Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1531:

  Which of the following criteria is MOST important for the successful delivery of benefits from an IT project?

  A. Assessing the impact of changes to individuals and business units within the organization
  B. Involving key stakeholders during the development and execution phases of the project
  C. Ensuring that IT project managers have sign-off authority on the business case
  D. Quantifying the size of the software development effort required by the project
  B. Involving key stakeholders during the development and execution phases of the project

  ---

  Explanation

• Question 1532:

  IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?

  A. More frequent data backups
  B. Periodic table link checks
  C. Concurrent access controls
  D. Performance monitoring tools
  B. Periodic table link checks

  ---

  Explanation

  Referential integrity is a property of data that ensures that all references between tables are valid and consistent. Disabling referential integrity controls can result in orphaned records, data anomalies, and inaccurate queries. The most effective way to compensate for the lack of referential integrity is to perform periodic table link checks, which verify that all foreign keys match existing primary keys in the related tables. More frequent data backups, concurrent access controls, and performance monitoring tools do not address the issue of data consistency and accuracy.

  References: ISACA CISA Review Manual 27th Edition, page 291

• Question 1533:

  An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?

  A. Determine exposure to the business
  B. Adjust future testing activities accordingly
  C. Increase monitoring for security incidents
  D. Hire a third party to perform security testing
  A. Determine exposure to the business

  ---

  Explanation

  The IS auditor's best course of action when reviewing the use of an outsourcer for disposal of storage media is to determine exposure to the business. Storage media, such as hard disks, tapes, flash drives, or CDs, may contain sensitive or confidential information that needs to be protected from unauthorized access, disclosure, or misuse. The IS auditor should verify that the outsourcer has a process that appropriately sanitizes the media before disposal, such as wiping, degaussing, shredding, or incinerating, and that the process is effective and compliant with the organization's policies and standards. The IS auditor should also assess the potential impact and risk to the business if the storage media is not properly sanitized or disposed of, such as data breaches, reputational damage, legal or regulatory penalties, or loss of competitive advantage. The other options are not the best course of action, because they either do not address the root cause of the problem, or they are reactive rather than proactive measures.

  References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.7

• Question 1534:

  Which of the following BEST enables an organization to verify whether an encrypted message sent by a client has been altered?

  A. The digital signature
  B. The message header
  C. The date and time stamp of the received message
  D. The sender's private key
  A. The digital signature

  ---

  Explanation

  Explanation

• Question 1535:

  During an audit of the organization's data privacy policy, the IS auditor identified that only some IT application databases have encryption in place. What should be the auditor's FIRST action?

  A. Assess the resources required to implement encryption to unencrypted databases.
  B. Review the most recent database penetration testing results.
  C. Determine whether compensating controls are in place.
  D. Review a comprehensive list of databases with the information they contain.
  C. Determine whether compensating controls are in place.

  ---

  Explanation

• Question 1536:

  Which of the following is MOST important for an IS auditor to consider when performing the risk assessment poor to an audit engagement?

  A. The design of controls
  B. Industry standards and best practices
  C. The results of the previous audit
  D. The amount of time since the previous audit
  C. The results of the previous audit

  ---

  Explanation

  The results of the previous audit are an important source of information for an IS auditor to consider when performing the risk assessment prior to an audit engagement, as they can provide insights into the current state and performance of the auditee, identify any issues or gaps that need to be followed up or addressed, and highlight any areas that require special attention or focus. The design of controls is an important factor to evaluate during an audit engagement, but it is not the most important thing to consider when performing the risk assessment prior to an audit engagement, as it does not reflect the actual implementation or effectiveness of the controls. Industry standards and best practices are useful benchmarks or guidelines for an IS auditor to compare or measure against during an audit engagement, but they are not the most important thing to consider when performing the risk assessment prior to an audit engagement, as they may not be applicable or relevant to the specific context or objectives of the auditee. The amount of time since the previous audit is a relevant criterion to determine the frequency or timing of an audit engagement, but it is not the most important thing to consider when performing the risk assessment prior to an audit engagement, as it does not indicate the level or nature of risk associated with the auditee.

• Question 1537:

  During the forensic investigation of a cyberattack involving credit card data, which of the following is MOST important to ensure?

  A. Adequate card security features are activated.
  B. The company's payment platforms are blocked.
  C. Proper chain of custody is maintained.
  D. All staff in the payment card unit are interviewed.
  C. Proper chain of custody is maintained.

  ---

  Explanation

  Explanation Comprehensive and Detailed Step-by-Step In forensic investigations,maintaining a proper chain of custodyiscriticalto ensuring that evidence is admissible in court and has not been altered. Option A (Incorrect):Activatingsecurity features(e.g., encryption or tokenization) is apreventive measurebut does not aid in investigating the attack. Option B (Incorrect):Blocking payment platforms may be necessary fordamage control, but it does not ensure a properinvestigation. Option C (Correct):Thechain of custodyensures thatevidence remains intact, can betraced, and islegally validfor prosecution. This is the most critical aspect of forensic investigations. Option D (Incorrect):Interviewing staff may provide insights, but without properevidence handling, the investigation's integrity is at risk.

  ISACA CISA Review Manual -Domain 5: Protection of Information Assets?Coversforensic investigations, evidence handling, and legal compliance.

• Question 1538:

  A review of an organization's enterprise architecture (EA) BEST enables an IS auditor to determine:

  A. alignment of IT service levels with business objectives.
  B. the organization's level of compliance with regulations.
  C. adherence to budget for current IT initiative implementations.
  D. alignment of the IT strategy with business strategy.
  D. alignment of the IT strategy with business strategy.

  ---

  Explanation

  Explanation

• Question 1539:

  Which of the following BEST demonstrates alignment of the IT department with the corporate mission?

  A. Analysis of IT department functionality
  B. Biweekly reporting to senior management
  C. Annual board meetings
  D. Quarterly steering committee meetings
  D. Quarterly steering committee meetings

  ---

  Explanation

  Quarterly steering committee meetings best demonstrate alignment of the IT department with the corporate mission because they provide a regular forum for strategic planning, decision making, and communication between IT leaders and business stakeholders12. Steering committee meetings help to ensure that IT goals and initiatives are aligned with the business vision, mission, and objectives, and that IT performance and value are monitored and evaluated34.

  References:

  1: IT Governance and the Balanced Scorecard - ISACA Journal

  2: IT Steering Committee Best Practices: A Recipe for Success

  3: What is IT Governance? - Definition from Techopedia

  4: CISA Cybersecurity Strategic Plan | CISA

• Question 1540:

  Which of the following function in traditional EDI translate data between the standard format and trading partner's propriety format?

  A. Communication handler
  B. Application Interface
  C. Application System
  D. EDI Translator
  D. EDI Translator

  ---

  Explanation

  EDI Translator translates data between standard format (ANSI X12) and trading partner's propriety information.

  For CISA Exam you should know below information about Traditional EDI functions.

  Moving data in a batch transmission process through the traditional EDI process generally involves three functions within each trading partner's computer system

  Communication handler ?Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN). VAN use computerized

  message switching and storage capabilities to provide electronic mailbox services similar to post offices. The VAN receives all the outbound transactions from an organization, sort them by destination and passes them to precipitants when

  they log on to check their mailbox and receive transmission.

  EDI Interface ?Interface function that manipulates and routes data between the application system and the communication handler. The interface consists of two components

  EDI Translator ?The device translates data between standard format (ANSI X12) and trading partner's propriety information.

  Application Interface ?This interface moves electronic transactions to or from the application systems and perform data mapping. Data mapping is the process by which data are extracted from EDI translation process and integrated with the

  data or process of receiving company.

  3. Application System ?The program that process the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the control for existing applications, if left unchanged, are usually

  unaffected.

  The following were incorrect answers:

  Communication handler ?Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN).

  Application System ?The program that process the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the control for existing applications, if left unchanged, are usually

  unaffected.

  Application Interface ?This interface moves electronic transactions to or from the application systems and perform data mapping.

  CISA review manual 2014 Page number 178