Certified Information Systems Auditor (CISA) — Questions 676–750

984 questions total · 14 pages · All types, answers revealed

Page 10 of 14
676 · MCQ · medium

An administrator sees the above error after a failed backup job. What is the MOST likely cause?

A. The backup service account does not have write permissions to the destination
B. The network share \\BACKUPSRV\DBBackups\DB01\ is offline or unreachable
C. The SQL Server backup client is not installed
D. The backup destination disk is full
Answer: B

The error indicates the path specified does not exist or is unavailable.

Why this answer

The error message indicates that the backup destination path \\BACKUPSRV\DBBackups\DB01\ is inaccessible. This is most commonly caused by the network share being offline, unreachable due to network issues, or the target server being down. Without connectivity to the UNC path, the backup job cannot proceed, even if permissions and disk space are adequate.

Exam trap

The trap here is that candidates often assume a failed backup is always due to permissions or disk space, but the error message's specific wording about the path being 'offline or unreachable' directly points to a network connectivity issue, not authorization or capacity.

How to eliminate wrong answers

Option A is wrong because the error message does not mention permission denial; a permissions issue would typically produce an 'access denied' or similar error, not a generic 'unreachable' failure. Option C is wrong because the SQL Server backup client is not required for backing up to a network share; SQL Server uses its native VDI or T-SQL BACKUP command, and the error points to connectivity, not missing client software. Option D is wrong because a full disk would generate a 'disk full' or 'insufficient space' error, not a failure to reach the destination path.

677 · MCQ · easy

An organization has a policy requiring strong passwords. Which additional control is most effective at preventing credential stuffing attacks?

A. Increasing password length and complexity requirements.
B. Implementing account lockout after 3 failed attempts.
C. Requiring multi-factor authentication (MFA) for all logins.
D. Conducting annual security awareness training.
Answer: C

MFA renders stolen passwords useless as the second factor is required for access.

Why this answer

Multi-factor authentication (MFA) stops attackers who have stolen passwords because they cannot provide the second factor.

678 · MCQ · easy

Which document is typically included in the permanent file of audit documentation?

A. Organizational chart
B. Management representation letter
C. Current year audit program
D. Working papers for testing
Answer: A

Organizational charts are carryforward items.

Why this answer

The permanent file contains information that is relevant for multiple audits, such as organizational charts and key contracts.

679 · MCQ · hard

An auditor is reviewing IT policy compliance and finds that a critical policy was last updated three years ago. The organization has undergone significant changes. What is the auditor's PRIMARY concern?

A. Employees may not be aware of the policy
B. The policy may not have been approved by management
C. The policy may not be enforced
D. The policy may not be aligned with current business objectives
Answer: D

Outdated policies may not reflect current objectives, risks, or regulatory requirements, leading to governance gaps.

Why this answer

Policies should be reviewed and updated regularly to remain current and effective. The primary concern is that the policy may no longer be relevant or effective due to changes in the organization, technology, or regulatory environment.

680 · MCQ · easy

An IS auditor is reviewing a software development project that follows the waterfall model. Which of the following is the MAIN advantage of this methodology?

A. Reduced risk of requirements misinterpretation
B. Clear milestones and documentation at each phase
C. Early delivery of working software increments
D. Ability to accommodate changing requirements easily
Answer: B

Each phase produces deliverables and sign-offs.

Why this answer

Waterfall's sequential phases and formal sign-offs provide clear milestones and documentation.

681 · Multi-Select · hard

Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)

Select 3 answers
A. Designing network security architecture
B. Setting IT risk appetite
C. Reviewing IT performance
D. Implementing IT controls
E. Approving IT strategy
Answers: B, C, E

Correct. Board defines risk tolerance.

Why this answer

Options B, C, and E are correct because setting IT risk appetite, reviewing IT performance, and approving IT strategy are board-level responsibilities. Option D is incorrect because implementing controls is management's role. Option A is incorrect because designing network security architecture is an operational task.

682 · MCQ · medium

During a change management audit, an IS auditor finds that a critical system change was approved by the change manager without a CAB meeting. The change was categorized as a standard change. Which of the following should the auditor do FIRST?

A. Report a lack of segregation of duties
B. Recommend immediate rollback of the change
C. Escalate to senior management
D. Determine if the change was correctly classified as standard
Answer: D

If it is a standard change, the process was followed.

Why this answer

The auditor's first step must be to verify whether the change was correctly classified as a standard change, because standard changes are pre-approved and do not require a CAB meeting. If the classification is correct, the process was followed; if not, the lack of CAB approval is a control failure. This aligns with ITIL best practices, where standard changes are low-risk, pre-authorized changes with a defined procedure, and the auditor must confirm the classification before escalating or recommending action.

Exam trap

The trap here is that candidates assume any change approved without a CAB meeting is a control failure, but they overlook the critical first step of verifying whether the change was correctly classified as a standard change, which is pre-approved and does not require CAB involvement.

How to eliminate wrong answers

Option A is wrong because a lack of segregation of duties would involve the same person approving and implementing the change, but here the change manager approved a standard change, which is within their role; the issue is classification, not segregation. Option B is wrong because recommending an immediate rollback is premature without first confirming whether the change was correctly classified as standard; if it was standard, no rollback is needed. Option C is wrong because escalating to senior management is a reactive step that should only occur after the auditor has determined whether the change classification was correct, as the classification dictates the required approval process.

683 · MCQ · medium

An auditor is reviewing the encryption strategy for a healthcare application that stores protected health information (PHI) in a database. The database currently uses transparent data encryption (TDE). What is a key risk associated with TDE?

A. It requires complex key management
B. It significantly degrades database performance
C. It does not protect against privileged database users
D. It cannot be used with column-level encryption
Answer: C

TDE encrypts data at rest but decrypts it transparently when accessed by authorized users, so DBAs can still see the plaintext.

Why this answer

TDE generally does not protect data from users with database admin privileges because decryption occurs at the database level, and any authorized user, including a DBA, can read the plaintext. Option B is wrong because the performance impact is typically minor. Option A is wrong because key management is a consideration but not the key risk related to user access. Option D is wrong because TDE can be implemented alongside column-level encryption.

684 · MCQ · medium

Refer to the exhibit. A tester executes test case TC-101 and records the result shown. What is the NEXT appropriate step in the testing process?

A. Re-run the test case after the defect is fixed
B. Create a new test case to cover the error
C. Update the requirements to reflect the actual behavior
D. Log a defect in the defect tracking system
Answer: D

The discrepancy indicates a defect that should be logged for resolution.

Why this answer

The tester executed TC-101 and observed a result that deviates from the expected behavior, indicating a defect. The immediate next step in the structured testing process is to log the defect in the defect tracking system to formally document the issue, assign severity, and initiate the resolution workflow. This aligns with the CISA testing lifecycle, where defects are captured before any re-testing or requirement changes.

Exam trap

The trap here is that candidates may think re-running the test (Option A) is the logical next step, but CISA emphasizes that defects must be formally logged before any remediation actions to maintain audit trail and process integrity.

How to eliminate wrong answers

Option A is wrong because re-running the test case after a fix is premature; the defect must first be logged and triaged before any fix is applied. Option B is wrong because creating a new test case to cover the error is not the immediate next step; the existing test case already exposes the defect, and additional coverage is handled after defect logging. Option C is wrong because updating requirements to reflect actual behavior would incorrectly treat a defect as a feature, violating the principle that requirements drive expected outcomes, not the other way around.

685 · MCQ · easy

A small business lacks formal IT governance. What is the FIRST step to establish governance?

A. Assign an IT manager
B. Define IT policies
C. Conduct a risk assessment
D. Implement COBIT
Answer: C

Risk assessment reveals the starting point for governance.

Why this answer

Conducting a risk assessment identifies the most critical issues and guides the development of governance policies and structure. Defining policies or assigning roles without understanding risks may be premature.

686 · MCQ · medium

An organization is implementing a new IT governance framework. Which of the following is the BEST approach to ensure alignment between IT strategy and business goals?

A. Align IT budget with the previous year's business plan
B. Conduct annual IT strategy reviews independent of business cycles
C. Establish an IT steering committee with business representation
D. Delegate IT strategy to the CIO without business input
Answer: C

A steering committee with business leaders ensures ongoing alignment.

Why this answer

Option C is correct because a steering committee with both IT and business leaders ensures ongoing strategic alignment. Option D is wrong because it involves only IT and excludes business input. Option A is wrong because aligning reactively to the previous year's plan after budgeting is less effective. Option B is wrong because annual reviews held independently of business cycles are insufficient for ongoing alignment.

687 · MCQ · easy

When implementing a commercial off-the-shelf (COTS) software package, which of the following is the MOST important activity to ensure the software meets business requirements?

A. Conducting a vendor demonstration
B. Developing a project plan with milestones
C. Performing a gap analysis between requirements and software features
D. Reviewing the software's technical architecture
Answer: C

Directly addresses requirements coverage.

Why this answer

Performing a gap analysis is the most important activity because it systematically maps each business requirement against the COTS software's delivered features, identifying any shortfalls that must be addressed through configuration, customization, or process adaptation. Without this structured comparison, the organization risks deploying software that fails to support critical business processes, leading to costly rework or project failure.

Exam trap

The trap here is that candidates often confuse vendor demonstrations with functional validation, assuming a demo proves the software fits all requirements, when in reality demos are scripted and omit edge cases that a gap analysis would expose.

How to eliminate wrong answers

Option A is wrong because a vendor demonstration is a marketing tool that showcases the software under ideal conditions, not a rigorous method to verify that every specific business requirement is met; it cannot uncover gaps in functionality or data handling. Option B is wrong because developing a project plan with milestones is a project management activity that ensures tasks are scheduled and tracked, but it does not directly assess whether the software's features align with business needs. Option D is wrong because reviewing the software's technical architecture focuses on infrastructure, scalability, and security design, not on functional fit; a technically sound system can still completely miss key business requirements.

688 · Multi-Select · easy

Which TWO of the following are examples of administrative controls for information security?

Select 2 answers
A. Intrusion detection system
B. Firewall configuration
C. Access control policy
D. Encryption algorithms
E. Security awareness training
Answers: C, E

Policies are administrative controls that define rules and procedures.

Why this answer

Access control policy is an administrative control because it defines the rules, roles, and responsibilities for granting or restricting access to information assets. It is a documented directive that governs user behavior and management processes, not a technical mechanism. Administrative controls are management-level safeguards, such as policies, procedures, and training, that guide the implementation of technical and physical controls.

Exam trap

ISACA often tests the distinction between administrative, technical, and physical controls, and the trap here is that candidates confuse policy documents (administrative) with the technical mechanisms that implement them, such as firewalls or encryption.

689 · MCQ · hard

An organization uses the policy shown. Which of the following is an omission in the policy?

A. No definition of authorized users
B. No mention of backup frequency
C. No specification of data disposal methods after retention periods
D. Missing encryption requirement for log data
Answer: C

The policy defines retention but not deletion or archiving.

Why this answer

Option C is correct because the policy contains no rule for data disposal after the retention period. Option A is wrong because authorized users are defined in the policy. Option B is wrong because backup frequency is addressed. Option D is not mentioned in the policy, but that is not an omission in this context.

690 · MCQ · hard

An IS auditor is evaluating the design of controls over a new financial system. Which of the following is the BEST approach to assess control design?

A. Use analytical procedures to identify anomalies
B. Review system documentation and conduct walkthroughs
C. Perform detailed testing of transactions
D. Interview management and review policies
Answer: B

Correct; documentation and walkthroughs are primary methods for assessing design.

Why this answer

Reviewing system documentation and conducting walkthroughs allows the auditor to understand the intended design and compare it to actual implementation.

691 · MCQ · medium

During a penetration test, a tester discovers that an application stores passwords using a reversible encryption algorithm. Which of the following is the BEST remediation?

A. Use MD5 hashing with a salt
B. Replace the encryption algorithm with AES-256
C. Implement a strong one-way hashing algorithm such as bcrypt
D. Add a random salt before encryption
Answer: C

bcrypt is designed for password storage.

Why this answer

Storing passwords using reversible encryption is fundamentally flawed because any encryption key can be compromised, allowing an attacker to decrypt all passwords. The best remediation is to use a strong, one-way hashing algorithm like bcrypt, which is designed to be computationally expensive and includes a built-in salt to resist rainbow table attacks and brute-force attempts. Unlike encryption, hashing is irreversible, so even if the database is breached, the original passwords cannot be recovered.

Exam trap

The trap here is that candidates confuse encryption with hashing, thinking that a strong encryption algorithm like AES-256 is sufficient for password storage, when in fact any reversible method is insecure for this purpose.

How to eliminate wrong answers

Option A is wrong because MD5 is a broken hashing algorithm that is vulnerable to collision attacks and fast brute-force computation; even with a salt, it is not considered secure for password storage. Option B is wrong because AES-256 is a symmetric encryption algorithm, not a hashing algorithm; replacing one reversible encryption with another still leaves passwords recoverable if the encryption key is compromised. Option D is wrong because adding a salt before encryption does not address the core issue—the passwords remain reversible and can be decrypted if the key is obtained.

692 · MCQ · medium

According to ITIL 4, which guiding principle emphasizes understanding the current state before making improvements?

A. Progress iteratively
B. Focus on value
C. Start where you are
D. Keep it simple and practical
Answer: C

This principle emphasizes understanding the current state before making changes.

Why this answer

ITIL 4's guiding principle 'Start where you are' advises assessing the current state before embarking on improvements.

693 · MCQ · hard

An IS auditor is reviewing the change management process for a financial institution. The auditor finds that emergency changes bypass normal approval but are documented and reviewed within 48 hours. Which of the following is the BEST recommendation?

A. Require a second administrator to approve during the emergency.
B. Implement a risk classification for changes and apply controls accordingly.
C. Increase the frequency of post-implementation reviews to every 24 hours.
D. Require all emergency changes to be approved by the change advisory board (CAB) before implementation.
Answer: B

Risk classification allows appropriate control for each change type.

Why this answer

Option B is correct because implementing a risk classification for changes allows the organization to apply appropriate controls based on the change's impact and urgency. Emergency changes inherently require speed, but a risk-based approach ensures that high-risk emergency changes receive more stringent controls (e.g., mandatory peer review) while low-risk changes can proceed with lighter oversight. This balances security with operational agility, which is critical in a financial institution where system availability and data integrity are paramount.

Exam trap

The trap here is that candidates assume all emergency changes must be treated equally and thus focus on adding more approval steps (A or D) or increasing review frequency (C), rather than recognizing that a risk-based classification is the most effective and efficient control to address varying levels of risk in emergency changes.

How to eliminate wrong answers

Option A is wrong because requiring a second administrator to approve during the emergency introduces a bottleneck that defeats the purpose of an emergency change process, which is to rapidly address critical incidents; it also does not address the root issue of varying risk levels across changes. Option C is wrong because increasing post-implementation reviews to every 24 hours does not solve the lack of pre-implementation controls for emergency changes; it only adds administrative overhead without ensuring that high-risk changes are properly vetted before deployment. Option D is wrong because requiring all emergency changes to be approved by the CAB before implementation is impractical for true emergencies, as CAB meetings are typically scheduled and cannot convene instantly; this would delay critical fixes and potentially cause service outages or security breaches.

694 · MCQ · easy

A company is experiencing frequent server crashes due to memory leaks. The operations team has implemented a monitoring solution. Which of the following is the BEST indicator to trigger an automated failover to a standby server?

A. Memory usage exceeding 90% for more than 5 minutes
B. Disk I/O latency greater than 10ms
C. CPU utilization spikes above 80% for 1 minute
D. Network packet loss exceeding 1%
Answer: A

Correct: Directly reflects memory leak condition.

Why this answer

Memory leaks cause gradual memory consumption; sustained high memory usage directly indicates the condition. CPU spikes, disk latency, and packet loss are less specific to memory leaks.

695 · Multi-Select · medium

An organization is adopting COBIT 2019. Which TWO of the following are components of the governance system?

Select 2 answers
A. Processes
B. IT hardware inventory
C. Information flows
D. Organizational structures
E. Employee satisfaction surveys
Answers: A, D

Processes are a core component in COBIT.

Why this answer

Options A and D are correct. COBIT 2019 defines governance system components including processes (A) and organizational structures (D). B (hardware inventory) is an asset, not a component. C (information flows) is part of the information component but not a standalone component. E (employee satisfaction) is not a component.

696 · MCQ · medium

During system development, the project team discovers that the original requirements are incomplete. What is the BEST course of action?

A. Formally document the new requirements and follow the change management process
B. Inform the steering committee and continue as planned
C. Proceed with development and address changes during maintenance
D. Halt the project until all requirements are finalized
Answer: A

Change management ensures proper evaluation and approval of new requirements.

Why this answer

Option A is correct because formally documenting new requirements and following the change management process ensures that all changes are controlled, assessed for impact on scope, budget, and schedule, and approved by stakeholders. This aligns with the systems development lifecycle (SDLC) best practices and the ISACA standard for managing requirements changes, preventing scope creep and maintaining project integrity.

Exam trap

The trap here is that candidates often choose Option D (halting the project) because they assume all requirements must be fully finalized before development, but the CISA exam emphasizes that change management is the appropriate mechanism to handle evolving requirements without stopping the project entirely.

How to eliminate wrong answers

Option B is wrong because simply informing the steering committee without formally documenting and processing the new requirements through change management bypasses the necessary impact analysis and approval controls, risking unauthorized scope changes. Option C is wrong because deferring requirement changes to maintenance violates the principle of early defect detection and correction; addressing changes during maintenance is significantly more costly and can introduce technical debt and security vulnerabilities. Option D is wrong because halting the project entirely is an overreaction; incomplete requirements are common, and the proper response is to manage them through a structured change control process, not to stop all progress.

697 · MCQ · medium

An organization is implementing an automated job scheduling system. Which of the following is the PRIMARY benefit of using dependency management in job scheduling?

A. Reducing the need for backup procedures
B. Automatically rerunning failed jobs without notification
C. Eliminating the need for human operators
D. Ensuring jobs execute in the correct sequence based on prerequisites
Answer: D

This is the primary benefit of dependency management.

Why this answer

Dependency management ensures jobs run in the correct sequence based on prerequisites, reducing errors and manual intervention.

698 · MCQ · medium

An IS auditor is reviewing a change management process. A developer made an emergency change directly to production without following the standard change approval process. The change was later documented as a normal change. Which control weakness is MOST indicated by this scenario?

A. Inadequate segregation of duties between development and production environments
B. Absence of a rollback plan for emergency changes
C. Insufficient testing of emergency changes before deployment
D. Lack of a formal change documentation policy
Answer: A

Direct production access by developers violates segregation of duties.

Why this answer

The developer bypassed the standard change approval process by making an emergency change directly to production, then retroactively documenting it as a normal change. This directly violates the principle of segregation of duties (SoD), as the same individual who implemented the change also controlled the documentation and approval trail, eliminating independent oversight. In a properly segregated environment, developers should not have direct write access to production systems without a separate change authorization and deployment step.

Exam trap

The trap here is that candidates focus on the lack of testing or documentation, but the most critical control weakness is the violation of segregation of duties, as the developer both made the change and controlled its documentation, eliminating independent oversight.

How to eliminate wrong answers

Option B is wrong because the absence of a rollback plan, while a concern, is not the primary control weakness indicated; the core issue is the lack of segregation of duties, not the absence of a recovery procedure. Option C is wrong because insufficient testing of emergency changes is a risk, but the scenario does not mention whether testing occurred or not—the key failure is the unauthorized direct change and subsequent misdocumentation, not the testing process itself. Option D is wrong because a formal change documentation policy may exist (the change was documented as a normal change), but the weakness is that the documentation was falsified to hide the emergency bypass, not that the policy is missing.

699 · MCQ · hard

A multinational corporation is adopting a hybrid cloud strategy. The IT governance board must decide on a framework to ensure alignment with business objectives and regulatory compliance. Which framework is MOST appropriate?

A. ITIL 4 Service Value System
B. COBIT 2019
C. ISO/IEC 27001 Information Security Management
D. PMBOK Guide
Answer: B

COBIT 2019 is a comprehensive framework for IT governance and management.

Why this answer

COBIT 2019 is the most appropriate framework because it is specifically designed for IT governance, providing a comprehensive set of controls and processes to align IT with business objectives and ensure regulatory compliance. In a hybrid cloud strategy, COBIT 2019's focus on governance objectives, stakeholder needs, and risk management directly addresses the board's need for oversight across on-premises and cloud environments, unlike frameworks that target service management, security, or project management.

Exam trap

The trap here is that candidates often confuse ITIL (service management) with governance, assuming that best practices for service delivery inherently cover board-level alignment and compliance, but ITIL lacks the governance objectives and stakeholder-driven goal cascade that COBIT provides for hybrid cloud strategies.

How to eliminate wrong answers

Option A is wrong because ITIL 4 Service Value System focuses on IT service management (ITSM) best practices, such as incident and change management, but lacks the governance and compliance alignment mechanisms required for board-level decision-making in a hybrid cloud strategy. Option C is wrong because ISO/IEC 27001 is an information security management standard that addresses security controls and risk management, but it does not provide a holistic governance framework for aligning IT with business objectives and regulatory compliance across the entire enterprise. Option D is wrong because PMBOK Guide is a project management framework that covers project lifecycle and processes, but it is not designed for ongoing IT governance or ensuring sustained alignment with business goals and compliance in a hybrid cloud environment.

700 · Multi-Select · hard

Based on the backup logs, the backup administrator notices that the incremental backup job failed due to insufficient storage. Which TWO actions should the administrator take to resolve the immediate issue and prevent recurrence?

Select 2 answers
A. Free up space on the backup storage device by removing old backup sets manually
B. Check network bandwidth between the backup server and storage device
C. Increase the frequency of incremental backups to reduce data volume per job
D. Configure backup retention policies and enable data deduplication on the backup device
E. Investigate and resolve the file-in-use warnings from the full backup job
Answers: A, D

This addresses the immediate 'insufficient storage' error by freeing up space for the next backup.

Why this answer

Option A is correct because freeing up space on the backup storage device by removing old backup sets immediately resolves the insufficient storage issue that caused the incremental backup job to fail. This is a direct, short-term fix that reclaims capacity without altering backup schedules or configurations.

Exam trap

The trap here is that candidates may confuse a storage capacity issue with a performance issue (Option B) or incorrectly assume that increasing backup frequency (Option C) reduces data volume, when in fact it increases the number of backup objects and metadata overhead.

701 · Multi-Select · hard

An IT auditor is reviewing the alignment of IT with business strategy. Which THREE of the following are indicators of effective IT strategy alignment? (Select THREE.)

Select 3 answers
A. IT budget is determined solely by IT department
B. IT department has its own independent strategy
C. IT steering committee includes business leaders
D. IT balanced scorecard includes business outcome metrics
E. IT projects are prioritized based on business value
Answers: C, D, E

Business involvement ensures alignment.

Why this answer

Strategic alignment is demonstrated when IT initiatives support business objectives, governance mechanisms are in place, and IT performance is measured.

702 · MCQ · medium

During an audit of a cloud service provider, the IS auditor discovers that the provider's data center access logs show an employee accessing the production environment outside of normal business hours without a change request. What should the auditor do FIRST?

A. Report the incident to the provider's management immediately
B. Recommend immediate remediation procedures
C. Obtain supporting evidence such as system logs and change tickets
D. Evaluate the potential impact and the effectiveness of compensating controls
Answer: D

Understanding the significance helps determine the appropriate response.

Why this answer

Option D is correct because the IS auditor's first priority is to assess risk. Without evaluating the potential impact of the unauthorized access and the effectiveness of any compensating controls (e.g., intrusion detection systems, session recording, or multi-factor authentication), the auditor cannot determine the severity of the finding or the urgency of subsequent actions. This aligns with the ISACA audit methodology, which mandates risk-based analysis before recommending remediation or reporting.

Exam trap

The trap here is that candidates often jump to 'gather evidence' (Option C) because it seems logical, but the CISA exam emphasizes that risk assessment (evaluating impact and controls) must precede evidence collection to avoid wasting resources on irrelevant data.

How to eliminate wrong answers

Option A is wrong because reporting to management immediately without first assessing the risk and impact is premature; the auditor must gather sufficient evidence and evaluate the situation to provide an informed report. Option B is wrong because recommending remediation procedures before understanding the full scope and compensating controls could lead to unnecessary or ineffective actions, violating the principle of risk-based auditing. Option C is wrong because while obtaining supporting evidence is important, it is not the first step; the auditor should first evaluate the potential impact and compensating controls to determine what evidence is most relevant and whether immediate escalation is needed.

703
MCQ · hard

During a spiral SDLC project, the project team has completed a risk analysis and created a prototype. What is the most likely next step in the spiral model?

A.Deploy the system to production
B.Obtain formal sign-off from the business owner on requirements
C.Develop the next level of the product based on the risk analysis
D.Conduct user acceptance testing (UAT)
Answer: C

In the spiral model, after risk analysis, the team proceeds to develop the next level of the product (e.g., a more refined prototype or increment).

Why this answer

In the spiral model, each iteration begins with identifying objectives, evaluating alternatives, and resolving risks through risk analysis. After completing risk analysis and building a prototype, the next step is to develop the next level of the product, incorporating the risk analysis findings to refine requirements and design. This ensures that high-risk areas are addressed incrementally before proceeding to subsequent phases.

Exam trap

The trap here is that candidates confuse the spiral model's iterative prototyping with a linear waterfall approach, mistakenly thinking that a prototype leads directly to deployment or formal sign-off, rather than understanding that the spiral model uses risk-driven iteration to progressively refine the product.

How to eliminate wrong answers

Option A is wrong because deploying to production occurs only after multiple iterations and final validation, not immediately after a single risk analysis and prototype. Option B is wrong because formal sign-off on requirements is typically done earlier in the planning phase, not after risk analysis and prototyping; the spiral model emphasizes iterative refinement over rigid sign-offs. Option D is wrong because user acceptance testing (UAT) is performed later in the development cycle, after the product has been built and tested, not directly after risk analysis and prototyping.

704
Multi-Select · medium

Which TWO of the following are examples of analytical procedures used as audit evidence? (Select two.)

Select 2 answers
A.Ratio analysis
B.Inquiry of management
C.Inspection of documents
D.Trend analysis
E.Observation of process
Answers: A, D

Ratio analysis is an analytical procedure.

Why this answer

Analytical procedures include ratio analysis and trend analysis; inquiry, inspection, and observation are other evidence-gathering techniques, not analytical procedures.

705
MCQ · medium

An IS auditor is reviewing the system design phase of a project. Which of the following activities is most important to ensure that security is adequately addressed?

A.Creating a data flow diagram
B.Developing a detailed project schedule
C.Conducting a threat modeling exercise
D.Reviewing the budget for security tools
Answer: C

Threat modeling proactively identifies and mitigates security risks.

Why this answer

Threat modeling identifies potential security threats and informs the design of controls, ensuring security is built in.

706
MCQ · medium

Which of the following is a characteristic of non-statistical (judgmental) sampling?

A.Every item has an equal chance of selection
B.The auditor uses professional judgment to select sample items
C.The sample size is determined using statistical formulas
D.The sample results can be projected to the population with known confidence
Answer: B

Judgmental sampling is based on auditor expertise.

Why this answer

Non-statistical sampling relies on the auditor's judgment and does not use probability theory.

707
MCQ · medium

An IS auditor is reviewing the logical access controls for a critical database. Which of the following findings should be considered the HIGHEST risk?

A.Database administrators share a common user ID for maintenance tasks.
B.The default 'sa' account is enabled with the default password.
C.Access rights are reviewed on an annual basis.
D.The database has not undergone a vulnerability scan in six months.
Answer: B

Default accounts with default passwords are a critical vulnerability.

Why this answer

Default passwords are a well-known vulnerability that can be easily exploited.

708
MCQ · easy

A company is implementing a new customer relationship management (CRM) system. The project team is currently defining user roles and permissions. Which of the following is the PRIMARY reason to enforce segregation of duties (SoD) within the CRM?

A.To reduce the risk of fraud and errors
B.To ensure data accuracy and completeness
C.To comply with regulatory requirements
D.To improve system performance and efficiency
Answer: A

SoD ensures no single individual has control over two or more phases of a transaction, reducing fraud and error risk.

Why this answer

Segregation of duties (SoD) in a CRM system is primarily enforced to prevent a single user from having conflicting capabilities, such as creating a customer record and also approving credit limits or processing refunds. Without SoD, an employee could both initiate and approve a fraudulent transaction, directly increasing the risk of fraud and undetected errors. While SoD can indirectly support data accuracy and compliance, the primary control objective is risk reduction through separation of conflicting functions.

Exam trap

The trap here is that candidates often choose 'compliance' (Option C) because SoD is a common regulatory requirement, but the question asks for the PRIMARY reason, which is the fundamental control objective of reducing fraud and error risk, not the secondary benefit of meeting external mandates.

How to eliminate wrong answers

Option B is wrong because ensuring data accuracy and completeness is a goal of input validation, data quality controls, and reconciliation processes, not the primary reason for enforcing SoD. Option C is wrong because while SoD may help meet regulatory requirements (e.g., SOX, GDPR), compliance is a secondary benefit; the primary reason is to reduce the risk of fraud and errors inherent in the system's design. Option D is wrong because SoD typically adds process steps and approval workflows, which can reduce system performance and efficiency, not improve them.

709
Multi-Select · medium

Which TWO of the following are primary objectives of IT governance as defined by COBIT 5?

Select 2 answers
A.Resource optimization
B.Cost reduction
C.Incident response
D.Value delivery
E.Data encryption
Answers: A, D

Resource optimization is a key governance objective.

Why this answer

Options A and D are correct because COBIT 5 defines the governance objectives as stakeholder value creation (value delivery) and resource optimization. Option C (incident response) is a management activity, not a governance objective. Option E (data encryption) is a goal of information security, not of governance overall.

Option B (cost reduction) is too narrow and is not a primary governance objective.

710
MCQ · medium

A company's IT service desk receives multiple reports of users being unable to access a cloud-based CRM system. The network team confirms that internet connectivity is working. Which of the following should be the FIRST step in troubleshooting the issue?

A.Ask a user to try accessing from a different device
B.Restart the company's firewall and proxy servers
C.Check the vendor's service status page for any reported outages
D.Review recent change requests for the CRM system
Answer: C

This quickly identifies if the issue is widespread and outside the organization's control.

Why this answer

Option C is correct because checking the vendor's service status page helps determine whether a known outage is the cause. Option B is premature; Option A is device-specific; Option D is a later step.

711
MCQ · easy

A medium-sized financial services firm recently suffered a ransomware attack that encrypted critical servers and backups. The recovery process took three weeks because the backup tapes were stored in the same building (which was also infected) and the backup software had a vulnerability that allowed the ransomware to delete old backups. The firm's BCP did not account for simultaneous loss of primary and secondary data. As the IS auditor, you are asked to recommend the most effective improvement to the backup strategy to prevent recurrence and improve resilience. Which of the following actions should the firm implement?

A.Implement immutable backups and store them offsite or in a separate air-gapped environment
B.Increase the frequency of full backups to daily
C.Conduct quarterly tabletop exercises to test recovery procedures
D.Move all backups to a cloud storage provider with default settings
Answer: A

Immutable backups prevent unauthorized deletion or modification, directly mitigating the risk from ransomware.

Why this answer

Immutable backups prevent modification or deletion by ransomware, even if the backup software or administrative credentials are compromised. Storing them offsite or in an air-gapped environment ensures that a simultaneous physical or logical attack cannot destroy both primary and secondary data, directly addressing the root cause of the three-week recovery delay.

Exam trap

The trap here is that candidates often choose increased backup frequency or cloud migration, thinking they improve resilience, but they overlook the critical requirement that backups must be protected from deletion or encryption by the same attack that compromises the primary systems.

How to eliminate wrong answers

Option B is wrong because increasing the frequency of full backups to daily does not protect against ransomware that can encrypt or delete existing backups; it only reduces the recovery point objective, not the vulnerability to deletion. Option C is wrong because quarterly tabletop exercises test recovery procedures and team readiness but do not prevent the backup data from being encrypted or deleted by ransomware; they improve process, not data resilience. Option D is wrong because moving all backups to a cloud storage provider with default settings does not guarantee immutability or air-gapping; default cloud storage configurations often allow deletion or overwrite by compromised credentials, leaving backups vulnerable to the same attack vector.

712
MCQ · medium

A multinational corporation is implementing a disaster recovery plan for its critical financial systems. The plan includes off-site backups and redundant hardware. During a recent test, the recovery time objective (RTO) was met, but the recovery point objective (RPO) was exceeded by 30 minutes due to delayed data replication. Which of the following is the BEST action to address this issue?

A.Extend the RPO to accommodate the delay.
B.Implement synchronous replication to the secondary site.
C.Reduce the bandwidth for replication to avoid congestion.
D.Increase the frequency of full backups to every 4 hours.
Answer: B

Synchronous replication ensures near-zero data loss, directly addressing the RPO exceedance.

Why this answer

Synchronous replication ensures that data is written to both primary and secondary sites simultaneously before the write is acknowledged, eliminating replication lag. This directly addresses the RPO exceedance by guaranteeing that the secondary site always has the most current data, whereas the current asynchronous replication caused a 30-minute delay.

Exam trap

The trap here is that candidates often confuse RTO and RPO, thinking that meeting RTO is sufficient, or they incorrectly assume that increasing backup frequency (Option D) can compensate for replication delays, when in fact backups are separate from continuous replication and still leave a recovery point gap equal to the backup interval.

How to eliminate wrong answers

Option A is wrong because extending the RPO to accommodate the delay accepts data loss of up to 30 minutes, which is not a corrective action and may violate business continuity requirements. Option C is wrong because reducing bandwidth for replication would increase latency and worsen the replication delay, making the RPO exceedance even larger. Option D is wrong because increasing the frequency of full backups to every 4 hours does not address the continuous replication delay; backups are point-in-time snapshots and still leave a gap of up to 4 hours of potential data loss, far exceeding the 30-minute RPO breach.

713
MCQ · easy

Which of the following is the PRIMARY purpose of audit working papers?

A.To provide a permanent record of the organization's financial transactions.
B.To support the auditor's conclusions and provide evidence of the work performed.
C.To serve as a basis for the audit fee calculation.
D.To replace the need for management's representation letter.
Answer: B

Working papers serve as the primary evidence of the audit.

Why this answer

Working papers document the audit procedures performed, evidence obtained, and conclusions reached, supporting the audit opinion.

714
MCQ · easy

During which phase of the waterfall SDLC should security requirements be formally documented and approved by the business owner?

A.Development phase
B.Requirements phase
C.Design phase
D.Testing phase
Answer: B

Requirements phase is the correct stage for documenting and approving security requirements.

Why this answer

In the waterfall model, security requirements must be defined during the requirements phase to ensure they are integrated into the design. Formal sign-off by the business owner ensures accountability.

715
MCQ · easy

Which of the following is the primary purpose of conducting a static application security test (SAST) during the development phase of the SDLC?

A.To ensure the application is free of runtime errors
B.To validate that the application meets business requirements
C.To identify security vulnerabilities in the source code
D.To test the application's performance under load
Answer: C

SAST is a white-box test that finds coding flaws.

Why this answer

SAST analyzes source code for vulnerabilities early in development, allowing fixes before deployment.

716
Multi-Select · medium

An IT auditor is reviewing the capacity management process. Which TWO of the following are key activities that should be performed?

Select 2 answers
A.Performing daily backup verification
B.Monitoring resource utilization trends
C.Reviewing incident response times
D.Setting threshold alerts for resource usage
E.Conducting annual disaster recovery tests
Answers: B, D

Both are essential for proactive capacity management.

Why this answer

Monitoring trends helps proactive planning; threshold alerts prevent overload.

717
MCQ · hard

A healthcare organization is required to comply with HIPAA regulations for data backup and disaster recovery. They operate a primary data center and a colocation facility for disaster recovery. The current backup strategy involves nightly full backups to tape, which are stored off-site monthly. The recovery time for the electronic health record (EHR) system is estimated at 8 hours, but the RTO required by the business is 2 hours. Additionally, the RPO requirement is 15 minutes. The IT manager proposes implementing a continuous data protection (CDP) solution. However, the CFO is concerned about the cost. Which of the following is the BEST argument to justify the CDP investment?

A.CDP can achieve an RPO of seconds and significantly reduce recovery time.
B.CDP is required by HIPAA for all healthcare systems.
C.CDP will reduce the need for IT staff to perform backups.
D.CDP eliminates the need for any off-site storage, reducing costs.
Answer: A

This directly addresses the gaps in RTO and RPO, justifying the investment.

Why this answer

Option A is correct because CDP provides a near-zero RPO and can significantly reduce recovery time, directly meeting the RTO and RPO requirements. Option D is false; CDP still requires off-site storage for disaster recovery. Option B is incorrect; HIPAA does not mandate CDP.

Option C is a benefit but not the primary justification.

718
MCQ · hard

Refer to the exhibit. An IS auditor is reviewing the architecture. Which of the following is the MOST critical security weakness?

A.Application servers can initiate outbound internet connections.
B.The use of TLS between tiers.
C.Centralized logging to a SIEM.
D.Lack of encryption on the database server.
Answer: A

This bypasses security controls and can be exploited.

Why this answer

Option A is correct because allowing application servers to initiate outbound connections to the internet is a common attack vector (e.g., for command and control). Option C is acceptable; B is not a weakness; D is not mentioned or required.

719
Matching · medium

Match each CISA domain to its focus.


Concepts
Matches

Information System Auditing Process

Governance and Management of IT

Information Systems Acquisition, Development, and Implementation

Information Systems Operations and Business Resilience

Protection of Information Assets

Why these pairings

The CISA exam covers five domains.

720
MCQ · medium

A company is implementing a new ERP system. The project team plans to use a parallel conversion strategy. What is the PRIMARY advantage of this approach?

A.Immediate realization of benefits from the new system.
B.Risk mitigation by allowing fallback to the old system.
C.Lower total cost due to reduced training requirements.
D.Faster implementation compared to phased approach.
Answer: B

The main benefit is risk reduction via fallback capability.

Why this answer

The primary advantage of a parallel conversion strategy is risk mitigation. By running the new ERP system alongside the old system for a period, the organization can validate the new system's functionality and data integrity while retaining the ability to immediately fall back to the legacy system if critical failures occur. This approach ensures business continuity and reduces the impact of unforeseen issues during the transition.

Exam trap

The trap here is that candidates often confuse parallel conversion with phased conversion, mistakenly believing that parallel conversion is faster or cheaper, when in fact its primary value is risk reduction through fallback capability.

How to eliminate wrong answers

Option A is wrong because immediate realization of benefits is not a characteristic of parallel conversion; benefits are delayed until the new system is fully validated and the old system is decommissioned. Option C is wrong because parallel conversion typically increases total cost due to the need to operate and maintain both systems simultaneously, and training requirements are not reduced—staff must learn the new system while still using the old one. Option D is wrong because parallel conversion is generally slower than a phased approach, as it requires a full cutover after a parallel run, whereas a phased approach rolls out functionality incrementally.

721
MCQ · easy

What is the PRIMARY purpose of conducting a feasibility study before acquiring a new information system?

A.To define detailed system requirements
B.To select a vendor through a bidding process
C.To assess the technical, operational, and economic viability
D.To determine the total cost of ownership
Answer: C

The primary purpose is to evaluate viability.

Why this answer

The primary purpose of a feasibility study is to evaluate whether a proposed information system is technically achievable, operationally compatible with existing processes, and economically justified before committing resources. This upfront assessment prevents investment in systems that cannot be successfully implemented or sustained, directly addressing risk management in the acquisition lifecycle.

Exam trap

The trap here is that candidates confuse the feasibility study with later phases like requirements gathering or vendor selection, leading them to pick A or B, when the core CISA focus is on the study's role as a go/no-go decision gate based on viability assessment.

How to eliminate wrong answers

Option A is wrong because defining detailed system requirements occurs after the feasibility study, typically during the requirements analysis phase, not as the primary purpose of the feasibility study. Option B is wrong because vendor selection through a bidding process happens later in the procurement cycle, after the feasibility study confirms the project is viable and requirements are defined. Option D is wrong because determining total cost of ownership is a component of the economic viability assessment within the feasibility study, not the primary purpose; the study must also evaluate technical and operational factors.

722
MCQ · hard

A company is implementing a privileged access management (PAM) system. Which of the following is the MOST important control to prevent lateral movement after a privileged account is compromised?

A.Implement just-in-time (JIT) privilege elevation
B.Enforce multi-factor authentication for all privileged accounts
C.Monitor and record all privileged sessions
D.Rotate passwords after each use
Answer: A

JIT reduces exposure time.

Why this answer

Just-in-time (JIT) privilege elevation is the most important control to prevent lateral movement because it eliminates standing privileged access. By granting temporary, time-bound privileges only when needed, JIT reduces the attack surface and ensures that even if an attacker compromises a privileged account, they cannot use those credentials to move laterally to other systems after the access window expires. This directly addresses the root cause of lateral movement: persistent privileged credentials that can be reused across the network.

Exam trap

The trap here is that candidates often choose MFA (option B) because it is a well-known security best practice, but they fail to recognize that MFA does not prevent lateral movement after the account is already compromised—it only protects against unauthorized initial access.

How to eliminate wrong answers

Option B is wrong because multi-factor authentication (MFA) is a strong authentication control that can prevent initial compromise, but it does not prevent lateral movement once the account is already compromised (e.g., via session hijacking or token theft). Option C is wrong because monitoring and recording privileged sessions is a detective control that helps identify lateral movement after it occurs, but it does not prevent it. Option D is wrong because rotating passwords after each use (password cycling) reduces the window of credential reuse but still leaves the account with standing privileges during the session; an attacker can still move laterally within that session before the password is rotated.

723
MCQ · medium

An organization is developing a web application using an Agile methodology. The security team wants to integrate security testing early in the development lifecycle. Which of the following is the BEST approach to achieve this?

A.Implement static application security testing (SAST) in the continuous integration pipeline
B.Conduct a penetration test after each sprint
C.Schedule an annual vulnerability scan of the production environment
D.Perform dynamic application security testing (DAST) on deployed builds
Answer: A

SAST scans source code and can be integrated into CI to find vulnerabilities early.

Why this answer

Integrating SAST into the CI pipeline allows automated scanning of source code for vulnerabilities (e.g., SQL injection, XSS) as code is committed, aligning with Agile's iterative development. This shift-left approach catches flaws early, reducing remediation cost and effort compared to later stages.

Exam trap

The trap here is confusing 'early testing' with any security test performed during development, but only SAST in the CI pipeline provides automated, continuous analysis at the code level before builds are deployed.

How to eliminate wrong answers

Option B is wrong because penetration testing after each sprint is too late for early integration; it occurs after code is built and deployed, missing the opportunity to find issues during development. Option C is wrong because an annual vulnerability scan of production is far too infrequent and occurs post-deployment, violating the goal of early lifecycle testing. Option D is wrong because DAST on deployed builds tests the running application, which is still a later-stage activity and does not provide the same early feedback as source-level analysis.

724
MCQ · hard

An organization's business continuity plan includes a reciprocal agreement with another company. What is the PRIMARY risk of this arrangement?

A.The other company may be a competitor
B.Both companies may be affected by the same disaster
C.The agreement may not be legally enforceable
D.The other company may not have adequate security
Answer: B

If the companies are geographically close, a single disaster can impact both, rendering the agreement useless.

Why this answer

The primary risk of a reciprocal agreement is that both organizations may be located in the same geographic area or rely on the same infrastructure (e.g., power grid, network backbone, or transportation). If a regional disaster such as an earthquake, flood, or prolonged power outage occurs, both companies could be incapacitated simultaneously, rendering the agreement useless. This defeats the core purpose of business continuity, which requires geographic diversity and independence of resources.

Exam trap

The trap here is that candidates focus on legal or security concerns (options C and D) because they seem like obvious risks, but CISA emphasizes that the fundamental flaw in reciprocal agreements is the lack of geographic separation, which directly violates the principle of diversity in business continuity planning.

How to eliminate wrong answers

Option A is wrong because being a competitor is a secondary concern (e.g., data confidentiality) but not the primary risk to continuity; the agreement's failure due to simultaneous impact is more critical. Option C is wrong because legal enforceability is a contractual issue, but even an enforceable agreement cannot help if both sites are down; the primary risk is operational, not legal. Option D is wrong because inadequate security at the other company is a risk to data protection, but it does not directly threaten the availability of the alternate processing site during a disaster; the core continuity risk is co-location vulnerability.

725
Multi-Select · easy

Which TWO of the following are key components of an IT governance framework?

Select 2 answers
A.IT strategy committee
B.IT asset inventory
C.IT risk management
D.IT project portfolio management
E.IT help desk ticketing system
Answers: A, C

Governance requires a steering or strategy committee.

Why this answer

Options A and C are correct. An IT governance framework includes structures such as an IT strategy committee (A) and processes such as IT risk management (C). D (project portfolio management) is a management practice, not a core governance component.

B (asset inventory) and E (help desk ticketing) are operational.

726
MCQ · hard

An IS auditor is preparing working papers. Which of the following items should be included in the permanent file rather than the current file?

A.Audit programme for the current year
B.Testing results from current audit
C.Management responses to current findings
D.Organization chart
Answer: D

The organization chart is a carry-forward item.

Why this answer

The permanent file contains carryforward items like organizational charts and key contracts.

727
MCQ · easy

In a RACI matrix, the person who is ultimately accountable for a process outcome is assigned which role?

A.Informed
B.Accountable
C.Consulted
D.Responsible
Answer: B

The accountable person has final authority and ownership.

Why this answer

Accountable (A) is the person ultimately answerable for the task or decision. Responsible (R) does the work.

728
MCQ · easy

In ITIL incident management, which severity level typically indicates a critical incident that severely impacts business operations and requires immediate resolution?

A.P2
B.P3
C.P1
D.P4
Answer: C

P1 is the highest priority.

Why this answer

P1 (Priority 1) incidents are the highest severity, requiring immediate attention.

729
MCQ · easy

An IS auditor is using statistical sampling to test a population of 10,000 transactions. The desired confidence level is 95%, and the tolerable error rate is 5%. Which of the following factors would MOST likely increase the required sample size?

A.An increase in the expected error rate to 6%
B.A decrease in the tolerable error rate to 3%
C.A decrease in the confidence level to 90%
D.An increase in the population size to 15,000
Answer: A

Higher expected error rate requires larger sample size for the same precision.

Why this answer

An increase in the expected error rate to 6% increases the required sample size because the sample size formula is directly proportional to the product of the expected error rate and its complement (p × (1-p)). At a 95% confidence level, the z-value is fixed (1.96), and as the expected error rate moves closer to 50%, the variance increases, requiring a larger sample to achieve the same precision. This is a core statistical sampling principle in audit testing.

Exam trap

The trap here is that candidates mistakenly think increasing population size always increases sample size, but in statistical sampling for large populations, the population size has a diminishing effect and is not the primary driver of sample size.

How to eliminate wrong answers

Option B is wrong because a decrease in the tolerable error rate to 3% actually increases the required sample size, not decreases it, as the auditor needs more precision to detect smaller deviations. Option C is wrong because a decrease in the confidence level to 90% reduces the z-value (from 1.96 to 1.645), which decreases the required sample size. Option D is wrong because for large populations (over 5,000), the population size has a negligible effect on sample size; increasing it to 15,000 does not materially increase the required sample size.

730
MCQ · easy

Which of the following disaster recovery test types involves a full switch-over to the alternate site, resulting in actual disruption to normal operations?

A.Simulation test
B.Full interruption test
C.Parallel test
D.Tabletop test
Answer: B

An actual switch-over that disrupts normal operations.

Why this answer

The full interruption test (also known as a cold-start test) involves an actual shutdown of primary systems and a complete switch-over to the alternate site, causing real disruption to normal operations. This validates the entire recovery capability under realistic conditions, including failover, data synchronization, and user reconnection, but carries the highest risk of data loss or extended downtime.

Exam trap

The trap here is confusing a parallel test with a full interruption test, as both involve the alternate site processing live data, but only the full interruption test causes actual disruption by taking the primary site offline.

How to eliminate wrong answers

Option A is wrong because a simulation test models a disaster scenario without actually failing over or disrupting live systems; it typically uses walkthroughs or scripted exercises to validate procedures. Option C is wrong because a parallel test runs the alternate site in parallel with the primary site, processing live data but not switching over, so normal operations continue uninterrupted. Option D is wrong because a tabletop test is a discussion-based exercise where key personnel review plans and roles without any actual system failover or operational impact.

731
MCQ · easy

Which of the following is a key performance indicator (KPI) for IT service management?

A.Number of security incidents
B.Help desk first-call resolution rate
C.Number of employees trained on security
D.Percentage of IT budget spent on new projects
Answer: B

First-call resolution rate measures service desk efficiency and is a common ITSM KPI.

Why this answer

IT service management KPIs often include help desk metrics such as first-call resolution rate and average resolution time.

732
MCQ · medium

An IS auditor is reviewing change management procedures and finds that standard changes are approved by the change manager without CAB review. What is the auditor's BEST conclusion?

A. This is acceptable provided that standard changes are clearly defined and low-risk
B. The change manager should be a member of the CAB
C. The auditor should recommend that all changes go through CAB
D. This is a control weakness because all changes should be reviewed by the CAB
Answer: A

ITIL allows standard changes to be handled via a pre-approved process to improve efficiency.

Why this answer

Standard changes are pre-approved, low-risk changes that do not require CAB review. This is acceptable if the criteria for standard changes are properly defined.

733
MCQ · hard

During an IT audit, the auditor discovers that the IT department has not conducted a business impact analysis (BIA) for three years. The organization's disaster recovery plan (DRP) is based on the previous BIA. The IT manager argues that the DRP is still valid because no major changes have occurred. What should the auditor recommend?

A. Recommend that a new BIA be conducted to validate and update the DRP.
B. Accept the IT manager's rationale and close the finding.
C. Recommend terminating the current DRP until the BIA is completed.
D. Recommend accepting the risk and documenting the decision.
Answer: A

A current BIA is essential to identify changes in business processes and threats, ensuring the DRP is aligned.

Why this answer

A business impact analysis (BIA) is the foundation of a valid disaster recovery plan (DRP). Without a current BIA, the DRP may not reflect the organization's current critical processes, recovery time objectives (RTOs), or recovery point objectives (RPOs). Even if no major changes are perceived, subtle shifts in dependencies, resource availability, or regulatory requirements can render the DRP ineffective.

Therefore, the auditor should recommend conducting a new BIA to validate and update the DRP.

Exam trap

The trap here is that candidates may assume the IT manager's claim of 'no major changes' is sufficient, but the CISA exam emphasizes that a BIA must be periodically reviewed (typically annually) regardless of perceived stability, because hidden dependencies or gradual changes can still affect recovery requirements.

How to eliminate wrong answers

Option B is wrong because accepting the IT manager's rationale without evidence ignores the risk that the DRP may be outdated; the auditor's role is to verify, not assume, that no changes have impacted recovery requirements. Option C is wrong because terminating the current DRP would leave the organization without any recovery plan until the BIA is completed, increasing operational risk unnecessarily. Option D is wrong because accepting the risk and documenting the decision without further action is premature; the auditor should first recommend a BIA to determine the actual risk level before deciding to accept it.

734
MCQ · hard

During an audit, the auditor uses a sampling method where the population is divided into subgroups, and samples are selected from each subgroup. This method is known as:

A. Systematic sampling
B. Judgmental sampling
C. Random sampling
D. Stratified sampling
Answer: D

Correct definition.

Why this answer

Stratified sampling divides the population into subgroups (strata) and samples from each.

735
Multi-Select · easy

During a data migration from a legacy system to a new ERP, the following log entries were generated. Which TWO issues should the IS auditor flag as high risk?

Select 2 answers
A. Source system downtime
B. Rapid growth of rollback segment
C. Constraint violation due to missing parent records
D. Duplicate key violation
E. Data type mismatch between source and target
Answers: C, D

This error indicates a foreign key violation where a parent record is missing, compromising referential integrity.

Why this answer

Option C is correct because a constraint violation due to missing parent records indicates a referential integrity failure. In a data migration, this means child records are being inserted without their corresponding parent records, which can cause orphaned data and application logic errors. This is a high-risk issue as it compromises data consistency and may require complex reconciliation or rollback.

Exam trap

The trap here is that candidates often confuse operational issues (downtime, performance) with data integrity issues, or they underestimate the severity of referential integrity and duplicate key violations during migration.

736
MCQ · medium

A company is migrating its on-premises data center to a public cloud provider. Which of the following is the MOST important control to implement before migration to ensure data security?

A. Enable multi-factor authentication (MFA) for all cloud accounts
B. Deploy a cloud access security broker (CASB)
C. Establish a virtual private network (VPN) between on-premises and cloud
D. Implement data encryption at rest and in transit
Answer: D

Encryption ensures data confidentiality and integrity during and after migration.

Why this answer

Data encryption at rest and in transit is the most important control before migration because it protects sensitive data from exposure during the transfer process and after it is stored in the cloud. Without encryption, data could be intercepted over the network or accessed by unauthorized parties in the cloud provider's infrastructure. This control directly addresses the core risk of data leakage during and after migration, which is a fundamental security requirement.

Exam trap

The trap here is that candidates often choose a VPN (Option C) thinking it fully secures data during migration, but they overlook that encryption at rest is equally critical and that a VPN only protects data in transit, not after it is stored in the cloud.

How to eliminate wrong answers

Option A is wrong because enabling MFA for cloud accounts is an important identity and access management control, but it does not protect data during the migration process itself or while at rest in the cloud. Option B is wrong because deploying a CASB is a monitoring and policy enforcement tool for cloud usage, but it is not a prerequisite for securing data during migration and does not provide the foundational encryption needed. Option C is wrong because establishing a VPN between on-premises and cloud secures the network channel during transit, but it does not address data at rest in the cloud, nor does it protect against threats within the cloud environment.

737
MCQ · hard

During an ERP implementation, data migration is a critical activity. Which of the following controls would be most effective in ensuring the accuracy and completeness of migrated data?

A. Using automated data extraction tools
B. Performing a trial migration and reconciling the results
C. Assigning a data owner for each data field
D. Running parallel processing for one month
Answer: B

Trial migration with reconciliation identifies discrepancies before final migration.

Why this answer

Reconciliation reports compare source and target data, providing evidence of completeness and accuracy. Other options are less direct.

738
MCQ · hard

Based on the exhibit, which of the following is the MOST likely result of the current firewall configuration?

A. Remote SSH connections are permitted from any IP address
B. SSH access is restricted to the internal network
C. HTTPS traffic from the internal network is blocked
D. HTTPS traffic from the internet is allowed
Answer: A

Rule 1 allows SSH from anywhere.

Why this answer

The exhibit shows an access control list (ACL) that permits TCP traffic on port 22 (SSH) from any source IP address (0.0.0.0/0) to the destination IP address of the firewall's external interface. Since there is no source restriction, remote SSH connections are allowed from any IP address on the internet. This is a significant security risk because it exposes the firewall's management interface to brute-force attacks from the entire internet.

Exam trap

ISACA often tests the concept that an ACL with a permit statement for a specific service from 'any' source overrides any implicit deny, and candidates may mistakenly think that the implicit deny blocks all traffic, forgetting that explicit permits take precedence.

How to eliminate wrong answers

Option B is wrong because the ACL explicitly permits SSH from any source (0.0.0.0/0), not just the internal network; there is no rule restricting SSH to internal IP ranges. Option C is wrong because the ACL does not block HTTPS (TCP port 443) traffic from the internal network: the exhibit contains only SSH rules, so there is no deny rule for HTTPS from internal sources. The implicit deny at the end of the ACL applies only to traffic not explicitly permitted, and HTTPS from the internal network is simply not addressed by this ACL; it would be allowed if a permit rule existed for it. Option D is wrong because the ACL does not contain any permit rule for HTTPS (TCP port 443) from the internet; without an explicit permit, the implicit deny at the end of the ACL blocks all HTTPS traffic from the internet.

739
MCQ · hard

A project uses a waterfall model. After design, the team discovers that the requirements have changed significantly. What is the BEST action?

A. Cancel the project and start over
B. Update the requirements and proceed with the design revision
C. Continue with original requirements as planned
D. Switch to an agile methodology for the remainder of the project
Answer: B

Updating requirements and adjusting design is necessary to ensure the final product aligns with current needs.

Why this answer

In a waterfall model, each phase must be completed before the next begins, but when requirements change significantly after design, the best action is to update the requirements and revise the design. This preserves the structured, sequential nature of the waterfall while ensuring the final product meets the new needs. Canceling or ignoring changes would waste resources, and switching methodologies mid-project introduces integration risks and process discontinuity.

Exam trap

The trap here is that candidates may think switching to agile is a flexible solution, but the CISA exam tests understanding that changing development methodologies mid-project violates the waterfall's sequential phase completion and introduces significant process and documentation risks.

How to eliminate wrong answers

Option A is wrong because canceling the project and starting over is an extreme, wasteful response that ignores the possibility of revising the design to accommodate the changed requirements, which is a standard practice in waterfall when changes are identified early. Option C is wrong because continuing with the original requirements as planned would deliver a product that no longer meets the stakeholder needs, leading to rework or project failure. Option D is wrong because switching to an agile methodology mid-project disrupts the established waterfall lifecycle, introduces process mismatches (e.g., no iterative feedback loops in place), and typically requires retraining and tooling changes that delay delivery.

740
MCQ · medium

During an audit of the incident management process, the IS auditor finds that tabletop exercises have not been conducted in the past two years. What is the MOST significant risk associated with this finding?

A. The organization may fail to detect an incident in a timely manner
B. The organization may not comply with regulatory reporting requirements
C. The incident response plan may be outdated
D. Employees may not know their roles during an incident
Answer: D

Tabletop exercises help familiarize team members with their responsibilities.

Why this answer

Without regular testing, the incident response team may not be prepared to effectively handle a real incident.

741
Multi-Select · hard

An organization has implemented a database activity monitoring (DAM) solution. Which of the following are BEST practices for tuning the DAM to reduce false positives? (Choose TWO.)

Select 2 answers
A. Implement exclusions for routine maintenance activities
B. Enable alerts for all database queries
C. Increase the sensitivity of all detection rules
D. Review alerts in real-time only
E. Define a baseline of normal user behavior
Answers: A, E

Excluding known safe activities reduces false positives.

Why this answer

Implementing exclusions for routine maintenance activities (Option A) is a best practice because these activities often generate predictable database queries that are not indicative of security threats. By excluding them, the DAM solution avoids alerting on benign operations, thereby reducing false positives without compromising security coverage.

Exam trap

The trap here is that candidates may think increasing sensitivity (Option C) improves detection, but it actually amplifies false positives, whereas the correct approach is to establish a baseline (Option E) and exclude known benign activities (Option A).

742
MCQ · easy

Which of the following backup types copies only data that has changed since the last full backup?

A. Mirror backup
B. Differential backup
C. Full backup
D. Incremental backup
Answer: B

Correct. Differential copies all changes since the last full backup.

Why this answer

A differential backup copies all data that has changed since the last full backup, regardless of how many incremental backups have been performed. This means each differential backup contains all changes accumulated since the most recent full backup, making it larger than an incremental backup but faster to restore (requiring only the full backup plus the latest differential).

Exam trap

The trap here is that candidates often confuse 'differential' with 'incremental' because both copy changed data, but the key differentiator is the reference point: differential uses the last full backup, while incremental uses the last backup of any type.

How to eliminate wrong answers

Option A is wrong because a mirror backup creates an exact, real-time copy of the source data, often using block-level replication (e.g., RAID 1 or rsync), and does not rely on a 'last full backup' marker; it continuously synchronizes changes. Option C is wrong because a full backup copies all selected data regardless of change status, serving as the baseline for differential and incremental backups. Option D is wrong because an incremental backup copies only data that has changed since the last backup of any type (full or incremental), not specifically since the last full backup; this is the key distinction from differential backups.

743
MCQ · hard

An IS auditor is evaluating the use of continuous auditing techniques. Which of the following is the most significant benefit of implementing continuous monitoring over traditional periodic audits?

A. Reduced need for substantive testing
B. Elimination of control risk assessments
C. Automated generation of audit reports
D. Timely detection of control deficiencies
Answer: D

Continuous monitoring detects issues in real time, allowing prompt corrective action.

Why this answer

Continuous monitoring provides timely detection of control deficiencies, enabling faster remediation.

744
Multi-Select · medium

An IS auditor is reviewing a post-implementation review of a new payroll system. Which TWO findings should most concern the auditor? (Select two.)

Select 2 answers
A. The project was completed 10% over budget.
B. User acceptance testing did not include all payroll scenarios.
C. The vendor's implementation team was helpful.
D. The system's response time is slower than expected.
E. Some employees reported inaccurate pay calculations.
Answers: B, E

Missing test scenarios could result in undetected errors.

Why this answer

Inaccurate pay calculations and unresolved segregation of duties issues directly impact control objectives and financial accuracy.

745
MCQ · hard

A large enterprise is implementing a backup strategy for a critical database that requires an RTO of 2 hours and an RPO of 15 minutes. The database is 2 TB in size. Which backup method would BEST meet these requirements while minimizing storage costs?

A. Daily full backups
B. Continuous data protection (CDP) replicating to a remote site
C. Weekly full backups with transactional log backups every 15 minutes
D. A daily full backup and a differential backup every 4 hours
Answer: C

Log backups capture every transaction, achieving a 15-minute RPO, and storage cost is low compared to frequent full backups.

Why this answer

Option B is correct because incremental backups after a full backup minimize data loss and allow frequent backups with low storage overhead, meeting the 15-minute RPO. Option A does not meet RPO; Option C uses too much storage; Option D is for file-level, not databases.

746
Multi-Select · hard

Which THREE are indicators of a possible data exfiltration attempt via the network? (Choose three.)

Select 3 answers
A. Use of unauthorized encryption or tunneling protocols
B. Unusual outbound data transfer volumes during non-business hours
C. Increase in phishing emails targeting executives
D. Repeated access attempts to sensitive databases by unauthorized users
E. Large number of HTTPS connections to legitimate cloud services
Answers: A, B, D

Unauthorized encryption can hide exfiltration.

Why this answer

Option A is correct because data exfiltration often involves bypassing security controls by using unauthorized encryption or tunneling protocols (e.g., SSH over port 443, IPsec over UDP, or custom VPNs) to hide malicious traffic within legitimate-looking flows. Such protocols can encapsulate stolen data and evade deep packet inspection (DPI) or data loss prevention (DLP) systems, making them a strong indicator of exfiltration attempts.

Exam trap

ISACA often tests the distinction between precursors to an attack (like phishing) and actual indicators of exfiltration (like unauthorized tunneling or unusual outbound volumes). Candidates mistakenly choose phishing because it is a common attack vector, but it is not a network-level exfiltration indicator.

747
MCQ · easy

Which of the following is the PRIMARY reason an external audit is considered more independent than an internal audit?

A. External auditors follow stricter standards.
B. External auditors have more technical expertise.
C. External auditors have access to more resources.
D. External auditors are not employees of the organization.
Answer: D

Third-party status enhances independence.

Why this answer

External auditors are third-party and not employees, reducing bias and enhancing independence.

748
MCQ · medium

Which policy hierarchy document provides detailed steps for performing a specific task, such as resetting a user password?

A. Guideline
B. Work instruction
C. Policy
D. Standard
Answer: B

Work instruction is a detailed procedural document.

Why this answer

A work instruction is the most detailed document in the policy hierarchy, providing step-by-step guidance.

749
MCQ · medium

During the acquisition of a new software package, the procurement team evaluates two vendors. Vendor A offers a lower upfront cost but higher annual maintenance fees. Vendor B has a higher upfront cost but includes three years of maintenance. What is the MOST important factor for the IS auditor to consider?

A. The upfront cost of each vendor.
B. The vendor's market reputation.
C. The total cost of ownership over the expected life of the system.
D. The organization's budget constraints.
Answer: C

TCO gives a comprehensive cost comparison.

Why this answer

Option D is correct because total cost of ownership (TCO) captures all costs over the system's life, providing a true comparison. Option A is wrong because upfront cost alone is misleading. Option B is wrong because vendor references are important but not the most critical for cost comparison.

Option C is wrong because the auditor should not make the decision; they should advise on cost analysis.

750
Multi-Select · medium

Which TWO controls are most effective for protecting data at rest on a database server? (Choose two.)

Select 2 answers
A. Placing the database server behind a firewall
B. Enforcing role-based access control (RBAC)
C. Implementing transparent data encryption (TDE)
D. Enabling SSL/TLS for client connections
E. Using file-level encryption on the database files
Answers: B, C

RBAC ensures only authorized users can access data.

Why this answer

Role-based access control (RBAC) restricts data access to authorized users based on their roles, directly preventing unauthorized viewing or modification of data at rest. Transparent data encryption (TDE) encrypts the database files at the storage level, ensuring that even if the physical media is stolen, the data remains unreadable without the encryption keys. Both controls address the core requirement of protecting data while it is stored on the database server.

Exam trap

The trap here is that candidates often confuse network controls (firewall, SSL/TLS) with data-at-rest protection, mistakenly thinking perimeter security or transport encryption secures stored data, when in fact they only protect data in motion or the network layer.
