ISACA CISA Certified Information Systems Auditor Exam Questions

Our CISA Exam Questions deliver authentic, up-to-date content for the ISACA Certified Information Systems Auditor (CISA) certification. Each question is reviewed by auditing and IT governance experts and includes verified answers with clear explanations to strengthen your knowledge of auditing processes, risk management, information systems control, and compliance. With access to our exam simulator, you can practice under real exam conditions and confidently prepare to pass on your first attempt.

Exam Questions

Question 1

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?
Options
A: Review the list of end users and evaluate for authorization.
B: Report this control process weakness to senior management.
C: Verify management's approval for this exemption.
D: Obtain a verbal confirmation from IT for this exemption.
Correct Answer:
Report this control process weakness to senior management.
Explanation
The primary responsibility of an IS auditor, after identifying and validating a control deficiency, is to formally communicate the finding to the appropriate level of management. Reporting the control process weakness ensures that management is officially aware of the risk and can initiate a formal response, such as a remediation plan or a formal risk acceptance. This action is a critical part of the audit process that drives governance and corrective action, fulfilling the auditor's duty to provide an independent assessment of the control environment.
Why Incorrect Options are Wrong

A. Review the list of end users and evaluate for authorization.

This is a substantive test to determine the impact or consequence of the control failure. While useful for risk-rating the finding, it is not the immediate next step after identifying the process-level weakness.

C. Verify management's approval for this exemption.

This action is part of the validation phase to confirm that the observation is a genuine weakness. An auditor should perform this step before concluding that a weakness exists; it is not the next step after making the finding.

D. Obtain a verbal confirmation from IT for this exemption.

Relying on verbal confirmation is contrary to professional auditing standards. Audit evidence must be sufficient, reliable, and verifiable; verbal statements alone do not meet this requirement.

---

References

1. ISACA, CISA Review Manual, 27th ed., 2019. Chapter 1, "The IS Audit Process," Section: "Communicate Audit Results," p. 53. This section emphasizes that the final report is the primary deliverable for expressing opinions and reporting findings to management, stating, "The final report is the primary deliverable of the audit team... It is the vehicle for expressing opinions and for reporting findings." This establishes reporting as the key action after a finding is concluded.

2. ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 4th ed., 2020. "IS Audit and Assurance Standard 1401 Reporting." Section 3.1 states, "The IS auditor shall, upon completion of the audit, provide a report to the engaging party or other responsible parties as required." This standard mandates reporting as the formal action upon completion of audit work on a specific area.

3. ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 4th ed., 2020. "IS Audit and Assurance Guideline 2401 Reporting." Section G3, "Communication of Results," notes, "IS auditors should communicate results to the appropriate parties... Timely reporting is important to enable prompt corrective action." This highlights that the purpose of reporting is to trigger management action.

Question 2

An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?
Options
A: Team member assignments must be based on individual competencies
B: Technical co-sourcing must be used to help the new staff
C: The standard is met as long as one member has a globally recognized audit certification.
D: The standard is met as long as a supervisor reviews the new auditors' work
Correct Answer:
Team member assignments must be based on individual competencies
Explanation
The ISACA IS Audit and Assurance Standard 1202, Proficiency, requires the IS audit function to be collectively competent, possessing the necessary skills and knowledge for the specific audit engagement. In this scenario, the team has complementary skills (IT and business). The most important action to meet the proficiency standard is to leverage these diverse skills effectively. By assigning tasks based on individual competencies, such as having the IT-degreed auditor review technical configurations and the business-degreed auditor assess business process controls, the audit manager ensures the team's collective knowledge is appropriately applied to the audit, thereby satisfying the standard.
Why Incorrect Options are Wrong

B. Technical co-sourcing is a valid option to fill skill gaps but is not the most important first step; the primary action is to effectively utilize the existing team's skills.

C. A certification demonstrates a general level of competence but does not guarantee the specific skills needed for a particular audit, which is the core of the proficiency standard.

D. Supervision is covered by a separate standard (ISACA Standard 1006) and, while essential for quality, it cannot compensate for a fundamental lack of required skills within the team.

---

References

1. ISACA. (2022). CISA Review Manual, 27th Edition. Chapter 1, The Process of Auditing Information Systems, Section: ISACA IS Audit and Assurance Standards. The manual explains that the audit function must have the collective skills and expertise to perform the audit, and the audit manager is responsible for ensuring that staff are competent for their assigned roles.

2. ISACA. (2014). ITAF: A Professional Practices Framework for IS Audit/Assurance, 4th Edition. Standard S2: Independence, Professional Ethics and Professionalism, Guideline G2 Proficiency. This guideline states, "The IS audit and assurance function should assess the skills and knowledge required to complete the planned audit and assurance work... and ensure that it has sufficient and appropriate resources to complete the work." This directly supports assigning work based on assessed skills.

3. ISACA. (2014). ITAF: A Professional Practices Framework for IS Audit/Assurance, 4th Edition. Standard 1202: Proficiency, Section 1202.2. This section explicitly states, "The IS audit and assurance function should be collectively competent, having the skills and knowledge to perform the audit work." This emphasizes the team's combined ability, which is best achieved by aligning tasks with individual strengths.

Question 3

Which of the following BEST describes a digital signature?
Options
A: It is under control of the receiver.
B: It is capable of authorization.
C: It dynamically validates modifications of data.
D: It is unique to the sender using it.
Correct Answer:
It is unique to the sender using it.
Explanation
A digital signature is a cryptographic mechanism used to verify the authenticity and integrity of digital data. It is created using the sender's private key, which is a secret cryptographic key known only to the sender. Because the private key is held exclusively by the sender, the resulting digital signature is uniquely linked to them. This uniqueness is fundamental to providing the core security services of authentication (proving the sender's identity) and non-repudiation (preventing the sender from denying they signed the data).
Why Incorrect Options are Wrong

A. It is under the control of the sender, who uses their private key to create it; the receiver only uses the public key to verify it.

B. Its primary functions are authentication, integrity, and non-repudiation. Authorization is a separate process of granting permissions, although a signature can support it.

C. It provides a static integrity check for data at the point of verification. It does not dynamically validate ongoing modifications after signing.

References

1. ISACA. (2019). CISA Review Manual, 27th Edition. Domain 5: Protection of Information Assets, Section 5.2.5 Cryptography. The manual explains that a digital signature is created using a private key that is unique to the signer, providing authentication, integrity, and non-repudiation.

2. National Institute of Standards and Technology (NIST). (2013). FIPS PUB 186-4, Digital Signature Standard (DSS). Section 1, Introduction, p. 1. The standard specifies, "A digital signature is a cryptographic value that is calculated from the data and a secret key held by the signer." This directly links the signature to the unique control of the sender.

3. Rivest, R. L., Shamir, A., & Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120–126. https://doi.org/10.1145/359340.359342. The foundational paper on RSA describes the signing process as being dependent on the signer's secret key (private key), making the signature unique to that entity.

Question 4

An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?
Options
A: Software developers may adopt inappropriate technology.
B: Project managers may accept technology risks exceeding the organization's risk appetite.
C: Key decision-making entities for technology risk have not been identified
D: There is no clear approval entity for organizational security standards.
Correct Answer:
Key decision-making entities for technology risk have not been identified
Explanation
The primary function of a governance structure is to establish clear roles, responsibilities, and accountability for decision-making. The absence of a defined organizational structure for technology risk governance means there is a fundamental failure to identify and empower the key entities responsible for risk oversight, strategy, and decision-making. This is the root cause of any potential governance failures. All other issues, such as accepting excessive risk or adopting inappropriate technology, are symptoms that stem directly from this foundational weakness. Establishing who makes the decisions is the prerequisite for effective technology risk governance.
Why Incorrect Options are Wrong

A. This is a specific operational risk that may occur as a consequence of poor governance, not the fundamental structural problem itself.

B. This is a symptom of the core issue. Without defined decision-making entities, there is no one to formally establish and enforce the organization's risk appetite.

D. This is a specific example of the broader problem described in option C. The approval entity for standards is one of the "key decision-making entities" that is missing.

References

1. ISACA, COBIT® 2019 Framework: Introduction and Methodology, 2018. Page 39, Figure 4.4, "Components of a Governance System," lists "Organizational structures" as a core component and defines them as "the key decision-making entities in an enterprise." The absence of this component is therefore the failure to identify these entities.

2. ISACA, CISA Review Manual, 27th Edition, 2019. Chapter 2, Section 2.2, "IT Governance Structure," emphasizes that a primary purpose of the structure is to define the roles and responsibilities for IT decision-making processes to ensure they align with the enterprise's strategies and objectives.

3. De Haes, S., & Van Grembergen, W. (2009). An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment. Information Systems Management, 26(2), 123-137. https://doi.org/10.1080/10580530902794786. The study highlights that IT governance structures (e.g., committees) are the primary mechanisms for decision-making rights and accountability.

Question 5

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?
Options
A: Benchmark organizational performance against industry peers
B: Implement key performance indicators (KPIs).
C: Require executive management to draft IT strategy
D: Implement annual third-party audits.
Correct Answer:
Require executive management to draft IT strategy
Explanation
Effective IT governance is fundamentally the responsibility of executive management and the board of directors. The BEST recommendation to improve IT governance is to ensure that this leadership group is directly involved in setting the strategic direction for IT. When executive management drafts the IT strategy, it ensures that IT objectives are aligned with business goals, establishes clear accountability, and provides the necessary authority and resources for execution. This top-down approach is the cornerstone of a robust IT governance framework, upon which other mechanisms like performance measurement (KPIs, benchmarking) and assurance (audits) can be effectively built.
Why Incorrect Options are Wrong

A. Benchmarking is a performance measurement activity that compares an organization to its peers. It is a useful tool within an established governance framework but does not create or fundamentally improve the structure itself.

B. Implementing KPIs is a management activity to measure progress toward strategic goals. Without a clear, executive-driven strategy, KPIs lack the necessary context and may measure the wrong things.

D. Third-party audits provide independent assurance over existing controls and governance processes. Auditing is a reactive control function, not a proactive measure to establish or improve the core governance direction.

References

1. ISACA, CISA Review Manual, 27th Edition. Domain 2: Governance and Management of IT, Section 2.2, IT Governance Structure. The manual states, "IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives." This directly supports the principle that leadership's role in strategy is paramount.

2. ISACA, COBIT 2019 Framework: Introduction and Methodology. Governance System Principles, Principle 1: Provide Stakeholder Value. The framework emphasizes that governance is about value creation, which starts with "negotiating and deciding among different stakeholders' value aspirations." This negotiation and decision-making process is led by the governing body (executive management) to set strategy.

3. ISACA, COBIT 2019 Framework: Governance and Management Objectives. APO02 Managed Strategy. A key practice (APO02.02) is to "Assess the current environment, capabilities, and performance." This assessment is done to "articulate an enterprise and IT strategy in which business and IT stakeholders are involved." Executive management are the primary business stakeholders whose involvement is critical for this process to be effective.

Question 6

During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?
Options
A: System administrators should ensure consistency of assigned rights.
B: IT security should regularly revoke excessive system rights.
C: Human resources (HR) should delete access rights of terminated employees.
D: Line management should regularly review and request modification of access rights
Correct Answer:
Line management should regularly review and request modification of access rights
Explanation
The principle of data ownership places the responsibility for access control decisions with the business. Line management, acting as or on behalf of the data/system owner, possesses the essential business context to determine whether an employee's access rights are appropriate for their current job function. A periodic access review (or recertification) process, initiated and performed by line management, is the most effective control for identifying and rectifying excessive privileges (privilege creep). This ensures that accountability for access rights resides with those who understand the business need, upholding the principle of least privilege.
Why Incorrect Options are Wrong

A. System administrators are responsible for implementing access rights as approved, not for determining the business need or ensuring consistency in assignments, which is a management function.

B. While IT security may assist in the process, they lack the business context to independently decide which rights are excessive. This responsibility properly belongs to business management.

C. This is a reactive control that only addresses terminated employees, failing to cover the broader issue of excessive rights among current employees due to role changes or privilege accumulation.

References

1. ISACA, CISA Review Manual, 27th Edition, 2019.

Page 278, Section 5.2.4, User Access Review: "A periodic review of user access rights should be performed by the data/system owner to ensure that access is still required for the user's job function... The data/system owner is in the best position to determine whether a user's access is appropriate." (Line management typically fulfills this role for their direct reports).

Page 279, Privilege Creep: "Periodic reviews of user access rights by data/system owners are a key control to detect and correct this condition [privilege creep]."

2. Fenz, S., & Ekelhart, A. (2011). Formalizing Information Security Knowledge. Proceedings of the 44th Hawaii International Conference on System Sciences.

Section 3.2, Access Control: The paper discusses the fundamental principle that access rights should be granted based on business roles and responsibilities. It implicitly supports that the review of these rights must be conducted by those who manage these roles, i.e., line management. (DOI: 10.1109/HICSS.2011.138)

3. Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM, 18(7), 387-408.

Section I.A.3, Principle of Least Privilege: This foundational paper establishes the principle that a subject should be given only those privileges necessary to complete its task. The entity best positioned to define "necessary" privileges is the business or line manager responsible for the task, making their review essential for maintaining this principle. (DOI: 10.1145/360813.360816)

Question 7

Which of the following is MOST critical to the success of an information security program?
Options
A: Alignment of information security with IT objectives
B: Management's commitment to information security
C: Integration of business and information security
D: User accountability for information security
Correct Answer:
Management's commitment to information security
Explanation
The success of an information security program is fundamentally dependent on the commitment of senior management. This commitment, often referred to as "tone at the top," establishes the program's authority, secures necessary funding and resources, and ensures that security objectives are aligned with strategic business goals. Without management's active support, any security initiative will struggle to gain traction, enforce policies, or be integrated into the organizational culture. Management commitment is the prerequisite that enables all other aspects of a successful security program, including business integration and user accountability.
Why Incorrect Options are Wrong

A. Alignment of information security with IT objectives is too narrow. Information security must align with the objectives of the entire business, not just the IT department.

C. Integration of business and information security is a critical goal, but it is an outcome that can only be achieved when there is a foundational commitment from management to prioritize it.

D. User accountability for information security is an important operational control, but it cannot be effectively established or enforced without the policies, training, and authority that stem from management's commitment.

References

1. ISACA, CISA Review Manual, 27th Edition (2019). Domain 4: Information Asset Protection, Section 4.2 Information Security Governance. The manual states, "The success of the information security program is dependent on the commitment of executive management. This commitment is required to obtain the necessary resources and to support the integration of information security practices into all business processes." (p. 229).

2. ISACA, COBIT 2019 Framework: Governance and Management Objectives (2018). Governance Domain: Evaluate, Direct and Monitor (EDM). Specifically, objective EDM01 Ensured Governance Framework Setting and Maintenance emphasizes that the governing body (i.e., senior management) must direct the establishment of a governance system, which includes providing leadership and setting the tone for the entire enterprise.

3. von Solms, B., & von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371-376. https://doi.org/10.1016/j.cose.2004.05.002. The article identifies the lack of top management commitment as a primary reason for the failure of information security initiatives, reinforcing that it is a foundational requirement.

Question 8

When physical destruction is not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?
Options
A: Overwriting multiple times
B: Encrypting the disk
C: Reformatting
D: Deleting files sequentially
Correct Answer:
Overwriting multiple times
Explanation
Overwriting, also known as data wiping or sanitization, is the most effective non-destructive method for disposing of sensitive data on a magnetic hard disk. This process writes new data patterns (e.g., all zeros, all ones, or random characters) over the original data across the entire drive. Performing this multiple times effectively eliminates any residual magnetic traces of the original data, making it practically unrecoverable even with advanced laboratory forensic techniques. This method, categorized as "Purging" by NIST, ensures the data is rendered unrecoverable when the media is to be reused or repurposed.
Why Incorrect Options are Wrong

B. Encrypting the disk: Encryption protects data but does not erase it. Without destroying the encryption key (a process called cryptographic erase), the data remains fully recoverable.

C. Reformatting: A standard reformat typically only removes pointers to the data in the file system's index, leaving the actual data intact and easily recoverable with common software.

D. Deleting files sequentially: Deleting files merely marks the storage space as available for reuse; the underlying data is not removed and is trivially recovered until overwritten.

References

1. National Institute of Standards and Technology (NIST). (2014). Special Publication 800-88 Revision 1: Guidelines for Media Sanitization. Section 2.4, "Sanitization Categories," and Appendix A, Table A-2, "Guidelines for Magnetic Disks." The document specifies overwriting as a primary technique for achieving a "Purge" level of sanitization, which protects against laboratory-level recovery attacks. (pp. 7, 29).

2. ISACA. (2019). CISA Review Manual, 27th Edition. Domain 4: Information Systems Operations and Business Resilience, Section 4.5.4, "Media Sanitization, Retention and Disposal." The manual explicitly identifies overwriting as a key method for sanitizing media to prevent the recovery of sensitive information.

3. Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9), 1278-1308. https://doi.org/10.1109/PROC.1975.9939. This foundational paper discusses the principle of secure data handling, including the need for complete erasure (achieved by overwriting) rather than simple deletion, a concept that remains central to modern data disposal standards. (Section E.4, "Erasure of residual information").

Question 9

A small IT department has embraced DevOps, which allows members of this group to deploy code to production and maintain some development access to automate releases. Which of the following is the MOST effective control?
Options
A: Enforce approval prior to deployment by a member of the team who has not taken part in the development.
B: The DevOps team provides an annual policy acknowledgment that they did not develop and deploy the same code.
C: Annual training reinforces the need to maintain segregation between developers and deployers of code
D: The IT compliance manager performs weekly reviews to ensure the same person did not develop and deploy code.
Correct Answer:
Enforce approval prior to deployment by a member of the team who has not taken part in the development.
Explanation
The primary risk in this scenario is the lack of Segregation of Duties (SoD), where a single individual can develop and deploy code, potentially introducing unauthorized or flawed changes into production. The most effective control is a preventative one that directly mitigates this risk. Enforcing a mandatory peer review and approval by a team member who did not write the code serves as a critical compensating control. This "four-eyes principle" ensures oversight before deployment, preventing issues from reaching the production environment. It is more effective than detective controls, which identify problems only after they have occurred.
Why Incorrect Options are Wrong

B. An annual policy acknowledgment is a weak administrative control that provides no timely assurance that the policy is being followed.

C. Annual training is insufficient because the DevOps process described inherently violates traditional SoD; the control must adapt to the process.

D. A weekly review is a detective control. It is less effective than a preventative control (A) because malicious or faulty code could be in production for up to a week before detection.

---

References

1. ISACA, CISA Review Manual, 27th Edition (2019). Domain 3: Information Systems Acquisition, Development, and Implementation, Section 3.4. The manual emphasizes that when segregation of duties is not feasible (e.g., in small organizations), compensating controls are essential. It states, "Compensating controls for a lack of segregation of duties could include audit trails, reconciliation, exception reporting and transaction logs... Another common compensating control is supervision and review of activities." Peer review (Option A) is a form of this required supervision.

2. ISACA, COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective BAI06: Managed IT Changes. This objective requires that changes are properly managed and deployed. Practice BAI06.05, "Implement and track changes," notes the importance of controlled promotion to production. Where traditional SoD is not possible, compensating controls such as independent review before promotion are necessary to meet the control objective.

3. Deo, S., & Lath, V. (2017). DevOps: An Audit and Security Perspective. ISACA Journal, 4. This article discusses how the DevOps model challenges traditional SoD. It recommends implementing compensating controls, stating, "Peer review of code before check-in is a good practice to ensure that no single developer can push malicious code into the repository." This directly supports the effectiveness of option A as a primary control in a DevOps environment.

Question 10

An IS auditor determines that the vendor's deliverables do not include the source code for a newly acquired product. To address this issue, which of the following should the auditor recommend be included in the contract?
Options
A: Confidentiality and data protection clauses
B: Service level agreement (SLA)
C: Software escrow agreement
D: Right-to-audit clause
Correct Answer:
Software escrow agreement
Explanation
A software escrow agreement is a legal arrangement designed to mitigate the risk of vendor failure or non-performance. Under this agreement, the vendor deposits the software's source code and related materials with a neutral third-party escrow agent. The source code is released to the licensee (the acquiring organization) if specific, contractually defined "trigger events" occur, such as the vendor's bankruptcy, failure to provide support, or a material breach of contract. This directly addresses the auditor's concern by providing a mechanism for the organization to gain access to the source code, ensuring business continuity and the ability to maintain the software independently if the vendor can no longer do so.
Why Incorrect Options are Wrong

A. Confidentiality and data protection clauses are legal safeguards to protect sensitive information from unauthorized disclosure but do not provide a mechanism to access the source code.

B. A service level agreement (SLA) defines performance standards, availability, and support metrics but does not grant rights to the underlying source code if those levels are not met.

D. A right-to-audit clause grants the organization the ability to inspect the vendor's processes and controls for compliance, but it does not confer ownership or access to the source code.

---

References

1. ISACA, CISA Review Manual, 27th Edition. Domain 3: Information Systems Acquisition, Development, and Implementation, Section 3.4.5 Contract Management. The manual explicitly identifies software escrow as a critical control to ensure access to source code in the event of vendor failure, stating, "A software escrow agreement is a common risk mitigation control that places the application source code in the custody of a licensed third party." This ensures the licensee can maintain the software if the vendor goes out of business.

2. ISACA, CISA Glossary. The official ISACA glossary defines "Software Escrow" as: "A legal arrangement whereby a third party holds the source code for a computer program. The source code is released to the licensee if the licensor (software vendor) files for bankruptcy or fails to maintain the software as stipulated in the escrow agreement." This definition directly aligns with the scenario presented in the question.

3. Purdue University, "Software Licensing and Escrow Agreements." Course materials for IT project management and acquisition often highlight escrow as a key risk mitigation tool. These materials explain that when an organization licenses critical software without receiving the source code, it creates a dependency risk that is best managed through an escrow agreement, which provides for the conditional release of the code. (Reference to general principles taught in university-level IT management courses).
