Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1481:

  When evaluating the recent implementation of an intrusion detection system (IDS), an IS auditor should be MOST concerned with inappropriate:

  A. encryption.
  B. training.
  C. tuning.
  D. patching.
  C. tuning.

  ---

  Explanation

• Question 1482:

  An IS auditor is reviewing documentation from a change that was applied to an application. Which of the following findings would be the GREATEST concern?

  A. Testing documentation does not show manager approval.
  B. Testing documentation is dated three weeks before the system implementation date.
  C. Testing documentation is approved prior to completion of user acceptance testing (UAT).
  D. Testing documentation is kept in hard copy format.
  C. Testing documentation is approved prior to completion of user acceptance testing (UAT).

  ---

  Explanation

• Question 1483:

  An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor's independence?

  A. The auditor implemented a specific control during the development of the system.
  B. The auditor provided advice concerning best practices.
  C. The auditor participated as a member of the project team without operational responsibilities
  D. The auditor designed an embedded audit module exclusively for audit
  A. The auditor implemented a specific control during the development of the system.

  ---

  Explanation

  The auditor implemented a specific control during the development of the system. This would impair the auditor's independence, as it would create a self-review threat, which is a situation where an auditor has to evaluate or review the results of his or her own work or judgment1. A self-review threat may compromise the auditor's objectivity and impartiality, as the auditor may be biased or influenced by his or her own involvement or interest in the system1. The auditor may also face a conflict of interest or a loss of credibility if he or she has to report on any issues or deficiencies related to the control he or she implemented.

• Question 1484:

  Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

  A. Risk acceptance
  B. Risk transfer
  C. Risk reduction
  D. Risk avoidance
  D. Risk avoidance

  ---

  Explanation

• Question 1485:

  Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

  A. The policy includes a strong risk-based approach.
  B. The retention period allows for review during the year-end audit.
  C. The retention period complies with data owner responsibilities.
  D. The total transaction amount has no impact on financial reporting
  C. The retention period complies with data owner responsibilities.

  ---

  Explanation

  The most important factor for the organization to ensure when reducing the retention period for media containing completed low-value transactions is that the retention period complies with data owner responsibilities. Data owners are accountable for defining the retention and disposal requirements for the data under their custody, based on business, legal, regulatory, and contractual obligations. The policy should reflect the data owner's decisions and obtain their approval. The policy should also include a risk-based approach, but this is not as important as complying with data owner responsibilities. The retention period should allow for review during the year-end audit, but this may not be necessary for low-value transactions that have minimal impact on financial reporting. The total transaction amount may have some impact on financial reporting, but this is not a direct consequence of reducing the retention period.

  References: CISA Review Manual, 27th Edition, pages 414-4151 CISA Review Questions, Answers and Explanations Database, Question ID: 255

• Question 1486:

  Which of the following is an example of a preventative control in an accounts payable system?

  A. The system only allows payments to vendors who are included In the system's master vendor list.
  B. Backups of the system and its data are performed on a nightly basis and tested periodically.
  C. The system produces daily payment summary reports that staff use to compare against invoice totals.
  D. Policies and procedures are clearly communicated to all members of the accounts payable department
  A. The system only allows payments to vendors who are included In the system's master vendor list.

  ---

  Explanation

  The system only allows payments to vendors who are included in the system's master vendor list is an example of a preventative control in an accounts payable system. A preventative control is a control that aims to prevent errors or irregularities from occurring in the first place. By restricting payments to vendors who are authorized and verified in the master vendor list, the system prevents unauthorized or fraudulent payments from being made. The other options are examples of other types of controls, such as backup (recovery), reconciliation (detective), and communication (directive) controls.

  References: CISA Review Manual, 27th Edition, page 223

• Question 1487:

  When assessing whether an organization's IT performance measures are comparable to other organizations in the same industry, which of the following would be MOST helpful to review?

  A. IT governance frameworks
  B. Benchmarking surveys
  C. Utilization reports
  D. Balanced scorecard
  B. Benchmarking surveys

  ---

  Explanation

  IT performance measures are indicators of how well an organization is achieving its IT goals and objectives. Benchmarking surveys are useful tools for comparing an organization's IT performance measures with those of other organizations in the same industry or sector. Benchmarking surveys can provide insights into best practices, gaps, trends, and opportunities for improvement. IT governance frameworks, utilization reports, and balanced scorecards are not as helpful for comparing IT performance measures across organizations, as they may vary in scope, methodology, and terminology.

  References: IT Resources | Knowledge and Insights | ISACA, CISA Review Manual (Digital Version)

• Question 1488:

  Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?

  A. The added functionality has not been documented.
  B. The new functionality may not meet requirements.
  C. The project may fail to meet the established deadline.
  D. The project may go over budget.
  B. The new functionality may not meet requirements.

  ---

  Explanation

  The main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B). This is because:

  A project change management process is a set of procedures that defines how changes to the project scope, schedule, budget, quality, or resources are requested, evaluated, approved, implemented, and controlled. A project change

  management process helps to ensure that the changes are aligned with the project objectives, stakeholders' expectations, and business needs12. Adding a new system functionality during the development phase without following a project

  change management process can introduce risks such as:

  The added functionality has not been documented (option A), which can lead to confusion, inconsistency, errors, and rework.

  The project may fail to meet the established deadline (option C), which can result in delays, penalties, and customer dissatisfaction.

  The project may go over budget (option D), which can cause cost overruns, financial losses, and reduced profitability.

  However, the main risk is that the new functionality may not meet requirements (option B), which can have serious consequences such as:

  The new functionality may not be compatible with the existing system or other components.

  The new functionality may not be tested or verified for quality, performance, security, or usability.

  The new functionality may not deliver the expected value or benefits to the users or customers.

  The new functionality may not comply with the regulatory or contractual obligations. The new functionality may cause dissatisfaction, complaints, or litigation from the stakeholders. Therefore, the main risk associated with adding a new system

  functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B), as this can jeopardize the success and acceptance of the project.

  References: 1: How to Make a Change Management Plan (Templates Included) - ProjectManager 2: What Is Change Management? Process and Models Explained - ProjectManager 3: 8 Steps for an Effective Change Management Process -

  Smartsheet

• Question 1489:

  Which of the following is MOST important for an IS auditor to ensure is included in a global organization's online data privacy notification to customers?

  A. Consequences to the organization for mishandling the data
  B. Consent terms including the purpose of data collection
  C. Contact information for reporting violations of consent
  D. Industry standards for data breach notification
  B. Consent terms including the purpose of data collection

  ---

  Explanation

• Question 1490:

  An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?

  A. Analyze a new application that moots the current re
  B. Perform an analysis to determine the business risk
  C. Bring the escrow version up to date.
  D. Develop a maintenance plan to support the application using the existing code
  C. Bring the escrow version up to date.

  ---

  Explanation

  This means that the organization should obtain the source code from the escrow agent and compare it with the current version of the application that they are using. The organization should then identify and apply any changes or updates that are missing or different in the escrow version, so that it matches the current version. This way, the organization can ensure that they have a complete and accurate copy of the source code that reflects their current needs and requirements. Bringing the escrow version up to date can help the organization to avoid or reduce the risks and costs associated with using an outdated or incompatible version of the source code. For example, an older version of the source code may have bugs, errors, or vulnerabilities that could affect the functionality, security, or performance of the application. An older version of the source code may also lack some features, enhancements, or integrations that could improve the usability, efficiency, or value of the application. An older version of the source code may also not comply with some standards, regulations, or contracts that could affect the quality, reliability, or legality of the application1. The other options are not as good as bringing the escrow version up to date for the organization. Option A, analyzing a new application that meets the current requirements, is a possible option but it may be more time-consuming, expensive, and risky than updating the existing application. The organization may have to go through a complex and lengthy process of selecting, acquiring, implementing, testing, and migrating to a new application, which could disrupt their operations and performance. The organization may also have to deal with compatibility, interoperability, or data quality issues when switching to a new application2. Option B, performing an analysis to determine the business risk, is a necessary step but not a recommendation for the organization. The organization should already be aware of the business risk of using an application whose vendor has gone out of business and whose escrow has an older version of the source code. The organization should focus on finding and implementing a solution to mitigate or eliminate this risk3. Option D, developing a maintenance plan to support the application using the existing code, is not a feasible option because it assumes that the organization has access to the existing code. However, this is not the case because the vendor has gone out of business and the escrow has an older version of the source code. The organization cannot support or maintain an application without having a complete and accurate copy of its source code.

  References: How Important Is Source Code Escrow - ISACA The What and Why of Source Code Escrow Unlocking Source Code In Escrow 2023: A Guide To Secure Software