Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1241:

  When determining the quality of evidence collected during an audit, it is MOST important to ensure the evidence is:

  A. Valid, complete, and accurate.
  B. Timely, reliable, and reasonable.
  C. Sufficient and comes from the source of the information.
  D. Persuasive and applicable.
  D. Persuasive and applicable.

  ---

  Explanation

  Explanation

• Question 1242:

  Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?

  A. Error log review
  B. Total number of items
  C. Hash totals
  D. Aggregate monetary amount
  C. Hash totals

  ---

  Explanation

• Question 1243:

  Which of the following controls BEST provides confidentiality and nonrepudiation for an online business looking for digital payment data security?

  A. Data Encryption Standard (DES)
  B. Advanced Encryption Standard (AES)
  C. Public Key Infrastructure (PKI)
  D. Virtual Private Network (VPN)
  C. Public Key Infrastructure (PKI)

  ---

  Explanation

  Explanation Comprehensive and Detailed Step-by-Step For online payment security, bothconfidentiality(protection of data) andnonrepudiation(ensuring the sender cannot deny a transaction) are essential. Option A (Incorrect):DES is outdatedandinsecurefor modern encryption needs. It has been replaced by stronger algorithms. Option B (Incorrect):AES provides strong encryption(confidentiality) but does not handlenonrepudiationon its own. Option C (Correct):PKI (Public Key Infrastructure)is the best solution because it providesencryption for confidentialityanddigital signatures for nonrepudiation, ensuring bothsecuretransactions andauthenticationof parties involved. Option D (Incorrect):AVPN secures network traffic, but it does not address nonrepudiation, which is critical in online payments.

  ISACA CISA Review Manual -Domain 5: Protection of Information Assets?Covers encryption, PKI, and secure payment processing.

• Question 1244:

  Which of the following should MOST concern an IS auditor reviewing an intrusion detection system (IDS)?

  A. Number of false negatives
  B. Number of false positives
  C. Legitimate traffic blocked by the system
  D. Reliability of IDS logs
  A. Number of false negatives

  ---

  Explanation

• Question 1245:

  An IS auditor assessing the controls within a newly implemented call center would First

  A. gather information from the customers regarding response times and quality of service.
  B. review the manual and automated controls in the call center.
  C. test the technical infrastructure at the call center.
  D. evaluate the operational risk associated with the call center.
  D. evaluate the operational risk associated with the call center.

  ---

  Explanation

  The first step in assessing the controls within a newly implemented call center is to evaluate the operational risk associated with the call center. This will help the IS auditor to identify the potential threats, vulnerabilities, and impacts that could affect the call center's objectives, performance, and availability. The evaluation of operational risk will also provide a basis for determining the scope, objectives, and approach of the audit. The other options are possible audit procedures, but they are not the first step in the audit process.

  References: ISACA Frameworks: Blueprints for Success, CISA Review Manual (Digital Version)

• Question 1246:

  Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

  A. Assignment of responsibility for each project to an IT team member
  B. Adherence to best practice and industry approved methodologies
  C. Controls to minimize risk and maximize value for the IT portfolio
  D. Frequency of meetings where the business discusses the IT portfolio
  C. Controls to minimize risk and maximize value for the IT portfolio

  ---

  Explanation

  Controls to minimize risk and maximize value for the IT portfolio should be the most important consideration when conducting a review of IT portfolio management, because they ensure that the IT portfolio aligns with the business strategy, objectives, and priorities, and that the IT investments deliver optimal benefits and outcomes. Assignment of responsibility for each project to an IT team member, adherence to best practice and industry approved methodologies, and frequency of meetings where the business discusses the IT portfolio are also relevant aspects of IT portfolio management, but they are not as important as controls to minimize risk and maximize value.

  References: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.3

• Question 1247:

  When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor's GREATEST concern?

  A. Lack of ongoing maintenance costs
  B. Lack of training materials
  C. Lack of plan for pilot implementation
  D. Lack of detailed work breakdown structure
  A. Lack of ongoing maintenance costs

  ---

  Explanation

  The IS auditor's greatest concern when reviewing a business case for a proposed implementation of a third-party system should be A. Lack of ongoing maintenance costs. This is because ongoing maintenance costs are an essential part of the total cost of ownership (TCO) of a third-party system, and they can have a significant impact on the return on investment (ROI) and the feasibility of the project. If the business case does not include ongoing maintenance costs, it may underestimate the true cost of the project and overestimate the benefits. This could lead to poor decision making and unrealistic expectations. Lack of training materials (B), lack of plan for pilot implementation ? and lack of detailed work breakdown structure (D) are also potential issues that could affect the quality and success of the project, but they are not as critical as lack of ongoing maintenance costs. Training materials can be developed or acquired later, pilot implementation can be planned during the project initiation or planning phase, and work breakdown structure can be refined as the project progresses. However, ongoing maintenance costs are difficult to change or estimate once the project is approved and implemented, and they can have long-term implications for the organization. Therefore, they should be included and analyzed in the business case.

• Question 1248:

  A bank has implemented a new accounting system. Which of the following is the BEST lime for an IS auditor to perform a post-implementation review?

  A. After user acceptance testing (UAT) is completed
  B. One full year after go-live
  C. As close to go-live as possible
  D. After the first reporting cycle
  C. As close to go-live as possible

  ---

  Explanation

• Question 1249:

  Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

  A. The exceptions are likely to continue indefinitely.
  B. The exceptions may result in noncompliance.
  C. The exceptions may elevate the level of operational risk.
  D. The exceptions may negatively impact process efficiency.
  B. The exceptions may result in noncompliance.

  ---

  Explanation

  The greatest concern associated with a high number of IT policy exceptions approved by management is that the exceptions may result in noncompliance. IT policy exceptions are deviations from the established IT policies that are granted by management for specific reasons and circumstances. However, if there are too many exceptions, it may indicate that the IT policies are not aligned with the business needs, regulatory requirements, or best practices. This may expose the organization to legal, contractual, or reputational risks due to noncompliance. The other options are not as concerning as noncompliance, as they do not have the same potential impact or consequences. The exceptions are likely to continue indefinitely is a possible outcome of a high number of exceptions, but it does not necessarily imply a negative effect on the organization. The exceptions may elevate the level of operational risk is a valid concern, but it can be mitigated by implementing compensating controls or monitoring mechanisms. The exceptions may negatively impact process efficiency is a minor concern, as it does not affect the effectiveness or reliability of the IT processes.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

• Question 1250:

  An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?

  A. The applications are not included in business continuity plans (BCFs)
  B. The applications may not reasonably protect data.
  C. The application purchases did not follow procurement policy.
  D. The applications could be modified without advanced notice.
  B. The applications may not reasonably protect data.

  ---

  Explanation

  The greatest risk associated with the situation of business units purchasing cloud-based applications without IT support is that the applications may not reasonably protect data. Cloud-based applications are software applications that run on the internet, rather than on a local device or network. Cloud-based applications offer many benefits, such as scalability, accessibility, and cost-effectiveness, but they also pose many challenges and risks, especially for data security1. Data security is the process of protecting data from unauthorized access, use, modification, disclosure, or destruction. Data security is essential for ensuring the confidentiality, integrity, and availability of data, as well as complying with legal and regulatory requirements. Data security is especially important for cloud-based applications, as data are stored and processed on remote servers that are owned and managed by third-party cloud service providers (CSPs)2. When business units purchase cloud-based applications without IT support, they may not be aware of or follow the best practices and standards for data security in the cloud. They may not perform adequate risk assessments, vendor evaluations, contract reviews, or audits to ensure that the CSPs and the applications meet the organization's data security policies and expectations. They may not implement appropriate data encryption, backup, recovery, or disposal methods to protect the data in transit and at rest. They may not monitor or control the access and usage of the data by internal or external users. They may not report or respond to any data breaches or incidents that may occur3. These actions or inactions may expose the organization's data to various threats and vulnerabilities in the cloud, such as cyberattacks, human errors, malicious insiders, misconfigurations, or legal disputes. These threats and vulnerabilities may result in data loss, leakage, corruption, or compromise, which may have serious consequences for the organization's reputation, operations, performance, compliance, and liability4. Therefore, it is essential that business units consult and collaborate with IT support before purchasing any cloud-based applications, and follow the organization's guidelines and procedures for cloud security. IT support can help business units to select and use cloud- based applications that are suitable and secure for their needs and objectives.

  References: Top 5 Risks With Cloud Software and How to Mitigate Them4 Mitigate risks and secure your cloud-native applications3 12 Risks, Threats and Vulnerabilities in Moving to the Cloud2 Best Practices to Manage Risks in the Cloud1