Free ISACA CISA Practice Exams - Page 3 of 62

Question #21

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

A . The system does not have a maintenance plan.
B . The system contains several minor defects.
C . The system deployment was delayed by three weeks.
D . The system was over budget by 15%.

Reveal Solution Hide Solution

Question #22

What type of control has been implemented when secure code reviews are conducted as part of a deployment program?

A . Monitoring
B . Deterrent
C . Detective
D . Corrective

Reveal Solution Hide Solution

Question #23

Which of the following would BEST prevent an arbitrary application of a patch?

A . Database access control
B . Established maintenance windows
C . Network based access controls
D . Change management

Reveal Solution Hide Solution

Question #24

The PRIMARY role of an IS auditor in the remediation of problems found during an audit engagement is to:

A . help auditee management by providing the solution.
B . explain the findings and provide general advice.
C . present updated policies to management for approval.
D . take ownership of the problems and oversee remediation efforts.

Reveal Solution Hide Solution

Question #25

Which of the following is an IS auditor’s BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?

A . Encrypt the extensible markup language (XML) file.
B . Implement Transport Layer Security (TLS).
C . Mask the API endpoints.
D . Implement Simple Object Access Protocol (SOAP).

Reveal Solution Hide Solution

Question #26

Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

A . Data storage costs
B . Data classification
C . Vendor cloud certification
D . Service level agreements (SLAs)

Reveal Solution Hide Solution

Question #27

An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward 10 those who click on a link embedded in the body of the email.

Which of the following metrics BEST indicates the effectiveness of awareness training?

A . The number of users deleting the email without reporting because it is a phishing email
B . The number of users clicking on the link to learn more about the sender of the email
C . The number of users forwarding the email to their business unit managers
D . The number of users reporting receipt of the email to the information security team

Reveal Solution Hide Solution

Question #28

An IS auditor is reviewing the installation of a new server. The IS auditor’s PRIMARY objective is to ensure that

A . security parameters are set in accordance with the manufacturer s standards.
B . a detailed business case was formally approved prior to the purchase.
C . security parameters are set in accordance with the organization’s policies.
D . the procurement project invited lenders from at least three different suppliers.

Reveal Solution Hide Solution

Question #29

An IS auditor is planning an audit of an organization’s risk management practices.

Which of the following would provide the MOST useful information about

risk appetite?

A . Risk policies
B . Risk assessments
C . Prior audit reports
D . Management assertion

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite reflects the organization’s risk culture, strategy, and tolerance, and guides the organization’s risk management practices. The most useful information about risk appetite can be obtained from the risk policies, which are the documents that define the organization’s risk management framework, principles, objectives, roles, responsibilities, and processes. Risk policies also establish the criteria and thresholds for identifying, assessing, prioritizing, mitigating, and monitoring risks, as well as the reporting and escalation mechanisms for risk issues. By reviewing the risk policies, an IS auditor can evaluate whether they are consistent, comprehensive, and aligned with the organization’s risk appetite and whether they provide clear guidance and direction for managing risks effectively.

The other options are not correct because they are either not the most useful or not relevant to risk appetite. Risk assessments are the processes of identifying, analyzing, and evaluating the risks that may affect the organization’s objectives. Risk assessments provide information about the current risk profile and exposure of the organization, but they do not indicate the organization’s risk appetite or preferences. Prior audit reports are the documents that summarize the findings, recommendations, and conclusions of previous audits. Prior audit reports may provide information about the past performance and issues of the organization’s risk management practices, but they do not reflect the organization’s risk appetite or expectations. Management assertion is a statement or declaration made by management about the accuracy, completeness, validity, or reliability of a certain fact or data. Management assertion may provide information about the management’s confidence or opinion on a specific risk or issue, but it does not represent the organization’s risk appetite or criteria.

Question #30

Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

A . Carbon dioxide
B . FM-200
C . Dry pipe
D . Halon

Reveal Solution Hide Solution