Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1111:

  Which of the following is MOST likely to be reduced when implementing optimal risk management strategies?

  A. Sampling risk
  B. Residual risk
  C. Detection risk
  D. Inherent risk
  D. Inherent risk

  ---

  Explanation

• Question 1112:

  In a review of the organization standards and guidelines for IT management, which of the following should be included in an IS development methodology?

  A. Value-added activity analysis
  B. Risk management techniques
  C. Access control rules
  D. Incident management techniques
  B. Risk management techniques

  ---

  Explanation

  Risk management techniques should be included in an IS development methodology. An IS development methodology is a set of guidelines, standards, and procedures that provide a structured and consistent approach to developing information systems. A good IS development methodology should cover all the phases of the system development life cycle (SDLC), from planning and analysis to design, implementation, testing, and maintenance. Risk management techniques are an essential part of an IS development methodology, as they help to identify, assess, prioritize, mitigate, monitor, and communicate the risks that may affect the success of the system development project. Risk management techniques can also help to ensure that the system meets the requirements and expectations of the stakeholders, complies with the relevant laws and regulations, and delivers value to the organization. The other options are not as relevant or appropriate as risk management techniques for an IS development methodology. Value-added activity analysis is a technique for evaluating the efficiency and effectiveness of business processes, but it is not specific to IS development. Access control rules are policies and mechanisms for restricting or granting access to information systems and resources, but they are more related to security management than IS development4. Incident management techniques are methods for handling and resolving incidents that disrupt the normal operation of information systems and services, but they are more related to service management than IS development.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 1911 ISACA, CISA Review Manual, 27th Edition, 2019, p. 1942 Value-Added Activity Analysis Access Control Rules Incident Management Techniques

• Question 1113:

  Which of the following can BEST reduce the impact of a long-term power failure?

  A. Power conditioning unit
  B. Emergency power-off switches
  C. Battery bank
  D. Redundant power source
  D. Redundant power source

  ---

  Explanation

• Question 1114:

  Upon completion of audit work, an IS auditor should:

  A. provide a report to senior management prior to discussion with the auditee.
  B. distribute a summary of general findings to the members of the auditing team.
  C. provide a report to the auditee stating the initial findings.
  D. review the working papers with the auditee.
  B. distribute a summary of general findings to the members of the auditing team.

  ---

  Explanation

  Upon completion of audit work, an IS auditor should distribute a summary of general findings to the members of the auditing team. This is to ensure that the audit team members are aware of the audit results, have an opportunity to provide feedback, and can agree on the audit conclusions and recommendations. Providing a report to senior management prior to discussion with the auditee, providing a report to the auditee stating the initial findings, and reviewing the working papers with the auditee are not appropriate actions for an IS auditor to take upon completion of audit work, as they may compromise the audit independence, objectivity, and quality.

  References: ISACA CISA Review Manual 27th Edition, page

• Question 1115:

  An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

  A. Capacity management plan
  B. Training plans
  C. Database conversion results
  D. Stress testing results
  D. Stress testing results

  ---

  Explanation

  The first thing that an IS auditor should review when finding that transaction processing times in an order processing system have significantly increased after a major release is stress testing results. Stress testing is a type of testing that evaluates how a system performs under extreme or abnormal conditions, such as high volume, load, or concurrency of transactions. Stress testing results can help explain why transaction processing times in an order processing system have significantly increased after a major release by revealing any bottlenecks, limitations, or errors in the system's capacity, performance, or functionality under stress. The other options are not as relevant as stress testing results in explaining why transaction processing times in an order processing system have significantly increased after a major release, as they do not directly measure how the system performs under extreme or abnormal conditions. Capacity management plan is a document that defines and implements the processes and activities for ensuring that the system has adequate resources and capabilities to meet current and future demands. Training plans are documents that define and implement the processes and activities for ensuring that the system users have adequate skills and knowledge to use the system effectively and efficiently. Database conversion results are outcomes or outputs of transforming data from one format or structure to another to suit the system's requirements or specifications.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

• Question 1116:

  Which of the following should be the GREATEST concern for an IS auditor reviewing recent disaster recovery operations?

  A. The recovery point objective (RPO) was not defined.
  B. Test data was lost during a recovery operation.
  C. A warm site was used as a recovery strategy.
  D. A full backup was only performed once a week.
  A. The recovery point objective (RPO) was not defined.

  ---

  Explanation

  Explanation

• Question 1117:

  Which of the following is the BEST approach to validate whether a streaming site can continue to provide service during a period of live streaming with an anticipated high volume of viewers?

  A. Fuzzing
  B. Usability test
  C. Fault grading
  D. Load test
  D. Load test

  ---

  Explanation

  Explanation

• Question 1118:

  Which of the following is the GREATEST risk related to the use of virtualized environments?

  A. The host may be a potential single point of failure within the system.
  B. There may be insufficient processing capacity to assign to guests.
  C. There may be increased potential for session hijacking.
  D. Ability to change operating systems may be limited.
  A. The host may be a potential single point of failure within the system.

  ---

  Explanation

• Question 1119:

  Which of the following is the MOST appropriate control to ensure integrity of online orders?

  A. Data Encryption Standard (DES)
  B. Digital signature
  C. Public key encryption
  D. Multi-factor authentication
  B. Digital signature

  ---

  Explanation

  A digital signature is the most appropriate control to ensure integrity of online orders because it provides a way to verify the authenticity and integrity of the data sent by the sender. A digital signature is created by applying a cryptographic algorithm to the data and attaching the result to the data. The receiver can then use the sender's public key to verify that the data has not been altered or tampered with during transmission. A digital signature also provides non-repudiation, which means that the sender cannot deny sending the data. Data Encryption Standard (DES) is a symmetric encryption algorithm that can provide confidentiality of online orders, but not integrity. DES uses the same key to encrypt and decrypt the data, which means that anyone who has the key can modify the data without detection. Public key encryption is an asymmetric encryption algorithm that can also provide confidentiality of online orders, but not integrity. Public key encryption uses a pair of keys: a public key and a private key. The sender encrypts the data with the receiver's public key, and the receiver decrypts it with their own private key. However, public key encryption does not prevent anyone from modifying the encrypted data. Multi-factor authentication is a control that can provide authentication and authorization of online orders, but not integrity. Multi-factor authentication requires the user to provide two or more pieces of evidence to prove their identity, such as a password, a token, or a biometric factor. Multi-factor authentication can prevent unauthorized access to online orders, but it does not protect the data from being modified after being sent.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 281 1 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription 2

• Question 1120:

  Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

  A. Carbon dioxide
  B. FM-200
  C. Dry pipe
  D. Halon
  A. Carbon dioxide

  ---

  Explanation

  Carbon dioxide fire suppression systems need to be combined with an automatic switch to shut down the electricity supply in the event of activation. This is because carbon dioxide displaces oxygen in the air and can create a suffocation hazard for people in the protected area. Therefore, it is essential to cut off the power source before releasing carbon dioxide to avoid electrical shocks and sparks that could ignite the fire again. Carbon dioxide systems are typically used for total flooding applications in spaces that are not habitable, such as server rooms or data centers.