Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 441:

  Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

  A. IT steering committee minutes
  B. Business objectives
  C. Alignment with the IT tactical plan
  D. Compliance with industry best practice
  B. Business objectives

  ---

  Explanation

  The most important consideration for an IS auditor when assessing the adequacy of an organization's information security policy is the business objectives. An information security policy is a document that defines the organization's approach to protecting its information assets from internal and external threats. It should align with the organization's mission, vision, values, and goals, and support its business processes and functions1. An information security policy should also be focused on the business needs and requirements of the organization, rather than on technical details or specific solutions2. The other options are not as important as the business objectives, because they do not directly reflect the organization's purpose and direction. IT steering committee minutes are records of the discussions and decisions made by a group of senior executives who oversee the IT strategy and governance of the organization. They may provide some insights into the information security policy, but they are not sufficient to evaluate its adequacy3. Alignment with the IT tactical plan is a measure of how well the information security policy supports the short-term actions and projects that implement the IT strategy. However, the IT tactical plan itself should be aligned with the business objectives, and not vice versa4. Compliance with industry best practice is a desirable quality of an information security policy, but it is not a guarantee of its effectiveness or suitability for the organization. Industry best practices are general guidelines or recommendations that may not apply to every organization or situation. An information security policy should be customized and tailored to the specific context and needs of the organization.

  References: The 12 Elements of an Information Security Policy | Exabeam1 11 Key Elements of an Information Security Policy | Egnyte2 What is an IT steering committee? Definition, roles and responsibilities ...3 What is IT Strategy? Definition, Components and Best Practices | BMC ...4 IT Security Policy: Key Components and Best Practices for Every Business

• Question 442:

  When designing a data analytics process, which of the following should be the stakeholder's role in automating data extraction and validation?

  A. Indicating which data elements are necessary to make informed decisions
  B. Allocating the resources necessary to purchase the appropriate software packages
  C. Performing the business case analysis for the data analytics initiative
  D. Designing the workflow necessary for the data analytics tool to evaluate the appropriate data
  A. Indicating which data elements are necessary to make informed decisions

  ---

  Explanation

  The stakeholder's role in automating data extraction and validation is to indicate which data elements are necessary to make informed decisions. The stakeholder is the person who has a vested interest in the outcome of the data analytics

  process and can provide the business context and requirements for the analysis. The stakeholder can help the data analyst to identify the relevant data sources, the key performance indicators (KPIs), and the expected results of the analysis.

  References:

  What Is the Data Analysis Process? 5 Key Steps to Follow - G2 What's the Best Approach to Data Analytics? - Harvard Business Review Weekly challenge 1 - GitHub: Let's build from here

• Question 443:

  What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?

  A. Full test results
  B. Completed test plans
  C. Updated inventory of systems
  D. Change management processes
  A. Full test results

  ---

  Explanation

  The best way to assess the effectiveness of changes made to processes and tools related to an organization's BCP is to review the full test results of the BCP. Full test results can provide evidence of whether the changes have improved the BCP's objectives, such as recovery time objectives (RTOs), recovery point objectives (RPOs), and business impact analysis (BIA). The other options are not as effective as reviewing the full test results, as they do not demonstrate the actual performance of the BCP under simulated disaster scenarios. Completed test plans are only documents that outline the scope, objectives, and procedures of the BCP testing, but they do not show the outcomes or issues encountered during the testing. Updated inventory of systems is a component of the BCP that identifies the critical systems and resources required for business continuity, but it does not measure the effectiveness of the BCP changes. Change management processes are controls that ensure that changes to the BCP are authorized, documented, and communicated, but they do not evaluate the impact or benefit of the changes.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3

• Question 444:

  Which of the following control make sure that input data comply with predefined criteria maintained in computerized table of possible values?

  A. Range Check
  B. Table lookups
  C. Existence check
  D. Reasonableness check
  B. Table lookups

  ---

  Explanation

  In table lookups input data comply with predefined criteria maintained in computerized table of possible values. For example, an input check enters a city code of 1 to 10. This number corresponds with a computerize table that matches a code to a city name.

  For CISA exam you should know below mentioned data validation edits and controls

  Sequence Check ?The control number follows sequentially and any sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are numbered sequentially. The day's

  invoice begins with 12001 and ends with 15045. If any invoice larger than 15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.

  Limit Check ?Data should not exceed a predefined amount. For example, payroll checks should not exceed US $ 4000. If a check exceeds US $ 4000, data would be rejected for further verification/authorization.

  Validity Check ?Programmed checking of data validity in accordance with predefined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, record

  should be rejected.

  Range Check ?Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

  Reasonableness check ?Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received,

  the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

  Table Lookups ?Input data comply with predefined criteria maintained in computerized table of possible values. For example, an input check enters a city code of 1 to 10. This number corresponds with a computerize table that matches a

  code to a city name.

  Existence Check ?Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in transaction code field.

  Key verification ?The keying process is repeated by a separate individual using a machine that compares the original key stroke to the repeated keyed input. For ex. the worker number is keyed twice and compared to verify the keying

  process.

  Check digit ?a numeric value that has been calculated mathematically is added to a data to ensure that original data have not been p[ altered or incorrect, but Valid, value substituted. This control is effective in detecting transposition and

  transcription error. For ex. A check digit is added to an account number so it can be checked for accuracy when it is used.

  Completeness check ?a filed should always contain data rather than zero or blanks. A check of each byte of that field should be performed to determine that some form of data, or not blanks or zeros, is present. For ex. A worker number on a

  new employee record is left blank. His is identified as a key in filed and the record would be rejected, with a request that the field be completed before the record is accepted for processing.

  Duplicate check ?new transaction is matched to those previously input to ensure that they have not already been entered. For ex. A vendor invoice number agrees with previously recorded invoice to ensure that the current order is not a

  duplicate and, therefore, the vendor will not be paid twice.

  Logical relationship check ?if a particular condition is true, then one or more additional conditions or data input relationship may be required to be true and consider the input valid. For ex. The hire data of an employee may be required to be

  true and consider the input valid. For ex. The hire date of an employee may be required to be more than 16 years past his her date of birth.

  The following were incorrect answers:

  Range Check ?Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

  Existence Check ?Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in transaction code field. Reasonableness check ?Input data are matched to predefined reasonable

  limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program should be designed to print the record with a

  warning indicating that the order appears unreasonable.

  CISA review manual 2014 Page number 215

• Question 445:

  Which of the following is the BEST way to ensure an organization's data classification policies are preserved during the process of data transformation?

  A. Map data classification controls to data sets.
  B. Control access to extract, transform, and load (ETL) tools.
  C. Conduct a data discovery exercise across all business applications.
  D. Implement classification labels in metadata during data creation.
  D. Implement classification labels in metadata during data creation.

  ---

  Explanation

  Data classification is the process of tagging data according to its type, sensitivity, and value to the organization. Data transformation is the process of changing the structure and format of data to make it usable for analysis and visualization. Both processes are important for data security and compliance, but they also pose some challenges. One of the challenges is to ensure that the organization's data classification policies are preserved during the process of data transformation. This means that the data should retain its original classification level and labels after it is transformed, and that the appropriate controls and protections are applied to the transformed data. The best way to ensure this is to implement classification labels in metadata during data creation (D). Metadata is data that describes other data, such as its source, format, content, and context. By adding classification labels to metadata, the data can be easily identified and tracked throughout its lifecycle, including during data transformation. The labels can also help enforce the proper access rights and encryption standards for the data, regardless of its state or location.

• Question 446:

  An IS auditor learns that an organization did not conduct any penetration testing over one internet-facing webpage prior to of the following is the auditor's BEST course of action?

  A. Revise IT security procedures to require penetration tests for internally developed services prior to deployment.
  B. Report a control deficiency, as no penetration test has been conducted and documented.
  C. Confirm whether vulnerability scanning was conducted after the webpage was deployed.
  D. Meet with IT and the information security team to determine why testing was not completed.
  D. Meet with IT and the information security team to determine why testing was not completed.

  ---

  Explanation

  Explanation

• Question 447:

  An incident response team has been notified of a virus outbreak in a network subnet.

  Which of the following should be the NEXT step?

  A. Focus on limiting the damage.
  B. Remove and restore the affected systems.
  C. Verify that the compromised systems are fully functional.
  D. Document the incident.
  A. Focus on limiting the damage.

  ---

  Explanation

• Question 448:

  An IS auditor discovered abnormalities in a monthly report generated from a system upgraded six months ago. Which of the following should be the auditor's FIRST course of action?

  A. Inspect source code for proof of abnormalities
  B. Perform a change management review of the system
  C. Schedule an access review of the system
  D. Determine the impact of abnormalities in the report
  D. Determine the impact of abnormalities in the report

  ---

  Explanation

• Question 449:

  At a project steering committee meeting, it is stated that adding controls to business processes undergoing re-engineering is an unnecessary cost. The IS auditor's BEST response is that the actual control overhead for a business process is: A. usually considerable, but the benefits of good controls always exceed the cost.

  B. the responsibility of the project manager, and the cost should have been included in the budget.

  C. usually difficult to ascertain but is justifiable, because controls are essential to doing business

  D. usually less than the potential cost of failure caused by lack of controls.

  Correct Answer. D
  D

  ---

  Explanation

• Question 450:

  Control self-assessments (CSAs) can be used to:

  A. Determine the value of assets.
  B. Establish baselines.
  C. Evaluate strategic business goals.
  D. Replace audits.
  B. Establish baselines.

  ---

  Explanation

  Explanation

  Control self-assessment (CSA) is a process that allows business units to evaluate the effectiveness of internal controls. It is primarily used toestablish baselines (Option B) for measuring control effectiveness and risk management. ISACA

  CISA

  CSA is a recognized internal control mechanism that supports risk assessment and control improvement.

  Risk Implication:If CSAs are not conducted properly, organizations may lack visibility into weak controls, increasing exposure to risks.

  Alternative Choices:

  Option A:CSA does not focus on asset valuation.

  Option C:Strategic business goals are assessed separately through governance processes.

  Option D:CSA complements, but does not replace, formal audits.