Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1311:

  An external audit firm was engaged to perform a validation and verification review for a systems implementation project. The IS auditor identifies that regression testing is not part of the project plan and was not performed by the systems implementation team. According to the team, the parallel testing being performed is sufficient, making regression testing unnecessary.

  What should be the auditor's NEXT step?

  A. Evaluate the extent of the parallel testing being performed
  B. Recommend integration and stress testing be conducted by the systems implementation team
  C. Conclude that parallel testing is sufficient and regression testing is not needed
  D. Recommend regression testing be conducted by the systems implementation team
  D. Recommend regression testing be conducted by the systems implementation team

  ---

  Explanation

  Regression testing is crucial to ensure that new changes do not negatively impact existing functionalities. The IS auditor should recommend that regression testing be conducted to confirm that the system operates correctly after changes are

  made.

  References:

  ISACA CISA Review Manual 27th Edition, Page 256-257 (Testing Strategies)

• Question 1312:

  An online retailer is receiving customer about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

  A. Implement business rules to validate employee data entry.
  B. Invest in additional employee training for data entry.
  C. Assign responsibility for improving data quality.
  D. Outsource data cleansing activities to reliable third parties.
  A. Implement business rules to validate employee data entry.

  ---

  Explanation

• Question 1313:

  Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only. Which of the following did the IS auditor potentially compromise?

  A. Proficiency
  B. Due professional care
  C. Sufficient evidence
  D. Reporting
  B. Due professional care

  ---

  Explanation

  Due professional care is the obligation of an IS auditor to exercise the appropriate level of skill, competence, and diligence in performing an audit. It also requires the IS auditor to comply with the relevant standards, guidelines, and ethical principles of the profession. Completing an engagement by email only may compromise due professional care, as it may limit the IS auditor's ability to obtain sufficient and appropriate evidence, to communicate effectively with the auditee and other stakeholders, and to perform adequate quality assurance and review procedures. The other options are not as relevant as due professional care, as they relate to specific aspects of an audit, such as proficiency (the knowledge and skills of the IS auditor), sufficient evidence (the quantity and quality of the audit evidence), and reporting (the presentation and communication of the audit results).

  References: CISA Review Manual (Digital Version), Domain: The Process of Auditing Information Systems, Section 1.2 ISACA IT Audit and Assurance Standards

• Question 1314:

  Which of the following is the MOST important consideration when implementing a Zero Trust strategy for mobile, wireless, and Internet of Things (IoT) devices?

  A. Ensuring the latest firmware updates are applied regularly to all devices
  B. Validating the identity of all devices and users before granting access to resources
  C. Focusing on user training and awareness to prevent phishing attacks
  D. Implementing strong encryption protocols for data in transit and at rest
  B. Validating the identity of all devices and users before granting access to resources

  ---

  Explanation

  Explanation

• Question 1315:

  Who is responsible for defining data access permissions?

  A. IT operations manager
  B. Data owner
  C. Database administrator (DBA)
  D. Information security manager
  B. Data owner

  ---

  Explanation

  Explanation

  Comprehensive and Detailed Step-by-Step

  Thedata owneris the individual or entity responsible for classifying, protecting, and defining access permissions to data. They ensure that only authorized personnel can access, modify, or distribute data based on business needs and

  regulatory requirements.

  Data Owner (Correct Answer ?B)

  IT Operations Manager (Incorrect ?A)

  Database Administrator (DBA) (Incorrect ?C)

  Information Security Manager (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  COBIT 2019 Framework

  NIST 800-53 (Security and Privacy Controls for Federal Information Systems)

• Question 1316:

  During business process reengineering (BPR) of a bank's teller activities, an IS auditor should evaluate:

  A. the impact of changed business processes.
  B. the cost of new controls.
  C. BPR project plans.
  D. continuous improvement and monitoring plans.
  A. the impact of changed business processes.

  ---

  Explanation

• Question 1317:

  chain management processes Customer orders are not being fulfilled in a timely manner, and the inventory in the warehouse does not match the quantity of goods in the sales orders. Which of the following is the auditor's BEST recommendation?

  A. Require the sales representative to verify inventory levels prior to finalizing sales orders.
  B. Require the warehouse manager to send updated inventory levels on a periodic basis.
  C. Revise the order fulfillment procedures in collaboration with the e-commerce team.
  D. Implement an automated control to verify inventory levels prior to finalizing sales orders.
  D. Implement an automated control to verify inventory levels prior to finalizing sales orders.

  ---

  Explanation

• Question 1318:

  Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?

  A. Average the business units' IT risk levels
  B. Identify the highest-rated IT risk level among the business units
  C. Prioritize the organization's IT risk scenarios
  D. Establish a global IT risk scoring criteria
  C. Prioritize the organization's IT risk scenarios

  ---

  Explanation

  The best approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks is to prioritize the organization's IT risk scenarios. IT risk appetite is the amount and type of IT risk that an organization is willing to accept in pursuit of its objectives. IT risk scenarios are hypothetical situations that describe the potential impact of IT risk events on the organization's objectives, processes, and resources. By prioritizing the organization's IT risk scenarios, the IS auditor can identify the most significant IT risks that affect the organization as a whole, and align them with the organization's strategic goals, values, and culture. Prioritizing the organization's IT risk scenarios can also help to communicate and monitor the IT risk appetite across the organization, and facilitate consistent and informed decision making. The other approaches (A, B and D) are not effective for determining the overall IT risk appetite of an organization, as they do not consider the impact and likelihood of IT risks on the organization's objectives, nor do they account for the diversity and complexity of IT risks across different business units.

  References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of Information Technology, Section 2.3: Information Technology Risk Management

• Question 1319:

  William has been assigned a changeover task. He has to break the older system into deliverable modules. Initially, the first module of the older system is phased out using the first module of a new system. Then, the second module of the old system is phased out, using the second module of the newer system and so forth until reaching the last module. Which of the following changeover system William needs to implement?

  A. Parallel changeover
  B. Phased changeover
  C. Abrupt changeover
  D. Pilot changeover
  B. Phased changeover

  ---

  Explanation

  In phased changeover approach, the older system is broken into deliverables modules. Initially, the first module of older system is phased out using the first module of a new system. Then, the second module of the newer system is phased

  out, using the second module of the newer system and so forth until reaching the last module.

  Some of the risk areas that may exist in the phased changeover area includes:

  Resource challenge

  Extension of the project life cycle to cover two systems.

  Change management for requirements and customizations to maintain ongoing support of the older systems.

  Changeover refers to an approach to shift users from using the application from the existing (old) system to the replacing (new) system.

  Changeover to newer system involves four major steps or activities

  Conversion of files and programs; test running on test bed

  Installation of new hardware, operating system, application system and the migrated data.

  Training employees or user in groups

  Scheduling operations and test running for go-live or changeover

  Some of the risk areas related to changeover includes:

  1.Asset safeguarding

  2.Data integrity

  3.System effectiveness

  4.Change management challenges

  5.Duplicate or missing records

• Question 1320:

  Which of the following MOST effectively enables consistency across high-volume software changes'?

  A. The use of continuous integration and deployment pipelines
  B. Management reviews of detailed exception reports for released code
  C. Publication of a refreshed policy on development and release management
  D. An ongoing awareness campaign for software deployment best practices
  A. The use of continuous integration and deployment pipelines

  ---

  Explanation