Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1831:

  An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?

  A. Between each host and the local network switch/hub
  B. Between virtual local area networks (VLANs)
  C. Inside the demilitarized zone (DMZ)
  D. At borders of network segments with different security levels
  D. At borders of network segments with different security levels

  ---

  Explanation

• Question 1832:

  Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?

  A. Voice recovery
  B. Alternative routing
  C. Long-haul network diversity
  D. Last-mile circuit protection
  D. Last-mile circuit protection

  ---

  Explanation

  Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of last-mile circuit protection. Last-mile circuit protection is a type of telecommunications continuity that ensures the availability and redundancy of the final segment of the network that connects the end-user to the service provider. The local communications loop, also known as the local loop or subscriber line, is the physical link between the customer premises and the nearest central office or point of presence of the service provider. By having multiple Internet connections from different providers or technologies, such as cable, DSL, fiber, wireless, or satellite, the recovery facilities can avoid losing connectivity in case one of the connections fails or is disrupted by a disaster5.

  References:

  9: Last Mile Redundancy - How to Ensure Business Continuity - Multapplied Networks

• Question 1833:

  Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?

  A. Error log review
  B. Total number of items
  C. Hash totals
  D. Aggregate monetary amount
  C. Hash totals

  ---

  Explanation

  Hash totals are a control technique used to ensure data integrity during batch processing. A hash total is a calculated value based on the data in a batch. This value is compared to a pre-calculated hash total to confirm that all data has been

  processed correctly and without alteration.

  References:

  ISACA CISA Review Manual (27th Edition): Hash totals are discussed within the context of batch processing controls.

  Other Auditing Resources: Hash totals are a fundamental control technique discussed in various audit and information security publications.

• Question 1834:

  A financial institution suspects that a manager has been crediting customer accounts without authorization. Which of the following is the MOST effective method to validate this concern?

  A. Variable sampling
  B. Attribute sampling
  C. Stop or go sampling
  D. Discovery sampling
  B. Attribute sampling

  ---

  Explanation

• Question 1835:

  An organization is considering outsourcing the processing of customer insurance claims. An IS auditor notes that customer data will be sent offshore for processing. Which of the following would be the BEST way to address the risk of exposing customer data?

  A. Require background checks on all service provider personnel involved in the processing of data.
  B. Recommend the use of a service provider within the same country as the organization.
  C. Consider whether the service provider has the ability to meet service level agreements (SLAs).
  D. Assess whether the service provider meets the organization's data protection policies.
  D. Assess whether the service provider meets the organization's data protection policies.

  ---

  Explanation

• Question 1836:

  Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization's enterprise architecture (EA) program?

  A. IT application owners have sole responsibility for architecture approval.
  B. The architecture review board is chaired by the CIO.
  C. Information security requirements are reviewed by the EA program.
  D. The EA program governs projects that are not IT-related.
  A. IT application owners have sole responsibility for architecture approval.

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step Enterprise Architecture (EA) governance requires proper oversight and separation of duties to ensure strategic alignment and risk management. Option A (Correct):If IT application owners have sole authority over architecture approval, there is a high risk of inadequate governance, lack of strategic alignment, and potential conflicts of interest. Architecture decisions should involve multiple stakeholders, including business and security teams, to ensure compliance, security, and business alignment. Option B (Incorrect):While having the CIO chair the architecture review board might not be ideal, it is not thegreatestconcern. The CIO is a senior leader who can provide oversight and direction, even if additional governance mechanisms should be in place. Option C (Incorrect):Reviewing security requirements within the EA program is abest practice, as it ensures that security is embedded into enterprise architecture rather than treated as an afterthought. Option D (Incorrect):Enterprise architecture should ideally encompass both IT and business processes. Governing non-IT-related projects is not inherently problematic, as EA is designed to align business strategy with IT infrastructure.

  ISACA CISA Review Manual -Domain 1: Information Systems Auditing Process?Covers IT governance and EA program structure.

• Question 1837:

  A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?

  A. The survey results were not presented in detail lo management.
  B. The survey questions did not address the scope of the business case.
  C. The survey form template did not allow additional feedback to be provided.
  D. The survey was issued to employees a month after implementation.
  B. The survey questions did not address the scope of the business case.

  ---

  Explanation

  The greatest concern for an IS auditor when a post-implementation review was conducted by issuing a survey to users is that the survey questions did not address the scope of the business case. A post-implementation review is a process of evaluating the outcomes and benefits of a project after it has been completed and implemented. A post-implementation review can help to assess whether the project met its objectives, delivered its expected value, and satisfied its stakeholders1. A survey is a method of collecting feedback and opinions from users or other stakeholders about their experience and satisfaction with the project. A survey can help to measure the user acceptance, usability, and functionality of the project deliverables2. A business case is a document that justifies the need for a project based on its expected benefits, costs, risks, and alternatives. A business case defines the scope, objectives, and requirements of the project and provides a basis for its approval and initiation3. Therefore, an IS auditor should be concerned if the survey questions did not address the scope of the business case, as it may indicate that the post-implementation review was not comprehensive, relevant, or aligned with the project goals. The other options are less concerning or incorrect because:

  A. The survey results were not presented in detail to management is not a great concern for an IS auditor when a post-implementation review was conducted by issuing a survey to users, as it is more of a communication or reporting issue than an audit issue. While presenting the survey results in detail to management may help to inform them about the project performance and outcomes, it does not affect the validity or quality of the post-implementation review itself.

  C. The survey form template did not allow additional feedback to be provided is not a great concern for an IS auditor when a post-implementation review was conducted by issuing a survey to users, as it is more of a design or format issue than an audit issue. While allowing additional feedback to be provided may help to capture more insights or suggestions from users, it does not affect the validity or quality of the post-implementation review itself.

  D. The survey was issued to employees a month after implementation is not a great concern for an IS auditor when a post-implementation review was conducted by issuing a survey to users, as it is more of a timing or scheduling issue than an audit issue. While issuing the survey to employees sooner after implementation may help to collect more accurate and timely feedback from users, it does not affect the validity or quality of the post-implementation review itself.

  References: Post Implementation Review - ISACA, Survey - ISACA, Business Case - ISACA

• Question 1838:

  An organization is implementing a data loss prevention (DLP) system in response to a new regulatory requirement Reviewing. which of the following would be MOST helpful in evaluating the system's design?

  A. System manuals
  B. Enterprise architecture (EA)
  C. Historical record of data breaches
  D. Industry trends
  B. Enterprise architecture (EA)

  ---

  Explanation

• Question 1839:

  An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. After the data quality team identifies the system data at fault, which of the following should internal audit recommend as the NEXT step in the process?

  A. Create business rules that validate data quality.
  B. Develop an improvement plan.
  C. Identify the root cause of data quality problems.
  D. Identify the source data owners.
  A. Create business rules that validate data quality.

  ---

  Explanation

• Question 1840:

  A business has requested an IS audit to determine whether information stored in an application system is adequately protected. Which of the following is the MOST important action before the audit work begins?

  A. Establish control objectives
  B. Conduct a vulnerability analysis
  C. Perform penetration testing
  D. Review remediation reports
  A. Establish control objectives

  ---

  Explanation