Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 461:

  Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's information security governance?

  A. Risk assessments of information assets are not periodically performed.
  B. All Control Panel Items
  C. The information security policy does not extend to service providers.
  D. There is no process to measure information security performance.
  E. The information security policy is not reviewed by executive management.
  C. The information security policy does not extend to service providers.

  ---

  Explanation

• Question 462:

  Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

  A. Data from the source and target system may be intercepted.
  B. Data from the source and target system may have different data formats.
  C. Records past their retention period may not be migrated to the new system.
  D. System performance may be impacted by the migration
  A. Data from the source and target system may be intercepted.

  ---

  Explanation

  The greatest security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system is data from the source and target system may be intercepted. Data interception is an attack that occurs when an unauthorized entity or individual captures or accesses data that are being transmitted or stored on an information system or network. Data interception can compromise the confidentiality and integrity of data, and cause harm or damage to data owners or users. Data migration from a legacy HR system to a cloud-based system involves transferring data from one system or location to another system or location over a network connection. This poses a high risk of data interception, as data may be exposed or vulnerable during transit or storage on unsecured or untrusted networks or systems. Data from the source and target system may have different data formats is a possible challenge associated with data migration from a legacy HR system to a cloud-based system, but it is not a security risk. Data formats are specifications that define how data are structured or encoded on an information system or network. Data formats may vary depending on different systems or platforms. Data migration may require converting data from one format to another format to ensure compatibility and interoperability between systems. Records past their retention period may not be migrated to the new system is a possible outcome associated with data migration from a legacy HR system to a cloud-based system, but it is not a security risk. Retention period is a duration that defines how long data should be kept or stored on an information system or network before being deleted or destroyed. Retention period may depend on various factors such as legal requirements, business needs, storage capacity, etc. Data migration may involve deleting or destroying data that are past their retention period to reduce the volume or complexity of data to be transferred or to comply with regulations or policies. System performance may be impacted by the migration is a possible impact associated with data migration from a legacy HR system to a cloud-based system, but it is not a security risk. System performance is a measure of how well an information system or network functions or operates, such as speed, reliability, availability, etc. System performance may be affected by data migration, as data migration may consume significant resources or bandwidth, cause interruptions or delays, or introduce errors or inconsistencies.

• Question 463:

  During a review, an IS auditor discovers that corporate users are able to access cloud- based applications and data any Internet-connected web browser.

  Which Of the following is the auditor's BEST recommendation to prevent unauthorized access?

  A. Implement an intrusion detection system (IDS),
  B. Update security policies and procedures.
  C. Implement multi-factor authentication.
  D. Utilize strong anti-malware controls on all computing devices.
  C. Implement multi-factor authentication.

  ---

  Explanation

  The best recommendation to prevent unauthorized access to cloud-based applications and data is to implement multi-factor authentication (MFA). MFA is a method of verifying the identity of a user by requiring two or more pieces of evidence, such as a password, a code sent to a phone, or a biometric factor. MFA adds an extra layer of security to prevent unauthorized access, even if the user's password is compromised or stolen. MFA can also help comply with data privacy and security regulations, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). The other options are not as effective as MFA in preventing unauthorized access. An intrusion detection system (IDS) is a tool that monitors network traffic and alerts administrators of suspicious or malicious activity, but it does not prevent access by itself. Updating security policies and procedures is a good practice, but it does not ensure that users follow them or that they are enforced. Utilizing strong anti-malware controls on all computing devices can help protect against malware infections, but it does not prevent users from accessing cloud-based applications and data from any Internet-connected web browser.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 2471 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription What Is Cloud Security? | Google Cloud Cloud Application Security Best Practices | Snyk

• Question 464:

  During development of an information security policy, which of the following would BEST ensure alignment to business objectives?

  A. Incorporation of industry best practices
  B. Linkage between policy and procedures
  C. Use of a balanced scorecard
  D. Input from relevant stakeholders
  C. Use of a balanced scorecard

  ---

  Explanation

• Question 465:

  Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?

  A. Embed details within source code.
  B. Standardize file naming conventions.
  C. Utilize automated version control.
  D. Document details on a change register.
  C. Utilize automated version control.

  ---

  Explanation

  Automated version control systems are the best method to maintain an audit trail of changes made to the source code of a program. They automatically track and manage changes to the source code over time, allowing you to see what changes were made, when they were made, and who made them. This provides a clear and detailed audit trail that can be invaluable for debugging, understanding the evolution of the code, and ensuring accountability.

• Question 466:

  An IS audit manager is preparing the staffing plan for an audit engagement of a cloud service provider. What should be the manager's PRIMARY concern when being made aware that a new auditor in the department previously worked for this provider?

  A. Independence
  B. Professional conduct
  C. Subject matter expertise
  D. Resource availability
  A. Independence

  ---

  Explanation

• Question 467:

  Why would a database be renormalized?

  A. To ensure data integrity
  B. To increase processing efficiency
  C. To prevent duplication of data
  D. To save storage space
  B. To increase processing efficiency

  ---

  Explanation

  A database is renormalized when there is a need to improve processing efficiency.

  There is, however, a risk to data integrity when this occurs. Since it implies the introduction of duplication, it will not likely allow saving of storage space.

  Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 109).

• Question 468:

  Which of the following is the BEST way to detect software license violations?

  A. Implementing a corporate policy on copyright infringements and software use.
  B. Requiring that all PCs be diskless workstations.
  C. Installing metering software on the LAN so applications can be accessed through the metered software.
  D. Regularly scanning PCs in use to ensure that unauthorized copies of software have not been loaded on the PC.
  D. Regularly scanning PCs in use to ensure that unauthorized copies of software have not been loaded on the PC.

  ---

  Explanation

  The best way to prevent and detect software license violations is to regularly scan used PCs, either from the LAN or directly, to ensure that unauthorized copies of software have not been loaded on the PC.

  Other options are not detective.

  A corporate policy is not necessarily enforced and followed by all employees.

  Software can be installed from other means than floppies or CD-ROMs (from a LAN or even downloaded from the Internet) and software metering only concerns applications that are registered.

  Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 108).

• Question 469:

  Which of the following is the MOST important reason for an organization to automate data purging?

  A. Protection against privacy breaches
  B. Storage cost reduction
  C. Disaster recovery planning
  D. Ransomware protection
  A. Protection against privacy breaches

  ---

  Explanation

• Question 470:

  Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERR) system?

  A. Bank confirmation
  B. Goods delivery notification
  C. Purchase requisition
  D. Purchase order
  D. Purchase order

  ---

  Explanation

  A three-way match is a process of verifying that a purchase order, a goods receipt and an invoice are consistent before making a payment1. A three-way match ensures that the organization only pays for the goods or services that it ordered and received, and that the prices and quantities are accurate. A three-way match can prevent errors, fraud and overpayments in the accounts payable process. An IS auditor should use a purchase order when verifying a three-way match has occurred in an enterprise resource planning (ERP) system. A purchase order is a document that authorizes a purchase transaction and specifies the items, quantities, prices and terms of the order2. A purchase order is the first document in the three-way match process, and it serves as the basis for comparing the goods receipt and the invoice. An IS auditor can use a purchase order to check if the ERP system has correctly recorded, matched and approved the three documents before making a payment. The other options are not as useful for verifying a three-way match. A bank confirmation is a document that verifies the balance and activity of a bank account. A bank confirmation can be used to confirm that a payment has been made or received, but it does not provide information about the details of the purchase transaction or the three-way match process. A goods delivery notification is a document that informs the buyer that the goods have been shipped or delivered by the seller4. A goods delivery notification can be used to track the status of the delivery, but it does not provide information about the quantity or quality of the goods or the invoice amount. A purchase requisition is a document that requests authorization to purchase goods or services from a specific supplier. A purchase requisition can be used to initiate the purchasing process, but it does not provide information about the actual purchase order, goods receipt or invoice.

  References: Bank Confirmation - Overview, How It Works, Importance3 What is Goods Delivery Note? | Definition and Example4 What Is Three-Way Matching and Why Is It Important? | NetSuite1 Enterprise Resource Planning (ERP) - Definition, Types, Uses