Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1301:

  Which of the following component of an expert system allows the expert to enter knowledge into the system without the traditional mediation of a software engineer?

  A. Decision tree
  B. Rules
  C. Semantic nets
  D. Knowledge interface
  D. Knowledge interface

  ---

  Explanation

  Knowledge interface allows the expert to enter knowledge into the system without the traditional mediation of a software engineer.

  For CISA Exam you should know below information about Artificial Intelligence and Expert System Artificial intelligence is the study and application of the principles by which: Knowledge is acquired and used

  Goals are generated and achieved Information is communicated Collaboration is achieved Concepts are formed Languages are developed

  Two main programming languages that have been developed for artificial intelligence are LISP and PROLOG.

  Expert system are compromised primary components, called shells, when they are not populated with particular data, and the shells are designed to host new expert system.

  Keys to the system is the knowledge base (KB), which contains specific information or fact patterns associated with a particular subject matter and the rule for interpreting these facts. The KB interface with a database in obtaining data to

  analyze a particular problem in deriving an expert conclusion. The information in the KB can be expressed in several ways:

  Decision Tree ?Using questionnaires to lead the user through a series of choices, until a conclusion is reached. Flexibility is compromised because the user must answer the questions in an exact sequence.

  Rule ?Expressing declarative knowledge through the use of if-then relationships. For example, if a patient's body temperature is over 39 degrees Celsius and their pulse is under 60, then they might be suffering from a certain disease.

  Semantic nets ?Consist of a graph in which the node represent physical or conceptual object and the arcs describe the relationship between the nodes. Semantic nets resemble a data flow diagram and make use of an inheritance mechanism

  to prevent duplication of a data.

  Additionally, the inference engine shown is a program that uses the KB and determines the most appropriate outcome based on the information supplied by the user. In addition, an expert system includes the following components

  Knowledge interface ?Allows the expert to enter knowledge into the system without the traditional mediation of a software engineer.

  Data Interface ?Enables the expert system to collect data from nonhuman sources, such as measurement instruments in a power plant.

  The following were incorrect answers:

  Decision Tree ?Using questionnaires to lead the user through a series of choices, until a conclusion is reached. Flexibility is compromised because the user must answer the questions in an exact sequence.

  Rule - Expressing declarative knowledge through the use of if-then relationships.

  Semantic nets ?Semantic nets consist of a graph in which the node represent physical or conceptual object and the arcs describe the relationship between the nodes.

  CISA review manual 2014 Page number 187

• Question 1302:

  Which of the following features of a library control software package would protect against unauthorized updating of source code?

  A. Required approvals at each life cycle step
  B. Date and time stamping of source and object code
  C. Access controls for source libraries
  D. Release-to-release comparison of source code
  C. Access controls for source libraries

  ---

  Explanation

  Access controls for source libraries are the features of a library control software package that would protect against unauthorized updating of source code. Access controls are the mechanisms that regulate who can access, modify, or delete the source code stored in the source libraries. Source libraries are the repositories that contain the source code files and their versions. By implementing access controls for source libraries, the library control software package can prevent unauthorized or malicious users from tampering with the source code and compromising its integrity, security, or functionality1. The other options are not as effective as access controls for source libraries in protecting against unauthorized updating of source code. Option A, required approvals at each life cycle step, is a good practice but may not be sufficient to prevent unauthorized updates if the approval process is bypassed or compromised. Option B, date and time stamping of source and object code, is a useful feature but may not prevent unauthorized updates if the date and time stamps are altered or ignored. Option D, release-to-release comparison of source code, is a helpful feature but may not prevent unauthorized updates if the comparison results are not reviewed or acted upon.

  References: ISACA, CISA Review Manual, 27th Edition, 2019 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription How to protect your source code from attackers2 How to Stop Unauthorized Use of Open Source Code

• Question 1303:

  Which of the following is the MOST efficient way to identify fraudulent activity on a set of transactions?

  A. Control self-assessments (CSAs)
  B. Interviews with control owners
  C. Regression analysis
  D. Benford's law analysis
  D. Benford's law analysis

  ---

  Explanation

  Explanation

  Benford's law analysis is a powerful technique for identifying irregularities or anomalies in numerical datasets, such as financial transactions. It detects deviations from expected frequency distributions, which may indicate fraud. Control Self-

  Assessments (CSAs) (Option A):Useful for control evaluation but not for fraud detection.

  Interviews with Control Owners (Option B):Provide insights but are not efficient for identifying fraudulent patterns.

  Regression Analysis (Option C):Effective for predictive modeling but less so for detecting fraud in transactional data.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

• Question 1304:

  Which of the following is the BEST metric to measure the quality of software developed in an organization?

  A. Amount of successfully migrated software changes
  B. Reduction in the help desk budget
  C. Number of defects discovered in production
  D. Increase in quality assurance (QA) activities
  C. Number of defects discovered in production

  ---

  Explanation

  Explanation

• Question 1305:

  Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

  A. Mobile device tracking program
  B. Mobile device upgrade program
  C. Mobile device testing program
  D. Mobile device awareness program
  D. Mobile device awareness program

  ---

  Explanation

  A mobile device awareness program would best enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy. A mobile device awareness program is a set of activities that aim to educate and inform the employees about the benefits, challenges, and best practices of using their personal mobile devices for work purposes. A mobile device awareness program can help the organization to: Communicate the organization's policies and expectations regarding BYOD, such as which devices are allowed, what data can be accessed or stored, and what security measures are required. Raise the employees' awareness of the potential threats and vulnerabilities that affect their mobile devices, such as malware, phishing, data leakage, or device loss. Provide the employees with guidance and tips on how to protect their mobile devices and the organization's data, such as using strong passwords, encryption, antivirus software, remote wipe, or VPN. Encourage the employees to report any incidents or issues related to their mobile devices, such as suspicious messages, unauthorized access, or device damage. A mobile device awareness program can help the organization to reduce the security risks associated with BYOD by enhancing the employees' knowledge, skills, and behavior in using their mobile devices securely and responsibly. A mobile device awareness program can also help the organization to comply with relevant regulations and standards that govern data privacy and security in the cloud. The other options are not as effective as a mobile device awareness program in enabling an organization to address the security risks associated with BYOD. Option A, mobile device tracking program, is a tool that allows the organization to monitor and locate the employees' mobile devices in case of loss or theft. However, this tool may not prevent or detect other types of security risks, such as malware infection or data breach. Option B, mobile device upgrade program, is a process that ensures that the employees' mobile devices are running the latest versions of operating systems and applications. However, this process may not address other aspects of security, such as user behavior or data protection. Option C, mobile device testing program, is a method that verifies the functionality and compatibility of the employees' mobile devices with the organization's systems and networks. However, this method may not cover all the scenarios or factors that may affect the security of the mobile devices or the organization's data2.

  References: Mobile Device Security Awareness Topics Security Awareness Top Ten Topics - #8 Mobile Devices

• Question 1306:

  Which of the following is a prerequisite to help ensure that IS hardware and software support the delivery of mission-critical functions?

  A. Control over IS infrastructure expenditure
  B. An independent audit of the process
  C. A comprehensive IS applications architecture
  D. Documented emergency change procedures
  C. A comprehensive IS applications architecture

  ---

  Explanation

• Question 1307:

  Which of the following BEST describes an audit risk?

  A. The company is being sued for false accusations.
  B. The financial report may contain undetected material errors.
  C. Employees have been misappropriating funds.
  D. Key employees have not taken vacation for 2 years.
  B. The financial report may contain undetected material errors.

  ---

  Explanation

  The best description of an audit risk is that the financial report may contain undetected material errors. Audit risk is the risk that the auditor expresses an inappropriate opinion on the financial report when it contains material misstatements or errors. Audit risk consists of three components: inherent risk, control risk, and detection risk. Inherent risk is the susceptibility of an assertion or a control to a material misstatement or error due to factors such as complexity, volatility, fraud, or human error. Control risk is the risk that a material misstatement or error will not be prevented or detected by the internal controls. Detection risk is the risk that the auditor's procedures will not detect a material misstatement or error that exists in an assertion or a control.

  References: CISA Review Manual (Digital Version) CISA Questions, Answers and Explanations Database

• Question 1308:

  Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?

  A. Risk acceptance
  B. Risk mitigation
  C. Risk transference
  D. Risk reduction
  A. Risk acceptance

  ---

  Explanation

  Segregation of duties is a fundamental concept in cybersecurity and information security. It refers to the practice of dividing critical tasks and responsibilities among different individuals or roles within an organization to reduce the risk of fraud,

  error, or unauthorized activities1. Segregation of duties is designed to prevent unilateral actions within an organization's workflow, which can result in damaging events that would exceed the organization's risk tolerance2. There are different

  types of responses to risk associated with segregation of duties, depending on the level of risk and the cost-benefit analysis. Some of the common responses are:

  Risk acceptance: This means acknowledging a risk and deciding to tolerate it without taking any corrective actions. This response is usually chosen when the risk is low or the cost of mitigation is too high. Risk mitigation: This means taking

  steps ahead of time to lessen the effects of a risk and make it less likely to happen. Some examples of mitigation strategies are making backup plans, setting up early warning systems, and staying away from high-risk areas or activities.

  Risk transference: This means shifting the negative impact of a risk and/or the responsibility for managing the risk response to a third party. Some examples of transference strategies are outsourcing, insurance, or contracts5. Risk reduction:

  This means reducing the probability and/or severity of the risk below a threshold of acceptability. Some examples of reduction strategies are implementing controls, policies, or procedures to prevent or detect risks6. Based on these

  definitions, the response to risk associated with segregation of duties that would incur the lowest initial cost is A. Risk acceptance. This is because risk acceptance does not require any additional resources or actions to address the risk.

  However, risk acceptance also implies that the organization is willing to bear the consequences of the risk if it occurs, which could be costly in the long run. Therefore, the correct answer to your question is A. Risk acceptance.

• Question 1309:

  Which of the following controls helps to reduce fraud risk associated with robotic process automation (RPA)?

  A. Inclusion of robots in business impact assessments (BIAs)
  B. Password rotation
  C. Recertification process for robots
  D. Common RPA testing framework
  B. Password rotation

  ---

  Explanation

• Question 1310:

  What should an IS auditor evaluate FIRST when reviewing an organization's response to new privacy legislation?

  A. Implementation plan for restricting the collection of personal information
  B. Privacy legislation in other countries that may contain similar requirements
  C. Operational plan for achieving compliance with the legislation
  D. Analysis of systems that contain privacy components
  D. Analysis of systems that contain privacy components

  ---

  Explanation

  The first thing that an IS auditor should evaluate when reviewing an organization's response to new privacy legislation is the analysis of systems that contain privacy components. Privacy components are elements of a system that collect, process, store, or transmit personal information that is subject to privacy legislation. An analysis of systems that contain privacy components should identify what types of personal information are involved, where they are located, how they are used, who has access to them, and what risks or threats they face. An analysis of systems that contain privacy components is essential for determining the scope and impact of the new privacy legislation on the organization's systems and processes. The other options are not as important as option

  D. An implementation plan for restricting the collection of personal information is a possible action, but not the first thing to evaluate, when reviewing an organization's response to new privacy legislation. An implementation plan for restricting the collection of personal information is a document that outlines how an organization will comply with the principle of data minimization, which states that personal information should be collected only for specific and legitimate purposes and only to the extent necessary for those purposes. An implementation plan for restricting the collection of personal information should be based on an analysis of systems that contain privacy components. Privacy legislation in other countries that may contain similar requirements is a possible source of reference, but not the first thing to evaluate, when reviewing an organization's response to new privacy legislation. Privacy legislation in other countries that may contain similar requirements is a set of laws or regulations that governs the protection of personal information in other jurisdictions that may have comparable or compatible standards or expectations as the new privacy legislation. Privacy legislation in other countries that may contain similar requirements may provide guidance or best practices for complying with the new privacy legislation. However, privacy legislation in other countries that may contain similar requirements should not be used as a substitute for an analysis of systems that contain privacy components. An operational plan for achieving compliance with the legislation is a possible deliverable, but not the first thing to evaluate, when reviewing an organization's response to new privacy legislation. An operational plan for achieving compliance with the legislation is a document that describes how an organization will implement and maintain the necessary policies, procedures, controls, and measures to comply with the new privacy legislation. An operational plan for achieving compliance with the legislation should be derived from an analysis of systems that contain privacy components.

  References: Privacy law - Wikipedia, Data Protection and Privacy Legislation Worldwide | UNCTAD, Data minimization - Wikipedia