Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1221:

  An audit committee is reviewing an annual IT risk assessment. Which of the following is the BEST justification for the audits selected?

  A. Likelihood of an IT process failure
  B. Key IT general process controls
  C. Applications impacted
  D. Underlying business risks
  D. Underlying business risks

  ---

  Explanation

• Question 1222:

  An organization has implemented data storage hardware. Which of the following should an IS auditor review to assess if IT is maximizing storage and network utilization?

  A. Capacity management plans
  B. Downtime statistics
  C. The quality management systems
  D. Routine and non-routine job schedules
  A. Capacity management plans

  ---

  Explanation

• Question 1223:

  Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

  A. Perform a business impact analysis (BIA).
  B. Determine which databases will be in scope.
  C. Identify the most critical database controls.
  D. Evaluate the types of databases being used
  B. Determine which databases will be in scope.

  ---

  Explanation

  The first task that an IS auditor should complete during the preliminary planning phase of a database security review is to determine which databases will be in scope. The scope defines the boundaries and objectives of the audit, as well as

  the resources, time, and budget required. The IS auditor should identify the databases that are relevant to the audit based on factors such as their criticality, risk, complexity, size, type, location, and ownership. The IS auditor should also

  consider the regulatory, contractual, and organizational requirements that apply to the databases. By defining the scope clearly and accurately, the IS auditor can ensure that the audit is focused, feasible, and effective.

  References:

  CISA Review Manual (Digital Version)

  CISA Questions, Answers and Explanations Database

• Question 1224:

  Which of the following software development methodology is a reuse-based approach to defining, implementing and composing loosely coupled independent components into systems?

  A. Agile Developments
  B. Software prototyping
  C. Rapid application development
  D. Component based development
  D. Component based development

  ---

  Explanation

  Component-based software engineering (CBSE) (also known as component-based development (CBD)) is a branch of software engineering that emphasizes the separation of concerns in respect of the wide-ranging functionality available

  throughout a given software system. It is a reuse-based approach to defining, implementing and composing loosely coupled independent components into systems. This practice aims to bring about an equally wide-ranging degree of benefits

  in both the short-term and the long-term for the software itself and for organizations that sponsor such software.

  Software engineers[who?] regard components as part of the starting platform for service-orientation. Components play this role, for example, in web services, and more recently, in service-oriented architectures (SOA), whereby a component

  is converted by the web service into a service and subsequently inherits further characteristics beyond that of an ordinary component.

  Components can produce or consume events and can be used for event-driven architectures (EDA).

  Definition and characteristics of components

  An individual software component is a software package, a web service, a web resource, or a module that encapsulates a set of related functions (or data).

  All system processes are placed into separate components so that all of the data and functions inside each component are semantically related (just as with the contents of classes). Because of this principle, it is often said that components

  are modular and cohesive.

  With regard to system-wide co-ordination, components communicate with each other via interfaces. When a component offers services to the rest of the system, it adopts a provided interface that specifies the services that other components

  can utilize, and how they can do so. This interface can be seen as a signature of the component - the client does not need to know about the inner workings of the component (implementation) in order to make use of it. This principle results in

  components referred to as encapsulated. The UML illustrations within this article represent provided interfaces by a lollipop-symbol attached to the outer edge of the component.

  However, when a component needs to use another component in order to function, it adopts a used interface that specifies the services that it needs. In the UML illustrations in this article, used interfaces are represented by an open socket

  symbol attached to the outer edge of the component.

  A simple example of several software components - pictured within a hypothetical holiday-reservation system represented in UML 2.0.

  Another important attribute of components is that they are substitutable, so that a component can replace another (at design time or run-time), if the successor component meets the requirements of the initial component (expressed via the

  interfaces). Consequently, components can be replaced with either an updated version or an alternative without breaking the system in which the component operates.

  As a general rule of thumb for engineers substituting components, component B can immediately replace component A, if component B provides at least what component A provided and uses no more than what component A used.

  Software components often take the form of objects (not classes) or collections of objects (from object-oriented programming), in some binary or textual form, adhering to some interface description language (IDL) so that the component may

  exist autonomously from other components in a computer.

  When a component is to be accessed or shared across execution contexts or network links, techniques such as serialization or marshalling are often employed to deliver the component to its destination.

  Reusability is an important characteristic of a high-quality software component. Programmers should design and implement software components in such a way that many different programs can reuse them. Furthermore, component-based

  usability testing should be considered when software components directly interact with users.

  It takes significant effort and awareness to write a software component that is effectively reusable. The component needs to be:

  fully documented

  thoroughly tested

  robust - with comprehensive input-validity checking

  able to pass back appropriate error messages or return codes

  designed with an awareness that it will be put to unforeseen uses

  The following were incorrect answers:

  Agile Development - Agile software development is a group of software development methods based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-

  functional teams.

  Software prototyping- Software prototyping, refers to the activity of creating prototypes of software applications, i.e., incomplete versions of the software program being developed. It is an activity that can occur in software development and is

  comparable to prototyping as known from other fields, such as mechanical engineering or manufacturing.

  Rapid application development (RAD) is a software development methodology that uses minimal planning in favor of rapid prototyping. The "planning" of software developed using RAD is interleaved with writing the software itself. The lack of

  extensive per-planning generally allows software to be written much faster, and makes it easier to change requirements.

  CISA review manual 2014 Page number 194

• Question 1225:

  An IS auditor plans to review all access attempts to a video-monitored and proximity card- controlled communications room. Which of the following would be MOST useful to the auditor?

  A. Alarm system with CCTV
  B. Access control log
  C. Security incident log
  D. Access card allocation records
  B. Access control log

  ---

  Explanation

  A system electronic log is the most useful source of information for an IS auditor to review all access attempts to a video-monitored and proximity card-controlled communications room. A system electronic log can provide accurate and detailed records of the date, time, card number, and status (success or failure) of each access attempt. A system electronic log can also be easily searched, filtered, and analyzed by the auditor to identify any unauthorized or suspicious access attempts. A manual sign-in and sign-out log is not as reliable or useful as a system electronic log, because it depends on the honesty and compliance of the users. A manual log can be easily manipulated, forged, or omitted by the users or intruders. A manual log also does not capture the status of each access attempt, and it can be difficult to verify the identity of the users based on their signatures. An alarm system with CCTV is not as useful as a system electronic log, because it only captures the events that trigger the alarm, such as unauthorized or forced entry. An alarm system with CCTV does not provide a complete record of all access attempts, and it can be affected by factors such as camera angle, lighting, and resolution. An alarm system with CCTV also requires more time and effort to review the video footage by the auditor. A security incident log is not as useful as a system electronic log, because it only records the incidents that are reported by the users or detected by the security staff. A security incident log does not provide a comprehensive record of all access attempts, and it can be incomplete or inaccurate depending on the reporting and detection mechanisms. A security incident log also does not capture the details of each access attempt, such as the card number and status.

  References: ISACA CISA Review Manual 27th Edition (2019), page 247 ISACA CISA Certified Information Systems Auditor Exam ... - PUPUWEB

• Question 1226:

  Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?

  A. Reviewing results from simulated high-demand stress test scenarios
  B. Performing a root cause analysis for past performance incidents
  C. Anticipating current service level agreements (SLAs) will remain unchanged
  D. Duplicating existing disk drive systems to improve redundancy and data storage
  A. Reviewing results from simulated high-demand stress test scenarios

  ---

  Explanation

• Question 1227:

  A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system Which of the following is the IS auditors BEST recommendation?

  A. Enable automatic encryption decryption and electronic signing of data files
  B. implement software to perform automatic reconciliations of data between systems
  C. Have coders perform manual reconciliation of data between systems
  D. Automate the transfer of data between systems as much as feasible
  D. Automate the transfer of data between systems as much as feasible

  ---

  Explanation

  The best recommendation for an organization that does not have a process to identify and correct records that do not get transferred to the receiving system is to implement software to perform automatic reconciliations of data between systems. This will ensure that the data integrity and completeness are maintained and that any errors or discrepancies are detected and resolved in a timely manner. Enabling encryption, decryption, and electronic signing of data files may enhance the data security and authenticity, but not the data accuracy or consistency. Having coders perform manual reconciliation of data between systems may be prone to human errors and inefficiencies. Automating the transfer of data between systems as much as feasible may reduce the chances of data loss or corruption, but not eliminate them completely.

  References: IS Audit and Assurance Standards, section "Standard 1202: Risk Assessment in Planning"

• Question 1228:

  Which of the following should be GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

  A. Data conversion was performed using manual processes.
  B. Backups of the old system and data are not available online.
  C. Unauthorized data modifications occurred during conversion.
  D. The change management process was not formally documented
  C. Unauthorized data modifications occurred during conversion.

  ---

  Explanation

  The greatest concern for an IS auditor reviewing data conversion and migration during the implementation of a new application system is unauthorized data modifications occurred during conversion. Unauthorized data modifications are changes or alterations to data that are not authorized, intended, or expected, such as due to errors, fraud, or sabotage. Unauthorized data modifications occurred during conversion can compromise the accuracy, completeness, and integrity of the data being converted and migrated to the new application system, and may result in data loss, corruption, or inconsistency. The other options are not as concerning as unauthorized data modifications occurred during conversion in reviewing data conversion and migration during the implementation of a new application system, as they do not affect the accuracy, completeness, or integrity of the data being converted and migrated. Data conversion was performed using manual processes is a possible factor that may increase the risk or complexity of data conversion and migration, but it does not necessarily imply that unauthorized data modifications occurred during conversion. Backups of the old system and data are not available online is a possible factor that may affect the availability or accessibility of the old system and data for backup or recovery purposes, but it does not imply that unauthorized data modifications occurred during conversion. The change management process was not formally documented is a possible factor that may affect the quality or consistency of the change management process for implementing the new application system, but it does not imply that unauthorized data modifications occurred during conversion.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

• Question 1229:

  Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?

  A. Configure a single server as a primary authentication server and a second server as a secondary authentication server.
  B. Configure each authentication server as belonging to a cluster of authentication servers.
  C. Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.
  D. Configure each authentication server and ensure that the disks of each server form part of a duplex.
  B. Configure each authentication server as belonging to a cluster of authentication servers.

  ---

  Explanation

  Configuring each authentication server as belonging to a cluster of authentication servers is the best way to minimize performance degradation of servers used to authenticate users of an e-commerce website. A cluster is a group of servers that work together to provide high availability, load balancing, and fault tolerance. If one server fails or becomes overloaded, another server in the cluster can take over its workload without disrupting the service. A single server as a primary authentication server and a second server as a secondary authentication server is not as effective as a cluster, because the secondary server is only used when the primary server fails, which means it is idle most of the time and does not improve performance. Configuring each authentication server and ensuring that each disk of its RAID is attached to the primary controller does not address the issue of performance degradation, but rather the issue of data redundancy and reliability. RAID (redundant array of independent disks) is a technology that combines multiple disks into a logical unit that can tolerate disk failures and improve data access speed. Configuring each authentication server and ensuring that the disks of each server form part of a duplex does not address the issue of performance degradation, but rather the issue of data backup and recovery. A duplex is a pair of disks that store identical copies of data, so that if one disk fails, the other disk can be used to restore the data.

  References: ISACA CISA Review Manual 27th Edition, page 310

• Question 1230:

  An internal IS auditor recommends that incoming accounts payable payment files be encrypted. Which type of control is the auditor recommending?

  A. Corrective
  B. Detective
  C. Preventive
  D. Directive
  D. Directive

  ---

  Explanation