and
help to locate and remove the unauthorized wireless access point quickly.
Periodic network vulnerability assessments (B) can also help to detect unauthorized wireless access
points, but they are not as effective as continuous network monitoring, because they are performed at
fixed intervals and may miss some devices that are added or removed between the assessments.
Review of electronic access logs (C) can provide some information about the devices that access the
network, but they may not be able to detect devices that use fake or stolen credentials or devices that
do not generate any logs. Physical security reviews (D) can help to prevent unauthorized physical
access to the network ports or devices, but they may not be able to detect wireless access points that
are hidden or disguised as legitimate devices.
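The detection logic behind answer A, as an added example that is not part of the question bank: a monitoring job compares the access points a wireless scanner observes against an authorized-AP inventory and flags unknown BSSIDs, including an unknown BSSID that advertises a corporate SSID. The inventory, the scan lines, and the "bssid ssid channel rssi" line format are all constructed sample data, not output of any real scanner.

```python
"""Rogue wireless access point detection over constructed scan records.

Added example (not from the question bank or ISACA materials). Compares
access points seen by a wireless scanner against an authorized-AP inventory
and flags (a) BSSIDs that are not in the inventory and (b) authorized SSIDs
advertised by unauthorized BSSIDs. All inventory entries, scan lines and
the line format below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed authorized inventory: BSSID -> the SSID it is allowed to advertise.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CORP-WIFI",
    "00:11:22:33:44:02": "CORP-WIFI",
    "00:11:22:33:44:03": "CORP-GUEST",
}

# Constructed scan output, one observed AP per line: "<bssid> <ssid> <channel> <rssi>".
# SSIDs containing spaces are not supported by this simple format and are skipped.
SAMPLE_SCAN = """\
00:11:22:33:44:01 CORP-WIFI 6 -41
00:11:22:33:44:02 CORP-WIFI 11 -55
00:11:22:33:44:03 CORP-GUEST 1 -60
aa:bb:cc:dd:ee:ff CORP-WIFI 6 -38
de:ad:be:ef:00:01 FreeWifi 3 -70
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    rssi: int
    reason: str


def parse_scan(text):
    """Parse scan lines into (bssid, ssid, channel, rssi) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        bssid, ssid, channel, rssi = parts
        try:
            rows.append((bssid.lower(), ssid, int(channel), int(rssi)))
        except ValueError:
            continue
    return rows


def detect_rogue_aps(scan_text, authorized=AUTHORIZED_APS):
    """Return a Finding for every observed AP that does not match the inventory.

    An unknown BSSID advertising an authorized SSID is reported separately,
    because it is the pattern of a spoofed access point rather than a stray one.
    """
    authorized = {b.lower(): s for b, s in authorized.items()}
    known_ssids = set(authorized.values())
    findings = []
    for bssid, ssid, channel, rssi in parse_scan(scan_text):
        if bssid in authorized:
            if authorized[bssid] != ssid:
                findings.append(Finding(bssid, ssid, channel, rssi,
                                        "authorized AP advertising unexpected SSID"))
            continue
        if ssid in known_ssids:
            findings.append(Finding(bssid, ssid, channel, rssi,
                                    "unauthorized BSSID spoofing an authorized SSID"))
        else:
            findings.append(Finding(bssid, ssid, channel, rssi, "unauthorized access point"))
    return findings


if __name__ == "__main__":
    for f in detect_rogue_aps(SAMPLE_SCAN):
        print(f"{f.bssid} {f.ssid!r} ch{f.channel} {f.rssi} dBm: {f.reason}")
```

Running this on the sample scan reports two findings: the unknown BSSID aa:bb:cc:dd:ee:ff advertising CORP-WIFI, and the unknown "FreeWifi" AP. Because the check runs on every scan rather than at assessment intervals, an AP that appears and disappears between periodic assessments (the weakness of option B) is still caught.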
46.Which of the following will be the MOST effective method to verify that a service vendor keeps
control levels as required by the client?
A. Conduct periodic on-site assessments using agreed-upon criteria.
B. Periodically review the service level agreement (SLA) with the vendor.
C. Conduct an unannounced vulnerability assessment of vendor's IT systems.
D. Obtain evidence of the vendor's control self-assessment (CSA).
Answer: A
Explanation:
The most effective method to verify that a service vendor keeps control levels as required by the
client is to conduct periodic on-site assessments using agreed-upon criteria. On-site assessments
can provide direct evidence of whether the vendor’s controls are operating effectively and
consistently in accordance with the client’s expectations and requirements. Agreed-upon criteria can
ensure that the assessments are objective, relevant, and reliable. The other options are not as
effective as on-site assessments in verifying the vendor’s control levels. Periodically reviewing the
SLA with the vendor can help monitor whether the vendor meets its contractual obligations and
service standards, but it does not provide assurance of whether the vendor’s controls are adequate
or sufficient. Conducting an unannounced vulnerability assessment of vendor’s IT systems can help
identify any weaknesses or gaps in the vendor’s security controls, but it may violate the terms and
conditions of the vendor-client relationship or cause operational disruptions. Obtaining evidence of the
vendor’s CSA can provide some indication of whether the vendor’s controls are self-monitored and
reported, but it does not verify whether the vendor’s controls are independent or accurate.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4
47.An IS auditor assessing the controls within a newly implemented call center would FIRST:
A. gather information from the customers regarding response times and quality of service.
B. review the manual and automated controls in the call center.
C. test the technical infrastructure at the call center.
D. evaluate the operational risk associated with the call center.
Answer: D
Explanation:
The first step in assessing the controls within a newly implemented call center is to evaluate the
operational risk associated with the call center. This will help the IS auditor to identify the potential
threats, vulnerabilities, and impacts that could affect the call center’s objectives, performance, and
availability. The evaluation of operational risk will also provide a basis for determining the scope,
objectives, and approach of the audit. The other options are possible audit procedures, but they are
not the first step in the audit process.
References: ISACA Frameworks: Blueprints for Success, CISA Review Manual (Digital Version)
48.An IS auditor learns that an in-house system development life cycle (SDLC) project has not met
user specifications.
The auditor should FIRST examine requirements from which of the following phases?
A. Configuration phase
B. User training phase
C. Quality assurance (QA) phase
D. Development phase
Answer: C
Explanation:
The quality assurance (QA) phase is the phase where the IS auditor should first examine
requirements from an in-house SDLC project that has not met user specifications. This is because the
QA phase is the phase where the system is tested and verified against the user specifications and the
design specifications to ensure that it meets the functional and non-functional requirements, as well
as the quality standards and expectations. The QA phase involves various testing activities, such as
unit testing, integration testing, system testing, acceptance testing, performance testing, security
testing, etc., to identify and resolve any defects, errors, or deviations from the specifications.
The configuration phase is not the phase where the IS auditor should first examine requirements from
an in-house SDLC project that has not met user specifications. The configuration phase is the phase
where the system is installed and configured on the target environment, such as hardware, software,
network, etc., to prepare it for deployment and operation. The configuration phase may involve
activities such as installation, customization, migration, integration, etc., to ensure that the system is
compatible and interoperable with the existing infrastructure and systems.
The user training phase is not the phase where the IS auditor should first examine requirements from
an in-house SDLC project that has not met user specifications. The user training phase is the phase
where the end-users are trained and educated on how to use the system effectively and efficiently.
The user training phase may involve activities such as developing training materials, conducting
training sessions, providing feedback and support, etc., to ensure that the users are familiar and
comfortable with the system features and functions.
The development phase is not the phase where the IS auditor should first examine requirements from
an in-house SDLC project that has not met user specifications. The development phase is the phase
where the system is coded and built based on the design specifications and the user specifications.
The development phase may involve activities such as programming, debugging, documenting, etc.,
to create a working prototype or a final product of the system.
49.Which of the following BEST facilitates the legal process in the event of an incident?
A. Right to perform e-discovery
B. Advice from legal counsel
C. Preserving the chain of custody
D. Results of a root cause analysis
Answer: C
Explanation:
The best way to facilitate the legal process in the event of an incident is to preserve the chain of
custody of the evidence. The chain of custody is a record of who handled, accessed, or modified the
evidence, when, where, how, and why. The chain of custody helps to ensure the integrity,
authenticity, and admissibility of the evidence in a court of law. The chain of custody also helps to
prevent tampering, alteration, or loss of evidence that could compromise the investigation or the
prosecution.
References:
CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database
50.An IS auditor is evaluating an organization's IT strategy and plans.
Which of the following would be of GREATEST concern?
A. There is not a defined IT security policy.
B. The business strategy meeting minutes are not distributed.
C. IT is not engaged in business strategic planning.
D. There is inadequate documentation of IT strategic planning.
Answer: C
Explanation:
The greatest concern for an IS auditor when evaluating an organization’s IT strategy and plans is that
IT is not engaged in business strategic planning, as this indicates a lack of alignment between IT and
business objectives, which could result in inefficient and ineffective use of IT resources and
capabilities. The absence of a defined IT security policy, the nondistribution of business strategy
meeting minutes, and the inadequate documentation of IT strategic planning are also issues that
should be addressed by an IS auditor, but they are not as significant as IT’s noninvolvement in
business strategic planning.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.1
51.Which of the following should be of GREATEST concern to an IS auditor assessing the
effectiveness of an organization's vulnerability scanning program?
A. Steps taken to address identified vulnerabilities are not formally documented
B. Results are not reported to individuals with authority to ensure resolution
C. Scans are performed less frequently than required by the organization's vulnerability scanning
schedule
D. Results are not approved by senior management
Answer: B
Explanation:
The finding that should be of greatest concern to an IS auditor assessing the effectiveness of an
organization’s vulnerability scanning program is that results are not reported to individuals with
authority to ensure resolution. This indicates a lack of accountability and communication for
vulnerability management, which may result in unresolved or delayed remediation of identified
vulnerabilities. This may expose the organization to increased risk of cyberattacks or breaches. The
other findings are also concerning, but not as much as this one, because they may affect the
completeness, accuracy or timeliness of the vulnerability scanning process, but not necessarily its
effectiveness.
References:
ISACA, CISA Review Manual, 27th Edition, chapter 4, section 4.41
ISACA, COBIT 2019 Framework: Introduction and Methodology, section 3.2
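A check an auditor can run over the organization's own findings export to test the condition behind answer B, as an added example not drawn from the question bank or from ISACA materials: it lists open findings with no assigned owner (nobody with authority to ensure resolution) and findings that have exceeded a remediation deadline. The finding records, host names, dates and the severity-based SLA table are constructed sample values; a real export would be mapped onto the same fields.

```python
"""Vulnerability remediation tracking check over constructed findings.

Added example, not part of the question bank. For each open finding it
reports (a) no assigned remediation owner and (b) age beyond the allowed
remediation window for its severity. Hosts, dates, ids and the SLA table
are constructed sample values.
"""
from datetime import date

# Constructed remediation SLA: maximum days a finding may stay open, by severity.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed date on which the assessment is run.
AS_OF = date(2024, 4, 15)

# Constructed findings as they might be exported from a scanner or ticketing system.
SAMPLE_FINDINGS = [
    {"id": "F-1", "host": "web-01", "severity": "critical",
     "found": date(2024, 3, 1), "owner": "webops", "status": "closed"},
    {"id": "F-2", "host": "web-02", "severity": "high",
     "found": date(2024, 3, 1), "owner": None, "status": "open"},
    {"id": "F-3", "host": "db-01", "severity": "medium",
     "found": date(2024, 1, 10), "owner": "dba", "status": "open"},
    {"id": "F-4", "host": "app-03", "severity": "low",
     "found": date(2024, 4, 1), "owner": "appteam", "status": "open"},
]


def assess_findings(findings, today, sla=REMEDIATION_SLA_DAYS):
    """Return {'unowned': [ids], 'overdue': [ids]} for open findings.

    A finding is overdue when it has been open longer than the SLA for its
    severity; an unknown severity is treated as critical so that it cannot
    silently escape the check.
    """
    unowned, overdue = [], []
    for f in findings:
        if f["status"] == "closed":
            continue
        if not f["owner"]:
            unowned.append(f["id"])
        allowed = sla.get(f["severity"], sla["critical"])
        if (today - f["found"]).days > allowed:
            overdue.append(f["id"])
    return {"unowned": unowned, "overdue": overdue}


def run_assessment():
    """Assess the constructed sample as of the constructed AS_OF date."""
    return assess_findings(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    result = run_assessment()
    print("open findings with no remediation owner:", result["unowned"])
    print("open findings past their remediation SLA:", result["overdue"])
```

On the sample data F-2 is both unowned and overdue (45 days open against a 30-day window) and F-3 is overdue (96 days against 90), while F-4 is within its window. The unowned list is the direct evidence for the audit finding in answer B; the overdue list shows the consequence the explanation describes, delayed remediation.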
52.When reviewing an organization's information security policies, an IS auditor should verify that the
policies have been defined PRIMARILY on the basis of:
A. a risk management process.
B. an information security framework.
C. past information security incidents.
D. industry best practices.
Answer: A
Explanation:
Information security policies are high-level statements that define the organization’s approach to
protecting its information assets from threats and risks. They should be based primarily on a risk
management process, which is a systematic method of identifying, analyzing, evaluating, treating,
and monitoring information security risks. A risk management process can help ensure that the
policies are aligned with the organization’s risk appetite, business objectives, legal and regulatory
requirements, and stakeholder expectations. An information security framework is a set of standards,
guidelines, and best practices that provide a structure for implementing information security policies. It
can support the risk management process, but it is not the primary basis for defining the policies. Past
information security incidents and industry best practices can also provide valuable inputs for defining
the policies, but they are not sufficient to address the organization’s specific context and needs.
References: Insights and Expertise, CISA Review Manual (Digital Version)
53.During a follow-up engagement, an IS auditor confirms evidence of a problem that was not an
issue in the original audit.
Which of the following is the auditor's BEST course of action?
A. Include the evidence as part of a future audit.
B. Report only on the areas within the scope of the follow-up.
C. Report the risk to management in the follow-up report.
D. Expand the follow-up scope to include examining the evidence.
Answer: C
54.Which of the following is MOST important during software license audits?
A. Judgmental sampling
B. Substantive testing
C. Compliance testing
D. Stop-or-go sampling
Answer: B
Explanation:
Substantive testing is the most important type of testing during software license audits, as it provides
evidence of the accuracy and completeness of the software inventory and licensing records.
Substantive testing involves examining transactions, balances, and other data to verify their validity,
existence, accuracy, and valuation. Compliance testing, on the other hand, is more focused on
assessing the adequacy and effectiveness of internal controls over software licensing, such as
policies, procedures, and monitoring mechanisms. Compliance testing alone cannot provide sufficient
assurance that the software license audit objectives are met, as it does not verify the actual software
usage and compliance status. Judgmental sampling and stop-or-go sampling are methods of
selecting samples for testing, not types of testing themselves.
References: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and
Techniques for IS Audit and Assurance Professionals, section 1206 Testing, “The IS audit and
assurance professional should perform sufficient testing to obtain sufficient appropriate evidence to
support conclusions reached.” [1] The section also defines substantive testing as “testing performed to
obtain audit evidence to detect material misstatements in transactions or balances” and compliance
testing as “testing performed to obtain audit evidence on the operating effectiveness of controls.” [1]
According to the ISACA IT Audit and Assurance Guideline G15 Software License Management, “The
objective of a software license audit is to provide management with an independent assessment
relating to compliance with software license agreements.” [2] The guideline also states that
“substantive tests should be performed on a sample basis to verify that all software installed on
devices within scope has been appropriately licensed.” [2]
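What the substantive test described above looks like in practice, as an added example that is not part of the question bank or of any ISACA guideline: an installed-software inventory is reconciled against license entitlements, product by product, and every product with more installations than seats is an audit exception. The product names, device ids and the CSV-like inventory layout are constructed sample data.

```python
"""Substantive test for a software license audit over constructed data.

Added example, not part of the question bank or ISACA materials. Reconciles
a constructed installation inventory (one row per device and product)
against constructed license entitlements and reports, per product, installed
seats, licensed seats and any shortfall. Product names and device ids are
constructed sample values.
"""
from collections import Counter

# Constructed entitlements: product -> number of per-device seats purchased.
ENTITLEMENTS = {
    "OfficeSuite": 3,
    "CADPro": 1,
    "DBAdminTool": 2,
}

# Constructed installation inventory as "device,product,version" rows.
# WS-002 reports CADPro twice (e.g. two scans), which must count as one seat.
INSTALL_INVENTORY = """\
device,product,version
WS-001,OfficeSuite,2021
WS-002,OfficeSuite,2021
WS-003,OfficeSuite,2019
WS-004,OfficeSuite,2021
WS-002,CADPro,12.0
WS-002,CADPro,12.0
WS-005,DBAdminTool,4.2
WS-006,VideoEditorX,8
"""


def parse_inventory(text):
    """Parse the inventory into a set of (device, product) pairs.

    Duplicate rows for the same device and product collapse to one pair,
    because a device consumes a per-device seat once regardless of how many
    times a scanner reported it.
    """
    pairs = set()
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for row in lines[1:]:  # first line is the header
        device, product, _version = (c.strip() for c in row.split(","))
        pairs.add((device, product))
    return pairs


def reconcile_licenses(inventory_text, entitlements=ENTITLEMENTS):
    """Return {product: {'installed', 'licensed', 'shortfall'}} for every product seen or licensed.

    Products that are installed but have no entitlement at all (VideoEditorX
    in the sample) are included with licensed = 0, so unlicensed software
    cannot hide outside the entitlement list.
    """
    installed = Counter(product for _device, product in parse_inventory(inventory_text))
    report = {}
    for product in sorted(set(installed) | set(entitlements)):
        n_inst = installed.get(product, 0)
        n_lic = entitlements.get(product, 0)
        report[product] = {
            "installed": n_inst,
            "licensed": n_lic,
            "shortfall": max(0, n_inst - n_lic),
        }
    return report


def exceptions(report):
    """Products whose installations exceed entitlements: the audit exceptions."""
    return sorted(p for p, r in report.items() if r["shortfall"] > 0)


if __name__ == "__main__":
    rep = reconcile_licenses(INSTALL_INVENTORY)
    for product, r in rep.items():
        print(f"{product}: installed {r['installed']}, licensed {r['licensed']}, shortfall {r['shortfall']}")
    print("exceptions:", exceptions(rep))
```

Reviewing the license-management policy (compliance testing) would not have surfaced the two exceptions in the sample, OfficeSuite over-deployed by one seat and VideoEditorX installed with no entitlement; only examining the actual installations does.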
55.A telecommunications company has recently created a new fraud department with three
employees and acquired a fraud detection system that uses artificial intelligence (AI) modules.
Which of the following would be of GREATEST concern to an IS auditor reviewing the system?
A. A very large number of true negatives
B. A small number of false negatives
C. A small number of true positives
D. A large number of false positives
Answer: B
56.An organization is concerned with meeting new regulations for protecting data confidentiality and
asks an IS auditor to evaluate their procedures for transporting data.
Which of the following would BEST support the organization's objectives?
A. Cryptographic hashes
B. Virtual local area network (VLAN)
C. Encryption
D. Dedicated lines
Answer: C
Explanation:
The best option to support the organization’s objectives of protecting data confidentiality while
transporting data is encryption. Encryption is a process of transforming data into an unreadable form
using a secret key or algorithm, so that only authorized parties can access the original data.
Encryption protects the confidentiality of data in transit by preventing unauthorized interception,
modification, or disclosure of the data. Encryption can also help comply with data privacy and security
regulations, such as the GDPR and HIPAA.
The other options are not as effective as encryption in protecting data confidentiality while
transporting data. Cryptographic hashes are mathematical functions that generate a fixed-length
output from an input, but they do not encrypt the data. Hashes are used to verify the integrity and
authenticity of data, but they do not prevent unauthorized access to the data. Virtual local area
network (VLAN) is a logical grouping of network devices that share the same broadcast domain, but
they do not encrypt the data. VLANs can improve network performance and security by isolating
traffic, but they do not protect the data from being intercepted or modified by external attackers.
Dedicated lines are physical connections that provide exclusive access to a network or service, but
they do not encrypt the data. Dedicated lines can offer higher bandwidth and reliability, but they do
not guarantee the confidentiality of the data from being compromised by physical tampering or
eavesdropping.
References:
ISACA, CISA Review Manual, 27th Edition, 2019, p. 247
ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
Data Security and Confidentiality Guidelines - Centers for Disease Control and Prevention
Information Security | Confidentiality - GeeksforGeeks
57.During which process is regression testing MOST commonly used?
A. System modification
B. Unit testing
C. Stress testing
D. Program development
Answer: A
58.The PRIMARY focus of a post-implementation review is to verify that:
A. enterprise architecture (EA) has been complied with.
B. user requirements have been met.
C. acceptance testing has been properly executed.
D. user access controls have been adequately designed.
Answer: B
Explanation:
The primary focus of a post-implementation review is to verify that user requirements have been met.
User requirements are specifications that define what users need or expect from a system or service,
such as functionality, usability, reliability, etc. User requirements are usually gathered and
documented at the beginning of a project, and used as a basis for designing, developing, testing, and
implementing a system or service. A post-implementation review is an evaluation that assesses
whether a system or service meets its objectives and delivers its expected benefits after it has been
implemented. The primary focus of a post-implementation review is to verify that user requirements
have been met, as this can indicate whether the system or service satisfies the user needs and
expectations, provides value and quality to the users, and supports the user goals and tasks.
Enterprise architecture (EA) has been complied with is a possible focus of a post-implementation
review, but it is not the primary one. EA is a framework that defines how an organization’s business
processes, information systems, and technology infrastructure are aligned and integrated to support
its vision and strategy. EA has been complied with, as this can indicate whether the system or service
fits with the organization’s current and future state, and follows the organization’s standards and
principles. Acceptance testing has been properly executed is a possible focus of a post-
implementation review, but it is not the primary one. Acceptance testing is a process that verifies
whether a system or service meets the user requirements and expectations before it is accepted by
the users or stakeholders. Acceptance testing has been properly executed, as this can indicate
whether the system or service has been tested and validated by the users or stakeholders, and
whether any issues or defects have been identified and resolved. User access controls have been
adequately designed is a possible focus of a post-implementation review, but it is not the primary one.
User access controls are mechanisms that ensure that only authorized users can access or use a
system or service, and prevent unauthorized access or use. User access controls have been
adequately designed, as this can indicate whether the system or service has appropriate security and
privacy measures in place, and whether any risks or threats have been mitigated.
59.Users are complaining that a newly released enterprise resource planning (ERP) system is
functioning too slowly.
Which of the following tests during the quality assurance (QA) phase would have identified this
concern?
A. Stress
B. Parallel
C. Regression
D. Interface
Answer: A
Explanation:
A stress test evaluates system performance under extreme conditions, such as high user loads, to
determine how the system behaves under peak traffic or resource exhaustion.
Stress Testing (Correct Answer: A)
Identifies performance bottlenecks in software applications.
Helps ensure the ERP system can handle expected workloads.
Example: Simulating thousands of concurrent users accessing the ERP system to test response
times and server load capacity.
Parallel Testing (Incorrect: B)
Compares a new system with an old one but does not test system performance under load.
Regression Testing (Incorrect: C)
Tests whether recent code changes have affected existing functionality but does not focus on
performance.
Interface Testing (Incorrect: D)
Checks interactions between system components but does not measure performance.
References:
ISACA CISA Review Manual
COBIT 2019: Performance and Capacity Planning
NIST 800-37 (Risk Management Framework)
60.Which of the following should be the GREATEST concern to an IS auditor reviewing an
organization's method to transport sensitive data between offices?
A. The method relies exclusively on the use of asymmetric encryption algorithms.
B. The method relies exclusively on the use of 128-bit encryption.
C. The method relies exclusively on the use of digital signatures.
D. The method relies exclusively on the use of public key infrastructure (PKI).
Answer: D
Explanation:
The greatest concern to an IS auditor reviewing an organization’s method to transport sensitive data
between offices is that the method relies exclusively on the use of public key infrastructure (PKI). PKI
is a set of tools and procedures that are used to create, manage, and revoke digital certificates and
public keys for encryption and authentication. PKI can provide secure and trustworthy
communication over the internet, but it also has some limitations and risks that need to be
considered.
One of the main limitations of PKI is that it depends on the trustworthiness and security of the
certificate authority (CA), which is the entity that issues and verifies the digital certificates. If the CA
is compromised or malicious, it can issue fake or fraudulent certificates that can be used to
impersonate legitimate parties or intercept sensitive data. For example, in 2011, a hacker breached
the CA DigiNotar and issued hundreds of rogue certificates for domains such as Google, Yahoo, and
Microsoft. This allowed the hacker to conduct man-in-the-middle attacks and spy on the online
activities of users in Iran.
Another limitation of PKI is that it requires a complex and costly infrastructure to maintain and
operate. PKI involves multiple components, such as servers, software, hardware, policies, and
procedures, that need to be configured, updated, and monitored regularly. PKI also requires a high
level of technical expertise and coordination among different parties, such as users, administrators,
CAs, and registration authorities (RAs). PKI can be vulnerable to human errors or negligence that
can compromise its security or functionality. For example, in 2018, a software bug in Apple’s macOS
High Sierra caused the system to accept any certificate as valid without checking its validity period.
This could have allowed attackers to use expired or revoked certificates to bypass security checks.
Therefore, an IS auditor should be concerned if an organization relies exclusively on PKI for
transporting sensitive data between offices. PKI can provide a high level of security and trust, but it
also has some inherent risks and challenges that need to be addressed. An IS auditor should
evaluate whether the organization has implemented adequate controls and measures to ensure the
reliability and integrity of its PKI system. An IS auditor should also consider whether the organization
has alternative or complementary methods for securing its data transmission, such as using
symmetric encryption algorithms or digital signatures. Symmetric encryption algorithms use the same
key for both encryption and decryption, which can offer faster performance and lower overhead than
asymmetric encryption algorithms used by PKI. Digital signatures use cryptographic techniques to
verify the identity and authenticity of the sender and the integrity of the data.
61.Which of the following is an IS auditor's BEST recommendation to mitigate the risk of
eavesdropping associated with an application programming interface (API) integration
implementation?
A. Encrypt the extensible markup language (XML) file.
B. Implement Transport Layer Security (TLS).
C. Mask the API endpoints.
D. Implement Simple Object Access Protocol (SOAP).
Answer: B
62.Which of the following is the BEST recommendation to include in an organization's bring your own
device (BYOD) policy to help prevent data leakage?
A. Require employees to waive privacy rights related to data on BYOD devices.
B. Require multi-factor authentication on BYOD devices.
C. Specify employee responsibilities for reporting lost or stolen BYOD devices.
D. Allow only registered BYOD devices to access the network.
Answer: B
Explanation:
The best recommendation to include in an organization’s bring your own device (BYOD) policy to
help prevent data leakage is to require multi-factor authentication on BYOD devices. BYOD is a
practice that allows employees to use their own personal devices, such as smartphones, tablets, or
laptops, to access the organization’s network, data, and systems. Data leakage is a risk that involves
the unauthorized or accidental disclosure or transfer of sensitive or confidential data from the
organization to external parties or devices. Multi-factor authentication is a security measure that
requires users to provide two or more pieces of evidence to verify their identity and access rights,
such as passwords, tokens, biometrics, or codes. Multi-factor authentication can help prevent data
leakage by reducing the likelihood of unauthorized access to the organization’s data and systems
through BYOD devices, especially if they are lost, stolen, or compromised. The other options are not
as effective as requiring multi-factor authentication on BYOD devices, because they either do not
prevent data leakage directly, or they are reactive rather than proactive measures.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.3
63.Which of the following would BEST facilitate the successful implementation of an IT-related
framework?
A. Aligning the framework to industry best practices
B. Establishing committees to support and oversee framework activities
C. Involving appropriate business representation within the framework
D. Documenting IT-related policies and procedures
Answer: C
64.Due to limited storage capacity, an organization has decided to reduce the actual retention period
for media containing completed low-value transactions.
Which of the following is MOST important for the organization to ensure?
A. The policy includes a strong risk-based approach.
B. The retention period allows for review during the year-end audit.
C. The retention period complies with data owner responsibilities.
D. The total transaction amount has no impact on financial reporting.
Answer: C
Explanation:
The most important factor for the organization to ensure when reducing the retention period for media
containing completed low-value transactions is that the retention period complies with data owner
responsibilities. Data owners are accountable for defining the retention and disposal requirements for
the data under their custody, based on business, legal, regulatory, and contractual obligations. The
policy should reflect the data owner’s decisions and obtain their approval. The policy should also
include a risk-based approach, but this is not as important as complying with data owner
responsibilities. The retention period should allow for review during the year-end audit, but this may
not be necessary for low-value transactions that have minimal impact on financial reporting. The total
transaction amount may have some impact on financial reporting, but this is not a direct consequence
of reducing the retention period.
References:
CISA Review Manual, 27th Edition, pages 414-415
CISA Review Questions, Answers & Explanations Database, Question ID: 255
65.An IS auditor is providing input to an RFP to acquire a financial application system.
Which of the following is MOST important for the auditor to recommend?
A. The application should meet the organization's requirements.
B. Audit trails should be included in the design.
C. Potential suppliers should have experience in the relevant area.
D. Vendor employee background checks should be conducted regularly.
Answer: B
Explanation:
This is because audit trails are records of system activity and user actions that can provide evidence
of the validity and integrity of transactions and data in a financial application system. Audit trails can
help to ensure compliance with laws, regulations, policies, and standards, as well as to detect and
prevent fraud, errors, or misuse of information. Audit trails can also facilitate auditing, monitoring, and
evaluation of the financial application system’s performance and controls.
The application should meet the organization’s requirements (A) is not the best answer, because it is
a general and obvious criterion that applies to any application system acquisition, not a specific and
important recommendation for a financial application system. The organization’s requirements should
be clearly defined and documented in the RFP, but they may not necessarily include audit trails as a
design feature.
Potential suppliers should have experience in the relevant area (C) is not the best answer, because it is
a factor that affects the selection of the supplier, not the design of the financial application system.
The experience and reputation of potential suppliers should be evaluated and verified during the RFP
process, but they may not guarantee that the supplier will include audit trails in the design.
Vendor employee background checks should be conducted regularly (D) is not the best answer,
because it is a measure that affects the security and trustworthiness of the vendor, not the design of
the financial application system. Vendor employee background checks should be performed as part of
the vendor management and due diligence process, but they may not ensure that the vendor will
include audit trails in the design.

66.Which of the following should be performed FIRST before key performance indicators (KPIs) can
be implemented?
A. Analysis of industry benchmarks
B. Identification of organizational goals
C. Analysis of quantitative benefits
D. Implementation of a balanced scorecard
Answer: B
Explanation:
The first thing that should be performed before key performance indicators (KPIs) can be
implemented is the identification of organizational goals. This is because KPIs are measurable values
that demonstrate how effectively an organization is achieving its key business objectives. Therefore,
it is necessary that the organization defines its goals clearly and aligns them with its vision, mission,
and strategy. By identifying its goals, the organization can then determine what KPIs are relevant and
meaningful to measure its progress and performance.
References:
CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.3: Benefits Realization, page 77
CISA Online Review Course, Module 2: Governance and Management of IT, Lesson 2.3: Benefits Realization
ISACA Journal Volume 1, 2020, Article: How to Measure Anything in IT Governance

67.Which of the following BEST helps data loss prevention (DLP) tools detect movement of sensitive
data in transit?
A. Network traffic logs
B. Deep packet inspection
C. Data inventory
D. Proprietary encryption
Answer: B
Explanation:
Deep packet inspection (DPI) is a core capability of data loss prevention (DLP) tools that allows the
analysis of the content of data packets in transit. This helps detect the unauthorized movement of
sensitive data by examining packet-level details.
Network Traffic Logs (Option A): These provide historical data but do not actively detect data in
transit.
Data Inventory (Option C): Useful for identifying where sensitive data resides but not for monitoring its
movement.
Proprietary Encryption (Option D): Protects data but does not detect unauthorized transmission.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

68.Which of the following is the PRIMARY reason to follow a configuration management process to
maintain applications?
A. To optimize system resources
B. To follow system hardening standards
C. To optimize asset management workflows
D. To ensure proper change control
Answer: D
Explanation:
Following a configuration management process to maintain applications is the primary reason for
ensuring proper change control. Configuration management is a process of identifying, documenting,
controlling, and verifying the configuration items and their interrelationships within an IT system or
environment. Following a configuration management process can help to ensure that any changes to
the applications are authorized, tested, documented, and tracked throughout their lifecycle. This will
help to prevent unauthorized or improper changes that could affect the functionality, performance, or
security of the applications. The other options are not the primary reasons for following a
configuration management process, but rather possible benefits or outcomes of doing so.
References:
CISA Review Manual (Digital Version), Chapter 4, Section 4.3.3
CISA Review Questions, Answers & Explanations Database, Question ID 225

69.Which of the following is the BEST indicator that a third-party vendor adheres to the controls
required by the organization?
A. Review of monthly performance reports submitted by the vendor
B. Certifications maintained by the vendor
C. Regular independent assessment of the vendor
D. Substantive log file review of the vendor's system
Answer: C

70.Which of the following is a social engineering attack method?
A. An unauthorized person attempts to gain access to secure premises by following an authorized
person through a secure door.
B. An employee is induced to reveal confidential IP addresses and passwords by answering
questions over the phone.
C. A hacker walks around an office building using scanning tools to search for a wireless network to
gain access.
D. An intruder eavesdrops and collects sensitive information flowing through the network and sells it
to third parties.
Answer: B
Explanation:
An employee is induced to reveal confidential IP addresses and passwords by answering questions
over the phone. This is a social engineering attack method that exploits the trust or curiosity of the
employee to obtain sensitive information that can be used to access or compromise the network.
Social engineering is a technique that uses psychological manipulation to trick users into making
security mistakes or giving away sensitive information. Phishing, whaling, baiting, and pretexting are
some of the common forms of social engineering attacks. Social engineering attacks are often more
effective and profitable than purely technical attacks, as they rely on human error rather than system
vulnerabilities.

71.Which of the following BEST indicates that the effectiveness of an organization's security
awareness program has improved?
A. A decrease in the number of information security audit findings
B. An increase in the number of staff who complete awareness training
C. An increase in the number of phishing emails reported by employees
D. A decrease in the number of malware outbreaks
Answer: C
Explanation:
The effectiveness of an organization’s security awareness program can be measured by capturing
data on changes in the way people react to threats, such as the ability to recognize and avoid social
engineering attacks. An increase in the number of phishing emails reported by employees indicates
that they are more aware of the signs and risks of phishing, and are more likely to take appropriate
actions to prevent or mitigate the impact of such attacks.
References:
The Importance Of Measuring Security Awareness
Measuring the effectiveness of your security awareness program
How effective is security awareness training?

72.When reviewing an IT strategic plan, the GREATEST concern would be that
A. an IT strategy committee has not been created
B. the plan does not support relevant organizational goals.
C. there are no key performance indicators (KPIs).
D. the plan was not formally approved by the board of directors
Answer: B
Explanation:
The greatest concern when reviewing an IT strategic plan is B, the plan does not support relevant
organizational goals. This is because an IT strategic plan should align and integrate the IT goals and
objectives with the organization’s overall strategy and vision, and ensure that IT supports and
enables the business processes and functions.
If the IT strategic plan does not support relevant organizational goals, it may lead to:
Suboptimal or negative outcomes and value for the organization, as IT investments and initiatives
may not align with the organization’s priorities, needs, or expectations.
Conflicts or inconsistencies between IT and business functions, as IT may not deliver the expected
level of service, quality, or performance.
Wasted or inefficient use of resources, as IT may spend time, money, or effort on projects or activities
that are not relevant or beneficial for the organization.

73.Which of the following is MOST likely to be a project deliverable of an agile software development
methodology?
A. Strictly managed software requirements baselines
B. Extensive project documentation
C. Automated software programming routines
D. Rapidly created working prototypes
Answer: D
Explanation:
A project deliverable is a tangible or intangible product or service that is produced as a result of a
project and delivered to the customer or stakeholder. A project deliverable can be either an
intermediate deliverable that is part of the project process or a final deliverable that is the outcome of
the project.
An agile software development methodology is a project management approach that involves
breaking the project into phases and emphasizes continuous collaboration and improvement. Teams
follow a cycle of planning, executing, and evaluating. Agile software development methodologies
value working software over comprehensive documentation and respond to change over following a
plan.
Rapidly created working prototypes are most likely to be a project deliverable of an agile software
development methodology because they:
Provide early and frequent feedback from customers and stakeholders on the functionality and
usability of the software product
Allow for rapid validation and verification of the software requirements and design
Enable continuous improvement and adaptation of the software product based on changing customer
needs and expectations
Reduce the risk of delivering a software product that does not meet customer needs or expectations
Increase customer satisfaction and trust by delivering working software products frequently and
consistently
Some examples of agile software development methodologies that use rapidly created working
prototypes as project deliverables are:
Scrum - a framework that organizes the work into fixed-length sprints (usually 2-4 weeks) and delivers
potentially shippable increments of the software product at the end of each sprint
Extreme Programming (XP) - a methodology that focuses on delivering high-quality software products
through practices such as test-driven development, pair programming, continuous integration, and
frequent releases
Rapid Application Development (RAD) - a methodology that emphasizes rapid prototyping and user
involvement throughout the software development process
The other options are not likely to be project deliverables of an agile software development
methodology.
Strictly managed software requirements baselines are not likely to be project deliverables of an agile
software development methodology. A software requirements baseline is a set of agreed-upon and
approved software requirements that serve as the basis for the software design, development,
testing, and delivery. A strictly managed software requirements baseline is a software requirements
baseline that is controlled and changed only through a formal change management process. Strictly
managed software requirements baselines are more suitable for traditional or waterfall software
development methodologies that follow a linear and sequential process of defining, designing,
developing, testing, and delivering software products. Strictly managed software requirements
baselines are not compatible with agile software development methodologies that embrace change
and flexibility in the software requirements based on customer feedback and evolving needs.
Extensive project documentation is not likely to be project deliverables of an agile software
development methodology. Project documentation is any written or electronic information that
describes or records the activities, processes, results, or decisions of a project. Extensive project
documentation is project documentation that covers every aspect of the project in detail and requires
significant time and effort to produce and maintain. Extensive project documentation is more suitable
for traditional or waterfall software development methodologies that rely on comprehensive
documentation to communicate and document the project scope, requirements, design, testing, and
delivery. Extensive project documentation is not compatible with agile software development
methodologies that value working software over comprehensive documentation and use minimal
documentation to support the communication and collaboration among the project team members.
Automated software programming routines are not likely to be project deliverables of an agile
software development methodology. Automated software programming routines are programs or
scripts that perform repetitive or complex tasks in the software development process without human
intervention. Automated software programming routines can improve the efficiency, quality, and
consistency of the software development process by reducing human errors, saving time, and
enforcing standards. Automated software programming routines can be used in any software
development methodology, but they are not specific to agile software development methodologies.
Automated software programming routines are not considered as project deliverables because they
are not part of the final product that is delivered to the customer.

74.Which of the following would be MOST useful to an IS auditor when making recommendations to
enable continual improvement of IT processes over time?
A. IT incident log
B. Benchmarking studies
C. Maturity model
D. IT risk register
Answer: C

75.Which of the following control measures is the MOST effective against unauthorized access of
confidential information on stolen or lost laptops?
A. Remote wipe capabilities
B. Disk encryption
C. User awareness
D. Password-protected files
Answer: B
Explanation:
Comprehensive and Detailed Step-by-Step
The best protection for a stolen laptop is full disk encryption, which prevents unauthorized access
even if the device is lost.
Option A (Incorrect): Remote wipe capabilities are useful, but they require an internet connection to
function, which is not always available when a device is stolen.
Option B (Correct): Full disk encryption (FDE) ensures that data remains unreadable without the
correct decryption key, even if the hard drive is removed.
Option C (Incorrect): User awareness is helpful, but it does not physically secure data on a lost
device.
Option D (Incorrect): Password-protected files can be bypassed by copying them to another system,
making them an inadequate security measure.
Reference: ISACA CISA Review Manual, Domain 5: Protection of Information Assets, which covers
encryption, data security, and endpoint protection.

76.Which of the following occurs during the issues management process for a system development
project?
A. Contingency planning
B. Configuration management
C. Help desk management
D. Impact assessment
Answer: D
Explanation:
Impact assessment is an activity that occurs during the issues management process for a system
development project. Issues management is a process of identifying, analyzing, resolving, and
monitoring issues that may affect the project scope, schedule, budget, or quality. Impact assessment
is a technique of evaluating the severity and priority of an issue, as well as its implications for the
project objectives and deliverables. The other options are not activities that occur during the issues
management process, but rather related to other processes such as contingency planning,
configuration management, or help desk management.
References:
CISA Review Manual (Digital Version), Chapter 4, Section 4.3.3
CISA Review Questions, Answers & Explanations Database, Question ID 217

77.Which of the following findings would be of GREATEST concern to an IS auditor assessing an
organization's patch management process?
A. The organization's software inventory is not complete.
B. Applications frequently need to be rebooted for patches to take effect.
C. Software vendors are bundling patches.
D. Testing patches takes significant time.
Answer: A
Explanation:
The organization’s software inventory is not complete. This finding would be of greatest concern to
an IS auditor assessing an organization’s patch management process because:
A software inventory is a list of all the software assets that an organization owns, uses, or manages.
A software inventory is essential for effective patch management, as it helps identify the software that
needs to be updated, the patches that are available, and the dependencies and compatibility issues
that may arise. Without a complete software inventory, an organization may miss some critical
patches, expose itself to security risks, and waste resources on unnecessary or redundant patches.
Applications frequently need to be rebooted for patches to take effect. This finding would be of
moderate concern to an IS auditor assessing an organization’s patch management process because:
Rebooting applications for patches to take effect is a common and expected practice in some cases,
especially for operating system or kernel patches. However, frequent reboots may indicate that the
organization is not applying patches in a timely or efficient manner, or that the patches are not well-
designed or tested. Frequent reboots may also cause disruption to the business operations and user
experience, and increase the risk of data loss or corruption.
Software vendors are bundling patches. This finding would be of low concern to an IS auditor
assessing an organization’s patch management process because:
Bundling patches is a practice where software vendors combine multiple patches into a single
package or update. Bundling patches can have some advantages, such as reducing the number of
downloads and installations, simplifying the patch management process, and ensuring consistency
and compatibility among patches. However, bundling patches can also have some disadvantages,
such as increasing the size and complexity of the updates, delaying the delivery of critical patches,
and introducing new bugs or vulnerabilities.
Testing patches takes significant time. This finding would be of low concern to an IS auditor
assessing an organization’s patch management process because:
Testing patches is a vital step in the patch management process, as it helps ensure that the patches
are functional, secure, and compatible with the existing software and hardware environment. Testing
patches can take significant time, depending on the scope, complexity, and frequency of the patches.
However, testing patches is a necessary investment to avoid potential problems or failures that could
result from applying untested or faulty patches.
References:
Best practices for patch management
Server Patch Management: Best Practices and Tools
11 Key Steps of the Patch Management Process

78.An IS auditor is supporting a forensic investigation. An image of affected storage media has been
captured while collecting digital forensic evidence.
Which of the following techniques would BEST enable an IS auditor to verify that the captured image
is an exact, unchanged replica of the original media?
A. Hash value
B. Access control list
C. File allocation table
D. Size of the file
Answer: A

79.Which of the following is found in an audit charter?
A. The process of developing the annual audit plan
B. The authority given to the audit function
C. Required training for audit staff
D. Audit objectives and scope
Answer: B
Explanation:
The authority given to the audit function is one of the components that is found in an audit charter.
According to the IIA, the audit charter is a formal document that defines internal audit’s purpose,
authority, responsibility and position within the organization. The authority given to the audit function
includes the scope of its activities, the access to records, personnel and physical properties relevant
to its work, and the independence and objectivity of its staff. The authority given to the audit function
helps to ensure that internal auditors can perform their duties effectively and efficiently, and that they
can provide assurance and consulting services that add value and improve the organization’s
operations.
The other options are not found in an audit charter. The process of developing the annual audit plan
is not part of the audit charter, but rather a separate document that outlines the methodology,
criteria and resources for selecting and prioritizing audit engagements based on a risk assessment.
Required training for audit staff is not part of the audit charter, but rather a component of the quality
assurance and improvement program that evaluates the competence and performance of internal
auditors and provides them with opportunities for professional development. Audit objectives and
scope are not part of the audit charter, but rather specific elements of each individual audit
engagement that define the expected outcomes and the boundaries of the audit work.

80.Which of the following would be of GREATEST concern to an IS auditor reviewing the feasibility
study for a new application system?
A. Security requirements have not been defined.
B. Conditions under which the system will operate are unclear.
C. The business case does not include well-defined strategic benefits.
D. System requirements and expectations have not been clarified.
Answer: D

81.Which of the following is the MOST effective control when granting access to a service provider for
a cloud-based application?
A. Administrator access is provided for a limited period with an expiration date.
B. Access has been provided on a need-to-know basis.
C. User IDs are deleted when work is completed.
D. Access is provided to correspond with the service level agreement (SLA).
Answer: B
Explanation:
Granting access on a need-to-know basis ensures that a service provider only has the permissions
necessary to perform their specific tasks. This principle minimizes the risk of unauthorized access or
accidental misuse of the system by restricting access to essential areas only. It aligns with the least
privilege principle, a cornerstone of effective access control.
Limited Administrator Access with Expiration (Option A): This is helpful but does not ensure that the
access granted aligns with the specific job requirements.
Deleting User IDs After Completion (Option C): This is a good practice but applies after the task, not
during access.
Access Corresponding to the SLA (Option D): While important, this focuses on timeframes and does
not restrict permissions effectively.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

82.An organization's security team created a simulated production environment with multiple
vulnerable applications.
What would be the PRIMARY purpose of creating such an environment?
A. To test the intrusion detection system (IDS)
B. To provide training to security managers
C. To collect digital evidence of cyberattacks
D. To attract attackers in order to study their behavior
Answer: D
Explanation:
The primary purpose of creating a simulated production environment with multiple vulnerable
applications is D, to attract attackers in order to study their behavior. This is also known as a
honeypot, which is a decoy system that mimics a real target and lures attackers into revealing their
techniques, tools, and motives. A honeypot can help the organization’s security team to improve
their defense strategies, identify new threats, and collect digital evidence of cyberattacks.

83.Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an
organization that recently experienced a ransomware attack?
A. Antivirus software was unable to prevent the attack even though it was properly updated
B. The most recent security patches were not tested prior to implementation
C. Backups were only performed within the local network
D. Employees were not trained on cybersecurity policies and procedures
Answer: C
Explanation:
The greatest concern to an IS auditor conducting an audit of an organization that recently
experienced a ransomware attack is that backups were only performed within the local network. This
means that the backups could have been encrypted or deleted by the ransomware, making it
impossible to restore the data and systems without paying the ransom or losing the data. Backups are
a critical part of the recovery process from a ransomware attack, and they should be performed
frequently, securely, and off-site or in the cloud to ensure their availability and integrity.
The other options are not as concerning as option C, although they may also indicate some security
weaknesses. Antivirus software was unable to prevent the attack even though it was properly
updated, but this is not surprising given that ransomware variants are constantly evolving and
antivirus software may not be able to detect them all. The most recent security patches were not
tested prior to implementation, but this is a trade-off between security and availability that may be
justified depending on the severity and urgency of the patches. Employees were not trained on
cybersecurity policies and procedures, but this is a preventive measure that may not have prevented
the attack if it was initiated by other means such as phishing or exploiting vulnerabilities.
References:
Infrastructure-as-a-Service Security Responsibilities - CloudTweaks
3 steps to prevent and recover from ransomware | Microsoft Security Blog
How to Recover From a Ransomware Attack - eSecurityPlanet

84.An IS auditor has been tasked with analyzing an organization's capital expenditures against its
repair and maintenance costs.
Which of the following is the BEST reason to use a data analytics tool for this purpose?
A. It reduces the error rate.
B. It improves the reliability of the data.
C. It enables the auditor to work with 100% of the transactions.
D. It reduces the sample size required to perform the audit.
Answer: C

85.An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators
(KPIs)
Which of the following findings should be of MOST concern to the auditor?
A. KPI data is not being analyzed
B. KPIs are not clearly defined
C. Some KPIs are not documented
D. KPIs have never been updated
Answer: B
Explanation:
KPIs are not clearly defined is the most concerning finding for an IS auditor, because it implies that
the third-party vendor does not have a clear understanding of what constitutes success or failure in
their performance. This can lead to inaccurate or misleading reporting, poor decision making, and
lack of accountability. KPIs should be SMART (specific, measurable, achievable, relevant, and time-
bound) and aligned with the business objectives and expectations of the stakeholders.
References:
CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2
CISA Online Review Course, Module 5, Lesson 3

86.Which of the following would be MOST helpful to an IS auditor performing a risk assessment of an
application programming interface (API) that feeds credit scores from a well-known commercial credit
agency into an organizational system?
A. A data dictionary of the transferred data
B. A technical design document for the interface configuration
C. The most recent audit report from the credit agency
D. The approved business case for the API
Answer: B

87.Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy
document?
A. The previous year’s IT strategic goals were not achieved.
B. Target architecture is defined at a technical level.
C. Financial estimates of new initiatives are disclosed within the document.
D. Strategic IT goals are derived solely from the latest market trends.
Answer: D
Explanation:
Comprehensive and Detailed Step-by-Step
An IT strategy must be aligned with business objectives, not solely based on market trends.
Strategic IT Goals Derived Solely from Market Trends (Correct Answer: D)
IT strategy should support organizational goals, not just follow industry trends.
Example: A company investing in AI just because it’s trendy, without considering business needs.
Previous Year’s IT Goals Not Achieved (Incorrect: A)
A concern, but does not indicate a fundamental strategy flaw.
Target Architecture Defined at a Technical Level (Incorrect: B)
Technical details are important for implementation.
Financial Estimates Included (Incorrect: C)
Cost transparency is a good practice.
References:
ISACA CISA Review Manual
COBIT 2019 (IT Governance)

88.Which of the following should be of GREATEST concern to an IS auditor assessing an
organization's patch management program?
A. Patches are deployed from multiple deployment servers.
B. There is no process in place to scan the network to identify missing patches.
C. Patches for medium- and low-risk vulnerabilities are omitted.
D. There is no process in place to quarantine servers that have not been patched.
Answer: B

89.When an intrusion into an organization network is detected, which of the following should be done
FIRST?
A. Block all compromised network nodes.
B. Contact law enforcement.
C. Notify senior management.
D. Identify nodes that have been compromised.
Answer: D
Explanation:
The first thing that should be done when an intrusion into an organization network is detected is to
identify nodes that have been compromised. Identifying nodes that have been compromised is a
critical step in responding to an intrusion, as it helps determine the scope, impact, and source of the
attack, and enables the implementation of appropriate containment and recovery measures. The
other options are not the first things that should be done when an intrusion into an organization
network is detected, as they may be premature or ineffective without identifying nodes that have been
compromised. Blocking all compromised network nodes is a containment measure that can help
isolate and prevent the spread of the attack, but it may not be possible or feasible without identifying
nodes that have been compromised. Contacting law enforcement is a reporting measure that can
help seek external assistance and comply with legal obligations, but it may not be necessary or
appropriate without identifying nodes that have been compromised. Notifying senior management is a
communication measure that can help inform and escalate the incident, but it may not be urgent or
accurate without identifying nodes that have been compromised.
References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2

90.Which of the following should be used as the PRIMARY basis for prioritizing IT projects and
initiatives?
A. Estimated cost and time
B. Level of risk reduction
C. Expected business value
D. Available resources
Answer: C

91.An organization is migrating its HR application to an Infrastructure as a Service (IaaS) model in a
private cloud.
Who is PRIMARILY responsible for the security configurations of the deployed application's operating
system?
A. The cloud provider's external auditor
B. The cloud provider
C. The operating system vendor
D. The organization
Answer: D
Explanation:
The organization is primarily responsible for the security configurations of the deployed application’s
operating system when migrating its HR application to an Infrastructure as a Service (IaaS) model in
a private cloud. This is because in an IaaS model, the cloud provider is responsible for the security of
the underlying infrastructure that they lease to their customers, such as servers, storage, and
networks, while the customer is responsible for the security of the areas of the cloud infrastructure
over which they have control, such as operating systems, middleware, and applications. Therefore,
the organization needs to ensure that the operating system is properly configured, patched,
hardened, and monitored to protect the HR application from unauthorized access or malicious
attacks.
The other options are not primarily responsible for the security configurations of the deployed
application’s operating system. The cloud provider’s external auditor is not responsible for any
security configurations, but rather for verifying and reporting on the cloud provider’s compliance with
relevant standards and regulations. The cloud provider is responsible for the security of the
underlying infrastructure, but not for the operating system or any software installed on it by the
customer. The operating system vendor is responsible for providing updates and patches for the
operating system, but not for configuring or securing it according to the customer’s needs.
References:
What Is IaaS (Infrastructure As A Service)? - Forbes
What is Shared Responsibility Model? - Check Point Software
Who Is Responsible for Cloud Security? - Security Intelligence

92.An IS auditor discovers a box of hard drives in a secured location that are overdue for physical
destruction. The vendor responsible for this task was never made aware of these hard drives.
Which of the following is the BEST course of action to address this issue?
A. Examine the workflow to identify gaps in asset-handling responsibilities.
B. Escalate the finding to the asset owner for remediation.
C. Recommend the drives be sent to the vendor for destruction.
D. Evaluate the corporate asset-handling policy for potential gaps.
Answer: A
Explanation:
The issue seems to stem from a breakdown in the workflow or process for handling assets that are
due for destruction. By examining the workflow, the IS auditor can identify where the process failed,
such as why the vendor was not notified about the hard drives. This could involve reviewing
procedures for inventory management, communication with vendors, and tracking of assets due for
destruction. The findings can then be used to improve the workflow and prevent similar issues in
the future.
References:
How To Properly Destroy A Hard Drive - Tech News Today
How to safely and securely destroy hard disk data - iFixit

93.Following a merger, a review of an international organization determines the IT steering
committee's decisions do not extend to regional offices as required in the consolidated IT operating
model.
Which of the following is the IS auditor's BEST recommendation?
A. Create regional centers of excellence.
B. Engage an IT governance consultant.
C. Create regional IT steering committees.
D. Update the IT steering committee's formal charter.
Answer: D

94.Which of the following would provide the BEST evidence of an IT strategy correction's
effectiveness?
A. The minutes from the IT strategy committee meetings
B. Synchronization of IT activities with corporate objectives
C. The IT strategy committee charter
D. Business unit satisfaction survey results
Answer: B
Explanation:
The best evidence of an IT strategy correction’s effectiveness is the synchronization of IT activities
with corporate objectives. The IT strategy correction is a process of reviewing and adjusting the IT
strategy to ensure that it aligns with and supports the corporate strategy and objectives. The
synchronization of IT activities with corporate objectives means that the IT activities are consistent
with and contribute to the achievement of the corporate goals and vision. The IS auditor can measure
and evaluate the IT strategy correction’s effectiveness by comparing the IT activities with the
corporate objectives, and assessing whether they are aligned, integrated, and coordinated. The other
options are not as good evidence of an IT strategy correction’s effectiveness, because they either do
not reflect the alignment of IT and business, or they are inputs or outputs of the IT strategy correction
process rather than outcomes or results.
References: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.1

95.A new regulation in one country of a global organization has recently prohibited cross-border
transfer of personal data. An IS auditor has been asked to determine the organization's level of
exposure in the affected country.
Which of the following would be MOST helpful in making this assessment?
A. Developing an inventory of all business entities that exchange personal data with the affected
jurisdiction
B. Identifying data security threats in the affected jurisdiction
C. Reviewing data classification procedures associated with the affected jurisdiction
D. Identifying business processes associated with personal data exchange with the affected
jurisdiction
Answer: D
Explanation:
Identifying business processes associated with personal data exchange with the affected jurisdiction
is the most helpful activity in making an assessment of the organization’s level of exposure in the
affected country. An IS auditor should understand how the organization’s business operations and
functions rely on or involve the cross-border transfer of personal data, as well as the potential impacts
and risks of the new regulation on the business continuity and compliance. The other options are less
helpful activities that may provide additional information or context for the assessment, but not its
primary focus.
References:
CISA Review Manual (Digital Version), Chapter 7, Section 7.4.21
CISA Review Questions, Answers & Explanations Database, Question ID 221

96.The use of which of the following is an inherent risk in the application container infrastructure?
A. Shared registries
B. Host operating system
C. Shared data
D. Shared kernel
Answer: D
Explanation:
Application containers are a form of operating system virtualization that share the same kernel as the
host operating system. This means that any vulnerability or compromise in the kernel can affect all
the containers running on the same host, as well as the host itself. Additionally, containers may have
privileged access to the kernel resources and functions, which can pose a risk of unauthorized or
malicious actions by the container processes. Therefore, securing the kernel is a critical aspect of
application container security.
Shared registries (option A) are not an inherent risk in the application container infrastructure, but
they are a potential risk that depends on how they are configured and managed. Shared registries are
repositories that store and distribute container images. They can be public or private, and they can
have different levels of security and access controls. Shared registries can pose a risk of exposing
sensitive data, distributing malicious or vulnerable images, or allowing unauthorized access to
images. However, these risks can be mitigated by using secure connections, authentication and
authorization mechanisms, image signing and scanning, and encryption.
Host operating system (option B) is not an inherent risk in the application container infrastructure, but
it is a potential risk that depends on how it is configured and maintained. Host operating system is the
underlying platform that runs the application containers and provides them with the necessary
resources and services. Host operating system can pose a risk of exposing vulnerabilities,
misconfigurations, or malware that can affect the containers or the host itself. However, these risks
can be mitigated by using minimal and hardened operating systems, applying patches and updates,
enforcing security policies and controls, and isolating and monitoring the host.
Shared data (option C) is not an inherent risk in the application container infrastructure, but it is a
potential risk that depends on how it is stored and accessed. Shared data is the information that is
used or generated by the application containers and that may be shared among them or with external
entities. Shared data can pose a risk of leaking confidential or sensitive data, corrupting or losing data
integrity, or violating data privacy or compliance requirements. However, these risks can be mitigated
by using secure storage solutions, encryption and decryption mechanisms, access control and
auditing policies, and backup and recovery procedures.
Therefore, option D is the correct answer.
References:
Application Container Security Guide | NIST
CSA for a Secure Application Container Architecture
Application Container Security: Risks and Countermeasures
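As an added example (not from the CISA material or the guides cited above), the check below flags the run-time settings that widen the shared-kernel exposure the explanation describes: privileged mode, the host PID namespace, added kernel capabilities, a disabled seccomp profile, and bind mounts of sensitive host paths. The input records are constructed and only modelled on the HostConfig section of `docker inspect` output; nothing here talks to a container runtime.

```python
"""Flag container run-time settings that widen the shared-kernel exposure.

Added example, not from the CISA material. The records below are constructed
and modelled on the HostConfig section of `docker inspect` output; nothing
here talks to a container runtime.
"""
from dataclasses import dataclass

# Linux capabilities that give a container broad control over kernel facilities.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
                  "NET_ADMIN", "DAC_READ_SEARCH"}
# Host paths whose bind-mounting exposes the kernel, devices or the runtime socket.
SENSITIVE_HOST_PATHS = ("/", "/proc", "/sys", "/dev", "/boot", "/var/run/docker.sock")


@dataclass
class Finding:
    container: str
    severity: str  # "high" or "medium"
    message: str


def _normalize_cap(cap: str) -> str:
    """Accept both 'SYS_ADMIN' and 'CAP_SYS_ADMIN' spellings."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _sensitive_mount(src: str) -> bool:
    if src in SENSITIVE_HOST_PATHS:
        return True
    return any(src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_host_config(name: str, cfg: dict) -> list:
    """Return the findings for one container's HostConfig-style dictionary."""
    findings = []
    if cfg.get("Privileged"):
        findings.append(Finding(name, "high",
                        "Privileged: every capability and host device on the shared kernel"))
    if cfg.get("PidMode") == "host":
        findings.append(Finding(name, "high",
                        "PidMode=host: container can see and signal host processes"))
    if cfg.get("NetworkMode") == "host":
        findings.append(Finding(name, "medium", "NetworkMode=host: shares the host network stack"))
    caps = {_normalize_cap(c) for c in (cfg.get("CapAdd") or [])}
    for cap in sorted(caps & DANGEROUS_CAPS):
        findings.append(Finding(name, "high", f"CapAdd {cap}: broad kernel privilege"))
    # SecurityOpt entries appear as "key=value" or "key:value" depending on the tool.
    opts = [o.replace(":", "=", 1) for o in (cfg.get("SecurityOpt") or [])]
    if "seccomp=unconfined" in opts:
        findings.append(Finding(name, "high", "seccomp disabled: full syscall surface reachable"))
    if "apparmor=unconfined" in opts:
        findings.append(Finding(name, "medium", "AppArmor disabled for this container"))
    for bind in cfg.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if _sensitive_mount(src):
            findings.append(Finding(name, "high", f"bind mount of {src} exposes the host"))
    return findings


def audit_all(containers: dict) -> dict:
    """Map container name -> findings, for a {name: HostConfig} dictionary."""
    return {name: audit_host_config(name, cfg) for name, cfg in containers.items()}


# Constructed sample: one hardened service and two that widen the kernel exposure.
SAMPLE_CONTAINERS = {
    "hr-web": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
               "CapAdd": None, "CapDrop": ["ALL"], "ReadonlyRootfs": True,
               "SecurityOpt": ["no-new-privileges:true"],
               "Binds": ["/srv/hr/static:/usr/share/nginx/html:ro"]},
    "ci-runner": {"Privileged": True, "PidMode": "", "NetworkMode": "bridge",
                  "CapAdd": None, "SecurityOpt": None,
                  "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
    "monitoring-agent": {"Privileged": False, "PidMode": "host", "NetworkMode": "bridge",
                         "CapAdd": ["CAP_SYS_PTRACE"], "SecurityOpt": ["seccomp=unconfined"],
                         "Binds": ["/proc:/host/proc:ro"]},
}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_CONTAINERS).items():
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.message}")
```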

97.Which of the following biometric access controls has the HIGHEST rate of false negatives?
A. Iris recognition
B. Fingerprint scanning
C. Face recognition
D. Retina scanning
Answer: B
Explanation:
Among the options provided, fingerprint scanning has the highest rate of false negatives. False
negatives occur when a biometric system fails to recognize an authentic individual. Factors such as
skin conditions (wet, dry, greasy), finger injuries, and inadequate scanning can contribute to false
negatives in fingerprint scanning. In comparison, iris recognition, face recognition, and retina
scanning generally have lower rates of false negatives.
References:
How Accurate are today’s Fingerprint Scanners? - Bayometric
25 Advantages and Disadvantages of Iris Recognition - Biometric Today
Iris Recognition Technology (or, Musings While Going through Airport …
The Critics Were Wrong: NIST Data Shows the Best Facial Recognition Algorithms Are Neither Racist
Nor Sexist | ITIF
NIST Launches Studies into Masks’ Effect on Face Recognition Software
Retinal scan - Wikipedia
How accurate are retinal security scans - Smart Eye Technology

98.In an organization's feasibility study to acquire hardware to support a new web server, omission of
which of the following would be of MOST concern?
A. Alternatives for financing the acquisition
B. Financial stability of potential vendors
C. Reputation of potential vendors
D. Cost-benefit analysis of available products
Answer: D
Explanation:
The most important part of a feasibility study is the economics. A cost-benefit analysis of available
products is crucial as it helps to understand the economic viability of the project. It compares the
costs of the project with the benefits it is expected to deliver, which is essential for making informed
decisions. Omitting this could lead to investments in hardware that may not provide the expected
returns or meet the organization’s needs.
References:
The Components of a Feasibility Study - ProjectEngineer

99.Which of the following BEST reflects a mature strategic planning process?
A. Action plans with IT requirements built into all projects
B. An IT strategic plan with specifications of controls and safeguards
C. An IT strategic plan that supports the corporate strategy
D. IT projects from the strategic plan are approved by management
Answer: C

100.An IS auditor engaged in developing the annual internal audit plan learns that the chief
information officer (CIO) has requested there be no IS audits in the upcoming year as more time is
needed to address a large number of recommendations from the previous year.
Which of the following should the auditor do FIRST?
A. Escalate to audit management to discuss the audit plan
B. Notify the chief operating officer (COO) and discuss the audit plan risks
C. Exclude IS audits from the upcoming year's plan
D. Increase the number of IS audits in the plan
Answer: A
Explanation:
The auditor should first escalate to audit management to discuss the audit plan. This is because the
audit plan should be based on a risk assessment and aligned with the organization’s objectives and
strategies. The auditor should not accept the CIO’s request without proper justification and approval
from the audit management, who are responsible for ensuring the audit plan’s quality and
independence. The auditor should also communicate the potential risks and implications of not
conducting IS audits in the upcoming year, such as missing new or emerging threats, vulnerabilities,
or compliance issues.
References:
CISA Review Manual (Digital Version), Chapter 2, Section 2.11
CISA Online Review Course, Domain 1, Module 1, Lesson 22

101.An IS auditor is reviewing processes for importing market price data from external data providers.
Which of the following findings should the auditor consider MOST critical?
A. Imported data is not disposed of frequently.
B. The transfer protocol is not encrypted.
C. The transfer protocol does not require authentication.
D. The quality of the data is not monitored.
Answer: D

102.Which of the following provides the BEST evidence that outsourced provider services are being
properly managed?
A. Adequate action is taken for noncompliance with the service level agreement (SLA).
B. The service level agreement (SLA) includes penalties for non-performance.
C. Internal performance standards align with corporate strategy.
D. The vendor provides historical data to demonstrate its performance.
Answer: A

103.Which of the following is the BEST indicator of the effectiveness of signature-based intrusion
detection systems (IDS)?
A. An increase in the number of identified false positives
B. An increase in the number of detected incidents not previously identified
C. An increase in the number of unfamiliar sources of intruders
D. An increase in the number of internally reported critical incidents
Answer: B
Explanation:
Signature-based intrusion detection systems (IDS) are systems that compare network traffic with
predefined patterns of known attacks, called signatures. The effectiveness of signature-based IDS
depends on how well they can detect new or unknown attacks that are not in their signature
database. Therefore, an increase in the number of detected incidents not previously identified is the
best indicator of the effectiveness of signature-based IDS, as it shows that they can recognize novel
or modified attacks.
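The indicator the explanation names, detected incidents not previously identified, can be measured by running the previous and the updated signature sets over the same traffic and comparing what each catches. Below is an added example (not from the CISA material) that does this over constructed web-server log lines with constructed ground-truth labels; the signature patterns are illustrative and not a real IDS ruleset.

```python
"""Signature-based detection over constructed web-server log lines, with the
metrics an auditor would compare before and after a signature update.

Added example, not from the CISA material or any IDS product. The log lines,
their ground-truth labels and the signature sets are all constructed.
"""
import re
from urllib.parse import unquote_plus

# Constructed request log: (request line, ground truth) pairs.
LOG_LINES = [
    ("GET /index.html", "benign"),
    ("GET /search?q=union+select+committee", "benign"),          # looks like SQLi, is not
    ("GET /item?id=1+union+select+user,pass+from+users", "attack"),
    ("GET /files?name=../../etc/passwd", "attack"),
    ("GET /login?user=admin'+or+1=1+--", "attack"),              # no v1 signature for this class
    ("GET /ping?host=127.0.0.1;cat+/etc/passwd", "attack"),      # no v1 signature for this class
    ("GET /item?id=1+UNION/**/SELECT+1,2", "attack"),            # comment-obfuscated variant
    ("POST /api/report?period=2024-Q1", "benign"),
]

# Signature set before the update: exact patterns for two known attack classes.
SIGNATURES_V1 = {
    "sqli_union": r"union\s+select",
    "path_traversal": r"\.\./",
}
# Updated set: a more tolerant UNION pattern plus two newly covered classes.
SIGNATURES_V2 = {
    "sqli_union": r"union(?:\s|/\*.*?\*/)+select",
    "path_traversal": r"\.\./",
    "sqli_tautology": r"'\s*or\s+1\s*=\s*1",
    "cmd_injection": r";\s*(?:cat|ls|id|whoami)\b",
}


def compile_signatures(signatures: dict) -> dict:
    return {name: re.compile(pat, re.IGNORECASE) for name, pat in signatures.items()}


def scan(lines, signatures: dict) -> dict:
    """Return {line index: [matching signature names]} for every line that fires a signature.
    Requests are URL-decoded first so '+' and %xx encodings cannot hide a pattern."""
    compiled = compile_signatures(signatures)
    hits = {}
    for idx, (request, _label) in enumerate(lines):
        decoded = unquote_plus(request)
        matched = [name for name, rx in compiled.items() if rx.search(decoded)]
        if matched:
            hits[idx] = matched
    return hits


def effectiveness(lines, old_signatures: dict, new_signatures: dict) -> dict:
    """Compare two signature sets over the same traffic. 'newly_detected_incidents' counts
    real attacks the new set catches that the old set did not; false positives are
    alerts on lines labelled benign, which is why they are not a measure of effectiveness."""
    old_hits = scan(lines, old_signatures)
    new_hits = scan(lines, new_signatures)
    attacks = {i for i, (_r, label) in enumerate(lines) if label == "attack"}
    new_alerts = set(new_hits)
    return {
        "alerts": len(new_alerts),
        "false_positives": len(new_alerts - attacks),
        "newly_detected_incidents": len((new_alerts & attacks) - set(old_hits)),
        "missed_attacks": len(attacks - new_alerts),
    }


if __name__ == "__main__":
    print("v1 alone:", effectiveness(LOG_LINES, {}, SIGNATURES_V1))
    print("v2 vs v1:", effectiveness(LOG_LINES, SIGNATURES_V1, SIGNATURES_V2))
```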

104.Which of the following is MOST important when defining the IS audit scope?
A. Minimizing the time and cost to the organization of IS audit procedures
B. Involving business in the formulation of the scope statement
C. Aligning the IS audit procedures with IT management priorities
D. Understanding the relationship between IT and business risks
Answer: D
Explanation:
The most important factor when defining the IS audit scope is to understand the relationship between
IT and business risks, as this helps to identify the areas that have the most potential impact on the
organization’s objectives, performance, and value. By understanding the IT and business risks, the
IS auditor can focus the audit scope on the key processes, systems, controls, and issues that need to
be assessed and addressed.
References:
ISACA CISA Review Manual, 27th Edition, page 256
Ten Factors to Consider when Setting the Scope of an Internal Audit
What Is an Audit Scope? | Auditing Basics | KirkpatrickPrice

105.Which of the following observations regarding change management should be considered the
MOST serious risk by an IS auditor?
A. There is no software used to track change management.
B. The change is not approved by the business owners.
C. The change is deployed two weeks after approval.
D. The development of the change is not cost-effective.
Answer: B

106.An organization's security policy mandates that all new employees must receive appropriate
security awareness training.
Which of the following metrics would BEST assure compliance with this policy?
A. Percentage of new hires that have completed the training.
B. Number of new hires who have violated enterprise security policies.
C. Number of reported incidents by new hires.
D. Percentage of new hires who report incidents
Answer: A
Explanation:
The best metric to assure compliance with the policy of providing security awareness training to all
new employees is the percentage of new hires that have completed the training, as this directly
measures the extent to which the policy is implemented and enforced. The number of new hires who
have violated enterprise security policies, the number of reported incidents by new hires, and the
percentage of new hires who report incidents are not directly related to the policy, as they may
depend on other factors such as the nature and frequency of threats, the effectiveness of security
controls, and the reporting culture of the organization.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.7

107.Which of the following is the GREATEST risk if two users have concurrent access to the same
database record?
A. Data integrity
B. Entity integrity
C. Referential integrity
D. Availability integrity
Answer: A

108. Project Completion - Project Management - 2nd Edition; How to Measure Project Success |
Smartsheet

109.Which of the following is the BEST way to mitigate risk to an organization's network associated with
devices permitted under a bring your own device (BYOD) policy?
A. Require personal devices to be reviewed by IT staff.
B. Enable port security on all network switches.
C. Implement a network access control system.
D. Ensure the policy requires antivirus software on devices.
Answer: C
Explanation:
The best way to mitigate risk to an organization’s network associated with devices permitted under a
BYOD policy is to implement a network access control system, as this will allow the organization to
monitor, authenticate, and authorize the devices that connect to the network, and to enforce security
policies and compliance requirements. A network access control system can help to prevent
unauthorized or compromised devices from accessing sensitive data or resources, and to detect and
isolate any potential threats or vulnerabilities.
References:
Network Access Control (NAC) - ISACA
Network Access Control (NAC) - Cisco
BYOD Security Risks: 6 Ways to Protect Your Organization - ReliaQuest
How to Mitigate BYOD Risks and Challenges - CIOReview

110.Which of the following is the BEST way for an IS auditor to assess the design of an automated
application control?
A. Interview the application developer.
B. Obtain management attestation and sign-off.
C. Review the application implementation documents.
D. Review system configuration parameters and output.
Answer: C
Explanation:
Reviewing the application implementation documents is the best way for an IS auditor to assess the
design of an automated application control. An automated application control is a control that is
embedded in the application software and is executed by the system without human intervention. An
automated application control is designed to ensure the accuracy, completeness, validity, and
authorization of transactions and data processed by the application. Examples of automated
application controls are input validation, edit checks, calculations, reconciliations, and exception
reports.
The application implementation documents are the documents that describe the design specifications,
logic, and functionality of the application and its controls. The application implementation documents
may include:
Business requirements document - a document that defines the business objectives, needs, and
expectations of the application.
Functional specifications document - a document that describes the features, functions, and
interfaces of the application and its controls.
Technical specifications document - a document that details the technical architecture, design, and
configuration of the application and its controls.
Test plan and test cases - a document that outlines the testing strategy, methodology, and scenarios
for verifying the functionality and performance of the application and its controls.
User manual and training material - a document that provides instructions and guidance on how to
use the application and its controls.
By reviewing the application implementation documents, an IS auditor can:
Gain an understanding of the purpose, scope, and nature of the application and its controls.
Evaluate whether the application and its controls are designed to meet the business requirements
and objectives.
Identify any gaps, inconsistencies, or errors in the design of the application and its controls.
Compare the design of the application and its controls with the best practices and standards in the
industry.
Determine whether the application and its controls are adequately tested and documented.
Interviewing the application developer is not the best way for an IS auditor to assess the design of an
automated application control. An interview is a verbal communication technique that involves asking
questions and listening to responses. An interview can be useful for obtaining general information or
clarifying specific issues related to the application and its controls. However, an interview alone
cannot provide sufficient evidence or documentation to support the auditor’s assessment of the
design of an automated application control. An interview may also be subject to bias,
misunderstanding, or misinterpretation by either party.
Obtaining management attestation and sign-off is not the best way for an IS auditor to assess the
design of an automated application control. Management attestation and sign-off is a formal process
that involves obtaining written confirmation from management that they have reviewed and approved
the design of the application and its controls. Management attestation and sign-off can indicate
management’s commitment and accountability for the quality and effectiveness of the application and
its controls. However, management attestation and sign-off cannot substitute for an independent and
objective evaluation by an IS auditor. Management attestation and sign-off may also be influenced by
pressure, conflict of interest, or fraud.
Reviewing system configuration parameters and output is not the best way for an IS auditor to assess
the design of an automated application control. System configuration parameters are settings that
define how the system operates or interacts with other components. System output is data or
information that is produced by the system as a result of processing transactions or performing
functions. Reviewing system configuration parameters and output can help an IS auditor to verify
whether the system is configured correctly and whether it produces accurate and reliable output.
However, reviewing system configuration parameters and output cannot provide a comprehensive
view of how the application and its controls are designed to achieve their objectives. Reviewing
system configuration parameters and output may also require technical expertise or access rights that
may not be available to an IS auditor.

111.The waterfall life cycle model of software development is BEST suited for which of the following
situations?
A. The project requirements are well understood.
B. The project is subject to time pressures.
C. The project intends to apply an object-oriented design approach.
D. The project will involve the use of new technology.
Answer: A
Explanation:
The waterfall life cycle model is a sequential, linear approach to software development made up of
phases such as planning, analysis, design, implementation, testing, and maintenance, where each
phase must be completed and approved before the next one begins. It is best suited to projects
whose requirements are well understood, because it assumes the requirements are clear, stable,
and fixed at the start of the project and will not change significantly thereafter. A project subject to
time pressures is not a good fit: the model is not flexible or agile enough to absorb changes to the
schedule, it creates long dependencies between phases, and it does not allow early feedback or
early delivery of working software. A project applying an object-oriented design approach is also not
a good fit: that approach models software as a collection of interacting objects with attributes and
behaviors, and usually calls for iterative and incremental development that accommodates dynamic
changes in design and functionality. A project that will use new technology is likewise not a good fit,
since the model leaves little room for the exploration and experimentation that unfamiliar technology
demands and copes poorly with the changes and issues such technology raises.

112.To mitigate the risk of exposing data through application programming interface (API) queries,
which of the following design considerations is MOST important?
A. Data retention
B. Data minimization
C. Data quality
D. Data integrity
Answer: B
Explanation:
The answer B is correct because data minimization is the most important design consideration to
mitigate the risk of exposing data through application programming interface (API) queries. An API is
a set of rules and protocols that allows different software components or systems to communicate
and exchange data. API queries are requests sent by users or applications to an API to retrieve or
manipulate data. For example, a user may query an API to get information about a product, a service,
or a location.
Data minimization is the principle of collecting, processing, and storing only the minimum amount of
data that are necessary for a specific purpose. Data minimization can help to reduce the risk of
exposing data through API queries by limiting the amount and type of data that are available or
accessible through the API. Data minimization can also help to protect the privacy and security of the
data subjects and the data providers, as well as to comply with the relevant laws and regulations.
Some of the benefits of data minimization for API design are:
Privacy: Data minimization can enhance the privacy of the data subjects by ensuring that only the
data that are relevant and essential for the API purpose are collected and processed. This can
prevent unnecessary or excessive collection or disclosure of personal or sensitive data, such as
names, addresses, phone numbers, email addresses, etc. Data minimization can also help to comply
with the privacy laws and regulations that require data protection by design and by default, such as
GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act).
Security: Data minimization can improve the security of the data providers by reducing the attack
surface and the potential damage of a data breach. If less data are stored or transmitted through the
API, there are fewer opportunities for attackers to access or compromise the data. Data minimization
can also help to implement security controls such as encryption, access control, or logging more
efficiently and effectively.
Performance: Data minimization can increase the performance of the API by optimizing the use of
resources and bandwidth. If less data are stored or transmitted through the API, there are less
storage space and network traffic required. Data minimization can also help to improve the speed and
reliability of the API responses.
Some of the techniques for data minimization in API design are:
Define clear and specific purposes for the API and document them in the API specification or
documentation.
Identify and classify the data that are needed for each purpose and assign them appropriate labels or
levels, such as public, internal, confidential, or restricted.
Implement filters or parameters in the API queries that allow users or applications to specify or limit
the data fields or attributes they want to retrieve or manipulate.
Use pagination or throttling in the API responses that limit the number or size of data items returned
per request.
Use anonymization or pseudonymization techniques that remove or replace any identifying
information from the data before sending them through the API.
Some examples of web resources that discuss data minimization in API design are:
Data Minimization in Web APIs - World Wide Web Consortium (W3C)
Adding Privacy by Design in Secure Application Development
Chung-ju/Data-Minimization: A repository of related papers. - GitHub
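The techniques listed above, as an added example that is not from the CISA material or the resources it cites: a customer-lookup handler that applies field classification, a per-role field allow-list, a pagination cap and keyed pseudonymization, shown beside the naive handler it replaces. The records, roles, field classes, page cap and HMAC key are all constructed.

```python
"""Data-minimizing handler for a customer-lookup API, beside the naive handler
it replaces.

Added example, not from the CISA material or the sources it cites. The
records, roles, field classification, page cap and HMAC key are constructed.
"""
import hashlib
import hmac

# Constructed backing store; a real API would query a database.
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.test",
     "phone": "+1-555-0100", "city": "Lisbon", "plan": "pro", "ssn": "000-00-0001"},
    {"customer_id": "C-1002", "name": "Ben Example", "email": "ben@example.test",
     "phone": "+1-555-0101", "city": "Oslo", "plan": "basic", "ssn": "000-00-0002"},
    {"customer_id": "C-1003", "name": "Cyd Example", "email": "cyd@example.test",
     "phone": "+1-555-0102", "city": "Quito", "plan": "pro", "ssn": "000-00-0003"},
]

# Classify every field the API could return (constructed labels).
FIELD_CLASS = {
    "customer_id": "internal", "name": "confidential", "email": "confidential",
    "phone": "confidential", "city": "public", "plan": "public", "ssn": "restricted",
}
# Which classes each caller role may receive; "restricted" is never served by the API.
ROLE_CLASSES = {"partner": {"public"}, "support": {"public", "internal", "confidential"}}
MAX_PAGE_SIZE = 2  # deliberately small so the cap is visible on the sample data
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"


def naive_query(records=CUSTOMERS):
    """The pattern data minimization replaces: every field of every record, no role check."""
    return list(records)


def pseudonymize(value: str) -> str:
    """Keyed hash: the same customer always maps to the same token, which the caller
    cannot reverse without the key."""
    return "P-" + hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def handle_query(role, requested_fields=None, page=1, page_size=MAX_PAGE_SIZE, records=CUSTOMERS):
    """Serve only the fields the role may see, never more than MAX_PAGE_SIZE rows, and a
    pseudonym instead of the raw customer id for external partners."""
    allowed = ROLE_CLASSES.get(role)
    if allowed is None:
        return {"status": 403, "error": "unknown role"}
    permitted = [f for f, cls in FIELD_CLASS.items() if cls in allowed]
    # Field filter: the intersection of what was asked for and what the role may receive.
    fields = permitted if requested_fields is None else [f for f in requested_fields if f in permitted]
    denied = sorted(set(requested_fields or ()) - set(fields))
    # Pagination cap: a caller cannot pull the whole table in one request.
    page_size = max(1, min(page_size, MAX_PAGE_SIZE))
    page = max(1, page)
    start = (page - 1) * page_size
    items = []
    for rec in records[start:start + page_size]:
        item = {f: rec[f] for f in fields}
        if role == "partner":  # pseudonymization: stable reference, no identifying value
            item["customer_ref"] = pseudonymize(rec["customer_id"])
        items.append(item)
    return {"status": 200, "page": page, "page_size": page_size, "total": len(records),
            "fields": fields, "denied_fields": denied, "items": items}


if __name__ == "__main__":
    print("naive:", naive_query()[0])
    print("partner:", handle_query("partner", ["name", "email", "city", "ssn"], page_size=100))
    print("support:", handle_query("support", ["name", "ssn"]))
```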

113.In which phase of the audit life cycle process should an IS auditor initially discuss observations
with management?
A. Planning phase
B. Reporting phase
C. Follow-up phase
D. Fieldwork phase
Answer: D
Explanation:
Audit findings should be communicated as early as possible to avoid misunderstandings, provide an
opportunity for corrective action, and ensure transparency.
Option A (Incorrect): The planning phase involves defining audit scope, objectives, and methodology,
but findings are not yet available to discuss with management.
Option B (Incorrect): The reporting phase formalizes audit results, but discussing issues only at this
stage may lead to delays in corrective action.
Option C (Incorrect): The follow-up phase ensures that management has implemented corrective
actions, but this occurs after the initial discussion of findings.
Option D (Correct): The fieldwork phase is when auditors actively gather evidence, analyze data, and
identify issues. Discussing observations during this phase allows for immediate clarification,
validation, and resolution of misunderstandings before the final report.
Reference: ISACA CISA Review Manual - Domain 1: Information Systems Auditing Process -
Discusses audit engagement, reporting, and communication best practices.

114.An IS auditor concludes that an organization has a quality security policy.
Which of the following is MOST important to determine next? The policy must be:
A. well understood by all employees.
B. based on industry standards.
C. developed by process owners.
D. updated frequently.
Answer: A
Explanation:
The most important thing to determine next after concluding that an organization has a quality
security policy is whether the policy is well understood by all employees. A security policy is a
document that defines the objectives, scope, roles, responsibilities, and rules for information security
within an organization. A quality security policy is one that is clear, concise, consistent,
comprehensive, and aligned with business goals and requirements. However, a quality security policy
is useless if it is not well understood by all employees who are expected to comply with it. Therefore,
the IS auditor should assess the level of awareness and understanding of the security policy among
employees and identify any gaps or issues that need to be addressed. The other options are not as
important as ensuring that the security policy is well understood by all employees, as they do not
directly affect the implementation and effectiveness of the security policy.
References: CISA Review Manual, 27th Edition, page 317

115.Which of the following should be the MOST important consideration when conducting a review of
IT portfolio management?
A. Assignment of responsibility for each project to an IT team member
B. Adherence to best practice and industry approved methodologies
C. Controls to minimize risk and maximize value for the IT portfolio
D. Frequency of meetings where the business discusses the IT portfolio
Answer: C
Explanation:
Controls to minimize risk and maximize value for the IT portfolio should be the most important
consideration when conducting a review of IT portfolio management, because they ensure that the IT
portfolio aligns with the business strategy, objectives, and priorities, and that the IT investments
deliver optimal benefits and outcomes. Assignment of responsibility for each project to an IT team
member, adherence to best practice and industry approved methodologies, and frequency of
meetings where the business discusses the IT portfolio are also relevant aspects of IT portfolio
management, but they are not as important as controls to minimize risk and maximize value.
References: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.3

116.Which of the following should be given GREATEST consideration when implementing the use of
an open-source product?
A. Support
B. Performance
C. Confidentiality
D. Usability
Answer: A
Explanation:
Support should be given the greatest consideration when implementing the use of an open-source
product, as open-source software may not have the same level of technical support, maintenance,
and updates as proprietary software. Open-source software users may have to rely on the
community of developers and users, online forums, or third-party vendors for support, which may not
be timely, reliable, or consistent. Therefore, before implementing an open-source product, users
should evaluate the availability and quality of support options, such as documentation, forums,
mailing lists, bug trackers, chat channels, etc.

117.An IS auditor is tasked to review an organization's plan-do-check-act (PDCA) method for improving
IT-related processes and wants to determine the accuracy of defined targets to be achieved.
Which of the following steps in the PDCA process should the auditor PRIMARILY focus on in this
situation?
A. Check
B. Plan
C. Do
D. Act
Answer: B
Explanation:
In the PDCA cycle, the "Plan" phase is where targets and objectives are defined. Focusing on this
phase allows the auditor to evaluate the accuracy and appropriateness of the defined targets before
they are implemented and measured in subsequent phases.
References
ISACA CISA Review Manual 27th Edition, Page 315-316 (PDCA Cycle)

118.Which of the following is an analytical review procedure for a payroll system?
A. Performing reasonableness tests by multiplying the number of employees by the average wage
rate
B. Evaluating the performance of the payroll system using benchmarking software
C. Performing penetration attempts on the payroll system
D. Testing hours reported on time sheets
Answer: A

119.Which of the following is the PRIMARY advantage of using an automated security log monitoring
tool instead of conducting a manual review to monitor the use of privileged access?
A. Reduced costs associated with automating the review
B. Increased likelihood of detecting suspicious activity
C. Ease of storing and maintaining log file
D. Ease of log retrieval for audit purposes
Answer: B

120.During a physical security audit, an IS auditor was provided a proximity badge that granted
access to three specific floors in a corporate office building.
Which of the following issues should be of MOST concern?
A. The proximity badge did not work for the first two days of audit fieldwork.
B. There was no requirement for an escort during fieldwork.
C. There was no follow-up for unsuccessful attempted access violations.
D. The proximity badge incorrectly granted access to restricted areas.
Answer: D
Explanation:
The proximity badge incorrectly granting access to restricted areas is the most concerning issue, as it
indicates a failure of the access control system to enforce the principle of least privilege and protect
the sensitive or critical assets of the organization. The proximity badge should only grant access to
the areas that are necessary for the IS auditor to perform the audit fieldwork, and not to any other
areas that may contain confidential information, valuable equipment, or hazardous materials. The
incorrect access could result in unauthorized disclosure, modification, or destruction of the assets, as
well as potential safety or legal issues.
References
ISACA CISA Review Manual, 27th Edition, page 254
Office & Workplace Physical Security Assessment Checklist
Physical Security: Planning, Measures & Examples

121.Which of the following is the MOST significant risk that IS auditors are required to consider for
each engagement?
A. Process and resource inefficiencies
B. Irregularities and illegal acts
C. Noncompliance with organizational policies
D. Misalignment with business objectives
Answer: D
Explanation:
The most significant risk that IS auditors are required to consider for each engagement is the
misalignment with business objectives. This is because IS audit engagements are intended to provide
assurance that the IT systems and processes support the achievement of the business objectives and
strategies. If there is a misalignment, it could result in wasted resources, missed opportunities,
inefficiencies, errors, or failures that could adversely affect the organization’s performance and
reputation.
References: CISA Review Manual (Digital Version), Chapter 1: The Process of Auditing Information
Systems, Section 1.3: Audit Risk, page 28; CISA Online Review Course, Module 1: The Process of
Auditing Information Systems, Lesson 1.3: Audit Risk

122.Which of the following is the BEST control to mitigate attacks that redirect Internet traffic to an
unauthorized website?
A. Utilize a network-based firewall.
B. Conduct regular user security awareness training.
C. Perform domain name system (DNS) server security hardening.
D. Enforce a strong password policy meeting complexity requirements.
Answer: C
Explanation:
The best control to mitigate attacks that redirect Internet traffic to an unauthorized website is to
perform domain name system (DNS) server security hardening. DNS servers are responsible for
resolving domain names into IP addresses, and they are often targeted by attackers who want to
manipulate or spoof DNS records to redirect users to malicious websites. By applying security best
practices to DNS servers, such as encrypting DNS traffic, implementing DNSSEC, restricting access
and updating patches, the organization can reduce the risk of DNS hijacking attacks. A network-
based firewall, user security awareness training and a strong password policy are also important
controls, but they are not as effective as DNS server security hardening in preventing this specific
type of attack.
References:
CISA Review Manual, 27th Edition, page 4021
CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

123.Which of the following is MOST important to define within a disaster recovery plan (DRP)?
A. Business continuity plan (BCP)
B. Test results for backup data restoration
C. A comprehensive list of disaster recovery scenarios and priorities
D. Roles and responsibilities for recovery team members
Answer: D
Explanation:
The most important thing to define within a disaster recovery plan (DRP) is the roles and
responsibilities for recovery team members, as this ensures that everyone knows what to do, who to
report to, and how to communicate in the event of a disaster. A business continuity plan (BCP) is a
broader document that covers the overall strategy and objectives for maintaining or resuming
business operations after a disaster. Test results for backup data restoration are important to verify
the integrity and availability of backup data, but they are not part of the DRP itself. A comprehensive
list of disaster recovery scenarios and priorities is useful to identify the potential risks and impacts of
different types of disasters, but it is not as critical as defining the roles and responsibilities for
recovery team members.
References: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations,
Maintenance and Service Management, Section 4.3: Disaster Recovery Planning

124.An organization is considering allowing users to connect personal devices to the corporate
network.
Which of the following should be done FIRST?
A. Conduct security awareness training.
B. Implement an acceptable use policy
C. Create inventory records of personal devices
D. Configure users on the mobile device management (MDM) solution
Answer: B
Explanation:
The first thing that should be done before allowing users to connect personal devices to the corporate
network is to implement an acceptable use policy. An acceptable use policy is a document that
defines the rules and guidelines for using personal devices on the corporate network, such as security
requirements, access rights, responsibilities, and consequences. An acceptable use policy can help
to protect the organization from potential risks such as data leakage, malware infection, or legal
liability. The other options are not as important as implementing an acceptable use policy, as they do
not establish the boundaries and expectations for using personal devices on the corporate network.
References: CISA Review Manual, 27th Edition, page 318

125.An IS auditor is planning a review of an organization's cybersecurity incident response maturity.
Which of the following methodologies would provide the MOST reliable conclusions?
A. Judgmental sampling
B. Data analytics testing
C. Variable sampling
D. Compliance testing
Answer: D
Explanation:
Compliance testing ensures that the organization's incident response processes align with
established cybersecurity frameworks and policies. This methodology provides objective and reliable
conclusions about the maturity of incident response capabilities.
Judgmental Sampling (Option A): Relies on subjective judgment and is less reliable.
Data Analytics Testing (Option B): Useful for identifying trends but may not assess process maturity
comprehensively.
Variable Sampling (Option C): Appropriate for statistical analysis but less effective in process maturity
assessments.
Reference: ISACA CISA Review Manual, Job Practice Area 2: Information Systems Audit and
Assurance.

126.Which of the following should be the FIRST step to successfully implement a corporate data
classification program?
A. Approve a data classification policy.
B. Select a data loss prevention (DLP) product.
C. Confirm that adequate resources are available for the project.
D. Check for the required regulatory requirements.
Answer: A
Explanation:
The first step to successfully implement a corporate data classification program is to approve a data
classification policy. A data classification policy is a document that defines the objectives, scope,
principles, roles, responsibilities, and procedures for classifying data based on its sensitivity and value
to the organization. A data classification policy is essential for establishing a common understanding
and a consistent approach for data classification across the organization, as well as for ensuring
compliance with relevant regulatory and contractual requirements.
Selecting a data loss prevention (DLP) product (option B) is not the first step to implement a data
classification program, as it is a technical solution that supports the enforcement of the data
classification policy, not the definition of it. A DLP product can help prevent unauthorized access, use,
or disclosure of sensitive data by monitoring, detecting, and blocking data flows that violate the data
classification policy. However, before selecting a DLP product, the organization needs to have a clear
and approved data classification policy that specifies the criteria and rules for data classification.
Confirming that adequate resources are available for the project (option C) is also not the first step to
implement a data classification program, as it is a project management activity that ensures the
feasibility and sustainability of the project, not the design of it. Confirming that adequate resources are
available for the project involves estimating and securing the necessary budget, staff, time, and tools
for implementing and maintaining the data classification program. However, before confirming that
adequate resources are available for the project, the organization needs to have a clear and
approved data classification policy that defines the scope and objectives of the project.
Checking for the required regulatory requirements (option D) is also not the first step to implement a
data classification program, as it is an input to the development of the data classification policy, not an
output of it. Checking for the required regulatory requirements involves identifying and analyzing the
applicable laws, regulations, standards, and contracts that govern the protection and handling of
sensitive data. However, checking for the required regulatory requirements is not enough to
implement a data classification program; the organization also needs to have a clear and approved
data classification policy that incorporates and complies with those requirements.
Therefore, option A is the correct answer.
References:
Data Classification: What It Is and How to Implement It
Create a well-designed data classification framework
7 Steps to Effective Data Classification | CDW
Data Classification: The Basics and a 6-Step Checklist - NetApp
Private and confidential February 2021 - Deloitte US

127. Microsoft Service Trust Portal. “Data classification & sensitivity label taxonomy.”
(https://learn.microsoft.com/en-us/compliance/assurance/assurance-data-classification-and-labels)

128.Which of the following management decisions presents the GREATEST risk associated with data
leakage?
A. There is no requirement for desktops to be encrypted
B. Staff are allowed to work remotely
C. Security awareness training is not provided to staff
D. Security policies have not been updated in the past year
Answer: C
Explanation:
The management decision that presents the greatest risk associated with data leakage is not
providing security awareness training to staff. This is because staff are often the weakest link in the
information security chain, and they may unintentionally or maliciously leak sensitive data through
various channels, such as email, social media, cloud storage, or removable media. Security
awareness training is essential to educate staff on the importance of protecting data, the policies and
procedures for handling data, and the best practices for preventing and reporting data leakage
incidents. Not requiring desktops to be encrypted, allowing staff to work remotely, and not updating
security policies in the past year are also management decisions that may increase the risk of data
leakage, but they are not as significant as not providing security awareness training to staff.
Encryption, remote work, and security policies are technical or administrative controls that can be
implemented or enforced by management, but they cannot fully prevent or mitigate human errors or
malicious actions by staff.
References: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program
Management Guide]

129.During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS
auditor and requests the finding be excluded from the final report.
Which of the following is the auditor's BEST course of action?
A. Request that the IT manager be removed from the remaining meetings and future audits.
B. Modify the finding to include the IT manager's comments and inform the audit manager of the
changes.
C. Remove the finding from the report and continue presenting the remaining findings.
D. Provide the evidence which supports the finding and keep the finding in the report.
Answer: D

130.Which of the following metrics is the BEST indicator of the performance of a web application?
A. Server thread count
B. Server uptime
C. Average response time
D. HTTP server error rate
Answer: C

131.Which of the following cloud capabilities BEST enables an organization to meet unexpectedly
high service demand?
A. Scalability
B. High availability
C. Alternate routing
D. Flexibility
Answer: A

132.Which of the following is the BEST method to maintain an audit trail of changes made to the
source code of a program?
A. Embed details within source code.
B. Standardize file naming conventions.
C. Utilize automated version control.
D. Document details on a change register.
Answer: C
Explanation:
Automated version control systems are the best method to maintain an audit trail of changes made to
the source code of a program. They automatically track and manage changes to the source code over
time, allowing you to see what changes were made, when they were made, and who made them.
This provides a clear and detailed audit trail that can be invaluable for debugging, understanding the
evolution of the code, and ensuring accountability.

133.A contract for outsourcing IS functions should always include:
A. Full details of security procedures to be observed by the contractor.
B. A provision for an independent audit of the contractor’s operations.
C. The names and roles of staff to be employed in the operation.
D. Data transfer protocols.
Answer: B
Explanation:
Comprehensive and Detailed Step-by-Step
When outsourcing IS functions, independent audit provisions ensure that contractors meet security,
compliance, and operational standards.
Option A (Incorrect): Security procedures should be included but are subject to change and may not
be detailed in the contract.
Option B (Correct): Independent audit rights allow the organization to verify that the vendor complies
with security, operational, and regulatory requirements.
Option C (Incorrect): Naming specific staff is impractical and not a core contractual requirement.
Option D (Incorrect): Data transfer protocols are important, but they are a technical detail rather than
a primary contract requirement.
Reference: ISACA CISA Review Manual - Domain 3: Information Systems Acquisition, Development,
and Implementation - Covers outsourcing, SLAs, and audit requirements.

134.Which of the following BEST mitigates the risk of SQL injection attacks against applications
exposed to the internet?
A. Web application firewall (WAF)
B. SQL server hardening
C. Patch management program
D. SQL server physical controls
Answer: A
Explanation:
A Web Application Firewall (WAF) (A) is the best control to mitigate SQL injection attacks because it
can detect and block malicious SQL queries before they reach the application. WAFs analyze
incoming requests, filter SQL injection attempts, and provide an additional layer of security for web
applications.
Other options:
SQL server hardening (B) improves security but does not specifically address SQL injection. Patch
management (C) is necessary but does not provide immediate protection against new SQL injection
attacks.
Physical controls (D) are unrelated to application-layer threats like SQL injection.
Reference: ISACA CISA Review Manual, Information Security
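To make concrete the request pattern a WAF screens for, and why the durable fix sits in the application's own query, here is an added example (not from the ISACA material or the question bank): a constructed SQLite table is queried first by string concatenation and then with a bound parameter; the table contents, names and the tautology input are all constructed.

```python
"""Added example: the SQL injection class a web application firewall (WAF)
filters at the request layer, shown beside the parameterized query that removes
the flaw at the source. Server hardening and patching do not change how the
application builds this query, which is why they do not address injection."""
import sqlite3


def build_db():
    """Constructed sample data: one admin and one staff record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by concatenation: user input becomes SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Binds the input as a value; the database never parses it as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed tautology input of the kind a WAF signature looks for in requests.
TAUTOLOGY = "x' OR '1'='1"


def compare(conn, user_input):
    """Run the same input through both forms so the difference is visible."""
    return {
        "vulnerable": lookup_vulnerable(conn, user_input),
        "parameterized": lookup_parameterized(conn, user_input),
    }


if __name__ == "__main__":
    db = build_db()
    # Legitimate input behaves the same in both forms.
    print(compare(db, "alice"))
    # The tautology returns every row from the concatenated query and nothing
    # from the parameterized one, because no username equals the literal text.
    print(compare(db, TAUTOLOGY))
```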

135.How would an IS auditor BEST determine the effectiveness of a security awareness program?
A. Review the results of social engineering tests.
B. Evaluate management survey results.
C. Interview employees to assess their security awareness.
D. Review security awareness training quiz results.
Answer: A
Explanation:
Comprehensive and Detailed Step-by-Step
Social engineering tests are the most effective way to assess real-world security awareness by
measuring employees' ability to recognize and resist security threats.
Review the Results of Social Engineering Tests (Correct Answer - A)
Simulated phishing attacks and pretexting exercises measure actual employee behavior.
Provides actionable insights into weaknesses in security awareness.
Example: If employees frequently click on phishing emails, the awareness program is ineffective.
Evaluate Management Survey Results (Incorrect - B)
Management perception is subjective and does not reflect actual employee behavior.
Interview Employees (Incorrect - C)
Employees may provide inaccurate or rehearsed responses.
Review Security Training Quiz Results (Incorrect - D)
Tests knowledge but does not measure practical application.
References:
ISACA CISA Review Manual
NIST 800-53 (Security Awareness and Training)
ISO 27001: Security Awareness Control

136.Which of the following criteria is MOST important for the successful delivery of benefits from an
IT project?
A. Assessing the impact of changes to individuals and business units within the organization
B. Involving key stakeholders during the development and execution phases of the project
C. Ensuring that IT project managers have sign-off authority on the business case
D. Quantifying the size of the software development effort required by the project
Answer: B

137.Which of the following is the BEST way to minimize sampling risk?
A. Use a larger sample size
B. Perform statistical sampling
C. Perform judgmental sampling
D. Enhance audit testing procedures
Answer: B
Explanation:
Sampling risk is the risk that the auditor’s conclusion based on a sample may be different from the
conclusion that would be reached if the entire population was tested using the same audit procedure.
Sampling risk can lead to either incorrect rejection or incorrect acceptance of the audit objective. The
best way to minimize sampling risk is to perform statistical sampling. Statistical sampling is a method
of selecting and evaluating a sample using probability theory and mathematical calculations.
Statistical sampling allows auditors to measure and control the sampling risk by determining the
appropriate sample size and selection method, and evaluating the results using confidence levels and
precision intervals. Statistical sampling can also provide more objective and consistent results than
judgmental sampling, which relies on the auditor’s professional judgment and experience.
References:
Sampling Risks: Definition, Example, and Explanation - Wikiaccounting
Sampling Risk in Audit | Sampling vs non sampling risk - Accountinguide
Audit sampling | ACCA Qualification | Students | ACCA Global
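The sample-size, selection and evaluation steps the explanation refers to, as an added example (not from the Review Manual or the question bank): attribute sampling in Python over a constructed population of change tickets; the confidence level, expected deviation rate, precision, tolerable rate and seed are assumed values, and the normal-approximation formulas are one common textbook method rather than ISACA's prescribed one.

```python
"""Added example: attribute (statistical) sampling for a control test, sized,
drawn and evaluated the way an IS auditor would document it. All figures are
constructed."""
import math
import random

# Standard-normal quantiles for the usual two-sided confidence levels.
Z_VALUES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def attribute_sample_size(confidence, expected_rate, precision, population=None):
    """Items to test so the estimated deviation rate lies within +/- precision
    of the true rate at the given confidence.

    n0 = z^2 * p * (1 - p) / e^2, with an optional finite-population correction.
    """
    z = Z_VALUES[confidence]
    n0 = (z ** 2) * expected_rate * (1 - expected_rate) / (precision ** 2)
    if population is not None:
        n0 = n0 / (1 + (n0 - 1) / population)
    return math.ceil(n0)


def select_sample(population_ids, sample_size, seed):
    """Simple random selection: every item has an equal chance. The seed goes
    into the workpapers so a reviewer can reproduce the selection."""
    rng = random.Random(seed)
    return sorted(rng.sample(list(population_ids), sample_size))


def evaluate_sample(sample_size, deviations, confidence, tolerable_rate):
    """Compare the achieved upper deviation limit with the tolerable rate.

    With at least one deviation the normal approximation gives the upper limit.
    With zero deviations that approximation collapses to 0, so the exact bound
    r = 1 - (1 - confidence)^(1/n) is used instead: the largest rate at which
    seeing no deviations in n items is still plausible at this confidence.
    """
    z = Z_VALUES[confidence]
    observed = deviations / sample_size
    if deviations == 0:
        upper = 1 - (1 - confidence) ** (1 / sample_size)
    else:
        upper = observed + z * math.sqrt(observed * (1 - observed) / sample_size)
    return {
        "observed_rate": observed,
        "upper_limit": upper,
        "control_effective": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    # Constructed population: 1,200 change tickets tested for prior approval.
    tickets = [f"CHG-{i:04d}" for i in range(1, 1201)]
    n = attribute_sample_size(0.95, 0.05, 0.05, population=len(tickets))
    chosen = select_sample(tickets, n, seed=2024)
    # Suppose the auditor found 2 unapproved changes among the sampled tickets.
    print(n, chosen[:3], evaluate_sample(n, 2, 0.95, 0.10))
```

Judgmental sampling has no counterpart to evaluate_sample: without a probability-based selection there is no measurable confidence level or precision to report.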

138.An IS auditor is conducting a physical security audit of a healthcare facility and finds closed-
circuit television (CCTV) systems located in a patient care area.
Which of the following is the GREATEST concern?
A. Cameras are not monitored 24/7.
B. There are no notices indicating recording is in progress.
C. The retention period for video recordings is undefined.
D. There are no backups of the videos.
Answer: B
Explanation:
The greatest concern with finding closed-circuit television (CCTV) systems located in a patient care
area is that there are no notices indicating recording is in progress. This is because CCTV systems in
healthcare settings can pose a threat to the privacy and confidentiality of patients, staff, and visitors,
especially in sensitive areas where personal or medical information may be exposed. According to the
government’s Surveillance camera code of practice, CCTV operators must be as transparent as
possible in the use of CCTV, and inform people that they are being recorded by using clear and
visible signs. The signs should also provide contact details of the CCTV operator and the purpose of
the surveillance. By providing notices, CCTV operators can comply with data protection law and
respect the rights and expectations of individuals.
Option B is correct because the lack of notices indicating recording is in progress is a clear violation
of the Surveillance camera code of practice, which applies to local authorities and the police, and is
encouraged to be adopted by other CCTV operators in England and Wales. The code also applies to
Scotland, along with the National Strategy for Public Space CCTV. The code is intended to be used in
conjunction with the guidance provided by the Information Commissioner’s Office (ICO), which
applies across the UK. The ICO states that CCTV operators must inform people that they are being
recorded by using prominent signs at the entrance of the CCTV zone and reinforcing this with further
signs inside the area.
Option A is incorrect because cameras not being monitored 24/7 is not the greatest concern, as it
does not necessarily affect the privacy and confidentiality of individuals. CCTV systems may have
different purposes and objectives, such as deterring or monitoring crime, enhancing security, or
improving patient care. Depending on the purpose, CCTV systems may not require constant
monitoring, but rather periodic review or analysis. However, CCTV operators should still ensure that
they have adequate security measures to protect the CCTV systems from unauthorized access or
tampering.
Option C is incorrect because the retention period for video recordings being undefined is not the
greatest concern, as it does not directly affect the privacy and confidentiality of individuals. However,
CCTV operators should still define and document their retention policy, and ensure that they do not
keep video recordings for longer than necessary, unless they are needed for a specific purpose or as
evidence. The retention period should be based on a clear and justifiable rationale, and comply with
data protection law and industry guidelines.
Option D is incorrect because there being no backups of the videos is not the greatest concern, as it
does not affect the privacy and confidentiality of individuals. However, CCTV operators should still
consider having backups of their videos, especially if they are needed for a specific purpose or as
evidence. Backups can help to prevent data loss or corruption due to system failures, disasters, or
malicious attacks. Backups should also be stored securely and encrypted to prevent unauthorized
access or disclosure.

139.When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not
have been reported and independence may not have been maintained.
Which of the following is the auditor's BEST course of action?
A. Inform senior management.
B. Reevaluate internal controls.
C. Inform audit management.
D. Re-perform past audits to ensure independence.
Answer: C
Explanation:
If an IS auditor suspects that independence may not have been maintained in past audits, the best
course of action is to inform audit management. Audit management has the responsibility and
authority to address such issues. They can review the situation, determine if there was indeed a lack
of independence, and decide on the appropriate actions to take. While informing senior
management, reevaluating internal controls, and re-performing past audits might be necessary at
some point, the first step should be to inform audit management.

140.In which phase of penetration testing would host detection and domain name system (DNS)
interrogation be performed?
A. Discovery
B. Attacks
C. Planning
D. Reporting
Answer: A
Explanation:
Penetration testing is a method of evaluating the security of a system or network by simulating an
attack from a malicious source. Penetration testing typically consists of four phases: planning,
discovery, attacks, and reporting. In the discovery phase, penetration testers gather information about
the target system or network, such as host detection, domain name system (DNS) interrogation, port
scanning, service identification, operating system fingerprinting, vulnerability scanning, etc. This
information can help to identify potential entry points, weaknesses, or vulnerabilities that can be
exploited in the subsequent attack phase. Host detection and DNS interrogation are techniques that
can be used in the discovery phase to determine the active hosts and their IP addresses and
hostnames on the target network.
References: [ISACA CISA Review Manual 27th Edition], page 368.

141.A small organization is experiencing rapid growth and plans to create a new information security
policy.
Which of the following is MOST relevant to creating the policy?
A. Business objectives
B. Business impact analysis (BIA)
C. Enterprise architecture (EA)
D. Recent incident trends
Answer: A

142.An IS auditor is reviewing how password resets are performed for users working remotely.
Which type of documentation should be requested to understand the detailed steps required for this
activity?
A. Standards
B. Guidelines
C. Policies
D. Procedures
Answer: D

143.An IS auditor is reviewing the deployment of a new automated system.
Which of the following findings presents the MOST significant risk?
A. The new system has resulted in layoffs of key experienced personnel.
B. Users have not been trained on the new system.
C. Data from the legacy system is not migrated correctly to the new system.
D. The new system is not platform agnostic.
Answer: C
Explanation:
The finding that presents the most significant risk when reviewing the deployment of a new automated
system is that data from the legacy system is not migrated correctly to the new system. Data
migration is a critical process that involves transferring data from one system to another, ensuring its
accuracy, completeness, integrity, and usability. If data migration is not performed correctly, it can
result in data loss, corruption, inconsistency, or duplication, which can affect the functionality,
performance, reliability, and security of the new system. Data migration errors can also have serious
business implications, such as affecting decision making, reporting, compliance, customer service,
and revenue. The other findings (A, B and D) are less significant risks, as they can be mitigated by
rehiring or retraining personnel, providing user training, or adapting the system to different platforms.

144.When reviewing the disaster recovery strategy, IT management identified an application that
requires a short recovery point objective (RPO).
Which of the following data restoration strategies would BEST enable the organization to meet this
objective?
A. Snapshots
B. Mirroring
C. Log shipping
D. Data backups
Answer: B
Explanation:
Mirroring (Option B) is the best choice for applications requiring a short Recovery Point Objective
(RPO) because it provides real-time replication of data, ensuring minimal data loss.
ISACA CISA Reference: Data replication strategies in disaster recovery planning emphasize mirroring for
high-availability systems.
Risk Implication: If mirroring is not implemented for critical systems, significant data loss may occur in
the event of a failure.
Alternative Choices:
Option A: Snapshots capture data at specific points in time, leading to potential data loss.
Option C: Log shipping has delays due to batch processing.
Option D: Backups are periodic and not suitable for short RPO needs.

145.An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial
audit team can rely on the application.
Which of the following findings would be the auditor's GREATEST concern?
A. User access rights have not been periodically reviewed by the client.
B. Payroll processing costs have not been included in the IT budget.
C. The third-party contract has not been reviewed by the legal department.
D. The third-party contract does not comply with the vendor management policy.
Answer: C
Explanation:
The third-party contract has not been reviewed by the legal department is the auditor’s greatest
concern because it poses a significant legal and financial risk to the client. A third-party contract is a
legally binding agreement between the client and the outsourced payroll provider that defines the
scope, terms, and conditions of the service. A third-party contract should be reviewed by the legal
department to ensure that it complies with the applicable laws and regulations, protects the client’s
interests and rights, and specifies the roles and responsibilities of both parties. A third-party contract
that has not been reviewed by the legal department may contain clauses that are unfavorable,
ambiguous, or contradictory to the client, such as:
Inadequate or unclear service level agreements (SLAs) that do not specify the quality, timeliness, and
accuracy of the payroll service.
Insufficient or vague security and confidentiality provisions that do not safeguard the client’s data and
information from unauthorized access, use, disclosure, or loss.
Unreasonable or excessive fees, penalties, or liabilities that may impose an undue financial burden
on the client.
Limited or no audit rights that may prevent the client from verifying the effectiveness and compliance
of the payroll provider’s internal controls.
Inflexible or restrictive termination clauses that may limit the client’s ability to cancel or switch to
another payroll provider.
A third-party contract that has not been reviewed by the legal department may expose the client to
various risks, such as:
Legal disputes or litigation with the payroll provider over contractual breaches or performance issues.
Regulatory fines or sanctions for noncompliance with tax, labor, or other laws and regulations related
to payroll.
Financial losses or damages due to errors, fraud, or negligence by the payroll provider.
Reputation damage or customer dissatisfaction due to payroll errors or delays.
Therefore, an IS auditor should be highly concerned about a third-party contract that has not been
reviewed by the legal department and recommend that the client seek legal advice before signing or
renewing any contract with an outsourced payroll provider.
User access rights have not been periodically reviewed by the client is a moderate concern because it
may indicate a lack of proper access control over the payroll system. User access rights are the
permissions granted to users to access, view, modify, or delete data and information in the payroll
system. User access rights should be periodically reviewed by the client to ensure that they are
aligned with the user’s roles and responsibilities, and that they are revoked or modified when a user
changes roles or leaves the organization. User access rights that are not periodically reviewed by the
client may result in unauthorized or inappropriate access to payroll data and information, which may
compromise its confidentiality, integrity, and availability.
Payroll processing costs have not been included in the IT budget is a minor concern because it may
indicate a lack of proper planning and allocation of IT resources for payroll processing. Payroll
processing costs are the expenses incurred by the client for using an outsourced payroll service, such
as fees, charges, taxes, or penalties. Payroll processing costs should be included in the IT budget to
ensure that they are adequately estimated, monitored, and controlled. Payroll processing costs that
are not included in the IT budget may result in unexpected or excessive costs for payroll processing,
which may affect the client’s profitability and cash flow.
The third-party contract does not comply with the vendor management policy is a low concern
because it may indicate a lack of alignment between the client’s vendor management policy and its
actual vendor selection and evaluation process. A vendor management policy is a set of guidelines
and procedures that governs how the client manages its relationship with its vendors, such as how to
select, monitor, evaluate, and terminate vendors. A vendor management policy should be consistent
with the client’s business objectives, risk appetite, and regulatory requirements. A third-party contract
that does not comply with the vendor management policy may result in suboptimal vendor
performance or service quality, but it does not necessarily imply a breach of contract or a violation of
law.

146.Which of the following is an advantage of using agile software development methodology over
the waterfall methodology?
A. Less funding required overall
B. Quicker deliverables
C. Quicker end user acceptance
D. Clearly defined business expectations
Answer: B
Explanation:
The advantage of using agile software development methodology over the waterfall methodology is
that it allows for quicker deliverables. Agile software development is an iterative and incremental
approach that emphasizes customer feedback, collaboration, and adaptation. Agile software
development delivers working software in short cycles, called sprints, that typically last from two to
four weeks. This enables the development team to respond to changing requirements, deliver value
faster, and improve quality. Waterfall software development is a linear and sequential approach that
follows a predefined set of phases, such as planning, analysis, design, implementation, testing, and
maintenance. Waterfall software development requires a clear and stable definition of the project
scope, deliverables, and expectations before starting the development process. Waterfall software
development can be slow, rigid, and costly, especially if changes occur during the later stages of the
project.
References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition,
Development & Implementation, Section 3.1: Project Management Practices

147.Which of the following is MOST helpful for understanding an organization’s key driver to
modernize application platforms?
A. Vendor software inventories
B. Network architecture diagrams
C. System-wide incident reports
D. Inventory of end-of-life software
Answer: D

148.An organization allows programmers to change production systems in emergency situations
without seeking prior approval.
Which of the following controls should an IS auditor consider MOST important?
A. Programmers' subsequent reports
B. Limited number of super users
C. Operator logs
D. Automated log of changes
Answer: D

149.While evaluating the data classification process of an organization, an IS auditor's PRIMARY
focus should be on whether:
A. data classifications are automated.
B. a data dictionary is maintained.
C. data retention requirements are clearly defined.
D. data is correctly classified.
Answer: D
Explanation:
Data classification is the process of organizing and labeling data into categories based on file type,
contents, and other metadata. Data classification helps organizations answer important questions
about their data that inform how they mitigate risk and manage data governance policies. Data
classification also enables appropriate protection measures, and efficient search, retrieval and use of
each data category.
While evaluating the data classification process of an organization, an IS auditor’s primary focus
should be on whether data is correctly classified. This means that the data is assigned to the
appropriate classification level based on its sensitivity, importance, integrity, availability, compliance
requirements, and business value. Correct data classification ensures that the data is protected
according to its risk level, and that the organization can comply with relevant laws and regulations that
apply to different types of data.
The other three options are not the primary focus of an IS auditor while evaluating the data
classification process, although they may be relevant or useful for certain aspects of data
management. Data classifications are automated means that the organization uses software tools or
algorithms to analyze and label data based on predefined rules or criteria. This can improve the
efficiency and consistency of data classification, but it does not guarantee that the data is correctly
classified. The IS auditor still needs to verify the accuracy and validity of the automated
classifications, and check for any errors or anomalies.
A data dictionary is maintained means that the organization keeps a record of the definitions, formats,
sources, and relationships of the data elements in its systems or databases. This can enhance the
understanding and usability of the data, but it does not ensure that the data is correctly classified. The
IS auditor still needs to examine the content and context of the data, and compare it with the
classification criteria and policies.
Data retention requirements are clearly defined means that the organization specifies how long it will
keep different types of data, and when it will delete or archive them. This can help reduce storage
costs, improve performance, and comply with legal obligations, but it does not ensure that the data is
correctly classified. The IS auditor still needs to assess whether the data is stored and protected
according to its classification level, and whether the retention periods are appropriate for each type of
data.
Therefore, data is correctly classified is the best answer.
References:
Data Classification: The Basics and a 6-Step Checklist - NetApp
What is Data Classification? Guidelines and Process - Varonis
Data Classification and Handling Procedures Guide

150.Which of the following BEST describes an audit risk?
A. The company is being sued for false accusations.
B. The financial report may contain undetected material errors.
C. Employees have been misappropriating funds.
D. Key employees have not taken vacation for 2 years.
Answer: B
Explanation:
The best description of an audit risk is that the financial report may contain undetected material
errors. Audit risk is the risk that the auditor expresses an inappropriate opinion on the financial report
when it contains material misstatements or errors. Audit risk consists of three components: inherent
risk, control risk, and detection risk. Inherent risk is the susceptibility of an assertion or a control to a
material misstatement or error due to factors such as complexity, volatility, fraud, or human error.
Control risk is the risk that a material misstatement or error will not be prevented or detected by the
internal controls. Detection risk is the risk that the auditor’s procedures will not detect a material
misstatement or error that exists in an assertion or a control.
References:
CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database

151.Which of the following is MOST important for an IS auditor to review when determining whether
IT investments are providing value to the business?
A. Return on investment (ROI)
B. Business strategy
C. Business cases
D. Total cost of ownership (TCO)
Answer: B
Explanation:
The answer B is correct because the most important thing for an IS auditor to review when
determining whether IT investments are providing value to the business is the business strategy. The
business strategy is the plan or direction that guides the organization’s decisions and actions to
achieve its goals and objectives. The business strategy defines the organization’s vision, mission,
values, competitive advantage, target market, value proposition, and key performance indicators
(KPIs).
IT investments are the expenditures or costs incurred by the organization to acquire, develop,
maintain, or improve its IT assets, such as hardware, software, network, data, or services. IT
investments can help the organization to support its business processes, operations, functions, and
capabilities. IT investments can also help the organization to create or enhance its products, services,
or solutions for its customers or stakeholders.
To determine whether IT investments are providing value to the business, an IS auditor needs to
review how well the IT investments align with and contribute to the business strategy. Alignment
means that the IT investments are consistent and compatible with the business strategy, and that
they support and enable the achievement of the strategic goals and objectives. Contribution means
that the IT investments are effective and efficient in delivering the expected outcomes and benefits for
the business, and that they generate a positive return on investment (ROI) or value for money.
An IS auditor can use various methods or frameworks to review the alignment and contribution of IT
investments to the business strategy, such as:
Balanced scorecard: A balanced scorecard is a tool that measures and monitors the performance of
an organization across four perspectives: financial, customer, internal process, and learning and
growth. A balanced scorecard can help an IS auditor to evaluate how well the IT investments support
and improve each perspective of the organization’s performance, and how they link to the
organization’s vision and strategy.
Value chain analysis: A value chain analysis is a tool that identifies and analyzes the primary and
support activities that add value to an organization’s products or services. A value chain analysis can
help an IS auditor to assess how well the IT investments enhance or optimize each activity of the
value chain, and how they create or sustain a competitive advantage for the organization.
Business case analysis: A business case analysis is a tool that evaluates the feasibility, viability, and
desirability of a proposed project or initiative. A business case analysis can help an IS auditor to
examine how well the IT investments address a business problem or opportunity, how they deliver the
expected benefits and outcomes for the stakeholders, and how they compare with alternative options
or solutions.
The other options are not as important as option B. Return on investment (ROI) (option A) is a metric
that measures the profitability or efficiency of an investment by comparing its benefits or returns with
its costs or expenses. ROI can help an IS auditor to quantify the value of IT investments for the
business, but it does not capture all aspects of value, such as quality, satisfaction, or impact. ROI also
depends on how well the IT investments align with the business strategy in the first place. Business
cases (option C) are documents that justify and support a proposed project or initiative by describing
its objectives, scope, benefits, costs, risks, and alternatives. Business cases can help an IS auditor to
understand the rationale and expectations for IT investments, but they do not guarantee that the IT
investments will actually deliver the desired value for the business. Business cases also need to be
aligned with the business strategy to ensure their relevance and validity. Total cost of ownership
(TCO) (option D) is a metric that measures the total costs incurred by an organization to acquire,
operate, maintain, and dispose of an IT asset over its life cycle. TCO can help an IS auditor to
estimate the financial impact of IT investments for the business, but it does not reflect the benefits or
outcomes of IT investments, nor does it indicate how well the IT investments support or enable the
business strategy.
References:
IT Strategy: Aligning IT & Business Strategy
How To Measure The Value Of Your Technology Investments
IT Investment Management: A Framework for Assessing … - GAO
How To Align Your Technology Investments With Your Business Strategy

152.Capacity management tools are PRIMARILY used to ensure that:
A. available resources are used efficiently and effectively
B. computer systems are used to their maximum capacity most of the time
C. concurrent use by a large number of users is enabled
D. proposed hardware acquisitions meet capacity requirements
Answer: A
Explanation:
Capacity management tools are primarily used to ensure that available resources are used efficiently
and effectively to meet the current and future demands of the business. Capacity management tools
can help monitor, analyze and optimize the performance and utilization of IT resources such as CPU,
memory, disk, network, etc. The other options are not the primary purpose of capacity management
tools, although they may be related or derived from them.
References:
ISACA, CISA Review Manual, 27th Edition, chapter 4, section 4.32
ISACA, COBIT 2019 Framework: Introduction and Methodology, section 3.2

153.Which of the following is the MOST important consideration when establishing operational log
management?
A. Types of data
B. Log processing efficiency
C. IT organizational structure
D. Log retention period
Answer: D

154.Which of the following is the PRIMARY purpose of a rollback plan for a system change?
A. To ensure steps exist to remove the change if necessary
B. To ensure testing can be re-performed if required
C. To ensure a backup exists before implementing a change
D. To ensure the system change is effective
Answer: A

155.Which of the following is the GREATEST advantage of utilizing guest operating systems in a
virtual environment?
A. They can be logged into and monitored from any location.
B. They prevent access to the greater environment via Transmission Control Protocol/Internet
Protocol (TCP/IP).
C. They are easier to containerize with minimal impact to the rest of the environment.
D. They can be wiped quickly in the event of a security breach.
Answer: C

156.Which of the following is an IS auditor’s BEST approach when low-risk anomalies have been
identified?
A. Reprioritize further testing of the anomalies and refocus on issues with higher risk
B. Update the audit plan to include the information collected during the audit
C. Ask auditees to promptly remediate the anomalies
D. Document the anomalies in audit workpapers
Answer: D
Explanation:
Documenting anomalies in audit workpapers (D) is the best approach because it ensures traceability,
supports findings in the audit report, and allows for future reference if similar issues arise. Even if an
anomaly is low-risk, proper documentation is a fundamental audit practice.
Other options:
Reprioritizing testing (A) is a valid audit approach but does not address documentation needs.
Updating the audit plan (B) may be necessary but does not replace documentation.
Prompt remediation (C) is an operational concern but is not always the auditor’s primary role.
Reference: ISACA CISA Review Manual, Audit Process

157.Which of the following should be the FIRST step in the incident response process for a suspected
breach?
A. Inform potentially affected customers of the security breach
B. Notify business management of the security breach.
C. Research the validity of the alerted breach
D. Engage a third party to independently evaluate the alerted breach.
Answer: C
Explanation:
The first step in the incident response process for a suspected breach is to research the validity of the
alerted breach. An incident response process is a set of procedures that defines how to handle
security incidents in a timely and effective manner. The first step in this process is to research the
validity of the alerted breach, which means to verify whether the alert is genuine or false positive, to
determine the scope and impact of the incident, and to gather relevant information for further analysis
and action. Informing potentially affected customers of the security breach, notifying business
management of the security breach, and engaging a third party to independently evaluate the alerted
breach are also steps in the incident response process, but they are not the first step.
References:
CISA Review Manual, 27th Edition, page 4251
CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

158.When auditing the alignment of IT to the business strategy, it is MOST important for the IS
auditor to:
A. compare the organization's strategic plan against industry best practice.
B. interview senior managers for their opinion of the IT function.
C. ensure an IT steering committee is appointed to monitor new IT projects.
D. evaluate deliverables of new IT initiatives against planned business services.
Answer: D
Explanation:
When auditing the alignment of IT to the business strategy, it is most important for the IS auditor to
evaluate deliverables of new IT initiatives against planned business services. This can help the IS
auditor to assess whether the IT initiatives are meeting the business needs and expectations,
delivering value and benefits, and supporting the business objectives and goals. Comparing the
organization’s strategic plan against industry best practice is a possible technique for auditing the
alignment of IT to the business strategy, but it is not the most important thing for the IS auditor to do,
as industry best practice may not be applicable or relevant to the specific context or situation of the
organization. Interviewing senior managers for their opinion of the IT function is a possible technique
for auditing the alignment of IT to the business strategy, but it is not the most important thing for the
IS auditor to do, as senior managers’ opinions may be subjective or biased, and may not reflect the
actual performance or outcomes of the IT function. Ensuring an IT steering committee is appointed to
monitor new IT projects is a possible control for ensuring the alignment of IT to the business strategy,
but it is not the most important thing for the IS auditor to do, as an IT steering committee may not be
effective or efficient in monitoring new IT projects, and may not have sufficient authority or influence
over the IT function.

159.Which of the following BEST enables an IS auditor to combine and compare access control lists
from various applications and devices?
A. Integrated test facility (ITF)
B. Snapshots
C. Data analytics
D. Audit hooks
Answer: C
Explanation:
Data analytics is the process of analyzing large and complex data sets to discover patterns, trends,
and insights that can support decision making and problem solving. Data analytics can enable an IS
auditor to combine and compare access control lists from various applications and devices by using
techniques such as data extraction, transformation, loading, cleansing, integration, aggregation,
visualization, and reporting. Data analytics can help an IS auditor to identify and assess the risks and
controls related to access management, such as unauthorized or excessive access, segregation of
duties violations, access policy compliance, access activity monitoring, and access review and
remediation.
The other options are not as effective or relevant as data analytics for combining and comparing
access control lists from various applications and devices. Integrated test facility (ITF) is a technique
for testing the validity and accuracy of application processing by inserting fictitious transactions into
the system and verifying the results. ITF does not directly involve the analysis of access control lists.
Snapshots are records of selected information at a specific point in time that can be used to monitor
system activity or performance. Snapshots can provide some information about access control lists,
but they are not sufficient to combine and compare them across different sources. Audit hooks are
software routines embedded in an application that can trigger an alert or a report when certain
conditions are met. Audit hooks can help to detect anomalies or exceptions in access control lists, but
they do not provide a comprehensive or integrated view of them.
References:
ISACA, CISA Review Manual, 27th Edition, 2019, p. 2361
ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition, 2014, p. 882
Data Analytics for Auditing Access Control
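To make the data-analytics approach in the explanation above concrete, here is an added example (not from the question bank or ISACA) that normalizes access control lists from three differently shaped sources into one entitlement matrix and then runs two audit checks over it: users holding privileged roles on several systems, and segregation-of-duties conflicts. All three inputs are constructed samples shaped like a Unix group file, an application role export and a network-device account table; the privileged-role set and the conflicting-entitlement pair are assumptions chosen for the illustration.

```python
"""Combine access control lists from several sources and compare them.

Constructed example: the three inputs below are made-up samples shaped like
(1) a Unix /etc/group file, (2) a CSV export of application roles and
(3) a network-device local-account table. None of them come from a real
system; they exist only so the analysis can run offline.
"""
import csv
import io
from collections import defaultdict

# --- Constructed sample inputs (not real data) -----------------------------
UNIX_GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob
payroll_ops:x:501:carol,dave
"""

APP_ROLE_CSV = """\
username,application,role
alice,ERP,admin
bob,ERP,ap_clerk
bob,ERP,ap_approver
carol,ERP,payroll_entry
erin,HR,viewer
"""

DEVICE_ACCOUNTS = [
    {"device": "fw-edge-01", "user": "alice", "level": 15},
    {"device": "fw-edge-01", "user": "dave", "level": 1},
    {"device": "sw-core-02", "user": "bob", "level": 15},
]

# Role names treated as privileged on any system (assumption for the example).
PRIVILEGED = {"wheel", "root", "admin"}

# Entitlement pairs one person should not hold together (assumption).
SOD_CONFLICTS = [("ERP:ap_clerk", "ERP:ap_approver")]


def parse_unix_groups(text):
    """Yield (user, 'unix', group) from /etc/group-style lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        for user in filter(None, members.split(",")):
            yield user, "unix", name


def parse_app_roles(text):
    """Yield (user, application, role) from the CSV role export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["username"], row["application"], row["role"]


def parse_device_accounts(rows):
    """Map numeric device privilege levels onto a common role vocabulary."""
    for row in rows:
        role = "admin" if row["level"] >= 15 else "operator"
        yield row["user"], row["device"], role


def build_entitlement_matrix(sources):
    """Integrate every source into {user: {'system:role', ...}}."""
    matrix = defaultdict(set)
    for entries in sources:
        for user, system, role in entries:
            matrix[user].add(f"{system}:{role}")
    return dict(matrix)


def privileged_on_multiple_systems(matrix, min_systems=2):
    """Users holding a privileged role on at least min_systems systems."""
    result = {}
    for user, ents in matrix.items():
        systems = {e.split(":")[0] for e in ents if e.split(":")[1] in PRIVILEGED}
        if len(systems) >= min_systems:
            result[user] = sorted(systems)
    return result


def sod_violations(matrix):
    """Users holding both halves of any conflicting entitlement pair."""
    return sorted(
        (user, a, b)
        for user, ents in matrix.items()
        for a, b in SOD_CONFLICTS
        if a in ents and b in ents
    )


def run_analysis():
    """Return (matrix, multi-system admins, SoD conflicts) for the samples."""
    matrix = build_entitlement_matrix([
        parse_unix_groups(UNIX_GROUP_FILE),
        parse_app_roles(APP_ROLE_CSV),
        parse_device_accounts(DEVICE_ACCOUNTS),
    ])
    return matrix, privileged_on_multiple_systems(matrix), sod_violations(matrix)


if __name__ == "__main__":
    matrix, multi_admin, sod = run_analysis()
    for user in sorted(matrix):
        print(user, sorted(matrix[user]))
    print("privileged on several systems:", multi_admin)
    print("segregation-of-duties conflicts:", sod)
```

The point of the normalization step is that each source expresses privilege differently (a group name, a role string, a numeric level); once every entry is reduced to the same `system:role` form, the comparison across sources becomes a set operation, which is what the explanation means by combining and comparing access control lists. In a real review the same structure would be fed from exported ACLs and an HR roster rather than the constructed strings above.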

160.An employee loses a mobile device resulting in loss of sensitive corporate data.
Which of the following would have BEST prevented data leakage?
A. Data encryption on the mobile device
B. Complex password policy for mobile devices
C. The triggering of remote data wipe capabilities
D. Awareness training for mobile device users
Answer: A
Explanation:
The best way to prevent data leakage from a lost mobile device is data encryption on the mobile
device. Data encryption is a technique that transforms data into an unreadable format using a secret
key or algorithm. Data encryption protects data from unauthorized access or disclosure in case of loss
or theft of a mobile device. Complex password policy for mobile devices, triggering of remote data
wipe capabilities, and awareness training for mobile device users are useful measures to enhance
data security on mobile devices, but they do not prevent data leakage as effectively as data
encryption. A complex password policy can be bypassed by brute force attacks or password cracking
tools. Remote data wipe capabilities depend on network connectivity and device power availability.
Awareness training for mobile device users can reduce human errors or negligence, but it cannot
guarantee compliance or behavior change.
References: CISA Review Manual (Digital Version): Chapter 5 - Information Systems Operations and
Business Resilience

161.An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
A. some of the identified threats are unlikely to occur.
B. all identified threats relate to external entities.
C. the exercise was completed by local management.
D. neighboring organizations' operations have been included.
Answer: B
Explanation:
An IS auditor reviewing the threat assessment for a data center would be most concerned if all
identified threats relate to external entities. This indicates that the threat assessment is incomplete
and biased, as it ignores the potential threats from internal sources, such as employees, contractors,
vendors, or authorized visitors. Internal threats can pose significant risks to the data center, as they
may have access to sensitive information, systems, or facilities, and may exploit their privileges for
malicious or fraudulent purposes. According to a study by IBM, 60% of cyberattacks in 2015 were
carried out by insiders.
Some of the identified threats are unlikely to occur is not a cause for concern, as it shows that the
threat assessment is comprehensive and realistic, and considers all possible scenarios, regardless of
their probability. A threat assessment should not exclude any potential threats based on subjective
judgments or assumptions, as they may still have a high impact if they materialize.
The exercise was completed by local management is not a cause for concern, as it shows that the
threat assessment is conducted by the people who are most familiar with the data center’s
operations, environment, and risks. Local management may have more relevant and accurate
information and insights than external parties, and may be more invested in the outcome of the threat
assessment.
Neighboring organizations’ operations have been included is not a cause for concern, as it shows
that the threat assessment is holistic and contextual, and considers the interdependencies and
influences of external factors on the data center’s security. Neighboring organizations’ operations
may pose direct or indirect threats to the data center, such as physical damage, network interference,
or shared vulnerabilities.
References:
IBM Security Services 2016 Cyber Security Intelligence Index

162.An organization allows its employees to use personal mobile devices for work.
Which of the following would BEST maintain information security without compromising employee
privacy?
A. Installing security software on the devices
B. Partitioning the work environment from personal space on devices
C. Preventing users from adding applications
D. Restricting the use of devices for personal purposes during working hours
Answer: B
Explanation:
Partitioning the work environment from personal space on devices. This would best maintain
information security without compromising employee privacy by creating a separate and secure area
on the personal mobile devices for work-related data and applications. This way, the organization can
protect its information from unauthorized access, loss, or leakage, while respecting the employees’
personal data and preferences on their own devices.
The other options are not as effective as option B in balancing information security and employee
privacy.
Option A, installing security software on the devices, is a good practice but may not be sufficient to
prevent data breaches or comply with regulatory requirements.
Option C, preventing users from adding applications, is too restrictive and may interfere with the
employees’ personal use of their devices.
Option D, restricting the use of devices for personal purposes during working hours, is impractical and
difficult to enforce.
References:
ISACA, CISA Review Manual, 27th Edition, 2019
ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
Personal Cellphone Privacy at Work
Protecting your personal information and privacy on a company phone
Mobile Devices and Protected Health Information (PHI)
Using your personal phone for work? Here’s how to separate your apps and data
9 Ways to Improve Mobile Security and Privacy in the Age of Remote Work

163.Which of the following is the MOST significant impact to an organization that does not use an IT
governance framework?
A. Inadequate measurement of key risk indicators (KRIs)
B. Inadequate alignment of IT plans and business objectives
C. Inadequate business impact analysis (BIA) results and predictions
D. Inadequate measurement of key performance indicators (KPIs)
Answer: B
Explanation:
The most significant impact to an organization that does not use an IT governance framework is
inadequate alignment of IT plans and business objectives. IT governance is a framework for the
governance and management of enterprise information and technology (I&T) that supports enterprise
goal achievement. IT governance helps to ensure that IT investments and activities are aligned with
the business strategy, vision, and values of the organization. IT governance also helps to optimize the
value of IT, manage IT-related risks, and measure and monitor IT performance.
Without an IT governance framework, an organization may face challenges such as:
Lack of clarity and direction for IT decision making
Inconsistent or conflicting IT priorities and demands
Inefficient or ineffective use of IT resources and capabilities
Poor quality or delivery of IT services and products
Increased exposure to IT-related threats and vulnerabilities
Reduced customer satisfaction and trust in IT
Missed opportunities for innovation and competitive advantage
Therefore, an organization that does not use an IT governance framework may fail to achieve its
business objectives and may lose its competitive edge in the market.
References:
COBIT 2019 Framework Introduction and Methodology, Section 1.1: What Is Governance of
Enterprise I&T?
IT Governance: Definitions, Frameworks and Planning, Section 1: What Is IT Governance?

164.Which of the following is MOST important to consider when scheduling follow-up audits?
A. The efforts required for independent verification with new auditors
B. The impact if corrective actions are not taken
C. The amount of time the auditee has agreed to spend with auditors
D. Controls and detection risks related to the observations
Answer: B
Explanation:
The impact if corrective actions are not taken is the most important factor to consider when
scheduling follow-up audits. An IS auditor should prioritize the follow-up audits based on the risk and
potential consequences of not addressing the audit findings and recommendations. The other options
are less important factors that may affect the timing and scope of the follow-up audits, but not their
necessity or urgency.
References:
CISA Review Manual (Digital Version), Chapter 2, Section 2.5.31
CISA Review Questions, Answers & Explanations Database, Question ID 207

165.Which of the following documents would be MOST useful in detecting a weakness in segregation
of duties?
A. System flowchart
B. Data flow diagram
C. Process flowchart
D. Entity-relationship diagram
Answer: C
Explanation:
The best document for an IS auditor to use in detecting a weakness in segregation of duties is a
process flowchart. A process flowchart is a diagram that illustrates the sequence of steps, activities,
tasks, or decisions involved in a business process. A process flowchart can help detect a weakness in
segregation of duties by showing who performs what actions or roles in a process, and whether there
is any overlap or conflict of interest among them. The other options are not as useful as a process
flowchart in detecting a weakness in segregation of duties, as they do not show who performs what
actions or roles in a process. A system flowchart is a diagram that illustrates the components,
functions, interactions, or logic of an information system. A data flow diagram is a diagram that
illustrates how data flows from sources to destinations through processes, stores, or external entities.
An entity-relationship diagram is a diagram that illustrates how entities (such as tables) are related to
each other through attributes (such as keys) in a database.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

166.An IS auditor finds a user account where privileged access is not appropriate for the user’s role.
Which of the following would provide the BEST evidence to determine whether the risk of this access
has been exploited?
A. Activity log for the account
B. Interview with the user's manager
C. Last logon date for the account
D. Documented approval for the account
Answer: A

167.Which of the following should be considered when examining fire suppression systems as part of
a data center environmental controls review?
A. Installation manuals
B. Onsite replacement availability
C. Insurance coverage
D. Maintenance procedures
Answer: D
Explanation:
The correct answer is D. Maintenance procedures should be considered when examining fire
suppression systems as part of a data center environmental controls review. Fire suppression
systems are critical for protecting the data center equipment and personnel from fire hazards.
Therefore, they should be regularly maintained and tested to ensure their proper functioning and
compliance with safety standards. Maintenance procedures should include inspection, cleaning,
replacement, and repair of the fire suppression system components, as well as documentation of the
maintenance activities and results. Installation manuals, onsite replacement availability, and
insurance coverage are not directly related to the fire suppression system performance and
effectiveness, and therefore are not relevant for the audit review.
References: CISA Review Manual (Digital Version), page 403.

168.Which of the following is the PRIMARY purpose of obtaining a baseline image during an
operating system audit?
A. To identify atypical running processes
B. To verify antivirus definitions
C. To identify local administrator account access
D. To verify the integrity of operating system backups
Answer: A
Explanation:
The primary purpose of obtaining a baseline image during an operating system audit is to identify
atypical running processes. A baseline image is a snapshot of the normal state and configuration of
an operating system, including the processes that are expected to run on it. By comparing the current
state of the operating system with the baseline image, an IS auditor can detect any deviations or
anomalies that may indicate unauthorized or malicious activity, such as malware infection, privilege
escalation, or data exfiltration. A baseline image can also help an IS auditor to assess the
performance and efficiency of the operating system, as well as its compliance with security standards
and policies.
Verifying antivirus definitions (option B) is not the primary purpose of obtaining a baseline image,
although it may be a part of the baseline configuration. Antivirus definitions are the files that contain
the signatures and rules for detecting and removing malware. An IS auditor may verify that the
antivirus definitions are up to date and consistent across the operating system, but this does not
require obtaining a baseline image.
Identifying local administrator account access (option C) is not the primary purpose of obtaining a
baseline image, although it may be a part of the baseline configuration. Local administrator accounts
are user accounts that have full control over the operating system and its resources. An IS auditor
may identify and review the local administrator accounts to ensure that they are properly secured and
authorized, but this does not require obtaining a baseline image.
Verifying the integrity of operating system backups (option D) is not the primary purpose of obtaining
a baseline image, although it may be a part of the backup process. Operating system backups are
copies of the operating system data and settings that can be used to restore the system
in case of failure or disaster. An IS auditor may verify that the operating system backups are
complete, accurate, and accessible, but this does not require obtaining a baseline image.
References: Linux security and system hardening checklist : CISA Certification | Certified Information
Systems Auditor | ISACA : CISA Certified Information Systems Auditor Study Guide, 4th Edition :
CISA - Certified Information Systems Auditor Study Guide [Book]
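
As an added illustration of the baseline comparison described above (example code written for this page, not taken from the CISA manual or any ISACA material), the following Python compares a constructed baseline process snapshot against a constructed current snapshot. Both snapshots are sample data, and the tuple layout (name, executable path, account) is an assumption; on a real host the lists would come from the OS process table. Keying on path and account, not just the process name, is what lets the check flag a known binary that has moved to an unexpected path or is running under a different account, which are the deviations the explanation associates with malware or privilege escalation.

```python
"""Baseline-vs-current process comparison for an operating system audit.

Added example: constructed data, not from the CISA manual or a real host.
Assumes each snapshot is a list of (process name, executable path, account).
"""
from collections import Counter

# Constructed baseline: process set recorded on the approved reference image.
BASELINE = [
    ("sshd", "/usr/sbin/sshd", "root"),
    ("cron", "/usr/sbin/cron", "root"),
    ("nginx", "/usr/sbin/nginx", "www-data"),
    ("nginx", "/usr/sbin/nginx", "www-data"),
]

# Constructed current snapshot: one nginx worker now runs as root, and an
# unknown process is running from a temporary directory.
CURRENT = [
    ("sshd", "/usr/sbin/sshd", "root"),
    ("cron", "/usr/sbin/cron", "root"),
    ("nginx", "/usr/sbin/nginx", "www-data"),
    ("nginx", "/usr/sbin/nginx", "root"),
    ("updater", "/tmp/updater", "www-data"),
]


def compare_to_baseline(baseline, current):
    """Return a sorted list of findings as (kind, name, path, account).

    DEVIATION  - a name known from the baseline, but at a new path or account
    UNEXPECTED - a process name the baseline never contained
    MISSING    - a baseline process (or instance count) no longer running
    Counter subtraction keeps multiplicity, so a missing worker is reported.
    """
    base = Counter(baseline)
    cur = Counter(current)
    new = sorted((cur - base).elements())      # running now, not in baseline
    missing = sorted((base - cur).elements())  # expected, but not running
    known_names = {name for name, _, _ in baseline}

    findings = []
    for name, path, account in new:
        kind = "DEVIATION" if name in known_names else "UNEXPECTED"
        findings.append((kind, name, path, account))
    for name, path, account in missing:
        findings.append(("MISSING", name, path, account))
    return findings


if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, CURRENT):
        print(" ".join(finding))
```

Every finding is evidence to follow up, not a conclusion: a DEVIATION may be an approved configuration change, so the auditor traces it to change records before treating it as an anomaly.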

169.Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud
environment?
A. Monitoring tools are configured to alert in case of downtime
B. A comprehensive security review is performed every quarter.
C. Data for different tenants is segregated by database schema
D. Tenants are required to implement data classification policies
Answer: D
Explanation:
Data leakage prevention (DLP) is the process of preventing unauthorized access, disclosure, or
transfer of sensitive data. In a multi-tenant cloud environment, where multiple customers share the
same infrastructure and resources, DLP is a critical challenge. One of the best methods to enforce
DLP in such an environment is to require tenants to implement data classification policies. Data
classification policies define the types and levels of sensitivity of data, and the corresponding security
controls and measures to protect them. By implementing data classification policies, tenants can
ensure that their data is properly labeled, encrypted, segregated, and monitored according to their
specific requirements and compliance standards. This can help prevent data leakage from accidental
or malicious actions by other tenants, cloud service providers, or external parties.
References:
2: How Do I Secure my Data in a Multi-Tenant Cloud Environment? | Thales
3: Protecting Sensitive Customer Data in a Cloud-Based Multi-Tenant Environment | Saturn Cloud
4: Microsoft 365 isolation controls - Microsoft Service Assurance

170.Which of the following is the MAIN objective of enterprise architecture (EA) governance?
A. To ensure new processes and technologies harmonize with existing processes
B. To ensure the EA can adapt to emerging technology trends
C. To ensure the EA is compliant with local laws and regulations
D. To ensure new initiatives produce an acceptable return on investment (ROI)
Answer: A
Explanation:
Comprehensive and Detailed Step-by-Step
Enterprise architecture (EA) governance ensures that IT and business alignment is maintained and
that new processes and technologies integrate well with existing structures.
Option A (Correct): The primary purpose of EA governance is to ensure that new technologies,
processes, and systems align and harmonize with existing architecture to maintain operational
efficiency and consistency.
Option B (Incorrect): While adaptability to emerging technology trends is important, EA governance
focuses more on structure, consistency, and compliance rather than just adaptability.
Option C (Incorrect): Compliance with regulations is crucial, but it is just one component of
governance. EA governance has a broader scope, including strategic alignment and process
integration.
Option D (Incorrect): Ensuring ROI is an important financial consideration, but it is not the main
objective of EA governance.
Reference: ISACA CISA Review Manual - Domain 1: Information Systems Auditing Process -
Covers governance, risk management, and ensuring alignment of EA with business objectives.

171.What would be an IS auditor's BEST recommendation upon finding that a third-party IT service
provider hosts the organization's human resources (HR) system in a foreign country?
A. Perform background verification checks.
B. Review third-party audit reports.
C. Implement change management review.
D. Conduct a privacy impact analysis.
Answer: D
Explanation:
The best recommendation for an IS auditor when finding that a third-party IT service provider hosts
the organization’s HR system in a foreign country is to conduct a privacy impact analysis. A privacy
impact analysis is a systematic process that identifies and evaluates the potential risks and impacts of
collecting, using, disclosing, and storing personal information. A privacy impact analysis will help the
IS auditor to assess the legal, regulatory, contractual, and ethical obligations of the organization and
the service provider regarding the protection of personal information. A privacy impact analysis will
also help to identify and mitigate any privacy risks and gaps in the service level agreement.
References:
CISA Certification | Certified Information Systems Auditor | ISACA CISA Questions, Answers &
Explanations Database

172.An organization has made a strategic decision to split into separate operating entities to improve
profitability. However, the IT infrastructure remains shared between the entities.
Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT
environment as part of its annual plan?
A. Increasing the frequency of risk-based IS audits for each business entity
B. Developing a risk-based plan considering each entity's business processes
C. Conducting an audit of newly introduced IT policies and procedures
D. Revising IS audit plans to focus on IT changes introduced after the split
Answer: B
Explanation:
Developing a risk-based plan considering each entity’s business processes would best help to
ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan. A
risk-based plan is a plan that prioritizes the audit activities based on the level of risk associated with
each area or process. A risk-based plan can help to allocate the audit resources more efficiently and
effectively, and provide more assurance and value to the stakeholders.
By considering each entity’s business processes, the IS audit can identify and assess the specific
risks and controls that affect the IT environment of each entity, and tailor the audit objectives, scope,
and procedures accordingly. This can help to address the unique needs and expectations of each
entity, and ensure that the IS audit covers the key risk areas that are relevant and significant to each
entity’s operations, performance, and compliance.
The other options are not as effective as developing a risk-based plan considering each entity’s
business processes in ensuring that IS audit still covers key risk areas within the IT environment as
part of its annual plan.
Option A, increasing the frequency of risk-based IS audits for each business entity, is not a feasible or
efficient solution, as it may increase the audit costs and workload, and create duplication or overlap of
audit efforts.
Option C, conducting an audit of newly introduced IT policies and procedures, is a limited and narrow
approach, as it may not cover all the aspects or dimensions of the IT environment that may have
changed or been affected by the split.
Option D, revising IS audit plans to focus on IT changes introduced after the split, is a reactive and
short-term approach, as it may not reflect the current or future state of the IT environment or the
business objectives of each entity.
References:
ISACA, CISA Review Manual, 27th Edition, 2019
ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
Risk-Based Audit Planning: A Guide for Internal Audit
Risk-Based Audit Approach: Definition & Example

173.Which of the following is the MOST effective control to mitigate unintentional misuse of
authorized access?
A. Annual sign-off of acceptable use policy
B. Regular monitoring of user access logs
C. Security awareness training
D. Formalized disciplinary action
Answer: C
Explanation:
The most effective control to mitigate unintentional misuse of authorized access is security awareness
training. This is because security awareness training can educate users on the proper use of their
access rights, the potential consequences of misuse, and the best practices to protect the
confidentiality, integrity, and availability of information systems. Security awareness training can also
help users recognize and avoid common threats such as phishing, malware, and social engineering.
Annual sign-off of acceptable use policy, regular monitoring of user access logs, and formalized
disciplinary action are not the most effective controls to mitigate unintentional misuse of authorized
access. These controls may help deter or detect intentional misuse, but they do not address the root
cause of unintentional misuse, which is often a lack of knowledge or awareness of security policies
and procedures.

174.A fire alarm system has been installed in the computer room. The MOST effective location for the
fire alarm control panel would be inside the
A. computer room closest to the uninterruptible power supply (UPS) module
B. computer room closest to the server computers
C. system administrators’ office
D. booth used by the building security personnel
Answer: D
Explanation:
A fire alarm system is a device that detects and alerts people of the presence of fire or smoke in a
building. A fire alarm control panel is the central unit that monitors and controls the fire alarm system.
The most effective location for the fire alarm control panel would be inside the booth used by the
building security personnel.
This is because:
The security personnel can quickly and easily access the fire alarm control panel in case of an
emergency, and take appropriate actions such as notifying the fire department, evacuating the
building, or resetting the system.
The fire alarm control panel can be protected from unauthorized access, tampering, or damage by the
security personnel, who can also monitor its status and performance regularly.
The fire alarm control panel can be isolated from the computer room, which may be exposed to higher
risks of fire or smoke due to the presence of electrical equipment, such as uninterruptible power
supply (UPS) modules or server computers.
The fire alarm control panel can be connected to the computer room through a dedicated
communication line, which can ensure reliable and timely transmission of signals and information
between the two locations.
References:
[1]: Fire Alarm Control Panel - an overview | ScienceDirect Topics
[2]: Fire Alarm Control Panel - What is it and how does it work? | Fire Protection Online
[3]: Fire Alarm Control Panel Installation Guide - XLS3000 - Honeywell

175.Which of the following BEST Indicates that an incident management process is effective?
A. Decreased time for incident resolution
B. Increased number of incidents reviewed by IT management
C. Decreased number of calls to the help desk
D. Increased number of reported critical incidents
Answer: A
Explanation:
Decreased time for incident resolution is the best indicator that an incident management process is
effective. Incident management is a process that aims to restore normal service operation as quickly
as possible after an incident, which is an unplanned interruption or reduction in quality of an IT
service. Decreased time for incident resolution means that the incident management process is able
to identify, analyze, respond to, and resolve incidents efficiently and effectively. The other indicators
do not necessarily reflect the effectiveness of the incident management process, as they may depend
on other factors such as the nature, frequency, and severity of incidents.
References: CISA Review Manual, 27th Edition, page 372

176.Which of the following controls BEST ensures appropriate segregation of duties within an
accounts payable department?
A. Ensuring that audit trails exist for transactions
B. Restricting access to update programs to accounts payable staff only
C. Including the creator's user ID as a field in every transaction record created
D. Restricting program functionality according to user security profiles
Answer: D
Explanation:
Restricting program functionality according to user security profiles is the best control for ensuring
appropriate segregation of duties within an accounts payable department. An IS auditor should verify
that the access rights and permissions of the accounts payable staff are based on their roles and
responsibilities, and that they are not able to perform incompatible or conflicting functions such as
creating, approving, or paying invoices. This will help to prevent fraud, errors, or abuse of authority
within the accounts payable process. The other options are less effective controls for ensuring
segregation of duties, as they may involve audit trails, access restrictions, or user identification.
References:
CISA Review Manual (Digital Version), Chapter 6, Section 6.31
CISA Review Questions, Answers & Explanations Database, Question ID 223
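
To make the control concrete, here is an added example (written for this page; not ISACA's material and not any real accounts payable system) showing both halves of the control in Python: a preventive check that no user's security profile combines the conflicting functions create, approve and pay, and a detective check over the transaction records that the same user did not perform two conflicting actions on one invoice. The profiles, the transaction records and the list of conflicting function pairs are all constructed sample data.

```python
"""Segregation-of-duties checks for an accounts payable workflow.

Added example with constructed data; not from the CISA manual or a real system.
"""

# Pairs of program functions that must not be held by, or exercised by, one user.
CONFLICTING_FUNCTIONS = {
    ("create_invoice", "approve_invoice"),
    ("approve_invoice", "release_payment"),
    ("create_invoice", "release_payment"),
}

# Constructed user security profiles: user id -> permitted program functions.
PROFILES = {
    "alice": {"create_invoice"},
    "bob": {"approve_invoice"},
    "carol": {"release_payment"},
    "dave": {"create_invoice", "approve_invoice"},  # combines two conflicting functions
}

# Constructed transaction records: (invoice id, action, user id).
TRANSACTIONS = [
    ("INV-1001", "create_invoice", "alice"),
    ("INV-1001", "approve_invoice", "bob"),
    ("INV-1001", "release_payment", "carol"),
    ("INV-1002", "create_invoice", "dave"),
    ("INV-1002", "approve_invoice", "dave"),  # one user created and approved
]


def is_conflict(a, b):
    return (a, b) in CONFLICTING_FUNCTIONS or (b, a) in CONFLICTING_FUNCTIONS


def is_permitted(profiles, user, function):
    """The preventive control itself: the program allows a function only if the
    user's security profile grants it."""
    return function in profiles.get(user, set())


def profile_conflicts(profiles):
    """Audit test on the profiles: users granted two conflicting functions."""
    found = []
    for user, functions in sorted(profiles.items()):
        for a, b in sorted(CONFLICTING_FUNCTIONS):
            if a in functions and b in functions:
                found.append((user, a, b))
    return found


def transaction_conflicts(transactions):
    """Audit test on the trail: one user performing conflicting actions on the
    same invoice, which a correct profile restriction should have made impossible."""
    by_invoice = {}
    for invoice, action, user in transactions:
        by_invoice.setdefault(invoice, []).append((action, user))
    found = []
    for invoice, steps in sorted(by_invoice.items()):
        for i, (action1, user1) in enumerate(steps):
            for action2, user2 in steps[i + 1:]:
                if user1 == user2 and is_conflict(action1, action2):
                    found.append((invoice, user1, action1, action2))
    return found


if __name__ == "__main__":
    print("profile conflicts:", profile_conflicts(PROFILES))
    print("transaction conflicts:", transaction_conflicts(TRANSACTIONS))
```

The profile test is the one that matches the correct answer: it finds the problem before any transaction is posted. The transaction test is what the audit trail in option A supports, and it only finds the problem after the fact.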

177.An organization has recently become aware of a pervasive chip-level security vulnerability that
affects all of its processors.
Which of the following is the BEST way to prevent this vulnerability from being exploited?
A. Implement security awareness training.
B. Install vendor patches
C. Review hardware vendor contracts.
D. Review security log incidents.
Answer: B
Explanation:
The best way to prevent a chip-level security vulnerability from being exploited is to install vendor
patches. A chip-level security vulnerability is a flaw in the design or implementation of a processor
that allows an attacker to bypass the normal security mechanisms and access privileged information
or execute malicious code. A vendor patch is a software update provided by the manufacturer of the
processor that fixes or mitigates the vulnerability. Installing vendor patches can help to protect the
system from known exploits and reduce the risk of data leakage or compromise.
Security awareness training, reviewing hardware vendor contracts, and reviewing security log
incidents are not as effective as installing vendor patches for preventing a chip-level security
vulnerability from being exploited. Security awareness training is an educational program that teaches
users about the importance of security and how to avoid common threats. Reviewing hardware
vendor contracts is a legal process that evaluates the terms and conditions of the agreement between
the organization and the processor supplier. Reviewing security log incidents is an analytical process
that examines the records of security events and activities on the system. These methods may be
useful for other security purposes, but they do not directly address the root cause of the chip-level
vulnerability or prevent its exploitation.
References: Protecting your device against chip-related security vulnerabilities; New ‘Downfall’ Flaw
Exposes Valuable Data in Generations of Intel Chips

178.Which of the following would BEST indicate the effectiveness of a security awareness training
program?
A. Results of third-party social engineering tests
B. Employee satisfaction with training
C. Increased number of employees completing training
D. Reduced unintentional violations
Answer: D
Explanation:
The effectiveness of a security awareness training program is best indicated by a reduction in
unintentional violations. When employees are well-trained and aware of security practices, they are
less likely to inadvertently violate security policies or make mistakes that could lead to breaches.
While other factors (such as third-party social engineering tests, employee satisfaction, and
completion rates) provide valuable insights, the ultimate goal of security awareness training is to
minimize unintentional errors and improve overall security posture.
References:
https://www.isaca.org/resources/isaca-journal/issues/2023/volume-2/considerations-for-developing-cybersecurity-awareness-training
https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2023/security-awareness-training-a-critical-success-factor-for-organizations

179.Which of the following is MOST important for the successful establishment of a security
vulnerability management program?
A. A robust tabletop exercise plan
B. A comprehensive asset inventory
C. A tested incident response plan
D. An approved patching policy
Answer: B
Explanation:
A comprehensive asset inventory is the most important factor for the successful establishment of a
security vulnerability management program. A security vulnerability management program is a
systematic process of identifying, assessing, prioritizing, and remediating vulnerabilities in the
organization’s IT environment. A comprehensive asset inventory is a complete and accurate record
of all the hardware, software, and network components that the organization owns or uses.
A comprehensive asset inventory helps the organization to:
Know what assets are in scope for vulnerability scanning and assessment.
Identify the vulnerabilities that affect each asset and their severity level.
Prioritize the remediation of vulnerabilities based on the criticality and value of each asset.
Track the status and progress of vulnerability remediation for each asset.
Measure the effectiveness and maturity of the vulnerability management program.
A robust tabletop exercise plan is a simulated scenario that tests the organization’s preparedness
and response capabilities for a potential cyberattack or incident. A tabletop exercise plan is useful for
validating and improving the organization’s incident response plan, but it is not essential for
establishing a security vulnerability management program.
A tested incident response plan is a documented process that defines the roles, responsibilities, and
actions of the organization’s personnel in the event of a cyberattack or incident. A tested incident
response plan is important for minimizing the impact and restoring normal operations after a security
breach, but it is not critical for establishing a security vulnerability management program.
An approved patching policy is a set of rules and guidelines that governs how the organization
applies patches and updates to its IT systems and applications. An approved patching policy is a key
component of the remediation phase of the vulnerability management program, but it is not sufficient
for establishing a security vulnerability management program.

180.Which of the following key performance indicators (KPIs) provides stakeholders with the MOST
useful information about whether information security risk is being managed?
A. Time from identifying security threats to implementing solutions
B. The number of security controls audited
C. Time from security log capture to log analysis
D. The number of entries in the security risk register
Answer: A
Explanation:
Comprehensive and Detailed Step-by-Step
The speed at which security threats are mitigated is a key indicator of an organization's risk
management effectiveness.
Option A (Correct): Response time to security threats measures how efficiently security teams detect,
analyze, and mitigate risks, providing clear insight into security operations.
Option B (Incorrect): The number of security controls audited does not indicate how well risk is being
managed, only that reviews are taking place.
Option C (Incorrect): Log analysis speed is useful, but it does not directly measure risk mitigation
effectiveness.
Option D (Incorrect): Risk register entries indicate known risks but do not provide insight into how well
those risks are managed.
Reference: ISACA CISA Review Manual - Domain 5: Protection of Information Assets - Covers
security metrics, KPIs, and risk management evaluation.

181.Which of the following technologies BEST assists in protection of digital evidence as part of
forensic investigation acquisition?
A. Hardware-based media write blocker
B. Data encryption
C. Differential backups
D. Source media sanitization
Answer: A
Explanation:
A hardware-based media write blocker (Option A) ensures that forensic investigators can acquire
digital evidence without altering the original data, maintaining its integrity for legal proceedings.
ISACA CISA Reference: Digital forensics best practices emphasize write-blocking devices to prevent
contamination of evidence.
Risk Implication: Without a write blocker, evidence may be tampered with, compromising its
admissibility in court.
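
The way an auditor demonstrates that a write blocker did its job is by hashing: the source media is hashed before acquisition, the image is hashed, and the source is hashed again afterwards, and all three values must match. The following Python is an added example written for this page (not ISACA material and not a forensic tool) that shows why the blocker matters. The media is a constructed in-memory byte string standing in for a disk, and simulate_attach is a hypothetical stand-in for what happens when an operating system mounts writable media and updates filesystem metadata; with the blocker engaged the hashes agree, without it the source changes under the investigator and the chain of evidence is broken.

```python
"""Hash verification around a forensic acquisition, with and without a write blocker.

Added example: constructed media and a simulated mount, not a real acquisition.
"""
import hashlib


def sha256_chunks(data, block=4096):
    """Hash the media in fixed blocks, as an imaging tool streams a device."""
    h = hashlib.sha256()
    for i in range(0, len(data), block):
        h.update(data[i:i + block])
    return h.hexdigest()


def simulate_attach(media: bytearray, write_blocked: bool):
    """Hypothetical stand-in for attaching the media to the acquisition host.

    Without a write blocker, a mounting OS may write to the media (journal
    replay, access-time updates); here that is modelled as an 8-byte change
    to the filesystem header. With the blocker, the media is untouched.
    """
    if not write_blocked:
        media[0:8] = b"JOURNAL!"
    return media


def acquire(media: bytearray, write_blocked: bool):
    """Image the media and return the verification record an auditor would keep.

    evidence_intact is True only when the pre-acquisition source hash, the
    image hash and the post-acquisition source hash all agree.
    """
    source_before = sha256_chunks(media)
    simulate_attach(media, write_blocked)
    image = bytes(media)              # bit-for-bit copy of the attached media
    image_hash = sha256_chunks(image)
    source_after = sha256_chunks(media)
    return {
        "source_before": source_before,
        "image": image_hash,
        "source_after": source_after,
        "evidence_intact": source_before == image_hash == source_after,
    }


def constructed_media():
    """Constructed sample 'disk': an 8-byte header, padding and some file content."""
    return bytearray(b"FSHEADER" + b"\x00" * 100 + b"payroll.xlsx contents ..." + b"\xff" * 50)


if __name__ == "__main__":
    print("with write blocker:   ", acquire(constructed_media(), write_blocked=True))
    print("without write blocker:", acquire(constructed_media(), write_blocked=False))
```

Note what the failing case looks like: the image hash matches the post-acquisition source hash, so the image is a faithful copy of what was attached, but neither matches the pre-acquisition hash. The copy is accurate and the evidence is still spoiled, which is exactly the gap a write blocker closes.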

182.Which of the following is the GREATEST security risk associated with data migration from a
legacy human resources (HR) system to a cloud-based system?
A. Data from the source and target system may be intercepted.
B. Data from the source and target system may have different data formats.
C. Records past their retention period may not be migrated to the new system.
D. System performance may be impacted by the migration
Answer: A
Explanation:
The greatest security risk associated with data migration from a legacy human resources (HR) system
to a cloud-based system is data from the source and target system may be intercepted. Data
interception is an attack that occurs when an unauthorized entity or individual captures or accesses
data that are being transmitted or stored on an information system or network. Data interception can
compromise the confidentiality and integrity of data, and cause harm or damage to data owners or
users. Data migration from a legacy HR system to a cloud-based system involves transferring data
from one system or location to another system or location over a network connection. This poses a
high risk of data interception, as data may be exposed or vulnerable during transit or storage on
unsecured or untrusted networks or systems. Data from the source and target system may have
different data formats is a possible challenge associated with data migration from a legacy HR system
to a cloud-based system, but it is not a security risk. Data formats are specifications that define how
data are structured or encoded on an information system or network. Data formats may vary
depending on different systems or platforms. Data migration may require converting data from one
format to another format to ensure compatibility and interoperability between systems. Records past
their retention period may not be migrated to the new system is a possible outcome associated with
data migration from a legacy HR system to a cloud-based system, but it is not a security risk.
Retention period is a duration that defines how long data should be kept or stored on an information
system or network before being deleted or destroyed. Retention period may depend on various
factors such as legal requirements, business needs, storage capacity, etc. Data migration may
involve deleting or destroying data that are past their retention period to reduce the volume or
complexity of data to be transferred or to comply with regulations or policies. System performance
may be impacted by the migration is a possible impact associated with data migration from a legacy
HR system to a cloud-based system, but it is not a security risk. System performance is a measure of
how well an information system or network functions or operates, such as speed, reliability,
availability, etc. System performance may be affected by data migration, as data migration may
consume significant resources or bandwidth, cause interruptions or delays, or introduce errors or
inconsistencies.

183.When auditing the closing stages of a system development project, which of the following should
be the MOST important consideration?
A. Control requirements
B. Rollback procedures
C. Functional requirements documentation
D. User acceptance test (UAT) results
Answer: D
Explanation:
When auditing the closing stages of a system development project, the most important consideration
should be the user acceptance test (UAT) results. The UAT is a critical phase of the system
development life cycle (SDLC) that ensures that the system meets the functional requirements and
expectations of the end users. The UAT results provide evidence of the system’s quality,
performance, usability, and reliability. Control requirements, rollback procedures, and functional
requirements documentation are also important considerations, but they are not as crucial as the UAT
results in determining if the system is ready for deployment.
References: CISA Review Manual (Digital Version)1, page 325.

184.An internal audit department recently established a quality assurance (QA) program.
Which of the following activities is MOST important to include as part of the QA program
requirements?
A. Long-term internal audit resource planning
B. Ongoing monitoring of the audit activities
C. Analysis of user satisfaction reports from business lines
D. Feedback from internal audit staff
Answer: B
Explanation:
Ongoing monitoring of the audit activities is the most important activity to include as part of the quality
assurance (QA) program requirements for an internal audit department. An IS auditor should perform
regular reviews and evaluations of the audit processes, methods, standards, and outcomes to ensure
that they comply with the QA program objectives and criteria. This will help to maintain and improve
the quality and consistency of the audit services and deliverables. The other options are less
important activities to include as part of the QA program requirements, as they may involve long-term
resource planning, user satisfaction reports, or feedback from internal audit staff.
References:
CISA Review Manual (Digital Version), Chapter 2, Section 2.61
CISA Review Questions, Answers & Explanations Database, Question ID 224

185.An organization plans to replace its nightly batch processing backup to magnetic tape with real-
time replication to a second data center.
Which of the following is the GREATEST risk associated with this change?
A. Version control issues
B. Reduced system performance
C. Inability to recover from cybersecurity attacks
D. Increase in IT investment cost
Answer: C
Explanation:
Real-time replication to a second data center means that any changes made to the primary data
center are immediately copied to the secondary data center. This can improve data availability and
performance, but also introduces the risk of propagating malicious or erroneous changes to the
backup data center. If a cybersecurity attack compromises the primary data center, it may also affect
the secondary data center, making it difficult or impossible to recover from the attack using the
replicated data. Therefore, option C is the greatest risk associated with this change.
Option A is not correct because version control issues are more likely to occur with batch processing
backup, which may create inconsistencies between different versions of the data.
Option B is not correct because real-time replication may reduce system performance at the primary
data center, but it may also improve system performance at the secondary data center by reducing
latency and network traffic.
Option D is not correct because although real-time replication may increase IT investment cost, this is
not a risk but a trade-off that the organization has to consider.
References:
Data Replication: The Basics, Risks, and Best Practices
Best Practices for Data Replication Between Data Centers
The Good, Bad, and Ugly of Data Replication

186.An IS auditor is conducting a post-implementation review of an enterprise resource planning
(ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made
by the system.
The auditor's FIRST course of action should be to:
A. review recent changes to the system.
B. verify completeness of user acceptance testing (UAT).
C. verify results to determine validity of user concerns.
D. review initial business requirements.
Answer: C
Explanation:
The IS auditor’s first course of action should be to verify the results of the critical automatic
calculations made by the system to determine the validity of user concerns. This is because the IS
auditor needs to obtain sufficient and appropriate audit evidence to support the audit findings and
conclusions. By verifying the results, the IS auditor can assess whether there are any errors or
discrepancies in the system’s calculations that could affect the accuracy and reliability of the financial
data. The IS auditor can use various techniques to verify the results, such as re-performing the
calculations, comparing them with expected values, or tracing them to source documents.

187.While auditing a small organization's data classification processes and procedures, an IS auditor
noticed that data is often classified at the incorrect level.
What is the MOST effective way for the organization to improve this situation?
A. Use automatic document classification based on content.
B. Have IT security staff conduct targeted training for data owners.
C. Publish the data classification policy on the corporate web portal.
D. Conduct awareness presentations and seminars for information classification policies.
Answer: B
Explanation:
This is the most effective way for the organization to improve its data classification processes and
procedures, because data owners are the ones who are responsible for assigning the appropriate
level of classification to the data they create, collect, or manage. Data owners should be aware of the
data classification policy, the criteria for each level of classification, and the implications of
misclassification. IT security staff can provide tailored training for data owners based on their roles,
functions, and types of data they handle.
The other options are not as effective as having IT security staff conduct targeted training for data
owners:
Use automatic document classification based on content. This is a possible option, but it may not be
feasible or accurate for a small organization. Automatic document classification is a process that uses
artificial intelligence or machine learning to analyze the content of a document and assign a class
label based on predefined rules or models. However, this process may require a lot of resources,
expertise, and maintenance, and it may not capture all the nuances and context of the data. The IS
auditor should also verify the reliability and validity of the automatic document classification system.
Publish the data classification policy on the corporate web portal. This is a good practice, but it is not
enough to improve the data classification situation. Publishing the data classification policy on the
corporate web portal can increase the visibility and accessibility of the policy, but it does not ensure
that data owners will read, understand, and follow it. The IS auditor should also monitor and enforce
the compliance with the policy.
Conduct awareness presentations and seminars for information classification policies. This is a useful
measure, but it is not the most effective one. Conducting awareness presentations and seminars can
raise the general awareness and knowledge of information classification policies among all
employees, but it may not address the specific needs and challenges of data owners. The IS auditor
should also provide more in-depth and practical training for data owners.

188.An organization is establishing a steering committee for the implementation of a new enterprise
resource planning (ERP) system that uses Agile project management methodology.
What is the MOST important criterion for the makeup of this committee?
A. Senior management representation
B. Ability to meet the time commitment required
C. Agile project management experience
D. ERP implementation experience
Answer: C

189.Which of the following demonstrates the use of data analytics for a loan origination process?
A. Evaluating whether loan records are included in the batch file and are validated by the servicing
system
B. Comparing a population of loans input in the origination system to loans booked on the servicing
system
C. Validating whether reconciliations between the two systems are performed and discrepancies are
investigated
D. Reviewing error handling controls to notify appropriate personnel in the event of a transmission
failure
Answer: B
Explanation:
Data analytics can be used to compare data from different sources and identify any discrepancies or
anomalies. In this case, comparing a population of loans input in the origination system to loans
booked on the servicing system can help detect any errors or frauds in the loan origination process.
The other options are not examples of data analytics, but rather controls for data integrity,
reconciliation, and error handling.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3.2

190.Which of the following is the MOST significant risk to an organization migrating its onsite
application servers to a public cloud service provider?
A. Service provider access to organizational data
B. Account hacking from other clients using the same provider
C. Increased dependency on an external provider
D. Service provider limiting the right to audit
Answer: A
Explanation:
The biggest risk in cloud migration is data security, especially unauthorized access by the cloud
provider.
Option A (Correct): The cloud provider manages and stores organizational data, meaning that a
breach, insider threat, or improper access poses a major risk. Proper encryption and access controls
are critical.
Option B (Incorrect): While multi-tenancy risks exist, cloud providers typically implement strong
isolation mechanisms between clients.
Option C (Incorrect): Increased dependency on the provider is a concern, but the impact depends on
service agreements and redundancy measures.
Option D (Incorrect): Limiting the right to audit is a compliance issue, but data security risks are more
critical.
Reference: ISACA CISA Review Manual, Domain 5: Protection of Information Assets (covers cloud
computing risks and security considerations).

191.An IS auditor is reviewing an organization's system development life cycle (SDLC).
Which of the following MUST be included in the review?
A. Ownership of the system quality management plan
B. Utilization of standards in the system development processes and procedures
C. Validation that system development processes adhere to quality standards
D. Definition of quality attributes to be associated with the system
Answer: B

192.Which of the following is an IS auditor's BEST approach when preparing to evaluate whether the
IT strategy supports the organization's vision and mission?
A. Review strategic projects for return on investments (ROIs)
B. Solicit feedback from other departments to gauge the organization's maturity
C. Meet with senior management to understand business goals
D. Review the organization's key performance indicators (KPIs)
Answer: C
Explanation:
The best approach for an IS auditor to evaluate whether the IT strategy supports the organization’s
vision and mission is to meet with senior management to understand the business goals and how IT
can enable them. This will help the IS auditor to assess the alignment and integration of IT with the
business strategy and to identify any gaps or opportunities for improvement. Reviewing ROIs, KPIs,
or feedback from other departments may provide some insights, but they are not sufficient to evaluate
the IT strategy.
References: IS Audit and Assurance Standards, section “Standard 1201: Engagement Planning”

193.Management receives information indicating a high level of risk associated with potential flooding
near the organization's data center within the next few years. As a result, a decision has been made
to move data center operations to another facility on higher ground.
Which approach has been adopted?
A. Risk acceptance
B. Risk transfer
C. Risk reduction
D. Risk avoidance
Answer: D

194.Which of the following should be of GREATEST concern to an IS auditor when auditing an
organization's IT strategy development process?
A. The IT strategy was developed before the business plan
B. A business impact analysis (BIA) was not performed to support the IT strategy
C. The IT strategy was developed based on the current IT capability
D. Information security was not included as a key objective in the IT strategic plan.
Answer: D
Explanation:
The greatest concern for an IS auditor when auditing an organization’s IT strategy development
process is that information security was not included as a key objective in the IT strategic plan.
Information security is a vital component of IT strategy, as it ensures the confidentiality, integrity and
availability of information assets, and supports the business objectives and regulatory compliance.
The other options are not as significant as the lack of information security in the IT strategic plan.
References: CISA Review Manual (Digital Version), Chapter 1, Section 1.31

195.In an online application, which of the following would provide the MOST information about the
transaction audit trail?
A. System/process flowchart
B. File layouts
C. Data architecture
D. Source code documentation
Answer: C
Explanation:
In an online application, data architecture provides the most information about the transaction audit
trail, as it describes how data are created, stored, processed, accessed and exchanged among
different components of the application. Data architecture includes data models, schemas,
dictionaries, metadata, standards and policies that define the structure, quality, integrity, security and
governance of data. Data architecture can help the IS auditor to trace the origin, flow, transformation
and destination of data in an online transaction, and to identify the key data elements, attributes and
relationships that are relevant for audit purposes. A system/process flowchart is a graphical
representation of the sequence of steps or activities that are performed by a system or process. A
system/process flowchart can provide some information about the transaction audit trail, but it is not
as detailed or comprehensive as data architecture. A system/process flowchart shows the inputs,
outputs, decisions and actions of a system or process, but it does not show the data elements,
attributes and relationships that are involved in each step or activity. A file layout is a specification of
the format and structure of a data file. A file layout can provide some information about the
transaction audit trail, but it is not as detailed or comprehensive as data architecture. A file layout
shows the fields, types, lengths and positions of data in a file, but it does not show the origin, flow,
transformation and destination of data in an online transaction. Source code documentation is a
description of the logic, functionality and purpose of a program or module written in a programming
language. Source code documentation can provide some information about the transaction audit trail,
but it is not as detailed or comprehensive as data architecture. Source code documentation shows the
instructions, variables and parameters that are used to perform calculations and operations on data,
but it does not show the data elements, attributes and relationships that are involved in each
instruction or operation.
References: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations and
Business Resilience, Section 4.2: Data Administration Practices.

196.Which of the following is MOST important for an IS auditor to confirm when reviewing an
organization's incident response management program?
A. All incidents have a severity level assigned.
B. All identified incidents are escalated to the CEO and the CISO.
C. Incident response is within defined service level agreements (SLAs).
D. The alerting tools and incident response team can detect incidents.
Answer: D
Explanation:
The most important aspect of an incident response management program is the ability to detect
incidents in a timely and accurate manner. Without effective detection, the organization cannot
respond to incidents, mitigate their impact, or prevent their recurrence. The alerting tools and incident
response team are responsible for monitoring the IT environment, identifying anomalies or threats,
and notifying the appropriate stakeholders.
References
ISACA CISA Review Manual, 27th Edition, page 255
What is an incident response plan? And why do you need one?
ISACA CISA Certified Information Systems Auditor Exam … - PUPUWEB

197.Which of the following is the BEST data integrity check?
A. Counting the transactions processed per day
B. Performing a sequence check
C. Tracing data back to the point of origin
D. Preparing and running test data
Answer: C
Explanation:
Data integrity is the property that ensures that data is accurate, complete, consistent, and reliable
throughout its lifecycle. The best data integrity check is tracing data back to the point of origin, which
is the source where the data was originally created or captured. This check can verify that data has
not been altered or corrupted during transmission, processing, or storage. It can also identify any
errors or discrepancies in data entry or conversion. Counting the transactions processed per day is a
performance measure that does not directly assess data integrity. Performing a sequence check is a
validity check that ensures that data follows a predefined order or pattern. It can detect missing or out-
of-order data elements, but it cannot verify their accuracy or completeness. Preparing and running
test data is a testing technique that simulates real data to evaluate how a system handles different
scenarios. It can help identify errors or bugs in the system logic or functionality, but it cannot ensure
data integrity in production environments.
References: Information Systems Operations and Business Resilience, CISA Review Manual (Digital
Version)
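As an added illustration (not part of the question bank or of ISACA's material), the Python below runs the three kinds of check contrasted in questions 189 and 197 over a constructed loan data set: a daily count check, a sequence check on loan IDs, and a trace of every servicing record back to its origination record, which is the population comparison question 189 describes. The loan IDs, borrower names and amounts are made up for the example, and the servicing extract has three seeded defects so that the blind spots of the weaker checks are visible.

```python
"""Added example (not from the question bank): a daily count check, a sequence
check and a trace-to-origin comparison run over a constructed loan data set.
The origination system is the point of origin; the servicing extract is the
population being checked."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Loan:
    loan_id: int
    borrower: str
    amount: Decimal


# Constructed origination population (point of origin for every loan).
ORIGINATION = [
    Loan(1001, "A. Smith", Decimal("250000.00")),
    Loan(1002, "B. Jones", Decimal("125000.00")),
    Loan(1003, "C. Lee", Decimal("98000.00")),
    Loan(1004, "D. Patel", Decimal("310000.00")),
    Loan(1005, "E. Garcia", Decimal("45000.00")),
]

# Constructed servicing extract with three seeded defects: loan 1003 never
# arrived, loan 1004's amount changed in transit, and loan 1006 has no origin.
SERVICING = [
    Loan(1001, "A. Smith", Decimal("250000.00")),
    Loan(1002, "B. Jones", Decimal("125000.00")),
    Loan(1004, "D. Patel", Decimal("31000.00")),
    Loan(1005, "E. Garcia", Decimal("45000.00")),
    Loan(1006, "F. Zhang", Decimal("70000.00")),
]

# Constructed extract whose records are all present but out of order.
OUT_OF_ORDER = [
    Loan(1001, "A. Smith", Decimal("250000.00")),
    Loan(1003, "C. Lee", Decimal("98000.00")),
    Loan(1002, "B. Jones", Decimal("125000.00")),
]


def count_check(source, target):
    """Control total over the day's records: True when the counts agree.
    A dropped record and an extra record cancel out, so this passes here."""
    return len(source) == len(target)


def sequence_check(records):
    """Validity check on loan IDs: returns (missing_ids, out_of_order_ids).
    It sees gaps and ordering but never the content of a record."""
    ids = [r.loan_id for r in records]
    expected = set(range(min(ids), max(ids) + 1))
    missing = sorted(expected - set(ids))
    out_of_order = [b for a, b in zip(ids, ids[1:]) if b <= a]
    return missing, out_of_order


def trace_to_origin(source, target):
    """Trace every target record back to its origin record and compare all
    fields; this is the only check here that catches the altered amount."""
    src = {r.loan_id: r for r in source}
    tgt = {r.loan_id: r for r in target}
    return {
        "missing_in_target": sorted(src.keys() - tgt.keys()),
        "no_origin": sorted(tgt.keys() - src.keys()),
        "mismatched": sorted(i for i in src.keys() & tgt.keys() if src[i] != tgt[i]),
    }


if __name__ == "__main__":
    print("count check passes:", count_check(ORIGINATION, SERVICING))
    print("sequence check:", sequence_check(SERVICING))
    print("sequence check, reordered extract:", sequence_check(OUT_OF_ORDER))
    print("trace to origin:", trace_to_origin(ORIGINATION, SERVICING))
```

On this data the count check passes because a missing record and a spurious one cancel out, the sequence check reports only the gap at 1003 and cannot know that 1006 has no origin or that 1004 was altered, and only the trace to origin surfaces all three defects. That is the distinction question 197 draws between a count, a sequence check and tracing data back to its source.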

198.An IS auditor is planning an audit of an organization's accounts payable processes.
Which of the following controls is MOST important to assess in the audit?
A. Segregation of duties between issuing purchase orders and making payments.
B. Segregation of duties between receiving invoices and setting authorization limits
C. Management review and approval of authorization tiers
D. Management review and approval of purchase orders
Answer: A
Explanation:
The most important control to assess in an audit of an organization’s accounts payable processes is
segregation of duties between issuing purchase orders and making payments. Segregation of duties
is a principle that requires different individuals or departments to perform different tasks or functions
within a process, in order to prevent fraud, errors, or conflicts of interest. In the accounts payable
process, segregation of duties between issuing purchase orders and making payments ensures that
no one person can initiate and complete a transaction without proper authorization and verification.
This reduces the risk of duplicate payments, overpayments, unauthorized payments, or payments to
fictitious vendors.
References:
Accounts payable controls
Accounts Payable Internal Controls: A Simple Checklist

199.Which of the following provides IS audit professionals with the BEST source of direction for
performing audit functions?
A. Audit charter
B. IT steering committee
C. Information security policy
D. Audit best practices
Answer: A
Explanation:
The audit charter is the document that defines the purpose, authority and responsibility of the IS audit
function. It provides IS audit professionals with the best source of direction for performing audit
functions, as it establishes the scope, objectives, reporting lines, independence, accountability and
resources of the IS audit function. The IT steering committee is a governance body that oversees the
strategic alignment, prioritization and direction of IT initiatives, but it does not provide specific
guidance for IS audit functions. The information security policy is a document that defines the rules
and principles for protecting information assets in the organization, but it does not cover all aspects of
IS audit functions. Audit best practices are general guidelines and recommendations for conducting
effective and efficient audits, but they are not binding or authoritative sources of direction for IS audit
functions.
References: CISA Review Manual (Digital Version), Chapter 1: Information Systems Auditing Process,
Section 1.1: Audit Charter.

200.An organization has recently implemented a Voice-over IP (VoIP) communication system.
Which of the following should be the IS auditor's PRIMARY concern?
A. A single point of failure for both voice and data communications
B. Inability to use virtual private networks (VPNs) for internal traffic
C. Lack of integration of voice and data communications
D. Voice quality degradation due to packet loss
Answer: A
Explanation:
The IS auditor’s primary concern when an organization has recently implemented a Voice-over IP
(VoIP) communication system is a single point of failure for both voice and data communications.
VoIP is a technology that allows voice communication over IP networks such as the internet. VoIP
can offer benefits such as lower costs, higher flexibility, and better integration with other applications.
However, VoIP also introduces risks such as dependency on network availability, performance, and
security. If both voice and data communications share the same network infrastructure and devices,
then a single point of failure can affect both services simultaneously and cause significant disruption
to business operations. Therefore, the IS auditor should evaluate the availability and redundancy of
the network components and devices that support VoIP communication. The other options are not as
critical as a single point of failure for both voice and data communications, as they do not pose a
direct threat to business continuity.
References: CISA Review Manual, 27th Edition, page 385

201.An IS auditor determines that the vendor's deliverables do not include the source code for a
newly acquired product.
To address this issue, which of the following should the auditor recommend be included in the
contract?
A. Confidentiality and data protection clauses
B. Service level agreement (SLA)
C. Software escrow agreement
D. Right-to-audit clause
Answer: C
Explanation:
The correct answer is C. Software escrow agreement. A software escrow agreement is a legal
arrangement between three parties: the software developer (licensor), the end-user (licensee), and an
escrow agent. The agreement ensures that the software’s source code and other relevant assets are
securely stored with the escrow agent, and can be released to the licensee under certain conditions,
such as the licensor’s bankruptcy, insolvency, or failure to provide support or maintenance. A
software escrow agreement can provide the licensee with assurance and continuity for the software
they depend on, and protect them from losing access or functionality in case of any unforeseen
events or disputes with the licensor.

202.When classifying information, it is MOST important to align the classification to:
A. business risk
B. security policy
C. data retention requirements
D. industry standards
Answer: A
Explanation:
When classifying information, it is most important to align the classification to business risk, because
it ensures that the information is protected according to its value and impact to the organization.
Business risk considers factors such as legal, regulatory, contractual, operational, reputational, and
financial implications of information disclosure or compromise. Aligning information classification to
business risk also helps to prioritize and allocate resources for information security measures.
Security policy, data retention requirements, and industry standards are important considerations for
information classification, but not as important as business risk.
References:
CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2
CISA Online Review Course, Module 5, Lesson 4

203.Which of the following weaknesses would have the GREATEST impact on the effective operation
of a perimeter firewall?
A. Use of stateful firewalls with default configuration
B. Ad hoc monitoring of firewall activity
C. Misconfiguration of the firewall rules
D. Potential back doors to the firewall software
Answer: C

204.During a project audit, an IS auditor notes that project reporting does not accurately reflect
current progress.
Which of the following is the GREATEST resulting impact?
A. The project manager will have to be replaced.
B. The project reporting to the board of directors will be incomplete.
C. The project steering committee cannot provide effective governance.
D. The project will not withstand a quality assurance (QA) review.
Answer: C
Explanation:
The greatest resulting impact of project reporting not accurately reflecting current progress is that the
project steering committee cannot provide effective governance. The project steering committee is a
group of senior executives or stakeholders who oversee the project and provide strategic direction,
guidance, and support. The project steering committee relies on accurate and timely project reporting
to monitor the project’s status, performance, risks, issues, and changes. If the project reporting is
inaccurate, the project steering committee cannot make informed decisions, resolve problems,
allocate resources, or ensure alignment with the organizational goals and objectives.
The other options are not as impactful as option C. The project manager will have to be replaced is a
possible consequence, but not the greatest impact, of inaccurate project reporting. The project
manager is responsible for planning, executing, monitoring, controlling, and closing the project. The
project manager may face disciplinary actions or termination if they fail to provide accurate and
honest project reporting. However, this does not necessarily affect the overall governance of the
project. The project reporting to the board of directors will be incomplete is a potential risk, but not the
greatest impact, of inaccurate project reporting. The board of directors is the highest governing body
of an organization that sets the vision, mission, values, and policies. The board of directors may
receive periodic or ad hoc project reporting to ensure that the project is aligned with the organizational
strategy and delivers value. If the project reporting is inaccurate, the board of directors may lose
confidence in the project or intervene in its management. However, this does not directly affect the
day-to-day governance of the project. The project will not withstand a quality assurance (QA) review
is a possible outcome, but not the greatest impact, of inaccurate project reporting. A quality
assurance review is a process to evaluate the quality of the project’s processes and deliverables
against predefined standards and criteria. A quality assurance review may reveal discrepancies or
errors in the project reporting that may affect the credibility and reliability of the project. However, this
does not necessarily affect the governance of the project.
References: Project Steering Committee - Roles & Responsibilities, Project Reporting Best Practices,
Quality Assurance in Project Management

205.What is the MOST effective way to manage contractors' access to a data center?
A. Badge identification worn by visitors
B. Escort requirement for visitor access
C. Management approval of visitor access
D. Verification of visitor identification
Answer: B

206.What is the BEST control to address SQL injection vulnerabilities?
A. Unicode translation
B. Secure Sockets Layer (SSL) encryption
C. Input validation
D. Digital signatures
Answer: C
Explanation:
Input validation is the best control to address SQL injection vulnerabilities, because it can prevent
malicious users from entering SQL commands or statements into input fields that are intended for
data entry, such as usernames or passwords. SQL injection is a technique that exploits a security
vulnerability in an application’s software by inserting SQL code into a query string that can execute
commands on a database server. Unicode translation, SSL encryption, and digital signatures are not
effective controls against SQL injection, because they do not prevent or detect SQL code injection
into input fields.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2
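As an added example (not from the question bank or from ISACA), the Python below shows the defect the explanation describes and the controls that close it: a login lookup that splices user input into the SQL text, the same lookup with bound parameters, and an allow-list validator for the username field. It runs against an in-memory SQLite database populated with constructed sample users; the usernames and passwords are made up for the illustration.

```python
"""Added example (not from the question bank): the same login lookup written
with string concatenation and with bound parameters, run against an in-memory
SQLite database holding constructed sample users, plus an allow-list input
validator for the username field."""
import re
import sqlite3

# Allow-list pattern for a username: lowercase letters, digits and underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def build_db():
    """Constructed sample data; plaintext passwords only to keep the
    illustration short (a real system stores password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def vulnerable_lookup(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, username, password):
    """Hardened form: the driver binds the values; they are data, never
    parsed as SQL, whatever characters they contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def validate_username(username):
    """Input validation at the boundary: accept only the expected form and
    reject everything else before it reaches any query."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = build_db()
    # A quote followed by the SQL comment marker turns the rest of the
    # concatenated statement into a comment, so the password test is skipped.
    crafted = "alice' --"
    print("vulnerable, crafted input:", vulnerable_lookup(conn, crafted, "x"))
    print("parameterized, same input:", safe_lookup(conn, crafted, "x"))
    print("validator accepts crafted input:", validate_username(crafted))
```

With the crafted username the concatenated statement returns alice without a correct password, the parameterized statement returns nothing because the quote and comment marker stay inside the bound value, and the validator rejects the input outright. The two controls complement each other: validation keeps unexpected input out of the application, and parameter binding ensures that whatever does get through can never alter the query.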
