Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 161:

  An organization has engaged a third party to implement an application to perform business- critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?

  A. Key performance indicator (KPI) monitoring
  B. Change management
  C. Configuration management
  D. Quality assurance (QA)
  D. Quality assurance (QA)

  ---

  Explanation

  The most important process to help ensure the application provides accurate calculations is quality assurance (QA), which involves verifying that the application meets the specified requirements and standards, and testing the application for functionality, performance, reliability, security, and usability. QA helps to identify and correct any defects or errors in the application before it is deployed to the production environment. Key performance indicator (KPI) monitoring, change management, and configuration management are important processes for managing and maintaining the application after it is implemented, but they do not directly ensure the accuracy of the calculations performed by the application.

  References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.3: Practices for Quality Assurance

• Question 162:

  An existing system is being replaced with a new application package. User acceptance testing (UAT) should ensure that:

  A. data from the old system has been converted correctly
  B. the new system functions as expected
  C. the new system is better than the old system
  D. there is a business need for the new system
  B. the new system functions as expected

  ---

  Explanation

• Question 163:

  Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

  A. The information security policy has not been approved by the chief audit executive (CAE).
  B. The information security policy does not include mobile device provisions
  C. The information security policy is not frequently reviewed
  D. The information security policy has not been approved by the policy owner
  D. The information security policy has not been approved by the policy owner

  ---

  Explanation

  The auditor should be most concerned about the information security policy not being approved by the policy owner. This is because the policy owner is the person who has the authority and accountability for ensuring that the policy is implemented and enforced. Without the policy owner's approval, the policy may not reflect the organization's objectives, risks, and compliance requirements. The policy owner is usually a senior executive or a board member who has a stake in the information security governance. The other options are less critical than the policy owner's approval, although they may also indicate some weaknesses in the policy development and maintenance process.

  References: CISA Review Manual (Digital Version), Chapter 1, Section 1.21 CISA Online Review Course, Domain 5, Module 1, Lesson 12

• Question 164:

  Which of the following would MOST effectively help to reduce the number of repealed incidents in an organization?

  A. Testing incident response plans with a wide range of scenarios
  B. Prioritizing incidents after impact assessment.
  C. Linking incidents to problem management activities
  D. Training incident management teams on current incident trends
  C. Linking incidents to problem management activities

  ---

  Explanation

  Linking incidents to problem management activities would most effectively help to reduce the number of repeated incidents in an organization, because problem management aims to identify and eliminate the root causes of incidents and prevent their recurrence. Testing incident response plans, prioritizing incidents, and training incident management teams are all good practices, but they do not directly address the issue of repeated incidents.

  References: ISACA ITAF 3rd Edition Section 3600

• Question 165:

  During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST?

  A. Conduct a follow-up audit after a suitable period has elapsed.
  B. Reschedule the audit assignment for the next financial year.
  C. Reassign the audit to an internal audit subject matter expert.
  D. Extend the duration of the audit to give the auditor more time.
  C. Reassign the audit to an internal audit subject matter expert.

  ---

  Explanation

  The best action that audit management should consider first is to reassign the audit to an internal audit subject matter expert. This is because cloud service audits require specialized knowledge and skills to assess the risks and controls associated with the cloud service provider and the cloud service customer. An IS auditor who is unfamiliar with the technologies in use and their associated risks to the business may not be able to perform an effective and efficient audit, and may miss important issues or provide inaccurate recommendations. Therefore, it is important to ensure that the IS auditor assigned to the cloud service audit has the appropriate competence and experience. The other options are not as good as reassigning the audit to an internal audit subject matter expert. Conducting a follow-up audit after a suitable period has elapsed may not address the quality issues of the initial audit, and may also delay the identification and remediation of any problems. Rescheduling the audit assignment for the next financial year may expose the organization to unnecessary risks and may not meet the audit objectives or expectations. Extending the duration of the audit to give the auditor more time may not be feasible or cost-effective, and may not guarantee that the auditor will acquire the necessary knowledge and skills in time.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 1391 ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2009, p. 14

• Question 166:

  An application development team is also promoting changes to production for a critical financial application. Which of the following would be the BEST control to reduce the associated risk?

  A. Implementing a change management code review
  B. Implementing a peer review process
  C. Performing periodic audits
  D. Submitting change logs to the business manager for review
  A. Implementing a change management code review

  ---

  Explanation

• Question 167:

  Which of the following should an IS auditor determine FIRST when evaluating additional hardware required to support the acquisition of a new accounting system?

  A. A training program has been developed to support the new accounting system.
  B. The supplier has experience supporting accounting systems.
  C. The hardware specified will be compliant with the current IT strategy.
  D. The hardware will be installed in a secure and environmentally controlled area.
  C. The hardware specified will be compliant with the current IT strategy.

  ---

  Explanation

• Question 168:

  Which of the following is the PRIMARY reason an IS auditor would recommend offsite backups although critical data is already on a redundant array of inexpensive disks (RAID)?

  A. Disks of the array cannot be hot-swapped for quick recovery.
  B. The array cannot offer protection against disk corruption.
  C. The array relies on proper maintenance.
  D. The array cannot recover from a natural disaster.
  D. The array cannot recover from a natural disaster.

  ---

  Explanation

• Question 169:

  Which of the following is a PRIMARY responsibility of a quality assurance (QA) team?

  A. Creating test data to facilitate the user acceptance testing (IJAT) process
  B. Managing employee onboarding processes and background checks
  C. Advising the steering committee on quality management issues and remediation efforts
  D. Implementing procedures to facilitate adoption of quality management best practices
  D. Implementing procedures to facilitate adoption of quality management best practices

  ---

  Explanation

  A quality assurance (QA) team is a group of professionals who are responsible for ensuring that the products or services of an organization meet the quality standards and expectations of customers and stakeholders. A QA team performs various activities, such as: Planning, designing, and executing quality tests and audits to verify the quality of the products or services Identifying, analyzing, and reporting quality issues, defects, or non-conformities1 Recommending and implementing corrective and preventive actions to resolve quality problems and prevent recurrence1 Monitoring and measuring the effectiveness and efficiency of the quality processes and improvements Establishing and maintaining quality documentation, records, and reports Providing quality training, guidance, and support to the staff and management1 One of the primary responsibilities of a QA team is to implement procedures to facilitate adoption of quality management best practices. Quality management best practices are the methods, techniques, or tools that have been proven to be effective in achieving and maintaining high-quality standards in an organization. Some examples of quality management best practices are: Adopting a customer-focused approach that aims to meet or exceed customer requirements and satisfaction Implementing a process approach that manages the interrelated activities as a coherent system Applying continuous improvement methods that seek to enhance the performance and value of the products or services Using evidence-based decision making that relies on factual data and information Developing a culture of engagement and empowerment that involves and motivates the people in the organization By implementing procedures to facilitate adoption of quality management best practices, a QA team can help the organization achieve the following benefits: Improve the quality and reliability of the products or services Reduce the costs and risks associated with poor quality or non-compliance Increase the customer loyalty and retention Enhance the reputation and competitiveness of the organization Foster a culture of excellence and innovation in the organization The other options are not primary responsibilities of a QA team. Creating test data to facilitate the user acceptance testing (UAT) process is a task that can be performed by a QA team, but it is not their main duty. UAT is a process in which the end users test the product or service to ensure that it meets their needs and expectations before it is released or deployed3. A QA team can create test data to simulate real-world scenarios and conditions for UAT, but they are not directly involved in conducting UAT. Managing employee onboarding processes and background checks is not a responsibility of a QA team. Employee onboarding is a process in which new hires are integrated into the organization, while background checks are screenings that verify the identity, credentials, and history of potential employees4. These processes are usually handled by the human resources department or an external agency, not by a QA team. Advising the steering committee on quality management issues and remediation efforts is not a primary responsibility of a QA team. A steering committee is a group of senior executives or managers who provide strategic direction, oversight, and support for a project or program5. A QA team can advise the steering committee on quality management issues and remediation efforts, but they are not accountable for making decisions or implementing actions. Therefore, option D is the correct answer.

  References: Quality Assurance Team: Roles and Responsibilities What are the Best Practices in Quality Management? User Acceptance Testing (UAT): A Complete Guide Employee Onboarding Process: Definition and Best Practices What Is A Steering Committee? - The Basics

• Question 170:

  During an IS audit, it is discovered that security configurations differ across the organization's virtual server farm. Which of the following is the IS auditor's BEST recommendation for improving the control environment?

  A. Conduct an independent review of each server's security configuration
  B. Implement a security configuration baseline for virtual servers
  C. Implement security monitoring controls for high-risk virtual servers
  D. Conduct a standard patch management review across the virtual server farm
  B. Implement a security configuration baseline for virtual servers

  ---

  Explanation