Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1611:

  Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

  A. Accept management's decision and continue the follow-up.
  B. Report the issue to IS audit management.
  C. Report the disagreement to the board.
  D. Present the issue to executive management.
  B. Report the issue to IS audit management.

  ---

  Explanation

  Prior to a follow-up engagement, if an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation, the IS auditor should report the issue to IS audit management. This is because IS audit management is responsible for ensuring that audit findings are properly communicated and resolved. Accepting management's decision and continuing the follow-up would not address the IS auditor's concern. Reporting the disagreement to the board or executive management would be premature and inappropriate without consulting IS audit management first.

  References: CISA Review Manual (Digital Version), Chapter 1, Section 1.6

• Question 1612:

  Which of the following provides the BEST evidence that all elements of a business continuity plan (BCP) are operating effectively?

  A. Walk-through test results
  B. Full operational test results
  C. Tabletop test results
  D. Simulation test results
  A. Walk-through test results

  ---

  Explanation

• Question 1613:

  A payroll application system accepts individual user sign-on IDs and then connects to its database using a single application ID. The GREATEST weakness under this system architecture is that:

  A. an incident involving unauthorized access to data cannot be tied to a specific user.
  B. when multiple sessions with the same application ID collide, the database locks up.
  C. users can gain direct access to the application ID and circumvent data controls.
  D. the database becomes unavailable if the password of the application ID expires.
  C. users can gain direct access to the application ID and circumvent data controls.

  ---

  Explanation

• Question 1614:

  Which of the following should be an IS auditor's PRIMARY consideration when determining which issues to include in an audit report?

  A. Professional skepticism
  B. Management's agreement
  C. Materiality
  D. Inherent risk
  C. Materiality

  ---

  Explanation

  Materiality is the primary consideration when determining which issues to include in an audit report, as it reflects the significance or importance of the issues to the users of the report. Materiality is a relative concept that depends on the nature, context, and amount of the issues, as well as the expectations and needs of the users. Materiality helps the auditor to prioritize the issues and communicate them clearly and concisely.

  References: ISACA CISA Review Manual, 27th Edition, page 256 Materiality in Auditing - AICPA Materiality in Planning and Performing an Audit - IAASB

• Question 1615:

  The information in the knowledge base can be expressed in several ways. Which of the following way uses questionnaires to lead the user through a series of choices until a conclusion is reached?

  A. Decision tree
  B. Rules
  C. Semantic nets
  D. Knowledge interface
  A. Decision tree

  ---

  Explanation

  Decision tree uses questionnaires to lead the user through a series of choices, until a conclusion is reached. Flexibility is compromised because the user must answer the questions in an exact sequence.

  For CISA Exam you should know below information about Artificial Intelligence and Expert System Artificial intelligence is the study and application of the principles by which: Knowledge is acquired and used

  Goals are generated and achieved Information is communicated Collaboration is achieved Concepts are formed Languages are developed

  Two main programming languages that have been developed for artificial intelligence are LISP and PROLOG.

  Expert system are compromised primary components, called shells, when they are not populated with particular data, and the shells are designed to host new expert system.

  Keys to the system is the knowledge base (KB), which contains specific information or fact patterns associated with a particular subject matter and the rule for interpreting these facts. The KB interface with a database in obtaining data to

  analyze a particular problem in deriving an expert conclusion. The information in the KB can be expressed in several ways:

  Decision Tree ?Using questionnaires to lead the user through a series of choices, until a conclusion is reached. Flexibility is compromised because the user must answer the questions in an exact sequence.

  Rule ?Expressing declarative knowledge through the use of if-then relationships. For example, if a patient's body temperature is over 39 degrees Celsius and their pulse is under 60, then they might be suffering from a certain disease.

  Semantic nets ?Consist of a graph in which the node represent physical or conceptual object and the arcs describe the relationship between the nodes. Semantic nets resemble a data flow diagram and make use of an inheritance mechanism

  to prevent duplication of a data.

  Additionally, the inference engine shown is a program that uses the KB and determines the most appropriate outcome based on the information supplied by the user. In addition, an expert system includes the following components

  Knowledge interface ?Allows the expert to enter knowledge into the system without the traditional mediation of a software engineer.

  Data Interface ?Enables the expert system to collect data from nonhuman sources, such as measurement instruments in a power plant.

  The following were incorrect answers:

  Rule ?Expressing declarative knowledge through the use of if-then relationships.

  Semantic nets ?Semantic nets consist of a graph in which the node represent physical or conceptual object and the arcs describe the relationship between the nodes. Knowledge interface ?Allows the expert to enter knowledge into the

  system without the traditional mediation of a software engineer.

  CISA review manual 2014 Page number 187

• Question 1616:

  Which of the following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?

  A. Identify aggregate residual IT risk for each business line.
  B. Obtain a complete listing of the entity's IT processes.
  C. Obtain a complete listing of assets fundamental to the entity's businesses.
  D. Identify key control objectives for each business line's core processes.
  D. Identify key control objectives for each business line's core processes.

  ---

  Explanation

• Question 1617:

  Which of the following should be an IS auditor's GREATEST concern when reviewing an outsourcing arrangement with a third-party cloud service provider to host personally identifiable data?

  A. The data is not adequately segregated on the host platform.
  B. Fees are charged based on the volume of data stored by the host.
  C. The outsourcing contract does not contain a right-to-audit clause.
  D. The organization's servers are not compatible with the third party's infrastructure
  A. The data is not adequately segregated on the host platform.

  ---

  Explanation

• Question 1618:

  Which of the following is the BEST justification for deferring remediation testing until the next audit?

  A. The auditor who conducted the audit and agreed with the timeline has left the organization.
  B. Management's planned actions are sufficient given the relative importance of the observations.
  C. Auditee management has accepted all observations reported by the auditor.
  D. The audit environment has changed significantly.
  D. The audit environment has changed significantly.

  ---

  Explanation

  Deferring remediation testing until the next audit is justified only when there are significant changes in the audit environment that affect the relevance or validity of the audit observations and recommendations. For example, if there are changes in the business processes, systems, regulations, or risks that require a new audit scope or approach. The other options are not valid justifications for deferring remediation testing, as they do not address the timeliness or quality of the audit follow-up process. The auditor who conducted the audit and agreed with the timeline has left the organization does not affect the responsibility of the audit function to ensure that remediation testing is performed as planned. Management's planned actions are sufficient given the relative importance of the observations does not guarantee that management will actually implement those actions or that they will be effective in addressing the audit issues. Auditee management has accepted all observations reported by the auditor does not eliminate the need for verification of remediation actions by an independent party.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

• Question 1619:

  An organization has decided to purchase a web-based email service from a third-party vendor and eliminate its own email server infrastructure. What type of cloud computing environment would BEST meet the organization's objective?

  A. Platform as a Service (PaaS)
  B. Software as a Service (SaaS)
  C. Database as a Service (DBaaS)
  D. Infrastructure as a Service (laaS)
  B. Software as a Service (SaaS)

  ---

  Explanation

• Question 1620:

  Which of the following layer of an enterprise data flow architecture represents subsets of information from the core data warehouse?

  A. Presentation layer
  B. Desktop Access Layer
  C. Data Mart layer
  D. Data access layer
  C. Data Mart layer

  ---

  Explanation

  Data Mart layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  For CISA exam you should know below information about business intelligence:

  Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a

  data architecture. The complete data architecture consists of two components

  The enterprise data flow architecture (EDFA)

  A logical data architecture

  Various layers/components of this data flow architecture are as follows:

  Presentation/desktop access layer ?This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas

  and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Source Layer ?Enterprise information derives from number of sources:

  Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data ?Data provided to an organization by external sources. This could include data

  such as customer demographic and market share information.

  Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

  Core data warehouse ?This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support

  three basic form of an inquiry.

  Drilling up and drilling down ?Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.

  Drill across ?Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical

  Analysis ?The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start

  of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers.

  Data Mart Layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data Staging and quality layer ?This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

  periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

  Data Access Layer ?This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  Data Preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

  Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs

  to be very high to not corrupt the result.

  Metadata repository layer ?Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be

  comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules. Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to

  build and maintain the DW and populate data marts. This layer is also involved in administration of security.

  Application messaging layer ?This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

  Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

  Various analysis models used by data architects/ analysis follows:

  Activity or swim-lane diagram ?De-construct business processes.

  Entity relationship diagram ?Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is

  involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

  The following were incorrect answers:

  Desktop access layer or presentation layer is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as

  Congas and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data access layer ?his layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  CISA review manual 2014 Page number 188