CCNA Information System Auditing Process Questions

57 questions · Information System Auditing Process · All types, answers revealed

1
MCQhard

An IS auditor reviews the exhibit from a cloud access policy. Which of the following is a potential security concern?

A.The policy does not require encryption in transit
B.The policy grants access to all objects in the bucket
C.The policy allows access from any IP in the 10.0.0.0/8 range
D.The condition uses a private IP range which is not routable from the internet
AnswerA

Without requiring HTTPS (aws:SecureTransport), data can be transmitted in plaintext.

Why this answer

Option A is correct because the cloud access policy does not specify encryption in transit (e.g., HTTPS, TLS), leaving data vulnerable to interception over the network. Without a condition like `aws:SecureTransport` set to `true`, the policy allows HTTP requests, exposing sensitive data to man-in-the-middle attacks. This is a fundamental security gap in cloud access policies.

Exam trap

The trap here is that candidates often overlook the absence of encryption in transit as a critical security control, focusing instead on IP ranges or object-level access, which are less risky when properly configured.

How to eliminate wrong answers

Option B is wrong because granting access to all objects in a bucket is not inherently a security concern if the policy is properly scoped with least privilege and combined with other controls like authentication and encryption. Option C is wrong because allowing access from any IP in the 10.0.0.0/8 range is a private IP range (RFC 1918) and is not directly routable from the internet, so it does not represent a security concern by itself; it is a common practice for internal network access. Option D is wrong because the condition using a private IP range is actually a security best practice—it restricts access to internal networks, which are not directly reachable from the internet, reducing exposure.

2
MCQmedium

An IS auditor is reviewing the audit follow-up process. The auditor notes that management has implemented corrective actions for 80% of previous audit findings. What should the auditor conclude?

A.The audit scope was too narrow
B.Further investigation of outstanding findings is needed
C.The audit process is effective
D.Management is compliant with all recommendations
AnswerB

Unresolved findings must be assessed for risks and followed up.

Why this answer

An 80% closure rate indicates that 20% of findings remain unresolved. ISACA standards require auditors to verify that all high-risk findings are remediated before concluding on control effectiveness. Without evidence that the outstanding 20% are low-risk or have an accepted risk, the auditor must investigate further to ensure residual risk is within the organization's appetite.

Exam trap

The trap here is that candidates assume a high percentage (80%) implies overall effectiveness, but CISA requires verification that all findings, especially high-risk ones, are resolved or formally accepted, not just a majority.

How to eliminate wrong answers

Option A is wrong because a narrow scope would typically result in missing findings, not in a specific closure percentage; the 80% figure does not indicate scope deficiency. Option C is wrong because an effective audit process requires not only corrective actions but also timely closure of all findings; 80% closure alone does not prove the overall process is effective, as the remaining 20% may represent critical gaps. Option D is wrong because management implementing 80% of recommendations explicitly means they are not compliant with all recommendations; the remaining 20% are outstanding.

3
MCQeasy

An IS auditor is conducting an audit of a small manufacturing company's IT operations. The company has 50 employees and uses a single server running Windows Server 2019 for file sharing and print services. There is no formal change management process. The IT manager, who also doubles as the system administrator, has full administrative rights and is the only person who can make changes to the server. During the audit, the auditor notices that the server's local security policy is configured to allow unlimited password attempts and no account lockout. The IT manager states that this is to avoid locking out users who forget their passwords. The auditor also finds that the guest account is enabled on the server. What should the auditor recommend as the HIGHEST priority action?

A.Train employees on password security.
B.Implement a formal change management process.
C.Disable the guest account and enforce account lockout policy.
D.Separate the roles of IT manager and system administrator.
AnswerC

These are direct security vulnerabilities that must be addressed immediately.

Why this answer

Option A is correct because the most immediate vulnerabilities are the enabled guest account and lack of lockout, which increase risk of unauthorized access. Option B is important but less urgent. Option C is a broader governance issue.

Option D is too general.

4
MCQhard

Based on the exhibit, what should the IS auditor MOST likely recommend?

A.Investigate whether any changes are missing from the log
B.Immediately block all direct production access for developers
C.Require all changes to go through the standard approval process
D.Review the criteria for emergency changes and enforce proper classification
AnswerD

The high number of post-approved emergency changes suggests the process is being bypassed.

Why this answer

The exhibit shows changes classified as 'emergency' bypassing the standard approval process. The IS auditor's primary concern is that emergency changes may be misclassified to avoid proper review, increasing risk. Option D is correct because it addresses the root cause: reviewing the criteria for emergency changes and enforcing proper classification ensures that only truly urgent changes bypass standard controls, while all others follow the required approval path.

Exam trap

ISACA often tests the misconception that the IS auditor should immediately block all direct production access or require all changes to go through standard approval, when the real issue is ensuring proper classification and enforcement of the emergency change process.

How to eliminate wrong answers

Option A is wrong because the log may be complete; the issue is not missing entries but the classification and approval process for changes that are logged. Option B is wrong because blocking all direct production access for developers is an overly restrictive measure that may hinder legitimate emergency fixes; the focus should be on proper change classification and approval, not blanket access denial. Option C is wrong because requiring all changes to go through the standard approval process would eliminate the emergency change process entirely, which is not practical for urgent fixes; the correct approach is to ensure emergency changes are properly classified and justified, not to eliminate the process.

5
Multi-Selecteasy

Which TWO of the following are primary objectives of an information system audit?

Select 2 answers
A.Ensure optimal performance of IT systems
B.Implement security patches and updates
C.Identify areas for improvement in IT processes
D.Evaluate the effectiveness of internal controls
E.Prepare financial statements for external reporting
AnswersC, D

Correct: IS audits aim to recommend improvements.

Why this answer

Option C is correct because identifying areas for improvement in IT processes is a primary objective of an information system audit. The audit evaluates the design and operational effectiveness of controls, then recommends enhancements to align IT processes with business goals, risk appetite, and regulatory requirements. This goes beyond mere compliance to drive continuous improvement in governance and control frameworks.

Exam trap

The trap here is confusing operational or management responsibilities (like performance tuning or patch implementation) with the auditor's role of evaluating controls and identifying process improvements, leading candidates to select options that describe IT tasks rather than audit objectives.

6
MCQmedium

An IS auditor reviews the exhibit during an audit of database controls. What is the most appropriate recommendation?

A.Review the application code for missing commit statements
B.Enable automatic retry for failed transactions
C.Implement a locking strategy to prevent resource contention
D.Increase the database timeout parameter
AnswerC

A proper locking strategy, such as using row-level locks or scheduling, reduces contention.

Why this answer

Option C is correct because the exhibit (not shown here, but implied by the context) likely depicts a deadlock graph or lock-wait chain, indicating that concurrent transactions are blocking each other. The most appropriate recommendation is to implement a locking strategy (e.g., row-level locking, lock ordering, or using snapshot isolation) to prevent resource contention and avoid deadlocks. This directly addresses the root cause of the observed performance or failure issues.

Exam trap

The trap here is that candidates often confuse a deadlock or lock contention issue with a timeout or missing COMMIT problem, and choose to increase timeouts or add retries instead of addressing the fundamental locking strategy.

How to eliminate wrong answers

Option A is wrong because missing COMMIT statements would cause uncommitted transactions to hold locks indefinitely, but the exhibit shows contention, not missing commits; reviewing application code for missing COMMITs is a generic guess that does not solve the locking conflict. Option B is wrong because enabling automatic retry for failed transactions treats the symptom (deadlock retries) rather than preventing the underlying contention; it can lead to livelock or excessive retry overhead. Option D is wrong because increasing the database timeout parameter only delays the failure or extends lock waits, making contention worse; it does not resolve the root cause of resource contention.

7
MCQeasy

An IS auditor is evaluating the effectiveness of an organization's business continuity plan (BCP). Which of the following findings would be of GREATEST concern?

A.The backup tapes are stored in a locked cabinet in the server room
B.The BCP contact list has not been updated in six months
C.The BCP has not been tested in over two years
D.The BCP relies on manual workarounds for critical systems
AnswerC

Lack of testing means the plan may fail in a disaster.

Why this answer

The BCP has not been tested in over two years is the greatest concern because testing is the only way to validate that the plan works under real-world conditions. Without recent testing, the organization cannot be confident that recovery time objectives (RTOs) and recovery point objectives (RPOs) are achievable, and any gaps or assumptions in the plan remain undiscovered. ISACA standards recommend testing at least annually, and a two-year gap significantly increases the risk of plan failure during an actual disaster.

Exam trap

The trap here is that candidates often focus on obvious physical security or documentation issues (like tape storage or outdated contact lists) and underestimate that the absence of testing renders all other BCP components unvalidated, making it the most critical finding from an audit perspective.

How to eliminate wrong answers

Option A is wrong because storing backup tapes in a locked cabinet in the server room, while not ideal (they should be offsite for geographic redundancy), is a physical security control that does not directly invalidate the BCP's effectiveness; the greater risk is the lack of testing. Option B is wrong because a BCP contact list that has not been updated in six months is a maintenance issue, but it can be corrected quickly and does not indicate that the plan itself is unworkable; the lack of testing is a more fundamental flaw. Option D is wrong because relying on manual workarounds for critical systems is a design choice that may be acceptable if the manual procedures are documented, trained, and tested; the absence of testing is what makes this reliance dangerous.

8
Multi-Selectmedium

An IS auditor is selecting an appropriate audit sample. Which THREE of the following are factors that affect the sample size?

Select 3 answers
A.Tolerable error rate
B.Confidence level
C.Sampling interval
D.Expected error rate
E.Population standard deviation
AnswersA, B, D

Lower tolerable error rates require larger samples.

Why this answer

Sample size is influenced by the expected error rate, tolerable error rate, and confidence level.

9
MCQmedium

A financial institution recently experienced a data breach where an attacker exfiltrated customer data through an SQL injection vulnerability in a web application. The IS auditor has been asked to review the application security controls. The web application is developed in-house and runs on an application server behind a web application firewall (WAF). The auditor reviews the WAF logs and finds that no SQL injection attacks were detected before the breach, but the logs show many blocked XSS attempts. The developer states that all input validation is performed on the client side using JavaScript. During the audit, the auditor also finds that the application uses a shared database account with DBA privileges for all connections. What is the MOST significant weakness that directly contributed to the breach?

A.Client-side input validation is insufficient and server-side validation is missing.
B.The use of a shared DBA database account violates the principle of least privilege.
C.The WAF is misconfigured to detect only XSS attacks but not SQL injection.
D.The application server is not patched against known SQL injection vulnerabilities.
AnswerA

Without server-side validation, the application is vulnerable to SQL injection.

Why this answer

Option B is correct because client-side validation is easily bypassed, and lack of server-side validation allowed SQL injection. Option A is possible but not confirmed. Option C is a weakness but not the direct cause of SQLi.

Option D is not supported by evidence.

10
MCQmedium

Refer to the exhibit. An IS auditor is reviewing firewall logs and notices repeated denied SSH attempts from an internal host (10.0.1.50) to a server (172.16.0.1). After the denied attempts, the host initiates permitted HTTPS connections to another server (172.16.0.5). Which of the following is the BEST interpretation of this pattern?

A.The host may be attempting to bypass security controls by using different protocols
B.The firewall rule 101 is misconfigured and blocking legitimate traffic
C.The host is performing reconnaissance and has mapped allowed services
D.The host successfully accessed server 172.16.0.1 via SSH
AnswerA

The pattern indicates probing blocked service then using permitted service, possibly to evade detection.

Why this answer

The pattern of denied SSH attempts followed by successful HTTPS connections suggests the internal host is probing for an open SSH service and, when blocked, switches to an allowed protocol (HTTPS) to communicate with a different server. This behavior indicates an attempt to bypass security controls by leveraging a permitted protocol after initial reconnaissance or direct access attempts fail. The firewall logs show the host adapts its method, which is a classic indicator of protocol hopping or tunneling attempts.

Exam trap

The trap here is that candidates may focus on the reconnaissance aspect (option C) and overlook the deliberate protocol switch, which is the key indicator of an attempt to bypass security controls rather than just map services.

How to eliminate wrong answers

Option B is wrong because there is no evidence of misconfiguration; the firewall correctly denies SSH (rule 101 likely blocks SSH to 172.16.0.1) and permits HTTPS to 172.16.0.5, which is expected behavior. Option C is wrong because while the host may be performing reconnaissance, the key observation is the shift from a denied protocol to a permitted one, which is more indicative of bypassing controls than simple mapping of allowed services. Option D is wrong because the logs explicitly show denied SSH attempts, meaning the host did not successfully access server 172.16.0.1 via SSH; the subsequent HTTPS connections are to a different server (172.16.0.5).

11
MCQmedium

During an audit of a financial application, the IS auditor discovers that user access reviews are performed quarterly instead of monthly as required by policy. Which of the following is the BEST initial action for the auditor?

A.Recommend that the policy be changed to allow quarterly reviews
B.Report the noncompliance with the policy as a finding immediately
C.Escalate the issue to senior management for immediate resolution
D.Determine if compensating controls mitigate the risk of less frequent reviews
AnswerD

Compensating controls may make quarterly reviews acceptable.

Why this answer

The IS auditor's primary role is to assess risk, not to enforce policy blindly. Quarterly reviews may still be acceptable if compensating controls (e.g., automated provisioning/deprovisioning, real-time monitoring, or role-based access controls) effectively reduce the risk of unauthorized access between reviews. Determining the presence and effectiveness of such controls is the best initial action before deciding whether to report noncompliance.

Exam trap

The trap here is that candidates assume policy noncompliance must always be reported immediately as a finding, but the CISA exam emphasizes risk-based auditing where the auditor first evaluates whether compensating controls mitigate the risk before concluding on the finding's significance.

How to eliminate wrong answers

Option A is wrong because recommending a policy change without first assessing the risk impact of the deviation could weaken security posture and is premature. Option B is wrong because immediately reporting noncompliance as a finding without evaluating compensating controls may result in an incomplete or misleading audit report, failing to consider the actual risk. Option C is wrong because escalating to senior management without first gathering evidence on compensating controls bypasses the auditor's responsibility to perform due diligence and risk assessment.

12
Multi-Selecthard

Which TWO of the following are indicators that an IS auditor may need to adjust the audit approach during fieldwork? (Select TWO.)

Select 2 answers
A.Inability to obtain sufficient appropriate audit evidence
B.Completion of the initial risk assessment
C.Audit team members are behind schedule
D.Management requests a change in audit scope
E.Higher than expected error rates in sample testing
AnswersA, E

May require alternative procedures or audit approach.

Why this answer

Option A is correct because if the IS auditor cannot obtain sufficient appropriate audit evidence, the audit approach must be adjusted—for example, by expanding sample sizes, using alternative procedures, or re-evaluating the reliance on controls. This directly impacts the ability to form an audit opinion and is a key fieldwork trigger per ISACA audit standards.

Exam trap

ISACA often tests the distinction between project management issues (like being behind schedule) and substantive audit evidence issues; candidates mistakenly select 'behind schedule' as a reason to adjust the audit approach, but it is a resource or timing problem, not a validity-of-evidence trigger.

13
MCQmedium

During an audit of an organization's disaster recovery plan (DRP), the IS auditor finds that the plan was last tested 18 months ago and no test results were documented. What should the auditor recommend?

A.Test the DRP semiannually
B.Document the results of all past tests
C.Conduct a DRP test and document the results within the next quarter
D.Assign responsibility for DRP testing to the IT manager
AnswerC

Immediate testing and documentation address the gap.

Why this answer

Option C is correct because a recent test with documented results provides assurance. Option A is incorrect because testing frequency should be based on risk, not necessarily semiannual. Option B is wrong because the recommendation should address the lack of testing and documentation.

Option D is incorrect because that is management's role; the auditor recommends.

14
MCQmedium

An organization uses continuous auditing techniques to monitor transactions. The IS auditor is evaluating the effectiveness of these techniques. Which of the following is the PRIMARY benefit of continuous auditing over traditional periodic auditing?

A.Reduced cost of audit resources
B.More timely identification of control weaknesses
C.Increased sample size for transaction testing
D.Early detection of anomalies and potential fraud
AnswerD

Continuous monitoring enables prompt detection and intervention.

Why this answer

Continuous auditing enables real-time or near-real-time monitoring of transactions, allowing the IS auditor to detect anomalies and potential fraud as they occur. This is the primary benefit because it shifts the audit function from retrospective review to proactive identification, which is critical for timely risk mitigation.

Exam trap

The trap here is that candidates often confuse the secondary benefit of timely control weakness identification (Option B) with the primary benefit of early anomaly and fraud detection, which is the core purpose of continuous auditing over periodic methods.

How to eliminate wrong answers

Option A is wrong because continuous auditing often requires significant investment in automated tools and infrastructure, which can increase rather than reduce the cost of audit resources. Option B is wrong because while continuous auditing does improve timeliness, the identification of control weaknesses is a secondary benefit; the primary advantage is the detection of anomalies and fraud at the transaction level. Option C is wrong because continuous auditing typically analyzes 100% of transactions, not just an increased sample size, making sample size irrelevant to its primary benefit.

15
Multi-Selectmedium

Which TWO of the following are the MOST effective controls to prevent unauthorized changes to production data?

Select 2 answers
A.Requiring change management approval for all production changes
B.Enforcing segregation of duties between development and production
C.Implementing audit logging of all data changes
D.Encrypting production data at rest
E.Using automated testing for all code changes
AnswersA, B

Ensures changes are authorized before implementation.

Why this answer

Requiring change management approval for all production changes is a preventive control that ensures every modification to production data is formally authorized, reviewed, and documented before implementation. This directly prevents unauthorized changes by enforcing a gatekeeping process where only approved changes proceed, reducing the risk of data integrity breaches. Without this control, even with other safeguards, an attacker or insider could bypass technical controls by simply requesting a change through official channels.

Exam trap

ISACA often tests the distinction between preventive and detective controls, and the trap here is that candidates mistakenly choose audit logging (a detective control) as a preventive measure because it provides evidence of changes, but it does not stop unauthorized changes from occurring.

16
MCQmedium

An organization uses a cloud-based ERP system to manage financial transactions. The system is accessed by employees in finance, procurement, and sales departments. The IS auditor is reviewing the user access review process. The access review is performed quarterly by the IT manager using a report generated by the ERP system. The report lists all users and their roles. The IT manager manually checks off users who are still employed and approves the report. The auditor notes that the IT manager does not have detailed knowledge of job functions in each department. Additionally, the ERP system allows role combinations that may create segregation of duties conflicts, such as a user having both 'create purchase order' and 'approve purchase order' roles. The company's policy requires segregation of duties reviews to be performed by business process owners. Which of the following is the BEST recommendation?

A.Increase the frequency of access reviews to monthly
B.Implement an automated tool to identify segregation of duties conflicts
C.Assign the access review to business process owners from each department
D.Require the IT manager to obtain confirmation from each department head
AnswerC

Business owners understand the necessary segregation of duties.

Why this answer

The core issue is that the IT manager lacks the business process knowledge to assess whether role combinations create segregation of duties (SoD) conflicts. Company policy explicitly requires SoD reviews to be performed by business process owners. Assigning the access review to business process owners from each department (Option C) directly aligns with policy and ensures that those with functional knowledge evaluate whether role assignments violate SoD rules, such as a user having both 'create purchase order' and 'approve purchase order' roles.

Exam trap

The trap here is that candidates often choose an automated tool (Option B) as the 'best' technical solution, but the question emphasizes policy compliance and the need for business process owner involvement, not just technical detection.

How to eliminate wrong answers

Option A is wrong because increasing the frequency of reviews does not address the root cause—the reviewer lacks the business knowledge to identify SoD conflicts; monthly reviews by an unqualified reviewer would still miss conflicts. Option B is wrong because while an automated tool can flag potential SoD conflicts, the question asks for the BEST recommendation given the policy requirement that business process owners perform SoD reviews; automation is a supporting control, not a substitute for assigning the review to the correct personnel. Option D is wrong because requiring the IT manager to obtain confirmation from department heads still leaves the IT manager as the primary reviewer, which violates the policy that business process owners themselves should perform the review, and it introduces a reliance on indirect confirmation rather than direct ownership.

17
MCQhard

Refer to the exhibit. An IS auditor is reviewing an IAM policy for a cloud data platform. The auditor notices that user jdoe has READ_ONLY access to all tables matching 'sales_', but asmith has READ_WRITE access to the same set of tables. Which of the following is the MOST critical control issue?

A.Users should not be directly assigned roles; use groups
B.The roles data_analyst and data_scientist have overlapping permissions
C.User jdoe should not have access to the sales_ tables
D.The resource pattern '.*' in the regex could grant access to unintended tables
AnswerD

The pattern '.*' after 'sales_' matches any suffix, but the preceding '.*' in the dataset pattern is overly broad.

Why this answer

Option D is correct because the regex pattern '.*' in the resource block is overly permissive and could match unintended tables beyond the intended 'sales_' prefix. In AWS IAM policies, the resource element uses regex-like patterns, and '.*' after 'sales_' would match any characters, including tables like 'sales_archive_private' or 'sales_2024_sensitive', potentially exposing sensitive data. This violates the principle of least privilege and is a critical control issue.

Exam trap

ISACA often tests the misconception that direct user assignment or role overlap is the primary issue, when in fact the overly broad resource pattern is the most critical control weakness.

How to eliminate wrong answers

Option A is wrong because while using groups is a best practice, the direct assignment of roles to users is not inherently a critical control issue; the policy itself is flawed regardless of assignment method. Option B is wrong because overlapping permissions between roles is not inherently a control issue; roles can legitimately share permissions, and the question focuses on the policy's resource pattern, not role design. Option C is wrong because jdoe has READ_ONLY access to sales_ tables, which may be appropriate for a data analyst; the issue is not that jdoe should lose access, but that the regex pattern could grant unintended access to both users.

18
MCQeasy

An IS auditor is evaluating the effectiveness of an organization's change management process. Which of the following is the most important control to verify during the audit?

A.All changes are approved by the IT manager.
B.Emergency changes are documented after implementation.
C.A segregation of duties exists between development and production.
D.Change requests are prioritized by business impact.
AnswerC

Segregation of duties is a key preventive control.

Why this answer

Segregation of duties between development and production environments ensures that code cannot be directly moved from development to production without independent review and testing. This control prevents unauthorized or untested code from affecting live systems, which is a fundamental principle of change management. Without this separation, a developer could introduce malicious or defective code directly into production, bypassing all quality and security checks.

Exam trap

The trap here is that candidates often focus on approval or prioritization controls (options A and D) as the most important, overlooking the foundational technical control of segregation of duties that directly prevents unauthorized code from reaching production.

How to eliminate wrong answers

Option A is wrong because requiring all changes to be approved by the IT manager is a basic authorization control, but it does not address the more critical risk of unauthorized code being introduced directly into production; approval alone cannot prevent a developer from bypassing the process. Option B is wrong because while documenting emergency changes after implementation is a compensating control, it is not the most important control; the highest priority is preventing unauthorized changes from reaching production, which segregation of duties achieves. Option D is wrong because prioritizing change requests by business impact is a project management activity that helps allocate resources, but it does not enforce any technical barrier against unauthorized code movement or ensure the integrity of the production environment.

19
MCQmedium

During an audit, the IS auditor discovers that the audit log for a critical server is overwritten every 24 hours. The auditor wants to ensure logs are preserved for a longer period. Which of the following recommendations is most appropriate?

A.Implement a manual backup of logs daily
B.Reduce the logging level to minimize data
C.Increase the log size to retain more data
D.Configure the server to archive logs to a centralized log management system
AnswerD

Centralized archiving provides secure, long-term storage and facilitates analysis.

Why this answer

The most appropriate recommendation is to configure the server to archive logs to a centralized log management system. This ensures logs are preserved beyond the 24-hour overwrite window by sending them to a separate, persistent storage location, which also supports security monitoring, forensics, and compliance requirements. Centralized logging (e.g., using syslog, SIEM, or a dedicated log collector) provides redundancy, integrity checks, and long-term retention without relying on the local server's limited storage.

Exam trap

The trap here is that candidates may choose Option C (increase log size) thinking it solves the retention issue, but they overlook that it only postpones the overwrite rather than providing a permanent, auditable archive, which is the core requirement for compliance and forensic readiness.

How to eliminate wrong answers

Option A is wrong because implementing a manual backup of logs daily is error-prone, relies on human intervention, and does not guarantee logs are captured before the 24-hour overwrite cycle completes; it also lacks automation and scalability. Option B is wrong because reducing the logging level to minimize data would discard potentially critical security events, defeating the purpose of preserving logs for audit and investigation. Option C is wrong because increasing the log size only delays the overwrite cycle but does not solve the fundamental retention problem; logs will still be overwritten once the increased capacity is exhausted, and it does not provide off-site or centralized storage.

20
MCQeasy

Which of the following is the most important factor to consider when determining sample size for a compliance test?

A.Tolerable error rate
B.Expected error rate
C.Population size
D.Sampling method
AnswerA

Tolerable error rate is the primary driver; lower rates require larger samples.

Why this answer

In compliance testing (attribute sampling), the tolerable error rate is the maximum deviation rate from a control that the auditor is willing to accept without concluding the control is ineffective. It directly determines the required sample size because a lower tolerable error rate demands a larger sample to achieve sufficient precision, while a higher rate allows a smaller sample. This factor is more critical than others because it sets the boundary for the auditor's risk assessment.

Exam trap

The trap here is that candidates often confuse 'expected error rate' (a planning estimate) with 'tolerable error rate' (the maximum acceptable deviation), mistakenly thinking the expected rate is more important because it seems to reflect reality, but the tolerable rate is the key risk-based parameter that governs sample size.

How to eliminate wrong answers

Option B (Expected error rate) is wrong because it is an estimate of the actual deviation rate in the population, used to plan sample size but not the most important factor; it influences efficiency, not the fundamental precision requirement. Option C (Population size) is wrong because for large populations (typically >500), population size has a negligible effect on sample size in attribute sampling, as the sample size formula is driven by confidence level and tolerable error rate, not population size. Option D (Sampling method) is wrong because the method (e.g., random, systematic, or stratified) affects how the sample is selected and its representativeness, but does not determine the sample size; sample size is computed independently of the selection technique.

21
MCQmedium

An IS auditor is auditing the user access management process for a large healthcare organization that uses an electronic health records (EHR) system. The organization has 5,000 users including doctors, nurses, and administrative staff. The auditor reviews a sample of access requests and finds that 20% of the requests were approved by the user's manager but the approval was not documented in the system. The auditor also finds that there is no periodic review of user access rights. The IT security manager states that users are automatically provisioned based on their role in the HR system, and that access reviews are performed manually by managers but not documented. What is the auditor's BEST recommendation to address the most significant risk?

A.Implement an automated access recertification process with quarterly reviews.
B.Disable automatic provisioning and require manual approval for all access.
C.Require that all access approvals be documented and stored in the system.
D.Perform a risk assessment to determine appropriate access controls.
AnswerA

Automated recertification ensures regular review and removal of unnecessary access.

Why this answer

The most significant risk is the lack of periodic review of user access rights, which can lead to excessive or inappropriate access (e.g., a former nurse retaining EHR access). Automating access recertification with quarterly reviews directly addresses this by enforcing a regular, documented validation of user entitlements against their current roles, reducing the risk of unauthorized access to protected health information (PHI) under HIPAA. While the undocumented approvals are a control weakness, the absence of any review cycle is a systemic failure that automated recertification resolves.

Exam trap

The trap here is that candidates focus on the documented approval finding (20% undocumented) and choose Option C, missing that the lack of any periodic review is a far more systemic risk that automated recertification directly mitigates.

How to eliminate wrong answers

Option B is wrong because disabling automatic provisioning and requiring manual approval for all access would introduce operational inefficiency and delay for 5,000 users, and it does not address the root cause—the lack of periodic review of existing access rights. Option C is wrong because requiring documentation of approvals only fixes the symptom (undocumented approvals) but ignores the more critical risk that no one is periodically verifying whether current access is still appropriate. Option D is wrong because performing a risk assessment is a preliminary step, not a direct remediation; the auditor already identified the risk (no periodic reviews), so the best recommendation is to implement a control (automated recertification) rather than re-assess.

22
MCQeasy

An IS auditor reviews the exhibit. Which of the following is the most likely cause of the denied traffic?

A.Misconfigured VPN tunnel
B.Intrusion prevention system blocking
C.Missing firewall rule allowing RDP traffic
D.Incorrect NAT configuration
AnswerC

The deny log specifically references the access-group, implying a rule is missing.

Why this answer

The log shows an RDP connection (port 3389) being denied by the access-group 'outside_in', indicating that no rule permits this traffic.

23
MCQhard

An organization uses a risk-based audit approach. For a high-risk area, the auditor decides to perform 100% testing instead of sampling. Which of the following is a valid reason for this decision?

A.The population size is small and errors are critical
B.The auditor has limited time
C.The tolerable error rate is high
D.The control is automated and always effective
AnswerA

100% testing is justified for small populations with high severity risks.

Why this answer

When the population is small and errors are critical, 100% testing ensures complete coverage and minimizes risk.

24
Multi-Selectmedium

An organization is implementing a new identity management system. Which THREE of the following are essential requirements for the system?

Select 3 answers
A.Segregation of duties enforcement.
B.Single sign-on capability.
C.Automated user provisioning.
D.Integration with Active Directory.
E.Support for biometric authentication.
AnswersA, C, D

Enforcing SoD is critical to prevent fraud.

Why this answer

Options B, D, and E are essential because automated provisioning ensures timely access, segregation of duties enforcement prevents conflicts, and integration with AD is common for centralized management. Option A is nice-to-have but not essential. Option C is not essential for most environments.

25
MCQeasy

An IS auditor is reviewing the logical access controls of an enterprise resource planning (ERP) system. The auditor finds that terminated employees' accounts are disabled but not deleted. What is the PRIMARY risk associated with this practice?

A.Disabled accounts could be re-enabled without proper authorization
B.Segregation of duties controls may be compromised
C.System performance may degrade due to accumulation of disabled accounts
D.Audit trail completeness may be affected
AnswerA

If account management is weak, re-enabling could lead to unauthorized access.

Why this answer

The primary risk of disabling rather than deleting terminated employees' accounts is that a disabled account retains its existing privileges and can be re-enabled by an attacker or insider with sufficient access (e.g., a system administrator with compromised credentials). In an ERP system, this could allow unauthorized re-activation of accounts with elevated roles, bypassing the intended termination process and leading to data theft, fraud, or system compromise.

Exam trap

ISACA often tests the misconception that 'disabled accounts are safe because they cannot log in,' but the trap here is that the account's privileges remain intact, making re-enablement the primary risk over performance or audit concerns.

How to eliminate wrong answers

Option B is wrong because segregation of duties (SoD) controls are about preventing a single user from performing conflicting functions; disabled accounts do not actively perform transactions, so SoD is not directly compromised. Option C is wrong because system performance degradation from a few thousand disabled accounts is negligible in modern ERP databases; the real risk is security, not resource consumption. Option D is wrong because audit trail completeness is not affected—disabled accounts still generate logs for access attempts, and deletion would actually remove historical audit records, whereas disabling preserves them.

26
Drag & Dropmedium

Order the steps for performing a disaster recovery test in the correct sequence.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

DR test: define objectives, prepare, execute, evaluate, and update plan.

27
Multi-Selecteasy

An IS auditor is evaluating the reliability of audit evidence. Which TWO of the following are characteristics of reliable audit evidence?

Select 2 answers
A.Independent source
B.Timely
C.Complex
D.Relevant
E.Large quantity
AnswersA, B

Evidence from independent sources is more reliable.

Why this answer

Reliable evidence is independent and timely, increasing objectivity and relevance.

28
MCQeasy

An organization has outsourced its IT operations to a third-party provider. The IS auditor is planning an audit of the outsourced services. What is the most appropriate source of audit evidence?

A.Service provider's financial statements
B.Interviews with provider's staff
C.Service auditor's SOC 2 report
D.Internal audit reports from the provider
AnswerC

SOC 2 reports provide a reliable, independent evaluation of controls relevant to security, availability, etc.

Why this answer

A SOC 2 report (Service Organization Control 2) is specifically designed to provide assurance over a service provider's controls related to security, availability, processing integrity, confidentiality, and privacy. It is issued by an independent service auditor and is the most reliable and relevant source of audit evidence when auditing outsourced IT operations, as it directly addresses the controls in place at the provider.

Exam trap

The trap here is that candidates often choose interviews with provider's staff (Option B) because they seem like direct evidence, but they lack the independence and systematic testing that a SOC 2 report provides, which is the gold standard for third-party assurance.

How to eliminate wrong answers

Option A is wrong because the service provider's financial statements are irrelevant to the operational effectiveness of IT controls; they provide financial health information, not assurance over IT processes or security. Option B is wrong because interviews with the provider's staff are subjective, lack independent verification, and are not considered sufficient audit evidence on their own for control effectiveness. Option D is wrong because internal audit reports from the provider are not independent; they are prepared by the provider's own internal audit function, which lacks the objectivity and external scrutiny required for reliable audit evidence.

29
MCQhard

Based on the exhibit, the IS auditor is reviewing access to the payroll folder. Which of the following is the MOST significant finding?

A.Internal_Audit group has Read access to payroll data
B.User asmith has only Read access to payroll
C.HR_Managers group has Full Control over payroll
D.Potential excessive privileges for user jdoe due to overlapping permissions
AnswerD

Overlapping permissions may grant unintended access.

Why this answer

Option D is the most significant finding because user jdoe has overlapping permissions from multiple group memberships (e.g., HR_Managers and Payroll_Admin), which can result in unintended cumulative effective permissions. In Windows NTFS, effective permissions are the sum of all allowed permissions from each group, minus any explicit denies, so overlapping group memberships often grant more access than intended, violating the principle of least privilege.

Exam trap

The trap here is that candidates may focus on individual permission levels (Read vs. Full Control) rather than the cumulative effect of overlapping group memberships, which is the more critical security concern in access control auditing.

How to eliminate wrong answers

Option A is wrong because the Internal_Audit group having Read access to payroll is appropriate for audit purposes and does not represent a security risk; auditors need read-only access to review data without modifying it. Option B is wrong because user asmith having only Read access is a proper restriction and not excessive; it aligns with least privilege if asmith's role only requires viewing payroll data. Option C is wrong because HR_Managers having Full Control over payroll is expected for their job function to manage employee records; this is not a finding unless the group membership is improperly broad.

30
Multi-Selecthard

An IS auditor is assessing the effectiveness of an organization's IT governance framework. Which THREE of the following are key indicators of a mature governance process?

Select 3 answers
A.Defined roles and responsibilities for IT decisions
B.Annual IT budget approval by senior management
C.Existence of an IT steering committee
D.Outsourcing of all IT operations
E.Regular measurement of IT performance against metrics
AnswersA, C, E

Clear accountability is a hallmark of governance maturity.

Why this answer

Mature governance includes defined roles, performance measurement, and an IT steering committee for oversight.

31
MCQhard

The exhibit shows a log entry from a domain controller. The IS auditor is investigating account lockout issues. What is the MOST likely cause of this event?

A.Multiple failed authentication attempts from the backup server
B.The service account password has expired
C.The service account does not exist
D.The service account has been disabled by an administrator
AnswerA

Account lockout is triggered by multiple failed attempts.

Why this answer

The log entry shows a failed authentication attempt from the backup server's IP address (10.0.0.15) using the service account 'svc_backup'. The event ID 4625 indicates an account logon failure, and the 'Failure Reason' field explicitly states 'Unknown user name or bad password'. Since the account name is correct, the most likely cause is multiple failed authentication attempts (e.g., due to a stale or incorrect password cached in the backup software) leading to account lockout, not a single event.

Exam trap

The trap here is that candidates assume a single failed logon event directly indicates lockout, but the question asks for the 'MOST likely cause' of the lockout issue, which is the accumulation of multiple failed attempts from the same source (the backup server) due to a mismatched password.

How to eliminate wrong answers

Option B is wrong because a password expiration would generate a different event (e.g., event ID 4739 or a 'password must change' prompt), not a 'bad password' failure with event ID 4625. Option C is wrong because if the service account did not exist, the failure reason would be 'No such user' or 'user name not found', not 'Unknown user name or bad password' which implies the account exists but the password is wrong. Option D is wrong because a disabled account would produce a failure reason of 'Account disabled' or 'Account currently disabled', not 'Unknown user name or bad password'.

32
MCQmedium

During an audit of a cloud service provider, the IS auditor finds that the provider's datacenter access logs show multiple successful logins by an employee during non-business hours over several weeks. The employee works in the sales department. What should the auditor do first?

A.Recommend disabling the employee's access immediately.
B.Review the access rights policy and compare with actual access.
C.Discuss with the employee's supervisor to verify if access was authorized.
D.Report the finding immediately to senior management.
AnswerC

This is the appropriate first step to confirm authorization.

Why this answer

Option C is correct because the IS auditor's first priority is to gather evidence and understand the context before taking action. The employee's sales role and non-business hours access may be legitimate (e.g., supporting a client in a different time zone). Discussing with the supervisor is a standard audit procedure to verify authorization, aligning with ISACA's audit evidence collection and due professional care.

Exam trap

The trap here is that candidates confuse the auditor's role with that of a security incident responder, leading them to choose immediate disabling or escalation without first performing due diligence through inquiry and evidence gathering.

How to eliminate wrong answers

Option A is wrong because immediately disabling access is a management action, not an auditor's role; the auditor should first verify if the access was authorized before recommending any changes. Option B is wrong because reviewing the access rights policy and comparing with actual access is a subsequent step after confirming the context; the policy review alone does not determine if this specific instance was authorized or an anomaly. Option D is wrong because reporting to senior management is premature without first understanding the situation; escalation should occur after initial verification and if unauthorized access is confirmed.

33
MCQeasy

An IS auditor is planning an audit of a newly implemented financial system. Which of the following is the PRIMARY consideration when determining the audit scope?

A.Management's request to include all modules
B.Previous audit findings and recommendations
C.Risk assessment of the financial system
D.Regulatory requirements applicable to the system
AnswerC

Risk assessment identifies areas with highest impact and likelihood, guiding scope.

Why this answer

The primary consideration for determining audit scope is a risk assessment of the financial system. ISACA standards require auditors to use a risk-based approach to focus audit efforts on areas with the highest residual risk, ensuring that resources are allocated to the most critical controls and processes. Without a risk assessment, the scope may be too broad or miss key vulnerabilities, such as segregation of duties or access control weaknesses in the new system.

Exam trap

The trap here is that candidates often select regulatory requirements (Option D) as primary because they are mandatory, but the IS auditor must first perform a risk assessment to determine which regulatory requirements are most relevant and how to scope the audit effectively.

How to eliminate wrong answers

Option A is wrong because management's request to include all modules is a stakeholder preference, not a risk-based scoping criterion; including all modules without risk analysis can lead to inefficient audits and missed high-risk areas. Option B is wrong because previous audit findings and recommendations are historical inputs that inform the risk assessment but are not the primary driver for scoping a newly implemented system, which may have different risks. Option D is wrong because regulatory requirements are mandatory compliance factors that must be included in the scope, but they are a subset of the broader risk assessment; the risk assessment determines which regulatory requirements are most relevant and how deeply to test them.

34
MCQhard

You are the lead IT auditor for a multinational corporation that recently completed a merger with another company. During the post-merger integration audit, you discover that the acquired company's legacy HR system contains sensitive personal data of 20,000 employees and has been directly accessible from the internet for the last 18 months. The system runs on an unsupported operating system (Windows Server 2008) and uses a custom-built application with no logging enabled. The acquired company's IT manager argues that the server is isolated behind a firewall and has never been compromised. However, your review of firewall logs shows numerous connection attempts from unknown IP addresses. The integration team plans to decommission this system in three months. You need to determine the appropriate audit response. Which of the following should you do NEXT?

A.Conduct a forensic analysis of the server to determine if a breach has occurred
B.Wait for the decommissioning timeline and monitor the server logs for any signs of breach
C.Issue an urgent audit report to senior management highlighting the risk and recommending immediate isolation or remediation
D.Propose a compensating control, such as requiring VPN access to the server
AnswerC

Correct: Auditors must escalate critical findings promptly to management for action.

Why this answer

Option B is correct: Immediately reporting the critical vulnerability to management is the first step because the risk of data exposure is severe and requires urgent attention. Option A delays action, C assumes a compromise that hasn't been confirmed, and D is premature without management directive.

35
MCQmedium

During an audit of an organization's change management process, the IS auditor selects a sample of 50 change requests from a population of 500. The auditor finds that 3 of the 50 did not have proper approval. What is the estimated error rate in the population?

A.3%
B.6%
C.10%
D.5%
AnswerB

Correct: 3/50 = 6% is the point estimate of the population error rate.

Why this answer

The estimated error rate is the sample error rate, which is 3/50 = 6%.

36
MCQmedium

An IS auditor is reviewing a change management process. A developer made an emergency change directly to production without following the standard change approval process. The change was later documented as a normal change. Which control weakness is MOST indicated by this scenario?

A.Inadequate segregation of duties between development and production environments
B.Absence of a rollback plan for emergency changes
C.Insufficient testing of emergency changes before deployment
D.Lack of a formal change documentation policy
AnswerA

Direct production access by developers violates segregation of duties.

Why this answer

The developer bypassed the standard change approval process by making an emergency change directly to production, then retroactively documenting it as a normal change. This directly violates the principle of segregation of duties (SoD), as the same individual who implemented the change also controlled the documentation and approval trail, eliminating independent oversight. In a properly segregated environment, developers should not have direct write access to production systems without a separate change authorization and deployment step.

Exam trap

The trap here is that candidates focus on the lack of testing or documentation, but the most critical control weakness is the violation of segregation of duties, as the developer both made the change and controlled its documentation, eliminating independent oversight.

How to eliminate wrong answers

Option B is wrong because the absence of a rollback plan, while a concern, is not the primary control weakness indicated; the core issue is the lack of segregation of duties, not the absence of a recovery procedure. Option C is wrong because insufficient testing of emergency changes is a risk, but the scenario does not mention whether testing occurred or not—the key failure is the unauthorized direct change and subsequent misdocumentation, not the testing process itself. Option D is wrong because a formal change documentation policy may exist (the change was documented as a normal change), but the weakness is that the documentation was falsified to hide the emergency bypass, not that the policy is missing.

37
MCQmedium

During an audit of a cloud service provider, the IS auditor discovers that the provider's data center access logs show an employee accessing the production environment outside of normal business hours without a change request. What should the auditor do FIRST?

A.Report the incident to the provider's management immediately
B.Recommend immediate remediation procedures
C.Obtain supporting evidence such as system logs and change tickets
D.Evaluate the potential impact and the effectiveness of compensating controls
AnswerD

Understanding the significance helps determine the appropriate response.

Why this answer

Option D is correct because the IS auditor's first priority is to assess risk. Without evaluating the potential impact of the unauthorized access and the effectiveness of any compensating controls (e.g., intrusion detection systems, session recording, or multi-factor authentication), the auditor cannot determine the severity of the finding or the urgency of subsequent actions. This aligns with the ISACA audit methodology, which mandates risk-based analysis before recommending remediation or reporting.

Exam trap

The trap here is that candidates often jump to 'gather evidence' (Option C) because it seems logical, but the CISA exam emphasizes that risk assessment (evaluating impact and controls) must precede evidence collection to avoid wasting resources on irrelevant data.

How to eliminate wrong answers

Option A is wrong because reporting to management immediately without first assessing the risk and impact is premature; the auditor must gather sufficient evidence and evaluate the situation to provide an informed report. Option B is wrong because recommending remediation procedures before understanding the full scope and compensating controls could lead to unnecessary or ineffective actions, violating the principle of risk-based auditing. Option C is wrong because while obtaining supporting evidence is important, it is not the first step; the auditor should first evaluate the potential impact and compensating controls to determine what evidence is most relevant and whether immediate escalation is needed.

38
Matchingmedium

Match each CISA domain to its focus.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Information System Auditing Process

Governance and Management of IT

Information Systems Acquisition, Development, and Implementation

Information Systems Operations and Business Resilience

Protection of Information Assets

Why these pairings

CISA exam covers five domains.

39
MCQeasy

An IS auditor is using statistical sampling to test a population of 10,000 transactions. The desired confidence level is 95%, and the tolerable error rate is 5%. Which of the following factors would MOST likely increase the required sample size?

A.An increase in the expected error rate to 6%
B.A decrease in the tolerable error rate to 3%
C.A decrease in the confidence level to 90%
D.An increase in the population size to 15,000
AnswerA

Higher expected error rate requires larger sample size for the same precision.

Why this answer

An increase in the expected error rate to 6% increases the required sample size because the sample size formula is directly proportional to the product of the expected error rate and its complement (p × (1-p)). At a 95% confidence level, the z-value is fixed (1.96), and as the expected error rate moves closer to 50%, the variance increases, requiring a larger sample to achieve the same precision. This is a core statistical sampling principle in audit testing.

Exam trap

The trap here is that candidates mistakenly think increasing population size always increases sample size, but in statistical sampling for large populations, the population size has a diminishing effect and is not the primary driver of sample size.

How to eliminate wrong answers

Option B is wrong because a decrease in the tolerable error rate to 3% actually increases the required sample size, not decreases it, as the auditor needs more precision to detect smaller deviations. Option C is wrong because a decrease in the confidence level to 90% reduces the z-value (from 1.96 to 1.645), which decreases the required sample size. Option D is wrong because for large populations (over 5,000), the population size has a negligible effect on sample size; increasing it to 15,000 does not materially increase the required sample size.

40
MCQhard

An IS auditor is evaluating the use of continuous auditing techniques. Which of the following is the most significant benefit of implementing continuous monitoring over traditional periodic audits?

A.Reduced need for substantive testing
B.Elimination of control risk assessments
C.Automated generation of audit reports
D.Timely detection of control deficiencies
AnswerD

Continuous monitoring detects issues in real time, allowing prompt corrective action.

Why this answer

Continuous monitoring provides timely detection of control deficiencies, enabling faster remediation.

41
Matchingmedium

Match each audit risk component to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Risk without controls

Risk that controls fail

Risk that audit misses errors

Overall risk of incorrect opinion

Why these pairings

Audit risk model is fundamental to CISA.

42
MCQmedium

Based on the exhibit, what is the most likely control weakness that allowed this condition?

A.Weak password complexity requirements
B.Lack of individual accountability for privileged actions
C.Failure to disable the default administrator account
D.Inadequate segregation of duties between IT and security teams
AnswerB

Correct: Using a shared default account prevents attribution of actions to individuals.

Why this answer

The exhibit shows that multiple users are sharing a single privileged account (e.g., 'root' or 'admin') to perform administrative actions. Without unique user IDs for each administrator, it is impossible to map specific actions (e.g., a 'sudo' command or a configuration change) back to an individual. This lack of individual accountability is the core control weakness, as it violates the audit principle of non-repudiation and prevents effective forensic investigation.

Exam trap

The trap here is that candidates confuse 'shared accounts' with 'default accounts' (Option C) or 'weak passwords' (Option A), but the exhibit's key indicator is multiple users logging in with the same non-default privileged account, which directly points to a lack of individual accountability.

How to eliminate wrong answers

Option A is wrong because weak password complexity requirements would allow brute-force attacks, but the exhibit shows shared credentials, not a password cracking scenario. Option C is wrong because failure to disable the default administrator account is a specific vulnerability (e.g., leaving the 'sa' account enabled in SQL Server), but the exhibit indicates multiple users actively using a shared account, not a dormant default account. Option D is wrong because inadequate segregation of duties between IT and security teams would involve conflicting roles (e.g., a network admin also managing firewall rules), but the exhibit focuses on shared credentials, not role separation.

43
MCQeasy

Refer to the exhibit. An IS auditor is reviewing backup error logs. The error indicates a failed backup due to a missing file. What is the MOST likely cause?

A.The backup job was scheduled during peak hours causing timeout
B.The destination path '\\BackupServer01\Backup\Shares' is invalid
C.A file in the source volume was moved or deleted during the backup window
D.Insufficient disk space on the backup destination
AnswerC

File not found during backup is common when files change.

Why this answer

The error indicates a failed backup due to a missing file. The most likely cause is that a file in the source volume was moved or deleted during the backup window. Backup processes that use file-level snapshots or open-file managers (e.g., Volume Shadow Copy Service on Windows) capture a point-in-time view; if a file is moved or deleted after the snapshot is taken but before it is read by the backup agent, the backup will fail with a 'missing file' error.

This is a classic race condition in file-level backups without proper snapshot consistency.

Exam trap

The trap here is that candidates may confuse a 'missing file' error with a destination path issue or resource constraint, but the error message specifically points to a source-side file inconsistency, not a connectivity or capacity problem.

How to eliminate wrong answers

Option A is wrong because a timeout due to peak hours would typically produce a 'timeout' or 'operation aborted' error, not a 'missing file' error. Option B is wrong because an invalid destination path would cause a 'path not found' or 'access denied' error at the start of the backup, not a mid-backup missing file error. Option D is wrong because insufficient disk space on the destination would generate a 'disk full' or 'out of space' error, not a 'missing file' error.

44
MCQhard

An IS auditor is testing the effectiveness of a preventive control that rejects invalid transactions. The auditor uses a computer-assisted audit technique (CAAT) to create a set of test transactions. What is the primary risk associated with this approach?

A.The audit may disrupt system performance
B.Test transactions may be processed as real transactions
C.Test transactions may not be representative
D.The CAAT may corrupt production data
AnswerB

If test data is not properly isolated, it can be accepted as actual data, causing data integrity issues.

Why this answer

The primary risk is that test transactions may be processed as real transactions if the CAAT does not properly isolate them from the production environment. This could result in unintended data corruption, financial misstatements, or operational disruptions. The auditor must ensure that test data is clearly flagged or run in a separate test environment to avoid integration with live processing.

Exam trap

The trap here is that candidates often confuse the risk of test transactions being processed as real (option B) with the risk of CAATs corrupting production data (option D), but corruption is a consequence of the processing error, not the direct risk of the CAAT tool itself.

How to eliminate wrong answers

Option A is wrong because system performance disruption is a secondary operational risk, not the primary risk specific to using test transactions; CAATs are designed to minimize performance impact. Option C is wrong because while representativeness is a concern for test data validity, it is not the primary risk of the approach—the core risk is that test transactions could be processed as real. Option D is wrong because CAATs themselves do not corrupt production data; the corruption occurs only if test transactions are mistakenly processed as real, which is already covered by option B.

45
Multi-Selecteasy

Which TWO of the following are primary objectives of the audit planning phase? (Select TWO.)

Select 2 answers
A.Develop detailed audit procedures
B.Identify and assess risks relevant to the audit
C.Test the effectiveness of internal controls
D.Issue the final audit report
E.Define audit scope and objectives
AnswersB, E

Risk assessment is a key planning activity.

Why this answer

During the audit planning phase, the primary objectives are to define the audit scope and objectives (Option E) and to identify and assess risks relevant to the audit (Option B). This sets the foundation for the entire audit engagement, ensuring resources are focused on high-risk areas and that the audit is aligned with organizational goals. Detailed procedures are developed later, and testing controls or issuing reports occur in subsequent phases.

Exam trap

The trap here is confusing the planning phase with the execution phase, leading candidates to select 'develop detailed audit procedures' (Option A) as a planning objective, when it is actually a step in the audit program development after planning is complete.

46
MCQhard

An IS auditor is reviewing the disaster recovery plan (DRP) for an e-commerce company that generates 90% of its revenue online. The DRP states that the recovery time objective (RTO) for the transactional database is 4 hours, and the recovery point objective (RPO) is 1 hour. The current backup strategy includes nightly full backups and hourly transaction log backups stored on a local disk array. The backups are then copied to a remote datacenter via a WAN link with an average transfer speed of 10 Mbps. The database size is 500 GB. The auditor calculates that the time to transfer the full backup over the WAN is approximately 12 hours. The organization's management is confident that the DRP is adequate because they have never had to invoke it. What is the auditor's MOST critical finding?

A.The DRP has never been tested, so its feasibility is unknown.
B.The backup strategy does not include encryption for data in transit.
C.The RTO of 4 hours is not achievable given the backup transfer time.
D.The RPO of 1 hour is not achievable because transaction logs are only taken hourly.
AnswerC

The 12-hour transfer time far exceeds the 4-hour RTO, making the DRP infeasible.

Why this answer

The DRP states an RTO of 4 hours for the transactional database, but the full backup transfer time over the 10 Mbps WAN link is approximately 12 hours. Since the backup must be restored before the database can be made available, the RTO cannot be met. This is the most critical finding because it directly invalidates a core recovery objective, regardless of whether the plan has been tested.

Exam trap

The trap here is that candidates focus on the lack of testing (Option A) as the most critical finding, but the question is designed to test whether you can identify a quantitative, objective failure to meet a stated recovery objective over a qualitative process concern.

How to eliminate wrong answers

Option A is wrong because while testing is important, the fundamental technical constraint of backup transfer time exceeding the RTO is a more immediate and critical issue; even a tested plan cannot overcome a physical bandwidth limitation. Option B is wrong because encryption of data in transit, though a security best practice, is not the most critical finding when the core recovery objective (RTO) is mathematically unachievable. Option D is wrong because the RPO of 1 hour is actually achievable with hourly transaction log backups; the issue is with the RTO, not the RPO.

47
MCQhard

An IS auditor is reviewing an organization's change management process. The auditor notes that all emergency changes are approved post-implementation by the change advisory board (CAB) within 48 hours. Which of the following is the auditor's BEST course of action?

A.Escalate the issue to senior management as a control weakness
B.Verify that all emergency changes are tested before implementation
C.Assess whether the emergency change policy includes proper justification and post-approval controls
D.Recommend that emergency changes be approved prior to implementation
AnswerC

The auditor should evaluate the adequacy of controls around the process.

Why this answer

Option D is correct because the auditor should assess whether emergency changes are properly authorized, but the post-approval within 48 hours is acceptable if controls are adequate. Option A is incorrect because immediate escalation is not warranted without evidence of a problem. Option B is wrong because testing is important but the issue is authorization.

Option C is incorrect because there is no inherent violation; the auditor should evaluate the control design.

48
MCQeasy

An IS auditor is reviewing the logical access controls of a system. Which of the following is the BEST evidence that access rights are appropriately assigned?

A.An audit log showing all successful and failed login attempts
B.A password policy requiring complex passwords
C.An access control matrix defining roles and permissions
D.A recent user access review report signed by department managers
AnswerD

Management sign-off confirms proper assignment.

Why this answer

Option D is the best evidence because a user access review report signed by department managers provides documented confirmation that the assigned access rights have been explicitly verified and approved by the data owners. This is a detective control that directly validates the appropriateness of access assignments, whereas the other options are either preventive or detective controls that do not confirm the correctness of the rights themselves.

Exam trap

The trap here is that candidates confuse a control design document (access control matrix) with evidence of control effectiveness, failing to recognize that only a recent, signed user access review provides proof that the assigned rights have been validated by the data owner.

How to eliminate wrong answers

Option A is wrong because an audit log of login attempts only records authentication events, not the authorization levels or appropriateness of assigned access rights. Option B is wrong because a password policy addresses authentication strength, not the correctness of which users have which permissions. Option C is wrong because an access control matrix is a design document that defines intended roles and permissions, but it does not provide evidence that those definitions have been correctly implemented or that the actual assigned rights are appropriate.

49
Drag & Dropmedium

Arrange the steps to configure a firewall rule in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Firewall rule configuration begins with policy, then specifics, action, application, and testing.

50
MCQeasy

An IS auditor is planning an audit of a newly implemented ERP system. The auditor wants to ensure that the audit covers critical controls. Which of the following is the most appropriate first step in the audit planning process?

A.Interview the system administrator.
B.Review prior audit workpapers.
C.Conduct a risk assessment of the ERP implementation.
D.Develop a detailed audit program.
AnswerC

Risk assessment is the foundational step to identify risks and prioritize audit work.

Why this answer

The first step in audit planning is to conduct a risk assessment to identify high-risk areas and focus audit efforts.

51
MCQhard

An organization uses a COTS (commercial off-the-shelf) ERP system with significant customizations. The IS auditor is reviewing the system's configuration management. Which of the following findings would MOST indicate a weakness?

A.The vendor releases quarterly patches but the organization only applies critical security patches.
B.The system administrator has the ability to modify both configuration and production data.
C.Customizations are not tracked in a separate change management system.
D.The organization does not have a formal testing environment for customizations.
AnswerB

This is a direct violation of segregation of duties, significantly increasing risk of unauthorized changes.

Why this answer

Option B is correct because in a COTS ERP system with significant customizations, allowing the system administrator to modify both configuration and production data violates the principle of segregation of duties (SoD). This creates a risk of unauthorized or undetected changes, as the same individual can alter system configurations and then manipulate production data to conceal the impact, bypassing audit trails and controls.

Exam trap

The trap here is that candidates often focus on patch management or testing environments as the most critical weakness, but the CISA exam prioritizes segregation of duties as a fundamental control, especially in customized COTS systems where configuration changes can directly impact data integrity.

How to eliminate wrong answers

Option A is wrong because while applying only critical security patches is not ideal, it is a common risk-acceptance strategy for stability in heavily customized ERP systems; the question asks for the MOST indicative weakness, and patch management is less critical than SoD. Option C is wrong because customizations not tracked in a separate change management system is a procedural weakness, but it is secondary to the direct control risk of SoD; the primary concern is the ability to modify both configuration and data, not just the tracking method. Option D is wrong because lacking a formal testing environment is a risk for quality assurance, but it does not directly enable unauthorized data manipulation like the SoD violation in B does.

52
MCQhard

An IS auditor is performing a review of an organization's IT governance framework. Which of the following findings would be of MOST concern?

A.No documented IT strategy aligned with business strategy
B.Incomplete IT project portfolio management
C.Lack of an IT steering committee
D.Absence of an enterprise-wide information security policy
AnswerA

Governance requires IT to support business objectives; without alignment, the framework fails.

Why this answer

Option D is correct because absence of IT strategy alignment with business strategy undermines governance, making IT decisions misaligned. Option A is incorrect while a steering committee is important, its absence is not as critical as lack of strategic alignment. Option B is wrong because portfolio management is a tactic; without strategic alignment, it may be ineffective.

Option C is incorrect because security policies are operational, not strategic governance.

53
Multi-Selecthard

Which THREE of the following are key elements that should be included in a risk assessment report for information systems?

Select 3 answers
A.Identification of critical assets and their vulnerabilities
B.Recommendations for risk mitigation or acceptance
C.List of all vendors and their contract terms
D.Evaluation of current controls and their effectiveness
E.Detailed budget for implementing security controls
AnswersA, B, D

Needed to understand what is at risk.

Why this answer

A is correct because a risk assessment report must identify critical assets and their vulnerabilities to establish the scope and basis for risk analysis. Without this, the report cannot prioritize which systems require immediate attention or justify subsequent control recommendations.

Exam trap

The trap here is that candidates confuse operational or financial details (vendor lists, budgets) with the core risk assessment deliverables, which must focus on assets, vulnerabilities, controls, and risk treatment decisions.

54
MCQhard

An IS auditor is evaluating the effectiveness of an organization's information security awareness program. Which of the following is the BEST indicator of program effectiveness?

A.Percentage of employees who completed the training
B.Number of employees who acknowledged the security policy
C.Average score on the post-training quiz
D.Trend in security incidents attributed to human error
AnswerD

A downward trend indicates improved behavior due to awareness.

Why this answer

Option D is the best indicator because it directly measures the program's outcome: a reduction in security incidents caused by human error. While training completion, policy acknowledgment, and quiz scores measure activity or knowledge, they do not confirm that employees have changed their behavior. A downward trend in human-error-related incidents provides empirical evidence that the awareness program is effectively influencing employee actions in real-world scenarios.

Exam trap

The trap here is that candidates confuse activity metrics (completion, acknowledgment, quiz scores) with outcome metrics (actual behavior change and incident reduction), leading them to choose a proxy for effectiveness rather than the direct measure of program impact.

How to eliminate wrong answers

Option A is wrong because completion rates only measure attendance, not learning or behavior change; an employee can complete training without retaining or applying the material. Option B is wrong because acknowledging a policy is a procedural checkbox that does not verify understanding or compliance; it merely confirms receipt of information. Option C is wrong because post-training quiz scores measure short-term knowledge retention under test conditions, not the sustained application of secure practices in daily operations, and can be inflated by memorization or easy questions.

55
Multi-Selecthard

An IS auditor is assessing the backup and recovery procedures for a critical database. Which TWO of the following are the MOST important controls to ensure recoverability?

Select 2 answers
A.Backup media is encrypted.
B.Full backups are performed weekly.
C.Restore tests are conducted quarterly.
D.Backup logs are reviewed daily.
E.Backups are stored offsite.
AnswersC, E

Restore tests verify that backups can actually be recovered.

Why this answer

Options A and D are correct because storing backups offsite ensures survival of site disaster, and restore tests validate recoverability. Option B is important but not as directly critical. Option C is not necessarily most important as full backups frequency depends on RPO.

Option E is important for confidentiality but not recoverability.

56
Multi-Selectmedium

Which THREE of the following are acceptable methods for gathering audit evidence? (Select THREE.)

Select 3 answers
A.Accepting management's assertions without corroboration
B.Observation of processes being performed
C.Reperformance of control procedures
D.Inquiry of personnel
E.Obtaining hearsay from third parties
AnswersB, C, D

Observation provides direct evidence of control performance.

Why this answer

Observation of processes being performed (Option B) is an acceptable audit evidence-gathering technique because the auditor directly witnesses the execution of controls or procedures, providing firsthand evidence of their operation. This method is particularly valuable for assessing the effectiveness of manual controls or physical security measures, as it allows the auditor to verify that the process is performed as documented and to identify any deviations in real-time.

Exam trap

The trap here is that candidates may mistakenly believe that inquiry alone (Option D) is insufficient, but inquiry is a valid evidence-gathering method when combined with other procedures, while accepting unsupported assertions (Option A) and hearsay (Option E) are never acceptable as primary evidence.

57
MCQmedium

An IS auditor is reviewing the logical access controls of a financial application. Which of the following is the BEST way to verify that user access rights are appropriate?

A.Interview the IT security manager about the access control process.
B.Review the access control list for each user.
C.Re-perform a sample of transactions to detect unauthorized access.
D.Compare the user access rights with the job descriptions and responsibilities.
AnswerD

This directly validates whether access aligns with job functions.

Why this answer

Option D is correct because comparing user access rights directly against job descriptions and responsibilities is the most effective method to verify that access is appropriate based on the principle of least privilege. This approach ensures that each user's permissions align with their actual job functions, which is the core objective of a logical access control review. Interviewing or reviewing lists alone does not validate the appropriateness of access against business roles.

Exam trap

The trap here is that candidates often choose Option C (re-performing transactions) because it sounds like a direct test of control effectiveness, but it only detects unauthorized access after the fact and does not verify the appropriateness of the access rights themselves.

How to eliminate wrong answers

Option A is wrong because interviewing the IT security manager only provides a subjective, second-hand description of the process, not objective evidence that actual user access rights are appropriate. Option B is wrong because reviewing the access control list for each user shows what rights exist but does not compare them against any baseline (e.g., job roles) to determine if those rights are appropriate. Option C is wrong because re-performing a sample of transactions detects unauthorized access attempts but does not verify that the current access rights assigned to users are appropriate; it tests operational effectiveness, not the design of access provisioning.

Ready to test yourself?

Try a timed practice session using only Information System Auditing Process questions.