Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 481:

  While conducting a review of project plans related to a new software development, an IS auditor finds the project initiation document (PID) is incomplete. What is the BEST way for the auditor to proceed?

  A. Meet with the project sponsor to discuss the incomplete document.
  B. Prepare a finding for the audit report.
  C. Inform audit management of possible risks associated with the deficiency.
  D. Escalate to the project steering committee.
  A. Meet with the project sponsor to discuss the incomplete document.

  ---

  Explanation

• Question 482:

  An organization has decided to implement a third-party system in its existing IT environment Which of the following is MOST important for the IS auditor to confirm?

  A. The organization has created a clone of the third party's IT infrastructure to host the IT system
  B. The organization has maintained a clone of the existing infrastructure as backup.
  C. The organization has analyzed the IT infrastructure to determine the feasibility of hosting the IT system.
  D. The organization has purchased a newly released IT infrastructure environment relevant to the IT system
  C. The organization has analyzed the IT infrastructure to determine the feasibility of hosting the IT system.

  ---

  Explanation

• Question 483:

  Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

  A. Comparing code between old and new systems
  B. Running historical transactions through the new system
  C. Reviewing quality assurance (QA) procedures
  D. Loading balance and transaction data to the new system
  B. Running historical transactions through the new system

  ---

  Explanation

  The most assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system can be obtained by running historical transactions through the new system. Historical transactions are transactions that have been processed and recorded by the old system in the past. Running historical transactions through the new system can provide the most assurance over the completeness and accuracy of loan application processing, by comparing the results and outputs of the new system with those of the old system, and verifying whether they match or differ. This can help identify and resolve any errors or issues that may arise from the new system, such as data conversion, functionality, compatibility, etc. Comparing code between old and new systems is a possible way to obtain some assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system, but it is not the most effective one. Code is a set of instructions or commands that define how a system operates or functions. Comparing code between old and new systems can provide some assurance over the completeness and accuracy of loan application processing, by checking whether the logic, algorithms, or functions of the new system are consistent or equivalent with those of the old system. However, this may not be sufficient or reliable, as code may not reflect the actual performance or outcomes of the system, and may not detect any errors or issues that may occur at the data or user level. Reviewing quality assurance (QA) procedures is a possible way to obtain some assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system, but it is not the most effective one. QA procedures are steps or activities that ensure that a system meets its quality standards and requirements, such as testing, verification, validation, etc. Reviewing QA procedures can provide some assurance over the completeness and accuracy of loan application processing, by evaluating whether the new system has been properly tested and verified before implementation. However, this may not be adequate or accurate, as QA procedures may not cover all aspects or scenarios of loan application processing, and may not reveal any errors or issues that may arise after implementation. Loading balance and transaction data to the new system is a possible way to obtain some assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system, but it is not the most effective one. Balance and transaction data are data that reflect the status and history of loan applications in a system, such as amounts, dates, payments, etc. Loading balance and transaction data to the new system can provide some assurance over the completeness and accuracy of loan application processing, by transferring data from the old system to the new system and ensuring that they are consistent and correct. However, this may not be enough or valid, as balance and transaction data may not represent all aspects or features of loan application processing, and may not indicate any errors or issues that may arise

• Question 484:

  Which of the following is an IS auditor's BEST recommendation for mitigating risk associated with inadvertent disclosure of sensitive information by employees?

  A. Intrusion prevention system (IPS) and firewalls
  B. Data loss prevention (DLP) technologies
  C. Cryptographic protection
  D. Email phishing simulation exercises
  B. Data loss prevention (DLP) technologies

  ---

  Explanation

  DLP technologies are designed to prevent the unauthorized transmission or leakage of sensitive data, such as PII, intellectual property, or financial information, by employees or other insiders. DLP technologies can monitor, detect, and block

  data in motion, data at rest, and data in use across various channels, such as email, web, cloud, or removable devices. DLP technologies can also help enforce data security policies and compliance requirements.

  References:

  ISACA CISA Review Manual, 27th Edition, page 253

  The role of disclosures in risk assessment and mitigation Mitigate Risk Strategy for Information Management

• Question 485:

  Which of the following is MOST important to determine when conducting an audit Of an organization's data privacy practices?

  A. Whether a disciplinary process is established for data privacy violations
  B. Whether strong encryption algorithms are deployed for personal data protection
  C. Whether privacy technologies are implemented for personal data protection
  D. Whether the systems inventory containing personal data is maintained
  D. Whether the systems inventory containing personal data is maintained

  ---

  Explanation

  The answer D is correct because the most important thing to determine when conducting an audit of an organization's data privacy practices is whether the systems inventory containing personal data is maintained. A systems inventory is a list of all the systems, applications, databases, and devices that store, process, or transmit personal data within the organization. Maintaining a systems inventory is essential for data privacy because it helps the organization to identify, classify, and protect the personal data it holds, as well as to comply with the relevant privacy laws and regulations. A systems inventory also enables the organization to perform data protection impact assessments (DPIAs), data breach notifications, data subject access requests, and data retention and disposal policies. The other options are not as important as option

  D. Whether a disciplinary process is established for data privacy violations (option A) is a policy issue that may deter or sanction the employees who violate the data privacy rules, but it does not directly affect the data privacy practices of the organization. Whether strong encryption algorithms are deployed for personal data protection (option B) is a technical issue that may enhance the security and confidentiality of the personal data, but it does not address the other aspects of data privacy, such as accuracy, consent, and purpose limitation. Whether privacy technologies are implemented for personal data protection (option C) is also a technical issue that may support the data privacy practices of the organization, but it does not guarantee that the organization follows the best practices or complies with the applicable laws and regulations.

  References: IS Audit Basics: Auditing Data Privacy Best Practices for Privacy Audits ISACA Produces New Audit and Assurance Programs for Data Privacy and Mobile Computing

• Question 486:

  Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?

  A. Understanding the purpose of each spreadsheet
  B. Identifying the spreadsheets with built-in macros
  C. Reviewing spreadsheets based on file size
  D. Ascertaining which spreadsheets are most frequently used
  A. Understanding the purpose of each spreadsheet

  ---

  Explanation

• Question 487:

  Which of the following ACID property in DBMS means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors?

  A. Atomicity
  B. Consistency
  C. Isolation
  D. Durability
  D. Durability

  ---

  Explanation

  Durability - Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors.

  For CISA exam you should know below information about ACID properties in DBMS:

  Atomicity - Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. An atomic system must guarantee atomicity in each and every

  situation, including power failures, errors, and crashes. To the outside world, a committed transaction appears (by its effects on the database) to be indivisible ("atomic"), and an aborted transaction does not happen.

  Consistency - The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints,

  cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any

  programming errors do not violate any defined rules.

  Isolation - The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other. Providing isolation is the main goal of

  concurrency control. Depending on concurrency control method, the effects of an incomplete transaction might not even be visible to another transaction. [citation needed]

  Durability - Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL statements execute, the results need to

  be stored permanently (even if the database crashes immediately thereafter). To defend against power loss, transactions (or their effects) must be recorded in a non-volatile memory.

  The following were incorrect answers:

  Consistency - The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints,

  cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any

  programming errors do not violate any defined rules.

  Isolation - The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other.

  Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

  CISA review manual 2014 Page number 218

• Question 488:

  While implementing an invoice system, Lily has implemented a database control which checks that new transactions are matched to those previously input to ensure that they have not already been entered. Which of the following control is implemented by Lily?

  A. Range Check
  B. Duplicate Check
  C. Existence check
  D. Reasonableness check
  B. Duplicate Check

  ---

  Explanation

  In a duplicate check control new transaction are matched to those previously input to ensure that they have not already been entered. For ex. A vendor invoice number agrees with previously recorded invoice to ensure that the current order is not a duplicate and, therefore, the vendor will not be paid twice.

  For CISA exam you should know below mentioned data validation edits and controls

  Sequence Check ?The control number follows sequentially and any sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are numbered sequentially. The day's

  invoice begins with 12001 and ends with 15045. If any invoice larger than 15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.

  Limit Check ?Data should not exceed a predefined amount. For example, payroll checks should not exceed US $ 4000. If a check exceeds US $ 4000, data would be rejected for further verification/authorization.

  Validity Check ?Programmed checking of data validity in accordance with predefined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, record

  should be rejected.

  Range Check ?Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

  Reasonableness check ?Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received,

  the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

  Table Lookups ?Input data comply with predefined criteria maintained in computerized table of possible values. For example, an input check enters a city code of 1 to 10. This number corresponds with a computerize table that matches a

  code to a city name.

  Existence Check ?Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in transaction code field.

  Key verification ?The keying process is repeated by a separate individual using a machine that compares the original key stroke to the repeated keyed input. For ex. the worker number is keyed twice and compared to verify the keying

  process.

  Check digit ?a numeric value that has been calculated mathematically is added to a data to ensure that original data have not been p[ altered or incorrect, but Valid, value substituted. This control is effective in detecting transposition and

  transcription error. For ex. A check digit is added to an account number so it can be checked for accuracy when it is used.

  Completeness check ?a filed should always contain data rather than zero or blanks. A check of each byte of that field should be performed to determine that some form of data, or not blanks or zeros, is present. For ex. A worker number on a

  new employee record is left blank. His is identified as a key in filed and the record would be rejected, with a request that the field be completed before the record is accepted for processing.

  Duplicate check ?new transaction is matched to those previously input to ensure that they have not already been entered. For ex. A vendor invoice number agrees with previously recorded invoice to ensure that the current order is not a

  duplicate and, therefore, the vendor will not be paid twice.

  Logical relationship check ?if a particular condition is true, then one or more additional conditions or data input relationship may be required to be true and consider the input valid. For ex. The hire data of an employee may be required to be

  true and consider the input valid. For ex. The hire date of an employee may be required to be more than 16 years past his/her date of birth.

  The following were incorrect answers:

  Range Check ?Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

  Existence Check ?Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in transaction code field.

  Reasonableness check ?Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received,

  the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

  CISA review manual 2014 Page number 215

• Question 489:

  An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?

  A. Security cameras deployed outside main entrance
  B. Antistatic mats deployed at the computer room entrance
  C. Muddy footprints directly inside the emergency exit
  D. Fencing around facility is two meters high
  C. Muddy footprints directly inside the emergency exit

  ---

  Explanation

  An IS auditor is conducting a review of a data center. An observation that could indicate an access control issue is muddy footprints directly inside the emergency exit. Access control is a process that ensures that only authorized entities or individuals can access or use an information system or resource, and prevents unauthorized access or use. Access control can be implemented using various methods or mechanisms, such as physical, logical, administrative, etc. Muddy footprints directly inside the emergency exit could indicate an access control issue, as they could suggest that someone has entered the data center through the emergency exit without proper authorization or authentication, and potentially compromised the security or integrity of the data center. Security cameras deployed outside main entrance is not an observation that could indicate an access control issue, but rather a control that could enhance access control, as security cameras are devices that capture and record video footage of the surroundings, and can help monitor and deter unauthorized access or activity. Antistatic mats deployed at the computer room entrance is not an observation that could indicate an access control issue, but rather a control that could prevent static electricity damage, as antistatic mats are devices that dissipate or reduce static charges from people or objects, and can help protect electronic equipment from electrostatic discharge (ESD). Fencing around facility is two meters high is not an observation that could indicate an access control issue, but rather a control that could improve physical security, as fencing is a barrier that encloses or surrounds an area, and can help prevent unauthorized entry or intrusion.

• Question 490:

  Which of the following is the PRIMARY protocol for protecting outbound content from tampering and eavesdropping?

  A. Transport Layer Security (TLS)
  B. Secure Shell (SSH)
  C. Point-to-Point Protocol (PPP)
  D. Internet Key Exchange (IKE)
  A. Transport Layer Security (TLS)

  ---

  Explanation