
Free Isaca CISA Practice Exam with Questions & Answers | Set: 7

Questions 301

During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority.

Which of the following is the BEST recommendation to help prevent this situation in the future?

Options:
A.

Introduce escalation protocols.

B.

Develop a competency matrix.

C.

Implement fallback options.

D.

Enable an emergency access ID.

Questions 302

What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?

Options:
A.

Determine service level requirements.

B.

Complete a risk assessment.

C.

Perform a business impact analysis (BIA).

D.

Conduct a vendor audit.

Questions 303

Which of the following is the BEST reason to implement a data retention policy?

Options:
A.

To establish a recovery point objective (RPO) for disaster recovery procedures

B.

To limit the liability associated with storing and protecting information

C.

To document business objectives for processing data within the organization

D.

To assign responsibility and ownership for data protection outside IT

Questions 304

An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?

Options:
A.

Hardware configurations

B.

Access control requirements

C.

Help desk availability

D.

Perimeter network security diagram

Questions 305

An IS auditor should be MOST concerned if which of the following fire suppression systems is utilized to protect an asset storage closet?

Options:
A.

Deluge system

B.

Wet pipe system

C.

Preaction system

D.

CO2 system

Questions 306

An organization has partnered with a third party to transport backup drives to an offsite storage facility. Which of the following is MOST important before sending the drives?

Options:
A.

Creating a chain of custody to accompany the drive in transit

B.

Ensuring data protection is aligned with the data classification policy

C.

Encrypting the drive with strong protection standards

D.

Ensuring the drive is placed in a tamper-evident mechanism

Questions 307

The BEST way to evaluate the effectiveness of a newly developed application is to:

Options:
A.

perform a post-implementation review.

B.

analyze load testing results.

C.

perform a secure code review.

D.

review acceptance testing results.

Questions 308

Which type of risk would MOST influence the selection of a sampling methodology?

Options:
A.

Inherent

B.

Residual

C.

Control

D.

Detection

Questions 309

Aligning IT strategy with business strategy PRIMARILY helps an organization to:

Options:
A.

optimize investments in IT.

B.

create risk awareness across business units.

C.

increase involvement of senior management in IT.

D.

monitor the effectiveness of IT.

Questions 310

Which type of attack targets security vulnerabilities in web applications to gain access to data sets?

Options:
A.

Denial of service (DOS)

B.

SQL injection

C.

Phishing attacks

D.

Rootkits

Questions 311

Which of the following is MOST important for the successful establishment of a security vulnerability management program?

Options:
A.

A robust tabletop exercise plan

B.

A comprehensive asset inventory

C.

A tested incident response plan

D.

An approved patching policy

Questions 312

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?

Options:
A.

Review the list of end users and evaluate for authorization.

B.

Report this control process weakness to senior management.

C.

Verify management's approval for this exemption.

D.

Obtain a verbal confirmation from IT for this exemption.

Questions 313

Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:

Options:
A.

eliminated.

B.

unchanged.

C.

increased.

D.

reduced.

Questions 314

The PRIMARY objective of a control self-assessment (CSA) is to:

Options:
A.

educate functional areas on risks and controls.

B.

ensure appropriate access controls are implemented.

C.

eliminate the audit risk by leveraging management's analysis.

D.

gain assurance for business functions that cannot be audited.

Questions 315

Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?

Options:
A.

To prevent confidential data loss

B.

To comply with legal and regulatory requirements

C.

To identify data at rest and data in transit for encryption

D.

To provide options to individuals regarding use of their data

Questions 316

The PRIMARY purpose of an incident response plan is to:

Options:
A.

reduce the impact of an adverse event on information assets.

B.

increase the effectiveness of preventive controls.

C.

reduce the maximum tolerable downtime (MTD) of impacted systems.

D.

increase awareness of impacts from adverse events to IT systems.

Questions 317

Which of the following is the MAIN responsibility of the IT steering committee?

Options:
A.

Reviewing and assisting with IT strategy integration efforts

B.

Developing and assessing the IT security strategy

C.

Implementing processes to integrate security with business objectives

D.

Developing and implementing the secure system development framework

Questions 318

An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor's independence?

Options:
A.

The auditor implemented a specific control during the development of the system.

B.

The auditor provided advice concerning best practices.

C.

The auditor participated as a member of the project team without operational responsibilities.

D.

The auditor designed an embedded audit module exclusively for audit.

Questions 319

An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?

Options:
A.

Document the findings in the audit report.

B.

Identify who approved the policies.

C.

Escalate the situation to the lead auditor.

D.

Communicate the observation to the auditee.

Questions 320

An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues. What is the MOST likely cause?

Options:
A.

Database clustering

B.

Data caching

C.

Reindexing of the database table

D.

Load balancing

Questions 321

An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

Options:
A.

To collect digital evidence of cyberattacks

B.

To attract attackers in order to study their behavior

C.

To provide training to security managers

D.

To test the intrusion detection system (IDS)

Questions 322

The use of which of the following would BEST enhance a process improvement program?

Options:
A.

Model-based design notations

B.

Balanced scorecard

C.

Capability maturity models

D.

Project management methodologies

Questions 323

An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?

Options:
A.

Software developers may adopt inappropriate technology.

B.

Project managers may accept technology risks exceeding the organization's risk appetite.

C.

Key decision-making entities for technology risk have not been identified.

D.

There is no clear approval entity for organizational security standards.

Questions 324

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Options:
A.

Target architecture is defined at a technical level.

B.

The previous year's IT strategic goals were not achieved.

C.

Strategic IT goals are derived solely from the latest market trends.

D.

Financial estimates of new initiatives are disclosed within the document.

Questions 325

In an organization's feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?

Options:
A.

Alternatives for financing the acquisition

B.

Financial stability of potential vendors

C.

Reputation of potential vendors

D.

Cost-benefit analysis of available products

Questions 326

An IS auditor is conducting a physical security audit of a healthcare facility and finds closed-circuit television (CCTV) systems located in a patient care area. Which of the following is the GREATEST concern?

Options:
A.

Cameras are not monitored 24/7.

B.

There are no notices indicating recording is in progress.

C.

The retention period for video recordings is undefined.

D.

There are no backups of the videos.

Questions 327

Which of the following is BEST used for detailed testing of a business application's data and configuration files?

Options:
A.

Version control software

B.

Audit hooks

C.

Utility software

D.

Audit analytics tool

Questions 328

The following findings are the result of an IS auditor's post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?

Options:
A.

A lessons-learned session was never conducted.

B.

The project's 10% budget overrun was not reported to senior management.

C.

Measurable benefits were not defined.

D.

Monthly dashboards did not always contain deliverables.

Questions 329

Which of the following is MOST important for an IS auditor to verify when evaluating the upgrade of an organization's enterprise resource planning (ERP) application?

Options:
A.

Application-related documentation was updated to reflect the changes in the new version.

B.

Security configurations were appropriately applied to the new version.

C.

Users were provided security training on the new version.

D.

Lessons learned analysis was documented after the upgrade.

Questions 330

Which of the following is the MOST important consideration when establishing operational log management?

Options:
A.

Types of data

B.

Log processing efficiency

C.

IT organizational structure

D.

Log retention period

Questions 331

Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?

Options:
A.

Route the traffic from the sensor system through a proxy server.

B.

Hash the data that is transmitted from the sensor system.

C.

Implement network address translation on the sensor system.

D.

Transmit the sensor data via a virtual private network (VPN) to the server.
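Question 331 asks how to protect the integrity of readings arriving from sensors outside the network. The practitioner's caveat is that an unkeyed hash only detects accidental corruption: an on-path attacker who can rewrite the reading can just as easily recompute the hash, because no secret is needed. A keyed MAC (HMAC) over the data closes that gap. The following is an added example, not part of the exam material; the shared key, the message layout (`payload|tag`) and the sensor readings are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumed shared secret provisioned to the sensor and the server out of band.
# Hypothetical value for the example only; a real deployment uses a per-device key.
SHARED_KEY = b"example-sensor-key-not-for-production"


def _serialize(reading: dict) -> bytes:
    # Canonical JSON so sender and receiver hash byte-identical payloads.
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def send_with_hash(reading: dict) -> bytes:
    """Unkeyed integrity check: payload followed by SHA-256 of the payload."""
    payload = _serialize(reading)
    return payload + b"|" + hashlib.sha256(payload).hexdigest().encode()


def receive_with_hash(message: bytes):
    """Accepts the reading if the unkeyed hash matches; returns None otherwise."""
    payload, _, digest = message.rpartition(b"|")
    if hashlib.sha256(payload).hexdigest().encode() != digest:
        return None
    return json.loads(payload)


def send_with_hmac(reading: dict, key: bytes = SHARED_KEY) -> bytes:
    """Keyed integrity check: payload followed by HMAC-SHA256 under the shared key."""
    payload = _serialize(reading)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


def receive_with_hmac(message: bytes, key: bytes = SHARED_KEY):
    """Recomputes the tag and compares in constant time; None means tampered."""
    payload, _, tag = message.rpartition(b"|")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def attacker_rewrite(message: bytes, new_reading: dict) -> bytes:
    """Simulates an on-path attacker who replaces the reading.

    If the trailer is a plain SHA-256 of the payload, the attacker simply
    recomputes it for the new payload. If it is an HMAC, the attacker has no
    key and can only leave the old tag in place.
    """
    payload, _, tag = message.rpartition(b"|")
    new_payload = _serialize(new_reading)
    if hashlib.sha256(payload).hexdigest().encode() == tag:
        return new_payload + b"|" + hashlib.sha256(new_payload).hexdigest().encode()
    return new_payload + b"|" + tag


# Constructed sample readings (not from the page).
READING = {"sensor": "temp-07", "seq": 41, "value": 21.5}
FORGED = {"sensor": "temp-07", "seq": 41, "value": 99.0}

if __name__ == "__main__":
    # Unkeyed hash: the forged reading is accepted as genuine.
    print(receive_with_hash(attacker_rewrite(send_with_hash(READING), FORGED)))
    # HMAC: the forged reading is rejected (None).
    print(receive_with_hmac(attacker_rewrite(send_with_hmac(READING), FORGED)))
```

An HMAC proves the bytes came from a holder of the key and were not altered; it does not by itself stop replay of an old, validly tagged message, so the signed payload should carry a sequence number or timestamp that the server tracks. Transporting the data over a VPN (option D) gives the same integrity property on the wire through the tunnel's own MAC, but only between the tunnel endpoints.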

Questions 332

Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's IT strategy development process?

Options:
A.

The IT strategy was developed before the business plan.

B.

A business impact analysis (BIA) was not performed to support the IT strategy.

C.

The IT strategy was developed based on the current IT capability.

D.

Information security was not included as a key objective in the IT strategic plan.

Questions 333

Capacity management tools are PRIMARILY used to ensure that:

Options:
A.

available resources are used efficiently and effectively.

B.

computer systems are used to their maximum capacity most of the time.

C.

concurrent use by a large number of users is enabled.

D.

proposed hardware acquisitions meet capacity requirements.

Questions 334

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

Options:
A.

Re-partitioning

B.

Degaussing

C.

Formatting

D.

Data wiping

Questions 335

Which of the following is MOST important to consider when reviewing an organization's defined data backup and restoration procedures?

Options:
A.

Business continuity plan (BCP)

B.

Recovery point objective (RPO)

C.

Mean time to restore (MTTR)

D.

Mean time between failures (MTBF)

Questions 336

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

Options:
A.

Include the requirement in the incident management response plan.

B.

Establish key performance indicators (KPIs) for timely identification of security incidents.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Engage an external security incident response expert for incident handling.

Questions 337

Which of the following is the BEST method to prevent wire transfer fraud by bank employees?

Options:
A.

Independent reconciliation

B.

Re-keying of wire dollar amounts

C.

Two-factor authentication control

D.

System-enforced dual control

Questions 338

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

Options:
A.

recommend that the option to directly modify the database be removed immediately.

B.

recommend that the system require two persons to be involved in modifying the database.

C.

determine whether the log of changes to the tables is backed up.

D.

determine whether the audit trail is secured and reviewed.

Questions 339

An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

Options:
A.

Verify the disaster recovery plan (DRP) has been tested.

B.

Ensure the intrusion prevention system (IPS) is effective.

C.

Assess the security risks to the business.

D.

Confirm the incident response team understands the issue.

Questions 340

During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:

Options:
A.

note the noncompliance in the audit working papers.

B.

issue an audit memorandum identifying the noncompliance.

C.

include the noncompliance in the audit report.

D.

determine why the procedures were not followed.

Questions 341

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

Options:
A.

Implement overtime pay and bonuses for all development staff.

B.

Utilize new system development tools to improve productivity.

C.

Recruit IS staff to expedite system development.

D.

Deliver only the core functionality on the initial target date.

Questions 342

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

Options:
A.

Agile auditing

B.

Continuous auditing

C.

Outsourced auditing

D.

Risk-based auditing

Questions 343

The decision to accept an IT control risk related to data quality should be the responsibility of the:

Options:
A.

information security team.

B.

IS audit manager.

C.

chief information officer (CIO).

D.

business owner.

Questions 344

What is the BEST control to address SQL injection vulnerabilities?

Options:
A.

Unicode translation

B.

Secure Sockets Layer (SSL) encryption

C.

Input validation

D.

Digital signatures

Questions 345

Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

Options:
A.

Monitor access to stored images and snapshots of virtual machines.

B.

Restrict access to images and snapshots of virtual machines.

C.

Limit creation of virtual machine images and snapshots.

D.

Review logical access controls on virtual machines regularly.

Questions 346

Which of the following BEST indicates the effectiveness of an organization's risk management program?

Options:
A.

Inherent risk is eliminated.

B.

Residual risk is minimized.

C.

Control risk is minimized.

D.

Overall risk is quantified.

Questions 347

An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

Options:
A.

phishing.

B.

denial of service (DoS).

C.

structured query language (SQL) injection.

D.

buffer overflow.

Questions 348

Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

Options:
A.

To determine whether project objectives in the business case have been achieved

B.

To ensure key stakeholder sign-off has been obtained

C.

To align project objectives with business needs

D.

To document lessons learned to improve future project delivery

Questions 349

An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization's objectives?

Options:
A.

Assessment of the personnel training processes of the provider

B.

Adequacy of the service provider's insurance

C.

Review of performance against service level agreements (SLAs)

D.

Periodic audits of controls by an independent auditor

Questions 350

From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

Options:
A.

Inability to close unused ports on critical servers

B.

Inability to identify unused licenses within the organization

C.

Inability to deploy updated security patches

D.

Inability to determine the cost of deployed software

Exam Code: CISA
Certification Provider: Isaca
Exam Name: Certified Information Systems Auditor
Last Update: Jul 13, 2025
Questions: 1407
