Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1951:

  Which of the following should an IS auditor review when evaluating information systems governance for a large organization?

  A. Approval processes for new system implementations
  B. Procedures for adding a new user to the invoice processing system
  C. Approval processes for updating the corporate website
  D. Procedures for regression testing system changes
  A. Approval processes for new system implementations

  ---

  Explanation

  Information systems governance is the set of policies, processes, structures, and practices that ensure the alignment of IT with business objectives, the delivery of value from IT investments, the management of IT risks, and the optimization of IT resources1. Information systems governance is a strategic and high-level function that covers the entire organization and its IT portfolio. Therefore, an IS auditor should review the aspects of information systems governance that are relevant to the organization's vision, mission, goals, and strategies. One of the aspects that an IS auditor should review when evaluating information systems governance for a large organization is the approval processes for new system implementations. This is because new system implementations are significant IT investments that require careful planning, analysis, design, development, testing, deployment, and evaluation to ensure that they meet the business requirements, deliver the expected benefits, comply with the relevant standards and regulations, and minimize the potential risks2. The approval processes for new system implementations should involve the appropriate stakeholders, such as senior management, business owners, IT managers, project managers, users, and auditors, who have the authority and responsibility to approve or reject the proposed system implementations based on predefined criteria and metrics3. The approval processes for new system implementations should also be documented, transparent, consistent, and timely to ensure accountability and traceability4. Therefore, an IS auditor should review the approval processes for new system implementations to assess whether they are aligned with the information systems governance framework and objectives. The other possible options are: Procedures for adding a new user to the invoice processing system: This is an operational task that involves granting access rights and permissions to a specific user for a specific system based on the principle of least privilege. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization. Approval processes for updating the corporate website: This is a tactical task that involves making changes or enhancements to the content or design of the corporate website based on the business needs and feedback. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization. Procedures for regression testing system changes: This is a technical task that involves verifying that existing system functionalities are not adversely affected by new system changes or updates. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization.

  References: 1: What is IT Governance? - Definition from Techopedia 2: System Implementation - an overview | ScienceDirect Topics 3: Project Approval Process - Project Management Knowledge 4: 5 Best Practices For A Successful Project Approval Process | Kissflow Project : Principle of Least Privilege (POLP) | Imperva : How to Update Your Website Content - 7 Step Guide | HostGator Blog : What Is Regression Testing? Definition and Best Practices | BrowserStack

• Question 1952:

  An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?

  A. Administrator passwords do not meet organizational security and complexity requirements.
  B. The number of support staff responsible for job scheduling has been reduced.
  C. The scheduling tool was not classified as business-critical by the IT department.
  D. Maintenance patches and the latest enhancement upgrades are missing.
  D. Maintenance patches and the latest enhancement upgrades are missing.

  ---

  Explanation

  The performance and reliability of a job scheduling tool can be significantly affected if maintenance patches and the latest enhancement upgrades are missing. These patches and upgrades often contain fixes for known issues and improvements to the tool's functionality. If they are not applied, the tool may continue to exhibit known problems or fail to benefit from enhancements that could improve its performance and reliability. While factors like administrator password requirements23, number of support staff45, and tool classification can impact various aspects of a tool's operation, they are less likely to be the direct cause of performance and reliability problems.

  References: Patch Management Definition and Best Practices - Rapid7 Password must meet complexity requirements - Windows Security NIST's New Password Rule Book: Updated Guidelines Offer Benefits and Risk - ISACA Workforce optimization: Staff scheduling with AI | McKinsey Poor Employee Scheduling - Major Consequences And Solutions A Critical Analysis of Job Shop Scheduling in Context of Industry 4.0

• Question 1953:

  To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications. Which of the following is MOST helpful to review when identifying which servers are no longer required?

  A. Performance feedback from the user community
  B. Contract with the server vendor
  C. Server CPU usage trends
  D. Mean time between failure (MTBF) of each server
  C. Server CPU usage trends

  ---

  Explanation

  When identifying which servers are no longer required, reviewing server CPU usage trends is the most helpful approach. Monitoring the CPU usage over time provides insights into how actively a server is being utilized. Servers with

  consistently low CPU usage may be candidates for consolidation or decommissioning. By analyzing CPU utilization patterns, IT management can make informed decisions about which servers can be retired without impacting performance or

  availability.

  References:

  1.ISACA. "Technical Guide on IT Migration Audit." 1(http://kb.icai.org/pdfs/PDFFile5b278a12a66758.27269499.pdf)

  2.Zapier. "IT audit: The ultimate guide [with checklist]." 2(https://zapier.com/blog/it-audit/)

  3.ISACA. "CISA Certification | Certified Information Systems Auditor." 3(https://www.isaca.org/credentialing/cisa)

• Question 1954:

  During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

  A. Require the auditee to address the recommendations in full.
  B. Adjust the annual risk assessment accordingly.
  C. Evaluate senior management's acceptance of the risk.
  D. Update the audit program based on management's acceptance of risk.
  C. Evaluate senior management's acceptance of the risk.

  ---

  Explanation

  The best course of action for an IS auditor who finds that some critical recommendations have not been implemented is to evaluate senior management's acceptance of the risk. The IS auditor should understand the reasons why the recommendations have not been implemented and the implications for the organization's risk exposure. The IS auditor should also verify that senior management has formally acknowledged and accepted the residual risk and has documented the rationale and justification for their decision. The IS auditor should communicate the findings and the risk acceptance to the audit committee and other relevant stakeholders.

  References: CISA Review Manual (Digital Version) CISA Questions, Answers and Explanations Database

• Question 1955:

  An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST

  A. document the exception in an audit report.
  B. review security incident reports.
  C. identify compensating controls.
  D. notify the audit committee.
  C. identify compensating controls.

  ---

  Explanation

  The first action that an IS auditor should take when finding a high-risk vulnerability in a public-facing web server used to process online customer payments is to identify compensating controls. Compensating controls are alternative or additional controls that provide reasonable assurance of mitigating the risk of exploiting the vulnerability. The IS auditor should assess the effectiveness of the compensating controls and determine whether they reduce the risk to an acceptable level. If not, the IS auditor should recommend remediation actions to address the vulnerability. Documenting the exception in an audit report is an important action, but it should not be the first action, as it does not address the urgency of the situation. Reviewing security incident reports is a useful action, but it should not be the first action, as it does not provide assurance of preventing future incidents. Notifying the audit committee is a necessary action, but it should not be the first action, as it does not involve taking any corrective measures.

  References: CISA Review Manual, 27th Edition, pages 295-2961 CISA Review Questions, Answers and Explanations Database, Question ID: 260

• Question 1956:

  When planning an audit to assess controls for an application in the cloud environment, it is MOST important for an IS auditor to understand:

  A. The noncompliance fee for violating a service level agreement (SLA).
  B. Availability reports from the cloud platform architecture.
  C. The shared responsibility model between cloud provider and organization.
  D. Business process reengineering that is supported by the cloud system.
  C. The shared responsibility model between cloud provider and organization.

  ---

  Explanation

  Explanation

• Question 1957:

  During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

  A. perform a business impact analysis (BIA).
  B. issue an intermediate report to management.
  C. evaluate the impact on current disaster recovery capability.
  D. conduct additional compliance testing.
  C. evaluate the impact on current disaster recovery capability.

  ---

  Explanation

  The first step that an IS auditor should take when finding that a business impact analysis (BIA) has not been performed is to evaluate the impact on current disaster recovery capability. A BIA is a process that identifies and analyzes the potential effects of disruptions to critical business functions and processes. A BIA helps determine the recovery priorities, objectives, and strategies for the organization. Without a BIA, the disaster recovery plan may not be aligned with the business needs and expectations, and may not provide adequate protection and recovery for the most critical assets and activities. Therefore, an IS auditor should assess how the lack of a BIA affects the current disaster recovery capability and identify any gaps or risks that need to be addressed. Performing a BIA, issuing an intermediate report to management, and conducting additional compliance testing are not the first steps that an IS auditor should take when finding that a BIA has not been performed. These steps may be done later in the audit process, after evaluating the impact on current disaster recovery capability. Performing a BIA is not the responsibility of the IS auditor, but of the business owners and managers. Issuing an intermediate report to management may be premature without sufficient evidence and analysis. Conducting additional compliance testing may not be relevant or necessary without a clear understanding of the disaster recovery requirements and objectives.

• Question 1958:

  A national bank recently migrated a large number of business-critical applications to the cloud. Which of the following is MOST important to ensuring the resiliency of the applications?

  A. Negotiating a nondisclosure agreement (NDA) with the provider
  B. Conducting periodic system stress testing
  C. Creating restore points for critical applications
  D. Using a monitoring tool to assess uptime
  C. Creating restore points for critical applications

  ---

  Explanation

  Explanation

• Question 1959:

  Which of the following is the BEST approach to help organizations address risks associated with shadow IT?

  A. Implementing policies that prohibit the use of unauthorized systems and solutions
  B. Training employees on information security and conducting routine follow-ups
  C. Providing employees with access to necessary systems and unlimited software licenses
  D. Conducting regular security assessments to identify unauthorized systems and solutions
  A. Implementing policies that prohibit the use of unauthorized systems and solutions

  ---

  Explanation

  Explanation

• Question 1960:

  Which of the following BEST enables an organization to determine the effectiveness of its information security awareness program?

  A. Measuring user satisfaction with the quality of the training
  B. Evaluating the results of a social engineering exercise
  C. Reviewing security staff performance evaluations
  D. Performing an analysis of the number of help desk calls
  B. Evaluating the results of a social engineering exercise

  ---

  Explanation

  The effectiveness of an information security awareness program is best measured by assessing real-world behavior rather than subjective feedback or indirect metrics. Social engineering exercises simulate real-world attack scenarios, testing

  whether employees can identify and respond appropriately to security threats. This directly evaluates the program's impact on employee behavior and awareness. Measuring User Satisfaction (Option A):While useful for feedback, satisfaction

  does not measure the effectiveness of awareness in preventing security incidents. Reviewing Security Staff Performance Evaluations (Option C):This focuses on staff capabilities rather than the awareness program's effectiveness. Analyzing

  Help Desk Calls (Option D):This might provide insight into recurring issues but does not directly measure the program's success in changing user behavior.

  Conducting social engineering exercises aligns with best practices for assessing organizational security awareness.

  ISACA CISA Review Manual, Job Practice Area 2: Information Systems Audit and Assurance.