Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1661:

  Which of the following is the MOST likely root cause of shadow IT in an organization?

  A. Lengthy approval for technology investment
  B. The opportunity to reduce software license fees
  C. Ease of use for cloud-based applications and services
  D. Approved software not meeting user requirements
  D. Approved software not meeting user requirements

  ---

  Explanation

  Shadow IT often arises whenapproved software does not meet user requirements(Option D), leading employees to seek alternative solutions. ISACA CISA

  IT governance frameworks stress the need for user-centric IT policies to

  mitigate shadow IT risks.

  Risk Implication:Shadow IT introduces security vulnerabilities, compliance risks, and potential data breaches.

• Question 1662:

  An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?

  A. Backlog consumption reports
  B. Critical path analysis reports
  C. Developer status reports
  D. Change management logs
  A. Backlog consumption reports

  ---

  Explanation

  A backlog consumption report is a report that shows the amount of work that has been completed and the amount of work that remains to be done in a project. It is a useful tool for measuring the progress and performance of a web-based customer service application development project, as it can indicate whether the project is on track, ahead or behind schedule, and how much effort is required to finish the project. A backlog consumption report can also help identify any issues or risks that may affect the project delivery. Critical path analysis reports, developer status reports and change management logs are also helpful for evaluating a project, but they are not as helpful as a backlog consumption report, as they do not provide a clear picture of the overall project status and completion rate.

  References: : [Backlog Consumption Report Definition] : Backlog Consumption Report | ISACA

• Question 1663:

  Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

  A. Require written authorization for all payment transactions
  B. Restrict payment authorization to senior staff members.
  C. Reconcile payment transactions with invoices.
  D. Review payment transaction history
  A. Require written authorization for all payment transactions

  ---

  Explanation

  Requiring written authorization for all payment transactions is the IS auditor's best recommendation for a compensating control in an environment where segregation of duties (SoD) cannot be enforced in an accounts payable system. SoD is a principle that requires different individuals or functions to perform different tasks or roles in a business process, such as initiating, approving, recording and reconciling transactions. SoD reduces the risk of errors, fraud and misuse of resources by preventing any single person or function from having excessive or conflicting authority or responsibility. A compensating control is a control that mitigates or reduces the risk associated with the absence or weakness of another control. Requiring written authorization for all payment transactions is a compensating control that provides an independent verification and approval of each transaction before it is processed by the accounts payable system. This control can help to detect and prevent unauthorized, duplicate or erroneous payments, and to ensure compliance with policies and procedures. The other options are not as effective as option A, as they do not provide an independent verification or approval of payment transactions. Restricting payment authorization to senior staff members is a control that limits the number of people who can authorize payments, but it does not prevent them from initiating or processing payments themselves, which could violate SoD. Reconciling payment transactions with invoices is a control that verifies that the payments match the invoices, but it does not prevent unauthorized, duplicate or erroneous payments from being processed by the accounts payable system. Reviewing payment transaction history is a control that monitors and analyzes the payment transactions after they have been processed by the accounts payable system, but it does not prevent unauthorized, duplicate or erroneous payments from occurring in the first place.

  References: CISA Review Manual (Digital Version) , Chapter 5: Protection of Information Assets, Section 5.2: Logical Access.

• Question 1664:

  Which of the following is MOST helpful for understanding an organization's key driver to modernize application platforms?

  A. Vendor software inventories
  B. Network architecture diagrams
  C. System-wide incident reports
  D. Inventory of end-of-life software
  D. Inventory of end-of-life software

  ---

  Explanation

• Question 1665:

  An IS auditor has validated that an organization's IT department runs several low-priority automated tasks Which of the following is the BEST recommendation for an automated job schedule?

  A. Low-priority jobs should be avoided.
  B. Low-priority jobs should include the major functions.
  C. Low-priority jobs should be provided with optimal resources.
  D. Low-priority jobs should be scheduled subject to resource availability.
  D. Low-priority jobs should be scheduled subject to resource availability.

  ---

  Explanation

  Explanation Low-priority jobs typically involve non-critical processes or tasks that do not immediately impact business operations. The best approach to handling such jobs is to schedule them subject to resource availability. This ensures that high-priority tasks can access resources when needed without being affected by the execution of low-priority tasks. Avoiding Low-Priority Jobs (Option A)is not feasible because even low-priority tasks may be necessary for maintenance or support activities. Including Major Functions in Low-Priority Jobs (Option B)contradicts the classification of "low-priority" because major functions are usually critical. Allocating Optimal Resources to Low-Priority Jobs (Option C)is inefficient as resources should primarily be allocated to high-priority tasks. Scheduling based on resource availability optimizes the use of resources, avoids unnecessary delays in high-priority activities, and ensures that low-priority tasks are executed without disrupting overall operations. This aligns with best practices in IT resource management and scheduling.

  ISACA CISA Review Manual, Job Practice Area 3: Information Systems Operations and Business Resilience.

• Question 1666:

  To select a sample for testing, which must include the 80 largest client balances and a random sample of the rest, the IS auditor should recommend:

  A. sorting the file with a utility.
  B. use of generalized audit software.
  C. applying attribute sampling using software.
  D. development of an integrated test facility (ITF).
  C. applying attribute sampling using software.

  ---

  Explanation

• Question 1667:

  An IS auditor wants to understand the collective effect of the preventive, detective, and corrective controls for a specific business process. Which of the following should the auditor focus on FIRST?

  A. The formal documentation of the process and how adherence is measured
  B. Whether the existence of preventive controls causes corrective controls to become unnecessary
  C. Whether segregation of duties is in place when two controls are applied simultaneously
  D. The various points in the process where controls are exercised
  D. The various points in the process where controls are exercised

  ---

  Explanation

• Question 1668:

  An organization is planning to implement a control self-assessment (CSA) program tor selected business processes Which of the following should be the role of the internal audit team for this program?

  A. De-scope business processes to be covered by CSAs from future audit plans.
  B. Design testing procedures for management to assess process controls effectively.
  C. Perform testing to validate the accuracy of management's self-assessment.
  D. Advise management on the self-assessment process.
  D. Advise management on the self-assessment process.

  ---

  Explanation

  Explanation

• Question 1669:

  During which IT project phase is it MOST appropriate to conduct a benefits realization analysis?

  A. Post-implementation review phase
  B. Final implementation phase
  C. User acceptance testing (UAT) phase
  D. Design review phase
  A. Post-implementation review phase

  ---

  Explanation

• Question 1670:

  An IS auditor learns that an in-house system development life cycle (SDLC) project has not met user specifications. The auditor should FIRST examine requirements from which of the following phases?

  A. Configuration phase
  B. User training phase
  C. Quality assurance (QA) phase
  D. Development phase
  C. Quality assurance (QA) phase

  ---

  Explanation

  The quality assurance (QA) phase is the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. This is because the QA phase is the phase where the system is tested and verified against the user specifications and the design specifications to ensure that it meets the functional and non-functional requirements, as well as the quality standards and expectations. The QA phase involves various testing activities, such as unit testing, integration testing, system testing, acceptance testing, performance testing, security testing, etc., to identify and resolve any defects, errors, or deviations from the specifications12. The configuration phase is not the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. The configuration phase is the phase where the system is installed and configured on the target environment, such as hardware, software, network, etc., to prepare it for deployment and operation. The configuration phase may involve activities such as installation, customization, migration, integration, etc., to ensure that the system is compatible and interoperable with the existing infrastructure and systems34. The user training phase is not the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. The user training phase is the phase where the end-users are trained and educated on how to use the system effectively and efficiently. The user training phase may involve activities such as developing training materials, conducting training sessions, providing feedback and support, etc., to ensure that the users are familiar and comfortable with the system features and functions56. The development phase is not the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. The development phase is the phase where the system is coded and built based on the design specifications and the user specifications. The development phase may involve activities such as programming, debugging, documenting, etc., to create a working prototype or a final product of the system