Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 241:

  The PRIMARY benefit of automating application testing is to:

  A. provide test consistency.
  B. provide more flexibility.
  C. replace all manual test processes.
  D. reduce the time to review code.
  A. provide test consistency.

  ---

  Explanation

  The primary benefit of automating application testing is to provide test consistency. Automated testing can ensure that the same test cases are executed in the same manner and order every time, which can improve the reliability and accuracy of the test results. Providing more flexibility, replacing all manual test processes, and reducing the time to review code are possible benefits of automating application testing, but they are not the primary benefit.

  References: ISACA, CISA Review Manual, 27th Edition, 2020, p. 3091 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

• Question 242:

  Which of the following testing procedure is used by an auditor to check whether a firm is following the rules and regulations applicable to an activity or practice?

  A. Compliance testing
  B. Sanity testing
  C. Recovery testing
  D. Substantive testing
  A. Compliance testing

  ---

  Explanation

  Audit undertaken to confirm whether a firm is following the rules and regulations (prescribed by its internal authority or control system) applicable to an activity or practice.

  Compliance testing is basically an audit of a system carried out against a known criterion. A compliance test may come in many different forms dependent on the request received but basically can be broken down into several different types:

  Operating Systems and Applications: A verification that an operating system and/or applications are configured appropriately to the companies needs and lockdown requirements, thus providing adequate and robust controls to ensure that the Confidentiality, Integrity and Availability of the system will not be affected in its normal day to day operation. Systems in development: A verification that the intended system under development meets the configuration and lockdown standards requested by the customer. Management of IT and Enterprise Architecture: A verification that the in-place IT management infrastructure encompassing all aspects of system support has been put in place. This is to ensure effective change control, audit, business continuity and security procedures etc. have been formulated, documented and put in place. Interconnection Policy: A verification that adequate security and business continuity controls governing the connection to other systems, be they Telecommunications, Intranets, Extranets and Internet etc. have been put in place, have been fully documented and correspond to the stated customer requirements.

  The following answers are incorrect: Substantive testing - A procedure used during accounting audits to check for errors in balance sheets and other financial documentation. A substantive test might involve checking a random sample of transactions for errors, comparing account balances to find discrepancies, or analysis and review of procedures used to execute and record transactions.

  Sanity testing - Testing to determine if a new software version is performing well enough to accept it for a major testing effort. If application is crashing for initial use, then system is not stable enough for further testing and build or application is assigned to fix.

  Recovery testing ?Testing how well a system recovers from crashes, hardware failures, or other catastrophic problems.

  CISA review manual 2014 page number 52 and 53 http://www.wikijob.co.uk/wiki/substantive-testing

• Question 243:

  Which of the following BEST helps to identify errors during data transfer?

  A. Decrease the size of data transfer packets.
  B. Test the integrity of the data transfer.
  C. Review and verify the data transfer sequence numbers.
  D. Enable a logging process for data transfer.
  B. Test the integrity of the data transfer.

  ---

  Explanation

• Question 244:

  An IS auditor observes that an organization's systems are being used for cryptocurrency mining on a regular basis. Which of the following is the auditor's FIRST course of action?

  A. Report the incident immediately.
  B. Recommend changing the organization's firewall settings.
  C. Consult the organization's acceptable use policy.
  D. Require mining software to be uninstalled.
  C. Consult the organization's acceptable use policy.

  ---

  Explanation

• Question 245:

  Which of the following business continuity activities prioritizes the recovery of critical functions?

  A. Business continuity plan (BCP) testing
  B. Business impact analysis (BIA)
  C. Disaster recovery plan (DRP) testing
  D. Risk assessment
  B. Business impact analysis (BIA)

  ---

  Explanation

  A business impact analysis (BIA) is a process that identifies and evaluates the potential effects or consequences of disruptions or disasters on an organization's critical business functions or processes. A BIA can help prioritize the recovery of critical functions by assessing their importance and urgency for the organization's operations, objectives, and stakeholders, and determining their recovery time objectives (RTOs), which are the maximum acceptable time for restoring a function after a disruption. A business continuity plan (BCP) testing is a process that verifies and validates the effectiveness and readiness of a BCP, which is a document that outlines the strategies and procedures for ensuring the continuity of critical business functions in the event of a disruption or disaster. A BCP testing does not prioritize the recovery of critical functions, but rather evaluates how well they are recovered according to the BCP. A disaster recovery plan (DRP) testing is a process that verifies and validates the effectiveness and readiness of a DRP, which is a document that outlines the technical and operational steps for restoring the IT systems and infrastructure that support critical business functions in the event of a disruption or disaster. A DRP testing does not prioritize the recovery of critical functions, but rather evaluates how well they are supported by the IT systems and infrastructure according to the DRP. A risk assessment is a process that identifies and analyzes the potential threats and vulnerabilities that could affect an organization's critical business functions or processes. A risk assessment does not prioritize the recovery of critical functions, but rather estimates their likelihood and impact of being disrupted by various risk scenarios.

• Question 246:

  Which of the following level in CMMI model focuses on process innovation and continuous optimization?

  A. Level 4
  B. Level 5
  C. Level 3
  D. Level 2
  B. Level 5

  ---

  Explanation

  Level 5 is the optimizing process and focus on process innovation and continuous integration.

  For CISA Exam you should know below information about Capability Maturity Model Integration (CMMI) mode:

  Maturity model

  A maturity model can be viewed as a set of structured levels that describe how well the behaviors, practices and processes of an organization can reliably and sustainable produce required outcomes.

  CMMI Levels

  

  A maturity model can be used as a benchmark for comparison and as an aid to understanding - for example, for comparative assessment of different organizations where there is something in common that can be used as a basis for

  comparison. In the case of the CMM, for example, the basis for comparison would be the organizations' software development processes.

  Structure

  The model involves five aspects:

  Maturity Levels: a 5-level process maturity continuum - where the uppermost (5th) level is a notional ideal state where processes would be systematically managed by a combination of process optimization and continuous process

  improvement.

  Key Process Areas: a Key Process Area identifies a cluster of related activities that, when performed together, achieve a set of goals considered important. Goals: the goals of a key process area summarize the states that must exist for that

  key process area to have been implemented in an effective and lasting way. The extent to which the goals have been accomplished is an indicator of how much capability the organization has established at that maturity level. The goals

  signify the scope, boundaries, and intent of each key process area. Common Features: common features include practices that implement and institutionalize a key process area. There are five types of common features: commitment to

  perform, ability to perform, activities performed, measurement and analysis, and verifying implementation.

  Key Practices: The key practices describe the elements of infrastructure and practice that contribute most effectively to the implementation and institutionalization of the area.

  Levels

  There are five levels defined along the continuum of the model and, according to the SEI: "Predictability, effectiveness, and control of an organization's software processes are believed to improve as the organization moves up these five

  levels. While not rigorous, the empirical evidence to date supports this belief".[citation needed]

  Initial (chaotic, ad hoc, individual heroics) - the starting point for use of a new or undocumented repeat process.

  Repeatable - the process is at least documented sufficiently such that repeating the same steps may be attempted.

  Defined - the process is defined/confirmed as a standard business process, and decomposed to levels 0, 1 and 2 (the last being Work Instructions).

  Managed - the process is quantitatively managed in accordance with agreed-upon metrics.

  Optimizing - process management includes deliberate process optimization/improvement.

  Within each of these maturity levels are Key Process Areas which characteristic that level, and for each such area there are five factors: goals, commitment, ability, measurement, and verification. These are not necessarily unique to CMM,

  representing -- as they do -- the stages that organizations must go through on the way to becoming mature.

  The model provides a theoretical continuum along which process maturity can be developed incrementally from one level to the next. Skipping levels is not allowed/feasible.

  Level 1 - Initial (Chaotic)

  It is characteristic of processes at this level that they are (typically) undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable

  environment for the processes.

  Level 2 - Repeatable

  It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained

  during times of stress.

  Level 3 - Defined

  It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS

  processes) and used to establish consistency of process performance across the organization.

  Level 4 - Managed

  It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-IS process (e.g., for software development). In particular, management can identify ways to adjust and adapt the process to

  particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level.

  Level 5 - Optimizing

  It is a characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements.

  At maturity level 5, processes are concerned with addressing statistical common causes of process variation and changing the process (for example, to shift the mean of the process performance) to improve process performance. This would

  be done at the same time as maintaining the likelihood of achieving the established quantitative process-improvement objectives.

  The following were incorrect answers:

  Level 4 ?Focus on process management and process control

  Level 3 ?Process definition and process deployment.

  Level 2 ?Performance management and work product management.

  CISA review manual 2014 Page number 188

• Question 247:

  An IS auditor is verifying the adequacy of an organization's internal controls and is concerned about potential circumvention of regulations. Which of the following is the BEST sampling method to use?

  A. Variable sampling
  B. Random sampling
  C. Cluster sampling
  D. Attribute sampling
  D. Attribute sampling

  ---

  Explanation

  The best sampling method to use for verifying the adequacy of an organization's internal controls and being concerned about potential circumvention of regulations is

  B. Random sampling. Random sampling is a method of selecting a sample from a population in which each item has an equal and independent chance of being selected1. Random sampling reduces the risk of bias or manipulation in the sample selection, and ensures that the sample is representative of the population. Random sampling can be used for both attribute and variable sampling, which are two types of audit sampling that test for the occurrence rate or the monetary value of errors, respectively.

• Question 248:

  The implementation of an IT governance framework requires that the board of directors of an organization:

  A. Address technical IT issues.
  B. Be informed of all IT initiatives.
  C. Have an IT strategy committee.
  D. Approve the IT strategy.
  D. Approve the IT strategy.

  ---

  Explanation

  IT governance is a framework that defines the roles, responsibilities, and processes for aligning IT strategy with business strategy. The board of directors of an organization is ultimately accountable for IT governance and has the authority to approve the IT strategy. The board of directors does not need to address technical IT issues, be informed of all IT initiatives, or have an IT strategy committee, as these tasks can be delegated to other stakeholders or committees within the organization.

• Question 249:

  Data Loss Prevention (DLP) tools provide the MOST protection against:

  A. The installation of unknown malware.
  B. Malicious programs running on organizational systems.
  C. The downloading of sensitive information to devices by employees.
  D. The sending of corrupt data files to external parties via email.
  C. The downloading of sensitive information to devices by employees.

  ---

  Explanation

  Explanation

  Comprehensive and Detailed Step-by-Step

  DLP (Data Loss Prevention) toolsare designed toprevent unauthorized access, transfer, or leakage of sensitive data, especially byinsider threatsorunauthorized downloads. Preventing Unauthorized Downloads (Correct Answer ?C)

  Preventing Malware Installation (Incorrect ?A, B) Preventing Corrupt Data Transmission (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  NIST 800-53 (Data Protection Controls)

  CIS (Center for Internet Security) DLP Best Practices

• Question 250:

  In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?

  A. Discovery
  B. Attacks
  C. Planning
  D. Reporting
  A. Discovery

  ---

  Explanation

  Penetration testing is a method of evaluating the security of a system or network by simulating an attack from a malicious source. Penetration testing typically consists of four phases: planning, discovery, attacks, and reporting. In the discovery phase, penetration testers gather information about the target system or network, such as host detection, domain name system (DNS) interrogation, port scanning, service identification, operating system fingerprinting, vulnerability scanning, etc. This information can help to identify potential entry points, weaknesses, or vulnerabilities that can be exploited in the subsequent attack phase. Host detection and DNS interrogation are techniques that can be used in the discovery phase to determine the active hosts and their IP addresses and hostnames on the target network.

  References: [ISACA CISA Review Manual 27th Edition], page 368.