CISA Sample Exam Answers and Justifications
1. Which of the following would an IS auditor FIRST reference when performing an IS audit?

A. Implemented procedures
B. Approved policies
C. Internal standards
D. Documented practices

B is the correct answer.

Justifications:
A. Procedures are implemented in accordance with policy.
B. Policies are high-level documents that represent the corporate philosophy of an
organization. Internal standards, procedures and practices are subordinate to
policy.
C. Standards are subordinate to policy.
D. Practices are subordinate to policy.

2. De-normalization of the relational database would PRIMARILY result in:

A. referential integrity issues.
B. increased database optimization.
C. increased data redundancy.
D. loss of table indexes.

C is the correct answer.

Justifications:
A. De-normalization may affect data integrity, but it would not affect referential integrity.
Referential integrity is affected by the use of primary and foreign keys.
B. Databases are not optimized by de-normalization. Although performance may improve,
data redundancy may result in other non-optimal consequences.
C. When a database is normalized, the data is spread across tables. When the database
is de-normalized, the tables hold duplicate data because there are fewer tables to
store it. An IS auditor would expect to see an increase in the size of the database
as a result of the data redundancy.
D. Indexing is independent of normalization.

©2019 ISACA. All Rights Reserved. Page 1


3. During the review of an enterprise’s preventive maintenance process for systems at a data
center, the IS auditor has determined that adequate maintenance is being performed on all
critical computing, power and cooling systems. Additionally, it is MOST important for the
IS auditor to ensure that the organization:

A. has performed background checks on all service personnel.
B. escorts service personnel at all times when performing their work.
C. performs maintenance during noncritical processing times.
D. independently verifies that maintenance is being performed.

C is the correct answer.

Justification:
A. While the trustworthiness of the service personnel is important, it is normal practice for
these individuals to be escorted and supervised by the data center personnel. It is also
expected that the service provider would perform this background check, not the
customer.
B. Escorting service personnel is common and a good practice, but the greater risk in this
case would be if work were performed during critical processing times.
C. The biggest risk to normal operations in a data center would be if an incident or
mishap were to happen during critical peak processing times; therefore, it would be
prudent to ensure that no type of system maintenance be performed at these critical
times.
D. It is possible that the service provider is performing inadequate maintenance; therefore,
this issue may need to be investigated; however, the bigger risk is maintenance being
performed at critical processing times.

4. Which of the following backup techniques is the MOST appropriate when an organization
requires extremely granular data restore points, as defined in the recovery point objective?

A. Virtual tape libraries
B. Disk-based snapshots
C. Continuous data backup
D. Disk-to-tape backup

C is the correct answer.

Justification:
A. Virtual tape libraries would require time to complete the backup, while continuous data
backup happens online (in real time).
B. Disk-based snapshots would require time to complete the backup and would lose some
data between the times of the backup and the failure, while continuous data backup
happens online (in real time).
C. Recovery point objective (RPO) is based on the acceptable data loss in the case of a
disruption. In this scenario the organization needs a short RPO and continuous data
backup is the best option.
D. Disk-to-tape backup would require time to complete the backup, while continuous data
backup happens online (in real time).

5. During an audit, which of the following situations would be MOST concerning for an
organization that significantly outsources IS processing to a private network?

A. The contract does not contain a right-to-audit clause for the third party.
B. The contract was not reviewed by an information security subject matter expert prior to
signing.
C. The IS outsourcing guidelines are not approved by the board of directors.
D. There is a lack of well-defined IS performance evaluation procedures.

A is the correct answer.

Justifications:
A. Lack of a right-to-audit clause in the contract would impact the IS auditor’s ability
to perform the IS audit. Hence, the IS auditor would be most concerned with such a
situation. In the case of outsourcing to a private network, the organization should
ensure that the third party has a minimum set of IT security controls in place and
that they are operating effectively.
B. Having an information security subject matter expert review a contract is a good practice,
but it is not a requirement in all industries.
C. Approval of the IS outsourcing guidelines by the board is a good practice of governance,
and lack of approval is an audit issue. However, it would not impact the IS auditor’s
ability to perform IS audit.
D. Lack of well-defined procedures would not enable objective evaluation of IS
performance and is an audit issue. However, it would not result in major risk or
repercussions and would not impact the IS auditor’s ability to perform an IS audit.

6. Who should be accountable for ensuring access rights to corporate web applications are
revoked when user termination occurs?

A. Security administrators
B. Data owners
C. Data custodians
D. Web administrators

B is the correct answer.

Justifications:
A. Security administrators have the ability to implement changes requested by the data
owners.
B. Data owners are accountable for alignment of access rights with workforce
requirements. In general, data owners do not make such changes themselves, but
they must make sure the changes are made.
C. Data custodians (e.g., system analysts or computer operators) are responsible for storing
and safeguarding corporate data. Ultimately, the data owner is accountable for ensuring
access is revoked.
D. Web administrators are responsible for the maintenance of the web servers and not access
rights.

7. Which of the following is the MOST important critical success factor of implementing a
risk-based approach to the IT system life cycle?

A. Adequate involvement of stakeholders
B. Selection of a risk management framework
C. Identification of risk mitigation strategies
D. Understanding of the regulatory environment

A is the correct answer.

Justification:
A. The most important critical success factor (CSF) is the adequate involvement and
support of the various quality assurance, privacy, legal, audit, regulatory affairs or
compliance teams in high regulatory risk situations. Some IT system changes may,
based on risk ratings, require sign-off from key stakeholders before proceeding.
B. Selecting a risk management framework helps the organization define the approach to
addressing risk but still requires adequate involvement of stakeholders to be successful.
C. Identifying risk mitigation strategies helps the organization define the approach to
addressing risk, but still requires adequate involvement of stakeholders to be successful.
D. Having an understanding of the regulatory environment is important to ensure that risk is
addressed in the context of the applicable regulation, but adequate stakeholder
involvement is more important and once engaged the regulatory requirements would also
be covered.

8. Which of the following carries the LOWEST risk when managing failures while
transitioning from legacy applications to new applications?

A. Phased changeover
B. Abrupt changeover
C. Rollback procedure
D. Parallel changeover

D is the correct answer.

Justification:
A. Phased changeover involves the changeover from the old system to the new system in a
phased manner. Therefore, at no time will the old system and the new system both be
fully operational as one integrated system.
B. In abrupt changeover, the new system is changed from the old system on a cutoff date
and time, and the old system is discontinued after changeover to the new system takes
place. Therefore, the old system is not available as a backup if there are problems when
the new system is implemented.
C. Rollback procedures involve restoring all systems to their previous working state;
however, parallel changeover is the better strategy.
D. Parallel changeover involves first running the old system, then running both the old
and new systems in parallel, and finally fully changing to the new system after
gaining confidence in the functionality of the new system.

9. An employee who has access to highly confidential information has resigned. Upon
departure, which of the following should be done FIRST?

A. Conduct an exit interview with the employee.
B. Ensure succession plans are in place.
C. Revoke the employee’s access to all systems.
D. Review the employee’s job history.

C is the correct answer.

Justifications:
A. It is important to have an exit interview with any employee; however, this would not be
the first step to take upon the employee’s departure to protect the confidentiality of
information.
B. Succession plans are important to prevent disruption of operations. This would address
availability and not confidentiality of information.
C. If an employee has dealt with highly classified information, the first step would be to
revoke their access to all systems to prevent exfiltration of data and restrict access to
the information.
D. Keeping a record of the job history is important; however, its effectiveness may be
limited.

10. Which of the following sampling methods is the MOST appropriate for testing automated
invoice authorization controls to ensure that exceptions are not made for specific users?

A. Variable sampling
B. Judgmental sampling
C. Stratified random sampling
D. Systematic sampling

C is the correct answer.

Justifications:
A. Variable sampling is used for substantive testing to determine the monetary or volumetric
impact of characteristics of a population. This would not be most appropriate in this case.
B. In judgmental sampling, professionals place a bias on the sample (e.g., all sampling units
over a certain value, all for a specific type of exception, all negatives, etc.). It should be
noted that a judgmental sample is not statistically based, and results should not be
extrapolated over the population because the sample is unlikely to be representative of
the population as a whole.
C. Stratification is the process of dividing a population into sub-populations with
similar characteristics explicitly defined, so that each sampling unit can belong to
only one stratum. This method of sampling ensures that all sampling units in each
subgroup have a known, non-zero chance of selection. It would be most appropriate
in this case.
D. Systematic sampling involves selecting sampling units using a fixed interval between
selections with the first interval having a random start. This would not be most
appropriate in this case.
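
As an added illustration (not part of the ISACA sample exam or its justifications), the following Python draws a stratified random sample of automated invoice authorizations, with the approving user as the stratum, and then runs the control test on the sample. The population, the approval threshold and the user names are constructed for the example.

```python
import random
from collections import defaultdict

# Constructed sample population (not from the exam): automated invoice
# authorizations. Each record is (invoice_id, approver, amount, auto_approved).
# The control under test: invoices at or above THRESHOLD must never be
# auto-approved; an exception made for one approver is what the auditor is after.
THRESHOLD = 10_000.0
INVOICES = [
    ("INV-001", "alice", 2_500.0, True),
    ("INV-002", "alice", 9_800.0, True),
    ("INV-003", "alice", 12_000.0, False),
    ("INV-004", "alice", 400.0, True),
    ("INV-005", "bob", 7_300.0, True),
    ("INV-006", "bob", 15_000.0, False),
    ("INV-007", "bob", 1_100.0, True),
    ("INV-008", "carol", 3_000.0, True),
    ("INV-009", "carol", 15_000.0, True),   # exception: auto-approved above threshold
    ("INV-010", "carol", 800.0, True),
]


def stratify(records, key):
    """Split the population into strata so that every unit belongs to exactly one stratum."""
    strata = defaultdict(list)
    for record in records:
        strata[key(record)].append(record)
    return dict(strata)


def selection_probability(stratum_size, per_stratum):
    """Chance that a given unit in a stratum is selected: known and non-zero."""
    return min(1.0, per_stratum / stratum_size)


def stratified_sample(records, key, per_stratum, seed=None):
    """Draw up to `per_stratum` units at random from every stratum.

    Unlike one simple random sample over the whole population, no approver can
    be skipped entirely, so an exception granted to one specific user cannot
    hide among the units that were never looked at.
    """
    rng = random.Random(seed)
    return {
        name: rng.sample(units, min(per_stratum, len(units)))
        for name, units in stratify(records, key).items()
    }


def find_exceptions(sample, threshold=THRESHOLD):
    """Control test on the sample: auto-approved invoices at or above the threshold, by approver."""
    return {
        name: sorted(inv_id for inv_id, _, amount, auto in units if auto and amount >= threshold)
        for name, units in sample.items()
    }


def audit(per_stratum, seed=None):
    """Run the sampling and the control test; returns (sample size per stratum, exceptions)."""
    sample = stratified_sample(INVOICES, key=lambda r: r[1], per_stratum=per_stratum, seed=seed)
    sizes = {name: len(units) for name, units in sample.items()}
    return sizes, find_exceptions(sample)


if __name__ == "__main__":
    sizes, exceptions = audit(per_stratum=2, seed=7)
    print("sample sizes per approver:", sizes)
    print("exceptions found:", exceptions)
```

Because every approver forms its own stratum, a user who authorized only a handful of invoices still contributes units to the sample; that is why the exception granted to one specific user ("carol" in the constructed data) surfaces, whereas a simple random sample of the same overall size could skip that user entirely.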

11. Which of the following controls would be the MOST effective to reduce the impact of a
successful ransomware attack?

A. Updated antivirus
B. Workforce education
C. Intrusion prevention system
D. Regular backups

D is the correct answer.

Justifications:
A. Most ransomware attacks are a result of activity that the system sees as legitimately
initiated by a user, such as through a phishing attack. Therefore, antivirus software may
not always be effective to stop the payload from executing.
B. Workforce education is a good preventative control for ransomware attacks because it
creates awareness, and most ransomware attacks are the result of user activity. However,
it does not reduce the impact of a successful attack.
C. Intrusion prevention systems may partially mitigate the spread of a ransomware attack,
but they are less effective than backups.
D. Regular backups are the only method of ensuring recovery of data after a successful
ransomware attack. Even if the ransom is paid, it is possible that the data may not
be recoverable and the possibility of data contamination with other malware exists.
How a backup is stored and maintained can influence the effectiveness as a means
for recovering from ransomware. Backups that are easily accessible may be
compromised before they can be put to use. Designing a proper backup
methodology with ransomware in mind is important.

12. An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service
provider. Which of the following considerations is the MOST important with regard to the
privacy of the accounting data?

A. Data retention, backup and recovery
B. Return or destruction of information
C. Network and intrusion detection
D. A patch management process

B is the correct answer.

Justification:
A. Data retention, backup and recovery are important controls; however, they do not
guarantee data privacy.
B. When reviewing a third-party agreement, the most important consideration with
regard to the privacy of the data is the clause concerning the return or secure
destruction of information at the end of the contract.
C. Network and intrusion detection are helpful when securing the data, but on their own,
they do not guarantee data privacy stored at a third-party provider.
D. A patch management process helps secure servers and may help prevent unauthorized
disclosure of data; however, it does not by itself address the privacy of the data.

13. Which of the following is the MOST appropriate action to take upon identifying that a
computer may have been used to leak a confidential file?

A. Isolate the computer from the network.
B. Make a duplicate image of the original media.
C. Install forensic tools on the target system.
D. Report the incident to law enforcement.

B is the correct answer.

Justifications:
A. Isolation is not the primary concern for an event believed to have already occurred.
Imaging the original media preserves the evidence on the target system.
B. For forensic analysis, it is first and foremost important to make a full, bit-for-bit
image of the original media to preserve the evidence on the target system; analysis is
then performed on the copy, with hashes proving that the copy matches the original.
C. While forensic tools may be used to analyze the media, installing them on the target
system would alter it; the first step is to make an image of the original media to
preserve any forensic evidence.
D. Senior management would decide whether or not to involve law enforcement. Imaging the
original media ensures that this remains an option for the organization.
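
The imaging step in option B, shown as an added Python example that is not part of the ISACA material. A small temporary file stands in for the suspect disk (a constructed sample), the copy loop stands in for dd, and the hashes taken before and after the copy are what an examiner records to show that the original was not altered and that the image is exact.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read and write in 1 MiB pieces


def sha256_of(path):
    """Streaming SHA-256 of a file or block device."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_media(source, image_path, custody_log, examiner="examiner"):
    """Make a bit-for-bit copy of `source` and record the hashes.

    The order mirrors dd-plus-hash practice: hash the source, copy it, hash the
    source again (shows the copy did not alter it) and hash the image (shows the
    copy is exact). The source is only ever opened read-only; on real media a
    hardware write blocker should enforce that as well.
    """
    before = sha256_of(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    after = sha256_of(source)
    image = sha256_of(image_path)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "sha256_source_before": before,
        "sha256_source_after": after,
        "sha256_image": image,
        "verified": before == after == image,
    }
    # Append-only chain-of-custody log, one JSON record per acquisition.
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash an image before every analysis session; later tampering shows up here."""
    return sha256_of(image_path) == expected_sha256


def demo():
    """Constructed sample: a small file stands in for the suspect disk."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_disk.raw")
    image = os.path.join(workdir, "evidence_001.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(source, "wb") as f:
        f.write(b"CONFIDENTIAL: Q3 forecast draft\n" * 4096)
    record = image_media(source, image, log)
    intact = verify_image(image, record["sha256_image"])
    # Simulate someone touching the image after acquisition.
    with open(image, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    tamper_detected = not verify_image(image, record["sha256_image"])
    return {"verified": record["verified"], "intact": intact, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The three hashes in the custody record are the whole argument later on: the "before" and "after" digests of the source being equal shows acquisition did not change the original, and the image digest matching them shows the analyst worked on an exact copy.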

14. An organization bought a new system to integrate its existing human resources and payroll
systems in the environment. Which of the following tests ensures that the new system can
operate successfully with existing systems?

A. Parallel testing
B. Pilot testing
C. Sociability testing
D. Integration testing

C is the correct answer.

Justification:
A. Parallel testing is the process of feeding data into two systems—the modified system and
an alternate system—and computing the results in parallel. In this approach, the old and
new systems operate concurrently for a period of time and perform the same processing
functions.
B. Pilot testing takes place first at one location and is then extended to other locations. The
purpose is to see whether the new system operates satisfactorily in one place before
implementing it at other locations.
C. The purpose of sociability testing is to ensure that a new or modified system can
operate in its target environment without adversely impacting existing systems. This
should cover the platform that will perform primary application processing and
interface with other systems, as well as changes to the desktop in a client-server or
web development.
D. Integration testing is a hardware or software test that evaluates the connection of two or
more components that pass information from one area to another. The objective is to take
unit-tested modules and build an integrated structure. In this case, the tests are not
necessarily between systems that interact with one another so sociability testing is a
better answer.

15. After identifying the findings, the IS auditor should FIRST:

A. gain agreement on the findings.
B. determine mitigation measures for the findings.
C. inform senior management of the findings.
D. obtain remediation deadlines to close the findings.

A is the correct answer.

Justifications:
A. If findings are not agreed upon and confirmed by both parties, then there may be an
issue during sign-off on the final audit report or while discussing findings with
management. When agreement is obtained with the auditee, it implies the finding is
understood and a clear plan of action can be determined.
B. While the auditor may recommend mitigation measures, the organization ultimately
decides and implements the mitigation strategies as a function of risk management.
C. Before senior management is informed, it is imperative that the auditor inform the auditee
and gain agreement on the audit findings in order to correctly communicate the risk.
D. Obtaining remediation deadlines to close the findings is not the first step in
communicating the audit findings.

16. In a small organization, the function of release manager and application programmer are
performed by the same employee. What is the BEST compensating control in this scenario?

A. Hiring additional staff to provide segregation of duties
B. Preventing the release manager from making program modifications
C. Logging of changes to development libraries
D. Verifying that only approved program changes are implemented

D is the correct answer.

Justifications:
A. Establishing segregation of duties is not a compensating control; it is a preventive
control. In a small organization, it may not be feasible to hire new staff, which is why a
compensating control may be necessary.
B. Since the release manager is performing dual roles, preventing them from making
program modifications is not feasible, and in a small organization, segregation of duties
may not be possible.
C. Logging changes to development libraries will not detect changes to production libraries.
D. Compensating controls are used to mitigate risk when proper controls are not
feasible or practical. In a small organization, it may not be feasible to hire new staff,
which is why a compensating control may be necessary. Verifying program changes
has roughly the same effect as intended by full segregation of duties.

17. After initial investigation, an IS auditor has reasons to believe that fraud may be present. The
IS auditor should:

A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C. report the possibility of fraud to management.
D. consult with external legal counsel to determine the course of action to be taken.

A is the correct answer.

Justification:
A. An IS auditor’s responsibilities for detecting fraud include evaluating fraud
indicators and deciding whether any additional action is necessary or whether an
investigation should be recommended.
B. The IS auditor should notify the appropriate authorities within the organization only if it
has determined that the indicators of fraud are sufficient to recommend an investigation.
C. The IS auditor should report the possibility of fraud to top management only after there is
sufficient evidence to launch an investigation. This may be affected by whether
management may be involved in the fraud.
D. Normally, the IS auditor does not have authority to consult with external legal counsel.

18. The PRIMARY benefit of implementing a security program as part of a security governance
framework is the:

A. alignment of the IT activities with IS audit recommendations.
B. enforcement of the management of security risk.
C. implementation of the chief information security officer’s recommendations.
D. reduction of the cost for IT security.

B is the correct answer.

Justification:
A. Recommendations, visions and objectives of the IS auditor are usually addressed within a
security program, but they would not be the major benefit.
B. The major benefit of implementing a security program is management’s assessment
of risk and its mitigation to an appropriate level, and monitoring of the residual
risk.
C. Recommendations, visions and objectives of the chief information security officer are
usually included within a security program, but they would not be the major benefit.
D. The cost of IT security may or may not be reduced.

19. An internal audit function is reviewing an internally developed common gateway interface
script for a web application. The IS auditor discovers that the script was not reviewed and
tested by the quality control function. Which of the following types of risk is of GREATEST
concern?

A. System unavailability
B. Exposure to malware
C. Unauthorized access
D. System integrity

C is the correct answer.

Justification:
A. While untested common gateway interfaces (CGIs) can cause the end-user web
application to be compromised, this is not likely to make the system unavailable to other
users.
B. Untested CGI scripts do not inherently lead to malware exposures.
C. Untested CGIs can have security weaknesses that allow unauthorized access to
private systems because CGIs are typically executed on publicly available Internet
servers.
D. While untested CGIs can cause the end-user web application to be compromised, this is
not likely to significantly impact system integrity.
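
An added example of the kind of weakness the justification for C has in mind; it is constructed for this page and not taken from the exam. A tiny log-search CGI handler is written twice: once as an untested script that splices the `host` query parameter into a shell command, and once after review with an input allow-list and no shell. The sample log lines and hostnames are made up.

```python
import os
import re
import subprocess
import tempfile

# Constructed sample log (not from the exam) that the CGI handler searches.
SAMPLE_LOG = (
    "2024-05-01T10:00:01Z web01 sshd: accepted publickey for ops\n"
    "2024-05-01T10:00:05Z db01 postgres: connection from 10.0.0.7\n"
    "2024-05-01T10:01:12Z web01 nginx: GET /login 200\n"
)


def make_log():
    """Write the constructed log to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(SAMPLE_LOG)
    return path


def vulnerable_search(host, logfile):
    """The untested version: the query parameter is spliced into a shell command.

    A value such as "web01; id" runs a second command with the web server's
    privileges, which is the unauthorized access the justification refers to.
    """
    cmd = f"grep {host} {logfile}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                            stdin=subprocess.DEVNULL)
    return result.stdout


# Hostnames: letters, digits, dots and hyphens, and must start alphanumeric.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def hardened_search(host, logfile):
    """The reviewed version: allow-list the input and never involve a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("host parameter rejected by input validation")
    # Argument list (no shell parsing), -F for a literal match, and "--" so a
    # value beginning with "-" can never be read by grep as an option.
    result = subprocess.run(["grep", "-F", "--", host, logfile],
                            capture_output=True, text=True, stdin=subprocess.DEVNULL)
    return result.stdout


if __name__ == "__main__":
    log = make_log()
    print("vulnerable:", vulnerable_search("web01; echo INJECTED", log))
    try:
        hardened_search("web01; echo INJECTED", log)
    except ValueError as exc:
        print("hardened:", exc)
    print(hardened_search("web01", log), end="")
```

The allow-list is the part a quality control review would insist on seeing tested: the regular expression, the `fullmatch` (not `match`, which would accept trailing garbage) and the argument-list form of `subprocess.run` each close a separate hole.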

20. Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?

A. Identify all IT systems and controls relevant to audit objectives
B. List all controls from the audit program to select ones matching with audit objectives
C. Review the results of a risk self-assessment
D. Understand the business, its operating model and key processes

D is the correct answer.

Justifications:
A. Understanding the business environment comes first; this is followed by understanding
the IT environment.
B. Listing controls and matching them to audit objectives is not the first step of risk
assessment. This step follows understanding the business environment and the IT
systems.
C. A risk self-assessment is optional and applicable for some types of audit engagements.
D. Risk-based auditing must be based on the understanding of the business, operating
model and environment. This is the first step to pointing the audit in the right
direction.

21. Which of the following controls would BEST help protect an organization from successful
phishing attacks?

A. A data loss prevention system
B. Intrusion detection system
C. Role-based access controls
D. Employee awareness training

D is the correct answer.

Justifications:
A. A data loss prevention system acts on data that users, who have already authenticated
to the system, attempt to move; it does not stop a user from being deceived in the first place.
B. Intrusion detection systems will not always detect phishing attacks because signature
updates lag and zero-day exploits are not yet recognized.
C. Role-based access controls focus on the user’s job function within the organization. This
control could limit what an attacker reaches after gaining access, but the human weakness has
already been exploited.
D. Phishing exploits the human weakness. Therefore, awareness training creates a
sense of security and enforces alertness before opening emails. The other
options are technology focused and typically do not address the human factor.

22. Which of the following would be the GREATEST concern if audit objectives are not
established during the initial phase of an audit program?

A. Key stakeholders are incorrectly identified.
B. Control costs will exceed planned budget.
C. Important business risk may be overlooked.
D. Previously audited areas may be inadvertently included.

C is the correct answer.

Justifications:
A. In certain cases, it may be more difficult to discuss findings when incorrect stakeholders
are identified, thus delaying the communication of audit findings. However, this is not as
concerning as if important business risks were not included in audit scope.
B. Many factors determine the cost of controls. Therefore, it is difficult to state that only
audit objectives will determine the control cost. However, this is not as important if key
risks are not identified.
C. Without defined audit objectives and scope, the appropriate risk assessment has not
been performed, and therefore the auditor might not audit those areas of highest
risk for the organization.
D. Auditing previously audited areas would not be an efficient use of resources; however,
this is not as big of a concern as key risks not being identified.

23. A system developer transferred to the audit department to serve as an IT auditor. When
production systems are to be reviewed by this employee, which of the following will become
the MOST significant concern?

A. The work may be construed as a self-audit.
B. Audit points may largely shift to technical aspects.
C. The employee may not have sufficient control assessment skills.
D. The employee’s knowledge of business risk may be limited.

A is the correct answer.

Justifications:
A. Because the employee had been a developer, it is recommended that the audit
coverage should exclude the systems developed by this employee in order to avoid
any conflicts of interests.
B. As the employee has a technical background, it could be possible that their audit findings
would tend to focus on technical matters. However, this would normally be corrected in
the review process before it is carried out in production.
C. As auditing is a new role for this employee, they may not have adequate control
assessment skills. However, it would be addressed by on-the-job training and would not
be as big of a concern as a potential conflict of interest.
D. Because this employee was previously employed in the company’s IT department, it is
possible to build upon the employee’s current understanding of the business to address
any gaps in knowledge.

24. As part of audit planning, an IS auditor is designing various data validation tests to
effectively detect transposition and transcription errors. Which of the following will BEST
help in detecting these errors?

A. Range check
B. Validity check
C. Duplicate check
D. Check digit

D is the correct answer.

Justifications:
A. Range checks can only ensure that data fall within a predetermined range but can’t detect
transposition errors.
B. Validity checks are generally programmed checking of data validity in accordance with
predetermined criteria.
C. Duplicate check analysis is used to test defined or selected primary keys for duplicate
primary key values.
D. A check digit is a numeric value that is calculated mathematically from the other
digits and appended to the data so that altered data, or an incorrect but
otherwise valid-looking value, can be detected. The check digit control is
effective in detecting transposition and transcription errors.
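
A worked example of a check digit, added here and not from the ISACA text: the Luhn (mod 10) scheme used for payment card numbers, with generators for every single-digit transcription error and every adjacent transposition so that the detection rate can be measured rather than asserted. The payload 7992739871 is the standard Luhn worked example.

```python
def luhn_check_digit(payload):
    """Mod-10 (Luhn) check digit for a string of decimal digits."""
    total = 0
    # Walk from the right; the digit that will sit next to the check digit is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True when the last digit is the correct check digit for the rest."""
    return (len(number) > 1 and number.isdigit()
            and luhn_check_digit(number[:-1]) == number[-1])


def single_digit_substitutions(number):
    """Every transcription error: one digit replaced by a different digit."""
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d != ch:
                yield number[:i] + d + number[i + 1:]


def adjacent_transpositions(number):
    """Every transposition error: two neighbouring (different) digits swapped."""
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            yield number[:i] + number[i + 1] + number[i] + number[i + 2:]


def detection_rate(variants):
    """Fraction of erroneous variants that the check digit rejects."""
    variants = list(variants)
    return sum(not luhn_valid(v) for v in variants) / len(variants)


if __name__ == "__main__":
    number = "7992739871" + luhn_check_digit("7992739871")
    print("number with check digit:", number)
    print("transcription errors caught:", detection_rate(single_digit_substitutions(number)))
    print("transposition errors caught:", detection_rate(adjacent_transpositions(number)))
    # The one blind spot: swapping 0 and 9 leaves the Luhn sum unchanged.
    print("1099 and 1909 both valid:", luhn_valid("1099"), luhn_valid("1909"))
```

Luhn catches every single-digit substitution and every adjacent transposition except a swap of 0 and 9, which the last lines of the block demonstrate with 1099 and 1909; where that gap matters, a scheme such as the Verhoeff algorithm closes it.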

25. Which of the following would be MOST useful for an IS auditor in accessing and analyzing
digital data to collect relevant audit evidence from diverse software environments?

A. Structured Query Language
B. Application software reports
C. Data analytics controls
D. Computer-assisted auditing techniques

D is the correct answer.

Justifications:
A. Structured Query Language provides options for auditors to query specific tables of a
database as per audit objectives. However, skills are required to query specific databases,
and a user has to understand the record structure in order to access the data.
B. Reports from application software may be useful, but they would not be as beneficial as
computer-assisted auditing techniques (CAATs).
C. Data analytics controls might be a good technique to use for control testing, but they are
not as comprehensive as CAATs.
D. CAATs are tools used for accessing data in an electronic form from diverse software
environments, record formats, etc. They serve as a useful tool for collecting and
evaluating audit evidence as per audit objectives and can create efficiencies for
collecting this evidence.

26. An IS auditor has been asked to look at past projects to determine how future projects can
better meet business requirements. With which of the following would the auditors MOST
likely consult?

A. Project sponsors
B. Project managers
C. End-user groups
D. Business analysts

A is the correct answer.

Justification:
A. The project sponsor is the owner of the project, and therefore, the most appropriate
person to discuss whether the business requirements defined as part of the project
objectives have been met.
B. Project managers organize and ensure that the direction of the project aligns to the overall
direction, complies with standards and monitors project milestones. The sponsor is in a
better position to determine whether requirements have been met and is most likely to be
consulted by the IS auditor.
C. End-user groups can be a valuable resource; however, the project sponsor has managerial
authority and is involved in strategic planning and is therefore a better answer.
D. Although business analysts have detailed knowledge of business requirements, the
project sponsor has a more accurate view of actual past project performance.

27. Establishing a software baseline would have the GREATEST impact on which of the
following?

A. Software integrity
B. Change management
C. Access controls
D. System documentation

B is the correct answer.

Justifications:
A. Software integrity is not a direct result of having a software baseline.
B. A baseline is a reference point in the software development life cycle marked by the
completion and formal approval of a set of predefined work products. Change
management is easier when there is a baseline from which to work by helping to
identify deviations from established minimum requirements in scope or other
factors.
C. Access controls are a subset of the software baseline and not its principal focus.
D. Baselining may enhance the documentation process, but it has a far greater impact on
change management.
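
A baseline becomes concrete once it is a hash manifest. The added Python below (an example for this page, not ISACA’s) builds a baseline of a deployed tree and then classifies every later deviation as approved (its hash matches an approved change record), unapproved, added or missing. The same comparison is the verification control recommended in question 16 for the release manager who also writes code. File names and change records are constructed.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every file under `root`; the result is the approved reference point."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare_to_baseline(root, baseline, approved_changes):
    """Classify every deviation of the deployed tree from the baseline.

    approved_changes maps a path to the hash recorded on its approved change
    ticket. Anything else that differs is an unapproved change: exactly the
    finding a compensating control for missing segregation of duties must surface.
    """
    current = build_baseline(root)
    report = {"approved": [], "unapproved": [], "added": [], "missing": []}
    for path, digest in current.items():
        if path in baseline and digest == baseline[path]:
            continue                                  # unchanged
        if approved_changes.get(path) == digest:
            report["approved"].append(path)           # matches a change record
        elif path in baseline:
            report["unapproved"].append(path)         # changed, no record
        else:
            report["added"].append(path)              # new file, no record
    report["missing"] = [p for p in baseline if p not in current]
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed deployment: one approved change, one unapproved, one stray file, one deletion."""
    root = tempfile.mkdtemp()

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(text)
        return sha256_of(full)

    write("app/auth.py", "def login(): ...\n")
    write("app/billing.py", "def invoice(): ...\n")
    write("config/app.ini", "debug=false\n")
    baseline = build_baseline(root)

    # Approved change: the ticket records the hash of the reviewed billing fix.
    approved = {"app/billing.py": write("app/billing.py", "def invoice(): return fixed()\n")}
    # Changes nobody approved, made by someone holding release rights.
    write("app/auth.py", "def login(): return True  # bypass\n")
    write("app/untracked.py", "print('hello')\n")
    os.remove(os.path.join(root, "config", "app.ini"))
    return compare_to_baseline(root, baseline, approved)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10s} {paths}")
```

Run against production libraries, the "unapproved" and "added" lists are the detective evidence that the justification for D in question 16 relies on; logging development libraries (option C there) would never show the auth.py change above, because it was made straight in the deployed tree.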

28. An internal IT auditor is observing an organization’s disaster recovery tests. It is found that
the organization’s ability to recover does not meet the management-approved recovery time
objective (RTO). Which of the following is the BEST recommendation for the auditor to
include in the report?

A. Recommend changing the RTO
B. Recommend mirror backup systems
C. Recommend a retesting of the backup process
D. Recommend an alternative recovery method

D is the correct answer.

Justifications:
A. The recovery time objective (RTO) is the result of the business impact analysis (BIA),
management’s approval, and the organization’s goals and objectives. The best option
would be to find an alternative recovery method that meets the RTO.
B. A mirror backup is just a single option for recovery and may not be the best option in this
case.
C. A retest would not be efficient especially if the BIA has been established and
management approved the recovery method and the RTO.
D. The RTO is established as a result of the BIA and the organization’s company goals
and objectives. An alternative recovery method would be the best option to ensure
the RTO is met.

29. Which of the following is the BEST choice to ensure confidentiality of transmissions in a
public-facing web application?

A. Transport Layer Security
B. Secure Sockets Layer
C. Secure Shell
D. IP Security

A is the correct answer.

Justifications:
A. Transport Layer Security (TLS) is a transport-layer protocol widely used for
communication between browsers and web servers to provide secure transmissions
over the Internet. It is more secure than the Secure Sockets Layer (SSL) protocol it
replaced and should be used over SSL in all cases.
B. The Secure Sockets Layer protocol is now deprecated, as a significant vulnerability was
discovered in 2014.
C. Secure Shell is a protocol that uses cryptography to secure remote command-line login
and command execution between two networked computers.
D. IP Security is used to encrypt all traffic (e.g., packets) between endpoints and is typically
used in virtual private networks. Thus, it is not specific to web-based applications.

30. When developing a disaster recovery plan, the criteria for determining the acceptable
downtime should be the:

A. annual loss expectancy.
B. service delivery objective.
C. quantity of orphan data.
D. maximum tolerable outage.

D is the correct answer.

Justification:
A. The acceptable downtime would not be determined by the annual loss expectancy (ALE);
ALE is related to risk management calculations, not disaster recovery.
B. The service delivery objective is relevant to business continuity, but it is not determined
by acceptable downtime.
C. The quantity of orphan data is relevant to business continuity, but it is not determined by
acceptable downtime.
D. Recovery time objective is determined based on the acceptable downtime in case of
a disruption of operations. It indicates the maximum tolerable outage that an
organization considers to be acceptable before a system or process must resume
following a disaster.

31. Which of the following BEST ensures that business requirements are met prior to go-live?

A. Feasibility study
B. User acceptance testing
C. Post-implementation review
D. Implementation plan

B is the correct answer.

Justification:
A. A feasibility study describes the key alternative courses of action that will satisfy the
business and functional requirements of a project, including an evaluation of the
technological and economic feasibility. A feasibility study is conducted at the
commencement of the project. However, the final user acceptance testing (UAT) happens
after the feasibility study and therefore is of greater value.
B. UAT ensures that business process owners and IT stakeholders evaluate the
outcome of the testing process to ensure that business requirements are met.
C. The post-implementation review occurs after the implementation.
D. The implementation plan formally defines expectations and performance measurement,
and the effective recovery in the event of implementation failure. It does not ensure that
business requirements are met.

32. An IS auditor is reviewing an e-commerce site. Which of the following is MOST important
to ensure controls are in place to protect the consumer?

A. A robust vulnerability management program
B. A tested business continuity plan
C. An up-to-date digital certificate
D. Encryption keys stored in escrow

A is the correct answer.

Justifications:
A. A robust vulnerability management program could identify programming design
flaws and other vulnerabilities that go beyond whether traffic to and from the
website is encrypted.
B. While the business continuity plan (BCP) will ensure availability of services to the
consumer, the primary benefit of a tested BCP goes to the business, not the consumer.
C. An up-to-date digital certificate provides assurance of vendor identity and encryption of
traffic to and from the website, but if design flaws exist in the underlying application, the
consumer may still be at risk.
D. Keys stored in escrow will allow the company to access the keys if the provider goes out
of business. The keys could be used to add new systems to the network. This benefits the
business and not the consumer.

33. Vulnerabilities associated with which of the following would pose the GREATEST risk to
an organization hosting a web application?

A. Domain Name System
B. CGI script
C. JavaScript
D. Cookies

B is the correct answer.

Justifications:
A. A vulnerability in the Domain Name System would typically not pose a direct threat to
the organization, as the system resides on the Internet and resolves names into IP
addresses, thus routing traffic to the correct location. The threat in this case would be to
the user, who might be routed to a spoofed website.
B. A vulnerability in a CGI script can allow unauthorized access to the organization’s
system as CGIs are executable programs run on the server side of a web application.
C. JavaScript executes on the web browser; thus, a vulnerability would impact the user and
not the organization.
D. Cookies reside on the user’s web browser for the purpose of identifying the user to the
web site. As such, any information associated with cookies would pose a threat to the
user and not the organization.

34. Which of the following would MOST likely be considered a conflict of interest for an IS
auditor who is reviewing a cybersecurity implementation?

A. Delivering cybersecurity awareness training
B. Designing the cybersecurity controls
C. Advising on the cybersecurity framework
D. Conducting the vulnerability assessment

B is the correct answer.

Justifications:
A. Delivering cybersecurity awareness training is typically an operational responsibility, but
it would not be nearly as strong a conflict of interest as the auditor designing controls
and then reviewing them.
B. If an auditor designs the controls, a conflict of interest would arise in the neutrality
of the auditor to address deficiencies during an audit. This would be in violation of
the ISACA Code of Ethics.
C. Part of the role of an IS auditor could be to advise on a cybersecurity framework,
provided that such advice does not rise to the level of designing specific controls that the
auditor would later review.
D. Conducting a vulnerability assessment could be the responsibility of the IS auditor and
does not present a conflict of interest.

35. Which of the following is the MOST important input for decision making throughout the life
of an IT project?

A. Business impact analysis
B. IT investment plan
C. IT resource management strategy
D. Business case

D is the correct answer.

Justifications:
A. A business impact analysis is the process to determine the impact of losing the support of
any resource. It is useful for recovery strategy, but it would not be used for decision
making throughout the life of an IT project.
B. An IT investment plan is useful for investment strategy, but it would not be used for
decision making throughout the life of an IT project.
C. An IT resource management strategy is useful for resource management and for decision
making within IT, but it may not be useful from an audit perspective.
D. The business case is the documentation of the rationale for making an IT investment
and is used throughout the project lifecycle. It should be continuously maintained to
justify the usefulness of the IT project.

36. Errors in audit procedures would PRIMARILY impact which of the following risks?

A. Detection risk
B. Inherent risk
C. Control risk
D. Business risk

A is the correct answer.

Justifications:
A. Detection risk is the probability that the audit procedures may fail to detect
existence of a material error or fraud.
B. Inherent risk refers to the risk involved in the nature of business or transaction and is not
affected by human error.
C. Control risk is the risk that a material error exists that would not be prevented or detected
on a timely basis by the system of internal controls.
D. Business risk is not a component of audit risk.

37. An auditee disagrees with an audit finding. Which of the following is the BEST course of
action for the IT auditor to take?

A. Discuss the finding with the IT auditor's manager
B. Retest the control to confirm the finding
C. Elevate the risks associated with the control
D. Discuss the finding with the auditee's manager

A is the correct answer.

Justifications:
A. Discussing the disagreement with the auditor's manager would be the best course of
action, because the other actions could weaken the relationship between the auditee
and the auditor.
B. This may unnecessarily expend human and time resources. The audit manager should
determine whether controls need to be retested.
C. Elevating the risk will not address the disagreement.
D. It is usually best to consult the audit manager prior to escalating the issue to the auditee's
manager, because escalation could prove to be an adversarial action.

38. The IS auditor learns a business application has extended the access from users of one
department to other departments. The GREATEST concern for the IS auditor would be
approval of:

A. the business impact analysis
B. creation forms for new users
C. an updated IT security policy
D. an updated access rights matrix

D is the correct answer.

Justifications:
A. A business impact analysis is used in the development of the business continuity plan and
would not need to be reviewed here.
B. While management approval through the creation form for a new user is important, it
does not create as much risk as multiple roles assigned to a user that create segregation of
duties (SoD) conflicts.
C. The IT security policy is a high-level document and would not include details such as
SoD matrices.
D. The security access risk is a SoD issue when extending an application from one
department to multiple departments. Potential controls include SoD review, an
updated access rights matrix, etc. Users may end up with unacceptable
combinations of privileges with the extension; thus, the access rights matrix must be
reviewed.

39. Which of the following would be expected to approve the audit charter?

A. Chief financial officer
B. Chief executive officer
C. Audit steering committee
D. Audit committee

D is the correct answer.

Justifications:
A. The chief financial officer (CFO) does not approve the audit charter but may be
responsible for allocating funds in support of the audit charter. The CFO may also be a
part of the audit committee or audit steering committee but would not approve the charter
on their own.
B. The chief executive officer (CEO) does not approve the audit charter. The CEO may be
informed, but they are independent of the audit committee.
C. The steering committee would most likely be composed of various members of senior
management whose purpose is to work under the framework of the audit charter and
would not approve the charter itself.
D. One of the primary functions of the audit committee is to create and approve the
audit charter.

40. Which of the following is MOST important to ensure before communicating the audit
findings to top management during the closing meeting?

A. Risk statement includes an explanation of a business impact
B. Findings are clearly tracked back to evidence
C. Recommendations address root causes of findings
D. Remediation plans have been provided by responsible parties

B is the correct answer.

Justifications:
A. It is important to have a well-elaborated risk statement; however, it might not be relevant
if findings are not accurate.
B. Without adequate evidence, the findings would hold no ground; therefore, this must
be verified before communicating the findings.
C. It is important to address the root causes of findings, even though they may not be
included in the report. However, this might not be relevant if the findings are not accurate.
D. In some cases, top-management might expect to see remediation plans during debriefing
of the findings; however, the accuracy of findings should be proved first.

41. When performing a risk analysis, the IS auditor should FIRST:

A. review the data classification program.
B. identify the organization’s information assets.
C. identify the inherent risk of the system.
D. perform a cost-benefit analysis for controls.

B is the correct answer.

Justifications:
A. Once the business objectives and the underlying systems have been identified, the greatest
degree of risk management effort should be focused on those assets containing data
considered most sensitive to the organization. The data classification program will assist
the IS auditor in identifying these assets.
B. The first step of the risk assessment process is to identify the systems and processes
that support the business objectives as risk to those processes will impact the
achievement of business goals.
C. Inherent risk is the exposure without considering the actions that management has taken
or might take. The purpose of a risk assessment is to identify vulnerabilities so that
mitigating controls can be established. However, one must first understand the business
and its supporting systems to best identify systems requiring the most risk assessment
effort.
D. Designing and implementing controls to mitigate inherent risk of critical systems can
only be performed once the above steps have been taken.

42. When developing a security architecture, which of the following steps should be executed
FIRST?

A. Developing security procedures
B. Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibilities

B is the correct answer.

Justification:
A. Policy is used to provide direction for procedures, standards and baselines. Therefore,
developing security procedures should be executed only after defining a security policy.
B. Defining a security policy for information and related technology is the first step
toward building a security architecture. A security policy communicates a coherent
security standard to users, management and technical staff. Security policies will
often set the stage in terms of what tools and procedures are needed for an
organization.
C. Specifying an access control methodology is an implementation concern and should be
executed only after defining a security policy.
D. Defining roles and responsibilities should be executed only after defining a security
policy.

43. Accountants are developing a temporary reporting solution using a spreadsheet and macro
program. Which of the following will be the MOST significant concern from a control
perspective?

A. The temporary solution becomes a permanent solution.
B. The modifications do not follow standard change management process.
C. A tighter reconciliation process is required to ensure integrity.
D. Development is done using an agile development methodology.

B is the correct answer.

Justifications:
A. It is often the case that a spreadsheet and macro-based temporary solution becomes a more
permanent solution. However, as long as the change process has followed appropriate
approvals, this situation may not be the major concern.
B. This is a typical case of an end-user computing solution. In this approach, the
biggest concern from a control perspective is the solution bypasses the change
management process specifically regarding segregation of duties over creating and
approving the modification.
C. This depends on how the temporary solution is built. As long as the solution is designed
in a controllable manner, tighter reconciliation may not necessarily be required.
D. The methodology used to make modifications is irrelevant as long as some change
process has been followed to reduce risks.

44. Which of the following would be of GREATEST concern to an IS auditor inspecting an
organization’s computer room?

A. Handheld fire extinguishers are present in the computer room.
B. Access to the computer room does not require biometrics.
C. The computer room is located in the basement.
D. The computer room is adjacent to an office area.

C is the correct answer.

Justifications:
A. Handheld fire extinguishers are an effective means of controlling a small localized fire.
They should not be used to replace a fire suppression system, but they can supplement it.
B. Biometrics may be used to control access to the computer room, but whether this is
appropriate depends on the risk posture of the organization. Adequate physical security
can often be achieved without the use of biometrics.
C. Studies show that the best location for a computer room located in a multi-story
building is on the middle floors. The top floor and basement are the two most
vulnerable areas with the basement being most subject to flooding.
D. As long as adequate physical access controls exist that prevent unauthorized access to the
computer room, it is acceptable to have the room adjacent to an office area. In fact, many
organizations house their operators and systems engineers adjacent to their computer
rooms.

45. Which of the following should an IS auditor recommend to BEST enforce alignment of an IT
project portfolio with strategic organizational priorities?

A. Define a balanced scorecard for measuring performance.
B. Consider user satisfaction in the key performance indicators.
C. Select projects according to business benefits and risk.
D. Modify the yearly process of defining the project portfolio.

C is the correct answer.

Justification:
A. Measures such as a balanced scorecard are helpful, but do not guarantee that the projects
are aligned with business strategy.
B. Key performance indicators are helpful to monitor and measure IT performance, but they
do not guarantee that the projects are aligned with business strategy.
C. Prioritization of projects on the basis of their expected benefit(s) to business, and the
related risk, is the best measure for achieving alignment of the project portfolio to
an organization’s strategic priorities.
D. Modifying the yearly process of the project portfolio definition might improve the
situation, but only if the portfolio definition process is closely tied to organizational
strategies.

46. An IS auditor is reviewing an organization’s business continuity plan. Which of the
following would provide the BEST means of evaluating the systems supporting the
organization’s critical processes?

A. Business impact analysis
B. Recovery point objective
C. Recovery time objective
D. Corporate business strategy

A is the correct answer.

Justifications:
A. The business impact analysis (BIA) is a process that determines the impact of losing
the support of any resource. By reviewing BIAs, the IS auditor can identify those
systems that are critical to supporting the business.
B. The recovery point objective (RPO) quantifies the acceptable amount of data loss in case
of interruption and is the earliest point in time in which it is acceptable to recover data.
Alone, the RPO is insufficient to determine the criticality of a system.
C. The recovery time objective (RTO) is the amount of downtime acceptable before the
system is recovered. Alone, the RTO is insufficient to determine the criticality of a
system.
D. The corporate business strategy influences the BIA, but review of the BCP requires the
BIA. Relying on the corporate business strategy to review the BCP is inadequate.

47. An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high
level of maturity. Which of the following would be the MOST important for the auditor to
ensure continued alignment with the enterprise's security requirements?

A. The vendor provides the latest third-party audit report for verification.
B. The vendor provides the latest internal audit report for verification.
C. The vendor agrees to implement controls in alignment with the enterprise.
D. The vendor agrees to provide annual external audit reports in the contract.

D is the correct answer.

Justifications:
A. Although the vendor is providing the most recent third-party audit report for review, there
is no agreement contractually that would require the vendor to continue to provide annual
reports for verification and review.
B. Although the vendor is providing the most recent internal audit report for review, there is
no agreement contractually that would require the vendor to continue to provide annual
reports for verification and review.
C. Without a clause in the contract, an agreement to implement controls does not provide
assurance that controls will continue to be implemented in alignment with the enterprise.
D. The only way to ensure that any potential risks are mitigated today and in the future is
to include a clause within the contract requiring the vendor to provide future external
audit reports. Without the audit clause, the vendor could choose to forego future
audits.

48. Which of the following should be of the GREATEST concern to an IS auditor when
analyzing the baseline security of a corporate desktop personal computer?

A. Local user password expiration is not defined.
B. Local user password hash is not applied.
C. Patches are not automatically installed.
D. Patches are not downloaded from the vendor.

C is the correct answer.

Justifications:
A. The date of user password expiration is important when there are certain business
requirements (e.g., temporary staffing). However, this would not be the greatest concern
of an IS auditor.
B. Password hashes play an important role in protecting systems, but generally, an
unpatched system would leave the device more susceptible to security breaches.
C. Corporate desktop personal computers should be configured to automatically install
critical patches according to the device-based patch management policy. Furthermore,
personal computers should be configured to enable system administrators to
schedule updates for a time that minimizes the impact on services offered, which may
include delaying installation by a brief period. It is common in corporate
environments for patch management to be brokered by an internal repository
rather than downloaded from the vendor.
D. In many environments, patches are downloaded to central repositories and are distributed
after testing.

49. An enterprise has selected a vendor to develop and implement a new software system. To
ensure that the enterprise’s investment in software is protected, which of the following
security clauses is MOST important to include in the master services agreement?

A. Limitation of liability
B. Service level requirements
C. Software escrow
D. Version control

C is the correct answer.

Justifications:
A. A limitation of liability clause protects the financial exposure of the organization but not
its software investment.
B. Service level requirements specify financial penalties for not meeting standards, but these
do not address issues of vendor insolvency.
C. Software escrow clauses in a contract ensure that the software source code will still
be available to the organization in the event of a vendor issue such as insolvency,
copyright issues, etc.
D. Version control is related to the software development life cycle and not the software
investment.

50. Which of the following is the MOST effective control when granting temporary access to
vendors?

A. Vendor access corresponds to the service level agreement.
B. User accounts are created with expiration dates and are based on services provided.
C. Administrator access is provided for a limited period.
D. User IDs are deleted when the work is completed.

B is the correct answer.

Justification:
A. The service level agreement may have a provision for providing access, but this is not a
control; it would merely define the need for access.
B. The most effective control is to ensure that the granting of temporary access is based
on services to be provided and that there is an expiration date (automated is best)
associated with each unique ID. The use of an identity management system enforces
temporary and permanent access for users, at the same time ensuring proper
accounting of their activities.
C. Vendors may require administrator access for a limited period during the time of service.
However, it is important to ensure that the level of access granted is set according to least
privilege and that access during this period is monitored.
D. Deleting these user IDs after the work is completed is necessary, but if not automated, the
deletion could be overlooked. The access should only be granted at the level of work
required.

51. Which of the following countermeasures would the IS auditor MOST likely recommend for
the risk mitigation of logic alteration vulnerabilities discovered during penetration testing of
a public-facing web application?

A. Change the application firewall rules to filter malicious inputs
B. Set the network firewall to allow traffic only from desired IP addresses
C. Perform code review and server-side input validation
D. Use the HTTPS protocol to secure access towards the website

C is the correct answer.

Justifications:
A. While firewall rules that filter inputs may mitigate the risk in the short term, vulnerabilities
that exist in code can only be permanently and completely eliminated through code
changes, which require code review.
B. It is infeasible to use IP filtering to control access to a public-facing web application.
C. Most application vulnerabilities are the result of poor coding; therefore, performing
a code review would be the most appropriate recommendation.
D. The HTTPS protocol will encrypt all traffic between the browser and the website. This
will not prevent malicious scripts from reaching the vulnerable website.

52. Which of the following is the PRIMARY purpose of a risk-based audit?

A. High-impact areas are addressed first.
B. Audit resources are allocated efficiently.
C. Material areas are addressed first.
D. Management concerns are prioritized.

C is the correct answer.

Justifications:
A. High impact does not necessarily indicate high risk; risk also takes probability into
consideration.
B. Although a risk-based audit approach does address allocation of resources, that is not the
primary function of a risk-based audit approach.
C. Material risks are audited according to the risk ranking, thus enabling the audit
team to concentrate on high-risk areas first.
D. Management concerns may not be aligned with high-risk areas.

53. What is the GREATEST advantage of performing penetration testing in addition to
vulnerability assessment?

A. Increased coverage of different technologies.
B. Better regulatory compliance.
C. Improved preparedness to cybersecurity incidents.
D. Confirmation of the ability to exploit vulnerabilities.

D is the correct answer.

Justifications:
A. The majority of vulnerability management tools available on the market provide
adequate coverage of technologies. While a penetration test might increase the coverage,
it will not be a significant improvement. The key advantage of penetration testing is the
ability to confirm that identified vulnerabilities can be used.
B. Regulatory requirements for regular penetration testing depend on industries and
countries (banking, military, etc.) and thus might not be applicable in different contexts.
C. While a penetration testing exercise might be used to increase the preparedness of teams
for cybersecurity incidents, it is a secondary measure compared to cybersecurity incident
response exercises.
D. Penetration testing is usually executed by qualified experts with the objective of
obtaining privileged access to IT systems using vulnerabilities. Vulnerability
assessment alone does not provide an accurate picture of the level of an organization’s
protection from cybersecurity attacks, as the existence of a vulnerability alone does
not mean it can be exploited.

54. Which of the following business continuity activities is PRIMARILY the responsibility of
the IT department?

A. Declaring the disaster and activating the business continuity plan
B. Restoring systems and data after a business disruption
C. Conducting the business impact analysis to determine critical systems
D. Defining the recovery time objectives and recovery point objectives

B is the correct answer.

Justifications:
A. Disaster declaration is typically a management responsibility and not the responsibility of
the IT department.
B. The IT department is primarily responsible for information systems and data
including restoration to normal operations after a disruption.
C. Conducting the business impact analysis is not the responsibility of IT. This is typically a
business function.
D. Although IT is responsible for making sure that the systems meet the defined recovery
time objectives and recovery point objectives, defining these objectives is primarily a
business function.

55. As a result of profitability pressure, senior management of an enterprise has decided to keep
investments in information security at an inadequate level. Which of the following would be
the BEST recommendation of an IS auditor?

A. Use cloud providers for low-risk operations.
B. Revise compliance enforcement processes.
C. Request that senior management accept the risk.
D. Postpone low-priority security procedures.

C is the correct answer.

Justifications:
A. The use of cloud providers may or may not provide cost savings or lower risk.
B. Compliance enforcement processes that identify high levels of residual risk are working
as intended and should not be revised.
C. Senior management determines resource allocations. Having established that the
level of security is inadequate, it is imperative that senior management accept the
risk resulting from their decisions.
D. The IS auditor should not recommend postponing any procedures. This is a management
decision, and management should first accept the risk.

56. An IS auditor has found numerous users emailing confidential information to unauthorized
recipients. The BEST course of action to prevent this from recurring is to:

A. assign the violators additional security awareness training.
B. integrate data security into the employees’ performance reviews.
C. implement a data protection program.
D. implement an outgoing anti-email phishing system.

C is the correct answer.

Justifications:
A. Addressing the violators alone will not prevent data exfiltration in the future.
Additionally, the violators could be malicious actors within the organization, in which
case training will not deter repeat behavior.
B. Incorporating data security into the employees’ reviews is a deterrent and does not
prevent future exfiltration regardless of intent.
C. A data protection program includes controls to detect and prevent data exfiltration
as well as investigate potential malicious insider activity. The scope of such a
program can be tailored to align with the organization’s risk appetite and available
resources.
D. A spam prevention and detection solution would prevent a user from sending spam and
not prevent users from exfiltrating sensitive information.

57. In a public key infrastructure, certificate authorities are intended to PRIMARILY address:

A. man-in-the-middle attacks.
B. brute force attacks.
C. confidentiality of secret keys.
D. faster generation of digital certificates.

A is the correct answer.

Justifications:
A. Without a trusted third party, an attacker positioned between two parties can
substitute their own public key for a legitimate party's during the key exchange and
then decrypt and re-encrypt the traffic, creating a man-in-the-middle attack. A
certificate authority (CA) verifies the identity of the certificate subject and signs a
certificate that binds that identity to the subject's public key, so a relying party
can detect a substituted key that the CA never certified.
B. CAs offer no particular protection to an organization against brute force attacks. Their
role is to enhance the validation process.
C. Private keys are generated and held by the respective certificate subscriber; the CA never
possesses them, so it is not responsible for their confidentiality.
D. The speed at which digital certificates are generated is dependent on the processor and
other systems and is not impacted by the CA.
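
The relying-party check that justification A relies on can be shown end to end. The Go program below is an added example, not part of the ISACA answer key: it creates a root CA, issues a server certificate for a host, then builds an impostor certificate for the same host name under a key the CA never vouched for, and verifies both against the trust store. The CA name, the host name `bank.example` and all keys are generated fresh and assumed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a throwaway P-256 key pair; nothing here is a real CA.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert issues a certificate for subjectKey's public key, signed by issuerKey.
// When issuer is nil the certificate is self-signed with subjectKey.
func makeCert(cn string, subjectKey *ecdsa.PrivateKey, issuer *x509.Certificate,
	issuerKey *ecdsa.PrivateKey, isCA bool, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{cn},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.DNSNames = nil
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, subjectKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &subjectKey.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyServerCert is the relying-party check: the certificate must chain to a
// trusted root and be issued for the expected host name.
func verifyServerCert(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo returns whether the CA-issued certificate and the impostor's
// self-signed certificate for the same host name pass verification.
func Demo() (legitOK bool, impostorOK bool) {
	caKey := newKey()
	ca := makeCert("Example Root CA", caKey, nil, nil, true, 1)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	serverKey := newKey()
	server := makeCert("bank.example", serverKey, ca, caKey, false, 2)

	// The attacker has a key pair and a certificate for the same name, but no
	// CA signature: a man-in-the-middle substituting this key is caught here.
	mitmKey := newKey()
	impostor := makeCert("bank.example", mitmKey, nil, nil, false, 3)

	legitOK = verifyServerCert(server, roots, "bank.example") == nil
	impostorOK = verifyServerCert(impostor, roots, "bank.example") == nil
	return legitOK, impostorOK
}

func main() {
	l, i := Demo()
	fmt.Println("CA-issued certificate verifies:", l)
	fmt.Println("impostor certificate verifies: ", i)
}
```

Note what the CA does and does not touch: the server generated its own private key and the CA only signed the certificate carrying the public half, which is why justification C places responsibility for private-key confidentiality with the subscriber.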

58. Which of the following would BEST help an IS auditor determine the adequacy of user
privileges set up in an application system?

A. Organizational chart of the target business area
B. Roles and responsibilities assigned to operators
C. Test results of an IT compliance self-assessment
D. Change management record of user profiles

B is the correct answer.

Justifications:
A. An organizational chart may help as part of the preliminary study of the target business
area. However, it is not vital information to support an application control review; roles
and responsibilities would better assist the auditor in determining adequacy of the user
privilege.
B. Access privileges set up in an application system need to be in line with the roles and
responsibilities of users defined by business management. Thus, it is most effective
to compare user privilege against those roles and responsibilities.
C. Self-assessment results would provide secondary information to the audit work. Roles
and responsibilities would be the primary source.
D. Review of change management records is primarily for the verification of the
authorization process involved in a change to privileges. It may not provide useful
information to assess the adequacy of user privilege.

59. Which of the following would be of MAIN concern to the IS auditor reviewing the
transborder flow of personal data?

A. Consent of the data subjects
B. Signed agreements with data processors
C. Encryption of personal data
D. Limitation of access

A is the correct answer.

Justifications:
A. The way personal data is handled may be subject to jurisdictional requirements.
However, with explicit consent from the data subject, data can generally be handled
in any way.
B. Signed agreements with data processors do not take the place of consent from the data
subjects. Substantial restrictions may still exist if consent has not been obtained.
C. Encryption protects the data while it is stored or in transit, but it does not establish
that the transfer itself is permitted; consent is the prior question.
D. Restricting access to personal data to the smallest group with a need to know is a good
practice; however, it is far more concerning to an auditor to know whether consent has
been provided for the way in which data is being stored or used.

60. When performing a post-implementation review of a software development project for a
highly secure application, it is MOST important to confirm that:

A. vulnerability testing was performed.
B. the project was formally closed.
C. the project schedule and budget were met.
D. business functional requirements were met.

D is the correct answer.

Justifications:
A. Vulnerability testing may be incorporated into the system development process; however,
it is most important that business functional requirements were met. As stated in the
question, the business requirements in this case included adequate security.
B. Formally closing the project is important, but the primary goal of meeting business
requirements is most important.
C. Although meeting the designated project time line and budget is an important goal, the
overall purpose of the project is to fulfill a business need. Therefore, validating that the
project met the business functional requirements is the most important task for the IS
auditor.
D. Established procedures for post-implementation review should primarily ensure
that business functional requirements were met. (Security is a non-functional
requirement required by the business.)

61. Why would an organization MOST likely choose an agile systems development approach?

A. To facilitate reuse of modules
B. To enhance security of the system
C. To improve system performance
D. To speed up the rollout to the users

D is the correct answer.

Justifications:
A. Agile may include the reuse of modules, but this is no more likely in agile development
than in other development methodologies.
B. Agile development is not more likely to enhance the security of the system as compared
with other development methodologies.
C. More user feedback may result in superior system performance, but this is not
guaranteed. Clearly defined performance metrics can be obtained with any development
methodology.
D. What distinguishes agile development from other methodologies is that it prioritizes
putting a minimum viable product in front of users as soon as possible in order to
gain their feedback early in the development process.

62. Which of the following would be of MOST interest to an IS auditor reviewing an
organization's risk strategy?

A. All risks are mitigated effectively.
B. Residual risk is zero after control implementation.
C. All likely risks are identified and ranked.
D. The organization uses an established risk framework.

C is the correct answer.

Justifications:
A. Risk mitigation can only occur after all risks are identified and ranked.
B. It is highly unlikely residual risk would be zero.
C. Risks likely to impact the organization should be identified and documented as part
of the risk strategy. Without knowing what your risks are, there is no risk strategy.
D. It is not as important to use an established risk framework as it is to identify and rank all
likely risks so that they can be addressed.

63. Which of the following methods would be the MOST effective way to ascertain that
information security policies have been communicated to and understood by all IS users?

A. Personal interviews
B. User sign-off of policies
C. Structured training programs
D. Instances of policy deviations

A is the correct answer.

Justifications:
A. Personal interviews will help elicit relatively sufficient, appropriate and more
reliable evidence about understanding of contents and intents of policies.
B. User sign-off of policies is often a routine procedure and may not necessarily indicate
that they have read and understood the policies.
C. Structured training programs may help increase the awareness of users to the policy.
However, these cannot produce much reliable evidence that users have understood the
contents and intent of policies.
D. The existence of policy deviations cannot be taken as a reliable indicator of
misunderstanding of policy contents and intent. Deviations might be due to user
ignorance or may be intentional.

64. Which of the following provides the BEST evidence of an organization’s cyber incident
response readiness?

A. Recently updated incident response procedures
B. A documented disaster recovery plan
C. Regular internal audits of incident response
D. The results of annual tabletop exercises

D is the correct answer.

Justifications:
A. Although procedures are an important part of an incident response plan, they do not
provide evidence of effectiveness.
B. The presence of a documented disaster recovery plan with no testing is not evidence of
adequate preparedness.
C. Internal audits do not provide evidence of incident response readiness.
D. Tabletop exercises are the most cost-effective means of testing incident response
readiness and provide the best evidence of effectiveness.

65. The MAIN purpose of the annual IS audit plan is to:

A. allocate resources for audits.
B. reduce the impact of audit risk.
C. develop a training plan for auditors.
D. minimize the audit costs.

A is the correct answer.

Justifications:
A. As IS audit assignments need to be accomplished with limited time and human
resources, audits are scheduled and prioritized as determined by IS audit
management.
B. Audit risk is inherent to all audits, and the schedule has no bearing on the impact to audit
risk.
C. Developing a training plan for auditors is important, but it is not the main purpose of an
IS audit plan.
D. Minimizing the audit costs could be one of the objectives of annual IS audit plan.
However, this would be a result of ensuring audit resources are used effectively.

66. Which of the following will be the MOST cost-effective way to evaluate the completeness of
the disaster recovery plan?

A. Organize a paper test with actual members of the response team.
B. Arrange for a review of the procedures by an independent consultant.
C. Ensure that all likely cyber attack disaster scenarios are covered in procedures.
D. Include senior management in a disaster recovery exercise.

A is the correct answer.

Justifications:
A. A paper test walks through the various scenarios with the actual members of the
response team and is more cost effective than bringing in an outside consultant (or
conducting a full interruption test).
B. Bringing in an independent consultant is less cost effective than conducting a paper test
with the response team and would yield similar results.
C. It is not possible to envision all possible cyber attack scenarios, as technology and the
threat landscape are always evolving. Not all disaster recovery scenarios are linked to
cyber attack.
D. Including senior management in a disaster recovery exercise would not impact the cost
effectiveness of the test and would not identify flaws in the technical procedures.

67. An IS auditor is reviewing an organization’s change management process and finds that
after-hours emergency changes are made, and approval is obtained subsequent to the change.
Which of the following is the BEST course of action for the auditor?

A. Record the finding in the report.
B. Recommend an after-hours approval team.
C. Recommend that changes are not made until approval is obtained.
D. Document the practice in the report.

D is the correct answer.

Justifications:
A. Emergency changes occur, and if the organization is experiencing a network attack, an
emergency change could limit the impact of the attack and may be a necessary exception
to the standard practice.
B. Recommending an after-hours approval team would be inefficient.
C. This is an inefficient process as there may be situations, such as a network attack, where
emergency changes may need to be made outside of the normal approval process.
D. Emergency changes occur, and it may be appropriate to enable changes and obtain
approval subsequent to the change. Reporting the practice, and not recording as a
finding in the report, is appropriate.

68. The MOST important element for the effective design of an information security policy is
the:

A. threat landscape.
B. prior security incidents.
C. emerging technologies.
D. enterprise risk appetite.

D is the correct answer.

Justifications:
A. The threat landscape is dynamic. It should be considered when developing policy, but it
is not the primary factor as policy is not meant to change as often as the threat landscape.
B. Prior security incidents may provide insight into the risk appetite statement; however,
they are more likely to affect security standards and procedures.
C. Emerging technologies are continually evolving. They should be considered when
developing policy, but they are not the primary factor as policy is not meant to change as
often as technology.
D. The risk appetite is the amount of risk on a broad level an entity is willing to accept
in pursuit of its mission to meet its strategic objectives. The purpose of the
information security policy is to manage information risk to an acceptable level, so
the policy is principally aligned with the risk appetite.

69. Which of the following scenarios would an IS auditor MOST likely expect an application
team to employ when a system change to a mission-critical application with a low tolerance
to failure causes a disruption in operations?

A. Backup
B. Fallback
C. Migration
D. Failover

B is the correct answer.

Justifications:
A. Backups are replicas of data that are available for use in the event of data corruption or
loss. Unless the system change destroyed or corrupted data, backups would not be
employed. The system would still require a restoration to its prior state via fallback
(rollback) to ensure continued operations while the development team determines the
cause of the disruption. Backup requires more time than fallback, which may be
unacceptable for mission-critical systems.
B. A fallback (or rollback) is a plan of action to be performed if a system
implementation, upgrade or modification/change does not work as intended.
Fallback restores the system to the state prior to the change. This is the most
common and effective method of mitigating the risk of downtime for mission-critical
systems. All changes should have a fallback plan that includes instructions on
restoring the system to the prior state.
C. A migration is the process of transferring a system from one environment, platform, or
server to another. Migration would not address the underlying cause of a disruption
resulting from a system change. Thus fallback (rollback) would still be the best option for
quick recovery.
D. Failover to the disaster recovery system might not be an option if the change was released
to all environments simultaneously. In addition, unless the system uses a hot site, the time
to recovery would be greater than simply restoring the system to its prior steady state
through the use of fallback (rollback) procedures.

70. An IS auditor is conducting a postimplementation review of an enterprise’s network.
Which of the following findings would be of MOST concern?

A. Wireless mobile devices are not password-protected.
B. Default passwords are not changed when installing network devices.
C. An outbound web proxy does not exist.
D. All communication links do not use encryption.

B is the correct answer.

Justifications:
A. While mobile devices that are not password-protected would be a risk, it would not be as
significant as unsecured network devices.
B. The most significant risk in this case would be if the factory default passwords are
not changed on critical network equipment. This could allow anyone to change the
configurations of network equipment.
C. The use of a web proxy is a good practice but may not be required depending on the
enterprise.
D. Encryption is a good control for data security but is not appropriate to use for all
communication links due to cost and complexity.

71. Which of the following is MOST important to consider when reviewing the classification
levels of information assets?

A. Potential loss
B. Financial cost
C. Potential threats
D. Cost of insurance

A is the correct answer.

Justifications:
A. The best basis for asset classification is an understanding of the total losses a
business may incur if the asset is compromised. Typically, estimating these losses
would require a review of criticality and sensitivity beyond financial cost, such as
operational, strategic, etc.
B. The value of an asset can be greater than its monetary cost, such as impact to reputation
and brand, etc.
C. The classification of an asset does not change based on potential threats.
D. Insurance would be obtained based on asset classification.

72. Which of the following is MOST important when system patches need to be applied to
application servers at the disaster recovery site?

A. Approval from the disaster recovery site manager
B. Approval from respective system owners
C. Approval from the information security manager
D. Approval from the business continuity coordinator

B is the correct answer.

Justifications:
A. The disaster recovery site manager does not own the risk, so without the system owner
approving the change, the decision would not be accepted by the business.
B. The approval of the system owner is most important, as this is the person who best
understands the risk, regardless of whether the system is at the production site or
the disaster recovery site.
C. It is not the role of the information security manager to approve patches, so without the
system owner approving the change, the decision would not be accepted by the business.
D. It is not the role of the business continuity coordinator to approve patches, so without
the system owner approving the change, the decision would not be accepted by the
business.

73. Which of the following is the FIRST step in determining the appropriate level of protection
for the enterprise information systems?

A. Security baseline
B. Data classification
C. Risk assessment
D. Asset inventory

D is the correct answer.

Justifications:
A. A security baseline is an implementation mechanism driven by data classification, which
can be performed at a later stage.
B. Data classification is based on data sensitivity and criticality and should be implemented
after an asset inventory.
C. A risk assessment requires the assets to be inventoried and classified before the
appropriate level of protection for the information systems can be determined.
D. Although data classification determines protection levels, effective control requires a
detailed inventory of information assets. Creating this list is the first step in
classifying assets and determining the level of protection needed for each asset.

74. A digital hash ensures:

A. Authenticity
B. Confidentiality
C. Availability
D. Integrity

D is the correct answer.

Justifications:
A. Digital hashes may play a secondary role in authenticity when used as part of digital
signatures, but this is not their primary function.
B. Confidentiality is not affected by hashing.
C. Hashing ensures integrity and not availability.
D. A digital hash reveals whether the data has been altered, thus ensuring its integrity.
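
The distinction between justifications A and D is worth seeing in code. The Go program below is an added example, not part of the ISACA answer key: with the original digest on file, a one-digit change to a record is detected (integrity); but an attacker who can alter the record can also recompute a plain hash, so a bare hash says nothing about who produced the data; only a keyed construction such as an HMAC (or a digital signature) rejects the forgery. The record text and the key are constructed for the illustration; a real key would come from a key management system, not a literal.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Sha256Hex returns the hex-encoded SHA-256 digest of data.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// IntegrityCheck reports whether data still matches a digest recorded earlier.
func IntegrityCheck(data []byte, expectedHex string) bool {
	return Sha256Hex(data) == expectedHex
}

// HMACHex returns the hex-encoded HMAC-SHA-256 tag of data under key.
func HMACHex(key, data []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return hex.EncodeToString(mac.Sum(nil))
}

// HMACCheck verifies a tag in constant time, as authentication tags require.
func HMACCheck(key, data []byte, tagHex string) bool {
	expected, err := hex.DecodeString(tagHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return hmac.Equal(mac.Sum(nil), expected)
}

// Demo walks through three cases with a constructed record:
//  1. a one-digit change is caught when the original digest is on file (integrity);
//  2. an attacker who can alter the record can also recompute the plain hash,
//     so a bare hash proves nothing about origin (no authenticity);
//  3. an HMAC under a key the attacker does not hold rejects the forgery.
func Demo() (tamperDetected, plainHashRecomputed, hmacForgeRejected bool) {
	original := []byte("transfer 100.00 to account 12345") // constructed record
	tampered := []byte("transfer 900.00 to account 12345")

	storedDigest := Sha256Hex(original)
	tamperDetected = !IntegrityCheck(tampered, storedDigest)

	attackerDigest := Sha256Hex(tampered) // attacker overwrites the stored digest too
	plainHashRecomputed = IntegrityCheck(tampered, attackerDigest)

	key := []byte("hypothetical-server-side-key") // assumed; in practice from a KMS/HSM
	storedTag := HMACHex(key, original)
	hmacForgeRejected = !HMACCheck(key, tampered, storedTag)
	return tamperDetected, plainHashRecomputed, hmacForgeRejected
}

func main() {
	a, b, c := Demo()
	fmt.Println("tampering detected by stored hash:     ", a)
	fmt.Println("attacker-recomputed hash still passes: ", b)
	fmt.Println("HMAC rejects forged record:            ", c)
}
```

The practical consequence for an auditor: a published hash only protects integrity if the hash itself is stored or delivered through a channel the attacker cannot write to; otherwise an HMAC or signature is needed.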

75. Which of the following would be the GREATEST concern when an IS auditor notices an
increasing number of emergency changes?

A. Fast-tracking of releases into production
B. Increased number of production incidents
C. High chance of introducing security deficiencies
D. Insufficient documentation of changes

A is the correct answer.

Justifications:
A. A high number of emergency changes might indicate an attempt to bypass standard
change management controls, such as approval of changes by the business, proper
testing, and validation of installation into the production environment.
Bypassing those controls might result in an increased number of production
incidents, security deficiencies and improper changes installed into the production
environment.
B. An increased number of production incidents might be a reason for the increased number
of emergency changes; however, it is of lesser concern because it will drop once the
production environment is stabilized.
C. Security deficiencies might be a result of the increased number of emergency changes;
however, it is more important to fix the root cause of the emergency changes to prevent
the introduction of the deficiencies.
D. Emergency changes usually have less documentation than standard changes; however, this
is a secondary risk compared to the other options.
