Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1921:

  A finance department has a two-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger in year one the system version upgrade will be applied and in year two business processes will be updated to implement new system functionality. Which of the following should be the PRIMARY focus of an IS auditor reviewing the second year of the implementation'?

  A. Data migration
  B. Sociability testing
  C. User acceptance testing (UAT)
  D. Initial user access provisioning
  C. User acceptance testing (UAT)

  ---

  Explanation

  Explanation

  During the second year of the ERP system upgrade project, the focus shifts to ensuring that the updated business processes integrate seamlessly with the new system functionality. User acceptance testing (UAT) validates that the system

  meets user requirements and business objectives.

  Data Migration (Option A):Data migration is more relevant in the first phase when upgrading the system version.

  Sociability Testing (Option B):This is less critical than confirming user functionality for process changes.

  Initial User Access Provisioning (Option D):This is part of security and access controls but not the primary focus of business process validation.

  ISACA CISA Review Manual, Job Practice Area 3: Information Systems Operations

  and Business Resilience.

• Question 1922:

  Which type of risk would MOST influence the selection of a sampling methodology?

  A. Inherent
  B. Residual
  C. Control
  D. Detection
  D. Detection

  ---

  Explanation

  The type of risk that would most influence the selection of a sampling methodology is detection risk (option D). This is because: Detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion. Detection risk depends on the effectiveness of the audit procedures and how well they are applied by the auditor. The selection of a sampling methodology is part of the design of audit procedures, which aims to reduce detection risk to an acceptable level1. The auditor should consider the following factors when selecting a sampling methodology: The objectives of the audit procedure and the related assertions. The characteristics of the population from which the sample will be drawn, such as its size, homogeneity, and structure. The sampling technique to be used, such as random, systematic, haphazard, or judgmental. The sample size and the method of selecting sample items. The evaluation of the sample results and the projection of errors to the population. The auditor should also consider the advantages and disadvantages of different sampling methodologies, such as statistical and non-statistical sampling. Statistical sampling is a sampling technique that uses random selection and probability theory to evaluate sample results. Non-statistical sampling is a sampling technique that does not use random selection or probability theory to evaluate sample results. Some of the advantages and disadvantages are as follows: Statistical sampling allows the auditor to measure and control sampling risk, which is the risk that the sample is not representative of the population. Statistical sampling also allows the auditor to quantify the precision and reliability of the sample results. However, statistical sampling requires more technical knowledge and skills, as well as more time and cost, than non-statistical sampling. Non-statistical sampling relies on the auditor's professional judgment and experience to select and evaluate sample items. Non-statistical sampling is more flexible and less complex than statistical sampling. However, non-statistical sampling does not provide an objective basis for measuring and controlling sampling risk, nor does it allow the auditor to quantify the precision and reliability of the sample results. Therefore, the type of risk that would most influence the selection of a sampling methodology is detection risk (option D), as it determines how effective and efficient the audit procedures should be in order to provide sufficient appropriate audit evidence.

  References: 1: Audit Sampling - Overview, Purpose, Importance, and Types 2: Audit Sampling | Auditing and Attestation | CPA Exam FAR 3: Audit Sampling | ACCA Qualification | Students | ACCA Global

• Question 1923:

  planning an end-user computing (EUC) audit, it is MO ST important for the IS auditor to

  A. evaluate the organization's EUC policy
  B. evaluate EUC threats and vulnerabilities
  C. obtains an inventory EUC applications
  D. determine EUC materiality and complexity thresholds
  D. determine EUC materiality and complexity thresholds

  ---

  Explanation

• Question 1924:

  Which of the following is the BEST reason to implement a data retention policy?

  A. To establish a recovery point objective (RPO) for disaster recovery procedures
  B. To limit the liability associated with storing and protecting information
  C. To document business objectives for processing data within the organization
  D. To assign responsibility and ownership for data protection outside IT
  B. To limit the liability associated with storing and protecting information

  ---

  Explanation

  The best reason to implement a data retention policy is to limit the liability associated with storing and protecting information. A data retention policy is a business' established protocol for maintaining information, typically defining what data needs to be retained, the format in which it should be kept, how long it should be stored for, whether it should eventually be archived or deleted, who has the authority to dispose of it, and what procedure to follow in the event of a policy violation1. A data retention policy can help an organization to: Comply with legal and regulatory requirements that mandate the retention and disposal of certain types of data, such as financial records, health records, or personal data Reduce the risk of data breaches, theft, loss, or corruption by minimizing the amount of data stored and ensuring proper security measures are in place Save costs and resources by optimizing the use of storage space and reducing the need for backup and recovery operations Enhance operational efficiency and performance by eliminating unnecessary or outdated data and improving data quality and accessibility Support business continuity and disaster recovery plans by ensuring critical data is available and recoverable in case of an emergency Facilitate audit trails and investigations by providing evidence of data authenticity, integrity, and provenance Therefore, by implementing a data retention policy, an organization can limit its liability associated with storing and protecting information, as well as improve its data governance and management practices.

  References: Data Retention Policy 101: Best Practices, Examples and More

• Question 1925:

  Which of the following BEST indicates a need to review an organization's information security policy?

  A. High number of low-risk findings in the audit report
  B. Increasing exceptions approved by management
  C. Increasing complexity of business transactions
  D. Completion of annual IT risk assessment
  B. Increasing exceptions approved by management

  ---

  Explanation

• Question 1926:

  An emergency power-off switch should:

  A. not be identified.
  B. be illuminated.
  C. be protected
  D. not be in the computer room
  B. be illuminated.

  ---

  Explanation

• Question 1927:

  Which audit technique provides the GREATEST assurance that incident management procedures are effective?

  A. Determining whether incidents are categorized and addressed
  B. Performing comprehensive vulnerability scanning and penetration testing
  C. Comparing incident management procedures to best practices
  D. Evaluating end-user satisfaction survey results
  B. Performing comprehensive vulnerability scanning and penetration testing

  ---

  Explanation

• Question 1928:

  When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system. It is MOST effective for an IS auditor to review;

  A. data analytics findings.
  B. audit trails
  C. acceptance lasting results
  D. rollback plans
  A. data analytics findings.

  ---

  Explanation

  When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is most effective for an IS auditor to review data analytics findings. Data analytics is a technique that uses software tools and statistical methods to analyze large volumes of data and identify patterns, anomalies, errors or inconsistencies. Data analytics can help to compare the source and target data sets, validate the data quality and integrity, and detect any data loss or corruption during the migration process. The other options are not as effective, because audit trails only record the actions performed on the data, acceptance testing results only verify the functionality of the new system, and rollback plans only provide contingency measures in case of migration failure.

  References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.6

• Question 1929:

  One advantage of monetary unit sampling is the fact that:

  A. results are stated in terms of the frequency of items in error
  B. it can easily be applied manually when computer resources are not available
  C. it increases the likelihood of selecting material items from the population
  D. large-value population items are segregated and audited separately
  A. results are stated in terms of the frequency of items in error

  ---

  Explanation

• Question 1930:

  Which of the following is MOST important for an IS auditor to assess during a post- implementation review of a newly modified IT application developed in-house?

  A. Sufficiency of implemented controls
  B. Resource management plan
  C. Updates required for end-user manuals
  D. Rollback plans for changes
  A. Sufficiency of implemented controls

  ---

  Explanation

  A post-implementation review (PIR) of a newly modified IT application focuses on ensuring that the system meets business and security requirements effectively. Thesufficiency of implemented controls(A) is the most critical aspect because it

  ensures that security, operational, and compliance controls are functioning correctly.These controls include access controls, data integrity checks, and audit logs to prevent unauthorized access, data corruption, or security breaches.

  Other options:

  Resource management plan (B)is important for project management but is not the primary concern for an IS auditor in a post-implementation review. Updates required for end-user manuals (C)are necessary for usability but do not impact the

  security or operational integrity of the system.

  Rollback plans for changes (D)are important for change management but are typically assessed before deployment, not in a PIR.

  ISACA CISA Review Manual, IT Governance and Management of IT