Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 2001:

  Which of the following should be an IS auditor's PRIMARY focus when auditing the implementation of a new IT operations performance monitoring system?

  A. Reviewing whether all changes have been implemented
  B. Validating whether baselines have been established
  C. Confirming whether multi-factor authentication (MFA) is deployed as part of the operational enhancements
  D. Determining whether there is a process for annual review of the maintenance manual
  B. Validating whether baselines have been established

  ---

  Explanation

• Question 2002:

  Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?

  A. Data ownership
  B. Applicable laws and regulations
  C. Business requirements and data flows
  D. End-user access rights
  B. Applicable laws and regulations

  ---

  Explanation

  When assessing the scope of privacy concerns for an IT project, the most important factor to consider is the applicable laws and regulations. These laws and regulations define the legal requirements for data privacy and protection that the project must comply with. They can vary greatly depending on the jurisdiction and the type of data being processed, and non-compliance can result in significant penalties. While data ownership, business requirements and data flows, and end-user access rights are also important considerations, they are typically guided by these legal requirements.

  References: ISACA's Information Systems Auditor Study Materials

• Question 2003:

  A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

  A. A formal request for proposal (RFP) process
  B. Business case development procedures
  C. An information asset acquisition policy
  D. Asset life cycle management.
  D. Asset life cycle management.

  ---

  Explanation

  Asset life cycle management is a technique of asset management where facility managers maximize the usable life of assets through planning, purchasing, using, maintaining, and disposing of assets1. The main aim of asset life cycle management is to reduce costs and increase productivity by optimizing the performance, reliability, and lifespan of assets2. Asset life cycle management can help prevent the situation of having unused applications by ensuring that the applications are aligned with the business needs, objectives, and strategies, and that they are regularly reviewed, updated, or retired as necessary3. The other options are not as effective as asset life cycle management for preventing unused applications. A formal request for proposal (RFP) process is a method of soliciting bids from potential vendors or suppliers for a project or service. A RFP process can help select the best application for a specific requirement, but it does not ensure that the application will be used or maintained throughout its lifecycle. Business case development procedures are a set of steps that involve defining the problem, analyzing the alternatives, and proposing a solution for a project or initiative. Business case development procedures can help justify the need and value of an application, but they do not guarantee that the application will be utilized or supported after its implementation. An information asset acquisition policy is a document that outlines the rules and standards for acquiring information assets such as applications. An information asset acquisition policy can help ensure that the applications are acquired in a consistent and compliant manner, but it does not address how the applications will be managed or disposed of after their acquisition.

• Question 2004:

  An emergency change was made to an IT system as a result of a failure. Which of the following should be of GREATEST concern to the organization's information security manager?

  A. The operations team implemented the change without regression testing.
  B. The change did not include a proper assessment of risk.
  C. Documentation of the change was made after implementation.
  D. The information security manager did not review the change prior to implementation.
  B. The change did not include a proper assessment of risk.

  ---

  Explanation

• Question 2005:

  Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following provides assurance that the BEST transactions were recovered successfully?

  A. Review transaction recovery logs to ensure no errors were recorded.
  B. Recount the transaction records to ensure no records are missing.
  C. Rerun the process on a backup machine to verify the results are the same.
  D. Compare transaction values against external statements to verify accuracy.
  B. Recount the transaction records to ensure no records are missing.

  ---

  Explanation

  Recounting the transaction records to ensure no records are missing provides assurance that the best transactions were recovered successfully from a snapshot copy. This is because recounting the transaction records can verify that the number of records in the restored database matches the number of records in the snapshot copy, which represents the state of the database before the deletion occurred. Recounting the transaction records can also detect any data corruption or inconsistency that may have occurred during the restore process1. Reviewing transaction recovery logs to ensure no errors were recorded is not the best answer, because transaction recovery logs may not capture all the details or issues that may affect the data quality or integrity. Transaction recovery logs are mainly used to monitor and troubleshoot the restore process, but they may not reflect the actual content or accuracy of the restored data2. Rerunning the process on a backup machine to verify the results are the same is not the best answer, because rerunning the process may introduce additional errors or inconsistencies that may affect the data quality or integrity. Rerunning the process may also consume more time and resources than necessary, and it may not guarantee that the results are identical to the original data3. Comparing transaction values against external statements to verify accuracy is not the best answer, because external statements may not be available or reliable for all transactions. External statements are documents or reports that provide information about transactions from a third-party source, such as a bank, a vendor, or a customer. However, external statements may not cover all transactions, or they may have different formats, standards, or timeliness than the internal data

• Question 2006:

  Which of the following BEST indicates that an organization has effective governance in place?

  A. The organization regularly updates governance-related policies and procedures
  B. The organizations board of directors executes on the management strategy
  C. The organization is compliant with local government regulations
  D. The organization's board of directors reviews metrics for strategic initiatives
  C. The organization is compliant with local government regulations

  ---

  Explanation

• Question 2007:

  With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?

  A. A business impact analysis (BIA) has not been performed
  B. Business data is not sanitized in the development environment
  C. There is no plan for monitoring system downtime
  D. The process owner has not signed off on user acceptance testing (UAT)
  A. A business impact analysis (BIA) has not been performed

  ---

  Explanation

  Resilience is the ability of an organization to continue to operate effectively during or after a disruptive event. A business impact analysis (BIA) is a key process to identify the critical systems and processes that support the organization's objectives and determine the impact of their disruption. Without a BIA, the organization may not be able to prioritize the recovery of the most important systems and processes, which poses the greatest risk to its resilience. The other options are not as significant as a BIA, as they relate to data quality, system monitoring, and user acceptance testing, which are important but not essential for resilience.

  References: CISA Review Manual (Digital Version), Domain 4: Information Systems Operations and Business Resilience, Section 4.2 Business Continuity Planning

• Question 2008:

  A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?

  A. Data migration is not part of the contracted activities.
  B. The replacement is occurring near year-end reporting
  C. The user department will manage access rights.
  D. Testing was performed by the third-party consultant
  C. The user department will manage access rights.

  ---

  Explanation

  The greatest concern for an IS auditor in this scenario is that the user department will manage access rights to the new accounting system. This could pose a significant risk of unauthorized access, segregation of duties violations, data tampering and fraud. The IS auditor should ensure that access rights are defined, approved and monitored by an independent function, such as IT security or internal audit. The other options are not as concerning as option C, as they can be mitigated by other controls or procedures. Data migration is an important part of the system replacement project, but it can be performed by another party or verified by the IS auditor. The timing of the replacement near year-end reporting is a challenge, but it can be managed by proper planning, testing and contingency plans. Testing performed by the third-party consultant is acceptable, as long as it is reviewed and validated by the IS auditor or another independent party.

  References: CISA Review Manual (Digital Version) 1, Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.4: System Implementation.

• Question 2009:

  Which of the following BEST demonstrates to an IS auditor that an organization has implemented effective risk management processes?

  A. Critical business assets have additional controls.
  B. The risk register is reviewed periodically.
  C. A business impact analysis (BIA) has been completed.
  D. The inventory of IT assets includes asset classification.
  B. The risk register is reviewed periodically.

  ---

  Explanation

• Question 2010:

  Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?

  A. Whether there is explicit permission from regulators to collect personal data
  B. The organization's legitimate purpose for collecting personal data
  C. Whether sharing of personal information with third-party service providers is prohibited
  D. The encryption mechanism selected by the organization for protecting personal data
  B. The organization's legitimate purpose for collecting personal data

  ---

  Explanation

  The most important thing for an IS auditor to examine when reviewing an organization's privacy policy is its legitimate purpose for collecting personal data. A legitimate purpose is a clear and specific reason for collecting personal data that is necessary for the organization's business operations or legal obligations, and that respects the rights and interests of the data subjects. A legitimate purpose is the basis for establishing a lawful and fair processing of personal data, and it should be communicated to the data subjects in the privacy policy. The other options are not as important as the legitimate purpose in reviewing the privacy policy. Explicit permission from regulators to collect personal data is not always required, as there may be other lawful bases for data collection, such as consent, contract, or public interest. Sharing of personal information with third-party service providers is not prohibited, as long as there are adequate safeguards and agreements in place to protect the data. The encryption mechanism selected by the organization for protecting personal data is a technical control that can enhance data security, but it does not determine the legality or fairness of data collection.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2