Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1281:

  During a follow-up engagement, an IS auditor confirms evidence of a problem that was not an issue in the original audit. Which of the following is the auditor's BEST course of action?

  A. Include the evidence as part of a future audit.
  B. Report only on the areas within the scope of the follow-up.
  C. Report the risk to management in the follow-up report.
  D. Expand the follow-up scope to include examining the evidence.
  C. Report the risk to management in the follow-up report.

  ---

  Explanation

• Question 1282:

  Which of the following is the PRIMARY purpose of a business impact analysts (BIA) in an organization's overall risk management strategy?

  A. Evaluating business investment opportunities for the organization
  B. Identifying critical business processes to effectively prioritize recovery efforts
  C. Ensuring compliance with regulations through regular audits
  D. Conducting vulnerability assessments to enhance network security measures
  B. Identifying critical business processes to effectively prioritize recovery efforts

  ---

  Explanation

  Explanation

• Question 1283:

  Which of the following is MOST important for an IS auditor to determine when reviewing how the organization's incident response team handles devices that may be involved in criminal activity?

  A. Whether devices are checked for malicious applications
  B. Whether the access logs are checked before seizing the devices
  C. Whether users have knowledge of their devices being examined
  D. Whether there is a chain of custody for the devices
  D. Whether there is a chain of custody for the devices

  ---

  Explanation

• Question 1284:

  An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes.

  Which of the following findings should be the auditor's GREATEST concern?

  A. Key business process end users did not participate in the business impact " analysis (BIA)
  B. Copies of the BCP have not been distributed to new business unit end users sjnce the reorganization
  C. A test plan for the BCP has not been completed during the last two years
  C. A test plan for the BCP has not been completed during the last two years

  ---

  Explanation

  A test plan for the BCP is essential to ensure that the plan is effective, updated and aligned with the current business needs and objectives. A change in organizational structure with significant impact to business processes may require a revision of the BCP and a new test plan to validate its adequacy. The lack of a test plan for the BCP for two years indicates a high risk of failure in the event of a disaster or disruption. Therefore, this should be the auditor's greatest concern among the given options.

  References: ISACA, IT Control Objectives for Sarbanes-Oxley, 4th Edition, section 5.3.21 ISACA, CISA Review Manual, 27th Edition, chapter 5, section 5.42

• Question 1285:

  Which of the following layer of an enterprise data flow architecture is concerned with basic data communication?

  A. Data preparation layer
  B. Desktop Access Layer
  C. Internet/Intranet layer
  D. Data access layer
  C. Internet/Intranet layer

  ---

  Explanation

  Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

  For CISA exam you should know below information about business intelligence:

  Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a

  data architecture. The complete data architecture consists of two components

  The enterprise data flow architecture (EDFA)

  A logical data architecture

  Various layers/components of this data flow architecture are as follows:

  Presentation/desktop access layer ?This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas

  and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Source Layer ?Enterprise information derives from number of sources:

  Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data ?Data provided to an organization by external sources. This could include data

  such as customer demographic and market share information.

  Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

  Core data warehouse ?This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support

  three basic form of an inquiry.

  Drilling up and drilling down ?Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.

  Drill across ?Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical Analysis ?The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers.

  Data Mart Layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data Staging and quality layer ?This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

  periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

  Data Access Layer ?This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  Data Preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

  Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs

  to be very high to not corrupt the result.

  Metadata repository layer ?Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be

  comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules.

  Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.

  Application messaging layer ?This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

  Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

  Various analysis models used by data architects/ analysis follows:

  Activity or swim-lane diagram ?De-construct business processes.

  Entity relationship diagram ?Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is

  involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

  The following were incorrect answers:

  Desktop access layer or presentation layer is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as

  Congas and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

  Data access layer ?his layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  CISA review manual 2014 Page number 188

• Question 1286:

  Which of the following is the PRIMARY reason to perform a risk assessment?

  A. To determine the current risk profile
  B. To ensure alignment with the business impact analysis (BIA)
  C. To achieve compliance with regulatory requirements
  D. To help allocate budget for risk mitigation controls
  A. To determine the current risk profile

  ---

  Explanation

  The primary reason to perform a risk assessment is to determine the current risk profile of the organization, which is the level of risk exposure and the likelihood and impact of potential threats. This will help the organization to identify and prioritize the risks that need to be addressed and to align the risk management strategy with the business objectives. A risk assessment may also help to achieve compliance, support the BIA, and allocate budget, but these are not the primary reasons.

  References: ISACA Glossary of Terms, section "risk assessment"

• Question 1287:

  Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

  A. Effectiveness of the security program
  B. Security incidents vs. industry benchmarks
  C. Total number of hours budgeted to security
  D. Total number of false positives
  A. Effectiveness of the security program

  ---

  Explanation

  The executive management concern that could be addressed by the implementation of a security metrics dashboard is the effectiveness of the security program. A security metrics dashboard is a tool that provides a visual representation of key performance indicators (KPIs) and key risk indicators (KRIs) related to the organization's information security objectives and activities. A security metrics dashboard can help executive management monitor and evaluate the performance and value delivery of the security program, identify strengths and weaknesses, assess compliance with policies and standards, and support decision making and improvement initiatives. Security incidents vs. industry benchmarks, total number of hours budgeted to security, and total number of false positives are not executive management concerns that could be addressed by the implementation of a security metrics dashboard. These are more operational or technical aspects of information security that could be measured and reported by other means, such as incident reports, budget reports, or log analysis.

  References: [ISACA CISA Review Manual 27th Edition], page 302

• Question 1288:

  Which of the following control testing approaches is BEST used to evaluate a control's ongoing effectiveness by comparing processing results to independently calculated data?

  A. Embedded audit modules
  B. Sample-based re-performance
  C. Integrated test facility (ITF)
  D. Statistical sampling
  D. Statistical sampling

  ---

  Explanation

• Question 1289:

  An organization with high availability resource requirements is selecting a provider for cloud computing. Which of the following would cause the GREATEST concern to an IS auditor? The provider:

  A. hosts systems for the organization's competitor.
  B. does not store backup media offsite.
  C. is not internationally certified for high availability.
  D. deploys patches automatically without testing.
  D. deploys patches automatically without testing.

  ---

  Explanation

• Question 1290:

  An organization plans to implement a virtualization strategy enabling multiple operating systems on a single host. Which of the following should be the GREATEST concern with this strategy?

  A. Adequate storage space
  B. Complexity of administration
  C. Network bandwidth
  D. Application performance
  D. Application performance

  ---

  Explanation