Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1101:

  Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?

  A. It demonstrates the maturity of the incident response program.
  B. It reduces the likelihood of an incident occurring.
  C. It identifies deficiencies in the operating environment.
  D. It increases confidence in the team's response readiness.
  D. It increases confidence in the team's response readiness.

  ---

  Explanation

  The primary benefit of a tabletop exercise for an incident response plan is to increase confidence in the team's response readiness (D). A tabletop exercise is a simulated scenario that tests the effectiveness and efficiency of the incident response plan and team. It allows the team to practice their roles and responsibilities, review their procedures and tools, and identify and resolve any gaps or issues in their response process. A tabletop exercise can help the team to improve their skills, knowledge, and communication, and to prepare for real incidents.

• Question 1102:

  Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

  A. Rotate job duties periodically.
  B. Perform an independent audit.
  C. Hire temporary staff.
  D. Implement compensating controls.
  D. Implement compensating controls.

  ---

  Explanation

  The best way to address segregation of duties issues in an organization with budget constraints is to implement compensating controls, which are alternative controls that reduce or eliminate the risk of errors or fraud due to inadequate segregation of duties. Compensating controls may include independent reviews, reconciliations, approvals, or supervisions. Rotating job duties periodically may reduce the risk of collusion or abuse of privileges, but it may also affect operational efficiency and continuity. Performing an independent audit may detect segregation of duties issues, but it does not prevent them. Hiring temporary staff may increase operational costs and introduce new risks.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

• Question 1103:

  Management has decided to accept a risk in response to a draft audit recommendation. Which of the following should be the IS auditor's NEXT course of action?

  A. Document management's acceptance in the audit report.
  B. Escalate the acceptance to the board.
  C. Ensure a follow-up audit is on next year's plan.
  D. Escalate acceptance to the audit committee.
  A. Document management's acceptance in the audit report.

  ---

  Explanation

• Question 1104:

  Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?

  A. Decreased effectiveness of root cause analysis
  B. Decreased overall recovery time
  C. Increased number of false negatives in security logs
  D. Increased demand for storage space for logs
  C. Increased number of false negatives in security logs

  ---

  Explanation

• Question 1105:

  Which of the following BEST indicates that the effectiveness of an organization's security awareness program has improved?

  A. A decrease in the number of information security audit findings
  B. An increase in the number of staff who complete awareness training
  C. An increase in the number of phishing emails reported by employees
  D. A decrease in the number of malware outbreaks
  C. An increase in the number of phishing emails reported by employees

  ---

  Explanation

  The effectiveness of an organization's security awareness program can be measured by capturing data on changes in the way people react to threats, such as the ability to recognize and avoid social engineering attacks1. An increase in the

  number of phishing emails reported by employees indicates that they are more aware of the signs and risks of phishing, and are more likely to take appropriate actions to prevent or mitigate the impact of such attacks23.

  References:

  1:

  The Importance Of Measuring Security Awareness 2: Measuring the effectiveness of your security awareness program 3: How effective is security awareness training? The effectiveness of an organization's security awareness program can

  be measured by capturing data on changes in the way people react to threats, such as the ability to recognize and avoid social engineering attacks1. An increase in the number of phishing emails reported by employees indicates that they are

  more aware of the signs and risks of phishing, and are more likely to take appropriate actions to prevent or mitigate the impact of such attacks23.

  References:

  1:

  The Importance Of Measuring Security Awareness 2: Measuring the effectiveness of your security awareness program 3: How effective is security awareness training?

• Question 1106:

  The IS auditor has identified a potential fraud perpetrated by the network administrator. The IS auditor should:

  A. issue a report to ensure a timely resolution
  B. review the audit finding with the audit committee prior to any other discussions
  C. perform more detailed tests prior to disclosing the audit results
  D. share the potential audit finding with the security administrator
  B. review the audit finding with the audit committee prior to any other discussions

  ---

  Explanation

• Question 1107:

  Which of the following statement correctly describes the difference between QAT and UAT?

  A. QAT focuses on technical aspect of the application and UAT focuses on functional aspect of the application
  B. UAT focuses on technical aspect of the application and QAT focuses on functional aspect of the application
  C. UAT and QAT both focuses on functional aspect of the application
  D. UAT and QAT both focuses on technical aspect of the application
  A. QAT focuses on technical aspect of the application and UAT focuses on functional aspect of the application

  ---

  Explanation

  Final Acceptance Testing -It has two major parts: Quality Assurance Testing(QAT) focusing on the technical aspect of the application and User acceptance testing focusing on functional aspect of the application.

  For CISA exam you should know below types of testing:

  Unit Testing ?The testing of an individual program or module. Unit testing uses set of test cases that focus on control structure of procedural design. These tests ensure internal operation of the programs according to the specification.

  Interface or integration testing ?A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective it to take unit tested module and build an integrated structure

  dictated by design. The term integration testing is also referred to tests that verify and validate functioning of the application under test with other systems, where a set of data is transferred from one system to another.

  System Testing ?A series of tests designed to ensure that modified programs, objects, database schema, etc , which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-

  production test/development environment by software developers designated as a test team. The following specific analysis may be carried out during system testing.

  Recovery Testing ?Checking the system's ability to recover after a software or hardware failure.

  Security Testing ?Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems.

  Load Testing ?Testing an application with large quantities of data to evaluate its performance during peak hour.

  Volume testing ?Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that application can process.

  Stress Testing ?Studying the impact on the application by testing with an incremental umber of concurrent users/services on the application to determine maximum number of concurrent user/service the application can process.

  Performance Testing ?Comparing the system performance to other equivalent systems using well defined benchmarks.

  Final Acceptance Testing ?It has two major parts: Quality Assurance Testing(QAT) focusing on the technical aspect of the application and User acceptance testing focusing on functional aspect of the application. QAT focuses on documented

  specifications and the technology employed. It verifies that application works as documented by testing the logical design and the technology itself. It also ensures that the application meet the documented technical specifications and

  deliverables. QAT is performed primarily by IS department. The participation of end user is minimal and on request. QAT does not focus on functionality testing. UAT supports the process of ensuring that the system is production ready and

  satisfies all documented requirements. The methods include:

  Definition of test strategies and procedure.

  Design of test cases and scenarios

  Execution of the tests.

  Utilization of the result to verify system readiness.

  Acceptance criteria are defined criteria that a deliverable must meet to satisfy the predefined needs of the user. A UAT plan must be documented for the final test of the completed system. The tests are written from a user's perspective and

  should test the system in a manner as close to production possible.

  The following were incorrect answers:

  The other presented options incorrectly describe the difference between QAT and UAT

  CISA review manual 2014 Page number 166

• Question 1108:

  An IS auditor has completed an audit on the organization's IT strategic planning process. Which of the following findings should be given the HIGHEST priority?

  A. The IT strategic plan was completed prior to the formulation of the business strategic plan
  B. Assumptions in the IT strategic plan have not been communicated to business stakeholders
  C. The IT strategic plan was formulated based on the current IT capabilities
  D. The IT strategic plan does not include resource requirements for implementation
  A. The IT strategic plan was completed prior to the formulation of the business strategic plan

  ---

  Explanation

• Question 1109:

  What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

  A. Notify law enforcement of the finding.
  B. Require the third party to notify customers.
  C. The audit report with a significant finding.
  D. Notify audit management of the finding.
  D. Notify audit management of the finding.

  ---

  Explanation

  The IS auditor should notify audit management of the finding first, as this is a significant issue that may affect the audit scope and objectives. The IS auditor should not notify law enforcement or require the third party to notify customers without consulting audit management first. The audit report with a significant finding should be issued after the audit is completed and the findings are validated.

  References: ISACA, CISA Review Manual, 27th Edition, 2018, page 247

• Question 1110:

  Which of the following is the MOST important task of an IS auditor during an application post-implementation review?

  A. Conduct a business impact analysis (BIA)
  B. Perform penetration testing
  C. identify project delays
  D. Verify user access controls
  D. Verify user access controls

  ---

  Explanation