Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1591:

  Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?

  A. Invite external auditors and regulators to perform regular assessments of the IS audit function.
  B. Implement rigorous managerial review and sign-off of IS audit deliverables.
  C. Frequently review IS audit policies, procedures, and instruction manuals.
  D. Establish and embed quality assurance (QA) within the IS audit function.
  D. Establish and embed quality assurance (QA) within the IS audit function.

  ---

  Explanation

  The best way to foster continuous improvement of IS audit processes and practices is to establish and embed quality assurance (QA) within the IS audit function, as this will ensure that the IS audit activities are aligned with the standards, expectations, and objectives of the organization and the stakeholders. QA involves periodic internal and external assessments, benchmarking, feedback, and root cause analysis to identify and address gaps, issues, and opportunities for improvement

• Question 1592:

  Which of the following should be established FIRST when initiating a control self-assessment program in a small organization?

  A. Control baselines
  B. Client questionnaires
  C. External consultants
  D. Facilitated workshops
  B. Client questionnaires

  ---

  Explanation

• Question 1593:

  During an audit of an organization's financial statements, an IS auditor finds that the IT general controls are deficient. What should the IS auditor recommend?

  A. Increase the compliance testing of the application controls.
  B. Place greater reliance on the application controls.
  C. Increase the substantive testing of the financial balances.
  D. Place greater reliance on the framework of control.
  C. Increase the substantive testing of the financial balances.

  ---

  Explanation

• Question 1594:

  Which of the following is MOST useful for determining the strategy for IT portfolio management?

  A. IT metrics dashboards
  B. IT roadmap
  C. Capability maturity model
  D. Life cycle cost-benefit analysis
  B. IT roadmap

  ---

  Explanation

• Question 1595:

  A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:

  A. the audit committee.
  B. audit management.
  C. auditee line management.
  D. the police.
  B. audit management.

  ---

  Explanation

• Question 1596:

  In which of the following payment mode, an issuer attempts to emulate physical cash by creating digital certificates, which are purchased by users who redeem them with the issuer at a later date?

  A. Electronic Money Model
  B. Electronics Checks model
  C. Electronic transfer model
  D. Electronic withdraw model
  A. Electronic Money Model

  ---

  Explanation

  In an electronic money model issuer attempts to do this by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date. In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer can not determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional uncertainty.

  For CISA exam you should know below information about payment systems

  There are two types of parties involved in all payment systems ?the issuer and the user. An issuer is an entity that operates the payment service. An issuer holds the items that the payment represents. The user of the payment service performs two main functions- making payments and receiving payments ?and therefore can be described as a payer or payee receptively.

  Electronic Money Model ?The objective of electronic money systems is emulating physical cash. An issuer attempts to do this by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date. In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer can not determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional uncertainty.

  Electronic Check Model ?Electronic check system model real-world checks quite well and thus relatively simple to understand and implement. A users write an electronic check, which is digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer will verify payer's signature on the payment and transfer the fund from the payer's account to the payee's account.

  Electronic Transfer Model ?Electronic systems are simplest of three payment models. The payer simply creates a payment transfer instructions, sign it digitally and send it to issuer. The issuer then verifies the signature on the request and performs the transfer. This type of systems requires payer to be on-line and not payee.

  The following were incorrect answers:

  Electronic Check Model ?Electronic check system model real-world checks quite well and thus relatively simple to understand and implement. A users write an electronic check, which is digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer will verify payer's signature on the payment and transfer the fund from the payer's account to the payee's account. Electronic Transfer Model -Electronic systems are simplest of three payment models. The payer simply creates a payment transfer instructions, sign it digitally and send it to issuer. The issuer then verifies the signature on the request and performs the transfer. This type of systems requires payer to be on-line and not payee.

  Electronic Withdraw Model ?Not a valid type of payment system.

  CISA review manual 2014 Page number 183

• Question 1597:

  Which of the following statement INCORRECTLY describes the Control self-assessment (CSA) approach?

  A. CSA is policy or rule driven
  B. CSA Empowered/accountable employees
  C. CSA focuses on continuous improvement/learning curve
  D. In CSA, Staffs at all level, in all functions, are the primary control analyst.
  A. CSA is policy or rule driven

  ---

  Explanation

  The word INCORRECTLY is the keyword used in the question. You need to find out an option which incorrectly describes Control Self-assessment.

  For your exam you should know the information below about control self-assessment:

  Control self-assessment is an assessment of controls made by the staff and management of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal controls of the

  organization are reliable.

  Benefits of CSA

  Early detection of risk

  More efficient and improved internal controls

  Creation of cohesive teams through employee involvement

  Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives Increased employee awareness of organizational objectives, and knowledge of risk and

  internal controls

  Highly motivated employees

  Improved audit training process

  Reduction in control cost

  Assurance provided to stakeholders and customers

  Traditional and CSA attributes

  Traditional Historical CSA

  Assign duties/supervises staff Empowered/accountable employees

  Policy/rule driven Continuous improvement/learning curve

  Limited employee participation Extensive employee participation and training

  Narrow stakeholders focus Broad stakeholders focus

  Auditors and other specialist Staff at all level, in all functions, are the primary control analysts

  The following answers are incorrect:

  The other options specified are correctly describes about CSA.

  CISA review manual 2014 page number 61, 62 and 63

• Question 1598:

  An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following IS the BEST recommendation?

  A. Benchmark organizational performance against industry peers
  B. Implement key performance indicators (KPIs).
  C. Require executive management to draft IT strategy
  D. Implement annual third-party audits.
  C. Require executive management to draft IT strategy

  ---

  Explanation

  The best recommendation to improve IT governance within the organization is

  C. Require executive management to draft IT strategy. IT governance is the process of establishing and maintaining the policies, roles, responsibilities, and accountabilities for managing technology risks within an organization1. One of the key objectives of IT governance is to ensure alignment and integration between technology and business strategies, leading to optimal outcomes and value creation1. Therefore, it is essential that executive management, who are responsible for setting the vision, mission, and goals of the organization, are also involved in drafting the IT strategy that supports and enables them. By requiring executive management to draft IT strategy, the organization can: Ensure that the IT strategy is consistent and coherent with the business strategy, and reflects the organization's priorities, values, and culture2. Enhance communication and collaboration between IT and business functions, and foster a shared understanding and commitment to the IT strategy2. Increase accountability and transparency for IT performance and outcomes, and ensure that IT investments are aligned with the organization's risk appetite and value proposition2.

• Question 1599:

  An auditee disagrees with a recommendation for corrective action that appears in the draft engagement report. Which of the following is the IS auditor's BEST course of action when preparing the final report?

  A. Come to an agreement prior to issuing the final report.
  B. Include the position supported by senior management in the final engagement report
  C. Ensure the auditee's comments are included in the working papers
  D. Exclude the disputed recommendation from the final engagement report
  B. Include the position supported by senior management in the final engagement report

  ---

  Explanation

  The IS auditor's best course of action when preparing the final report is to include the position supported by senior management in the final engagement report. The IS auditor should communicate the audit findings and recommendations to senior management and obtain their feedback and approval before issuing the final report. If there is a disagreement between the auditee and the IS auditor regarding a recommendation for corrective action, the IS auditor should present both sides of the argument and the supporting evidence, and seek senior management's opinion and decision. The IS auditor should respect and follow senior management's position, and include it in the final engagement report, along with the auditee's comments if applicable. The other options are not the best course of action, because they either do not resolve the disagreement, do not reflect senior management's authority, or do not report the audit results accurately and completely.

  References: CISA Review Manual (Digital Version)1, Chapter 2, Section 2.2.5

• Question 1600:

  A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

  A. use a proxy server to filter out Internet sites that should not be accessed.
  B. keep a manual log of Internet access.
  C. monitor remote access activities.
  D. include a statement in its security policy about Internet use.
  D. include a statement in its security policy about Internet use.

  ---

  Explanation

  The first step that the organization should take to ensure that only the corporate network is used for downloading business data is to include a statement in its security policy about Internet use. A security policy is a document that defines the rules, expectations, and overall approach that an organization uses to maintain the confidentiality, integrity, and availability of its data1. A security policy should clearly state the acceptable and unacceptable use of Internet resources, such as personal accounts with ISPs, and the consequences of violating the policy. A security policy also helps to guide the implementation of technical controls, such as proxy servers, firewalls, or monitoring tools, that can enforce the policy and prevent or detect unauthorized Internet access. The other options are not the first step that the organization should take, but rather subsequent or complementary steps that depend on the security policy. Using a proxy server to filter out Internet sites that should not be accessed is a technical control that can help implement the security policy, but it does not address the root cause of why users are using personal accounts with ISPs. Keeping a manual log of Internet access is a monitoring technique that can help audit the compliance with the security policy, but it does not prevent or deter users from using personal accounts with ISPs. Monitoring remote access activities is another monitoring technique that can help detect unauthorized Internet access, but it does not specify what constitutes unauthorized access or how to respond to it.

  References: ISACA CISA Review Manual 27th Edition (2019), page 247 What is a Security Policy? Definition, Elements, and Examples - Varonis1