Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1421:

  Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

  A. Restricting program functionality according to user security profiles
  B. Restricting access to update programs to accounts payable staff only
  C. Including the creator's user ID as a field in every transaction record created
  D. Ensuring that audit trails exist for transactions
  D. Ensuring that audit trails exist for transactions

  ---

  Explanation

  Segregation of duties (SoD) is a key internal control that aims to prevent fraud and errors by ensuring that no single individual can perform incompatible or conflicting tasks within a business process. SoD reduces the risk of unauthorized or improper transactions, manipulation of data, or misappropriation of assets. In the accounts payable department, SoD involves separating the following functions: invoice processing, payment authorization, payment execution, and reconciliation. For example, the person who approves an invoice should not be the same person who issues the payment or reconciles the bank statement. One of the best ways to ensure appropriate SoD within the accounts payable department is to restrict program functionality according to user security profiles. This means that each user of the accounts payable system should have a unique login and password, and should only have access to the functions that are relevant to their role and responsibilities. For instance, an invoice processor should not be able to approve payments or modify vendor records. This way, the system can enforce SoD and prevent unauthorized or fraudulent activities. The other options are not as effective as restricting program functionality according to user security profiles. Restricting access to update programs to accounts payable staff only is a general access control measure, but it does not address the SoD issue within the accounts payable department. Including the creator's user ID as a field in every transaction record created is a useful audit trail feature, but it does not prevent users from performing incompatible functions. Ensuring that audit trails exist for transactions is a detective control that can help identify and investigate any irregularities, but it does not prevent them from occurring in the first place.

• Question 1422:

  A cloud access security broker (CASB) administers the user access of a Software as a Service {SaaS) on behalf of the customer organization. When conducting an audit of the service, which of the following is MOST important for the IS auditor to confirm?

  A. The CASB logs the access request as a service record that is reviewed after granting access.
  B. The CASB verifies the access request from a named customer contact before granting access.
  C. The CASB manages secure access to the federated directory service used by the SaaS application.
  D. The CASB conducts periodic audits of access requests to ensure compliance with customer policy.
  C. The CASB manages secure access to the federated directory service used by the SaaS application.

  ---

  Explanation

• Question 1423:

  What should an IS auditor do FIRST when a follow-up audit reveals some management action plans have not been initiated?

  A. Confirm whether the identified risks are still valid.
  B. Provide a report to the audit committee.
  C. Escalate the lack of plan completion to executive management.
  D. Request an additional action plan review to confirm the findings.
  C. Escalate the lack of plan completion to executive management.

  ---

  Explanation

  The first thing that an IS auditor should do when a follow-up audit reveals some management action plans have not been initiated is to escalate the lack of plan completion to executive management. This is because the failure to implement the agreed management action plans may indicate that the management is not taking the audit findings and recommendations seriously, or that they are accepting too much risk by not addressing the identified issues. Escalating the lack of plan completion to executive management can help to raise awareness and accountability, as well as to seek support and intervention to ensure that the management action plans are executed in a timely and effective manner12. Confirming whether the identified risks are still valid is not the first thing to do, although it may be a useful step to reassess the current situation and the potential impact of not implementing the management action plans. However, confirming the validity of the risks does not address the root cause of why the management action plans have not been initiated, nor does it provide any assurance or remediation for the unresolved issues34. Providing a report to the audit committee is not the first thing to do, although it may be a necessary step to communicate and document the results of the follow-up audit. However, providing a report to the audit committee does not guarantee that the management action plans will be initiated, nor does it resolve any conflicts or challenges that may prevent the management from implementing them34. Requesting an additional action plan review to confirm the findings is not the first thing to do, although it may be a prudent step to verify and validate the accuracy and completeness of the follow-up audit. However, requesting an additional review may delay or defer the implementation of the management action plans, as well as consume more internal audit resources and time

• Question 1424:

  Which of the following is the MOST effective way to identify anomalous transactions when performing a payroll fraud audit?

  A. Substantive testing of payroll files
  B. Data analytics on payroll data
  C. Observation of payment processing
  D. Sample-based review of pay stubs
  B. Data analytics on payroll data

  ---

  Explanation

• Question 1425:

  An IS auditor is assessing an organization's DevSecOps approach. Which of the following BEST indicates a proactive approach to identifying vulnerabilities?

  A. Integration of automated security testing tools into the continuous integration/continuous delivery (CI/CD) process
  B. Open-source dependency checks within continuous integration/continuous delivery (CI/CD) process
  C. Use of the most current development frameworks and libraries
  D. Post-implementation vulnerability scans on application deployments
  A. Integration of automated security testing tools into the continuous integration/continuous delivery (CI/CD) process

  ---

  Explanation

  Explanation

• Question 1426:

  An organization's strategy to source certain IT functions from a Software as a Service (SaaS) provider should be approved by the:

  A. chief financial officer (CFO).
  B. chief risk officer (CRO).
  C. IT steering committee.
  D. IT operations manager.
  C. IT steering committee.

  ---

  Explanation

• Question 1427:

  Which of the following would BEST enable an IS auditor to perform an audit that requires testing the full population of data?

  A. Expertise in statistical sampling of data
  B. Proficiency in the use of data analytics tools
  C. Experience in database administration
  D. Proficiency in programming and coding
  B. Proficiency in the use of data analytics tools

  ---

  Explanation

• Question 1428:

  An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified Which type of control is in place?

  A. Detective
  B. Compensating
  C. Corrective
  D. Directive
  D. Directive

  ---

  Explanation

  The type of control that is in place when an organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified is directive. Directive controls are those that guide or direct the actions of individuals or groups to achieve a desired outcome. Directive controls can also help to prevent or reduce the occurrence of undesirable events. Hiring policies and procedures are examples of directive controls that aim to ensure that only qualified and competent personnel are employed to perform IT-related tasks.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.11 CISA Online Review Course, Domain 1, Module 2, Lesson 12

• Question 1429:

  An organization has replaced its call center with Al chatbots that autonomously learn new responses through internet queries and customer conversation history. Which of the following would an IS auditor tasked with verifying IT controls consider to be the GREATEST risk?

  A. The model may not result in expected efficiencies.
  B. The model's operations may be difficult for the IT team to document.
  C. The model may not generate accurate responses due to overfitting.
  D. It may be difficult to audit the model due to the lack of a suitable framework.
  D. It may be difficult to audit the model due to the lack of a suitable framework.

  ---

  Explanation

  Explanation

• Question 1430:

  When using a wireless device, which of the following BEST ensures confidential access to email via web mail?

  A. Wired equivalent privacy (WEP)
  B. Hypertext transfer protocol secure (HTTPS)
  C. Simple object access protocol (SOAP)
  D. Extensible markup language (XML)
  A. Wired equivalent privacy (WEP)

  ---

  Explanation