Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1961:

  Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's information security program?

  A. The program was not formally signed off by the sponsor.
  B. Key performance indicators (KPIs) are not established.
  C. Not all IT staff are aware of the program.
  D. The program was last updated five years ago.
  B. Key performance indicators (KPIs) are not established.

  ---

  Explanation

• Question 1962:

  Which of the following should be the PRIMARY objective of conducting an audit follow-up of management action plans?

  A. To verify that risks listed in the audit report have been properly mitigated
  B. To identify new risks and controls for the organization
  C. To ensure senior management is aware of the audit findings
  D. To align the management action plans with business requirements
  A. To verify that risks listed in the audit report have been properly mitigated

  ---

  Explanation

• Question 1963:

  Which of the following is the BEST way to ensure email confidentiality in transit?

  A. Encryption of corporate network traffic
  B. Complex user passwords
  C. End-to-end encryption
  D. Digital signatures
  C. End-to-end encryption

  ---

  Explanation

  End-to-end encryption ensures that email content is encrypted during transmission and can only be decrypted by the intended recipient. This approach provides robust protection against interception and unauthorized access. Encryption of

  Corporate Network Traffic (Option A):This does not address email confidentiality once the email leaves the corporate network. Complex User Passwords (Option B):Enhances account security but does not ensure email confidentiality in

  transit.

  Digital Signatures (Option D):Ensures authenticity and integrity but does not encrypt the email content.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

• Question 1964:

  The BEST way to provide assurance that a project is adhering to the project plan is to:

  A. require design reviews at appropriate points in the life cycle.
  B. have an IS auditor participate on the steering committee.
  C. have an IS auditor participate on the quality assurance (QA) team.
  D. conduct compliance audits at major system milestones.
  D. conduct compliance audits at major system milestones.

  ---

  Explanation

  The best way to provide assurance that a project is adhering to the project plan is to conduct compliance audits at major system milestones. A compliance audit is a systematic and independent examination of the project's activities, documents, and deliverables to determine whether they conform to the project plan and its specifications, standards, and requirements1. A major system milestone is a significant point or event in the project's life cycle that marks the completion of a phase, stage, or deliverable. By conducting compliance audits at major system milestones, the auditor can provide assurance that the project is adhering to the project plan by: Verifying that the project's scope, schedule, budget, quality, and risks are aligned with the project plan and its objectives Identifying any deviations, discrepancies, or non-compliances that may affect the project's performance or outcome Recommending and monitoring corrective and preventive actions to address the identified issues and improve the project's compliance Reporting and communicating the audit findings, conclusions, and recommendations to the relevant stakeholders The other options are not as effective as conducting compliance audits at major system milestones for providing assurance that the project is adhering to the project plan. Requiring design reviews at appropriate points in the life cycle is a useful technique for ensuring that the project's design meets the user and business requirements and follows the design standards and best practices3. However, design reviews are not sufficient for providing assurance that the project is adhering to the project plan, as they do not cover other aspects of the project such as schedule, budget, quality, or risks. Having an IS auditor participate on the steering committee is a possible way for providing assurance that the project is adhering to the project plan, as the auditor can provide independent advice and oversight to the steering committee on quality management issues and remediation efforts4. However, this may not be feasible or appropriate for every project, as it may create a conflict of interest or compromise the auditor's objectivity and independence. Having an IS auditor participate on the quality assurance (QA) team is another possible way for providing assurance that the project is adhering to the project plan, as the auditor can assist the QA team in implementing procedures to facilitate adoption of quality management best practices5. However, this may also not be feasible or appropriate for every project, as it may create a conflict of interest or compromise the auditor's objectivity and independence. Therefore, option D is the correct answer.

  References: What Is Compliance Audit? Definition and Process | ASQ What Is A Project Milestone? - The Basics Design Review - an overview | ScienceDirect Topics Project success through project assurance - Project Management Institute Quality Assurance Team: Roles and Responsibilities

• Question 1965:

  An IS auditor is reviewing an artificial intelligence (Al) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?

  A. Review the decision-making logic built into the system.
  B. Interview the system owner.
  C. Understand the purpose and functionality of the system.
  D. Verify system adherence to corporate policy.
  A. Review the decision-making logic built into the system.

  ---

  Explanation

• Question 1966:

  Which of the following is MOST important to consider when determining the usefulness of audit evidence?

  A. Timing of the evidence
  B. Nature of evidence gathered
  C. Overall objectives of the review
  D. Competence of the IS auditor
  C. Overall objectives of the review

  ---

  Explanation

• Question 1967:

  Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

  A. Media recycling policy
  B. Media sanitization policy
  C. Media labeling policy
  D. Media shredding policy
  B. Media sanitization policy

  ---

  Explanation

  Data disposal controls are the measures that ensure that data are securely and permanently erased or destroyed when they are no longer needed or authorized to be retained. Data disposal controls support business strategic objectives by reducing the risk of data breaches, complying with data privacy regulations, optimizing the use of storage resources, and enhancing the reputation and trust of the organization1. A media sanitization policy is a document that defines the roles, responsibilities, procedures, and standards for sanitizing different types of media that contain sensitive or confidential data. Media sanitization is the process of removing or modifying data on a media device to make it unreadable or unrecoverable by any means. Media sanitization can be achieved by various methods, such as overwriting, degaussing, encryption, or physical destruction2. A media sanitization policy would provide an IS auditor with the greatest assurance that data disposal controls support business strategic objectives because it demonstrates that the organization has a clear and consistent approach to protect its data from unauthorized access or disclosure throughout the data life cycle. A media sanitization policy also helps the organization to comply with various data privacy regulations, such as the EU General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS), that require proper disposal of personal or sensitive data3. The other options are not as effective as a media sanitization policy in providing assurance that data disposal controls support business strategic objectives. A media recycling policy is a document that defines the criteria and procedures for reusing media devices that have been sanitized or erased. A media recycling policy can help the organization to save costs and reduce environmental impact, but it does not address how the data are disposed of in the first place4. A media labeling policy is a document that defines the rules and standards for labeling media devices that contain sensitive or confidential data. A media labeling policy can help the organization to identify and classify its data assets, but it does not specify how the data are sanitized or destroyed when they are no longer needed. A media shredding policy is a document that defines the methods and procedures for physically destroying media devices that contain sensitive or confidential data. A media shredding policy can be a part of a media sanitization policy, but it is not sufficient to cover all types of media devices or data disposal scenarios.

  References: ISACA, CISA Review Manual, 27th Edition, 2019 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription Secure Data Disposal and Destruction: 6 Methods to Follow1 Why (and How to) Dispose of Digital Data2 What is Data Disposition? The Complete Guide3 Data Disposition: What is it and why should it be part of your data retention policy?

• Question 1968:

  Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?

  A. Ensuring standards are adhered to within the development process
  B. Ensuring the test work supports observations
  C. Updating development methodology
  D. Implementing solutions to correct defects
  D. Implementing solutions to correct defects

  ---

  Explanation

  Implementing solutions to correct defects is a responsibility of the development function, not the quality assurance (QA) function. The QA function should ensure that the development process follows the established standards and methodologies, and that the defects are identified and reported. The QA function should not be involved in fixing the defects, as this would compromise its independence and objectivity. The other options are valid responsibilities of the QA function, and they should not raise concern for an IS auditor.

  References: CISA Review Manual (Digital Version) 1, page 300.

• Question 1969:

  Which of the following BEST Indicates that an incident management process is effective?

  A. Decreased time for incident resolution
  B. Increased number of incidents reviewed by IT management
  C. Decreased number of calls lo the help desk
  D. Increased number of reported critical incidents
  A. Decreased time for incident resolution

  ---

  Explanation

  Decreased time for incident resolution is the best indicator that an incident management process is effective. Incident management is a process that aims to restore normal service operation as quickly as possible after an incident, which is an unplanned interruption or reduction in quality of an IT service. Decreased time for incident resolution means that the incident management process is able to identify, analyze, respond to, and resolve incidents efficiently and effectively. The other indicators do not necessarily reflect the effectiveness of the incident management process, as they may depend on other factors such as the nature, frequency, and severity of incidents.

  References: CISA Review Manual, 27th Edition, page 372

• Question 1970:

  Which of the following is MOST critical to include when developing a data loss prevention (DLP) policy?

  A. Identification of the relevant network channels requiring protection
  B. Identification of the users, groups and roles to whom the policy will apply
  C. Identification of enforcement actions
  D. Identification of the content to protect
  D. Identification of the content to protect

  ---

  Explanation