Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 321:

  During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements Which of the following is the BEST way to obtain this assurance?

  A. Review sign-off documentation
  B. Review the source code related to the calculation
  C. Re-perform the calculation with audit software
  D. Inspect user acceptance lest (UAT) results
  C. Re-perform the calculation with audit software

  ---

  Explanation

  The best way to obtain assurance that certain automated calculations comply with the regulatory requirements is to re-perform the calculation with audit software. This will allow the auditor to independently verify the accuracy and validity of the calculation and compare it with the expected results. Reviewing sign-off documentation, source code, or user acceptance test results may not provide sufficient evidence or assurance that the calculation is correct and compliant.

  References: CISA Review Manual (Digital Version), page 325 CISA Questions, Answers and Explanations Database, question ID 3335

• Question 322:

  While reviewing the project plan for a new system prior to go-live, an IS auditor notes that the project team has not documented a fallback plan. Which of the following would be the BEST go-live approach in this situation?

  A. Parallel processing
  B. Immediate cutover
  C. Real-time replication
  D. Load balancing
  A. Parallel processing

  ---

  Explanation

• Question 323:

  Which of the following is MOST critical for the effective implementation of IT governance?

  A. Strong risk management practices
  B. Internal auditor commitment
  C. Supportive corporate culture
  D. Documented policies
  C. Supportive corporate culture

  ---

  Explanation

  The most critical factor for the effective implementation of IT governance is a supportive corporate culture. A supportive corporate culture is one that fosters collaboration, communication and commitment among all stakeholders involved in IT governance processes. A supportive corporate culture also promotes a shared vision, values and goals for IT governance across the organization. Strong risk management practices, internal auditor commitment or documented policies are important elements for IT governance implementation, but they are not sufficient without a supportive corporate culture.

  References: ISACA, CISA Review Manual, 27th Edition, 2018, page 41

• Question 324:

  A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items lo the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

  A. Separate authorization for input of transactions
  B. Statistical sampling of adjustment transactions
  C. Unscheduled audits of lost stock lines
  D. An edit check for the validity of the inventory transaction
  A. Separate authorization for input of transactions

  ---

  Explanation

  Separate authorization for input of transactions. This control would have best prevented this type of fraud in a retail environment by ensuring that the warehouse employee who handles the inventory items does not have the authority to enter adjustments to the inventory system. This would create a segregation of duties that would reduce the risk of collusion and concealment of theft. The other options are not as effective as option A in preventing this type of fraud. Option B, statistical sampling of adjustment transactions, is a detective control that may help identify fraudulent transactions after they have occurred, but it does not prevent them from happening in the first place. Option C, unscheduled audits of lost stock lines, is also a detective control that may reveal discrepancies between the physical and recorded inventory, but it does not address the root cause of the fraud. Option D, an edit check for the validity of the inventory transaction, is a preventive control that may help verify the accuracy and completeness of the transaction data, but it does not prevent unauthorized or fraudulent adjustments.

  References: ISACA, CISA Review Manual, 27th Edition, 2019 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription Different Types of Inventory Fraud and How to Prevent Them1 6 Ways to Prevent Inventory Fraud in Your Business2

• Question 325:

  An organization is migrating its HR application to an Infrastructure as a Service (laaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?

  A. The cloud provider's external auditor
  B. The cloud provider
  C. The operating system vendor
  D. The organization
  D. The organization

  ---

  Explanation

  The organization is primarily responsible for the security configurations of the deployed application's operating system when migrating its HR application to an Infrastructure as a Service (IaaS) model in a private cloud. This is because in an IaaS model, the cloud provider is responsible for the security of the underlying infrastructure that they lease to their customers, such as servers, storage, and networks, while the customer is responsible for the security of the areas of the cloud infrastructure over which they have control, such as operating systems, middleware, and applications. Therefore, the organization needs to ensure that the operating system is properly configured, patched, hardened, and monitored to protect the HR application from unauthorized access or malicious attacks. The other options are not primarily responsible for the security configurations of the deployed application's operating system. The cloud provider's external auditor is not responsible for any security configurations, but rather for verifying and reporting on the cloud provider's compliance with relevant standards and regulations. The cloud provider is responsible for the security of the underlying infrastructure, but not for the operating system or any software installed on it by the customer. The operating system vendor is responsible for providing updates and patches for the operating system, but not for configuring or securing it according to the customer's needs.

  References:

  11: What Is IaaS (Infrastructure As A Service)? - Forbes

  12: What is Shared Responsibility Model? - Check Point Software

  13: Who Is Responsible for Cloud Security? - Security Intelligence

• Question 326:

  Which of the following is the BEST security control to validate the integrity of data communicated between production databases and a big data analytics system?

  A. Hashing in-scope data sets
  B. Encrypting in-scope data sets
  C. Running and comparing the count function within the in-scope data sets
  D. Hosting a digital certificate for in-scope data sets
  A. Hashing in-scope data sets

  ---

  Explanation

  Hashing is a technique that transforms data into a fixed-length value, called a hash or a digest, that uniquely represents the original data. Hashing can be used to validate the integrity of data communicated between production databases and a big data analytics system by comparing the hash values of the data before and after the communication. If the hash values match, the data has not been altered; if they differ, the data has been tampered with or corrupted. Hashing is a better security control than encrypting, running and comparing the count function, or hosting a digital certificate for this purpose because: Encrypting in-scope data sets can protect the confidentiality of the data, but not necessarily the integrity. Encryption algorithms can be broken or bypassed by malicious actors, or encryption keys can be compromised or lost. Moreover, encryption adds overhead to the communication process and may affect the performance of the big data analytics system. Running and comparing the count function within the in-scope data sets can only verify the number of records or elements in the data sets, but not the content or quality of the data. The count function cannot detect any changes or errors in the data values, such as missing, duplicated, corrupted, or manipulated data. Hosting a digital certificate for in-scope data sets can provide authentication and non- repudiation for the data sources, but not integrity for the data itself. A digital certificate is a document that contains information about the identity and public key of an entity, such as a person, organization, or device. A digital certificate does not contain or verify the actual data that is communicated between production databases and a big data analytics system.

  References: Ensuring Data Integrity with Hash Codes Database Security: An Essential Guide Control methods of Database Security

• Question 327:

  An organization outsourced its IS functions to meet its responsibility for disaster recovery, the organization should:

  A. discontinue maintenance of the disaster recovery plan (DRP>
  B. coordinate disaster recovery administration with the outsourcing vendor
  C. delegate evaluation of disaster recovery to a third party
  D. delegate evaluation of disaster recovery to internal audit
  B. coordinate disaster recovery administration with the outsourcing vendor

  ---

  Explanation

  An organization outsourced its IS functions. To meet its responsibility for disaster recovery, the organization should coordinate disaster recovery administration with the outsourcing vendor. This is because the organization remains accountable for ensuring the continuity and availability of its IS functions, even if they are outsourced to a third party. The organization should establish clear roles and responsibilities, communication channels, testing procedures, and escalation processes with the outsourcing vendor for disaster recovery purposes. The organization should not discontinue maintenance of the disaster recovery plan (DRP), as it still needs to have a documented and updated plan for restoring its IS functions in case of a disaster. The organization should not delegate evaluation of disaster recovery to a third party or internal audit, as it still needs to monitor and review the performance and compliance of the outsourcing vendor with respect to disaster recovery objectives and standards.

  References: CISA Review Manual (Digital Version), [ISACA Auditing Standards]

• Question 328:

  When drafting a disaster recovery strategy, what should be the MOST important outcome of a business impact analysis (BIA)?

  A. Establishing recovery point objectives (RPOs)
  B. Determining recovery priorities
  C. Establishing recovery time objectives (RTOs)
  D. Determining recovery costs
  B. Determining recovery priorities

  ---

  Explanation

• Question 329:

  An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward 10 those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

  A. The number of users deleting the email without reporting because it is a phishing email
  B. The number of users clicking on the link to learn more about the sender of the email
  C. The number of users forwarding the email to their business unit managers
  D. The number of users reporting receipt of the email to the information security team
  D. The number of users reporting receipt of the email to the information security team

  ---

  Explanation

  The metric that best indicates the effectiveness of awareness training is the number of users reporting receipt of the email to the information security team. This shows that the users are able to recognize and report a phishing email, which is a common social engineering technique used by attackers to trick users into revealing sensitive information or installing malicious software. The other metrics do not demonstrate a high level of security awareness, as they either ignore, follow, or forward the phishing email, which could expose the organization to potential risks.

  References: CISA Review Manual, 27th Edition, page 326

• Question 330:

  An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way to the auditor to confirm the change log is complete?

  A. Interview change management personnel about completeness.
  B. Take an item from the log and trace it back to the system.
  C. Obtain management attestation of completeness.
  D. Take the last change from the system and trace it back to the log.
  D. Take the last change from the system and trace it back to the log.

  ---

  Explanation

  The answer D is correct because the best way for the auditor to confirm the change log is complete is to take the last change from the system and trace it back to the log. A change log is a record of all the changes that have been made to a system, such as software updates, bug fixes, configuration modifications, etc. A change log should contain information such as the date and time of the change, the description and purpose of the change, the person or service who made the change, and the approval status of the change. A complete change log helps to ensure that the system is secure, reliable, and compliant with the relevant standards and regulations. An IS auditor evaluating the change management process must select a sample from the change log to verify that the changes are properly authorized, documented, tested, and implemented. However, before selecting a sample, the auditor must ensure that the change log is complete and accurate, meaning that it contains all the changes that have been made to the system and that there are no missing, duplicated, or falsified entries. To do this, the auditor can use a technique called backward tracing, which involves taking the last change from the system and tracing it back to the log. This way, the auditor can check if the change is recorded in the log with all the relevant details and if there are any gaps or inconsistencies in the log. If the last change from the system is not found in the log or does not match with the log entry, it indicates that the change log is incomplete or inaccurate. The other options are not as good as option

  D. Interviewing change management personnel about completeness (option A) is not a reliable way to confirm the change log is complete because it relies on subjective opinions and self-reported information, which may not be truthful or accurate. Taking an item from the log and tracing it back to the system (option B) is a technique called forward tracing, which can be used to verify that a specific change in the log has been implemented in the system. However, this technique does not confirm that all changes in the system are recorded in the log. Obtaining management attestation of completeness (option C) is not a sufficient way to confirm the change log is complete because it does not provide any evidence or verification of completeness. Management attestation may also be biased or influenced by conflicts of interest.

  References: IS Audit Basics: Auditing Data Privacy Audit Logging: What It Is and How It Works | Datadog Change Management for SOC: Risks, Controls, Audits, Guidance Turn auditing on or off | Microsoft Learn #118 | ITGC- System Change (Audit) Log Review - A2Q2