Exam (elaborations)

CISA Exam Comprehensive Practice Questions and Correct Answers with Detailed Rationales

Pages
45
Grade
A+
Uploaded on
10-12-2025
Written in
2025/2026

Institution
CISA - Certified Information Systems Auditor
Course
CISA - Certified Information Systems Auditor












Document information

Uploaded on
December 10, 2025
Number of pages
45
Written in
2025/2026
Type
Exam (elaborations)
Contains
Questions & answers

In a public key infrastructure (PKI), which of the following may be relied upon to
prove that an online transaction was authorized by a specific customer?

A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity

The correct answer is A.

Which of the following BEST ensures the integrity of a server's operating system
(OS)?

A. Protecting the server in a secure location
B. Setting a boot password
C. Hardening the server configuration
D. Implementing activity logging
The correct answer is C.

The PRIMARY purpose of an IT forensic audit is:

A. to participate in investigations related to corporate fraud.
B. the systematic collection and analysis of evidence after a system irregularity.
C. to assess the correctness of an organization's financial statements.
D. to preserve evidence of criminal activity.
The correct answer is B.

The IS auditor is reviewing an organization's human resources (HR) database
implementation. The IS auditor discovers that the database servers are clustered for
high availability, all default database accounts have been removed and database
audit logs are kept and reviewed on a weekly basis. What other area should the IS
auditor check to ensure that the databases are appropriately secured?

A. Database digital signatures
B. Database encryption nonces and other variables
C. Database media access control (MAC) address authentication
D. Database initialization parameters
The correct answer is D.

Which of the following processes will be MOST effective in reducing the risk that
unauthorized software on a backup server is distributed to the production server?

A. Manually copy files to accomplish replication.
B. Review changes in the software version control system.
C. Ensure that developers do not have access to the backup server.
D. Review the access control log of the backup server.
The correct answer is B.

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of
receiving financial data and has communicated the site's address, user ID and
password to the financial services company in separate email messages. The
company is to transmit its data to the FTP site after manually encrypting the data.
The IS auditor's GREATEST concern with this process is that:

A. the users may not remember to manually encrypt the data before transmission.
B. the site credentials were sent to the financial services company via email.
C. personnel at the consulting firm may obtain access to sensitive data.
D. the use of a shared user ID to the FTP site does not allow for user accountability.
The correct answer is A.

In the course of performing a risk analysis, an IS auditor has identified threats and
potential impacts. Next, the IS auditor should:

A. identify and assess the risk assessment process used by management.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.
The correct answer is D.

A. certificate revocation list (CRL).
B. digital signature.
C. digital certificate.
D. receiver's private key.
The correct answer is C.

When performing a review of a business process reengineering (BPR) effort, which
of the following choices would be the PRIMARY concern?

A. Controls are eliminated as part of the BPR effort.
B. Resources are not adequate to support the BPR process.
C. The audit department is not involved in the BPR effort.
D. The BPR effort includes employees with limited knowledge of the process area.
The correct answer is A.

An IS auditor suspects an incident (attack) is occurring while an audit is being
performed on a financial system. What should the IS auditor do FIRST?

A. Request that the system be shut down to preserve evidence.
B. Report the incident to management.
C. Ask for immediate suspension of the suspect accounts.
D. Immediately investigate the source and nature of the incident.
The correct answer is B.

Online banking transactions are being posted to the database when processing
suddenly comes to a halt. The integrity of the transaction processing is BEST
ensured by:

A. database integrity checks.
B. validation checks.
C. input controls.
D. database commits and rollbacks.
The correct answer is D.

Which of the following would be evaluated as a preventive control by an IS auditor
performing an audit?

A. Transaction logs
B. Before and after image reporting
C. Table lookups
D. Tracing and tagging
The correct answer is C.

As a driver of IT governance, transparency of IT's cost, value and risk is primarily
achieved through:

A. performance measurement.
B. strategic alignment.
C. value delivery.
D. resource management.
The correct answer is A.

Which of the following choices is the MOST effective control that should be
implemented to ensure accountability for application users accessing sensitive data
in the human resource management system (HRMS) and among interfacing
applications to the HRMS?

A. Two-factor authentication
B. A digital certificate
C. Audit trails
D. Single sign-on authentication
The correct answer is C.