Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1701:

  Which of the following provides the GREATEST assurance that an organization has effective controls preventing connection of unauthorized Internet of Things (IoT) devices to the corporate network?

  A. Reviewing authenticated network vulnerability scan results
  B. Assessing as-implemented IoT device configurations
  C. Assessing network access control (NAC) configurations
  D. Reviewing IT policies covering IoT authorizations
  C. Assessing network access control (NAC) configurations

  ---

  Explanation

  Explanation

• Question 1702:

  While reviewing a hot site, the IS auditor discovers that one type of hardware platform is not installed. The IS auditor should FIRST:

  A. recommend the purchase and installation of hardware at the hot site.
  B. report the finding immediately to senior IS management.
  C. determine the business impact of the absence of the hardware.
  D. establish the lead time for delivery of a new machine.
  C. determine the business impact of the absence of the hardware.

  ---

  Explanation

• Question 1703:

  During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

  A. Rollback strategy
  B. Test cases
  C. Post-implementation review objectives
  D. Business case
  D. Business case

  ---

  Explanation

  The most important consideration for a go-live decision when implementing an upgraded enterprise resource planning (ERP) system is the business case. The business case is the document that defines and justifies the need, value, feasibility, and risks of the project. It also outlines the expected costs, benefits, outcomes, and impacts of the project. The business case provides the basis for measuring and evaluating the success of the project. Therefore, before deciding to go live with an upgraded ERP system, it is essential to review and validate the business case to ensure that it is still relevant, accurate, realistic, and achievable. A rollback strategy, test cases, and post-implementation review objectives are not the most important considerations for a go-live decision when implementing an upgraded ERP system. These are important elements of project planning, execution, and evaluation, but they are not sufficient to determine whether the project is worth pursuing or delivering. These elements should be aligned with and derived from the business case.

• Question 1704:

  When an organization introduces virtualization into its architecture, which of the following should be an IS auditor's PRIMARY area of focus to verify adequate protection?

  A. Shared storage space
  B. Host operating system configuration
  C. Maintenance cycles
  D. Multiple versions of the same operating system
  B. Host operating system configuration

  ---

  Explanation

• Question 1705:

  Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?

  A. Access to change testing strategy and results is not restricted to staff outside the IT team.
  B. Some user acceptance testing (IJAT) was completed by members of the IT team.
  C. IT administrators have access to the production and development environment
  D. Post-implementation testing is not conducted for all system releases.
  D. Post-implementation testing is not conducted for all system releases.

  ---

  Explanation

  Post-implementation testing is the process of verifying and validating the functionality, performance, and security of a system after it has been deployed to the production environment1. Post-implementation testing is important for ensuring that the system meets the user requirements and expectations, as well as the operational and business objectives. Post-implementation testing also helps to identify and resolve any defects, errors, or issues that may have occurred during the deployment process or that may have been missed during the previous testing stages. Therefore, the observation that post-implementation testing is not conducted for all system releases should be of greatest concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team. This observation indicates that the system may have quality, reliability, or security problems that could affect the user satisfaction, system performance, or data integrity. This observation also suggests that the change and release management controls are not adequate or effective, as they do not ensure that all system releases are properly tested and validated before and after deployment. Option A is not correct because access to change testing strategy and results is not restricted to staff outside the IT team is not a major concern for an IS auditor. While it is good practice to limit access to sensitive or confidential information, such as test data or test cases, to authorized personnel only, access to change testing strategy and results may not pose a significant risk to the system or the organization. Moreover, access to change testing strategy and results may be beneficial for some stakeholders outside the IT team, such as business users, project managers, or auditors, who may need to review or evaluate the testing process or outcomes. Option B is not correct because some user acceptance testing (UAT) was completed by members of the IT team is not a major concern for an IS auditor. User acceptance testing is the process of verifying and validating that the system meets the user requirements and expectations by involving actual or representative users in the testing process. While it is preferable to have independent and unbiased users perform UAT, it may not be feasible or practical for some organizations, especially those with small or limited resources. Therefore, some UAT may be completed by members of the IT team, as long as they have sufficient knowledge and experience of the user needs and expectations, and as long as they follow the UAT plan and criteria. Option C is not correct because IT administrators have access to the production and development environment is not a major concern for an IS auditor. IT administrators are responsible for managing and maintaining the IT infrastructure, including the production and development environments4. Therefore, it is reasonable and necessary for them to have access to both environments, as long as they follow the appropriate policies and procedures for accessing, using, and securing them. Moreover, IT administrators may need to perform tasks such as backup, restore, patching, or troubleshooting in both environments.

  References: What Is Post Implementation Testing? Post Implementation Review (PIR) - Definition and Process2 User Acceptance Testing (UAT): Definition and Examples3 What Is an IT Administrator? Definition and Examples

• Question 1706:

  Which of the following is an effective way to ensure the integrity of file transfers in a peer- to-peer (P2P) computing environment?

  A. Associate a message authentication code with each file transferred.
  B. Ensure the files are transferred through an intrusion detection system (IDS).
  C. Encrypt the packets shared between peers within the environment.
  D. Connect the client computers in the environment to a jump server.
  A. Associate a message authentication code with each file transferred.

  ---

  Explanation

• Question 1707:

  Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?

  A. Parallel changeover
  B. Modular changeover
  C. Phased operation
  D. Pilot operation
  A. Parallel changeover

  ---

  Explanation

  The best method to reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system is parallel changeover. Parallel changeover is a method of system conversion that involves running both the old and the new systems simultaneously for a period of time, until the new system is verified to be working correctly and completely. Parallel changeover can help reduce the risk of data loss, errors, or disruptions that may occur due to the incompatibility of the technologies, as well as provide a backup option in case of failure or malfunction of the new system. Parallel changeover can also help users compare and validate the results of both systems, and facilitate their training and adaptation to the new system. Modular changeover is a method of system conversion that involves replacing one module or component of the old system with a corresponding module or component of the new system at a time, until the entire system is replaced. Modular changeover can help reduce the complexity and scope of the conversion, as well as minimize the impact on the users and operations. However, modular changeover may not be feasible or effective when the technologies of the old and new systems are not compatible, as it may create integration or interoperability issues among the modules. Phased operation is a method of system conversion that involves implementing the new system in stages or increments, each with a subset of functions or features, until the entire system is operational. Phased operation can help reduce the risk and cost of implementing a large and complex system, as well as allow for testing and feedback at each stage. However, phased operation may not be suitable or efficient when the technologies of the old and new systems are not compatible, as it may require extensive modifications or adaptations to enable partial functionality. Pilot operation is a method of system conversion that involves implementing the new system in a limited or controlled environment, such as a department or a location, before rolling it out to the entire organization. Pilot operation can help test and evaluate the performance and usability of the new system, as well as identify and resolve any issues or problems before full-scale implementation. However, pilot operation may not be relevant or reliable when the technologies of the old and new systems are not compatible, as it may not reflect the actual conditions or challenges of operating both systems concurrently.

• Question 1708:

  Which of the following is the PRIMARY purpose of batch processing monitoring?

  A. To comply with security standards
  B. To summarize the batch processing reporting
  C. To log error events in batch processing
  D. To prevent an incident that may result from batch failure
  D. To prevent an incident that may result from batch failure

  ---

  Explanation

  Explanation

• Question 1709:

  A company converted its payroll system from an external service to an internal package. Payroll processing in April was run in parallel. To validate the completeness of data after the conversion, which of the following comparisons from the old to the new system would be MOST effective?

  A. Turnaround time for payroll processing
  B. Employee counts and year-to-date payroll totals
  C. Master file employee data to payroll journals
  D. Cut-off dates and overwrites for a sample of employees
  C. Master file employee data to payroll journals

  ---

  Explanation

• Question 1710:

  When selecting a new data loss prevention (DLP) solution, the MOST important consideration is that the solution:

  A. is cost effective and meets proposed return on investment (ROI) criteria.
  B. provides comprehensive reporting and alerting features with detailed insights on data movements.
  C. is compatible with legacy IT infrastructure and integrates with other security tools.
  D. identifies and safeguards confidential information from unauthorized transmission.
  D. identifies and safeguards confidential information from unauthorized transmission.

  ---

  Explanation

  Explanation