Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1081:

  Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

  A. Ensure that the facts presented in the report are correct
  B. Communicate the recommendations lo senior management
  C. Specify implementation dates for the recommendations.
  D. Request input in determining corrective action.
  A. Ensure that the facts presented in the report are correct

  ---

  Explanation

  Ensuring that the facts presented in the report are correct is the most important thing for an IS auditor to do during an exit meeting with an auditee. An IS auditor should confirm that the audit findings and observations are accurate, complete, and supported by sufficient evidence, as well as that the auditee understands and agrees with them. This will help to avoid any misunderstandings or disputes later on, as well as to enhance the credibility and quality of the audit report. The other options are less important things for an IS auditor to do during an exit meeting, as they may involve communicating the recommendations to senior management, specifying implementation dates for the recommendations, or requesting input in determining corrective action.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.5.21 CISA Review Questions, Answers and Explanations Database, Question ID 222

• Question 1082:

  An IS auditor is conducting a pre-implementation review to determine a new system's production readiness. The auditor's PRIMARY concern should be whether:

  A. the project adhered to the budget and target date
  B. users were involved in the quality assurance (QA) testing
  C. there are unresolved high-risk items
  D. benefits realization has been evidenced
  C. there are unresolved high-risk items

  ---

  Explanation

• Question 1083:

  Which of the following is the BEST control to mitigate the risk of shadow IT?

  A. Intrusion detection system (IDS)
  B. Vendor management reviews
  C. Vulnerability scanning
  D. Security awareness training
  D. Security awareness training

  ---

  Explanation

  Explanation

• Question 1084:

  Which of the following is MOST important to consider when creating audit follow-up procedures?

  A. Whether the organization has sufficient funds to address the issue
  B. Whether management has determined if risk is within the organization's risk appetite
  C. Whether follow-up procedures would determine if identified risks have been mitigated
  D. Whether the auditee has allotted sufficient time for the follow-up
  C. Whether follow-up procedures would determine if identified risks have been mitigated

  ---

  Explanation

• Question 1085:

  Which of the following provides the BEST providence that outsourced provider services are being properly managed?

  A. The service level agreement (SLA) includes penalties for non-performance.
  B. Adequate action is taken for noncompliance with the service level agreement (SLA).
  C. The vendor provides historical data to demonstrate its performance.
  D. Internal performance standards align with corporate strategy.
  B. Adequate action is taken for noncompliance with the service level agreement (SLA).

  ---

  Explanation

  Adequate action taken for noncompliance with the service level agreement (SLA) provides the best evidence that outsourced provider services are being properly managed. This shows that the organization is monitoring the performance of the provider and enforcing the terms of the SLA. The other options are not as convincing as evidence of proper management. Option A, the SLA includes penalties for non-performance, is a good practice but does not guarantee that the penalties are actually applied or that the performance is satisfactory. Option C, the vendor provides historical data to demonstrate its performance, is not reliable because the data may be biased or inaccurate. Option D, internal performance standards align with corporate strategy, is irrelevant to the question of outsourced provider management.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, page 2821 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription, QID 1066692

• Question 1086:

  An IS auditor is evaluating the security of an organization's data backup process, which includes the transmission of daily incremental backups to a dedicated offsite server. Which of the following findings poses the GREATEST risk to the organization?

  A. Backup transmissions are not encrypted
  B. Backup transmissions occasionally fail
  C. Data recovery testing is conducted once per year
  D. The archived data log is incomplete
  A. Backup transmissions are not encrypted

  ---

  Explanation

• Question 1087:

  An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data classification in this project?

  A. Information security officer
  B. Database administrator (DBA)
  C. Information owner
  D. Data architect
  C. Information owner

  ---

  Explanation

  The best option for the question is C, information owner. This is because: The information owner is the person or entity that has the authority and responsibility for the business processes and functions that collect, use, store, and dispose of data1. The information owner is accountable for ensuring that the data is handled in compliance with the applicable laws, regulations, policies, and standards, such as the GDPR and the PIPEDA1234. The information owner is in the best position to determine the purpose and necessity of collecting and retaining data, as well as the risks and benefits associated with it1. The information owner should consult with other stakeholders, such as the risk manager, the database administrator (DBA), and the privacy manager, to establish and implement appropriate data classification policies and procedures2. Data classification is the process of organizing data in groups based on their attributes and characteristics, and then assigning class labels that describe a set of attributes that hold true for the corresponding data sets. Data classification helps organizations to identify, manage, protect, and understand their data, as well as to comply with modern data privacy regulations345. Data classification also helps to determine appropriate user access levels, which means defining who can access, modify, share, or delete data based on their roles, responsibilities, and needs345. Therefore, the information owner should be responsible for the data classification in an ERP migration project from local systems to the cloud (option C), as they have the authority and accountability for the data and its protection. The other options are not correct because: The information security officer (option A) is responsible for overseeing and coordinating the security policies and practices of the organization that involve data6. The information security officer should advise and assist the information owner on the best practices and standards for data security, but not determine the data classification. The database administrator (DBA) (option B) is responsible for installing, configuring, monitoring, maintaining, and improving the performance of databases and data stores that contain data5. The DBA should support the information owner in implementing and enforcing the data classification policies and procedures, but not determine them. The data architect (option D) is responsible for designing, modeling, and documenting the logical and physical structures of databases and data stores that contain data7. The data architect should collaborate with the information owner in creating and maintaining the data classification schema and metadata, but not determine them.

• Question 1088:

  Which of the following should an IS auditor validate FIRST when reviewing the security of an organization's IT infrastructure as it relates to Internet of Things (loT) devices?

  A. Identification and inventory of loT devices
  B. Access control and network segmentation for loT devices
  C. Strong password protection for loT devices
  D. Physical security of loT devices
  A. Identification and inventory of loT devices

  ---

  Explanation

• Question 1089:

  Due to a high volume of customer orders, an organization plans to implement a new application for customers to use for online ordering Which type of testing is MOST important to ensure the security of the application prior to go-live?

  A. Stress testing
  B. Vulnerability testing
  C. Regression testing
  D. User acceptance testing (UAT)
  B. Vulnerability testing

  ---

  Explanation

• Question 1090:

  Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

  A. Analyze whether predetermined test objectives were met.
  B. Perform testing at the backup data center.
  C. Evaluate participation by key personnel.
  D. Test offsite backup files.
  A. Analyze whether predetermined test objectives were met.

  ---

  Explanation

  The best way to determine whether a test of a disaster recovery plan (DRP) was successful is to analyze whether predetermined test objectives were met. Test objectives are specific, measurable, achievable, relevant, and time-bound (SMART) goals that define what the test aims to accomplish and how it will be evaluated. Test objectives should be aligned with the DRP objectives and scope, and should cover aspects such as recovery time objectives (RTOs), recovery point objectives (RPOs), critical business functions, roles and responsibilities, communication channels, backup systems, and contingency procedures. By comparing the actual test results with the expected test objectives, the IS auditor can measure the effectiveness and efficiency of the DRP and identify any gaps or weaknesses that need to be addressed.