Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1821:

  During a pre-implementation review, an IS auditor notes that some scenarios have not been tested. Management has indicated that the project is critical and cannot be postponed. Which of the following is the auditor's BEST course of action?

  A. Determine whether the tested scenarios covered the most significant project risks.
  B. Help management complete remaining scenario testing before implementation.
  C. Recommend project implementation be postponed until all scenarios have been tested.
  D. Perform remaining scenario testing in the production environment post implementation.
  A. Determine whether the tested scenarios covered the most significant project risks.

  ---

  Explanation

• Question 1822:

  Which of the following metrics is MOST useful to an IS auditor when evaluating whether IT investments are meeting business objectives?

  A. Realized return on investment (ROI) versus projected ROI
  B. Actual return on investment (ROI) versus industry average ROI.
  C. Actual versus projected customer satisfaction
  D. Budgeted spend versus actual spend
  A. Realized return on investment (ROI) versus projected ROI

  ---

  Explanation

• Question 1823:

  A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

  A. Implement overtime pay and bonuses for all development staff.
  B. Utilize new system development tools to improve productivity.
  C. Recruit IS staff to expedite system development.
  D. Deliver only the core functionality on the initial target date.
  D. Deliver only the core functionality on the initial target date.

  ---

  Explanation

  The strategy that would provide the greatest assurance of system quality at implementation is delivering only the core functionality on the initial target date. This strategy can help avoid compromising the quality of the system by focusing on the essential features that meet the user needs and expectations. Delivering only the core functionality can also help reduce the scope creep, complexity, and testing efforts of the system development project. Implementing overtime pay and bonuses for all development staff, utilizing new system development tools to improve productivity, and recruiting IS staff to expedite system development are not strategies that would provide the greatest assurance of system quality at implementation. These strategies may help speed up the system development process, but they may also introduce new risks or challenges such as burnout, learning curve, integration issues, or communication gaps. These risks or challenges may adversely affect the quality of the system.

• Question 1824:

  Which of the following is the MOST efficient way to identify fraudulent activity on a set of transactions?

  A. Control self-assessments (CSAs)
  B. Interviews with control owners
  C. Regression analysis
  D. Benford's law analysis
  D. Benford's law analysis

  ---

  Explanation

  Benford's law analysis is a powerful technique for identifying irregularities or anomalies in numerical datasets, such as financial transactions. It detects deviations from expected frequency distributions, which may indicate fraud. Control Self-

  Assessments (CSAs) (Option A):Useful for control evaluation but not for fraud detection.

  Interviews with Control Owners (Option B):Provide insights but are not efficient for identifying fraudulent patterns.

  Regression Analysis (Option C):Effective for predictive modeling but less so for detecting fraud in transactional data.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

• Question 1825:

  A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

  A. the provider has alternate service locations.
  B. the contract includes compensation for deficient service levels.
  C. the provider's information security controls are aligned with the company's.
  D. the provider adheres to the company's data retention policies.
  C. the provider's information security controls are aligned with the company's.

  ---

  Explanation

  The most important thing for the company to verify when outsourcing the printing of customer statements is whether the provider's information security controls are aligned with the company's. This is because customer statements contain sensitive personal and financial information that need to be protected from unauthorized access, disclosure, modification or destruction. The provider's information security controls should be consistent with the company's policies, standards and regulations, and should be audited periodically to ensure compliance. The other options are also relevant, but not as critical as information security.

  References: CISA Review Manual (Digital Version)1, Chapter 3, Section 3.2.2

• Question 1826:

  Which of the following is the MAIN benefit of using data analytics when testing the effectiveness of controls?

  A. Analytics can be applied to any type of control
  B. Analytics remove the need to focus on areas of higher risk
  C. The demand for IS auditors is reduced over time
  D. The full population can be tested.
  D. The full population can be tested.

  ---

  Explanation

• Question 1827:

  Which of the following is the BEST reason for software developers to use automated testing versus manual testing?

  A. CAATs are easily developed
  B. Improved regression testing
  C. Ease of maintaining automated test scripts
  D. Reduces the scope of acceptance testing
  B. Improved regression testing

  ---

  Explanation

• Question 1828:

  Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization's patch management process?

  A. The organization's software inventory is not complete.
  B. Applications frequently need to be rebooted for patches to take effect.
  C. Software vendors are bundling patches.
  D. Testing patches takes significant time.
  A. The organization's software inventory is not complete.

  ---

  Explanation

  The organization's software inventory is not complete. This finding would be of greatest concern to an IS auditor assessing an organization's patch management process because: A software inventory is a list of all the software assets that an organization owns, uses, or manages. A software inventory is essential for effective patch management, as it helps identify the software that needs to be updated, the patches that are available, and the dependencies and compatibility issues that may arise. Without a complete software inventory, an organization may miss some critical patches, expose itself to security risks, and waste resources on unnecessary or redundant patches. Applications frequently need to be rebooted for patches to take effect. This finding would be of moderate concern to an IS auditor assessing an organization's patch management process because: Rebooting applications for patches to take effect is a common and expected practice in some cases, especially for operating system or kernel patches. However, frequent reboots may indicate that the organization is not applying patches in a timely or efficient manner, or that the patches are not well-designed or tested. Frequent reboots may also cause disruption to the business operations and user experience, and increase the risk of data loss or corruption. Software vendors are bundling patches. This finding would be of low concern to an IS auditor assessing an organization's patch management process because: Bundling patches is a practice where software vendors combine multiple patches into a single package or update. Bundling patches can have some advantages, such as reducing the number of downloads and installations, simplifying the patch management process, and ensuring consistency and compatibility among patches. However, bundling patches can also have some disadvantages, such as increasing the size and complexity of the updates, delaying the delivery of critical patches, and introducing new bugs or vulnerabilities. Testing patches takes significant time. This finding would be of low concern to an IS auditor assessing an organization's patch management process because: Testing patches is a vital step in the patch management process, as it helps ensure that the patches are functional, secure, and compatible with the existing software and hardware environment. Testing patches can take significant time, depending on the scope, complexity, and frequency of the patches. However, testing patches is a necessary investment to avoid potential problems or failures that could result from applying untested or faulty patches.

  References: Best practices for patch management Server Patch Management: Best Practices and Tools 11 Key Steps of the Patch Management Process

• Question 1829:

  During which phase of an incident response process should corrective actions to the response procedure be considered and implemented?

  A. Eradication
  B. Identification
  C. Review
  D. Containment
  A. Eradication

  ---

  Explanation

• Question 1830:

  Which of the following situations would impair the independence of an IS auditor involved in a software development project?

  A. Determining the nature of implemented controls
  B. Programming embedded audit modules
  C. Being an expert advisor to the project sponsor
  D. Defining end-user requirements
  D. Defining end-user requirements

  ---

  Explanation