Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1991:

  Which of the following is the BEST way to confirm that a digital signature is valid?

  A. Confirm that the sender's public key certificate is from a trusted certificate authority (CA).
  B. Compare the hash value of the digital signature manually
  C. Verify the digital signature by obtaining the senders public key
  D. Request a valid private key from the sender and compare it with the public key
  A. Confirm that the sender's public key certificate is from a trusted certificate authority (CA).

  ---

  Explanation

• Question 1992:

  An organization has decided to build a data warehouse using source data from several disparate systems to support strategic decision-making.

  Which of the following is the BEST way to ensure the accuracy and completeness of the data used to support business decisions?

  A. The source data is pre-selected so that it already supports senior management's desired business decision outcome.
  B. The source data is from the current year of operations so that irrelevant data from prior years is not included.
  C. The source data is modified in the data warehouse to remove confidential or sensitive information.
  D. The source data is standardized and cleansed before loading into the data warehouse.
  D. The source data is standardized and cleansed before loading into the data warehouse.

  ---

  Explanation

• Question 1993:

  Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

  A. Encryption of the spreadsheet
  B. Version history
  C. Formulas within macros
  D. Reconciliation of key calculations
  C. Formulas within macros

  ---

  Explanation

  The most important thing for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros is the formulas within macros. Macros are sequences of commands or instructions that can automate tasks or calculations in a spreadsheet. Formulas are expressions that perform calculations on values or data in a spreadsheet. The accuracy of a spreadsheet depends largely on whether the formulas within macros are correct, consistent, and complete. The IS auditor should review the formulas within macros to verify that they produce the expected results and do not contain any errors or inconsistencies. The other options are not as important as formulas within macros, as they do not directly affect the accuracy of a spreadsheet. Encryption of the spreadsheet is a security control that can protect the confidentiality and integrity of the spreadsheet, but it does not ensure its accuracy. Version history is a document control feature that can track and manage changes to the spreadsheet, but it does not verify its accuracy. Reconciliation of key calculations is a validation technique that can compare and confirm the results of calculations with other sources, but it does not evaluate the accuracy of formulas within macros.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

• Question 1994:

  The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

  A. risk management review
  B. control self-assessment (CSA).
  C. service level agreement (SLA).
  D. balanced scorecard.
  C. service level agreement (SLA).

  ---

  Explanation

  A service level agreement (SLA) is a contract between a service provider and a customer that defines the expected level of performance, risks, and capabilities of an IT infrastructure. An IS auditor can use an SLA to measure how well the IT

  infrastructure meets the business needs and objectives, as well as to identify any gaps or issues that need to be addressed. The other options are not directly related to measuring the performance, risks, and capabilities of an IT infrastructure.

  References:

  CISA Review Manual (Digital Version), Chapter 5, Section 5.2.11 CISA Review Questions, Answers and Explanations Database, Question ID 203

• Question 1995:

  Which of the following job scheduling schemes for operating system updates is MOST likely to adequately balance protection of workstations with user requirements?

  A. Automated patching jobs and immediate restart
  B. Automated patching jobs followed by a scheduled restart outside of business hours
  C. End users can initiate patching including subsequent system restarts
  D. Applying only those patches not requiring a system restart
  B. Automated patching jobs followed by a scheduled restart outside of business hours

  ---

  Explanation

• Question 1996:

  Which of the following testing procedure is used by the auditor during accounting audit to check errors in balance sheet and other financial documentation?

  A. Compliance testing
  B. Sanity testing
  C. Recovery testing
  D. Substantive testing
  D. Substantive testing

  ---

  Explanation

  A procedure used during accounting audits to check for errors in balance sheets and other financial documentation. A substantive test might involve checking a random sample of transactions for errors, comparing account balances to find

  discrepancies, or analysis and review of procedures used to execute and record transactions.

  Substantive testing is the stage of an audit when the auditor gathers evidence as to the extent of misstatements in client's accounting records or other information. This evidence is referred to as substantive evidence and is an important factor

  in determining the auditor's opinion on the financial statements as a whole. The audit procedures used to gather this evidence are referred to as substantive procedures, or substantive tests. Substantive procedures (or substantive tests) are

  those activities performed by the auditor during the substantive testing stage of the audit that gather evidence as to the completeness, validity and/or accuracy of account balances and underlying classes of transactions.

  Account balances and underlying classes of transaction must not contain any material misstatements. They must be materially complete, valid and accurate. Auditors gather evidence about these assertions by undertaking substantive

  procedures, which may include:

  Physically examining inventory on balance date as evidence that inventory shown in the accounting records actually exists (validity assertion); Arranging for suppliers to confirm in writing the details of the amount owing at balance date as

  evidence that accounts payable is complete (completeness assertion); and Making inquiries of management about the collectability of customers' accounts as evidence that trade debtors is accurate as to its valuation. Evidence that an

  account balance or class of transaction is not complete, valid or accurate is evidence of a substantive misstatement.

  The following answers are incorrect:

  Compliance Testing - Compliance testing is basically an audit of a system carried out against a known criterion.

  Sanity testing - Testing to determine if a new software version is performing well enough to accept it for a major testing effort. If application is crashing for initial use, then system is not stable enough for further testing and build or application is

  assigned to fix.

  Recovery testing ?Testing how well a system recovers from crashes, hardware failures, or other catastrophic problems.

  CISA review manual 2014 page number 52 and 53

  http://www.businessdictionary.com/definition/compliance-test.html

• Question 1997:

  A company laptop has been stolen and all photos on the laptop have been published on social medi

  A. Which of the following is the IS auditor's BEST course of action?
  B. Determine if the laptop had the appropriate level of encryption
  C. Verify the organization's incident reporting policy was followed
  D. Ensure that the appropriate authorities have been notified
  E. Review the photos to determine whether they were for business or personal purposes
  B. Determine if the laptop had the appropriate level of encryption

  ---

  Explanation

• Question 1998:

  Which of the following should be the PRIMARY consideration when validating a data analytic algorithm that has never been used before?

  A. Enhancing the design of data visualization
  B. Increasing speed and efficiency of audit procedures
  C. Confirming completeness and accuracy
  D. Decreasing the time for data analytics execution
  C. Confirming completeness and accuracy

  ---

  Explanation

• Question 1999:

  During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS) agreement. What should the auditor do NEXT?

  A. Verify whether IT management monitors the effectiveness of the environment.
  B. Verify whether a right-to-audit clause exists.
  C. Verify whether a third-party security attestation exists.
  D. Verify whether service level agreements (SLAs) are defined and monitored.
  B. Verify whether a right-to-audit clause exists.

  ---

  Explanation

  The auditor should verify whether a right-to-audit clause exists (B) next, because it is a contractual provision that grants the auditor the right to access and examine the records, systems, and processes of the SaaS provider. A right-to-audit clause is important for ensuring transparency, accountability, and compliance of the SaaS provider with the customer's requirements and expectations. A right-to-audit clause can also help the auditor to identify and mitigate any risks or issues related to the SaaS agreement. Verifying whether IT management monitors the effectiveness of the environment (A) is not the next step, because it is a part of the ongoing monitoring and evaluation process, not the initial walk-through procedures. The auditor should first establish the scope, objectives, and criteria of the audit before assessing the performance and controls of the SaaS provider. Verifying whether a third-party security attestation exists ?is not the next step, because it is not a mandatory requirement for a SaaS agreement. A third-party security attestation is a report or certificate issued by an independent auditor that evaluates and validates the security controls and practices of the SaaS provider. A third-party security attestation can provide assurance and confidence to the customer, but it does not replace or eliminate the need for a right-to-audit clause Verifying whether service level agreements (SLAs) are defined and monitored (D) is not the next step, because it is not directly related to the audit process. SLAs are contractual agreements that specify the quality, availability, and performance standards of the SaaS provider. SLAs are important for measuring and managing the service delivery and customer satisfaction, but they do not grant or guarantee the right to audit4.

• Question 2000:

  Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

  A. Reviewing vacation patterns
  B. Reviewing user activity logs
  C. Interviewing senior IT management
  D. Mapping IT processes to roles
  D. Mapping IT processes to roles

  ---

  Explanation

  Mapping IT processes to roles is an activity that provides an IS auditor with the most insight regarding potential single person dependencies that might exist within the organization. Single person dependencies occur when only one person has the knowledge, skills, or access rights to perform a critical IT function. Mapping IT processes to roles can help to identify such dependencies and assess their impact on the continuity and security of IT operations. The other activities do not provide as much insight into single person dependencies, as they do not show the relationship between IT processes and roles.

  References: CISA Review Manual, 27th Edition, page 94