Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1691:

  Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

  A. Rotating backup copies of transaction files offsite
  B. Using a database management system (DBMS) to dynamically back-out partially processed transactions
  C. Maintaining system console logs in electronic formal
  D. Ensuring bisynchronous capabilities on all transmission lines
  B. Using a database management system (DBMS) to dynamically back-out partially processed transactions

  ---

  Explanation

  The best way to ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure is to use a database management system (DBMS) to dynamically back-out partially processed transactions. A DBMS is a software system that manages the creation, manipulation, retrieval, and security of data stored in a database. A DBMS can provide features such as transaction management, concurrency control, recovery management, and integrity management. A DBMS can dynamically back-out partially processed transactions by using mechanisms such as rollback segments, undo logs, or write-ahead logs. These mechanisms allow the DBMS to restore the database to a consistent state before the failure occurred.

  References: CISA Review Manual (Digital Version) CISA Questions, Answers and Explanations Database

• Question 1692:

  Which of the following would be of GREATEST concern to an IS auditor reviewing the feasibility study for a new application system?

  A. Security requirements have not been defined.
  B. Conditions under which the system will operate are unclear.
  C. The business case does not include well-defined strategic benefits.
  D. System requirements and expectations have not been clarified.
  D. System requirements and expectations have not been clarified.

  ---

  Explanation

• Question 1693:

  An IS auditor is reviewing an organization's system development life cycle (SDLC) Which of the following MUST be included in the review?

  A. Ownership of the system quality management plan
  B. Utilization of standards in the system development processes and procedures
  C. Validation that system development processes adhere to quality standards
  D. Definition of quality attributes to be associated with the system
  B. Utilization of standards in the system development processes and procedures

  ---

  Explanation

• Question 1694:

  Which of the following should be the MOST important consideration when prioritizing the funding for competing IT projects?

  A. Criteria used to determine the benefits of projects
  B. Skills and capabilities within the project management team
  C. Quality and accuracy of the IT project inventory
  D. Senior management preferences
  A. Criteria used to determine the benefits of projects

  ---

  Explanation

• Question 1695:

  How is nonrepudiation supported within a public key infrastructure (PKI) environment?

  A. Through the use of elliptical curve cryptography on transmitted messages
  B. Through the use of a certificate issued by a certificate authority (CA)
  C. Through the use of private keys to decrypt data received by a user
  D. Through the use of enterprise key management systems
  B. Through the use of a certificate issued by a certificate authority (CA)

  ---

  Explanation

• Question 1696:

  Which of the following is NOT a defined ISO basic task related to network management?

  A. Fault management
  B. Accounting resources
  C. Security management
  D. Communications management
  D. Communications management

  ---

  Explanation

  Fault management: Detects the devices that present some kind of fault.

  Configuration management: Allows users to know, define and change remotely the configuration of any device.

  Accounting resources: Holds the records of the resource usage in the WAN.

  Performance management: Monitors usage levels and sets alarms when a threshold has been surpassed.

  Security management: Detects suspicious traffic or users and generates alarms accordingly.

  Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 137).

• Question 1697:

  Which of the following audit combines financial and operational audit steps?

  A. Compliance Audit
  B. Financial Audit
  C. Integrated Audit
  D. Forensic audit
  C. Integrated Audit

  ---

  Explanation

  An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to financial information and asset, safeguarding, efficiency and or internal

  auditors and would include compliance test of internal controls and substantive audit step.

  What is an audit?

  An audit in general terms is a process of evaluating an individual or organization's accounts. This is usually done by an independent auditing body. Thus, audit involves a competent and independent person obtaining evidence and evaluating

  it objectively with regard to a given entity, which in this case is the subject of audit, in order to establish conformance to a given set of standards. Audit can be on a person, organization, system, enterprise, project or product.

  Compliance Audit

  A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review

  security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory or industry standard. These

  audits often overlap traditional audits, but may focus on particular system or data.

  What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data. For instance, SOX

  requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure. Health care providers that store or transmit e-health records, like personal health information, are

  subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often

  generated by data from event log management software.

  Financial Audit

  A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not

  absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an objective

  independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and

  consequently reduce the cost of capital of the preparer of the financial statements.

  Operational Audit

  Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit financial data may

  be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Operational audit is a more comprehensive form of an Internal audit.

  The Institute of Internal Auditor (IIA) defines Operational Audit as a systematic process of evaluating an organization's effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the

  results of the evaluation along with recommendations for improvement.

  Objectives

  To appraise the effectiveness and efficiency of a division, activity, or operation of the entity in meeting organizational goals.

  To understand the responsibilities and risks faced by an organization.

  To identify, with management participation, opportunities for improving control.

  To provide senior management of the organization with a detailed understanding of the Operations.

  Integrated Audits

  An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to financial information and asset, safeguarding, efficiency and or internal

  auditors and would include compliance test of internal controls and substantive audit step.

  IS Audit

  An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are

  safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of

  attestation engagement.

  The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets

  and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

  Will the organization's computer systems be available for the business at all times when required? (known as availability) Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality) Will

  the information provided by the system always be accurate, reliable, and timely? (measures the integrity) In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing

  those risks.

  Forensic Audit

  Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or irregularities

  (including fraud) and giving preventative advice.

  The purpose of a forensic audit is to use accounting procedures to collect evidence for the prosecution or investigation of financial crimes such as theft or fraud. Forensic audits may be conducted to determine if wrongdoing occurred, or to

  gather materials for the case against an alleged criminal.

  The following answers are incorrect:

  Compliance Audit - A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance

  preparations. Auditors review security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory

  or industry standard. These audits often overlap traditional audits, but may focus on particular system or data.

  Financial Audit- A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable

  assurance, but not absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an

  objective independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and

  consequently reduce the cost of capital of the preparer of the financial statements.

  Forensic Audit - Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or

  irregularities (including fraud) and giving preventative advice.

  CISA Review Manual 2014 Page number 44

  http://searchcompliance.techtarget.com/definition/compliance-audit

  http://en.wikipedia.org/wiki/Financial_audit

  http://en.wikipedia.org/wiki/Operational_auditing

  http://en.wikipedia.org/wiki/Information_technology_audit

  http://www.investorwords.com/16445/forensic_audit.html

• Question 1698:

  An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?

  A. The organization may be locked into an unfavorable contract with the vendor.
  B. The vendor may be unable to restore critical data.
  C. The vendor may be unable to restore data by recovery time objective (RTO) requirements.
  D. The organization may not be allowed to inspect the vendor's data center.
  B. The vendor may be unable to restore critical data.

  ---

  Explanation

  An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. SaaS is a model in which the software is centrally hosted and accessed by the user via a web browser using the internet1. The vendor owns and maintains the software and the data, and the organization pays for the use of the service on a subscription or usage basis. The greatest risk to the organization related to data backup and retrieval is that the vendor may be unable to restore critical data. Data backup and retrieval are essential processes for ensuring the availability, integrity, and security of data in case of loss, corruption, or damage. Data backup is the process of creating and storing copies of data in a separate location from the original data. Data retrieval is the process of accessing and restoring the backed-up data when needed. Critical data are data that are vital for the operation, continuity, and recovery of the organization. If the vendor is unable to restore critical data, the organization may face severe consequences, such as: Business disruption: The organization may not be able to perform its core functions, deliver its products or services, or meet its customer or stakeholder expectations. Revenue loss: The organization may lose income, market share, or competitive advantage due to reduced sales, customer dissatisfaction, or reputation damage. Legal liability: The organization may face lawsuits, fines, or penalties for breaching contractual, regulatory, or statutory obligations related to data protection, privacy, or security. Recovery cost: The organization may incur additional expenses for repairing or replacing the lost or corrupted data, restoring the system functionality, or compensating the affected parties The other options are not as great as the vendor's inability to restore critical data. The organization may be locked into an unfavorable contract with the vendor, which may limit its flexibility, control, or choice over the service quality, cost, or duration. However, this risk can be mitigated by negotiating better terms and conditions, reviewing the contract periodically, or switching to another vendor if possible. The vendor may be unable to restore data by recovery time objective (RTO) requirements, which are the maximum acceptable time frames for restoring data after a disruption5. However, this risk can be reduced by setting realistic and achievable RTOs, monitoring the vendor's performance, or implementing alternative recovery strategies if needed5. The organization may not be allowed to inspect the vendor's data center, which may limit its visibility, transparency, or assurance over the service provider's infrastructure, security, or compliance. However, this risk can be overcome by requesting third-party audits, certifications, or reports from the vendor that demonstrate their adherence to industry standards and best practices. Therefore, option B is the correct answer.

  References: What is SaaS? Software as a Service | Microsoft Azure What is Data Backup? - Definition from Techopedia Critical Data Definition The Risks of Cloud Computing | Cloud Academy Recovery Time Objective (RTO) Definition [Cloud Computing Security Risks: What You Need To Know | CloudHealth by VMware]

• Question 1699:

  What would be an IS auditor's GREATEST concern when using a test environment for an application audit?

  A. Test and production environments lack data encryption.
  B. Developers have access to the test environment.
  C. Retention period of test data has been exceeded.
  D. Test and production environments do not mirror each other.
  D. Test and production environments do not mirror each other.

  ---

  Explanation

• Question 1700:

  A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?

  A. Analyzing the root cause of the outage to ensure the incident will not reoccur
  B. Restoring the system to operational state as quickly as possible
  C. Ensuring all resolution steps are fully documented prior to returning the system to service
  D. Rolling back the unsuccessful change to the previous state
  B. Restoring the system to operational state as quickly as possible

  ---

  Explanation

  The most important thing for incident management to focus on when addressing an issue that causes an outage is restoring the system to operational state as quickly as possible. Incident management is the process of detecting, investigating, and resolving incidents that disrupt or degrade a service or system. An incident is an unplanned event that affects the normal functioning or quality of a service or system. An outage is a type of incident that causes a complete loss of service or system availability. The main goal of incident management is to restore the service or system to its operational state as quickly as possible, minimizing the impact on users and business operations. *The other options are not as important as option

  B. Analyzing the root cause of the outage to ensure the incident will not re-occur is a valuable activity, but not the most important thing for incident management to focus on when addressing an issue that causes an outage. Root cause analysis is a process of identifying and eliminating the underlying factors that caused an incident or problem. Root cause analysis can help to prevent or reduce the likelihood of similar incidents or problems in the future. However, root cause analysis is usually performed after the incident has been resolved and the service or system has been restored. Ensuring all resolution steps are fully documented prior to returning the system to service is a good practice, but not the most important thing for incident management to focus on when addressing an issue that causes an outage. Documentation is a process of recording and maintaining information about an incident and its resolution steps. Documentation can help to improve communication, accountability, learning, and improvement within incident management. However, documentation should not delay or interfere with the restoration of the service or system. Rolling back the unsuccessful change to the previous state is a possible solution, but not the most important thing for incident management to focus on when addressing an issue that causes an outage. Rolling back is a process of reverting a change that has been applied to a service or system that caused an incident or problem. Rolling back can help to restore the service or system to its previous state before the change was made.