Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1901:

  Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?

  A. Insufficient processes to track ownership of each EUC application?
  B. Insufficient processes to lest for version control
  C. Lack of awareness training for EUC users
  D. Lack of defined criteria for EUC applications
  D. Lack of defined criteria for EUC applications

  ---

  Explanation

  The finding that should be of greatest concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization is the lack of defined criteria for EUC applications. EUC applications are applications that are developed and maintained by end-users, rather than by IT professionals, to support their business functions and processes. Examples of EUC applications include spreadsheets, databases, reports, and scripts. The lack of defined criteria for EUC applications means that the organization does not have clear and consistent standards or guidelines to identify, classify, and manage EUC applications. This can lead to various risks, such as: Inaccurate or unreliable data and results from EUC applications that are not validated, verified, or tested Unauthorized or inappropriate access or use of EUC applications that are not secured, controlled, or monitored Inconsistent or incompatible data and results from EUC applications that are not integrated, documented, or updated Loss or corruption of data and results from EUC applications that are not backed up, recovered, or archived Therefore, the IS auditor should be most concerned about the lack of defined criteria for EUC applications, as it can affect the quality, integrity, and availability of the EUC applications and the data they produce. Insufficient processes to track ownership of each EUC application is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. The ownership of an EUC application refers to the person or group who is responsible for creating, maintaining, and using the EUC application. Insufficient processes to track ownership of each EUC application means that the organization does not have adequate mechanisms or records to identify and communicate who owns each EUC application. This can lead to risks, such as: Lack of accountability or ownership for the quality and accuracy of the EUC application and its data Lack of support or maintenance for the EUC application when the owner leaves or changes roles Lack of awareness or training for the users of the EUC application on its purpose and functionality However, these risks are less severe than those caused by the lack of defined criteria for EUC applications. Insufficient processes to test for version control is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. Version control is a process that tracks and manages the changes made to an EUC application over time. Insufficient processes to test for version control means that the organization does not have adequate procedures or tools to ensure that the changes made to an EUC application are authorized, documented, and tested. This can lead to risks, such as: Errors or inconsistencies in the data and results from different versions of the EUC application Conflicts or confusion among the users of the EUC application on which version is current or correct Loss or overwrite of data and results from previous versions of the EUC application However, these risks are less severe than those caused by the lack of defined criteria for EUC applications. Lack of awareness training for EUC users is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. Awareness training for EUC users is a process that educates and informs the users of the EUC applications on their roles, responsibilities, and risks. Lack of awareness training for EUC users means that the organization does not have adequate programs or materials to raise the knowledge and skills of the users on how to use and manage the EUC applications effectively and securely. This can lead to risks, such as: Misuse or abuse of the EUC applications by users who are not aware of their impact or implications Non-compliance or violation of policies or regulations by users who are not aware of their requirements or expectations Dissatisfaction or frustration among users who are not aware of their benefits or limitations However, these risks are less severe than those caused by the lack of defined criteria for EUC applications.

  References: End-user computing - Wikipedia How to Manage the Risks Associated with End User Computing 2 Managing end user computing risks - KPMG UK 3

• Question 1902:

  An IS auditor Is renewing the deployment of a new automated system Which of the following findings presents the MOST significant risk?

  A. The new system has resulted m layoffs of key experienced personnel.
  B. Users have not been trained on the new system.
  C. Data from the legacy system is not migrated correctly to the new system.
  D. The new system is not platform agnostic
  C. Data from the legacy system is not migrated correctly to the new system.

  ---

  Explanation

  The finding that presents the most significant risk when reviewing the deployment of a new automated system is that data from the legacy system is not migrated correctly to the new system. Data migration is a critical process that involves transferring data from one system to another, ensuring its accuracy, completeness, integrity, and usability. If data migration is not performed correctly, it can result in data loss, corruption, inconsistency, or duplication, which can affect the functionality, performance, reliability, and security of the new system. Data migration errors can also have serious business implications, such as affecting decision making, reporting, compliance, customer service, and revenue. The other findings (A, B and D) are less significant risks, as they can be mitigated by rehiring or retraining personnel, providing user training, or adapting the system to different platforms.

• Question 1903:

  Which of the following is the MOST important consideration for a contingency facility?

  A. The contingency facility has the same badge access controls as the primary site.
  B. Both the contingency facility and the primary site have the same number of business assets in their inventory.
  C. The contingency facility is located a sufficient distance away from the primary site.
  D. Both the contingency facility and the primary site are easily identifiable.
  C. The contingency facility is located a sufficient distance away from the primary site.

  ---

  Explanation

  A contingency facility is a backup site that can be used to resume business operations in the event of a disaster or disruption at the primary site. The most important consideration for a contingency facility is that it is located a sufficient distance away from the primary site, so that it is not affected by the same event that caused the disruption. For example, if the primary site is damaged by a fire, flood, earthquake, or terrorist attack, the contingency facility should be in a different geographic area that is unlikely to experience the same hazard. This way, the organization can continue to provide its services and products to its customers and stakeholders without interruption. The other options are not as important as the location of the contingency facility. The badge access controls, the number of business assets, and the identifiability of the sites are secondary factors that may affect the security and efficiency of the contingency facility, but they are not essential for its functionality. Therefore, option C is the correct answer.

  References: The Importance of Contingency Planning WHO guidance for contingency planning

• Question 1904:

  Which of the following would BEST protect the confidentiality of sensitive data in transit between multiple offices?

  A. Hash algorithms
  B. Digital signatures
  C. Public key infrastructure (PKI)
  D. Kerberos
  C. Public key infrastructure (PKI)

  ---

  Explanation

  Explanation

• Question 1905:

  When an intrusion into an organization's network is detected, which of the following should be done FIRST?

  A. Notify senior management.
  B. Block all compromised network nodes.
  C. Identify nodes that have been compromised.
  D. Contact law enforcement.
  D. Contact law enforcement.

  ---

  Explanation

• Question 1906:

  Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?

  A. Data privacy must be managed in accordance with the regulations applicable to the organization.
  B. Data privacy must be monitored in accordance with industry standards and best practices.
  C. No personal information may be transferred to the service provider without notifying the customer.
  D. Customer data transferred to the service provider must be reported to the regulatory authority.
  D. Customer data transferred to the service provider must be reported to the regulatory authority.

  ---

  Explanation

• Question 1907:

  An organization has both an IT strategy committee and an IT steering committee. When reviewing the minutes of the IT steering committee, an IS auditor would expect to find that the committee:

  A. assessed the contribution of IT to the business.
  B. acquired and assigned appropriate resources for projects.
  C. compared the risk and return of IT investments.
  D. reviewed the achievement of the strategic IT objective.
  B. acquired and assigned appropriate resources for projects.

  ---

  Explanation

• Question 1908:

  An IS auditor finds a number of system accounts that do not have documented approvals. Which of the following should be performed FIRST by the auditor?

  A. Have the accounts removed immediately
  B. Obtain sign-off on the accounts from the application owner
  C. Document a finding and report an ineffective account provisioning control
  D. Determine the purpose and risk of the accounts
  D. Determine the purpose and risk of the accounts

  ---

  Explanation

• Question 1909:

  Which of the following BEST demonstrates the degree of alignment between IT and business strategy?

  A. Number of IT projects driven by business requirements
  B. Percentage of users aware of information security policies
  C. Number of IT policies that refer directly to business goals
  D. Percentage of IT value drivers mapped to business value drivers
  D. Percentage of IT value drivers mapped to business value drivers

  ---

  Explanation

• Question 1910:

  An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction. Which of the following should the auditor do NEXT?

  A. Report the variance immediately to the audit committee
  B. Request an explanation of the variance from the auditee
  C. Increase the sample size to 100% of the population
  D. Exclude the transaction from the sample population
  B. Request an explanation of the variance from the auditee

  ---

  Explanation

  An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction. The next step that the auditor should do is to request an explanation of the variance from the auditee. This is because the variance may indicate an error, fraud, or an unusual but legitimate transaction that requires further investigation. The auditor should not report the variance immediately to the audit committee without verifying its cause and significance. The auditor should not increase the sample size to 100% of the population without considering the cost-benefit analysis and the sampling methodology. The auditor should not exclude the transaction from the sample population without justification, as it may affect the validity and reliability of the audit results.

  References: CISA Review Manual (Digital Version), [ISACA Auditing Standards]