Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1411:

  The PRIMARY focus of a post-implementation review is to verify that:

  A. enterprise architecture (EA) has been complied with.
  B. user requirements have been met.
  C. acceptance testing has been properly executed.
  D. user access controls have been adequately designed.
  B. user requirements have been met.

  ---

  Explanation

  The primary focus of a post-implementation review is to verify that user requirements have been met. User requirements are specifications that define what users need or expect from a system or service, such as functionality, usability, reliability, etc. User requirements are usually gathered and documented at the beginning of a project, and used as a basis for designing, developing, testing, and implementing a system or service. A post-implementation review is an evaluation that assesses whether a system or service meets its objectives and delivers its expected benefits after it has been implemented. The primary focus of a post-implementation review is to verify that user requirements have been met, as this can indicate whether the system or service satisfies the user needs and expectations, provides value and quality to the users, and supports the user goals and tasks. Enterprise architecture (EA) has been complied with is a possible focus of a post- implementation review, but it is not the primary one. EA is a framework that defines how an organization's business processes, information systems, and technology infrastructure are aligned and integrated to support its vision and strategy. EA has been complied with, as this can indicate whether the system or service fits with the organization's current and future state, and follows the organization's standards and principles. Acceptance testing has been properly executed is a possible focus of a post-implementation review, but it is not the primary one. Acceptance testing is a process that verifies whether a system or service meets the user requirements and expectations before it is accepted by the users or stakeholders. Acceptance testing has been properly executed, as this can indicate whether the system or service has been tested and validated by the users or stakeholders, and whether any issues or defects have been identified and resolved. User access controls have been adequately designed is a possible focus of a post-implementation review, but it is not the primary one. User access controls are mechanisms that ensure that only authorized users can access or use a system or service, and prevent unauthorized access or use. User access controls have been adequately designed, as this can indicate whether the system or service has appropriate security and privacy measures in place, and whether any risks or threats have been mitigated.

• Question 1412:

  Which of the following is MOST important for an IS auditor to verify when reviewing the planned use of Benford's law as a data analytics technique to detect fraud in a set of credit card transactions?

  A. The transactions are in double integer format.
  B. The transaction amounts are selected randomly without restriction.
  C. The transaction analysis is limited to transactions within standard deviation.
  D. The transactions are all in the same currency.
  D. The transactions are all in the same currency.

  ---

  Explanation

  Explanation

• Question 1413:

  Following a discussion on the results of a recent audit engagement, the process owner of the audited area has provided an action plan addressing the gaps and recommendations. The auditor disagrees with some of the responses where the process owner is accepting a level of residual risk that is not within the organization's risk appetite. What is the auditor's BEST course of action?

  A. Include the issue in the next report to the audit committee.
  B. Inform executive management of the residual risk.
  C. Accept the action plan proposed by the process owner.
  D. Escalate the situation to audit management.
  D. Escalate the situation to audit management.

  ---

  Explanation

  Explanation

• Question 1414:

  The PRIMARY advantage of object-oriented technology is enhanced:

  A. efficiency due to the re-use of elements of logic.
  B. management of sequential program execution for data access.
  C. grouping of objects into methods for data access.
  D. management of a restricted variety of data types for a data object.
  A. efficiency due to the re-use of elements of logic.

  ---

  Explanation

  The primary advantage of object-oriented technology is enhanced efficiency due to the re-use of elements of logic. Object-oriented technology is a software design model that uses objects, which contain both data and code, to create modular and reusable programs. Objects can be inherited from other objects, which reduces duplication and improves maintainability. Grouping objects into methods for data access, managing sequential program execution for data access, and managing a restricted variety of data types for a data object are not advantages of object-oriented technology.

  References: ISACA CISA Review Manual 27th Edition, page 304

• Question 1415:

  Which of the following fourth generation language is a development tools to generate lower level programming languages?

  A. Query and report generator
  B. Embedded database 4GLs
  C. Relational database 4GL
  D. Application generators
  D. Application generators

  ---

  Explanation

  Application generators ?These development tools generate lower level programming languages(3GL) such as COBOL and

  C. The application can be further tailored and customized. Data processing development personnel, not end user, use application generators.

  For CISA exam you should know below mentioned types of 4GLs

  Query and report generator ?These specialize language can extract and produce reports. Recently more powerful language has been produced that can access database records, produce complex on-line output and be developed in an

  almost natural language.

  Embedded database 4GLs ?These depend on self-contained database management systems. These characteristics often makes them more user-friendly but also may lead to applications that are not integrated well with other product

  applications. Example includes FOCUS, RAMIS II and NOMAD 2. Relational database 4GLs ?These high level language products are usually an optional feature on vendor's DBMS product line. These allow the application developer to make better use of DBMS product, but they often are not end-useroriented. Example include SQL+ MANTIS and NATURAL.

  Application generators ?These development tools generate lower level programming languages(3GL) such as COBOL and

  C. The application can be further tailored and customized. Data processing development personnel, not end user, use

  application generators.

  The following were incorrect answers:

  Query and report generator ?These specialize language can extract and produce reports.

  Relational database 4GLs ?These high level language products are usually an optional feature on vendor's DBMS product line.

  Embedded database 4GLs ?These depend on self-contained database management systems. These characteristics often makes them more user-friendly but also may lead to applications that are not integrated well with other product

  applications.

  CISA review manual 2014 Page number 209

• Question 1416:

  During the course of fieldwork, an internal IS auditor observes a critical vulnerability within a newly deployed application. What is the auditor's BEST course of action?

  A. Document the finding in the report.
  B. Identify other potential vulnerabilities.
  C. Notify IT management.
  D. Report the finding to the external auditors.
  C. Notify IT management.

  ---

  Explanation

• Question 1417:

  Which of the following is MOST important when defining the IS audit scope?

  A. Minimizing the time and cost to the organization of IS audit procedures
  B. Involving business in the formulation of the scope statement
  C. Aligning the IS audit procedures with IT management priorities
  D. Understanding the relationship between IT and business risks
  D. Understanding the relationship between IT and business risks

  ---

  Explanation

  The most important factor when defining the IS audit scope is to understand the relationship between IT and business risks, as this helps to identify the areas that have the most potential impact on the organization's objectives, performance,

  and value. By understanding the IT and business risks, the IS auditor can focus the audit scope on the key processes, systems, controls, and issues that need to be assessed and addressed.

  References:

  ISACA CISA Review Manual, 27th Edition, page 256

  Ten Factors to Consider when Setting the Scope of an Internal Audit What Is an Audit Scope? | Auditing Basics | KirkpatrickPrice

• Question 1418:

  An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

  A. incident management.
  B. quality assurance (QA).
  C. change management.
  D. project management.
  C. change management.

  ---

  Explanation

  A weakness in change management is the most likely cause of an incorrect version of source code being amended by a development team. Change management is the process of controlling and documenting changes to IT systems and software. It ensures that changes are authorized, tested, and implemented in a controlled manner. If change management is weak, there is a risk of using outdated or incorrect versions of source code, which can lead to errors, defects, or security vulnerabilities in the software.

• Question 1419:

  When reviewing an IT strategic plan, the GREATEST concern would be that

  A. an IT strategy committee has not been created
  B. the plan does not support relevant organizational goals.
  C. there are no key performance indicators (KPls).
  D. the plan was not formally approved by the board of directors
  B. the plan does not support relevant organizational goals.

  ---

  Explanation

  The greatest concern when reviewing an IT strategic plan is

  B. The plan does not support relevant organizational goals. This is because an IT strategic plan should align and integrate the IT goals and objectives with the organization's overall

  strategy and vision, and ensure that IT supports and enables the business processes and functions1. If the IT strategic plan does not support relevant organizational goals, it may lead to:

  Suboptimal or negative outcomes and value for the organization, as IT investments and initiatives may not align with the organization's priorities, needs, or expectations1. Conflicts or inconsistencies between IT and business functions, as IT

  may not deliver the expected level of service, quality, or performance2. Wasted or inefficient use of resources, as IT may spend time, money, or effort on projects or activities that are not relevant or beneficial for the organization2.

• Question 1420:

  An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

  A. Staging
  B. Testing
  C. Integration
  D. Development
  A. Staging

  ---

  Explanation

  A staging environment is a replica of the production environment that is used to test and verify software before deploying it to production. A staging environment is most likely to have the same software version as production, as it mimics the real-world conditions and configurations that will be encountered in production. A testing environment is a separate environment that is used to perform various types of testing on software, such as functional testing, performance testing, security testing, etc. A testing environment may not have the same software version as production, as it may undergo frequent changes or updates based on testing results or feedback. An integration environment is a separate environment that is used to combine and test software components or modules from different developers or sources, to ensure that they work together as expected. An integration environment may not have the same software version as production, as it may involve different versions or branches of software from different sources. A development environment is a separate environment that is used by developers to create and modify software code. A development environment may not have the same software version as production, as it may contain unfinished or untested code that has not been released yet.