Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1191:

  When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?

  A. Report that the changes make it impractical to determine whether the risks have been addressed.
  B. Accept management's assertion and report that the risks have been addressed.
  C. Determine whether the changes have introduced new risks that need to be addressed.
  D. Review the changes and determine whether the risks have been addressed.
  B. Accept management's assertion and report that the risks have been addressed.

  ---

  Explanation

  When operational management informs the IS auditor that recent organizational changes have addressed previously identified risks and implementing the action plan is no longer necessary, the IS auditor should accept management's assertion and report that the risks have been addressed. However, it is essential to document this communication and ensure that there is evidence supporting management's claim. If there are any doubts or concerns, further investigation may be necessary. The auditor should not assume new risks without proper assessment or evidence

• Question 1192:

  An internal audit department recently established a quality assurance (QA) program as part of its overall audit program. Which of the following activities should be included as part of the QA program requirements?

  A. Reporting program results to the board
  B. Reviewing audit standards periodically
  C. Analyzing user satisfaction reports from business lines
  D. Conducting long-term planning for internal audit staffing
  B. Reviewing audit standards periodically

  ---

  Explanation

• Question 1193:

  Which of the following controls should be implemented to BEST minimize system downtime for maintenance?

  A. Nightly full backups
  B. Virtualization
  C. Warm site
  D. Clustering
  D. Clustering

  ---

  Explanation

• Question 1194:

  Which of the following is a PRIMARY responsibility of an IT steering committee?

  A. Prioritizing IT projects in accordance with business requirements
  B. Reviewing periodic IT risk assessments
  C. Validating and monitoring the skill sets of IT department staff
  D. Establishing IT budgets for the business
  A. Prioritizing IT projects in accordance with business requirements

  ---

  Explanation

  A primary responsibility of an IT steering committee is prioritizing IT projects in accordance with business requirements, as this ensures that IT resources are allocated to support the strategic objectives and needs of the organization.

  Reviewing periodic IT risk assessments, validating and monitoring the skill sets of IT department staff, and establishing IT budgets for the business are important activities, but they are not the primary responsibility of an IT steering committee.

  They may be delegated to other IT governance bodies or functions within the organization.

  References: CISA Review Manual (Digital Version), Chapter 1:

  Information Systems Auditing Process, Section 1.2: IT Governance

• Question 1195:

  Which of the following BEST describes the process of creating a digital envelope?

  A. The encryption key is compressed within a folder after a message is encoded using symmetric encryption.
  B. A message is encoded using symmetric encryption, and then the encryption key is secured using public key encryption.
  C. The message is hashed, and the hash total is sent using symmetric encryption.
  D. A message digest is encrypted using asymmetric encryption, and the encryption key is sent using asymmetric encryption.
  B. A message is encoded using symmetric encryption, and then the encryption key is secured using public key encryption.

  ---

  Explanation

  Explanation

• Question 1196:

  Which of the following is MOST important for an IS auditor to review when determining whether IT investments are providing value to tie business?

  A. Return on investment (ROI)
  B. Business strategy
  C. Business cases
  D. Total cost of ownership (TCO)
  B. Business strategy

  ---

  Explanation

  The answer B is correct because the most important thing for an IS auditor to review when determining whether IT investments are providing value to the business is the business strategy. The business strategy is the plan or direction that guides the organization's decisions and actions to achieve its goals and objectives. The business strategy defines the organization's vision, mission, values, competitive advantage, target market, value proposition, and key performance indicators (KPIs). IT investments are the expenditures or costs incurred by the organization to acquire, develop, maintain, or improve its IT assets, such as hardware, software, network, data, or services. IT investments can help the organization to support its business processes, operations, functions, and capabilities. IT investments can also help the organization to create or enhance its products, services, or solutions for its customers or stakeholders. To determine whether IT investments are providing value to the business, an IS auditor needs to review how well the IT investments align with and contribute to the business strategy. Alignment means that the IT investments are consistent and compatible with the business strategy, and that they support and enable the achievement of the strategic goals and objectives. Contribution means that the IT investments are effective and efficient in delivering the expected outcomes and benefits for the business, and that they generate a positive return on investment (ROI) or value for money. An IS auditor can use various methods or frameworks to review the alignment and contribution of IT investments to the business strategy, such as: Balanced scorecard: A balanced scorecard is a tool that measures and monitors the performance of an organization across four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard can help an IS auditor to evaluate how well the IT investments support and improve each perspective of the organization's performance, and how they link to the organization's vision and strategy. Value chain analysis: A value chain analysis is a tool that identifies and analyzes the primary and support activities that add value to an organization's products or services. A value chain analysis can help an IS auditor to assess how well the IT investments enhance or optimize each activity of the value chain, and how they create or sustain a competitive advantage for the organization. Business case analysis: A business case analysis is a tool that evaluates the feasibility, viability, and desirability of a proposed project or initiative. A business case analysis can help an IS auditor to examine how well the IT investments address a business problem or opportunity, how they deliver the expected benefits and outcomes for the stakeholders, and how they compare with alternative options or solutions. The other options are not as important as option

  B. Return on investment (ROI) (option A) is a metric that measures the profitability or efficiency of an investment by comparing its benefits or returns with its costs or expenses. ROI can help an IS auditor to quantify the value of IT investments for the business, but it does not capture all aspects of value, such as quality, satisfaction, or impact. ROI also depends on how well the IT investments align with the business strategy in the first place. Business cases (option C) are documents that justify and support a proposed project or initiative by describing its objectives, scope, benefits, costs, risks, and alternatives. Business cases can help an IS auditor to understand the rationale and expectations for IT investments, but they do not guarantee that the IT investments will actually deliver the desired value for the business. Business cases also need to be aligned with the business strategy to ensure their relevance and validity. Total cost of ownership (TCO) (option D) is a metric that measures the total costs incurred by an organization to acquire, operate, maintain, and dispose of an IT asset over its life cycle. TCO can help an IS auditor to estimate the financial impact of IT investments for the business, but it does not reflect the benefits or outcomes of IT investments, nor does it indicate how well the IT investments support or enable the business strategy.

  References: IT Strategy: Aligning IT and Business Strategy How To Measure The Value Of Your Technology Investments IT Investment Management: A Framework for Assessing ... - GAO How To Align Your Technology Investments With Your Business Strategy

• Question 1197:

  Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?

  A. Critical business applications
  B. Business processes
  C. Existing IT controls
  D. Recent audit results
  B. Business processes

  ---

  Explanation

  This is because the business processes are the core activities and functions that enable the organization to achieve its objectives and create value for its stakeholders. The business processes are also the sources and drivers of various risks that may affect the organization's performance, compliance, and reputation. Therefore, the IS auditor should focus on understanding, assessing, and prioritizing the business processes that are most critical, complex, or vulnerable to the organization's success, and align the audit objectives, scope, and resources accordingly. Critical business applications (A) are not the most important area of focus for an IS auditor when developing a risk-based audit strategy, but rather a specific aspect of the business processes that may require attention. Critical business applications are the software systems that support the execution and automation of the business processes, such as enterprise resource planning (ERP), customer relationship management (CRM), or accounting systems. Critical business applications may pose significant risks to the organization if they are not reliable, secure, or efficient. Therefore, the IS auditor should consider the criticality, functionality, and dependency of the business applications when planning the audit, but not as the primary focus12. Existing IT controls ?are not the most important area of focus for an IS auditor when developing a risk-based audit strategy, but rather an outcome or output of the risk assessment process. Existing IT controls are the policies, procedures, practices, and technologies that are implemented to manage and mitigate the IT-related risks that may affect the organization's business processes and objectives. Existing IT controls may vary in their design, effectiveness, and maturity. Therefore, the IS auditor should evaluate and test the existing IT controls as part of the audit execution and reporting process, but not as the main focus. Recent audit results (D) are not the most important area of focus for an IS auditor when developing a risk-based audit strategy, but rather an input or source of information for the risk assessment process. Recent audit results are the findings, recommendations, and opinions of previous audits that may provide insights or feedback on the organization's business processes, risks, and controls. Recent audit results may also indicate any changes or trends in the organization's risk profile or environment. Therefore, the IS auditor should review and consider the recent audit results as part of the audit planning and scoping process, but not as the main focus.

• Question 1198:

  Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's IT strategy development process?

  A. The IT strategy was developed before the business plan
  B. A business impact analysis (BIA) was not performed to support the IT strategy
  C. The IT strategy was developed based on the current IT capability
  D. Information security was not included as a key objective m the IT strategic plan.
  D. Information security was not included as a key objective m the IT strategic plan.

  ---

  Explanation

  The greatest concern for an IS auditor when auditing an organization's IT strategy development process is that information security was not included as a key objective in the IT strategic plan. Information security is a vital component of IT strategy, as it ensures the confidentiality, integrity and availability of information assets, and supports the business objectives and regulatory compliance. The other options are not as significant as the lack of information security in the IT strategic plan.

  References: CISA Review Manual (Digital Version), Chapter 1, Section 1.31

• Question 1199:

  An organization has developed mature risk management practices that are followed across all departments What is the MOST effective way for the audit team to leverage this risk management maturity?

  A. Implementing risk responses on management's behalf
  B. Integrating the risk register for audit planning purposes
  C. Providing assurances to management regarding risk
  D. Facilitating audit risk identification and evaluation workshops
  B. Integrating the risk register for audit planning purposes

  ---

  Explanation

  The most effective way for the audit team to leverage the risk management maturity of the organization is to integrate the risk register for audit planning purposes. The risk register is a document that records the identified risks, their likelihood,

  impact, and mitigation strategies for a project or an organization. By using the risk register, the audit team can align their audit objectives, scope, and procedures with the organization's risk profile and priorities. This will help the audit team to

  provide more value-added and relevant assurance and recommendations to the management and stakeholders. Some of the web sources that support this answer are:

  Audit Maturity And Risk Management | Ideagen

  Building a Mature Enterprise Risk Management Plan | AuditBoard CISA Certified Information Systems Auditor ?

• Question 1200:

  An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center, which of the following findings should be of GREATEST concern to the auditor?

  A. The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (ORP).
  B. The SLA has not been reviewed in more than a year.
  C. Backup data is hosted online only.
  D. The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan (DRP).
  A. The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (ORP).

  ---

  Explanation

  The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (DRP) should be of greatest concern to the auditor when reviewing a bank's SLA with a third-party provider that hosts the bank's secondary data center. This is because the RTO is the maximum acceptable time for restoring a system or an application after a disaster or a disruption. A longer RTO than the DRP means that the bank may not be able to resume its critical business operations within the expected time frame, which may result in significant financial losses, reputational damage, customer dissatisfaction, or regulatory non-compliance12. The SLA has not been reviewed in more than a year is not the greatest concern, although it is a good practice to review and update the SLA periodically to ensure that it reflects the current business needs and expectations, as well as any changes in the service provider's capabilities or performance. However, a lack of review does not necessarily imply a lack of compliance or quality of service, as long as the SLA is still valid and enforceable34. Backup data is hosted online only is not the greatest concern, although it may pose some security risks if the backup data is not encrypted or protected by adequate access controls. Online backup data means that the backup data is stored on a remote server that can be accessed via the Internet, which may offer some advantages such as faster recovery, lower cost, and higher availability than offline backup data that is stored on physical media such as tapes or disks. However, online backup data also requires reliable network connectivity and bandwidth, as well as proper security measures to prevent unauthorized access or tampering56. The recovery point objective (RPO) has a shorter duration than documented in the DRP is not the greatest concern, although it may indicate some inconsistency or misalignment between the SLA and the DRP. The RPO is the maximum acceptable amount of data loss measured in time from a disaster or a disruption. A shorter RPO than the DRP means that the bank may lose less data than expected, which may be beneficial for its business continuity and recovery. However, a shorter RPO may also imply more frequent backups, which may increase the cost and complexity of the backup process