Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 531:

  An IS auditor noted that a change to a critical calculation was placed into the production environment without being tested. Which of the following is the BEST way to obtain assurance that the calculation functions correctly?

  A. Check regular execution of the calculation batch job.
  B. Obtain post-change approval from management.
  C. Perform substantive testing using computer-assisted audit techniques (CAATs).
  D. Interview the lead system developer.
  A. Check regular execution of the calculation batch job.

  ---

  Explanation

• Question 532:

  Which of the following is a challenge in developing a service level agreement (SLA) for network services?

  A. Establishing a well-designed framework for network servirces.
  B. Finding performance metrics that can be measured properly
  C. Ensuring that network components are not modified by the client
  D. Reducing the number of entry points into the network
  B. Finding performance metrics that can be measured properly

  ---

  Explanation

  One of the challenges in developing a SLA for network services is finding performance metrics that can be measured properly and reflect the quality of service expected by the customer. Establishing a well-designed framework for network services is not a challenge, but a good practice. Ensuring that network components are not modified by the client or reducing the number of entry points into the network are security issues, not SLA issues.

  References: ISACA, CISA Review Manual, 27th Edition, 2018, page 333

• Question 533:

  An IS auditor should be MOST concerned if which of the following fire suppression systems is utilized to protect an asset storage closet?

  A. Deluge system
  B. Wet pipe system
  C. Preaction system
  D. CO2 system
  D. CO2 system

  ---

  Explanation

  A CO2 system could be a concern for an IS auditor when used to protect an asset storage closet. While CO2 systems are effective at suppressing fires, they can pose a significant safety risk to personnel. In the event of a fire, the CO2 system would fill the room with carbon dioxide, displacing the oxygen. This could be hazardous to anyone who might be in the room at the time.

  References: ISACA's Information Systems Auditor Study Materials

• Question 534:

  An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in- house. Which of the following findings should be the IS auditor's GREATEST concern?

  A. The cost of outsourcing is lower than in-house development.
  B. The vendor development team is located overseas.
  C. A training plan for business users has not been developed.
  D. The data model is not clearly documented.
  D. The data model is not clearly documented.

  ---

  Explanation

  The finding that should be the IS auditor's greatest concern is that the data model is not clearly documented. A data model is a representation of the structure, relationships, and constraints of the data used by an application. It is a vital component of the software development process, as it helps to ensure the accuracy, consistency, and quality of the data1. A clear and comprehensive documentation of the data model is essential for the maintenance and support of the application, as it facilitates the understanding, modification, and troubleshooting of the data and the application logic2. If the organization plans to bring the support and future maintenance of the application back in-house, it will need to have access to the data model documentation from the vendor. Without it, the organization may face difficulties in transferring the knowledge and skills from the vendor to the in-house team, as well as in adapting and enhancing the application to meet changing business needs and requirements3. The lack of data model documentation may also increase the risk of errors, inconsistencies, and inefficiencies in the data and the application performance2. The other findings are not as concerning as the lack of data model documentation, because they do not directly affect the quality and maintainability of the application. The cost of outsourcing is lower than in-house development is a benefit rather than a risk for the organization, as it implies that outsourcing has helped to save time and money for the organization4. The vendor development team is located overseas is a common practice in outsourcing, and it does not necessarily imply a lower quality or a higher risk of the application. However, it may pose some challenges in terms of communication, coordination, and cultural differences, which can be managed by establishing clear expectations, roles, and responsibilities, as well as using effective tools and methods for communication and collaboration5. A training plan for business users has not been developed is a gap that should be addressed by the organization before deploying the application, as it may affect the user acceptance and satisfaction of the application. However, it does not directly impact the quality or maintainability of the application itself.

  References: What is Data Modeling? Definition and Types | Informatica1 Data Modeling Best Practices: Documentation | erwin2 Data Model Documentation - an overview | ScienceDirect Topics3 Outsourcing App Development Pros and Cons ?Droids On Roids4 8 Risks of Software Development Outsourcing and Their Solutions - Acropolium5 Software Training Plan: How to Create One for Your Business - Elinext

• Question 535:

  An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues. What is the MOST likely cause?

  A. Database clustering
  B. Data caching
  C. Reindexing of the database table
  D. Load balancing
  B. Data caching

  ---

  Explanation

  Data caching is the most likely cause of poor performance, data inconsistency and integrity issues in an IT application, because it involves storing frequently accessed data in a temporary memory location (cache) to reduce the latency and bandwidth consumption of retrieving data from the original source. However, data caching can also introduce problems such as stale data (when the cache is not updated with changes made to the original source), cache coherence (when multiple caches store copies of the same data and need to be synchronized), and cache corruption (when the cache is damaged or tampered with). Database clustering is not a likely cause of poor performance, data inconsistency and integrity issues, because it involves distributing data across multiple servers or nodes to improve availability, scalability and load balancing of database operations. Database clustering can also enhance data consistency and integrity by using replication and synchronization mechanisms to ensure that all nodes have the same view of the data. Reindexing of the database table is not a likely cause of poor performance, data inconsistency and integrity issues, because it involves rebuilding or reorganizing indexes on tables or views to improve query performance and reduce fragmentation of index pages. Reindexing can also improve data consistency and integrity by ensuring that indexes reflect the current state of the data in the tables or views. Load balancing is not a likely cause of poor performance, data inconsistency and integrity issues, because it involves distributing workloads across multiple servers or resources to optimize resource utilization, throughput and response time of applications. Load balancing can also enhance data consistency and integrity by using algorithms and protocols to route requests to the most appropriate server or resource based on availability, capacity and performance.

  References: Data Caching Database Clustering Reindexing Database Tables in SQL Server [Load Balancing]

• Question 536:

  What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

  A. it facilitates easier audit follow-up
  B. it enforces action plan consensus between auditors and auditees
  C. it establishes accountability for the action plans
  D. it helps to ensure factual accuracy of findings
  C. it establishes accountability for the action plans

  ---

  Explanation

  The primary benefit of an audit approach that requires reported findings to be issued together with related action plans, owners, and target dates is that it establishes accountability for the action plans. Accountability means that the individuals or groups who are responsible for implementing the action plans are clearly identified and held liable for their completion within the specified time frame. Accountability also implies that the action plans are monitored and evaluated to ensure that they are effective and efficient in addressing the audit findings and mitigating the associated risks1. Accountability helps to ensure that the audit recommendations are taken seriously and implemented properly, and that the audit value is realized by the organization2. The other options are less relevant or incorrect because:

  A. It facilitates easier audit follow-up is not the primary benefit of an audit approach that requires reported findings to be issued together with related action plans, owners, and target dates, as it is more of a secondary or indirect benefit. Audit follow-up is the process of verifying whether the action plans have been implemented and whether they have resolved the audit findings3. While having clear action plans, owners, and target dates may facilitate easier audit follow-up by providing a basis for tracking and reporting the progress and status of the action plans, it does not necessarily guarantee that the action plans will be implemented or effective.

  B. It enforces action plan consensus between auditors and auditees is not the primary benefit of an audit approach that requires reported findings to be issued together with related action plans, owners, and target dates, as it is more of a prerequisite or condition for such an approach. Action plan consensus means that the auditors and auditees agree on the audit findings and recommendations, and on the action plans to address them4. While having action plan consensus may enhance the credibility and acceptance of the audit approach, it does not necessarily ensure that the action plans will be implemented or effective.

  D. It helps to ensure factual accuracy of findings is not the primary benefit of an audit approach that requires reported findings to be issued together with related action plans, owners, and target dates, as it is more of an outcome or result of such an approach. Factual accuracy of findings means that the audit findings are based on sufficient, reliable, relevant, and useful evidence5. While having factual accuracy of findings may increase the confidence and trust in the audit approach, it does not necessarily ensure that the action plans will be implemented or effective.

  References: Accountability - ISACA, Audit Value ISACA, Audit Follow- up - ISACA, Action Plan Consensus - ISACA, Factual Accuracy of Findings - ISACA

• Question 537:

  Which of the following is the GREATEST advantage of outsourcing the development of an e-banking solution when in-house technical expertise is not available?

  A. Lower start-up costs
  B. Reduced risk of system downtime
  C. Direct oversight of risks
  D. Increased ability to adapt the system
  A. Lower start-up costs

  ---

  Explanation

  Outsourcing the development of an e-banking solution when in-house technical expertise is not available can significantly reduce start-up costs. This is because the organization can avoid the expenses associated with hiring and training a full-time development team, purchasing necessary hardware and software, and maintaining the system1. While outsourcing can also potentially reduce the risk of system downtime, increase the ability to adapt the system, and provide direct oversight of risks, these benefits are not as immediate or guaranteed as the cost savings.

  References: Maxicus1, Forbes2, Strategyand - PwC3

• Question 538:

  Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?

  A. A high percentage of stakeholders satisfied with the quality of IT
  B. A high percentage of IT processes reviewed by quality assurance (QA)
  C. A high percentage of incidents being quickly resolved
  D. A high percentage of IT employees attending quality training
  A. A high percentage of stakeholders satisfied with the quality of IT

  ---

  Explanation

• Question 539:

  Which of the following audit is mainly designed to evaluate the internal control structure in a given process or area?

  A. Compliance Audit
  B. Financial Audit
  C. Operational Audit
  D. Forensic audit
  C. Operational Audit

  ---

  Explanation

  Operational audit is mainly designed to evaluate the internal control structure in a given process or area. Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented,

  systematic, and independent evaluation of organizational activities. In Operational audit financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives.

  Operational audit is a more comprehensive form of an Internal audit.

  What is an audit?

  An audit in general terms is a process of evaluating an individual or organization's accounts. This is usually done by an independent auditing body. Thus, audit involves a competent and independent person obtaining evidence and evaluating

  it objectively with regard to a given entity, which in this case is the subject of audit, in order to establish conformance to a given set of standards. Audit can be on a person, organization, system, enterprise, project or product.

  Compliance Audit

  A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review

  security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory or industry standard. These

  audits often overlap traditional audits, but may focus on particular system or data.

  What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data. For instance, SOX

  requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure. Health care providers that store or transmit e-health records, like personal health information, are

  subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often

  generated by data from event log management software.

  Financial Audit

  A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not

  absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an objective

  independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and

  consequently reduce the cost of capital of the preparer of the financial statements.

  Operational Audit

  Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit financial data may

  be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Operational audit is a more comprehensive form of an Internal audit.

  The Institute of Internal Auditor (IIA) defines Operational Audit as a systematic process of evaluating an organization's effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the

  results of the evaluation along with recommendations for improvement.

  Objectives

  To appraise the effectiveness and efficiency of a division, activity, or operation of the entity in meeting organizational goals.

  To understand the responsibilities and risks faced by an organization.

  To identify, with management participation, opportunities for improving control.

  To provide senior management of the organization with a detailed understanding of the Operations.

  Integrated Audits

  An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to financial information and asset, safeguarding, efficiency and or internal

  auditors and would include compliance test of internal controls and substantive audit step.

  IS Audit

  An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are

  safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of

  attestation engagement.

  The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets

  and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

  Will the organization's computer systems be available for the business at all times when required? (known as availability) Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality) Will

  the information provided by the system always be accurate, reliable, and timely? (measures the integrity) In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing

  those risks.

  Forensic Audit Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or irregularities (including fraud) and giving preventative advice. The purpose of a forensic audit is to use accounting procedures to collect evidence for the prosecution or investigation of financial crimes such as theft or fraud. Forensic audits may be conducted to determine if wrongdoing occurred, or to gather materials for the case against an alleged criminal.

  The following answers are incorrect: Compliance Audit - A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory or industry standard. These audits often overlap traditional audits, but may focus on particular system or data.

  Financial Audit- A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an objective independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and consequently reduce the cost of capital of the preparer of the financial statements.

  Forensic Audit - Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or irregularities (including fraud) and giving preventative advice.

  CISA Review Manual 2014 Page number 44 http://searchcompliance.techtarget.com/definition/compliance-audit http://en.wikipedia.org/wiki/Financial_audit http://en.wikipedia.org/wiki/Operational_auditing http://en.wikipedia.org/wiki/Information_technology_audit http://www.investorwords.com/16445/forensic_audit.html

• Question 540:

  Which of the following BEST indicates to an IS auditor that an organization handles emergency changes appropriately and transparently?

  A. The application operations manual contains procedures to ensure emergency fixes do not compromise system integrity.
  B. Special logon IDs are used to grant programmers permanent access to the production environment.
  C. Change management controls are retroactively applied.
  D. Emergency changes are applied to production libraries immediately.
  A. The application operations manual contains procedures to ensure emergency fixes do not compromise system integrity.

  ---

  Explanation