[2026年03月] ベスト Certified Information Systems Auditor 学習ガイドは CISA 試験問題集 [Q424-Q442]

Share

[2026年03月] ベストCertified Information Systems Auditor学習ガイドはCISA試験問題集

CISA認定ガイド問題と解答トレーニング

質問 # 424
In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?

  • A. Automated logging of changes to development libraries
  • B. Procedures that verify that only approved program changes are implemented
  • C. Access controls to prevent the operator from making program modifications
  • D. Additional staff to provide separation of duties

正解:B

解説:
Explanation/Reference:
Explanation:
While it would be preferred that strict separation of duties be adhered to and that additional staff is recruited as suggested in choice B, this practice is not always possible in small organizations. An IS auditor must look at recommended alternative processes. Of the choices, C is the only practical one that has an impact. An IS auditor should recommend processes that detect changes to production source and object code, such as code comparisons, so the changes can be reviewed on a regular basis by a third party. This would be a compensating control process.
Choice A, involving logging of changes to development libraries, would not detect changes to production libraries. Choice D is in effect requiring a third party to do the changes, which may not be practical in a small organization.


質問 # 425
An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

  • A. The spreadsheet is locked down to avoid inadvertent changes
  • B. Access to the spreadsheet is given only to those who require access
  • C. There Is a reconciliation process between the spreadsheet and the finance system
  • D. A separate copy of the spreadsheet is routinely backed up

正解:B

解説:
Access to the spreadsheet is given only to those who require access is the most important control for maintaining the security of data in the spreadsheet. An IS auditor should ensure that the principle of least privilege is applied to limit the access to sensitive financial data and prevent unauthorized disclosure, modification, or deletion. The other options are less important controls that may enhance the accuracy, availability, or integrity of data in the spreadsheet, but not its security. References:
* CISA Review Manual (Digital Version), Chapter 6, Section 6.31
* CISA Review Questions, Answers & Explanations Database, Question ID 210


質問 # 426
During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data any Internet-connected web browser. Which Of the following is the auditors BEST recommendation to prevent unauthorized access?

  • A. Utilize strong anti-malware controls on all computing devices.
  • B. Implement an intrusion detection system (IDS),
  • C. Update security policies and procedures.
  • D. Implement multi-factor authentication.

正解:D

解説:
The best recommendation to prevent unauthorized access in this scenario is to implement multi-factor authentication (MFA). According to the ISACA CISA Study Manual, "MFA is a security technique that requires two or more independent credentials for user authentication. MFA can be used to provide additional security for cloud-based services and applications." Thus, implementing MFA would be an effective way to prevent unauthorized access and maintain a secure environment.
Multi-factor authentication (MFA) is a security measure that requires users to provide two or more pieces of evidence to verify their identity before accessing cloud-based applications and data123. MFA can prevent unauthorized access by making it harder for attackers to compromise user credentials or bypass password protection


質問 # 427
Which of the following should be of GREATEST concern when conducting an audit of software inventory management?

  • A. Development libraries not included in inventory records
  • B. Anti-virus software not regularly upgraded
  • C. Missing licensing paper contracts
  • D. Unlicensed software

正解:D

解説:
Section: The process of Auditing Information System


質問 # 428
Which of the following types of risk are of the most interest to an IS auditor?

  • A. Control, detection, noncompliance, risk of strike
  • B. Unknown, quantifiable, cumulative
  • C. Sampling, control, detection, inherent
  • D. Inherent, noninherent, control, lack of control

正解:C

解説:
The answers including risk of strike, lack of control, and unknown are distracters.


質問 # 429
Which of the following is the PRIMARY objective when encrypting a database?

  • A. Preserving the ability to query data
  • B. Preserving the ability to access data securely
  • C. Protecting data from unauthorized changes
  • D. Protecting data from unauthorized viewing

正解:D


質問 # 430
During a review of operations, it is noted that during a batch update, an error was detected and the database initiated a roll-back. An IT operator stopped the roll-back and re-initiated the update. What should the operator have done PRIOR to re-initiating the update?

  • A. Determined the cause of the error
  • B. Allowed the roll-back to complete
  • C. Scheduled the roll-back for a later time
  • D. Obtained approval before re-initiating the update

正解:B


質問 # 431
Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

  • A. Ensuring evidence is sufficient to support audit conclusions
  • B. Ensuring unauthorized individuals do not tamper with evidence after it has been captured
  • C. Ensuring evidence is labeled to show it was obtained from an approved source
  • D. Ensuring appropriate statistical sampling methods were used

正解:A

解説:
The primary role of an audit reviewer with regard to evidence is to ensure that evidence is sufficient to support audit conclusions. Evidence is the information obtained by the auditor to provide a reasonable basis for the audit opinion or findings. Evidence should be sufficient, reliable, relevant, and useful to support the audit objectives and criteria. The audit reviewer should evaluate the quality and quantity of evidence collected by the auditor and determine if it is adequate to draw valid conclusions and recommendations. Ensuring unauthorized individuals do not tamper with evidence after it has been captured is a role of the auditor, not the audit reviewer. The auditor is responsible for safeguarding the evidence from loss, damage, or alteration during the audit process. The auditor should also document the source, date, and method of obtaining the evidence, as well as any limitations or restrictions on its use or disclosure. Ensuring appropriate statistical sampling methods were used is a role of the auditor, not the audit reviewer. The auditor is responsible for selecting an appropriate sampling method and technique that can provide sufficient evidence to achieve the audit objectives and criteria. The auditor should also document the sampling plan, population, sample size, selection method, evaluation method, and results. Ensuring evidence is labeled to show it was obtained from an approved source is a role of the auditor, not the audit reviewer. The auditor is responsible for labeling the evidence to indicate its origin, nature, and ownership. The auditor should also ensure that the evidence is obtained from reliable and credible sources that can be verified and corroborated. References: ISACA CISA Review Manual 27th Edition, page 295


質問 # 432
Which of the following is the PRIMARY reason an IS auditor should use an IT-related framework as a basis for scoping and structuring an audit?

  • A. It helps ensure comprehensiveness of the review and provides guidance on best practices.
  • B. It provides a foundation to recommend certification of the organization's compliance with the framework.
  • C. It demonstrates to management whether legal and regulatory requirements have been met.
  • D. It simplifies audit planning and reduces resource requirements to complete an audit.

正解:A


質問 # 433
Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?

  • A. Signature-based
  • B. Host-based
  • C. Neural network
  • D. Statistical-based

正解:D

解説:
Section: Protection of Information Assets
Explanation:
A statistical-based IDS relies on a definition of known and expected behavior of systems. Since normal network activity may at times include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. A neural network combines the previous two IDSs to create a hybrid and better system. Host-based is another classification of IDS. Any of the three IDSs above may be host- or network-based.


質問 # 434
Which of the following metrics is the BEST indicator of the performance of a web application

  • A. Average response time
  • B. HTTP server error rate
  • C. Server uptime
  • D. Server thread count

正解:A

解説:
The best indicator of the performance of a web application is the average response time. This metric measures how long it takes for the web server to process and deliver a request from the client. It reflects the user's perception of how fast or slow the web application is, and it affects the user's satisfaction, engagement, and conversion. A low average response time means that the web application is responsive and efficient, while a high average response time means that the web application is sluggish and unreliable.
HTTP server error rate, server thread count, and server uptime are not as good indicators of the performance of a web application as the average response time. HTTP server error rate measures how often the web server fails to handle a request and returns an error code, such as 404 (Not Found) or 500 (Internal Server Error).
This metric indicates the reliability and availability of the web application, but it does not capture how fast or slow the web application is. Server thread count measures how many concurrent requests the web server can handle at a given time. This metric indicates the scalability and capacity of the web application, but it does not capture how long each request takes to process. Server uptime measures how long the web server has been running without interruption. This metric indicates the stability and resilience of the web application, but it does not capture how well the web application performs during that time.
References:
* 10 Key Application Performance Metrics & How to Measure Them - Stackify1
* Measuring performance - Learn web development | MDN2
* Understanding the Basics of Web Performance | BrowserStack3
* 14 Important Website Performance Metrics You Should Be Analyzing4
* Top 8 Web Application Performance Metrics | MetricFire Blog5
* Web Performance Monitoring: A How to Guide for Developers - Stackify6


質問 # 435
An organization's disaster recovery plan should address early recovery of:

  • A. all financial processing applications.
  • B. all information systems processes.
  • C. processing in priority order, as defined by business management.
  • D. only those applications designated by the IS manager.

正解:C

解説:
Explanation/Reference:
Explanation:
Business management should know which systems are critical and when they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting the general user management in successfully performing their jobs.


質問 # 436
Which of the following would be MOST important for an IS auditor to verify when conducting a business continuity audit?

  • A. Human safety procedures are in place
  • B. Data backups are performed on a timely basis
  • C. insurance coverage is adequate and premiums are current
  • D. A recovery site is contracted for and available as needed

正解:A

解説:
Section: Protection of Information Assets
Explanation:
The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.


質問 # 437
Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?

  • A. To analyze workflows in order to optimize business processes and eliminate tasks that do not provide value
  • B. To evaluate the cost-benefit of tools implemented to monitor control performance
  • C. To assess the functionality of a software deliverable based on business processes
  • D. To enable conclusions about the performance of the processes and target variances for follow-up analysis

正解:D

解説:
Comprehensive and Detailed in-Depth Explanation:
The primary role of KPIs is to provide measurable insights into the performance of business processes and identify variances that may require corrective actions. KPIs help organizations understand whether their processes are achieving desired outcomes and where improvements are needed.
While Option A discusses workflow optimization, it is a secondary benefit rather than the primary purpose.
Options B and C do not accurately describe the core purpose of KPIs.
ISACA CISA Reference: Domain 1 - Information System Auditing Process


質問 # 438
Which of ihe following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?

  • A. Obtain a complete listing of assets fundamental to the entity's businesses.
  • B. Identify aggregate residual IT risk for each business line.
  • C. Obtain a complete listing of the entity's IT processes
  • D. Identify key control objectives for each business line's core processes

正解:A


質問 # 439
Which of the following is the MOST important issue for an IS auditor to consider with regard to VoIP communications?

  • A. Identity management
  • B. Homogeneity of the network
  • C. Continuity of service
  • D. Nonrepudiation

正解:A

解説:
Section: Protection of Information Assets


質問 # 440
Which of the following is the BEST way to minimize sampling risk?

  • A. Perform statistical sampling
  • B. Use a larger sample size
  • C. Perform judgmental sampling
  • D. Enhance audit testing procedures

正解:A

解説:
Explanation
Sampling risk is the risk that the auditor's conclusion based on a sample may be different from the conclusion that would be reached if the entire population was tested using the same audit procedure. Sampling risk can lead to either incorrect rejection or incorrect acceptance of the audit objective. The best way to minimize sampling risk is to perform statistical sampling. Statistical sampling is a method of selecting and evaluating a sample using probability theory and mathematical calculations. Statistical sampling allows auditors to measure and control the sampling risk by determining the appropriate sample size and selection method, and evaluating the results using confidence levels and precision intervals. Statistical sampling can also provide more objective and consistent results than judgmental sampling, which relies on the auditor's professional judgment and experience.
References:
6: Sampling Risks: Definition, Example, and Explanation - Wikiaccounting
7: Sampling Risk in Audit | Sampling vs non sampling risk - Accountinguide
9: Audit sampling | ACCA Qualification | Students | ACCA Global


質問 # 441
The GREATEST benefit in implementing an expert system is the:

  • A. reduction of employee turnover in key departments.
  • B. sharing of knowledge in a central repository.
  • C. capturing of the knowledge and experience of individuals in an organization.
  • D. enhancement of personnel productivity and performance.

正解:C

解説:
The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. Coding and entering the knowledge in a central repository, shareable within the enterprise, is a means of facilitating the expert system. Enhancing personnel productivity and performance is a benefit; however, it is not as important as capturing the knowledge and experience. Employee turnover is not necessarily affected by an expert system.


質問 # 442
......

ベストISACA CISA学習ガイドと問題集は2026年に更新されました:https://www.goshiken.com/ISACA/CISA-mondaishu.html

CISA認定お試しPDF最新CISA問題集:https://drive.google.com/open?id=1TwVYkFsKymBebajO32VBI-zK42rU-rhi