Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 471:

  Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

  A. Data owners are not trained on the use of data conversion tools.
  B. A post-implementation lessons-learned exercise was not conducted.
  C. There is no system documentation available for review.
  D. System deployment is routinely performed by contractors.
  C. There is no system documentation available for review.

  ---

  Explanation

• Question 472:

  Which of the following should be the PRIMARY audience for a third-party technical security assessment report?

  A. Operational IT management
  B. Board of directors
  C. Legal counsel
  D. External regulators
  B. Board of directors

  ---

  Explanation

• Question 473:

  When conducting an audit of an organization's use of AI in its customer service chatbots, an IS auditor should PRIMARILY focus on the:

  A. Safeguarding of personal data processing by the AI system.
  B. AI system's compliance with industry security standards.
  C. Speed and accuracy of chatbot responses to customer queries.
  D. AI system's ability to handle multiple customer queries at once.
  A. Safeguarding of personal data processing by the AI system.

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step Theprimary concernwhen auditing an AI-powered chatbot is ensuring thesafeguarding of personal datato comply with privacy regulations such asGDPR, CCPA, and ISO 27701. AI chatbots process customer inquiries, often handling sensitive personal data. Safeguarding of Personal Data (Correct Answer A) Compliance with Industry Standards (Incorrect B) Speed and Accuracy of Chatbot Responses (Incorrect C) AI's Ability to Handle Multiple Queries (Incorrect D)

  References: ISACA CISA Review Manual ISO 27701 (Privacy Information Management System) GDPR and CCPA Compliance Guidelines

• Question 474:

  The GREATEST concern for an IS auditor reviewing vulnerability assessments by the auditee would be if the assessments are:

  A. Conducted once per year just before system audits are scheduled.
  B. Conducted by the internal technical team instead of external experts.
  C. Performed for critical systems, not for the entire infrastructure.
  D. Performed using open-source testing tools.
  A. Conducted once per year just before system audits are scheduled.

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  Conducting vulnerability assessmentsonly once per year, right before an audit,creates a false sense of securityandleaves systems exposedbetween assessments.

  Annual Testing Before Audit (Correct Answer ?A)

  Internal Team Conducting Assessments (Incorrect ?B) Focusing on Critical Systems (Incorrect ?C)

  Using Open-Source Tools (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  NIST 800-115 (Technical Guide to Security Testing)

• Question 475:

  When auditing a quality assurance plan, an IS auditor should be MOST concerned if the:

  A. quality assurance function is separate from the programming function.
  B. SDLC is coupled with the quality assurance plan.
  C. quality assurance function is periodically reviewed by internal audit.
  D. scope of quality assurance activities is undefined.
  D. scope of quality assurance activities is undefined.

  ---

  Explanation

• Question 476:

  What is the PRIMARY benefit of prototyping as a method of system development?

  A. Reduces the need for testing.
  B. Minimizes the time the IS auditor has to review the system.
  C. Increases the likelihood of user satisfaction.
  D. Eliminates the need for documentation.
  C. Increases the likelihood of user satisfaction.

  ---

  Explanation

• Question 477:

  Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

  A. The organization's systems inventory is kept up to date.
  B. Vulnerability scanning results are reported to the CISO.
  C. The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities
  D. Access to the vulnerability scanning tool is periodically reviewed
  A. The organization's systems inventory is kept up to date.

  ---

  Explanation

  The completeness of the vulnerability scanning process depends on the accuracy and currency of the organization's systems inventory, which is a list of all the hardware and software assets that are owned or used by the organization. A complete and up-to-date systems inventory can help ensure that all the systems are identified and scanned for vulnerabilities, and that no system is missed or overlooked. Vulnerability scanning results are reported to the CISO is a good practice for ensuring accountability and visibility of the vulnerability management process, but it is not the most important thing to verify when determining the completeness of the vulnerability scanning process, as reporting does not guarantee that all the systems are scanned. The organization is using a cloud-hosted scanning tool for identification of vulnerabilities is a possible option for conducting vulnerability scanning, but it is not the most important thing to verify when determining the completeness of the vulnerability scanning process, as the type of scanning tool does not affect the scope or coverage of the scanning. Access to the vulnerability scanning tool is periodically reviewed is a critical control for ensuring the security and integrity of the vulnerability scanning tool, but it is not the most important thing to verify when determining the completeness of the vulnerability scanning process, as access review does not ensure that all the systems are scanned.

• Question 478:

  The purpose of data migration testing is to validate data:

  A. retention.
  B. completeness.
  C. availability.
  D. confidentiality.
  B. completeness.

  ---

  Explanation

• Question 479:

  Which of the following is the BEST indication that a software development project is on track to meet its completion deadline?

  A. Technical specifications and development requirements have been agreed upon and formally recorded.
  B. Project plan due dates have been documented for each phase of the software development life cycle.
  C. Issues identified during user acceptance testing (UAT) have been addressed prior to the original implementation date.
  D. The planned software go-live date has been communicated in advance to end users and stakeholders.
  C. Issues identified during user acceptance testing (UAT) have been addressed prior to the original implementation date.

  ---

  Explanation

  Explanation

• Question 480:

  In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

  A. integrated test facility (ITF).
  B. parallel simulation.
  C. transaction tagging.
  D. embedded audit modules.
  C. transaction tagging.

  ---

  Explanation

  Transaction tagging is a technique by which transactions are marked with unique identifiers or headers and traced through the system using agents or sensors at each processing point1. Transaction tagging allows for continuous monitoring and analysis of transaction processing in a high-volume, real-time system by providing visibility into the performance, availability, and reliability of each transaction and its components. Transaction tagging can also help to identify and isolate errors, bottlenecks, anomalies, and security issues in the system.