Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 251:

  Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?

  A. Readily available resources such as domains and risk and control methodologies
  B. Comprehensive coverage of fundamental and critical risk and control areas for IT governance
  C. Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies
  D. Wide acceptance by different business and support units with IT governance objectives
  D. Wide acceptance by different business and support units with IT governance objectives

  ---

  Explanation

  The greatest benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization is wide acceptance by different business and support units with IT governance objectives. An international IT governance framework, such as COBIT, provides a common language and understanding for IT governance among various stakeholders, such as management, users, auditors and regulators. This facilitates alignment, communication and collaboration among them. Readily available resources, comprehensive coverage and fewer resources expended are also benefits of adopting an international IT governance framework, but they are not the greatest benefit.

  References: CISA Review Manual (Digital Version) , Chapter 1, Section 1.3.1.

• Question 252:

  Which of the following practices BEST ensures that archived electronic information of permanent importance is accessible over time?

  A. Acquire applications that emulate old software.
  B. Periodically test the integrity of the information.
  C. Regularly migrate data to current technology.
  D. Periodically backup the archived data.
  C. Regularly migrate data to current technology.

  ---

  Explanation

• Question 253:

  Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?

  A. Human resources (HR) sourcing strategy
  B. Records of actual time spent on projects
  C. Peer organization staffing benchmarks
  D. Budgeted forecast for the next financial year
  B. Records of actual time spent on projects

  ---

  Explanation

  The best source of information for IT management to estimate resource requirements for future projects is the records of actual time spent on projects. This data can provide a realistic and reliable basis for forecasting future resource needs based on historical trends and patterns. The records of actual time spent on projects can also help IT management to identify any gaps or inefficiencies in resource allocation and utilization. The human resources (HR) sourcing strategy is not a good source of information for estimating resource requirements for future projects, as it may not reflect the actual demand and availability of IT resources. The peer organization staffing benchmarks are not a good source of information for estimating resource requirements for future projects, as they may not account for the specific characteristics and needs of each organization. The budgeted forecast for the next financial year is not a good source of information for estimating resource requirements for future projects, as it may not be based on accurate or realistic assumptions.

  References: CISA Review Manual, 27th Edition, pages 465-4661 CISA Review Questions, Answers and Explanations Database, Question ID: 263

• Question 254:

  Which of the following should be considered when examining fire suppression systems as part of a data center environmental controls review?

  A. Installation manuals
  B. Onsite replacement availability
  C. Insurance coverage
  D. Maintenance procedures
  D. Maintenance procedures

  ---

  Explanation

  The correct answer is

  D. Maintenance procedures should be considered when examining fire suppression systems as part of a data center environmental controls review. Fire suppression systems are critical for protecting the data center equipment and personnel from fire hazards. Therefore, they should be regularly maintained and tested to ensure their proper functioning and compliance with safety standards. Maintenance procedures should include inspection, cleaning, replacement, and repair of the fire suppression system components, as well as documentation of the maintenance activities and results. Installation manuals, onsite replacement availability, and insurance coverage are not directly related to the fire suppression system performance and effectiveness, and therefore are not relevant for the audit review.

  References: CISA Review Manual (Digital Version)1, page 403.

• Question 255:

  An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

  A. Sell-assessment reports of IT capability and maturity
  B. IT performance benchmarking reports with competitors
  C. Recent third-party IS audit reports
  D. Current and previous internal IS audit reports
  C. Recent third-party IS audit reports

  ---

  Explanation

  Recent third-party IS audit reports would be most helpful in determining the effectiveness of the IT governance framework of the target company. IT governance is a framework that defines the roles, responsibilities, and processes for aligning IT strategy with business strategy. A third-party IS audit is an independent and objective examination of an organization's IT governance framework by an external auditor. Recent third-party IS audit reports can provide reliable and unbiased evidence of the strengths, weaknesses, and maturity of the IT governance framework of the target company. The other options are not as helpful as recent third-party IS audit reports, as they may not be as comprehensive, accurate, or current as external audits.

  References: CISA Review Manual, 27th Edition, page 94

• Question 256:

  One advantage of monetary unit sampling is the fact that

  A. results are stated m terms of the frequency of items in error
  B. it can easily be applied manually when computer resources are not available
  C. large-value population items are segregated and audited separately
  D. it increases the likelihood of selecting material items from the population
  D. it increases the likelihood of selecting material items from the population

  ---

  Explanation

  Monetary unit sampling (MUS) is a statistical sampling method that is used to determine if the account balances or monetary amounts in a population contain any misstatements. MUS treats each individual dollar in the population as a separate sampling unit, so that larger balances or amounts have a higher probability of being selected than smaller ones. MUS then projects the results of testing the sample to the entire population in terms of dollar values, rather than error rates. One advantage of MUS is that it increases the likelihood of selecting material items from the population. Material items are those that have a significant impact on the financial statements and could influence the decisions of users. By giving more weight to larger items, MUS ensures that material misstatements are more likely to be detected and reported. MUS also reduces the sample size required to achieve a desired level of confidence and precision, as compared to other sampling methods that do not consider the value of items.

  References:

  4: Monetary unit sampling definition -- AccountingTools

  5: How Does Monetary Unit Sampling Work? - dummies

  6: Audit sampling | ACCA Qualification | Students | ACCA Global

• Question 257:

  During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

  A. Revise the assessment based on senior management's objections.
  B. Escalate the issue to audit management.
  C. Finalize the draft audit report without changes.
  D. Gather evidence to analyze senior management's objections
  D. Gather evidence to analyze senior management's objections

  ---

  Explanation

  The auditor's best course of action when senior management disagrees with some of the facts presented in the draft audit report is to gather evidence to analyze senior management's objections. The auditor should not revise the assessment, escalate the issue, or finalize the report without changes until they have evaluated the validity and relevance of senior management's objections and resolved any discrepancies or misunderstandings. The auditor should maintain a professional and objective attitude and seek to present a fair and accurate audit report based on sufficient and appropriate evidence.

  References: CISA Review Manual (Digital Version), page 372 CISA Questions, Answers and Explanations Database, question ID 3338

• Question 258:

  An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience. What is the BEST course of action?

  A. Transfer the assignment to a different audit manager despite lack of IT project management experience.
  B. Outsource the audit to independent and qualified resources.
  C. Manage the audit since there is no one else with the appropriate experience.
  D. Have a senior IS auditor manage the project with the IS audit manager performing final review.
  B. Outsource the audit to independent and qualified resources.

  ---

  Explanation

• Question 259:

  During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority.

  Which of the following is the BEST recommendation to help prevent this situation in the future?

  A. Introduce escalation protocols.
  B. Develop a competency matrix.
  C. Implement fallback options.
  D. Enable an emergency access ID.
  A. Introduce escalation protocols.

  ---

  Explanation

  The best recommendation to help prevent the situation where IT support staff were put in a position to make decisions beyond their level of authority during the review of a system disruption incident is to introduce escalation protocols.

  Escalation protocols are policies and procedures that define who should be notified, involved, or consulted when an incident occurs, how the communication and handover should take place, and what criteria or triggers should be used to

  escalate the incident to a higher level of authority or expertise2. Escalation protocols help to ensure that:

  Incidents are handled by the appropriate staff with the required skills, knowledge, and experience

  Incidents are resolved in a timely and effective manner Incidents are escalated to senior management or specialized teams when necessary Incidents are documented and reported accurately and transparently Incidents are analyzed and

  learned from to prevent recurrence or mitigate impact Therefore, by introducing escalation protocols, an organization can improve its incident management process and avoid putting IT support staff in a position to make decisions beyond their

  level of authority.

  References:

  Escalation policies for effective incident management, Section 1: What is incident escalation?

• Question 260:

  During audit planning, an IS auditor walked through the design of controls related to a new data loss prevention (DLP) tool. It was noted that the tool will be configured to alert IT management when large files are sent outside of the organization via email. What type of control will be tested?

  A. Detective
  B. Corrective
  C. Directive
  D. Preventive
  A. Detective

  ---

  Explanation