Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1501:

  A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is the IS auditor's BEST recommendation?

  A. Enable automatic encryption, decryption, and electronic signing of data files.
  B. Automate the transfer of data between systems as much as is feasible.
  C. Have coders perform manual reconciliation of data between systems.D
  D. Implement software to perform automatic reconciliations of data between systems.
  D. Implement software to perform automatic reconciliations of data between systems.

  ---

  Explanation

• Question 1502:

  What should be the PRIMARY focus during a review of a business process improvement project?

  A. Business project plan
  B. Continuous monitoring plans
  C. The cost of new controls
  D. Business impact
  D. Business impact

  ---

  Explanation

• Question 1503:

  To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

  A. Recipient's public key
  B. Sender's private key
  C. Sender's public key
  D. Recipient's private key
  A. Recipient's public key

  ---

  Explanation

  The best option for ensuring confidentiality through the use of asymmetric encryption is to encrypt a message with the recipient's public key (option A). This is because: Asymmetric encryption, also known as public-key cryptography, is a type of encryption that uses a pair of keys to encrypt and decrypt data. The pair of keys includes a public key, which can be shared with anyone, and a private key, which is kept secret by the owner. In asymmetric encryption, the sender uses the recipient's public key to encrypt the data. The recipient then uses their private key to decrypt the data. This approach allows for secure communication between two parties without the need for both parties to have the same secret key. Encrypting a message with the recipient's public key ensures that only the recipient can decrypt it with their private key. This provides confidentiality, which means that the message is protected from unauthorized access or disclosure. Encrypting a message with the sender's private key (option B) does not ensure confidentiality, but rather authentication, which means that the message can be verified as coming from the sender. This is because anyone can decrypt the message with the sender's public key, but only the sender can encrypt it with their private key. Encrypting a message with the sender's public key (option C) or the recipient's private key (option D) does not make sense, as it would render the message unreadable by both parties. This is because neither party has the corresponding key to decrypt it. Therefore, the best option for ensuring confidentiality through the use of asymmetric encryption is to encrypt a message with the recipient's public key (option A), as this ensures that only the recipient can decrypt it with their private key.

  References: 1: What is asymmetric encryption? | Asymmetric vs. symmetric ... - Cloudflare 2: What is Asymmetric Encryption? - GeeksforGeeks

• Question 1504:

  The charging method that effectively encourages the MOST efficient use of IS resources is:

  A. specific charges that can be tied back to specific usage.
  B. total utilization to achieve full operating capacity.
  C. residual income in excess of actual incurred costs.
  D. allocations based on the ability to absorb charges.
  A. specific charges that can be tied back to specific usage.

  ---

  Explanation

  The charging method for IS resources is the way that the IS function allocates its costs to the users or business units that consume its services. The charging method can affect the behavior and incentives of the users and the IS function, as well as the efficiency and effectiveness of the IS resources. Therefore, choosing an appropriate charging method is an important decision for the IS function and its stakeholders. One of the possible charging methods is to charge specific costs that can be tied back to specific usage. This means that the IS function tracks and measures the actual consumption of each user or business unit for each IS service, and charges them accordingly. For example, if a user uses 10 GB of storage space, 5 hours of CPU time, and 100 MB of network bandwidth, the IS function will charge them based on the unit costs of these resources. This charging method has the advantage of encouraging the most efficient use of IS resources, as it provides clear and accurate feedback to the users about their consumption and costs, and motivates them to optimize their usage and avoid waste or overuse. This charging method also aligns the interests of the IS function and the users, as both parties benefit from reducing costs and improving efficiency. The other possible charging methods are: Total utilization to achieve full operating capacity: This means that the IS function charges a fixed amount to each user or business unit based on their proportion of the total operating capacity of the IS resources. For example, if a user or business unit has 10% of the total computing power allocated to them, they will pay 10% of the total IS costs. This charging method has the disadvantage of discouraging efficient use of IS resources, as it does not reflect the actual consumption or usage of each user or business unit, and does not provide any incentive to reduce costs or improve efficiency. This charging method also creates a mismatch between the interests of the IS function and the users, as the IS function benefits from increasing costs and capacity, while the users bear the burden of paying for them. Residual income in excess of actual incurred costs: This means that the IS function charges a markup or profit margin on top of its actual incurred costs to each user or business unit. For example, if a user or business unit consumes $100 worth of IS resources, the IS function will charge them $120, where $20 is the residual income for the IS function. This charging method has the disadvantage of discouraging efficient use of IS resources, as it increases the costs for the users and reduces their value for money. This charging method also creates a conflict between the interests of the IS function and the users, as the IS function benefits from increasing costs and profits, while the users suffer from paying more than they should. Allocations based on the ability to absorb charges: This means that the IS function charges different amounts to different users or business units based on their ability to pay or their profitability. For example, if a user or business unit is more profitable or has a higher budget than another user or business unit, they will pay more for the same amount of IS resources. This charging method has the disadvantage of discouraging efficient use of IS resources, as it does not reflect the actual consumption or usage of each user or business unit, and does not provide any incentive to reduce costs or improve efficiency. This charging method also creates an unfair and arbitrary distribution of costs among the users or business units, as some pay more than others for no valid reason.

  References: 1: Charging Methods for IT Services - IT Process Wiki 2: IT Chargeback Methods - CIO Wiki 3: IT Chargeback - Wikipedia

• Question 1505:

  An IS auditor is reviewing an IT project and finds that an earned value analysis (EVA) is not regularly performed as part of project status reporting. Which of the following is the GREATEST risk resulting from this situation?

  A. Resources might not be assigned and prioritized in a timely manner.
  B. Time and budget overruns might not be identified in a timely manner.
  C. The project might not be compliant with project management standards.
  D. Business requirements may not be properly benchmarked.
  B. Time and budget overruns might not be identified in a timely manner.

  ---

  Explanation

  Explanation

• Question 1506:

  Which of the following is a telecommunication device that translates data from digital to analog form and back to digital?

  A. Multiplexer
  B. Modem
  C. Protocol converter
  D. Concentrator
  B. Modem

  ---

  Explanation

  A modem is a device that translates data from digital form and then back to digital for communication over analog lines.

  Information Systems Audit and Control Association,

  Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 114).

• Question 1507:

  An IS auditor observes a system performance monitoring tool which states that a server critical to the organization averages high CPU utilization across a cluster of four virtual servers throughout the audit period. To determine if further investigation is required, an IS auditor should review:

  A. the system process activity log
  B. system baselines
  C. the number of CPUs allocated to each virtual machine
  D. organizational objectives
  B. system baselines

  ---

  Explanation

• Question 1508:

  Which of the following is the MOST important responsibility of user departments associated with program changes?

  A. Providing unit test data
  B. Analyzing change requests
  C. Updating documentation lo reflect latest changes
  D. Approving changes before implementation
  D. Approving changes before implementation

  ---

  Explanation

  The most important responsibility of user departments associated with program changes is approving changes before implementation. This is because user departments are the primary stakeholders and beneficiaries of the program changes, and they need to ensure that the changes meet their requirements, expectations, and objectives. User departments also need to approve the changes before implementation to avoid unauthorized, unnecessary, or erroneous changes that could affect the functionality, performance, or security of the program. Providing unit test data is a responsibility of user departments associated with program changes, but it is not the most important one. Unit test data is used to verify that the individual components of the program work as expected after the changes. However, unit test data alone cannot guarantee that the program as a whole works correctly, or that the changes are aligned with the user departments' needs. Analyzing change requests is a responsibility of user departments associated with program changes, but it is not the most important one. Analyzing change requests is the process of evaluating the feasibility, necessity, and impact of the proposed changes. However, analyzing change requests does not ensure that the changes are implemented correctly, or that they are acceptable to the user departments. Updating documentation to reflect latest changes is a responsibility of user departments associated with program changes, but it is not the most important one. Updating documentation is the process of maintaining accurate and complete records of the program's specifications, features, and functions after the changes. However, updating documentation does not ensure that the changes are effective, or that they are approved by the user departments.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 281 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

• Question 1509:

  Which of the following activities should occur after a business impact analysis (BIA)?

  A. Identify threats to the IT environment
  B. Identify critical applications
  C. Analyze recovery options
  D. Review the computing and user environment
  C. Analyze recovery options

  ---

  Explanation

• Question 1510:

  Which of the following layer of an enterprise data flow architecture is concerned with the assembly and preparation of data for loading into data marts?

  A. Data preparation layer
  B. Desktop Access Layer
  C. Data Mart layer
  D. Data access layer
  A. Data preparation layer

  ---

  Explanation

  Data preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

  For CISA exam you should know below information about business intelligence:

  Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a

  data architecture. The complete data architecture consists of two components

  The enterprise data flow architecture (EDFA)

  A logical data architecture

  Various layers/components of this data flow architecture are as follows:

  Presentation/desktop access layer ?This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas

  and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Source Layer ?Enterprise information derives from number of sources:

  Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data ?Data provided to an organization by external sources. This could include data

  such as customer demographic and market share information.

  Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

  Core data warehouse ?This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support

  three basic form of an inquiry.

  Drilling up and drilling down ?Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.

  Drill across ?Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical

  Analysis ?The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start

  of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers.

  Data Mart Layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data Staging and quality layer ?This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

  periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

  Data Access Layer ?This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  Data Preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed. Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs to be very high to not corrupt the result.

  Metadata repository layer ?Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be

  comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules.

  Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.

  Application messaging layer ?This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

  Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

  Various analysis models used by data architects/ analysis follows:

  Activity or swim-lane diagram ?De-construct business processes.

  Entity relationship diagram ?Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is

  involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

  The following were incorrect answers:

  Desktop access layer or presentation layer is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as

  Congas and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Mart layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data access layer ?his layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  CISA review manual 2014 Page number 188