Certified Information Systems Auditor Exam (CISA) UPDATED VERSION QUESTIONS AND CORRECT ANSWERS LATEST UPDATE THIS YEAR
Question: Biometrics is a security technique used in modern systems and implementations to verify identity by analyzing a unique physical attribute of an individual, such as a handprint. Identify a valid example of a biometric replay attack from the following.
A. Use in multi-factor authentication (MFA) to authorize access
B. Using a copy of the impression left on the thumbprint scanner
C. Use of stolen biometric information to launch a brute force attack
D. Use of shoulder surfing to gain unauthorized access - CORRECT ANSWER✔✔B. A biometric replay attack is carried out using residual biometric information, such as a thumb impression left on a biometric scanner. The other options are incorrect.
Question: During a compliance audit of a small local cooperative bank, the information systems auditor discovers that both the technology and accounting functions are being performed by the same user of the financial system. Identify the best supervisory review control from the following:
A. Database table dump containing audit trails of the date/time of each transaction
B. Daily summary of the number of transactions and the sum total of the value of each transaction
C. User account administration report
D. Computer log files that show individual transactions in the financial system - CORRECT ANSWER✔✔D. While other supervisory review controls are important, the most important in this situation is to review the computer log files that show individual transactions in the financial system.
Question: Lisa, an information systems auditor at AZ Systems, while conducting a review of the UNIX system administration function, observed that a shared user id is used by the team of ten administrators. Identify the concern that Lisa may have with this observation.
A. Risk of passwords not being reset at the desired frequency
B. Risk of an outsider being able to gain unauthorized access
C. No concern, since the user ids are only shared amongst the administrators
D. Difficulty in tracing admin actions and dilution of accountability - CORRECT ANSWER✔✔D. If one user id is shared amongst multiple administrators, there is no clear traceability of performed activities to an identifiable individual. This leads to the dilution of accountability and is a risk. Additionally, this may lead to weak account lifecycle management and also exposes the organization to the risk of passwords being leaked to an outsider due to the dilution of accountability.
Question: Manuel, CFO at Evergreen Bank, has requested that business continuity plans (BCP) be reviewed and updated as needed. As part of this exercise, the business impact analysis (BIA) is also being reviewed and re-validated. Identify from the following the primary purpose of BIA in business continuity planning.
A. Identify events impacting business and operational continuity
B. Ensuring adequate coverage of diverse operations resumption requirements
C. Senior management emphasis on physical and logical security
D. Emphasize information security and data privacy requirements - CORRECT ANSWER✔✔A. Business impact analysis (BIA) is a key step in business continuity strategy development and in the implementation of countermeasures, known altogether as the business continuity plan (BCP). BIA identifies events impacting business and operational continuity, which are then used in the development of an effective business continuity plan.
Question: Frank, an information security analyst at Micro Lending Inc, has been tasked to classify enterprise information assets. Identify from the following the primary control objective for this classification.
A. Establish information asset access control guidelines
B. Ensure all information assets have the same level of rigorous access controls
C. Input to a risk assessment performed by management and auditors
D. Determine which information assets are to be insured - CORRECT ANSWER✔✔A. Information asset classification helps to establish information asset access control guidelines in the firm. Information assets need access controls based on the sensitivity and criticality of systems and data in order to meet business objectives and regulatory requirements.
Question: Bily is an information systems auditor at Easy Micropayments. The organization has recently been downsized. In addition, an organizational restacking exercise has also taken place. Identify Bily's primary focus in a logical access controls review initiated soon after this event.
A. The auditor is concerned that all system access is authorized and appropriate for an individual's role and responsibilities, considering the leavers/movers in the organization
B. The auditor wants to ensure that management has authorized appropriate access for all newly hired individuals
C. The auditor wants to ensure that the existing process of access authorization forms, which is used to grant or modify access to individuals, remains operational
D. The auditor wants to ensure that only the system administrators have the authority to grant or modify access to individuals - CORRECT ANSWER✔✔A. The auditor's primary focus will be to test logical access control to ensure that access for all leavers has been revoked and that, for those who have changed roles, all system access is authorized and appropriate for an individual's role and