Tips to Pass Certified Information Systems Auditor (CISA) Certification Exam

test2022-09-22T03:50:46+00:00

Looking for the tips to pass Certified Information Systems Auditor (CISA) Certification Exam. CISA is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems. FreeTestShare CISA Certification exam dumps have been compiled by our team of specialists to assist you in determining your readiness for the CISA exam by highlighting areas of knowledge and skills. You will find that all of the questions are quite similar to those you would encounter on the actual Certified Information Systems Auditor (CISA) Certification Exam.

Try CISA Practice Exam to assess yourself.

Page 1 of 10

1. An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider.

Which of the following would be the BEST way to prevent accepting bad data?

Obtain error codes indicating failed data feeds.

Purchase data cleansing tools from a reputable vendor.

Appoint data quality champions across the organization.

Implement business rules to reject invalid data.

2. An IS auditor is reviewing an organization's information asset management process.

Which of the following would be of GREATEST concern to the auditor?

The process does not require specifying the physical locations of assets.

Process ownership has not been established.

The process does not include asset review.

Identification of asset value is not included in the process.

3. An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit.

Which of the following should be the auditor's NEXT course of action?

Evaluate the appropriateness of the remedial action taken.

Conduct a risk analysis incorporating the change.

Report results of the follow-up to the audit committee.

Inform senior management of the change in approach.

4. During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Business case

Rollback strategy

Test cases

Post-implementation review objectives

5. A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification.

Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

Include the requirement in the incident management response plan.

Establish key performance indicators (KPIs) for timely identification of security incidents.

Enhance the alert functionality of the intrusion detection system (IDS).

Engage an external security incident response expert for incident handling.

6. Stress testing should ideally be earned out under a:

test environment with production workloads.

production environment with production workloads.

production environment with test data.

test environment with test data.

7. An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments.

The IS auditor should FIRST

document the exception in an audit report.

review security incident reports.

identify compensating controls.

notify the audit committee.

8. An organization has virtualized its server environment without making any other changes to the network or security infrastructure.

Which of the following is the MOST significant risk?

Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications

Vulnerability in the virtualization platform affecting multiple hosts

Data center environmental controls not aligning with new configuration

System documentation not being updated to reflect changes in the environment

9. Which of the following is MOST important to ensure when developing an effective security awareness program?

Training personnel are information security professionals.

Phishing exercises are conducted post-training.

Security threat scenarios are included in the program content.

Outcome metrics for the program are established.

10. What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

Earned value analysis (EVA)

Return on investment (ROI) analysis

Gantt chart

Critical path analysis

Page 2 of 10

11. Which of the following BEST guards against the risk of attack by hackers?

Tunneling

Encryption

Message validation

Firewalls

12. An IS auditor finds that the process for removing access for terminated employees is not documented.

What is the MOST significant risk from this observation?

Procedures may not align with best practices

Human resources (HR) records may not match system access.

Unauthorized access cannot he identified.

Access rights may not be removed in a timely manner.

13. An IS auditor suspects an organization's computer may have been used to commit a crime.

Which of the following is the auditor's BEST course of action?

Examine the computer to search for evidence supporting the suspicions.

Advise management of the crime after the investigation.

Contact the incident response team to conduct an investigation.

Notify local law enforcement of the potential crime before further investigation.

14. To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

Root cause

Responsible party

impact

Criteria

15. Which of the following is MOST important for an effective control self-assessment (CSA) program?

Determining the scope of the assessment

Performing detailed test procedures

Evaluating changes to the risk environment

Understanding the business process

16. Which of the following should be GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

Data conversion was performed using manual processes.

Backups of the old system and data are not available online.

Unauthorized data modifications occurred during conversion.

The change management process was not formally documented

17. Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

Limit check

Parity check

Reasonableness check

Validity check

18. During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

perform a business impact analysis (BIA).

issue an intermediate report to management.

evaluate the impact on current disaster recovery capability.

conduct additional compliance testing.

19. CORRECT TEXT

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

Staff members who failed the test did not receive follow-up education

Test results were not communicated to staff members.

Staff members were not notified about the test beforehand.

Security awareness training was not provided prior to the test.

20. What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

To address the overall risk associated with the activity under review

To identify areas with relatively high probability of material problems

To help ensure maximum use of audit resources during the engagement

To help prioritize and schedule auditee meetings

Page 3 of 10

21. An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version.

Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Verify all patches have been applied to the software system's outdated version

Close all unused ports on the outdated software system.

Segregate the outdated software system from the main network.

Monitor network traffic attempting to reach the outdated software system.

22. Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

business impact analysis (BIA).

threat and risk assessment.

business continuity plan (BCP).

disaster recovery plan (DRP).

23. Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?

Ensure the third party allocates adequate resources to meet requirements.

Use analytics within the internal audit function

Conduct a capacity planning exercise

Utilize performance monitoring tools to verify service level agreements (SLAs)

24. Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

The organization's systems inventory is kept up to date.

Vulnerability scanning results are reported to the CIS

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

Access to the vulnerability scanning tool is periodically reviewed

25. An organization has recently implemented a Voice-over IP (VoIP) communication system.

Which of the following should be the IS auditor's PRIMARY concern?

A single point of failure for both voice and data communications

Inability to use virtual private networks (VPNs) for internal traffic

Lack of integration of voice and data communications

Voice quality degradation due to packet toss

26. Which of the following BEST facilitates the legal process in the event of an incident?

Right to perform e-discovery

Advice from legal counsel

Preserving the chain of custody

Results of a root cause analysis

27. Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

Rotate job duties periodically.

Perform an independent audit.

Hire temporary staff.

Implement compensating controls.

28. Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?

Implementing two-factor authentication

Restricting access to transactions using network security software

implementing role-based access at the application level

Using a single menu tor sensitive application transactions

29. Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Audit charier

IT steering committee

Information security policy

Audit best practices

30. During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

application test cases.

acceptance testing.

cost-benefit analysis.

project plans.

Page 4 of 10

31. Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Ensure compliance with the data classification policy.

Protect the plan from unauthorized alteration.

Comply with business continuity best practice.

Reduce the risk of data leakage that could lead to an attack.

32. Which of the following provides the BEST providence that outsourced provider services are being properly managed?

The service level agreement (SLA) includes penalties for non-performance.

Adequate action is taken for noncompliance with the service level agreement (SLA).

The vendor provides historical data to demonstrate its performance.

Internal performance standards align with corporate strategy.

33. Which of the following findings from an IT governance review should be of GREATEST concern?

The IT budget is not monitored

All IT services are provided by third parties.

IT value analysis has not been completed.

IT supports two different operating systems.

34. 1.Which of the following would be to MOST concern when determine if information assets are adequately safequately safeguarded during transport and disposal?

Lack of appropriate labelling

Lack of recent awareness training.

Lack of password protection

Lack of appropriate data classification

35. An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit.

What should the auditor consider the MOST significant concern?

Attack vectors are evolving for industrial control systems.

There is a greater risk of system exploitation.

Disaster recovery plans (DRPs) are not in place.

Technical specifications are not documented.

36. During an incident management audit, an IS auditor finds that several similar incidents

were logged during the audit period.

Which of the following is the auditor's MOST important course of action?

Document the finding and present it to management.

Determine if a root cause analysis was conducted.

Confirm the resolution time of the incidents.

Validate whether all incidents have been actioned.

37. What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

Notify law enforcement of the finding.

Require the third party to notify customers.

The audit report with a significant finding.

Notify audit management of the finding.

38. Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

File level encryption

File Transfer Protocol (FTP)

Instant messaging policy

Application level firewalls

39. After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Verifying that access privileges have been reviewed

investigating access rights for expiration dates

Updating the continuity plan for critical resources

Updating the security policy

40. The decision to accept an IT control risk related to data quality should be the responsibility of the:

information security team.

IS audit manager.

chief information officer (CIO).

business owner.

Page 5 of 10

41. The IS quality assurance (OA) group is responsible for:

ensuring that program changes adhere to established standards.

designing procedures to protect data against accidental disclosure.

ensuring that the output received from system processing is complete.

monitoring the execution of computer processing tasks.

42. Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Restricting evidence access to professionally certified forensic investigators

Documenting evidence handling by personnel throughout the forensic investigation

Performing investigative procedures on the original hard drives rather than images of the hard drives

Engaging an independent third party to perform the forensic investigation

43. Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

Effectiveness of the security program

Security incidents vs. industry benchmarks

Total number of hours budgeted to security

Total number of false positives

44. Which of the following demonstrates the use of data analytics for a loan origination process?

Evaluating whether loan records are included in the batch file and are validated by the servicing system

Comparing a population of loans input in the origination system to loans booked on the servicing system

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

45. During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective.

Which of the following is the auditor's BEST action?

Explain to IT management that the new control will be evaluated during follow-up

Re-perform the audit before changing the conclusion.

Change the conclusion based on evidence provided by IT management.

Add comments about the action taken by IT management in the report.

46. Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?

Improved disaster recovery

Better utilization of resources

Stronger data security

Increased application performance

47. Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

IT steering committee minutes

Business objectives

Alignment with the IT tactical plan

Compliance with industry best practice

48. Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Background checks

User awareness training

Transaction log review

Mandatory holidays

49. When auditing the security architecture of an online application, an IS auditor should FIRST review the:

firewall standards.

configuration of the firewall

firmware version of the firewall

location of the firewall within the network

50. An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider.

Which of the following would be the BEST way to prevent accepting bad data?

Obtain error codes indicating failed data feeds.

Appoint data quality champions across the organization.

Purchase data cleansing tools from a reputable vendor.

Implement business rules to reject invalid data.

Page 6 of 10

51. Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

Mobile device tracking program

Mobile device upgrade program

Mobile device testing program

Mobile device awareness program

52. The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

the access control system's log settings.

how the latest system changes were implemented.

the access control system's configuration.

the access rights that have been granted.

53. Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?

Information security program plans

Penetration test results

Risk assessment results

Industry benchmarks

54. Which of the following conditions would be of MOST concern to an IS auditor assessing the

risk of a successful brute force attack against encrypted data at test?

Short key length

Random key generation

Use of symmetric encryption

Use of asymmetric encryption

55. An IS auditor finds the log management system is overwhelmed with false positive alerts.

The auditor's BEST recommendation would be to:

establish criteria for reviewing alerts.

recruit more monitoring personnel.

reduce the firewall rules.

fine tune the intrusion detection system (IDS).

56. A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed

Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

Continuous 24/7 support must be available.

The vendor must have a documented disaster recovery plan (DRP) in place.

Source code for the software must be placed in escrow.

The vendor must train the organization's staff to manage the new software

57. Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Walk-through reviews

Substantive testing

Compliance testing

Design documentation reviews

58. Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Reviewing vacation patterns

Reviewing user activity logs

Interviewing senior IT management

Mapping IT processes to roles

59. Which of the following is MOST important to consider when scheduling follow-up audits?

The efforts required for independent verification with new auditors

The impact if corrective actions are not taken

The amount of time the auditee has agreed to spend with auditors

Controls and detection risks related to the observations

60. An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process.

To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

Data with customer personal information

Data reported to the regulatory body

Data supporting financial statements

Data impacting business objectives

Page 7 of 10

61. When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

Implementation plan

Project budget provisions

Requirements analysis

Project plan

62. An IS auditor Is reviewing a recent security incident and is seeking information about me approval of a recent modification to a database system's security settings.

Where would the auditor MOST likely find this information?

System event correlation report

Database log

Change log

Security incident and event management (SIEM) report

63. When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

the Internet.

the demilitarized zone (DMZ).

the organization's web server.

the organization's network.

64. Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

Reviewing the parameter settings

Reviewing the system log

Interviewing the firewall administrator

Reviewing the actual procedures

65. Which of the following metrics would BEST measure the agility of an organization's IT function?

Average number of learning and training hours per IT staff member

Frequency of security assessments against the most recent standards and guidelines

Average time to turn strategic IT objectives into an agreed upon and approved initiative

Percentage of staff with sufficient IT-related skills for the competency required of their roles

66. During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk.

What should the auditor do FIRST?

Ask management why the regulatory changes have not been Included.

Discuss potential regulatory issues with the legal department

Report the missing regulatory updates to the chief information officer (CIO).

Exclude recent regulatory changes from the audit scope.

67. An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business.

The auditor's PRIMARY concern would be:

failure to maximize the use of equipment

unanticipated increase in business s capacity needs.

cost of excessive data center storage capacity

impact to future business project funding.

68. Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Assurance that the new system meets functional requirements

More time for users to complete training for the new system

Significant cost savings over other system implemental or approaches

Assurance that the new system meets performance requirements

69. Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Compliance with action plans resulting from recent audits

Compliance with local laws and regulations

Compliance with industry standards and best practice

Compliance with the organization's policies and procedures

70. What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?

Full test results

Completed test plans

Updated inventory of systems

Change management processes

Page 8 of 10

71. Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

The organization's security policy

The number of remote nodes

The firewalls' default settings

The physical location of the firewalls

72. Which of the following is MOST helpful for measuring benefits realization for a new system?

Function point analysis

Balanced scorecard review

Post-implementation review

Business impact analysis (BIA)

73. Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

Inability to utilize the site when required

Inability to test the recovery plans onsite

Equipment compatibility issues at the site

Mismatched organizational security policies

74. Which of the following BEST Indicates that an incident management process is effective?

Decreased time for incident resolution

Increased number of incidents reviewed by IT management

Decreased number of calls lo the help desk

Increased number of reported critical incidents

75. Which of the following would be an appropriate rote of internal audit in helping to establish an organization's privacy program?

Analyzing risks posed by new regulations

Designing controls to protect personal data

Defining roles within the organization related to privacy

Developing procedures to monitor the use of personal data

76. Which of the following is MOST important to include in forensic data collection and preservation procedures?

Assuring the physical security of devices

Preserving data integrity

Maintaining chain of custody

Determining tools to be used

77. Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Expected deliverables meeting project deadlines

Sign-off from the IT team

Ongoing participation by relevant stakeholders

Quality assurance (OA) review

78. Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?

The person who collected the evidence is not qualified to represent the case.

The logs failed to identify the person handling the evidence.

The evidence was collected by the internal forensics team.

The evidence was not fully backed up using a cloud-based solution prior to the trial.

79. An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes.

Which of the following recommendations would BEST help to reduce the risk of data leakage?

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

Establishing strong access controls on confidential data

Providing education and guidelines to employees on use of social networking sites

Monitoring employees' social networking usage

80. Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

The job scheduler application has not been designed to display pop-up error messages.

Access to the job scheduler application has not been restricted to a maximum of two staff members

Operations shift turnover logs are not utilized to coordinate and control the processing environment

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

Page 9 of 10

81. During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS).

Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

Sampling risk

Detection risk

Control risk

Inherent risk

82. Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

Availability of the site in the event of multiple disaster declarations

Coordination with the site staff in the event of multiple disaster declarations

Reciprocal agreements with other organizations

Complete testing of the recovery plan

83. Which of the following strategies BEST optimizes data storage without compromising data retention practices?

Limiting the size of file attachments being sent via email

Automatically deleting emails older than one year

Moving emails to a virtual email vault after 30 days

Allowing employees to store large emails on flash drives

84. An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers.

Which of the following controls is MOST important for the auditor to confirm is in place?

The default configurations have been changed.

All tables in the database are normalized.

The service port used by the database server has been changed.

The default administration account is used after changing the account password.

85. Which of the following features of a library control software package would protect against unauthorized updating of source code?

Required approvals at each life cycle step

Date and time stamping of source and object code

Access controls for source libraries

Release-to-release comparison of source code

86. In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire.

Which of the following recommendations would BEST address the risk with minimal disruption to the business?

Modify applications to no longer require direct access to the database.

Introduce database access monitoring into the environment

Modify the access management policy to make allowances for application accounts.

Schedule downtime to implement password changes.

87. The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

risk management review

control self-assessment (CSA).

service level agreement (SLA).

balanced scorecard.

88. An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company.

Which of the following would be MOST helpful In determining the effectiveness of the framework?

Sell-assessment reports of IT capability and maturity

IT performance benchmarking reports with competitors

Recent third-party IS audit reports

Current and previous internal IS audit reports

89. Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse formal?

Testing

Replication

Staging

Development

90. Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground.

Which approach has been adopted?

Risk avoidance

Risk transfer

Risk acceptance

Risk reduction

Page 10 of 10

91. An organizations audit charier PRIMARILY:

describes the auditors' authority to conduct audits.

defines the auditors' code of conduct.

formally records the annual and quarterly audit plans.

documents the audit process and reporting standards.