Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 311:

  Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

  A. IT value analysis
  B. Prior audit reports
  C. IT balanced scorecard
  D. Vulnerability assessment report
  C. IT balanced scorecard

  ---

  Explanation

  An IT balanced scorecard (BSC) is a performance metric that is used to identify, improve, and control the various functions and outcomes of an IT department or organization. An IT BSC is based on the concept of the balanced scorecard, which was introduced by Robert Kaplan and David Norton in 1992 as a strategic management system that translates the vision and strategy of an organization into measurable objectives and actions. An IT BSC adapts the balanced scorecard framework to the specific needs and goals of the IT function, aligning it with the business strategy and value proposition. An IT BSC typically consists of four perspectives that help managers plan, implement, and evaluate the IT performance: customer, internal process, learning and growth, and financial. Each perspective defines a set of objectives, measures, targets, and initiatives that reflect the IT contribution to the organization's success. For example, the customer perspective may measure the satisfaction and retention of internal and external customers who use IT services or products; the internal process perspective may measure the efficiency and effectiveness of IT processes such as development, delivery, support, or security; the learning and growth perspective may measure the skills, knowledge, innovation, and culture of the IT staff; and the financial perspective may measure the costs, benefits, and return on investment of IT projects or assets. An IT BSC provides a new IS auditor with the most useful information to evaluate overall IT performance because it: Provides a comprehensive and balanced view of the IT function from multiple angles and stakeholders Links the IT objectives and activities to the business strategy and value creation Enables a clear communication and alignment of expectations and priorities among IT managers, staff, customers, and other stakeholders Facilitates a continuous monitoring and improvement of IT performance based on data-driven feedback and analysis Supports a holistic and integrated approach to IT governance, risk management, and compliance Therefore, an IT BSC is a valuable tool for a new IS auditor to assess how well the IT function is fulfilling its mission and delivering value to the organization.

  References: The IT Balanced Scorecard (BSC) Explained - BMC Software What Is a Balanced Scorecard (BSC), How Is it Used in Business? Lost in the Woods: COBIT 2019 and the IT Balanced Scorecard - ISACA

• Question 312:

  The business case for an information system investment should be available for review until the:

  A. information system investment is retired.
  B. information system has reached end of life.
  C. formal investment decision is approved.
  D. benefits have been fully realized.
  D. benefits have been fully realized.

  ---

  Explanation

  The business case for an information system investment is a document that provides the rationale and justification for the investment, based on the expected costs, benefits, risks, and impacts of the project12. The business case should be

  available for review until the benefits have been fully realized, because it serves as a baseline for measuring the actual performance and outcomes of the project against the planned ones34. This helps to evaluate the success and value of

  the investment, and to identify any gaps or issues that need to be addressed5.

  References:

  1: The Business Case for Security - CISA

  2: Beyond the Business Case: New Approaches to IT Investment

  3: #HowTo: Build a Business Case for Cybersecurity Investment

  4: ISACA CISA Certified Information Systems Auditor Exam ... - PUPUWEB

  5: The Business Case for Security | CISA

• Question 313:

  Which of the following is the MOST important Issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?

  A. Continuity of service
  B. Identity management
  C. Homogeneity of the network
  D. Nonrepudiation
  C. Homogeneity of the network

  ---

  Explanation

  The most important issue for an IS auditor to consider with regard to Voice- over IP (VoIP) communications is the homogeneity of the network, because it affects the quality, security, and reliability of the VoIP service. A homogeneous network is one that uses a single protocol or standard for VoIP communication, such as Session Initiation Protocol (SIP) or H.32312. A homogeneous network can reduce the complexity, latency, and interoperability issues that may arise from using different or incompatible protocols or devices for VoIP communication12. Continuity of service, identity management, and nonrepudiation are also important issues for VoIP communications, but not as important as the homogeneity of the network.

  References: 1: CISA Review Manual (Digital Version), Chapter 4, Section 4.4.3 2: CISA Online Review Course, Module 4, Lesson 4

• Question 314:

  Which of the following findings would be of GREATEST concern to an IS auditor reviewing firewall security for an organization's corporate network?

  A. The production configuration does not conform to corporate policy.
  B. Responsibility for the firewall administration rests with two different divisions.
  C. Industry hardening guidance has not been considered.
  D. The firewall configuration file is extremely long and complex.
  A. The production configuration does not conform to corporate policy.

  ---

  Explanation

• Question 315:

  Which of the following audit assess accuracy of financial reporting?

  A. Compliance Audit
  B. Financial Audit
  C. Operational Audit
  D. Forensic audit
  B. Financial Audit

  ---

  Explanation

  A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not

  absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an objective

  independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and

  consequently reduce the cost of capital of the preparer of the financial statements.

  What is an audit?

  An audit in general terms is a process of evaluating an individual or organization's accounts. This is usually done by an independent auditing body. Thus, audit involves a competent and independent person obtaining evidence and evaluating

  it objectively with regard to a given entity, which in this case is the subject of audit, in order to establish conformance to a given set of standards. Audit can be on a person, organization, system, enterprise, project or product.

  Compliance Audit

  A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review

  security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory or industry standard. These

  audits often overlap traditional audits, but may focus on particular system or data.

  What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data. For instance, SOX

  requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure. Health care providers that store or transmit e-health records, like personal health information, are

  subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often

  generated by data from event log management software.

  Financial Audit A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an objective independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and consequently reduce the cost of capital of the preparer of the financial statements.

  Operational Audit

  Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit financial data may

  be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Operational audit is a more comprehensive form of an Internal audit.

  The Institute of Internal Auditor (IIA) defines Operational Audit as a systematic process of evaluating an organization's effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the

  results of the evaluation along with recommendations for improvement.

  Objectives

  To appraise the effectiveness and efficiency of a division, activity, or operation of the entity in meeting organizational goals.

  To understand the responsibilities and risks faced by an organization.

  To identify, with management participation, opportunities for improving control.

  To provide senior management of the organization with a detailed understanding of the Operations.

  Integrated Audits

  An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to financial information and asset, safeguarding, efficiency and or internal

  auditors and would include compliance test of internal controls and substantive audit step.

  IS Audit

  An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are

  safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of

  attestation engagement.

  The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets

  and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

  Will the organization's computer systems be available for the business at all times when required? (known as availability) Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality) Will

  the information provided by the system always be accurate, reliable, and timely? (measures the integrity) In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing

  those risks.

  Forensic Audit

  Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or irregularities

  (including fraud) and giving preventative advice.

  The purpose of a forensic audit is to use accounting procedures to collect evidence for the prosecution or investigation of financial crimes such as theft or fraud. Forensic audits may be conducted to determine if wrongdoing occurred, or to

  gather materials for the case against an alleged criminal.

  The following answers are incorrect:

  Compliance Audit - A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance

  preparations. Auditors review security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory

  or industry standard. These audits often overlap traditional audits, but may focus on particular system or data.

  Operational Audit - Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit

  financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives.[1] Operational audit is a more comprehensive form of an Internal audit.

  Forensic Audit - Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or

  irregularities (including fraud) and giving preventative advice.

  CISA Review Manual 2014 Page number 44

  http://searchcompliance.techtarget.com/definition/compliance-audit

  http://en.wikipedia.org/wiki/Financial_audit

  http://en.wikipedia.org/wiki/Operational_auditing

  http://en.wikipedia.org/wiki/Information_technology_audit

  http://www.investorwords.com/16445/forensic_audit.html

• Question 316:

  Following request for proposal (RFP) responses, a project seeking to acquire a new application system has identified a short list of vendors. At this point, the IS auditor should:

  A. encourage contact with current users of the vendor's products
  B. perform a detailed cost-benefit exercise on the proposed application
  C. require that contract terms include a right-to-audit clause
  D. recommend performing system integration tests
  C. require that contract terms include a right-to-audit clause

  ---

  Explanation

• Question 317:

  Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?

  A. Continuous auditing
  B. Manual checks
  C. Exception reporting
  D. Automated reconciliations
  A. Continuous auditing

  ---

  Explanation

  Continuous auditing provides the greatest assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively12. Continuous auditing involves the use of automated tools to continuously monitor and audit a system's operations12. This allows for real-time identification and resolution of issues, ensuring that the system is always functioning as expected. It also provides ongoing assurance about the integrity and reliability of the data being compiled by the middleware application.

  References: 5 Data Integration Methods and Strategies | Talend What Is Middleware? Definition, Architecture, and Best Practices

• Question 318:

  A legacy application is running on an operating system that is no longer supported by the vendor. If the organization continues to use the current application, which of the following should be the IS auditor's GREATEST concern?

  A. Potential exploitation of zero-day vulnerabilities in the system
  B. Inability to update the legacy application database
  C. Increased cost of maintaining the system
  D. Inability to use the operating system due to potential license issues
  A. Potential exploitation of zero-day vulnerabilities in the system

  ---

  Explanation

• Question 319:

  Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

  A. Re-partitioning
  B. Degaussing
  C. Formatting
  D. Data wiping
  D. Data wiping

  ---

  Explanation

  The best way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed is data wiping. Data wiping is a process that overwrites the data on the hard disk with random or meaningless patterns, making it unrecoverable by any software or hardware methods. Data wiping can provide a high level of security and assurance that the organization's information is permanently erased from the hard disk, and that it cannot be accessed by unauthorized parties or malicious actors. Re-partitioning is not a way to sanitize a hard disk for reuse, but rather a way to organize the hard disk into different logical sections or volumes. Re-partitioning does not erase the data on the hard disk, but only changes the structure and allocation of the disk space. Re- partitioning may make the data inaccessible to the operating system, but not to other tools or methods that can scan or recover the data from the disk sectors. Degaussing is a way to sanitize a hard disk for reuse, but only for magnetic hard disks, not solid state drives (SSDs). Degaussing is a process that exposes the hard disk to a strong magnetic field, which disrupts and destroys the magnetic alignment of the data on the disk platters. Degaussing can effectively erase the data on magnetic hard disks, but it can also damage or render unusable the electronic components of the hard disk, such as the read/write heads or circuit boards. Degaussing also does not work on SSDs, which store data using flash memory cells, not magnetic media. Formatting is not a way to sanitize a hard disk for reuse, but rather a way to prepare the hard disk for use by an operating system. Formatting is a process that creates a file system on the hard disk, which defines how the data is stored and accessed on the disk. Formatting does not erase the data on the hard disk, but only deletes the file system metadata and marks the disk space as available for new data. Formatting may make the data invisible to the operating system, but not to other tools or methods that can restore or recover the data from the disk sectors.

  References: How to Wipe A Hard Drive for Reuse? Check the Quickest Way to Wipe A Hard Drive - EaseUS 1 HP PCs - Using Secure Erase or HP Disk Sanitizer 2 HOW to QUICKLY and PERMANENTLY SANITIZE ANY DRIVE (SSD, USB thumb drive ...)

• Question 320:

  Which of the following is the most important benefit of control self-assessment (CSA)?

  A. CSA is a policy/rule driven
  B. In CSA approach, risk is identified sooner
  C. CSA requires limited employee participations
  D. In CSA, resources are being used in an effective manner.
  B. In CSA approach, risk is identified sooner

  ---

  Explanation

  Control self-assessment is an assessment of controls made by staff and management within the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal controls of the

  organization are reliable. The CSA approach requires extensive employee participations and training. This will help to employee understand more about business risks. This will insure the detection of risk in timely manner.

  For your exam you should know the information below about control self-assessment:

  Benefits of CSA

  Early detection of risk

  More efficient and improved internal controls

  Creation of cohesive teams through employee involvement

  Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives Increased employee awareness of organizational objectives, and knowledge of risk and

  internal controls

  Highly motivated employees

  Improved audit training process

  Reduction in control cost

  Assurance provided to stakeholders and customers

  Traditional and CSA attributes

  Traditional Historical CSA

  Assign duties/supervises staff Empowered/accountable employees

  Policy/rule driven Continuous improvement/learning curve

  Limited employee participation Extensive employee participation and training

  Narrow stakeholders focus Broad stakeholders focus

  Auditors and other specialist Staff at all level, in all functions, are the primary control analysts

  The following answers are incorrect:

  The other options specified are incorrectly describes about CSA.

  CISA review manual 2014 page number 61, 62 and 63