Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1791:

  Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?

  A. Regression testing
  B. Unit testing
  C. Integration testing
  D. Acceptance testing
  A. Regression testing

  ---

  Explanation

  Regression testing is the most appropriate testing method for assessing whether system integrity has been maintained after changes have been made. Regression testing is a type of software testing that ensures that previously developed and tested software still performs as expected after a change1 Regression testing helps to detect any defects or errors that may have been introduced or uncovered due to the change2 Regression testing can be performed at different levels of testing, such as unit, integration, system, and acceptance3 Unit testing is a type of software testing that verifies the functionality of individual components or units of code. Unit testing is usually performed by developers before integrating the code with other components. Unit testing helps to identify and fix errors at an early stage of development, but it does not ensure that the system as a whole works as expected after a change. Integration testing is a type of software testing that verifies the functionality, performance, and reliability of the interactions between different components or units of code. Integration testing is usually performed after unit testing and before system testing. Integration testing helps to identify and fix errors that may occur when different components are integrated, but it does not ensure that the system as a whole works as expected after a change. Acceptance testing is a type of software testing that verifies whether the system meets the user requirements and expectations. Acceptance testing is usually performed by end-users or customers after system testing and before deploying the system to production. Acceptance testing helps to ensure that the system delivers the desired value and quality to the users, but it does not ensure that the system as a whole works as expected after a change.

  References: 1: What is Regression Testing? Test Cases (Example) - Guru99 2: What is Regression Testing? Definition, Tools, Examples - Katalon 3: Regression testing -Wikipedia : What is Unit Testing? Definition, Types, Tools and Examples

  - Guru99 : What is Integration Testing? Definition, Types, Tools and Examples - Guru99 : What is Acceptance Testing? Definition, Types, Tools and Examples - Guru99

• Question 1792:

  What are the different types of Audits?

  A. Compliance, financial, operational, forensic and integrated
  B. Compliance, financial, operational, G9 and integrated
  C. Compliance, financial, SA1, forensic and integrated
  D. Compliance, financial, operational, forensic and capability
  A. Compliance, financial, operational, forensic and integrated

  ---

  Explanation

  Compliance, financial, operational, forensic and integrated are different types of audit.

  For your exam you should know the information below:

  What is an audit?

  An audit in general terms is a process of evaluating an individual or organization's accounts. This is usually done by an independent auditing body. Thus, audit involves a competent and independent person obtaining evidence and evaluating

  it objectively with regard to a given entity, which in this case is the subject of audit, in order to establish conformance to a given set of standards. Audit can be on a person, organization, system, enterprise, project or product.

  Compliance Audit

  A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review

  security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory or industry standard. These

  audits often overlap traditional audits, but may focus on particular system or data.

  What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data. For instance, SOX

  requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure. Health care providers that store or transmit e-health records, like personal health information, are

  subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often

  generated by data from event log management software.

  Financial Audit

  A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not

  absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an objective

  independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and

  consequently reduce the cost of capital of the preparer of the financial statements.

  Operational Audit

  Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit financial data may

  be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Operational audit is a more comprehensive form of an Internal audit.

  The Institute of Internal Auditor (IIA) defines Operational Audit as a systematic process of evaluating an organization's effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the

  results of the evaluation along with recommendations for improvement.

  Objectives

  To appraise the effectiveness and efficiency of a division, activity, or operation of the entity in meeting organizational goals.

  To understand the responsibilities and risks faced by an organization.

  To identify, with management participation, opportunities for improving control.

  To provide senior management of the organization with a detailed understanding of the Operations.

  Integrated Audits

  An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to financial information and asset, safeguarding, efficiency and or internal

  auditors and would include compliance test of internal controls and substantive audit step.

  IS Audit

  An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are

  safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of

  attestation engagement.

  The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets

  and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

  Will the organization's computer systems be available for the business at all times when required? (known as availability) Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality) Will

  the information provided by the system always be accurate, reliable, and timely? (measures the integrity) In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing

  those risks.

  Forensic Audit

  Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or irregularities

  (including fraud) and giving preventative advice.

  The purpose of a forensic audit is to use accounting procedures to collect evidence for the prosecution or investigation of financial crimes such as theft or fraud. Forensic audits may be conducted to determine if wrongdoing occurred, or to

  gather materials for the case against an alleged criminal.

  The following answers are incorrect:

  Compliance, financial, operational, forensic and integrated are different types of audits. G9, SA1 and capability are not the audit types.

  CISA Review Manual 2014 Page number 47

  http://searchcompliance.techtarget.com/definition/compliance-audit

  http://en.wikipedia.org/wiki/Financial_audit

  http://en.wikipedia.org/wiki/Operational_auditing

  http://en.wikipedia.org/wiki/Information_technology_audit

  http://www.investorwords.com/16445/forensic_audit.html

• Question 1793:

  An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services Which of the following would BEST enable the organization to resolve this issue?

  A. Problem management
  B. Incident management
  C. Service level management
  D. Change management
  A. Problem management

  ---

  Explanation

  Problem management is the best way to enable the organization to resolve the issue of repeated failures of critical data processing services, as it focuses on identifying and eliminating the root causes of incidents and preventing their

  recurrence. Problem management involves analyzing incidents, performing root cause analysis, finding solutions, implementing changes and documenting lessons learned. Incident management is not the best way to resolve the issue, as it

  focuses on restoring normal service operation as quickly as possible after an incident occurs, but does not address the underlying causes or prevent future incidents. Service level management is not the best way to resolve the issue, as it

  focuses on defining, monitoring and reporting on the service levels agreed upon between service providers and customers, but does not address the causes or solutions of incidents. Change management is not the best way to resolve the

  issue, as it focuses on ensuring that changes are implemented in a controlled and coordinated manner, but does not address the identification or elimination of incidents.

  References:

  : [Problem Management Definition]

  : [Incident Management Definition]

  : [Service Level Management Definition]

  : [Change Management Definition]

  : IT Service Management | ISACA

• Question 1794:

  Which of the following would BEST help prioritize various projects in an organization's IT portfolio?

  A. Business cases
  B. Industry trends
  C. Enterprise architecture (EA)
  D. Total cost of ownership (TCO)
  A. Business cases

  ---

  Explanation

• Question 1795:

  An IS audit reveals that many of an organization's Internet of Things (loT) devices have not been patched. Which of the following should the auditor do FIRST when determining why these devices have not received the required patches?

  A. Determine the physical location of the deployed devices
  B. Review the organization's patching policy and process documentation
  C. Ensure the devices are listed in the asset inventory database
  D. Review the organization's most recent risk assessment on loT devices
  B. Review the organization's patching policy and process documentation

  ---

  Explanation

• Question 1796:

  An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?

  A. Improve the change management process
  B. Establish security metrics.
  C. Perform a penetration test
  D. Perform a configuration review
  D. Perform a configuration review

  ---

  Explanation

  The best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities is to perform a configuration review. A configuration review is an audit procedure that involves examining and verifying the security settings and parameters of application servers against predefined standards or best practices. A configuration review can help to identify and remediate any deviations, inconsistencies, or misconfigurations that may expose the application servers to unauthorized access, exploitation, or compromise6. A configuration review can also help to ensure compliance with security policies and regulations, as well as enhance the performance and availability of application servers. The other options are less effective or incorrect because:

  A. Improving the change management process is not the best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities, as it does not address the root cause of the problem or provide a specific solution. While improving the change management process may help to prevent future inconsistencies or misconfigurations in application server settings, it does not ensure that the existing ones are detected and corrected.

  B. Establishing security metrics is not the best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities, as it does not address the root cause of the problem or provide a specific solution. While establishing security metrics may help to measure and monitor the security performance and posture of application servers, it does not ensure that the existing inconsistencies or misconfigurations in application server settings are detected and corrected.

  C. Performing a penetration test is not the best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities, as it does not address the root cause of the problem or provide a specific solution. While performing a penetration test may help to simulate and evaluate the impact of an attack on application servers, it does not ensure that the existing inconsistencies or misconfigurations in application server settings are detected and corrected.

  References: Configuring system to use application server security - IBM, Application Security Risk: Assessment and Modeling - ISACA, Five Key Components of an Application Security Program - ISACA, ISACA Practitioner Guidelines for Auditors - SSH, SCADA Cybersecurity Framework - ISACA

• Question 1797:

  Which of the following should be of concern to an IS auditor performing a software audit on virtual machines?

  A. Software licensing does not support virtual machines.
  B. Software has been installed on virtual machines by privileged users.
  C. Multiple users can access critical applications.
  D. Applications have not been approved by the CFO.
  A. Software licensing does not support virtual machines.

  ---

  Explanation

• Question 1798:

  A small IT department has embraced DevOps, which allows members of this group to deploy code to production and maintain some development access to automate releases. Which of the following is the MOST effective control?

  A. Enforce approval prior to deployment by a member of the team who has not taken part in the development.
  B. The DevOps team provides an annual policy acknowledgment that they did not develop and deploy the same code.
  C. Annual training reinforces the need to maintain segregation between developers and deployers of code
  D. The IT compliance manager performs weekly reviews to ensure the same person did not develop and deploy code.
  A. Enforce approval prior to deployment by a member of the team who has not taken part in the development.

  ---

  Explanation

  The most effective control to maintain segregation of duties in a DevOps environment is A. Enforce approval prior to deployment by a member of the team who has not taken part in the development. Segregation of duties (SoD) is a principle that requires multiple actors to complete a task to reduce the risk of fraud, error, or abuse1. In a DevOps environment, where developers and operators work together to deliver software faster and more reliably, SoD may seem to be incompatible or impractical. However, SoD can still be achieved by implementing controls that ensure that no single person can develop, test, and deploy code without oversight or review. Enforcing approval prior to deployment by a member of the team who has not taken part in the development is an effective control that ensures that code changes are verified and validated by a peer before they are released to production. This control can help prevent or detect any unauthorized or malicious modifications, errors, or vulnerabilities in the code, and ensure that the code meets the quality and security standards3. This control can also promote collaboration and feedback among the team members, and improve the transparency and accountability of the software delivery process.

• Question 1799:

  A data center's physical access log system captures each visitor's identification document numbers along with the visitor's photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?

  A. Quota sampling
  B. Haphazard sampling
  C. Attribute sampling
  D. Variable sampling
  C. Attribute sampling

  ---

  Explanation

  Attribute sampling is a method of audit sampling that is used to test the effectiveness of controls by measuring the rate of deviation from a prescribed procedure or attribute. Attribute sampling is suitable for testing compliance with the data center's physical access log system, as the auditor can compare the identification document numbers and photos of the visitors with the records in the system and determine whether there are any discrepancies or errors. Attribute sampling can also provide an estimate of the deviation rate in the population and allow the auditor to draw a conclusion about the operating effectiveness of the control. Variable sampling, on the other hand, is a method of audit sampling that is used to estimate the amount or value of a population by measuring a characteristic of interest, such as monetary value, quantity, or size. Variable sampling is not appropriate for testing compliance with the data center's physical access log system, as the auditor is not interested in estimating the value of the population, but rather in testing whether the system is operating as intended. Quota sampling and haphazard sampling are both examples of non-statistical sampling methods that do not use probability theory to select a sample. Quota sampling involves selecting a sample based on certain criteria or quotas, such as age, gender, or location. Haphazard sampling involves selecting a sample without any specific plan or method. Both methods are not suitable for testing compliance with the data center's physical access log system, as they do not ensure that the sample is representative of the population and do not allow the auditor to measure the sampling risk or project the results to the population. Therefore, attribute sampling is the most useful sampling method for an IS auditor conducting compliance testing for the effectiveness of the data center's physical access log system.

  References: Audit Sampling - What Is It, Methods, Example, Advantage, Reason ISA 530: Audit sampling | ICAEW

• Question 1800:

  During the procurement process, which of the following would be the BEST indication that prospective vendors will meet the organization's needs?

  A. An account transition manager has been identified.
  B. Expected service levels are defined.
  C. The vendor's subcontractors have been identified.
  D. The service catalog is documented.
  B. Expected service levels are defined.

  ---

  Explanation