Which of the following is the BEST point in time to conduct a post-implementation review?
A. After a full processing cycle
B. Immediately after deployment
C. After the warranty period
D. Prior to the annual performance review
Correct Answer: A
Explanation: The best point in time to conduct a post-implementation review is after a full processing cycle. A post-implementation review is conducted to verify that the implemented system meets the original requirements and that it is operating as intended. Therefore, it is important to wait until the system has gone through a full processing cycle, so that any errors or issues can be identified and addressed. This allows the organization to make sure that the system is stable and reliable before it is put into production.
Question 32:
A database administrator (DBA) should be prevented from:
A. having end user responsibilities
B. accessing sensitive information
C. having access to production files
D. using an emergency user ID
Correct Answer: A
Question 33:
Which of the following can only be provided by asymmetric encryption?
A. Information privacy
B. 256-bit key length
C. Data availability
D. Nonrepudiation
Correct Answer: D
Question 34:
During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor's GREATEST concern with this situation?
A. Unrealistic milestones
B. Inadequate deliverables
C. Unclear benefits
D. Incomplete requirements
Correct Answer: D
Explanation: According to the ISACA CISA Study Manual (2020), it is important that business owners are involved in the project initiation phase in order to ensure that the project is aligned with the organization's objectives and that the necessary requirements have been identified (p. 183). Therefore, the IS auditor's greatest concern should be that incomplete requirements may have been identified due to the lack of business owner involvement in the project initiation phase.
Question 35:
An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST recommendation prior to go-live?
A. Review test procedures and scenarios
B. Conduct a mock conversion test
C. Establish a configuration baseline
D. Automate the test scripts
Correct Answer: B
Question 36:
Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?
A. Electronic copies of customer sales receipts are maintained.
B. Monthly bank statements are reconciled without exception.
C. Nightly batch processing has been replaced with real-time processing.
D. The data transferred over the POS interface is encrypted.
Correct Answer: A
Electronic copies of customer sales receipts are records that show the details of each sales transaction, such as the date, time, amount, item, and payment method. Electronic copies of customer sales receipts can provide an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately, because:
Electronic copies of customer sales receipts can be used to verify and reconcile the sales data that is captured by the POS system and posted to the general ledger. Electronic copies of customer sales receipts can be used to detect and correct any errors, discrepancies, or fraud that may occur during the data transfer process. Electronic copies of customer sales receipts can be used to comply with accounting standards, tax regulations, and audit requirements.
Question 37:
Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?
A. Inaccurate business impact analysis (BIA)
B. Inadequate IT change management practices
C. Lack of a benchmark analysis
D. Inadequate IT portfolio management
Correct Answer: D
Explanation: Implementing an IT framework for alignment between IT and business objectives is an effective way to address inadequate IT portfolio management. This type of framework helps ensure that IT investments are aligned with the organization's business objectives and that IT investments are tracked and managed in a way that maximizes the value of those investments. Additionally, the framework can provide a basis for evaluating the effectiveness of IT investments and making decisions about future investments.
Question 38:
An IS auditor is assigned to review the IS department's quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards. Which of the following should be the auditor's NEXT action?
A. Make recommendations to IS management as to appropriate quality standards
B. Postpone the audit until IS management implements written standards
C. Document and test compliance with the informal standards
D. Finalize the audit and report the finding
Correct Answer: C
Question 39:
Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?
A. Policies and procedures for managing documents provided by department heads
B. A system-generated list of staff and their project assignments, roles, and responsibilities
C. Previous audit reports related to other departments' use of the same system
D. Information provided by the audit team lead on the authentication systems used by the department
Correct Answer: B
A system-generated list of staff and their project assignments, roles, and responsibilities is the most useful to an IS auditor performing a review of access controls for a document management system (DMS). A DMS is a system used to create, store, manage, and track electronic documents and images of paper-based documents through software. Access controls are the mechanisms that regulate who can access, modify, or delete documents in a DMS, and under what conditions. A system-generated list of staff and their project assignments, roles, and responsibilities helps the IS auditor to verify the appropriateness, accuracy, and completeness of the access rights granted to different users or groups of users in the DMS, based on the principle of least privilege and the segregation of duties.
Policies and procedures for managing documents provided by department heads (A) are not the most useful to an IS auditor performing a review of access controls for a DMS. Policies and procedures are the documents that define the rules, standards, and guidelines for managing documents in a DMS, such as the document lifecycle, retention, classification, security, etc. Policies and procedures are important to establish the expectations and requirements for document management, but they do not provide sufficient evidence or assurance of the actual implementation and effectiveness of the access controls in the DMS.
Previous audit reports related to other departments' use of the same system (C) are not the most useful to an IS auditor performing a review of access controls for a DMS. Previous audit reports are the documents that summarize the findings, conclusions, and recommendations of previous audits conducted on the same or similar systems or processes. Previous audit reports are useful to identify the common or recurring issues, risks, or gaps in the access controls of the DMS, as well as the best practices or lessons learned from other departments. However, previous audit reports do not reflect the current state or performance of the access controls in the DMS, and they may not be relevant or applicable to the specific department or scope of the current audit.
Information provided by the audit team lead on the authentication systems used by the department (D) is not the most useful to an IS auditor performing a review of access controls for a DMS. Authentication systems are the systems that verify the identity and credentials of the users who attempt to access the DMS, such as passwords, tokens, biometrics, etc. Authentication systems are important to ensure the integrity and accountability of the users who access the DMS, but they do not provide sufficient information or assurance of the authorization and restriction of the users who access the DMS. Authorization and restriction are the aspects of access control that determine what actions or operations the users can perform on the documents in the DMS, such as read, write, edit, delete, etc.
Question 40:
Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?
A. Target architecture is defined at a technical level.
B. The previous year's IT strategic goals were not achieved.
C. Strategic IT goals are derived solely from the latest market trends.
D. Financial estimates of new initiatives are disclosed within the document.
Correct Answer: B
This is because it is important to ensure that the organization's IT strategy is in line with its overall business strategy, and that the IT goals are well-defined and achievable. If the previous year's goals were not achieved, this indicates that the organization is not properly assessing its IT goals, or that the goals are not realistic or achievable.