Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1341:

  During a review of an organization's IT capacity management process, an IS auditor should be MOST concerned if capacity planning:

  A. Was reviewed once during the previous six months.
  B. Omitted changes to key business systems.
  C. Lacked input from system administrators.
  D. Was based on input from IT service management only.
  B. Omitted changes to key business systems.

  ---

  Explanation

  Explanation

• Question 1342:

  Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?

  A. Review the third party's monitoring logs and incident handling
  B. Review the roles and responsibilities of the third-party provider
  C. Evaluate the organization's third-party monitoring process
  D. Determine if the organization has a secure connection to the provider
  B. Review the roles and responsibilities of the third-party provider

  ---

  Explanation

  The first step when planning an IS audit of a third-party service provider that monitors network activities is to review the roles and responsibilities of the third-party provider. This will help to establish the scope, objectives, and expectations of the audit, as well as to identify any potential risks, issues, or gaps in the service level agreement (SLA) between the organization and the provider. Reviewing the third party's monitoring logs and incident handling, evaluating the organization's third-party monitoring process, and determining if the organization has a secure connection to the provider are important steps, but they should be performed after reviewing the roles and responsibilities of the provider.

  References: CISA Review Manual (Digital Version)1, page 269.

• Question 1343:

  An organization considers implementing a system that uses a technology that is not in line with the organization's IT strategy. Which of the following is the BEST justification for deviating from the IT strategy?

  A. The system has a reduced cost of ownership.
  B. The organization has staff familiar with the technology.
  C. The business benefits are achieved even with extra costs.
  D. The system makes use of state-of-the-art technology.
  A. The system has a reduced cost of ownership.

  ---

  Explanation

• Question 1344:

  Multiple invoices are usually received for individual purchase orders, since purchase orders require staggered delivery dates. Which of the following is the BEST audit technique to test for duplicate payments?

  A. Run the data on the software programs used to process supplier payments.
  B. Use generalized audit software on the invoice transaction file.
  C. Run the data on the software programs used to process purchase orders.
  D. Use generalized audit software on the purchase order transaction file.
  A. Run the data on the software programs used to process supplier payments.

  ---

  Explanation

• Question 1345:

  Which of the following is the BEST way for an IS auditor to reduce sampling risk when performing audit sampling to verify the adequacy of an organization's internal controls?

  A. Lower the sample standard deviation
  B. Decrease the sampling size
  C. Outsource the sampling process.
  D. Use a statistical sampling method
  A. Lower the sample standard deviation

  ---

  Explanation

• Question 1346:

  What is the FIRST step an auditor should take when beginning a follow-up audit?

  A. Review workpapers from the previous audit.
  B. Gather evidence of remediation to conduct tests of controls.
  C. Review previous findings and action plans.
  D. Meet with the auditee to discuss remediation progress.
  C. Review previous findings and action plans.

  ---

  Explanation

• Question 1347:

  Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?

  A. Data leakage as a result of employees leaving to work for competitors
  B. Noncompliance fines related to storage of regulated information
  C. Unauthorized logical access to information through an application interface
  D. Physical theft of media on which information is stored
  D. Physical theft of media on which information is stored

  ---

  Explanation

  Full disk encryption (FDE) is a means of protecting information by encrypting all of the data on a disk, including temporary files, programs, and system files1. FDE is best suited for addressing the risk scenario of physical theft of media on which information is stored, as it prevents unauthorized access to the data even if the device is lost or stolen2. FDE does not prevent data leakage as a result of employees leaving to work for competitors, as they may still have access to the data while using the device or copy the data to another device before leaving. FDE does not prevent noncompliance fines related to storage of regulated information, as it does not ensure that the data is stored in accordance with the applicable laws and regulations. FDE does not prevent unauthorized logical access to information through an application interface, as it does not control the access rights and permissions of users and applications. *

  References: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 2402 Planning, "The IS audit and assurance professional should identify and assess risk relevant to the area under review." 3 One of the risk factors to consider is "the sensitivity of information processed, stored or transmitted by the system" 3. FDE is one of the possible controls to mitigate the risk of unauthorized disclosure of sensitive information due to physical theft of media.

• Question 1348:

  Which of the following is the PRIMARY purpose of using data analytics when auditing an enterprise resource planning (ERP) system for a large organization?

  A. To determine recovery point objectives (RPOs)
  B. To identify business processing errors
  C. To select sampling methods
  D. To identify threats to the ERP
  B. To identify business processing errors

  ---

  Explanation

• Question 1349:

  Which of the following is the BEST reason for delaying the application of a critical security patch?

  A. Lack of vulnerability management
  B. Conflicts with software development life cycle
  C. Technology interdependencies
  D. Resource limitations
  C. Technology interdependencies

  ---

  Explanation

• Question 1350:

  The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:

  A. payment processing.
  B. payroll processing.
  C. procurement.
  D. product registration.
  A. payment processing.

  ---

  Explanation

  Segregation of duties is a key internal control that aims to prevent fraud and errors by ensuring that no single individual has the authority to execute two or more conflicting sensitive transactions or functions. In the accounts payable vendor payment cycle, segregation of duties involves separating the tasks of vendor setup, procurement, invoice approval, and payment processing. This way, an employee cannot create a fictitious vendor and issue a payment to themselves or their accomplices without being detected by another person. Therefore, the best way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and payment processing.

  References: Segregation of Duties in the Accounts Payable Vendor Payment Cycle for SMBs - Now With a Podcast! - Debra R Richardson : What is Separation of duties - University of California, Berkeley