Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 351:

  A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:

  A. audit management.
  B. the police.
  C. the audit committee.
  D. auditee line management.
  A. audit management.

  ---

  Explanation

• Question 352:

  An IS auditor is reviewing the process followed in identifying and prioritizing the critical business processes. This process is part of the:

  A. balanced scorecard.
  B. business impact analysis (BIA).
  C. operations component of the business continuity plan (BCP).
  D. enterprise risk management plan.
  C. operations component of the business continuity plan (BCP).

  ---

  Explanation

• Question 353:

  An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

  A. Examine the computer to search for evidence supporting the suspicions.
  B. Advise management of the crime after the investigation.
  C. Contact the incident response team to conduct an investigation.
  D. Notify local law enforcement of the potential crime before further investigation.
  C. Contact the incident response team to conduct an investigation.

  ---

  Explanation

  The IS auditor's best course of action if they suspect an organization's computer may have been used to commit a crime is to contact the incident response team to conduct an investigation. The incident response team is a group of experts who are responsible for responding to security incidents, such as data breaches, ransomware attacks, or cybercrimes. The incident response team can help to preserve and collect digital evidence, determine the scope and impact of the incident, contain and eradicate the threat, and restore normal operations. The IS auditor should not examine the computer themselves, as they may inadvertently alter or destroy potential evidence, or compromise the chain of custody. The IS auditor should also not notify local law enforcement before further investigation, as this may escalate the situation unnecessarily or interfere with the internal investigation process. The IS auditor should advise management of the crime after the investigation, or as soon as possible if there is an imminent risk or legal obligation to do so.

• Question 354:

  Which of the following BEST facilitates the successful implementation of IT performance monitoring?

  A. Determining goals for IT resources and processes
  B. Identifying tools to automate performance measurement
  C. Establishing templates for periodic reporting to management
  D. Adopting global standards and measurement norms
  B. Identifying tools to automate performance measurement

  ---

  Explanation

  Explanation

• Question 355:

  An IS auditor wants to verify alignment of the organization's business continuity plan (BCP) with the business strategy. Which of the following would be MOST helpful to review?

  A. Disaster recovery plan (DRP) testing results
  B. Business impact analysis (BIA)
  C. Corporate risk management policy
  D. Key performance indicators (KPIs)
  B. Business impact analysis (BIA)

  ---

  Explanation

  Explanation

  Comprehensive and Detailed Step-by-Step

  To ensure that theBCP aligns with business strategy, aBusiness Impact Analysis (BIA)is the most valuable resource.

  Option A (Incorrect):DRP testing resultsshow how wellsystems recover, but they do notestablish strategic alignmentwith business priorities. Option B (Correct):ABIA identifies critical processes, financial impact, and business priorities,

  ensuring that theBCP is alignedwith strategic goals. Option C (Incorrect):Thecorporate risk management policyis broader and does not focus onbusiness continuity priorities.

  Option D (Incorrect):KPIs measure performance, but they do notdefine business continuity needs.

  ISACA CISA Review Manual -Domain 4: Information Systems Operations and Business Resilience?CoversBCP, BIA, and business continuity alignment.

• Question 356:

  Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

  A. Balanced scorecard
  B. Enterprise dashboard
  C. Enterprise architecture (EA)
  D. Key performance indicators (KPIs)
  A. Balanced scorecard

  ---

  Explanation

  The most useful tool for determining whether the goals of IT are aligned with the organization's goals is a balanced scorecard. A balanced scorecard is a strategic management system that translates an organization's vision and mission into a set of objectives and measures across four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard helps align IT goals with organizational goals by linking them to a common strategy map that shows how IT contributes to value creation and performance improvement in each perspective. A balanced scorecard also helps monitor and evaluate IT performance against predefined targets and indicators. Enterprise dashboard, enterprise architecture (EA), and key performance indicators (KPIs) are not the most useful tools for determining whether the goals of IT are aligned with the organization's goals. These tools may help communicate, design, or measure IT goals or activities, but they do not provide a comprehensive framework for aligning IT goals with organizational goals across multiple dimensions.

• Question 357:

  Which of the following would BEST indicate the effectiveness of a security awareness training program?

  A. Results of third-party social engineering tests
  B. Employee satisfaction with training
  C. Increased number of employees completing training
  D. Reduced unintentional violations
  D. Reduced unintentional violations

  ---

  Explanation

  The effectiveness of a security awareness training program is best indicated by a reduction in unintentional violations. When employees are well-trained and aware of security practices, they are less likely to inadvertently violate security policies or make mistakes that could lead to breaches. While other factors (such as third-party social engineering tests, employee satisfaction, and completion rates) provide valuable insights, the ultimate goal of security awareness training is to minimize unintentional errors and improve overall security posture.

  References: (https://www.isaca.org/resources/isaca- journal/issues/2023/volume-2/considerations-for-developing-cybersecurity-awareness- training) (https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2023/securityawareness-training-a-critical-success-factor-for-organizations)

• Question 358:

  Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?

  A. A high percentage of stakeholders satisfied with the quality of IT
  B. Ahigh percentage of incidents being quickly resolved
  C. Ahigh percentage of IT processes reviewed by quality assurance (QA)
  D. Ahigh percentage of IT employees attending quality training
  A. A high percentage of stakeholders satisfied with the quality of IT

  ---

  Explanation

  Stakeholder satisfaction is a key indicator of the effectiveness of a QMS, as it reflects the extent to which the QMS meets the expectations and priorities of the customers and other interested parties. A high percentage of stakeholder

  satisfaction implies that the QMS is delivering consistent and reliable products or services that meet the quality standards and requirements.

  References:

  ISACA CISA Review Manual, 27th Edition, page 253

  The Four Main Components of A Quality Management System The Road to Developing an Effective Quality Management System (QMS)

• Question 359:

  Which of the following is the BEST sampling method when performing an audit test to determine the number of access requests without approval signatures?

  A. Attribute sampling
  B. Judgment sampling
  C. Stratified sampling
  D. Stop-or-go sampling
  A. Attribute sampling

  ---

  Explanation

• Question 360:

  Which of the following is an estimation technique where the results can be measure by the functional size of an information system based on the number and complexity of input, output, interface and queries?

  A. Functional Point analysis
  B. Gantt Chart
  C. Time box management
  D. Critical path methodology
  A. Functional Point analysis

  ---

  Explanation

  For CISA exam you should know below information about Functional Point Analysis:

  Function Point Analysis (FPA) is an ISO recognized method to measure the functional size of an information system. The functional size reflects the amount of functionality that is relevant to and recognized by the user in the business. It is

  independent of the technology used to implement the system.

  The unit of measurement is "function points". So, FPA expresses the functional size of an information system in a number of function points (for example: the size of a system is 314 fop's).

  The functional size may be used:

  To budget application development or enhancement costs

  To budget the annual maintenance costs of the application portfolio

  To determine project productivity after completion of the project

  To determine the Software Size for cost estimating

  All software applications will have numerous elementary processes or independent processes to move data. Transactions (or elementary processes) that bring data from outside the application domain (or application boundary) to inside that

  application boundary are referred to as external inputs. Transactions (or elementary processes) that take data from a resting position (normally on a file) to outside the application domain (or application boundary) are referred as either an

  external outputs or external inquiries. Data at rest that is maintained by the application in question is classified as internal logical files. Data at rest that is maintained by another application in question is classified as external interface files.

  Types of Function Point Counts:

  Development Project Function Point Count

  Function Points can be counted at all phases of a development project from requirements up to and including implementation. This type of count is associated with new development work. Scope creep can be tracked and monitored by

  understanding the functional size at all phase of a project. Frequently, this type of count is called a baseline function point count.

  Enhancement Project Function Point Count

  It is common to enhance software after it has been placed into production. This type of function point count tries to size enhancement projects. All production applications evolve over time. By tracking enhancement size and associated costs a

  historical database for your organization can be built. Additionally, it is important to understand how a Development project has changed over time.

  Application Function Point Count

  Application counts are done on existing production applications. This "baseline count" can be used with overall application metrics like total maintenance hours. This metric can be used to track maintenance hours per function point. This is an

  example of a normalized metric. It is not enough to examine only maintenance, but one must examine the ratio of maintenance hours to size of the application to get a true picture.

  Productivity:

  The definition of productivity is the output-input ratio within a time period with due consideration for quality.

  Productivity = outputs/inputs (within a time period, quality considered)

  The formula indicates that productivity can be improved by (1) by increasing outputs with the same inputs, (2) by decreasing inputs but maintaining the same outputs, or (3) by increasing outputs and decreasing inputs change the ratio

  favorably.

  Software Productivity = Function Points / Inputs

  Effectiveness vs. Efficiency:

  Productivity implies effectiveness and efficiency in individual and organizational performance. Effectiveness is the achievement of objectives. Efficiency is the achievement of the ends with least amount of resources.

  Software productivity is defined as hours/function points or function points/hours. This is the average cost to develop software or the unit cost of software. One thing to keep in mind is the unit cost of software is not fixed with size. What

  industry data shows is the unit cost of software goes up with size.

  Average cost is the total cost of producing a particular quantity of output divided by that quantity. In this case to Total Cost/Function Points. Marginal cost is the change in total cost attributable to a one-unit change in output.

  There are a variety of reasons why marginal costs for software increase as size increases. The following is a list of some of the reasons

  As size becomes larger complexity increases.

  As size becomes larger a greater number of tasks need to be completed.

  As size becomes larger there is a greater number of staff members and they become more difficult to manage.

  Function Points are the output of the software development process. Function points are the unit of software. It is very important to understand that Function Points remain constant regardless who develops the software or what language the

  software is developed in. Unit costs need to be examined very closely. To calculate average unit cost all items (units) are combined and divided by the total cost. On the other hand, to accurately estimate the cost of an application each

  component cost needs to be estimated.

  Determine type of function point count

  Determine the application boundary

  Identify and rate transactional function types to determine their contribution to the unadjusted function point count.

  Identify and rate data function types to determine their contribution to the unadjusted function point count.

  Determine the value adjustment factor (VAF)

  Calculate the adjusted function point count.

  To complete a function point count knowledge of function point rules and application documentation is needed. Access to an application expert can improve the quality of the count. Once the application boundary has been established, FPA

  can be broken into three major parts

  FPA for transactional function types

  FPA for data function types

  FPA for GSCs

  Rating of transactions is dependent on both information contained in the transactions and the number of files referenced, it is recommended that transactions are counted first. At the same time a tally should be kept of all FTR's (file types

  referenced) that the transactions reference. Every FTR must have at least one or more transactions. Each transaction must be an elementary process. An elementary process is the smallest unit of activity that is meaningful to the end user in

  the business. It must be self-contained and leave the business in consistent state

  The following were incorrect answers:

  Critical Path Methodology - The critical path method (CPM) is an algorithm for scheduling a set of project activities

  Gantt Chart - A Gantt chart is a type of bar chart, developed by Henry Gantt in the 1910s, that illustrates a project schedule. Gantt charts illustrate the start and finish dates of the terminal elements and summary elements of a project.

  Terminal elements and summary elements comprise the work breakdown structure of the project. Modern Gantt charts also show the dependency (i.e. precedence network) relationships between activities. Gantt charts can be used to show

  current schedule status using percent-complete shadings and a vertical "TODAY" line as shown here.

  Time box Management - In time management, a time boxing allocates a fixed time period, called a time box, to each planned activity. Several project management approaches use time boxing. It is also used for individual use to address

  personal tasks in a smaller time frame. It often involves having deliverables and deadlines, which will improve the productivity of the user.

  CISA review manual 2014 Page number 154