Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1761:

  Which of the following is the MOST significant risk associated with peer-to-peer networking technology?

  A. Reduction in staff productivity
  B. Loss of information during transmission
  C. Lack of reliable internet network connections
  D. Lack of central monitoring
  D. Lack of central monitoring

  ---

  Explanation

• Question 1762:

  After the release of an application system, an IS auditor wants to verify that the system is providing value to the organization. The auditor's BEST course of action would be to:

  A. review the results of compliance testing.
  B. quantify improvements in client satisfaction.
  C. confirm that risk has declined since the application system release.
  D. perform a gap analysis against the benefits defined in the business case.
  D. perform a gap analysis against the benefits defined in the business case.

  ---

  Explanation

• Question 1763:

  An organization recently implemented a data loss prevention (DLP) solution to control data in transit. Which of the following would be the GREATEST risk related to the DLP implementation?

  A. Scanning end-points during peak hours
  B. Inadequate data classification
  C. Improperly configured DLP modules
  D. DLP false positive alerts
  B. Inadequate data classification

  ---

  Explanation

• Question 1764:

  An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow- up procedure?

  A. Review the documentation of recant changes to implement sequential order numbering.
  B. Inquire with management if the system has been configured and tested to generate sequential order numbers.
  C. Inspect the system settings and transaction logs to determine if sequential order numbers are generated.
  D. Examine a sample of system generated purchase orders obtained from management
  C. Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

  ---

  Explanation

  The most reliable follow-up procedure to determine if management has resolved the finding of non-sequential purchase order numbers is to inspect the system settings and transaction logs to determine if sequential order numbers are generated. This will provide direct evidence of the system's functionality and compliance with the audit recommendation. The other options are less reliable because they rely on indirect evidence or information obtained from management, which may not be accurate or complete.

  References: CISA Review Manual (Digital Version), Standards, Guidelines, Tools and Techniques

• Question 1765:

  Controls related to authorized modifications to production programs are BEST tested by:

  A. tracing modifications from the original request for change forward to the executable program.
  B. tracing modifications from the executable program back to the original request for change.
  C. testing only the authorizations to implement the new program.
  D. reviewing only the actual lines of source code changed in the program.
  A. tracing modifications from the original request for change forward to the executable program.

  ---

  Explanation

  Controls related to authorized modifications to production programs are best tested by tracing modifications from the original request for change forward to the executable program, as this ensures that the change management process was followed and that the modifications were approved, documented, tested, and implemented correctly. Tracing modifications from the executable program back to the original request for change may not reveal any unauthorized or undocumented changes that occurred during the process. Testing only the authorizations to implement the new program or reviewing only the actual lines of source code changed in the program are not sufficient to test the controls related to authorized modifications, as they do not cover the entire change management process.

  References: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations, Maintenance and Service Management, Section 4.2: Change Management

• Question 1766:

  During the post-implementation review of an application that was implemented six months ago which of the following would be MOST helpful in determining whether the application meets business requirements?

  A. Project closure report and lessons-learned documents from the project management office (PMO)
  B. User acceptance testing (UAT) results and sign-off from users on meeting business requirements
  C. Comparison between expected benefits from the business case and actual benefits after implementation
  D. Difference between approved budget and actual project expenditures determined post implementation
  C. Comparison between expected benefits from the business case and actual benefits after implementation

  ---

  Explanation

• Question 1767:

  Which of the following MUST be completed as part of the annual audit planning process?

  A. Business impact analysis (BIA)
  B. Fieldwork
  C. Risk assessment
  D. Risk control matrix
  C. Risk assessment

  ---

  Explanation

  Risk assessment is a mandatory part of the annual audit planning process, as it helps to identify and prioritize the areas that pose the highest risk to the organization's objectives and operations. Risk assessment involves analyzing the internal and external factors that affect the organization's risk profile, evaluating the likelihood and impact of potential events or scenarios, assessing the existing controls and mitigation strategies, and determining the residual risk level. Based on the risk assessment results, the IS auditor can allocate resources and schedule audits accordingly. A business impact analysis (BIA) is a process that identifies and evaluates the critical business functions and processes that could be disrupted by a disaster or incident, and estimates the potential impact on the organization's operations, reputation and finances. A BIA is not a mandatory part of the annual audit planning process, but it can be used as an input for risk assessment or as a subject for audit. Fieldwork is the phase of an audit where the IS auditor collects evidence to support the audit objectives and conclusions. Fieldwork is not part of the annual audit planning process, but it is part of each individual audit engagement. A risk control matrix is a tool that maps the risks identified in a risk assessment to the controls that mitigate them. A risk control matrix is not a mandatory part of the annual audit planning process, but it can be used as an output of risk assessment or as a tool for audit testing.

  References: CISA Review Manual (Digital Version) 1, Chapter 1: Information Systems Auditing Process, Section 1.2: Audit Planning.

• Question 1768:

  Which of the following BEST describes a digital signature?

  A. It is under control of the receiver.
  B. It is capable of authorization.
  C. It dynamically validates modifications of data.
  D. It is unique to the sender using it.
  D. It is unique to the sender using it.

  ---

  Explanation

  A digital signature is a type of electronic signature that uses cryptographic techniques to provide authentication, integrity, and non-repudiation of digital documents. A digital signature is created by applying a mathematical function (called a hash function) to the document and then encrypting the result with the sender's private key. The encrypted hash, along with the sender's public key and other information, forms the digital signature. The receiver can verify the digital signature by decrypting it with the sender's public key and comparing the hash with the one computed from the document. If they match, it means that the document has not been altered and that it was signed by the owner of the private key. Option D is correct because a digital signature is unique to the sender using it, as it depends on the sender's private key, which only the sender knows and controls. No one else can create a valid digital signature with the same private key, and no one can forge or modify a digital signature without being detected. Option A is incorrect because a digital signature is not under control of the receiver, but rather under control of the sender. The receiver can only verify the digital signature, but cannot create or modify it. Option B is incorrect because a digital signature is not capable of authorization, but rather capable of authentication. Authorization is the process of granting or denying access to resources based on predefined rules or policies. Authentication is the process of verifying the identity or legitimacy of a person or entity. A digital signature can authenticate the sender of a document, but it cannot authorize what actions the receiver can perform on the document. Option C is incorrect because a digital signature does not dynamically validate modifications of data, but rather statically validates the integrity of data. A digital signature is based on a snapshot of the document at the time of signing, and any subsequent changes to the document will invalidate the digital signature. A digital signature does not monitor or update itself based on data modifications.

• Question 1769:

  When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:

  A. legitimate packets blocked by the system have increased
  B. actual attacks have not been identified
  C. detected events have increased
  D. false positives have been reported
  B. actual attacks have not been identified

  ---

  Explanation

  The main purpose of an IDS is to detect and report malicious or suspicious activity on a network or a host. If an IDS fails to identify actual attacks, it means that the IDS is not functioning properly or effectively, and it exposes the organization to serious security risks and potential damage. This is the most concerning scenario for an IS auditor, as it indicates a major deficiency in the IDS performance and configuration. ReferencesWhat is an intrusion detection system (IDS)?What is Intrusion Detection Systems (IDS)? How does it Work?When reviewing an intrusion detection system (IDS), an IS auditor ...Intrusion Detection Systems (IDS)--An Overview with a Generalized ...An overview of issues in testing intrusion detection systems - NISTA Review of Intrusion Detection Systems and Their ...

• Question 1770:

  Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?

  A. Establish the timing of testing.
  B. Identify milestones.
  C. Determine the test reporting
  D. Establish the rules of engagement.
  D. Establish the rules of engagement.

  ---

  Explanation

  The rules of engagement define the scope, objectives, methodology, deliverables, and limitations of the penetration testing. They also specify the legal and ethical boundaries, communication channels, and escalation procedures. Establishing the rules of engagement is the first step when planning to conduct penetration testing for a client, as it ensures that both parties agree on the expectations and outcomes of the testing. The other options are important steps, but they should be done after the rules of engagement are established.

  References: CISA Review Manual (Digital Version) 1, page 381.