Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1161:

  A configuration management audit identified that predefined automated procedures are used when deploying and configuring application infrastructure in a cloud-based environment. Which of the following is MOST important for the IS auditor to review?

  A. Storage location of configuration management documentation
  B. Processes for making changes to cloud environment specifications
  C. Contracts of vendors responsible for maintaining provisioning tools
  D. Number of administrators with access to cloud management consoles
  B. Processes for making changes to cloud environment specifications

  ---

  Explanation

  The IS auditor should review the processes for making changes to cloud environment specifications, as these are the inputs for the predefined automated procedures that deploy and configure the application infrastructure. The IS auditor should verify that the changes are authorized, documented, tested, and approved before they are applied to the cloud environment. The IS auditor should also check that the changes are aligned with the business requirements and do not introduce any security or performance issues.

  References: ISACA CISA Review Manual, 27th Edition, page 254 Configuration Management in Cloud Computing - ScienceDirect Cloud Configuration Management - BMC Software

• Question 1162:

  Which of the following is the MOST important requirement for an IS auditor to evaluate when reviewing a transmission of personally identifiable information (PII) between two organizations?

  A. Completeness
  B. Timeliness
  C. Necessity
  D. Accuracy
  C. Necessity

  ---

  Explanation

• Question 1163:

  In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

  A. hire another person to perform migration to production.
  B. implement continuous monitoring controls.
  C. remove production access from the developers.
  D. perform a user access review for the development team
  C. remove production access from the developers.

  ---

  Explanation

  The best recommendation for a small IT web development company where developers must have write access to production is to remove production access from the developers. Production access is the ability to modify or update the live systems or applications that are used by customers or end users. Production access should be restricted to authorized and qualified personnel only, as any changes or errors in production can affect the functionality, performance, or security of the systems or applications. Developers should not have write access to production, as they may introduce bugs, vulnerabilities, or inconsistencies in the code that can compromise the quality or reliability of the systems or applications. The other options are not as effective as removing production access from the developers, as they do not address the root cause of the problem or provide the same benefits. Hiring another person to perform migration to production is a costly solution that can help segregate the roles and responsibilities of developers and migrators, but it does not remove production access from the developers. Implementing continuous monitoring controls is a good practice that can help detect and correct any issues or anomalies in production, but it does not remove production access from the developers. Performing a user access review for the development team is a detective control that can help verify and validate the access rights and privileges of developers, but it does not remove production access from the developers.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

• Question 1164:

  Which of the following is the BEST sampling method to ensure only active users have access to critical systems?

  A. Substantive testing
  B. Difference estimation
  C. Unstratified mean per unit
  D. Compliance testing
  D. Compliance testing

  ---

  Explanation

• Question 1165:

  Code changes are compiled and placed in a change folder by the developer. An implementation team migrates changes to production from the change folder. Which of the following BEST indicates separation of duties is in place during the migration process?

  A. A second individual performs code review before the change is released to production.
  B. The developer approves changes prior to moving them to the change folder.
  C. The implementation team does not have experience writing code.
  D. The implementation team does not have access to change the source code.
  A. A second individual performs code review before the change is released to production.

  ---

  Explanation

• Question 1166:

  An IS auditor is reviewing an organization's risk management program. Which of the following should be the PRIMARY driver of the enterprise IT risk appetite?

  A. Strategic objectives
  B. Return on investment (ROI)
  C. Cost of implementing controls
  D. Likelihood of risk events
  A. Strategic objectives

  ---

  Explanation

  An organization's IT risk appetite should be primarily driven by its strategic objectives. The risk appetite defines the amount and type of risk the organization is willing to pursue or retain to achieve its goals. Aligning risk appetite with strategic

  objectives ensures that risk- taking is consistent with the organization's mission and vision. While ROI, cost of controls, and the likelihood of risk events are important considerations in risk management, they are factors evaluated within the

  context of the overarching strategic objectives.

  References:

  ISACA CISA Review Manual, 28th Edition, Chapter 2: Governance and Management of IT.

• Question 1167:

  When measuring the effectiveness of a security awareness program, the MOST helpful key performance indicator (KPI) is the number of:

  A. employees who have signed the information security policy.
  B. employees passing a phishing exercise.
  C. employees attending security awareness training.
  D. security incidents detected by tools.
  B. employees passing a phishing exercise.

  ---

  Explanation

• Question 1168:

  An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?

  A. The default configurations have been changed.
  B. All tables in the database are normalized.
  C. The service port used by the database server has been changed.
  D. The default administration account is used after changing the account password.
  A. The default configurations have been changed.

  ---

  Explanation

  Changing the default configurations of a database system is a critical control for securing it from unauthorized access or exploitation. Default configurations often include weak passwords, unnecessary services, open ports, or known vulnerabilities that can be easily exploited by attackers. The other options are not as important as changing the default configurations, as they do not address the root cause of the security risks. Normalizing tables in the database is a design technique for improving data quality and performance, but it does not affect security. Changing the service port used by the database server is a form of security by obscurity, which can be easily bypassed by port scanning tools. Using the default administration account after changing the account password is still risky, as the account name may be known or guessed by attackers.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.4

• Question 1169:

  Which of the following is MOST important for an effective control self-assessment (CSA) program?

  A. Determining the scope of the assessment
  B. Performing detailed test procedures
  C. Evaluating changes to the risk environment
  D. Understanding the business process
  D. Understanding the business process

  ---

  Explanation

  Understanding the business process is the most important factor for an effective control self-assessment (CSA) program. A CSA program is a technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization's risk management and control processes1. A CSA program can help identify risks and potential exposures to achieving strategic business objectives, evaluate the adequacy and effectiveness of controls, and implement remediation plans to address any gaps or weaknesses2. To conduct a successful CSA, it is essential to have a clear and comprehensive understanding of the business process under review, including its objectives, inputs, outputs, activities, resources, dependencies, stakeholders, performance indicators, etc. This will help to identify the relevant risks and controls associated with the process, as well as to evaluate their impact and likelihood. Determining the scope of the assessment, performing detailed test procedures, and evaluating changes to the risk environment are also important factors for an effective CSA program, but not as important as understanding the business process. These factors are more related to the execution and monitoring phases of the CSA program, while understanding the business process is related to the planning and preparation phase. Without a solid understanding of the business process, the scope, testing, and evaluation of the CSA may not be accurate or complete.

  References: ISACA CISA Review Manual 27th Edition, page 310

• Question 1170:

  Which of the following observations should be of GREATEST concern to an IS auditor assessing access controls for the accounts payable module of a finance system?

  A. Payment files are stored on a shared drive in a writable format prior to processing.
  B. Accounts payable staff have access to update vendor bank account details.
  C. The IS auditor was granted access to create purchase orders.
  D. Configured delegation limits do not align to the organization's delegation's policy.
  B. Accounts payable staff have access to update vendor bank account details.

  ---

  Explanation