Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 591:

  An IS auditor determines elevated administrator accounts for servers that are not properly checked out and then back in after each use. Which of the following is the MOST appropriate sampling technique to determine the scope of the problem?

  A. Haphazard sampling
  B. Random sampling
  C. Statistical sampling
  D. Stratified sampling
  C. Statistical sampling

  ---

  Explanation

• Question 592:

  An IS auditor finds that irregularities have occurred and that auditee management has chosen to ignore them. If reporting to external authorities is required which of the following is the BEST action for the IS auditor to take?

  A. Submit the report to appropriate regulators immediately.
  B. Obtain approval from audit management to submit the report.
  C. Obtain approval from auditee management to release the report.
  D. Obtain approval from both audit and auditee management to release the report.
  B. Obtain approval from audit management to submit the report.

  ---

  Explanation

• Question 593:

  An IS auditor has been tasked with auditing the inventory control process for a large organization that processes millions of data transactions. Which of the following is the BEST testing strategy to adopt?

  A. Continuous monitoring
  B. Control self-assessments (CSAs)
  C. Risk assessments
  D. Stop-or-go sampling
  A. Continuous monitoring

  ---

  Explanation

  Given the large volume of data transactions, continuous monitoring is the best testing strategy for auditing the inventory control process. Continuous monitoring involves the automated review of operational and financial data to identify anomalies or areas of concern. This approach allows for real-time identification and resolution of issues, making it particularly effective for large organizations with high transaction volumes.

  References: ISACA's Information Systems Auditor Study Materials1

• Question 594:

  Which control type would provide the MOST useful input to a root cause analysis?

  A. Compensating
  B. Detective
  C. Directive
  D. Corrective
  B. Detective

  ---

  Explanation

• Question 595:

  A vendor requires privileged access to a key business application. Which of the following is the BEST recommendation to reduce the risk of data leakage?

  A. Implement real-time activity monitoring for privileged roles
  B. Include the right-to-audit in the vendor contract
  C. Perform a review of privileged roles and responsibilities
  D. Require the vendor to implement job rotation for privileged roles
  A. Implement real-time activity monitoring for privileged roles

  ---

  Explanation

  A vendor requires privileged access to a key business application. The best recommendation to reduce the risk of data leakage is to implement real-time activity monitoring for privileged roles. This is because real-time activity monitoring can provide visibility and accountability for the actions performed by the vendor with privileged access, such as creating, modifying, deleting, or copying data. Real-time activity monitoring can also enable timely detection and response to any unauthorized or suspicious activities that may indicate data leakage. Including the right-to-audit in the vendor contract is a good practice, but it may not be sufficient to prevent or detect data leakage in a timely manner, as audits are usually performed periodically or on-demand. Performing a review of privileged roles and responsibilities is also a good practice, but it may not address the specific risk of data leakage by the vendor with privileged access. Requiring the vendor to implement job rotation for privileged roles may reduce the risk of collusion or fraud, but it may not prevent or detect data leakage by any individual with privileged access.

  References: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program Management Guide]

• Question 596:

  Which of the following would be MOST useful to an IS auditor when making recommendations to enable continual improvement of IT processes over time?

  A. IT incident log
  B. Benchmarking studies
  C. Maturity model
  D. IT risk register
  C. Maturity model

  ---

  Explanation

• Question 597:

  An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?

  A. Document the findings in the audit report.
  B. Identify who approved the policies.
  C. Escalate the situation to the lead auditor.
  D. Communicate the observation to the auditee.
  D. Communicate the observation to the auditee.

  ---

  Explanation

  An IS auditor has identified deficiencies within the organization's software development life cycle (SDLC) policies. The SDLC is the process of planning, developing, testing, and deploying software applications1. SDLC policies are the guidelines and standards that govern the SDLC process and ensure its quality, security, and compliance. Deficiencies in SDLC policies can lead to various risks, such as: Software errors, bugs, or vulnerabilities that can affect the functionality, reliability, or security of the applications Software failures, delays, or overruns that can affect the delivery, performance, or customer satisfaction of the applications

  Software non-compliance that can result in legal, regulatory, or contractual violations or penalties

  The next step that the IS auditor should do after identifying deficiencies in SDLC policies is to communicate the observation to the auditee. The auditee is the person or entity that is subject to the audit and is responsible for the area being

  audited4. In this case, the auditee could be the software development manager, the project manager, or the senior management of the organization. Communicating the observation to the auditee is important for several reasons:

  It allows the IS auditor to verify the accuracy and validity of the observation and gather additional evidence or information from the auditee It gives the auditee an opportunity to respond to the observation and provide their perspective,

  explanation, or justification for the deficiencies It enables the IS auditor to discuss with the auditee the potential impact, root cause, and remediation plan for the deficiencies It fosters a collaborative and constructive relationship between the IS

  auditor and the auditee and promotes transparency and accountability in the audit process The other options are not as appropriate as communicating the observation to the auditee. Documenting the findings in the audit report is a later step

  that should be done after communicating with the auditee and finalizing the observation. Identifying who approved the policies is not relevant for addressing the deficiencies and may imply blame or fault on a specific person or group.

  Escalating the situation to the lead auditor is not necessary unless there is a serious disagreement or conflict with the auditee that cannot be resolved by normal communication. Therefore, option D is the correct answer.

  References:

  What Is The Software Development Life Cycle? | PagerDuty Software Development Life Cycle (SDLC) Policy | StrongDM What Is SDLC? Best Phases, Methodologies, and Benefits Revealed - Kellton Communicating Audit Findings

• Question 598:

  Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

  A. Expected deliverables meeting project deadlines
  B. Sign-off from the IT team
  C. Ongoing participation by relevant stakeholders
  D. Quality assurance (OA) review
  B. Sign-off from the IT team

  ---

  Explanation

• Question 599:

  A contract bid is digitally signed and electronically mailed. The PRIMARY advantage to using a digital signature is that:

  A. the bid cannot be forged even if the keys are compromised.
  B. the bid and the signature can be copied from one document to another.
  C. the signature can be authenticated even if no encryption is used.
  D. any alteration of the bid will invalidate the signature.
  C. the signature can be authenticated even if no encryption is used.

  ---

  Explanation

• Question 600:

  An IS auditor is reviewing desktop software profiles and notes that a user has downloaded and installed several games that are not approved by the company. Which of the following is the MOST significant risk that could result from this situation?

  A. Violation of user's privacy
  B. Potential for malware
  C. Noncompliance with the acceptable use policy
  D. Interoperability issues with company software
  B. Potential for malware

  ---

  Explanation