CISA V31.65.pdf

Full Transcript

IT Certification Guaranteed, The Easy Way!

Exam : CISA

Title : Certified Information
Systems Auditor

Vendor : ISACA

Version : V31.65

1
 IT Certification Guaranteed, The Easy Way!

QUESTION NO: 1
During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has
not been performed. The auditor should FIRST
A. perform a business impact analysis (BIA).
B. issue an intermediate report to management.
C. evaluate the impact on current disaster recovery capability.
D. conduct additional compliance testing.
Answer: C
Explanation
The first step that an IS auditor should take when finding that a business impact analysis
(BIA) has not been performed is to evaluate the impact on current disaster recovery
capability. A BIA is a process that identifies and analyzes the potential effects of disruptions
to critical business functions and processes. A BIA helps determine the recovery priorities,
objectives, and strategies for the organization. Without a BIA, the disaster recovery plan may
not be aligned with the business needs and expectations, and may not provide adequate
protection and recovery for the most critical assets and activities. Therefore, an IS auditor
should assess how the lack of a BIA affects the current disaster recovery capability and
identify any gaps or risks that need to be addressed.
Performing a BIA, issuing an intermediate report to management, and conducting additional
compliance testing are not the first steps that an IS auditor should take when finding that a
BIA has not been performed.
These steps may be done later in the audit process, after evaluating the impact on current
disaster recovery capability. Performing a BIA is not the responsibility of the IS auditor, but of
the business owners and managers. Issuing an intermediate report to management may be
premature without sufficient evidence and analysis. Conducting additional compliance testing
may not be relevant or necessary without a clear understanding of the disaster recovery
requirements and objectives.

QUESTION NO: 2
An organization's security policy mandates that all new employees must receive appropriate
security awareness training. Which of the following metrics would BEST assure compliance
with this policy?
A. Percentage of new hires that have completed the training.
B. Number of new hires who have violated enterprise security policies.
C. Number of reported incidents by new hires.
D. Percentage of new hires who report incidents
Answer: A
Explanation
The best metric to assure compliance with the policy of providing security awareness training
to all new employees is the percentage of new hires that have completed the training, as this
directly measures the extent to which the policy is implemented and enforced. The number of
new hires who have violated enterprise security policies, the number of reported incidents by
new hires, and the percentage of new hires who report incidents are not directly related to the
policy, as they may depend on other factors such as the nature and frequency of threats, the

2
 IT Certification Guaranteed, The Easy Way!

effectiveness of security controls, and the reporting culture of the organization.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.7

QUESTION NO: 3
Which of the following is the BEST data integrity check?
A. Counting the transactions processed per day
B. Performing a sequence check
C. Tracing data back to the point of origin
D. Preparing and running test data
Answer: C
Explanation
Data integrity is the property that ensures that data is accurate, complete, consistent, and
reliable throughout its lifecycle. The best data integrity check is tracing data back to the point
of origin, which is the source where the data was originally created or captured. This check
can verify that data has not been altered or corrupted during transmission, processing, or
storage. It can also identify any errors or discrepancies in data entry or conversion. Counting
the transactions processed per day is a performance measure that does not directly assess
data integrity. Performing a sequence check is a validity check that ensures that data follows
a predefined order or pattern. It can detect missing or out-of-order data elements, but it
cannot verify their accuracy or completeness. Preparing and running test data is a testing
technique that simulates real data to evaluate how a system handles different scenarios. It
can help identify errors or bugs in the system logic or functionality, but it cannot ensure data
integrity in production environments. References: Information Systems Operations and
Business Resilience, CISA Review Manual (Digital Version)

QUESTION NO: 4
An IS auditor is reviewing an organization's information asset management process. Which
of the following would be of GREATEST concern to the auditor?
A. The process does not require specifying the physical locations of assets.
B. Process ownership has not been established.
C. The process does not include asset review.
D. Identification of asset value is not included in the process.
Answer: B
Explanation
An IS auditor would be most concerned if process ownership has not been established for
the information asset management process, as this would indicate a lack of accountability,
responsibility, and authority for managing the assets throughout their lifecycle. The process
owner should also ensure that the process is aligned with the organization's objectives,
policies, and standards. The process should require specifying the physical locations of
assets, include asset review, and identify asset value, but these are less critical than
establishing process ownership. References: CISA Review Manual (Digital Version), Chapter
3, Section 3.3

QUESTION NO: 5
An IS auditor will be testing accounts payable controls by performing data analytics on the

3
 IT Certification Guaranteed, The Easy Way!

entire population of transactions. Which of the following is MOST important for the auditor to
confirm when sourcing the population data?
A. The data is taken directly from the system.
B. There is no privacy information in the data.
C. The data can be obtained in a timely manner.
D. The data analysis tools have been recently updated.
Answer: A
Explanation
The most important thing for the auditor to confirm when sourcing the population data for
testing accounts payable controls by performing data analytics is that the data is taken
directly from the system. Taking the data directly from the system can help ensure that the
data is authentic, complete, and accurate, and that it has not been manipulated or modified
by any intermediary sources or processes. The other options are not as important as taking
the data directly from the system, as they do not affect the validity or reliability of the data.
There is no privacy information in the data is a privacy concern that can help protect the
confidentiality and integrity of personal or sensitive data, but it does not affect the accuracy or
completeness of the data. The data can be obtained in a timely manner is a logistical concern
that can help facilitate the efficiency and effectiveness of the data analytics process, but it
does not affect the authenticity or accuracy of the data. The data analysis tools have been
recently updated is a technical concern that can help enhance the functionality and
performance of the data analytics tools, but it does not affect the validity or reliability of the
data.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

QUESTION NO: 6
Which of the following is the BEST recommendation to prevent fraudulent electronic funds
transfers by accounts payable employees?
A. Periodic vendor reviews
B. Dual control
C. Independent reconciliation
D. Re-keying of monetary amounts
E. Engage an external security incident response expert for incident handling.
Answer: B
Explanation
The best recommendation to prevent fraudulent electronic funds transfers by accounts
payable employees is dual control. Dual control is a segregation of duties control that
requires two or more individuals to perform or authorize a transaction or activity. Dual control
can prevent fraudulent electronic funds transfers by requiring independent verification and
approval of payment requests, amounts, and recipients by different accounts payable
employees. The other options are not as effective as dual control in preventing fraudulent
electronic funds transfers, as they do not involve independent checks or approvals. Periodic
vendor reviews are detective controls that can help identify any irregularities or anomalies in
vendor payments, but they do not prevent fraudulent electronic funds transfers from
occurring. Independent reconciliation is a detective control that can help compare and

4
 IT Certification Guaranteed, The Easy Way!

confirm payment records with bank statements, but it does not prevent fraudulent electronic
funds transfers from occurring. Re-keying of monetary amounts is an input control that can
help detect any errors or discrepancies in payment amounts, but it does not prevent
fraudulent electronic funds transfers from occurring. References: CISA Review Manual
(Digital Version), Chapter 3, Section 3.2

QUESTION NO: 7
When determining whether a project in the design phase will meet organizational objectives,
what is BEST to compare against the business case?
A. Implementation plan
B. Project budget provisions
C. Requirements analysis
D. Project plan
Answer: C
Explanation
Requirements analysis should be the best thing to compare against the business case when
determining whether a project in the design phase will meet organizational objectives,
because it defines the functional and non-functional specifications of the project deliverables
that should satisfy the business needs and expectations. Requirements analysis can help
evaluate whether the project design is aligned with the business case and whether it can
achieve the desired outcomes and benefits. Implementation plan, project budget provisions,
and project plan are also important aspects of a project in the design phase, but they are not
as relevant as requirements analysis for comparing against the business case. References:
CISA Review Manual (Digital Version), Chapter 4, Section 4.2.1

QUESTION NO: 8
During a new system implementation, an IS auditor has been assigned to review risk
management at each milestone. The auditor finds that several risks to project benefits have
not been addressed. Who should be accountable for managing these risks?
A. Enterprise risk manager
B. Project sponsor
C. Information security officer
D. Project manager
Answer: D
Explanation
The project manager should be accountable for managing the risks to project benefits.
Project benefits are the expected outcomes or value that a project delivers to its
stakeholders, such as improved efficiency, quality, customer satisfaction, or revenue. Project
risks are uncertain events or conditions that may affect the project objectives, scope, budget,
schedule, or quality. The project manager is responsible for identifying, analyzing, prioritizing,
responding to, and monitoring project risks throughout the project life cycle. The other options
are not accountable for managing project risks, as they have different roles and
responsibilities. The enterprise risk manager is responsible for overseeing the organization's
overall risk management framework and strategy, but not for managing specific project risks.
The project sponsor is responsible for initiating, approving, and supporting the project, but not

5
 IT Certification Guaranteed, The Easy Way!

for managing project risks. The information security officer is responsible for ensuring that the
project complies with the organization's information security policies and standards, but not
for managing project risks. References: CISA Review Manual (Digital Version), Chapter 3,
Section 3.3

QUESTION NO: 9
Management has requested a post-implementation review of a newly implemented
purchasing package to determine to what extent business requirements are being met.
Which of the following is MOST likely to be assessed?
A. Purchasing guidelines and policies
B. Implementation methodology
C. Results of line processing
D. Test results
Answer: C
Explanation
A post-implementation review is a process of evaluating the outcome and benefits of a
project or a system after it has been implemented. The main purpose of a post-
implementation review is to determine to what extent the business requirements are being
met by the new system. Therefore, the most likely aspect to be assessed is the results of line
processing, which refers to the actual performance and functionality of the system in the
operational environment.

QUESTION NO: 10
During the design phase of a software development project, the PRIMARY responsibility of
an IS auditor is to evaluate the:
A. Future compatibility of the application.
B. Proposed functionality of the application.
C. Controls incorporated into the system specifications.
D. Development methodology employed.
Answer: C
Explanation
The primary responsibility of an IS auditor during the design phase of a software
development project is to evaluate the controls incorporated into the system specifications.
Controls are mechanisms or procedures that aim to ensure the security, reliability, or
performance of a system or process. System specifications are documents that define and
describe the requirements, features, functions, or components of a system or software.
Evaluating the controls incorporated into the system specifications is a key responsibility of
an IS auditor during the design phase of a software development project, as it helps ensure
that the system or software meets the organization's objectives, standards, and expectations
for security, reliability, or performance. The other options are not primary responsibilities of
an IS auditor during the design phase of a software development project, as they do not
directly relate to evaluating the controls incorporated into the system specifications. Future
compatibility of the application is a possible factor that may affect the functionality or usability
of the application in different environments or platforms, but it is not a primary responsibility
of an IS auditor during the design phase of a software development project. Proposed

6
 IT Certification Guaranteed, The Easy Way!

functionality of the application is a possible factor that may affect the suitability or value of the
application for meeting user needs or expectations, but it is not a primary responsibility of an
IS auditor during the design phase of a software development project. Development
methodology employed is a possible factor that may affect the quality or consistency of the
software development process, but it is not a primary responsibility of an IS auditor during the
design phase of a software development project. References: CISA Review Manual (Digital
Version), Chapter 3, Section 3.3

QUESTION NO: 11
Which of the following is MOST important to include in forensic data collection and
preservation procedures?
A. Assuring the physical security of devices
B. Preserving data integrity
C. Maintaining chain of custody
D. Determining tools to be used
Answer: B
Explanation
The most important thing to include in forensic data collection and preservation procedures is
preserving data integrity. Data integrity is the property that ensures that data is accurate,
complete, and consistent throughout its lifecycle. Preserving data integrity is essential for
forensic data collection and preservation procedures because it ensures that the data can be
used as valid and reliable evidence in legal proceedings or investigations. Preserving data
integrity can be achieved by using methods such as hashing, checksums, digital signatures,
write blockers, tamper-evident seals, or timestamps. The other options are not as important
as preserving data integrity in forensic data collection and preservation procedures, as they
do not affect the validity or reliability of the data. Assuring the physical security of devices is a
security measure that protects devices from unauthorized access, theft, damage, or
destruction, but it does not ensure that the data on the devices is accurate, complete, and
consistent. Maintaining chain of custody is a documentation technique that records and
tracks the handling and transfer of devices or data among different parties involved in
forensic activities, but it does not ensure that the data on the devices is accurate, complete,
and consistent. Determining tools to be used is a planning activity that selects and prepares
the appropriate tools for forensic data collection and preservation procedures, but it does not
ensure that the data collected and preserved by the tools is accurate, complete, and
consistent. References: CISA Review Manual (Digital Version), Chapter 5, Section
5.4

QUESTION NO: 12
A system development project is experiencing delays due to ongoing staff shortages. Which
of the following strategies would provide the GREATEST assurance of system quality at
implementation?
A. Implement overtime pay and bonuses for all development staff.
B. Utilize new system development tools to improve productivity.
C. Recruit IS staff to expedite system development.
D. Deliver only the core functionality on the initial target date.

7
 IT Certification Guaranteed, The Easy Way!

Answer: D
Explanation
The strategy that would provide the greatest assurance of system quality at implementation is
delivering only the core functionality on the initial target date. This strategy can help avoid
compromising the quality of the system by focusing on the essential features that meet the
user needs and expectations. Delivering only the core functionality can also help reduce the
scope creep, complexity, and testing efforts of the system development project.
Implementing overtime pay and bonuses for all development staff, utilizing new system
development tools to improve productivity, and recruiting IS staff to expedite system
development are not strategies that would provide the greatest assurance of system quality
at implementation. These strategies may help speed up the system development process,
but they may also introduce new risks or challenges such as burnout, learning curve,
integration issues, or communication gaps. These risks or challenges may adversely affect
the quality of the system.

QUESTION NO: 13
Malicious program code was found in an application and corrected prior to release into
production. After the release, the same issue was reported. Which of the following is the IS
auditor's BEST recommendation?
A. Ensure corrected program code is compiled in a dedicated server.
B. Ensure change management reports are independently reviewed.
C. Ensure programmers cannot access code after the completion of program edits.
D. Ensure the business signs off on end-to-end user acceptance test (UAT) results.
Answer: C
Explanation
The IS auditor's best recommendation is to ensure that programmers cannot access code
after the completion of program edits. This is because programmers who have access to
code after editing may introduce unauthorized or malicious changes that could compromise
the security, functionality, or performance of the application. By restricting access to code
after editing, the organization can ensure that only authorized and tested code is released
into production, and prevent any tampering or reoccurrence of the same issue.
References:
1 discusses the importance of controlling access to code after editing and testing, and
provides some best practices for doing so.
2 explains how programmers can introduce malicious code into applications, and how to
prevent and detect such attacks.
3 describes the role of IS auditors in reviewing and assessing the security and quality of
application code.

QUESTION NO: 14
An IS auditor has found that an organization is unable to add new servers on demand in a
cost-efficient manner. Which of the following is the auditor's BEST recommendation?
A. Increase the capacity of existing systems.
B. Upgrade hardware to newer technology.
C. Hire temporary contract workers for the IT function.

8
 IT Certification Guaranteed, The Easy Way!

D. Build a virtual environment.
Answer: D
Explanation
The best recommendation for an organization that is unable to add new servers on demand
in a cost-efficient manner is to build a virtual environment. A virtual environment is a
technology that allows multiple virtual machines to run on a single physical server, sharing its
resources and capabilities. A virtual environment can help the organization add new servers
on demand in a cost-efficient manner by reducing the need for hardware acquisition,
maintenance, and power consumption. The other options are not as effective as building a
virtual environment, as they do not address the root cause of the problem or provide the
same benefits. Increasing the capacity of existing systems is a short-term solution that can
help improve the performance and availability of the current servers, but it does not enable
the organization to add new servers on demand in a cost-efficient manner. Upgrading
hardware to newer technology is a costly solution that can help enhance the functionality and
reliability of the servers, but it does not enable the organization to add new servers on
demand in a cost-efficient manner. Hiring temporary contract workers for the IT function is an
irrelevant solution that can help supplement the IT staff's skills and knowledge, but it does not
enable the organization to add new servers on demand in a cost-efficient manner.
References: CISA Review Manual (Digital Version), Chapter 3, Section
3.3.1

QUESTION NO: 15
Prior to a follow-up engagement, an IS auditor learns that management has decided to
accept a level of residual risk related to an audit finding without remediation. The IS auditor is
concerned about management's decision. Which of the following should be the IS auditor's
NEXT course of action?
A. Accept management's decision and continue the follow-up.
B. Report the issue to IS audit management.
C. Report the disagreement to the board.
D. Present the issue to executive management.
Answer: B
Explanation
Prior to a follow-up engagement, if an IS auditor learns that management has decided to
accept a level of residual risk related to an audit finding without remediation, the IS auditor
should report the issue to IS audit management. This is because IS audit management is
responsible for ensuring that audit findings are properly communicated and resolved.
Accepting management's decision and continuing the follow-up would not address the IS
auditor's concern. Reporting the disagreement to the board or executive management would
be premature and inappropriate without consulting IS audit management first. References:
CISA Review Manual (Digital Version), Chapter 1, Section 1.6

QUESTION NO: 16
A system administrator recently informed the IS auditor about the occurrence of several
unsuccessful intrusion attempts from outside the organization. Which of the following is
MOST effective in detecting such an intrusion?

9
 IT Certification Guaranteed, The Easy Way!

A. Periodically reviewing log files
B. Configuring the router as a firewall
C. Using smart cards with one-time passwords
D. Installing biometrics-based authentication
Answer: A
Explanation
The most effective way to detect an intrusion attempt is to periodically review log files, which
record the activities and events on a system or network. Log files can provide evidence of
unauthorized access attempts, malicious activities, or system errors. Configuring the router
as a firewall, using smart cards with one-time passwords, and installing biometrics-based
authentication are preventive controls that can reduce the likelihood of an intrusion, but they
do not detect it. References: ISACA CISA Review Manual 27th Edition, page 301

QUESTION NO: 17
What should be the PRIMARY basis for selecting which IS audits to perform in the coming
year?
A. Senior management's request
B. Prior year's audit findings
C. Organizational risk assessment
D. Previous audit coverage and scope
Answer: C
Explanation
The primary basis for selecting which IS audits to perform in the coming year is the
organizational risk assessment. An organizational risk assessment is a formal process for
identifying, evaluating, and controlling risks that may affect the achievement of the
organization's goals and objectives3. An organizational risk assessment can help IS auditors
prioritize and plan their audit activities based on the level of risk exposure and impact of each
area or process within the organization. An organizational risk assessment can also help IS
auditors align their audit objectives and criteria with the organization's strategy and
performance indicators. Senior management's request, prior year's audit findings, and
previous audit coverage and scope are also possible bases for selecting which IS audits to
perform in the coming year, but not as primary as the organizational risk assessment. These
factors are more secondary or supplementary sources of information that can help IS
auditors refine or adjust their audit plan based on specific needs or issues identified by
management or previous audits. However, these factors may not reflect the current or
emerging risks that may affect the organization's operations or performance. References:
ISACA CISA Review Manual 27th Edition, page 295

QUESTION NO: 18
Which of the following is the MOST important reason to implement version control for an end-
user computing (EUC) application?
A. To ensure that older versions are availability for reference
B. To ensure that only the latest approved version of the application is used
C. To ensure compatibility different versions of the application

10
 IT Certification Guaranteed, The Easy Way!

D. To ensure that only authorized users can access the application
Answer: B
Explanation
Version control is a process of managing changes to an application or a document. It ensures
that only the latest approved version of the application is used by end-users, which reduces
the risk of errors, inconsistencies, and unauthorized modifications. Version control also
allows tracking the history of changes and restoring previous versions if needed.

QUESTION NO: 19
Which of the following would BEST determine whether a post-implementation review (PIR)
performed by the project management office (PMO) was effective?
A. Lessons learned were implemented.
B. Management approved the PIR report.
C. The review was performed by an external provider.
D. Project outcomes have been realized.
Answer: D
Explanation
The best indicator of whether a PIR performed by the PMO was effective is whether project
outcomes have been realized. Project outcomes are the benefits or value that a project
delivers to its stakeholders, such as improved efficiency, quality, customer satisfaction, or
revenue. A PIR should evaluate whether project outcomes have been achieved in
accordance with project objectives, scope, budget, and schedule. The other options are not
as good as project outcomes in determining the effectiveness of a PIR. Lessons learned are
valuable inputs for improving future projects, but they do not measure whether project
outcomes have been realized. Management approval of the PIR report is a sign of
acceptance and support for the PIR findings and recommendations, but it does not reflect
whether project outcomes have been achieved. The review performed by an external
provider is a way of ensuring objectivity and independence for the PIR, but it does not
guarantee whether project outcomes have been realized. References: CISA Review Manual
(Digital Version), Chapter 3, Section 3.3

QUESTION NO: 20
Which of the following documents would be MOST useful in detecting a weakness in
segregation of duties?
A. System flowchart
B. Data flow diagram
C. Process flowchart
D. Entity-relationship diagram
Answer: C
Explanation
The best document for an IS auditor to use in detecting a weakness in segregation of duties
is a process flowchart. A process flowchart is a diagram that illustrates the sequence of
steps, activities, tasks, or decisions involved in a business process. A process flowchart can
help detect a weakness in segregation of duties by showing who performs what actions or

11
 IT Certification Guaranteed, The Easy Way!

roles in a process, and whether there is any overlap or conflict of interest among them. The
other options are not as useful as a process flowchart in detecting a weakness in segregation
of duties, as they do not show who performs what actions or roles in a process. A system
flowchart is a diagram that illustrates the components, functions, interactions, or logic of an
information system. A data flow diagram is a diagram that illustrates how data flows from
sources to destinations through processes, stores, or external entities. An entity-relationship
diagram is a diagram that illustrates how entities (such as tables) are related to each other
through attributes (such as keys) in a database. References: CISA Review Manual (Digital
Version), Chapter 3, Section 3.2

QUESTION NO: 21
When implementing Internet Protocol security (IPsec) architecture, the servers involved in
application delivery:
A. communicate via Transport Layer Security (TLS),
B. block authorized users from unauthorized activities.
C. channel access only through the public-facing firewall.
D. channel access through authentication.
Answer: A
Explanation
When implementing Internet Protocol security (IPsec) architecture, the servers involved in
application delivery communicate via Transport Layer Security (TLS), which is a protocol that
provides encryption and authentication for data transmitted over a network. IPsec operates at
the network layer and provides security for IP packets, while TLS operates at the transport
layer and provides security for TCP connections. Blocking authorized users from
unauthorized activities, channeling access only through the public-facing firewall, and
channeling access through authentication are not functions of IPsec architecture.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2

QUESTION NO: 22
An IS auditor found that a company executive is encouraging employee use of social
networking sites for business purposes. Which of the following recommendations would
BEST help to reduce the risk of data leakage?
A. Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by
employees
B. Establishing strong access controls on confidential data
C. Providing education and guidelines to employees on use of social networking sites
D. Monitoring employees' social networking usage
Answer: C
Explanation
The best recommendation to reduce the risk of data leakage from employee use of social
networking sites for business purposes is to provide education and guidelines to employees
on use of social networking sites.
Education and guidelines can help employees understand the benefits and risks of using
social media for business purposes, such as enhancing brand awareness, engaging with
customers, or sharing industry insights.

12
 IT Certification Guaranteed, The Easy Way!

They can also inform employees about the dos and don'ts of social media etiquette, such as
respecting privacy, protecting intellectual property, avoiding conflicts of interest, or complying
with legal obligations. Education and guidelines can also raise awareness of potential data
leakage scenarios, such as phishing attacks, malicious links, fake profiles, or oversharing
sensitive information, and provide tips on how to prevent or respond to them.

QUESTION NO: 23
Which of the following is a social engineering attack method?
A. An unauthorized person attempts to gam access to secure premises by following an
authonzed person through a secure door.
B. An employee is induced to reveal confidential IP addresses and passwords by answering
questions over the phone.
C. A hacker walks around an office building using scanning tools to search for a wireless
network to gain access.
D. An intruder eavesdrops and collects sensitive information flowing through the network and
sells it to third parties.
Answer: B
Explanation
An employee is induced to reveal confidential IP addresses and passwords by answering
questions over the phone. This is a social engineering attack method that exploits the trust or
curiosity of the employee to obtain sensitive information that can be used to access or
compromise the network. According to the web search results, social engineering is a
technique that uses psychological manipulation to trick users into making security mistakes
or giving away sensitive information1. Phishing, whaling, baiting, and pretexting are some of
the common forms of social engineering attacks2. Social engineering attacks are often more
effective and profitable than purely technical attacks, as they rely on human error rather than
system vulnerabilities

QUESTION NO: 24
In a small IT web development company where developers must have write access to
production, the BEST recommendation of an IS auditor would be to:
A. hire another person to perform migration to production.
B. implement continuous monitoring controls.
C. remove production access from the developers.
D. perform a user access review for the development team
Answer: C
Explanation
The best recommendation for a small IT web development company where developers must
have write access to production is to remove production access from the developers.
Production access is the ability to modify or update the live systems or applications that are
used by customers or end users. Production access should be restricted to authorized and
qualified personnel only, as any changes or errors in production can affect the functionality,
performance, or security of the systems or applications. Developers should not have write
access to production, as they may introduce bugs, vulnerabilities, or inconsistencies in the
code that can compromise the quality or reliability of the systems or applications. The other

13
 IT Certification Guaranteed, The Easy Way!

options are not as effective as removing production access from the developers, as they do
not address the root cause of the problem or provide the same benefits. Hiring another
person to perform migration to production is a costly solution that can help segregate the
roles and responsibilities of developers and migrators, but it does not remove production
access from the developers. Implementing continuous monitoring controls is a good practice
that can help detect and correct any issues or anomalies in production, but it does not
remove production access from the developers.
Performing a user access review for the development team is a detective control that can
help verify and validate the access rights and privileges of developers, but it does not remove
production access from the developers. References: CISA Review Manual (Digital Version),
Chapter 3, Section 3.2

QUESTION NO: 25
During an audit of a reciprocal disaster recovery agreement between two companies, the IS
auditor would be MOST concerned with the:
A. allocation of resources during an emergency.
B. frequency of system testing.
C. differences in IS policies and procedures.
D. maintenance of hardware and software compatibility.
Answer: A
Explanation
During an audit of a reciprocal disaster recovery agreement between two companies, the IS
auditor would be most concerned with the allocation of resources during an emergency. A
reciprocal disaster recovery agreement is an arrangement by which one organization agrees
to use another's resources in the event of a business continuity event or incident. The IS
auditor would need to ensure that both parties have clearly defined their roles and
responsibilities, their resource requirements, their priority levels, their communication
channels, and their escalation procedures in case of a disaster. The IS auditor would also
need to verify that both parties have tested their agreement and have updated it regularly to
reflect any changes in their business environments. The frequency of system testing is not as
critical as the allocation of resources during an emergency, because system testing can be
performed periodically or on demand, while resource allocation is a dynamic and complex
process that requires careful planning and coordination. The differences in IS policies and
procedures are not as critical as the allocation of resources during an emergency, because
both parties can agree on common standards and protocols for their disaster recovery
operations, or they can adapt their policies and procedures to suit each other's needs. The
maintenance of hardware and software compatibility is not as critical as the allocation of
resources during an emergency, because both parties can use compatible or interoperable
systems, or they can use virtualization or cloud computing technologies to overcome any
compatibility issues. References: ISACA CISA Review Manual 27th Edition, page 281

QUESTION NO: 26
When an IS audit reveals that a firewall was unable to recognize a number of attack
attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS)
between the firewall and:

14
 IT Certification Guaranteed, The Easy Way!

A. the Internet.
B. the demilitarized zone (DMZ).
C. the organization's web server.
D. the organization's network.
Answer: A
Explanation
When an IS audit reveals that a firewall was unable to recognize a number of attack
attempts, the auditor's best recommendation is to place an intrusion detection system (IDS)
between the firewall and the Internet, as this would provide an additional layer of security and
alert the organization of any malicious traffic that bypasses or penetrates the firewall. Placing
an IDS between the firewall and the demilitarized zone (DMZ), the organization's web server,
or the organization's network would not be as effective, as it would only monitor the traffic
that has already passed through the firewall. References: CISA Review Manual (Digital
Version), Chapter 5, Section 5.4.3

QUESTION NO: 27
An IS auditor notes the transaction processing times in an order processing system have
significantly increased after a major release. Which of the following should the IS auditor
review FIRST?
A. Capacity management plan
B. Training plans
C. Database conversion results
D. Stress testing results
Answer: D
Explanation
The first thing that an IS auditor should review when finding that transaction processing times
in an order processing system have significantly increased after a major release is stress
testing results. Stress testing is a type of testing that evaluates how a system performs under
extreme or abnormal conditions, such as high volume, load, or concurrency of transactions.
Stress testing results can help explain why transaction processing times in an order
processing system have significantly increased after a major release by revealing any
bottlenecks, limitations, or errors in the system's capacity, performance, or functionality under
stress. The other options are not as relevant as stress testing results in explaining why
transaction processing times in an order processing system have significantly increased after
a major release, as they do not directly measure how the system performs under extreme or
abnormal conditions. Capacity management plan is a document that defines and implements
the processes and activities for ensuring that the system has adequate resources and
capabilities to meet current and future demands. Training plans are documents that define
and implement the processes and activities for ensuring that the system users have
adequate skills and knowledge to use the system effectively and efficiently. Database
conversion results are outcomes or outputs of transforming data from one format or structure
to another to suit the system's requirements or specifications. References: CISA Review
Manual (Digital Version), Chapter 3, Section 3.3

QUESTION NO: 28

15
 IT Certification Guaranteed, The Easy Way!

When reviewing an organization's information security policies, an IS auditor should verify
that the policies have been defined PRIMARILY on the basis of:
A. a risk management process.
B. an information security framework.
C. past information security incidents.
D. industry best practices.
Answer: A
Explanation
Information security policies are high-level statements that define the organization's approach
to protecting its information assets from threats and risks. They should be based primarily on
a risk management process, which is a systematic method of identifying, analyzing,
evaluating, treating, and monitoring information security risks. A risk management process
can help ensure that the policies are aligned with the organization's risk appetite, business
objectives, legal and regulatory requirements, and stakeholder expectations. An information
security framework is a set of standards, guidelines, and best practices that provide a
structure for implementing information security policies. It can support the risk management
process, but it is not the primary basis for defining the policies. Past information security
incidents and industry best practices can also provide valuable inputs for defining the
policies, but they are not sufficient to address the organization's specific context and needs.
References: Insights and Expertise, CISA Review Manual (Digital Version)

QUESTION NO: 29
Which of the following would be a result of utilizing a top-down maturity model process?
A. A means of benchmarking the effectiveness of similar processes with peers
B. A means of comparing the effectiveness of other processes within the enterprise
C. Identification of older, more established processes to ensure timely review
D. Identification of processes with the most improvement opportunities
Answer: D
Explanation
A top-down maturity model process is a method of assessing and improving the maturity
level of a process or a set of processes within an organization. A maturity level is a measure
of how well-defined, controlled, measured, and optimized a process is. A top-down maturity
model process starts with defining the desired maturity level and then identifying the gaps
and improvement opportunities for each process. This helps prioritize the processes that
need the most attention and improvement. Therefore, a result of utilizing a top-down maturity
model process is identification of processes with the most improvement opportunities.
A means of benchmarking the effectiveness of similar processes with peers, a means of
comparing the effectiveness of other processes within the enterprise, and identification of
older, more established processes to ensure timely review are not results of utilizing a top-
down maturity model process. These are possible benefits or objectives of using other types
of maturity models or assessment methods, but they are not specific to a top-down approach.

QUESTION NO: 30
What is MOST important to verify during an external assessment of network vulnerability?

16
 IT Certification Guaranteed, The Easy Way!

A. Update of security information event management (SIEM) rules
B. Regular review of the network security policy
C. Completeness of network asset inventory
D. Location of intrusion detection systems (IDS)
Answer: C
Explanation
An external assessment of network vulnerability is a process of identifying and evaluating the
weaknesses and risks that affect the security and availability of a network from an outsider's
perspective. The most important factor to verify during this process is the completeness of
network asset inventory, which is a list of all the devices, systems, and software that are
connected to or part of the network. A complete and accurate network asset inventory can
help identify the scope and boundaries of the network, the potential attack vectors and entry
points, the critical assets and dependencies, and the existing security controls and gaps.
Without a complete network asset inventory, an external assessment of network vulnerability
may miss some important assets or vulnerabilities, leading to inaccurate or incomplete
results and recommendations.
References:
1 explains what is an external vulnerability scan and why it is important to have a complete
network asset inventory.
2 provides a guide on how to conduct a full network vulnerability assessment and
emphasizes the importance of knowing the network assets.
3 compares internal and external vulnerability scanning and highlights the need for a
comprehensive network asset inventory for both types.

QUESTION NO: 31
During a review of a production schedule, an IS auditor observes that a staff member is not
complying with mandatory operational procedures. The auditor's NEXT step should be to:
A. note the noncompliance in the audit working papers.
B. issue an audit memorandum identifying the noncompliance.
C. include the noncompliance in the audit report.
D. determine why the procedures were not followed.
Answer: D

QUESTION NO: 32
Which of the following is the BEST control to mitigate the malware risk associated with an
instant messaging (IM) system?
A. Blocking attachments in IM
B. Blocking external IM traffic
C. Allowing only corporate IM solutions
D. Encrypting IM traffic
Answer: C
Explanation
Allowing only corporate IM solutions is the best control to mitigate the malware risk
associated with an IM system, because it can prevent unauthorized or malicious IM

17
 IT Certification Guaranteed, The Easy Way!

applications from accessing the network and infecting the system with malware. Corporate IM
solutions can also enforce security policies and standards, such as encryption,
authentication, and logging, to protect the IM system from malware attacks. Blocking
attachments in IM, blocking external IM traffic, and encrypting IM traffic are also possible
controls to mitigate the malware risk, but they are not as effective as allowing only corporate
IM solutions. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.4

QUESTION NO: 33
During an external review, an IS auditor observes an inconsistent approach in classifying
system criticality within the organization. Which of the following should be recommended as
the PRIMARY factor to determine system criticality?
A. Key performance indicators (KPIs)
B. Maximum allowable downtime (MAD)
C. Recovery point objective (RPO)
D. Mean time to restore (MTTR)
Answer: B
Explanation
The primary factor to determine system criticality within an organization is the maximum
allowable downtime (MAD). MAD is the maximum time frame during which recovery must
become effective before an outage compromises the ability of an organization to achieve its
business objectives and/or survival. MAD reflects the business impact of a system outage on
the organization's operations, reputation, compliance, and finances.
MAD can help to prioritize system recovery efforts, allocate resources, and establish recovery
objectives.

QUESTION NO: 34
Which of the following is the PRIMARY advantage of parallel processing for a new system
implementation?
A. Assurance that the new system meets functional requirements
B. More time for users to complete training for the new system
C. Significant cost savings over other system implemental or approaches
D. Assurance that the new system meets performance requirements
Answer: D
Explanation
Parallel processing is a system implementation approach that involves running the new
system and the old system simultaneously for a period of time until the new system is verified
and accepted. The primary advantage of parallel processing is that it provides assurance that
the new system meets performance requirements and produces the same or better results as
the old system. Parallel processing also minimizes the risk of system failure and data loss, as
the old system can be used as a backup or fallback option in case of any problems with the
new system.

QUESTION NO: 35
Which of the following is MOST important to ensure when planning a black box penetration
test?

18
 IT Certification Guaranteed, The Easy Way!

A. The management of the client organization is aware of the testing.
B. The test results will be documented and communicated to management.
C. The environment and penetration test scope have been determined.
D. Diagrams of the organization's network architecture are available.
Answer: C
Explanation
A black box penetration test is a type of security assessment that simulates an attack on a
system or network without any prior knowledge of its configuration or architecture. The main
objective of this test is to identify vulnerabilities and weaknesses that can be exploited by
external or internal threat actors. To plan a black box penetration test, it is most important to
ensure that the environment and penetration test scope have been determined. This means
that the tester and the client organization have agreed on the boundaries, objectives,
methods, and deliverables of the test, as well as the legal and ethical aspects of the
engagement. Without a clear definition of the environment and scope, the test may not be
effective, efficient, or compliant with relevant standards and regulations. Additionally, the
tester may cause unintended damage or disruption to the client's systems or networks, or
violate their privacy or security policies.
References:
What are black box, grey box, and white box penetration testing?
What Is Black-Box Penetration Testing and Why Should You Choose It?

QUESTION NO: 36
When evaluating the design of controls related to network monitoring, which of the following
is MOST important for an IS auditor to review?
A. Incident monitoring togs
B. The ISP service level agreement
C. Reports of network traffic analysis
D. Network topology diagrams
Answer: D
Explanation
Network topology diagrams are the most important for an IS auditor to review when
evaluating the design of controls related to network monitoring, because they show how the
network components are connected and configured, and what security measures are in place
to protect the network from unauthorized access or attacks. Incident monitoring logs, the ISP
service level agreement, and reports of network traffic analysis are useful for evaluating the
effectiveness and performance of network monitoring, but not the design of controls.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.3

QUESTION NO: 37
Which of the following would BEST facilitate the successful implementation of an IT-related
framework?
A. Aligning the framework to industry best practices
B. Establishing committees to support and oversee framework activities
C. Involving appropriate business representation within the framework

19
 IT Certification Guaranteed, The Easy Way!

D. Documenting IT-related policies and procedures
Answer: C

QUESTION NO: 38
An IS auditor finds the log management system is overwhelmed with false positive alerts.
The auditor's BEST recommendation would be to:
A. establish criteria for reviewing alerts.
B. recruit more monitoring personnel.
C. reduce the firewall rules.
D. fine tune the intrusion detection system (IDS).
Answer: D
Explanation
Fine tuning the intrusion detection system (IDS) is the best recommendation to reduce the
number of false positive alerts that overwhelm the log management system, because it can
help adjust the sensitivity and accuracy of the IDS rules and signatures to match the network
environment and traffic patterns. Establishing criteria for reviewing alerts, recruiting more
monitoring personnel, and reducing the firewall rules are not effective solutions to address
the root cause of the false positive alerts, but rather ways to cope with the consequences.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.3

QUESTION NO: 39
Which of the following is the BEST way to determine whether a test of a disaster recovery
plan (DRP) was successful?
A. Analyze whether predetermined test objectives were met.
B. Perform testing at the backup data center.
C. Evaluate participation by key personnel.
D. Test offsite backup files.
Answer: A
Explanation
The best way to determine whether a test of a disaster recovery plan (DRP) was successful
is to analyze whether predetermined test objectives were met. Test objectives are specific,
measurable, achievable, relevant, and time-bound (SMART) goals that define what the test
aims to accomplish and how it will be evaluated.
Test objectives should be aligned with the DRP objectives and scope, and should cover
aspects such as recovery time objectives (RTOs), recovery point objectives (RPOs), critical
business functions, roles and responsibilities, communication channels, backup systems, and
contingency procedures. By comparing the actual test results with the expected test
objectives, the IS auditor can measure the effectiveness and efficiency of the DRP and
identify any gaps or weaknesses that need to be addressed.

QUESTION NO: 40
A proper audit trail of changes to server start-up procedures would include evidence of:
A. subsystem structure.
B. program execution.

20
 IT Certification Guaranteed, The Easy Way!

C. security control options.
D. operator overrides.
Answer: D
Explanation
A proper audit trail of changes to server start-up procedures would include evidence of
operator overrides, which are actions taken by the system operator to bypass or modify the
normal execution of the server start-up process. Operator overrides may indicate
unauthorized or improper changes that could affect the security, availability, or performance
of the server. Therefore, an audit trail should capture and document any operator overrides
that occur during the server start-up process.
Evidence of subsystem structure, program execution, and security control options are not
directly related to changes to server start-up procedures. Subsystem structure refers to the
components and relationships of a subsystem within a larger system. Program execution
refers to the process of running a software program on a computer. Security control options
refer to the settings and parameters that define the security level and access rights for a
system or application. These are all important aspects of auditing a server, but they do not
provide evidence of changes to server start-up procedures.

QUESTION NO: 41
While executing follow-up activities, an IS auditor is concerned that management has
implemented corrective actions that are different from those originally discussed and agreed
with the audit function. In order to resolve the situation, the IS auditor's BEST course of
action would be to:
A. re-prioritize the original issue as high risk and escalate to senior management.
B. schedule a follow-up audit in the next audit cycle.
C. postpone follow-up activities and escalate the alternative controls to senior audit
management.
D. determine whether the alternative controls sufficiently mitigate the risk.
Answer: D
Explanation
The IS auditor's best course of action in this situation is to determine whether the alternative
controls sufficiently mitigate the risk. Alternative controls are different from those originally
discussed and agreed with the audit function, but they may still achieve the same objective of
addressing the audit issue or reducing the risk to an acceptable level. The IS auditor should
evaluate whether the alternative controls are appropriate, effective, and sustainable before
closing the audit finding or escalating it to senior management. The other options are not
appropriate for resolving this situation, as they do not consider whether the alternative
controls are adequate or reasonable. Re-prioritizing the original issue as high risk and
escalating to senior management is a drastic step that may undermine the relationship
between the auditor and management, and it should be done only after exhausting other
means of resolving the issue. Scheduling a follow-up audit in the next audit cycle is
unnecessary, as follow-up activities should be performed as soon as possible after
management has implemented corrective actions. Postponing follow-up activities and
escalating the alternative controls to senior audit management is premature, as follow-up
activities should be completed before reporting any findings or recommendations to senior

21
 IT Certification Guaranteed, The Easy Way!

audit management. References: CISA Review Manual (Digital Version), Chapter 2, Section
2.4

QUESTION NO: 42
Documentation of workaround processes to keep a business function operational during
recovery of IT systems is a core part of a:
A. business impact analysis (BIA).
B. threat and risk assessment.
C. business continuity plan (BCP).
D. disaster recovery plan (DRP).
Answer: C
Explanation
A business continuity plan (BCP) is a system of prevention and recovery from potential
threats to a company. The plan ensures that personnel and assets are protected and are
able to function quickly in the event of a disaster1. A core part of a BCP is the documentation
of workaround processes to keep a business function operational during recovery of IT
systems. Workaround processes are alternative methods or procedures that can be used to
perform a business function when the normal IT systems are unavailable or disrupted2. For
example, if an online payment system is down, a workaround process could be to accept
manual payments or use a backup system. Workaround processes help to minimize the
impact of IT disruptions on the business operations and ensure continuity of service to
customers and stakeholders3.
References:
1 explains what is a business continuity plan and why it is important.
2 defines what is a workaround process and how it can be used in a BCP.
3 provides examples of workaround processes for different business functions.

QUESTION NO: 43
Which of the following would MOST likely impair the independence of the IS auditor when
performing a post-implementation review of an application system?
A. The IS auditor provided consulting advice concerning application system best practices.
B. The IS auditor participated as a member of the application system project team, but did
not have operational responsibilities.
C. The IS auditor designed an embedded audit module exclusively for auditing the application
system.
D. The IS auditor implemented a specific control during the development of the application
system.
Answer: D
Explanation
The IS auditor's independence would be most likely impaired if they implemented a specific
control during the development of an application system. This is because the IS auditor
would be auditing their own work, which creates a self-review threat that could compromise
their objectivity and impartiality. The IS auditor should avoid participating in any operational
or management activities that could affect their ability to perform an unbiased audit. The
other options do not pose a significant threat to the IS auditor's independence, as long as

22
 IT Certification Guaranteed, The Easy Way!

they follow the ethical standards and guidelines of the profession.

QUESTION NO: 44
Which of the following tests would provide the BEST assurance that a health care
organization is handling patient data appropriately?
A. Compliance with action plans resulting from recent audits
B. Compliance with local laws and regulations
C. Compliance with industry standards and best practice
D. Compliance with the organization's policies and procedures
Answer: B
Explanation
The best test to provide assurance that a health care organization is handling patient data
appropriately is compliance with local laws and regulations, as these are the primary sources
of authority and obligation for data protection and privacy. Compliance with action plans,
industry standards, or organizational policies and procedures are also important, but they
may not cover all the legal requirements or reflect the current best practices for handling
patient data. References: CISA Review Manual (Digital Version), Chapter 2, Section
2.3

QUESTION NO: 45
Which audit approach is MOST helpful in optimizing the use of IS audit resources?
A. Agile auditing
B. Continuous auditing
C. Outsourced auditing
D. Risk-based auditing
Answer: D
Explanation
Risk-based auditing is an audit approach that focuses on the analysis and management of
risk within an organization. Risk-based auditing helps identify and prioritize the areas or
processes that pose the highest risk to the organization's objectives and allocate audit
resources accordingly. Risk-based auditing also helps provide assurance and advisory
services related to the organization's risk management processes and controls.
By using risk-based auditing, internal auditors can optimize the use of their audit resources
and add value to the organization.
Agile auditing, continuous auditing, and outsourced auditing are not audit approaches that
are most helpful in optimizing the use of IS audit resources. Agile auditing is a flexible and
iterative audit methodology that adapts to changing circumstances and stakeholder needs.
Continuous auditing is a method of performing audit activities on a real-time or near-real-time
basis using automated tools and techniques. Outsourced auditing is a practice of contracting
external auditors to perform some or all of the internal audit functions. These audit methods
may have some advantages or disadvantages depending on the context and objectives of
the audit, but they do not necessarily optimize the use of IS audit resources.

QUESTION NO: 46
Coding standards provide which of the following?

23
 IT Certification Guaranteed, The Easy Way!

A. Program documentation
B. Access control tables
C. Data flow diagrams
D. Field naming conventions
Answer: D
Explanation
Coding standards provide field naming conventions, which are rules for naming variables,
constants, functions, classes, and other elements in a program. Coding standards help to
ensure consistency, readability, maintainability, and portability of code. Program
documentation, access control tables, and data flow diagrams are not part of coding
standards. References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.1

QUESTION NO: 47
An organization plans to receive an automated data feed into its enterprise data warehouse
from a third-party service provider. Which of the following would be the BEST way to prevent
accepting bad data?
A. Obtain error codes indicating failed data feeds.
B. Appoint data quality champions across the organization.
C. Purchase data cleansing tools from a reputable vendor.
D. Implement business rules to reject invalid data.
Answer: D
Explanation
The best way to prevent accepting bad data from a third-party service provider is to
implement business rules to reject invalid data. Business rules are logical expressions that
define the business requirements and constraints for specific data elements. They can be
used to validate, transform, or filter incoming data from external sources, ensuring that only
high-quality data is accepted into the enterprise data warehouse. Business rules can also
help to identify and resolve data quality issues, such as missing values, duplicates, outliers,
or inconsistencies.

QUESTION NO: 48
When auditing the security architecture of an online application, an IS auditor should FIRST
review the:
A. firewall standards.
B. configuration of the firewall
C. firmware version of the firewall
D. location of the firewall within the network
Answer: D
Explanation
The security architecture of an online application is a design that describes how various
security components and controls are integrated and configured to protect the application
from internal and external threats. When auditing the security architecture of an online
application, an IS auditor should first review the location of the firewall within the network, as
this determines how effectively the firewall can filter and monitor the traffic between different

24
 IT Certification Guaranteed, The Easy Way!

network segments and zones. The firewall standards, configuration, and firmware version are
also important aspects to review, but they are secondary to the location of the firewall.

QUESTION NO: 49
What is the BEST control to address SQL injection vulnerabilities?
A. Unicode translation
B. Secure Sockets Layer (SSL) encryption
C. Input validation
D. Digital signatures
Answer: C
Explanation
Input validation is the best control to address SQL injection vulnerabilities, because it can
prevent malicious users from entering SQL commands or statements into input fields that are
intended for data entry, such as usernames or passwords. SQL injection is a technique that
exploits a security vulnerability in an application's software by inserting SQL code into a
query string that can execute commands on a database server. Unicode translation, SSL
encryption, and digital signatures are not effective controls against SQL injection, because
they do not prevent or detect SQL code injection into input fields. References: CISA Review
Manual (Digital Version), Chapter 5, Section 5.4.2

QUESTION NO: 50
Which of the following is the BEST way to address segregation of duties issues in an
organization with budget constraints?
A. Rotate job duties periodically.
B. Perform an independent audit.
C. Hire temporary staff.
D. Implement compensating controls.
Answer: D
Explanation
The best way to address segregation of duties issues in an organization with budget
constraints is to implement compensating controls, which are alternative controls that reduce
or eliminate the risk of errors or fraud due to inadequate segregation of duties. Compensating
controls may include independent reviews, reconciliations, approvals, or supervisions.
Rotating job duties periodically may reduce the risk of collusion or abuse of privileges, but it
may also affect operational efficiency and continuity. Performing an independent audit may
detect segregation of duties issues, but it does not prevent them. Hiring temporary staff may
increase operational costs and introduce new risks. References: CISA Review Manual
(Digital Version), Chapter 2, Section 2.4

QUESTION NO: 51
Which of the following should be done FIRST when planning a penetration test?
A. Execute nondisclosure agreements (NDAs).
B. Determine reporting requirements for vulnerabilities.
C. Define the testing scope.

25
 IT Certification Guaranteed, The Easy Way!

D. Obtain management consent for the testing.
Answer: D
Explanation
The first step when planning a penetration test is to obtain management consent for the
testing. This is because a penetration test involves simulating a cyberattack against the
organization's systems and networks, which may have legal, ethical, and operational
implications. Without proper authorization from management, a penetration test may violate
laws, policies, contracts, or service level agreements. Management consent also helps define
the objectives, scope, and boundaries of the test, as well as the roles and responsibilities of
the testers and the stakeholders. Obtaining management consent for the testing also
demonstrates due care and due diligence on the part of the testers and the organization.
Executing nondisclosure agreements (NDAs), determining reporting requirements for
vulnerabilities, and defining the testing scope are important steps when planning a
penetration test, but they are not the first step.
These steps should be done after obtaining management consent for the testing, as they
depend on the approval and involvement of management and other parties.

QUESTION NO: 52
An IS auditor suspects an organization's computer may have been used to commit a crime.
Which of the following is the auditor's BEST course of action?
A. Examine the computer to search for evidence supporting the suspicions.
B. Advise management of the crime after the investigation.
C. Contact the incident response team to conduct an investigation.
D. Notify local law enforcement of the potential crime before further investigation.
Answer: C
Explanation
The IS auditor's best course of action if they suspect an organization's computer may have
been used to commit a crime is to contact the incident response team to conduct an
investigation. The incident response team is a group of experts who are responsible for
responding to security incidents, such as data breaches, ransomware attacks, or
cybercrimes. The incident response team can help to preserve and collect digital evidence,
determine the scope and impact of the incident, contain and eradicate the threat, and restore
normal operations. The IS auditor should not examine the computer themselves, as they may
inadvertently alter or destroy potential evidence, or compromise the chain of custody. The IS
auditor should also not notify local law enforcement before further investigation, as this may
escalate the situation unnecessarily or interfere with the internal investigation process. The IS
auditor should advise management of the crime after the investigation, or as soon as
possible if there is an imminent risk or legal obligation to do so.

QUESTION NO: 53
Which of the following is the MOST effective way to maintain network integrity when using
mobile devices?
A. Implement network access control.
B. Implement outbound firewall rules.
C. Perform network reviews.

26
 IT Certification Guaranteed, The Easy Way!

D. Review access control lists.
Answer: A
Explanation
The most effective way to maintain network integrity when using mobile devices is to
implement network access control. Network access control is a security control that regulates
and restricts access to network resources based on predefined policies and criteria, such as
device type, identity, location, or security posture.
Network access control can help maintain network integrity when using mobile devices by
preventing unauthorized or compromised devices from accessing or affecting network
systems or data. The other options are not as effective as network access control in
maintaining network integrity when using mobile devices, as they do not address all aspects
of network access or security. Implementing outbound firewall rules is a security control that
filters and blocks network traffic based on source, destination, protocol, or port, but it does
not regulate or restrict network access based on device characteristics or conditions.
Performing network reviews is a monitoring activity that evaluates and reports on the
performance, availability, or security of network resources, but it does not regulate or restrict
network access based on device characteristics or conditions. Reviewing access control lists
is a verification activity that validates and confirms the access rights and privileges of network
users or devices, but it does not regulate or restrict network access based on device
characteristics or conditions. References: CISA Review Manual (Digital Version), Chapter 5,
Section 5.2.2

QUESTION NO: 54
The decision to accept an IT control risk related to data quality should be the responsibility of
the:
A. information security team.
B. IS audit manager.
C. chief information officer (CIO).
D. business owner.
Answer: D
Explanation
The decision to accept an IT control risk related to data quality should be the responsibility of
the business owner. The business owner is the person who has the authority and
accountability for the business process that relies on the data quality. The business owner
should understand the impact of data quality issues on the business objectives, performance,
and compliance. The business owner should also be involved in defining the data quality
requirements, assessing the data quality risks, and implementing the data quality controls or
mitigation strategies.

QUESTION NO: 55
Which of the following is MOST useful for determining whether the goals of IT are aligned
with the organization's goals?
A. Balanced scorecard
B. Enterprise dashboard
C. Enterprise architecture (EA)

27
 IT Certification Guaranteed, The Easy Way!

D. Key performance indicators (KPIs)
Answer: A
Explanation
The most useful tool for determining whether the goals of IT are aligned with the
organization's goals is a balanced scorecard. A balanced scorecard is a strategic
management system that translates an organization's vision and mission into a set of
objectives and measures across four perspectives: financial, customer, internal process, and
learning and growth. A balanced scorecard helps align IT goals with organizational goals by
linking them to a common strategy map that shows how IT contributes to value creation and
performance improvement in each perspective. A balanced scorecard also helps monitor and
evaluate IT performance against predefined targets and indicators.
Enterprise dashboard, enterprise architecture (EA), and key performance indicators (KPIs)
are not the most useful tools for determining whether the goals of IT are aligned with the
organization's goals. These tools may help communicate, design, or measure IT goals or
activities, but they do not provide a comprehensive framework for aligning IT goals with
organizational goals across multiple dimensions.

QUESTION NO: 56
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches
are not available.
What should the auditor recommend be done FIRST?
A. Implement a new system that can be patched.
B. Implement additional firewalls to protect the system.
C. Decommission the server.
D. Evaluate the associated risk.
Answer: D
Explanation
The first step in addressing a vulnerability is to evaluate the associated risk, which involves
assessing the likelihood and impact of a potential exploit. Based on the risk assessment, the
appropriate mitigation strategy can be determined, such as implementing a new system,
adding firewalls, or decommissioning the server.
References: ISACA CISA Review Manual 27th Edition, page 280

QUESTION NO: 57
Which of the following is the BEST way to mitigate the impact of ransomware attacks?
A. Invoking the disaster recovery plan (DRP)
B. Backing up data frequently
C. Paying the ransom
D. Requiring password changes for administrative accounts
Answer: B
Explanation
Ransomware is a type of malicious software that encrypts the victim's data and demands a
ransom for its decryption1. Ransomware attacks can cause significant damage to an
organization's operations, reputation, and finances1. Therefore, it is important to mitigate the

28
 IT Certification Guaranteed, The Easy Way!

impact of ransomware attacks by implementing effective prevention and recovery strategies.
One of the best ways to mitigate the impact of ransomware attacks is to back up data
frequently12345. Data backups are copies of the organization's data that are stored in a
separate location or medium, such as an external hard drive, cloud storage, or tape2. Data
backups can help the organization restore its data in case of a ransomware attack, without
paying the ransom or losing valuable information2. Data backups should be performed
regularly, preferably daily or weekly, depending on the criticality and volume of the data2.
Data backups should also be tested periodically to ensure their integrity and usability2.
The other options are not as effective as backing up data frequently in mitigating the impact
of ransomware attacks. Invoking the disaster recovery plan (DRP) is a reactive measure that
can help the organization resume its operations after a ransomware attack, but it does not
prevent or reduce the damage caused by the attack3.
Paying the ransom is not a recommended option, as it does not guarantee the decryption of
the data or the deletion of the stolen data by the attackers. Paying the ransom also
encourages further attacks and funds criminal activities14. Requiring password changes for
administrative accounts is a good security practice, but it is not sufficient to prevent or
recover from ransomware attacks. Ransomware attacks can exploit other vulnerabilities,
such as phishing emails, outdated software, or weak network security15.
References: 1: How to Mitigate the Risk of Ransomware Attacks: The Definitive Guide 2:
Mitigating malware and ransomware attacks - The National Cyber Security Centre 3: 3 steps
to prevent and recover from ransomware 4: Ransomware Epidemic: Use these 8 Strategies
to Mitigate Risk 5: Practical Steps to Mitigate Ransomware Attacks - ITSecurityWire

QUESTION NO: 58
An IS auditor is evaluating an organization's IT strategy and plans. Which of the following
would be of GREATEST concern?
A. There is not a defined IT security policy.
B. The business strategy meeting minutes are not distributed.
C. IT is not engaged in business strategic planning.
D. There is inadequate documentation of IT strategic planning.
Answer: C
Explanation
The greatest concern for an IS auditor when evaluating an organization's IT strategy and
plans is that IT is not engaged in business strategic planning, as this indicates a lack of
alignment between IT and business objectives, which could result in inefficient and ineffective
use of IT resources and capabilities. The absence of a defined IT security policy, the
nondistribution of business strategy meeting minutes, and the inadequate documentation of
IT strategic planning are also issues that should be addressed by an IS auditor, but they are
not as significant as IT's noninvolvement in business strategic planning. References: CISA
Review Manual (Digital Version), Chapter 3, Section 3.1

QUESTION NO: 59
During the implementation of an upgraded enterprise resource planning (ERP) system, which
of the following is the MOST important consideration for a go-live decision?
A. Rollback strategy

29
 IT Certification Guaranteed, The Easy Way!

B. Test cases
C. Post-implementation review objectives
D. Business case
Answer: D
Explanation
The most important consideration for a go-live decision when implementing an upgraded
enterprise resource planning (ERP) system is the business case. The business case is the
document that defines and justifies the need, value, feasibility, and risks of the project. It also
outlines the expected costs, benefits, outcomes, and impacts of the project. The business
case provides the basis for measuring and evaluating the success of the project. Therefore,
before deciding to go live with an upgraded ERP system, it is essential to review and validate
the business case to ensure that it is still relevant, accurate, realistic, and achievable.
A rollback strategy, test cases, and post-implementation review objectives are not the most
important considerations for a go-live decision when implementing an upgraded ERP system.
These are important elements of project planning, execution, and evaluation, but they are not
sufficient to determine whether the project is worth pursuing or delivering. These elements
should be aligned with and derived from the business case.

QUESTION NO: 60
IS management has recently disabled certain referential integrity controls in the database
management system (DBMS) software to provide users increased query performance. Which
of the following controls will MOST effectively compensate for the lack of referential integrity?
A. More frequent data backups
B. Periodic table link checks
C. Concurrent access controls
D. Performance monitoring tools
Answer: B
Explanation
Referential integrity is a property of data that ensures that all references between tables are
valid and consistent. Disabling referential integrity controls can result in orphaned records,
data anomalies, and inaccurate queries. The most effective way to compensate for the lack
of referential integrity is to perform periodic table link checks, which verify that all foreign keys
match existing primary keys in the related tables.
More frequent data backups, concurrent access controls, and performance monitoring tools
do not address the issue of data consistency and accuracy. References: ISACA CISA
Review Manual 27th Edition, page 291

QUESTION NO: 61
An organization has outsourced its data processing function to a service provider. Which of
the following would BEST determine whether the service provider continues to meet the
organization s objectives?
A. Assessment of the personnel training processes of the provider
B. Adequacy of the service provider's insurance
C. Review of performance against service level agreements (SLAs)

30
 IT Certification Guaranteed, The Easy Way!

D. Periodic audits of controls by an independent auditor
Answer: C
Explanation
Reviewing the performance against service level agreements (SLAs) would best determine
whether the service provider continues to meet the organization's objectives, as SLAs define
the expected level of service, quality, availability, and responsibilities of both parties.
Assessment of the personnel training processes of the provider, adequacy of the service
provider's insurance, and periodic audits of controls by an independent auditor are important
aspects of outsourcing, but they do not directly measure the performance of the service
provider against the organization's objectives. References: CISA Review Manual (Digital
Version), Chapter 3, Section 3.5.2

QUESTION NO: 62
Secure code reviews as part of a continuous deployment program are which type of control?
A. Detective
B. Logical
C. Preventive
D. Corrective
Answer: C
Explanation
Secure code reviews as part of a continuous deployment program are preventive controls.
Preventive controls are controls that aim to prevent or avoid undesirable events or outcomes
from occurring, such as errors, defects, or incidents. Secure code reviews are activities that
examine and evaluate the source code of a software or application to identify and eliminate
any vulnerabilities, flaws, or weaknesses that may compromise its security, functionality, or
performance. Secure code reviews as part of a continuous deployment program can help
prevent or avoid security issues or incidents from occurring by ensuring that the code is
secure and compliant before it is deployed to production. The other options are not correct
types of controls for secure code reviews as part of a continuous deployment program, as
they have different meanings and functions. Detective controls are controls that aim to detect
or discover undesirable events or outcomes that have occurred, such as errors, defects, or
incidents. Logical controls are controls that use software or hardware mechanisms to
regulate or restrict access to IT resources, such as data, systems, or networks.
Corrective controls are controls that aim to correct or rectify undesirable events or outcomes
that have occurred, such as errors, defects, or incidents. References: CISA Review Manual
(Digital Version), Chapter 3, Section 3.2

QUESTION NO: 63
Which of the following is the BEST method to safeguard data on an organization's laptop
computers?
A. Disabled USB ports
B. Full disk encryption
C. Biometric access control
D. Two-factor authentication

31
 IT Certification Guaranteed, The Easy Way!

Answer: B
Explanation
The best method to safeguard data on an organization's laptop computers is full disk
encryption. Full disk encryption is a technique that encrypts all the data stored on a hard
drive, including the operating system, applications, files, and folders. This means that if the
laptop is lost, stolen, or accessed by an unauthorized person, they will not be able to read or
modify any data without knowing the encryption key or password. Full disk encryption
provides a strong level of protection for data at rest, as it prevents data leakage or exposure
in case of physical theft or loss of the device.
References:
How to Protect the Data on Your Laptop
6 Steps to Practice Strong Laptop Security

QUESTION NO: 64
Which of the following is the BEST compensating control when segregation of duties is
lacking in a small IS department?
A. Background checks
B. User awareness training
C. Transaction log review
D. Mandatory holidays
Answer: C
Explanation
The best compensating control when segregation of duties is lacking in a small IS
department is transaction log review. Transaction log review can help detect any
unauthorized or fraudulent activities performed by IS staff who have access to multiple
functions or systems. Transaction log review can also provide an audit trail for accountability
and investigation purposes. The other options are not as effective as transaction log review in
compensating for the lack of segregation of duties. Background checks are preventive
controls that can help screen potential employees for any criminal records or dishonest
behavior, but they do not prevent existing employees from abusing their access privileges.
User awareness training is a detective control that can help educate users on how to report
any suspicious or abnormal activities in the IS environment, but it does not monitor or verify
the actions of IS staff. Mandatory holidays are deterrent controls that can discourage IS staff
from engaging in fraudulent activities by requiring them to take periodic leave, but they do not
prevent or detect such activities when they occur. References: CISA Review Manual (Digital
Version), Chapter 3, Section 3.2

QUESTION NO: 65
An IS audit reveals that an organization is not proactively addressing known vulnerabilities.
Which of the following should the IS auditor recommend the organization do FIRST?
A. Verify the disaster recovery plan (DRP) has been tested.
B. Ensure the intrusion prevention system (IPS) is effective.
C. Assess the security risks to the business.
D. Confirm the incident response team understands the issue.

32
 IT Certification Guaranteed, The Easy Way!

Answer: C
Explanation
If an IS audit reveals that an organization is not proactively addressing known vulnerabilities,
the IS auditor should recommend that the organization assess the security risks to the
business first, as this would help to prioritize the vulnerabilities based on their impact and
likelihood, and determine the appropriate mitigation strategies. Verifying the disaster recovery
plan (DRP) has been tested, ensuring the intrusion prevention system (IPS) is effective, and
confirming the incident response team understands the issue are important steps, but they
are not as urgent as assessing the security risks to the business. References: CISA Review
Manual (Digital Version), Chapter 5, Section 5.6

QUESTION NO: 66
The PRIMARY advantage of object-oriented technology is enhanced:
A. efficiency due to the re-use of elements of logic.
B. management of sequential program execution for data access.
C. grouping of objects into methods for data access.
D. management of a restricted variety of data types for a data object.
Answer: A
Explanation
The primary advantage of object-oriented technology is enhanced efficiency due to the re-
use of elements of logic. Object-oriented technology is a software design model that uses
objects, which contain both data and code, to create modular and reusable programs.
Objects can be inherited from other objects, which reduces duplication and improves
maintainability. Grouping objects into methods for data access, managing sequential program
execution for data access, and managing a restricted variety of data types for a data object
are not advantages of object-oriented technology. References: ISACA CISA Review Manual
27th Edition, page 304

QUESTION NO: 67
An organizations audit charier PRIMARILY:
A. describes the auditors' authority to conduct audits.
B. defines the auditors' code of conduct.
C. formally records the annual and quarterly audit plans.
D. documents the audit process and reporting standards.
Answer: A
Explanation
An organization's audit charter primarily describes the auditors' authority to conduct audits.
The audit charter is a formal document that defines the purpose, scope, responsibilities, and
reporting relationships of the internal audit function. It also establishes the auditors' right of
access to information, records, personnel, and physical properties relevant to their work. The
audit charter provides the basis for the auditors' independence and accountability to the
governing body and senior management.

QUESTION NO: 68
During an ongoing audit, management requests a briefing on the findings to date. Which of

33
 IT Certification Guaranteed, The Easy Way!

the following is the IS auditor's BEST course of action?
A. Review working papers with the auditee.
B. Request the auditee provide management responses.
C. Request management wait until a final report is ready for discussion.
D. Present observations for discussion only.
Answer: D
Explanation
The IS auditor's best course of action in this situation is to present observations for
discussion only.
Observations are factual statements or findings that are based on the audit evidence
collected and analyzed during the audit. Observations can be presented to management for
discussion and feedback, but they should not be considered as final conclusions or
recommendations until the audit is completed and the audit report is issued. The other
options are not appropriate for presenting the findings to date, as they may compromise the
audit quality or integrity. Reviewing working papers with the auditee is not advisable, as
working papers are confidential documents that contain the auditor's notes, calculations, and
opinions that may not be relevant or accurate for management's review. Requesting the
auditee provide management responses is premature, as management responses should be
obtained after the audit report is issued and the audit findings and recommendations are
finalized. Requesting management wait until a final report is ready for discussion is
impractical, as management may have a legitimate interest or need to know the audit
progress and results as soon as possible. References: CISA Review Manual (Digital
Version), Chapter 2, Section 2.3

QUESTION NO: 69
Which of the following would be to MOST concern when determine if information assets are
adequately safequately safeguarded during transport and disposal?
A. Lack of appropriate labelling
B. Lack of recent awareness training.
C. Lack of password protection
D. Lack of appropriate data classification
Answer: D
Explanation
The most concerning issue when determining if information assets are adequately
safeguarded during transport and disposal is lack of appropriate data classification. Data
classification is a process that assigns categories or levels of sensitivity to different types of
information assets based on their value, criticality, or risk to the organization. Data
classification can help safeguard information assets during transport and disposal by
providing criteria and guidelines for identifying, labeling, handling, and protecting information
assets according to their sensitivity. Lack of appropriate data classification can compromise
the security and confidentiality of information assets during transport and disposal by
exposing them to unauthorized access, disclosure, theft, damage, or destruction. The other
options are not as concerning as lack of appropriate data classification in safeguarding
information assets during transport and disposal, as they do not affect the identification,

34
 IT Certification Guaranteed, The Easy Way!

labeling, handling, or protection of information assets according to their sensitivity. Lack of
appropriate labeling is a possible factor that may increase the risk of misplacing, losing, or
mishandling information assets during transport and disposal, but it does not affect the
classification of information assets according to their sensitivity. Lack of recent awareness
training is a possible factor that may affect the knowledge or behavior of staff involved in
transporting or disposing of information assets, but it does not affect the classification of
information assets according to their sensitivity. Lack of password protection is a possible
factor that may affect the security or confidentiality of information assets stored on devices
during transport and disposal, but it does not affect the classification of information assets
according to their sensitivity. References: CISA Review Manual (Digital Version), Chapter 5,
Section 5.3.2

QUESTION NO: 70
Which of the following is the BEST source of information for assessing the effectiveness of IT
process monitoring?
A. Real-time audit software
B. Performance data
C. Quality assurance (QA) reviews
D. Participative management techniques
Answer: B
Explanation
The best source of information for assessing the effectiveness of IT process monitoring is
performance data.
Performance data is a type of information that measures and reports on the results or
outcomes of IT processes, such as availability, reliability, throughput, response time, or error
rate. Performance data can help assess the effectiveness of IT process monitoring by
providing quantitative and qualitative indicators of whether IT processes are meeting their
objectives, standards, or expectations. The other options are not as good as performance
data in assessing the effectiveness of IT process monitoring, as they do not provide direct or
objective evidence of IT process results or outcomes. Real-time audit software is a type of
tool that can help automate and facilitate audit activities, such as data collection, analysis, or
reporting, but it does not provide information on IT process performance. Quality assurance
(QA) reviews are a type of activity that can help evaluate and improve the quality of IT
processes, products, or services, but they do not provide information on IT process
performance. Participative management techniques are a type of method that can help
involve and motivate IT staff in decision-making and problem-solving processes, but they do
not provide information on IT process performance. References: CISA Review Manual
(Digital Version), Chapter 3, Section 3.3

QUESTION NO: 71
An organization's software developers need access to personally identifiable information (Pll)
stored in a particular data format. Which of the following is the BEST way to protect this
sensitive information while allowing the developers to use it in development and test
environments?
A. Data masking

35
 IT Certification Guaranteed, The Easy Way!

B. Data tokenization
C. Data encryption
D. Data abstraction
Answer: A
Explanation
The best way to protect sensitive information such as personally identifiable information (PII)
stored in a particular data format while allowing the software developers to use it in
development and test environments is data masking. Data masking is a technique that
replaces or obscures sensitive data elements with fictitious or modified data elements that
retain the original format and characteristics of the data. Data masking can help protect
sensitive information such as PII stored in a particular data format while allowing the software
developers to use it in development and test environments by preventing the exposure or
disclosure of the real data values without affecting the functionality or performance of the
software or application. The other options are not as effective as data masking in protecting
sensitive information such as PII stored in a particular data format while allowing the software
developers to use it in development and test environments, as they have different limitations
or drawbacks. Data tokenization is a technique that replaces sensitive data elements with
non-sensitive tokens that have no intrinsic value or meaning. Data tokenization can protect
sensitive information such as PII from unauthorized access or theft, but it may not retain the
original format an