Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1711:

  Which of the following is an advantage of using agile software development methodology over the waterfall methodology?

  A. Less funding required overall
  B. Quicker deliverables
  C. Quicker end user acceptance
  D. Clearly defined business expectations
  B. Quicker deliverables

  ---

  Explanation

  The advantage of using agile software development methodology over the waterfall methodology is that it allows for quicker deliverables. Agile software development is an iterative and incremental approach that emphasizes customer feedback, collaboration, and adaptation. Agile software development delivers working software in short cycles, called sprints, that typically last from two to four weeks. This enables the development team to respond to changing requirements, deliver value faster, and improve quality. Waterfall software development is a linear and sequential approach that follows a predefined set of phases, such as planning, analysis, design, implementation, testing, and maintenance. Waterfall software development requires a clear and stable definition of the project scope, deliverables, and expectations before starting the development process. Waterfall software development can be slow, rigid, and costly, especially if changes occur during the later stages of the project.

  References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.1: Project Management Practices

• Question 1712:

  An organization plans to deploy Wi-Fi location analytics to count the number of shoppers per day across its various retail outlets. What should the IS auditor recommend as the FIRST course of action by IT management?

  A. Conduct a privacy impact assessment
  B. Mask media access control (MAC) addresses
  C. Survey shoppers for feedback
  D. Develop a privacy notice to be displayed to shoppers
  A. Conduct a privacy impact assessment

  ---

  Explanation

• Question 1713:

  Which of the following should be the GREATEST concern for an IS auditor assessing an organization's disaster recovery plan (DRP)?

  A. The DRP was developed by the IT department.
  B. The DRP has not been tested during the past three years.
  C. The DRP has not been updated for two years.
  D. The DRP does not include the recovery the time objective (RTO) for a key system.
  B. The DRP has not been tested during the past three years.

  ---

  Explanation

  The DRP is a set of procedures and resources that enable an organization to restore its critical IT functions and operations in the event of a disaster or disruption. The DRP should be tested regularly to ensure its effectiveness, validity, and

  readiness. Testing the DRP can help to identify and resolve any gaps, issues, or weaknesses in the plan, as well as to evaluate the performance and capability of the recovery team and resources. If the DRP has not been tested during the

  past three years, it may not reflect the current IT environment, business requirements, or recovery objectives, and it may fail to meet the expectations and needs of the stakeholders.

  References:

  ISACA CISA Review Manual, 27th Edition, page 255

  Disaster Recovery Plan Testing: The Ultimate Checklist What is a Disaster Recovery Plan (DRP) and How Do You Write One?

• Question 1714:

  Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

  A. Cost of projects divided by total IT cost
  B. Expected return divided by total project cost
  C. Net present value (NPV) of the portfolio
  D. Total cost of each project
  C. Net present value (NPV) of the portfolio

  ---

  Explanation

  The most useful metric for management to consider when reviewing a project portfolio is the net present value (NPV) of the portfolio. NPV is a measure of the profitability and value of a project or a portfolio of projects, taking into account the time value of money and the expected cash flows. NPV compares the present value of the future cash inflows with the present value of the initial investment and shows how much value is created or lost by undertaking a project or a portfolio of projects1. A positive NPV indicates that the project or portfolio is worth more than its cost and will generate a positive return on investment. A negative NPV indicates that the project or portfolio is worth less than its cost and will result in a loss. Therefore, NPV helps management to prioritize and select the most profitable and valuable projects or portfolios that align with the organizational strategy and objectives2. The other options are less useful or incorrect because:

  A. Cost of projects divided by total IT cost is not a useful metric for reviewing a project portfolio, as it does not reflect the benefits, value, or return of the projects. It only shows the proportion of IT budget allocated to the projects, which may not be indicative of their strategic importance or alignment3.

  B. Expected return divided by total project cost is not a useful metric for reviewing a project portfolio, as it does not account for the time value of money and the timing of cash flows. It only shows the average return per unit of cost, which may not be comparable across different projects or portfolios with different durations, risks, and cash flow patterns4.

  D. Total cost of each project is not a useful metric for reviewing a project portfolio, as it does not reflect the benefits, value, or return of the projects. It only shows the initial investment required for each project, which may not be indicative of their profitability or viability5.

  References: Portfolio, Program and Project Management Using COBIT 5 - ISACA, Project Portfolio Management - ISACA, CISA Review Manual (Digital Version), Standards, Guidelines, Tools and Techniques

• Question 1715:

  Which of the following is an IS auditor's BEST recommendation after identifying that HR staff create new employees in the payroll system as well as process payroll due to limited staffing?

  A. Document roles and responsibilities of payroll staff.
  B. Implement a payroll system user awareness training program.
  C. Implement independent periodic review of payroll transactions.
  D. Rotate payroll responsibilities within HR.
  C. Implement independent periodic review of payroll transactions.

  ---

  Explanation

  Explanation

• Question 1716:

  Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?

  A. Establishing a risk appetite
  B. Establishing a risk management framework
  C. Validating enterprise risk management (ERM)
  D. Operating the risk management framework
  C. Validating enterprise risk management (ERM)

  ---

  Explanation

  The primary role of an internal audit function in the management of identified business risks is to validate the enterprise risk management (ERM) process and provide assurance on its effectiveness. The internal audit function should evaluate whether the ERM process is aligned with the organization's objectives, strategies, policies and culture, and whether it covers all relevant risks and controls. The internal audit function should also assess whether the ERM process is operating as designed and producing reliable and timely information for decision making. The other options are not the primary role of an internal audit function, but rather the responsibilities of senior management, board of directors or risk owners.

  References: ISACA, CISA Review Manual, 27th Edition, chapter 1, section 1.41 ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 12072

• Question 1717:

  An organization has decided to reengineer business processes to improve the performance of overall IT service delivery. Which of the following recommendations from the project team should be the GREATEST concern to the IS auditor?

  A. Disable operational logging to enhance the processing speed and save storage.
  B. Adopt a service delivery model based on insights from peer organizations.
  C. Delegate business decisions to the chief risk officer (CRO).
  D. Eliminate certain reports and key performance indicators (KPIs)
  A. Disable operational logging to enhance the processing speed and save storage.

  ---

  Explanation

  Disabling operational logging compromises critical functions such as security monitoring, troubleshooting, and compliance reporting. Logs are essential for tracking system activities, identifying anomalies, and conducting forensic

  investigations in case of incidents. Enhancing processing speed and saving storage should not come at the cost of reducing logging, as this increases security risks and weakens the organization's ability to detect and respond to threats.

  Adopting a Peer-Inspired Service Delivery Model (Option B):This might pose risks if not customized for the organization's context, but it is not as critical as the loss of operational logging. Delegating Business Decisions to the CRO (Option

  C):While unconventional, this does not inherently introduce risks to IT service delivery unless operational control issues arise. Eliminating Reports and KPIs (Option D):This could hinder performance tracking but does not compromise

  operational security as severely as disabling logging. Operational logging is foundational to maintaining security, reliability, and accountability in IT environments.

  ISACA CISA Review Manual, Job Practice Area 3: Information Systems Operations and Business Resilience.

• Question 1718:

  Which of the following is a corrective control that reduces the impact of a threat event?

  A. Business process analysis
  B. Security policy
  C. Business continuity plan (BCP)
  D. Segregation of duties (SoD)
  C. Business continuity plan (BCP)

  ---

  Explanation

• Question 1719:

  An IS auditor's PRIMARY objective when examining problem reports should be to help ensure:

  A. problems are resolved in a cost-effective manner.
  B. every problem is classified appropriately.
  C. problems are only escalated to senior management when necessary.
  D. every problem is assigned to an individual for resolving.
  B. every problem is classified appropriately.

  ---

  Explanation

• Question 1720:

  An organization is developing data classification standards and has asked internal audit for advice on aligning the standards with best practices. Internal audit would MOST likely recommend the standards should be:

  A. based on the results of an organization-wide risk assessment.
  B. based on the business requirements for confidentiality of the information.
  C. aligned with the organization's segregation of duties requirements.
  D. based on the business requirements for authentication of the information.
  C. aligned with the organization's segregation of duties requirements.

  ---

  Explanation