Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1091:

  Which of the following audit include specific tests of control to demonstrate adherence to specific regulatory or industry standard?

  A. Compliance Audit
  B. Financial Audit
  C. Operational Audit
  D. Forensic audit
  A. Compliance Audit

  ---

  Explanation

  A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review

  security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory or industry standard. These

  audits often overlap traditional audits, but may focus on particular system or data.

  What is an audit?

  An audit in general terms is a process of evaluating an individual or organization's accounts. This is usually done by an independent auditing body. Thus, audit involves a competent and independent person obtaining evidence and evaluating

  it objectively with regard to a given entity, which in this case is the subject of audit, in order to establish conformance to a given set of standards. Audit can be on a person, organization, system, enterprise, project or product.

  Compliance Audit

  A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review

  security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory or industry standard. These

  audits often overlap traditional audits, but may focus on particular system or data.

  What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data. For instance, SOX

  requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure. Health care providers that store or transmit e-health records, like personal health information, are

  subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often

  generated by data from event log management software.

  Financial Audit

  A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not

  absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an objective

  independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and

  consequently reduce the cost of capital of the preparer of the financial statements.

  Operational Audit

  Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit financial data may

  be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Operational audit is a more comprehensive form of an Internal audit.

  The Institute of Internal Auditor (IIA) defines Operational Audit as a systematic process of evaluating an organization's effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the

  results of the evaluation along with recommendations for improvement.

  Objectives

  To appraise the effectiveness and efficiency of a division, activity, or operation of the entity in meeting organizational goals.

  To understand the responsibilities and risks faced by an organization.

  To identify, with management participation, opportunities for improving control.

  To provide senior management of the organization with a detailed understanding of the Operations.

  Integrated Audits

  An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to financial information and asset, safeguarding, efficiency and or internal

  auditors and would include compliance test of internal controls and substantive audit step.

  IS Audit

  An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are

  safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of

  attestation engagement.

  The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets

  and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

  Will the organization's computer systems be available for the business at all times when required? (known as availability) Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality) Will

  the information provided by the system always be accurate, reliable, and timely? (measures the integrity) In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing

  those risks.

  Forensic Audit

  Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or irregularities

  (including fraud) and giving preventative advice.

  The purpose of a forensic audit is to use accounting procedures to collect evidence for the prosecution or investigation of financial crimes such as theft or fraud. Forensic audits may be conducted to determine if wrongdoing occurred, or to

  gather materials for the case against an alleged criminal.

  The following answers are incorrect:

  Financial Audit- A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable

  assurance, but not absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework.

  Operational Audit - Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit

  financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. [1] Operational audit is a more comprehensive form of an Internal audit.

  Forensic Audit - Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or

  irregularities (including fraud) and giving preventative advice.

  CISA Review Manual 2014 Page number 47

  http://searchcompliance.techtarget.com/definition/compliance-audit

  http://en.wikipedia.org/wiki/Financial_audit

  http://en.wikipedia.org/wiki/Operational_auditing

  http://en.wikipedia.org/wiki/Information_technology_audit

  http://www.investorwords.com/16445/forensic_audit.html

• Question 1092:

  Which of the following is MOST important for an IS auditor to verify after finding repeated unauthorized access attempts were recorded on a security report?

  A. Password reset requests have been confirmed as legitimate
  B. There is evidence that the incident was investigated
  C. System configuration changes are properly tracked
  D. A comprehensive access policy has been established
  B. There is evidence that the incident was investigated

  ---

  Explanation

• Question 1093:

  Which of the following presents the GREATEST risk to an organization's ability to manage quality control (QC) processes?

  A. Lack of segregation of duties
  B. Lack of a dedicated QC function
  C. Lack of policies and procedures
  D. Lack of formal training and attestation
  C. Lack of policies and procedures

  ---

  Explanation

  The greatest risk to an organization's ability to manage QC processes is the lack of policies and procedures that define the QC objectives, standards, methods, roles, and responsibilities. Without policies and procedures, the QC processes may be inconsistent, ineffective, inefficient, or noncompliant with the relevant regulations and best practices. Policies and procedures provide the foundation and guidance for the QC processes and help to ensure their quality, reliability, and accountability.

  References: ISACA CISA Review Manual, 27th Edition, page 253 Quality Control - an overview | ScienceDirect Topics Quality Control: Meaning, Importance, Definition and Objectives

• Question 1094:

  Which of the following is the PRIMARY reason an IS auditor would recommend offsite backups although critical data is already on a redundant array of inexpensive disks (RAID)?

  A. The array cannot offer protection against disk corruption.
  B. The array cannot recover from a natural disaster.
  C. The array relies on proper maintenance.
  D. Disks of the array cannot be hot-swapped for quick recovery.
  B. The array cannot recover from a natural disaster.

  ---

  Explanation

• Question 1095:

  In a decentralized organization, the selection and purchase of IS products is acceptable as long as which of the following conditions exists?

  A. The same operating system is used throughout the organization.
  B. Various offices are independent and exchange data on an occasional basis.
  C. Acquired items are consistent with the organization's short- and long-term IS strategy plans.
  D. Managers undertake a full cost-benefit analysis before deciding what to purchase.
  C. Acquired items are consistent with the organization's short- and long-term IS strategy plans.

  ---

  Explanation

• Question 1096:

  Which of the following metrics is MOST helpful for evaluating the effectiveness of problem management practices?

  A. The number of recurring incidents that cause downtime
  B. The percentage of incidents resolved within a service level agreement (SLA)
  C. The number of incidents investigated and diagnosed
  D. The average time to detect and prioritize an incident
  A. The number of recurring incidents that cause downtime

  ---

  Explanation

  Explanation

• Question 1097:

  Which of the following is the GREATEST advantage of utilizing guest operating systems m a virtual environment?

  A. They can be logged into and monitored from any location.
  B. They prevent access to the greater environment via Transmission Control Protocol/Internet Protocol (TCP/IP).
  C. They are easier to containerize with minimal impact to the rest of the environment .
  D. They can be wiped quickly in the event of a security breach.
  C. They are easier to containerize with minimal impact to the rest of the environment .

  ---

  Explanation

  Explanation

• Question 1098:

  The PRIMARY objective of a follow-up audit is to:

  A. assess the appropriateness of recommendations.
  B. verify compliance with policies.
  C. evaluate whether the risk profile has changed.
  D. determine adequacy of actions taken on recommendations.
  D. determine adequacy of actions taken on recommendations.

  ---

  Explanation

• Question 1099:

  Which of the following constitutes an effective detective control in a distributed processing environment?

  A. A log of privileged account use is reviewed.
  B. A disaster recovery plan (DRP)4% in place for the entire system.
  C. User IDs are suspended after three incorrect passwords have been entered.
  D. Users are required to request additional access via an electronic mail system.
  A. A log of privileged account use is reviewed.

  ---

  Explanation

• Question 1100:

  Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

  A. Annual sign-off of acceptable use policy
  B. Regular monitoring of user access logs
  C. Security awareness training
  D. Formalized disciplinary action
  C. Security awareness training

  ---

  Explanation

  The most effective control to mitigate unintentional misuse of authorized access is security awareness training. This is because security awareness training can educate users on the proper use of their access rights, the potential consequences of misuse, and the best practices to protect the confidentiality, integrity, and availability of information systems. Security awareness training can also help users recognize and avoid common threats such as phishing, malware, and social engineering. Annual sign-off of acceptable use policy, regular monitoring of user access logs, and formalized disciplinary action are not the most effective controls to mitigate unintentional misuse of authorized access. These controls may help deter or detect intentional misuse, but they do not address the root cause of unintentional misuse, which is often a lack of knowledge or awareness of security policies and procedures.