Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1401:

  Who is responsible for ensuring that system controls and supporting processes provides an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures?

  A. Project Sponsor
  B. Security Officer
  C. User Management
  D. Senior Management
  B. Security Officer

  ---

  Explanation

  Security Officer ensures that system controls and supporting processes provides an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures: consult throughout the life

  cycle on appropriate security measures that should be incorporated into the system.

  For the CISA exam you should know the information below about roles and responsibilities of groups/individuals that may be involved in the development process are summarized below:

  Senior Management ?Demonstrate commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

  User Management ?Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development,

  acceptance testing and user training. User management is concerned primarily with the following questions:

  Are the required functions available in the software?

  How reliable is the software?

  How effective is the software?

  Is the software easy to use?

  How easy is to transfer or adapt old data from preexisting software to this environment?

  Is it possible to add new functions?

  Does it meet regulatory requirement?

  Project Steering Committee ?Provides overall directions and ensures appropriate representation of the major stakeholders in the project's outcome. The project steering committee is ultimately responsible for all deliverables, project costs and

  schedules. This committee should be compromised of senior representative from each business area that will be significantly impacted by the proposed new system or system modifications.

  System Development Management ?Provides technical support for hardware and software environment by developing, installing and operating the requested system.

  Project Manager ?Provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall directions, ensures appropriate representation of the affected departments, ensures that the

  project adheres local standards, ensures that deliverable meet the quality expectation of key stakeholder, resolve interdepartmental conflict, and monitors and controls cost of the project timetables.

  Project Sponsor ?Project sponsor provides funding for the project and works closely with the project manager to define critical success factor(CSFs) and metrics for measuring the success of the project. It is crucial that success is translated

  to measurable and quantifiable terms. Data and application ownership are assigned to a project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

  System Development Project Team ?Completes assigned tasks, communicates effectively with user by actively involving them in the development process, works according to local standards, and advise the project manager of necessary

  plan deviations.

  User Project Team ?Completes assigned tasks, communicate effectively with the system developers by actively involving themselves in the development process as Subject Matter Expert (SME) and works according to local standards, and

  advise the project manager of expected and actual project deviations.

  Security Officer ?Ensures that system controls and supporting processes provides an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures: consult throughout the life

  cycle on appropriate security measures that should be incorporated into the system.

  Quality Assurance ?Personnel who review result and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure that the quality of the project by measuring adherence

  of the project staff to the organization's software development life cycle (SDLC), advise on the deviation and propose recommendation for process improvement or greater control points when deviation occur.

  The following were incorrect answers:

  Project Sponsor ?Project sponsor provides funding for the project and works closely with the project manager to define critical success factor(CSFs) and metrics for measuring the success of the project. It is crucial that success is translated

  to measurable and quantifiable terms. Data and application ownership are assigned to a project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

  User Management ?Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development,

  acceptance testing and user training.

  Senior Management ?Demonstrate commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

  CISA review manual 2014 Page number 150

• Question 1402:

  Which of the following be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization's business-critical server hardware?

  A. Preventive maintenance costs exceed the business allocated budget.
  B. Preventive maintenance has not been approved by the information system
  C. Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs)
  D. The preventive maintenance schedule is based on mean time between failures (MTBF) parameters.
  C. Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs)

  ---

  Explanation

  The answer C is correct because preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs) would be of greatest concern to an IS auditor reviewing on-site preventive maintenance for an organization's business- critical server hardware. This is because outsourcing preventive maintenance to multiple vendors without NDAs exposes the organization to the risk of unauthorized access, disclosure, or modification of sensitive data and information stored on the servers. NDAs are legal contracts that bind the vendors to protect the confidentiality and security of the data and information they access or handle during the preventive maintenance. Without NDAs, the vendors may not have any obligation or incentive to safeguard the data and information, and they may misuse, leak, or compromise them for malicious or commercial purposes. This could result in financial losses, reputational damage, legal liabilities, or regulatory penalties for the organization. The other options are not as concerning as option

  C. Preventive maintenance costs exceed the business allocated budget (option A) is a financial issue that may affect the profitability or efficiency of the organization, but it does not directly impact the security or availability of the server hardware. Preventive maintenance has not been approved by the information system (option B) is a procedural issue that may indicate a lack of coordination or communication between the IT department and the business units, but it does not necessarily affect the quality or effectiveness of the preventive maintenance. The preventive maintenance schedule is based on mean time between failures (MTBF) parameters (option D) is a technical issue that may influence the frequency or timing of the preventive maintenance, but it does not imply any risk or deficiency in the preventive maintenance itself.

  References: What is a Maintenance Audit? How to audit your preventative maintenance schedule 5 Step Maintenance Management Program Audit How do you get effective Preventive Maintenance really? What is a Planned Preventative Maintenance Audit?

• Question 1403:

  An IS auditor reviewing the use of encryption finds that the symmetric key is sent by an email message between the parties. Which of the following audit responses is correct in this situation?

  A. An audit finding is recorded, as the key should be asymmetric and therefore changed.
  B. No audit finding is recorded, as it is normal to distribute a key of this nature in this manner.
  C. No audit finding is recorded, as the key can only be used once.
  D. An audit finding is recorded as the key should be distributed in a secure manner.
  D. An audit finding is recorded as the key should be distributed in a secure manner.

  ---

  Explanation

• Question 1404:

  Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

  A. Risk identification
  B. Risk classification
  C. Control self-assessment (CSA)
  D. Impact assessment
  D. Impact assessment

  ---

  Explanation

• Question 1405:

  Audit observations should be FIRST communicated with the auditee:

  A. when drafting the report.
  B. during fieldwork.
  C. at the end of fieldwork.
  D. within the audit report
  B. during fieldwork.

  ---

  Explanation

  Audit observations are the findings and recommendations that result from an audit engagement. Audit observations should be first communicated with the auditee during fieldwork, which is the stage of the audit process where the auditor

  collects and analyzes evidence to evaluate the audit objectives1. Communicating audit observations during fieldwork has several benefits, such as2:

  It allows the auditor to verify the accuracy and completeness of the observations, and to obtain additional information or clarification from the auditee if needed. It enables the auditor to discuss the root causes, impacts, and risks of the

  observations, and to solicit the auditee's input on possible corrective actions and implementation timelines.

  It helps to build rapport and trust between the auditor and the auditee, and to avoid surprises or disagreements at the end of the audit. It facilitates timely resolution of audit observations, and reduces the risk of audit delays or disputes.

  Therefore, option B is the correct answer.

  Option A is not correct because communicating audit observations when drafting the report is too late, as it may lead to misunderstandings, conflicts, or revisions that could have been avoided if the observations were communicated earlier.

  Option C is not correct because communicating audit observations at the end of fieldwork is also not ideal, as it may not leave enough time for the auditor and the auditee to discuss and agree on the observations and recommendations.

  Option D is not correct because communicating audit observations within the audit report is the final step of the audit process, not the first.

  References:

  Audit Process Overview1

  Communicating Internal Audit Findings: Best Practices for Success2

• Question 1406:

  The PRIMARY role of a control self-assessment (CSA) facilitator is to:

  A. conduct interviews to gain background information.
  B. focus the team on internal controls.
  C. report on the internal control weaknesses.
  D. provide solutions for control weaknesses.
  B. focus the team on internal controls.

  ---

  Explanation

  The primary role of a control self-assessment (CSA) facilitator is to focus the team on internal controls. A CSA facilitator is a person who guides the CSA process and helps the participants to identify, assess, and improve their internal controls. The facilitator does not conduct interviews, report on weaknesses, or provide solutions, as these are the responsibilities of the participants themselves1. The other options are incorrect because they are not the primary role of a CSA facilitator. Option A, conduct interviews to gain background information, is a preliminary step that may be done by the facilitator or the participants before the CSA session, but it is not the main purpose of the facilitator. Option C, report on the internal control weaknesses, is an outcome of the CSA process that should be done by the participants who own and operate the controls. Option D, provide solutions for control weaknesses, is also an outcome of the CSA process that should be done by the participants who are in charge of implementing the improvements.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, page 2822 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription, QID 1066693 PwC, Control Self Assessments4 Workiva, 4 factors of an effective control self-assessment (CSA) program5

• Question 1407:

  Two servers are deployed in a cluster to run a mission-critical application. To determine whether the system has been designed for optimal efficiency, the IS auditor should verify that:

  A. the security features in the operating system are all enabled
  B. the number of disks in the cluster meets minimum requirements
  C. the two servers are of exactly the same configuration
  D. load balancing between the servers has been implemented
  D. load balancing between the servers has been implemented

  ---

  Explanation

• Question 1408:

  How would an IS auditor BEST determine the effectiveness of a security awareness program?

  A. Review the results of social engineering tests.
  B. Evaluate management survey results.
  C. Interview employees to assess their security awareness.
  D. Review security awareness training quiz results.
  A. Review the results of social engineering tests.

  ---

  Explanation

  Explanation

  Comprehensive and Detailed Step-by-Step

  Social engineering tests are the most effective way toassess real-world security awarenessby measuring employees' ability to recognize and resist security threats. Review the Results of Social Engineering Tests (Correct Answer ?A)

  Evaluate Management Survey Results (Incorrect ?B) Interview Employees (Incorrect ?C)

  Review Security Training Quiz Results (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  NIST 800-53 (Security Awareness and Training)

  ISO 27001: Security Awareness Control

• Question 1409:

  Which of the following is MOST important for an organization to complete prior to developing its disaster recovery plan (DRP)?

  A. Support staff skill gap analysis
  B. Comprehensive IT inventory
  C. Business impact analysis (BIA)
  D. Risk assessment
  C. Business impact analysis (BIA)

  ---

  Explanation

• Question 1410:

  A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

  A. Establish key performance indicators (KPls) for timely identification of security incidents.
  B. Engage an external security incident response expert for incident handling.
  C. Enhance the alert functionality of the intrusion detection system (IDS).
  D. Include the requirement in the incident management response plan.
  D. Include the requirement in the incident management response plan.

  ---

  Explanation

  The best recommendation for the IS auditor to facilitate compliance with the new regulation is to include the requirement in the incident management response plan. An incident management response plan is a document that defines the roles, responsibilities, processes, and procedures for responding to security incidents. By including the new regulation in the plan, the IS auditor can ensure that the organization is aware of the reporting obligation, has a clear workflow for notifying the regulator within 24 hours, and has the necessary documentation and evidence to support the report. The other options are not as effective as including the requirement in the incident management response plan: Establishing key performance indicators (KPIs) for timely identification of security incidents is a good practice, but it does not guarantee compliance with the regulation. KPIs are metrics that measure the performance of a process or activity, but they do not specify how to perform it. The IS auditor should also provide guidance on how to identify and report security incidents within 24 hours. Engaging an external security incident response expert for incident handling is a possible option, but it may not be feasible or cost-effective. The organization may not have the budget or time to hire an external expert, or may prefer to handle the incidents internally. The IS auditor should also evaluate the qualifications and trustworthiness of the external expert, and ensure that they comply with the regulation and other contractual or legal obligations. Enhancing the alert functionality of the intrusion detection system (IDS) is a useful measure, but it is not sufficient to comply with the regulation. An IDS is a tool that monitors network traffic for malicious activity and alerts the network administrator or takes preventive action. However, an IDS may not detect all types of security incidents, or may generate false positives or negatives. The IS auditor should also consider other sources of incident detection, such as logs, reports, audits, or user feedback.