Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 611:

  Which of the following should an IS auditor verify when auditing the effectiveness of virus protection?

  A. Frequency of IDS log reviews
  B. Currency of software patch application
  C. Schedule for migration to production
  D. Frequency of external Internet access
  B. Currency of software patch application

  ---

  Explanation

• Question 612:

  Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

  A. Restricting evidence access to professionally certified forensic investigators
  B. Documenting evidence handling by personnel throughout the forensic investigation
  C. Performing investigative procedures on the original hard drives rather than images of the hard drives
  D. Engaging an independent third party to perform the forensic investigation
  B. Documenting evidence handling by personnel throughout the forensic investigation

  ---

  Explanation

  The most important factor to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings is to document evidence handling by personnel throughout the forensic investigation.

  Documentation is essential to establish the chain of custody, prove the integrity and authenticity of the evidence, and demonstrate compliance with legal and ethical standards. Documentation should include information such as the date, time,

  location, source, destination, method, purpose, result, and authorization of each action performed on the evidence. Documentation should also include any observations, findings, assumptions, limitations, or exceptions encountered during the

  investigation.

  References:

  CISA Review Manual (Digital Version)

  CISA Questions, Answers and Explanations Database

• Question 613:

  Which of the following is the GREATEST concern when using a cold backup site?

  A. Compatibility problems with existing equipment might exist.
  B. Peripheral equipment might not be sufficient to handle critical applications.
  C. It is difficult to test critical applications at the backup site
  D. Physical security requirements at the backup site might not be met.
  C. It is difficult to test critical applications at the backup site

  ---

  Explanation

• Question 614:

  Which of the following is the PRIMARY benefit of operational log management?

  A. It enhances user experience via predictive analysis.
  B. It improves security with real-time monitoring of network data.
  C. It organizes data to identify performance issues.
  D. It supports data aggregation using unified storage.
  B. It improves security with real-time monitoring of network data.

  ---

  Explanation

  Explanation Operational log management primarily enhances security by enabling real-time monitoring and detection of anomalies within network data. Logs provide valuable information for identifying threats, investigating incidents, and ensuring compliance with security policies. Predictive Analysis for User Experience (Option A):While logs may support analytics, this is not the primary benefit. Performance Issue Identification (Option C):Logs can help identify performance issues, but the focus of operational log management is security. Data Aggregation Using Unified Storage (Option D):This supports management but is secondary to the security benefits.

  ISACA CISA Review Manual, Job Practice Area 3: Information Systems Operations and Business Resilience.

• Question 615:

  An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's GREATEST concern?

  A. User access rights have not been periodically reviewed by the client.
  B. Payroll processing costs have not been included in the IT budget.
  C. The third-party contract has not been reviewed by the legal department.
  D. The third-party contract does not comply with the vendor management policy.
  C. The third-party contract has not been reviewed by the legal department.

  ---

  Explanation

  The third-party contract has not been reviewed by the legal department is the auditor's greatest concern because it poses a significant legal and financial risk to the client. A third-party contract is a legally binding agreement between the client and the outsourced payroll provider that defines the scope, terms, and conditions of the service. A third-party contract should be reviewed by the legal department to ensure that it complies with the applicable laws and regulations, protects the client's interests and rights, and specifies the roles and responsibilities of both parties. A third-party contract that has not been reviewed by the legal department may contain clauses that are unfavorable, ambiguous, or contradictory to the client, such as: Inadequate or unclear service level agreements (SLAs) that do not specify the quality, timeliness, and accuracy of the payroll service. Insufficient or vague security and confidentiality provisions that do not safeguard the client's data and information from unauthorized access, use, disclosure, or loss. Unreasonable or excessive fees, penalties, or liabilities that may impose an undue financial burden on the client. Limited or no audit rights that may prevent the client from verifying the effectiveness and compliance of the payroll provider's internal controls. Inflexible or restrictive termination clauses that may limit the client's ability to cancel or switch to another payroll provider. A third-party contract that has not been reviewed by the legal department may expose the client to various risks, such as: Legal disputes or litigation with the payroll provider over contractual breaches or performance issues. Regulatory fines or sanctions for noncompliance with tax, labor, or other laws and regulations related to payroll. Financial losses or damages due to errors, fraud, or negligence by the payroll provider. Reputation damage or customer dissatisfaction due to payroll errors or delays. Therefore, an IS auditor should be highly concerned about a third-party contract that has not been reviewed by the legal department and recommend that the client seek legal advice before signing or renewing any contract with an outsourced payroll provider. User access rights have not been periodically reviewed by the client is a moderate concern because it may indicate a lack of proper access control over the payroll system. User access rights are the permissions granted to users to access, view, modify, or delete data and information in the payroll system. User access rights should be periodically reviewed by the client to ensure that they are aligned with the user's roles and responsibilities, and that they are revoked or modified when a user changes roles or leaves the organization. User access rights that are not periodically reviewed by the client may result in unauthorized or inappropriate access to payroll data and information, which may compromise its confidentiality, integrity, and availability. Payroll processing costs have not been included in the IT budget is a minor concern because it may indicate a lack of proper planning and allocation of IT resources for payroll processing. Payroll processing costs are the expenses incurred by the client for using an outsourced payroll service, such as fees, charges, taxes, or penalties. Payroll processing costs should be included in the IT budget to ensure that they are adequately estimated, monitored, and controlled. Payroll processing costs that are not included in the IT budget may result in unexpected or excessive costs for payroll processing, which may affect the client's profitability and cash flow. The third-party contract does not comply with the vendor management policy is a low concern because it may indicate a lack of alignment between the client's vendor management policy and its actual vendor selection and evaluation process. A vendor management policy is a set of guidelines and procedures that governs how the client manages its relationship with its vendors, such as how to select, monitor, evaluate, and terminate vendors. A vendor management policy should be consistent with the client's business objectives, risk appetite, and regulatory requirements. A third-party contract that does not comply with the vendor management policy may result in suboptimal vendor performance or service quality, but it does not necessarily imply a breach of contract or a violation of law.

• Question 616:

  Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program''

  A. Steps taken to address identified vulnerabilities are not formally documented
  B. Results are not reported to individuals with authority to ensure resolution
  C. Scans are performed less frequently than required by the organization's vulnerability scanning schedule
  D. Results are not approved by senior management
  B. Results are not reported to individuals with authority to ensure resolution

  ---

  Explanation

  The finding that should be of greatest concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program is that results are not reported to individuals with authority to ensure resolution. This indicates a lack of accountability and communication for vulnerability management, which may result in unresolved or delayed remediation of identified vulnerabilities. This may expose the organization to increased risk of cyberattacks or breaches. The other findings are also concerning, but not as much as this one, because they may affect the completeness, accuracy or timeliness of the vulnerability scanning process, but not necessarily its effectiveness.

  References: ISACA, CISA Review Manual, 27th Edition, chapter 4, section 4.41 ISACA, COBIT 2019 Framework: Introduction and Methodology, section 3.2

• Question 617:

  Which of the following E-commerce model covers all the transactions between companies and government organization?

  A. B-to-C relationships
  B. B-to-B relationships
  C. B-to-E relationships
  D. B-to-G relationships
  D. B-to-G relationships

  ---

  Explanation

  Business-to-Government(B-to-G) relationships covers all the transactions between companies and government organizations. Currently this category is infancy, but it could expand quit rapidly as government use their own operations to promote awareness and growth of e-commerce. In addition to public procurement, administrations may also offer the option of electronic interchange for such transactions as VAT returns and the payment of corporate taxes.

  For CISA exam you should know below E-commerce models:

  Business-to-Consumer (B-to-C) relationships ?The greatest potential power of E-commerce comes from its ability to redefine relationship with customers in creating a new convenient, low-cost channel to transact business. Companies can

  tailor their marketing strategies to an individual customer's needs and wants. As more of its business shifts on-line, a company will have an enhanced ability to track how its customer interact with it.

  Business-to-Business (B-to-B) relationships ?The relationship among the selling services of two or more business opens up the possibility of re-engineering business process across the boundaries that have traditionally separated external entities from each other. Because of the ease of access and the ubiquity of the Internet, for example companies can build business process that combine previously separated activities. The result is faster, higher quality and lower-cost set of transactions. The market has ever created to subdivision of B-to-B called business-to-small business(B-to-SB) relationships

  Business-to-employee(B-to-E) relationships ?Web technologies also assist in the dissemination of information to and among an organization employees.

  Business-to-Government(B-to-G) relationships ?covers all the transactions between companies and government organizations. Currently this category is infancy, but it could expand quit rapidly as government use their own operations to

  promote awareness and growth of e-commerce. In addition to public procurement, administrations may also offer the option of electronic interchange for such transactions as VAT returns and the payment of corporate taxes.

  The following were incorrect answers:

  The other options presented does not covers all transactions between companies and government organizations.

  CISA review manual 2014 Page number 175

• Question 618:

  Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

  A. Staff were not involved in the procurement process, creating user resistance to the new system.
  B. Data is not converted correctly, resulting in inaccurate patient records.
  C. The deployment project experienced significant overruns, exceeding budget projections.
  D. The new system has capacity issues, leading to slow response times for users.
  B. Data is not converted correctly, resulting in inaccurate patient records.

  ---

  Explanation

  The most significant risk associated with a new health records system that replaces a legacy system is data not being converted correctly, resulting in inaccurate patient records. Data conversion is the process of transferring data from one format or system to another. Data conversion is a critical step in implementing a new health records system, as it ensures that the patient data are consistent, complete, accurate, and accessible in the new system. Data not being converted correctly may cause errors, discrepancies, or losses in patient records, which may have serious implications for patient safety, quality of care, legal compliance, and privacy protection. Staff not being involved in the procurement process, creating user resistance to the new system; the deployment project experiencing significant overruns, exceeding budget projections; and the new system having capacity issues, leading to slow response times for users are also risks associated with a new health records system implementation, but they are not as significant as data not being converted correctly.

  References: [ISACA CISA Review Manual 27th Edition], page 281.

• Question 619:

  Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

  A. Penetration testing
  B. Application security testing
  C. Forensic audit
  D. Server security audit
  C. Forensic audit

  ---

  Explanation

• Question 620:

  An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

  A. Imported data is not disposed of frequently.
  B. The transfer protocol is not encrypted.
  C. The transfer protocol does not require authentication.
  D. The quality of the data is not monitored.
  D. The quality of the data is not monitored.

  ---

  Explanation