Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 551:

  An organization is ready to implement a new IT solution consisting of multiple modules. The last module updates the processed data into the database. Which of the following findings should be of MOST concern to the IS auditor?

  A. Absence of a formal change approval process
  B. Lack of input validation
  C. Use of weak encryption
  D. Lack of a data dictionary
  B. Lack of input validation

  ---

  Explanation

• Question 552:

  To test the integrity of the data in the accounts receivable master file, an IS auditor is particularly interested in reviewing customers with balances over $400,000. The selection technique the IS auditor would use to obtain such a sample is called:

  A. random selection.
  B. systematic selection.
  C. discovery selection.
  D. stratification.
  B. systematic selection.

  ---

  Explanation

• Question 553:

  An IS auditor is reviewing a data conversion project Which of the following is the auditor's BEST recommendation prior to go-live?

  A. Review test procedures and scenarios
  B. Conduct a mock conversion test
  C. Establish a configuration baseline
  D. Automate the test scripts
  B. Conduct a mock conversion test

  ---

  Explanation

  The auditor's best recommendation prior to go-live is to conduct a mock conversion test. This is because a mock conversion test can help to verify the accuracy, completeness, and validity of the data conversion process. A mock conversion

  test can also help to identify and resolve any issues or errors before the actual conversion takes place. A mock conversion test can also provide assurance that the converted data meets the business requirements and expectations.

  References:

  CISA Review Manual (Digital Version), Chapter 3, Section 3.3.21 CISA Online Review Course, Domain 2, Module 2, Lesson 22

• Question 554:

  An IS auditor has been tasked to review the processes that prevent fraud within a business expense claim system. Which of the following stakeholders is MOST important to involve in this review?

  A. Information security manager
  B. Quality assurance (QA) manager
  C. Business department executive
  D. Business process owner
  D. Business process owner

  ---

  Explanation

  The business process owner is the most important stakeholder to involve in the review of the processes that prevent fraud within a business expense claim system. This is because the business process owner is responsible for defining, implementing, and monitoring the business rules and policies that govern the expense claim process. The business process owner also has the authority and accountability to approve or reject expense claims, as well as to investigate and report any suspicious or fraudulent activities. The business process owner can provide valuable insights and feedback to the IS auditor on the effectiveness and efficiency of the current processes, as well as the potential risks and controls that need to be addressed12. The information security manager is not the most important stakeholder because their role is mainly focused on ensuring the confidentiality, integrity, and availability of the information systems and data that support the expense claim process. The information security manager can help the IS auditor with assessing the technical aspects of the system, such as access controls, encryption, logging, and backup, but they may not have sufficient knowledge or authority over the business rules and policies that prevent fraud1. The quality assurance (QA) manager is not the most important stakeholder because their role is mainly focused on ensuring the quality and reliability of the software applications and systems that support the expense claim process. The QA manager can help the IS auditor with testing and verifying the functionality and performance of the system, but they may not have sufficient knowledge or authority over the business rules and policies that prevent fraud1. The business department executive is not the most important stakeholder because their role is mainly focused on overseeing the strategic objectives and financial performance of the business department that uses the expense claim system. The business department executive can help the IS auditor with understanding the business context and needs of the expense claim process, but they may not have sufficient knowledge or authority over the operational details and controls that prevent fraud

• Question 555:

  During an audit of an access control system an IS auditor finds that RFID card readers are not connected via the network to a central server Which of the following is the GREATEST risk associated with this finding?

  A. Incidents cannot be investigated without a centralized log file
  B. Card reader firmware updates cannot be rolled out automatically.
  C. Lost or stolen cards cannot be disabled immediately.
  D. The system is not easily scalable to accommodate a new device
  C. Lost or stolen cards cannot be disabled immediately.

  ---

  Explanation

• Question 556:

  Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

  A. Legacy data has not been purged.
  B. Admin account passwords are not set to expire.
  C. Default settings have not been changed.
  D. Database activity logging is not complete.
  B. Admin account passwords are not set to expire.

  ---

  Explanation

  Admin accounts typically have the highest level of privileges and access to sensitive data. If the passwords for these accounts are not set to expire, it increases the risk of unauthorized access and potential security breaches. This is especially true if an admin's credentials are compromised, as the attacker could have ongoing access to critical systems and data

• Question 557:

  When evaluating the management practices at a third-party organization providing outsourced services, the IS auditor considers relying on an independent auditors report. The IS auditor would first:

  A. determine if recommendations have been implemented
  B. review the objectives of the audit
  C. examine the independent auditor's workpapers.
  D. discuss the report with the independent auditor
  B. review the objectives of the audit

  ---

  Explanation

• Question 558:

  When evaluating whether the expected benefits of a project have been achieved, it is MOST important for an IS auditor to review:

  A. post-implementation issues.
  B. quality assurance results.
  C. the project schedule.
  D. the business case.
  D. the business case.

  ---

  Explanation

• Question 559:

  An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?

  A. Overviews of interviews between data center personnel and the auditor
  B. Prior audit reports involving other corporate disaster recovery audits
  C. Summary memos reflecting audit opinions regarding noted weaknesses
  D. Detailed evidence of the successes and weaknesses of all contingency testing
  D. Detailed evidence of the successes and weaknesses of all contingency testing

  ---

  Explanation

  The IS audit manager should specifically review the detailed evidence of the successes and weaknesses of all contingency testing to substantiate the conclusions of the audit of the corporate disaster recovery test. This is because the detailed evidence can provide the audit manager with a clear and objective picture of how well the disaster recovery plan was executed, what issues or gaps were encountered, and what recommendations or actions were taken to address them. The detailed evidence can also help the audit manager to verify the accuracy, completeness, and validity of the audit findings, as well as to evaluate the adequacy and effectiveness of the disaster recovery controls. The other options are not as specific or relevant as the detailed evidence of all contingency testing. Overviews of interviews between data center personnel and the auditor may provide some useful information, but they are not sufficient to substantiate the conclusions without supporting evidence from the actual testing. Prior audit reports involving other corporate disaster recovery audits may provide some benchmarking or comparison data, but they are not directly related to the current audit scope and objectives. Summary memos reflecting audit opinions regarding noted weaknesses may provide some high-level insights, but they are not enough to substantiate the conclusions without detailed evidence to back them up.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 2411 Disaster Recovery Audit Work Program

• Question 560:

  To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?

  A. Criteria
  B. Responsible party
  C. Impact
  D. Root cause
  C. Impact

  ---

  Explanation