CISA exam topics 101-200 with verified
answers
101.
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are
not available. What should the auditor recommend be done FIRST?
A. Implement additional firewalls to protect the system.
B. Decommission the server.
C. Implement a new system that can be patched.
D. Evaluate the associated risk. - correct answer ✔✔ D. Evaluate the associated risk.
102.
During a review of an organization's network threat response process, the IS auditor noticed
that the majority of alerts were closed without resolution.Management responded that those
alerts were unworkable due to lack of actionable intelligence, and therefore the support team is
allowed to close them. What is the BEST way for the auditor to address this situation?
A. Further review closed unactioned alerts to identify mishandling of threats.
B. Reopen unactioned alerts and report to the audit committee.
C. Recommend that management enhance the policy and improve threat awareness training.
D. Omit the finding from the report as this practice is in compliance with the current policy. -
correct answer ✔✔ A. Further review closed unactioned alerts to identify mishandling of
threats. (Correct)
C. Recommend that management enhance the policy and improve threat awareness training. (3
voted)
,103.
Which of the following BEST helps to ensure data integrity across system interfaces?
A. Reconciliations
B. Environment segregation
C. Access controls
D. System backups
* - correct answer ✔✔ A. Reconciliations
104.
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts
payable system. Which of the following is the IS auditor's BEST recommendation for a
compensating control?
A. Require written authorization for all payment transactions.
B. Review payment transaction history.
C. Reconcile payment transactions with invoices.
D. Restrict payment authorization to senior staff members. - correct answer ✔✔ C. Reconcile
payment transactions with invoices.
The correct answer is C because there is no dual control due to system limitation, the only
compensating control here is to reconcile each transaction with the invoice inorder to ensure
the accuracy of the transaction processed.
105.
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then
keyed into the job-costing system. What is the BEST control to ensure that data is accurately
entered into the system?
,A. Display back of project detail after entry
B. Reconciliation of total amounts by project
C. Reasonableness checks for each cost type
D. Validity checks, preventing entry of character data - correct answer ✔✔ D. Validity checks,
preventing entry of character data
Reconciliation of total amounts by project is indeed an important control, and it can help
identify discrepancies and errors in data entry. It ensures that the total costs in the job-costing
system match the calculated totals from the spreadsheets used for project cost estimates.
So, while both "Reconciliation of total amounts by project" and "Validity checks, preventing
entry of character data" are valuable controls, they serve slightly different purposes:
- "Reconciliation of total amounts by project" focuses on detecting errors and discrepancies
after data entry.
- "Validity checks, preventing entry of character data" focuses on preventing incorrect data from
being entered in the first place by ensuring the data meets certain criteria.
In practice, a combination of these controls would provide robust data accuracy and integrity
assurance.
106.
An organization plans to receive an automated data feed into its enterprise data warehouse
from a third-party service provider. Which of the following would be the BEST way to prevent
accepting bad data?
A. Purchase data cleansing tools from a reputable vendor.
, B. Appoint data quality champions across the organization.
C. Obtain error codes indicating failed data feeds.
D. Implement business rules to reject invalid data. - correct answer ✔✔ D. Implement business
rules to reject invalid data.
107.
Which task should an IS auditor complete FIRST during the preliminary planning phase of a
database security review?
A. Determine which databases will be in scope.
B. Identify the most critical database controls.
C. Evaluate the types of databases being used.
D. Perform a business impact analysis (BIA).
* - correct answer ✔✔ A. Determine which databases will be in scope.
Setting scope is very important. After deciding on the scope, you need to find the important
databases within the scope. Databases outside the scope are not important.
108.
Which of the following is an IS auditor's GREATEST concern when an organization does not
regularly update software on individual workstations in the internal environment?
A. The organization may not be in compliance with licensing agreements.
B. System functionality may not meet business requirements.
C. The system may have version control issues.
D. The organization may be more susceptible to cyber-attacks. - correct answer ✔✔ D. The
organization may be more susceptible to cyber-attacks.
answers
101.
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are
not available. What should the auditor recommend be done FIRST?
A. Implement additional firewalls to protect the system.
B. Decommission the server.
C. Implement a new system that can be patched.
D. Evaluate the associated risk. - correct answer ✔✔ D. Evaluate the associated risk.
102.
During a review of an organization's network threat response process, the IS auditor noticed
that the majority of alerts were closed without resolution.Management responded that those
alerts were unworkable due to lack of actionable intelligence, and therefore the support team is
allowed to close them. What is the BEST way for the auditor to address this situation?
A. Further review closed unactioned alerts to identify mishandling of threats.
B. Reopen unactioned alerts and report to the audit committee.
C. Recommend that management enhance the policy and improve threat awareness training.
D. Omit the finding from the report as this practice is in compliance with the current policy. -
correct answer ✔✔ A. Further review closed unactioned alerts to identify mishandling of
threats. (Correct)
C. Recommend that management enhance the policy and improve threat awareness training. (3
voted)
,103.
Which of the following BEST helps to ensure data integrity across system interfaces?
A. Reconciliations
B. Environment segregation
C. Access controls
D. System backups
* - correct answer ✔✔ A. Reconciliations
104.
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts
payable system. Which of the following is the IS auditor's BEST recommendation for a
compensating control?
A. Require written authorization for all payment transactions.
B. Review payment transaction history.
C. Reconcile payment transactions with invoices.
D. Restrict payment authorization to senior staff members. - correct answer ✔✔ C. Reconcile
payment transactions with invoices.
The correct answer is C because there is no dual control due to system limitation, the only
compensating control here is to reconcile each transaction with the invoice inorder to ensure
the accuracy of the transaction processed.
105.
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then
keyed into the job-costing system. What is the BEST control to ensure that data is accurately
entered into the system?
,A. Display back of project detail after entry
B. Reconciliation of total amounts by project
C. Reasonableness checks for each cost type
D. Validity checks, preventing entry of character data - correct answer ✔✔ D. Validity checks,
preventing entry of character data
Reconciliation of total amounts by project is indeed an important control, and it can help
identify discrepancies and errors in data entry. It ensures that the total costs in the job-costing
system match the calculated totals from the spreadsheets used for project cost estimates.
So, while both "Reconciliation of total amounts by project" and "Validity checks, preventing
entry of character data" are valuable controls, they serve slightly different purposes:
- "Reconciliation of total amounts by project" focuses on detecting errors and discrepancies
after data entry.
- "Validity checks, preventing entry of character data" focuses on preventing incorrect data from
being entered in the first place by ensuring the data meets certain criteria.
In practice, a combination of these controls would provide robust data accuracy and integrity
assurance.
106.
An organization plans to receive an automated data feed into its enterprise data warehouse
from a third-party service provider. Which of the following would be the BEST way to prevent
accepting bad data?
A. Purchase data cleansing tools from a reputable vendor.
, B. Appoint data quality champions across the organization.
C. Obtain error codes indicating failed data feeds.
D. Implement business rules to reject invalid data. - correct answer ✔✔ D. Implement business
rules to reject invalid data.
107.
Which task should an IS auditor complete FIRST during the preliminary planning phase of a
database security review?
A. Determine which databases will be in scope.
B. Identify the most critical database controls.
C. Evaluate the types of databases being used.
D. Perform a business impact analysis (BIA).
* - correct answer ✔✔ A. Determine which databases will be in scope.
Setting scope is very important. After deciding on the scope, you need to find the important
databases within the scope. Databases outside the scope are not important.
108.
Which of the following is an IS auditor's GREATEST concern when an organization does not
regularly update software on individual workstations in the internal environment?
A. The organization may not be in compliance with licensing agreements.
B. System functionality may not meet business requirements.
C. The system may have version control issues.
D. The organization may be more susceptible to cyber-attacks. - correct answer ✔✔ D. The
organization may be more susceptible to cyber-attacks.
