Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 371:

  An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor's PRIMARY concern?

  A. A single point of failure for both voice and data communications
  B. Inability to use virtual private networks (VPNs) for internal traffic
  C. Lack of integration of voice and data communications
  D. Voice quality degradation due to packet toss
  A. A single point of failure for both voice and data communications

  ---

  Explanation

  The IS auditor's primary concern when an organization has recently implemented a Voice-over IP (VoIP) communication system is a single point of failure for both voice and data communications. VoIP is a technology that allows voice communication over IP networks such as the internet. VoIP can offer benefits such as lower costs, higher flexibility, and better integration with other applications. However, VoIP also introduces risks such as dependency on network availability, performance, and security. If both voice and data communications share the same network infrastructure and devices, then a single point of failure can affect both services simultaneously and cause significant disruption to business operations. Therefore, the IS auditor should evaluate the availability and redundancy of the network components and devices that support VoIP communication. The other options are not as critical as a single point of failure for both voice and data communications, as they do not pose a direct threat to business continuity.

  References: CISA Review Manual, 27th Edition, page 385

• Question 372:

  Which of the following should an IS auditor do FIRST when auditing a robotics process automation (RPA) implementation?

  A. Evaluate the overall solution architecture.
  B. Analyze the sequence of activities performed by the robot.
  C. Understand the business processes automated by the robot.
  D. Identity the credentials used by the robot and where they are stored.
  D. Identity the credentials used by the robot and where they are stored.

  ---

  Explanation

  Explanation

• Question 373:

  In a RAO model, which of the following roles must be assigned to only one individual?

  A. Responsible
  B. Informed
  C. Consulted
  D. Accountable
  D. Accountable

  ---

  Explanation

  In a RAO model, which stands for Responsible, Accountable, Consulted, and Informed, the accountable role must be assigned to only one individual. The accountable role is the person who has the ultimate authority and responsibility for the

  outcome of the project or task, and who approves or rejects the work done by the responsible role. The accountable role cannot be delegated or shared, as it is essential to have a clear and single point of accountability for each project or

  task. The other roles can be assigned to more than one individual:

  Responsible. This is the person who does the work or performs the task. There can be multiple responsible roles for different aspects or phases of a project or task, as long as they are coordinated and supervised by the accountable role.

  Informed. This is the person who needs to be notified or updated about the progress or results of the project or task. There can be multiple informed roles who have an interest or stake in the project or task, but who do not need to be

  consulted or involved in the decision-making process. Consulted. This is the person who provides input, feedback, or advice on the project or task. There can be multiple consulted roles who have expertise or experience relevant to the project

  or task, but who do not have the authority or responsibility to approve or reject the work done by the responsible role.

• Question 374:

  While auditing an IT department's cloud service provider, the IS auditor found that privileged access monitoring is not being performed as required by the contract. The provider disagrees with this issue and notes that compensating controls are in place. The IS auditor's NEXT course of action should be to:

  A. test compensating controls as part of the audit.
  B. define a remediation plan.
  C. review privileged access logs.
  D. recommend revising the service level agreement (SLA).
  A. test compensating controls as part of the audit.

  ---

  Explanation

• Question 375:

  Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

  A. Apply single sign-on for access control
  B. Implement segregation of duties.
  C. Enforce an internal data access policy.
  D. Enforce the use of digital signatures.
  C. Enforce an internal data access policy.

  ---

  Explanation

  The most appropriate control to prevent unauthorized retrieval of confidential information stored in a business application system is to enforce an internal data access policy. A data access policy defines who can access what data, under what conditions and for what purposes. It also specifies the roles and responsibilities of data owners, custodians and users, as well as the security measures and controls to protect data confidentiality, integrity and availability. By enforcing a data access policy, the organization can ensure that only authorized personnel can retrieve confidential information from the business application system. Applying single sign-on for access control, implementing segregation of duties and enforcing the use of digital signatures are also useful controls, but they are not sufficient to prevent unauthorized data retrieval without a clear and comprehensive data access policy.

  References: CISA Review Manual, 27th Edition, page 2301 CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

• Question 376:

  An IS auditor is reviewing the system development practices of an organization that is about to move from a Waterfall to an Agile approach. Which of the following is MOST important for the auditor to focus on as a result of this move?

  A. Secure code review
  B. Release management
  C. Capacity planning
  D. Code documentation
  B. Release management

  ---

  Explanation

  Explanation

• Question 377:

  Which of the following is the MOST important regulatory consideration for an organization determining whether to use its customer data to train AI algorithms?

  A. Documentation of AI algorithm accuracy during the training process
  B. Ethical and optimal utilization of data computing resources
  C. Collection of data and obtaining data subject consent
  D. Continuous monitoring of AI algorithm performance
  C. Collection of data and obtaining data subject consent

  ---

  Explanation

  Explanation Comprehensive and Detailed Step-by-Step Data collection and obtaining consentis themost critical regulatory requirementwhen using customer data for AI training, especially under laws likeGDPR, CCPA, and ISO 27701. Collection of Data and Obtaining Consent (Correct Answer ?C)

  AI Algorithm Accuracy (Incorrect ?A)

  Ethical Use of Computing Resources (Incorrect ?B) Continuous Monitoring of AI (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  GDPR and CCPA Compliance Guidelines

  ISO 27701 (Privacy Information Management System)

• Question 378:

  Which of the following is MOST important for an IS auditor to consider when determining an appropriate sample size in situations where selecting the entire population is not feasible?

  A. Tolerable error
  B. Accessibility of the data
  C. Data integrity
  D. Responsiveness of the auditee
  A. Tolerable error

  ---

  Explanation

• Question 379:

  Which of the following is the BEST recommendation to drive accountability for achieving the desired outcomes specified in a benefits realization plan for an IT project?

  A. Document the dependencies between the project and other projects within the same program.
  B. Ensure that IT takes ownership for the delivery and tracking of all aspects of the benefits realization plan.
  C. Ensure that the project manager has formal authority for managing the benefits realization plan.
  D. Assign responsibilities, measures, and timelines for each identified benefit within the plan.
  D. Assign responsibilities, measures, and timelines for each identified benefit within the plan.

  ---

  Explanation

• Question 380:

  An organization's data retention policy states that all data will be backed up, retained for 10 years, and then destroyed. When conducting an audit of the long-term offsite backup program, an IS auditor should:

  A. verify that business owners review data before it is destroyed.
  B. verify that there is a process to ensure readability and restore capability.
  C. confirm that business interruption insurance coverage is in place.
  D. review data classification schemes for appropriate security levels.
  B. verify that there is a process to ensure readability and restore capability.

  ---

  Explanation