Exam (worked answers)

CISA Practice Exam Spring 2024 Questions and Correct Answers with Detailed Rationales

Rating: -
Sold: -
Pages: 30
Grade: A+
Uploaded on: 10 December 2025
Written in: 2025/2026

Which of the following would be MOST important for an IS auditor to verify while conducting a business continuity audit?
A. Data backups are performed on a timely basis.
B. A recovery site is contracted for and available as needed.
C. Human safety procedures are in place.
D. Insurance coverage is adequate and premiums are current.

C. Human safety procedures are in place.
Explanation: The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.

An IS auditor reviewing a network log discovers that an employee ran elevated commands on their PC by invoking the task scheduler to launch restricted applications. This is an example of what type of attack?
A. A race condition
B. A privilege escalation
C. A buffer overflow
D. An impersonation

B. A privilege escalation
Explanation: This is a type of attack where higher-level system authority is obtained by various methods. In this example, the task scheduler service runs with administrator permissions, and a security flaw allows programs launched by the scheduler to run at the same permission level.

A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and:
A. recovery.
B. retention.
C. rebuilding.
D. reuse.

B. retention.
Explanation: Besides being a good practice, laws and regulations may require an organization to keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held in the same regard as the official form of classic paper makes the retention policy of corporate email a necessity. All email generated on an organization’s hardware is the property of the organization, and an email policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of emails after a specified time to protect the nature and confidentiality of the messages themselves.

An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:
A. decline the assignment.
B. inform management of the possible conflict of interest after completing the audit assignment.
C. inform the BCP team of the possible conflict of interest prior to beginning the assignment.
D. communicate the possibility of conflict of interest to audit management prior to starting the assignment.

D. communicate the possibility of conflict of interest to audit management prior to starting the assignment.
Explanation: A possible conflict of interest, likely to affect the IS auditor’s independence, should be brought to the attention of management prior to starting the assignment.

Which of the following is the MOST critical element to effectively execute a disaster recovery plan?
A. Offsite storage of backup data
B. Up-to-date list of key disaster recovery contacts
C. Availability of a replacement data center
D. Clearly defined recovery time objective (RTO)

A. Offsite storage of backup data
Explanation: Remote storage of backups is the most critical disaster recovery plan (DRP) element of the items listed because access to backup data is required to restore systems.

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should:
A. recommend that this separate project be completed as soon as possible.
B. report this issue as a finding in the audit report.
C. recommend the adoption of the Zachman framework.
D. re-scope the audit to include the separate project as part of the current audit.

B. report this issue as a finding in the audit report.
Explanation: It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding.

What is the PRIMARY consideration for an IS auditor reviewing the prioritization and coordination of IT projects and program management?
A. Projects are aligned with the organization’s strategy.
B. Identified project risk is monitored and mitigated.
C. Controls related to project planning and budgeting are appropriate.
D. IT project metrics are reported accurately.

A. Projects are aligned with the organization’s strategy.
Explanation: The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results. Therefore, the IS auditor should first focus on ensuring this alignment.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?
A. Advise on the adoption of application controls to the new database software.
B. Provide future estimates of the licensing expenses to the project team.
C. Recommend to the project manager how to improve the efficiency of the migration.
D. Review the acceptance test case documentation before the tests are carried out.

D. Review the acceptance test case documentation before the tests are carried out.
Explanation: The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.

While designing the business continuity plan for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:
A. shadow file processing.
B. electronic vaulting.
C. hard-disk mirroring.
D. hot-site provisioning.

A. shadow file processing.

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan?
A. The plan is approved by the chief information officer.
B. The plan contact lists have not been updated.
C. Test results are not adequately documented.
D. The training schedule for recovery personnel is not included.

C. Test results are not adequately documented.

Institution: CISA - Certified Information Systems Auditor
Course: CISA - Certified Information Systems Auditor










Seller: NurseQueen1