Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 661:

  Which of the following is necessary for effective risk management in IT governance?

  A. Local managers are solely responsible for risk evaluation.
  B. IT risk management is separate from corporate risk management.
  C. Risk management strategy is approved by the audit committee.
  D. Risk evaluation is embedded in management processes.
  D. Risk evaluation is embedded in management processes.

  ---

  Explanation

  The necessary condition for effective risk management in IT governance is that risk evaluation is embedded in management processes. Risk evaluation is the process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. Risk evaluation should be integrated into the management processes of planning, implementing, monitoring, and reviewing the IT activities and resources. This will ensure that risk management is aligned with the business objectives, strategies, and values, and that risk responses are timely, appropriate, and effective.

  References: CISA Review Manual (Digital Version) CISA Questions, Answers and Explanations Database

• Question 662:

  Which of the following is the BEST way to ensure a vendor complies with system security requirements?

  A. Require security training for vendor staff.
  B. Review past incidents reported by the vendor.
  C. Review past audits on the vendor's security compliance.
  D. Require a compliance clause in the vendor contract.
  D. Require a compliance clause in the vendor contract.

  ---

  Explanation

• Question 663:

  Which of the following fourth generation language depends on self-contained database management systems?

  A. Query and report generator
  B. Embedded database 4GLs
  C. Relational database 4GL
  D. Application generators
  B. Embedded database 4GLs

  ---

  Explanation

  Embedded database 4GLsare depend on self-contained database management systems. These characteristics often makes them more user-friendly but also may lead to applications that are not integrated well with other product

  applications. Example includes FOCUS, RAMIS II and NOMAD 2.

  For CISA exam you should know below mentioned types of 4GLs

  Query and report generator ?These specialize language can extract and produce reports. Recently more powerful language has been produced that can access database records, produce complex on-line output and be developed in an

  almost natural language.

  Embedded database 4GLs ?These depend on self-contained database management systems. These characteristics often makes them more user-friendly but also may lead to applications that are not integrated well with other product

  applications. Example includes FOCUS, RAMIS II and NOMAD 2. Relational database 4GLs ?These high level language products are usually an optional feature on vendor's DBMS product line. These allow the application developer to make better use of DBMS product, but they often are not end-useroriented. Example include SQL+ MANTIS and NATURAL.

  Application generators ?These development tools generate lower level programming languages(3GL) such as COBOL and

  C. The application can be further tailored and customized. Data processing development personnel, not end user, use

  application generators.

  The following were incorrect answers:

  Query and report generator ?These specialize language can extract and produce reports.

  Relational database 4GLs ?These high level language products are usually an optional feature on vendor's DBMS product line.

  Application generators ?These development tools generate lower level programming languages(3GL) such as COBOL and

  C.

  CISA review manual 2014 Page number 209

• Question 664:

  An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported the auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

  A. Verify all patches have been applied to the software system's outdated version
  B. Close all unused ports on the outdated software system.
  C. Segregate the outdated software system from the main network.
  D. Monitor network traffic attempting to reach the outdated software system.
  C. Segregate the outdated software system from the main network.

  ---

  Explanation

  The best way to reduce the immediate risk associated with using an unsupported version of the software is to segregate the outdated software system from the main network. An unsupported software system may have unpatched vulnerabilities that could be exploited by attackers to compromise the system or access sensitive data. By isolating the system from the rest of the network, the organization can limit the exposure and impact of a potential breach. Verifying all patches have been applied to the outdated software system, closing all unused ports on the outdated software system and monitoring network traffic attempting to reach the outdated software system are also good practices, but they do not address the root cause of the risk, which is the lack of vendor support and updates.

  References: CISA Review Manual, 27th Edition, page 2951 CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

• Question 665:

  An IS auditor is planning a review of an organizations robotic process automation (RPA) technology. Which of the following MUST be included in the audit work plan?

  A. Integration architecture
  B. Change management
  C. Cost-benefit analysis
  D. Employee training content
  D. Employee training content

  ---

  Explanation

• Question 666:

  Which of the following provides the BEST evidence of successfully completed batch uploads?

  A. Sign-off on the batch journal
  B. Using sequence controls
  C. Enforcing batch cut-off times
  D. Reviewing process logs
  B. Using sequence controls

  ---

  Explanation

• Question 667:

  A financial group recently implemented new technologies and processes, Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?

  A. Performance audit
  B. Integrated audit
  C. Cyber audit
  D. Financial audit
  B. Integrated audit

  ---

  Explanation

  The type of IS audit that would provide the greatest level of assurance that the department's objectives have been met after implementing new technologies and processes is an integrated audit. An integrated audit is an audit that combines financial, operational, compliance, and IT auditing aspects to provide a holistic view of the organization's performance and risks. An integrated audit can evaluate whether the new technologies and processes are aligned with the organization's goals, strategies, policies, and controls, and whether they are delivering value, efficiency, effectiveness, and reliability. The other types of IS audits (A, C and D) would not provide the same level of assurance, as they would only focus on specific aspects of the organization's activities, such as performance, cyber security, or financial reporting, which may not capture the full impact of the new technologies and processes.

  References: CISA Certification | Certified Information Systems Auditor | ISACA, CISA Review Manual (Digital Version), Chapter 1: The Process of Auditing Information Systems, Section 1.2: Types of IS Audit Engagements

• Question 668:

  Which of the following procedures for testing a disaster recovery plan (DRP) is MOST effective?

  A. Testing at a secondary site using offsite data backups
  B. Performing a quarterly tabletop exercise
  C. Reviewing recovery time and recovery point objectives
  D. Reviewing documented backup and recovery procedures
  A. Testing at a secondary site using offsite data backups

  ---

  Explanation

• Question 669:

  Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?

  A. adequate measurement of key risk indicators (KRIS)
  B. Inadequate alignment of IT plans and business objectives
  C. Inadequate business impact analysis (BIA) results and predictions
  D. Inadequate measurement of key performance indicators (KPls)
  B. Inadequate alignment of IT plans and business objectives

  ---

  Explanation

  The most significant impact to an organization that does not use an IT governance framework is inadequate alignment of IT plans and business objectives. IT governance is a framework for the governance and management of enterprise

  information and technology (IandT) that supports enterprise goal achievement1. IT governance helps to ensure that IT investments and activities are aligned with the business strategy, vision, and values of the organization. IT governance also

  helps to optimize the value of IT, manage IT-related risks, and measure and monitor IT performance.

  Without an IT governance framework, an organization may face challenges such as:

  Lack of clarity and direction for IT decision making Inconsistent or conflicting IT priorities and demands Inefficient or ineffective use of IT resources and capabilities Poor quality or delivery of IT services and products Increased exposure to IT-

  related threats and vulnerabilities Reduced customer satisfaction and trust in IT

  Missed opportunities for innovation and competitive advantage Therefore, an organization that does not use an IT governance framework may fail to achieve its business objectives and may lose its competitive edge in the market.

  References:

  COBIT 2019 Framework Introduction and Methodology, Section 1.1: What Is Governance of Enterprise IandT?

  IT Governance: Definitions, Frameworks and Planning, Section 1: What Is IT Governance?

• Question 670:

  Which of the following will BEST ensure that archived electronic information of permanent importance remains accessible over time?

  A. Performing preventive maintenance on old hardware
  B. Acquiring applications that emulate old software
  C. Regularly migrating data to current technology
  D. Periodically backing up archived data
  C. Regularly migrating data to current technology

  ---

  Explanation