Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1061:

  Which of the following can only be provided by asymmetric encryption?

  A. Information privacy
  B. 256-brt key length
  C. Data availability
  D. Nonrepudiation
  D. Nonrepudiation

  ---

  Explanation

  The only thing that can be provided by asymmetric encryption is nonrepudiation. Nonrepudiation is the ability to prove that a message or transaction was originated or authorized by a specific party. Asymmetric encryption uses a pair of keys: a public key and a private key. The public key can be shared with anyone, while the private key is kept secret by the owner. If a message is encrypted with the sender's private key, only the sender's public key can decrypt it. This proves that the message was sent by the sender and not by anyone else. This is called digital signature and it provides nonrepudiation. Asymmetric encryption can also provide information privacy by encrypting a message with the receiver's public key, so that only the receiver's private key can decrypt it. However, information privacy can also be provided by symmetric encryption, which uses a single key to encrypt and decrypt messages.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.21 CISA Online Review Course, Domain 3, Module 2, Lesson 12

• Question 1062:

  Which of the following BEST enables an IS auditor to detect incorrect exchange rates applied to outward remittance transactions at a financial institution?

  A. Developing computer-assisted audit techniques (CAATs) during transaction audits
  B. Performing sampling tests on transactions processed at the end of each day
  C. Running continuous auditing scripts at the end of each day
  D. Using supervised machine learning techniques to develop a regression model to predict incorrect input
  A. Developing computer-assisted audit techniques (CAATs) during transaction audits

  ---

  Explanation

• Question 1063:

  An organization's sensitive data is stored in a cloud computing environment and is encrypted. Which of the following findings should be of GREATEST concern to an IS auditor?

  A. The encryption keys are not kept under dual control.
  B. The cloud vendor does not have multi-regional presence.
  C. Symmetric keys are used for encryption.
  D. Data encryption keys are accessible to the service provider.
  D. Data encryption keys are accessible to the service provider.

  ---

  Explanation

• Question 1064:

  An organization used robotic process automation (RPA) technology to develop software bots that extract data from various sources for input into a legacy financial application. Which of the following should be of GREATEST concern to an IS auditor when reviewing the software bot job scheduling and production process automation?

  A. Minor overrides were not authorized by the business
  B. Software bots were incapable of learning from training data
  C. Software bots were programmed to record all user interactions, including mouse tracking
  D. Unauthorized modifications were made to the scripts to improve performance
  D. Unauthorized modifications were made to the scripts to improve performance

  ---

  Explanation

  Explanation

  Unauthorized modifications to scripts (D) pose the greatest risk because they can lead to unintended processing errors, security vulnerabilities, or fraudulent activities.Change management controls should be in place to prevent unauthorized

  script changes.

  Other options:

  Minor overrides not authorized (A)is a concern but does not pose as much risk as unauthorized script changes.

  Bots incapable of learning (B)is a limitation but not a security risk. Recording user interactions (C)raises privacy concerns but is not as critical as unauthorized script modifications.

  ISACA CISA Review Manual, Information Systems Operations and Business Resilience

• Question 1065:

  When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

  A. Implementation plan
  B. Project budget provisions
  C. Requirements analysis
  D. Project plan
  C. Requirements analysis

  ---

  Explanation

  Requirements analysis should be the best thing to compare against the business case when determining whether a project in the design phase will meet organizational objectives, because it defines the functional and non-functional specifications of the project deliverables that should satisfy the business needs and expectations. Requirements analysis can help evaluate whether the project design is aligned with the business case and whether it can achieve the desired outcomes and benefits. Implementation plan, project budget provisions, and project plan are also important aspects of a project in the design phase, but they are not as relevant as requirements analysis for comparing against the business case.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.1

• Question 1066:

  An IS auditor finds the timeliness and depth of information regarding the organization's IT projects varies based on which project manager is assigned. Which of the following recommendations would be A MOST helpful in achieving predictable and repeatable project management processes?

  A. Alignment of project performance to pay incentives
  B. Adoption of business case and earned value templates
  C. Use of Gantt charts and work breakdown structures
  D. Measurement against defined and documented procedures
  B. Adoption of business case and earned value templates

  ---

  Explanation

• Question 1067:

  Which of the following would contribute MOST to employees' understanding of data handling responsibilities?

  A. Requiring staff acknowledgement of security policies
  B. Labeling documents according to appropriate security classification
  C. Implementing a tailored security awareness training program
  D. Demonstrating support by senior management of the security program
  C. Implementing a tailored security awareness training program

  ---

  Explanation

• Question 1068:

  Which of the following is an IS auditor's BEST approach when prepanng to evaluate whether the IT strategy supports the organization's vision and mission?

  A. Review strategic projects tor return on investments (ROls)
  B. Solicit feedback from other departments to gauge the organization's maturity
  C. Meet with senior management to understand business goals
  D. Review the organization's key performance indicators (KPls)
  C. Meet with senior management to understand business goals

  ---

  Explanation

  The best approach for an IS auditor to evaluate whether the IT strategy supports the organization's vision and mission is to meet with senior management to understand the business goals and how IT can enable them. This will help the IS

  auditor to assess the alignment and integration of IT with the business strategy and to identify any gaps or opportunities for improvement. Reviewing ROIs, KPIs, or feedback from other departments may provide some insights, but they are

  not sufficient to evaluate the IT strategy.

  References: IS Audit and Assurance Standards, section "Standard 1201:

  Engagement Planning"

• Question 1069:

  A CIO has asked an IS auditor to implement several security controls for an organization's IT processes and systems. The auditor should:

  A. perform the assignment and future audits with due professional care.
  B. obtain approval from executive management for the implementation.
  C. refuse due to independence issues.
  D. communicate the conflict of interest to audit management.
  D. communicate the conflict of interest to audit management.

  ---

  Explanation

• Question 1070:

  Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

  A. The policy includes a strong risk-based approach.
  B. The retention period allows for review during the year-end audit.
  C. The total transaction amount has no impact on financial reporting.
  D. The retention period complies with data owner responsibilities.
  D. The retention period complies with data owner responsibilities.

  ---

  Explanation

  The most important thing for the organization to ensure when reducing the actual retention period for media containing completed low-value transactions is that the retention period complies with data owner responsibilities. Data owners are accountable for the quality, security, and availability of the data under their control. They are also responsible for defining and enforcing data retention policies that comply with legal, regulatory, contractual, and business requirements. Data owners should be consulted and involved in any decision that affects the retention period of their data, as they are ultimately liable for any consequences of data loss or breach. The policy includes a strong risk-based approach, the retention period allows for review during the year-end audit, and the total transaction amount has no impact on financial reporting are not the most important things for the organization to ensure when reducing the actual retention period for media containing completed low-value transactions. These are possible factors or benefits that may influence or justify the decision, but they do not override or replace the data owner responsibilities.