Certified Information Systems Auditor (CISA) — Questions 601-675

984 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
Multi-Select (hard)

Which THREE of the following are valid reasons for implementing a service level management process? (Select THREE.)

Select 3 answers
A. To ensure all IT staff are certified
B. To monitor and report on service performance
C. To eliminate the need for IT support
D. To provide a basis for continuous improvement
E. To define and agree on service level targets
Answers: B, D, E

SLM includes monitoring and reporting.

Why this answer

Service level management ensures alignment with business needs, monitors performance, and provides a basis for improvement.

602
Multi-Select (medium)

Which TWO of the following are physical security controls to prevent unauthorized access to a data center?

Select 2 answers
A. Uninterruptible power supply
B. Cable locks
C. Mantrap
D. Biometric readers
E. Fire suppression system
Answers: C, D

Mantraps prevent tailgating and unauthorized entry.

Why this answer

Mantraps and biometric readers are physical access controls. Fire suppression and UPS are environmental controls. Cable locks secure equipment but do not prevent entry to the data center.

603
Multi-Select (easy)

During a disaster recovery test, the team discovers that the backup server is unable to restore data because of incompatible software versions. Which TWO controls should have been implemented to prevent this?

Select 2 answers
A. Maintaining a configuration management database
B. Using cloud-based backup solutions
C. Implementing intrusion detection systems
D. Increasing the frequency of full backups
E. Performing regular patch management
Answers: A, E

Correct: CMDB tracks software versions across environments.

Why this answer

A configuration management database (CMDB) is the correct control because it maintains a detailed record of software versions, patches, and configurations across all IT assets. By referencing the CMDB during disaster recovery planning, the team ensures that backup and restore environments are compatible, preventing version mismatch failures. Without this, the backup server may have outdated or incompatible software, as seen in the scenario.

Exam trap

The trap here is that candidates confuse operational controls like backup frequency or security tools with the configuration and version management controls needed to ensure restore compatibility, leading them to select options that improve data availability but not data recoverability.

604
MCQ (easy)

An IS auditor is reviewing the physical access controls at a data center. Which of the following is the MOST effective control to prevent tailgating?

A. Badge access system with PIN
B. Visitor sign-in log
C. Mantrap entry system
D. CCTV surveillance at entrances
Answer: C

A mantrap physically restricts entry to one person at a time, preventing tailgating.

Why this answer

A mantrap is a small room with two sets of interlocking doors, designed to prevent tailgating by allowing only one person to enter at a time. CCTV, badge access, and visitor logs are supportive but do not directly prevent tailgating.

605
MCQ (hard)

An IS auditor is reviewing the audit documentation from a prior year and finds that a material weakness was reported but not remediated. According to ISACA standards, which audit phase should address this?

A. Reporting
B. Fieldwork
C. Planning
D. Follow-up
Answer: D

Follow-up ensures that corrective actions have been implemented effectively.

Why this answer

Follow-up is the phase dedicated to verifying that management has implemented corrective actions for previous findings.

606
MCQ (medium)

Which of the following is a potential risk in this RACI matrix?

A. The IT Director is accountable but not informed of all changes.
B. IT Operations is informed, but should be responsible for implementation.
C. The Business Process Owner is consulted, which may delay approvals.
D. The Change Manager is responsible but lacks authority to approve.
Answer: D

If the Change Manager is responsible but not accountable, they may not have approval authority, leading to bypassed controls.

Why this answer

Option D is correct because the Change Manager is marked as Responsible, and the Responsible party performs the work; approval authority belongs to the Accountable role, so a Change Manager who is Responsible but not Accountable may lack the authority to approve. This creates a risk of unauthorized approvals and bypassed controls. Option A is not a risk because the Accountable party can be informed later.

Option C is fine; consultation is normal. Option B is not a concern because IT Operations is informed appropriately.

607
MCQ (easy)

An IS auditor is reviewing the system development life cycle (SDLC) methodology. Which phase should include the development of detailed test plans?

A. Requirements definition.
B. System design.
C. Coding and unit testing.
D. User acceptance testing.
Answer: B

Design phase specifies how the system will work, enabling detailed test plans.

Why this answer

Detailed test plans should be developed during the system design phase because this is when the system's architecture, interfaces, and data flows are fully specified. Creating test plans at this stage ensures that tests are aligned with the design specifications and can validate that the implemented system meets the intended technical requirements, rather than waiting until after coding.

Exam trap

The trap here is that candidates confuse the creation of test plans with the execution of tests, incorrectly assuming that test plans are written during user acceptance testing or coding, when in fact they are a design-phase deliverable that drives all subsequent testing activities.

How to eliminate wrong answers

Option A is wrong because the requirements definition phase focuses on gathering and documenting business and functional requirements, not on the technical design details needed to create specific test cases. Option C is wrong because coding and unit testing occur after the test plans are developed; unit tests are typically created by developers during coding, not as part of a formal detailed test plan. Option D is wrong because user acceptance testing is the final validation phase where users execute pre-defined test scripts, not the phase where detailed test plans are originally authored.

608
MCQ (medium)

During a post-implementation review of a system, an IS auditor finds that the actual transaction processing time is 30% slower than projected. What should the auditor recommend FIRST?

A. Upgrade the server hardware immediately
B. Reject the system and revert to the legacy system
C. Conduct a performance analysis to identify bottlenecks
D. Adjust user expectations to match actual performance
Answer: C

Diagnosis is the first step.

Why this answer

The root cause should be identified before recommending specific actions. Performance testing or analysis will reveal the cause.

609
MCQ (easy)

An organization is implementing a new financial system using the waterfall SDLC model. Which of the following is the MOST critical control to ensure that business requirements are met?

A. Automated unit testing results
B. Code reviews by the development team
C. Detailed technical design documents
D. Formal user acceptance testing (UAT) sign-off
Answer: D

UAT is the phase where end users validate that the system meets their requirements, and formal sign-off provides documented acceptance.

Why this answer

In the waterfall model, requirements are defined upfront and formal sign-off at each phase is critical. Formal user acceptance testing (UAT) is the key control to ensure the system meets business needs before deployment.

610
MCQ (hard)

A government agency is developing a case management system for law enforcement. The project follows an agile approach, releasing iterations every two weeks. During a sprint demo, users discover that the system does not redact personally identifiable information (PII) in documents shared with external parties, violating privacy laws. The development team says they planned to add redaction in a future sprint. The product owner wants to prioritize PII redaction immediately. The project manager is concerned that this will disrupt the release schedule. The IS auditor is assessing the project's risk management. Which of the following is the BEST recommendation?

A. Implement network-level restrictions to prevent external sharing.
B. Provide users with training on manual redaction as a workaround.
C. Re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly.
D. Document the risk and accept the compliance exposure until the planned sprint.
Answer: C

Balances compliance and schedule.

Why this answer

Option C is correct because it aligns with agile risk management principles: when a critical compliance vulnerability (PII exposure) is discovered, the highest-priority user story must be re-estimated and inserted into the current sprint backlog, even if it means adjusting the release schedule. The IS auditor’s focus is on ensuring that the risk is actively mitigated, not deferred, and re-prioritization is the standard agile response to newly identified high-severity risks.

Exam trap

The trap here is that candidates may confuse risk acceptance (Option D) with a valid agile practice, but the IS auditor must prioritize compliance over schedule, and deferring a legal violation is not acceptable risk management when a feasible mitigation exists.

How to eliminate wrong answers

Option A is wrong because network-level restrictions (e.g., firewall rules or DLP policies) do not address the core requirement of redacting PII within documents; they only block external sharing at the transport layer, which is an incomplete and overly restrictive workaround that could hinder legitimate law enforcement data sharing. Option B is wrong because training users on manual redaction introduces human error, is not scalable, and does not provide an auditable, automated control for PII protection, which is required for compliance with privacy laws. Option D is wrong because accepting compliance exposure by deferring the fix to a future sprint violates the principle of timely risk mitigation; an IS auditor would not recommend accepting a known legal violation without a compensating control, especially when the risk is high and the fix is feasible.

611
MCQ (medium)

Which of the following BEST describes the role of threat modeling in the design phase of the SDLC?

A. To define functional requirements for the system
B. To analyze the system architecture for potential security threats
C. To test the application's resilience to attacks
D. To identify and mitigate security vulnerabilities in the code
Answer: B

This is the main purpose of threat modeling.

Why this answer

Threat modeling proactively identifies potential security threats and vulnerabilities in the system architecture to design appropriate controls.

612
MCQ (hard)

An organization is deploying a major system upgrade. The change request has been approved by CAB, but the deployment plan does not include a rollback procedure. As an IS auditor, what should you recommend?

A. Perform the deployment during off-peak hours to minimize impact
B. Document the decision to skip rollback in the change record
C. Proceed with deployment as CAB approval is sufficient
D. Delay the deployment until a rollback plan is created and tested
Answer: D

A rollback plan is essential for high-risk changes; deployment should be deferred.

Why this answer

Without a rollback plan, if the deployment fails, the system may be unavailable for an extended period, impacting business operations.

613
MCQ (medium)

An IT manager notices that the CPU utilization of a critical server consistently exceeds 90% during peak hours. Which is the BEST course of action?

A. Implement load balancing
B. Immediately add more CPUs
C. Increase monitoring frequency
D. Schedule batch jobs during off-peak
Answer: A

Load balancing distributes traffic and reduces CPU utilization on a single server.

Why this answer

Option A is correct because implementing load balancing distributes the workload across multiple servers, addressing the performance issue. Options B, C, and D are not the best; B is hasty, C helps but is not best, D does not fix the problem.

614
MCQ (easy)

Which of the following is the PRIMARY objective of a penetration test?

A. To test the incident response capability
B. To validate the effectiveness of security controls
C. To ensure compliance with security standards
D. To identify vulnerabilities that could be exploited by an attacker
Answer: D

The primary goal is to discover exploitable vulnerabilities.

Why this answer

Penetration testing aims to identify exploitable vulnerabilities that could be used by an attacker.

615
Multi-Select (hard)

An IS auditor is reviewing the human resources practices in the IT department. Which THREE of the following controls are most effective in reducing the risk of fraud?

Select 3 answers
A. Annual security awareness training
B. Background checks on new hires
C. Job rotation among IT roles
D. Segregation of duties in IT processes
E. Mandatory vacation for IT staff
Answers: C, D, E

Reduces the opportunity for fraud by limiting the time any one person controls a process.

Why this answer

Job rotation (C) is effective because it prevents any single employee from maintaining exclusive control over critical IT functions over time, reducing the window for concealing fraudulent activities. By periodically rotating roles, anomalies or unauthorized actions that might otherwise go unnoticed are more likely to be detected by the incoming staff member, thereby deterring fraud.

Exam trap

The trap here is that candidates often mistake background checks and training as the most direct fraud controls, overlooking that job rotation, mandatory vacation, and segregation of duties are the classic triad of fraud deterrence and detection in IT audit, as emphasized by COBIT and ISACA guidelines.

616
MCQ (medium)

A company performs daily full backups of its database and weekly incremental backups. The backup retention policy requires keeping full backups for 30 days and incremental backups for 7 days. An auditor reviews the backup schedule. Which backup type provides the fastest restore?

A. Log backup
B. Full backup
C. Incremental backup
D. Differential backup
Answer: B

Correct: Restoring from a full backup is fastest because it does not require applying subsequent incremental or differential backups.

Why this answer

A full backup contains all data and requires only one restore operation, making it faster than restoring from incremental or differential backups.

617
MCQ (easy)

Which of the following is the PRIMARY purpose of an IT strategy committee?

A. To monitor IT project timelines
B. To manage IT vendor contracts
C. To approve IT project budgets
D. To ensure IT investments support business objectives
Answer: D

Strategic alignment is the primary goal.

Why this answer

Option D is correct because the committee's role is to align IT with business strategy. Option A is operational. Option C is project-specific.

Option B is too narrow.

618
MCQ (medium)

During the follow-up phase of an audit, the auditor discovers that a previous finding has not been remediated. What is the auditor's BEST course of action?

A. Perform additional testing to confirm the finding
B. Report the lack of remediation to senior management
C. Ignore the finding since it was previously reported
D. Close the finding as accepted risk
Answer: B

Escalation ensures accountability and corrective action.

Why this answer

If remediation has not occurred, the auditor should escalate the issue to management to ensure action is taken.

619
MCQ (easy)

In a waterfall SDLC, when should user acceptance testing (UAT) typically occur?

A. After deployment
B. After coding but before unit testing
C. After system testing and before deployment
D. During the requirements phase
Answer: C

This is the correct sequence in waterfall.

Why this answer

UAT is performed after system testing is complete and before deployment to ensure the system meets user requirements.

620
Multi-Select (medium)

An auditor is evaluating the IT governance framework of a large bank. Which TWO of the following are components of COBIT 2019's governance system? (Select TWO.)

Select 2 answers
A. Key Performance Indicators
B. Change Management Process
C. Organizational Structures
D. Principles, Policies, and Frameworks
E. Service Level Agreements
Answers: C, D

Structures like committees are part of governance.

Why this answer

COBIT 2019 includes governance components such as principles, policies, frameworks, processes, organizational structures, culture, ethics, behavior, information, services, infrastructure, and applications.

621
Multi-Select (easy)

An IS auditor is evaluating the reliability of audit evidence. Which TWO of the following are characteristics of reliable audit evidence?

Select 2 answers
A. Independent source
B. Timely
C. Complex
D. Relevant
E. Large quantity
Answers: A, B

Evidence from independent sources is more reliable.

Why this answer

Audit evidence from an independent source is considered more reliable because it is obtained from a third party outside the audited entity, reducing the risk of bias or manipulation. For example, a system-generated log from a SIEM tool is more reliable than a manually created spreadsheet from the IT department. Independence directly supports the objectivity and verifiability of the evidence.

Exam trap

The trap here is confusing relevance (Option D) with reliability, as candidates often assume evidence that is directly related to the audit objective must be reliable, but relevance and reliability are distinct attributes in audit evidence evaluation.

622
Multi-Select (easy)

An organization is implementing a new release management process. Which TWO activities are essential components of a successful release?

Select 2 answers
A. Service desk operations
B. Release planning
C. Capacity management
D. Incident management
E. Testing
Answers: B, E

Planning coordinates resources and timelines.

Why this answer

Release planning defines the scope and schedule; testing ensures the release meets quality standards. Deployment is part of release, but planning and testing are foundational.

623
MCQ (easy)

An organization is planning to replace its legacy accounting system with a commercial off-the-shelf (COTS) software package. Which of the following is the PRIMARY risk of using a COTS solution?

A. The total cost of ownership is likely to be higher than custom development
B. The software may not fully align with the organization's business processes
C. The software may have inherent security vulnerabilities
D. Vendor support may be discontinued after a few years
Answer: B

COTS is generic; customization may be limited or costly.

Why this answer

The primary risk of a COTS solution is that it is designed for a broad market and may not fully align with the organization's specific business processes. This misalignment can force the organization to change its workflows or perform costly customizations, which can negate the benefits of a packaged solution and introduce project delays or failures.

Exam trap

The trap here is that candidates often focus on security or vendor support as the primary risk, but the CISA exam emphasizes that the most immediate and impactful risk in COTS acquisition is the mismatch between the software's capabilities and the organization's business processes.

How to eliminate wrong answers

Option A is wrong because COTS solutions typically have a lower total cost of ownership than custom development, as development, testing, and maintenance costs are shared across many customers. Option C is wrong because, while security vulnerabilities are a concern, they are not the primary risk; COTS vendors often have dedicated security teams and patch cycles, whereas custom code may have more undetected flaws. Option D is wrong because vendor support discontinuation is a risk, but it is a secondary, longer-term risk that can be mitigated through escrow agreements or transition plans, whereas business process misalignment directly threatens project success from the start.

624
MCQ (hard)

A healthcare organization has implemented a data classification policy with three levels: Public, Internal, and Restricted. The IT department recently received a report of a potential data breach. An internal auditor discovered that a database containing Protected Health Information (PHI) classified as Restricted was accessible via a web application that did not enforce encryption in transit. The web application uses HTTPS, but the auditor found that the connection was downgraded to HTTP due to a misconfiguration in the load balancer. Additionally, the database logs show that an external IP address queried the database for thousands of patient records over a two-hour period. The database was configured to allow only specific internal application servers, but the firewall rule was incorrectly set to allow connections from any IP address. The security team needs to determine the most effective immediate action to prevent further unauthorized access and protect the data. Which course of action should the security team take FIRST?

A. Correct the firewall rule to restrict database access to only the application servers.
B. Redesign the network architecture to place the database in a separate subnet.
C. Block the external IP address at the network perimeter.
D. Apply a security patch to the web application to enforce HTTPS.
Answer: A

Directly addresses the misconfiguration that allowed exposure.

Why this answer

The firewall rule is the root cause of the unauthorized access — it allowed connections from any IP address, directly enabling the external attacker to query the database. Correcting this rule immediately cuts off all external access to the database, stopping the ongoing breach at the network layer. This is the most effective immediate action because it addresses the misconfiguration that allowed the attack to succeed, regardless of the encryption or web application issues.

Exam trap

The trap here is that candidates focus on the encryption downgrade (HTTPS to HTTP) or the external IP address, but the core vulnerability is the misconfigured firewall rule that allows any IP to access the database directly — a classic 'defense in depth' failure where the network layer control was missing.

How to eliminate wrong answers

Option B is wrong because redesigning the network architecture (e.g., placing the database in a separate subnet) is a longer-term security improvement, not an immediate action to stop the current unauthorized access. Option C is wrong because blocking the external IP address is a reactive, temporary measure — the attacker can easily change IP addresses, and it does not fix the underlying misconfigured firewall rule that allows any IP to connect. Option D is wrong because applying a security patch to enforce HTTPS would prevent future downgrade attacks but does not address the fact that the database is already exposed to any IP address; the attacker can still query the database directly without using the web application.

625
MCQ (easy)

An organization has outsourced its IT operations to a third-party provider. The IS auditor is planning an audit of the outsourced services. What is the most appropriate source of audit evidence?

A. Service provider's financial statements
B. Interviews with provider's staff
C. Service auditor's SOC 2 report
D. Internal audit reports from the provider
Answer: C

SOC 2 reports provide a reliable, independent evaluation of controls relevant to security, availability, etc.

Why this answer

A SOC 2 report (Service Organization Control 2) is specifically designed to provide assurance over a service provider's controls related to security, availability, processing integrity, confidentiality, and privacy. It is issued by an independent service auditor and is the most reliable and relevant source of audit evidence when auditing outsourced IT operations, as it directly addresses the controls in place at the provider.

Exam trap

The trap here is that candidates often choose interviews with provider's staff (Option B) because they seem like direct evidence, but they lack the independence and systematic testing that a SOC 2 report provides, which is the gold standard for third-party assurance.

How to eliminate wrong answers

Option A is wrong because the service provider's financial statements are irrelevant to the operational effectiveness of IT controls; they provide financial health information, not assurance over IT processes or security. Option B is wrong because interviews with the provider's staff are subjective, lack independent verification, and are not considered sufficient audit evidence on their own for control effectiveness. Option D is wrong because internal audit reports from the provider are not independent; they are prepared by the provider's own internal audit function, which lacks the objectivity and external scrutiny required for reliable audit evidence.

626
MCQ (easy)

Refer to the exhibit. A developer is inserting a new employee record. What is the cause of this error?

A. The column 'email' does not exist
B. The email 'john.doe@example.com' already exists in the table
C. The table is full
D. The employee_id 101 already exists
Answer: B

Unique constraint violation.

Why this answer

The error message indicates a violation of a UNIQUE constraint on the 'email' column. The INSERT statement attempts to add 'john.doe@example.com', but that value already exists in the table. The database rejects the operation because the constraint ensures no duplicate email addresses are allowed.

Exam trap

The trap here is that candidates may misread the error message and assume it refers to a primary key violation (employee_id) rather than recognizing the specific wording of a UNIQUE constraint violation on the email column.

How to eliminate wrong answers

Option A is wrong because the error message explicitly references a UNIQUE constraint violation, not a missing column; if the column did not exist, the error would be 'column not found' or similar. Option C is wrong because a full table would produce a 'table is full' or disk-full error, not a constraint violation. Option D is wrong because the error message does not mention a primary key or unique constraint on employee_id; the violation is specifically on the email column, not the employee_id.

627
MCQ (easy)

Which of the following is a key objective of the design phase in the SDLC?

A. To conduct user acceptance testing
B. To define system architecture and integrate security controls
C. To develop code
D. To gather business requirements
Answer: B

Design phase is where architecture and security-by-design are addressed.

Why this answer

The design phase defines the system architecture and ensures security controls are incorporated rather than added later.

628
Multi-Select (easy)

Which TWO of the following are phases of the audit process? (Select two.)

Select 2 answers
A. Budgeting
B. Planning
C. Risk assessment
D. Training
E. Reporting
Answers: B, E

Planning and reporting are both phases of the audit process.

Why this answer

The audit process includes planning, fieldwork, reporting, and follow-up.

629
MCQ (hard)

An organization's IT service desk is the single point of contact for all incidents. The SLA for resolving P2 incidents is 8 hours. The auditor finds that the service desk frequently reassigns P2 incidents to second-level support without updating the incident record, causing delays in resolution. The average resolution time for P2 incidents is 10 hours. What is the primary control weakness?

A. Inadequate training of service desk staff.
B. SLA targets are too aggressive for P2 incidents.
C. Insufficient number of second-level support staff.
D. Lack of automated escalation and tracking for incident reassignments.
Answer: D

Automation would ensure updates and track SLA compliance.

Why this answer

The primary control weakness is the lack of automated escalation and tracking for incident reassignments. Without automated mechanisms (e.g., workflow triggers, timestamped reassignment logs, or integration with IT service management tools), the service desk can reassign P2 incidents to second-level support without updating the incident record, leading to untracked delays. This directly violates the SLA of 8 hours, as the average resolution time of 10 hours indicates that incidents are not being monitored or escalated properly, causing them to exceed the target.

Exam trap

The trap here is that candidates may focus on the symptom (delays) and choose a seemingly logical cause like inadequate training or insufficient staff, rather than recognizing that the root cause is the lack of automated controls to enforce proper incident tracking and escalation procedures.

How to eliminate wrong answers

Option A is wrong because inadequate training of service desk staff, while potentially contributing to procedural errors, is not the primary control weakness; the core issue is the absence of automated controls to enforce record updates and escalation, not a lack of knowledge. Option B is wrong because SLA targets being too aggressive for P2 incidents is a design issue, but the auditor's finding specifically points to a process failure (reassignment without record updates) that causes delays, not that the target itself is unachievable under proper controls. Option C is wrong because an insufficient number of second-level support staff could cause delays, but the auditor's observation is about the reassignment process lacking tracking, not about staffing levels; even with adequate staff, the lack of automated tracking would still allow untracked reassignments and delays.

630
Multi-Select (medium)

An IS auditor is reviewing the data subject rights fulfillment process for GDPR compliance. Which TWO of the following are required to be completed within the one-month response period?

Select 2 answers
A. Right to erasure (deleting personal data).
B. Right to object to processing (ceasing processing).
C. Right to rectification (correcting inaccurate data).
D. Right of access (providing a copy of personal data).
E. Right to data portability (transferring data to another controller).
Answers: A, D

Erasure requests must be addressed without undue delay, generally within one month.

Why this answer

GDPR requires responses to access requests and erasure requests within one month, subject to certain conditions.

631
MCQ (easy)

Which IT sourcing model involves using an external provider to manage some IT functions while retaining others in-house?

A. Cloud services
B. Co-sourcing
C. Insourcing
D. Outsourcing
Answer: B

Co-sourcing involves sharing responsibility between internal and external teams.

Why this answer

Co-sourcing is a hybrid model where certain IT functions are outsourced and others are kept in-house.

632
MCQ (hard)

Based on the exhibit, the IS auditor is reviewing access to the payroll folder. Which of the following is the MOST significant finding?

A. Internal_Audit group has Read access to payroll data
B. User asmith has only Read access to payroll
C. HR_Managers group has Full Control over payroll
D. Potential excessive privileges for user jdoe due to overlapping permissions
Answer: D

Overlapping permissions may grant unintended access.

Why this answer

Option D is the most significant finding because user jdoe has overlapping permissions from multiple group memberships (e.g., HR_Managers and Payroll_Admin), which can result in unintended cumulative effective permissions. In Windows NTFS, effective permissions are the sum of all allowed permissions from each group, minus any explicit denies, so overlapping group memberships often grant more access than intended, violating the principle of least privilege.

Exam trap

The trap here is that candidates may focus on individual permission levels (Read vs. Full Control) rather than the cumulative effect of overlapping group memberships, which is the more critical security concern in access control auditing.

How to eliminate wrong answers

Option A is wrong because the Internal_Audit group having Read access to payroll is appropriate for audit purposes and does not represent a security risk; auditors need read-only access to review data without modifying it. Option B is wrong because user asmith having only Read access is a proper restriction and not excessive; it aligns with least privilege if asmith's role only requires viewing payroll data. Option C is wrong because HR_Managers having Full Control over payroll is expected for their job function to manage employee records; this is not a finding unless the group membership is improperly broad.
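The cumulative-permission rule this explanation relies on, as an added example (not the exhibit from the question): a small Python model that computes each user's effective rights as the union of applicable Allow entries minus applicable Deny entries and reports who exceeds their role baseline. All users, groups, ACEs and baselines are constructed sample data; only explicit ACEs are modelled, not inheritance ordering.

```python
"""Effective-permission check for an NTFS-style ACL review.

Added example, not the exhibit from the question: it models the rule the
explanation gives (effective access = union of every applicable Allow ACE,
minus every applicable Deny ACE) and flags users whose cumulative rights
exceed what their role needs. All names, memberships and ACEs below are
constructed sample data; only explicit ACEs are modelled, not inheritance
ordering.
"""
from dataclasses import dataclass

# Atomic rights; the familiar permission levels are bundles of these.
READ = frozenset({"read_data", "list_dir", "read_attrs", "read_perms"})
WRITE = frozenset({"write_data", "append_data", "write_attrs"})
MODIFY = READ | WRITE | {"execute", "delete"}
FULL = MODIFY | {"change_perms", "take_ownership", "delete_subtree"}
LEVELS = {"Read": READ, "Write": WRITE, "Modify": MODIFY, "FullControl": FULL}


@dataclass(frozen=True)
class Ace:
    trustee: str            # user or group the entry applies to
    level: str              # key of LEVELS
    allow: bool = True      # False = explicit Deny


# Constructed sample data (hypothetical): group memberships and the payroll ACL.
GROUPS = {
    "jdoe": {"HR_Managers", "Payroll_Admin"},
    "asmith": {"Payroll_Viewers"},
    "rauditor": {"Internal_Audit"},
    "tlee": {"HR_Managers", "Contractors"},
}
PAYROLL_ACL = [
    Ace("HR_Managers", "FullControl"),
    Ace("Payroll_Admin", "Modify"),
    Ace("Payroll_Viewers", "Read"),
    Ace("Internal_Audit", "Read"),
    Ace("Contractors", "Write", allow=False),   # explicit Deny on write rights
]
# What each role actually needs on the payroll folder (the review baseline).
ROLE_BASELINE = {"jdoe": "Modify", "asmith": "Read", "rauditor": "Read", "tlee": "FullControl"}


def applicable_aces(user, groups, acl):
    """ACEs that apply to the user directly or through any group membership."""
    principals = {user} | groups.get(user, set())
    return [ace for ace in acl if ace.trustee in principals]


def effective_rights(user, groups, acl):
    """Union of applicable Allow rights minus union of applicable Deny rights."""
    allowed, denied = set(), set()
    for ace in applicable_aces(user, groups, acl):
        (allowed if ace.allow else denied).update(LEVELS[ace.level])
    return frozenset(allowed - denied)


def review_excess(groups, acl, baseline):
    """Return users whose effective rights exceed their role baseline, with the
    ACEs that granted the excess, so the finding names the overlapping sources."""
    findings = []
    for user, level in baseline.items():
        effective = effective_rights(user, groups, acl)
        excess = effective - LEVELS[level]
        if excess:
            sources = sorted(
                f"{ace.trustee}:{ace.level}"
                for ace in applicable_aces(user, groups, acl)
                if ace.allow and LEVELS[ace.level] & excess
            )
            findings.append({"user": user, "excess": sorted(excess), "granted_by": sources})
    return findings


if __name__ == "__main__":
    for f in review_excess(GROUPS, PAYROLL_ACL, ROLE_BASELINE):
        print(f"{f['user']}: excess rights {f['excess']} via {f['granted_by']}")
```

In the sample data jdoe needs only Modify but inherits Full Control through HR_Managers, which is exactly the overlap finding; tlee shows an explicit Deny removing write rights from an otherwise full grant.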

633
MCQhard

An organization uses a third-party cloud service for data storage. Which of the following is the BEST way to ensure data confidentiality in the event of a cloud provider breach?

A.Rely on the cloud provider's encryption at rest
B.Use TLS for data in transit
C.Implement client-side encryption before uploading data
D.Deploy a cloud access security broker (CASB) with DLP
AnswerC

Client-side encryption ensures only the organization controls keys.

Why this answer

Client-side encryption ensures that data is encrypted before it leaves the organization's control, so the cloud provider never has access to the plaintext or the encryption keys. In the event of a provider breach, the encrypted data remains confidential because only the organization holds the keys to decrypt it. This is the only option that guarantees confidentiality regardless of the cloud provider's security posture.

Exam trap

ISACA often tests the distinction between encryption at rest (provider-managed) and client-side encryption, where candidates mistakenly assume that any encryption at rest is sufficient to protect against a provider breach.

How to eliminate wrong answers

Option A is wrong because relying on the cloud provider's encryption at rest means the provider manages the encryption keys; if the provider is breached, an attacker could potentially access those keys or the decrypted data. Option B is wrong because TLS protects data only while it is in transit between the client and the cloud; once the data reaches the cloud storage, it is no longer protected by TLS and would be exposed in a breach. Option D is wrong because a CASB with DLP can monitor and enforce policies but does not encrypt the data itself; if the cloud provider is breached, the stored data (even if monitored) remains in plaintext or provider-managed encrypted form and could be accessed by the attacker.

634
MCQeasy

A company requires employees to use smart cards for facility access. Which additional control would BEST prevent tailgating?

A.Require biometric authentication
B.Use keypad locks on doors
C.Conduct random audits of access logs
D.Install mantraps at entry points
AnswerD

Mantraps create a physical barrier that allows only one authenticated person to enter at a time, preventing tailgating.

Why this answer

Mantraps prevent tailgating by allowing only one person per authentication. Biometrics address identity, not tailgating. Random audits are detective.

Keypad locks are simple and do not prevent tailgating.

635
MCQmedium

During a change management audit, the IS auditor notes that an emergency change was implemented to fix a critical security vulnerability. Which of the following should the auditor expect to find in the change documentation?

A.A post-implementation review scheduled six months later
B.A formal change request approved by the Change Advisory Board (CAB) before implementation
C.A rollback plan
D.A complete test plan executed before deployment
AnswerC

A rollback plan is critical for emergency changes to mitigate risk.

Why this answer

Emergency changes require a rollback plan to ensure the system can be restored if the change fails. A full test plan may be abbreviated.

636
MCQmedium

An organization's IT security policy requires background checks for all IT staff handling sensitive data. Which of the following is the PRIMARY reason for this requirement?

A.To ensure employees have the necessary technical skills
B.To reduce employee turnover
C.To reduce the risk of insider threats by verifying the trustworthiness of personnel
D.To comply with industry regulations
AnswerC

Background checks help identify individuals with a history of fraudulent or malicious behavior.

Why this answer

Background checks help verify the trustworthiness of employees who have access to sensitive information, reducing the risk of insider threats.

637
MCQhard

A company has been developing a custom inventory management system using Scrum. In the current sprint, the team discovered that the integration module with the legacy ERP system has severe performance issues: under peak load, transactions time out and fail. The product owner is concerned because the release is scheduled in two weeks. The development team estimates that a proper fix will take three weeks. A similar issue occurred in a previous sprint and was temporarily resolved by reducing the number of concurrent transactions, which lowered performance but kept the system operational. The stakeholders are anxious about the deadline because the legacy ERP will be retired shortly after the planned go-live. What is the BEST action for the team to take?

A.Reduce the scope of the release to exclude the ERP integration feature entirely
B.Delay the release by one week to complete the proper fix (three weeks total)
C.Add two additional developers to the team to complete the fix within the original two-week timeline
D.Apply the same workaround for the go-live and plan a permanent fix in a later release
AnswerB

A one-week delay allows a proper fix, ensuring system reliability.

Why this answer

Option B is correct because delaying the release by one week allows the team to implement a proper, permanent fix for the ERP integration module's performance issue, which is critical given that the legacy ERP will be retired shortly after go-live. A temporary workaround would risk system instability and transaction failures under peak load, potentially causing data loss or corruption during the transition. The three-week estimate for a proper fix addresses the root cause, ensuring the system can handle peak loads reliably before the legacy system is decommissioned.

Exam trap

The trap here is that candidates may choose Option D (workaround) because it seems pragmatic and avoids delaying the release, but they fail to recognize that the legacy ERP's imminent retirement makes a later permanent fix impossible, leaving the system with a critical, unresolved performance flaw.

How to eliminate wrong answers

Option A is wrong because completely excluding the ERP integration feature would render the inventory management system unable to communicate with the legacy ERP, breaking core business functionality and likely making the release unusable. Option C is wrong because adding two developers to a Scrum team mid-sprint typically disrupts velocity, introduces ramp-up time, and does not linearly reduce development time for a complex performance fix; Brooks' law suggests this could delay rather than accelerate the fix. Option D is wrong because applying the same workaround (reducing concurrent transactions) would lower system performance and risk transaction timeouts under peak load, and with the legacy ERP being retired soon, there would be no opportunity for a later permanent fix, leaving the system vulnerable to failure.

638
MCQeasy

The IT governance objective 'Evaluate-Direct-Monitor' in COBIT 2019 is primarily associated with which role?

A.Board of directors
B.Internal audit
C.IT management
D.IT steering committee
AnswerA

The EDM domain is for the governing body to evaluate, direct, and monitor IT.

Why this answer

The Evaluate-Direct-Monitor (EDM) domain in COBIT 2019 is focused on governance responsibilities typically performed by the board of directors and executive management.

639
MCQmedium

A retail company is merging with a competitor. The IT departments of both organizations have different IT governance structures: Company A uses a centralized model with strict change management, while Company B uses a decentralized model with autonomous business unit IT. The CIO has been tasked with integrating the IT functions post-merger. The board expects cost synergies and improved service levels. The integration team is facing resistance from Company B's business heads who fear loss of agility. The CIO needs to propose a governance model for the merged entity. Which approach would BEST meet the board's expectations while addressing resistance?

A.Keep both models separate and allow business units to choose their preferred model.
B.Adopt Company B's decentralized model to preserve agility.
C.Immediately impose Company A's centralized model across the merged entity.
D.Implement a phased integration with a transitional governance structure that includes representatives from both sides.
AnswerD

Phased integration respects both cultures and reduces resistance.

Why this answer

Option D is correct because a phased integration with interim governance allows gradual convergence, managing change and resistance while building toward synergy. Option C is wrong because immediate full centralization may cause disruption and strong resistance. Option B is wrong because adopting the weaker model (decentralized) may not achieve synergies.

Option A is wrong because maintaining both models permanently does not achieve integration.

640
Multi-Selecthard

An IS auditor is assessing the effectiveness of an organization's IT governance framework. Which THREE of the following are key indicators of a mature governance process?

Select 3 answers
A.Defined roles and responsibilities for IT decisions
B.Annual IT budget approval by senior management
C.Existence of an IT steering committee
D.Outsourcing of all IT operations
E.Regular measurement of IT performance against metrics
AnswersA, C, E

Clear accountability is a hallmark of governance maturity.

Why this answer

Defined roles and responsibilities for IT decisions (Option A) are a key indicator of a mature IT governance process because they establish clear accountability and authority, aligning with frameworks like COBIT 5. This ensures that decision-making rights are assigned to specific roles (e.g., IT steering committee, CIO, business process owners), reducing ambiguity and enabling effective oversight. Without such definition, governance lacks the structural foundation needed for consistent and auditable decision-making.

Exam trap

The trap here is that candidates often mistake basic financial oversight (annual budget approval) for a sign of governance maturity, when in reality mature governance requires continuous monitoring, defined decision rights, and performance measurement beyond periodic approvals.

641
MCQhard

The exhibit shows a log entry from a domain controller. The IS auditor is investigating account lockout issues. What is the MOST likely cause of this event?

A.Multiple failed authentication attempts from the backup server
B.The service account password has expired
C.The service account does not exist
D.The service account has been disabled by an administrator
AnswerA

Account lockout is triggered by multiple failed attempts.

Why this answer

The log entry shows a failed authentication attempt from the backup server's IP address (10.0.0.15) using the service account 'svc_backup'. The event ID 4625 indicates an account logon failure, and the 'Failure Reason' field explicitly states 'Unknown user name or bad password'. Since the account name is correct, the most likely cause is multiple failed authentication attempts (e.g., due to a stale or incorrect password cached in the backup software) leading to account lockout, not a single event.

Exam trap

The trap here is that candidates assume a single failed logon event directly indicates lockout, but the question asks for the 'MOST likely cause' of the lockout issue, which is the accumulation of multiple failed attempts from the same source (the backup server) due to a mismatched password.

How to eliminate wrong answers

Option B is wrong because a password expiration would generate a different event (e.g., event ID 4739 or a 'password must change' prompt), not a 'bad password' failure with event ID 4625. Option C is wrong because if the service account did not exist, the failure reason would be 'No such user' or 'user name not found', not 'Unknown user name or bad password' which implies the account exists but the password is wrong. Option D is wrong because a disabled account would produce a failure reason of 'Account disabled' or 'Account currently disabled', not 'Unknown user name or bad password'.
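The triage the explanation describes, as an added example that is not part of the question bank: a Python script that parses constructed, simplified 4625 lines, uses the event's Sub Status to separate a bad password from a non-existent, disabled or already-locked account (the generic Status 0xC000006D is always reported as 'Unknown user name or bad password'), and reports which account/source pair accumulates bad-password failures fast enough to trip a lockout policy. The log layout, timestamps, the second account and the lockout threshold and window are assumptions; svc_backup and 10.0.0.15 are the values from the question.

```python
"""Account-lockout source triage over Windows Security log 4625 events.

Added example, not part of the question bank. It parses constructed,
simplified 4625 lines (the real events are XML; the field names used here
mirror the event's Account Name, Source Network Address, Status and
Sub Status fields) and answers the auditor's question: which account/source
pair is accumulating 'bad password' failures fast enough to trip a lockout
policy. The NTSTATUS sub-status codes are the documented Windows values;
the lockout threshold and window are assumed policy values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sub Status values Windows puts in 4625; the generic Status 0xC000006D is
# always reported as 'Unknown user name or bad password', so only the
# sub-status tells the reasons apart.
SUB_STATUS = {
    "0xC000006A": "bad password",
    "0xC0000064": "no such user",
    "0xC0000072": "account disabled",
    "0xC0000071": "password expired",
    "0xC0000234": "account locked out",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Source=(?P<src>\S+) Status=(?P<status>0x[0-9A-Fa-f]+) "
    r"SubStatus=(?P<sub>0x[0-9A-Fa-f]+)$"
)

# Constructed sample log (timestamps, the second account and its source are
# made up; svc_backup / 10.0.0.15 are the values the question discusses).
SAMPLE_LOG = """\
2024-05-02T02:00:03Z EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-05-02T02:05:03Z EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-05-02T02:10:03Z EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-05-02T02:12:41Z EventID=4625 Account=mbrown Source=10.0.2.77 Status=0xC000006D SubStatus=0xC000006A
2024-05-02T02:15:03Z EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-05-02T02:20:03Z EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-05-02T02:25:03Z EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-05-02T02:30:03Z EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC0000234
2024-05-02T03:01:10Z EventID=4625 Account=svc_backp Source=10.0.3.9 Status=0xC000006D SubStatus=0xC0000064
"""


def parse_events(text):
    """Parse 4625 lines into dicts; malformed or non-4625 lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["eid"] != "4625":
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "account": m["acct"], "source": m["src"],
            "reason": SUB_STATUS.get(m["sub"], f"unmapped {m['sub']}"),
        })
    return events


def lockout_sources(events, threshold=5, window=timedelta(minutes=30)):
    """Account/source pairs whose 'bad password' failures reach the lockout
    threshold inside the observation window, most failures first."""
    times = defaultdict(list)
    for ev in events:
        if ev["reason"] == "bad password":
            times[(ev["account"], ev["source"])].append(ev["time"])
    findings = []
    for (account, source), ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):            # sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"account": account, "source": source,
                             "failures_in_window": best, "total": len(ts)})
    return sorted(findings, key=lambda f: -f["failures_in_window"])


if __name__ == "__main__":
    for f in lockout_sources(parse_events(SAMPLE_LOG)):
        print(f)
```

The single user typo and the misspelled account are not reported; only the backup server's repeated bad-password failures against svc_backup reach the threshold, and the final 0xC0000234 entry confirms the lockout has already happened.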

642
MCQmedium

An IS auditor is reviewing a system development project and notices that user acceptance testing (UAT) is being conducted in the production environment due to lack of a separate test environment. What is the primary risk?

A.System availability issues
B.Performance degradation
C.Security breaches due to unauthorized access
D.Data integrity violations
AnswerC

UAT in production exposes sensitive data and may lead to breaches.

Why this answer

Conducting UAT in production exposes sensitive production data and live systems to test scripts and users who may not have proper authorization, creating a direct path for security breaches. Production environments typically have broader access controls and audit trails that are not designed to isolate test activities, increasing the risk of unauthorized data exposure or modification. This violates the principle of segregation of duties and can lead to compliance issues with standards like PCI DSS or HIPAA.

Exam trap

The trap here is that candidates focus on operational impacts like performance or availability, but the CISA exam emphasizes that the highest risk from using production for testing is the compromise of sensitive data and unauthorized access, not just system slowdowns.

How to eliminate wrong answers

Option A is wrong because system availability issues are a secondary concern; the primary risk is not that the system becomes unavailable but that unauthorized access or data leakage occurs. Option B is wrong because performance degradation is a potential side effect but not the primary risk; the core issue is the security and integrity of production data. Option D is wrong because while data integrity violations could occur, they are a consequence of unauthorized access or modification, not the primary risk itself; the root cause is the lack of a separate test environment leading to security breaches.

643
Multi-Selectmedium

An IS auditor is evaluating the effectiveness of a backup strategy for a critical database. Which TWO of the following are essential controls to ensure data recoverability?

Select 2 answers
A.Storing backups offsite
B.Encrypting backup tapes
C.Performing regular restoration tests
D.Labeling tapes with dates
E.Using high-capacity media
AnswersA, C

Correct: Offsite storage protects against site-level disasters.

Why this answer

Regular restoration tests verify that backups are recoverable, and offsite storage ensures availability after a site disaster. Encryption, labeling, and capacity are security or operational considerations but not essential for recoverability.

644
MCQhard

An organization has decentralized IT management with each business unit making its own technology decisions. Which of the following is the BEST way to maintain enterprise-wide governance?

A.Deploy a single enterprise resource planning (ERP) system across all units.
B.Require all IT projects to be approved by the corporate IT department.
C.Create a central IT budget that allocates funds to business units.
D.Establish an enterprise architecture review board with representatives from all business units.
AnswerD

This provides governance without removing unit autonomy.

Why this answer

Option D is correct because an enterprise architecture review board with unit representatives ensures alignment while respecting decentralization. Option B is too centralized. Option A forces a single system, which may not suit all units.

Option C is budgeting, not governance of decisions.

645
Multi-Selectmedium

Which TWO of the following are examples of detective controls? (Choose two.)

Select 2 answers
A.Firewall rules that block unauthorized traffic.
B.Regular review of security incident logs.
C.Intrusion detection system (IDS) alerts.
D.Encryption of sensitive data at rest.
E.Access control lists (ACLs) on network devices.
AnswersB, C

Log review is a detective control that identifies past events.

Why this answer

Review of security incident logs (B) and intrusion detection system alerts (C) are detective controls that identify events after they occur.

646
MCQeasy

A company's backup policy requires that backup media be stored offsite. Which of the following is the PRIMARY reason for this requirement?

A.To ensure data is available in case of a site disaster
B.To reduce backup storage costs
C.To comply with regulatory requirements
D.To protect against theft
AnswerA

Offsite storage preserves data integrity when the primary site is compromised.

Why this answer

The primary reason for storing backup media offsite is to ensure data availability and recoverability in the event of a site-level disaster, such as a fire, flood, or physical destruction of the primary data center. This aligns with the core business continuity principle of geographic separation to avoid a single point of failure. Without offsite storage, a site disaster would destroy both primary and backup data, making recovery impossible.

Exam trap

The trap here is that candidates often confuse compliance or cost as the primary driver, but the CISA exam emphasizes that business continuity and disaster recovery (BC/DR) requirements—specifically ensuring data survival after a site disaster—are the fundamental reason for offsite backup storage.

How to eliminate wrong answers

Option B is wrong because offsite storage typically increases costs due to transportation, secure facilities, and logistics, rather than reducing them. Option C is wrong because while regulatory compliance may mandate offsite storage, it is not the primary reason; compliance is a derived requirement from the need for disaster recovery. Option D is wrong because protection against theft is a secondary benefit; the primary goal is to survive a site-wide disaster, not just physical theft of media.

647
MCQhard

An organization is disposing of old servers. The IS auditor reviews the asset disposition process and finds that hard drives are being erased using a standard format command. What is the auditor's primary concern?

A.The drives are not being tested for functionality.
B.The data on the hard drives may still be recoverable.
C.The software licenses are not being transferred.
D.The servers are not being recycled for environmental compliance.
AnswerB

Standard format does not overwrite data securely.

Why this answer

Standard format commands do not securely erase data; data can still be recovered. Secure sanitization methods (e.g., degaussing, shredding) should be used.

648
MCQmedium

During an audit of a cloud service provider, the IS auditor finds that the provider's datacenter access logs show multiple successful logins by an employee during non-business hours over several weeks. The employee works in the sales department. What should the auditor do first?

A.Recommend disabling the employee's access immediately.
B.Review the access rights policy and compare with actual access.
C.Discuss with the employee's supervisor to verify if access was authorized.
D.Report the finding immediately to senior management.
AnswerC

This is the appropriate first step to confirm authorization.

Why this answer

Option C is correct because the IS auditor's first priority is to gather evidence and understand the context before taking action. The employee's sales role and non-business hours access may be legitimate (e.g., supporting a client in a different time zone). Discussing with the supervisor is a standard audit procedure to verify authorization, aligning with ISACA's audit evidence collection and due professional care.

Exam trap

The trap here is that candidates confuse the auditor's role with that of a security incident responder, leading them to choose immediate disabling or escalation without first performing due diligence through inquiry and evidence gathering.

How to eliminate wrong answers

Option A is wrong because immediately disabling access is a management action, not an auditor's role; the auditor should first verify if the access was authorized before recommending any changes. Option B is wrong because reviewing the access rights policy and comparing with actual access is a subsequent step after confirming the context; the policy review alone does not determine if this specific instance was authorized or an anomaly. Option D is wrong because reporting to senior management is premature without first understanding the situation; escalation should occur after initial verification and if unauthorized access is confirmed.

649
MCQeasy

An organization is considering replacing its legacy financial system with a new ERP solution. Which of the following is the PRIMARY advantage of purchasing a commercial off-the-shelf (COTS) ERP package over building a custom system?

A.Greater control over customization
B.Lower total cost of ownership
C.Complete alignment with business processes
D.Faster implementation
AnswerD

Reduced development time as the system is pre-built.

Why this answer

COTS packages typically have a faster implementation timeline because the core functionality already exists, reducing development time.

650
MCQmedium

An e-commerce company stores customer payment card data in a tokenized database. The tokenization system replaces credit card numbers with tokens, and the actual card numbers are stored in a separate, highly restricted vault. The company is audited for Payment Card Industry Data Security Standard (PCI DSS) compliance. During the audit, it is discovered that the tokenization system sometimes fails due to high load, causing the application to fall back to storing actual card numbers temporarily. This fallback mechanism was not documented or approved. The company also uses the same encryption key for the vault as for other non-sensitive data. The auditor identifies several non-compliances. Which of the following should the company prioritize to remediate?

A.Replace the tokenization system with end-to-end encryption
B.Remove the fallback mechanism and ensure the tokenization system has appropriate redundancy
C.Use a separate encryption key for the vault
D.Increase the capacity of the tokenization server to handle peak loads
AnswerB

Eliminating the fallback prevents storage of raw card numbers.

Why this answer

Option B is correct because the fallback mechanism directly exposes cardholder data, violating the PCI DSS requirement to protect stored card data. Correcting this eliminates the risk. Option A is important but not as immediate.

Option D (more capacity) addresses a performance issue. Option C (key separation) is also critical, but the fallback is a direct data exposure.
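The fallback described in this question, as an added example that is not the audited company's code: a Python model of the fail-open behaviour (raw PAN written when the tokenizer is overloaded) beside a fail-closed version that defers the transaction instead, plus the check an auditor can run over stored records to find raw card numbers regardless of what the status column says. The vault, its capacity limit, the record layout and the well-known test PAN are constructed sample values.

```python
"""Fail-open vs fail-closed tokenization fallback, plus the audit check.

Added example, not the audited company's code. The first store function
reproduces the undocumented fallback the question describes (raw PAN written
when the tokenizer is overloaded); the second fails closed. find_raw_pans()
is the check an auditor can run over the stored records. The capacity
limit, PAN and record layout are constructed sample values.
"""
import secrets


class TokenizerOverloaded(Exception):
    """Raised by the vault when it cannot take another request."""


class TokenVault:
    """Toy tokenizer: PAN -> random token, mapping kept only in the vault."""

    def __init__(self, capacity):
        self.capacity = capacity      # requests it can serve before overloading
        self.served = 0
        self._mapping = {}            # token -> PAN; the 'highly restricted vault'

    def tokenize(self, pan):
        if self.served >= self.capacity:
            raise TokenizerOverloaded("vault at capacity")
        self.served += 1
        token = "tok_" + secrets.token_hex(8)
        self._mapping[token] = pan
        return token


def store_fail_open(pan, vault, records):
    """The non-compliant behaviour: on tokenizer failure the PAN itself is
    stored 'temporarily', so cardholder data lands in the application database."""
    try:
        records.append({"card_ref": vault.tokenize(pan), "status": "tokenized"})
    except TokenizerOverloaded:
        records.append({"card_ref": pan, "status": "fallback_raw"})   # the finding
    return records[-1]["status"]


def store_fail_closed(pan, vault, records):
    """Hardened behaviour: a failed tokenization never writes the PAN; the
    transaction is deferred and only an opaque marker is recorded."""
    try:
        records.append({"card_ref": vault.tokenize(pan), "status": "tokenized"})
    except TokenizerOverloaded:
        records.append({"card_ref": None, "status": "deferred_tokenizer_unavailable"})
    return records[-1]["status"]


def luhn_ok(digits):
    """Standard Luhn check used to tell a real card number from a token."""
    total, double = 0, False
    for d in reversed(digits):
        n = int(d)
        if double:
            n = n * 2
            if n > 9:
                n -= 9
        total += n
        double = not double
    return total % 10 == 0


def find_raw_pans(records):
    """Audit check: any card_ref that is a 13-19 digit Luhn-valid number is a
    raw PAN, whatever the status column claims. Returns record indexes."""
    hits = []
    for i, rec in enumerate(records):
        ref = rec.get("card_ref")
        if isinstance(ref, str) and ref.isdigit() and 13 <= len(ref) <= 19 and luhn_ok(ref):
            hits.append(i)
    return hits


def simulate(store, capacity=2, attempts=4):
    """Drive a store function past the vault's capacity and return the records."""
    vault, records = TokenVault(capacity), []
    for _ in range(attempts):
        store("4111111111111111", vault, records)   # well-known test PAN
    return records


if __name__ == "__main__":
    print("fail-open raw PANs at records:", find_raw_pans(simulate(store_fail_open)))
    print("fail-closed raw PANs at records:", find_raw_pans(simulate(store_fail_closed)))
```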

651
MCQmedium

During an ERP implementation, the project team decides to customize the software to align with existing business processes. Which of the following risks is MOST likely to increase as a result of extensive customization?

A.Increased vendor lock-in
B.Simpler data migration
C.Reduced user acceptance
D.Higher costs for future upgrades
AnswerD

Custom code must be adapted for each new version.

Why this answer

Extensive customization of an ERP system typically involves modifying the core code or configuration beyond standard parameters. This creates a custom code base that diverges from the vendor's standard release, making future upgrades significantly more complex and costly because each upgrade requires re-applying and testing all customizations against the new version, often requiring specialized skills and extensive regression testing.

Exam trap

The trap here is that candidates often confuse customization with configuration; customization modifies source code or adds custom objects, while configuration uses built-in parameters, and only customization significantly increases upgrade costs.

How to eliminate wrong answers

Option A is wrong because vendor lock-in is primarily driven by reliance on proprietary data formats, APIs, or licensing models, not by customization itself; in fact, customizations can sometimes reduce lock-in by making the system more tailored to the organization's unique needs. Option B is wrong because extensive customization often complicates data migration, as custom fields, tables, and logic must be mapped and transformed, increasing the risk of data loss or corruption. Option C is wrong because user acceptance typically increases when the system is customized to align with existing business processes, as it reduces the need for users to adapt to new workflows.

652
MCQmedium

Which of the following is a key difference between internal and external auditors?

A.Internal auditors are required for regulatory compliance
B.Internal auditors focus only on financial controls
C.External auditors have deeper organizational knowledge
D.External auditors are more independent than internal auditors
AnswerD

External auditors are independent of the organization.

Why this answer

External auditors are independent third parties, while internal auditors are employees of the organization.

653
MCQmedium

An organization is implementing a disaster recovery plan. The DR team wants to test the plan with minimal risk and without impacting production operations. Which type of test is most appropriate?

A.Walkthrough
B.Full interruption test
C.Simulation
D.Parallel test
AnswerA

A walkthrough is a discussion-based review, no production impact.

Why this answer

A walkthrough test involves reviewing the plan step by step in a meeting, with no actual failover or impact on production, making it low-risk.

654
MCQeasy

An organization has defined an RTO of 4 hours for its critical financial system. During a disaster recovery test, the system was recovered in 3.5 hours, but data loss was 30 minutes. Which metric is most directly addressed by the recovery time?

A.RPO
B.MTBF
C.RTO
D.MTTR
AnswerC

RTO is the target time for recovery, directly addressed by the recovery time.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable downtime for a system after a disaster. Since the organization's RTO is 4 hours and the system was recovered in 3.5 hours, the recovery time directly satisfies the RTO metric. The 30 minutes of data loss is irrelevant to RTO; it pertains to the Recovery Point Objective (RPO).

Exam trap

The trap here is confusing RTO with RPO: candidates see 'data loss was 30 minutes' and incorrectly assume the recovery time metric is RPO, but the question explicitly asks which metric is 'most directly addressed by the recovery time,' which is RTO.

How to eliminate wrong answers

Option A is wrong because RPO (Recovery Point Objective) measures the maximum acceptable data loss in time, not the time to recover; the 30-minute data loss is what RPO addresses. Option B is wrong because MTBF (Mean Time Between Failures) is a reliability metric measuring average time between system failures, unrelated to recovery time after a disaster. Option D is wrong because MTTR (Mean Time To Repair) measures the average time to fix a failed component, not the time to restore the entire system from a disaster scenario.

655
MCQmedium

During the planning phase of an IS audit, the auditor identifies that the organization has recently implemented a new ERP system. The audit team has limited experience with this ERP. Which of the following is the BEST course of action?

A.Limit the audit scope to exclude the new ERP system.
B.Proceed with the audit using existing staff and hope for the best.
C.Postpone the audit until the team gains sufficient experience.
D.Engage an external specialist with ERP expertise to supplement the audit team.
AnswerD

Using a specialist ensures adequate coverage of the new system.

Why this answer

Incorporating an external specialist with ERP expertise ensures the audit is conducted effectively despite the team's lack of experience.

656
MCQhard

An organization outsources its data center operations. What is the BEST way to ensure the service provider's controls are effective?

A.Conduct periodic third-party audits
B.Rely on the provider's internal audit reports
C.Monitor service level agreements only
D.Require the provider to implement all organizational controls
AnswerA

Correct. Independent audits validate control design and operation.

Why this answer

Option A is correct because independent third-party audits provide objective verification of controls. Option B is incorrect because relying solely on the provider's internal audit may lack independence. Option D is incorrect because requiring all controls may be impractical and expensive.

Option C is incorrect because SLAs focus on performance, not control effectiveness.

657
MCQeasy

Which of the following is the PRIMARY benefit of conducting a tabletop exercise for disaster recovery?

A.Measuring the recovery time objective (RTO)
B.Improving communication and decision-making among key personnel
C.Validating the technical recovery procedures
D.Testing the actual restoration of systems
AnswerB

This is the primary benefit.

Why this answer

Tabletop exercises focus on discussion and coordination among participants without technical testing.

658
MCQhard

You are an IS auditor reviewing the remote access configuration for a medium-sized enterprise. The company uses a VPN concentrator to allow employees to connect from home. The VPN is configured with IPsec using pre-shared keys (PSK) and requires no multi-factor authentication. Employees use company-issued laptops with full disk encryption. The VPN logs show that connections are coming from a wide range of IP addresses, including some from countries where the company has no business operations. The IT manager argues that the PSK is changed monthly and that full disk encryption mitigates any risk. However, during the audit, you find that the PSK is stored in a shared document on an internal file server accessible to all employees. Additionally, the VPN concentrator uses a single PSK for all users. Which of the following is the MOST critical finding?

A.The PSK is changed monthly, but the change interval is too long
B.The VPN uses a single pre-shared key for all users, increasing the risk of widespread compromise
C.Full disk encryption on laptops is not sufficient to protect VPN credentials
D.VPN connections from unexpected countries indicate possible unauthorized access
AnswerB

Single PSK creates a single point of failure.

Why this answer

The use of a single pre-shared key (PSK) for all VPN users is the most critical finding because it creates a single point of failure: if that key is compromised, an attacker can impersonate any authorized user and gain full network access. The fact that the PSK is stored in a shared document accessible to all employees dramatically increases the likelihood of exposure, and changing it monthly does not remediate the fundamental lack of user-level authentication. Without per-user credentials or multi-factor authentication, the VPN concentrator cannot distinguish between legitimate employees and an attacker who possesses the shared key.

Exam trap

The trap here is that candidates focus on the visible symptom (unexpected IP addresses) or the partial control (monthly PSK rotation) rather than recognizing that a single shared secret for all users is a fundamental architectural flaw that undermines all other controls.

How to eliminate wrong answers

Option A is wrong because the monthly PSK change interval is not the core issue; even a daily change would not fix the lack of per-user authentication and the risk of a single shared secret being exposed. Option C is wrong because full disk encryption protects data at rest on the laptop, but it does not protect the PSK when it is stored in a shared document on a file server or when it is transmitted or used during VPN authentication. Option D is wrong because, while connections from unexpected countries are suspicious and warrant investigation, they are not as critical as the fundamental authentication weakness; the single PSK means that any external attacker who obtains the key can connect from anywhere, making the geographic anomaly a symptom rather than the root cause.

659
MCQ (easy)

An IS auditor is planning an audit of a newly implemented financial system. Which of the following is the PRIMARY consideration when determining the audit scope?

A.Management's request to include all modules
B.Previous audit findings and recommendations
C.Risk assessment of the financial system
D.Regulatory requirements applicable to the system
Answer: C

Risk assessment identifies areas with highest impact and likelihood, guiding scope.

Why this answer

The primary consideration for determining audit scope is a risk assessment of the financial system. ISACA standards require auditors to use a risk-based approach to focus audit efforts on areas with the highest residual risk, ensuring that resources are allocated to the most critical controls and processes. Without a risk assessment, the scope may be too broad or miss key vulnerabilities, such as segregation of duties or access control weaknesses in the new system.

Exam trap

The trap here is that candidates often select regulatory requirements (Option D) as primary because they are mandatory, but the IS auditor must first perform a risk assessment to determine which regulatory requirements are most relevant and how to scope the audit effectively.

How to eliminate wrong answers

Option A is wrong because management's request to include all modules is a stakeholder preference, not a risk-based scoping criterion; including all modules without risk analysis can lead to inefficient audits and missed high-risk areas. Option B is wrong because previous audit findings and recommendations are historical inputs that inform the risk assessment but are not the primary driver for scoping a newly implemented system, which may have different risks. Option D is wrong because regulatory requirements are mandatory compliance factors that must be included in the scope, but they are a subset of the broader risk assessment; the risk assessment determines which regulatory requirements are most relevant and how deeply to test them.

660
MCQ (medium)

Refer to the exhibit. An IS auditor reviewing backup logs notices this error. Which of the following is the MOST likely root cause?

A.Backup script has a syntax error
B.Incorrect database credentials
C.Storage array is offline
D.Insufficient disk space on backup target
Answer: C

Correct: Offline array prevents mounting.

Why this answer

The error indicates failure to mount the backup target, implying a connectivity issue with the storage array. A syntax error would produce a script error; disk space would show a different error; authentication would show a credentials error.

661
MCQ (hard)

During an audit, an IS auditor finds that a system administrator has not taken mandatory vacation in three years. Which control is most likely being violated?

A.Access control
B.Separation of duties
C.Mandatory vacation policy
D.Job rotation
Answer: C

Mandatory vacation is designed to detect fraudulent activities by forcing absence.

Why this answer

Mandatory vacation is a fraud detection control that helps uncover irregularities when an employee is away.

662
Multi-Select (easy)

Which TWO of the following are essential elements of a business continuity plan (BCP) for a newly developed system?

Select 2 answers
A.Testing schedule for the BCP
B.List of incident response team members
C.Detailed system architecture
D.Recovery time objectives (RTOs)
E.Backup and recovery procedures
Answers: D, E

RTOs define maximum acceptable downtime.

Why this answer

Recovery time objectives (RTOs) are essential because they define the maximum acceptable downtime for the system, directly driving the design of backup and recovery strategies. Without RTOs, the BCP cannot prioritize recovery actions or allocate resources effectively, making them a foundational element for any newly developed system.

Exam trap

The trap here is confusing operational components (testing schedule, incident response team) with the core strategic elements (RTOs and recovery procedures) that must be defined before a BCP can be considered complete for a new system.

663
MCQ (medium)

An IT policy exception is requested to allow a legacy system that cannot be patched to remain in operation. What is the BEST way to manage this exception?

A.Approve with compensating controls and a sunset date
B.Reject the request and force the system to be patched
C.Escalate to the board for decision
D.Approve the exception indefinitely to avoid disruption
Answer: A

This mitigates risk and ensures eventual compliance.

Why this answer

Proper exception management requires compensating controls and a time-bound approval with periodic review.

664
MCQ (medium)

Refer to the exhibit. A cloud load balancer uses this JSON configuration. A request arrives from source IP 10.0.1.100 to port 80. Which backend pool will receive the request?

A.The request is dropped
B.backend-pool-1
C.The request is sent to both pools
D.backend-pool-2
Answer: A

No matching rule and no default.

Why this answer

The JSON configuration shows a load balancer rule that only forwards requests to backend-pool-1 when the source IP matches 10.0.1.0/24 AND the destination port is 80. The request from source IP 10.0.1.100 to port 80 satisfies both conditions, so it should be forwarded to backend-pool-1. However, the exhibit (not fully shown) likely includes a default deny or a missing rule for this specific combination, causing the request to be dropped.

Option A is correct because the configuration explicitly drops unmatched traffic.

Exam trap

ISACA often tests the misconception that a matching rule automatically forwards traffic, ignoring that a default deny or missing listener action can override the rule and drop the request.

How to eliminate wrong answers

Option B is wrong because backend-pool-1 is the intended target for this request based on the rule, but the exhibit's configuration (e.g., a missing listener or a default action) causes the request to be dropped instead. Option C is wrong because load balancers do not send a single request to multiple pools unless configured for multicast or anycast, which is not shown here; the rule specifies a single pool. Option D is wrong because backend-pool-2 is not matched by the source IP or port condition in the rule; it would only receive traffic from different source ranges or ports.

665
MCQ (medium)

An organization is acquiring a third-party SaaS application. Which of the following should be included in the contract to ensure data protection?

A.Right to audit the vendor's security practices
B.Service level agreement (SLA) for uptime
C.Data ownership and location specification
D.Data encryption clause for data at rest and in transit
Answer: A

Right to audit enables verification of data protection controls.

Why this answer

A right to audit the vendor's security practices is essential in a SaaS contract because it allows the organization to independently verify that the vendor's controls (e.g., access management, patch management, incident response) meet contractual and regulatory requirements. Without this clause, the organization must rely solely on the vendor's self-assessments or third-party reports like SOC 2, which may not cover all relevant risks or may be outdated. This right is a key mechanism for ensuring ongoing data protection in a shared responsibility model.

Exam trap

The trap here is that candidates often choose a specific technical control like encryption (Option D) because it seems directly related to data protection, but they overlook that the right to audit is the overarching governance mechanism that ensures all controls, including encryption, are actually implemented and effective.

How to eliminate wrong answers

Option B is wrong because an SLA for uptime addresses service availability, not data protection; it does not cover confidentiality, integrity, or security controls. Option C is wrong because data ownership and location specification, while important for compliance (e.g., GDPR), does not by itself ensure that the vendor implements adequate security measures to protect the data. Option D is wrong because a data encryption clause for data at rest and in transit is a necessary security requirement but is insufficient on its own; it does not provide the organization with a mechanism to verify that encryption is properly implemented or that other critical controls (e.g., key management, access controls) are in place.

666
MCQ (hard)

Refer to the exhibit. An IT operator receives this error message from an automated backup job. What is the MOST likely cause of this failure?

A.The FinanceDB database is corrupted
B.The network link between servers is down
C.The backup server's disk is full
D.The LUN presenting the virtual disk is not zoned or masked to the backup server
Answer: D

The error 'Unable to mount virtual disk' strongly suggests a SAN zoning/LUN masking issue.

Why this answer

Option D is correct because the error indicates that the backup server cannot access the virtual disk, which is typically a LUN masking or zoning issue. Option A is plausible but the message specifically points to storage access; Option B is not indicated; Option C is possible but less direct.

667
MCQ (medium)

An organization has the S3 bucket policy shown. Which of the following is the MOST likely intent of this policy?

A.Prevent deletion of objects from the bucket over unencrypted connections.
B.Prevent all deletion of objects from the bucket.
C.Prevent access to the bucket over HTTP.
D.Allow deletion only over HTTPS.
Answer: A

The policy denies s3:DeleteObject when SecureTransport is false.

Why this answer

Option A is correct because the policy denies DeleteObject when the request is not over HTTPS (SecureTransport false), thereby blocking deletion over HTTP but allowing deletion over HTTPS. Option B is incorrect because deletion over HTTPS is still allowed. Option C is incorrect because other actions like read are not restricted.

Option D is incorrect because it does not specifically allow deletion only over HTTPS; it denies over HTTP, so deletion over HTTPS is allowed implicitly.

668
MCQ (hard)

You are the lead IT auditor for a multinational corporation that recently completed a merger with another company. During the post-merger integration audit, you discover that the acquired company's legacy HR system contains sensitive personal data of 20,000 employees and has been directly accessible from the internet for the last 18 months. The system runs on an unsupported operating system (Windows Server 2008) and uses a custom-built application with no logging enabled. The acquired company's IT manager argues that the server is isolated behind a firewall and has never been compromised. However, your review of firewall logs shows numerous connection attempts from unknown IP addresses. The integration team plans to decommission this system in three months. You need to determine the appropriate audit response. Which of the following should you do NEXT?

A.Conduct a forensic analysis of the server to determine if a breach has occurred
B.Wait for the decommissioning timeline and monitor the server logs for any signs of breach
C.Issue an urgent audit report to senior management highlighting the risk and recommending immediate isolation or remediation
D.Propose a compensating control, such as requiring VPN access to the server
Answer: C

Correct: Auditors must escalate critical findings promptly to management for action.

Why this answer

Option C is correct: immediately reporting the critical vulnerability to senior management is the first step because the risk of data exposure is severe and requires urgent attention. Option B delays action, A assumes a compromise that has not been confirmed, and D is premature without a management directive.

669
MCQ (medium)

An organization classifies IT incidents based on severity. A critical financial application is unavailable, impacting all users. According to ITIL best practices, which severity level should this incident be assigned?

A.P2
B.P3
C.P1
D.P4
Answer: C

Correct: P1 is for critical incidents with major business impact, such as a full application outage.

Why this answer

P1 incidents are the highest severity, typically involving a critical service outage affecting all users with significant business impact.

670
MCQ (easy)

Which type of disaster recovery test involves a full switch-over from the primary site to the alternate site, resulting in actual disruption of normal operations?

A.Full interruption test
B.Tabletop test
C.Parallel test
D.Simulation test
Answer: A

Correct. This is the most realistic and disruptive test.

Why this answer

A full interruption test (also called full-scale test) involves actual failover, shutting down primary operations and running completely from the alternate site.

671
MCQ (medium)

An IS auditor is reviewing the logical access controls for a financial application. The auditor notices that user access reviews are performed annually by the application owner, but there is no documentation indicating that managers confirm the continued need for access. Which of the following is the MOST significant risk associated with this finding?

A.Unauthorized access to sensitive data due to excessive privileges
B.Increased likelihood of successful social engineering attacks
C.Non-compliance with regulatory requirements for access controls
D.Inability to detect insider threats in a timely manner
Answer: A

Without manager confirmation, users may retain access they no longer need, increasing the risk of unauthorized access.

Why this answer

Without manager confirmation, access may remain for users who no longer need it, leading to segregation of duties conflicts or unauthorized access. Annual reviews without manager sign-off increase the risk that access is not appropriately revoked when roles change.

672
MCQ (medium)

During an audit of an organization's change management process, the IS auditor selects a sample of 50 change requests from a population of 500. The auditor finds that 3 of the 50 did not have proper approval. What is the estimated error rate in the population?

A.3%
B.6%
C.10%
D.5%
Answer: B

Correct: 3/50 = 6% is the point estimate of the population error rate.

Why this answer

The estimated error rate is calculated by dividing the number of errors found in the sample (3) by the sample size (50), yielding 6%. This is a point estimate of the population error rate, assuming the sample is representative. The auditor would then use statistical sampling techniques to determine a confidence interval for the true population error rate.

Exam trap

The trap here is that candidates often mistakenly divide the number of errors by the total population (500) instead of the sample size (50), leading to the incorrect 3% answer, confusing the sample error rate with the population error rate.

How to eliminate wrong answers

Option A (3%) is wrong because it incorrectly divides the number of errors (3) by the total population (500), which is not the correct method for estimating the error rate from a sample; the sample error rate is 3/50 = 6%. Option C (10%) is wrong because it might come from misreading the numbers (e.g., 5/50 or confusing 3 with 5) or incorrectly applying a rule of thumb. Option D (5%) is wrong because it could result from a miscalculation such as 2.5/50 rounded or confusing the sample size with the population size.

673
MCQ (hard)

An organization is adopting ITIL 4 to improve its service management practices. Which guiding principle emphasizes understanding how different components work together to deliver value?

A.Think and work holistically
B.Start where you are
C.Keep it simple and practical
D.Focus on value
Answer: A

This principle addresses the need to see the big picture and understand interconnections.

Why this answer

The ITIL 4 guiding principle 'Think and work holistically' emphasizes considering the entire service value system and how all components interact.

674
MCQ (medium)

Refer to the exhibit. Which of the following services is accessible from the internet to host 10.1.1.100?

A.HTTP only
B.Telnet only
C.HTTPS and SSH
D.FTP only
Answer: C

Ports 443 (HTTPS) and 22 (SSH) are explicitly permitted.

Why this answer

The exhibit shows an access control list (ACL) permitting TCP ports 443 (HTTPS) and 22 (SSH) from any source to host 10.1.1.100. Since the ACL is applied inbound on the internet-facing interface, only HTTPS and SSH traffic are allowed through to that host. Therefore, option C is correct.

Exam trap

The trap here is that candidates often confuse HTTP with HTTPS or Telnet with SSH, assuming that if one is allowed, the other must also be allowed, but the ACL explicitly permits only the specific port numbers listed.

How to eliminate wrong answers

Option A is wrong because HTTP (port 80) is not permitted by the ACL; only HTTPS (port 443) is allowed, so HTTP alone is not accessible. Option B is wrong because Telnet (port 23) is not listed in the ACL; only SSH (port 22) is permitted for remote access. Option D is wrong because FTP (ports 20/21) is not permitted by the ACL; no FTP traffic is allowed to reach host 10.1.1.100.

675
MCQ (easy)

An organization is implementing a business continuity plan (BCP). Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA)?

A.To document the step-by-step recovery procedures for each system
B.To identify potential threats and vulnerabilities to the organization
C.To inventory all IT assets and their configurations
D.To identify critical business processes and their recovery time objectives (RTOs)
Answer: D

BIA helps prioritize processes and define RTOs and RPOs.

Why this answer

The primary purpose of a business impact analysis (BIA) is to identify critical business processes and quantify the impact of their disruption, which directly drives the recovery time objectives (RTOs) and recovery point objectives (RPOs). These RTOs and RPOs form the foundation for selecting appropriate recovery strategies and technologies, such as synchronous replication for near-zero RPO or warm standby sites for specific RTO windows. Without a BIA, the BCP would lack the business-driven metrics needed to prioritize recovery efforts and allocate resources effectively.

Exam trap

The trap here is that candidates often confuse the BIA with a risk assessment or asset inventory, but the BIA is exclusively focused on business process criticality and recovery time objectives, not on threats, vulnerabilities, or hardware lists.

How to eliminate wrong answers

Option A is wrong because documenting step-by-step recovery procedures is the purpose of the recovery plan development phase, not the BIA; the BIA identifies what needs recovery and how quickly, but does not prescribe the technical steps. Option B is wrong because identifying potential threats and vulnerabilities is the domain of a risk assessment, which is a separate process that often uses the BIA's outputs to prioritize risks, but the BIA itself focuses on business process impact, not threat enumeration. Option C is wrong because inventorying all IT assets and their configurations is part of asset management or configuration management (e.g., CMDB), not the BIA; the BIA identifies which processes are critical, not the detailed hardware/software inventory.
