Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1491:

  Which of the following should be of MOST concern to an IS auditor when reviewing an intrusion detection system (IDS)?

  A. High false-positive rate
  B. Delay in signature updates
  C. High false-negative rate
  D. Decrease in processing speed
  C. High false-negative rate

  ---

  Explanation

• Question 1492:

  An IS auditor reviewing a new application for compliance with information privacy principles should be the MOST concerned with:

  A. nonrepudiation
  B. collection limitation
  C. availability
  D. awareness
  B. collection limitation

  ---

  Explanation

• Question 1493:

  Which of the following is the PRIMARY benefit of introducing business impact analyses (BIAs) to business resiliency strategies?

  A. It identifies legal obligations that may be incurred as a result of business service disruptions
  B. It provides updates on the risk level of disasters that may occur
  C. It delineates employee responsibilities that the organization must fulfill in a crisis
  D. It helps prioritize the restoration of systems and applications
  D. It helps prioritize the restoration of systems and applications

  ---

  Explanation

  Theprimary purpose of a Business Impact Analysis (BIA) is to prioritize the restoration of systems and applications (D)based on their criticality to business operations. A BIA assesses the impact of disruptions, identifies critical processes, and

  determines recovery time objectives (RTOs) and recovery point objectives (RPOs).

  Other options:

  Identifying legal obligations (A)is an aspect of compliance but not the primary benefit of a BIA.

  Providing updates on disaster risk levels (B)falls under risk management rather than BIA objectives.

  Delineating employee responsibilities (C)is part of business continuity planning (BCP), not the BIA's main goal.

  ISACA CISA Review Manual, Information Systems Operations and Business Resilience

• Question 1494:

  Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

  A. Frequent testing of backups
  B. Annual walk-through testing
  C. Periodic risk assessment
  D. Full operational test
  D. Full operational test

  ---

  Explanation

  A disaster recovery plan (DRP) is a set of procedures and resources that enable an organization to restore its critical operations, data, and applications in the event of a disaster. A DRP should be aligned with the organization's business continuity plan (BCP), which defines the strategies and objectives for maintaining business functions during and after a disaster. To ensure that a DRP is effective, it should be tested regularly and thoroughly to identify and resolve any issues or gaps that might hinder its execution. Testing a DRP can help evaluate its feasibility, validity, reliability, and compatibility with the organization's environment and needs4. Testing can also help prepare the staff, stakeholders, and vendors involved in the DRP for their roles and responsibilities during a disaster. There are different methods and levels of testing a DRP, depending on the scope, complexity, and objectives of the test4. Some of the common testing methods are: Walkthrough testing: This is a step-by-step review of the DRP by the disaster recovery team and relevant stakeholders. It aims to verify the completeness and accuracy of the plan, as well as to clarify any doubts or questions among the participants. Simulation testing: This is a mock exercise of the DRP in a simulated disaster scenario. It aims to assess the readiness and effectiveness of the plan, as well as to identify any challenges or weaknesses that might arise during a real disaster. Checklist testing: This is a verification of the availability and functionality of the resources and equipment required for the DRP. It aims to ensure that the backup systems, data, and documentation are accessible and up-to-date45. Full interruption testing: This is the most realistic and rigorous method of testing a DRP. It involves shutting down the primary site and activating the backup site for a certain period of time. It aims to measure the actual impact and performance of the DRP under real conditions. Parallel testing: This is a less disruptive method of testing a DRP. It involves running the backup site in parallel with the primary site without affecting the normal operations. It aims to compare and validate the results and outputs of both sites45. Among these methods, full interruption testing would best demonstrate that an effective DRP is in place, as it provides the most accurate and comprehensive evaluation of the plan's capabilities and limitations4. Full interruption testing can reveal any hidden or unforeseen issues or risks that might affect the recovery process, such as data loss, system failure, compatibility problems, or human errors4. Full interruption testing can also verify that the backup site can support the critical operations and services of the organization without compromising its quality or security4. However, full interruption testing also has some drawbacks, such as being costly, time- consuming, risky, and disruptive to the normal operations4. Therefore, it should be planned carefully and conducted periodically with proper coordination and communication among all parties involved. The other options are not as effective as full interruption testing in demonstrating that an effective DRP is in place. Frequent testing of backups is only one aspect of checklist testing, which does not cover other components or scenarios of the DRP4. Annual walk- through testing is only a theoretical review of the DRP, which does not test its practical implementation or outcomes4. Periodic risk assessment is only a preparatory step for developing or updating the DRP, which does not test its functionality or performance.

  References: 2: Best Practices For Disaster Recovery Testing | Snyk 3: Disaster Recovery Plan (DR) Testing -- Methods and Must-haves - US Signal 4: Disaster Recovery Testing: What You Need to Know - Enterprise Storage Forum 5: Disaster Recovery Testing Best Practices - MSP360 1: How to Test a Disaster Recovery Plan - Abacus

• Question 1495:

  The application systems quality assurance (QA) function should:

  A. assist programmers in designing and developing applications.
  B. design and develop quality applications by employing system development methodology.
  C. ensure adherence of programs to standards.
  D. compare programs to approved system changes.
  B. design and develop quality applications by employing system development methodology.

  ---

  Explanation

• Question 1496:

  Assessments of critical information systems are based on a cyclical audit plan that has not been updated for several years. Which of the following should the IS auditor recommend to BEST address this situation?

  A. Use a revolving set of audit plans to cover all systems
  B. Update the audit plan quarterly to account for delays and deferrals of periodic reviews
  C. Regularly validate the audit plan against business risks
  D. Do not include periodic reviews in detail as part of the audit plan
  C. Regularly validate the audit plan against business risks

  ---

  Explanation

• Question 1497:

  Which of the following should be the PRIMARY focus when communicating an IS audit issue to management?

  A. The risk to which the organization is exposed due to the issue
  B. The nature, extent, and timing of subsequent audit follow-up
  C. How the issue was found and who bears responsibility
  D. A detailed solution for resolving the issue
  A. The risk to which the organization is exposed due to the issue

  ---

  Explanation

• Question 1498:

  Which of the following BEST facilitates the management of assets dunng the implementation of an information system?

  A. Configuration management database (CMDB)
  B. Quality management controls
  C. Decision support system
  D. Asset procurement system
  A. Configuration management database (CMDB)

  ---

  Explanation

• Question 1499:

  After an external IS audit, which of the following should be IT management's MAIN consideration when determining the prioritization of follow-up activities?

  A. The amount of time since the initial audit was completed.
  B. The materiality of the reported findings
  C. The availability of the external auditors
  D. The scheduling of major changes in the control environment
  B. The materiality of the reported findings

  ---

  Explanation

• Question 1500:

  An IS auditor is planning an audit of an organization's risk management practices. Which of the following would provide the MOST useful information about risk appetite?

  A. Risk policies
  B. Risk assessments
  C. Prior audit reports
  D. Management assertion
  A. Risk policies

  ---

  Explanation

  Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite reflects the organization's risk culture, strategy, and tolerance, and guides the organization's risk management practices. The most useful information about risk appetite can be obtained from the risk policies, which are the documents that define the organization's risk management framework, principles, objectives, roles, responsibilities, and processes. Risk policies also establish the criteria and thresholds for identifying, assessing, prioritizing, mitigating, and monitoring risks, as well as the reporting and escalation mechanisms for risk issues. By reviewing the risk policies, an IS auditor can evaluate whether they are consistent, comprehensive, and aligned with the organization's risk appetite and whether they provide clear guidance and direction for managing risks effectively. The other options are not correct because they are either not the most useful or not relevant to risk appetite. Risk assessments are the processes of identifying, analyzing, and evaluating the risks that may affect the organization's objectives. Risk assessments provide information about the current risk profile and exposure of the organization, but they do not indicate the organization's risk appetite or preferences. Prior audit reports are the documents that summarize the findings, recommendations, and conclusions of previous audits. Prior audit reports may provide information about the past performance and issues of the organization's risk management practices, but they do not reflect the organization's risk appetite or expectations. Management assertion is a statement or declaration made by management about the accuracy, completeness, validity, or reliability of a certain fact or data. Management assertion may provide information about the management's confidence or opinion on a specific risk or issue, but it does not represent the organization's risk appetite or criteria.