Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1851:

  During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective. Which of the following is the auditor's BEST action?

  A. Explain to IT management that the new control will be evaluated during follow-up
  B. Re-perform the audit before changing the conclusion.
  C. Change the conclusion based on evidence provided by IT management.
  D. Add comments about the action taken by IT management in the report.
  B. Re-perform the audit before changing the conclusion.

  ---

  Explanation

  The auditor's best action when IT management provides suitable evidence for a control that had been concluded as ineffective is to re-perform the audit before changing the conclusion. This means that the auditor should verify the validity, completeness, and timeliness of the evidence provided by IT management and test the effectiveness of the new control in meeting the audit objectives. The auditor should not change the conclusion based on evidence provided by IT management without re- performing the audit, as this could compromise the auditor's independence and objectivity. The auditor should also not explain to IT management that the new control will be evaluated during follow-up or add comments about the action taken by IT management in the report, as these actions do not address the original audit finding.

  References: CISA Review Manual, 27th Edition, page 439

• Question 1852:

  Which of the following is the MAJOR advantage of automating internal controls?

  A. To enable the review of large value transactions
  B. To efficiently test large volumes of data
  C. To help identity transactions with no segregation of duties
  D. To assist in performing analytical reviews
  B. To efficiently test large volumes of data

  ---

  Explanation

  The major advantage of automating internal controls is to efficiently test large volumes of data, because automated controls can perform repetitive tasks faster, more accurately, and more consistently than manual controls. Automated controls can also provide audit trails and exception reports that facilitate the monitoring and evaluation of the control effectiveness12. Reviewing large value transactions, identifying transactions with no segregation of duties, and performing analytical reviews are possible benefits of automating internal controls, but not the major advantage.

  References: 1: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.2 2: CISA Online Review Course, Module 5, Lesson 2

• Question 1853:

  A shared resource matrix is a technique commonly used to locate:

  A. Malicious code
  B. Security flaws
  C. Trap doors
  D. Covert channels
  D. Covert channels

  ---

  Explanation

  Analyzing resources of a system is one standard for locating covert channels because the basis of a covert channel is a shared resource. The following properties must hold for a storage channel to exist:

  1. Both sending and receiving process must have access to the same attribute of a shared object.

  2. The sending process must be able to modify the attribute of the shared object.

  3. The receiving process must be able to reference that attribute of the shared object.

  4. A mechanism for initiating both processes and properly sequencing their respective accesses to the shared resource must exist.

  Note: Similar properties for timing channel can be listed

  The following answers are incorrect:

  All other answers were not directly related to discovery of Covert Channels.

  Acerbic Publications, Acerbic Publications (Test Series) - CRC Press LLC, Page No. 225

  http://www.cs.ucsb.edu/~sherwood/cs290/papers/covert-kemmerer.pdf

  http://www.cs.utexas.edu/~byoung/cs361/lecture16.pdf

  http://www.cs.utexas.edu/~byoung/cs361/lecture16.pdf

• Question 1854:

  Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

  A. Program coding standards have been followed
  B. Acceptance test criteria have been developed
  C. Data conversion procedures have been established.
  D. The design has been approved by senior management.
  B. Acceptance test criteria have been developed

  ---

  Explanation

  The most important thing for an IS auditor to determine during the detailed design phase of a system development project is that acceptance test criteria have been developed. Acceptance test criteria define the expected functionality, performance and quality of the system, and are used to verify that the system meets the user requirements and specifications. The IS auditor should ensure that the acceptance test criteria are clear, measurable and agreed upon by all stakeholders. Program coding standards have been followed is something that the IS auditor should check during the coding or testing phase, not the detailed design phase. Data conversion procedures have been established or the design has been approved by senior management are things that the IS auditor should verify during the implementation phase, not the detailed design phase.

  References: ISACA, CISA Review Manual, 27th Edition, 2018, page 323

• Question 1855:

  Which of the following network topologies will provide the GREATEST fault tolerance?

  A. Bus configuration
  B. Mesh configuration
  C. Star configuration
  D. Ring configuration
  B. Mesh configuration

  ---

  Explanation

• Question 1856:

  Which of the following is the PRIMARY objective of the IS audit function?

  A. Perform reviews based on standards developed by professional organizations.
  B. Reports to management on the functioning of internal controls.
  C. Certify the accuracy of financial data.
  D. Facilitate extraction of computer-based data for substantive testing.
  A. Perform reviews based on standards developed by professional organizations.

  ---

  Explanation

• Question 1857:

  Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

  A. privacy
  B. Maintainability
  C. Scalability
  D. Nonrepudiation
  A. privacy

  ---

  Explanation

  RFID stands for Radio Frequency Identification, and it is a technology that uses radio waves to identify or track objects that have a small chip (RFID tag) attached to them. RFID tags can store various types of information, such as serial numbers, product codes, or personal data. RFID readers can scan the tags from a distance and access the information without physical contact1. RFID has many benefits for different applications, such as inventory management, supply chain optimization, asset tracking, and access control. However, RFID also poses some challenges and risks for information security and privacy. Some of these risks are: Privacy: RFID tags can be read by unauthorized or malicious parties, who can collect personal or sensitive data without the knowledge or consent of the tag owners. This can lead to identity theft, profiling, tracking, or surveillance2. For example, a hacker could scan an RFID-tagged passport or credit card and steal the personal information or financial details of the owner3. Communication attacks: RFID systems are vulnerable to various types of attacks that target the wireless communication between the tags and the readers. These include eavesdropping, jamming, spoofing, replaying, cloning, or modifying the data transmitted by the tags or the readers4. For example, an attacker could intercept the data from an RFID tag and alter it before sending it to the reader, causing false or misleading information to be recorded. Mafia fraud: This is a type of attack where an adversary acts as a man-in-the-middle and relays the information between two legitimate parties. This can allow the adversary to bypass authentication or authorization mechanisms and gain access to restricted areas or resources. For example, an attacker could use a device to relay the signal from an RFID- tagged car key to the car's ignition system and start the car without having the physical key.

• Question 1858:

  Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?

  A. Performing a cyber resilience test
  B. Performing a full interruption test
  C. Performing a tabletop test
  D. Performing a parallel test
  B. Performing a full interruption test

  ---

  Explanation

  A full interruption test is the most realistic and reliable way to ensure that recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP). RTOs are the maximum amount of time that a business can tolerate being offline after a disaster. A full interruption test involves shutting down the primary site and switching over to the backup site, simulating a real disaster scenario. This test can measure the actual time it takes to restore the systems, applications, and functions that are critical for the business continuity. A full interruption test can also reveal any issues or gaps in the DRP that might affect the recovery process. The other options are not as effective as a full interruption test for ensuring RTOs are met. A cyber resilience test is a type of DR test that focuses on the ability to withstand and recover from cyberattacks. It does not necessarily cover other types of disasters or test the entire DRP. A tabletop test is a low-impact DR test that involves a walkthrough of the DRP with the key stakeholders and staff. It does not involve any actual switching over or testing of the backup systems. A parallel test is a type of DR test that involves running the backup systems alongside the primary systems, without disrupting the normal operations. It does not measure the time it takes to switch over or resume operations at the backup site.

  References: Best Practices For Disaster Recovery Testing Disaster recovery testing Disaster Recovery Testing: Everything to Know

• Question 1859:

  A proper audit trail of changes to server start-up procedures would include evidence of:

  A. subsystem structure.
  B. program execution.
  C. security control options.
  D. operator overrides.
  D. operator overrides.

  ---

  Explanation

  A proper audit trail of changes to server start-up procedures would include evidence of operator overrides, which are actions taken by the system operator to bypass or modify the normal execution of the server start-up process. Operator overrides may indicate unauthorized or improper changes that could affect the security, availability, or performance of the server. Therefore, an audit trail should capture and document any operator overrides that occur during the server startup process. Evidence of subsystem structure, program execution, and security control options are not directly related to changes to server start-up procedures. Subsystem structure refers to the components and relationships of a subsystem within a larger system. Program execution refers to the process of running a software program on a computer. Security control options refer to the settings and parameters that define the security level and access rights for a system or application. These are all important aspects of auditing a server, but they do not provide evidence of changes to server start-up procedures.

• Question 1860:

  An organization produces control reports with a desktop application that accesses data in the central production database. Which of the following would give an IS auditor concern about the reliability of these reports?

  A. The reports are printed by the same person who reviews them.
  B. The reports are available to all end users.
  C. The report definitions file is not included in routine backups.
  D. The report definitions can be modified by end users.
  D. The report definitions can be modified by end users.

  ---

  Explanation

  Explanation