Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 131:

  What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

  A. The contract does not contain a right-to-audit clause.
  B. An operational level agreement (OLA) was not negotiated.
  C. Several vendor deliverables missed the commitment date.
  D. Software escrow was not negotiated.
  D. Software escrow was not negotiated.

  ---

  Explanation

  The greatest concern for an IS auditor reviewing contracts for licensed software that executes a critical business process is that software escrow was not negotiated. Software escrow is an arrangement where a third-party holds a copy of the source code and documentation of a licensed software in a secure location. The software escrow agreement specifies the conditions under which the licensee can access the escrowed materials, such as in case of bankruptcy, termination, or breach of contract by the licensor. Software escrow is important for ensuring the continuity and availability of a critical business process that depends on a licensed software. Without software escrow, the licensee may face significant risks and challenges in maintaining, modifying, or recovering the software in case of any disruption or dispute with the licensor.

  References: CISA Review Manual (Digital Version) CISA Questions, Answers and Explanations Database

• Question 132:

  Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

  A. The certificate revocation list has not been updated.
  B. The PKI policy has not been updated within the last year.
  C. The private key certificate has not been updated.
  D. The certificate practice statement has not been published
  A. The certificate revocation list has not been updated.

  ---

  Explanation

• Question 133:

  Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?

  A. Purchase requisitions and purchase orders
  B. Invoices and reconciliations
  C. Vendor selection and statements of work
  D. Good receipts and payments
  D. Good receipts and payments

  ---

  Explanation

  The greatest segregation of duties conflict would occur if the individual who performs the related tasks also has approval authority for purchase requisitions and purchase orders. This is because these two tasks are directly related to each other and involve financial transactions. If the same person is responsible for both tasks, it could lead to potential fraud or error. For instance, the individual could approve a purchase order for a personal need and then also approve the payment for it, leading to misuse of company funds.

  References: Segregation of Duties: Examples of Roles, Duties and Violations - Pathlock Functions in the Purchasing Process and how to Segregate Purchasing Duties

• Question 134:

  Which of the following is the BEST metric to measure the alignment of IT and business strategy?

  A. Level of stakeholder satisfaction with the scope of planned IT projects
  B. Percentage of enterprise risk assessments that include IT-related risk
  C. Percentage of stat satisfied with their IT-related roles
  D. Frequency of business process capability maturity assessments
  B. Percentage of enterprise risk assessments that include IT-related risk

  ---

  Explanation

  The best metric to measure the alignment of IT and business strategy is the percentage of enterprise risk assessments that include IT-related risk. This metric indicates how well the organization identifies and manages the IT risks that could affect its strategic objectives and performance. A high percentage of enterprise risk assessments that include IT-related risk shows that the organization considers IT as an integral part of its business strategy and aligns its IT resources and capabilities with its business needs and goals .

  References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.2: IT Strategy, page 67 : CISA Online Review Course, Module 2: Governance and Management of IT, Lesson 2.2: IT Strategy

• Question 135:

  Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

  A. The BCP's contact information needs to be updated
  B. The BCP is not version controlled.
  C. The BCP has not been approved by senior management.
  D. The BCP has not been tested since it was first issued.
  D. The BCP has not been tested since it was first issued.

  ---

  Explanation

  The greatest concern for an IS auditor reviewing an organization's business continuity plan (BCP) is that the BCP has not been tested since it was first issued. A BCP is a document that describes how an organization will continue its critical business functions in the event of a disruption or disaster. A BCP should include information such as roles and responsibilities, recovery strategies, resources, procedures, communication plans, and backup arrangements3. Testing the BCP is a vital step in ensuring its validity, effectiveness, and readiness. Testing the BCP involves simulating various scenarios and executing the BCP to verify whether it meets its objectives and requirements. Testing the BCP can also help to identify and correct any gaps, errors, or weaknesses in the BCP before they become issues during a real incident4. Therefore, an IS auditor should be concerned if the BCP has not been tested since it was first issued, as it may indicate that the BCP is outdated, inaccurate, incomplete, or ineffective. The other options are less concerning or incorrect because:

  A. The BCP's contact information needs to be updated is not a great concern for an IS auditor reviewing an organization's BCP, as it is a minor issue that can be easily fixed. Contact information refers to the names, phone numbers, email addresses, or other details of the people involved in the BCP execution or communication. Contact information needs to be updated regularly to reflect any changes in personnel or roles. While having outdated contact information may cause some delays or confusion during a BCP activation, it does not affect the overall validity or effectiveness of the BCP.

  B. The BCP is not version controlled is not a great concern for an IS auditor reviewing an organization's BCP, as it is a moderate issue that can be improved. Version control refers to the process of tracking and managing changes made to the BCP over time. Version control helps to ensure that only authorized changes are made to the BCP and that there is a clear record of who made what changes when and why. Version control also helps to avoid conflicts or inconsistencies among different versions of the BCP. While having no version control may cause some difficulties or risks in maintaining and updating the BCP, it does not affect the overall validity or effectiveness of the BCP.

  C. The BCP has not been approved by senior management is not a great concern for an IS auditor reviewing an organization's BCP, as it is a high-level issue that can be resolved. Approval by senior management refers to the formal endorsement and support of the BCP by the top executives or leaders of the organization. Approval by senior management helps to ensure that the BCP is aligned with the organization's strategy, objectives, and priorities, and that it has sufficient resources and authority to be implemented. Approval by senior management also helps to increase the awareness and commitment of the organization's stakeholders to the BCP. While having no approval by senior management may affect the credibility and acceptance of the BCP, it does not affect the overall validity or effectiveness of the BCP.

  References: Working Toward a Managed, Mature Business Continuity Plan - ISACA, ISACA Introduces New Audit Programs for Business Continuity/ Disaster ..., Disaster Recovery and Business Continuity Preparedness for Cloud-based ...

• Question 136:

  Which of the following performance management tools BEST helps an IS auditor evaluate the success of an organization's IT strategy implementation and execution?

  A. IT benchmarking
  B. Capability maturity model
  C. Six Sigma
  D. IT metrics dashboard
  D. IT metrics dashboard

  ---

  Explanation

  Explanation

• Question 137:

  Which of the following is the PRIMARY objective of enterprise architecture (EA)?

  A. Maintaining detailed system documentation
  B. Managing and planning for IT investments
  C. Executing customized development and delivery of projects
  D. Enforcing the IT policy across the organization
  B. Managing and planning for IT investments

  ---

  Explanation

• Question 138:

  Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

  A. Align service level agreements (SLAs) with current needs.
  B. Monitor customer satisfaction with the change.
  C. Minimize costs related to the third-party agreement.
  D. Ensure right to audit is included within the contract.
  A. Align service level agreements (SLAs) with current needs.

  ---

  Explanation

  The primary area of focus when an organization decides to outsource technical support for its external customers is to align service level agreements (SLAs) with current needs. SLAs are contracts that define the scope, quality, and

  expectations of the services provided by the vendor, as well as the remedies or penalties for non-compliance. SLAs are essential for ensuring that the outsourced technical support meets the customer's requirements and satisfaction, as well

  as the organization's objectives and standards. By aligning SLAs with current needs, the organization can specify the key performance indicators (KPIs), metrics, and targets that reflect the desired outcomes and value of the technical support.

  This can also help to monitor and evaluate the vendor's performance, identify gaps or issues, and implement corrective actions or improvements.

  References:

  Service Level Agreement (SLA) Examples and Template What is an SLA? Best practices for service-level agreements

• Question 139:

  Which of the following BEST mitigates the risk of SQL injection attacks against applications exposed to the internet?

  A. Web application firewall (WAF)
  B. SQL server hardening
  C. Patch management program
  D. SQL server physical controls
  A. Web application firewall (WAF)

  ---

  Explanation

  AWeb Application Firewall (WAF) (A) is the best control to mitigate SQL injection attacks because it can detect and block malicious SQL queries before they reach the application.WAFs analyze incoming requests, filter SQL injection attempts,

  and provide an additional layer of security for web applications.

  Other options:

  SQL server hardening (B)improves security but does not specifically address SQL injection. Patch management (C)is necessary but does not provide immediate protection against new SQL injection attacks. Physical controls (D)are unrelated

  to application-layer threats like SQL injection.

  ISACA CISA Review Manual, Information Security

• Question 140:

  IT governance should be driven by:

  A. business unit initiatives.
  B. balanced scorecards.
  C. policies and standards.
  D. organizational strategies.
  D. organizational strategies.

  ---

  Explanation

  IT governance should be driven by organizational strategies. It provides a formal structure for organizations to produce measurable results toward achieving their strategies and ensures that IT investments support business objectives12. While business unit initiatives, balanced scorecards, and policies and standards can play a role in IT governance, they are tools or methods that support the implementation of the organizational strategies.