Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 491:

  Which of the following should be identified FIRST during the risk assessment process?

  A. Vulnerability to threats
  B. Existing controls
  C. Information assets
  D. Legal requirements
  C. Information assets

  ---

  Explanation

  The risk assessment process involves identifying the information assets that are at risk, analyzing the threats and vulnerabilities that could affect them, evaluating the impact and likelihood of a risk event, and determining the appropriate controls to mitigate the risk. The first step is to identify the information assets, as they are the objects of protection and the basis for the rest of the process. Without knowing what assets are at risk, it is not possible to assess their value, exposure, or protection level.

  References: ISACA Frameworks: Blueprints for Success

• Question 492:

  Which of the following would be MOST helpful to an IS auditor performing a risk assessment of an application programming interface (API) that feeds credit scores from a well-known commercial credit agency into an organizational system?

  A. A data dictionary of the transferred data
  B. A technical design document for the interface configuration
  C. The most recent audit report from the credit agency
  D. The approved business case for the API
  B. A technical design document for the interface configuration

  ---

  Explanation

• Question 493:

  When evaluating a protect immediately prior to implementation, which of the following would provide the BEST evidence that the system has the required functionality?

  A. User acceptance testing (UAT) results
  B. Quality assurance (QA) results
  C. Integration testing results
  D. Sign-off from senior management
  B. Quality assurance (QA) results

  ---

  Explanation

• Question 494:

  An IS auditor reviewing a purchase accounting system notices several duplicate payments made for the services rendered. Which of the following is the auditor's BEST recommendation for preventing duplicate payments?

  A. Implement a configuration control to enable sequential numbering of invoices.
  B. Request vendors to attach service acknowledgment notices to purchase orders.
  C. Implement a system control that determines if there are corresponding invoices for purchase orders.
  D. Perform additional supervisory reviews prior to the invoice payments.
  C. Implement a system control that determines if there are corresponding invoices for purchase orders.

  ---

  Explanation

• Question 495:

  To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?

  A. Review of the general IS controls followed by a review of the application controls
  B. Detailed examination of financial transactions followed by review of the general ledger
  C. Review of major financial applications followed by a review of IT governance processes
  D. Review of application controls followed by a test of key business process controls
  A. Review of the general IS controls followed by a review of the application controls

  ---

  Explanation

• Question 496:

  When reviewing an organization's finalized risk assessment process, what would be the MAIN reason for an IS auditor to compare acceptable risk level with residual risk?

  A. To identify omissions made in the completed risk assessment
  B. To identify new risks the organization may have to address
  C. To recommend control enhancements for further risk reduction
  D. To advise management on risk appetite levels
  C. To recommend control enhancements for further risk reduction

  ---

  Explanation

  Explanation

• Question 497:

  Which of the following documents should define roles and responsibilities within an IT audit organization?

  A. Audit charter
  B. Annual audit plan
  C. Engagement letter
  D. Audit scope letter
  A. Audit charter

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  Theaudit charteris a formal document that definesthe purpose, authority, and responsibilitiesof the internal audit function.

  Audit Charter (Correct Answer ?A)

  Annual Audit Plan (Incorrect ?B)

  Engagement Letter (Incorrect ?C)

  Audit Scope Letter (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  COBIT 2019 (Audit Governance)

• Question 498:

  Which of the following control checks would utilize data analytics?

  A. Evaluating configuration settings for the credit card application system
  B. Reviewing credit card applications submitted in the past month for blank data fields
  C. Attempting to submit credit card applications with blank data fields
  D. Reviewing the business requirements document for the credit card application system
  D. Reviewing the business requirements document for the credit card application system

  ---

  Explanation

• Question 499:

  What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

  A. Senior management's request
  B. Prior year's audit findings
  C. Organizational risk assessment
  D. Previous audit coverage and scope
  C. Organizational risk assessment

  ---

  Explanation

  The primary basis for selecting which IS audits to perform in the coming year is the organizational risk assessment. An organizational risk assessment is a formal process for identifying, evaluating, and controlling risks that may affect the achievement of the organization's goals and objectives3. An organizational risk assessment can help IS auditors prioritize and plan their audit activities based on the level of risk exposure and impact of each area or process within the organization. An organizational risk assessment can also help IS auditors align their audit objectives and criteria with the organization's strategy and performance indicators. Senior management's request, prior year's audit findings, and previous audit coverage and scope are also possible bases for selecting which IS audits to perform in the coming year, but not as primary as the organizational risk assessment. These factors are more secondary or supplementary sources of information that can help IS auditors refine or adjust their audit plan based on specific needs or issues identified by management or previous audits. However, these factors may not reflect the current or emerging risks that may affect the organization's operations or performance.

  References: ISACA CISA Review Manual 27th Edition, page 295

• Question 500:

  An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

  A. Availability of the user list reviewed
  B. Confidentiality of the user list reviewed
  C. Source of the user list reviewed
  D. Completeness of the user list reviewed
  C. Source of the user list reviewed

  ---

  Explanation