Isaca CISA Certification CISA Questions & Answers

• Question 21:

  With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?

  A. A business impact analysis (BIA) has not been performed

  B. Business data is not sanitized in the development environment

  C. There is no plan for monitoring system downtime

  D. The process owner has not signed off on user acceptance testing (UAT)

  Correct Answer: A

• Question 22:

  A web proxy server for corporate connections to external resources reduces organizational risk by:

  A. anonymizing users through changed IP addresses.

  B. providing multi-factor authentication for additional security.

  C. providing faster response than direct access.

  D. load balancing traffic to optimize data pathways.

  Correct Answer: B

• Question 23:

  An IS auditor is reviewing the service agreement with a technology company that provides IT help desk services to the organization. Which of the following monthly performance metrics is the BEST indicator of service quality?

  A. The total number of users requesting help desk services

  B. The average call waiting time on each request

  C. The percent of issues resolved by the first contact

  D. The average turnaround time spent on each reported issue

  Correct Answer: C

• Question 24:

  Which of the following is the MOST important control for virualized environments?

  A. Regular updates of policies for the operation of the virtualized environment

  B. Hardening for the hypervisor and guest machines

  C. Redundancy of hardware resources and network components

  D. Monitoring utilization of resources at the guest operating system level

  Correct Answer: B

  The most important control for virtualized environments is hardening for the hypervisor and guest machines. Hardening the hypervisor and guest machines involves taking measures to ensure that the system is secure and protected from external threats. This includes ensuring that all security patches and updates are applied, that the systems are configured securely, and that only approved applications are allowed to run. Additionally, it is important to ensure that the system is regularly monitored for any malicious activity. For more information, please refer to the ISACA CISA Study Guide section 4.13.4.1.

• Question 25:

  An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process.

  Which of the following is the MOST appropriate population to sample from when testing for remediation?

  A. All users provisioned after the finding was originally identified

  B. All users provisioned after management resolved the audit issue

  C. All users provisioned after the final audit report was issued

  D. All users who have followed user provisioning processes provided by management

  Correct Answer: C

• Question 26:

  During which phase of the software development life cycle is it BEST to initiate the discussion of application controls?

  A. Business case development phase when stakeholders are identified

  B. Application design phase process functionalities are finalized

  C. User acceptance testing (UAT) phase when test scenarios are designed

  D. Application coding phase when algorithms are developed to solve business problems

  Correct Answer: B

  The best time to initiate the discussion of application controls is during the Application Design phase, when the process functionalities are finalized. This is according to the ISACA CISA Study Manual, which states, "Application controls should be discussed during the design phase and implemented in the development of the system." (ISACA CISA Study Manual, 26th Edition, Section 4.2.2, Page 4.27)

• Question 27:

  An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that is directly accessed by customers via the Internet. Which of the following should be a concern for the auditor?

  A. The system is hosted on an external third-party service provider's servers.

  B. The system is hosted in a hybrid-cloud platform managed by a service provider.

  C. The system is hosted within a demilitarized zone (DMZ) of a corporate network.

  D. The system is hosted within an internal segment of a corporate network.

  Correct Answer: D

  A web-based CRM system that is directly accessed by customers via the Internet should be hosted in a secure and isolated environment to protect it from external threats and unauthorized access. A web-based CRM system should also be reliable, trusted, and backed up regularly1. Hosting the system on an external third-party service provider's servers (A) or a hybrid- cloud platform managed by a service provider (B) may not be a concern for the auditor if the service provider has adequate security measures and service level agreements in place. The auditor should verify the security controls and contractual terms of the service provider before trusting them with the CRM data23. Hosting the system within a demilitarized zone (DMZ) of a corporate network ?is a common practice to provide an extra layer of security to the CRM system from untrusted networks, such as the Internet. A DMZ is a perimeter network that isolates the CRM system from the internal network and filters the incoming traffic from the external network using a security gateway4567. Hosting the system within an internal segment of a corporate network (D) is a concern for the auditor because it exposes the CRM system and the internal network to potential attacks from the Internet. The CRM system should not be directly accessible from the Internet without a DMZ or a firewall to protect it. This could compromise the confidentiality, integrity, and availability of the CRM data and the internal network78.

• Question 28:

  Which of the following is the MOST important Issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?

  A. Continuity of service

  B. Identity management

  C. Homogeneity of the network

  D. Nonrepudiation

  Correct Answer: C

• Question 29:

  An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction. Which of the following should the auditor do NEXT?

  A. Report the variance immediately to the audit committee

  B. Request an explanation of the variance from the auditee

  C. Increase the sample size to 100% of the population

  D. Exclude the transaction from the sample population

  Correct Answer: B

• Question 30:

  Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves for care?

  A. Infrastructure as a Service (laaS) provider

  B. Software as a Service (SaaS) provider

  C. Network segmentation

  D. Dynamic localization

  Correct Answer: B

  Explanation: The most efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves for care is B. Software as a Service (SaaS) provider. SaaS providers offer cloud-based services that allow organizations to access applications, data, and infrastructure on demand, making it easier to access patient data no matter where the patient is located. Reference: ISACA CISA Study Manual, section 5.3.3.1.