(GRADED A+)
A system development project is experiencing delays due to ongoing staff shortages.
Which of the following strategies would provide the GREATEST assurance of system
quality at implementation?
A. Implement overtime pay and bonuses for all development staff.
B. Utilize new system development tools to improve productivity.
C. Recruit IS staff to expedite system development.
D. Deliver only the core functionality on the initial target date. - Answer- C. Recruit IS
staff to expedite system development.
Which of the following should be done FIRST when planning a penetration test?
A. Execute nondisclosure agreements (NDAs).
B. Determine reporting requirements for vulnerabilities.
C. Define the testing scope.
D. Obtain management consent for the testing. - Answer- D. Obtain management
consent for the testing.
Due to limited storage capacity, an organization has decided to reduce the actual
retention period for media containing completed low-value transactions. Which of the
following is MOST important for the organization to ensure?
A. The policy includes a strong risk-based approach.
B. The retention period allows for review during the year-end audit.
C. The total transaction amount has no impact on financial reporting.
D. The retention period complies with data owner responsibilities. - Answer- D. The
retention period complies with data owner responsibilities.
During the implementation of an upgraded enterprise resource planning (ERP) system,
which of the following is the MOST important consideration for a go-live decision?
A. Rollback strategy
B. Test cases
C. Post-implementation review objectives
D. Business case - Answer- A. Rollback strategy
Which of the following is MOST useful for determining whether the goals of IT are
aligned with the organization's goals?
A. Balanced scorecard
B. Enterprise dashboard
C. Enterprise architecture (EA)
D. Key performance indicators (KPIs) - Answer- B. Enterprise dashboard
During a disaster recovery audit, an IS auditor finds that a business impact analysis
(BIA) has not been performed. The auditor should FIRST
A. perform a business impact analysis (BIA).
B. issue an intermediate report to management.
C. evaluate the impact on current disaster recovery capability.
D. conduct additional compliance testing. - Answer- C. evaluate the impact on current
disaster recovery capability.
Which of the following is the MOST effective control for protecting the confidentiality and
integrity of data stored unencrypted on virtual machines?
A. Monitor access to stored images and snapshots of virtual machines.
B. Restrict access to images and snapshots of virtual machines.
C. Limit creation of virtual machine images and snapshots.
D. Review logical access controls on virtual machines regularly. - Answer- A. Monitor
access to stored images and snapshots of virtual machines.
An IS auditor is examining a front-end subledger and a main ledger. Which of the
following would be the GREATEST concern if there are flaws in the mapping of
accounts between the two systems?
A. Double-posting of a single journal entry
B. Inability to support new business transactions
C. Unauthorized alteration of account attributes
D. Inaccuracy of financial reporting - Answer- D. Inaccuracy of financial reporting
What is MOST important to verify during an external assessment of network
vulnerability?
A. Update of security information event management (SIEM) rules
B. Regular review of the network security policy
C. Completeness of network asset inventory
D. Location of intrusion detection systems (IDS) - Answer- C. Completeness of network
asset inventory
A data breach has occurred due to malware. Which of the following should be the
FIRST course of action?
A. Notify the cyber insurance company.
B. Shut down the affected systems.
C. Quarantine the impacted systems.
D. Notify customers of the breach. - Answer- C. Quarantine the impacted systems.
Which of the following should an IS auditor be MOST concerned with during a post-
implementation review?
A. The system does not have a maintenance plan.
B. The system contains several minor defects.
C. The system deployment was delayed by three weeks.
D. The system was over budget by 15%. - Answer- A. The system does not have a
maintenance plan.
Which of the following would BEST demonstrate that an effective disaster recovery plan
(DRP) is in place?
A. Frequent testing of backups
B. Annual walk-through testing
C. Periodic risk assessment
D. Full operational test - Answer- D. Full operational test
Which of the following is the BEST way to mitigate the impact of ransomware attacks?
A. Invoking the disaster recovery plan (DRP)
B. Backing up data frequently
C. Paying the ransom
D. Requiring password changes for administrative accounts - Answer- B. Backing up
data frequently
An IT balanced scorecard is the MOST effective means of monitoring:
A. governance of enterprise IT.
B. control effectiveness.
C. return on investment (ROI).
D. change management effectiveness. - Answer- A. governance of enterprise IT.
When reviewing an organization's information security policies, an IS auditor should
verify that the policies have been defined PRIMARILY on the basis of:
A. a risk management process.
B. an information security framework.
C. past information security incidents.
D. industry best practices. - Answer- B. an information security framework.
Which of the following would be an IS auditor's GREATEST concern when reviewing the
early stages of a software development project?
A. The lack of technical documentation to support the program code
B. The lack of completion of all requirements at the end of each sprint
C. The lack of acceptance criteria behind user requirements.
D. The lack of a detailed unit and system test plan - Answer- C. The lack of acceptance
criteria behind user requirements.
Which of the following is the BEST data integrity check?
A. Counting the transactions processed per day
B. Performing a sequence check
C. Tracing data back to the point of origin
D. Preparing and running test data - Answer- C. Tracing data back to the point of origin
Spreadsheets are used to calculate project cost estimates. Totals for each cost
category are then keyed into the job-costing system. What is the BEST control to
ensure that data is accurately entered into the system?
A. Reconciliation of total amounts by project
B. Validity checks, preventing entry of character data
C. Reasonableness checks for each cost type
D. Display back of project detail after entry - Answer- C. Reasonableness checks for
each cost type
An incorrect version of source code was amended by a development team. This MOST
likely indicates a weakness in:
A. incident management.
B. quality assurance (QA).
C. change management.
D. project management. - Answer- C. change management.
An organization's audit charter PRIMARILY:
A. describes the auditors' authority to conduct audits.
B. defines the auditors' code of conduct.
C. formally records the annual and quarterly audit plans.
D. documents the audit process and reporting standards. - Answer- A. describes the
auditors' authority to conduct audits.