Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1171:

  Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

  A. Audit cycle defined in the audit plan
  B. Complexity of management's action plans
  C. Recommendation from executive management
  D. Residual risk from the findings of previous audits
  D. Residual risk from the findings of previous audits

  ---

  Explanation

  Residual risk from the findings of previous audits should be the primary basis for prioritizing follow-up audits, because it reflects the level of exposure and potential impact that remains after management has implemented corrective actions or accepted the risk. Follow-up audits should focus on verifying whether the residual risk is within acceptable levels and whether the corrective actions are effective and sustainable. Audit cycle defined in the audit plan, complexity of management's action plans, and recommendation from executive management are not valid criteria for prioritizing follow-up audits, because they do not consider the residual risk from previous audits.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4.3

• Question 1172:

  Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

  A. Monitor and restrict vendor activities
  B. Issues an access card to the vendor.
  C. Conceal data devices and information labels
  D. Restrict use of portable and wireless devices.
  A. Monitor and restrict vendor activities

  ---

  Explanation

  The most effective control to protect information assets in a data center from theft by a vendor is to monitor and restrict vendor activities. A vendor may have legitimate access to the data center for maintenance or support purposes, but they may also have malicious intentions or be compromised by an attacker. By monitoring and restricting vendor activities, the organization can ensure that the vendor only performs authorized tasks and does not access or tamper with sensitive data or equipment. Issuing an access card to the vendor, concealing data devices and information labels, and restricting use of portable and wireless devices are also useful controls, but they are not as effective as monitoring and restricting vendor activities in preventing theft by a vendor.

  References: CISA Review Manual, 27th Edition, page 3381 CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

• Question 1173:

  Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

  A. Ensuring unauthorized individuals do not tamper with evidence after it has been captured
  B. Ensuring evidence is sufficient to support audit conclusions
  C. Ensuring appropriate statistical sampling methods were used
  D. Ensuring evidence is labeled to show it was obtained from an approved source
  B. Ensuring evidence is sufficient to support audit conclusions

  ---

  Explanation

  The primary role of an audit reviewer with regard to evidence is to ensure that evidence is sufficient to support audit conclusions. Evidence is the information obtained by the auditor to provide a reasonable basis for the audit opinion or findings. Evidence should be sufficient, reliable, relevant, and useful to support the audit objectives and criteria. The audit reviewer should evaluate the quality and quantity of evidence collected by the auditor and determine if it is adequate to draw valid conclusions and recommendations. Ensuring unauthorized individuals do not tamper with evidence after it has been captured is a role of the auditor, not the audit reviewer. The auditor is responsible for safeguarding the evidence from loss, damage, or alteration during the audit process. The auditor should also document the source, date, and method of obtaining the evidence, as well as any limitations or restrictions on its use or disclosure. Ensuring appropriate statistical sampling methods were used is a role of the auditor, not the audit reviewer. The auditor is responsible for selecting an appropriate sampling method and technique that can provide sufficient evidence to achieve the audit objectives and criteria. The auditor should also document the sampling plan, population, sample size, selection method, evaluation method, and results. Ensuring evidence is labeled to show it was obtained from an approved source is a role of the auditor, not the audit reviewer. The auditor is responsible for labeling the evidence to indicate its origin, nature, and ownership. The auditor should also ensure that the evidence is obtained from reliable and credible sources that can be verified and corroborated.

  References: ISACA CISA Review Manual 27th Edition, page 295

• Question 1174:

  An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?

  A. When the model was tested with data drawn from a different population, the accuracy decreased.
  B. The data set for training the model was obtained from an unreliable source.
  C. An open-source programming language was used to develop the model.
  D. The model was tested with data drawn from the same population as the training data.
  B. The data set for training the model was obtained from an unreliable source.

  ---

  Explanation

• Question 1175:

  What is the PRIMARY advantage of prototyping as part of systems development?

  A. Maximizes user satisfaction
  B. Eliminates the need for internal controls
  C. Increases accuracy in reporting
  D. Reduces the need for compliance testing
  A. Maximizes user satisfaction

  ---

  Explanation

• Question 1176:

  An organization issues digital certificates to employees to enable connectivity to a web-based application. Which of the following public key infrastructure (PKI) components MUST be included in the application architecture for determining the on-going validity of connections?

  A. Secure hash algorithm (SHA)
  B. Registration authority (RA)
  C. Certificate authority (CA)
  D. Certificate revocation list (CRL)
  A. Secure hash algorithm (SHA)

  ---

  Explanation

• Question 1177:

  An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

  A. Evaluate the appropriateness of the remedial action taken.
  B. Conduct a risk analysis incorporating the change.
  C. Report results of the follow-up to the audit committee.
  D. Inform senior management of the change in approach.
  A. Evaluate the appropriateness of the remedial action taken.

  ---

  Explanation

  The auditor's next course of action should be to evaluate the appropriateness of the remedial action taken by the auditee. The auditor should assess whether the alternative approach taken by the auditee is effective, efficient, and aligned with the audit objectives and recommendations. The auditor should also consider the impact of the change on the audit scope, criteria, and risk assessment. Conducting a risk analysis incorporating the change, reporting results of the follow-up to the audit committee, and informing senior management of the change in approach are possible subsequent actions that the auditor may take after evaluating the appropriateness of the remedial action taken.

  References: CISA Review Manual (Digital Version): Chapter 1 - Information Systems Auditing Process

• Question 1178:

  An IS auditor should aware of various analysis models used by data architecture. Which of the following analysis model outline the major process of an organization and the external parties with which business interacts?

  A. Context Diagrams
  B. Activity Diagrams
  C. Swim-lane diagrams
  D. Entity relationship diagrams
  A. Context Diagrams

  ---

  Explanation

  Context diagram ?Outline the major processes of an organization and the external parties with which business interacts.

  For CISA exam you should know below information about business intelligence:

  Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a

  data architecture. The complete data architecture consists of two components

  The enterprise data flow architecture (EDFA)

  A logical data architecture

  Various layers/components of this data flow architecture are as follows:

  Presentation/desktop access layer ?This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas

  and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Source Layer ?Enterprise information derives from number of sources:

  Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data ?Data provided to an organization by external sources. This could include data

  such as customer demographic and market share information.

  Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

  Core data warehouse ?This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support

  three basic form of an inquiry.

  Drilling up and drilling down ?Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.

  Drill across ?Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical

  Analysis ?The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start

  of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers.

  Data Mart Layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data Staging and quality layer ?This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

  periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

  Data Access Layer ?This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  Data Preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

  Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs to be very high to not corrupt the result. Metadata repository layer ?Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be

  comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules.

  Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.

  Application messaging layer ?This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

  Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

  Various analysis models used by data architects/ analysis follows:

  Activity or swim-lane diagram ?De-construct business processes.

  Entity relationship diagram ?Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is

  involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

  The following were incorrect answers:

  Context diagram ?Outline the major processes of an organization and the external parties with which business interacts.

  Activity or swim-lane diagram ?De-construct business processes.

  CISA review manual 2014 Page number 188

• Question 1179:

  Which of the following is the BEST source of information to determine the required level of data protection on a file server?

  A. Data classification policy and procedures
  B. Access rights of similar file servers
  C. Previous data breach incident reports
  D. Acceptable use policy and privacy statements
  A. Data classification policy and procedures

  ---

  Explanation

  The best source of information to determine the required level of data protection on a file server is the data classification policy and procedures, which define the criteria and methods for classifying data according to its sensitivity, value, and criticality, and specify the appropriate security measures and controls for each data category. Data classification policy and procedures help to ensure that data is protected in proportion to its importance and risk exposure. Access rights of similar file servers, previous data breach incident reports, and acceptable use policy and privacy statements are not sufficient or reliable sources of information to determine the required level of data protection on a file server, as they do not provide clear and consistent guidance on how to classify and protect data.

  References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.1: Information Asset Security Framework

• Question 1180:

  An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that is directly accessed by customers via the Internet, which of the following should be a concern for the auditor?

  A. The system is hosted on an external third-party service provider's server.
  B. The system is hosted in a hybrid-cloud platform managed by a service provider.
  C. The system is hosted within a demilitarized zone (DMZ) of a corporate network.
  D. The system is hosted within an internal segment of a corporate network.
  D. The system is hosted within an internal segment of a corporate network.

  ---

  Explanation

  A web-based CRM system that is directly accessed by customers via the Internet should be hosted in a secure and isolated environment to protect it from external threats and unauthorized access. A web-based CRM system should also be reliable, trusted, and backed up regularly. Hosting the system on an external third-party service provider's servers (A) or a hybrid- cloud platform managed by a service provider (B) may not be a concern for the auditor if the service provider has adequate security measures and service level agreements in place. The auditor should verify the security controls and contractual terms of the service provider before trusting them with the CRM data. Hosting the system within a demilitarized zone (DMZ) of a corporate network is a common practice to provide an extra layer of security to the CRM system from untrusted networks, such as the Internet. A DMZ is a perimeter network that isolates the CRM system from the internal network and filters the incoming traffic from the external network using a security gateway. Hosting the system within an internal segment of a corporate network (D) is a concern for the auditor because it exposes the CRM system and the internal network to potential attacks from the Internet. The CRM system should not be directly accessible from the Internet without a DMZ or a firewall to protect it. This could compromise the confidentiality, integrity, and availability of the CRM data and the internal network.