25 CISA Questions-A must know for CISA Aspirants

Saddam is a very well known IT security expert in Bangladesh having prestigious certificates and degrees like CEH, OCA, MCTS, MCP.

Through his wide experience of information audit, information security, pentest, database and core banking software, he supports and guides the CISA aspirants from all over the globe.

He has identified 25 questions (5 questions per domain) that every CISA aspirants appearing in 2017 should know.

(1)During IS audits, the type of evidence the auditor uses does not include:

  1. Physical evidence
  2. Documentary evidence
  3. Representations
  4. Reporting

Choice (d) is the correct answer. There are various types of evidence which the auditor may use, including physical evidence, documentary evidence, representations, and analysis. Reporting comes after the evidence is fully collected and analyzed.

(2)Which of the following is the technique used to obtain evidential matter about tests of controls?

  1. Re-performance
  2. Analysis
  3. Comparisons
  4. Calculations

Choice (a) is the correct answer. The IS auditor selects control tests from a

variety of techniques such as inquiry, observations, inspection, and re-performance of a policy or procedure. These techniques are used in tests of controls (compliance testing). An example of re-performance includes writing a computer program to recalculate the interest for a savings account in a bank.

(3)A CISA conducting a review found a lack of clearly defined roles and privileges in the application, which has led to a deficiency in the transaction authorization control objective. What should be the next step?

  1. Report the finding to auditee management
  2. Run a set of transactions as a sample and check authorization
  3. Ask IT department for details of user access rights
  4. Use a GAS to check the controls


Explanation: The CISA must first run a set of sample transaction and check authorization. Based on the results, the impact and materiality of this could be reported.

(4)IS internal controls are not designed to provide reasonable assurance that:

  1. Irregularities will be eliminated
  2. Access to technology assets is permitted only in accordance with management’s authorization
  3. IS operations and activities are performed in accordance with management’s authorization
  4. Adequate separation of duties is maintained

Choice (a) is the correct answer. There are inherent limitations or risks that should be recognized by the IS auditor. Errors do occur due to misunderstanding of instructions or mistakes of judgment. Also, controls can be circumvented. It would be very costly to eliminate irregularities. Choices (b) through (d) are incorrect since they are part of a well-designed system of IS internal controls.

(5)The IS audit manager analyzes his department staff’s personal development and advancement experiences to determine whether individuals are meeting their stated career goals. This is evidence of the IS audit department adherence to prescribed standards of:

  1. Due professional care
  2. Independence
  3. Performance of audit work
  4. Quality control and assurance

Choice (d) is the correct answer. The IS audit manager should establish policies and procedures for motivating audit staff to assume increased responsibilities and to perform quality work. Some examples of personal qualifications are character, intelligence, judgment, and motivation.

Due professional care standards (choice a) are part of work performance standards. Independence standards (choice b) include attitude and appearance, organizational relationship, and adherence to the Code of Professional Ethics.Performance of work standards (choice c) address planning and supervision, evidence requirements, and due professional care.

Domain 2

(1)The benefits of IS standardization do not include:

  1. Decreased costs
  2. Better IS planning and control
  3. Improved software development and maintenance, and computer operations work
  4. Enhanced interoperability of computer systems

Choice (a) is the correct answer. Standards increase the costs to train various departments’ staffs and to acquire new software tools and techniques and hardware devices.

Standards-based solutions to hardware and software problems minimize investment risk in information technology while leveraging existing investment. Standards result in more efficient IS resource utilization and more effective security measures. The IS standards can also help in integrating IS plans into an organization’s goals (choice b). They also facilitate interoperability of systems so that there are no technical barriers between computer systems acquired from different vendors (choice d). When dealing with contractors, the user organization should identify the type of standards a software development contractor should follow (e.g., industry standards, own standards). Standards also help in facilitating clear and better communications between various parties involved in software development, maintenance, and operation (choice c).

(2)An IT operational plan does not include:

  1. Risk assessment
  2. Project descriptions
  3. Project resource estimates
  4. Project implementation schedules

Choice (a) is the correct answer. Risk assessment is part of the IT strategic plan along with mission, vision, goals, environmental analysis, strategies, and critical success factors. Typically, a strategic plan covers a five-year time span and is updated annually. IT operational planning begins where strategic planning ends. During operational planning, an organization develops a realistic implementation approach for achieving its vision, based on its available resources.

An IT operational plan consists of three main parts: project descriptions (choice b), resource estimates (choice c), and implementation schedules (choice d). Depending upon its size and the complexity of its projects, an organization may also include the following types of documents as part of its operational plan: security plan summary, information plans, and information technology plans.

(3)Why is an audit committee set up?

  1. To augment the auditing skills
  2. To coordinate, govern, and manage the audit
  3. To review and ensure proper assurance
  4. To review the audit activities on a regular basis


Explanation: An audit committee is set up to review and challenge the assurances made, and maintain a working equation with management and auditors.

(4)What would be undertaken in the initial stages of an IS audit?

  1. Reviewing prior audit findings
  2. Reviewing documentation
  3. Reviewing access controls
  4. Commencing the planning process


Explanation: An audit planning process to identify the objectives, resources, and a risk-based approach is kicked-off in initial stages.

(5)An acquisition plan for IT resources would not include:

  1. Testing considerations
  2. Sourcing procedures
  3. Funding procedures
  4. Contracting considerations

Choice (a) is the correct answer. When an organization decides to acquire computing resources by contracting, it must prepare an acquisition plan. The acquisition plan does not include testing and training considerations (choice a)because it is a part of the implementation plan. The acquisition plan typically includes prospective sources of supplies and services to meet the need (choice b), funding procedures (choice c), contracting considerations (choice d), required performance characteristics, and delivery period requirements.

Domain 3

(1)Software Reverse Engineering occurs when a source code is taken apart to see how it operates to replicate or improve. Which of the given risks are incurred when Reverse Engineering is undertaken?

  1. Confidentiality agreement
  2. License agreement violation
  3. Site agreement violation
  4. Contradiction on the quality of substituted parts


Explanation: Reverse Engineering of the source or a compiled code is legally not permissible, and would imply a legal violation of end-user licensing agreements. Legal issues also arise due to copyright violation, and calls for legal action pertaining to theft of copyright.

(2)Systems and Data modeling have various diagramming methods of representation. A popular method is the Entity-relationship diagrams (ERD). In which of the following options are these methods used?

  1. Flow diagram for data flow through the system
  2. Security controls logical access diagrams
  3. Schedule diagram to detail the activities sequence
  4. Defining database design schema for requirements


Explanation: ERD diagrams are used to define the database structure. An entity-relationship diagram (ERD) details how to structure the data, and the interrelationships with other data. Data flow diagrams are then used to show the business logic and data-transformation procedures.

(3)Error seeding is planted in which of the following phases of a system development life cycle?

  1. Requirements
  2. Design
  3. Implementation
  4. Maintenance

Choice (c) is the correct answer. The purpose of error seeding is to determine whether a set of test cases is adequate. Some known error types are inserted into the program, and the program is executed with the test cases under test conditions. If only some of the seeded errors are found, the test case set is not adequate. One can estimate the number of errors remaining by subtracting the number of real errors found from the total number of real errors. The remaining test effort can then be estimated. If all the seeded errors are found, this indicates that either the test case set is adequate, or that the seeded errors were too easy to find.

(4)The waterfall development model is characterized as using a(n):

  1. Entity-based approach
  2. Risk-based approach
  3. Rule-based approach
  4. Data-based approach

Choice (a) is the correct answer. The entity-based approach has little or no interaction between system development phases similar to the waterfall method. It is procedure-based. Risk-based approach (choice b) is a prototype.

Rule-based approach (choice c) is an expert system. Data-based approach (choice d) is a neural network.

(5)Techniques such as prototyping and simulation cannot be used in which of the following phases of a system development life cycle?

  1. Requirements
  2. Design
  3. Implementation
  4. Maintenance

Choice (d) is the correct answer. The purpose of prototyping is to check the feasibility of implementing a system against the given constraints and to communicate the specifier’s interpretation of the system to the customer, in order to locate misunderstandings. A subset of system functions, constraints, and performance requirements are selected. A prototype is built using high-level tools and is evaluated against the customer’s criteria. The system requirements may be modified as a result of this evaluation. Usually, prototyping is used to define user requirements and design of the system. Simulation or modeling is used to test the functions of a software system, together with its interface to the real environment without modifying the environment in any way. The simulation may be software only or a combination of hardware and software. A model of the system to be controlled by the actual system under test is created. This model mimics the behavior of the controlled system and is for testing purposes only. Although prototyping and simulation can be used in the system maintenance phase, the payback would be less than the development phase. Usually, the scope of system maintenance can be small and minor making it cost prohibitive to the use of prototyping and simulation techniques.


Domain 4

(1)The IS team is building IS control objectives for an organization. Which of the below would not be included?

  1. Disaster recovery plan
  2. Asset Data Owners and Register
  3. Business Continuity plan
  4. IS individual system threats


Explanation: IS control objectives protect the organization from loss due to IS control failures. So, the team would not review individual system threats that are undertaken by individuals as part of risk management.

(2)After a disaster, it is imperative for the organizational members to not only move to the BCP site but also stay behind at the recovery site to monitor recovery operations. Who are these members?

  1. Top management
  2. BCP team
  3. Administration team
  4. Emergency management team members


Explanation: The employees who are designated as Recovery team including its leaders, shift supervisors and operators work to continue operations until recovery is fully restored.

(3)Traffic flow confidentiality uses which of the following security controls?

  1. Traffic padding and address hiding
  2. Testwords and traffic padding
  3. Traffic padding and seals/signatures
  4. Address hiding and seals/signatures

Choice (a) is the correct answer. Traffic flow confidentiality protects against sensitive information being disclosed  by observing network traffic flows. It uses traffic padding and address hiding controls. In traffic padding, “dummy” traffic is generated to confuse the intruder. Address hiding requires that protocol header information is protected from unauthorized attack via cryptographic means. Testwords is an incorrect choice because a string of characters is appended to a transaction by the sending party and verified by the receiving party. A testword is an early-technology realization of a seal or signature used in financial transactions. A seal or signature involves cryptographically generating a value that is appended to a plaintext data item. Both testwords and seals are used to increase the data integrity of financial transactions.

(4)During data backup, which of the below would require special handling?

  1. System files
  2. Library files
  3. Application Files
  4. Database files


Explanation: Special backup procedures must be followed to ensure data integrity of database files which could be open. Typically, users must exit out of the database prior to backup. Otherwise, files are copied to a shadow database or second system where backups are executed without conflict.

(5)Mandatory Access Controls (MAC) use labels. What happens when the label processing is bypassed?

  1. Override MAC security
  2. Overcome RAS security
  3. Resist RBAC security
  4. Implement DAC security


Explanation: A Mandatory access control or MAC system uses labels to enforce security policies. Bypassing label processing would imply that security controls are over ridden in mandatory access control (MAC).

Domain 5

(1)Identifying information assets and their owners is a significant control activity. Social engineering methods can be used to compromise Information assets. Which of the below methods represents social engineering?

  1. Software hacking tool usage to circumvent security
  2. Phishing of sensitive information by an employee
  3. Not using software development standards
  4. Deceiving a person into voluntarily cooperating with the attacker


Explanation: Social engineering refers to the using of tricks and deceit to ensure an otherwise honest person voluntarily cooperates with the attacker. Passwords and access are often procured by asking a user for assistance under guise of a genuine need. But the need would be a covert activity to circumvent security controls.

(2)Auditors are expected to be meticulous and unbiased during evaluation of audit evidence. They apply professional judgment with an attitude of professional skepticism to prevent negligence. Which of the below best indicate the application of professional judgment?

  1. Secrecy
  2. Due care
  3. Confidentiality
  4. Ethics


Explanation: Due care in professional judgment means concern given to protect from a loss. The minimum level of attention needed to prevent fraud or neglect is known as due care.

(3)Management is eventually responsible for putting in place appropriate and proper internal controls. Which of the below controls minimize the impact of an event that has already occurred?

  1. Detective
  2. Corrective
  3. Preventive
  4. Forensics


Explanation: The category of corrective controls is primarily used to reduce or minimize damage after an event has occurred.

(4)Which of the following represents the biggest concern with regard to controls?

  1. Identification of individuals
  2. Authorization
  3. Authorization
  4. Independence


Explanation: Authorization must be separated from all other functions. Changes in activities require separate authorization using the concept of separation of duties or compensating controls. The objective is to prevent an individual from violating an internal control. All control deviations should generate an audit trail, along with awareness of the deviation by management.

(5)What is meant by fiduciary responsibility?

  1. Utilize the information that is obtained for own interests while taking care of the client confidentiality
  2. Work for another person’s benefit and keep the duties as honest and fair in front of personal interests
  3. Follow the client desires and keep it completely confidential even in case of illegal acts. The audit information should never be disclosed by the auditor for protecting the client.
  4. None of the above.


Explanation: Lawyers, accountants, and auditors work on behalf of the interests of their client unless with this, they violate the law. As per law, it is the highest standard of duty for a guardian and trustee.



4 thoughts on “25 CISA Questions-A must know for CISA Aspirants”

Leave a Reply

Your email address will not be published.