Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 361:

  When reviewing the effectiveness of data center operations, the IS auditor would FIRST establish that system performance:

  A. is monitored and reported against agreed service levels.
  B. reflects the expected usage levels established at implementation.
  C. meets the expected targets specified by the manufacturer.
  D. is within generally accepted reliability levels for that system.
  D. is within generally accepted reliability levels for that system.

  ---

  Explanation

• Question 362:

  Which of the following MOST efficiently protects computer equipment against short-term reductions in electrical power?

  A. Surge protection devices
  B. Alternative power supplies
  C. Power line conditioners
  D. Generators
  C. Power line conditioners

  ---

  Explanation

• Question 363:

  Which of the following software development methodology uses minimal planning and in favor of rapid prototyping?

  A. Agile Developments
  B. Software prototyping
  C. Rapid application development
  D. Component based development
  C. Rapid application development

  ---

  Explanation

  Rapid application development (RAD) is a software development methodology that uses minimal planning in favor of rapid prototyping. The "planning" of software developed using RAD is interleaved with writing the software itself. The lack of extensive per-planning generally allows software to be written much faster, and makes it easier to change requirements. Rapid Application Development

  

  Four phases of RAD Requirements Planning phase ?combines elements of the system planning and systems analysis phases of the Systems Development Life Cycle (SDLC). Users, managers, and IT staff members discuss and agree on business needs, project scope, constraints, and system requirements. It ends when the team agrees on the key issues and obtains management authorization to continue.

  User design phase ?during this phase, users interact with systems analysts and develop models and prototypes that represent all system processes, inputs, and outputs. The RAD groups or subgroups typically use a combination of Joint Application Development (JAD) techniques and CASE tools to translate user needs into working models. User Design is a continuous interactive process that allows users to understand, modify, and eventually approve a working model of the system that meets their needs.

  Construction phase ?focuses on program and application development task similar to the SDLC. In RAD, however, users continue to participate and can still suggest changes or improvements as actual screens or reports are developed. Its tasks are programming and application development, coding, unit-integration and system testing.

  Cutover phase ?resembles the final tasks in the SDLC implementation phase, including data conversion, testing, changeover to the new system, and user training. Compared with traditional methods, the entire process is compressed. As a result, the new system is built, delivered, and placed in operation much sooner.

  The following were incorrect answers:

  Agile Development - Agile software development is a group of software development methods based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams.

  Software prototyping- Software prototyping, refers to the activity of creating prototypes of software applications, i.e., incomplete versions of the software program being developed. It is an activity that can occur in software development and is comparable to prototyping as known from other fields, such as mechanical engineering or manufacturing.

  Component Based Development - It is a reuse-based approach to defining, implementing and composing loosely coupled independent components into systems. This practice aims to bring about an equally wide-ranging degree of benefits in both the short-term and the long-term for the software itself and for organizations that sponsor such software.

  CISA review manual 2014 Page number 195

• Question 364:

  In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?

  A. Planning phase
  B. Execution phase
  C. Follow-up phase
  D. Selection phase
  A. Planning phase

  ---

  Explanation

  The planning phase is the stage of the internal audit process where contact is established with the individuals responsible for the business processes in scope for review. The planning phase involves defining the objectives, scope, and criteria of the audit, as well as identifying the key risks and controls related to the audited area. The planning phase also involves communicating with the auditee to obtain relevant information, documents, and data, as well as to schedule interviews, walkthroughs, and meetings. The planning phase aims to ensure that the audit team has a clear understanding of the audited area and its context, and that the audit plan is aligned with the expectations and needs of the auditee and other stakeholders. The execution phase is the stage of the internal audit process where the audit team performs the audit procedures according to the audit plan. The execution phase involves testing the design and operating effectiveness of the controls, collecting and analyzing evidence, documenting the audit work and results, and identifying any issues or findings. The execution phase aims to provide sufficient and appropriate evidence to support the audit conclusions and recommendations. The follow-up phase is the stage of the internal audit process where the audit team monitors and verifies the implementation of the corrective actions agreed upon by the auditee in response to the audit findings. The follow-up phase involves reviewing the evidence provided by the auditee, conducting additional tests or interviews if necessary, and evaluating whether the corrective actions have adequately addressed the root causes of the findings. The follow-up phase aims to ensure that the auditee has taken timely and effective actions to improve its processes and controls. The selection phase is not a standard stage of the internal audit process, but it may refer to the process of selecting which areas or functions to audit based on a risk assessment or an annual audit plan. The selection phase involves evaluating the inherent and residual risks of each potential auditable area, considering the impact, likelihood, and frequency of those risks, as well as other factors such as regulatory requirements, stakeholder expectations, previous audit results, and available resources. The selection phase aims to prioritize and allocate the audit resources to those areas that present the highest risks or opportunities for improvement. Therefore, option A is the correct answer.

  References: Stages and phases of internal audit - piranirisk.com Step-by-Step Internal Audit Checklist | AuditBoard Audit Process | The Office of Internal Audit - University of Oregon

• Question 365:

  John had implemented a validation check on the marital status field of a payroll record. A payroll record contains a field for marital status and acceptable status code are M for Married or S for Single. If any other code is entered, record should be rejected. Which of the following data validation control was implemented by John?

  A. Range Check
  B. Validity Check
  C. Existence check
  D. Reasonableness check
  B. Validity Check

  ---

  Explanation

  In a validity check control programmed checking of data validity in accordance with predefined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, record should be rejected.

  For CISA exam you should know below mentioned data validation edits and controls

  Sequence Check ?The control number follows sequentially and any sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are numbered sequentially. The day's

  invoice begins with 12001 and ends with 15045. If any invoice larger than 15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.

  Limit Check ?Data should not exceed a predefined amount. For example, payroll checks should not exceed US $ 4000. If a check exceeds US $ 4000, data would be rejected for further verification/authorization.

  Validity Check ?Programmed checking of data validity in accordance with predefined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, record

  should be rejected.

  Range Check ?Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

  Reasonableness check ?Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received,

  the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

  Table Lookups ?Input data comply with predefined criteria maintained in computerized table of possible values. For example, an input check enters a city code of 1 to 10. This number corresponds with a computerize table that matches a

  code to a city name.

  Existence Check ?Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in transaction code field.

  Key verification ?The keying process is repeated by a separate individual using a machine that compares the original key stroke to the repeated keyed input. For ex. the worker number is keyed twice and compared to verify the keying

  process.

  Check digit ?a numeric value that has been calculated mathematically is added to a data to ensure that original data have not been p[ altered or incorrect, but Valid, value substituted. This control is effective in detecting transposition and

  transcription error. For ex. A check digit is added to an account number so it can be checked for accuracy when it is used.

  Completeness check ?a filed should always contain data rather than zero or blanks. A check of each byte of that field should be performed to determine that some form of data, or not blanks or zeros, is present. For ex. A worker number on a

  new employee record is left blank. His is identified as a key in filed and the record would be rejected, with a request that the field be completed before the record is accepted for processing.

  Duplicate check ?new transaction is matched to those previously input to ensure that they have not already been entered. For ex. A vendor invoice number agrees with previously recorded invoice to ensure that the current order is not a

  duplicate and, therefore, the vendor will not be paid twice.

  Logical relationship check ?if a particular condition is true, then one or more additional conditions or data input relationship may be required to be true and consider the input valid. For ex. The hire data of an employee may be required to be

  true and consider the input valid. For ex. The hire date of an employee may be required to be more than 16 years past his her date of birth.

  The following were incorrect answers:

  Range Check -Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

  Existence Check ?Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in transaction code field.

  Reasonableness check ?Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received,

  the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

  CISA review manual 2014 Page number 215

• Question 366:

  Which of the following is the BEST indication that an information security awareness program is effective?

  A. A reduction in the number of reported information security incidents
  B. A reduction in the success rate of social engineering attacks
  C. A reduction in the cost of maintaining the information security program
  D. A reduction in the number of information security attacks
  B. A reduction in the success rate of social engineering attacks

  ---

  Explanation

  The success rate of social engineering attacks directly measures the behavioral changes resulting from an information security awareness program. Employees who are aware and informed are better equipped to identify and thwart such

  attacks. Reduction in Reported Incidents (Option A):This may indicate underreporting rather than program effectiveness.

  Reduction in Cost of Maintaining the Program (Option C):This reflects cost efficiency, not program effectiveness.

  Reduction in Number of Attacks (Option D):The number of attacks is beyond the control of awareness programs and does not reflect their impact.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

• Question 367:

  A bank is selecting a server for its retail accounts application. To ensure that the server can handle a high volume of transactions with the required response times, which test should the IS auditor recommend?

  A. Regression
  B. Acceptance
  C. Benchmark
  D. Integration
  C. Benchmark

  ---

  Explanation

• Question 368:

  Which of the following is MOST important when implementing a data classification program?

  A. Understanding the data classification levels
  B. Formalizing data ownership
  C. Developing a privacy policy
  D. Planning for secure storage capacity
  B. Formalizing data ownership

  ---

  Explanation

  Data classification is the process of organizing data into categories based on its sensitivity, value, and risk to the organization. Data classification helps to ensure that data is protected according to its importance and regulatory requirements.

  Data classification also enables data owners to make informed decisions about data access, retention, and disposal.

  To implement a data classification program, it is most important to formalize data ownership. Data owners are the individuals or business units that have the authority and responsibility for the data they create or use. Data owners should be

  involved in defining the data classification levels, assigning the appropriate classification to their data, and ensuring that the data is handled according to the established policies and procedures. Data owners should also review and update the

  data classification periodically or when there are changes in the data or its usage.

  The other options are not as important as formalizing data ownership when implementing a data classification program. Understanding the data classification levels is necessary, but it is not sufficient without identifying the data owners who

  will apply them. Developing a privacy policy is a good practice, but it is not specific to data classification. Planning for secure storage capacity is a technical consideration, but it does not address the business and legal aspects of data

  classification.

  References:

  ISACA, CISA Review Manual, 27th Edition, 2020, page 247 Data Classification: What It Is and How to Implement It

• Question 369:

  Which of the following presents the GREATEST challenge to the alignment of business and IT?

  A. Lack of chief information officer (CIO) involvement in board meetings
  B. Insufficient IT budget to execute new business projects
  C. Lack of information security involvement in business strategy development
  D. An IT steering committee chaired by the chief information officer (CIO)
  A. Lack of chief information officer (CIO) involvement in board meetings

  ---

  Explanation

  The greatest challenge to the alignment of business and IT is the lack of chief information officer (CIO) involvement in board meetings. The CIO is the senior executive responsible for overseeing the IT strategy, governance, and operations of the organization, and ensuring that they support the business objectives and needs. The CIO should be involved in board meetings to communicate the value and contribution of IT to the organization, to align the IT vision and direction with the business strategy and priorities, and to advocate for the IT resources and investments required to achieve the desired outcomes. The lack of CIO involvement in board meetings can result in a disconnect between business and IT, a loss of trust and confidence in IT, and missed opportunities for innovation and value creation. The other options are not as challenging as the lack of CIO involvement in board meetings, because they either do not affect the strategic alignment of business and IT, or they can be addressed by other means such as collaboration, negotiation, or escalation.

  References: CISA Review Manual (Digital Version)1, Chapter 1, Section 1.2.1

• Question 370:

  Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

  A. Compliance with action plans resulting from recent audits
  B. Compliance with local laws and regulations
  C. Compliance with industry standards and best practice
  D. Compliance with the organization's policies and procedures
  B. Compliance with local laws and regulations

  ---

  Explanation

  The best test to provide assurance that a health care organization is handling patient data appropriately is compliance with local laws and regulations, as these are the primary sources of authority and obligation for data protection and privacy. Compliance with action plans, industry standards, or organizational policies and procedures are also important, but they may not cover all the legal requirements or reflect the current best practices for handling patient data.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.3