It Audit

Domain 1: Information System Auditing Process (18%)

1. During which phase of the audit process does an auditor gain an understanding of the entity’s
environment and internal controls?

A. Reporting
B. Planning
C. Fieldwork
D. Follow-up

Answer: B. Planning

Explanation: In the planning phase, auditors gather information about the entity’s environment and
internal controls to identify areas of risk and develop an appropriate audit approach.

2. What technique involves the auditor watching a process or activity as it is performed?

A. Inquiry
B. Inspection
C. Observation
D. Reperformance

Answer: C. Observation

Explanation: Observation involves the auditor directly watching processes or activities to understand
how they are performed and to identify potential control issues.

3. Which scenario best describes an auditor using the inquiry technique?

A. The auditor watches an employee process transactions.
B. The auditor reviews financial statements for accuracy.
C. The auditor interviews employees about their job functions.
D. The auditor examines security logs for unauthorized access attempts.

Answer: C. The auditor interviews employees about their job functions.

Explanation: Inquiry involves asking questions to gather information, usually through interviews with
employees to understand processes and controls.

4. An auditor is reviewing the access control mechanisms in a company’s IT system. During the review,
they discovered that terminated employees still have active user accounts. What should the auditor
do next?

A. Report the issue to management immediately
B. Ignore the issue since it is not significant
C. Verify if the accounts have been used after termination
D. Recommend a complete overhaul of the access control system

Answer: C. Verify if the accounts have been used after termination

Explanation: Before taking further steps, the auditor should determine if the accounts have been used
improperly, which would indicate a serious control lapse and guide the next actions.

5. An auditor finds that a company’s disaster recovery plan (DRP) has not been tested in over two
years. What is the best course of action for the auditor to recommend?

A. Immediately create a new DRP
B. Test the existing DRP as soon as possible
C. Ignore the issue and proceed with the audit
D. Conduct a training session on the importance of DRP

Answer: B. Test the existing DRP as soon as possible

Explanation: Regular testing of the DRP is essential to ensure it will work effectively in an actual disaster.
Testing the current plan will help identify any deficiencies or areas for improvement.

Domain 2: Governance and Management of IT (18%)

1. Which of the following frameworks is commonly used for IT governance and management?

A. ISO 9001
B. COBIT
C. Six Sigma
D. ITIL

Answer: B. COBIT

Explanation: COBIT (Control Objectives for Information and Related Technology) is a widely recognized
framework for IT governance and management, providing guidelines and best practices.

2. An organization wants to implement a new cloud-based CRM system. Which risk management
strategy should be applied to address data privacy concerns?

A. Data encryption
B. Hiring additional IT staff
C. Increasing the IT budget
D. Conducting social engineering tests

Answer: A. Data encryption

Explanation: Encrypting data ensures that it remains secure and private when stored in the cloud,
addressing data privacy concerns.

3. An IT manager is tasked with developing a governance framework for a new IT initiative. What is
the first step they should take?

A. Allocate the budget for the initiative
B. Identify the stakeholders and their requirements
C. Train the IT staff on governance principles
D. Purchase the necessary IT infrastructure

Answer: B. Identify the stakeholders and their requirements

Explanation: Identifying stakeholders and understanding their requirements is crucial for developing a
governance framework that addresses their needs and aligns with organizational goals.

4. Which of the following is an example of a performance metric in IT governance?

A. Number of IT staff
B. IT budget allocation
C. System uptime percentage
D. Number of IT policies

Answer: C. System uptime percentage

Explanation: System uptime percentage is a performance metric that measures the availability and
reliability of IT systems, which is crucial for assessing the effectiveness of IT governance.

5. Which of the following tools is commonly used for project management in IT governance?

A. CMDB
B. Gantt Chart
C. SLA
D. ITIL

Answer: B. Gantt Chart

Explanation: A Gantt chart is a project management tool essential for planning, scheduling, and tracking
project progress, making it particularly valuable in IT governance.

Domain 3: Information Systems Acquisition, Development, and Implementation (12%)

1. Which of the following is a primary benefit of using prototyping in system development?

A. Reducing documentation
B. Increasing project costs
C. Enhancing user involvement and feedback
D. Extending project timelines

Answer: C. Enhancing user involvement and feedback

Explanation: Prototyping involves users early and often in the development process, allowing for
feedback and adjustments to ensure the final system meets user needs.

2. An organization is selecting a new software vendor. What is the first step in the vendor selection
process?

A. Negotiating the contract
B. Evaluating vendor proposals
C. Defining system requirements
D. Conducting a security audit

Answer: C. Defining system requirements

Explanation: Defining system requirements is crucial as it forms the basis for evaluating vendor
proposals and selecting the appropriate software solution.

3. What is the main purpose of user acceptance testing (UAT)?

A. To verify that the system is secure
B. To ensure the system meets user requirements
C. To test the system’s performance
D. To identify programming errors

Answer: B. To ensure the system meets user requirements

Explanation: User Acceptance Testing (UAT) is performed to ensure the system operates as expected and
fulfills the end user’s needs and requirements.

4. An IT project is behind schedule and over budget. What should be the immediate focus to address
these issues?

A. Cutting project resources
B. Reassessing project scope and timeline
C. Increasing project staff
D. Reducing the quality of deliverables

Answer: B. Reassessing project scope and timeline

Explanation: Reassessing the project scope and timeline helps identify the causes of delays and cost
overruns, allowing for adjustments to bring the project back on track.

5. During the implementation of a new ERP system, a critical business process is not functioning as
expected. What should the project team do first?

A. Ignore the issue and continue with the implementation
B. Revert to the old system immediately
C. Conduct a root cause analysis to identify the issue
D. Terminate the project

Answer: C. Conduct a root cause analysis to identify the issue

Explanation: Conducting a root cause analysis helps to understand the underlying problem, allowing the
project team to address it effectively and ensure the ERP system functions correctly.

Domain 4: Information Systems Operations and Business Resilience (26%)

1. Which of the following is an example of preventive maintenance in IT operations?

A. Installing software updates
B. Restoring data from backups
C. Monitoring system performance
D. Conducting security audits

Answer: A. Installing software updates

Explanation: Preventive maintenance involves proactive measures such as installing software updates to
prevent potential issues and ensure system reliability.

2. Which type of backup involves copying only the data that has changed since the last full backup?

A. Full backup
B. Incremental backup
C. Differential backup
D. Snapshot backup

Answer: B. Incremental backup

Explanation: Incremental backups copy only the data that has changed since the last backup, reducing
backup time and storage requirements.

3. What is the objective of a business impact analysis (BIA)?

A. To identify potential threats to IT systems
B. To assess the impact of disruptions on business operations
C. To develop security policies
D. To perform regular system maintenance

Answer: B. To assess the impact of disruptions on business operations

Explanation: A BIA identifies and evaluates the effects of disruptions on business operations, helping to
prioritize recovery efforts and develop effective continuity plans.

4. Which of the following best describes a hot site in disaster recovery planning?

A. An alternate site with basic infrastructure
B. An alternate site with fully operational systems and data
C. An alternate site with only data storage capabilities
D. An alternate site with no pre-installed systems

Answer: B. An alternate site with fully operational systems and data

Explanation: A hot site is a fully equipped backup location where an organization can swiftly resume
essential business operations in case of a disaster.

5. An organization wants to ensure that its critical systems can recover quickly from a hardware
failure. Which of the following strategies should they implement?

A. Full data backup every month
B. Redundant Array of Independent Disks (RAID)
C. Manual system monitoring
D. Monthly system maintenance

Answer: B. Redundant Array of Independent Disks (RAID)

Explanation: RAID provides redundancy by storing data across multiple disks, allowing the system to
continue operating even if one disk fails, thereby enhancing fault tolerance and recovery speed.

Domain 5: Protection of Information Assets (26%)

1. Which of the following is a common method for verifying the integrity of data?

A. Encryption
B. Hashing
C. Compression
D. Tokenization

Answer: B. Hashing

Explanation: Hashing generates a unique fixed-size string (hash) from data, which can be used to verify
that the data has not been altered by comparing the hash values.

2. An employee needs access to sensitive data for a project. What principle should the IT department
apply to grant access?

A. Least privilege
B. Full access
C. Default Allow
D. Maximum privilege

Answer: A. Least privilege

Explanation: The principle of least privilege mandates that users be given only the minimal access
needed to carry out their tasks, thereby minimizing the risk of unauthorized access to sensitive
information.

3. A company wants to implement multi-factor authentication (MFA) for its remote employees. Which
of the following combinations would provide MFA?

A. Username and password
B. Password and security token
C. Password and email address
D. Username and email address

Answer: B. Password and security token

Explanation: Multi-factor authentication (MFA) requires two or more verification factors. Combining a
password (something you know) with a security token (something you have) provides MFA.

4. Which of the following techniques is used to verify the authenticity and integrity of a digital
message?

A. Digital signature
B. Symmetric key encryption
C. Data compression
D. Firewall

Answer: A. Digital signature

Explanation: A digital signature employs cryptographic methods to verify a message’s authenticity and
integrity, ensuring it has not been altered and confirming the sender’s identity.

5. An organization intends to implement a Bring Your Own Device (BYOD) policy. What is a crucial
security measure that should be included in the policy?

A. Allowing unrestricted access to corporate networks
B. Requiring employees to use personal devices without any restrictions
C. Implementing mobile device management (MDM) solutions
D. Providing employees with unrestricted internet access

Answer: C. Implementing mobile device management (MDM) solutions

Explanation: MDM solutions enable the organization to manage and secure personal devices used for
work, enforcing security policies, and protecting corporate data.

CISA with InfosecTrain

Preparing for the CISA exam is a significant step in advancing your career in IT auditing, control, and
security. By mastering the five critical domains and utilizing this guide’s commonly asked CISA exam
questions and answers, you can enhance your exam preparation and identify areas for further study.
Consistent practice and review are keys to success. With focused learning and the resources provided by
InfosecTrain, you can confidently approach the CISA certification exam and unlock new opportunities in
the field of information systems auditing. Good luck on your journey to becoming a Certified
Information Systems Auditor!