Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 381:

  An IS auditor is reviewing the service management of an outsourced help desk. Which of the following is the BEST indicator of how effectively the service provider is performing this function?

  A. Average ticket age
  B. Number of calls worked
  C. Customer satisfaction ratings
  D. Call transcript reviews
  C. Customer satisfaction ratings

  ---

  Explanation

  Explanation

• Question 382:

  A small business unit is implementing a control self-assessment (CSA) program and leveraging the internal audit function to test its internal controls annually. Which of the following is the MOST significant benefit of this approach?

  A. Compliance costs are reduced.
  B. Risks are detected earlier.
  C. Business owners can focus more on their core roles.
  D. Line management is more motivated to avoid control exceptions.
  B. Risks are detected earlier.

  ---

  Explanation

  The most significant benefit of implementing a control self-assessment (CSA) program and leveraging the internal audit function to test its internal controls annually is that risks are detected earlier. A CSA program is a process that enables business owners and managers to assess and improve their own internal controls on a regular basis, without relying on external auditors or consultants. A CSA program can help identify and mitigate risks, enhance performance, increase accountability, and foster a culture of control within the organization. By leveraging the internal audit function to test its internal controls annually, a small business unit can also obtain independent assurance and validation of its CSA results, as well as recommendations for improvement. This approach can help reduce compliance costs, as external audits may be less frequent or extensive. However, this is not the most significant benefit, as compliance costs are only one aspect of the total cost of risk. Business owners can also focus more on their core roles, as they can delegate some of their control responsibilities to their staff or teams through CSA. However, this is not the most significant benefit, as business owners still need to oversee and monitor their CSA activities and results, and ensure that they align with their strategic objectives and priorities. Line management may also be more motivated to avoid control exceptions, as they are directly involved in assessing and improving their own controls through CSA. However, this is not the most significant benefit, as motivation alone may not be sufficient to ensure effective control design and operation.

  References: Info Technology and Systems Resources | COBIT, Risk, Governance ... - ISACA, IT Governance and Process Maturity

• Question 383:

  An organization saves confidential information in a file with password protection and the file is placed in a shared folder. An attacker has stolen this information by obtaining the password through social engineering. Implementing which of the following would BEST enable the organization to prevent this type of incident in the future?

  A. Multi-factor authentication (MFA)
  B. Security awareness programs for employees
  C. Access history log review by the business manager
  D. File encryption along with password protection
  B. Security awareness programs for employees

  ---

  Explanation

  Social engineering exploits human vulnerabilities, and the most effective mitigation is training employees to recognize and respond to these threats. Security awareness programs help build a culture of vigilance, equipping employees with the

  knowledge to identify phishing attempts, suspicious behavior, and other social engineering tactics. Multi-factor Authentication (MFA) (Option A):Enhances access control but does not address the human vulnerability to social engineering.

  Access History Log Review (Option C):Useful for post-incident analysis but does not prevent incidents.

  File Encryption with Password Protection (Option D):Adds security layers but is ineffective if the password is compromised.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

• Question 384:

  Which of the following provides the MOST useful information for performing a business impact analysis (B1A)?

  A. inventory of relevant business processes
  B. Policies for business procurement
  C. Documentation of application configurations
  D. Results of business resumption planning efforts
  A. inventory of relevant business processes

  ---

  Explanation

  A business impact analysis (BIA) is a process that identifies and evaluates the potential effects of disruptions to critical business operations as a result of a disaster, accident or emergency. A BIA should include an inventory of relevant business processes that support the organization's strategic objectives and are essential for its continuity. The inventory should also identify the dependencies, interdependencies, recovery priorities and time frames for each business process. Policies for business procurement, documentation of application configurations and results of business resumption planning efforts are not as useful as an inventory of relevant business processes for performing a BIA.

  References: : Business Impact Analysis (BIA) Definition : Business Impact Analysis (BIA) | ISACA

• Question 385:

  Which of the following should be an IS auditor's GREATEST concern when assessing an IT service configuration database?

  A. The database is read-accessible for all users.
  B. The database is write-accessible for all users.
  C. The database is not encrypted at rest.
  D. The database is executable for all users.
  B. The database is write-accessible for all users.

  ---

  Explanation

• Question 386:

  Which of the following is the GREATEST risk that could result from a contracted penetration tester attempting SQL injection techniques on the production system?

  A. The tester's access could be elevated.
  B. Events could be improperly logged.
  C. Sensitive data could be exfiltrated.
  D. Production data could be altered.
  D. Production data could be altered.

  ---

  Explanation

  Explanation

• Question 387:

  Which of the following is the PRIMARY reason for an IS auditor to use computer-assisted audit techniques (CAATs)?

  A. To efficiently test an entire population
  B. To perform direct testing of production data
  C. To conduct automated sampling for testing
  D. To enable quicker access to information
  D. To enable quicker access to information

  ---

  Explanation

• Question 388:

  Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

  A. Reviewing the parameter settings
  B. Reviewing the system log
  C. Interviewing the firewall administrator
  D. Reviewing the actual procedures
  A. Reviewing the parameter settings

  ---

  Explanation

  The best audit procedure to determine whether a firewall is configured in compliance with the organization's security policy is reviewing the parameter settings. Parameter settings are values or options that define how a firewall operates and functions, such as rules, filters, ports, protocols, etc. By reviewing the parameter settings of a firewall, an IS auditor can verify whether they match with the organization's security policy, which is a document that outlines the security objectives, requirements, and guidelines for an organization's information systems and resources. Reviewing the system log is a possible audit procedure to determine whether a firewall is configured in compliance with the organization's security policy, but it is not the best one, as a system log records events or activities that occur on a firewall, such as connections, requests, responses, errors, alerts, etc., and may not indicate whether they comply with the organization's security policy. Interviewing the firewall administrator is a possible audit procedure to determine whether a firewall is configured in compliance with the organization's security policy, but it is not the best one, as a firewall administrator may not provide accurate or reliable information about the firewall configuration, and may have conflicts of interest or ulterior motives. Reviewing the actual procedures is a possible audit procedure to determine whether a firewall is configured in compliance with the organization's security policy, but it is not the best one, as actual procedures describe how a firewall is configured and maintained, such as installation, testing, updating, etc., and may not reflect whether they comply with the organization's security policy.

• Question 389:

  An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?

  A. Segregation of duties between issuing purchase orders and making payments.
  B. Segregation of duties between receiving invoices and setting authorization limits
  C. Management review and approval of authorization tiers
  D. Management review and approval of purchase orders
  A. Segregation of duties between issuing purchase orders and making payments.

  ---

  Explanation

  The most important control to assess in an audit of an organization's accounts payable processes is segregation of duties between issuing purchase orders and making payments. Segregation of duties is a principle that requires different individuals or departments to perform different tasks or functions within a process, in order to prevent fraud, errors, or conflicts of interest. In the accounts payable process, segregation of duties between issuing purchase orders and making payments ensures that no one person can initiate and complete a transaction without proper authorization and verification. This reduces the risk of duplicate payments, overpayments, unauthorized payments, or payments to fictitious vendors.

  References: Accounts payable controls Accounts Payable Internal Controls: A Simple Checklist

• Question 390:

  During an audit, an IT finding is agreed upon by all IT teams involved, but no team wants to be responsible for remediation or considers the finding within Its area of responsibility Which of the following is the IS auditor's BEST course of action?

  A. Escalate to IT management for resolution.
  B. Issue the finding without identifying an owner
  C. Assign shared responsibility to all IT teams.
  D. Determine the most appropriate team and assign accordingly.
  A. Escalate to IT management for resolution.

  ---

  Explanation

  The best course of action for the IS auditor is A. Escalate to IT management for resolution. This is because IT management is responsible for overseeing and coordinating the IT activities and functions within the organization, and ensuring

  that they comply with the audit findings and recommendations. IT management can help resolve the issue of finding ownership by:

  Clarifying and communicating the roles and responsibilities of each IT team, and how they relate to the finding and its remediation.

  Evaluating and assigning the finding to the most appropriate IT team, based on their expertise, authority, and availability.

  Providing guidance and support to the assigned IT team, and monitoring their progress and performance in remediating the finding.