Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1971:

  Which of the following is the MOST effective sampling method for an IS auditor to use for identifying fraud and circumvention of regulations?

  A. Discovery sampling
  B. Stop-or-go sampling
  C. Statistical sampling
  D. Variable sampling
  A. Discovery sampling

  ---

  Explanation

• Question 1972:

  An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization's RACI chart. Which of the following roles within the chart would provide this information?

  A. Consulted
  B. Informed
  C. Responsible
  D. Accountable
  D. Accountable

  ---

  Explanation

  The role within the RACI chart that would provide information on who has oversight of staff performing a specific task is accountable. A RACI chart is a matrix that defines and assigns the roles and responsibilities of different stakeholders for a project, process, or activity. RACI stands for responsible, accountable, consulted, and informed. Accountable is the role that has the authority and oversight to approve or reject the work done by the responsible role. The other options are not the roles that provide information on who has oversight of staff performing a specific task, as they have different meanings and functions. Consulted is the role that provides input or advice to the responsible or accountable roles. Informed is the role that receives updates or reports from the responsible or accountable roles. Responsible is the role that performs or executes the work or task.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

• Question 1973:

  The IS auditor's PRIMARY role in control self-assessment (CSA) is to:

  A. evaluate the controls.
  B. facilitate the process.
  C. identify weaknesses.
  D. draw up an action plan.
  C. identify weaknesses.

  ---

  Explanation

• Question 1974:

  During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date When assessing the seventy of this finding, which mitigating factor would MOST significantly minimize the associated impact?

  A. There are documented compensating controls over the business processes.
  B. The risk acceptances were previously reviewed and approved by appropriate senior management
  C. The business environment has not significantly changed since the risk acceptances were approved.
  D. The risk acceptances with issues reflect a small percentage of the total population
  A. There are documented compensating controls over the business processes.

  ---

  Explanation

  The mitigating factor that would most significantly minimize the impact of not renewing IT risk acceptances in a timely manner is having documented compensating controls over the business processes. Compensating controls are alternative controls that reduce or eliminate the risk when the primary control is not feasible or cost-effective. The other factors, such as previous approval by senior management, unchanged business environment, and small percentage of issues, do not mitigate the risk as effectively as compensating controls.

  References: ISACA CISA Review Manual 27th Edition Chapter 1

• Question 1975:

  An IS auditor is reviewing how password resets are performed for users working remotely. Which type of documentation should be requested to understand the detailed steps required for this activity?

  A. Standards
  B. Guidelines
  C. Policies
  D. Procedures
  D. Procedures

  ---

  Explanation

• Question 1976:

  Which of the following is the MOST cost-effective way to determine the effectiveness of a business continuity plan (BCP)?

  A. Full operational test
  B. Post-implementation review
  C. Stress test
  D. Tabletop exercise
  D. Tabletop exercise

  ---

  Explanation

  Explanation

• Question 1977:

  Which of the following is the GREATEST risk associated with utilizing spreadsheets for financial reporting in end-user computing (EUC)?

  A. Lack of password protection
  B. Lack of processing integrity
  C. Increase in regulatory violations
  D. Increase in operational incidents
  B. Lack of processing integrity

  ---

  Explanation

  Explanation

• Question 1978:

  Which of the following findings related to segregation of duties should be of GREATEST concern to an IS auditor?

  A. The person who tests source code also approves changes.
  B. The person who administers servers is also part of the infrastructure management team.
  C. The person who creates new user accounts also modifies user access levels.
  D. The person who edits source code also has write access to production.
  D. The person who edits source code also has write access to production.

  ---

  Explanation

• Question 1979:

  Which of the following ACID property in DBMS ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other?

  A. Atomicity
  B. Consistency
  C. Isolation
  D. Durability
  C. Isolation

  ---

  Explanation

  Isolation - The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other.

  For CISA exam you should know below information about ACID properties in DBMS:

  Atomicity - Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. An atomic system must guarantee atomicity in each and every

  situation, including power failures, errors, and crashes. To the outside world, a committed transaction appears (by its effects on the database) to be indivisible ("atomic"), and an aborted transaction does not happen.

  Consistency - The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints,

  cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any

  programming errors do not violate any defined rules.

  Isolation - The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other. Providing isolation is the main goal of

  concurrency control. Depending on concurrency control method, the effects of an incomplete transaction might not even be visible to another transaction. [citation needed]

  Durability - Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL statements execute, the results need to

  be stored permanently (even if the database crashes immediately thereafter). To defend against power loss, transactions (or their effects) must be recorded in a non-volatile memory.

  The following were incorrect answers:

  Consistency - The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints,

  cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any

  programming errors do not violate any defined rules.

  Durability - Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors.

  Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

  CISA review manual 2014 Page number 218

• Question 1980:

  When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?

  A. Data backups
  B. Decision support system
  C. Operating system
  D. Applications
  C. Operating system

  ---

  Explanation

  When a data center is attempting to restore computing facilities at an alternative site following a disaster, the operating system should be restored FIRST. Here's why:

  1.Operating System (OS):

  The OS is the foundation of any computing environment. It manages hardware resources, provides essential services, and allows applications to run. Restoring the OS ensures that the infrastructure is operational and ready for further

  recovery steps.

  Without a functional OS, applications cannot execute, and data backups cannot be effectively restored.

  2.Data Backups:

  While data backups are critical for recovery, they depend on a working infrastructure. If the OS is not operational, restoring data backups becomes challenging.

  Data backups should follow the OS restoration.

  3.Applications:

  Applications rely on the OS to function.

  Restoring applications before the OS may lead to compatibility issues or incomplete functionality.

  Applications should be restored after ensuring a stable OS environment.

  4.Decision Support System (DSS):

  DSS is an application category.

  It should follow the restoration of both the OS and critical applications. In summary, prioritize restoring the operating system, which forms the basis for subsequent recovery steps12. Once the OS is functional, proceed with data backups,

  applications, and other systems as needed.