Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1841:

  An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

  A. Obtain error codes indicating failed data feeds.
  B. Purchase data cleansing tools from a reputable vendor.
  C. Appoint data quality champions across the organization.
  D. Implement business rules to reject invalid data.
  D. Implement business rules to reject invalid data.

  ---

  Explanation

  The best way to prevent accepting bad data from a third-party service provider is to implement business rules to reject invalid data. Business rules are logical statements that define the data quality requirements and standards for the organization. By implementing business rules, the organization can ensure that only data that meets the predefined criteria is accepted into the enterprise data warehouse. Obtaining error codes indicating failed data feeds, purchasing data cleansing tools from a reputable vendor, and appointing data quality champions across the organization are useful measures to improve data quality, but they do not prevent accepting bad data in the first place.

  References: ISACA Journal Article: Data Quality Management

• Question 1842:

  Which of the following is MOST important to ensure when planning a black box penetration test?

  A. The management of the client organization is aware of the testing.
  B. The test results will be documented and communicated to management.
  C. The environment and penetration test scope have been determined.
  D. Diagrams of the organization's network architecture are available.
  C. The environment and penetration test scope have been determined.

  ---

  Explanation

  A black box penetration test is a type of security assessment that simulates an attack on a system or network without any prior knowledge of its configuration or architecture. The main objective of this test is to identify vulnerabilities and

  weaknesses that can be exploited by external or internal threat actors. To plan a black box penetration test, it is most important to ensure that the environment and penetration test scope have been determined. This means that the tester and

  the client organization have agreed on the boundaries, objectives, methods, and deliverables of the test, as well as the legal and ethical aspects of the engagement. Without a clear definition of the environment and scope, the test may not be

  effective, efficient, or compliant with relevant standards and regulations. Additionally, the tester may cause unintended damage or disruption to the client's systems or networks, or violate their privacy or security policies.

  References:

  What are black box, grey box, and white box penetration testing? What Is Black-Box Penetration Testing and Why Should You Choose It?

• Question 1843:

  An IS auditor wants to gain a better understanding of an organization's selected IT operating system software. Which of the following would be MOST helpful to review?

  A. Service level agreements (SLAs)
  B. Project steering committee charter
  C. IT audit reports
  D. Enterprise architecture (EA)
  C. IT audit reports

  ---

  Explanation

• Question 1844:

  An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

  A. Note the exception in a new report as the item was not addressed by management.
  B. Recommend alternative solutions to address the repeat finding.
  C. Conduct a risk assessment of the repeat finding.
  D. Interview management to determine why the finding was not addressed.
  D. Interview management to determine why the finding was not addressed.

  ---

  Explanation

  If an IS auditor finds that management did not address a prior period audit finding, the next course of action should be to interview management to determine why the finding was not addressed, as this would help to understand the root cause, the impact, and the risk level of the issue. Noting the exception in a new report, recommending alternative solutions, or conducting a risk assessment are possible subsequent steps, but they should not precede interviewing management.

  References: CISA Review Manual (Digital Version), Chapter 1, Section 1.6

• Question 1845:

  Which of the following findings would be of GREATEST concern when auditing an organization's end-user computing (EUC)?

  A. Errors flowed through to financial statements
  B. Reduced oversight by the IT department
  C. Inconsistency of patching processes being followed
  D. Inability to monitor EUC audit logs and activities
  A. Errors flowed through to financial statements

  ---

  Explanation

• Question 1846:

  An organization allows employees to use personally owned mobile devices to access customers' personal information. An IS auditor's GREATEST concern should be whether:

  A. mobile devices are compatible with company infrastructure.
  B. devices have the capability to segregate business and personal data.
  C. mobile device security policies have been implemented.
  D. devices have adequate storage and backup capabilities.
  C. mobile device security policies have been implemented.

  ---

  Explanation

• Question 1847:

  An organization implements a data loss prevention tool as a control to mitigate the risk of sensitive data leaving the organization via electronic mail. Which of the following would provide the BEST indication of adequate control design?

  A. Management has formally approved the control design.
  B. Management presents evidence that data loss incidents have decreased.
  C. Security administrators can demonstrate the functions of the tool.
  D. Rules enforced by the tool were based on the classification of the data.
  C. Security administrators can demonstrate the functions of the tool.

  ---

  Explanation

• Question 1848:

  What type of control has been implemented when secure code reviews are conducted as part of a deployment program?

  A. Monitoring
  B. Deterrent
  C. Detective
  D. Corrective
  C. Detective

  ---

  Explanation

• Question 1849:

  Which of the following BEST protects evidence in a forensic investigation?

  A. imaging the affected system
  B. Powering down the affected system
  C. Protecting the hardware of the affected system
  D. Rebooting the affected system
  A. imaging the affected system

  ---

  Explanation

  Imaging the affected system is the best way to protect evidence in a forensic investigation, because it creates a bit-by-bit copy of the original data that can be analyzed without altering or compromising the original source. Imaging preserves the integrity and authenticity of the evidence and allows for verification and validation of the results. Powering down or rebooting the affected system can cause data loss or corruption, while protecting the hardware does not prevent unauthorized access or tampering with the software or data.

  References: 3: CISA Review Manual (Digital Version), Chapter 6, Section 6.4.1 4: CISA Online Review Course, Module 6, Lesson 4

• Question 1850:

  An IS auditor is assessing the adequacy of management's remediation action plan. Which of the following should be the MOST important consideration?

  A. Plan approval by the audit committee
  B. Impacts on future audit work
  C. Criticality of audit findings
  D. Potential cost savings
  C. Criticality of audit findings

  ---

  Explanation

  The most important consideration when assessing the adequacy of management's remediation action plan is the criticality of the audit findings, as this reflects the level of risk and impact that the findings pose to the organization's objectives,

  performance, and value. The IS auditor should evaluate whether the remediation action plan addresses the root causes, mitigates the risks, and resolves the issues of the audit findings in a timely and effective manner. The IS auditor should

  also consider the feasibility, reasonableness, and measurability of the remediation actions.

  References:

  ISACA CISA Review Manual, 27th Edition, page 256

  How to Write an Audit Finding - Dallas Chapter of the IIA How to Write an Audit Report: 14 Steps (with Pictures) - wikiHow