Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 411:

  Backup procedures for an organization's critical data are considered to be which type of control?

  A. Directive
  B. Corrective
  C. Detective
  D. Compensating
  B. Corrective

  ---

  Explanation

  Backup procedures for an organization's critical data are considered to be corrective controls, as they are designed to restore normal operations after a disruption or failure. Corrective controls aim to minimize the impact of an incident and prevent recurrence. Directive, detective and compensating controls are not related to backup procedures. Directive controls are intended to guide or instruct users to follow policies and procedures. Detective controls are intended to identify and report incidents or violations. Compensating controls are intended to mitigate the risk of a missing or ineffective primary control.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.11

• Question 412:

  Which of the following is the PRIMARY function of a data loss prevention (DLP) policy when implemented in an organization's DLP solution?

  A. To encrypt sensitive data at rest and in transit
  B. To define rules for monitoring and protecting sensitive data
  C. To define rules and baselines for network performance
  D. To detect and block incoming network traffic
  B. To define rules for monitoring and protecting sensitive data

  ---

  Explanation

  Explanation

• Question 413:

  When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on

  A. employee retention
  B. enterprise architecture (EA)
  C. future task updates
  D. task capacity output
  B. enterprise architecture (EA)

  ---

  Explanation

  The auditor should be most concerned with the impact AI will have on enterprise architecture (EA) when reviewing a project to replace multiple manual data entry systems with an AI system. EA is a comprehensive framework that defines the structure, components, relationships, and principles of an organization's IT environment. EA can help to align the IT strategy with the business strategy and ensure the coherence, consistency, and integration of the IT systems and services. Replacing manual data entry systems with an AI system may have significant implications for the EA, such as changing the business processes, data flows, security requirements, performance standards, or governance models. The auditor should assess whether the project has considered the impact of AI on EA and whether the EA has been updated accordingly.

  References: CISA Review Manual (Digital Version), Chapter 1, Section 1.41 CISA Online Review Course, Domain 5, Module 1, Lesson 22

• Question 414:

  An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor's BEST course of action?

  A. Confirm the BCP has been recently updated.
  B. Review the effectiveness of the business response.
  C. Raise an audit issue for the lack of simulated testing.
  D. Interview staff members to obtain commentary on the BCP's effectiveness.
  B. Review the effectiveness of the business response.

  ---

  Explanation

  This is because the auditor's primary objective is to evaluate the adequacy and performance of the business continuity plan (BCP) in ensuring the continuity and resilience of the organization's critical functions and processes during a disruption. The auditor should review the actual results and outcomes of the business response, such as the recovery time, recovery point, service level, customer satisfaction, and incident management, and compare them with the predefined objectives and criteria of the BCP. The auditor should also identify and analyze any gaps, issues, or lessons learned from the business response, and provide recommendations for improvement12. Answer A. Confirm the BCP has been recently updated. is not the best answer, because it is not directly related to the auditor's course of action. Confirming the BCP has been recently updated is a part of the audit planning and scoping process, not the audit execution or reporting process. The auditor should confirm the BCP has been recently updated before conducting the audit, not after revealing that a simulation test has not been performed. Moreover, confirming the BCP has been recently updated does not provide sufficient evidence of the effectiveness of the business response12. Answer

  C. Raise an audit issue for the lack of simulated testing. is not the best answer, because it is not relevant to the auditor's course of action. Raising an audit issue for the lack of simulated testing is a part of the audit reporting and follow-up process, not the audit execution or evaluation process. The auditor should raise an audit issue for the lack of simulated testing after reviewing the effectiveness of the business response, not before or instead of doing so. Furthermore, raising an audit issue for the lack of simulated testing does not address the root cause or impact of the problem, nor does it provide any constructive feedback or guidance for improvement12. Answer

  D. Interview staff members to obtain commentary on the BCP's effectiveness. is not the best answer, because it is not sufficient to guide the auditor's course of action. Interviewing staff members to obtain commentary on the BCP's effectiveness is a part of the audit evidence collection and analysis process, not the audit evaluation or conclusion process. The auditor should interview staff members to obtain commentary on the BCP's effectiveness as one of the sources of information, not as the only or main source of information. Additionally, interviewing staff members to obtain commentary on the BCP's effectiveness may be subjective, biased, or incomplete, and may not reflect the actual performance or outcomes of the business response12.

  References: Business Continuity Management Audit/Assurance Program Business Continuity Plan Testing: Types and Best Practices

• Question 415:

  An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

  A. The transfer protocol does not require authentication.
  B. The quality of the data is not monitored.
  C. Imported data is not disposed of frequently.
  D. The transfer protocol is not encrypted.
  A. The transfer protocol does not require authentication.

  ---

  Explanation

• Question 416:

  Which of the following poses the GREATEST potential concern for an organization that decides to consolidate mission-critical applications on a large server as part of IT capacity management?

  A. More applications may be negatively affected by outages on the server.
  B. Continuous monitoring efforts for server capacity may be costly.
  C. Network bandwidth may be degraded during peak hours.
  D. Accurate server capacity forecasting may be more difficult.
  A. More applications may be negatively affected by outages on the server.

  ---

  Explanation

  Consolidating mission-critical applications onto a single large server introduces a single point of failure. If the server experiences an outage, all hosted applications could be impacted simultaneously, leading to significant operational

  disruptions. While continuous monitoring costs, potential network bandwidth issues, and challenges in capacity forecasting are valid concerns, the risk of a single outage affecting multiple critical applications presents the most substantial

  threat to business continuity.

  References:

  ISACA CISA Review Manual, 28th Edition, Chapter 4: Information Systems Operations and Business Resilience.

• Question 417:

  Which of the following would be of MOST concern to an IS auditor reviewing a data loss prevention (DLP) solution implementation for endpoints?

  A. The DLP solution does not support all types of servers.
  B. The solution has been implemented in blocking mode prior to performing tuning.
  C. The organization has never finished tuning the solution.
  D. The solution does not prevent data leakage because it is still in the monitoring phase.
  C. The organization has never finished tuning the solution.

  ---

  Explanation

  Explanation

• Question 418:

  Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?

  A. The vendor's process appropriately sanitizes the media before disposal
  B. The contract includes issuance of a certificate of destruction by the vendor
  C. The vendor has not experienced security incidents in the past.
  D. The disposal transportation vehicle is fully secure
  A. The vendor's process appropriately sanitizes the media before disposal

  ---

  Explanation

  The most important thing for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media is that the vendor's process appropriately sanitizes the media before disposal. As explained in the previous question, storage media may contain sensitive or confidential information that needs to be protected from unauthorized access, disclosure, or misuse. The IS auditor should verify that the vendor has a process that appropriately sanitizes the media before disposal, such as wiping, degaussing, shredding, or incinerating, and that the process is effective and compliant with the organization's policies and standards. The other options are not as important as verifying the vendor's process, because they either do not ensure the security and privacy of the information on the media, or they are secondary to the vendor's process.

  References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.7

• Question 419:

  While conducting a system architecture review, an IS auditor learns of multiple complaints from field agents about the latency of a mobile thin client designed to provide information during site inspections Which of the following is the BEST way to address this situation?

  A. Upgrade the processors in the field agents' mobile devices
  B. Deploy a middleware application to improve messaging between application components.
  C. Switch to a thick-client architecture that does not require a persistent fetwork connectio.
  D. Upgrade the thin-client software to provide more informative error messages during application loading
  B. Deploy a middleware application to improve messaging between application components.

  ---

  Explanation

• Question 420:

  Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

  A. To ensure that older versions are availability for reference
  B. To ensure that only the latest approved version of the application is used
  C. To ensure compatibility different versions of the application
  D. To ensure that only authorized users can access the application
  B. To ensure that only the latest approved version of the application is used

  ---

  Explanation

  Version control is a process of managing changes to an application or a document. It ensures that only the latest approved version of the application is used by end-users, which reduces the risk of errors, inconsistencies, and unauthorized modifications. Version control also allows tracking the history of changes and restoring previous versions if needed.