Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 211:

  An IS auditor finds that corporate mobile devices used by employees have varying levels of password settings. Which of the following would be the BEST recommendation?

  A. Update the acceptable use policy for mobile devices.
  B. Notify employees to set passwords to a specified length.
  C. Encrypt data between corporate gateway and devices.
  D. Apply a security policy to the mobile devices.
  D. Apply a security policy to the mobile devices.

  ---

  Explanation

• Question 212:

  Which of the following is MOST critical to the success of an information security program?

  A. Management's commitment to information security
  B. User accountability for information security
  C. Alignment of information security with IT objectives
  D. Integration of business and information security
  A. Management's commitment to information security

  ---

  Explanation

  The most critical factor for the success of an information security program is management's commitment to information security. Management's commitment to information security means that the senior management supports, sponsors, funds, monitors and enforces the information security program within the organization. Management's commitment to information security also demonstrates leadership, sets the tone and culture, and establishes the strategic direction and objectives for information security. User accountability for information security, alignment of information security with IT objectives, and integration of business and information security are also important factors for the success of an information security program, but they are not as critical as management's commitment to information security, as they depend on or derive from it.

  References: Info Technology and Systems Resources | COBIT, Risk, Governance ... - ISACA, IT Governance and Process Maturity

• Question 213:

  Which of the following is MOST important to include in a business case for an IT-enabled investment?

  A. Business impact analysis (BIA)
  B. Cost-benefit analysis
  C. Security requirements
  D. Risk assessment
  B. Cost-benefit analysis

  ---

  Explanation

  Explanation

• Question 214:

  A mission-critical application utilizes a one-node database server. On multiple occasions, the database service has been stopped to perform routine patching, causing application outages. Which of the following should be the IS auditor's GREATEST concern?

  A. Revenue lost due to application outages
  B. Patching performed by the vendor
  C. A large number of scheduled database changes
  D. The presence of a single point of failure
  D. The presence of a single point of failure

  ---

  Explanation

• Question 215:

  Which of the following would be an IS auditor's BEST recommendation to senior management when several IT initiatives are found to be misaligned with the organization's strategy?

  A. Define key performance indicators (KPIs) for IT.
  B. Modify IT initiatives that do not map to business strategies.
  C. Reassess the return on investment (ROI) for the IT initiatives.
  D. Reassess IT initiatives that do not map to business strategies.
  D. Reassess IT initiatives that do not map to business strategies.

  ---

  Explanation

• Question 216:

  The BEST way for an IS auditor to validate that separation of duties has been implemented is to perform:

  A. A review of personnel files.
  B. An analysis of documented job descriptions.
  C. A review of the organizational chart.
  D. A walk-through of job functions.
  D. A walk-through of job functions.

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  Awalk-through of job functionsprovides direct evidence thatseparation of duties (SoD)is implemented effectively. It involves observing employees as they perform tasks to confirm that no single person has excessive privileges.

  Walk-through of Job Functions (Correct Answer D)

  Review of Personnel Files (Incorrect A)

  Analysis of Documented Job Descriptions (Incorrect B)

  Review of Organizational Chart (Incorrect C)

  References:

  ISACA CISA Review Manual

  COBIT 2019: Risk Management and Governance

  ISO 27001: Segregation of Duties Control

• Question 217:

  Which of the following audit techniques is MOST appropriate for verifying application program controls?

  A. Statistical sampling
  B. Code review
  C. Confirmation of accounts
  D. Use of test data
  D. Use of test data

  ---

  Explanation

• Question 218:

  The waterfall life cycle model of software development is BEST suited for which of the following situations?

  A. The project will involve the use of new technology.
  B. The project intends to apply an object-oriented design approach.
  C. The project requirements are well understood.
  D. The project is subject to time pressures.
  C. The project requirements are well understood.

  ---

  Explanation

• Question 219:

  Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:

  A. eliminated
  B. unchanged
  C. increased
  D. reduced
  B. unchanged

  ---

  Explanation

  Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is unchanged. This is because end users are still the ultimate customers and beneficiaries of the system, and they need to ensure that the software package meets their requirements, expectations, and satisfaction. End user testing, also known as user acceptance testing (UAT) or beta testing, is the final stage of testing performed by the user or client to determine whether the software can be accepted or not1. End user testing is important for both in-house developed and acquired software packages, as it helps to verify the functionality, usability, performance, and reliability of the system2. End user testing also helps to identify and resolve any defects, errors, or issues that may not have been detected by the developers or vendors. Therefore, option B is the correct answer. Option A is not correct because end user testing is not eliminated by acquiring a software package. Even though the software package may have been tested by the vendor or supplier, it may still have bugs, compatibility issues, or configuration problems that need to be fixed before deployment. Option C is not correct because end user testing is not increased by acquiring a software package. The scope and extent of end user testing depend on various factors, such as the complexity, criticality, and customization of the system, and not on whether it is developed in-house or acquired. Option D is not correct because end user testing is not reduced by acquiring a software package. The software package may still require modifications or integrations to suit the specific needs and environment of the organization, and these changes need to be tested by the end users.

  References: Chapter 4 Methods of Software Acquisition What is User Acceptance Testing (UAT): A Complete Guide1 What Is End-to-End Testing? (With How-To and Example)3 How to Evaluate New Software in 5 Steps User Acceptance Testing (UAT) in ERP Projects User Acceptance Testing for Packaged Software

• Question 220:

  Which of the following should be given GREATEST consideration when implementing the use of an open-source product?

  A. Support
  B. Performance
  C. Confidentiality
  D. Usability
  A. Support

  ---

  Explanation

  Support should be given the greatest consideration when implementing the use of an open- source product, as open-source software may not have the same level of technical support, maintenance, and updates as proprietary software. Open-source software users may have to rely on the community of developers and users, online forums, or third-party vendors for support, which may not be timely, reliable, or consistent. Therefore, before implementing an open-source product, users should evaluate the availability and quality of support options, such as documentation, forums, mailing lists, bug trackers, chat channels, etc.