CISA (CERTIFIED INFORMATION SYSTEMS AUDITOR) QUESTIONS WITH DETAILED VERIFIED ANSWERS
Indemnity Clause Ans: a contractual transfer of risk between two
contractual parties generally to prevent loss or compensate for a loss
which may occur as a result of a specified event
Portfolio Management Ans: Assists in the definition, prioritization,
approval and running of a set of projects within a given organization.
These tools offer data capture, workflow and scenario planning
functionality, which can help identify the optimum set of projects (from
the full set of ideas) to take forward within a given budget.
Helps to gain an understanding of the effectiveness of controls over the
management of multiple projects.
Top-Down Approach (Meaning-Based) Ans: Deriving lower-level policies
from corporate policies which aids in ensuring consistency across the
organization and consistency with other policies.
What is the BEST way to ensure that the tested code that is moved into
production is the same? Ans: Release management software
The project steering committee is ultimately responsible for: Ans:
project deliverables, costs and timetables
Load testing Ans: Evaluates the performance of the software under
normal and peak conditions.
Recovery testing Ans: evaluates the ability of a system to recover after
a failure.
Volume testing Ans: evaluates the impact of incremental volume of
records (not users) on a system.
Stress testing Ans: determines the capacity of the software to cope with
an abnormal number of users or simultaneous operations.
Spooling Ans: sends documents to be printed to a buffer instead of
sending them immediately to the printer
Professional standards Ans: Professional standards from ISACA, The
Institute of Internal Auditors and the International Federation of
Accountants require supervision of audit staff to accomplish audit
objectives and comply with competence, professional proficiency and
documentation requirements, and more.
Honeypot Ans: Vulnerable computer that is set up to entice an intruder
to break into it and provides clues as to the hacker's methods and
strategies
Program coding standards Ans: These are required for efficient program
maintenance and modifications.
Denormalization vs Normalization Ans: Normalization is used to remove
redundant data from the database and to store non-redundant and
consistent data into it. Reduces data redundancy and inconsistency.
Maintains data integrity
Denormalization is used to combine multiple table data into one so that it
can be queried quickly. Introduces redundancy. Does not maintain any
data integrity
Escrow Agreement Ans: A source code escrow agreement is primarily
recommended to help protect the enterprise's investment in software,
because the source code will be available through a trusted third party
and can be retrieved if the start-up vendor goes out of business.
Which of the following is the initial step in creating a firewall policy?
Ans: Identification of network applications to be externally accessed
What BEST helps prioritize the recovery of IT assets when planning for a
disaster? Ans: Business impact analysis
Incorporating the business impact analysis (BIA) into the IT disaster
recovery planning process is critical to ensure that IT assets are
prioritized to align with the business.
An advantage in using a bottom-up vs. a top-down approach to software
testing is that: Ans: errors in critical modules are detected earlier.
Spoofing Attack Ans: Attacker pretends to be another user or machine
to gain access
Denial of service attack Ans: a cyber attack in which an attacker sends a
flood of data packets to the target computer, with the aim of overloading
its resources.
Example: Ping of death
Port scanning attack Ans: An attack where an attacker scans your
systems to see which ports are listening in an attempt to find a way to
gain unauthorized access.
Man-in-the-middle attack Ans: A form of eavesdropping where the
attacker intercepts a computerized conversation between two parties and
then allows the conversation to continue by relaying the appropriate data
to both parties, while simultaneously monitoring the same data passing
through the attacker's conduit.
Which of the following is the MOST important consideration for database
hardening? Ans: Default database configurations are changed.
Default database configurations, such as default passwords and services,
need to be changed; otherwise, the database could be easily
compromised by malicious code and by intruders.
Which of the following has the MOST significant impact on the success of
an application systems implementation? Ans: The overall organizational
environment
An IS auditor discovers that developers have operator access to the
command line of a production environment operating system. Which of
the following controls would BEST mitigate the risk of undetected and
unauthorized program changes to the production environment? Ans: The
matching of hash keys over time would allow detection of changes to
files.
Pharming attack Ans: The pharming attack redirects the traffic to an
unauthorized web site by exploiting vulnerabilities of the DNS server.
Mitigation: Domain name system server security hardening.
Stress test Ans: a form of deliberately intense or thorough testing used
to determine the stability and performance of a given system, critical
infrastructure or entity. It involves testing beyond normal operational
capacity, often to a breaking point, in order to observe the results.
Ideally, stress testing should be carried out in a: Ans: test environment
using live workloads.
Which of the following is the BEST method for testing program changes?
Ans: Trace a sample of modified programs to supporting change tickets.
Function Point Analysis Ans: This is a technique used to determine the
size of a development task based on the number of function points.
Function points are factors such as inputs, outputs, inquiries and
internal logical files.
White Box Testing Ans: This involves a detailed review of the behavior
of program code. It is a quality assurance technique suited to simpler
applications during the design and building stage of development.
Black Box Testing Ans: Testing, either functional or non-functional,
without reference to the internal structure of the component or system.
As part of the business continuity planning process, which of the following
should be identified FIRST in the business impact analysis? Ans: Critical
business processes for ascertaining the priority for recovery
In determining the acceptable time period for the resumption of critical
business processes: Ans: both downtime costs and recovery costs need
to be evaluated.