Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1461:

  Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?

  A. EUC inventory
  B. EUC availability controls
  C. EUC access control matrix
  D. EUC tests of operational effectiveness
  A. EUC inventory

  ---

  Explanation

  The best way to improve the visibility of end-user computing (EUC) applications that support regulatory reporting is to maintain an EUC inventory, as this provides a comprehensive and up-to-date list of all EUC applications, their owners, their locations, their purposes, and their dependencies. An EUC inventory can help identify and manage the risks associated with EUC applications, such as data quality, security, compliance, and continuity. EUC availability controls, EUC access control matrix, and EUC tests of operational effectiveness are important for ensuring the reliability and security of EUC applications, but they do not improve the visibility of EUC applications as much as an EUC inventory.

  References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.4: End-user Computing

• Question 1462:

  When an organization conducts business process improvements, the IS auditor should be MOST concerned with the:

  A. metrics used to evaluate key operating segments.
  B. adequacy of the controls in the redesigned process.
  C. adequacy of reporting to senior management.
  D. lack of version control over process documentation.
  C. adequacy of reporting to senior management.

  ---

  Explanation

• Question 1463:

  Which of the following BEST facilitates the legal process in the event of an incident?

  A. Right to perform e-discovery
  B. Advice from legal counsel
  C. Preserving the chain of custody
  D. Results of a root cause analysis
  C. Preserving the chain of custody

  ---

  Explanation

  The best way to facilitate the legal process in the event of an incident is to preserve the chain of custody of the evidence. The chain of custody is a record of who handled, accessed, or modified the evidence, when, where, how, and why. The chain of custody helps to ensure the integrity, authenticity, and admissibility of the evidence in a court of law. The chain of custody also helps to prevent tampering, alteration, or loss of evidence that could compromise the investigation or the prosecution.

  References: CISA Review Manual (Digital Version) CISA Questions, Answers and Explanations Database

• Question 1464:

  Which of the following is the PRIMARY reason for an IS auditor to select a statistical sampling method?

  A. Statistical sampling methods enable the auditor to objectively quantify the probability of error.
  B. Statistical sampling methods are the most effective way to avoid sampling risk.
  C. Statistical sampling methods must be used to mitigate audit risk.
  D. Statistical sampling methods help the auditor to determine the tolerable error rate.
  B. Statistical sampling methods are the most effective way to avoid sampling risk.

  ---

  Explanation

• Question 1465:

  A project team evaluated vendor responses to a request for proposal (RFP). An IS auditor reviewing the evaluation process would expect the team to have considered each vendor's:

  A. security policy.
  B. acceptance test plan
  C. financial stability
  D. development methodology.
  A. security policy.

  ---

  Explanation

• Question 1466:

  An IS auditor is auditing the operating effectiveness of weekly user access reviews. Of the five weekly reviews sampled, one has not been signed or dated. What is the MAIN reason to note this observation as a finding?

  A. The review may not be accurate.
  B. The review may not contain the appropriate content.
  C. The review may not be in compliance with industry standards.
  D. The review may not have been performed.
  D. The review may not have been performed.

  ---

  Explanation

  Explanation

• Question 1467:

  Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?

  A. It helps to identify areas with a relatively high probability of material problems.
  B. It provides a basis for the formulation of corrective action plans.
  C. It increases awareness of the types of management actions that may be inappropriate
  D. It helps to identify areas that are most sensitive to fraudulent or inaccurate practices
  A. It helps to identify areas with a relatively high probability of material problems.

  ---

  Explanation

  The primary reason for an IS auditor to perform a risk assessment is to help identify areas with a relatively high probability of material problems. A risk assessment is a systematic process of evaluating the potential risks that may be involved in an activity or undertaking. It involves identifying the sources of risk, analyzing the likelihood and impact of the risk, and prioritizing the risks based on their significance. A risk assessment helps the IS auditor to focus on the areas that are most vulnerable to errors, fraud, or inefficiencies, and to design appropriate audit procedures to address those risks. A risk assessment also helps the IS auditor to allocate audit resources efficiently and effectively. A risk assessment does not provide a basis for the formulation of corrective action plans, as this is a responsibility of management, not the IS auditor. A risk assessment does not increase awareness of the types of management actions that may be inappropriate, as this is a matter of professional ethics and judgment. A risk assessment does not help to identify areas that are most sensitive to fraudulent or inaccurate practices, as this is a result of the risk assessment, not its purpose.

  References: ISACA, CISA Review Manual, 27th Edition, Chapter 1: The Process of Auditing Information Systems, Section 1.3: Risk Assessment in Planning1 Corporate Finance Institute, Audit Risk Model2

• Question 1468:

  When conducting a requirements analysis for a project the BEST approach would be to:

  A. conduct a control self-assessment.
  B. consult key stakeholders.
  C. test operational deliverables.
  D. prototype the requirements.
  B. consult key stakeholders.

  ---

  Explanation

• Question 1469:

  Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

  A. Conduct periodic on-site assessments using agreed-upon criteria.
  B. Periodically review the service level agreement (SLA) with the vendor.
  C. Conduct an unannounced vulnerability assessment of vendor's IT systems.
  D. Obtain evidence of the vendor's control self-assessment (CSA).
  A. Conduct periodic on-site assessments using agreed-upon criteria.

  ---

  Explanation

  The most effective method to verify that a service vendor keeps control levels as required by the client is to conduct periodic on-site assessments using agreed- upon criteria. On-site assessments can provide direct evidence of whether the vendor's controls are operating effectively and consistently in accordance with the client's expectations and requirements. Agreed-upon criteria can ensure that the assessments are objective, relevant, and reliable. The other options are not as effective as on-site assessments in verifying the vendor's control levels. Periodically reviewing the SLA with the vendor can help monitor whether the vendor meets its contractual obligations and service standards, but it does not provide assurance of whether the vendor's controls are adequate or sufficient. Conducting an unannounced vulnerability assessment of vendor's IT systems can help identify any weaknesses or gaps in the vendor's security controls, but it may violate the terms and conditions of the vendor-client relationship or cause operational disruptions. Obtaining evidence of the vendor's CSA can provide some indication of whether the vendor's controls are self-monitored and reported, but it does not verify whether the vendor's controls are independent or accurate.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4

• Question 1470:

  An external IS auditor is reviewing the continuous monitoring system for a large bank and notes several potential issues. Which of the following would present the GREATEST concern regarding the reliability of the monitoring system?

  A. The system results are not reviewed by senior management.
  B. The alert threshold is updated periodically.
  C. The monitoring thresholds are not subject to change management.
  D. The monitoring system was configured by a third party.
  C. The monitoring thresholds are not subject to change management.

  ---

  Explanation

  Explanation