Study Smarter for the CISA Exam with Our Free and Reliable CISA Exam Questions, Updated for 2025.
At Cert Empire, we are dedicated to delivering the most accurate and up-to-date exam questions for students preparing for the ISACA CISA Exam. To make preparation easier, we've made parts of our CISA exam resources free for everyone. You can practice as much as you want with our free CISA practice test.
Question 1
A. Review the list of end users and evaluate for authorization.
This is a substantive test to determine the impact or consequence of the control failure. While useful for risk-rating the finding, it is not the immediate next step after identifying the process-level weakness.
C. Verify management's approval for this exemption.
This action is part of the validation phase to confirm that the observation is a genuine weakness. An auditor should perform this step before concluding that a weakness exists; it is not the next step after making the finding.
D. Obtain a verbal confirmation from IT for this exemption.
Relying on verbal confirmation is contrary to professional auditing standards. Audit evidence must be sufficient, reliable, and verifiable; verbal statements alone do not meet this requirement.
---
1. ISACA, CISA Review Manual, 27th ed., 2019. Chapter 1, "The IS Audit Process," Section: "Communicate Audit Results," p. 53. This section emphasizes that the final report is the primary deliverable for expressing opinions and reporting findings to management, stating, "The final report is the primary deliverable of the audit team... It is the vehicle for expressing opinions and for reporting findings." This establishes reporting as the key action after a finding is concluded.
2. ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 4th ed., 2020. "IS Audit and Assurance Standard 1401 Reporting." Section 3.1 states, "The IS auditor shall, upon completion of the audit, provide a report to the engaging party or other responsible parties as required." This standard mandates reporting as the formal action upon completion of audit work on a specific area.
3. ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 4th ed., 2020. "IS Audit and Assurance Guideline 2401 Reporting." Section G3, "Communication of Results," notes, "IS auditors should communicate results to the appropriate parties... Timely reporting is important to enable prompt corrective action." This highlights that the purpose of reporting is to trigger management action.
Question 2
B. Technical co-sourcing is a valid option to fill skill gaps but is not the most important first step; the primary action is to effectively utilize the existing team's skills.
C. A certification demonstrates a general level of competence but does not guarantee the specific skills needed for a particular audit, which is the core of the proficiency standard.
D. Supervision is covered by a separate standard (ISACA Standard 1006) and, while essential for quality, it cannot compensate for a fundamental lack of required skills within the team.
---
1. ISACA. (2022). CISA Review Manual, 27th Edition. Chapter 1, The Process of Auditing Information Systems, Section: ISACA IS Audit and Assurance Standards. The manual explains that the audit function must have the collective skills and expertise to perform the audit, and the audit manager is responsible for ensuring that staff are competent for their assigned roles.
2. ISACA. (2014). ITAF: A Professional Practices Framework for IS Audit/Assurance, 4th Edition. Standard S2: Independence, Professional Ethics and Professionalism, Guideline G2 Proficiency. This guideline states, "The IS audit and assurance function should assess the skills and knowledge required to complete the planned audit and assurance work... and ensure that it has sufficient and appropriate resources to complete the work." This directly supports assigning work based on assessed skills.
3. ISACA. (2014). ITAF: A Professional Practices Framework for IS Audit/Assurance, 4th Edition. Standard 1202: Proficiency, Section 1202.2. This section explicitly states, "The IS audit and assurance function should be collectively competent, having the skills and knowledge to perform the audit work." This emphasizes the team's combined ability, which is best achieved by aligning tasks with individual strengths.
Question 3
A. It is under the control of the sender, who uses their private key to create it; the receiver only uses the public key to verify it.
B. Its primary functions are authentication, integrity, and non-repudiation. Authorization is a separate process of granting permissions, although a signature can support it.
C. It provides a static integrity check for data at the point of verification. It does not dynamically validate ongoing modifications after signing.
1. ISACA. (2019). CISA Review Manual, 27th Edition. Domain 5: Protection of Information Assets, Section 5.2.5 Cryptography. The manual explains that a digital signature is created using a private key that is unique to the signer, providing authentication, integrity, and non-repudiation.
2. National Institute of Standards and Technology (NIST). (2013). FIPS PUB 186-4, Digital Signature Standard (DSS). Section 1, Introduction, p. 1. The standard specifies, "A digital signature is a cryptographic value that is calculated from the data and a secret key held by the signer." This directly links the signature to the unique control of the sender.
3. Rivest, R. L., Shamir, A., & Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120-126. https://doi.org/10.1145/359340.359342. The foundational paper on RSA describes the signing process as being dependent on the signer's secret key (private key), making the signature unique to that entity.
Question 4
A. This is a specific operational risk that may occur as a consequence of poor governance, not the fundamental structural problem itself.
B. This is a symptom of the core issue. Without defined decision-making entities, there is no one to formally establish and enforce the organization's risk appetite.
D. This is a specific example of the broader problem described in option C. The approval entity for standards is one of the "key decision-making entities" that is missing.
1. ISACA, COBIT® 2019 Framework: Introduction and Methodology, 2018. Page 39, Figure 4.4, "Components of a Governance System," lists "Organizational structures" as a core component and defines them as "the key decision-making entities in an enterprise." The absence of this component is therefore the failure to identify these entities.
2. ISACA, CISA Review Manual, 27th Edition, 2019. Chapter 2, Section 2.2, "IT Governance Structure," emphasizes that a primary purpose of the structure is to define the roles and responsibilities for IT decision-making processes to ensure they align with the enterprise's strategies and objectives.
3. De Haes, S., & Van Grembergen, W. (2009). An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment. Information Systems Management, 26(2), 123-137. https://doi.org/10.1080/10580530902794786. The study highlights that IT governance structures (e.g., committees) are the primary mechanisms for decision-making rights and accountability.
Question 5
A. Benchmarking is a performance measurement activity that compares an organization to its peers. It is a useful tool within an established governance framework but does not create or fundamentally improve the structure itself.
B. Implementing KPIs is a management activity to measure progress toward strategic goals. Without a clear, executive-driven strategy, KPIs lack the necessary context and may measure the wrong things.
D. Third-party audits provide independent assurance over existing controls and governance processes. Auditing is a reactive control function, not a proactive measure to establish or improve the core governance direction.
1. ISACA, CISA Review Manual, 27th Edition. Domain 2: Governance and Management of IT, Section 2.2, IT Governance Structure. The manual states, "IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives." This directly supports the principle that leadership's role in strategy is paramount.
2. ISACA, COBIT 2019 Framework: Introduction and Methodology. Governance System Principles, Principle 1: Provide Stakeholder Value. The framework emphasizes that governance is about value creation, which starts with "negotiating and deciding among different stakeholders' value aspirations." This negotiation and decision-making process is led by the governing body (executive management) to set strategy.
3. ISACA, COBIT 2019 Framework: Governance and Management Objectives. APO02 Managed Strategy. A key practice (APO02.02) is to "Assess the current environment, capabilities, and performance." This assessment is done to "articulate an enterprise and IT strategy in which business and IT stakeholders are involved." Executive management are the primary business stakeholders whose involvement is critical for this process to be effective.
Question 6
A. System administrators are responsible for implementing access rights as approved, not for determining the business need or ensuring consistency in assignments, which is a management function.
B. While IT security may assist in the process, they lack the business context to independently decide which rights are excessive. This responsibility properly belongs to business management.
C. This is a reactive control that only addresses terminated employees, failing to cover the broader issue of excessive rights among current employees due to role changes or privilege accumulation.
1. ISACA, CISA Review Manual, 27th Edition, 2019.
Page 278, Section 5.2.4, User Access Review: "A periodic review of user access rights should be performed by the data/system owner to ensure that access is still required for the user's job function... The data/system owner is in the best position to determine whether a user's access is appropriate." (Line management typically fulfills this role for their direct reports).
Page 279, Privilege Creep: "Periodic reviews of user access rights by data/system owners are a key control to detect and correct this condition [privilege creep]."
2. Fenz, S., & Ekelhart, A. (2011). Formalizing Information Security Knowledge. Proceedings of the 44th Hawaii International Conference on System Sciences.
Section 3.2, Access Control: The paper discusses the fundamental principle that access rights should be granted based on business roles and responsibilities. It implicitly supports that the review of these rights must be conducted by those who manage these roles, i.e., line management. (DOI: 10.1109/HICSS.2011.138)
3. Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM, 18(7), 387-408.
Section I.A.3, Principle of Least Privilege: This foundational paper establishes the principle that a subject should be given only those privileges necessary to complete its task. The entity best positioned to define "necessary" privileges is the business or line manager responsible for the task, making their review essential for maintaining this principle. (DOI: 10.1145/360813.360816)
Question 7
A. Alignment of information security with IT objectives is too narrow. Information security must align with the objectives of the entire business, not just the IT department.
C. Integration of business and information security is a critical goal, but it is an outcome that can only be achieved when there is a foundational commitment from management to prioritize it.
D. User accountability for information security is an important operational control, but it cannot be effectively established or enforced without the policies, training, and authority that stem from management's commitment.
1. ISACA, CISA Review Manual, 27th Edition (2019). Domain 4: Information Asset Protection, Section 4.2 Information Security Governance. The manual states, "The success of the information security program is dependent on the commitment of executive management. This commitment is required to obtain the necessary resources and to support the integration of information security practices into all business processes." (p. 229).
2. ISACA, COBIT 2019 Framework: Governance and Management Objectives (2018). Governance Domain: Evaluate, Direct and Monitor (EDM). Specifically, objective EDM01 Ensured Governance Framework Setting and Maintenance emphasizes that the governing body (i.e., senior management) must direct the establishment of a governance system, which includes providing leadership and setting the tone for the entire enterprise.
3. von Solms, B., & von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371-376. https://doi.org/10.1016/j.cose.2004.05.002. The article identifies the lack of top management commitment as a primary reason for the failure of information security initiatives, reinforcing that it is a foundational requirement.
Question 8
B. Encrypting the disk: Encryption protects data but does not erase it. Without destroying the encryption key (a process called cryptographic erase), the data remains fully recoverable.
C. Reformatting: A standard reformat typically only removes pointers to the data in the file system's index, leaving the actual data intact and easily recoverable with common software.
D. Deleting files sequentially: Deleting files merely marks the storage space as available for reuse; the underlying data is not removed and is trivially recovered until overwritten.
1. National Institute of Standards and Technology (NIST). (2014). Special Publication 800-88 Revision 1: Guidelines for Media Sanitization. Section 2.4, "Sanitization Categories," and Appendix A, Table A-2, "Guidelines for Magnetic Disks." The document specifies overwriting as a primary technique for achieving a "Purge" level of sanitization, which protects against laboratory-level recovery attacks. (pp. 7, 29).
2. ISACA. (2019). CISA Review Manual, 27th Edition. Domain 4: Information Systems Operations and Business Resilience, Section 4.5.4, "Media Sanitization, Retention and Disposal." The manual explicitly identifies overwriting as a key method for sanitizing media to prevent the recovery of sensitive information.
3. Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9), 1278-1308. https://doi.org/10.1109/PROC.1975.9939. This foundational paper discusses the principle of secure data handling, including the need for complete erasure (achieved by overwriting) rather than simple deletion, a concept that remains central to modern data disposal standards. (Section E.4, "Erasure of residual information").
Question 9
B. An annual policy acknowledgment is a weak administrative control that provides no timely assurance that the policy is being followed.
C. Annual training is insufficient because the DevOps process described inherently violates traditional SoD; the control must adapt to the process.
D. A weekly review is a detective control. It is less effective than a preventive control (A) because malicious or faulty code could be in production for up to a week before detection.
---
1. ISACA, CISA Review Manual, 27th Edition (2019). Domain 3: Information Systems Acquisition, Development, and Implementation, Section 3.4. The manual emphasizes that when segregation of duties is not feasible (e.g., in small organizations), compensating controls are essential. It states, "Compensating controls for a lack of segregation of duties could include audit trails, reconciliation, exception reporting and transaction logs... Another common compensating control is supervision and review of activities." Peer review (Option A) is a form of this required supervision.
2. ISACA, COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective BAI06: Managed IT Changes. This objective requires that changes are properly managed and deployed. Practice BAI06.05, "Implement and track changes," notes the importance of controlled promotion to production. Where traditional SoD is not possible, compensating controls such as independent review before promotion are necessary to meet the control objective.
3. Deo, S., & Lath, V. (2017). DevOps: An Audit and Security Perspective. ISACA Journal, 4. This article discusses how the DevOps model challenges traditional SoD. It recommends implementing compensating controls, stating, "Peer review of code before check-in is a good practice to ensure that no single developer can push malicious code into the repository." This directly supports the effectiveness of option A as a primary control in a DevOps environment.
Question 10
A. Confidentiality and data protection clauses are legal safeguards to protect sensitive information from unauthorized disclosure but do not provide a mechanism to access the source code.
B. A service level agreement (SLA) defines performance standards, availability, and support metrics but does not grant rights to the underlying source code if those levels are not met.
D. A right-to-audit clause grants the organization the ability to inspect the vendor's processes and controls for compliance, but it does not confer ownership or access to the source code.
---
1. ISACA, CISA Review Manual, 27th Edition. Domain 3: Information Systems Acquisition, Development, and Implementation, Section 3.4.5 Contract Management. The manual explicitly identifies software escrow as a critical control to ensure access to source code in the event of vendor failure, stating, "A software escrow agreement is a common risk mitigation control that places the application source code in the custody of a licensed third party." This ensures the licensee can maintain the software if the vendor goes out of business.
2. ISACA, CISA Glossary. The official ISACA glossary defines "Software Escrow" as: "A legal arrangement whereby a third party holds the source code for a computer program. The source code is released to the licensee if the licensor (software vendor) files for bankruptcy or fails to maintain the software as stipulated in the escrow agreement." This definition directly aligns with the scenario presented in the question.
3. Purdue University, "Software Licensing and Escrow Agreements." Course materials for IT project management and acquisition often highlight escrow as a key risk mitigation tool. These materials explain that when an organization licenses critical software without receiving the source code, it creates a dependency risk that is best managed through an escrow agreement, which provides for the conditional release of the code. (Reference to general principles taught in university-level IT management courses).
Question 11
B. Providing advice on best practices is an acceptable advisory role for an auditor; it does not involve operational decision-making or implementation, thus preserving independence.
C. Participation in a project team in a non-operational, advisory capacity is a common practice that helps ensure controls are considered early, without impairing independence.
D. Designing an embedded audit module is part of the audit function itself. It is a tool for the auditor, not an operational system control, and does not impair independence.
1. ISACA, CISA Review Manual, 27th Edition, 2019. Chapter 1, The Process of Auditing Information Systems, Section on "ISACA IS Audit and Assurance Standards," discusses the standard on independence, stating that auditors should not get involved in the development, implementation, or operation of the systems they audit. (Specifically, Guideline 2003.2 discusses that an IS auditor should not be assigned to audit an IS that he/she previously designed or developed).
2. ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 4th Edition, 2020. Standard 1003 Independence, Section 3.1 states: "IS audit and assurance professionals shall be independent and be seen to be independent of the audited entity in all matters related to the audit." Section 3.3 further clarifies that "IS audit and assurance professionals shall not perform operational duties for the areas being audited."
3. Singleton, T. (2011). The Auditor's Role in System Development. ISACA Journal, Volume 6. This article clarifies the appropriate advisory role of an auditor in system development projects versus the inappropriate operational role. It emphasizes that "auditors should not make design decisions or perform any implementation tasks" to maintain independence for post-implementation reviews.
Question 12
B. Network vulnerability scans are a post-implementation validation step. While crucial for confirming the patch worked, preventing a production failure through prior testing is more important.
C. Vulnerability assessments are the process of identifying the need for patches. The question concerns the process of applying a patch for an already known vulnerability.
D. Defining roles and responsibilities is a foundational governance activity. It is essential for process execution but is not the most critical technical consideration when applying the patch itself.
---
1. ISACA, CISA Review Manual, 27th Edition (2019). Domain 4: Information Systems Operations and Business Resilience, Section 4.4, Change, Configuration and Release Management. The manual emphasizes that all changes, including patches, must be tested in a separate, controlled environment before being promoted to production to minimize the risk of service disruption and ensure the change meets business requirements. This directly supports the primacy of testing.
2. ISACA, COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective BAI06, Managed IT Changes. Specifically, key practice BAI06.02 states the need to "Assess, approve and test all IT changes..." Testing is identified as a core activity to manage the risk associated with changes to the production environment, which is especially critical for mission-critical applications.
3. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-53 Rev. 5, "Security and Privacy Controls for Information Systems and Organizations" (2020). Control family CM (Configuration Management), specifically control CM-4 "Impact Analyses." The control discussion notes that organizations analyze changes to the system to determine potential security and operational impacts. Testing in a non-production environment is a primary method for conducting this impact analysis for patches.
Question 13
A. System interface testing is a verification activity performed during development to find defects; it does not ensure ongoing data integrity in a production environment.
B. User acceptance testing (UAT) is a process to confirm the system meets business requirements before deployment, not a continuous technical control for data integrity.
D. Audit logs are a detective control that records events for subsequent review. They can help identify an integrity failure after it has occurred but do not prevent it.
1. ISACA, CISA Review Manual, 27th Edition. Chapter 3: Information Systems Acquisition, Development, and Implementation, Section 3.4.2 Input/Origination Controls. This section details various validation checks (e.g., sequence check, limit check, reasonableness check, validity check) as key controls to ensure the completeness, accuracy, and validity of data entered into a system, which is directly applicable to data received via an interface.
2. ISACA, "Data Integrity: An Information Security Requirement," White Paper, 2018. Page 6 discusses controls for data integrity, stating, "Input validation is a programming technique that ensures only properly formatted data may enter a software system component." This highlights validation as a primary control for ensuring integrity at data entry points, including system interfaces.
3. Hall, J. A. (2018). Accounting Information Systems (10th ed.). Cengage Learning. Chapter 15, "The Systems Development Life Cycle and System Acquisition," discusses application controls. The section on input controls explicitly describes validation controls (e.g., field check, sign check, limit check) as essential for ensuring that data processing is free from errors, which is the essence of data integrity. This textbook is standard courseware in information systems programs at numerous universities.
Question 14
A. Cameras are not monitored 24/7.
This is an operational weakness affecting the deterrent or reactive value of the CCTV system, but it does not supersede the primary concern of a fundamental privacy violation.
C. The retention period for video recordings is undefined.
This is a data governance issue. While important for data minimization and reducing long-term risk, it is secondary to the immediate privacy infringement of recording without notice.
D. There are no backups of the videos.
This impacts the availability of evidence for investigations. It is a control weakness related to security operations, not the core legal and ethical issue of patient privacy.
---
1. ISACA, CISA Review Manual, 27th Edition (2019). Domain 5: Protection of Information Assets, Section 5.3 Physical Access and Environmental Controls. The manual emphasizes that physical security controls must be implemented in a manner that respects privacy laws and regulations. The lack of notice directly contravenes the privacy principle of transparency, which is a cornerstone of most data protection frameworks. The context of a healthcare facility elevates privacy to the highest level of concern.
2. Ko, R. K., & Lee, S. S. G. (2011). A CISA-based evaluation framework for healthcare information security. International Journal of Security and Its Applications, 5(4), 1-14. This paper discusses the application of CISA principles in healthcare, highlighting that compliance with regulations like HIPAA is a primary driver for security and audit activities. A key aspect of HIPAA's Privacy Rule is providing a notice of privacy practices to patients. Covert surveillance in patient care areas without clear justification and notice would be a significant compliance failure.
3. Gostin, L. O., & Nass, S. (Eds.). (2009). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. National Academies Press (US). Chapter 3, "Privacy and Security in the Electronic Health Information System," discusses the importance of notice and consent as fundamental privacy principles. It states, "The principle of openness and transparency holds that the public should be able to know about the collection, use, and disclosure of personal information." The absence of a notice directly violates this principle. (Available from: https://www.ncbi.nlm.nih.gov/books/NBK20679/)
Question 15
B. Issue the finding without identifying an owner: This is ineffective because a finding without an assigned owner is unlikely to be remediated, defeating the purpose of the audit.
C. Assign shared responsibility to all IT teams: The auditor lacks the authority to assign responsibility. Furthermore, shared responsibility often leads to a diffusion of responsibility where no single team takes action.
D. Determine the most appropriate team and assign accordingly: Assigning responsibility is a management function. The auditor oversteps their authority by making such an assignment, which could be ignored by the team.
---
1. ISACA, CISA Review Manual, 27th Edition. Chapter 1, Section 1.4.11, "Conduct Follow-up," states, "The responsibility for the implementation of the agreed-on recommendations resides with management." This clarifies that while auditors recommend, management is responsible for actioning those recommendations, which includes assigning ownership. When ownership is unclear at the team level, it becomes a management responsibility to resolve.
2. ISACA, ITAF™: A Professional Practices Framework for IS Audit/Assurance, 4th Edition. Guideline 2401.5, "Ownership of the Report," specifies, "However, management is responsible for acting on the report's findings and recommendations." This principle underscores that the auditor's role is to report, and management's role is to act, which includes resolving internal disputes over responsibility for corrective actions.
3. Weber, R. (1999). Information Systems Control and Audit. Prentice Hall. Chapter 3, "The Audit Process," discusses the reporting phase. The text emphasizes that the auditor's report is directed to management and the audit committee, who are empowered to ensure that appropriate corrective actions are taken. Escalating unresolved issues like ownership is a standard part of this communication process.
Question 16
A. Prioritizing by operational risk is a valid component of audit scoping, but it does not provide the foundational structure needed to understand and test against multiple, varied regulatory schemes.
B. Following the most stringent regulation is a corporate compliance strategy, not an audit planning technique. An auditor must validate compliance against all applicable regulations, as some may have unique requirements not covered by the strictest one.
C. A standardized reporting template is a tool for the reporting phase of the audit, ensuring consistency of outputs. It does not assist in the critical upfront planning phase of defining the audit's scope and methodology.
1. ISACA, CISA Review Manual, 27th Edition, 2019. Chapter 1, Section 1.3.2, "Laws, Regulations, and Standards," emphasizes that the IS auditor must identify and understand the legal and regulatory requirements that affect the organization. Using a governance framework is the standard method to organize and manage these diverse requirements for audit purposes.
2. ISACA, COBIT 2019 Framework: Introduction and Methodology, 2018. Page 19, Figure 3.5, lists "Compliance with external laws and regulations" as a key governance objective. The framework is designed to be mapped to specific laws and regulations to provide a single, integrated control structure for managing and auditing compliance.
3. von Solms, R., & von Solms, S. H. (2004). "The 10 deadly sins of information security management." Computers & Security, 23(5), 371-376. This academic article discusses the importance of a top-down, policy-driven approach, which is embodied by an IT governance framework. Mapping regulations to such a framework is a key activity in ensuring comprehensive compliance and auditability. DOI: https://doi.org/10.1016/j.cose.2004.05.002
Question 17
A. Requiring a standard change request to be completed and approved would cause an unacceptable delay in restoring critical services during an emergency outage.
C. Read-only access is insufficient for a programmer to debug and implement a fix, which requires permissions to modify code or system configurations.
D. Reviewing activity logs is a necessary follow-up action, but it does not address the immediate problem of how to grant the programmer the access needed to fix the issue.
1. ISACA, CISA Review Manual, 27th Edition. Domain 3: Information Systems Acquisition, Development, and Implementation, Section 3.4.4, discusses the change management process. It explicitly notes that emergency changes require a defined process that may bypass standard procedures to ensure timely resolution, but must include post-implementation review and documentation. This aligns with providing temporary access and reviewing the activity.
2. ISACA, COBIT 2019 Framework: Governance and Management Objectives. The management objective BAI06, Managed Changes, includes practice BAI06.04, "Manage emergency changes." This practice emphasizes the need for a formal process to handle emergency changes that cannot follow normal procedures, including subsequent review and authorization.
3. ISACA, CISA Review Manual, 27th Edition. Domain 5: Protection of Information Assets, Section 5.2.4, covers identity and access management. The concept of granting temporary privileged access for specific, justified tasks (like an emergency) under heightened monitoring is a core principle of mature access control systems.
Question 18
A. Training personnel do not need to be security professionals; effective communication and teaching skills are often more important for delivering the message.
C. While relevant scenarios enhance training content, their inclusion does not guarantee effectiveness without a way to measure their impact on user behavior.
D. Phishing exercises are a specific tool used to test and measure one aspect of the program's outcome, but establishing the overall metrics (B) is the foundational strategy.
1. ISACA. (2019). CISA Review Manual, 27th Edition. Domain 5: Protection of Information Assets, Section 5.3.3 Security Awareness, Training and Education. The manual emphasizes that security awareness programs should be evaluated for effectiveness, which inherently requires metrics to measure changes in behavior and compliance.
2. Parsons, K., McCormac, A., Butavicius, M., & Pattinson, M. (2014). A new framework for measuring information security awareness. Computers & Security, 42, 99-116. https://doi.org/10.1016/j.cose.2014.02.004. The paper argues that "measuring the effectiveness of awareness initiatives is crucial" (p. 99) and proposes a framework centered on quantifiable metrics to assess knowledge, attitude, and behavior.
3. ISACA. (2018). Measuring the Effectiveness of a Security Awareness Program. ISACA Journal, Volume 6. This article states, "To justify the investment in a security awareness program, it is essential to measure its effectiveness. The metrics should be aligned with the organization's security objectives and should be able to demonstrate a positive change in employee behavior."
Question 19
A. The absence of an IT strategy committee is a governance weakness, but a well-aligned plan can still exist without one.
C. The lack of Key Performance Indicators (KPIs) is a significant issue for measuring success, but it is less critical than the plan's fundamental misalignment with business goals.
D. Lack of formal board approval is a serious governance process failure, but the content and strategic alignment of the plan itself are of greater concern.
---
1. ISACA, CISA Review Manual, 27th Edition (2019). Domain 2: Governance and Management of IT, Section 2.4, IT Strategy. The manual states, "The IT strategic plan must be an integral part of the overall business strategic plan... The focus should be on strategic alignment." This highlights that the primary role of the IT strategy is to support the business strategy.
2. ISACA, COBIT 2019 Framework: Governance and Management Objectives (2018). APO02 Managed Strategy, p. 47. The purpose statement for this management objective is to "Articulate a strategy for the digital transformation of the organization and deliver the desired value through a road map of incremental changes. Use a holistic I&T approach, ensuring that each initiative is clearly connected to an overall strategy." This directly links IT initiatives to the overall strategy.
3. Henderson, J. C., & Venkatraman, N. (1993). Strategic alignment: Leveraging information technology for transforming organizations. IBM Systems Journal, 32(1), 4-16. This foundational academic paper introduces the Strategic Alignment Model (SAM), which posits that the effectiveness of IT is dependent on the tight linkage between business strategy and IT strategy. A failure in this linkage is the most critical strategic failure. (DOI: https://doi.org/10.1147/sj.382.0472. Note: this DOI points to a later reprint of the original article.)
Question 20
B. This describes the function of database auditing or logging tools, which are separate from the concurrency control mechanism of record-locking.
C. This is achieved through access control lists (ACLs), database views, or data validation rules, not through the temporary transactional locking mechanism.
D. This is an oversimplification and is inaccurate. Locking is typically at the record or page level, not the file level, and its purpose is transactional integrity, not general user exclusion.
1. ISACA. (2019). CISA Review Manual, 27th Edition. Domain 5: Protection of Information Assets, Section 5.4.3 Database Management Systems. The manual explains that concurrency controls, such as locking, are essential to "ensure that two users cannot update the same record at the same time," which directly supports the prevention of concurrent update risks.
2. Silberschatz, A., Korth, H. F., & Sudarshan, S. (2019). Database System Concepts (7th ed.). McGraw-Hill. In Chapter 16, "Concurrency Control," Section 16.1 "Lock-Based Protocols," the text states, "A lock is a mechanism to control concurrent access to a data item... to prevent this state [lost update], the transaction T1 must be able to lock the data item."
3. Elmasri, R., & Navathe, S. B. (2016). Fundamentals of Database Systems (7th ed.). Pearson. Chapter 21, "Concurrency Control Techniques," Section 21.1.2 "Types of Locks and System Lock Tables," describes how exclusive locks are used to prevent multiple transactions from modifying a data item concurrently, thus avoiding integrity problems.
Question 21
A. A security guard patrol is a detective and deterrent control, but a guard cannot be at all entry points simultaneously, making it less effective than a physical barrier.
B. Video cameras are primarily a detective control used for monitoring and post-incident investigation; they do not physically prevent unauthorized access.
C. Displaying ID badges is a weak preventive control susceptible to human error, forgery, theft, and social engineering tactics like tailgating.
---
1. ISACA, CISA Review Manual, 27th Edition. Domain 5: Protection of Information Assets, Section 5.3.2, "Data Center Security." The manual describes physical security controls for sensitive areas, highlighting that mantraps are a primary control to prevent tailgating, thereby ensuring only authorized individuals gain entry. It classifies this as a stronger preventive measure compared to guards (deterrent/detective) or cameras (detective).
2. National Institute of Standards and Technology (NIST), Special Publication 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations." Control family PE (Physical and Environmental Protection), Control ID PE-3, "Physical Access Control." This standard details the need to "control ingress/egress to the facility and the system within the facility." Mantraps are a specific implementation of this control that provides a high level of assurance by physically enforcing access policies.
3. Purdue University, Center for Education and Research in Information Assurance and Security (CERIAS), Technical Report 2006-13, "A Look at Physical Security." In the section discussing "Piggybacking and Tailgating" (Page 10), the report identifies these as significant threats and lists mantraps as a key technological countermeasure. This academic source validates the high effectiveness of mantraps in preventing unauthorized physical entry compared to other controls.
Question 22
A. Bank confirmation: This is an audit procedure used to verify cash balances held at a financial institution, not to validate procurement transactions.
B. Goods delivery notification: While this document is a critical part of the three-way match, it only confirms receipt. The purchase order authorizes the transaction itself.
C. Purchase requisition: This is an internal document used to request the purchasing department to place an order; it is not part of the three-way match with the external supplier invoice.
1. ISACA. (2019). CISA Review Manual, 27th Edition. In Domain 3: Information Systems Acquisition, Development, and Implementation, Section 3.5 Application Controls, the manual discusses automated controls within business processes. The three-way match is a classic example of a processing control to ensure transaction integrity in the procure-to-pay cycle, with the Purchase Order being the source authorization document.
2. Romney, M. B., & Steinbart, P. J. (2021). Accounting Information Systems (15th ed.). Pearson. In Chapter 13, "The Expenditure Cycle: Purchasing to Cash Disbursements," the text describes the three-way match: "The accounts payable department is responsible for authorizing payments...by matching the vendor invoice with the corresponding purchase order and receiving report." (p. 405). This highlights the PO as a core component.
3. Hall, J. A. (2018). Accounting Information Systems (10th ed.). Cengage Learning. Chapter 12, "The Expenditure Cycle," explains that the objective of the three-way match is to reconcile the invoice with the purchase order and receiving report "to ensure that the organization pays only for the goods it ordered and received." (p. 521). This establishes the PO as the baseline for what was ordered.
Question 23
A. Reviewing data classification levels evaluates the design of the underlying policy, not the operational effectiveness of the technical control (DLP) that enforces it.
B. Verifying software installation confirms the control's implementation or presence, but does not prove it is configured correctly or is effectively preventing data loss.
C. Conducting interviews is a form of inquiry that gathers subjective evidence; it is not a direct test and is considered less reliable than re-performance or inspection.
1. ISACA, CISA Review Manual, 27th Edition. Chapter 1, Section 1.4.4, "Audit Procedures and Techniques." This section outlines various audit techniques, noting that tests of controls are used to "verify the operational effectiveness of controls." The procedure described in option D is a direct test of a control's effectiveness. The manual also implicitly supports the hierarchy of evidence, where direct testing by the auditor provides stronger assurance than inquiry (interviews) or inspection of configuration (verifying installation).
2. ISACA, IS Audit and Assurance Standard 1205: Audit Evidence, Section 3.3. This standard states, "When designing and performing audit procedures, IS auditors shall evaluate the reliability of the audit evidence." It further explains that evidence is more reliable when it is "obtained directly by the IS auditor rather than indirectly" and "obtained from the IS auditor's direct observation, inspection, calculation or physical examination." Option D represents a direct test and inspection by the auditor, making it the most reliable form of evidence among the choices.
3. ISACA, "IT Control Objectives for Sarbanes-Oxley, 4th Edition," (2020). Page 31, "Testing IT General Controls." The guide describes different testing methods, including inquiry, observation, inspection, and re-performance. It clarifies that "Re-performance provides the highest level of assurance" because it involves the independent execution of procedures or controls. Option D is an example of re-performance.
Question 24
B. Identifying business risks is part of the auditor's analysis, but the primary goal of this discussion is to first confirm the factual basis of the observation.
C. Assisting with control enhancements is a management function; direct involvement by the auditor could impair their professional independence and objectivity.
D. Recording the proposed corrective action is an important outcome of the discussion, but it is secondary to and dependent on management first agreeing with the validity of the observation.
---
1. ISACA, CISA Review Manual, 27th Edition, 2019. Domain 1: The Process of Auditing Information Systems, Section 1.4.7 Communication and Reporting. The manual emphasizes that discussions with management during the closing meeting are essential to "ensure that there have been no misunderstandings or misinterpretations of fact."
2. ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 4th Edition, 2020. Guideline 2401 Reporting, Section 2401.8, "Discussion of Results." This guideline states that one of the key purposes of discussing results with management is to "ensure that the reported findings are factually correct and complete."
3. Singleton, T. (2012). The IIA's New Practice Guide on Internal Auditing and Fraud. ISACA Journal, Volume 6. The article reinforces the audit process, where validating findings with management is a standard practice to ensure accuracy before formal reporting, which is a cornerstone of due professional care.
Question 25
A. Version control issues: While managing specific point-in-time versions can be a concern, it is a lesser risk than the complete and immediate corruption of all recoverable data.
B. Reduced system performance: This is a valid operational concern due to network and I/O overhead, but it can be engineered and managed. It does not represent a catastrophic data recovery failure risk.
D. Increase in IT investment cost: This is a financial factor and a project management concern, not an operational risk to data integrity and recoverability, which is the primary purpose of the system.
1. ISACA, CISA Review Manual, 27th Edition (2019). Domain 4: Information Systems Operations and Business Resilience, Section 4.6.3 Backup and Restoration Schemes. The manual discusses various offsite backup and recovery alternatives, including mirroring (shadowing). It notes that while mirroring provides rapid recovery, a significant disadvantage is that "any corruption to the primary database is immediately replicated to the shadow database." This directly supports the conclusion that the greatest risk is the inability to recover from events that cause data corruption.
2. National Institute of Standards and Technology (NIST), Special Publication 800-34 Rev. 1, "Contingency Planning Guide for Federal Information Systems" (2010). Section 4.2.2, Recovery Strategies. The guide discusses mirrored sites, stating, "Because the alternate site is a mirror image of the primary site, it is vulnerable to the same threats and hazards." This includes logical corruption from malware or attacks, which would be propagated in real-time, undermining the recovery capability.
Question 26
A. Systems design and architecture: While critical for implementing privacy controls, this stage is guided by the requirements already defined. If privacy is not a requirement, it will not be designed into the architecture.
B. Software selection and acquisition: This stage applies to procuring existing software. The selection criteria, including privacy features, must be based on the requirements established beforehand.
C. User acceptance testing (UAT): This is a validation phase to confirm that the system meets its specified requirements. It is far too late and costly to introduce fundamental privacy principles at this point.
1. ISACA. (2019). CISA Review Manual, 27th Edition. Chapter 3: Information Systems Acquisition, Development, and Implementation, Section 3.2.2 Requirements Definition. The manual emphasizes that security and privacy requirements must be identified and documented during this phase to ensure they are built into the system.
2. Cavoukian, A. (2011). Privacy by Design: The 7 Foundational Principles – Implementation and Mapping of Fair Information Practices. Information and Privacy Commissioner of Ontario. The principle of "Proactive not Reactive; Preventative not Remedial" explicitly states that privacy measures should be anticipated and embedded into the design and architecture of IT systems and business practices before the fact. This process begins with requirements.
3. Gürses, S., & van Hoboken, J. (2017). Privacy after the agile turn. In Engineering Privacy and Protest. This academic work discusses that in any development methodology, privacy considerations must be front-loaded into the initial stages, such as requirements gathering, to be effective. (This concept is widely supported in peer-reviewed literature on software engineering and privacy).
Question 27
A. Variable sampling: This method is used to estimate a numerical value, such as the monetary value of an account balance, not for testing the rate of compliance (pass/fail).
B. Random sampling: This is a sample selection technique to ensure each item has an equal chance of being chosen, not the overall sampling methodology for testing a control's effectiveness.
C. Cluster sampling: This is a selection method where the population is divided into groups (clusters). It is a way to draw a sample, not the type of testing performed.
1. ISACA. (2019). CISA Review Manual, 27th Edition. Section 1.4.4, Audit Sampling. The manual states, "Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population... Attribute sampling is generally applied in compliance testing..."
2. Arens, A. A., Elder, R. J., & Beasley, M. S. (2020). Auditing and Assurance Services: An Integrated Approach (17th ed.). Pearson. Chapter 15, "Audit Sampling for Tests of Controls and Substantive Tests of Transactions," explains that auditors use attribute sampling to determine whether controls are operating effectively and the rate of deviation from prescribed procedures.
3. ISACA. (2014). ITAF: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition. Guideline 2204 Audit Sampling, Section 3.3. This guideline details that statistical sampling for compliance testing (tests of controls) involves attribute sampling to conclude on the rate of deviation from a control.
Question 28
A. Hardening systems is a specific technical control; it does not address the fundamental process failure of not learning from past incidents.
B. A SIEM is a tool for detection and analysis. It helps identify incidents but does not inherently fix the process for root cause analysis.
C. A training survey is an indirect approach that assumes a skills gap, which may not be the reason for the recurring process failure.
1. ISACA, CISA Review Manual, 27th Edition (2019). Chapter 4: Information Technology Operations, Section 4.4.3 Incident Management. The manual distinguishes between incident management (restoring normal service) and problem management (determining the root cause of incidents). It states, "The goal of problem management is to prevent incidents from happening, recurring and to minimize the impact of incidents that cannot be prevented." This directly supports that recurring incidents are the domain of problem management.
2. Pollard, C., & Cater-Steel, A. (2009). Justifying the benefits of ITIL: A Tasmanian public sector case study. In Van-Thanh-David, N., & Poru, C. (Eds.), Proceedings of the 13th Pacific Asia Conference on Information Systems (PACIS 2009), Paper 103. This academic paper discusses the implementation of ITIL, noting that "Problem Management aims to resolve the root causes of incidents and thus to minimize the adverse impact of incidents... It also seeks to prevent recurrence of incidents" (Section 2.2, ITIL V3 Service Operation).
3. Iden, J., & Langeland, L. (2010). Setting the Stage for a Successful ITIL Adoption. International Journal of Information Management, 30(5), 411-419. https://doi.org/10.1016/j.ijinfomgt.2010.01.002. The paper clarifies the distinct roles: "Incident management is a reactive process... Problem management is a proactive process initiated to identify and remove the underlying causes of incidents and thereby prevent incidents from recurring" (Table 1, p. 413). This reinforces that recurring incidents are a trigger for problem management.
Question 29
A. Model-based design notations (e.g., BPMN, UML) are tools for visualizing and documenting processes, not comprehensive frameworks for guiding their systematic improvement.
B. A balanced scorecard is a strategic performance management tool used to measure and monitor organizational performance against goals, but it does not provide the methodology for process improvement itself.
D. Project management methodologies are used to manage the execution of an improvement initiative as a project, not to define the framework or goals of the process improvement program.
1. ISACA. (2019). CISA Review Manual, 27th Edition. Domain 2: Governance and Management of IT, Section 2.6.2 Maturity and Process Improvement Models, p. 113. The manual states, "Maturity models... are used to assess the maturity and capability of an organization's processes and to identify areas for process improvement."
2. ISACA. (2018). COBIT 2019 Framework: Introduction and Methodology. Chapter 8: COBIT Performance Management, pp. 51-53. This section details the process capability levels (0-5) which provide a "staged path for process improvement."
3. Paulk, M. C., Curtis, B., Chrissis, M. B., & Weber, C. V. (1993). The Capability Maturity Model: Guidelines for Improving the Software Process. Software Engineering Institute, Carnegie Mellon University. (CMU/SEI-93-TR-024). This foundational document explains that the CMM provides "a framework for organizing evolutionary steps into five maturity levels that lay successive foundations for continuous process improvement."
Question 30
A. Communicating observations for the first time while drafting the report is too late and violates the "no surprises" principle of auditing.
C. While a summary of findings is discussed at the end of fieldwork, individual observations should have been communicated as they were identified, not held until the end.
D. The audit report is a formal documentation of findings that have already been discussed and validated with management; it should not be the initial point of communication.
1. ISACA. (2019). CISA Review Manual, 27th Edition. Section 1.5.4, "Communicating Audit Results," page 67. The manual states, "Throughout the audit, the IS auditor should communicate with management of the area under review to keep them apprised of the progress of the audit and any potential findings." This supports continuous communication during the fieldwork phase.
2. ISACA. (2014). ITAF™: A Professional Practices Framework for IS Audit/Assurance, 4th Edition. Guideline 2206, "Communicating with the Auditee," emphasizes the importance of ongoing communication throughout the audit process to ensure that the auditee is aware of the audit's progress and any issues identified.
3. Weber, R. (2012). Information Systems Control and Audit. Pearson Education. Chapter 20, "The Management of Information Systems Auditing," discusses the audit process, noting that auditors should discuss deficiencies with auditees as they are found to ensure factual accuracy before formal reporting. (This is a widely used textbook in university auditing courses).
Question 31
B. Identifying data workflows is a critical subsequent step, but it can only be done effectively after the sensitive data to be tracked has been identified and classified.
C. A threat analysis is performed against specific assets. To conduct a meaningful analysis for DLP, the organization must first identify and classify the sensitive data assets.
D. Creating DLP policies and templates is a later stage in the process that relies on the completed data classification, workflow analysis, and threat assessment.
1. ISACA, CISA Review Manual, 27th Edition, 2019. Domain 3: Information Systems Acquisition, Development, and Implementation, Section 3.5, "Data Classification." The manual emphasizes that data classification is a prerequisite for applying appropriate security controls, stating that it is "the foundation of a sound information security program." This establishes classification as a primary step before controls (like DLP) are implemented.
2. National Institute of Standards and Technology (NIST), Cybersecurity Framework Version 1.1, April 16, 2018. The framework's first core function is "Identify (ID)." The first category within this function, "Asset Management (ID.AM-1)," specifies that "Physical devices and systems...are inventoried" and "ID.AM-2" specifies "Software platforms and applications...are inventoried." This framework, widely adopted in the industry, places asset identification and management as the initial activity.
3. ISACA Journal, "A Practical Approach to Data Loss Prevention," Volume 4, 2017. This article outlines a phased methodology for DLP implementation. It explicitly states, "The first phase is to identify sensitive data... This involves data discovery and classification to determine what data are sensitive, where they are located, who is using them and how they are being used." This directly supports data inventory and classification as the initial step.
Question 32
A. This describes substantive testing or input validation testing, where an auditor actively attempts to input invalid data, not an analysis of an existing data population.
B. This is a review of documentation to understand control requirements and design, which is a preliminary audit step, not a data analytics procedure.
D. This is a review of system configuration. While it is a valid audit test of control design, it does not involve analyzing transactional data sets.
1. ISACA, CISA Review Manual, 27th Edition. Domain 3: Information Systems Auditing Process, Section 3.4.3 Data Analytics. The manual states, "Data analytics is a key tool that enables auditors to analyze large volumes of data to identify anomalies, exceptions, and noncompliance... It allows for the testing of entire populations of data..." The scenario in option C is a classic example of testing a population for exceptions.
2. ISACA, Data Analytics A Practical Approach, 2011. Page 11, under the section "Attribute Testing," provides examples of data analytics use cases, including "Testing for valid field content." Reviewing new account applications for invalid dates of birth is a direct implementation of this testing approach.
3. Vasarhelyi, M. A., Kogan, A., & Tuttle, B. M. (2015). Big Data in Accounting: An Overview. Accounting Horizons, 29(2), 381-396. https://doi.org/10.2308/acch-51071. This publication discusses how data analytics enables auditors to move from sampling to testing entire populations. On page 385, it notes that auditors can "test entire populations of transactions for anomalies," which directly supports the method described in option C.
Question 33
A. eliminated: End-user testing is a critical control to validate that an acquired package functions correctly within the organization's specific environment and meets its unique business needs.
C. increased: While the testing effort or scope might change, the fundamental need for business validation remains the same. This option is less accurate than stating the need is unchanged.
D. reduced: Vendor testing does not cover the organization's specific data, configurations, integrations with other systems, or business workflows. Reducing user testing introduces significant business risk.
---
1. ISACA, CISA Review Manual, 27th Edition (2019). In Chapter 3, Section 3.2.3, "Acquisition," it is stated that when acquiring application systems, "The same SDLC process should be followed as for in-house development." This implies that essential phases like user acceptance testing are not diminished or eliminated; their necessity remains unchanged.
2. ISACA, CISA Review Manual, 27th Edition (2019). Chapter 3, Section 3.4.6, "Testing Methodologies," defines User Acceptance Testing (UAT) as verifying that a system can support business scenarios. This requirement is universal and not dependent on the software's origin, reinforcing that the need is constant.
3. Vaishnavi, V. K., & Kuechler, W. (2015). Design Science Research Methods and Patterns: Innovating Information and Communication Technology. In discussions of system implementation (Chapter 2, Section 2.2.4), the validation and testing phases are treated as essential for any system being introduced into an organization, whether built or bought, to ensure it meets the specified requirements. The need for this validation is a constant principle.
Question 34
B. Defining transmission conditions is a technical implementation task typically performed by the data custodian, based on the classification set by the owner.
C. The organization's governance function creates the classification policy based on standards; the owner's role is to apply that specific policy to their data.
D. Ensuring documents are handled with appropriate controls is the primary responsibility of the data custodian, who manages the systems storing the data.
---
1. ISACA, CISA Review Manual, 27th Edition (2019), Domain 5: Protection of Information Assets, Section 5.2.2 Information Classification. The manual states, "The data owner is responsible for classifying the information." This section clearly delineates the roles, assigning the act of classification to the owner and the implementation of controls to the custodian.
2. Stanford University, University IT, Information Security Office. "Information Security Roles and Responsibilities." In the section defining the "Data Owner," the first responsibility listed is "Assigning an initial classification to data and periodically reviewing that classification to ensure it is still appropriate." This is official documentation from a reputable academic institution.
3. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection – Information security management systems – Requirements. Annex A, Control A.5.12 "Classification of information," states that "Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification." The implementation guidance for this standard consistently assigns the responsibility for this classification to the information "owner."
Question 35
A. Open access to testing documentation for internal staff is a minor concern regarding information confidentiality, not a critical failure of the change management process itself.
C. While a segregation of duties violation, it is a common and often accepted risk in small IT teams, which can be mitigated with strong compensating controls like activity logging and monitoring.
D. This is a significant weakness, but it occurs after deployment. The failure in UAT (Option B) is a more fundamental breakdown because it allows a potentially flawed system to be approved for production in the first place.
1. ISACA, CISA Review Manual, 27th Edition, Domain 3: Information Systems Acquisition, Development, and Implementation, Section 3.5.7 Testing Methodologies. The manual emphasizes that UAT is performed by users to test against their requirements and is a "critical milestone that determines whether the system is acceptable and ready for implementation." When performed by the IT team, this critical, independent validation is lost.
2. Gallegos, F., & Senft, S. (2009). Information Technology Control and Audit, Third Edition. Auerbach Publications. Chapter 21, "Managing the Systems Development Life Cycle," details the phases of testing. It specifies that User Acceptance Testing is conducted by the end-user to ensure the system functions as expected from a business perspective, distinct from the technical testing performed by the development team.
3. COBIT 2019 Framework: Governance and Management Objectives, BAI07: Manage Change Acceptance and Transitioning. This practice area highlights the need for proper testing and acceptance criteria to be met before transitioning services into production. A key activity is obtaining formal user acceptance, which implies independence from the development team. The framework's core principles separate building (IT team) from running and using (business users), making IT's involvement in UAT a violation of this principle.