ISACA CISA Exam Questions
Page 2 of 50
21.
The management team of a cloud service provider is currently assigning job functions to individual personnel in the programming department. What category of policies is management addressing?
- Roles and responsibilities
- Development practices
- Operational practices
- IT processes, documents, and records
Correct answer: Roles and responsibilities
Policies are high-level statements of intent, expectations, and direction. Management can decide on roles and responsibilities, which can be for departments as well as individual members.
Policies for development practices include methodologies as well as security and testing policies. Operational practices are the high-level processes that need to be performed, such as system monitoring and daily backups. IT processes, documents, and records refer to important IT policies for incident management, vulnerability management, etc.
22.
Which of the following is NOT an ISACA IS Audit and Assurance Standards category?
- Ethics
- General
- Performance
- Reporting
Correct answer: Ethics
There are three categories of standards and guidelines:
- General: The guiding principles under which the IS assurance professional operates, applying to all conduct of the ISACA assignments and encompassing the IS audit and assurance professional's ethics, objectivity, knowledge, competency, and more.
- Performance: Deals with the conduct of the assignment: planning, supervision, scoping, risk, resource mobilization and assignment management, and audit and assurance evidence.
- Reporting: Covers the types of reports, means of communication, and the info shared or communicated.
Ethics is not one of three categories of standards and guidelines. It is covered in the Code of Professional Ethics.
23.
Which of the following statements accurately describes the relationship between ISACA standards, guidelines, and the code of ethics?
- Audit guidelines are optional, while the standards and code of ethics are mandatory.
- Audit guidelines and the code of ethics are optional, while the standards are mandatory.
- Audit guidelines, the code of ethics, and standards are all optional.
- Audit guidelines and standards are optional, while the code of ethics is mandatory.
Correct answer: Audit guidelines are optional, while the standards and code of ethics are mandatory.
ISACA's ITAF is composed of guidelines, standards, a code of ethics, and tools/techniques. The audit guidelines are optional, while the standards and code of ethics are mandatory.
24.
High-end and mid-range servers can vary in processing power, with the highest-capacity servers being comparable to the mainframe. The smaller devices probably have a Windows operating system, while larger devices generally use which system?
- UNIX
- Java-based programming languages
- Microsoft cloud server
- VMware
Correct answer: UNIX
High-end servers are usually running UNIX. These are often used as database servers. Small units are more likely to use Windows and to be used as application servers or file servers. In general, mid-range servers are likely to use commercial products for their operating systems and software, unlike large mainframes that often have their own proprietary operating systems.
25.
A healthcare organization outsources its development of software apps to a third party. While the organization has a long-term contract with the third party, it creates short-term projects and needs to outline them in detail to hand over. What type of documents should the healthcare organization use for these orders?
- Statements of work
- SLAs
- Purchase orders
- RFPs
Correct answer: Statements of work
A statement of work, or work order, is similar to a contract but covers specific work that needs to be done. It can include details such as the work output, timelines, quality standards, and remedies.
A service level agreement (SLA) is a broad document that outlines expectations. A purchase order is a document that intends to purchase goods or services that are on offer. A request for proposals (RFP) is a document that is meant to solicit proposals for a project from vendors.
26.
Which tool is used to identify applications in an SLA that malfunctioned?
- Exception reports
- Operator problem reports
- Operator work schedules
- File-handling procedures
Correct answer: Exception reports
A service level agreement (SLA) is an agreement between the customer and the organization, detailing in non-technical terms what the customer can expect. Exception reports can be generated to identify applications that did not successfully complete or that malfunctioned.
Operator problem reports review user issues and their resolutions. Operator work schedules are used to ensure proper staffing. File-handling procedures ensure that files are handled properly.
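The exception report the explanation describes, written out as an added example that is not part of the original question bank: a Python script that parses constructed scheduler log lines and lists every run that failed, abended, timed out, ended with a non-zero return code, or exceeded an assumed SLA run-time limit. The log format, application names, and SLA limits are invented for illustration; a malformed line is included to show that the report flags it instead of silently dropping it.

```python
import re

# Constructed scheduler log lines for this example (not from any real system).
# Each completed run records the application, its end status, its return
# code and its elapsed time. Only status=OK with rc=0 counts as success.
LOG_LINES = """\
2024-03-01 02:00:13 app=PAYROLL_BATCH status=OK rc=0 elapsed=412s
2024-03-01 02:15:02 app=GL_POSTING status=FAILED rc=8 elapsed=37s
2024-03-01 02:30:44 app=AR_AGING status=OK rc=0 elapsed=98s
2024-03-01 03:00:01 app=INVENTORY_SYNC status=ABENDED rc=12 elapsed=5s
2024-03-01 03:20:19 app=PAYROLL_BATCH status=OK rc=4 elapsed=3980s
2024-03-01 04:00:00 app=BACKUP_NIGHTLY status=TIMEOUT rc=124 elapsed=7200s
corrupted line that the report must flag rather than crash on
""".splitlines()

# Assumed per-application run-time limits taken from the SLA (invented for
# this example); any run longer than this is an exception even if it ended cleanly.
SLA_MAX_ELAPSED_S = {"PAYROLL_BATCH": 3600, "BACKUP_NIGHTLY": 14400}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) app=(?P<app>\S+) "
    r"status=(?P<status>\S+) rc=(?P<rc>-?\d+) elapsed=(?P<elapsed>\d+)s$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rc"] = int(rec["rc"])
    rec["elapsed"] = int(rec["elapsed"])
    return rec


def exception_reasons(rec):
    """List why a run is an exception; an empty list means it completed normally."""
    reasons = []
    if rec["status"] != "OK":
        reasons.append(f"status {rec['status']}")
    if rec["rc"] != 0:
        reasons.append(f"rc {rec['rc']}")
    limit = SLA_MAX_ELAPSED_S.get(rec["app"])
    if limit is not None and rec["elapsed"] > limit:
        reasons.append(f"elapsed {rec['elapsed']}s > {limit}s")
    return reasons


def exception_report(lines):
    """Return (exceptions, unparsed): the runs that did not complete
    successfully or breached their SLA limit, and the lines that could not
    be parsed, which an auditor should treat as exceptions in their own right."""
    exceptions, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        reasons = exception_reasons(rec)
        if reasons:
            exceptions.append({**rec, "reasons": reasons})
    return exceptions, unparsed


if __name__ == "__main__":
    exceptions, unparsed = exception_report(LOG_LINES)
    for e in exceptions:
        print(f"{e['ts']} {e['app']:<16} {'; '.join(e['reasons'])}")
    for line in unparsed:
        print(f"UNPARSED: {line!r}")
```

Note that the second PAYROLL_BATCH run ends with status OK yet still appears on the report, once for its warning-level return code and once for breaching the run-time limit; a report that only filtered on the status field would miss both.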
27.
An ideal annual audit plan would include:
- All the processes that are rated "high"
- All the processes that are budgeted for within the next year
- All the long-term issues
- As many new acquisitions as possible
Correct answer: All the processes that are rated "high"
An ideal annual audit plan theoretically includes all the processes that are rated "high." Available resources are often inadequate for the execution of the entire ideal annual audit plan, but an audit plan that includes all "high" processes helps demonstrate to management the gap in resources and gives management an idea of the risks involved.
It is impractical to audit all the long-term issues or as many acquisitions as possible; therefore, they would not be included in an "ideal" annual audit plan.
28.
The IS auditor is set to review the dial-up connection and access controls. Which of the following tests should the auditor attempt during the review?
- Attempt to access from authorized and unauthorized dial-up lines
- Assess the maximum bandwidth of the dial-up connection and determine whether it supports the remote access service
- Confirm availability of the dial-up line and ensure it is available any time as needed
- Verify that the costs and authorized numbers are within the cost margins
Correct answer: Attempt to access from authorized and unauthorized dial-up lines
Remote access points should be locked down so that only authorized telephone lines can reach them. Attempting access from both authorized and unauthorized lines verifies whether the restriction actually works, that is, whether an attacker dialing in from an unauthorized line could reach the remote access service.
29.
All the following are types of penetration tests EXCEPT:
- Unit testing
- External testing
- Blind testing
- Targeted testing
Correct answer: Unit testing
Unit testing is a type of application test.
Penetration tests are as follows: external testing, which usually tests internet attacks; internal testing, which tests what an attack from a user within the network would do; blind testing, which occurs when a tester is provided with little information about the network; double-blind testing, where the staff of the target site is unaware of the test; and targeted testing, which is designed to verify security in specific areas.
30.
Which part of a business case document includes information on how business objectives will be measured?
- Metrics
- Budget
- Risks
- Business problem
Correct answer: Metrics
A typical business case includes sections on the business problem, feasibility study results, high-level project plan, budgeting, metrics, and risks. The metrics section has information about how benefits will be measured.
The budget section includes the costs of the project. The risks section includes potential risks and mitigation. The business problem section describes the issue that is being solved.
31.
An auditor is auditing a technology firm that has a lot of proprietary data that should not be leaked. During the audit, the auditor discovers that employees can easily transfer files to USB drives and take them from the office. To address this, the auditor recommends a DLP system. What class of control is the auditor recommending?
- Preventative
- Detective
- Deterrent
- Corrective
Correct answer: Preventative
A data loss prevention (DLP) system is a preventative control that actively stops users from exfiltrating data. This can be implemented by analyzing files crossing the network or by monitoring individual systems.
Detective controls only detect exceptions but do not act against them. Deterrent controls try to convince users not to engage in a malicious act. Corrective controls are activated after an unwanted event occurs.
32.
An IS auditor logs onto a terminal and waits to see if it automatically logs off after a specified period of inactivity. What type of testing are they doing?
- Minimizing unauthorized access
- Confidentiality
- Encryption
- Access authorization
Correct answer: Minimizing unauthorized access
Account settings for minimizing unauthorized access are used to reduce the risk of an unauthorized user gaining access. Terminals should automatically log off in case a user steps away from their system for a while.
A test of confidentiality involves assessing whether users divulge their passwords. A test of encryption includes examining system files that should be encrypted. A test of access authorization consists of matching the access rights that have actually been granted against the documented authorization rules.
33.
Part of protecting information is adopting a classification scheme. Which type of company information would be classified as sensitive?
- Unpublished financials
- Normal business emails
- Company brochures
- Employee handbooks
Correct answer: Unpublished financials
Sensitive information includes unpublished financials and company secrets. The information owner needs to decide on the appropriate classifications.
Normal business emails and employee handbooks can be considered private but not sensitive. Company brochures can be considered public information.
34.
An integrated audit typically includes all the following EXCEPT:
- Examination in detail of financial transactions
- Identification of risks in various areas of an organization
- Review of the designs of identified controls
- Testing that controls are supported by IT systems
Correct answer: Examination in detail of financial transactions
The integrated approach seeks to get a complete understanding of an organization by combining operational and financial audits with regard to IS. However, a detailed audit of financials should be completed by financial audit specialists. The integrated audit will focus on the controls in financial departments but not probe into detailed financial transactions.
An integrated audit includes identifying risks, reviewing the design of implemented controls, and testing that controls are supported by IT systems.
35.
A company outsources its application hosting and wants to ensure that the third party has adequate controls. All the following are ways they can do this, EXCEPT:
- SLAs
- Onsite visits
- Questionnaires
- SSAE 18
Correct answer: SLAs
Service level agreements (SLAs) define the level of service that a provider offers to a client. However, they are not a way of gaining assurance that controls are being implemented.
Onsite visits, questionnaires, and SSAE 18 can be used to gain assurance about controls at third parties.
36.
An IS auditor is working on a variable sampling because of the sheer number of transactions the organization being audited is performing. The auditor has divided the transactions into groups and drawn samples from each group. This is an example of which quantitative sampling model?
- Stratified mean-per-unit
- Unstratified mean-per-unit
- Difference estimation
- Stop-or-go sampling
Correct answer: Stratified mean-per-unit
Stratified mean per unit is a statistical model where the statistical data in question is broken down into various groups. From these groups, samples are drawn in order to produce a smaller overall sample size relative to the unstratified mean-per-unit.
Unstratified mean-per-unit is a statistical model where a sample mean is calculated and projected as an estimated total. Difference estimation is a statistical model used to estimate the total difference between audited values and book values based on differences obtained from sample observations. Stop-or-go sampling is an attribute sampling method.
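A worked version of the statistical models described above, added here as an illustration and not part of the original question bank. The transaction population, strata, and sample values are constructed. The code shows the mean-per-unit projection for one stratum, the stratified mean-per-unit estimate built by adding those projections up, a difference estimate of total misstatement, and the within-stratum versus pooled dispersion that is the reason stratifying lets the auditor get the same precision from a smaller overall sample.

```python
from statistics import mean, pstdev

# Constructed, illustrative data (not from any real audit). Each stratum
# lists the sampled transactions as (book_value, audited_value) pairs, and
# STRATUM_SIZES gives the number of transactions N_h in each stratum of
# the full population of 1,000 transactions.
STRATUM_SIZES = {"small": 900, "medium": 80, "large": 20}
BOOK_TOTAL = 185_000  # recorded ledger total of all 1,000 transactions (assumed)
SAMPLE = {
    "small":  [(50, 50), (48, 48), (52, 50), (50, 50), (49, 49), (51, 51)],
    "medium": [(500, 500), (510, 500), (490, 490), (500, 500)],
    "large":  [(5000, 4800), (5000, 5000), (5100, 5000)],
}


def mean_per_unit(sample_pairs, population_size):
    """Mean-per-unit: project the sample mean of the audited values over
    the population the sample was drawn from (here, one stratum)."""
    audited = [a for _, a in sample_pairs]
    return population_size * mean(audited)


def stratified_mean_per_unit(sample, sizes):
    """Stratified MPU: estimate each stratum with its own mean-per-unit
    projection, then add the stratum estimates together."""
    return sum(mean_per_unit(sample[name], n) for name, n in sizes.items())


def difference_estimation(sample, sizes, book_total):
    """Difference estimation: project the sampled (audited - book)
    differences onto each stratum, sum them, and adjust the recorded
    book total. Returns (estimated total misstatement, estimated true total)."""
    total_diff = 0.0
    for name, n in sizes.items():
        diffs = [audited - book for book, audited in sample[name]]
        total_diff += n * mean(diffs)
    return total_diff, book_total + total_diff


def stratum_dispersion(sample):
    """Standard deviation of audited values inside each stratum versus
    across the pooled sample. The large gap is what stratification buys:
    homogeneous strata need fewer items for the same precision."""
    within = {name: pstdev([a for _, a in pairs]) for name, pairs in sample.items()}
    pooled = pstdev([a for pairs in sample.values() for _, a in pairs])
    return within, pooled


if __name__ == "__main__":
    est = stratified_mean_per_unit(SAMPLE, STRATUM_SIZES)
    diff, adjusted = difference_estimation(SAMPLE, STRATUM_SIZES, BOOK_TOTAL)
    within, pooled = stratum_dispersion(SAMPLE)
    print(f"stratified mean-per-unit estimate of total: {est:,.2f}")
    print(f"projected misstatement: {diff:,.2f} -> estimated true total {adjusted:,.2f}")
    print(f"pooled std dev {pooled:,.1f} vs within-stratum " +
          ", ".join(f"{k}={v:,.1f}" for k, v in within.items()))
```

The two estimates of the true total differ slightly because mean-per-unit projects the audited values themselves, while difference estimation projects only the errors found and leans on the recorded book total for the rest; when errors are rare and small relative to the values, the difference estimate is usually the tighter of the two.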
37.
An IS auditor is examining a feasibility study for a company's new project. The study identifies a critical business need that the project will fulfill. It also presents a single solution to achieve the objective. The reasonableness of this solution is evaluated based on its strengths and weaknesses. Next, the cost benefits are verified, and the document is reviewed.
After looking through the feasibility study, what should an auditor recommend?
- Include alternative solutions that could achieve the goal
- Focus on multiple business needs to fulfill
- Evaluate the solution based on time until completion
- Remove the cost-benefit analysis
Correct answer: Include alternative solutions that could achieve the goal
In the feasibility study, multiple alternatives should be considered to achieve the solution. The chosen approach should be compared against these alternatives.
A feasibility study can focus on a single business need. Timelines and milestones do not need to be included in a feasibility study. A cost-benefit analysis is useful in a feasibility study.
38.
Fire-suppression systems can be divided into total flooding and local application systems. What is the PRIMARY difference between the two?
- Local application systems lack physical barriers enclosing the fire space.
- Total flooding systems rely on water.
- Total flooding systems are appropriate for large office complexes.
- Local application systems are more difficult to test.
Correct answer: Local application systems lack physical barriers enclosing the fire space.
Total flooding designs differ from local application systems in that local application designs do not have physical barriers enclosing the fire space. Total flooding designs apply the extinguishing agent in the enclosed space where the fire is, thereby achieving a concentration that extinguishes the fire. Local application design applies the extinguishing agent directly onto the fire or into the region immediately surrounding the fire.
39.
In order to grasp the operations and security of the LAN of an organization, an IS audit should identify and document a few things. Which of the following is NOT a detail the auditor should collect?
- Usernames and passwords
- Users or groups with privileged access rights
- LAN topology and network design
- Computer applications on the LAN
Correct answer: Usernames and passwords
Maintaining a list of usernames and passwords is extremely risky and should be avoided at all costs. An IS auditor should be looking for information about the privileges and users of those privileges on the network instead of items such as passwords.
User accounts and groups with elevated access rights should be reviewed periodically to ensure they have the appropriate levels of access. The LAN topology and design are important to understand where nodes lie and how they are accessed to ensure there are no vulnerabilities. Applications used on the LAN are important, as they can have unintended interactions or vulnerabilities.
40.
A business continuity plan (BCP) should be written to minimize the impact of disruptions. What should be done FIRST when developing a disaster recovery plan (DRP) or a BCP?
- Conduct a risk assessment
- Choose appropriate controls and measures for recovering IT components
- Test the plans
- Develop a detailed plan for critical business functions
Correct answer: Conduct a risk assessment
The BCP should be based on the long-range IT plan and should support and align with the overall business continuity strategy. Therefore, the process of developing and maintaining an effective DRP/BCP would be to:
- Conduct a risk assessment
- Prepare a BIA of the effect of the loss of critical business processes and their supporting components
- Choose appropriate controls and measures for recovering IT components
- Develop a detailed plan for recovering IS facilities (DRP)
- Develop a detailed plan for critical business functions to continue to operate at an acceptable level
- Test the plans
- Maintain the plans as the business changes and systems develop