ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 27

The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free and are intended to help you pass the ISACA CISA exam and earn the ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 2891

Question

During the planning stage of a compliance audit, an IS auditor discovers that a bank’s inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

A. Discuss potential regulatory issues with the legal department.
B. Ask management why the regulatory changes have not been included.
C. Exclude recent regulatory changes from the audit scope.
D. Report the missing regulatory updates to the chief information officer (CIO).

Answer

B. Ask management why the regulatory changes have not been included.

CISA Question 2892

Question

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

A. Restricting evidence access to professionally certified forensic investigators
B. Engaging an independent third party to perform the forensic investigation
C. Performing investigative procedures on the original hard drives rather than images of the hard drives
D. Documenting evidence handling by personnel throughout the forensic investigation

Answer

D. Documenting evidence handling by personnel throughout the forensic investigation

CISA Question 2893

Question

An IS auditor is reviewing IT policies and found that most policies have not been reviewed in over 3 years. The MOST significant risk is that the policies do not reflect:

A. current legal requirements.
B. the vision of the CEO.
C. the mission of the organization.
D. current industry best practices.

Answer

A. current legal requirements.

CISA Question 2894

Question

Which of the following provides an IS auditor the MOST assurance that an organization is compliant with legal and regulatory requirements?

A. The IT manager is responsible for the organization’s compliance with legal and regulatory requirements.
B. Controls associated with legal and regulatory requirements have been identified and tested.
C. Senior management has provided attestation of legal and regulatory compliance.
D. There is no history of complaints or fines from regulators regarding noncompliance.

Answer

B. Controls associated with legal and regulatory requirements have been identified and tested.

CISA Question 2895

Question

An IS auditor is conducting a review of an organization’s information systems and discovers data that is no longer needed by business applications. Which of the following would be the IS auditor’s BEST recommendation?

A. Ask the data custodian to remove it after confirmation from the business user.
B. Assess the data according to the retention policy.
C. Back up the data to removable media and store in a secure area.
D. Keep the data and protect it using a data classification policy.

Answer

A. Ask the data custodian to remove it after confirmation from the business user.

CISA Question 2896

Question

Which of the following observations noted during a review of the organization’s social media practices should be of MOST concern to the IS auditor?

A. The organization does not require approval for social media posts.
B. More than one employee is authorized to publish on social media on behalf of the organization.
C. Not all employees using social media have attended the security awareness program.
D. The organization does not have a documented social media policy.

Answer

D. The organization does not have a documented social media policy.

CISA Question 2897

Question

An organization plans to launch a social media presence as part of a new customer service campaign. Which of the following is the MOST significant risk from the perspective of potential litigation?

A. The policy stating what employees can post on the organization’s behalf is unclear.
B. Access to corporate-sponsored social media accounts requires only single-factor authentication.
C. Approved employees can use personal devices to post on the company’s behalf.
D. There is a lack of clear procedures for responding to customers on social media outlets.

Answer

A. The policy stating what employees can post on the organization’s behalf is unclear.

CISA Question 2898

Question

An organization’s IT security policy states that user IDs must uniquely identify individuals and that users should not disclose their passwords. An IS auditor discovers that several generic user IDs are being used. Which of the following is the MOST appropriate course of action for the auditor?

A. Investigate the noncompliance.
B. Include the finding in the final audit report.
C. Recommend disciplinary action.
D. Recommend a change in security policy.

Answer

A. Investigate the noncompliance.

CISA Question 2899

Question

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

A. Identifying where existing data resides and establishing a data classification matrix
B. Requiring users to save files in secured folders instead of a company-wide shared drive
C. Reviewing data transfer logs to determine historical patterns of data flow
D. Developing a DLP policy and requiring signed acknowledgement by users

Answer

D. Developing a DLP policy and requiring signed acknowledgement by users

CISA Question 2900

Question

In assessing the priority given to systems covered in an organization’s business continuity plan (BCP), an IS auditor should FIRST:

A. review results of previous business continuity plan (BCP) tests.
B. review the backup and restore processes.
C. verify the criteria for disaster recovery site selection.
D. validate the recovery time objectives and recovery point objectives.

Answer

D. validate the recovery time objectives and recovery point objectives.