Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1811:

  Which of the following will MOST likely compromise the control provided By a digital signature created using RSA encryption?

  A. Reversing the hash function using the digest
  B. Altering the plaintext message
  C. Deciphering the receiver's public key
  D. Obtaining the sender's private key
  D. Obtaining the sender's private key

  ---

  Explanation

  A digital signature is a cryptographic technique that verifies the authenticity and integrity of a message or document, by using a hash function and an asymmetric encryption algorithm. A hash function is a mathematical function that transforms any input data into a fixed-length output value called a digest, which is unique for each input. An asymmetric encryption algorithm uses two keys: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret by the owner. To create a digital signature, the sender first applies a hash function to the plaintext message to generate a digest. Then, the sender encrypts the digest with their private key to produce the digital signature. To verify the digital signature, the receiver decrypts the digital signature with the sender's public key to obtain the digest. Then, the receiver applies the same hash function to the plaintext message to generate another digest. If the two digests match, it means that the message has not been altered and that it came from the sender. The security of a digital signature depends on the secrecy of the sender's private key. If an attacker obtains the sender's private key, they can create fake digital signatures for any message they want, thus compromising the control provided by the digital signature. Reversing the hash function using the digest is not possible, as hash functions are designed to be one-way functions that cannot be inverted. Altering the plaintext message will result in a different digest after applying the hash function, which will not match with the decrypted digest from the digital signature, thus invalidating the digital signature. Deciphering the receiver's public key is not relevant, as public keys are meant to be publicly available and do not affect the security of digital signatures.

• Question 1812:

  The PRIMARY objective of conducting a post-implementation review is to:

  A. determine if project management methodology was applied consistently
  B. verify that the information system meets the intended objectives
  C. determine if testing documentation was sufficient
  D. allow employees to provide feedback on the information system
  B. verify that the information system meets the intended objectives

  ---

  Explanation

• Question 1813:

  As part of an IS audit, the auditor notes the practices listed below. Which of the following would be a segregation of duties concern?

  A. Operators are degaussing magnetic tapes during night shifts.
  B. System programmers have logged access to operating system parameters.
  C. System programmers are performing the duties of operators.
  D. Operators are acting as tape librarians on alternate shifts.
  D. Operators are acting as tape librarians on alternate shifts.

  ---

  Explanation

• Question 1814:

  An IS auditor observes an organization is performing data backup and restoration testing on an ad hoc basis without a defined process. What is the MOST likely result of a data disruption event?

  A. Increased loss impact
  B. Decreased data confidentiality
  C. Increased likelihood of future risk events
  D. Decreased data integrity
  A. Increased loss impact

  ---

  Explanation

• Question 1815:

  Which of the following audit risk is related to material error exist that would not be prevented or detected on timely basis by the system of internal controls?

  A. Inherent Risk
  B. Control Risk
  C. Detection Risk
  D. Overall Audit Risk
  B. Control Risk

  ---

  Explanation

  The risk that material error exist that would not be prevented or detected on timely basis by the system of internal controls. For example, the control risk associated with manual review could be high because activities requiring investigation

  are often easily missed due to the volume of logged information.

  For your exam you should know below information about audit risk:

  Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue unqualified report due to the auditor's failure to detect material misstatement either due to error or fraud. This risk is composed of inherent risk (IR), control

  risk (CR) and detection risk (DR), and can be calculated thus:

  AR = IR ?CR ?DR

  Inherent Risk

  Auditors must determine risks when working with clients. One type of risk to be aware of is inherent risk. While assessing this level of risk, you ignore whether the client has internal controls in place (such as a secondary review of financial

  statements) in order to help mitigate the inherent risk. You consider the strength of the internal controls when assessing the client's control risk. Your job when assessing inherent risk is to evaluate how susceptible the financial statement

  assertions are to material misstatement given the nature of the client's business. A few key factors can increase inherent risk.

  Environment and external factors: Here are some examples of environment and external factors that can lead to high inherent risk:

  Rapid change: A business whose inventory becomes obsolete quickly experiences high inherent risk.

  Expiring patents: Any business in the pharmaceutical industry also has inherently risky environment and external factors. Drug patents eventually expire, which means the company faces competition from other manufacturers marketing the

  same drug under a generic label.

  State of the economy: The general level of economic growth is another external factor affecting all businesses.

  Availability of financing: Another external factor is interest rates and the associated availability of financing. If your client is having problems meeting its short-term cash payments, available loans with low interest rates may mean the difference

  between your client staying in business or having to close its doors.

  Prior-period misstatements: If a company has made mistakes in prior years that weren't material (meaning they weren't significant enough to have to change), those errors still exist in the financial statements. You have to aggregate prior-

  period misstatements with current year misstatements to see if you need to ask the client to adjust the account for the total misstatement.

  You may think an understatement in one year compensates for an overstatement in another year. In auditing, this assumption isn't true. Say you work a cash register and one night the register comes up $20 short. The next week, you

  somehow came up $20 over my draw count. The $20 differences are added together to represent the total amount of your mistakes which is $40 and not zero. Zero would indicate no mistakes at all had occurred.

  Susceptibility to theft or fraud: If a certain asset is susceptible to theft or fraud, the account or balance level may be considered inherently risky. For example, if a client has a lot of customers who pay in cash, the balance sheet cash account is

  going to have risk associated with theft or fraud because of the fact that cash is more easily diverted than customer checks or credit card payments.

  Looking at industry statistics relating to inventory theft, you may also decide to consider the inventory account as inherently risky. Small inventory items can further increase the risk of this account valuation being incorrect because those items

  are easier to conceal (and therefore easier to steal).

  Control Risk

  Control risk has been defined under International Standards of Auditing (ISAs) as following:

  The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or

  detected and corrected, on a timely basis by the entity's internal control.

  In simple words control risk is the probability that a material misstatement exists in an assertion because that misstatement was not either prevented from entering entity's financial information or it was not detected and corrected by the

  internal control system of the entity.

  It is the responsibility of the management and those charged with governance to implement internal control system and maintain it appropriately which includes managing control risk.

  There can be many reasons for control risk to arise and why it cannot be eliminated absolutely. But some of them are as follows:

  Cost-benefit constraints

  Circumvention of controls

  Inappropriate design of controls

  Inappropriate application of controls

  Lack of control environment and accountability

  Novel situations

  Outdated controls

  Inappropriate segregation of duties

  Detection Risk

  Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.

  An auditor must apply audit procedures to detect material misstatements in the financial statements whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining

  undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit such as the use of sampling for the selection of transactions.

  Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.

  The following answers are incorrect:

  Inherent Risk - It is the risk level or exposure of a process or entity to be audited without taking into account the control that management has implemented.

  Detection risk - The risk that material errors or misstatements that have occurred will not be detected by an IS auditor.

  Overall audit risk - The probability that information or financial report may contain material errors and that the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to limit the audit risk in the area

  under security so the overall audit risk is at sufficiently low level at the completion of the examination.

  CISA review manual 2014 page number 50

  http://en.wikipedia.org/wiki/Audit_risk

  http://www.dummies.com/how-to/content/how-to-assess-inherent-risk-in-an-audit.html

  http://pakaccountants.com/what-is-control-risk/

  http://accounting-simplified.com/audit/risk-assessment/audit-risk.html

• Question 1816:

  Which of the following is the MOST effective control when granting access to a service provider for a ctoud-6ased application?

  A. Administrator access is provided for a limited period with an expiration date.
  B. Access has been provided on a need-to-know basis.
  C. User IDs are deleted when work is completed.
  D. Access is provided to correspond with the service level agreement (SLA).
  B. Access has been provided on a need-to-know basis.

  ---

  Explanation

  Explanation Granting access on a need-to-know basis ensures that a service provider only has the permissions necessary to perform their specific tasks. This principle minimizes the risk of unauthorized access oraccidental misuse of the system by restricting access to essential areas only. It aligns with the least privilege principle, a cornerstone of effective access control. Limited Administrator Access with Expiration (Option A):This is helpful but does not ensure that the access granted aligns with the specific job requirements. Deleting User IDs After Completion (Option C):This is a good practice but applies after the task, not during access. Access Corresponding to the SLA (Option D):While important, this focuses on timeframes and does not restrict permissions effectively.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

• Question 1817:

  Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's mobile device policies and controls in its corporate environment?

  A. The mobile authentication policy requires biometrics.
  B. The virtual private network (VPN) policy is not enabled for the internal corporate network.
  C. Not all active devices are enrolled in mobile device management (MDM).
  D. Remote wipe and lock features are only available with access to the internet.
  C. Not all active devices are enrolled in mobile device management (MDM).

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  A lack ofMobile Device Management (MDM) enrollmentis the biggest concern, asunmanaged devicespose a serious security risk.

  Not All Devices Enrolled in MDM (Correct Answer ?C) Biometric Authentication Required (Incorrect ?A)

  VPN Not Required for Internal Network (Incorrect ?B) Remote Wipe Requires Internet (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  NIST 800-124 (Mobile Device Security)

• Question 1818:

  Which of the following biometric access controls has the HIGHEST rate of false negatives?

  A. Iris recognition
  B. Fingerprint scanning
  C. Face recognition
  D. Retina scanning
  B. Fingerprint scanning

  ---

  Explanation

  Among the options provided, fingerprint scanning has the highest rate of false negatives. False negatives occur when a biometric system fails to recognize an authentic individual. Factors such as skin conditions (wet, dry, greasy), finger injuries, and inadequate scanning can contribute to false negatives in fingerprint scanning1. In comparison, iris recognition23, face recognition45, and retina scanning67 generally have lower rates of false negatives.

  References: How Accurate are today's Fingerprint Scanners? - Bayometric 25 Advantages and Disadvantages of Iris Recognition - Biometric Today Iris Recognition Technology (or, Musings While Going through Airport ... The Critics Were Wrong: NIST Data Shows the Best Facial Recognition Algorithms Are Neither Racist Nor Sexist | ITIF NIST Launches Studies into Masks' Effect on Face Recognition Software Retinal scan - Wikipedia How accurate are retinal security scans - Smart Eye Technology

• Question 1819:

  An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

  A. Users can export application logs.
  B. Users can view sensitive data.
  C. Users can make unauthorized changes.
  D. Users can install open-licensed software.
  C. Users can make unauthorized changes.

  ---

  Explanation

  The greatest risk associated with having most users with administrator access to an externally facing system containing sensitive data is that users can make unauthorized changes to the system or the data, which could compromise the integrity, confidentiality, and availability of the system and the data. Users can export application logs, view sensitive data, and install open-licensed software are also risks, but they are not as severe as unauthorized changes.

  References: ISACA CISA Review Manual 27th Edition Chapter 4

• Question 1820:

  When continuous monitoring systems are being implemented, an IS auditor should FIRST identify:

  A. the location and format of output files
  B. applications that provide the highest financial risk
  C. high-risk areas within the organization
  D. the controls on which to focus
  D. the controls on which to focus

  ---

  Explanation