Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1331:

  Which of the following is a PRIMARY benefit of an integrated audit?

  A. It enhances audit quality assurance (QA).
  B. It optimizes audit efforts across various functions.
  C. It ensures the improvement of auditor skills and competencies.
  D. It is suited for different business areas within organizations of any size.
  B. It optimizes audit efforts across various functions.

  ---

  Explanation

  Explanation

• Question 1332:

  Which of the following occurs during the issues management process for a system development project?

  A. Contingency planning
  B. Configuration management
  C. Help desk management
  D. Impact assessment
  D. Impact assessment

  ---

  Explanation

  Impact assessment is an activity that occurs during the issues management process for a system development project. Issues management is a process of identifying, analyzing, resolving, and monitoring issues that may affect the project scope, schedule, budget, or quality. Impact assessment is a technique of evaluating the severity and priority of an issue, as well as its implications for the project objectives and deliverables. The other options are not activities that occur during the issues management process, but rather related to other processes such as contingency planning, configuration management, or help desk management.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.31 CISA Review Questions, Answers and Explanations Database, Question ID 217

• Question 1333:

  Which of the following should be of GREATEST concern to an IS auditor testing interface controls for an associated bank wire transfer process?

  A. Data is not independently verified by a third party.
  B. Data in the bank's wire transfer system does not reconcile with transferred data.
  C. Customer-provided information does not appear to be accurate.
  D. The wire transfer was not completed with the most recent secure protocol.
  B. Data in the bank's wire transfer system does not reconcile with transferred data.

  ---

  Explanation

• Question 1334:

  Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

  A. Background checks
  B. User awareness training
  C. Transaction log review
  D. Mandatory holidays
  C. Transaction log review

  ---

  Explanation

  The best compensating control when segregation of duties is lacking in a small IS department is transaction log review. Transaction log review can help detect any unauthorized or fraudulent activities performed by IS staff who have access to multiple functions or systems. Transaction log review can also provide an audit trail for accountability and investigation purposes. The other options are not as effective as transaction log review in compensating for the lack of segregation of duties. Background checks are preventive controls that can help screen potential employees for any criminal records or dishonest behavior, but they do not prevent existing employees from abusing their access privileges. User awareness training is a detective control that can help educate users on how to report any suspicious or abnormal activities in the IS environment, but it does not monitor or verify the actions of IS staff. Mandatory holidays are deterrent controls that can discourage IS staff from engaging in fraudulent activities by requiring them to take periodic leave, but they do not prevent or detect such activities when they occur.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

• Question 1335:

  Which of the following BEST mitigates the risk associated with the deployment of a new production system?

  A. Problem management
  B. Incident management
  C. Configuration management
  D. Release management
  D. Release management

  ---

  Explanation

  Explanation

• Question 1336:

  Which of the following is the BEST way to mitigate the impact of ransomware attacks?

  A. Invoking the disaster recovery plan (DRP)
  B. Backing up data frequently
  C. Paying the ransom
  D. Requiring password changes for administrative accounts
  B. Backing up data frequently

  ---

  Explanation

  Ransomware is a type of malicious software that encrypts the victim's data and demands a ransom for its decryption1. Ransomware attacks can cause significant damage to an organization's operations, reputation, and finances1. Therefore,

  it is important to mitigate the impact of ransomware attacks by implementing effective prevention and recovery strategies.

  One of the best ways to mitigate the impact of ransomware attacks is to back up data frequently12345. Data backups are copies of the organization's data that are stored in a separate location or medium, such as an external hard drive, cloud

  storage, or tape2. Data backups can help the organization restore its data in case of a ransomware attack, without paying the ransom or losing valuable information2. Data backups should be performed regularly, preferably daily or weekly,

  depending on the criticality and volume of the data2. Data backups should also be tested periodically to ensure their integrity and usability2. The other options are not as effective as backing up data frequently in mitigating the impact of

  ransomware attacks. Invoking the disaster recovery plan (DRP) is a reactive measure that can help the organization resume its operations after a ransomware attack, but it does not prevent or reduce the damage caused by the attack3. Paying the ransom is not a recommended option, as it does not guarantee the decryption of the data or the deletion of the stolen data by the attackers. Paying the ransom also encourages further attacks and funds criminal activities14. Requiring password changes for administrative accounts is a good security practice, but it is not sufficient to prevent or recover from ransomware attacks.

  Ransomware attacks can exploit other vulnerabilities, such as phishing emails, outdated software, or weak network security15.

  References: 1: How to Mitigate the Risk of Ransomware Attacks: The Definitive Guide 2:

  Mitigating malware and ransomware attacks - The National Cyber Security Centre 3: 3 steps to prevent and recover from ransomware 4: Ransomware Epidemic: Use these 8 Strategies to Mitigate Risk 5: Practical Steps to Mitigate

  Ransomware Attacks - ITSecurityWire

• Question 1337:

  Which type of device sits on the perimeter of a corporate of home network, where it obtains a public IP address and then generates private IP addresses internally?

  A. Switch
  B. Intrusion prevention system (IPS)
  C. Gateway
  D. Router
  D. Router

  ---

  Explanation

  A router is a type of device that sits on the perimeter of a corporate or home network, where it obtains a public IP address and then generates private IP addresses internally. A router connects two or more networks and forwards packets between them based on routing rules. A router can also provide network address translation (NAT) functionality, which allows multiple devices to share a single public IP address and access the internet. A switch is a type of device that connects multiple devices within a network and forwards packets based on MAC addresses. An intrusion prevention system (IPS) is a type of device that monitors network traffic and blocks or modifies malicious packets based on predefined rules. A gateway is a type of device that acts as an interface between different networks or protocols, such as a modem or a firewall.

  References: CISA Review Manual (Digital Version), [ISACA Glossary of Terms]

• Question 1338:

  A characteristic of a digital signature is that it

  A. is under control of the receiver
  B. is unique to the message
  C. is validated when data are changed
  D. has a reproducible hashing algorithm
  B. is unique to the message

  ---

  Explanation

  A digital signature is a specific type of e-signature that is backed by a digital certificate. A digital certificate is a document that contains the public key of a signer and is issued by a trusted third party called a certificate authority (CA). A digital signature provides proof of the identity of the signer and the integrity of the signed document. A characteristic of a digital signature is that it is unique to the message. This means that a digital signature cannot be copied from one document to another without being detected as invalid. A digital signature is created by applying a mathematical function called a hashing algorithm to the document. A hashing algorithm produces a fixed-length output called a hash or digest from any input data. The hash is unique to the input data; any change in the input data will result in a different hash. The signer then encrypts the hash with their private key (a secret key that only they know) to create the digital signature. The encrypted hash is attached to the document as the digital signature. The recipient of the document can verify the digital signature by decrypting it with the signer's public key (a key that is publicly available and matches the private key) to obtain the hash. The recipient then applies the same hashing algorithm to the document to generate another hash. The recipient then compares the two hashes; if they match, it means that the document has not been altered and that the signer is authentic. Therefore, a digital signature is unique to the message because it is derived from the hash of the message, which is unique to the message.

  References:

  7: Free Online Signature Generator (Type or Draw) | Signaturely

  8: What are digital signatures and certificates? | Acrobat Sign - Adobe

  9: eSign PDF with Electronic Signature Free Online - Smallpdf

• Question 1339:

  An IS auditor is reviewing the change management process in a large IT service organization. Which of the following observations would be the GREATEST concern?

  A. Emergency software releases are not fully documented after implementation
  B. User acceptance testing (UAT) can be waived in case of emergency software releases
  C. Code is migrated manually into production during emergency software releases
  D. A senior developer has permanent access to promote code for emergency software releases
  D. A senior developer has permanent access to promote code for emergency software releases

  ---

  Explanation

• Question 1340:

  Which of the following data validation control validates input data against predefined range values?

  A. Range Check
  B. Table lookups
  C. Existence check
  D. Reasonableness check
  A. Range Check

  ---

  Explanation

  In the Range Check control data should not exceed a predefined range of values

  For CISA exam you should know below mentioned data validation edits and controls

  Sequence Check ?The control number follows sequentially and any sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are numbered sequentially. The day's

  invoice begins with 12001 and ends with 15045. If any invoice larger than 15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.

  Limit Check ?Data should not exceed a predefined amount. For example, payroll checks should not exceed US $ 4000. If a check exceeds US $ 4000, data would be rejected for further verification/authorization.

  Validity Check ?Programmed checking of data validity in accordance with predefined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, record

  should be rejected.

  Range Check ?Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

  Reasonableness check ?Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received,

  the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

  Table Lookups ?Input data comply with predefined criteria maintained in computerized table of possible values. For example, an input check enters a city code of 1 to 10. This number corresponds with a computerize table that matches a

  code to a city name.

  Existence Check ?Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in transaction code field.

  Key verification ?The keying process is repeated by a separate individual using a machine that compares the original key stroke to the repeated keyed input. For ex. the worker number is keyed twice and compared to verify the keying

  process.

  Check digit ?a numeric value that has been calculated mathematically is added to a data to ensure that original data have not been p[ altered or incorrect, but Valid, value substituted. This control is effective in detecting transposition and transcription error. For ex. A check digit is added to an account number so it can be checked for accuracy when it is used. Completeness check ?a filed should always contain data rather than zero or blanks. A check of each byte of that field should be performed to determine that some form of data, or not blanks or zeros, is present. For ex. A worker number on a

  new employee record is left blank. His is identified as a key in filed and the record would be rejected, with a request that the field be completed before the record is accepted for processing.

  Duplicate check ?new transaction is matched to those previously input to ensure that they have not already been entered. For ex. A vendor invoice number agrees with previously recorded invoice to ensure that the current order is not a duplicate and, therefore, the vendor will not be paid twice. Logical relationship check ?if a particular condition is true, then one or more additional conditions or data input relationship may be required to be true and consider the input valid. For ex. The hire data of an employee may be required to be

  true and consider the input valid. For ex. The hire date of an employee may be required to be more than 16 years past his her date of birth.

  The following were incorrect answers:

  Table Lookups ?Input data comply with predefined criteria maintained in computerized table of possible values. For example, an input check enters a city code of 1 to 10. This number corresponds with a computerize table that matches a

  code to a city name.

  Existence Check ?Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in transaction code field.

  Reasonableness check ?Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received,

  the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

  CISA review manual 2014 Page number 215