Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1051:

  Which of the following ACID property ensures that transaction will bring the database from one valid state to another?

  A. Atomicity
  B. Consistency
  C. Isolation
  D. Durability
  B. Consistency

  ---

  Explanation

  Consistency - The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints,

  cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any

  programming errors do not violate any defined rules.

  For CISA exam you should know below information about ACID properties in DBMS:

  Atomicity - Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. An atomic system must guarantee atomicity in each and every

  situation, including power failures, errors, and crashes. To the outside world, a committed transaction appears (by its effects on the database) to be indivisible ("atomic"), and an aborted transaction does not happen. Consistency - The

  consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers,

  and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not

  violate any defined rules.

  Isolation - The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other. Providing isolation is the main goal of

  concurrency control. Depending on concurrency control method, the effects of an incomplete transaction might not even be visible to another transaction.[citation needed]

  Durability - Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL statements execute, the results need to

  be stored permanently (even if the database crashes immediately thereafter). To defend against power loss, transactions (or their effects) must be recorded in a non-volatile memory.

  The following were incorrect answers:

  Atomicity - Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

  Isolation - The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other.

  Durability - Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors.

  CISA review manual 2014 Page number 218

• Question 1052:

  An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

  A. Implement a new system that can be patched.
  B. Implement additional firewalls to protect the system.
  C. Decommission the server.
  D. Evaluate the associated risk.
  D. Evaluate the associated risk.

  ---

  Explanation

  The first step in addressing a vulnerability is to evaluate the associated risk, which involves assessing the likelihood and impact of a potential exploit. Based on the risk assessment, the appropriate mitigation strategy can be determined, such as implementing a new system, adding firewalls, or decommissioning the server.

  References: ISACA CISA Review Manual 27th Edition, page 280

• Question 1053:

  Which of the following would be MOST important for an IS auditor to review during an audit of an automated continuous monitoring process being used by the finance department?

  A. Resiliency of the monitoring service
  B. Dual control and approvals embedded in processes
  C. Management sign-off of test documentation
  D. Configuration of the monitoring tool
  B. Dual control and approvals embedded in processes

  ---

  Explanation

• Question 1054:

  Stress testing should ideally be carried out under a:

  A. test environment with production workloads.
  B. test environment with test data.
  C. production environment with production workloads.
  D. production environment with test data.
  A. test environment with production workloads.

  ---

  Explanation

  Stress testing is designed to evaluate a system's performance under extreme conditions1. It is typically carried out in a test environment that closely mirrors the production environment, using production workloads1. This approach ensures

  that the test results accurately reflect how the system would perform under similar conditions in the production environment1. Using a test environment also prevents any disruptions or damage to the production environment during testing1.

  References:

  Stress Testing Best Practices: A Seven Steps Model

• Question 1055:

  Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (lDS)?

  A. An increase in the number of identified false positives
  B. An increase in the number of detected Incidents not previously identified
  C. An increase in the number of unfamiliar sources of intruders
  D. An increase in the number of internally reported critical incidents
  B. An increase in the number of detected Incidents not previously identified

  ---

  Explanation

  Signature-based intrusion detection systems (IDS) are systems that compare network traffic with predefined patterns of known attacks, called signatures. The effectiveness of signature-based IDS depends on how well they can detect new or unknown attacks that are not in their signature database. Therefore, an increase in the number of detected incidents not previously identified is the best indicator of the effectiveness of signature-based IDS, as it shows that they can recognize novel or modified attacks.

• Question 1056:

  Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

  A. Temperature sensors
  B. Humidity sensors
  C. Water sensors
  D. Air pressure sensors
  C. Water sensors

  ---

  Explanation

  Water sensors are devices that can detect the presence of water or moisture in a given area. They are often deployed below the floor tiles of a data center to monitor for any water leaks that may damage the equipment or cause electrical hazards. Water sensors can alert the data center staff or trigger an automatic response to prevent or mitigate the water leakage. The other options are not likely to be deployed below the floor tiles of a data center. Temperature sensors and humidity sensors are usually deployed above the floor tiles to measure the ambient conditions of the data center and ensure optimal cooling and ventilation. Air pressure sensors are typically deployed at the air vents or ducts to monitor the airflow and pressure distribution in the data center.

  References: Data Center Environmental Monitoring Water Detection in Data Centers

• Question 1057:

  When testing the accuracy of transaction data, which of the following situations BEST justifies the use of a smaller sample size?

  A. The IS audit staff has a high level of experience.
  B. It is expected that the population is error-free.
  C. Proper segregation of duties is in place.
  D. The data can be directly changed by users.
  B. It is expected that the population is error-free.

  ---

  Explanation

  The best situation that justifies the use of a smaller sample size when testing the accuracy of transaction data is

  B. It is expected that the population is error-free. The sample size is the number of items selected from the population for testing. The sample size depends on various factors, such as the level of confidence, the tolerable error rate, the expected error rate, and the variability of the population. A smaller sample size means that fewer items are tested, which reduces the cost and time of testing, but also increases the sampling risk (the risk that the sample is not representative of the population). One of the factors that affects the sample size is the expected error rate, which is the auditor's best estimate of the proportion of errors in the population before testing. A higher expected error rate means that more errors are likely to be found in the population, which requires a larger sample size to provide sufficient evidence for the auditor's conclusion. A lower expected error rate means that fewer errors are likely to be found in the population, which allows a smaller sample size to provide sufficient evidence for the auditor's conclusion. Therefore, if it is expected that the population is error-free (i.e., the expected error rate is zero or very low), a smaller sample size can be justified. The other situations do not justify the use of a smaller sample size when testing the accuracy of transaction data. A. The IS audit staff has a high level of experience. The IS audit staff's level of experience does not affect the sample size, but rather their ability to design and execute the sampling procedures and evaluate the results. The IS audit staff's level of experience may affect their judgment in selecting and applying sampling methods, but it does not change the statistical or mathematical principles that determine the sample size.

  B. Proper segregation of duties is in place. Proper segregation of duties is an internal control that helps prevent or detect errors or fraud in transaction processing, but it does not affect the sample size. The sample size is based on the characteristics of the population and the objectives of testing, not on the controls in place. Proper segregation of duties may reduce the likelihood or impact of errors or fraud in transaction processing, but it does not eliminate them completely. Therefore, proper segregation of duties does not justify a smaller sample size when testing the accuracy of transaction data.

  C. The data can be directly changed by users. The data's ability to be directly changed by users does not justify a smaller sample size, but rather a larger one. The data's ability to be directly changed by users increases the risk of errors or fraud in transaction processing, which requires a larger sample size to provide sufficient evidence for the auditor's conclusion. The data's ability to be directly changed by users also increases the variability of the population, which affects the sample size.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 2471 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription2 Audit Sampling - AICPA3 How to choose a sample size (for the statistically challenged)

• Question 1058:

  Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?

  A. Real-time audit software
  B. Performance data
  C. Quality assurance (QA) reviews
  D. Participative management techniques
  B. Performance data

  ---

  Explanation

  The best source of information for assessing the effectiveness of IT process monitoring is performance data. Performance data is a type of information that measures and reports on the results or outcomes of IT processes, such as availability, reliability, throughput, response time, or error rate. Performance data can help assess the effectiveness of IT process monitoring by providing quantitative and qualitative indicators of whether IT processes are meeting their objectives, standards, or expectations. The other options are not as good as performance data in assessing the effectiveness of IT process monitoring, as they do not provide direct or objective evidence of IT process results or outcomes. Real-time audit software is a type of tool that can help automate and facilitate audit activities, such as data collection, analysis, or reporting, but it does not provide information on IT process performance. Quality assurance (QA) reviews are a type of activity that can help evaluate and improve the quality of IT processes, products, or services, but they do not provide information on IT process performance. Participative management techniques are a type of method that can help involve and motivate IT staff in decision-making and problem-solving processes, but they do not provide information on IT process performance.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

• Question 1059:

  A sample for testing must include the 80 largest client balances and a random sample of the rest. What should the IS auditor recommend?

  A. Query the database.
  B. Develop an integrated test facility (ITF).
  C. Use generalized audit software.
  D. Leverage a random number generator.
  C. Use generalized audit software.

  ---

  Explanation

  Generalized audit software is a type of computer-assisted audit technique (CAAT) that allows the IS auditor to perform various audit tasks on the data stored in different file formats and databases. Generalized audit software can help the IS

  auditor to select a sample for testing that includes the 80 largest client balances and a random sample of the rest, by using functions such as sorting, filtering, stratifying, and randomizing the data23. Generalized audit software can also help

  the IS auditor to perform other audit procedures on the sample, such as verifying the accuracy, completeness, and validity of the data.

  References:

  1: Generalized Audit Software (GAS) - ISACA

  2: Audit Sampling - ISACA

  3: How to use generalized audit software to perform audit sampling

  4: Generalized Audit Software: A Review of Five Packages

• Question 1060:

  Who is accountable for an organization's enterprise risk management (ERM) program?

  A. Board of directors
  B. Steering committee
  C. Chief risk officer (CRO)
  D. Executive management
  A. Board of directors

  ---

  Explanation