Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 671:

  During an internal audit review of a human resources (HR) recruitment system implementation the IS auditor notes that several defects were unresolved at the time the system went live.

  Which of the following is the auditor's MOST important task prior to formulating an audit opinion?

  A. Review the initial implementation plan for timelines.
  B. Confirm the project plan was approved.
  C. Review the user acceptance test (UAT) results for defects
  D. Confirm the seventy of the identified defects.
  D. Confirm the seventy of the identified defects.

  ---

  Explanation

• Question 672:

  Which of the following represents the HIGHEST level of maturity of an information security program?

  A. A training program is in place to promote information security awareness.
  B. A framework is in place to measure risks and track effectiveness.
  C. Information security policies and procedures are established.
  D. The program meets regulatory and compliance requirements.
  B. A framework is in place to measure risks and track effectiveness.

  ---

  Explanation

  According to the ISACA's Information Security Governance Guidance for Boards of Directors and Executive Management, the highest level of maturity of an information security program is Level 5: Optimized, which means that the program is aligned with the business objectives and strategy, and continuously monitors and improves its performance and effectiveness. A framework is in place to measure risks and track effectiveness, and the program is proactive, adaptive, and innovative. The other options represent lower levels of maturity: A training program is in place to promote information security awareness. This is Level 2: Repeatable, which means that the program has some basic policies and procedures, and provides awareness training to employees. Information security policies and procedures are established. This is Level 3: Defined, which means that the program has formalized policies and procedures, and assigns roles and responsibilities for information security. The program meets regulatory and compliance requirements. This is Level 4: Managed, which means that the program has established metrics and reporting mechanisms, and complies with relevant laws and regulations.

  References: ISACA. (2001). Information Security Governance Guidance for B

• Question 673:

  Which of the following should be done FIRST to minimize the risk of unstructured data?

  A. Identify repositories of unstructured data.
  B. Purchase tools to analyze unstructured data.
  C. Implement strong encryption for unstructured data.
  D. Implement user access controls to unstructured data.
  A. Identify repositories of unstructured data.

  ---

  Explanation

  Unstructured data is data that does not have a predefined model or organization, making it difficult to store, process, and analyze using traditional relational databases or spreadsheets. Unstructured data can pose a risk to an organization if it contains sensitive, confidential, or regulated information that is not properly secured, managed, or governed. To minimize the risk of unstructured data, the first step is to identify the repositories of unstructured data, such as file servers, cloud storage, email systems, social media platforms, etc. This will help to understand the scope, volume, and nature of unstructured data in the organization, and to prioritize the areas that need further analysis and action.

  References: Unstructured data - Wikipedia

• Question 674:

  Which of the following provides an IS auditor the BEST evidence that a third-party service provider's information security controls are effective?

  A. Documentation of the service provider's security configuration controls
  B. A review of the service provider's policies and procedures
  C. An audit report of the controls by an external auditor
  D. An interview with the service provider's senior management
  C. An audit report of the controls by an external auditor

  ---

  Explanation

  Explanation

  Comprehensive and Detailed Step-by-Step

  Toverify the effectivenessof a third-party provider'ssecurity controls, anindependent external audit reportis thestrongestevidence.

  Option A (Incorrect):Security configuration documentsare helpful butdo not confirm effectivenesswithout validation.

  Option B (Incorrect):Policies and procedures outlineintent, but anaudit confirms actual implementation.

  Option C (Correct):External audit reports (e.g., SOC 2, ISO 27001)provideindependent assurancethat security controls are effective. Option D (Incorrect):Management interviews providequalitativeinsights but arenot objective evidenceof

  control effectiveness.

  ISACA CISA Review Manual -Domain 3: Information Systems Acquisition, Development, and Implementation?Coversthird-party risk assessments and audit assurance.

• Question 675:

  Which of the following is the PRIMARY reason an IS auditor should use an IT-related framework as a basis for scoping and structuring an audit?

  A. It provides a foundation to recommend certification of the organization's compliance with the framework.
  B. It simplifies audit planning and reduces resource requirements to complete an audit.
  C. It demonstrates to management whether legal and regulatory requirements have been met.
  D. It helps ensure comprehensiveness of the review and provides guidance on best practices.
  D. It helps ensure comprehensiveness of the review and provides guidance on best practices.

  ---

  Explanation

• Question 676:

  A current project to develop IT-based solutions will need additional funding to meet changes in business requirements. Who is BEST suited to obtain this additional funding?

  A. Project sponsor
  B. Project manager
  C. IT strategy committee
  D. Board of directors
  A. Project sponsor

  ---

  Explanation

• Question 677:

  An IT balanced scorecard is PRIMARILY used for: A. evaluating the IT project portfolio

  B. measuring IT strategic performance

  C. allocating IT budget and resources

  D. monitoring risk in lT-related processes

  Correct Answer. B
  B

  ---

  Explanation

  An IT balanced scorecard is primarily used for measuring IT strategic performance. An IT balanced scorecard is a framework that translates the IT strategy into measurable objectives, indicators, targets, and initiatives across four perspectives: financial, customer, internal process, and learning and growth. An IT balanced scorecard helps to monitor and evaluate how well the IT function is delivering value to the organization, achieving its strategic goals, and improving its capabilities and competencies. The other options are not the primary uses of an IT balanced scorecard, because they either focus on specific aspects of IT rather than the overall performance, or they are not directly related to the IT strategy.

  References: CISA Review Manual (Digital Version)1, Chapter 1, Section 1.2.3

• Question 678:

  In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

  A. Reviewing the last compile date of production programs
  B. Manually comparing code in production programs to controlled copies
  C. Periodically running and reviewing test data against production programs
  D. Verifying user management approval of modifications
  A. Reviewing the last compile date of production programs

  ---

  Explanation

  Reviewing the last compile date of production programs is the most efficient way to detect unauthorized changes to production programs, as it can quickly identify any discrepancies between the expected and actual dates of program modification. The last compile date is a timestamp that indicates when a program was last compiled or translated from source code to executable code. Any changes to the source code would require a recompilation, which would update the last compile date. The IS auditor can compare the last compile date of production programs with the authorized change requests and reports to verify that only approved changes were implemented. The other options are not as efficient as option A, as they are more time-consuming, labor-intensive or error-prone. Manually comparing code in production programs to controlled copies is a method of verifying that the code in production matches the code in a secure repository or library, but it requires access to both versions of code and a tool or technique to compare them line by line. Periodically running and reviewing test data against production programs is a method of verifying that the programs produce the expected outputs and results, but it requires designing, executing and evaluating test cases for each program. Verifying user management approval of modifications is a method of verifying that the changes to production programs were authorized and documented, but it does not ensure that the changes were implemented correctly or accurately.

  References: CISA Review Manual (Digital Version) , Chapter 4: Information Systems Operations and Business Resilience, Section 4.3: Change Management Practices.

• Question 679:

  Which of the following provides re BEST evidence that outsourced provider services are being properly managed?

  A. Adequate action is taken for noncompilance with the service level agreement (SLA).
  B. The service level agreement (SLA) includes penalties tor non-performance.
  C. Internal performance standards align with corporate strategy.
  D. The vendor provides historical data to demonstrate its performance.
  A. Adequate action is taken for noncompilance with the service level agreement (SLA).

  ---

  Explanation

• Question 680:

  The MOST significant reason for using key performance indicators (KPIs) to track the progress of IT projects against initial targets is that they:

  A. influence management decisions to outsource IT projects
  B. identify which projects may require additional funding
  C. provide timely indication of when corrective actions need to be taken
  D. identify instances where increased stakeholder engagement is required
  D. identify instances where increased stakeholder engagement is required

  ---

  Explanation