Questions created by Sieuwert van Otterloo. Visit this page for an explanation: https://ictinstitute.nl/cisa-practice-questions/

The CISA exam consists of 150 multiple choice questions, each with four options. In general, all four options exist and add value, so you must choose the best of four good options. * indicates the correct answer.

1. Which of the following is true?
- The audit committee gets its authority from the audit charter
- An audit charter defines the scope and objectives of an external audit
- The audit charter describes the frequency of internal and external audits
* - The audit charter must be approved by top management or the audit committee

Note: the committee approves the charter. The charter gives authority to the IS auditor.

2. Which of the following policy documents regulates the creation and use of complicated financial models with custom macros in Excel by business users?
- The information security policy
- The access control policy
* - The end user computing policy
- The acceptable use policy

End user computing is about applications made by end users, either in Excel, low-code tools or other end-user-friendly development environments. End user computing is seen as a risk.

3. You discover that multiple marketing employees all use the same account name / password to use the corporate Twitter account. This leads to a lack of:
- confidentiality
- data integrity
* - accountability
- access control

Accountability is lost, since you cannot see who does what if there are no individual accounts.

4. What is a good control to compensate for a lack of segregation of duties?
* - transaction logs
- database encryption
- independent security testing
- privacy by design

Only transaction logs compensate for the fact that a single person can complete a whole transaction.

5. Which document contains a detailed estimate of the project benefits over time?
- The feasibility study
- The business impact analysis
* - The business case
- The post implementation review

The feasibility study does not contain a detailed estimate. The business impact analysis is not a project management document; it is used for business continuity management.

6. What is the most important role of an IS auditor in an application development project?
- monitor project progress and report exceptions
* - review and test application controls
- reviewing and approving the business requirements
- test project deliverables against quality standards

The IS auditor should be involved in the design of application controls and make sure the controls work as intended.

7. What is the purpose of a disaster recovery plan?
- provide procedures for sustaining business operations while recovering from a disruption
- provide procedures to recover from a cyberattack
* - provide procedures for relocating information system operations to an alternative location
- provide procedures to recover an information system

The DRP is the part of the business continuity plan that deals with the technical problem of bringing systems back online at a new location.

8. Which of the following would be of the MOST concern to an information systems auditor?
- Backups are made every other day instead of daily
* - The organisation has not established a recovery point objective
- Backups are encrypted with a 128-bit key
- Backups are stored at an alternative location only two miles from the main location

You need to have objectives before you can decide whether controls / procedures are adequate.

9. Which of the following describes the relation between RTO and RPO?
* - The RTO can be smaller, larger or equal to the RPO
- The RTO should always be less than the RPO
- The RPO should always be less than the RTO
- The RPO and RTO are most likely to be equal

RPO is about data loss, RTO about service downtime. These are not directly related, and different systems can have widely different requirements.

10. Which of the following devices has the primary function of blocking unwanted network traffic?
- Bridge
* - Firewall
- Load balancer
- Router

The other devices are not designed to block traffic.

11. What is the most efficient way to add a digital signature to a large document?
- To sign the document with the sender's private key and compute a message digest of the signature
- To sign the document with the receiver's public key and compute a message digest of the signature
* - To compute a message digest and sign the digest with the sender's private key
- To compute a message digest and sign the digest with the receiver's public key

Public key cryptography cannot efficiently handle large inputs. You need to reduce the input using a message digest or hash algorithm.

12. What is the best preventive control against cross site scripting attacks?
- access control
* - encoding of untrusted data
- logging
- pen-testing

Encoding will make sure that input data is displayed but not executed.