Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1181:

  During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:

  A. Future compatibility of the application.
  B. Proposed functionality of the application.
  C. Controls incorporated into the system specifications.
  D. Development methodology employed.
  C. Controls incorporated into the system specifications.

  ---

  Explanation

  The primary responsibility of an IS auditor during the design phase of a software development project is to evaluate the controls incorporated into the system specifications. Controls are mechanisms or procedures that aim to ensure the security, reliability, or performance of a system or process. System specifications are documents that define and describe the requirements, features, functions, or components of a system or software. Evaluating the controls incorporated into the system specifications is a key responsibility of an IS auditor during the design phase of a software development project, as it helps ensure that the system or software meets the organization's objectives, standards, and expectations for security, reliability, or performance. The other options are not primary responsibilities of an IS auditor during the design phase of a software development project, as they do not directly relate to evaluating the controls incorporated into the system specifications. Future compatibility of the application is a possible factor that may affect the functionality or usability of the application in different environments or platforms, but it is not a primary responsibility of an IS auditor during the design phase of a software development project. Proposed functionality of the application is a possible factor that may affect the suitability or value of the application for meeting user needs or expectations, but it is not a primary responsibility of an IS auditor during the design phase of a software development project. Development methodology employed is a possible factor that may affect the quality or consistency of the software development process, but it is not a primary responsibility of an IS auditor during the design phase of a software development project.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

• Question 1182:

  Which of the following methodologies is MOST appropriate to use for developing software with incomplete requirements?

  A. Process-based
  B. Critical chain
  C. Waterfall
  D. Agile
  D. Agile

  ---

  Explanation

• Question 1183:

  Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

  A. Review of program documentation
  B. Use of test transactions
  C. Interviews with knowledgeable users
  D. Review of source code
  B. Use of test transactions

  ---

  Explanation

  The most conclusive audit procedure for evaluating the effectiveness of an e- commerce application system's edit routine is to use test transactions. A test transaction is a simulated input that is processed by the system to verify its output and performance1. By using test transactions, an auditor can directly observe how the edit routine checks the validity, accuracy, and completeness of data entered by users, and how it handles incorrect or invalid data. A test transaction can also help measure the efficiency, reliability, and security of the edit routine, as well as identify any errors or weaknesses in the system. The other options are not as conclusive as using test transactions, as they rely on indirect or secondary sources of information. Reviewing program documentation is an audit procedure that involves examining the written description of the system's design, specifications, and functionality2. However, program documentation may not reflect the actual implementation or operation of the system, and it may not reveal any discrepancies or defects in the edit routine. Interviews with knowledgeable users is an audit procedure that involves asking questions to the people who use or manage the system3. However, interviews with knowledgeable users may not provide sufficient or objective evidence of the edit routine's effectiveness, and they may be influenced by personal opinions or biases. Reviewing source code is an audit procedure that involves analyzing the programming language and logic of the system4. However, reviewing source code may not be feasible or practical for complex or large systems, and it may not demonstrate how the edit routine performs in real scenarios.

• Question 1184:

  A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to:

  A. evaluate replacement systems and performance monitoring software.
  B. restrict functionality of system monitoring software to security-related events.
  C. re-install the system and performance monitoring software.
  D. use analytical tools to produce exception reports from the system and performance monitoring software
  D. use analytical tools to produce exception reports from the system and performance monitoring software

  ---

  Explanation

  Using analytical tools to produce exception reports from the system and performance monitoring software is the most effective plan of action for a company that purchased and implemented system and performance monitoring software.

  Exception reports are reports that highlight deviations or anomalies from predefined thresholds or standards. Using analytical tools to produce exception reports can help to reduce the size and complexity of the system and performance

  monitoring reports, as well as to focus on the most relevant and critical information for review and action. The other options are less effective plans of action, as they may involve unnecessary costs, risks, or efforts.

  References:

  CISA Review Manual (Digital Version), Chapter 4, Section 4.2.21 CISA Review Questions, Answers and Explanations Database, Question ID 219

• Question 1185:

  Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?

  A. Project segments are established.
  B. The work is separated into phases.
  C. The work is separated into sprints.
  D. Project milestones are created.
  C. The work is separated into sprints.

  ---

  Explanation

  The best way to enable the effectiveness of an agile project for the rapid development of a new software application is to separate the work into sprints. Sprints are short, time-boxed iterations that deliver a potentially releasable product increment at the end of each sprint. Sprints allow agile teams to work in a flexible and adaptive manner, respond quickly to changing customer needs and feedback, and deliver value faster and more frequently. Sprints also help teams to plan, execute, review, and improve their work in a collaborative and transparent way. Project segments, phases, and milestones are not specific to agile projects and do not necessarily enable the effectiveness of an agile project.

  References: Agile Project Management [What is it and How to Start] - Atlassian, CISA Review Manual (Digital Version).

• Question 1186:

  An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee. Which type of control has been added?

  A. Detective
  B. Preventive
  C. Compensating
  D. Corrective
  B. Preventive

  ---

  Explanation

• Question 1187:

  Which of the following is the BEST IS audit strategy?

  A. Perform audits based on impact and probability of error and failure.
  B. Cycle general control and application audits over a two-year period.
  C. Conduct general control audits annually and application audits in alternating years.
  D. Limit audits to new application system developments.
  A. Perform audits based on impact and probability of error and failure.

  ---

  Explanation

• Question 1188:

  Which of the following is the MOST significant risk to an organization migrating its onsite application servers to a public cloud service provider?

  A. Service provider access to organizational data
  B. Account hacking from other clients using the same provider
  C. Increased dependency on an external provider
  D. Service provider limiting the right to audit
  A. Service provider access to organizational data

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  Thebiggest riskin cloud migration isdata security, especially unauthorized access by the cloud provider.

  Option A (Correct):The cloud providermanages and stores organizational data, meaning that abreach, insider threat, or improper accessposes amajor risk.

  Properencryption and access controlsare critical.

  Option B (Incorrect):Whilemulti-tenancy risks exist, cloud providers typically implement strongisolation mechanismsbetween clients. Option C (Incorrect):Increased dependency on the provider is aconcern, but the impact depends onservice

  agreements and redundancy measures. Option D (Incorrect):Limiting the right to audit is acompliance issue, butdata security risksare more critical.

  ISACA CISA Review Manual -Domain 5: Protection of Information Assets?Covers

  cloud computing risks and security considerations.

• Question 1189:

  Which of the following is MOST important to review during the project initiation phase of developing and deploying a new application?

  A. User requirements
  B. User acceptance testing (UAT) plans
  C. Deployment plans
  D. Architectural design
  A. User requirements

  ---

  Explanation

  User requirements are the foundation of any successful application. Properly defining what the application needs to do and how it should serve users is critical before moving into design or development.

  References:

  Project Management Methodologies (Agile, Waterfall, etc.): All major methodologies emphasize the criticality of understanding user requirements during the initial project phases.

  Software Development Lifecycle (SDLC): Requirements gathering is a cornerstone of the initiation phase within the SDLC.

  ISACA Resources: While not explicitly tied to a CISA document, ISACA's emphasis on governance and aligning IT with business objectives reinforces the importance of starting with clear user requirements.

• Question 1190:

  In the case of a disaster where the data center is no longer available, which of the following tasks should be done FIRST?

  A. Perform data recovery.
  B. Arrange for a secondary site.
  C. Analyze risk.
  D. Activate the call tree.
  D. Activate the call tree.

  ---

  Explanation

  In the event of a disaster where the data center is no longer available, the first step should be to activate the call tree1. A call tree is a layered hierarchical communication model used to notify specific individuals of an event and coordinate

  recovery efforts. This ensures that all relevant parties are informed about the situation and can begin executing their parts of the disaster recovery plan.

  References:

  IT Disaster Recovery Plan | Ready.gov