CISA
Exam Name: Certified Information Systems Auditor
Full version: 1196 Q&As
Full version of CISA Dumps: https://www.certqueen.com/CISA.html
Share some CISA exam dumps below.

1. If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?
A. Comparison of object and executable code
B. Review of audit trail of compile dates
C. Comparison of date stamping of source and object code
D. Review of developer comments in executable code
Answer: C
Explanation:
Source code synchronization is the process of ensuring that the source code and the object code (the compiled version of the source code) are consistent and up-to-date [1]. When program changes are implemented, the source code should be recompiled to generate a new object code that reflects the changes. However, if the source code is not recompiled, there is a risk that the object code may be outdated or incorrect. A compensating control is a measure that reduces the risk of an existing control weakness or deficiency [2]. A compensating control for source code synchronization is to compare the date stamping of the source and object code. Date stamping is a method of recording the date and time when a file is created or modified [3]. By comparing the date stamping of the source and object code, one can verify whether they are synchronized. If the date stamp of the source code is newer than that of the object code, it means that the source code has been changed but not recompiled. If the date stamp of the object code is newer than that of the source code, it means that the object code has been compiled from a different source code. If the date stamps of both files are identical, it means that they are synchronized.

2. Which of the following is the BEST way to ensure a vendor complies with system security requirements?
A. Require security training for vendor staff.
B. Review past incidents reported by the vendor.
C. Review past audits on the vendor's security compliance.
D. Require a compliance clause in the vendor contract.
Answer: D

3. Upon completion of audit work, an IS auditor should:
A. provide a report to senior management prior to discussion with the auditee.
B. distribute a summary of general findings to the members of the auditing team.
C. provide a report to the auditee stating the initial findings.
D. review the working papers with the auditee.
Answer: B
Explanation:
Upon completion of audit work, an IS auditor should distribute a summary of general findings to the members of the auditing team. This is to ensure that the audit team members are aware of the audit results, have an opportunity to provide feedback, and can agree on the audit conclusions and recommendations. Providing a report to senior management prior to discussion with the auditee, providing a report to the auditee stating the initial findings, and reviewing the working papers with the auditee are not appropriate actions for an IS auditor to take upon completion of audit work, as they may compromise the audit independence, objectivity, and quality.
References: ISACA CISA Review Manual 27th Edition, page 221

4. Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:
A. business impact analysis (BIA).
B. threat and risk assessment.
C. business continuity plan (BCP).
D. disaster recovery plan (DRP).
Answer: C
Explanation:
A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster [1]. A core part of a BCP is the documentation of workaround processes to keep a business function operational during recovery of IT systems. Workaround processes are alternative methods or procedures that can be used to perform a business function when the normal IT systems are unavailable or disrupted [2]. For example, if an online payment system is down, a workaround process could be to accept manual payments or use a backup system. Workaround processes help to minimize the impact of IT disruptions on the business operations and ensure continuity of service to customers and stakeholders [3].
References:
[1] explains what a business continuity plan is and why it is important.
[2] defines what a workaround process is and how it can be used in a BCP.
[3] provides examples of workaround processes for different business functions.

5. Which type of attack targets security vulnerabilities in web applications to gain access to data sets?
A. Denial of service (DOS)
B. SQL injection
C. Phishing attacks
D. Rootkits
Answer: B
Explanation:
A SQL injection attack is a type of attack that targets security vulnerabilities in web applications to gain access to data sets. A SQL injection attack exploits a flaw in the web application code that allows an attacker to inject malicious SQL statements into the input fields or parameters of the web application. These SQL statements can then execute on the underlying database server and manipulate or retrieve sensitive data from the database. A SQL injection attack can result in data theft, data corruption, unauthorized access, denial of service or even complete takeover of the database server. A denial of service (DOS) attack is a type of attack that aims to disrupt the availability or functionality of a web application or a network service by overwhelming it with excessive requests or traffic. A phishing attack is a type of attack that uses deceptive emails or websites to trick users into revealing their personal or financial information or credentials. A rootkit is a type of malware that hides itself from detection and grants unauthorized access or control over a compromised system.
References: IS Audit and Assurance Tools and Techniques, CISA Certification | Certified Information Systems Auditor | ISACA

6. From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?
A. Inability to close unused ports on critical servers
B. Inability to identify unused licenses within the organization
C. Inability to deploy updated security patches
D. Inability to determine the cost of deployed software
Answer: C
Explanation:
The greatest risk associated with an incomplete inventory of deployed software in an organization is the inability to deploy updated security patches. Security patches are updates that fix vulnerabilities or bugs in software that could be exploited by attackers. Without an accurate inventory of software versions and configurations, it is difficult to identify and apply the relevant patches in a timely manner, which exposes the organization to increased security risks. Inability to close unused ports on critical servers, inability to identify unused licenses within the organization, and inability to determine the cost of deployed software are not as critical as security risks.
References: ISACA CISA Review Manual 27th Edition, page 308

7. Which of the following is the BEST performance indicator for the effectiveness of an incident management program?
A. Average time between incidents
B. Incident alert meantime
C. Number of incidents reported
D. Incident resolution meantime
Answer: D
Explanation:
The best performance indicator for the effectiveness of an incident management program is the incident resolution meantime. This is the average time it takes to resolve an incident from the moment it is reported to the moment it is closed. The incident resolution meantime reflects how quickly and efficiently the incident management team can restore normal service and minimize the impact of

The IS auditor should obtain written approval from management and verify that it is aligned with the organization’s policies and standards.
References:
CISA Review Manual (Digital Version) [1], Chapter 1: The Process of Auditing Information Systems, Section 1.4: Audit Evidence, p. 31-32.
CISA Review Manual (Print Version), Chapter 1: The Process of Auditing Information Systems, Section 1.4: Audit Evidence, p. 31-32.
CISA Online Review Course [2], Module 1: The Process of Auditing Information Systems, Lesson 4: Audit Evidence, slide 9-10.
CISA Questions, Answers & Explanations Database [3], Question ID: QAE_CISA_710.

50. Which of the following is the MOST appropriate indicator of change management effectiveness?
A. Time lag between changes to the configuration and the update of records
B. Number of system software changes
C. Time lag between changes and updates of documentation materials
D. Number of incidents resulting from changes
Answer: D
Explanation:
Change management is the process of planning, implementing, monitoring, and evaluating changes to an organization’s information systems and related components. Change management aims to ensure that changes are aligned with the business objectives, minimize risks and disruptions, and maximize benefits and value.
One of the key aspects of change management is measuring its effectiveness, which means assessing whether the changes have achieved the desired outcomes and met the expectations of the stakeholders. There are various indicators that can be used to measure change management effectiveness, such as time, cost, quality, scope, satisfaction, and performance.
Among the four options given, the most appropriate indicator of change management effectiveness is the number of incidents resulting from changes. An incident is an unplanned event or interruption that affects the normal operation or service delivery of an information system. Incidents can be caused by various factors, such as errors, defects, failures, malfunctions, or malicious attacks. Incidents can have negative impacts on the organization, such as loss of data, productivity, reputation, or revenue.
The number of incidents resulting from changes is a direct measure of how well the changes have been planned, implemented, monitored, and evaluated. A high number of incidents indicates that the changes have not been properly tested, verified, communicated, or controlled. A low number of incidents indicates that the changes have been executed smoothly and successfully. Therefore, the number of incidents resulting from changes reflects the quality and effectiveness of the change management process.
The other three options are not as appropriate indicators of change management effectiveness as the number of incidents resulting from changes. The time lag between changes to the configuration and the update of records is a measure of how timely and accurate the configuration management process is. Configuration management is a subset of change management that focuses on identifying, documenting, and controlling the configuration items (CIs) that make up an information system. The time lag between changes and updates of documentation materials is a measure of how well the documentation process is aligned with the change management process. Documentation is an important aspect of change management that provides information and guidance to the stakeholders involved in or affected by the changes. The number of system software changes is a measure of how frequently and extensively the system software is modified or updated. System software changes are a type of change that affects the operating system, middleware, or utilities that support an information system.
While these three indicators are relevant and useful for measuring certain aspects of change management, they do not directly measure the outcomes or impacts of the changes on the organization. They are more related to the inputs or activities of change management than to its outputs or results. Therefore, they are not as appropriate indicators of change management effectiveness as the number of incidents resulting from changes.
References:
Metrics for Measuring Change Management - Prosci
How to Measure Change Management Effectiveness: Metrics, Tools & Processes
Metrics for Measuring Change Management 2023 - Zendesk

51. An IS auditor has been asked to review the quality of data in a general ledger system. Which of the following would provide the auditor with the MOST meaningful results?
A. Discussion of the largest account values with business owners
B. Integrity checks against source documentation
C. System vulnerability assessment
D. Interviews with system owners and operators
Answer: B

52. Which of the following strategies BEST optimizes data storage without compromising data retention practices?
A. Limiting the size of file attachments being sent via email
B. Automatically deleting emails older than one year
C. Moving emails to a virtual email vault after 30 days
D. Allowing employees to store large emails on flash drives
Answer: A
Explanation:
The best strategy to optimize data storage without compromising data retention practices is to limit the size of file attachments being sent via email. This strategy can reduce the amount of storage space required for email messages, as well as the network bandwidth consumed by email traffic. File attachments can be large and often contain redundant or unnecessary information that can be compressed, converted, or removed before sending. By limiting the size of file attachments, the sender can encourage the use of more efficient formats, such as PDF or ZIP, or alternative methods of sharing files, such as cloud storage or web links. This can also improve the security and privacy of email communications, as large attachments may pose a higher risk of being intercepted, corrupted, or infected by malware.
References:
Data Storage Optimization: What is it and Why Does it Matter?
Data storage optimization 101: Everything you need to know

53. An IS auditor is reviewing documentation from a change that was applied to an application. Which of the following findings would be the GREATEST concern?
A. Testing documentation does not show manager approval.
B. Testing documentation is dated three weeks before the system implementation date.
C. Testing documentation is approved prior to completion of user acceptance testing (UAT).
D. Testing documentation is kept in hard copy format.
Answer: C

54. Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?
A. Review of monthly performance reports submitted by the vendor
B. Certifications maintained by the vendor
C. Regular independent assessment of the vendor
D. Substantive log file review of the vendor's system
Answer: C

55. Which of the following threats is mitigated by a firewall?
A. Intrusion attack
B. Asynchronous attack
C. Passive assault
D. Trojan horse
Answer: A

56. Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly. Which of the following tests during the quality assurance (QA) phase would have identified this concern?
A. Stress
B. Regression
C. Interface
D. Integration
Answer: A
Explanation:
Stress testing is a type of performance testing that evaluates how a system behaves under extreme load conditions, such as high user traffic, large data volumes, or limited resources. It is useful for identifying potential bottlenecks, errors, or failures that may affect the system’s functionality or availability. Stress testing during the quality assurance (QA) phase would have identified the concern of users complaining that a newly released ERP system is functioning too slowly. The other options are not as relevant for this concern, as they relate to different aspects of testing, such as regression testing (verifying that existing functionality is not affected by new changes), interface testing (verifying that the system interacts correctly with other systems or components), or integration testing (verifying that the system works as a whole after combining different modules or units).
References: CISA Review Manual (Digital Version), Domain 5: Protection of Information Assets, Section 5.4 Testing Techniques [1]

57. An IS auditor finds that the process for removing access for terminated employees is not documented. What is the MOST significant risk from this observation?
A. Procedures may not align with best practices.
B. Human resources (HR) records may not match system access.
C. Unauthorized access cannot be identified.
D. Access rights may not be removed in a timely manner.
Answer: D
Explanation:
The most significant risk from this observation is that access rights may not be removed in a timely manner. If the process for removing access for terminated employees is not documented, there is no clear guidance or accountability for who, how, when, and what actions should be taken to revoke the access rights of the employees who leave the organization. This could result in delays, inconsistencies, or omissions in removing access rights, which could allow terminated employees to retain unauthorized access to the organization’s systems and data. This could compromise the security, confidentiality, integrity, and availability of the information assets.
References:
CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database

58. How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?
A. Easy software version rollback
B. Smaller incremental changes
C. Fewer manual milestones
D. Automated software testing
Answer: B
Explanation:
A continuous integration/continuous development (CI/CD) process helps to reduce software failure risk by enabling smaller incremental changes to the software code, rather than large and infrequent updates [1][2]. Smaller incremental changes allow developers to detect and fix errors, bugs, or vulnerabilities more quickly and easily, and to ensure that the software is always in a working state [3][4]. Smaller incremental changes also reduce the complexity and uncertainty of the software development process, and improve the quality and reliability of the software product [5].
References:
[1] What is CI/CD? Continuous integration and continuous delivery explained
[2] 5 CI/CD challenges and how to solve them | TechBeacon
[3] Continuous Integration vs Continuous Delivery vs Continuous Deployment
[4] 7 CI/CD Challenges & their Must-Know Solutions | BrowserStack
[5] 5 common pitfalls of CI/CD and how to avoid them | InfoWorld

59. Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?
A. Penetration testing
B. Application security testing
C. Forensic audit
D. Server security audit
Answer: C
Explanation:
The type of review that is most important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application is C. Forensic audit. A forensic audit is a type of audit that involves collecting, analyzing, and preserving evidence of fraud, corruption, or other illegal or unethical activities [1]. A forensic audit can help the IS auditor to identify and document the source, scope, and impact of the exploitation, as well as the perpetrators, motives, and methods involved. A forensic audit can also help the IS auditor to provide recommendations for preventing or mitigating future exploitations, and to support any legal actions or investigations that may arise from the incident [2].

60. Which of the following is the PRIMARY reason an IS auditor would recommend offsite backups although critical data is already on a redundant array of inexpensive disks (RAID)?
A. Disks of the array cannot be hot-swapped for quick recovery.
B. The array cannot offer protection against disk corruption.
C. The array relies on proper maintenance.
D. The array cannot recover from a natural disaster.
Answer: D

61. The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
A. risk management review.
B. control self-assessment (CSA).
C. service level agreement (SLA).
D. balanced scorecard.
Answer: C
Explanation:
A service level agreement (SLA) is a contract between a service provider and a customer that defines the expected level of performance, risks, and capabilities of an IT infrastructure. An IS auditor can use an SLA to measure how well the IT infrastructure meets the business needs and objectives, as well as to identify any gaps or issues that need to be addressed. The other options are not directly related to measuring the performance, risks, and capabilities of an IT infrastructure.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.11
CISA Review Questions, Answers & Explanations Database, Question ID 203

62. Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?
A. Statement of work (SOW)
B. Nondisclosure agreement (NDA)
C. Service level agreement (SLA)
D. Privacy agreement
Answer: B
Explanation:
A nondisclosure agreement (NDA) is the best way to protect an organization’s proprietary code during a joint-development activity involving a third party. An NDA is a legal contract that binds the parties involved in a joint-development activity to keep confidential any information, data or materials that are shared or exchanged during the activity. An NDA specifies what constitutes confidential information, how it can be used, disclosed or protected, how long it remains confidential, what the exceptions and remedies for breach of confidentiality are, and other terms and conditions. An NDA can help to protect an organization’s proprietary code from being copied, modified, distributed or exploited by unauthorized parties without its consent or knowledge. The other options are not as effective as option B, as they do not address confidentiality issues specifically. A statement of work (SOW) is a document that defines the scope, objectives, deliverables, tasks, roles, responsibilities, timelines and costs of a joint-development activity, but it does not cover confidentiality issues explicitly. A service level agreement (SLA) is a document that defines the quality, performance and availability standards and metrics for a service provided by one party to another party in a joint-development activity, but it does not cover confidentiality issues explicitly. A privacy agreement is a document that defines how personal information collected from customers or users is collected, used, disclosed and protected by one party or both parties in a joint-development activity, but it does not cover confidentiality issues related to proprietary code.
References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development & Implementation, Section 3.2: Project Management Practices.

63. Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?
A. Reviewing results from simulated high-demand stress test scenarios
B. Performing a root cause analysis for past performance incidents
C. Anticipating current service level agreements (SLAs) will remain unchanged
D. Duplicating existing disk drive systems to improve redundancy and data storage
Answer: A

64. During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:
A. Future compatibility of the application.
B. Proposed functionality of the application.
C. Controls incorporated into the system specifications.
D. Development methodology employed.
Answer: C
Explanation:
The primary responsibility of an IS auditor during the design phase of a software development project is to evaluate the controls incorporated into the system specifications. Controls are mechanisms or procedures that aim to ensure the security, reliability, or performance of a system or process. System specifications are documents that define and describe the requirements, features, functions, or components of a system or software. Evaluating the controls incorporated into the system specifications is a key responsibility of an IS auditor during the design phase of a software development project, as it helps ensure that the system or software meets the organization’s objectives, standards, and expectations for security, reliability, or performance. The other options are not primary responsibilities of an IS auditor during the design phase of a software development project, as they do not directly relate to evaluating the controls incorporated into the system specifications. Future compatibility of the application is a possible factor that may affect the functionality or usability of the application in different environments or platforms, but it is not a primary responsibility of an IS auditor during the design phase of a software development project. Proposed functionality of the application is a possible factor that may affect the suitability or value of the application for meeting user needs or expectations, but it is not a primary responsibility of an IS auditor during the design phase of a software development project. Development methodology employed is a possible factor that may affect the quality or consistency of the software development process, but it is not a primary responsibility of an IS auditor during the design phase of a software development project.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

65. An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?
A. Decreased mean time between failures (MTBF)
B. Degradation of services
C. Limited tolerance for damage
D. Single point of failure
Answer: D

66. Which of the following BEST addresses the availability of an online store?
A. RAID level 5 storage devices
B. Online backups
C. A mirrored site at another location
D. Clustered architecture
Answer: C
Explanation:
The primary benefit of automating application testing is to provide test consistency. Automated testing can ensure that the same test cases are executed in the same manner and order every time, which can improve the reliability and accuracy of the test results. Providing more flexibility, replacing all manual test processes, and reducing the time to review code are possible benefits of automating application testing, but they are not the primary benefit.
References: ISACA, CISA Review Manual, 27th Edition, 2020, p. 309 [1]
ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

67. During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same area, which of the following is the BEST approach to optimize resources?
A. Leverage the work performed by external audit for the internal audit testing.
B. Ensure both the internal and external auditors perform the work simultaneously.
C. Request that the external audit team leverage the internal audit work.
D. Roll forward the general controls audit to the subsequent audit year.
Answer: A
Explanation:
The best approach to optimize resources when both internal and external audit teams are reviewing the same IT general controls area is to leverage the work performed by external audit for the internal audit testing. This can avoid duplication of efforts, reduce audit costs and enhance coordination between the audit teams. The internal audit team should evaluate the quality and reliability of the external audit work before relying on it. Ensuring both the internal and external auditors perform the work simultaneously is not an efficient use of resources, as it would create redundancy and possible interference. Requesting that the external audit team leverage the internal audit work may not be feasible or acceptable, as the external audit team may have different objectives, standards and independence requirements. Rolling forward the general controls audit to the subsequent audit year is not a good practice, as it would delay the identification and remediation of any control weaknesses in a high-risk area.
References: ISACA, CISA Review Manual, 27th Edition, 2018, page 247

68. Which of the following would MOST effectively help to reduce the number of repeated incidents in an organization?
A. Testing incident response plans with a wide range of scenarios
B. Prioritizing incidents after impact assessment
C. Linking incidents to problem management activities
D. Training incident management teams on current incident trends
Answer: C
Explanation:
Linking incidents to problem management activities would most effectively help to reduce the number of repeated incidents in an organization, because problem management aims to identify and eliminate the root causes of incidents and prevent their recurrence. Testing incident response plans, prioritizing incidents, and training incident management teams are all good practices, but they do not directly address the issue of repeated incidents.
References: ISACA ITAF 3rd Edition Section 3600

69. Which of the following areas is MOST important for an IS auditor to focus on when reviewing the maturity model for a technology organization?
A. Standard operating procedures
B. Service level agreements (SLAs)
C. Roles and responsibility matrix
D. Business resiliency
Answer: C
Explanation:
A maturity model for a technology organization is a tool that measures the progress and capability of the IT function in relation to its goals, processes, and practices. A maturity model can help identify gaps and areas for improvement, as well as benchmark the IT function against industry standards or best practices. One of the key aspects of a maturity model is the definition and clarity of roles and responsibilities for the IT function and its stakeholders. A roles and responsibility matrix, such as a RACI matrix, is a document that clarifies who is responsible, accountable, consulted, and informed for each task or deliverable in a project or process. A roles and responsibility matrix can help avoid confusion, duplication, or omission of work, as well as ensure accountability and communication among the IT function and its customers, partners, and suppliers. Therefore, an IS auditor should focus on reviewing the roles and responsibility matrix when evaluating the maturity model for a technology organization.
A standard operating procedure (SOP) is a document that describes the steps and instructions for performing a routine or repetitive task or process. SOPs are important for ensuring consistency, quality, and compliance in the IT function, but they are not directly related to the maturity model. A service level agreement (SLA) is a contract that defines the expectations and obligations between an IT service provider and its customers. SLAs are important for ensuring customer satisfaction, performance measurement, and dispute resolution in the IT function, but they are not directly related to the maturity model. A business resiliency plan is a document that outlines how an IT function will continue to operate or recover from a disruption or disaster. Business resiliency is important for ensuring availability, reliability, and security in the IT function, but it is not directly related to the maturity model.
References:
[1] Maturity Models for IT & Technology | Splunk
[2] Responsibility assignment matrix - Wikipedia
[3] Roles and Responsibilities Matrix - SDLCforms

70. An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country. What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?
A. Financial regulations affecting the organization
B. Data center physical access controls where the application is hosted
C. Privacy regulations affecting the organization
D. Per-unit cost charged by the hosting services provider for storage
Answer: C
Explanation:
This is because privacy regulations are laws or rules that protect the personal information of individuals from unauthorized access, use, disclosure, or transfer by third parties. Payroll audit documentation may contain sensitive and confidential data, such as employee names, salaries, benefits, taxes, deductions, and bank accounts. If the audit management application is hosted by a third party in a different country, the organization may need to comply with the privacy regulations of both its own country and the host country, as well as any international or regional agreements or frameworks that apply. Privacy regulations may impose various requirements and obligations on the organization, such as obtaining consent from the data subjects, implementing appropriate security measures, notifying data breaches, and ensuring data quality and accuracy. Privacy regulations may also grant various rights to the data subjects, such as accessing, correcting, deleting, or transferring their data.
Failing to comply with privacy</p><p>regulations may expose the organization to significant risks and consequences, such as legal</p><p>actions, fines, sanctions, reputational damage, or loss of trust.</p><p>Some examples of privacy regulations affecting the organization are:</p><p>The General Data Protection Regulation (GDPR), which is a comprehensive and strict privacy</p><p>regulation that applies to any organization that processes personal data of individuals in the</p><p>European Union (EU) or offers goods or services to them, regardless of where the organization</p><p>or the data is located1.</p><p>42 / 110</p><p>The California Consumer Privacy Act (CCPA), which is a broad and influential privacy regulation</p><p>that applies to any organization that collects personal information of California residents and</p><p>meets certain thresholds of revenue, data volume, or data sharing2.</p><p>The Health Insurance Portability and Accountability Act (HIPAA), which is a sector-specific</p><p>privacy regulation that applies to any organization that handles protected health information</p><p>(PHI) of individuals in the United States, such as health care providers, health plans, or health</p><p>care clearinghouses3.</p><p>Therefore, before using an audit management application hosted by a third party in a different</p><p>country, the internal audit team should conduct a thorough assessment of the privacy</p><p>regulations affecting the organization and ensure that they have adequate policies, procedures,</p><p>and controls in place to comply with them.</p><p>71. Which of the following is MOST critical to the success of an information security program?</p><p>A. Management's commitment to information security</p><p>B. User accountability for information security</p><p>C. Alignment of information security with IT objectives</p><p>D. 
Integration of business and information security</p><p>Answer: A</p><p>Explanation:</p><p>The most critical factor for the success of an information security program is management’s</p><p>commitment to information security. Management’s commitment to information security means</p><p>that the senior management supports, sponsors, funds, monitors and enforces the information</p><p>security program within the organization. Management’s commitment to information security</p><p>also demonstrates leadership, sets the tone and culture, and establishes the strategic direction</p><p>and objectives for information security. User accountability for information security, alignment of</p><p>information security with IT objectives, and integration of business and information security are</p><p>also important factors for the success of an information security program, but they are not as</p><p>critical as management’s commitment to information security, as they depend on or derive from</p><p>it.</p><p>References: Info Technology & Systems Resources | COBIT, Risk, Governance … - ISACA, IT</p><p>Governance and Process Maturity</p><p>72. An organization considering the outsourcing of a business application should FIRST:</p><p>A. define service level requirements.</p><p>B. perform a vulnerability assessment.</p><p>C. conduct a cost-benefit analysis.</p><p>43 / 110</p><p>D. issue a request for proposal (RFP).</p><p>Answer: C</p><p>Explanation:</p><p>An organization considering the outsourcing of a business application should first conduct a</p><p>cost-benefit analysis to evaluate the feasibility, viability and desirability of the outsourcing</p><p>decision. A cost-benefit analysis should compare the costs and benefits of outsourcing versus</p><p>keeping the application in-house, taking into account factors such as financial, operational,</p><p>strategic, legal, regulatory, security and quality aspects. 
A cost-benefit analysis should also</p><p>identify the risks and opportunities associated with outsourcing, and provide a basis for defining</p><p>the service level requirements, performing a vulnerability assessment, and issuing a request for</p><p>proposal (RFP) in the subsequent stages of the outsourcing process.</p><p>References: Info Technology & Systems Resources | COBIT, Risk, Governance … - ISACA,</p><p>CISA Certification | Certified Information Systems Auditor | ISACA</p><p>73. During a review, an IS auditor discovers that corporate users are able to access cloud-</p><p>based applications and data any Internet-connected web browser.</p><p>Which Of the following is the auditor’s BEST recommendation to prevent unauthorized access?</p><p>A. Implement an intrusion detection system (IDS),</p><p>B. Update security policies and procedures.</p><p>C. Implement multi-factor authentication.</p><p>D. Utilize strong anti-malware controls on all computing devices.</p><p>Answer: C</p><p>Explanation:</p><p>The best recommendation to prevent unauthorized access to cloud-based applications and data</p><p>is to implement multi-factor authentication (MFA). MFA is a method of verifying the identity of a</p><p>user by requiring two or more pieces of evidence, such as a password, a code sent to a phone,</p><p>or a biometric factor. MFA adds an extra layer of security to prevent unauthorized access, even</p><p>if the user’s password is compromised or stolen. MFA can also help comply with data privacy</p><p>and security regulations, such as the General Data Protection Regulation (GDPR) and the</p><p>Health Insurance Portability and Accountability Act (HIPAA).</p><p>The other options are not as effective as MFA in preventing unauthorized access. An intrusion</p><p>detection system (IDS) is a tool that monitors network traffic and alerts administrators of</p><p>suspicious or malicious activity, but it does not prevent access by itself. 
Updating security</p><p>policies and procedures is a good practice, but it does not ensure that users follow them or that</p><p>they are enforced. Utilizing strong anti-malware controls on all computing devices can help</p><p>protect against malware infections, but it does not prevent users from accessing cloud-based</p><p>44 / 110</p><p>applications and data from any Internet-connected web browser.</p><p>References:</p><p>ISACA, CISA Review Manual, 27th Edition, 2019, p. 2471</p><p>ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription2</p><p>What Is Cloud Security? | Google Cloud3</p><p>5 Cloud Application Security Best Practices | Snyk4</p><p>74. Which of the following</p><p>BEST enables alignment of IT with business objectives?</p><p>A. Benchmarking against peer organizations</p><p>B. Developing key performance indicators (KPIs)</p><p>C. Completing an IT risk assessment</p><p>D. Leveraging an IT governance framework</p><p>Answer: D</p><p>Explanation:</p><p>Leveraging an IT governance framework is the best way to enable alignment of IT with business</p><p>objectives, as it provides a set of principles, standards, processes, and practices that guide the</p><p>effective delivery of IT services that support the organization’s strategy and goals.</p><p>Benchmarking against peer organizations, developing key performance indicators (KPIs), and</p><p>completing an IT risk assessment are useful activities that can help measure and improve the</p><p>performance and value of IT, but they are not sufficient to ensure alignment without a</p><p>governance framework.</p><p>References: CISA Review Manual (Digital Version), Chapter 1: Information Systems Auditing</p><p>Process, Section 1.2: IT Governance</p><p>75. Which of the following provides the BEST evidence of the validity and integrity of logs in an</p><p>organization's security information and event management (SIEM) system?</p><p>A. Compliance testing</p><p>B. Stop-or-go sampling</p><p>C. 
Substantive testing</p><p>D. Variable sampling</p><p>Answer: C</p><p>Explanation:</p><p>Substantive testing © provides the best evidence of the validity and integrity of logs in an</p><p>organization’s security information and event management (SIEM) system, because it is a type</p><p>of audit testing that directly examines the accuracy, completeness, and reliability of the data and</p><p>transactions recorded in the logs. Substantive testing can involve various methods, such as re-</p><p>45 / 110</p><p>performance, inspection, observation, inquiry, or computer-assisted audit techniques (CAATs),</p><p>to verify the existence, occurrence, valuation, ownership, presentation, and disclosure of the log</p><p>data1. Substantive testing can also detect any errors, omissions, alterations, or manipulations of</p><p>the log data that may indicate fraud or misstatement2.</p><p>Compliance testing (A) is not the best evidence of the validity and integrity of logs in an</p><p>organization’s SIEM system, because it is a type of audit testing that evaluates the design and</p><p>effectiveness of the internal controls that are implemented to ensure compliance with laws,</p><p>regulations, policies, and procedures. Compliance testing can involve various methods, such as</p><p>walkthroughs, questionnaires, checklists, or flowcharts, to assess the adequacy, consistency,</p><p>and operation of the internal controls1. Compliance testing can provide assurance that the log</p><p>data are generated and processed in accordance with the established rules and standards, but</p><p>it does not directly verify the accuracy and reliability of the log data itself2.</p><p>Stop-or-go sampling (B) is not a type of audit testing, but a type of sampling technique that</p><p>auditors use to select a sample from a population for testing. 
Stop-or-go sampling is a</p><p>sequential sampling technique that allows auditors to stop testing before reaching the</p><p>predetermined sample size if the results are satisfactory or conclusive. Stop-or-go sampling can</p><p>reduce the audit cost and time by avoiding unnecessary testing, but it can also increase the</p><p>sampling risk and uncertainty by relying on a smaller sample3. Stop-or-go sampling does not</p><p>provide any evidence of the validity and integrity of logs in an organization’s SIEM system by</p><p>itself; it depends on the type and quality of the audit tests performed on the selected sample.</p><p>Variable sampling (D) is not a type of audit testing, but a type of sampling technique that</p><p>auditors use to estimate a numerical characteristic of a population for testing. Variable sampling</p><p>is a statistical sampling technique that allows auditors to measure the amount or rate of error or</p><p>deviation in a population by using quantitative methods. Variable sampling can provide precise</p><p>and objective results by using mathematical formulas and confidence intervals4. Variable</p><p>sampling does not provide any evidence of the validity and integrity of logs in an organization’s</p><p>SIEM system by itself; it depends on the type and quality of the audit tests performed on the</p><p>selected sample.</p><p>References:</p><p>Audit Testing Procedures - 5 Types and Their Use Cases</p><p>5 Types of Testing Methods Used During Audit Procedures | I.S. Partners Stop-or-Go Sampling</p><p>Definition</p><p>Variable Sampling Definition</p><p>76. In an IT organization where many responsibilities are shared which of the following is the</p><p>BEST control for detecting unauthorized data changes?</p><p>46 / 110</p><p>A. Users are required to periodically rotate responsibilities</p><p>B. Segregation of duties conflicts are periodically reviewed</p><p>C. Data changes are independently reviewed by another group</p><p>D. 
Data changes are logged in an outside application</p><p>Answer: C</p><p>Explanation:</p><p>The best control for detecting unauthorized data changes in an IT organization where many</p><p>responsibilities are shared is to have data changes independently reviewed by another group.</p><p>This is because an independent review can provide an objective and unbiased verification of the</p><p>data changes and ensure that they are authorized, accurate, and complete. An independent</p><p>review can also help to detect any errors, fraud, or malicious activities that may have occurred</p><p>during the data changes. An independent review can also provide assurance that the data</p><p>integrity and security are maintained.</p><p>References:</p><p>CISA Review Manual (Digital Version), Chapter 4, Section 4.31 CISA Online Review Course,</p><p>Domain 1, Module 4, Lesson 22</p><p>77. Having knowledge in which of the following areas is MOST relevant for an IS auditor</p><p>reviewing public key infrastructure (PKI)?</p><p>A. Design and application of key controls in public audit</p><p>B. Security strategy in public cloud Infrastructure as a Service (IaaS)</p><p>C. Modern encoding methods for digital communications</p><p>D. Technology and process life cycle for digital certificates and key pairs</p><p>Answer: D</p><p>78. Which of the following should be the FIRST step m managing the impact of a recently</p><p>discovered zero-day attack?</p><p>A. Evaluating the likelihood of attack</p><p>B. Estimating potential damage</p><p>C. Identifying vulnerable assets</p><p>D. Assessing the Impact of vulnerabilities</p><p>Answer: C</p><p>Explanation:</p><p>The first step in managing the impact of a recently discovered zero-day attack is to identify</p><p>vulnerable assets. A zero-day attack is a cyberattack that exploits a previously unknown or</p><p>unpatched vulnerability in a software or system, before the vendor or developer has had time to</p><p>47 / 110</p><p>fix it. 
Identifying vulnerable assets is crucial for managing the impact of a zero-day attack,</p><p>because it helps to determine the scope and severity of the attack, prioritize the protection and</p><p>mitigation measures, and isolate or quarantine the affected assets from further damage or</p><p>compromise. The other options are not the first steps in managing the impact of a zero-day</p><p>attack, because they either require more information about the vulnerable assets, or they are</p><p>part of the subsequent steps of assessing, responding, or recovering from the attack.</p><p>References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.4</p><p>79. An IS auditor is reviewing the security of a web-based customer relationship management</p><p>(CRM) system that is directly accessed by customers via the Internet, which of the following</p><p>should be a concern for the auditor?</p><p>A. The system is hosted on an external third-party service provider’s server.</p><p>B. The system is hosted in a hybrid-cloud platform managed by a service provider.</p><p>C. The system is hosted within a demilitarized zone (DMZ) of a corporate network.</p><p>D. The system is hosted within an internal segment of a corporate network.</p><p>Answer: D</p><p>Explanation:</p><p>A web-based CRM system that is directly accessed by customers via the Internet should be</p><p>hosted in a secure and isolated environment to protect it from external threats and unauthorized</p><p>access. A web-based</p><p>CRM system should also be reliable, trusted, and backed up regularly1.</p><p>Hosting the system on an external third-party service provider’s servers (A) or a hybrid-cloud</p><p>platform managed by a service provider (B) may not be a concern for the auditor if the service</p><p>provider has adequate security measures and service level agreements in place. 
The auditor</p><p>should verify the security controls and contractual terms of the service provider before trusting</p><p>them with the CRM data23.</p><p>Hosting the system within a demilitarized zone (DMZ) of a corporate network © is a common</p><p>practice to provide an extra layer of security to the CRM system from untrusted networks, such</p><p>as the Internet. A DMZ is a perimeter network that isolates the CRM system from the internal</p><p>network and filters the incoming traffic from the external network using a security gateway4567.</p><p>Hosting the system within an internal segment of a corporate network (D) is a concern for the</p><p>auditor because it exposes the CRM system and the internal network to potential attacks from</p><p>the Internet. The CRM system should not be directly accessible from the Internet without a DMZ</p><p>or a firewall to protect it. This could compromise the confidentiality, integrity, and availability of</p><p>the CRM data and the internal network78.</p><p>80. During an external review, an IS auditor observes an inconsistent approach in classifying</p><p>48 / 110</p><p>system criticality within the organization.</p><p>Which of the following should be recommended as the PRIMARY factor to determine system</p><p>criticality?</p><p>A. Key performance indicators (KPIs)</p><p>B. Mean time to restore (MTTR)</p><p>C. Maximum allowable downtime (MAD)</p><p>D. Recovery point objective (RPO)</p><p>Answer: C</p><p>81. Following a breach, what is the BEST source to determine the maximum amount of time</p><p>before customers must be notified that their personal information may have been compromised?</p><p>A. Information security policy</p><p>B. Industry standards</p><p>C. Incident response plan</p><p>D. Industry regulations</p><p>Answer: D</p><p>82. Which of the following is the PRIMARY reason an IS auditor would recommend offsite</p><p>backups although critical data is already on a redundant array of inexpensive disks (RAID)?</p><p>A. 
The array cannot offer protection against disk corruption.</p><p>B. The array cannot recover from a natural disaster.</p><p>C. The array relies on proper maintenance.</p><p>D. Disks of the array cannot be hot-swapped for quick recovery.</p><p>Answer: B</p><p>83. Which of the following should be an IS auditor's PRIMARY consideration when determining</p><p>which issues to include in an audit report?</p><p>A. Professional skepticism</p><p>B. Management's agreement</p><p>C. Materiality</p><p>D. Inherent risk</p><p>Answer: C</p><p>Explanation:</p><p>Materiality is the primary consideration when determining which issues to include in an audit</p><p>report, as it reflects the significance or importance of the issues to the users of the report.</p><p>Materiality is a relative concept that depends on the nature, context, and amount of the issues,</p><p>49 / 110</p><p>as well as the expectations and needs of the users. Materiality helps the auditor to prioritize the</p><p>issues and communicate them clearly and concisely.</p><p>References</p><p>ISACA CISA Review Manual, 27th Edition, page 256</p><p>Materiality in Auditing - AICPA</p><p>Materiality in Planning and Performing an Audit - IAASB</p><p>84. During audit planning, the IS audit manager is considering whether to budget for audits of</p><p>entities regarded by the business as having low risk.</p><p>Which of the following is the BEST course of action in this situation?</p><p>A. Outsource low-risk audits to external audit service providers.</p><p>B. Conduct limited-scope audits of low-risk business entities.</p><p>C. Validate the low-risk entity ratings and apply professional judgment.</p><p>D. Challenge the risk rating and include the low-risk entities in the plan.</p><p>Answer: C</p><p>Explanation:</p><p>Audit planning is the process of developing an overall strategy and approach for conducting an</p><p>audit. 
Audit planning involves identifying the objectives, scope, criteria, and methodology of the</p><p>audit, as well as the resources, schedule, and reporting requirements. Audit planning also</p><p>involves performing a risk assessment to identify and prioritize the areas of highest risk and</p><p>significance for the audit1. Risk assessment is a systematic process of evaluating the potential</p><p>risks that may be involved in a projected activity or undertaking. Risk assessment involves</p><p>identifying the sources and causes of risk, analyzing the likelihood and impact of risk, and</p><p>determining the level of risk and the appropriate response2.</p><p>During audit planning, the IS audit manager is considering whether to budget for audits of</p><p>entities regarded by the business as having low risk. The best course of action in this situation is</p><p>C. Validate the low-risk entity ratings and apply professional judgment.</p><p>This is because validating the low-risk entity ratings can help to ensure that the risk assessment</p><p>is accurate, reliable, and consistent with the business objectives and expectations. Validating</p><p>the low-risk entity ratings can also help to identify any changes or developments that may affect</p><p>the risk profile of the entities since the last assessment. Applying professional judgment can</p><p>help to determine whether the low-risk entities should be included or excluded from the audit</p><p>plan, based on factors such as materiality, relevance, significance, and assurance needs3.</p><p>85. In a RAO model, which of the following roles must be assigned to only one individual?</p><p>A. Responsible</p><p>50 / 110</p><p>B. Informed</p><p>C. Consulted</p><p>D. Accountable</p><p>Answer: D</p><p>Explanation:</p><p>In a RAO model, which stands for Responsible, Accountable, Consulted, and Informed, the</p><p>accountable role must be assigned to only one individual. 
The accountable role is the person</p><p>who has the ultimate authority and responsibility for the outcome of the project or task, and who</p><p>approves or rejects the work done by the responsible role. The accountable role cannot be</p><p>delegated or shared, as it is essential to have a clear and single point of accountability for each</p><p>project or task. The other roles can be assigned to more than one individual:</p><p>Responsible. This is the person who does the work or performs the task. There can be multiple</p><p>responsible roles for different aspects or phases of a project or task, as long as they are</p><p>coordinated and supervised by the accountable role.</p><p>Informed. This is the person who needs to be notified or updated about the progress or results</p><p>of the project or task. There can be multiple informed roles who have an interest or stake in the</p><p>project or task, but who do not need to be consulted or involved in the decision-making process.</p><p>Consulted. This is the person who provides input, feedback, or advice on the project or task.</p><p>There can be multiple consulted roles who have expertise or experience relevant to the project</p><p>or task, but who do not have the authority or responsibility to approve or reject the work done by</p><p>the responsible role.</p><p>86. Which of the following is the GREATEST advantage of maintaining an internal IS audit</p><p>function within an organization?</p><p>A. Increased independence and impartiality of recommendations</p><p>B. Better understanding of the business and processes</p><p>C. Ability to negotiate recommendations with management</p><p>D. Increased IS audit staff visibility and availability throughout the year</p><p>Answer: B</p><p>87. 
During the planning stage of a compliance audit, an IS auditor discovers that a bank's</p><p>inventory of compliance requirements does not include recent regulatory changes related to</p><p>managing data risk.</p><p>What should the auditor do FIRST?</p><p>A. Ask management why the regulatory changes have not been Included.</p><p>B. Discuss potential regulatory issues with the legal department</p><p>51 / 110</p><p>C. Report the missing regulatory updates to the chief information officer (CIO).</p><p>D. Exclude recent regulatory changes from the audit scope.</p><p>Answer: A</p><p>Explanation:</p><p>Asking management why the</p><p>regulatory changes have not been included is the first thing that</p><p>an IS auditor should do during the planning stage of a compliance audit. An IS auditor should</p><p>inquire about the reasons for not updating the inventory of compliance requirements with recent</p><p>regulatory changes related to managing data risk. This will help the IS auditor to understand</p><p>whether there is a gap in awareness, communication, or implementation of compliance</p><p>obligations within the organization. The other options are not the first things that an IS auditor</p><p>should do, but rather possible subsequent actions that may depend on management’s</p><p>response.</p><p>References:</p><p>CISA Review Manual (Digital Version), Chapter 2, Section 2.31</p><p>CISA Review Questions, Answers & Explanations Database, Question ID 214</p><p>88. Following a breach, what is the BEST source to determine the maximum amount of time</p><p>before customers must be notified that their personal information may have been compromised?</p><p>A. Industry regulations</p><p>B. Industry standards</p><p>C. Incident response plan</p><p>D. 
Information security policy</p><p>Answer: A</p><p>Explanation:</p><p>Following a breach, the maximum amount of time before customers must be notified that their</p><p>personal information may have been compromised depends on the industry regulations that</p><p>apply to the organization. Different industries and jurisdictions may have different legal and</p><p>regulatory requirements for breach notification, such as the General Data Protection Regulation</p><p>(GDPR) in the European Union, the Health Insurance Portability and Accountability Act (HIPAA)</p><p>in the United States, or the Personal Information Protection and Electronic Documents Act</p><p>(PIPEDA) in Canada. Industry standards, incident response plans, and information security</p><p>policies are not as authoritative as industry regulations in determining the breach notification</p><p>time frame.</p><p>References: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program</p><p>Management Guide]</p><p>52 / 110</p><p>89. Which of the following provides the MOST assurance over the completeness and accuracy</p><p>ol loan application processing with respect to the implementation of a new system?</p><p>A. Comparing code between old and new systems</p><p>B. Running historical transactions through the new system</p><p>C. Reviewing quality assurance (QA) procedures</p><p>D. Loading balance and transaction data to the new system</p><p>Answer: B</p><p>Explanation:</p><p>The most assurance over the completeness and accuracy of loan application processing with</p><p>respect to the implementation of a new system can be obtained by running historical</p><p>transactions through the new system. Historical transactions are transactions that have been</p><p>processed and recorded by the old system in the past. 
Running historical transactions through the new system can provide the most assurance over the completeness and accuracy of loan application processing, by comparing the results and outputs of the new system with those of the old system, and verifying whether they match or differ. This can help identify and resolve any errors or issues that may arise from the new system, such as data conversion, functionality, compatibility, etc. Comparing code between old and new systems is a possible way to obtain some assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system, but it is not the most effective one. Code is a set of instructions or commands that define how a system operates or functions. Comparing code between old and new systems can provide some assurance over the completeness and accuracy of loan application processing, by checking whether the logic, algorithms, or functions of the new system are consistent or equivalent with those of the old system. However, this may not be sufficient or reliable, as code may not reflect the actual performance or outcomes of the system, and may not detect any errors or issues that may occur at the data or user level. Reviewing quality assurance (QA) procedures is a possible way to obtain some assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system, but it is not the most effective one. QA procedures are steps or activities that ensure that a system meets its quality standards and requirements, such as testing, verification, validation, etc. Reviewing QA procedures can provide some assurance over the completeness and accuracy of loan application processing, by evaluating whether the new system has been properly tested and verified before implementation. However, this may not be adequate or accurate, as QA procedures may not cover all aspects or scenarios of loan application processing, and may not reveal any errors or issues that may arise after implementation. Loading balance and transaction data to the new system is a possible way to obtain some assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system, but it is not the most effective one. Balance and transaction data are data that reflect the status and history of loan applications in a system, such as amounts, dates, payments, etc. Loading balance and transaction data to the new system can provide some assurance over the completeness and accuracy of loan application processing, by transferring data from the old system to the new system and ensuring that they are consistent and correct. However, this may not be enough or valid, as balance and transaction data may not represent all aspects or features of loan application processing, and may not indicate any errors or issues that may arise

90. In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

A. integrated test facility (ITF).
B. parallel simulation.
C. transaction tagging.
D. embedded audit modules.

Answer: C

Explanation:
Transaction tagging is a technique by which transactions are marked with unique identifiers or headers and traced through the system using agents or sensors at each processing point1. Transaction tagging allows for continuous monitoring and analysis of transaction processing in a high-volume, real-time system by providing visibility into the performance, availability, and reliability of each transaction and its components1. Transaction tagging can also help to identify and isolate errors, bottlenecks, anomalies, and security issues in the system1.

91. From a risk management perspective, which of the following is the BEST approach when implementing a large and complex data center IT infrastructure?

A. Simulating the new infrastructure before deployment
B. Prototyping and a one-phase deployment
C. A deployment plan based on sequenced phases
D. A big bang deployment with a successful proof of concept

Answer: C

Explanation:
The best approach from a risk management perspective when implementing a large and complex data center IT infrastructure is to use a deployment plan based on sequenced phases, as this will allow the organization to break down the project into manageable and measurable stages, and to monitor and control the progress, quality, and outcomes of each phase12. A phased deployment plan can also help to reduce the risks of errors, failures, or disruptions that could affect the entire infrastructure, and to implement corrective actions or contingency plans as needed34.

References
1: Data Center Project Planning: A Guide to Success2
2: Data Center Project Planning: A Guide to Success4
3: Data Center Migration: A Step-by-Step Guide3
4: Data Center Migration: A Step-by-Step Guide1

92. Which of the following is the BEST data integrity check?

A. Counting the transactions processed per day
B. Performing a sequence check
C. Tracing data back to the point of origin
D. Preparing and running test data

Answer: C

Explanation:
Data integrity is the property that ensures that data is accurate, complete, consistent, and reliable throughout its lifecycle. The best data integrity check is tracing data back to the point of origin, which is the source where the data was originally created or captured.
This check can verify that data has not been altered or corrupted during transmission, processing, or storage. It can also identify any errors or discrepancies in data entry or conversion. Counting the transactions processed per day is a performance measure that does not directly assess data integrity. Performing a sequence check is a validity check that ensures that data follows a predefined order or pattern. It can detect missing or out-of-order data elements, but it cannot verify their accuracy or completeness. Preparing and running test data is a testing technique that simulates real data to evaluate how a system handles different scenarios. It can help identify errors or bugs in the system logic or functionality, but it cannot ensure data integrity in production environments.

References: Information Systems Operations and Business Resilience, CISA Review Manual (Digital Version)

93. During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report.
Which of the following is the auditor's BEST course of action?

A. Request that the IT manager be removed from the remaining meetings and future audits.
B. Modify the finding to include the IT manager's comments and inform the audit manager of the changes.
C. Remove the finding from the report and continue presenting the remaining findings.
D. Provide the evidence which supports the finding and keep the finding in the report.

Answer: D

94. An IS auditor is reviewing processes for importing market price data from external data providers.
Which of the following findings should the auditor consider MOST critical?

A. Imported data is not disposed of frequently.
B. The transfer protocol is not encrypted.
C. The transfer protocol does not require authentication.
D. The quality of the data is not monitored.

Answer: D

95. Which of the following is MOST important to determine when conducting an audit of an organization's data privacy practices?

A. Whether a disciplinary process is established for data privacy violations
B. Whether strong encryption algorithms are deployed for personal data protection
C. Whether privacy technologies are implemented for personal data protection
D. Whether the systems inventory containing personal data is maintained

Answer: D

Explanation:
The answer D is correct because the most important thing to determine when conducting an audit of an organization's data privacy practices is whether the systems inventory containing personal data is maintained. A systems inventory is a list of all the systems, applications, databases, and devices that store, process, or transmit personal data within the organization. Maintaining a systems inventory is essential for data privacy because it helps the organization to identify, classify, and protect the personal data it holds, as well as to comply with the relevant privacy laws and regulations. A systems inventory also enables the organization to perform data protection impact assessments (DPIAs), data breach notifications, data subject access requests, and data retention and disposal policies.

The other options are not as important as option D. Whether a disciplinary process is established for data privacy violations (option A) is a policy issue that may deter or sanction the employees who violate the data privacy rules, but it does not directly affect the data privacy practices of the organization. Whether strong encryption algorithms are deployed for personal data protection (option B) is a technical issue that may enhance the security and confidentiality of the personal data, but it does not address the other aspects of data privacy, such as accuracy, consent, and purpose limitation. Whether privacy technologies are implemented for personal data protection (option C) is also a technical issue that may support the data privacy practices of the organization, but it does not guarantee that the organization follows the best practices or complies with the applicable laws and regulations.

References:
IS Audit Basics: Auditing Data Privacy
Best Practices for Privacy Audits
ISACA Produces New Audit and Assurance Programs for Data Privacy and Mobile Computing

96. Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?

A. Guest operating systems are updated monthly.
B. The hypervisor is updated quarterly.
C. A variety of guest operating systems operate on one virtual server.
D. Antivirus software has been implemented on the guest operating system only.

Answer: D

Explanation:
Antivirus software has been implemented on the guest operating system only is the observation that an IS auditor would consider the greatest risk when conducting an audit of a virtual server farm for potential software vulnerabilities. A virtual server farm is a collection of servers that run multiple virtual machines (VMs) on a single physical host using a software layer called a hypervisor. A guest operating system is the operating system installed on each VM. Antivirus software is a software program that detects and removes malicious software from a computer system. If antivirus software has been implemented on the guest operating system only, it means that the hypervisor and the host operating system are not protected from malware attacks, which could compromise the security and availability of all VMs running on the same host. Therefore, antivirus software should be implemented on both the guest and host operating systems as well as on the hypervisor.

References: CISA Review Manual, 27th Edition, page 378

97. Which of the following is the BEST disposal method for flash drives that previously stored confidential data?

A. Destruction
B. Degaussing
C. Cryptographic erasure
D. Overwriting

Answer: A

98. During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization.
Which of the following should be recommended as the PRIMARY factor to determine system criticality?

A. Recovery point objective (RPO)
B. Maximum allowable downtime (MAD)
C. Mean time to restore (MTTR)
D. Key performance indicators (KPIs)

Answer: B

Explanation:
The primary factor to determine system criticality is the maximum allowable downtime (MAD), which is the maximum period of time that a system can be unavailable before causing significant damage or risk to the organization. The MAD reflects the business impact and the recovery requirements of the system, and it can be used to prioritize the systems and allocate the resources for disaster recovery planning. The other options are not as important as the MAD, and they may vary depending on the system characteristics and the recovery strategy. The recovery point objective (RPO) is the maximum amount of data loss that is acceptable for a system. The mean time to restore (MTTR) is the average time required to restore a system after a failure.
The key performance indicators (KPIs) are metrics that measure the performance and effectiveness of a system.

References: CISA Review Manual (Digital Version) 1, page 468-469.

99. Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?

A. Server room access history
B. Emergency change records
C. IT security incidents
D. Penetration test results

Answer: D

Explanation:
The IS auditor should ensure that penetration test results are classified at the highest level of sensitivity, because they contain detailed information about the vulnerabilities and weaknesses of the IT systems and networks, as well as the methods and tools used by the testers to exploit them. Penetration test results can be used by malicious actors to launch cyberattacks or cause damage to the organization if they are disclosed or accessed without authorization. Therefore, they should be protected with the highest level of confidentiality, integrity and availability. The other options are not as sensitive as penetration test results, because they either do not reveal as much information about the IT security posture, or they are already known or reported by the organization.

References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.4

100. Following an IT audit, management has decided to accept the risk highlighted in the audit report.
Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?

A. A communication plan exists for informing parties impacted by the risk.
B. Potential impact and likelihood are adequately documented.
C. Identified risk is reported into the organization's risk committee.
D. Established criteria exist for accepting and approving risk.

Answer: D

Explanation:
Clear criteria ensure a consistent, rational approach to risk acceptance decisions, demonstrating management's deliberate and informed approach to risk management.

References
ISACA CISA Review Manual (Current Edition) - Chapter on Risk Management
Risk Management Frameworks (e.g., ISO 31000, NIST SP 800-39) - Emphasize the importance of defined risk assessment and decision-making processes.

101. Which of the following is MOST important to consider when developing a service level agreement (SLA)?

A. Description of the services from the viewpoint of the provider
B. Detailed identification of work to be completed
C. Provisions for regulatory requirements that impact the end users' businesses
D. Description of the services from the viewpoint of the client organization

Answer: D

Explanation:
The most important factor to consider when developing a service level agreement (SLA) is the description of the services from the viewpoint of the client organization, because the SLA should reflect the needs and expectations of the client and specify the measurable outcomes and performance indicators that the provider must deliver34. The description of the services from the viewpoint of the provider, the detailed identification of work to be completed, and the provisions for regulatory requirements that impact the end users' businesses are also important elements of an SLA, but not as crucial as the client's perspective.

References: 3: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.1 4: CISA Online Review Course, Module 5, Lesson 3

102. Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground.
Which approach has been adopted?

A. Risk acceptance
B. Risk transfer
C. Risk reduction
D. Risk avoidance

Answer: D

103. A sample for testing must include the 80 largest client balances and a random sample of the rest.
What should the IS auditor recommend?

A. Query the database.
B. Develop an integrated test facility (ITF).
C. Use generalized audit software.
D. Leverage a random number generator.

Answer: C

Explanation:
Generalized audit software is a type of computer-assisted audit technique (CAAT) that allows the IS auditor to perform various audit tasks on the data stored in different file formats and databases1. Generalized audit software can help the IS auditor to select a sample for testing that includes the 80 largest client balances and a random sample of the rest, by using functions such as sorting, filtering, stratifying, and randomizing the data23. Generalized audit software can also help the IS auditor to perform other audit procedures on the sample, such as verifying the accuracy, completeness, and validity of the data4.

References
1: Generalized Audit Software (GAS) - ISACA
2: Audit Sampling - ISACA
3: How to use generalized audit software to perform audit sampling
4: Generalized Audit Software: A Review of Five Packages

104. As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?

A. Risk appetite
B. Critical applications in the cloud
C. Completeness of critical asset inventory
D. Recovery scenarios

Answer: C

Explanation:
The most important thing to assess when conducting a business impact analysis (BIA) is the completeness of critical asset inventory. This is because the critical asset inventory is the basis for identifying and prioritizing the business processes, functions, and resources that are essential for the continuity of operations. The critical asset inventory should include both tangible and intangible assets, such as hardware, software, data, personnel, facilities, contracts, and reputation. The critical asset inventory should also be updated regularly to reflect any changes in the business environment or needs.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.41 CISA Online Review Course, Domain 3, Module 3, Lesson 12

105. Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?

A. Performing independent reviews of responsible parties engaged in the project
B. Shortlisting vendors to perform renovations
C. Ensuring the project progresses as scheduled and milestones are achieved
D. Implementing data center operational controls

Answer: A

Explanation:
IS auditors primarily provide assurance and oversight. In this context, independent reviews ensure that those responsible for the renovation project are meeting their obligations, following best practices, and managing risks appropriately.

References:
ISACA's Code of Professional Ethics: Emphasizes the IS Auditor's duty to be independent and objective.
The Role of IS Audit: IS Auditors are not project managers but provide objective assessment and guidance regarding controls and risk mitigation within projects.
CISA Review Manual (27th Edition): May have sections discussing the role of IS auditors in infrastructure projects or similar initiatives.

106. A checksum is classified as which type of control?

A. Corrective control
B. Administrative control
C. Detective control
D. Preventive control

Answer: D

107. An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year.
Which of the following should the auditor do FIRST?

A. Escalate to audit management to discuss the audit plan
B. Notify the chief operating officer (COO) and discuss the audit plan risks
C. Exclude IS audits from the upcoming year's plan
D. Increase the number of IS audits in the plan

Answer: A

Explanation:
The auditor should first escalate to audit management to discuss the audit plan. This is because the audit plan should be based on a risk assessment and aligned with the organization's objectives and strategies. The auditor should not accept the CIO's request without proper justification and approval from the audit management, who are responsible for ensuring the audit plan's quality and independence.
The auditor should also communicate the potential risks and implications of not conducting IS audits in the upcoming year, such as missing new or emerging threats, vulnerabilities, or compliance issues.

References: CISA Review Manual (Digital Version), Chapter 2, Section 2.11 CISA Online Review Course, Domain 1, Module 1, Lesson 22

108. A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization.
Which of the following is MOST effective in detecting such an intrusion?

A. Using smart cards with one-time passwords
B. Periodically reviewing log files
C. Configuring the router as a firewall
D. Installing biometrics-based authentication

Answer: B

Explanation:
Periodically reviewing log files is the most effective way to detect intrusion attempts from outside the organization, as they can provide evidence of unauthorized access attempts, source IP addresses, timestamps and other relevant information. Using smart cards with one-time passwords or installing biometrics-based authentication can prevent unauthorized access, but not detect it. Configuring the router as a firewall can block unwanted traffic, but not log it.

References: ISACA, CISA Review Manual, 27th Edition, 2018, page 361

109. An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes.
Which of the following recommendations would BEST help to reduce the risk of data leakage?

A. Requiring policy acknowledgment and nondisclosure agreements signed by employees
B. Providing education and guidelines to employees on use of social networking sites
C. Establishing strong access controls on confidential data
D. Monitoring employees' social networking usage

Answer: B

Explanation:
While all the options can help reduce the risk of data leakage, providing education and guidelines to employees on the use of social networking sites would be the most effective. This is because it directly addresses the issue at hand - the use of social networking sites for business purposes1. Education and guidelines can help employees understand the risks associated with social media use and teach them how to safely and responsibly use these platforms for business purposes1. This includes understanding privacy settings, recognizing phishing attempts, and knowing what information should not be shared on these platforms1.

References:
10 Social Media Guidelines for Employees in 2023 - Hootsuite

110. Which of the following business continuity activities prioritizes the recovery of critical functions?

A. Business continuity plan (BCP) testing
B. Business impact analysis (BIA)
C. Disaster recovery plan (DRP) testing
D. Risk assessment

Answer: B

Explanation:
A business impact analysis (BIA) is a process that identifies and evaluates the potential effects or consequences of disruptions or disasters on an organization's critical business functions or processes. A BIA can help prioritize the recovery of critical functions by assessing their importance and urgency for the organization's operations, objectives, and stakeholders, and determining their recovery time objectives (RTOs), which are the maximum acceptable time for restoring a function after a disruption. A business continuity plan (BCP) testing is a process that verifies and validates the effectiveness and readiness of a BCP, which is a document that outlines the strategies and procedures for ensuring the continuity of critical business functions in the event of a disruption or disaster. A BCP testing does not prioritize the recovery of critical functions, but rather evaluates how well they are recovered according to the BCP. A disaster recovery plan (DRP) testing is a process that verifies and validates the effectiveness and readiness of a DRP, which is a document that outlines the technical and operational steps for restoring the IT systems and infrastructure that support critical business functions in the event of a disruption or disaster. A DRP testing does not prioritize the recovery of critical functions, but rather evaluates how well they are supported by the IT systems and infrastructure according to the DRP. A risk assessment is a process that identifies and analyzes the potential threats and vulnerabilities that could affect an organization's critical business functions or processes. A risk assessment does not prioritize the recovery of critical functions, but rather estimates their likelihood and impact of being disrupted by various risk scenarios.

111. What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?

A. Determine the resources required to make the control effective.
B. Validate the overall effectiveness of the internal control.
C. Verify the impact of the control no longer being effective.
D. Ascertain the existence of other compensating controls.

Answer: D

Explanation:
The first thing that an IS auditor should do when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective is to ascertain the existence of other compensating controls. Compensating controls are alternative controls that provide reasonable assurance of achieving the same objective as the original control. The IS auditor should verify whether there are any compensating controls in place that can mitigate the risk of the key control being ineffective, and evaluate their adequacy and effectiveness. The other options are not the first steps, because they either require more information about the compensating controls, or they are actions to be taken after identifying and assessing the compensating controls.

References: CISA Review Manual (Digital Version)1, Chapter 2, Section 2.2.3

112. The operations team of an organization has reported an IS security attack.
Which of the following should be the FIRST step for the security incident response team?

A. Report results to management
B. Document lessons learned
C. Perform a damage assessment
D. Prioritize resources for corrective action

Answer: C

Explanation:
The first step for the security incident response team after an IS security attack is reported is to perform a damage assessment. This involves identifying the scope, impact and root cause of the incident, as well as collecting and preserving evidence for further analysis and investigation. Reporting results to management, documenting lessons learned and prioritizing resources for corrective action are important steps, but they should be done after the damage assessment is completed.

References: CISA Review Manual (Digital Version), Chapter 6, Section 6.31

113. Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

A. Conduct periodic on-site assessments using agreed-upon criteria.
B. Periodically review the service level agreement (SLA) with the vendor.
C. Conduct an unannounced vulnerability assessment of vendor's IT systems.
D. Obtain evidence of the vendor's control self-assessment (CSA).

Answer: A

Explanation:
The most effective method to verify that a service vendor keeps control levels as required by the client is to conduct periodic on-site assessments using agreed-upon criteria. On-site assessments can provide direct evidence of whether the vendor's controls are operating effectively and consistently in accordance with the client's expectations and requirements. Agreed-upon criteria can ensure that the assessments are objective, relevant, and reliable. The other options are not as effective as on-site assessments in verifying the vendor's control levels.
Periodically reviewing the SLA with the vendor can help monitor whether the vendor meets its contractual obligations and service standards, but it does not provide assurance of whether the vendor's controls are adequate or sufficient. Conducting an unannounced vulnerability assessment of vendor's IT systems can help identify any weaknesses or gaps in the vendor's security controls, but it may violate the terms and conditions of the vendor-client relationship or cause operational disruptions. Obtaining evidence of the vendor's CSA can provide some indication of whether the vendor's controls are self-monitored and reported, but it does not verify whether the vendor's controls are independent or accurate.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4

incidents on the business operations and customer satisfaction.

The average time between incidents (option A) is not a good performance indicator for the effectiveness of an incident management program, as it does not measure how well the incidents are handled or resolved. It only shows how frequently the incidents occur, which may depend on various factors beyond the control of the incident management team, such as the complexity and reliability of the systems, the security threats and vulnerabilities, and the user behavior and expectations.

The incident alert meantime (option B) is the average time it takes to detect and report an incident. While this is an important metric for measuring the responsiveness and awareness of the incident management team, it does not indicate how effective the incident management program is in resolving the incidents and restoring normal service.

The number of incidents reported (option C) is also not a good performance indicator for the effectiveness of an incident management program, as it does not reflect how well the incidents are handled or resolved. It only shows how many incidents are identified and recorded, which may vary depending on the reporting channels, tools, and procedures used by the incident management team and the users.

Therefore, option D is the correct answer.

References:
Incident Management: Processes, Best Practices & Tools - Atlassian
What is backup and disaster recovery? | IBM

8. Which of the following is the GREATEST advantage of outsourcing the development of an e-banking solution when in-house technical expertise is not available?

A. Lower start-up costs
B. Reduced risk of system downtime
C. Direct oversight of risks
D. Increased ability to adapt the system

Answer: A

Explanation:
Outsourcing the development of an e-banking solution when in-house technical expertise is not available can significantly reduce start-up costs. This is because the organization can avoid the expenses associated with hiring and training a full-time development team, purchasing necessary hardware and software, and maintaining the system1. While outsourcing can also potentially reduce the risk of system downtime, increase the ability to adapt the system, and provide direct oversight of risks, these benefits are not as immediate or guaranteed as the cost savings123.

References: Maxicus1, Forbes2, Strategy& - PwC3

9. Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

A. Implement network access control.
B. Implement outbound firewall rules.
C. Perform network reviews.
D. Review access control lists.

Answer: A

Explanation:
The most effective way to maintain network integrity when using mobile devices is to implement network access control. Network access control is a security control that regulates and restricts access to network resources based on predefined policies and criteria, such as device type, identity, location, or security posture. Network access control can help maintain network integrity when using mobile devices by preventing unauthorized or compromised devices from accessing or affecting network systems or data. The other options are not as effective as network access control in maintaining network integrity when using mobile devices, as they do not address all aspects of network access or security. Implementing outbound firewall rules is a security control that filters and blocks network traffic based on source, destination, protocol, or port, but it does not regulate or restrict network access based on device characteristics or conditions. Performing network reviews is a monitoring activity that evaluates and reports on the performance, availability, or security of network resources, but it does not regulate or restrict network access based on device characteristics or conditions. Reviewing access control lists is a verification activity that validates and confirms the access rights and privileges of network users or devices, but it does not regulate or restrict network access based on device characteristics or conditions.

References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.2

10. A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

A. IT operator
B. System administration
C. Emergency support
D. Database administration

Answer: C

Explanation:
Segregation of duties (SOD) is a core internal control and an essential component of an effective risk management strategy. SOD emphasizes sharing the responsibilities of key business processes by distributing the discrete functions of these processes to multiple people and departments, helping to reduce the risk of possible errors and fraud1.

SOD is especially important in IT security, where granting excessive system access to one person or group can lead to harmful consequences, such as data breaches, identity theft, or bypassing security controls2. SOD breaks IT-related tasks into four separate function categories: authorization, custody, recordkeeping, and reconciliation1. Ideally, no one person or department holds responsibility in multiple categories.

In a role-based environment, where access privileges are granted based on predefined roles, it is important to ensure that the roles are designed and assigned in a way that supports SOD. For example, the person who develops an application should not also be the one who tests it, deploys it, or maintains it.

Therefore, an application developer should not be assigned the roles of IT operator, system administration, or database administration, as these roles may conflict with their development role and create opportunities for misuse or abuse of the system. The only role that may be assigned to an application developer without violating SOD is emergency support, which is a temporary role that allows the developer to access the system in case of a critical issue that requires immediate resolution3. However, even this role should be granted with caution and monitored closely to ensure compliance with SOD policies.

References:
ISACA, CISA Review Manual, 27th Edition, 2019, page 2824
ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription, QID 1066692
Hyperproof Blog, Segregation of Duties: What it is and Why it's Important1
Advisera Blog, Segregation of duties in your ISMS according to ISO 27001 A.6.1.23

11. An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee.
Which type of control has been added?

A. Detective
B. Preventive
C. Compensating
D. Corrective

Answer: B

12. Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

A. Frequent testing of backups
B. Annual walk-through testing
C. Periodic risk assessment
D. Full operational test

Answer: D

Explanation:
A disaster recovery plan (DRP) is a set of procedures and resources that enable an organization to restore its critical operations, data, and applications in the event of a disaster1. A DRP should be aligned with the organization's business continuity plan (BCP), which defines the strategies and objectives for maintaining business functions during and after a disaster1.

To ensure that a DRP is effective, it should be tested regularly and thoroughly to identify and resolve any issues or gaps that might hinder its execution2345. Testing a DRP can help evaluate its feasibility, validity, reliability, and compatibility with the organization's environment and needs4. Testing can also help prepare the staff, stakeholders, and vendors involved in the DRP for their roles and responsibilities during a disaster3.

114. An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:

A. some of the identified threats are unlikely to occur.
B. all identified threats relate to external entities.
C. the exercise was completed by local management.
D.
neighboring organizations' operations have been included.</p><p>Answer: B</p><p>Explanation:</p><p>: An IS auditor reviewing the threat assessment for a data center would be most concerned if all</p><p>identified threats relate to external entities. This indicates that the threat assessment is</p><p>incomplete and biased, as it ignores the potential threats from internal sources, such as</p><p>employees, contractors, vendors, or authorized visitors. Internal threats can pose significant</p><p>risks to the data center, as they may have access to sensitive information, systems, or facilities,</p><p>and may exploit their privileges for malicious or fraudulent purposes. According to a study by</p><p>IBM, 60% of cyberattacks in 2015 were carried out by insiders1</p><p>Some of the identified threats are unlikely to occur is not a cause for concern, as it shows that</p><p>the threat assessment is comprehensive and realistic, and considers all possible scenarios,</p><p>regardless of their probability. A threat assessment should not exclude any potential threats</p><p>based on subjective judgments or assumptions, as they may still have a high impact if they</p><p>materialize.</p><p>The exercise was completed by local management is not a cause for concern, as it shows that</p><p>the threat assessment is conducted by the people who are most familiar with the data center’s</p><p>operations, environment, and risks. Local management may have more relevant and accurate</p><p>information and insights than external parties, and may be more invested in the outcome of the</p><p>threat assessment.</p><p>Neighboring organizations’ operations have been included is not a cause for concern, as it</p><p>shows that the threat assessment is holistic and contextual, and considers the</p><p>interdependencies and influences of external factors on the data center’s security. 
Neighboring</p><p>66 / 110</p><p>organizations’ operations may pose direct or indirect threats to the data center, such as</p><p>physical damage, network interference, or shared vulnerabilities.</p><p>References:</p><p>IBM Security Services 2016 Cyber Security Intelligence Index 1</p><p>115. Which of the following should an organization do to anticipate the effects of a disaster?</p><p>A. Define recovery point objectives (RPO)</p><p>B. Simulate a disaster recovery</p><p>C. Develop a business impact analysis (BIA)</p><p>D. Analyze capability maturity model gaps</p><p>Answer: C</p><p>Explanation:</p><p>A business impact analysis (BIA) is the process of identifying and assessing the potential</p><p>impacts a disruption or incident could have on an organization. A BIA helps organizations</p><p>understand and prepare for these potential obstacles, so they can act quickly and face</p><p>challenges head-on when they arise. A BIA tells the organization what to expect when</p><p>unforeseen roadblocks occur, so they can make a plan to get their business back on track as</p><p>quickly as possible. Therefore, a BIA is the best option to anticipate the effects of a disaster.</p><p>References:</p><p>10: Business Impact Analysis (BIA): Prepare for Anything [2023] • Asana</p><p>11: Definition of Business Impact Analysis (BIA) - IT Glossary | Gartner Information Technology</p><p>12: Business impact analysis (BIA) is a method to predict the consequences of disruptions to a</p><p>business, its processes and systems by collecting relevant data.</p><p>116. An IS auditor is evaluating the progress of a web-based customer service application</p><p>development project.</p><p>Which of the following would be MOST helpful for this evaluation?</p><p>A. Backlog consumption reports</p><p>B. Critical path analysis reports</p><p>C. Developer status reports</p><p>D. 
Change management logs</p><p>Answer: A</p><p>Explanation:</p><p>A backlog consumption report is a report that shows the amount of work that has been</p><p>completed and the amount of work that remains to be done in a project. It is a useful tool for</p><p>measuring the progress and performance of a web-based customer service application</p><p>67 / 110</p><p>development project, as it can indicate whether the project is on track, ahead or behind</p><p>schedule, and how much effort is required to finish the project. A backlog consumption report</p><p>can also help identify any issues or risks that may affect the project delivery. Critical path</p><p>analysis reports, developer status reports and change management logs are also helpful for</p><p>evaluating a project, but they are not as helpful as a backlog consumption report, as they do not</p><p>provide a clear picture of the overall project status and completion rate.</p><p>References:</p><p>: [Backlog Consumption Report Definition]</p><p>: Backlog Consumption Report | ISACA</p><p>117. Which of the following findings would be of GREATEST concern to an IS auditor reviewing</p><p>firewall security for an organization's corporate network?</p><p>A. The production configuration does not conform to corporate policy.</p><p>B. Responsibility for the firewall administration rests with two different divisions.</p><p>C. Industry hardening guidance has not been considered.</p><p>D. The firewall configuration file is extremely long and complex.</p><p>Answer: A</p><p>118. Which of the following poses the GREATEST risk to an organization when employees use</p><p>public social networking sites?</p><p>A. Cross-site scripting (XSS)</p><p>B. Copyright violations</p><p>C. Social engineering</p><p>D. Adverse posts about the organization</p><p>Answer: C</p><p>Explanation:</p><p>Social engineering is the manipulation of people to perform actions or divulge confidential</p><p>information. 
It is a common technique used by attackers to gain unauthorized access to systems</p><p>or data. Employees who use public social networking sites may be vulnerable to social</p><p>engineering attacks, such as phishing, baiting, or pretexting, which pose the greatest risk to the</p><p>organization’s security. The other options are not as serious as social engineering, as they</p><p>relate to web application vulnerabilities, intellectual property rights, and reputation management,</p><p>which are less likely to compromise the organization’s assets or operations.</p><p>References: CISA Review Manual (Digital Version), Domain 5: Protection of Information Assets,</p><p>Section 5.3 Security Awareness Training1</p><p>68 / 110</p><p>119. Which of the following constitutes an effective detective control in a distributed processing</p><p>environment?</p><p>A. A log of privileged account use is reviewed.</p><p>B. A disaster recovery plan (DRP)4% in place for the entire system.</p><p>C. User IDs are suspended after three incorrect passwords have been entered.</p><p>D. Users are required to request additional access via an electronic mail system.</p><p>Answer: A</p><p>120. Which of following is MOST important to determine when conducting a post-</p><p>implementation review?</p><p>A. Whether the solution architecture compiles with IT standards</p><p>B. Whether success criteria have been achieved</p><p>C. Whether the project has been delivered within the approved budget</p><p>D. Whether lessons teamed have been documented</p><p>Answer: B</p><p>Explanation:</p><p>The most important thing to determine when conducting a post-implementation review is</p><p>whether success criteria have been achieved. 
A post-implementation review is a process of</p><p>evaluating the results and outcomes of a project or initiative after it has been completed and</p><p>implemented.</p><p>The success criteria are the measurable indicators that define what constitutes a</p><p>successful project or initiative in terms of its objectives, benefits, quality, performance, and</p><p>stakeholder satisfaction. The IS auditor should verify whether the success criteria have been</p><p>achieved by comparing the actual results and outcomes with the expected or planned ones, and</p><p>by assessing whether they meet or exceed the expectations and requirements of the</p><p>stakeholders. The IS auditor should also identify any gaps, issues, or risks that may affect the</p><p>sustainability or scalability of the project or initiative, and provide recommendations for</p><p>improvement or remediation. The other options are not as important as determining whether</p><p>success criteria have been achieved when conducting a post-implementation review, because</p><p>they either focus on specific aspects or components of the project or initiative rather than the</p><p>overall value proposition, or they are part of the pre-implementation or implementation phases</p><p>rather than the post-implementation phase.</p><p>References: CISA Review Manual (Digital Version)1, Chapter 4, Section 4.2.3</p><p>121. An IS auditor who was instrumental in designing an application is called upon to review the</p><p>application.</p><p>The auditor should:</p><p>69 / 110</p><p>A. refuse the assignment to avoid conflict of interest.</p><p>B. use the knowledge of the application to carry out the audit.</p><p>C. inform audit management of the earlier involvement.</p><p>D. modify the scope of the audit.</p><p>Answer: C</p><p>Explanation:</p><p>The IS auditor should inform audit management of the earlier involvement in designing the</p><p>application. 
This is to ensure that there is no conflict of interest or bias that may affect the</p><p>objectivity or independence of the audit. Audit management can then decide whether to assign</p><p>a different auditor or to proceed with the same auditor with appropriate safeguards. The other</p><p>options are not appropriate for the IS auditor to do in this situation. Refusing the assignment to</p><p>avoid conflict of interest is an extreme measure that may not be necessary or feasible,</p><p>especially if there are no other qualified auditors available. Using the knowledge of the</p><p>application to carry out the audit is risky, as it may lead to overlooking or ignoring potential</p><p>issues or errors in the application. Modifying the scope of the audit is not advisable, as it may</p><p>compromise the quality or completeness of the audit.</p><p>References: CISA Review Manual (Digital Version), Chapter 2, Section 2.1</p><p>122. Which of the following is the MAIN purpose of an information security management</p><p>system?</p><p>A. To identify and eliminate the root causes of information security incidents</p><p>B. To enhance the impact of reports used to monitor information security incidents</p><p>C. To keep information security policies and procedures up-to-date</p><p>D. To reduce the frequency and impact of information security incidents</p><p>Answer: D</p><p>Explanation:</p><p>: The main purpose of an information security management system (ISMS) is to reduce the</p><p>frequency and impact of information security incidents. An ISMS is a systematic approach to</p><p>managing information security risks, policies, procedures, and controls within an organization.</p><p>An ISMS aims to ensure the confidentiality, integrity, and availability of information assets, as</p><p>well as to comply with relevant laws and regulations. 
The other options are not the main</p><p>purpose of an ISMS, but rather some of its possible benefits or components.</p><p>References:</p><p>CISA Review Manual (Digital Version), Chapter 7, Section 7.11</p><p>CISA Review Questions, Answers & Explanations Database, Question ID 205</p><p>70 / 110</p><p>123. Due to limited storage capacity, an organization has decided to reduce the actual retention</p><p>period for media containing completed low-value transactions.</p><p>Which of the following is MOST important for the organization to ensure?</p><p>A. The policy includes a strong risk-based approach.</p><p>B. The retention period allows for review during the year-end audit.</p><p>C. The retention period complies with data owner responsibilities.</p><p>D. The total transaction amount has no impact on financial reporting</p><p>Answer: C</p><p>Explanation:</p><p>The most important factor for the organization to ensure when reducing the retention period for</p><p>media containing completed low-value transactions is that the retention period complies with</p><p>data owner responsibilities. Data owners are accountable for defining the retention and disposal</p><p>requirements for the data under their custody, based on business, legal, regulatory, and</p><p>contractual obligations. The policy should reflect the data owner’s decisions and obtain their</p><p>approval. The policy should also include a risk-based approach, but this is not as important as</p><p>complying with data owner responsibilities. The retention period should allow for review during</p><p>the year-end audit, but this may not be necessary for low-value transactions that have minimal</p><p>impact on financial reporting. 
The total transaction amount may have some impact on financial</p><p>reporting, but this is not a direct consequence of reducing the retention period.</p><p>References:</p><p>CISA Review Manual, 27th Edition, pages 414-4151</p><p>CISA Review Questions, Answers & Explanations Database, Question ID: 255</p><p>124. Which of the following findings related to segregation of duties should be of GREATEST</p><p>concern to an IS auditor?</p><p>A. The person who tests source code also approves changes.</p><p>B. The person who administers servers is also part of the infrastructure management team.</p><p>C. The person who creates new user accounts also modifies user access levels.</p><p>D. The person who edits source code also has write access to production.</p><p>Answer: D</p><p>125. Which of the following attack techniques will succeed because of an inherent security</p><p>weakness in an Internet firewall?</p><p>A. Phishing</p><p>B. Using a dictionary attack of encrypted passwords</p><p>C. Intercepting packets and viewing passwords</p><p>71 / 110</p><p>D. Flooding the site with an excessive number of packets</p><p>Answer: D</p><p>Explanation:</p><p>Flooding the site with an excessive number of packets is an attack technique that will succeed</p><p>because of an inherent security weakness in an Internet firewall. This type of attack is also</p><p>known as a denial-of-service (DoS) attack or a distributed denial-of-service (DDoS) attack if it</p><p>involves multiple sources. The aim of this attack is to overwhelm the network bandwidth or the</p><p>processing capacity of the firewall or the target system, rendering it unable to respond to</p><p>legitimate requests or perform its normal functions. An Internet firewall is a device or software</p><p>that monitors and controls incoming and outgoing network traffic based on predefined rules. 
A</p><p>firewall can block or allow traffic based on various criteria, such as source address, destination</p><p>address, port number, protocol type, application type, etc. However, a firewall cannot prevent</p><p>traffic from reaching its interface or distinguish between legitimate and malicious traffic based on</p><p>its content or behavior. Therefore, a firewall is vulnerable to flooding attacks that exploit its</p><p>limited resources. Phishing is an attack technique that involves sending fraudulent emails or</p><p>messages that appear to come from legitimate sources, such as banks, government agencies,</p><p>online services, etc., in order to trick recipients into revealing their personal or financial</p><p>information, such as passwords, credit card numbers, bank account details, etc., or into clicking</p><p>on malicious links or attachments that can infect their systems with malware or ransomware.</p><p>Phishing does not exploit an inherent security weakness in an Internet firewall, but rather</p><p>exploits human psychology and social engineering techniques. A firewall cannot prevent</p><p>phishing emails or messages from reaching their intended targets, unless they contain some</p><p>identifiable features that can be filtered out by the firewall rules. However, a firewall cannot</p><p>detect or prevent users from responding</p><p>to phishing emails or messages or from opening</p><p>malicious links or attachments. Using a dictionary attack of encrypted passwords is an attack</p><p>technique that involves trying to guess or crack passwords by using a list of common or likely</p><p>passwords or by using a brute-force method that tries all possible combinations of characters.</p><p>This type of attack does not exploit an inherent security weakness in an Internet firewall, but</p><p>rather exploits weak or poorly chosen passwords or weak encryption algorithms. 
A firewall</p><p>cannot prevent a dictionary attack of encrypted passwords, unless it has some mechanisms to</p><p>detect and block repeated or suspicious login attempts or to enforce strong password policies.</p><p>However, a firewall cannot protect passwords from being stolen or intercepted by other means,</p><p>such as phishing, malware, keylogging, etc. Intercepting packets and viewing passwords is an</p><p>attack technique that involves capturing and analyzing network traffic that contains sensitive</p><p>information, such as passwords, credit card numbers, bank account details, etc., in order to use</p><p>them for malicious purposes. This type of attack does not exploit an inherent security weakness</p><p>72 / 110</p><p>in an Internet firewall, but rather exploits insecure or unencrypted network communication</p><p>protocols or channels. A firewall cannot prevent packets from being intercepted and viewed by</p><p>unauthorized parties, unless it has some mechanisms to encrypt or obfuscate the network traffic</p><p>or to authenticate the source and destination of the traffic. However, a firewall cannot protect</p><p>packets from being modified or tampered with by other means, such as man-in-the-middle</p><p>attacks, replay attacks, etc.</p><p>References: ISACA CISA Review Manual 27th Edition, page 300</p><p>126. Management is concerned about sensitive information being intentionally or unintentionally</p><p>emailed as attachments outside the organization by employees.</p><p>What is the MOST important task before implementing any associated email controls?</p><p>A. Provide notification to employees about possible email monitoring.</p><p>B. Develop an information classification scheme.</p><p>C. Require all employees to sign nondisclosure agreements (NDAs).</p><p>D. Develop an acceptable use policy for end-user computing (EUC).</p><p>Answer: B</p><p>127. 
When an IS audit reveals that a firewall was unable to recognize a number of attack</p><p>attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS)</p><p>between the firewall and:</p><p>A. the organization's web server.</p><p>B. the demilitarized zone (DMZ).</p><p>C. the organization's network.</p><p>D. the Internet</p><p>Answer: D</p><p>Explanation:</p><p>The best recommendation is to place an intrusion detection system (IDS) between the firewall</p><p>and the Internet. An IDS is a device or software that monitors network traffic for malicious</p><p>activity and alerts the network administrator or takes preventive action. By placing an IDS</p><p>between the firewall and the Internet, the IS auditor can enhance the security of the network</p><p>perimeter and detect any attack attempts that the firewall was unable to recognize.</p><p>The other options are not as effective as placing an IDS between the firewall and the Internet:</p><p>Placing an IDS between the firewall and the organization’s web server would not protect the</p><p>web server from external attacks that bypass the firewall. The web server should be placed in a</p><p>demilitarized zone (DMZ), which is a separate network segment that isolates public-facing</p><p>servers from the internal network.</p><p>73 / 110</p><p>Placing an IDS between the firewall and the demilitarized zone (DMZ) would not protect the</p><p>DMZ from external attacks that bypass the firewall. The DMZ should be protected by two</p><p>firewalls, one facing the Internet and one facing the internal network, with an IDS monitoring</p><p>both sides of each firewall.</p><p>Placing an IDS between the firewall and the organization’s network would not protect the</p><p>organization’s network from external attacks that bypass the firewall. 
The organization’s</p><p>network should be protected by a firewall that blocks unauthorized traffic from entering or</p><p>leaving the network, with an IDS monitoring both sides of the firewall.</p><p>128. Which of the following should be used as the PRIMARY basis for prioritizing IT projects</p><p>and initiatives?</p><p>A. Estimated cost and time</p><p>B. Level of risk reduction</p><p>C. Expected business value</p><p>D. Available resources</p><p>Answer: C</p><p>129. An IS auditor is reviewing a client's outsourced payroll system to assess whether the</p><p>financial audit team can rely on the application.</p><p>Which of the following findings would be the auditor's GREATEST concern?</p><p>A. User access rights have not been periodically reviewed by the client.</p><p>B. Payroll processing costs have not been included in the IT budget.</p><p>C. The third-party contract has not been reviewed by the legal department.</p><p>D. The third-party contract does not comply with the vendor management policy.</p><p>Answer: C</p><p>Explanation:</p><p>The third-party contract has not been reviewed by the legal department is the auditor’s greatest</p><p>concern because it poses a significant legal and financial risk to the client. A third-party contract</p><p>is a legally binding agreement between the client and the outsourced payroll provider that</p><p>defines the scope, terms, and conditions of the service. 
A third-party contract should be</p><p>reviewed by the legal department to ensure that it complies with the applicable laws and</p><p>regulations, protects the client’s interests and rights, and specifies the roles and responsibilities</p><p>of both parties.</p><p>A third-party contract that has not been reviewed by the legal department may contain clauses</p><p>that are unfavorable, ambiguous, or contradictory to the client, such as:</p><p>Inadequate or unclear service level agreements (SLAs) that do not specify the quality,</p><p>74 / 110</p><p>timeliness, and accuracy of the payroll service.</p><p>Insufficient or vague security and confidentiality provisions that do not safeguard the client’s</p><p>data and information from unauthorized access, use, disclosure, or loss.</p><p>Unreasonable or excessive fees, penalties, or liabilities that may impose an undue financial</p><p>burden on the client.</p><p>Limited or no audit rights that may prevent the client from verifying the effectiveness and</p><p>compliance of the payroll provider’s internal controls.</p><p>Inflexible or restrictive termination clauses that may limit the client’s ability to cancel or switch to</p><p>another payroll provider.</p><p>A third-party contract that has not been reviewed by the legal department may expose the client</p><p>to various risks, such as:</p><p>Legal disputes or litigation with the payroll provider over contractual breaches or performance</p><p>issues.</p><p>Regulatory fines or sanctions for noncompliance with tax, labor, or other laws and regulations</p><p>related to payroll.</p><p>Financial losses or damages due to errors, fraud, or negligence by the payroll provider.</p><p>Reputation damage or customer dissatisfaction due to payroll errors or delays.</p><p>Therefore, an IS auditor should be highly concerned about a third-party contract that has not</p><p>been reviewed by the legal department and recommend that the client seek legal advice before</p><p>signing or renewing 
any contract with an outsourced payroll provider.</p><p>User access rights have not been periodically reviewed by the client is a moderate concern</p><p>because it may indicate a lack of proper access control over the payroll system. User access</p><p>rights are the permissions granted to users to access, view, modify, or delete data and</p><p>information in the payroll system. User access rights should be periodically reviewed by the</p><p>client to ensure that they are aligned with the user’s roles and responsibilities, and that they are</p><p>revoked or modified when a user changes roles or leaves the organization. User access rights</p><p>that are not periodically reviewed by the client may result in unauthorized or inappropriate</p><p>access to payroll data and information, which may compromise its confidentiality, integrity, and</p><p>availability.</p><p>Payroll processing costs have not been included in the IT budget is a minor concern because it</p><p>may indicate a lack of proper planning and allocation of IT resources for payroll processing.</p><p>Payroll processing costs are the expenses incurred by the client for using an outsourced payroll</p><p>service, such as fees, charges, taxes, or penalties. Payroll processing costs should be included</p><p>in the IT budget to ensure that they are adequately estimated, monitored, and controlled. Payroll</p><p>processing costs that are not included in the IT budget may result in unexpected or excessive</p><p>costs for payroll processing, which may affect the client’s profitability and cash flow.</p><p>75 / 110</p><p>The third-party contract does not comply with the vendor management policy is a low concern</p><p>because it may indicate a lack of alignment between the client’s vendor management policy</p><p>and its actual vendor selection and evaluation process. 
A vendor management policy is a set of</p><p>guidelines and procedures that governs how the client manages its relationship with its vendors,</p><p>such as how to select, monitor, evaluate, and terminate vendors. A vendor management policy</p><p>should be consistent with the client’s business objectives, risk appetite, and regulatory</p><p>requirements. A third-party contract that does not comply with the vendor management policy</p><p>may result in suboptimal vendor performance or service quality, but it does not necessarily imply</p><p>a breach of contract or a violation of law.</p><p>130. Demonstrated support from which of the following roles in an organization has the MOST</p><p>influence over information security governance?</p><p>A. Chief information security officer (CISO)</p><p>B. Information security steering committee</p><p>C. Board of directors</p><p>D. Chief information officer (CIO)</p><p>Answer: C</p><p>Explanation:</p><p>Information security governance is the subset of enterprise governance that provides strategic</p><p>direction, ensures that objectives are achieved, manages risk appropriately, uses organizational</p><p>resources responsibly, and monitors the success or failure of the enterprise security program.</p><p>Information security governance is essential for ensuring that an organization’s information</p><p>assets are protected from internal and external threats, and that the organization complies with</p><p>relevant laws and standards.</p><p>Demonstrated support from which of the following roles in an organization has the most</p><p>influence over information security governance? The answer is C, the board of directors. 
The</p><p>board of directors is the highest governing body of an organization, responsible for overseeing</p><p>its strategic direction, performance, and accountability.</p><p>The board of directors sets the tone at the top for information security governance by:</p><p>Establishing a clear vision, mission, and values for information security</p><p>Approving and reviewing information security policies and standards</p><p>Allocating sufficient resources and budget for information security</p><p>Appointing and empowering a chief information security officer (CISO) or equivalent role</p><p>Holding management accountable for information security performance and compliance</p><p>Communicating and promoting information security awareness and culture</p><p>The board of directors has the most influence over information security governance because it</p><p>76 / 110</p><p>has the ultimate authority and responsibility for ensuring that information security is aligned with</p><p>the organization’s business objectives, risks, and stakeholder expectations.</p><p>References:</p><p>10: What is Information Security Governance? ? RiskOptics - Reciprocity</p><p>11: Information Security Governance and Risk Management | Moss Adams</p><p>12: ISO/IEC 27014:2020 - Information security, cybersecurity and privacy …</p><p>131. An IT governance body wants to determine whether IT service delivery is based on</p><p>consistently effective processes.</p><p>Which of the following is the BEST approach?</p><p>A. implement a control self-assessment (CSA)</p><p>B. Conduct a gap analysis</p><p>C. Develop a maturity model</p><p>D. Evaluate key performance indicators (KPIs)</p><p>Answer: D</p><p>Explanation:</p><p>The best approach to determine whether IT service delivery is based on consistently effective</p><p>processes is to evaluate key performance indicators (KPIs). KPIs are measurable values that</p><p>demonstrate how effectively an organization is achieving its key objectives. 
KPIs can help the IT governance body to monitor and assess the performance, quality, and efficiency of the IT service delivery processes. KPIs can also help to identify areas for improvement and to benchmark against best practices or industry standards.
References:
CISA Review Manual (Digital Version), Chapter 1, Section 1.3.21
CISA Online Review Course, Domain 5, Module 2, Lesson 22

132. An IS auditor is reviewing the perimeter security design of a network.
Which of the following provides the GREATEST assurance that outgoing Internet traffic is controlled?
A. Intrusion detection system (IDS)
B. Security information and event management (SIEM) system
C. Stateful firewall
D. Load balancer
Answer: C
Explanation:
A stateful firewall provides the greatest assurance that outgoing Internet traffic is controlled, as it monitors and filters packets based on their source, destination, and connection state. A stateful firewall can prevent unauthorized or malicious traffic from leaving the network, as well as block incoming traffic that does not match an established connection. An intrusion detection system (IDS) can detect and alert on suspicious or anomalous traffic, but it does not block or control it. A security information and event management (SIEM) system can collect and analyze logs and events from various sources, but it does not directly control traffic. A load balancer can distribute traffic among multiple servers, but it does not filter or monitor it.
References: CISA Review Manual (Digital Version), Chapter 6, Section 6.2

133. Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?
A. Encrypt the extensible markup language (XML) file.
B. Implement Transport Layer Security (TLS).
C. Mask the API endpoints.
D. Implement Simple Object Access Protocol (SOAP).
Answer: B

134. Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?
A. Have an independent party review the source calculations
B. Execute copies of EUC programs out of a secure library
C. Implement complex password controls
D. Verify EUC results through manual calculations
Answer: B
Explanation:
The best way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC) is to execute copies of EUC programs out of a secure library. This ensures that the original EUC programs are protected from unauthorized changes and that the copies are run in a controlled environment. A secure library is a repository of EUC programs that have been tested, validated, and approved by the appropriate authority. Executing copies of EUC programs out of a secure library can also help with version control, backup, and recovery of EUC programs. Having an independent party review the source calculations, implementing complex password controls, and verifying EUC results through manual calculations are not as effective as executing copies of EUC programs out of a secure library, as they do not prevent or detect unintentional modifications of complex calculations in EUC.
References: End-User Computing (EUC) Risks: A Comprehensive Guide; End User Computing (EUC) Risk Management

135. Which of the following tests is MOST likely to detect an error in one subroutine resulting from a recent change in another subroutine?
A. User acceptance testing (UAT)
B. Black-box testing
C. Regression testing
D. Stress testing
Answer: C

136. An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities.
Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
A. Increasing the frequency of risk-based IS audits for each business entity
B. Developing a risk-based plan considering each entity's business processes
C. Conducting an audit of newly introduced IT policies and procedures
D. Revising IS audit plans to focus on IT changes introduced after the split
Answer: B
Explanation:
Developing a risk-based plan considering each entity’s business processes would best help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan. A risk-based plan prioritizes the audit activities based on the level of risk associated with each area or process. A risk-based plan can help to allocate the audit resources more efficiently and effectively, and provide more assurance and value to the stakeholders1.
By considering each entity’s business processes, the IS audit can identify and assess the specific risks and controls that affect the IT environment of each entity, and tailor the audit objectives, scope, and procedures accordingly. This can help to address the unique needs and expectations of each entity, and ensure that the IS audit covers the key risk areas that are relevant and significant to each entity’s operations, performance, and compliance2.
The other options are not as effective as developing a risk-based plan considering each entity’s business processes in ensuring that IS audit still covers key risk areas within the IT environment as part of its annual plan.
Option A, increasing the frequency of risk-based IS audits for each business entity, is not a feasible or efficient solution, as it may increase the audit costs and workload, and create duplication or overlap of audit efforts. Option C, conducting an audit of newly introduced IT policies and procedures, is a limited and narrow approach, as it may not cover all the aspects or dimensions of the IT environment that may have changed or been affected by the split.
Option D, revising IS audit plans to focus on IT changes introduced after the split, is a reactive and short-term approach, as it may not reflect the current or future state of the IT environment or the business objectives of each entity.
References:
ISACA, CISA Review Manual, 27th Edition, 2019
ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
Risk-Based Audit Planning: A Guide for Internal Audit1
Risk-Based Audit Approach: Definition & Example

137. Which of the following is a PRIMARY responsibility of an IT steering committee?
A. Prioritizing IT projects in accordance with business requirements
B. Reviewing periodic IT risk assessments
C. Validating and monitoring the skill sets of IT department staff
D. Establishing IT budgets for the business
Answer: A
Explanation:
A primary responsibility of an IT steering committee is prioritizing IT projects in accordance with business requirements, as this ensures that IT resources are allocated to support the strategic objectives and needs of the organization. Reviewing periodic IT risk assessments, validating and monitoring the skill sets of IT department staff, and establishing IT budgets for the business are important activities, but they are not the primary responsibility of an IT steering committee. They may be delegated to other IT governance bodies or functions within the organization.
References: CISA Review Manual (Digital Version), Chapter 1: Information Systems Auditing Process, Section 1.2: IT Governance

138. Which of the following is MOST likely to be a project deliverable of an agile software development methodology?
A. Strictly managed software requirements baselines
B. Extensive project documentation
C. Automated software programming routines
D. Rapidly created working prototypes
Answer: D
Explanation:
A project deliverable is a tangible or intangible product or service that is produced as a result of a project and delivered to the customer or stakeholder. A project deliverable can be either an intermediate deliverable that is part of the project process or a final deliverable that is the outcome of the project.
An agile software development methodology is a project management approach that involves breaking the project into phases and emphasizes continuous collaboration and improvement. Teams follow a cycle of planning, executing, and evaluating.
Agile software development methodologies value working software over comprehensive documentation and responding to change over following a plan.
Rapidly created working prototypes are most likely to be a project deliverable of an agile software development methodology because they:
- Provide early and frequent feedback from customers and stakeholders on the functionality and usability of the software product
- Allow for rapid validation and verification of the software requirements and design
- Enable continuous improvement and adaptation of the software product based on changing customer needs and expectations
- Reduce the risk of delivering a software product that does not meet customer needs or expectations
- Increase customer satisfaction and trust by delivering working software products frequently and consistently
Some examples of agile software development methodologies that use rapidly created working prototypes as project deliverables are:
- Scrum, a framework that organizes the work into fixed-length sprints (usually 2-4 weeks) and delivers potentially shippable increments of the software product at the end of each sprint1
- Extreme Programming (XP), a methodology that focuses on delivering high-quality software products through practices such as test-driven development, pair programming, continuous integration, and frequent releases2
- Rapid Application Development (RAD), a methodology that emphasizes rapid prototyping and user involvement throughout the software development process3
The other options are not likely to be project deliverables of an agile software development methodology.
Strictly managed software requirements baselines are not likely to be project deliverables of an agile software development methodology. A software requirements baseline is a set of agreed-upon and approved software requirements that serve as the basis for the software design, development, testing, and delivery. A strictly managed software requirements baseline is one that is controlled and changed only through a formal change management process. Strictly managed software requirements baselines are more suitable for traditional or waterfall software development methodologies, which follow a linear and sequential process of defining, designing, developing, testing, and delivering software products. They are not compatible with agile software development methodologies, which embrace change and flexibility in the software requirements based on customer feedback and evolving needs.
Extensive project documentation is not likely to be a project deliverable of an agile software development methodology. Project documentation is any written or electronic information that describes or records the activities, processes, results, or decisions of a project. Extensive project documentation covers every aspect of the project in detail and requires significant time and effort to produce and maintain. It is more suitable for traditional or waterfall software development methodologies, which rely on comprehensive documentation to communicate and document the project scope, requirements, design, testing, and delivery. Extensive project documentation is not compatible with agile software development methodologies, which value working software over comprehensive documentation and use minimal documentation to support the communication and collaboration among the project team members.
Automated software programming routines are not likely to be project deliverables of an agile software development methodology. Automated software programming routines are programs or scripts that perform repetitive or complex tasks in the software development process without human intervention. They can improve the efficiency, quality, and consistency of the software development process by reducing human errors, saving time, and enforcing standards. Automated software programming routines can be used in any software development methodology, but they are not specific to agile software development methodologies. They are not considered project deliverables because they are not part of the final product that is delivered to the customer.

139. Capacity management enables organizations to:
A. forecast technology trends.
B. establish the capacity of network communication links.
C. identify the extent to which components need to be upgraded.
D. determine business transaction volumes.
Answer: C
Explanation:
Capacity management is a process that ensures that the IT resources of an organization are sufficient to meet the current and future demands of the business.
Capacity management enables organizations to identify the extent to which components need to be upgraded, by monitoring and analyzing the performance, utilization, and availability of IT components such as servers, networks, storage, and applications, and by identifying any bottlenecks, gaps, or risks that may affect the service level agreements (SLAs) or quality of service (QoS). Capacity management also helps organizations to plan and optimize the use of IT resources, by forecasting the future demand and growth of the business and aligning the IT capacity with the business needs and objectives. Forecasting technology trends is a possible outcome of capacity management, but it is not its main purpose. Establishing the capacity of network communication links is a part of capacity management, but it is not its main goal. Determining business transaction volumes is an input for capacity management, but it is not its main objective.

140. An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users' computers.
Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
A. An imaging process was used to obtain a copy of the data from each computer.
B. The legal department has not been engaged.
C. The chain of custody has not been documented.
D. Audit was only involved during extraction of the information.
Answer: C
Explanation:
The chain of custody not having been documented is the finding that should be of greatest concern for an IS auditor reviewing the forensic analysis process of an organization that has suffered a cyber-attack. The chain of custody is a record of who handled, accessed, or modified the evidence during a forensic investigation. Documenting the chain of custody is essential to preserve the integrity, authenticity, and admissibility of the evidence in a court of law. The other options are less concerning findings that may not affect the validity or reliability of the forensic analysis process.
References:
CISA Review Manual (Digital Version), Chapter 7, Section 7.51
CISA Review Questions, Answers & Explanations Database, Question ID 220

141. Which of the following is the BEST reason to implement a data retention policy?
A. To establish a recovery point objective (RPO) for disaster recovery procedures
B. To limit the liability associated with storing and protecting information
C. To document business objectives for processing data within the organization
D. To assign responsibility and ownership for data protection outside IT
Answer: B
Explanation:
The best reason to implement a data retention policy is to limit the liability associated with storing and protecting information.
A data retention policy is a business’ established protocol for maintaining information, typically defining what data needs to be retained, the format in which it should be kept, how long it should be stored, whether it should eventually be archived or deleted, who has the authority to dispose of it, and what procedure to follow in the event of a policy violation1.
A data retention policy can help an organization to:
- Comply with legal and regulatory requirements that mandate the retention and disposal of certain types of data, such as financial records, health records, or personal data
- Reduce the risk of data breaches, theft, loss, or corruption by minimizing the amount of data stored and ensuring proper security measures are in place
- Save costs and resources by optimizing the use of storage space and reducing the need for backup and recovery operations
- Enhance operational efficiency and performance by eliminating unnecessary or outdated data and improving data quality and accessibility
- Support business continuity and disaster recovery plans by ensuring critical data is available and recoverable in case of an emergency
- Facilitate audit trails and investigations by providing evidence of data authenticity, integrity, and provenance
Therefore, by implementing a data retention policy, an organization can limit its liability associated with storing and protecting information, as well as improve its data governance and management practices.
References:
Data Retention Policy 101: Best Practices, Examples & More

142. Which of the following is the MOST important outcome of an information security program?
A. Operating system weaknesses are more easily identified.
B. Emerging security technologies are better understood and accepted.
C. The cost to mitigate information security risk is reduced.
D. Organizational awareness of security responsibilities is improved.
Answer: D
Explanation:
The most important outcome of an information security program is to improve the organizational awareness of security responsibilities, as this fosters a culture of security and ensures that all stakeholders are aware of their roles and obligations in protecting the information assets of the organization. An information security program should also aim to achieve other outcomes, such as identifying operating system weaknesses, understanding and accepting emerging security technologies, and reducing the cost to mitigate information security risk, but these are not as important as improving the awareness of security responsibilities, which is the foundation of any effective information security program.
References: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 2402 Planning, “The IS audit and assurance professional should identify and assess risk relevant to the area under review.” 1 One of the risk factors to consider is “the level of awareness of management and staff regarding IT risk management” 1.
According to the ISACA IT Audit and Assurance Guideline G13 Information Security Management, “The objective of an information security management audit/assurance review is to provide management with an independent assessment relating to the effectiveness of information security management within the enterprise.” The guideline also states that “the audit/assurance professional should evaluate whether there is an appropriate level of awareness throughout the enterprise regarding information security policies, standards, procedures and guidelines.” According to a web search result from Microsoft Security, “Information security programs need to: … Support the execution of decisions.” 2 One of the ways to support the execution of decisions is to ensure that everyone in the organization understands their security responsibilities and follows the security policies and procedures.

143. Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground.
Which approach has been adopted?
A. Risk avoidance
B. Risk transfer
C. Risk acceptance
D. Risk reduction
Answer: A
Explanation:
The approach adopted by management in this scenario is risk avoidance. Risk avoidance is the elimination of a risk by discontinuing or not undertaking an activity that poses a threat to the organization3. By moving data center operations to another facility on higher ground, management is avoiding the potential flooding risk that could disrupt or damage the data center. Risk transfer, risk acceptance, and risk reduction are other possible approaches for dealing with risks, but they do not apply in this case.
References:
CISA Review Manual, 27th Edition, page 641
CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

144. An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit.
What should the auditor consider the MOST significant concern?
A. Attack vectors are evolving for industrial control systems.
B. There is a greater risk of system exploitation.
C. Disaster recovery plans (DRPs) are not in place.
D. Technical specifications are not documented.
Answer: B
Explanation:
The most significant concern for an IS auditor when reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit is that there is a greater risk of system exploitation. System exploitation is an attack that occurs when an unauthorized entity or individual takes advantage of a vulnerability or weakness in a system to compromise its security or functionality. System exploitation can cause harm or damage to the system or its users, such as data loss, corruption, theft, manipulation, or denial of service (DoS). An ICS that uses older unsupported technology poses a high risk of system exploitation, as older technology may have known or unknown vulnerabilities or defects that have not been patched or fixed by the vendor or manufacturer, and unsupported technology may not receive any updates or support from the vendor or manufacturer in case of issues or incidents.
Evolving attack vectors for industrial control systems are a possible concern for an IS auditor when reviewing an ICS that uses older unsupported technology in the scope of an upcoming audit, but not the most significant one. Attack vectors are methods or pathways that attackers use to gain access to or attack a system. Attack vectors are evolving for industrial control systems, as attackers are developing new techniques or tools to target ICSs that are increasingly connected and complex. However, this concern may not be specific to older unsupported technology, as it may affect any ICS regardless of its technology level.
Disaster recovery plans (DRPs) not being in place is a possible concern for an IS auditor when reviewing an ICS that uses older unsupported technology in the scope of an upcoming audit, but not the most significant one. DRPs are documents that outline the technical and operational steps for restoring the IT systems and infrastructure that support critical functions or processes in the event of a disruption or disaster. Missing DRPs may affect the availability and continuity of the ICS and its functions or processes in case of a failure or incident. However, this concern may not be related to older unsupported technology, as it may apply to any ICS regardless of its technology level.
Technical specifications not being documented is a possible concern for an IS auditor when reviewing an ICS that uses older unsupported technology in the scope of an upcoming audit, but not the most significant one. Technical specifications are documents that describe the technical characteristics or requirements of a system or component, such as functionality, performance, and design. Missing technical specifications may affect the understanding, maintenance, and improvement of the ICS and its components. However, this concern may not be associated with older unsupported technology, as it may affect any ICS regardless of its technology level.

145. Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA) to automate routine business tasks?
A. The end-to-end process is understood and documented.
B. Roles and responsibilities are defined for the business processes in scope.
C. A benchmarking exercise of industry peers who use RPA has been completed.
D. A request for proposal (RFP) has been issued to qualified vendors.
Answer: A
Explanation:
The most important thing for an IS auditor to confirm when reviewing an organization’s plans to implement robotic process automation (RPA) to automate routine business tasks is that the end-to-end process is understood and documented. This is because RPA involves the use of software robots or digital workers to mimic human actions and execute predefined rules and workflows. Therefore, it is essential that the IS auditor verifies that the organization has a clear and accurate understanding of the current state of the process, the desired state of the process, the inputs and outputs, the exceptions and errors, the roles and responsibilities, and the performance measures12.
Without proper documentation of the end-to-end process, the organization may face challenges in designing, developing, testing, deploying, and monitoring the RPA solution3.
References:
1: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations and Business Resilience, Section 4.2: IT Service Delivery and Support, page 211
2: CISA Online Review Course, Module 4: Information Systems Operations and Business Resilience, Lesson 4.2: IT Service Delivery and Support
3: ISACA Journal Volume 5, 2019, Article: Robotic Process Automation: Benefits, Risks and Controls

146. The PRIMARY objective of value delivery in reference to IT governance is to:
A. promote best practices.
B. increase efficiency.
C. optimize investments.
D. ensure compliance.
Answer: C
Explanation:
The primary objective of value delivery in reference to IT governance is to optimize investments. Value delivery is one of the five focus areas of IT governance that aims to ensure that IT delivers expected benefits to stakeholders and enables business value creation. Value delivery involves aligning IT investments with business objectives and strategies, managing IT performance and benefits realization, optimizing IT costs and risks, and enhancing IT innovation and agility. Value delivery helps to maximize the return on investment (ROI) and value for money (VFM) of IT resources and capabilities.
References:
CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database

147. Management has learned the implementation of a new IT system will not be completed on time and has requested an audit.
Which of the following audit findings should be of GREATEST concern?
A. The actual start times of some activities were later than originally scheduled.
B. Tasks defined on the critical path do not have resources allocated.
C. The project manager lacks formal certification.
D. Milestones have not been defined for all project products.
Answer: B
Explanation:
The audit finding that should be of greatest concern is that tasks defined on the critical path do not have resources allocated, as this means that the project is likely to face significant delays and cost overruns, since the critical path is the sequence of activities that determines the minimum time required to complete the project. The actual start times of some activities being later than originally scheduled may indicate some minor deviations from the project plan, but they do not necessarily affect the overall project completion time if the activities are not on the critical path. The project manager lacking formal certification may affect the quality and efficiency of the project management process, but it does not necessarily imply that the project manager is incompetent or unqualified. Milestones not having been defined for all project products is a planning gap, but even defined milestones may not be realistic or achievable if they do not take into account the resource constraints and dependencies of the critical path tasks.
References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.3: IT Project Management

148. A database administrator (DBA) should be prevented from:
A. having end user responsibilities.
B. accessing sensitive information.
C. having access to production files.
D. using an emergency user ID.
Answer: A
Explanation:
A database administrator (DBA) should be prevented from having end user responsibilities to avoid a conflict of interest and a violation of the principle of segregation of duties.
End user responsibilities may include initiating transactions, authorizing transactions, recording transactions, or reconciling transactions. A DBA who has end user responsibilities may compromise the integrity, confidentiality, and availability of the data and the database systems. Accessing sensitive information, having access to production files, and using an emergency user ID are not end user responsibilities, but rather potential risks or controls associated with the DBA role.
References:
Database Administrator (DBA) Definition
Segregation of Duties | ISACA
End User Definition

149. Which of the following would be an IS auditor's BEST recommendation to senior management when several IT initiatives are found to be misaligned with the organization's strategy?
A. Define key performance indicators (KPIs) for IT.
B. Modify IT initiatives that do not map to business strategies.
C. Reassess the return on investment (ROI) for the IT initiatives.
D. Reassess IT initiatives that do not map to business strategies.
Answer: D

150. During an audit of a multinational bank's disposal process, an IS auditor notes several findings.
Which of the following should be the auditor's GREATEST concern?
A. Backup media are not reviewed before disposal.
B. Degaussing is used instead of physical shredding.
C. Backup media are disposed of before the end of the retention period.
D. Hardware is not destroyed by a certified vendor.
Answer: C
Explanation:
During an audit of a multinational bank’s disposal process, an IS auditor should be most concerned about backup media being disposed of before the end of the retention period. This is because backup media contain sensitive and critical data that may be required for business continuity, legal compliance, or forensic purposes. Disposing of backup media prematurely may result in data loss, unavailability, or corruption, which may have severe consequences for the bank’s reputation, operations, and security. Backup media not being reviewed before disposal, degaussing being used instead of physical shredding, and hardware not being destroyed by a certified vendor are also findings that may pose some risks to the bank’s disposal process, but they are not as critical as backup media being disposed of before the end of the retention period.
References: ISACA CISA Review Manual 27th Edition, page 302.

151. Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?
A. Data privacy must be managed in accordance with the regulations applicable to the organization.
B. Data privacy must be monitored in accordance with industry standards and best practices.
C. No personal information may be transferred to the service provider without notifying the customer.
D. Customer data transferred to the service provider must be reported to the regulatory authority.
Answer: D

152. A web proxy server for corporate connections to external resources reduces organizational risk by:
A. anonymizing users through changed IP addresses.
B. providing multi-factor authentication for additional security.
C. providing faster response than direct access.
D. load balancing traffic to optimize data pathways.
Answer: A
Explanation:
A web proxy server for corporate connections to external resources reduces organizational risk by anonymizing users through changed IP addresses. A web proxy server is an intermediary between the web and client devices that can provide proxy services to a client or a group of clients1. One of the main benefits of using a web proxy server is that it allows users to change their IP address and location, circumventing geoblocking and hiding their identity from the target website2.
Anonymizing internal IP addresses is important for online security, as it helps protect the organization from several threats. If an attacker controls a server that employees connect to, the outgoing IP address of the organization’s router is logged on the server. This IP address can be used by the attacker to launch a denial-of-service (DoS) attack or to create more targeted attacks such as phishing2. With a web proxy server, the IP shown in web logs is the web proxy’s, which means an attacker would not have access to the organization’s router outgoing IP address2.
Anonymizing outgoing IP addresses is also important when carrying out sensitive actions online, such as law enforcement investigations or competitive intelligence. A web proxy server can help users avoid exposing their internal IP address that leads back to their organization, and instead use a third-party web proxy that provides more anonymity2.
The other options are not directly related to reducing organizational risk by using a web proxy server. Providing multi-factor authentication for additional security (option B) is a benefit of some web proxy servers, but it is not the main purpose of using a web proxy server3. Providing faster response than direct access (option C) is a benefit of some web proxy servers that cache content for better data transfer speeds and less bandwidth usage, but it is not directly related to reducing organizational risk1.
Load balancing across multiple servers (D) is an availability and performance feature, not a reduction of the organization's exposure.
References: Proxy servers and tunneling

154. Which of the following is the MOST important factor when an organization is developing information security policies and procedures?
A. Consultation with security staff
B. Inclusion of mission and objectives
C. Compliance with relevant regulations
D. Alignment with an information security framework
Answer: D
Explanation:
Information security policies and procedures are the foundation of an organization's information security program: they define the roles, responsibilities, rules and standards for protecting information assets from unauthorized access, use, disclosure, modification or destruction. Developing them in alignment with an information security framework (for example ISO/IEC 27001 or the NIST Cybersecurity Framework) provides a comprehensive, consistent and recognized structure for managing information security risk, and a framework-based policy set is also the vehicle through which compliance with relevant regulations, the organization's mission and objectives, and input from security staff are incorporated. Those factors are necessary inputs, but secondary to alignment with a framework.
References: CISA Certification | Certified Information Systems Auditor | ISACA, CISA Review Manual (Digital Version)

155. In an organization's feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?
A. Alternatives for financing the acquisition
B. Financial stability of potential vendors
C. Reputation of potential vendors
D. Cost-benefit analysis of available products
Answer: D
Explanation:
The core of a feasibility study is its economic analysis. A cost-benefit analysis of the available products compares the cost of each option with the benefits it is expected to deliver and establishes whether the acquisition is justified at all; without it, the organization may invest in hardware that does not provide the expected return or meet its needs. Financing alternatives and the stability and reputation of vendors are relevant to how and from whom to buy, but they presuppose that the purchase itself has been shown to be worthwhile.
References:
The Components of a Feasibility Study - ProjectEngineer

156. Which of the following concerns is BEST addressed by securing production source libraries?
A. Programs are not approved before production source libraries are updated.
B. Production source and object libraries may not be synchronized.
C. Changes are applied to the wrong version of production source libraries.
D. Unauthorized changes can be moved into production.
Answer: D
Explanation:
Production source libraries hold the source code of the programs that run in production. Securing them (restricting write access, routing every update through change management, and keeping an audit trail) means code cannot be altered and promoted into production without authorization, which is exactly the concern in option D. Program approval (A), source and object synchronization (B) and applying changes to the correct version (C) are addressed by other controls: approval procedures, compile and date-stamp comparisons, and version control, respectively.
References:
CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3.2
CISA Review Questions, Answers & Explanations Database, Question ID 213

157. When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?
A. Data backups
B. Decision support system
C. Operating system
D. Applications
Answer: C
Explanation:
The operating system must be restored first because everything else depends on it. Applications run on the operating system and cannot be installed or started without it, and data backups, although critical for recovery, depend on a working infrastructure: if the operating system is not operational, restoring data backups becomes challenging or impossible, so data restoration should follow the operating system restoration. The order is therefore operating system, then applications, then data. A decision support system is a business application that is restored with, or after, the other applications according to its recovery priority.

158. Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
A. Data ownership
B. Applicable laws and regulations
C. Business requirements and data flows
D. End-user access rights
Answer: B
Explanation:
The most important factor when assessing the scope of privacy concerns for an IT project is the applicable laws and regulations. They define the legal requirements for data privacy and protection that the project must meet, they vary by jurisdiction and by the type of data processed, and non-compliance can result in significant penalties. 
While data ownership, business requirements and data flows, and end-user access rights are also important considerations, they are typically determined by, and assessed against, these legal requirements.
References: ISACA's Information Systems Auditor Study Materials

159. When protecting the confidentiality of information assets, the MOST effective control practice is the:
A. Awareness training of personnel on regulatory requirements
B. Utilization of a dual-factor authentication mechanism
C. Configuration of read-only access to all users
D. Enforcement of a need-to-know access control philosophy
Answer: D

160. An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data.
Which of the following is the PRIMARY advantage of this approach?
A. Audit transparency
B. Data confidentiality
C. Professionalism
D. Audit efficiency
Answer: D
Explanation:
The primary advantage is audit efficiency: how well audit resources are used to achieve the audit objectives. Direct access lets the auditor obtain the data when it is needed, without depending on management's cooperation, availability or timeliness, and avoids the delays, transcription errors and potential filtering or bias that can occur when management prepares the data. It also improves the reliability of the evidence, but the primary benefit is efficiency.
References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4; CISA Online Review Course, Domain 1, Module 1, Lesson 4

161. Which audit approach is MOST helpful in optimizing the use of IS audit resources?
A. Agile auditing
B. Continuous auditing
C. Outsourced auditing
D. Risk-based auditing
Answer: D
Explanation:
Risk-based auditing directs audit effort to the areas and processes that pose the highest risk to the organization's objectives, so limited audit resources are spent where they add the most assurance and value, and it supports the organization's risk management processes and controls with assurance and advisory services. Agile auditing (a flexible, iterative methodology that adapts to changing circumstances and stakeholder needs), continuous auditing (real-time or near-real-time testing using automated tools) and outsourced auditing (contracting external auditors to perform some or all internal audit functions) are delivery methods with their own advantages and disadvantages; none of them by itself determines where audit resources are best applied.

162. Which of the following should be the PRIMARY objective of conducting an audit follow-up of management action plans?
A. To verify that risks listed in the audit report have been properly mitigated
B. To identify new risks and controls for the organization
C. To ensure senior management is aware of the audit findings
D. To align the management action plans with business requirements
Answer: A

163. Which of the following would a digital signature MOST likely prevent?
A. Repudiation
B. Unauthorized change
C. Corruption
D. Disclosure
Answer: A
Explanation:
A digital signature is computed over a hash of the message with the signer's private key and checked with the signer's public key. Because only the holder of the private key could have produced a signature that verifies under that public key, the signer cannot later deny having signed the message; this is non-repudiation, and it is what a digital signature prevents. The signature does not prevent unauthorized change or corruption: a modified or corrupted message simply fails verification, so these are detected after the fact rather than prevented. Nor does a signature prevent disclosure, since it provides no confidentiality; the signed message remains readable by anyone who obtains it, and encryption is required to protect it.
References
What is a digital signature?
Digital Signature - an overview | ScienceDirect Topics
ISACA CISA Review Manual, 27th Edition, page 253

164. During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST
A. perform a business impact analysis (BIA).
B. issue an intermediate report to management.
C. evaluate the impact on current disaster recovery capability.
D. conduct additional compliance testing.
Answer: C
Explanation:
The auditor's first step is to evaluate the impact on current disaster recovery capability. A BIA identifies and analyzes the potential effects of disruptions to critical business functions and processes and determines the recovery priorities, objectives and strategies for the organization. Without one, the disaster recovery plan may not be aligned with business needs and expectations, and may not provide adequate protection and recovery for the most critical assets and activities. 
Therefore, the auditor should assess how the lack of a BIA affects the current disaster recovery capability and identify the gaps or risks that need to be addressed.
Performing a BIA, issuing an intermediate report to management and conducting additional compliance testing may follow, but not first. Performing a BIA is the responsibility of business owners and management, not of the IS auditor. An intermediate report is premature until the auditor has evaluated the impact and gathered sufficient evidence. Additional compliance testing has little value without a clear understanding of the disaster recovery requirements and objectives against which to test.

165. Which of the following technologies has the SMALLEST maximum range for data transmission between devices?
A. Wi-Fi
B. Bluetooth
C. Long-term evolution (LTE)
D. Near-field communication (NFC)
Answer: D
Explanation:
Near-field communication (NFC) has the smallest range. NFC is a short-range wireless technology that lets two devices communicate when they are almost touching, typically within a few centimeters, and is used for contactless payments, smart cards and device pairing; its effective range is well under a meter. The other technologies reach much further: Wi-Fi up to roughly 100 meters indoors and 300 meters outdoors, Bluetooth up to about 800 feet (roughly 240 meters) under the Bluetooth 5.0 specification, and LTE several kilometers from a cell tower depending on the tower and the device.
References:
What is Wi-Fi? - Definition from WhatIs.com
Understanding Bluetooth Range | Bluetooth Technology Website
What is Bluetooth Range? What You Need to Know
How far can LTE signals travel? - Quora

166. Which of the following should be the FIRST step to successfully implement a corporate data classification program?
A. Approve a data classification policy.
B. Select a data loss prevention (DLP) product.
C. Confirm that adequate resources are available for the project.
D. Check for the required regulatory requirements.
Answer: A
Explanation:
The first step is to approve a data classification policy. The policy defines the objectives, scope, principles, roles, responsibilities and procedures for classifying data according to its sensitivity and value to the organization; it establishes a common understanding and a consistent approach across the organization, and it is the document into which regulatory and contractual requirements are written.
Selecting a DLP product (B) comes later. DLP enforces the classification by monitoring, detecting and blocking data flows that violate the policy, so it needs an approved policy that states the classification criteria and handling rules before it can be configured. Confirming that adequate resources are available (C) is a project management activity: estimating and securing the budget, staff, time and tools for the program depends on the scope and objectives that the approved policy defines. Checking the regulatory requirements (D) is an input to writing the policy rather than a step in its own right; the applicable laws, regulations, standards and contracts are identified and then incorporated into the policy, and knowing them without an approved policy implements nothing. 
Therefore, option A is the correct answer.
References:
Data Classification: What It Is and How to Implement It
Create a well-designed data classification framework
7 Steps to Effective Data Classification | CDW
Data Classification: The Basics and a 6-Step Checklist - NetApp
Private and confidential, February 2021 - Deloitte US

There are different methods and levels of testing a DRP, depending on the scope, complexity and objectives of the test.
Some of the common testing methods are:
Walkthrough testing: a step-by-step review of the DRP by the disaster recovery team and relevant stakeholders. It verifies the completeness and accuracy of the plan and clarifies any doubts or questions among the participants.
Simulation testing: a mock exercise of the DRP in a simulated disaster scenario. It assesses the readiness and effectiveness of the plan and identifies challenges or weaknesses that might arise during a real disaster.
Checklist testing: a verification of the availability and functionality of the resources and equipment required for the DRP. It confirms that backup systems, data and documentation are accessible and up to date.
Full interruption testing: the most realistic and rigorous method. The primary site is shut down and the backup site activated for a period of time, which measures the actual impact and performance of the DRP under real conditions.
Parallel testing: a less disruptive method in which the backup site runs in parallel with the primary site without affecting normal operations, so that the results and outputs of both sites can be compared and validated.
Among these methods, full interruption testing best demonstrates that an effective DRP is in place, because it provides the most accurate and comprehensive evaluation of the plan's capabilities and limitations. It can reveal hidden or unforeseen issues such as data loss, system failure, compatibility problems or human error, and it verifies that the backup site can support the organization's critical operations and services without compromising their quality or security. It is also costly, time-consuming, risky and disruptive, so it must be planned carefully and conducted periodically with proper coordination and communication among all parties involved. The other options are weaker evidence: frequent testing of backups is only one aspect of checklist testing and does not cover the other components or scenarios of the DRP; an annual walk-through is a theoretical review of the DRP that does not test its practical implementation or outcomes; and a periodic risk assessment is a preparatory step for developing or updating the DRP that does not test its functionality or performance.
References: How to Test a Disaster Recovery Plan - Abacus; Best Practices For Disaster Recovery Testing | Snyk; Disaster Recovery Plan (DR) Testing - Methods and Must-haves - US Signal; Disaster Recovery Testing: What You Need to Know - Enterprise Storage Forum; Disaster Recovery Testing Best Practices - MSP360

13. Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?
A. Segregation of duties between staff ordering and staff receiving information assets
B. Complete and accurate list of information assets that have been deployed
C. Availability and testing of onsite backup generators
D. Knowledge of the IT staff regarding data protection requirements
Answer: B
Explanation:
The most important prerequisite is a complete and accurate inventory of the information assets deployed in the data center. Information assets are the data, devices, systems and software that have value to the organization and must be protected from unauthorized access, use, disclosure, modification or destruction; a data center houses servers, storage, network equipment and other assets that support the organization's IT operations and services. An inventory makes it possible to identify and classify each asset by its importance, sensitivity or criticality and so to determine the level of protection it needs, and it allows the location, status, ownership, usage, configuration and maintenance of each asset to be tracked, so that unauthorized or inappropriate changes or movements can be prevented or detected. Segregation of duties between ordering and receiving staff, tested backup generators and staff knowledge of data protection requirements are also important, but they are controls whose implementation and maintenance depend on first knowing which assets exist: an asset that is not inventoried cannot be deliberately protected.
References: ISACA CISA Review Manual 27th Edition, page 308

14. An organization's business continuity plan (BCP) should be:
A. updated before an independent audit review.
B. tested after an intrusion attempt into the organization's hot site.
C. tested whenever new applications are implemented.
D. updated based on changes to personnel and environments.
Answer: D
Explanation:
A BCP must stay current with organizational changes to remain effective during a disruption. Changes to personnel (who performs recovery roles) and to the environment (facilities, systems, suppliers) directly affect how the plan would be executed, so they should trigger an update. Updating only before an audit, or testing only after an intrusion attempt or a new application, ties maintenance to events unrelated to whether the plan still reflects the organization.
References
ISACA CISA Review Manual (Current Edition) - Chapter on Business Continuity and Disaster Recovery
Industry Standards (e.g., ISO 22301, NIST SP 800-34) - Guidelines for maintaining and updating a Business Continuity Plan

15. When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
A. Incident monitoring logs
B. The ISP service level agreement
C. Reports of network traffic analysis
D. Network topology diagrams
Answer: D
Explanation:
Network topology diagrams are the most important item when evaluating the design of network monitoring controls, because they show how the network components are connected and configured and where monitoring and protective measures sit relative to the traffic they are meant to observe. Incident monitoring logs, the ISP service level agreement and network traffic analysis reports are evidence of how monitoring operates and performs, which is relevant to testing operating effectiveness rather than to evaluating design.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.3

16. Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?
A. Degaussing
B. Random character overwrite
C. Physical destruction
D. Low-level formatting
Answer: C
Explanation:
Physical destruction (breaking, shredding, melting or incinerating the media) makes the media unreadable and the data unrecoverable, so it is the most effective method. Degaussing, random character overwrite and low-level formatting are methods of sanitizing or erasing data from media that remain usable; they do not guarantee complete destruction of the data and may leave some traces that can be

167. Which of the following is the BEST justification for deferring remediation testing until the next audit?
A. The auditor who conducted the audit and agreed with the timeline has left the organization.
B. Management's planned actions are sufficient given the relative importance of the observations.
C. Auditee management has accepted all observations reported by the auditor.
D. The audit environment has changed significantly.
Answer: D
Explanation:
Deferring remediation testing until the next audit is justified only when significant changes in the audit environment affect the relevance or validity of the audit observations and recommendations, for example changes in business processes, systems, regulations or risks that call for a new audit scope or approach. The other options do not address the timeliness or quality of the follow-up process. The departure of the auditor who performed the audit does not change the audit function's responsibility to test remediation as planned. Management's planned actions being considered sufficient is no guarantee that they will be implemented or that they will be effective. Management's acceptance of all observations does not remove the need for independent verification that the remediation was actually carried out.
References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

168. An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward to those who click on a link embedded in the body of the email.
Which of the following metrics BEST indicates the effectiveness of awareness training?
A. The number of users deleting the email without reporting because it is a phishing email
B. The number of users clicking on the link to learn more about the sender of the email
C. The number of users forwarding the email to their business unit managers
D. The number of users reporting receipt of the email to the information security team
Answer: D
Explanation:
The best metric is the number of users reporting the email to the information security team. Reporting shows that users both recognized the phishing attempt and followed the correct procedure, and it gives the security team the chance to contain the campaign for the users who did not recognize it. Deleting the email without reporting shows recognition but leaves the security team blind to the campaign; clicking the link is the behaviour the training is meant to prevent; and forwarding the email to managers spreads a potentially malicious message without engaging the team equipped to handle it.
References: CISA Review Manual, 27th Edition, page 326

169. An organization's senior management thinks current security controls may be excessive and requests an IS auditor's advice on how to assess the adequacy of current measures.
What is the auditor's BEST recommendation to management?
A. Perform correlation analysis between incidents and investments.
B. Downgrade security controls on low-risk systems.
C. Introduce automated security monitoring tools.
D. Re-evaluate the organization's risk and control framework.
Answer: D
Explanation:
A risk and control framework is the set of principles, processes and tools that guide an organization in identifying, assessing, managing and monitoring the risks and controls that affect its objectives and performance. 
A risk and control framework helps an organization to align its risk appetite and tolerance with its strategy, culture, and values, and to ensure that its security controls are appropriate, effective, and efficient [1].

Re-evaluating the organization's risk and control framework is the best recommendation to management because it can help them to:

Review the current risk environment and the sources, causes, and impacts of potential threats and vulnerabilities.
Update the risk assessment and analysis methods and criteria, such as likelihood, impact, severity, and priority.
Reconsider the risk response and treatment options, such as avoidance, reduction, transfer, or acceptance.
Realign the security controls with the risk profile and the business needs and expectations.
Evaluate the performance and effectiveness of the security controls using key indicators and metrics.
Identify the gaps, weaknesses, or inefficiencies in the security controls and implement corrective or improvement actions.
Communicate and report the risk and control status and results to relevant stakeholders.

Re-evaluating the organization's risk and control framework can help management to determine whether the current security controls are excessive or not, and to make informed and rational decisions on how to adjust them accordingly.

170. During the course of fieldwork, an internal IS auditor observes a critical vulnerability within a newly deployed application.

What is the auditor's BEST course of action?

A. Document the finding in the report.
B. Identify other potential vulnerabilities.
C. Notify IT management.
D. Report the finding to the external auditors.

Answer: C

171. Which of the following is a PRIMARY function of an intrusion detection system (IDS)?

A. Predicting an attack before it occurs
B. Alerting when a scheduled backup job fails
C. Blocking malicious network traffic
D. Warning when executable programs are modified

Answer: D

172. Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?

A. Information security program plans
B. Penetration test results
C. Risk assessment results
D. Industry benchmarks

Answer: C

Explanation:
The best source of information for an IS auditor to use when determining whether an organization's information security policy is adequate is the risk assessment results. The risk assessment results provide the auditor with an overview of the organization's risk profile, including the identification, analysis, and evaluation of the risks that affect the confidentiality, integrity, and availability of the information assets. The auditor can use the risk assessment results to compare the organization's information security policy with the risk appetite, risk tolerance, and risk treatment strategies of the organization. The auditor can also use the risk assessment results to evaluate if the information security policy is aligned with the organization's objectives, requirements, and regulations.

Some of the web sources that support this answer are: Performance Measurement Guide for Information Security; ISO 27001 Annex A.5 - Information Security Policies; [CISA Certified Information Systems Auditor C Question0551]

173. Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

A. Review of program documentation
B. Use of test transactions
C. Interviews with knowledgeable users
D. Review of source code

Answer: B

Explanation:
The most conclusive audit procedure for evaluating the effectiveness of an e-commerce application system's edit routine is to use test transactions. A test transaction is a simulated input that is processed by the system to verify its output and performance [1]. By using test transactions, an auditor can directly observe how the edit routine checks the validity, accuracy, and completeness of data entered by users, and how it handles incorrect or invalid data. A test transaction can also help measure the efficiency, reliability, and security of the edit routine, as well as identify any errors or weaknesses in the system.

The other options are not as conclusive as using test transactions, as they rely on indirect or secondary sources of information. Reviewing program documentation is an audit procedure that involves examining the written description of the system's design, specifications, and functionality [2]. However, program documentation may not reflect the actual implementation or operation of the system, and it may not reveal any discrepancies or defects in the edit routine. Interviewing knowledgeable users is an audit procedure that involves asking questions of the people who use or manage the system [3]. However, interviews with knowledgeable users may not provide sufficient or objective evidence of the edit routine's effectiveness, and they may be influenced by personal opinions or biases. Reviewing source code is an audit procedure that involves analyzing the programming language and logic of the system [4]. However, reviewing source code may not be feasible or practical for complex or large systems, and it may not demonstrate how the edit routine performs in real scenarios.

174. Stress testing should ideally be carried out under a:

A. test environment with production workloads.
B. test environment with test data.
C. production environment with production workloads.
D. production environment with test data.

Answer: A

Explanation:
Stress testing is designed to evaluate a system's performance under extreme conditions [1]. It is typically carried out in a test environment that closely mirrors the production environment, using production workloads [1]. This approach ensures that the test results accurately reflect how the system would perform under similar conditions in the production environment [1]. Using a test environment also prevents any disruptions or damage to the production environment during testing [1].

References:
Stress Testing Best Practices: A Seven Steps Model

175. Which of the following should an IS auditor review when evaluating information systems governance for a large organization?

A. Approval processes for new system implementations
B. Procedures for adding a new user to the invoice processing system
C. Approval processes for updating the corporate website
D. Procedures for regression testing system changes

Answer: A

Explanation:
Information systems governance is the set of policies, processes, structures, and practices that ensure the alignment of IT with business objectives, the delivery of value from IT investments, the management of IT risks, and the optimization of IT resources [1]. Information systems governance is a strategic and high-level function that covers the entire organization and its IT portfolio.
Therefore, an IS auditor should review the aspects of information systems governance that are relevant to the organization's vision, mission, goals, and strategies.

One of the aspects that an IS auditor should review when evaluating information systems governance for a large organization is the approval processes for new system implementations. This is because new system implementations are significant IT investments that require careful planning, analysis, design, development, testing, deployment, and evaluation to ensure that they meet the business requirements, deliver the expected benefits, comply with the relevant standards and regulations, and minimize the potential risks [2]. The approval processes for new system implementations should involve the appropriate stakeholders, such as senior management, business owners, IT managers, project managers, users, and auditors, who have the authority and responsibility to approve or reject the proposed system implementations based on predefined criteria and metrics [3]. The approval processes for new system implementations should also be documented, transparent, consistent, and timely to ensure accountability and traceability [4]. Therefore, an IS auditor should review the approval processes for new system implementations to assess whether they are aligned with the information systems governance framework and objectives.

The other possible options are:

Procedures for adding a new user to the invoice processing system: This is an operational task that involves granting access rights and permissions to a specific user for a specific system based on the principle of least privilege. This is not a strategic or high-level function that falls under information systems governance.
Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization.

Approval processes for updating the corporate website: This is a tactical task that involves making changes or enhancements to the content or design of the corporate website based on the business needs and feedback. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization.

Procedures for regression testing system changes: This is a technical task that involves verifying that existing system functionalities are not adversely affected by new system changes or updates. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization.

References:
1: What is IT Governance? - Definition from Techopedia
2: System Implementation - an overview | ScienceDirect Topics
3: Project Approval Process - Project Management Knowledge
4: 5 Best Practices For A Successful Project Approval Process | Kissflow Project
Principle of Least Privilege (POLP) | Imperva
How to Update Your Website Content - 7 Step Guide | HostGator Blog
What Is Regression Testing? Definition & Best Practices | BrowserStack

176. Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?

A. The information security policy has not been updated in the last two years.
B. Senior management was not involved in the development of the information security policy.
C. A list of critical information assets was not included in the information security policy.
D. The information security policy is not aligned with regulatory requirements.

Answer: D

Explanation:
The effectiveness of an organization's security awareness program can be measured by capturing data on changes in the way people react to threats, such as the ability to recognize and avoid social engineering attacks [1]. An increase in the number of phishing emails reported by employees indicates that they are more aware of the signs and risks of phishing, and are more likely to take appropriate actions to prevent or mitigate the impact of such attacks [2][3].

References:
1: The Importance Of Measuring Security Awareness
2: Measuring the effectiveness of your security awareness program
3: How effective is security awareness training?

177. Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy.

Which of the following BEST provides assurance that the transactions were recovered successfully?

A. Review transaction recovery logs to ensure no errors were recorded.
B. Recount the transaction records to ensure no records are missing.
C. Rerun the process on a backup machine to verify the results are the same.
D. Compare transaction values against external statements to verify accuracy.

Answer: B

Explanation:
Recounting the transaction records to ensure no records are missing best provides assurance that the transactions were recovered successfully from a snapshot copy. This is because recounting the transaction records can verify that the number of records in the restored database matches the number of records in the snapshot copy, which represents the state of the database before the deletion occurred.
Recounting the transaction records can also detect any data corruption or inconsistency that may have occurred during the restore process [1].

Reviewing transaction recovery logs to ensure no errors were recorded is not the best answer, because transaction recovery logs may not capture all the details or issues that may affect the data quality or integrity. Transaction recovery logs are mainly used to monitor and troubleshoot the restore process, but they may not reflect the actual content or accuracy of the restored data [2]. Rerunning the process on a backup machine to verify the results are the same is not the best answer, because rerunning the process may introduce additional errors or inconsistencies that may affect the data quality or integrity. Rerunning the process may also consume more time and resources than necessary, and it may not guarantee that the results are identical to the original data [3].

Comparing transaction values against external statements to verify accuracy is not the best answer, because external statements may not be available or reliable for all transactions. External statements are documents or reports that provide information about transactions from a third-party source, such as a bank, a vendor, or a customer. However, external statements may not cover all transactions, or they may have different formats, standards, or timeliness than the internal data.

178. Which of the following types of firewalls provides the GREATEST degree of control against hacker intrusion?

A. Packet filtering router
B. Circuit gateway
C. Application-level gateway
D. Screening router

Answer: C

179. During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase.

Which of the following should be the auditor's GREATEST concern with this situation?

A. Unrealistic milestones
B. Inadequate deliverables
C. Unclear benefits
D. Incomplete requirements

Answer: D

Explanation:
The answer D is correct because the greatest concern for an IS auditor with the situation of business owners being removed from the project initiation phase is that the requirements may be incomplete. The project initiation phase is the first step in starting a new project, where the project's purpose, scope, objectives, and deliverables are defined and documented. The project initiation phase also involves identifying and engaging the key stakeholders who have an interest or influence in the project, such as sponsors, customers, users, or business owners. Business owners are the individuals or entities who have the authority and responsibility to define the business needs and expectations for the project. They are also the primary beneficiaries of the project outcomes and benefits. Business owners play a crucial role in the project initiation phase, as they provide valuable input and feedback on the requirements and specifications of the project. Requirements are the statements that describe what the project should accomplish or deliver to meet the business needs and expectations.
Requirements are essential for guiding the project planning, execution, monitoring, and closure phases.

If business owners are removed from the project initiation phase, it can result in incomplete or inaccurate requirements, which can have negative impacts on the project's quality, scope, time, cost, and risk.

Some of the possible consequences of incomplete requirements are:

Misalignment: The project may not align with the business strategy, vision, or goals, which can reduce its value or relevance.
Confusion: The project team may not have a clear understanding of what the project should achieve or deliver, which can affect their performance or productivity.
Rework: The project may need to undergo frequent changes or revisions to accommodate new or modified requirements, which can increase the time and cost of the project.
Dissatisfaction: The project may not meet the expectations or satisfaction of the business owners or other stakeholders, which can affect their acceptance or support of the project.
Failure: The project may not deliver the expected outcomes or benefits, which can affect its success or viability.

Therefore, an IS auditor should be concerned about the involvement and participation of business owners in the project initiation phase, as it affects the completeness and quality of requirements.
An IS auditor should review the policies and procedures for stakeholder identification and engagement, verify that the business owners have adequate knowledge and skills to define their requirements, and test that the requirements are well-defined, documented, approved, and communicated.

References:
Project Initiation: The First Step to Project Management [2023] - Asana
Everything you need to know about the project initiation phase
Project Initiation Phase - The Business Professor
Project Initiation: A Guide to Starting a Project Right Way - Kissflow

180. Which of the following is a threat to IS auditor independence?

A. Internal auditors share the audit plan and control test plans with management prior to audit commencement.
B. Internal auditors design remediation plans to address control gaps identified by internal audit.
C. Internal auditors attend IT steering committee meetings.
D. Internal auditors recommend appropriate controls for systems in development.

Answer: B

181. Which of the following is the PRIMARY reason for using a digital signature?

A. Provide availability to the transmission
B. Authenticate the sender of a message
C. Provide confidentiality to the transmission
D. Verify the integrity of the data and the identity of the recipient

Answer: B

Explanation:
A digital signature is a mathematical algorithm that validates the authenticity and integrity of a message or document by generating a unique hash of the message or document and encrypting it using the sender's private key [1]. The primary reason for using a digital signature is to authenticate the sender of a message, as only the sender has access to their private key and can produce a valid signature [2].
A digital signature also verifies the integrity of the data, as any modification to the message or document will result in a different hash value and invalidate the signature [1]. However, a digital signature does not provide availability or confidentiality to the transmission, as it does not prevent denial-of-service attacks or encrypt the entire message or document [3].

References:
1: Understanding Digital Signatures | CISA
2: Signature Verification | CISA
3: SECFND: Digital Signatures from Skillsoft | NICCS

182. Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?

A. Implement data loss prevention (DLP) software
B. Review perimeter firewall logs
C. Provide ongoing information security awareness training
D. Establish behavioral analytics monitoring

Answer: D

Explanation:
The most effective way to identify exfiltration of sensitive data by a malicious insider is to establish behavioral analytics monitoring. Behavioral analytics is the process of analyzing the patterns and anomalies in user behavior to detect and prevent insider threats. Behavioral analytics can help identify unusual or suspicious activities, such as accessing sensitive data at odd hours, transferring large amounts of data to external devices or locations, or using unauthorized applications or protocols. Behavioral analytics can also help correlate data from multiple sources, such as network logs, user profiles, and access rights, to provide a holistic view of user activity and risk.

Data loss prevention (DLP) software is a tool that can help prevent exfiltration of sensitive data by a malicious insider, but it is not the most effective way to identify it.
DLP software can block or alert on unauthorized data transfers based on predefined rules and policies, but it may not be able to detect sophisticated or stealthy exfiltration techniques, such as encryption, steganography, or data obfuscation.

Reviewing perimeter firewall logs is a way to identify exfiltration of sensitive data by a malicious insider, but it is not the most effective way. Perimeter firewall logs can show the traffic volume and destination of data transfers, but they may not be able to show the content or context of the data. Perimeter firewall logs may also be overwhelmed by the amount of normal traffic and miss the signals of malicious exfiltration.

Providing ongoing information security awareness training is a way to reduce the risk of exfiltration of sensitive data by a malicious insider, but it is not a way to identify it. Information security awareness training can help educate users on the importance of protecting sensitive data and the consequences of violating policies and regulations, but it may not deter or detect those who are intentionally or maliciously exfiltrating data.

References:
ISACA, CISA Review Manual, 27th Edition, 2019, p. 300
ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription 1
Cybersecurity Engineering for Legacy Systems: 6 Recommendations - SEI Blog 2
How to Secure Your Company's Legacy Applications - iCorps

recovered by advanced techniques.
Therefore, physical destruction is the most secure and reliable method of data disposal for sensitive data.

References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.4: Data Disposal

17. With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?

A. A business impact analysis (BIA) has not been performed
B. Business data is not sanitized in the development environment
C. There is no plan for monitoring system downtime
D. The process owner has not signed off on user acceptance testing (UAT)

Answer: A

Explanation:
Resilience is the ability of an organization to continue to operate effectively during or after a disruptive event. A business impact analysis (BIA) is a key process to identify the critical systems and processes that support the organization's objectives and determine the impact of their disruption. Without a BIA, the organization may not be able to prioritize the recovery of the most important systems and processes, which poses the greatest risk to its resilience. The other options are not as significant as a BIA, as they relate to data quality, system monitoring, and user acceptance testing, which are important but not essential for resilience.

References: CISA Review Manual (Digital Version), Domain 4: Information Systems Operations and Business Resilience, Section 4.2 Business Continuity Planning [1]

18. Which of the following occurs during the issues management process for a system development project?

A. Contingency planning
B. Configuration management
C. Help desk management
D. Impact assessment

Answer: D

Explanation:
Impact assessment is an activity that occurs during the issues management process for a system development project.
Issues management is a process of identifying, analyzing, resolving, and monitoring issues that may affect the project scope, schedule, budget, or quality. Impact assessment is a technique of evaluating the severity and priority of an issue, as well as its implications for the project objectives and deliverables. The other options are not activities that occur during the issues management process, but rather relate to other processes such as contingency planning, configuration management, or help desk management.

References:
CISA Review Manual (Digital Version), Chapter 4, Section 4.3.3 [1]
CISA Review Questions, Answers & Explanations Database, Question ID 217

19. Which of the following BEST addresses the availability of an online store?

A. RAID level 5 storage devices
B. A mirrored site at another location
C. Online backups
D. Clustered architecture

Answer: B

20. Data from a system of sensors located outside of a network is received by the open ports on a server.

Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?

A. Implement network address translation on the sensor system.
B. Route the traffic from the sensor system through a proxy server.
C. Hash the data that is transmitted from the sensor system.
D. Transmit the sensor data via a virtual private network (VPN) to the server.

Answer: D

21. IT disaster recovery time objectives (RTOs) should be based on the:

A. maximum tolerable loss of data.
B. nature of the outage.
C. maximum tolerable downtime (MTD).
D. business-defined criticality of the systems.

Answer: D

Explanation:
IT disaster recovery time objectives (RTOs) are the maximum acceptable time that an IT system can be unavailable after a disaster before it causes unacceptable consequences for the business. IT RTOs should be based on the business-defined criticality of the systems, which reflects how important they are for supporting the business processes and functions. The maximum tolerable loss of data, the nature of the outage, and the maximum tolerable downtime (MTD) are also factors that affect the IT RTOs, but they are not the primary basis for determining them.

22. An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged.

The IS auditor's FIRST action should be to:

A. recommend that the option to directly modify the database be removed immediately.
B. recommend that the system require two persons to be involved in modifying the database.
C. determine whether the log of changes to the tables is backed up.
D. determine whether the audit trail is secured and reviewed.

Answer: D

Explanation:
The IS auditor's first action after discovering an option in a database that allows the administrator to directly modify any table should be to determine whether the audit trail is secured and reviewed.

This is because direct modification of database tables can pose a significant risk to data integrity, security, and accountability. An audit trail is a record of all changes made to database tables, including who made them, when they were made, and what was changed.
An audit trail can help to detect unauthorized or erroneous changes, provide evidence for investigations or audits, and support data recovery or restoration. The IS auditor should assess whether the audit trail is protected from tampering or deletion, and whether it is regularly reviewed for anomalies or exceptions.

23. In an online application, which of the following would provide the MOST information about the transaction audit trail?

A. System/process flowchart
B. File layouts
C. Data architecture
D. Source code documentation

Answer: C

Explanation:
In an online application, data architecture provides the most information about the transaction audit trail, as it describes how data are created, stored, processed, accessed and exchanged among different components of the application. Data architecture includes data models, schemas, dictionaries, metadata, standards and policies that define the structure, quality, integrity, security and governance of data. Data architecture can help the IS auditor to trace the origin, flow, transformation and destination of data in an online transaction, and to identify the key data elements, attributes and relationships that are relevant for audit purposes. A system/process flowchart is a graphical representation of the sequence of steps or activities that are performed by a system or process. A system/process flowchart can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. A system/process flowchart shows the inputs, outputs, decisions and actions of a system or process, but it does not show the data elements, attributes and relationships that are involved in each step or activity. A file layout is a specification of the format and structure of a data file.
A file layout can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. A file layout shows the fields, types, lengths and positions of data in a file, but it does not show the origin, flow, transformation and destination of data in an online transaction. Source code documentation is a description of the logic, functionality and purpose of a program or module written in a programming language. Source code documentation can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. Source code documentation shows the instructions, variables and parameters that are used to perform calculations and operations on data, but it does not show the data elements, attributes and relationships that are involved in each instruction or operation.

References: CISA Review Manual (Digital Version) [1], Chapter 4: Information Systems Operations and Business Resilience, Section 4.2: Data Administration Practices.

24. Which of the following tasks would cause the GREATEST segregation of duties (SoD) concern if performed by the person who reconciles the organization's device inventory?

A. Tracking devices used for spare parts
B. Creating the device policy
C. Issuing devices to employees
D. Approving the issuing of devices

Answer: C

25. During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing.

Which of the following should the IS auditor identify as the associated risk?

A. The use of the cloud negatively impacting IT availability
B. Increased need for user awareness training
C. Increased vulnerability due to anytime, anywhere accessibility
D. Lack of governance and oversight for IT infrastructure and applications

Answer: C

Explanation:
The associated risk of mobile computing that an IS auditor should identify during the planning phase of a data loss prevention (DLP) audit is increased vulnerability due to anytime, anywhere accessibility. Mobile computing refers to the use of portable devices, such as laptops, tablets, smartphones, or wearable devices, that can access data and applications over wireless networks from any location [6]. Mobile computing enables greater flexibility, productivity, and convenience for users, but also poses significant security challenges for organizations. One of these challenges is increased vulnerability due to anytime, anywhere accessibility. This means that mobile devices are exposed to a higher risk of loss, theft, damage, or unauthorized access than stationary devices [7]. If mobile devices contain or access sensitive data without proper protection, such as encryption or authentication, they could result in data leakage or breach in case of compromise [8]. Therefore, an IS auditor should identify this risk as part of a DLP audit.

The other options are less relevant or incorrect because:

A. The use of cloud negatively impacting IT availability is not an associated risk of mobile computing that an IS auditor should identify during the planning phase of a DLP audit, as it is more related to cloud computing than mobile computing. Cloud computing refers to the delivery of computing services, such as data storage or processing, over the Internet from remote servers. Cloud computing may enable or support mobile computing by providing access to data and applications from any device or location, but it does not necessarily imply mobile computing.
The use of the cloud may negatively impact IT availability if there are disruptions or outages in the cloud service provider's network or infrastructure, but this is not a direct consequence of mobile computing.
B. Increased need for user awareness training is not an associated risk of mobile computing that an IS auditor should identify during the planning phase of a DLP audit, as it is a control or mitigation measure rather than a risk. User awareness training means educating users about security policies, procedures and best practices for using mobile devices and protecting data. It may reduce the risk of data loss or breach due to mobile computing by increasing user knowledge and responsibility, but it does not eliminate or prevent the risk.
D. Lack of governance and oversight for IT infrastructure and applications is not an associated risk of mobile computing that an IS auditor should identify during the planning phase of a DLP audit, as it is a general, organizational risk rather than a specific, technical one. Governance and oversight refer to the establishment and implementation of policies, standards and procedures for managing IT resources and aligning them with business objectives. Lack of governance and oversight for IT infrastructure and applications may affect the security and performance of mobile devices and data, but it is not a direct or inherent result of mobile computing.
References:
Mobile Computing - ISACA
Mobile Computing Device Threats, Vulnerabilities and Risk Factors Are Ubiquitous - ISACA
Data Loss Prevention - Next Steps - ISACA
Cloud Computing - ISACA
Cloud Computing Risk Assessment - ISACA
User Awareness Training - ISACA
Governance and Oversight - ISACA

26. The implementation of an IT governance framework requires that the board of directors of an organization:
A. Address technical IT issues.
B. Be informed of all IT initiatives.
C. Have an IT strategy committee.
D. Approve the IT strategy.
Answer: D
Explanation:
IT governance is a framework that defines the roles, responsibilities and processes for aligning IT strategy with business strategy. The board of directors of an organization is ultimately accountable for IT governance and has the authority to approve the IT strategy. The board does not need to address technical IT issues, be informed of all IT initiatives or have an IT strategy committee, as these tasks can be delegated to other stakeholders or committees within the organization.

27. An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents.
Which of the following observations should be of MOST concern to the auditor?
A. Training was not provided to the department that handles intellectual property and patents.
B. Logging and monitoring for content filtering is not enabled.
C. Employees can share files with users outside the company through collaboration tools.
D. The collaboration tool is hosted and can only be accessed via an Internet browser.
Answer: B
Explanation:
The observation that should be of most concern to the auditor when reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents is that employees can share files with users outside the company through collaboration tools. Collaboration tools are software or hardware devices that enable users to communicate, cooperate and coordinate with each other on a common task or project.
Collaboration tools can facilitate information sharing and knowledge exchange among users, but they can also pose security risks if they are not properly controlled or managed. The ability of employees to share files with users outside the company is the most concerning observation because it can compromise the security and confidentiality of intellectual property and patents, which are valuable and sensitive assets of the organization. Employees may share files with unauthorized or untrusted users who may misuse or disclose the intellectual property and patents, intentionally or unintentionally. This can harm the organization through loss of competitive advantage, reputation, revenue or legal rights.
The lack of training for the department that handles intellectual property and patents could indicate a security issue related to collaboration tools, but it is not the most concerning observation. Training educates and instructs users on how to use collaboration tools effectively and securely, for example how to access, share, store and protect information with them. A lack of training can reduce the awareness and competence of users and increase the likelihood of errors or mistakes that compromise the security or quality of information. However, this observation is not specific to collaboration tools, as it applies to any information system or resource used by the department.
The absence of logging and monitoring for content filtering could indicate a security issue related to collaboration tools, but it is not the most concerning observation. Logging and monitoring are processes that record and analyze the events or activities on an information system or network, such as user actions, system operations, data changes, errors and alerts. Content filtering is a technique that blocks or allows access to certain types of information based on predefined criteria or rules, such as keywords, categories or sources. Without logging and monitoring for content filtering, the auditability, accountability and visibility of collaboration tools suffer, and security incidents or violations related to information sharing may go undetected or uninvestigated. However, this observation is not specific to collaboration tools, as it affects any information system or network that uses content filtering.
The fact that the collaboration tool is hosted and can only be accessed via an Internet browser could indicate a security issue, but it is not the most concerning observation. A hosted collaboration tool is a cloud-based service that provides collaboration functionality over the Internet without requiring installation or maintenance on local devices. An Internet browser is a software application that enables users to access and interact with web-based content or services.
Hosting and browser-only access can affect the availability and reliability of collaboration tools and introduce security or privacy risks for information sharing. However, this observation is not unique to collaboration tools, as it applies to any cloud-based service accessed through an Internet browser.

28. When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor's GREATEST concern?
A. Lack of ongoing maintenance costs
B. Lack of training materials
C. Lack of plan for pilot implementation
D. Lack of detailed work breakdown structure
Answer: A
Explanation:
The IS auditor's greatest concern when reviewing a business case for a proposed implementation of a third-party system should be A, lack of ongoing maintenance costs. Ongoing maintenance costs are an essential part of the total cost of ownership (TCO) of a third-party system, and they can have a significant impact on the return on investment (ROI) and the feasibility of the project. If the business case does not include ongoing maintenance costs, it may underestimate the true cost of the project and overestimate the benefits, leading to poor decision making and unrealistic expectations.
Lack of training materials (B), lack of a plan for pilot implementation (C) and lack of a detailed work breakdown structure (D) are also potential issues that could affect the quality and success of the project, but they are not as critical as the lack of ongoing maintenance costs. Training materials can be developed or acquired later, a pilot implementation can be planned during the project initiation or planning phase, and the work breakdown structure can be refined as the project progresses.
However, ongoing maintenance costs are difficult to change or estimate once the project is approved and implemented, and they can have long-term implications for the organization. Therefore, they should be included and analyzed in the business case.

29. The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers because they:
A. are recommended by security standards.
B. can limit Telnet and traffic from the open Internet.
C. act as filters between the world and the network.
D. can detect cyberattacks.
Answer: B
Explanation:
The use of access control lists (ACLs) is the most effective method to mitigate security risk for routers because they can limit Telnet and traffic from the open Internet. Telnet is a protocol that allows remote access to a device, which can pose a security threat if not properly controlled. Traffic from the open Internet can also contain malicious packets that can harm the network or the router itself. ACLs act as filters that block or allow specific types of traffic based on predefined criteria, such as source and destination addresses, protocols, ports and flags. By using ACLs, routers can prevent unauthorized access and reduce the exposure to potential attacks.
References:
Protecting Your Core: Infrastructure Protection Access Control Lists
Definition, purposes, benefits, and functions of ACL
CISA Review Manual 27th Edition, page 336

30. Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process?
A. Securing information assets in accordance with the classification assigned
B. Validating that assets are protected according to assigned classification
C. Ensuring classification levels align with regulatory guidelines
D. Defining classification levels for information assets within the organization
Answer: B
Explanation:
Validating that assets are protected according to their assigned classification is the primary role of the IS auditor in an organization's information classification process. An IS auditor should evaluate whether the information security controls are adequate and effective in safeguarding the information assets based on their classification levels. The other options are not the primary role of the IS auditor; they are the responsibilities of the information owners, custodians or security managers.
References:
CISA Review Manual (Digital Version), Chapter 6, Section 6.2.31
CISA Review Questions, Answers & Explanations Database, Question ID 206

31. The PRIMARY goal of capacity management is to:
A. minimize data storage needs across the organization.
B. provide necessary IT resources to meet business requirements.
C. minimize system idle time to optimize cost.
D. ensure that IT teams have sufficient personnel.
Answer: B

32. During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (AI) algorithm. The audit team does not have the necessary knowledge to proceed with the audit.
Which of the following is the BEST way to handle this situation?
A. Perform a skills assessment to identify members from other business units with knowledge of AI.
B. Remove the AI portion from the audit scope and proceed with the audit.
C. Delay the audit until the team receives training on AI.
D. Engage external consultants who have audit experience and knowledge of AI.
Answer: D
Explanation:
If the audit team lacks the necessary knowledge to audit a system that uses an AI algorithm, engaging external consultants who have audit experience and knowledge of AI is the best approach. These consultants can provide the expertise needed to audit the AI system effectively, so the audit is conducted thoroughly and accurately without requiring the audit team to acquire new skills or knowledge first.
References:
Auditing Guidelines for Artificial Intelligence - ISACA
An In-Depth Guide To Audit AI Models - Censius

33. Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
A. Review a report of security rights in the system.
B. Observe the performance of business processes.
C. Develop a process to identify authorization conflicts.
D. Examine recent system access rights violations.
Answer: A
Explanation:
The most efficient way to identify segregation of duties violations in a new system is to review a report of security rights in the system. Segregation of duties is a control principle that aims to prevent or detect errors, fraud or abuse by ensuring that no single individual has the ability to perform incompatible or conflicting functions or activities within a system or process. A report of security rights in the system gives a comprehensive and accurate overview of the roles, responsibilities and access levels assigned to different users or groups in the system, and helps to identify any potential segregation of duties violations or risks.
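Reviewing a rights report for SoD conflicts is something an auditor can script. The following is an added example, not taken from the CISA manual or from any vendor product: it parses a constructed security-rights report of user/role assignments, expands each role to the functions it grants, and flags every user whose combined roles cover a pair of functions listed in a constructed conflict matrix. The report format, role names, function names and conflict pairs are all assumptions made for the illustration.

```python
"""Detect segregation-of-duties (SoD) conflicts from a security-rights report.

Added example (not from the CISA manual). The report layout, roles, functions
and conflict matrix below are constructed for illustration only.
"""
import csv
import io
from itertools import combinations

# Constructed: role -> business functions the role grants. A real report would
# export this mapping from the system's authorization tables.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "release_payment"},
    "DEVELOPER": {"modify_source"},
    "RELEASE_MGR": {"deploy_to_production"},
    "READ_ONLY": {"view_reports"},
}

# Constructed: pairs of functions that no single person may hold together.
CONFLICT_MATRIX = {
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"enter_invoice", "approve_invoice"}),
    frozenset({"modify_source", "deploy_to_production"}),
}

# Constructed security-rights report: one line per user/role assignment.
RIGHTS_REPORT = """user,role
alice,AP_CLERK
alice,AP_MANAGER
bob,AP_CLERK
carol,DEVELOPER
carol,RELEASE_MGR
dave,READ_ONLY
dave,DEVELOPER
"""


def parse_rights_report(text):
    """Return {user: {role, ...}} from the CSV rights report."""
    rights = {}
    for row in csv.DictReader(io.StringIO(text)):
        rights.setdefault(row["user"].strip(), set()).add(row["role"].strip())
    return rights


def effective_functions(roles):
    """Map a user's roles to {function: {roles that grant it}}.

    Unknown roles grant nothing; an auditor would flag them separately.
    """
    granted = {}
    for role in roles:
        for fn in ROLE_FUNCTIONS.get(role, set()):
            granted.setdefault(fn, set()).add(role)
    return granted


def find_sod_violations(rights):
    """Return {user: [(function_a, function_b, roles_involved), ...]}.

    A violation is any conflicting pair reachable through the user's combined
    roles, so conflicts that span two otherwise clean roles are caught too.
    """
    violations = {}
    for user, roles in rights.items():
        granted = effective_functions(roles)
        for fa, fb in combinations(sorted(granted), 2):
            if frozenset({fa, fb}) in CONFLICT_MATRIX:
                via = sorted(granted[fa] | granted[fb])
                violations.setdefault(user, []).append((fa, fb, via))
    return violations


def main():
    rights = parse_rights_report(RIGHTS_REPORT)
    for user, items in sorted(find_sod_violations(rights).items()):
        for fa, fb, via in items:
            print(f"{user}: {fa} + {fb} (via roles {', '.join(via)})")


if __name__ == "__main__":
    main()
```

Expanding roles to the functions they grant is what catches alice, whose two roles are individually clean but together let her enter and approve an invoice; a role-by-role inspection of the report would miss that.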
The other options are not as efficient as reviewing a report of security rights in the system, because they either rely on observation or testing rather than analysis, or they focus on existing rather than potential violations.
References:
CISA Review Manual (Digital Version), Chapter 5, Section 5.2.2

34. In an annual audit cycle, the audit of an organization's IT department resulted in many findings.
Which of the following would be the MOST important consideration when planning the next audit?
A. Postponing the review until all of the findings have been rectified
B. Limiting the review to the deficient areas
C. Verifying that all recommendations have been implemented
D. Following up on the status of all recommendations
Answer: D
Explanation:
The most important consideration when planning the next audit after many findings is to follow up on the status of all recommendations, as this ensures that the audit findings are addressed in a timely and effective manner and that the root causes of the issues are resolved. Following up on the status of all recommendations also helps to assess the progress and performance of the IT department, and to identify any new or emerging risks or challenges.
References:
What to consider when resolving internal audit findings
A brief guide to follow up
Guidance on auditing planning for Internal Audit
Corrective Action Plan (CAP): How to Manage Audit Findings

35. Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?
A. Portfolio management
B. Business plans
C. Business processes
D. IT strategic plans
Answer: C
Explanation:
Business processes should be the primary focus of an IS auditor when developing a risk-based IS audit program, because they represent the core activities and functions of the organization that support its objectives and goals. Business processes also involve the use of IT resources and systems that may pose risks to the organization's performance and compliance. A risk-based IS audit program should identify and assess the risks associated with the business processes and determine the appropriate audit scope and procedures to provide assurance on their effectiveness and efficiency. Portfolio management, business plans and IT strategic plans are also relevant factors for developing a risk-based IS audit program, but they are not as important as business processes.
References:
CISA Review Manual (Digital Version), Chapter 2, Section 2.2.1

36. An IS auditor learns that an in-house system development life cycle (SDLC) project has not met user specifications.
The auditor should FIRST examine requirements from which of the following phases?
A. Configuration phase
B. User training phase
C. Quality assurance (QA) phase
D. Development phase
Answer: C
Explanation:
The quality assurance (QA) phase is where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications, because the QA phase is where the system is tested and verified against the user specifications and the design specifications to ensure that it meets the functional and non-functional requirements, as well as the quality standards and expectations.
The QA phase involves testing activities such as unit testing, integration testing, system testing, acceptance testing, performance testing and security testing, to identify and resolve any defects, errors or deviations from the specifications.
The configuration phase is not where the IS auditor should first examine requirements. The configuration phase is where the system is installed and configured on the target environment (hardware, software, network and so on) to prepare it for deployment and operation. It may involve activities such as installation, customization, migration and integration, to ensure that the system is compatible and interoperable with the existing infrastructure and systems.
The user training phase is not where the IS auditor should first examine requirements. The user training phase is where the end users are trained and educated on how to use the system effectively and efficiently. It may involve developing training materials, conducting training sessions, and providing feedback and support, so that users are familiar and comfortable with the system features and functions.
The development phase is not where the IS auditor should first examine requirements. The development phase is where the system is coded and built based on the design specifications and the user specifications.
The development phase may involve activities such as programming, debugging and documenting, to create a working prototype or a final product of the system.

37. Which of the following is MOST likely to be reduced when implementing optimal risk management strategies?
A. Sampling risk
B. Residual risk
C. Detection risk
D. Inherent risk
Answer: D

38. An IS audit manager is preparing the staffing plan for an audit engagement of a cloud service provider.
What should be the manager's PRIMARY concern when being made aware that a new auditor in the department previously worked for this provider?
A. Independence
B. Professional conduct
C. Subject matter expertise
D. Resource availability
Answer: A

39. Which of the following is the MOST effective control to mitigate against the risk of inappropriate activity by employees?
A. User activity monitoring
B. Two-factor authentication
C. Network segmentation
D. Access recertification
Answer: A
Explanation:
Answer A is correct because user activity monitoring is the most effective control to mitigate the risk of inappropriate activity by employees. User activity monitoring (UAM) is the process of tracking and recording the actions and behaviors of users on devices, networks or applications that belong to an organization. UAM can help to prevent, detect and respond to insider threats, such as data theft, fraud, sabotage or misuse of resources. UAM can also help to enforce policies, ensure compliance, and improve productivity and performance.
Some of the benefits of UAM are:
Prevention: UAM can deter employees from engaging in inappropriate activity by making them aware that their actions are monitored and recorded.
UAM can also prevent unauthorized access to or use of sensitive data or resources through access controls, encryption or alerts.
Detection: UAM can detect anomalies, deviations or violations in user activity by analyzing the data collected from sources such as logs, keystrokes, screenshots or video recordings. UAM can also use artificial intelligence or machine learning to identify patterns, trends or risks in user behavior.
Response: UAM can respond to incidents or issues related to user activity by notifying the relevant stakeholders, such as managers, security teams or auditors. UAM can also provide evidence or proof of user activity for investigation or remediation purposes.
Some examples of UAM tools are:
Teramind: a cloud-based UAM platform that offers user behavior analytics, risk scoring, policy enforcement, data loss prevention and productivity optimization.
Digital Guardian: a data protection platform that offers UAM capabilities such as endpoint detection and response, data classification and tagging, and threat hunting and incident response.
XPLG: a log management and analysis platform that offers UAM features such as log aggregation and correlation, user behavior profiling and anomaly detection, and real-time alerts and dashboards.
The other options are not as effective as option A. Two-factor authentication (option B) is a security mechanism that requires users to provide two pieces of evidence to verify their identity before accessing a system or resource. Two-factor authentication can enhance the security and privacy of user accounts, but it does not monitor or record the user's activity after authentication.
Network segmentation (option C) divides a network into smaller subnetworks based on criteria such as function, location or security level. Network segmentation can improve the performance, security and manageability of a network by reducing congestion, isolating threats and enforcing policies. However, it does not track or record user activity within each segment of the network. Access recertification (option D) is a process that periodically or on demand verifies and validates the access rights of users to systems or resources. Access recertification can ensure that users have the appropriate level of access based on their roles and responsibilities, but it does not monitor or record what users do with those access rights.
References:
User Activity Monitoring: Examples and Best Practices - SEON
Top 10 user activity monitoring tools: software features and tracking price - Dashly blog
What is User Activity Monitoring? How It Works, Benefits, Best Practices and More - Digital Guardian
What Is User Activity Monitoring? Learn the What, Why, and How - XPLG

40. Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
A. Expected deliverables meeting project deadlines
B. Sign-off from the IT team
C. Ongoing participation by relevant stakeholders
D. Quality assurance (QA) review
Answer: B

42. During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress.
Which of the following is the GREATEST resulting impact?
A. The project manager will have to be replaced.
B. The project reporting to the board of directors will be incomplete.
C. The project steering committee cannot provide effective governance.
D. The project will not withstand a quality assurance (QA) review.
Answer: C
Explanation:
The greatest resulting impact of project reporting that does not accurately reflect current progress is that the project steering committee cannot provide effective governance. The project steering committee is a group of senior executives or stakeholders who oversee the project and provide strategic direction, guidance and support. It relies on accurate and timely project reporting to monitor the project's status, performance, risks, issues and changes. If the project reporting is inaccurate, the steering committee cannot make informed decisions, resolve problems, allocate resources, or ensure alignment with organizational goals and objectives.
The other options are not as impactful as option C. Replacing the project manager is a possible consequence, but not the greatest impact, of inaccurate project reporting. The project manager is responsible for planning, executing, monitoring, controlling and closing the project, and may face disciplinary action or termination for failing to provide accurate and honest project reporting. However, this does not necessarily affect the overall governance of the project. Incomplete project reporting to the board of directors is a potential risk, but not the greatest impact, of inaccurate project reporting. The board of directors is the highest governing body of an organization and sets its vision, mission, values and policies.
The board may receive periodic or ad hoc project reporting to ensure that the project is aligned with the organizational strategy and delivers value. If the project reporting is inaccurate, the board may lose confidence in the project or intervene in its management, but this does not directly affect the day-to-day governance of the project. Failing a quality assurance (QA) review is a possible outcome, but not the greatest impact, of inaccurate project reporting. A QA review evaluates the quality of the project's processes and deliverables against predefined standards and criteria; it may reveal discrepancies or errors in the project reporting that affect the credibility and reliability of the project, but this does not necessarily affect the governance of the project.
References:
Project Steering Committee - Roles & Responsibilities
Project Reporting Best Practices
Quality Assurance in Project Management

43. Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?
A. Ensuring standards are adhered to within the development process
B. Ensuring the test work supports observations
C. Updating development methodology
D. Implementing solutions to correct defects
Answer: D
Explanation:
Implementing solutions to correct defects is a responsibility of the development function, not the quality assurance (QA) function. The QA function should ensure that the development process follows the established standards and methodologies, and that defects are identified and reported. The QA function should not be involved in fixing the defects, as this would compromise its independence and objectivity.
The other options are valid responsibilities of the QA function, and they should not raise concern for an IS auditor.</p><p>References: CISA Review Manual (Digital Version), page 300.</p><p>44. A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?</p><p>A. Document last-minute enhancements</p><p>B. Perform a pre-implementation audit</p><p>C. Perform user acceptance testing (UAT)</p><p>D. Ensure that code has been reviewed</p><p>Answer: A</p><p>Explanation:</p><p>Performing user acceptance testing (UAT) is the most important activity before implementing a new system, as it ensures that the system meets the user requirements and expectations, and that it is free of major defects. Documenting last-minute enhancements, performing a pre-implementation audit, and ensuring that code has been reviewed are also important activities, but they are not as critical as UAT.</p><p>References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2</p><p>45. During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?</p><p>A. Review sign-off documentation</p><p>B. Review the source code related to the calculation</p><p>C. Re-perform the calculation with audit software</p><p>D. Inspect user acceptance test (UAT) results</p><p>Answer: C</p><p>Explanation:</p><p>The best way to obtain assurance that certain automated calculations comply with the regulatory requirements is to re-perform the calculation with audit software. This will allow the auditor to independently verify the accuracy and validity of the calculation and compare it with the expected results. 
Reviewing sign-off documentation, source code, or user acceptance test results may not provide sufficient evidence or assurance that the calculation is correct and compliant.</p><p>References: CISA Review Manual (Digital Version), page 325</p><p>CISA Questions, Answers & Explanations Database, question ID 3335</p><p>46. Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?</p><p>A. Logs are being collected in a separate protected host</p><p>B. Automated alerts are being sent when a risk is detected</p><p>C. Insider attacks are being controlled</p><p>D. Access to configuration files is restricted.</p><p>Answer: A</p><p>Explanation:</p><p>A firewall is a device or software that monitors and controls the incoming and outgoing network traffic based on predefined rules. A firewall can help protect an organization’s network and information systems from unauthorized or malicious access, by filtering or blocking unwanted or harmful packets. The most important thing for an IS auditor to verify when evaluating an organization’s firewall is that the logs are being collected in a separate protected host. Logs are records of events or activities that occur on a system or network, such as connections, requests, responses, errors, and alerts. Logs can provide valuable information for auditing, monitoring, troubleshooting, and investigating security incidents. However, logs can also be tampered with, deleted, or corrupted by attackers or insiders who want to hide their tracks or evidence of their actions. Therefore, it is essential that logs are stored in a separate host that is isolated and secured from the network and the firewall itself, to prevent unauthorized access or modification of the logs. 
“Automated alerts are being sent when a risk is detected” is a good practice for enhancing the security and efficiency of a firewall, but it is not the most important thing for an IS auditor to verify, as alerts may not always be accurate, timely, or actionable. “Insider attacks are being controlled” is a desirable outcome for a firewall, but it is not the most important thing for an IS auditor to verify, as insider attacks may involve other factors or methods that bypass or compromise the firewall, such as social engineering, credential theft, or physical access. “Access to configuration files is restricted” is a critical control for ensuring the security and integrity of a firewall, but it is not the most important thing for an IS auditor to verify, as configuration files may not reflect the actual state or performance of the firewall.</p><p>47. Which of the following is an advantage of using agile software development methodology over the waterfall methodology?</p><p>A. Less funding required overall</p><p>B. Quicker deliverables</p><p>C. Quicker end user acceptance</p><p>D. Clearly defined business expectations</p><p>Answer: B</p><p>Explanation:</p><p>The advantage of using agile software development methodology over the waterfall methodology is that it allows for quicker deliverables. Agile software development is an iterative and incremental approach that emphasizes customer feedback, collaboration, and adaptation. Agile software development delivers working software in short cycles, called sprints, that typically last from two to four weeks. This enables the development team to respond to changing requirements, deliver value faster, and improve quality. Waterfall software development is a linear and sequential approach that follows a predefined set of phases, such as planning, analysis, design, implementation, testing, and maintenance. 
Waterfall software development requires a clear and stable definition of the project scope, deliverables, and expectations before starting the development process. Waterfall software development can be slow, rigid, and costly, especially if changes occur during the later stages of the project.</p><p>References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development & Implementation, Section 3.1: Project Management Practices</p><p>48. Which of the following is the MOST important consideration for patching mission critical business application servers against known vulnerabilities?</p><p>A. Patches are implemented in a test environment prior to rollout into production.</p><p>B. Network vulnerability scans are conducted after patches are implemented.</p><p>C. Vulnerability assessments are periodically conducted according to defined schedules.</p><p>D. Roles and responsibilities for implementing patches are defined.</p><p>Answer: A</p><p>Explanation:</p><p>The most important consideration for patching mission critical business application servers against known vulnerabilities is option A, that patches are implemented in a test environment prior to rollout into production. This is because patching mission critical business application servers involves a high level of risk and complexity, and requires careful planning and testing before applying the patches to the live environment. Patches may introduce new bugs, errors, or conflicts that could affect the functionality, performance, or security of the application servers, and cause system downtime, data loss, or business disruption. 
Therefore, it is essential to implement patches in a test environment first, where the patches can be verified and validated for their effectiveness and compatibility, and any issues or defects can be identified and resolved before they impact the production environment.</p><p>49. An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?</p><p>A. Review the list of end users and evaluate for authorization.</p><p>B. Report this control process weakness to senior management.</p><p>C. Verify management's approval for this exemption.</p><p>D. Obtain a verbal confirmation from IT for this exemption.</p><p>Answer: B</p><p>Explanation:</p><p>The IS auditor’s next course of action should be to report this control process weakness to senior management, as it may indicate a lack of oversight and accountability for the reporting system. Read-only users may have access to sensitive or confidential information that should be restricted or monitored. Periodic reviews of read-only users are a good practice to ensure that the access rights are still valid and appropriate for the users’ roles and responsibilities. Reporting this weakness to senior management will also allow them to take corrective actions or implement compensating controls if needed.</p><p>Option A is incorrect because reviewing the list of end users and evaluating for authorization is not the IS auditor’s responsibility, but rather the system owner’s or administrator’s. The IS auditor should only verify that such reviews are performed and documented by the responsible parties.</p><p>Option C is incorrect because verifying management’s approval for this exemption is not sufficient to address the control process weakness. 
Even if there is a valid reason for not performing periodic reviews of read-only users, the IS auditor should still report this as a potential risk and recommend mitigating controls.</p><p>Option D is incorrect because obtaining a verbal confirmation from IT for this exemption is not adequate evidence or documentation.</p>