Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 2031:

  During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

  A. application test cases.
  B. acceptance testing.
  C. cost-benefit analysis.
  D. project plans.
  A. application test cases.

  ---

  Explanation

  Reviewing and evaluating application test cases is the most effective use of an IS auditor's time during the evaluation of controls over a major application development project. Application test cases are designed to verify that the application meets the functional and non-functional requirements and specifications. They also help to identify and correct any errors, defects, or vulnerabilities in the application before it is deployed. By reviewing and evaluating the test cases, the IS auditor can assess the quality, reliability, security, and performance of the application and provide recommendations for improvement.

• Question 2032:

  The GREATEST benefit of using a polo typing approach in software development is that it helps to:

  A. minimize scope changes to the system.
  B. decrease the time allocated for user testing and review.
  C. conceptualize and clarify requirements.
  D. Improve efficiency of quality assurance (QA) testing
  C. conceptualize and clarify requirements.

  ---

  Explanation

  The greatest benefit of using a prototyping approach in software development is that it helps to conceptualize and clarify requirements. A prototyping approach is a method of creating a simplified or partial version of a software product to demonstrate its features and functionality. A prototyping approach can help to elicit, validate, and refine the requirements of the software product, as well as to obtain feedback from the users and stakeholders. The other options are not the greatest benefits of using a prototyping approach, but rather possible outcomes or advantages of doing so.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.11 CISA Review Questions, Answers and Explanations Database, Question ID 227

• Question 2033:

  An IS auditor reviewing an incident management process identifies client information was lost due to ransomware attacks. Which of the following would MOST effectively minimize the impact of future occurrences?

  A. Change access to client data to read-only.
  B. Improve the ransomware awareness program.
  C. Back up client data more frequently.
  D. Monitor all client data changes.
  B. Improve the ransomware awareness program.

  ---

  Explanation

• Question 2034:

  When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:

  A. database conflicts are managed during replication.
  B. end users are trained in the replication process.
  C. the source database is backed up on both sites.
  D. user rights are identical on both databases.
  A. database conflicts are managed during replication.

  ---

  Explanation

  A database conflict occurs when the same data is modified at two separate servers, such as a customer database and a remote call center database, and the changes are not consistent with each other. For example, if a customer updates

  their phone number at the customer database, and a call center agent updates the same customer's address at the remote call center database, there is a conflict between the two updates. Database conflicts can cause data inconsistency,

  corruption, or loss if they are not detected and resolved properly.

  Two-way replication is a process of synchronizing data between two databases, so that any changes made in one database are reflected in the other database, and vice versa. Two- way replication can improve data availability, performance,

  and scalability, but it also increases the risk of database conflicts. Therefore, when assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that database

  conflicts are managed during replication. This means that the project should have a clear and effective strategy for:

  Preventing or minimizing database conflicts by using techniques such as locking, timestamping, or partitioning.

  Detecting or identifying database conflicts by using tools such as triggers, logs, or alerts.

  Resolving or handling database conflicts by using methods such as priority-based, rule-based, or user-based resolution.

  The other possible options are:

  B. end users are trained in the replication process: This is not a relevant or important factor for the IS auditor to ensure when assessing a proposed project for the two-way replication of a customer database with a remote call center. End users are not directly involved in the replication process, and they do not need to have detailed knowledge or skills about how replication works. The replication process should be transparent and seamless to the end users, and they should only interact with the data through their applications or interfaces.

  C. the source database is backed up on both sites: This is not a sufficient or necessary factor for the IS auditor to ensure when assessing a proposed project for the two-way replication of a customer database with a remote call center. Backing up the source database on both sites can provide some level of data protection and recovery, but it does not address the issue of database conflicts that can occur during replication. Moreover, backing up the source database on both sites may not be feasible or efficient, as it may consume more storage space and network bandwidth, and introduce more complexity and overhead to the replication process.

  D. user rights are identical on both databases: This is not a critical or relevant factor for the IS auditor to ensure when assessing a proposed project for the two- way replication of a customer database with a remote call center. User rights are the permissions or privileges that users have to access or modify data in a database. User rights do not directly affect the occurrence or resolution of database conflicts during replication. User rights may vary depending on the role or function of the users in different databases, and they should be defined and enforced according to the security policies and requirements of each database.

• Question 2035:

  Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

  A. Documentation of exit routines
  B. System initialization logs
  C. Change control log
  D. Security system parameters
  C. Change control log

  ---

  Explanation

  Operating system parameters are settings or values that affect the behavior or performance of the operating system. Modifications to the operating system parameters may be necessary to improve the system functionality, security, or efficiency. However, such modifications may also introduce risks or errors that can affect the system stability, compatibility, or integrity. Therefore, modifications to the operating system parameters should be authorized and documented by the appropriate authority. A change control log is a record of all changes made to the system, including the date, time, description, reason, authorization, and impact of each change. A change control log can help the IS auditor to verify whether modifications to the operating system parameters were authorized by comparing the log entries with the actual system settings and the change approval documents.

• Question 2036:

  Which of the following group is MOST likely responsible for the implementation of IT projects?

  A. IT steering committee
  B. IT strategy committee
  C. IT compliance committee
  D. IT governance committee
  A. IT steering committee

  ---

  Explanation

• Question 2037:

  An IS auditor determines that the vendor's deliverables do not include the source code for a newly acquired product. To address this issue, which of the following should the auditor recommend be included in the contract?

  A. Confidentiality and data protection clauses
  B. Service level agreement (SLA)
  C. Software escrow agreement
  D. Right-to-audit clause
  C. Software escrow agreement

  ---

  Explanation

  The correct answer is

  C. Software escrow agreement. A software escrow agreement is a legal arrangement between three parties: the software developer (licensor), the end-user (licensee), and an escrow agent. The agreement ensures that the software's source code and other relevant assets are securely stored with the escrow agent, and can be released to the licensee under certain conditions, such as the licensor's bankruptcy, insolvency, or failure to provide support or maintenance. A software escrow agreement can provide the licensee with assurance and continuity for the software they depend on, and protect them from losing access or functionality in case of any unforeseen events or disputes with the licensor.

• Question 2038:

  Which of the following is the PRIMARY function of an internal IS auditor when the organization acquires a new IT system to support its business strategy?

  A. Identifying significant IT errors and fraud
  B. Assessing system development life cycle (SDLC) controls
  C. Implementing risk and control gap mitigation
  D. Evaluating IT risk and controls
  D. Evaluating IT risk and controls

  ---

  Explanation

  Explanation

• Question 2039:

  Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?

  A. Continuous network monitoring
  B. Periodic network vulnerability assessments
  C. Review of electronic access logs
  D. Physical security reviews
  A. Continuous network monitoring

  ---

  Explanation

  The most effective method for detecting the presence of an unauthorized wireless access point on an internal network is A. Continuous network monitoring. This is because continuous network monitoring can capture and analyze all the wireless traffic in the network and identify any rogue or spoofed devices that may be connected to the network without authorization. Continuous network monitoring can also alert the system administrator of any suspicious or anomalous activities on the network and help to locate and remove the unauthorized wireless access point quickly. Periodic network vulnerability assessments (B) can also help to detect unauthorized wireless access points, but they are not as effective as continuous network monitoring, because they are performed at fixed intervals and may miss some devices that are added or removed between the assessments. Review of electronic access logs ?can provide some information about the devices that access the network, but they may not be able to detect devices that use fake or stolen credentials or devices that do not generate any logs. Physical security reviews (D) can help to prevent unauthorized physical access to the network ports or devices, but they may not be able to detect wireless access points that are hidden or disguised as legitimate devices.

• Question 2040:

  An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?

  A. Team member assignments must be based on individual competencies
  B. Technical co-sourcing must be used to help the new staff
  C. The standard is met as long as one member has a globally recognized audit certification.
  D. The standard is met as long as a supervisor reviews the new auditors' work
  A. Team member assignments must be based on individual competencies

  ---

  Explanation

  The IS audit standard for proficiency states that the IS auditor must have the knowledge, skills and experience needed to perform the audit work. This implies that the IS auditor must be competent in both the technical and business aspects of the audit subject matter. Therefore, team member assignments must be based on individual competencies, so that each auditor can perform the tasks that match their qualifications and expertise. This will also ensure that the audit objectives are met and the audit quality is maintained. Option B is incorrect because technical co-sourcing is not a requirement to meet the IS audit standard for proficiency. Co-sourcing is an option that may be used when the internal audit function lacks the necessary resources or skills to perform the audit work. However, co-sourcing does not guarantee that the new staff will acquire the proficiency needed for the audit. Moreover, co-sourcing may introduce additional risks and challenges, such as confidentiality, independence, communication and coordination issues. Option C is incorrect because having a globally recognized audit certification does not necessarily mean that the standard for proficiency is met. A certification is an indication of the auditor's knowledge and competence in a specific domain, but it does not cover all aspects of IS auditing. The auditor must also have relevant experience and continuous learning to maintain and enhance their proficiency. Furthermore, having one certified member does not ensure that the other members are also proficient. Option D is incorrect because having a supervisor review the new auditors' work is not sufficient to meet the IS audit standard for proficiency. A supervisor review is a quality assurance measure that helps to ensure that the audit work is performed in accordance with the standards and policies. However, a supervisor review does not substitute for the proficiency of the auditors who perform the work. The auditors must still have the necessary knowledge, skills and experience to conduct the audit tasks effectively and efficiently.

  References: CISA Online Review Course1, Module 1: The Process of Auditing Information Systems, Lesson 2: Mandatory Guidance, slide 8-9. CISA Review Manual (Digital Version)2, Chapter 1: The Process of Auditing Information Systems, Section 1.3: Mandatory Guidance, p. 24-25. CISA Review Manual (Print Version), Chapter 1: The Process of Auditing Information Systems, Section 1.3: Mandatory Guidance, p. 24-25. CISA Questions, Answers and Explanations Database3, Question ID: QAE_CISA_711.