Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1621:

  Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?

  A. Ensure the third party allocates adequate resources to meet requirements.
  B. Use analytics within the internal audit function
  C. Conduct a capacity planning exercise
  D. Utilize performance monitoring tools to verify service level agreements (SLAs)
  D. Utilize performance monitoring tools to verify service level agreements (SLAs)

  ---

  Explanation

  The best way for an organization to mitigate the risk associated with third- party application performance is to utilize performance monitoring tools to verify service level agreements (SLAs). Performance monitoring tools are software or hardware devices that measure and report the performance of an application or system, such as speed, availability, reliability, etc. Performance monitoring tools can help mitigate the risk associated with third-party application performance, by allowing the organization to verify whether the third-party provider is meeting the SLAs, which are contracts or agreements that define the expected level and quality of service for an application or system. Performance monitoring tools can also help identify and resolve any performance issues or problems that may arise from the third-party application. Ensuring the third party allocates adequate resources to meet requirements is a possible way to mitigate the risk associated with third-party application performance, but it is not the best one, as it may not be feasible or effective depending on the availability, cost, and suitability of the resources. Using analytics within the internal audit function is a possible way to mitigate the risk associated with third-party application performance, but it is not the best one, as it may not be timely or relevant depending on the frequency, scope, and quality of the analytics. Conducting a capacity planning exercise is a possible way to mitigate the risk associated with third-party application performance, but it is not the best one, as it may not be accurate or reliable depending on the assumptions, methods, and data used for the capacity planning.

• Question 1622:

  Which of the following BEST enables the timely identification of risk exposure?

  A. External audit review
  B. Internal audit review
  C. Control self-assessment (CSA)
  D. Stress testing
  C. Control self-assessment (CSA)

  ---

  Explanation

  Control self-assessment (CSA) is a technique that enables business managers and staff to assess and improve the effectiveness of their own controls and risk management processes. CSA can best enable the timely identification of risk

  exposure, as it allows for continuous monitoring and reporting of risks by those who are closest to the business processes and activities. External audit review, internal audit review, and stress testing are also useful methods for identifying risk

  exposure, but they are not as timely as CSA, as they are performed periodically or on demand by external or internal parties who may not have as much insight into the business operations and environment.

  References:

  ISACA CISA Review Manual 27th Edition, page 95.

• Question 1623:

  Which of the following is MOST important with regard to an application development acceptance test?

  A. The programming team is involved in the testing process.
  B. All data files are tested for valid information before conversion.
  C. User management approves the test design before the test is started.
  D. The quality assurance (QA) team is in charge of the testing process.
  C. User management approves the test design before the test is started.

  ---

  Explanation

  The most important aspect of an application development acceptance test is that user management approves the test design before the test is started, as this ensures that the test objectives, criteria, and procedures are aligned with the user requirements and expectations. The programming team's involvement in the testing process, the testing of data files for valid information before conversion, and the quality assurance (QA) team's charge of the testing process are also important, but they are not as critical as user management's approval of the test design.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.4.2

• Question 1624:

  An IS auditor is reviewing job scheduling software and notes instances of delayed processing time, unexpected job interruption, and out-of-sequence job execution. Which of the following should the auditor examine FIRST to help determine the reasons for these instances?

  A. System schedule
  B. Job schedule
  C. Exception log
  D. Change log
  C. Exception log

  ---

  Explanation

• Question 1625:

  Which of the following is MOST helpful for evaluating benefits realized by IT projects?

  A. Benchmarking IT project management practices with industry peers
  B. Evaluating compliance with key security controls
  C. Comparing planned versus actual return on investment (ROI)
  D. Reviewing system development life cycle (SDLC) processes
  C. Comparing planned versus actual return on investment (ROI)

  ---

  Explanation

• Question 1626:

  Which of the following network management toots should an IS auditor use to review the type of packets flowing along a monitored link'?

  A. Response time reports
  B. Network monitors
  C. Protocol analyzers
  D. Online monitors
  B. Network monitors

  ---

  Explanation

• Question 1627:

  Which of the following is MOST important lo have in place for he continuous improvement of process maturity within a large IT support function?

  A. Performance metrics dashboard
  B. Control self-assessments (CSAs)
  C. Regular internal audits
  D. Project management
  A. Performance metrics dashboard

  ---

  Explanation

• Question 1628:

  Which of the following is PRIMARILY used in blockchain technology to create a distributed immutable ledger?

  A. Artificial intelligence (Al)
  B. Application hardening
  C. Edge computing
  D. Encryption
  D. Encryption

  ---

  Explanation

• Question 1629:

  An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?

  A. Loss of application support
  B. Lack of system integrity
  C. Outdated system documentation
  D. Developer access 1o production
  B. Lack of system integrity

  ---

  Explanation

  The most significant risk from not testing patches before putting them into production is the lack of system integrity. Patches are software updates that fix bugs, vulnerabilities or performance issues in an application system. However, patches may also introduce new errors, conflicts or compatibility issues that could affect the functionality, reliability or security of the system4. By not testing patches before putting them into production, the organization exposes itself to the risk of system failures, data corruption or unauthorized access. Loss of application support, outdated system documentation and developer access to production are also risks from not testing patches, but they are not as significant as the lack of system integrity.

  References: CISA Review Manual, 27th Edition, page 2951 CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

• Question 1630:

  An organization's disposal policy emphasizes obtaining maximum value for surplus IT media. The IS auditor should obtain assurance that:

  A. the media is returned to the vendor for credit
  B. any existing data is removed before disposal
  C. identification labels are removed
  D. the media is recycled to other groups within the organization
  D. the media is recycled to other groups within the organization

  ---

  Explanation