Free Exam/Cram Practice Materials - Best Exam Practice Materials

IT Certification Guaranteed, The Easy Way!

NO.1 When assessing a proposed project for the two-way replication of a customer database with a
remote call center, the IS auditor should ensure that:
A. end users are trained in the replication process.
B. database conflicts are managed during replication.
C. the source database is backed up on both sites.
D. user rights are identical on both databases.
Answer: B
Explanation:
When assessing a proposed project for the two-way replication of a customer database with a
remote call center, the IS auditor should ensure that database conflicts are managed during
replication. This should include verifying that the replication process is designed to reconcile any
discrepancies between the databases, such as conflicting data or duplicate records. Additionally, the
IS auditor should review the security and access controls in place to ensure that the replications are
performed securely and only authorized users have access to the replicated data.

NO.2 Following a breach, what is the BEST source to determine the maximum amount of time before
customers must be notified that their personal information may have been compromised?
A. Information security policy
B. Industry standards
C. Industry regulations
D. Incident response plan
Answer: D

NO.3 An IS auditor finds that capacity management for a key system is being performed by IT with
no input from the business. The auditor's PRIMARY concern would be:
A. impact to future business project funding.
B. unanticipated increase in the business's capacity needs.
C. cost of excessive data center storage capacity.
D. failure to maximize the use of equipment.
Answer: B

NO.4 Which of the following is the BEST detective control for a job scheduling process involving data
transmission?
A. Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer
Protocol (SFTP).
B. Metrics denoting the volume of monthly job failures are reported and reviewed by senior
management.
C. Job failure alerts are automatically generated and routed to support personnel.
D. Jobs are scheduled and a log of this activity is retained for subsequent review.
Answer: C

NO.5 Which of the following should be of GREATEST concern to an IS auditor conducting an audit of
an organization that recently experienced a ransomware attack?
A. Employees were not trained on cybersecurity policies and procedures

Get Latest & Valid CISA Exam's Question and Answers from Freecram.net.
https://www.freecram.net/exam/CISA-certified-information-systems-auditor-e2240.html
B. Backups were only performed within the local network
C. The most recent security patches were not tested prior to implementation
D. Antivirus software was unable to prevent the attack even though it was properly updated
Answer: B

NO.6 A new regulation in one country of a global organization has recently prohibited cross-border
transfer of personal data. An IS auditor has been asked to determine the organization's level of
exposure in the affected country. Which of the following would be MOST helpful in making this
assessment?
A. Identifying business processes associated with personal data exchange with the affected
jurisdiction
B. Identifying data security threats in the affected jurisdiction
C. Reviewing data classification procedures associated with the affected jurisdiction
D. Developing an inventory of all business entities that exchange personal data with the affected
jurisdiction
Answer: A

NO.7 Which of the following is the BEST way to verify the effectiveness of a data restoration
process?
A. Validating offline backups using software utilities
B. Reviewing and updating data restoration policies annually
C. Performing periodic reviews of physical access to backup media
D. Performing periodic complete data restorations
Answer: D

NO.8 Which of the following is the MOST important activity in the data classification process?
A. Determining the adequacy of privacy controls
B. Determining accountability of data owners
C. Identifying risk associated with the data
D. Labeling the data appropriately
Answer: D

NO.9 Which of the following is MOST important during software license audits?
A. Compliance testing
B. Substantive testing
C. Stop-or-go sampling
D. Judgmental sampling
Answer: A
Explanation:
Compliance testing is the most important during software license audits. This is because compliance
testing verifies that the organization is adhering to software licensing rules and regulations, and that
the organization is using the software legally. Compliance testing ensures that the organization is not
in violation of any software licenses, and that all software licenses are up to date and valid.

During software license audits, it is important to assess the compliance of an organization with its
software license agreements. This includes verifying the number of licenses purchased, the terms of
the agreements, and the actual use of the software. Compliance testing is the process of evaluating
the organization's compliance with its software license agreements to determine if it is using the
software within the terms of the license agreement.
Reference:
ISACA. (2021). 2021 CISA Review Manual, 27th Edition. ISACA. (Chapter 6, Software Acquisition,
Development, and Maintenance)

NO.10 Which of the following is MOST important to consider when scheduling follow-up audits?
A. The impact if corrective actions are not taken
B. The efforts required for independent verification with new auditors
C. Controls and detection risks related to the observations
D. The amount of time the auditee has agreed to spend with auditors
Answer: A

NO.11 A new regulation requires organizations to report significant security incidents to the
regulator within 24 hours of identification. Which of the following is the IS auditor's BEST
recommendation to facilitate compliance with the regulation?
A. Engage an external security incident response expert for incident handling.
B. Enhance the alert functionality of the intrusion detection system (IDS).
C. Include the requirement in the incident management response plan.
D. Establish key performance indicators (KPIs) for timely identification of security incidents.
Answer: B

NO.12 Which of the following is the MOST appropriate control to ensure integrity of online orders?
A. Data Encryption Standard (DES)
B. Digital signature
C. Public key encryption
D. Multi-factor authentication
Answer: C

NO.13 Which of the following management decisions presents the GREATEST risk associated with
data leakage?
A. Security policies have not been updated in the past year
B. Security awareness training is not provided to staff
C. There is no requirement for desktops to be encrypted
D. Staff are allowed to work remotely
Answer: B

NO.14 Which of the following should be an IS auditor's GREATEST concern when reviewing an
organization's security controls for policy compliance?
A. End users are not required to acknowledge security policy training
B. The security policy has not been reviewed within the past year

C. Security policies are not applicable across all business units
D. Security policy documents are available on a public domain website
Answer: C

NO.15 During audit fieldwork, an IS auditor learns that employees are allowed to connect their
personal devices to company-owned computers. How can the auditor BEST validate that appropriate
security controls are in place to prevent data loss?
A. Verify employees have received appropriate mobile device security awareness training.
B. Verify the data loss prevention (DLP) tool is properly configured by the organization.
C. Conduct a walk-through to view results of an employee plugging in a device to transfer
confidential data.
D. Review compliance with data loss and applicable mobile device user acceptance policies.
Answer: D

NO.16 In an online application, which of the following would provide the MOST information about
the transaction audit trail?
A. Source code documentation
B. System/process flowchart
C. File layouts
D. Data architecture
Answer: D

NO.17 A web proxy server for corporate connections to external resources reduces organizational
risk by:
A. providing faster response than direct access.
B. anonymizing users through changed IP addresses.
C. load balancing traffic to optimize data pathways.
D. providing multi-factor authentication for additional security.
Answer: D

NO.18 An organization outsourced its IS functions. To meet its responsibility for disaster recovery,
the organization should:
A. delegate evaluation of disaster recovery to internal audit.
B. delegate evaluation of disaster recovery to a third party.
C. discontinue maintenance of the disaster recovery plan (DRP).
D. coordinate disaster recovery administration with the outsourcing vendor.
Answer: D

NO.19 During a database management evaluation, an IS auditor discovers that some accounts with
database administrator (DBA) privileges have been assigned a default password with an unlimited
number of failed login attempts. Which of the following is the auditor's BEST course of action?
A. Identify accounts that have had excessive failed login attempts and request they be disabled.
B. Document the finding and explain the risk of having administrator accounts with inappropriate
security settings.
C. Request the IT manager to change administrator security parameters and update the finding.
Answer: B

NO.20 An organization has outsourced the development of a core application. However, the
organization plans to bring the support and future maintenance of the application back in-house.
Which of the following findings should be the IS auditor's GREATEST concern?
A. The data model is not clearly documented.
B. A training plan for business users has not been developed.
C. The vendor development team is located overseas.
D. The cost of outsourcing is lower than in-house development.
Answer: A

NO.21 Due to limited storage capacity, an organization has decided to reduce the actual retention
period for media containing completed low-value transactions. Which of the following is MOST
important for the organization to ensure?
A. The retention period complies with data owner responsibilities.
B. The policy includes a strong risk-based approach.
C. The retention period allows for review during the year-end audit.
D. The total transaction amount has no impact on financial reporting.
Answer: A

NO.22 An IS auditor has been asked to audit the proposed acquisition of new computer hardware.
The auditor's PRIMARY concern is that:
A. the implementation plan meets user requirements.
B. a full, visible audit trail will be included.
C. the new hardware meets established security standards.
D. a clear business case has been established.
Answer: D

NO.23 A computer forensic audit is MOST relevant in which of the following situations?
A. Inadequate controls in the IT environment
B. Missing server patches
C. Mismatches in transaction data
D. Data loss due to hacking of servers
Answer: D

NO.24 An IS auditor discovers that validation controls in a web application have been moved from
the server side into the browser to boost performance. This would MOST likely increase the risk of a
successful attack by:
A. phishing.
B. denial of service (DoS).
C. structured query language (SQL) injection.
D. buffer overflow.
Answer: D

NO.25 Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the
organization's information cannot be accessed?
A. Formatting
B. Data wiping
C. Degaussing
D. Re-partitioning
Answer: B

NO.26 An IS auditor has found that a vendor has gone out of business and the escrow has an older
version of the source code. What is the auditor's BEST recommendation for the organization?
A. Perform an analysis to determine the business risk.
B. Bring the escrow version up to date.
C. Develop a maintenance plan to support the application using the existing code.
D. Analyze a new application that meets the current re
Answer: B

NO.27 Backup procedures for an organization's critical data are considered to be which type of
control?
A. Directive
B. Detective
C. Compensating
D. Corrective
Answer: D

NO.28 Which of the following is MOST important for an IS auditor to verify when evaluating an
organization's data conversion and infrastructure migration plan?
A. Strategic goals have been considered.
B. A code check review is included.
C. A rollback plan is included.
D. A migration steering committee has been formed.
Answer: C

NO.29 Prior to a follow-up engagement, an IS auditor learns that management has decided to accept
a level of residual risk related to an audit finding without remediation. The IS auditor is concerned
about management's decision. Which of the following should be the IS auditor's NEXT course of
action?
A. Present the issue to executive management.
B. Report the disagreement to the board.
C. Report the issue to IS audit management.
D. Accept management's decision and continue the follow-up.
Answer: C

NO.30 Which of the following presents the GREATEST challenge to the alignment of business and IT?
A. Lack of information security involvement in business strategy development
B. An IT steering committee chaired by the chief information officer (CIO)
C. Lack of chief information officer (CIO) involvement in board meetings
D. Insufficient IT budget to execute new business projects
Answer: A
