Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 2071:

  What would be the PRIMARY reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center?

  A. To improve traceability
  B. To prevent piggybacking
  C. To implement multi-factor authentication
  D. To reduce maintenance costs
  A. To improve traceability

  ---

  Explanation

  The primary reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center is to improve traceability (A). Traceability is the ability to track and monitor the activities and movements of

  individuals or objects within a system or environment. Traceability is important for ensuring security, accountability, and compliance in a data center, where sensitive and critical data are stored and processed. An RFID access card system

  can improve traceability by using RFID technology to verify and record the identity and access of each user who enters or exits the data center. RFID stands for Radio Frequency Identification, and it enables wireless communication between

  a reader and an RFID tag. An RFID tag is installed in a door key card or fob, which users use to gain access to the data center. An RFID reader is installed near the door, and it contains an antenna that receives data transmitted by the RFID

  tag. A control panel is a computer server that reads and interprets the data passed along by the RFID reader. A database is a storage system that stores the data collected by the control panel1. An RFID access card system can provide

  several benefits for traceability, such as123:

  It can uniquely identify each user and their access level, and prevent unauthorized access or impersonation.

  It can record the date, time, and duration of each user's access, and generate logs and reports for auditing purposes.

  It can monitor the location and status of each user within the data center, and alert security personnel in case of any anomalies or emergencies.

  It can integrate with other security systems, such as cameras, alarms, or biometrics, to enhance verification and protection.

  A universal PIN code system, on the other hand, can compromise traceability by using a single or shared personal identification number (PIN) to grant access to multiple users. A universal PIN code system can pose several risks for

  traceability, such as4:

  It can be easily guessed, stolen, shared, or compromised by malicious actors or insiders. It can not distinguish between different users or their access levels, and allow unauthorized or excessive access. It can not record or track the activities

  or movements of each user within the data center, and create gaps or errors in the audit trail.

  It can not integrate with other security systems, and provide limited verification and protection.

  Therefore, an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center to improve traceability.

  References:

  RFID Access Control Guide: 4 Best RFID Access Control Systems - ButterflyMX Choosing Card Technology in 2023 | ICT

  RFID Vs Magnetic Key Cards: What's The Difference? - Go Safer Security RFID vs Barcode - Advantages, Disadvantages and Differences

• Question 2072:

  An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

  A. Source code version control
  B. Project change management controls
  C. Existence of an architecture review board
  D. Configuration management
  B. Project change management controls

  ---

  Explanation

  Scope creep is the uncontrolled expansion of a project's scope, which can result in delays, cost overruns, and quality issues. To mitigate the risk of scope creep, an IS auditor should look for project change management controls, which are processes and procedures for managing changes to the project's scope, schedule, budget, and quality. Project change management controls ensure that changes are properly requested, approved, documented, communicated, and implemented. Source code version control, existence of an architecture review board, and configuration management are also important for software development, but they do not directly address the risk of scope creep.

  References: ISACA Frameworks: Blueprints for Success, Project Management Institute: A Guide to the Project Management Body of Knowledge

• Question 2073:

  Which of the following is MOST important to define within a disaster recovery plan (DRP)?

  A. A comprehensive list of disaster recovery scenarios and priorities
  B. Business continuity plan (BCP)
  C. Test results for backup data restoration
  D. Roles and responsibilities for recovery team members
  D. Roles and responsibilities for recovery team members

  ---

  Explanation

• Question 2074:

  Which of the following presents the GREATEST risk associated with end-user computing (EUC) applica-tions over financial reporting?

  A. Inability to quickly modify and deploy a solution
  B. Lack of portability for users
  C. Loss of time due to manual processes
  D. Calculation errors in spreadsheets
  D. Calculation errors in spreadsheets

  ---

  Explanation

  Spreadsheets, often used in EUC, are prone to manual input errors and formula mistakes. These errors can significantly compromise the accuracy and integrity of financial reporting.

  References:

  ISACA CISA Review Manual (Current Edition) - Chapter on End-User Computing (EUC) risks

  Industry Research on Spreadsheet Errors: Multiple studies highlight the prevalence of errors in spreadsheets, especially those used for financial purposes.

• Question 2075:

  An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

  A. The process does not require specifying the physical locations of assets.
  B. Process ownership has not been established.
  C. The process does not include asset review.
  D. Identification of asset value is not included in the process.
  B. Process ownership has not been established.

  ---

  Explanation

  An IS auditor would be most concerned if process ownership has not been established for the information asset management process, as this would indicate a lack of accountability, responsibility, and authority for managing the assets throughout their lifecycle. The process owner should also ensure that the process is aligned with the organization's objectives, policies, and standards. The process should require specifying the physical locations of assets, include asset review, and identify asset value, but these are less critical than establishing process ownership.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

• Question 2076:

  Which of the following would BEST reduce the risk of application programming interface (API) unavailability?

  A. Establishing dedicated servers for incoming API requests
  B. Implementing a continuous integration and deployment process
  C. Conducting periodic stress testing
  D. Limiting the rate of incoming requests
  D. Limiting the rate of incoming requests

  ---

  Explanation

  Limiting the rate of incoming requests, known as rate limiting, helps prevent API overloading by controlling the number of requests a client can make within a specific timeframe. This measure protects the API from being overwhelmed,

  ensuring better availability and performance. While dedicated servers, continuous integration/deployment, and stress testing contribute to overall system robustness, rate limiting directly addresses the risk of unavailability due to excessive or

  malicious traffic.

  References:

  ISACA CISA Review Manual, 28th Edition, Chapter 4: Information Systems Operations and Business Resilience.

• Question 2077:

  An IS auditor is reviewing an organization's business intelligence infrastructure. The BEST recommendation to help the organization achieve a reasonable level of data quality would be to:

  A. review data against data classification standards.
  B. outsource data cleansing to skilled service providers.
  C. consolidate data stored across separate databases into a warehouse.
  D. analyze the data against predefined specifications.
  D. analyze the data against predefined specifications.

  ---

  Explanation

  This is because analyzing the data against predefined specifications is a method of data quality assessment that can help the organization achieve a reasonable level of data quality. Data quality assessment is the process of measuring and evaluating the accuracy, completeness, consistency, timeliness, validity, and usability of the data. Predefined specifications are the criteria or standards that define the expected or desired quality of the data. By comparing the actual data with the predefined specifications, the organization can identify and quantify any gaps, errors, or deviations in the data quality, and take corrective actions accordingly12. Reviewing data against data classification standards (A) is not the best answer, because it is not a method of data quality assessment, but rather a method of data security management. Data classification standards are the rules or guidelines that define the level of sensitivity and confidentiality of the data, and determine the appropriate security and access controls for the data. For example, data can be classified into public, internal, confidential, or restricted categories. Reviewing data against data classification standards can help the organization protect the data from unauthorized or inappropriate use or disclosure, but it does not directly improve the data quality3. Outsourcing data cleansing to skilled service providers (B) is not the best answer, because it is not a recommendation to help the organization achieve a reasonable level of data quality, but rather a decision to delegate or transfer the responsibility of data quality management to external parties. Data cleansing is the process of detecting and correcting any errors, inconsistencies, or anomalies in the data. Skilled service providers are third- party vendors or contractors that have the expertise and resources to perform data cleansing tasks. Outsourcing data cleansing to skilled service providers may have some benefits, such as cost savings, efficiency, or scalability, but it also has some risks, such as loss of control, dependency, or liability4. Consolidating data stored across separate databases into a warehouse ?is not the best answer, because it is not a method of data quality assessment, but rather a method of data integration and storage. Data integration is the process of combining and transforming data from different sources and formats into a unified and consistent view. Data warehouse is a centralized repository that stores integrated and historical data for analytical purposes. Consolidating data stored across separate databases into a warehouse can help the organization improve the availability and accessibility of the data, but it does not necessarily improve the data quality.

• Question 2078:

  A checksum is classified as which type of control?

  A. Detective control
  B. Preventive control
  C. Corrective control
  D. Administrative control
  A. Detective control

  ---

  Explanation

  A checksum is classified as a detective control. A checksum is a mathematical value that is calculated from a data set and used to verify the integrity of the data. A checksum can detect if the data has been altered or corrupted during transmission or storage. A checksum does not prevent or correct the data corruption, but it alerts the user or system of the problem. Therefore, it is a detective control. A preventive control is a control that prevents an error or incident from occurring. A corrective control is a control that restores normal operations after an error or incident has occurred. An administrative control is a control that involves policies, procedures, standards, guidelines, or organizational structures.

  References: CISA Review Manual (Digital Version)1, page 439.

• Question 2079:

  During a post-implementation review, a step in determining whether a project met user requirements is to review the:

  A. completeness of user documentation.
  B. integrity of key calculations.
  C. effectiveness of user training.
  D. change requests initiated after go-live.
  D. change requests initiated after go-live.

  ---

  Explanation

• Question 2080:

  Which of the following is the MAIN responsibility of the IT steering committee?

  A. Reviewing and assisting with IT strategy integration efforts
  B. Developing and assessing the IT security strategy
  C. Implementing processes to integrate security with business objectives
  D. Developing and implementing the secure system development framework
  A. Reviewing and assisting with IT strategy integration efforts

  ---

  Explanation

  This means that the IT steering committee is responsible for ensuring that the IT strategy aligns with and supports the business strategy, vision, and goals of the organization. The IT steering committee is also responsible for overseeing and approving major IT initiatives, projects, and investments, and allocating resources and priorities accordingly. Developing and assessing the IT security strategy (B) is not the main responsibility of the IT steering committee, but rather a specific aspect of the IT strategy that may be delegated to a subcommittee or a dedicated security function. The IT steering committee may provide guidance and oversight for the IT security strategy, but it is not directly involved in developing and assessing it. Implementing processes to integrate security with business objectives ?is not the main responsibility of the IT steering committee, but rather an operational task that may be performed by the IT management and staff. The IT steering committee may monitor and evaluate the effectiveness of the security processes, but it is not directly involved in implementing them. Developing and implementing the secure system development framework (D) is not the main responsibility of the IT steering committee, but rather a technical task that may be performed by the IT developers and engineers. The IT steering committee may approve and endorse the secure system development framework, but it is not directly involved in developing and implementing it.