CISA exam topics 101-200 with verified answers
Document information

Uploaded on
November 24, 2025
Number of pages
32
Written in
2025/2026
Type
Exam (elaborations)
Contains
Questions & answers
CISA examtopics 101-200


1. 101.

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the
auditor recommend be done FIRST?


A. Implement additional firewalls to protect the system.

B. Decommission the server.

C. Implement a new system that can be patched.

D. Evaluate the associated risk.: D. Evaluate the associated risk.

2. 102.

During a review of an organization's network threat response process, the IS auditor noticed that the majority of alerts were
closed without resolution. Management responded that those alerts were unworkable due to lack of actionable intelligence, and
therefore the support team is allowed to close them. What is the BEST way for the auditor to address this situation?

A. Further review closed unactioned alerts to identify mishandling of threats.

B. Reopen unactioned alerts and report to the audit committee.

C. Recommend that management enhance the policy and improve threat awareness training.

D. Omit the finding from the report as this practice is in compliance with the current policy.: A. Further review closed unactioned alerts to identify mishandling of threats. (Correct)

C. Recommend that management enhance the policy and improve threat awareness training. (3 voted)

3. 103.
Which of the following BEST helps to ensure data integrity across system interfaces?


A. Reconciliations

B. Environment segregation

C. Access controls

D. System backups

*: A. Reconciliations

4. 104.
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following
is the IS auditor's BEST recommendation for a compensating control?


A. Require written authorization for all payment transactions.

B. Review payment transaction history.

C. Reconcile payment transactions with invoices.

D. Restrict payment authorization to senior staff members.: C. Reconcile payment transactions with invoices.

The correct answer is C: because the system limitation prevents dual control, the only compensating control available is to reconcile
each transaction with its invoice in order to ensure the accuracy of the transactions processed.
5. 105.

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing
system. What is the BEST control to ensure that data is accurately entered into the system?


A. Display back of project detail after entry

B. Reconciliation of total amounts by project

C. Reasonableness checks for each cost type

D. Validity checks, preventing entry of character data: D. Validity checks, preventing entry of character data

Reconciliation of total amounts by project is indeed an important control, and it can help identify discrepancies and errors in data
entry. It ensures that the total costs in the job-costing system match the calculated totals from the spreadsheets used for project
cost estimates.

So, while both "Reconciliation of total amounts by project" and "Validity checks, preventing entry of character data" are valuable
controls, they serve slightly different purposes:


- "Reconciliation of total amounts by project" focuses on detecting errors and discrepancies after data entry.
- "Validity checks, preventing entry of character data" focuses on preventing incorrect data from being entered in the first place by
ensuring the data meets certain criteria.

In practice, a combination of these controls would provide robust data accuracy and integrity assurance.
6. 106.

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider.
Which of the following would be the BEST way to prevent accepting bad data?


A. Purchase data cleansing tools from a reputable vendor.

B. Appoint data quality champions across the organization.

C. Obtain error codes indicating failed data feeds.

D. Implement business rules to reject invalid data.: D. Implement business rules to reject invalid data.

7. 107.

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?


A. Determine which databases will be in scope.

B. Identify the most critical database controls.

C. Evaluate the types of databases being used.

D. Perform a business impact analysis (BIA).

*: A. Determine which databases will be in scope.

Setting the scope is very important. Once the scope is decided, you identify the critical databases within it; databases outside the
scope are not relevant to the review.


8. 108.

Which of the following is an IS auditor's GREATEST concern when an organization does not regularly update software on individual
workstations in the internal environment?


A. The organization may not be in compliance with licensing agreements.

B. System functionality may not meet business requirements.

C. The system may have version control issues.

D. The organization may be more susceptible to cyber-attacks.: D. The organization may be more susceptible to cyber-attacks.

9. 109.

An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related
degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?


A. The standard is met as long as a supervisor reviews the new auditors' work.

B. The standard is met as long as one member has a globally recognized audit certification.

C. Team member assignments must be based on individual competencies.

D. Technical co-sourcing must be used to help the new staff.: C. Team member assignments must be based on individual
competencies.

10. 110.
Which of the following is a social engineering attack method?


A. A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

B. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C. An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure
door.

D. An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

*: B. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.


11. 111. *

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their
condition just prior to a computer system failure?


A. Rotating backup copies of transaction files offsite

B. Ensuring bisynchronous capabilities on all transmission lines

C. Maintaining system console logs in electronic format

D. Using a database management system (DBMS) to dynamically back-out partially processed transactions:

D. Using a database management system (DBMS) to dynamically back-out partially processed transactions (pupuweb + Most Voted
*6 100%)

This allows for the rollback of transactions that were only partially completed before the system failure. It ensures that the data
remains consistent and eliminates any incomplete or inconsistent data that may have been created during the system failure.

B. Ensuring bisynchronous capabilities on all transmission lines (freecram + examtopics)

12. 112.
Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity
supply in the event of activation?


A. FM-200

B. Dry pipe

C. Carbon dioxide
