Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1541:

  Which of the following observations regarding change management should be considered the MOST serious risk by an IS auditor?

  A. There is no software used to track change management.
  B. The change is not approved by the business owners.
  C. The change is deployed two weeks after approval.
  D. The development of the change is not cost-effective.
  B. The change is not approved by the business owners.

  ---

  Explanation

• Question 1542:

  An outsourced recruitment vendor processes personally identifiable information (PII) related to an organization's new hires. Which of the following would be the GREATEST concern to an IS auditor reviewing the third-party risk management process?

  A. The vendor collects data using an external-facing web service.
  B. The vendor lacks a team of dedicated privacy professionals.
  C. The vendor uses a fourth party to host client data.
  D. The vendor is excluded from the third-party due diligence process.
  D. The vendor is excluded from the third-party due diligence process.

  ---

  Explanation

  Explanation

• Question 1543:

  When deploying an application that was created using the programming language and tools supported by the cloud provider, the MOST appropriate cloud computing model for an organization to adopt is:

  A. Platform as a Service (PaaS).
  B. Software as a Service (SaaS).
  C. Infrastructure as a Service (laaS).
  D. Identity as a Service (IDaaS).
  A. Platform as a Service (PaaS).

  ---

  Explanation

• Question 1544:

  Which of the following projects would be MOST important to review in an audit of an organization's financial statements?

  A. Resource optimization of the enterprise resource planning (ERP) system
  B. Security enhancements to the customer relationship database
  C. Automation of operational risk management processes
  D. Outsourcing of the payroll system to an external service provider
  C. Automation of operational risk management processes

  ---

  Explanation

• Question 1545:

  When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:

  A. compare the organization's strategic plan against industry best practice.
  B. interview senior managers for their opinion of the IT function.
  C. ensure an IT steering committee is appointed to monitor new IT projects.
  D. evaluate deliverables of new IT initiatives against planned business services.
  D. evaluate deliverables of new IT initiatives against planned business services.

  ---

  Explanation

  When auditing the alignment of IT to the business strategy, it is most important for the IS auditor to evaluate deliverables of new IT initiatives against planned business services. This can help the IS auditor to assess whether the IT initiatives are meeting the business needs and expectations, delivering value and benefits, and supporting the business objectives and goals. Comparing the organization's strategic plan against industry best practice is a possible technique for auditing the alignment of IT to the business strategy, but it is not the most important thing for the IS auditor to do, as industry best practice may not be applicable or relevant to the specific context or situation of the organization. Interviewing senior managers for their opinion of the IT function is a possible technique for auditing the alignment of IT to the business strategy, but it is not the most important thing for the IS auditor to do, as senior managers' opinions may be subjective or biased, and may not reflect the actual performance or outcomes of the IT function. Ensuring an IT steering committee is appointed to monitor new IT projects is a possible control for ensuring the alignment of IT to the business strategy, but it is not the most important thing for the IS auditor to do, as an IT steering committee may not be effective or efficient in monitoring new IT projects, and may not have sufficient authority or influence over the IT function.

• Question 1546:

  An IS auditor conducting audit follow-up activities learns that some previously agreed-upon corrective actions have not been taken and that the associated risk has been accepted by senior management. If the auditor disagrees with management's decision, what is the BEST way to address the situation?

  A. Repeat the audit with audit scope only covering areas with accepted risks
  B. Report the issue to the chief audit executive for resolution
  C. Recommend new corrective actions to mitigate the accepted risk
  D. Take no action since management's decision has been made
  B. Report the issue to the chief audit executive for resolution

  ---

  Explanation

• Question 1547:

  Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?

  A. Ensure corrected program code is compiled in a dedicated server.
  B. Ensure change management reports are independently reviewed.
  C. Ensure programmers cannot access code after the completion of program edits.
  D. Ensure the business signs off on end-to-end user acceptance test (UAT) results.
  C. Ensure programmers cannot access code after the completion of program edits.

  ---

  Explanation

  The IS auditor's best recommendation is to ensure that programmers cannot access code after the completion of program edits. This is because programmers who have access to code after editing may introduce unauthorized or malicious

  changes that could compromise the security, functionality, or performance of the application. By restricting access to code after editing, the organization can ensure that only authorized and tested code is released into production, and prevent

  any tampering or reoccurrence of the same issue.

  References:

  1 discusses the importance of controlling access to code after editing and testing, and provides some best practices for doing so.

  2 explains how programmers can introduce malicious code into applications, and how to prevent and detect such attacks.

  3 describes the role of IS auditors in reviewing and assessing the security and quality of application code.

• Question 1548:

  Which of the following controls is BEST implemented through system configuration?

  A. Network user accounts for temporary workers expire after 90 days.
  B. Application user access is reviewed every 180 days for appropriateness.
  C. Financial data in key reports is traced to source systems for completeness and accuracy.
  D. Computer operations personnel initiate batch processing jobs daily.
  A. Network user accounts for temporary workers expire after 90 days.

  ---

  Explanation

  This control is best implemented through system configuration because it can be enforced automatically by setting a parameter in the network operating system or directory service. This ensures that temporary workers do not have access to the network beyond their authorized period, and reduces the risk of unauthorized or malicious use of their accounts12. References1: Configuration and Change Management - CISA2: What is IT Governance? - Definition from Techopedia

• Question 1549:

  Which of the following layer in an enterprise data flow architecture derives enterprise information from operational data, external data and nonoperational data?

  A. Data preparation layer
  B. Data source layer
  C. Data mart layer
  D. Data access layer
  B. Data source layer

  ---

  Explanation

  Enterprise information derives from number of sources:

  Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files.

  External Data ?Data provided to an organization by external sources. This could include data such as customer demographic and market share information.

  Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

  For CISA exam you should know below information about business intelligence:

  Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a

  data architecture. The complete data architecture consists of two components

  The enterprise data flow architecture (EDFA)

  A logical data architecture

  Various layers/components of this data flow architecture are as follows:

  Presentation/desktop access layer ?This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas

  and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Source Layer - Enterprise information derives from number of sources:

  Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data ?Data provided to an organization by external sources. This could include data

  such as customer demographic and market share information.

  Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

  Core data warehouse -This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support

  three basic form of an inquiry.

  Drilling up and drilling down ?Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.

  Drill across ?Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical

  Analysis ?The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start

  of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers. Data Mart Layer- Data mart represents subset of information from the core DW selected and organized to meet

  the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical processing (OLAP) data structure.

  Data Staging and quality layer -This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

  periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

  Data Access Layer -This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  Data Preparation layer -This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed. Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs to be very high to not corrupt the result.

  Metadata repository layer - Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be

  comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules.

  Warehouse Management Layer -The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.

  Application messaging layer -This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

  Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

  Various analysis models used by data architects/ analysis follows:

  Activity or swim-lane diagram ?De-construct business processes.

  Entity relationship diagram -Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is

  involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

  The following were incorrect answers:

  Data mart layer - Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data access layer - his layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  Data preparation layer -This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

  CISA review manual 2014 Page number 188

• Question 1550:

  In an annual audit cycle, the audit of an organization's IT department resulted in many findings. Which of the following would be the MOST important consideration when planning the next audit?

  A. Postponing the review until all of the findings have been rectified
  B. Limiting the review to the deficient areas
  C. Verifying that all recommendations have been implemented
  D. Following up on the status of all recommendations
  D. Following up on the status of all recommendations

  ---

  Explanation

  The most important consideration when planning the next audit after many findings is to follow up on the status of all recommendations, as this will ensure that the audit findings are addressed in a timely and effective manner, and that the root

  causes of the issues are resolved12. Following up on the status of all recommendations will also help to assess the progress and performance of the IT department, and to identify any new or emerging risks or challenges.

  References:

  1: What to consider when resolving internal audit findings

  2: A brief guide to follow up4

  3: Guidance on auditing planning for Internal Audit2

  4: Corrective Action Plan (CAP): How to Manage Audit Findings