Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1631:

  Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?

  A. Review of monthly performance reports submitted by the vendor
  B. Certifications maintained by the vendor
  C. Regular independent assessment of the vendor
  D. Substantive log file review of the vendor's system
  C. Regular independent assessment of the vendor

  ---

  Explanation

• Question 1632:

  During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (Al) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?

  A. Perform a skills assessment to identify members from other business units with knowledge of Al.
  B. Remove the Al portion from the audit scope and proceed with the audit.
  C. Delay the audit until the team receives training on Al.
  D. Engage external consultants who have audit experience and knowledge of Al.
  D. Engage external consultants who have audit experience and knowledge of Al.

  ---

  Explanation

  If the audit team lacks the necessary knowledge to audit a system that uses an AI algorithm, engaging external consultants who have audit experience and knowledge of AI would be the best approach. These consultants can provide the

  expertise needed to effectively audit the AI system. This approach ensures that the audit is conducted thoroughly and accurately, without requiring the audit team to acquire new skills or knowledge.

  References:

  Auditing Guidelines for Artificial Intelligence - ISACA An In-Depth Guide To Audit AI Models - Censius

• Question 1633:

  An organization has implemented a distributed security administration system to replace the previous centralized one. Which of the following presents the GREATEST potential concern?

  A. Security procedures may be inadequate to support the change
  B. A distributed security system is inherently a weak security system
  C. End-user acceptance of the new system may be difficult to obtain
  D. The new system will require additional resources
  A. Security procedures may be inadequate to support the change

  ---

  Explanation

  A distributed security administration system is a system that allows different administrators to manage the security of different parts of the network or organization. This can provide more flexibility, scalability, and efficiency than a centralized system, where one administrator is responsible for the entire security. However, a distributed security administration system also presents some potential challenges and risks, such as: Inconsistency and conflict among different security policies and standards Lack of coordination and communication among different administrators Difficulty in monitoring and auditing the overall security status and performance Increased complexity and cost of security management and maintenance Therefore, the greatest potential concern for implementing a distributed security administration system is that the security procedures may be inadequate to support the change. Security procedures are the rules and guidelines that define how security is implemented and enforced in an organization. They include policies, standards, processes, roles, responsibilities, controls, and metrics. Security procedures should be aligned with the business objectives, risks, and requirements of the organization, as well as the best practices and regulations in the industry. Security procedures should also be reviewed and updated regularly to reflect the changes in the environment, technology, and threats. If the security procedures are not adequate to support the change from a centralized to a distributed security administration system, the organization may face increased security risks, such as unauthorized access, data breaches, compliance violations, reputation damage, and financial losses. Therefore, it is essential to ensure that the security procedures are revised and adapted to suit the new system, and that they are communicated and enforced effectively across the organization.

  References:

  1: Security in Distributed System - GeeksforGeeks

  2: Distributed System Security Architecture - Wikipedia

  3: Distributed Systems Security: Issues, Processes and Solutions

• Question 1634:

  During a review of an application system, an IS auditor identifies automated controls designed to prevent the entry of duplicate transactions. What is the BEST way to verify that the controls work as designed?

  A. Implement periodic reconciliations.
  B. Review quality assurance (QA) test results.
  C. Use generalized audit software for seeking data corresponding to duplicate transactions.
  D. Enter duplicate transactions in a copy of the live system.
  A. Implement periodic reconciliations.

  ---

  Explanation

• Question 1635:

  Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?

  A. Analyzing risks posed by new regulations
  B. Developing procedures to monitor the use of personal data
  C. Defining roles within the organization related to privacy
  D. Designing controls to protect personal data
  A. Analyzing risks posed by new regulations

  ---

  Explanation

  An appropriate role of internal audit in helping to establish an organization's privacy program is analyzing risks posed by new regulations. A privacy program is a set of policies, procedures, and controls that aim to protect the personal data of individuals from unauthorized or unlawful collection, use, disclosure, or disposal. A privacy program should comply with the applicable laws and regulations that govern the privacy rights and obligations of individuals and organizations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). New regulations may introduce new requirements or changes that affect the organization's privacy program and expose it to potential compliance risks or penalties. Therefore, internal audit can help to establish an organization's privacy program by analyzing the risks posed by new regulations and providing assurance, advice, or recommendations on how to address them1. The other options are less appropriate or incorrect because:

  B. Developing procedures to monitor the use of personal data is not an appropriate role of internal audit in helping to establish an organization's privacy program, as it is more of a management or operational role. Internal audit should not be involved in designing or implementing the organization's privacy program, as it would compromise its independence and objectivity. Internal audit should provide assurance on the effectiveness and efficiency of the organization's privacy program, but not create or execute it2.

  C. Defining roles within the organization related to privacy is not an appropriate role of internal audit in helping to establish an organization's privacy program, as it is more of a governance or strategic role. Internal audit should not be involved in setting or approving the organization's privacy strategy, objectives, or policies, as it would compromise its independence and objectivity. Internal audit should provide assurance on the alignment and compliance of the organization's privacy program with its strategy, objectives, and policies, but not define or approve them2.

  D. Designing controls to protect personal data is not an appropriate role of internal audit in helping to establish an organization's privacy program, as it is more of a management or operational role. Internal audit should not be involved in designing or implementing the organization's privacy program, as it would compromise its independence and objectivity. Internal audit should provide assurance on the adequacy and effectiveness of the organization's privacy program, but not design or implement it2.

  References: ISACA Introduces New Audit Programs for Business Continuity/Disaster ..., Best Practices for Privacy Audits ISACA, ISACA Produces New Audit and Assurance Programs for Data Privacy and ...

• Question 1636:

  Which of the following BEST describes a common risk in implementing a new application software package?

  A. Parameter settings are incorrect
  B. Transaction volume is excessive
  C. Sensitivity of transactions is high
  D. The application lacks audit trails
  D. The application lacks audit trails

  ---

  Explanation

• Question 1637:

  A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem. Which of the following is the senior auditor s MOST appropriate course of action?

  A. Ask the auditee to retest
  B. Approve the work papers as written
  C. Have the finding reinstated
  D. Refer the issue to the audit director
  C. Have the finding reinstated

  ---

  Explanation

  The senior auditor's most appropriate course of action is to have the finding reinstated, because the auditee's claim of correcting the problem is not sufficient evidence to support the removal of the finding. The auditor should verify that the

  corrective action has been implemented effectively and that it has resolved the underlying issue or risk. The auditor should also document the evidence and results of the verification in the work papers. The other options are not appropriate,

  because they either accept the auditee's claim without verification, delegate the responsibility to the auditee or escalate the issue unnecessarily.

  References:

  ISACA, CISA Review Manual, 27th Edition, chapter 1, section 1.51 ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 12062

• Question 1638:

  An auditor notes the administrator user ID is shared among three financial managers to perform month-end updates. Which of the following is the BEST recommendation to ensure the administrator ID in the financial system is controlled effectively?

  A. Implement use of individual software tokens
  B. Conduct employee awareness training
  C. Institute user ID logging and monitoring
  D. Ensure data in the financial systems has been classified
  A. Implement use of individual software tokens

  ---

  Explanation

• Question 1639:

  Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

  A. the patches were updated.
  B. The logs were monitored.
  C. The network traffic was being monitored.
  D. The domain controller was classified for high availability.
  B. The logs were monitored.

  ---

  Explanation

  The auditor's best course of action after a security breach in which a hacker exploited a well-known vulnerability in the domain controller is to determine if the logs were monitored. Log monitoring is an essential control for detecting and responding to security incidents, especially when known vulnerabilities exist in the system. The auditor should assess if the logs were properly configured, collected, reviewed, analyzed, and acted upon by the responsible parties. Updating patches, monitoring network traffic, and classifying domain controllers for high availability are also important controls, but they are not directly related to the detection and response of the security breach.

  References: CISA Review Manual (Digital Version), page 301 CISA Questions, Answers and Explanations Database, question ID 3340

• Question 1640:

  Audit frameworks cart assist the IS audit function by:

  A. defining the authority and responsibility of the IS audit function.
  B. providing details on how to execute the audit program.
  C. providing direction and information regarding the performance of audits.
  D. outlining the specific steps needed to complete audits
  C. providing direction and information regarding the performance of audits.

  ---

  Explanation

  Audit frameworks can assist the IS audit function by providing direction and information regarding the performance of audits. Audit frameworks are sets of standards, guidelines, and best practices that help IS auditors plan, conduct, and report on their audit engagements. Audit frameworks can help IS auditors ensure the quality, consistency, and professionalism of their audit work, as well as comply with the expectations and requirements of the stakeholders and regulators. Audit frameworks can also help IS auditors address the specific challenges and risks of auditing information systems and technology. Defining the authority and responsibility of the IS audit function is not a way that audit frameworks can assist the IS audit function, but rather a way that the IS audit charter can assist the IS audit function. The IS audit charter is a document that defines the purpose, scope, objectives, and authority of the IS audit function within the organization. The IS audit charter can help IS auditors establish their role and position in relation to other functions and departments, as well as clarify their rights and obligations. Providing details on how to execute the audit program is not a way that audit frameworks can assist the IS audit function, but rather a way that the audit methodology can assist the IS audit function. The audit methodology is a set of procedures and techniques that guide IS auditors in performing their audit tasks and activities. The audit methodology can help IS auditors apply a systematic and structured approach to their audit work, as well as use appropriate tools and methods to collect and analyze evidence. Outlining the specific steps needed to complete audits is not a way that audit frameworks can assist the IS audit function, but rather a way that the audit plan can assist the IS audit function. The audit plan is a document that describes the scope, objectives, timeline, resources, and deliverables of a specific audit engagement. The audit plan can help IS auditors organize and manage their audit work, as well as communicate their expectations and responsibilities to the auditees.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 51 1 Understanding Project Audit Frameworks - Wolters Kluwer 2 How to Implement a Robust Audit Framework - Insights - Metricstream 3 What Is The Internal Audit Function? An Accurate Definition Of The