Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1521:

  A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

  A. IT operator
  B. System administration
  C. Emergency support
  D. Database administration
  C. Emergency support

  ---

  Explanation

  Segregation of duties (SOD) is a core internal control and an essential component of an effective risk management strategy. SOD emphasizes sharing the responsibilities of key business processes by distributing the discrete functions of these processes to multiple people and departments, helping to reduce the risk of possible errors and fraud1. SOD is especially important in IT security, where granting excessive system access to one person or group can lead to harmful consequences, such as data breaches, identity theft, or bypassing security controls2. SOD breaks IT-related tasks into four separate function categories: authorization, custody, recordkeeping, and reconciliation1. Ideally, no one person or department holds responsibility in multiple categories. In a role-based environment, where access privileges are granted based on predefined roles, it is important to ensure that the roles are designed and assigned in a way that supports SOD. For example, the person who develops an application should not also be the one who tests it, deploys it, or maintains it. Therefore, an application developer should not be assigned the roles of IT operator, system administration, or database administration, as these roles may conflict with their development role and create opportunities for misuse or abuse of the system. The only role that may be assigned to an application developer without violating SOD is emergency support, which is a temporary role that allows the developer to access the system in case of a critical issue that requires immediate resolution3. However, even this role should be granted with caution and monitored closely to ensure compliance with SOD policies.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, page 2824 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription, QID 1066692 Hyperproof Blog, Segregation of Duties: What it is and Why it's Important1 Advisera Blog, Segregation of duties in your ISMS according to ISO 27001 A.6.1.23

• Question 1522:

  An internal audit department recently established a quality assurance (QA) program as part of its overall audit program. Which of the following activities is MOST important to include as part of the QA program requirements?

  A. Implementing corrective action plans.
  B. Reviewing audit standards periodically
  C. Analyzing user satisfaction reports from business lines
  D. Creating a long-term plan for internal audit staffing
  A. Implementing corrective action plans.

  ---

  Explanation

• Question 1523:

  An IS auditor is evaluating a virtual server environment and teams that the production server, development server and management console are housed in the same physical host.

  What should be the auditor's PRIMARY concern?

  A. The physical host is a single point of failure.
  B. The management console is a single point of failure
  C. The development server and management console share the same host.
  D. The development and production servers share the same host.
  A. The physical host is a single point of failure.

  ---

  Explanation

• Question 1524:

  Which of the following technology trends can lead to more robust data loss prevention (DLP) tools?

  A. Cloud computing
  B. Robotic process automation (RPA)
  C. Internet of Things (IoT)
  D. Machine learning algorithms
  D. Machine learning algorithms

  ---

  Explanation

• Question 1525:

  Identify the payment model from description presented below:

  A users write an electronic check, which is digitally signed with instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer will verify payer's signature on the payment and transfer

  the fund from the payer's account to the payee's account.

  A. Electronic Money Model
  B. Electronics Checks model
  C. Electronic transfer model
  D. Electronic withdraw model
  B. Electronics Checks model

  ---

  Explanation

  Electronic check system model real-world checks quite well and thus relatively simple to understand and implement. A users write an electronic check, which is digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer will verify payer's signature on the payment and transfer the fund from the payer's account to the payee's account.

  For CISA exam you should know below information about payment systems

  There are two types of parties involved in all payment systems ?the issuer and the user. An issuer is an entity that operates the payment service. An issuer holds the items that the payment represents. The user of the payment service

  performs two main functions- making payments and receiving payments ?and therefore can be described as a payer or payee receptively.

  Electronic Money Model ?The objective of electronic money systems is emulating physical cash. An issuer attempts to do this by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date.

  In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer can

  not determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional uncertainty.

  Electronic Check Model ?Electronic check system model real-world checks quite well and thus relatively simple to understand and implement. A users write an electronic check, which is digitally signed instruction to pay. This is transferred to

  another user, who then deposits the electronic check with the issuer. The issuer will verify payer's signature on the payment and transfer the fund from the payer's account to the payee's account.

  Electronic Transfer Model ?Electronic systems are simplest of three payment models. The payer simply creates a payment transfer instructions, sign it digitally and send it to issuer. The issuer then verifies the signature on the request and

  performs the transfer. This type of systems requires payer to be on-line and not payee.

  The following were incorrect answers:

  Electronic Money Model ?The objective of electronic money systems is emulating physical cash. An issuer attempts to do this by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date.

  In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer can

  not determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional uncertainty. Electronic Transfer Model ?Electronic systems are simplest of three payment models. The payer simply creates a

  payment transfer instructions, sign it digitally and send it to issuer. The issuer then verifies the signature on the request and performs the transfer. This type of systems requires payer to be on-line and not payee.

  CISA review manual 2014 Page number 183

• Question 1526:

  An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

  A. Report the mitigating controls.
  B. Report the security posture of the organization.
  C. Determine the value of the firewall.
  D. Determine the risk of not replacing the firewall.
  D. Determine the risk of not replacing the firewall.

  ---

  Explanation

  The IS auditor's next course of action after finding that firewalls are outdated and not supported by vendors should be to determine the risk of not replacing the firewall. Outdated firewalls may have known vulnerabilities that can be exploited by attackers to bypass security controls and access the network. They may also lack compatibility with newer technologies or standards that are required for optimal network performance and protection. Not replacing the firewall could expose the organization to various threats, such as data breaches, denial-of-service attacks, malware infections, or regulatory non- compliance. The IS auditor should assess the likelihood and impact of these threats and quantify the risk level for management to make informed decisions.

• Question 1527:

  As IS auditor discovers that due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?

  A. Identify whether any compensating controls exist
  B. Report a potential segregation of duties (SoD) violation
  C. Determine whether another database administrator could make the changes
  D. Ensure a change management process is followed prior to implementation
  D. Ensure a change management process is followed prior to implementation

  ---

  Explanation

• Question 1528:

  Which of the following is the BEST evidence that an organization's IT strategy is aligned lo its business objectives?

  A. The IT strategy is modified in response to organizational change.
  B. The IT strategy is approved by executive management.
  C. The IT strategy is based on IT operational best practices.
  D. The IT strategy has significant impact on the business strategy
  B. The IT strategy is approved by executive management.

  ---

  Explanation

  The best evidence that an organization's IT strategy is aligned to its business objectives is that the IT strategy is approved by executive management. This implies that the IT strategy has been reviewed and validated by the senior leaders of the organization, who are responsible for setting and overseeing the business objectives. The IT strategy may be modified in response to organizational change, based on IT operational best practices, or have significant impact on the business strategy, but these are not sufficient indicators of alignment without executive approval.

  References: CISA Review Manual (Digital Version)1, Chapter 1, Section 1.2.1

• Question 1529:

  Which of the following is MOST important to include when developing a business continuity plan (BCP)?

  A. Criteria for triggering the plan
  B. Details of linked security policies
  C. Details of a comprehensive asset inventory
  D. Plans for addressing all types of threats
  A. Criteria for triggering the plan

  ---

  Explanation

  Explanation

• Question 1530:

  Which of the following is the MOST effective mitigation strategy to protect confidential information from insider threats?

  A. Implementing authentication mechanisms
  B. Performing an entitlement review process
  C. Defining segregation of duties
  D. Establishing authorization controls.
  D. Establishing authorization controls.

  ---

  Explanation