Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1781:

  Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

  A. Data storage costs
  B. Data classification
  C. Vendor cloud certification
  D. Service level agreements (SLAs)
  B. Data classification

  ---

  Explanation

  Data classification is the first consideration when deciding whether data should be moved to a cloud provider for storage because it determines the level of protection and security required for the data. Data classification also helps to identify the legal and regulatory requirements that apply to the data, such as privacy, retention and disposal policies. Data storage costs, vendor cloud certification and service level agreements (SLAs) are important factors to consider, but they are secondary to data classification.

  References: CISA Review Manual (Digital Version) 1, Chapter 5, Section 5.3.2

• Question 1782:

  Using swipe cards to limit employee access to restricted areas requires implementing which additional control?

  A. Physical sign-in of all employees for access to restricted areas
  B. Implementation of additional PIN pads
  C. Periodic review of access profiles by management
  D. Installation of closed-circuit television (CCTV)
  C. Periodic review of access profiles by management

  ---

  Explanation

  Periodic review of access profiles by management is an additional control that is required when using swipe cards to limit employee access to restricted areas. Swipe cards are a type of physical access control that use magnetic stripes or

  radio frequency identification (RFID) to store and transmit information about the cardholder's identity and access rights. Swipe cards can help to prevent unauthorized entry, protect sensitive assets and data, and monitor access activity.

  However, swipe cards alone are not enough to ensure effective access control. They need to be complemented by other controls, such as:

  Periodic review of access profiles by management: This is a type of logical access control that involves verifying that the access rights assigned to each cardholder are appropriate, necessary, and consistent with the organization's policies

  and procedures. Periodic review of access profiles can help to detect and correct any errors, inconsistencies, or violations in the access control system, such as outdated, excessive, or redundant access rights, segregation of duties conflicts,

  or unauthorized changes. Periodic review of access profiles can also help to ensure compliance with internal and external audit requirements and regulations. Implementation of additional PIN pads: This is a type of multi-factor authentication

  (MFA) that requires the cardholder to enter a personal identification number (PIN) in addition to swiping their card. MFA can enhance the security of the access control system by adding another layer of verification and reducing the risk of lost,

  stolen, or cloned cards being used by unauthorized persons. Installation of closed-circuit television (CCTV): This is a type of surveillance system that uses cameras and monitors to record and display the images of the people and activities in

  the restricted areas. CCTV can deter potential intruders, provide evidence of any security incidents or breaches, and enable real-time monitoring and response by security personnel.

  The other options are not as effective or relevant as periodic review of access profiles by management for an additional control when using swipe cards. Physical sign-in of all employees for access to restricted areas is a redundant and

  inefficient control that can be easily bypassed or manipulated. It also does not provide any assurance or verification of the identity or access rights of the cardholders. Audit hooks are software routines embedded in an application that can

  trigger an alert or a report when certain conditions are met. Audit hooks can help to detect anomalies or exceptions in access control lists, but they do not provide a comprehensive or integrated view of them.

  References:

  ISACA, CISA Review Manual, 27th Edition, 2019, p. 236 ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition, 2014, p. 88 Data Analytics for Auditing Access Control

• Question 1783:

  An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee.

  Which type of control has been added?

  A. Corrective
  B. Compensating
  C. Preventive
  D. Detective
  C. Preventive

  ---

  Explanation

• Question 1784:

  When protecting the confidentiality of information assets, the MOST effective control practice is the:

  A. Awareness training of personnel on regulatory requirements
  B. Utilization of a dual-factor authentication mechanism
  C. Configuration of read-only access to all users
  D. Enforcement of a need-to-know access control philosophy
  D. Enforcement of a need-to-know access control philosophy

  ---

  Explanation

• Question 1785:

  An organization processing high volumes of financial transactions has implemented log file analysis on a central log server to continuously monitor compliance with its fraud policy. Which of the following poses the GREATEST risk to this control?

  A. IT operations staff have the right to restart the log server.
  B. Data entry staff have privileged access to the log server.
  C. IT operations staff are able to stop the payment processing system.
  D. Software developers have read access to the log server.
  B. Data entry staff have privileged access to the log server.

  ---

  Explanation

• Question 1786:

  When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following is the auditor's BEST course of action?

  A. Inform senior management.
  B. Reevaluate internal controls.
  C. Inform audit management.
  D. Re-perform past audits to ensure independence.
  C. Inform audit management.

  ---

  Explanation

  If an IS auditor suspects that independence may not have been maintained in past audits, the best course of action is to inform audit management. Audit management has the responsibility and authority to address such issues. They can review the situation, determine if there was indeed a lack of independence, and decide on the appropriate actions to take123. While informing senior management, reevaluating internal controls, and re-performing past audits might be necessary at some point, the first step should be to inform audit management.

• Question 1787:

  Which of the following is the BEST data integrity check?

  A. Counting the transactions processed per day
  B. Performing a sequence check
  C. Tracing data back to the point of origin
  D. Preparing and running test data
  C. Tracing data back to the point of origin

  ---

  Explanation

  Data integrity is the property that ensures that data is accurate, complete, consistent, and reliable throughout its lifecycle. The best data integrity check is tracing data back to the point of origin, which is the source where the data was originally created or captured. This check can verify that data has not been altered or corrupted during transmission, processing, or storage. It can also identify any errors or discrepancies in data entry or conversion. Counting the transactions processed per day is a performance measure that does not directly assess data integrity. Performing a sequence check is a validity check that ensures that data follows a predefined order or pattern. It can detect missing or out-of-order data elements, but it cannot verify their accuracy or completeness. Preparing and running test data is a testing technique that simulates real data to evaluate how a system handles different scenarios. It can help identify errors or bugs in the system logic or functionality, but it cannot ensure data integrity in production environments.

  References: Information Systems Operations and Business Resilience, CISA Review Manual (Digital Version)

• Question 1788:

  Which of the following is MOST important for an IS auditor to verify when evaluating tne upgrade of an organization's enterprise resource planning (ERP) application?

  A. Application related documentation was updated to reflect the changes in the new version
  B. Security configurations were appropriately applied to the new version
  C. Users were provided security training on the new version
  D. Lessons teamed analysis was documented after the upgrade
  B. Security configurations were appropriately applied to the new version

  ---

  Explanation

  Explanation

• Question 1789:

  A bank recently experienced fraud where unauthorized payments were inserted into the payments transaction process. An IS auditor has reviewed the application systems and databases along the processing chain but has not identified the entry point of the fraudulent transactions. Where should the auditor look NEXT?

  A. Operating system patch levels
  B. Interfaces between systems
  C. Change management repository
  D. System backup and archiving
  B. Interfaces between systems

  ---

  Explanation

• Question 1790:

  An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process. Which of the following is the MOST appropriate population to sample from when testing for remediation?

  A. All users provisioned after the final audit report was issued
  B. All users who have followed user provisioning processes provided by management
  C. All users provisioned after management resolved the audit issue
  D. All users provisioned after the finding was originally identified
  C. All users provisioned after management resolved the audit issue

  ---

  Explanation