Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 701:

  Which of the following is a project management technique for defining and deploying software deliverables within a relatively short and fixed period of time, and with predetermined specific resources?

  A. Functional Point analysis
  B. Gantt Chart
  C. Critical path methodology
  D. Time box management
  D. Time box management

  ---

  Explanation

  Time box management is a project management technique for defining and deploying software deliverables within a relatively short and fixed period of time, and with predetermined specific resources. There is a need to balance software

  quality and meet the delivery requirements within the time box or timeframe. The project manager has some degree of flexibility and uses discretion is scoping the requirement. Timebox management can be used to accomplish prototyping or

  RAPID application development type in which key feature are to be delivered in a short period of time.

  The following were incorrect answers:

  Critical path Method -The critical path method (CPM) is an algorithm for scheduling a set of project activities

  Gantt Chart -A Gantt chart is a type of bar chart, developed by Henry Gantt in the 1910s, that illustrates a project schedule. Gantt charts illustrate the start and finish dates of the terminal elements and summary elements of a project. Terminal

  elements and summary elements comprise the work breakdown structure of the project. Modern Gantt charts also show the dependency (i.e. precedence network) relationships between activities. Gantt charts can be used to show current

  schedule status using percent-complete shadings and a vertical "TODAY" line as shown here.

  Functional Point Analysis -Function Point Analysis (FPA) is an ISO recognized method to measure the functional size of an information system. The functional size reflects the amount of functionality that is relevant to and recognized by the

  user in the business. It is independent of the technology used to implement the system.

  CISA review manual 2014 Page number 154

• Question 702:

  Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?

  A. Policies and procedures for managing documents provided by department heads
  B. A system-generated list of staff and their project assignments. roles, and responsibilities
  C. Previous audit reports related to other departments' use of the same system
  D. Information provided by the audit team lead an the authentication systems used by the department
  B. A system-generated list of staff and their project assignments. roles, and responsibilities

  ---

  Explanation

  The answer B is correct because a system-generated list of staff and their project assignments, roles, and responsibilities is the most useful to an IS auditor performing a review of access controls for a document management system. A document management system is a software that helps organizations store, manage, and share documents electronically. Access controls are the mechanisms that restrict or allow access to the documents based on predefined criteria, such as user identity, role, or project. An IS auditor needs to verify that the access controls are properly configured and implemented to ensure the security, confidentiality, and integrity of the documents. A system-generated list of staff and their project assignments, roles, and responsibilities can help the IS auditor to perform the following tasks: Identify the users who have access to the document management system and their level of access (e.g., read-only, edit, delete, etc.). Compare the actual access rights of the users with their expected or authorized access rights based on their roles and responsibilities. Detect any anomalies, discrepancies, or violations in the access rights of the users, such as excessive or unauthorized access, segregation of duties conflicts, or dormant or inactive accounts. Evaluate the effectiveness and efficiency of the access control policies and procedures, such as user provisioning, deprovisioning, authentication, authorization, auditing, etc. The other options are not as useful as option

  B. Policies and procedures for managing documents provided by department heads (option A) are not reliable sources of information for an IS auditor because they may not reflect the actual practices or compliance status of the document management system. Previous audit reports related to other departments' use of the same system (option C) are not relevant for an IS auditor because they may not address the specific issues or risks associated with the current department's use of the document management system. Information provided by the audit team lead on the authentication systems used by the department (option D) is not sufficient for an IS auditor because authentication is only one aspect of access control and it does not provide information on the authorization or auditing of the document access.

  References: Overview of document management in SharePoint Setting Up a Document Control System: 6 Basic Steps Access Control Management: Purpose, Types, Tools, and Benefits 9 Best Document Management Systems of 2023

• Question 703:

  Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?

  A. Periodic vendor reviews
  B. Dual control
  C. Independent reconciliation
  D. Re-keying of monetary amounts
  E. Engage an external security incident response expert for incident handling.
  B. Dual control

  ---

  Explanation

  The best recommendation to prevent fraudulent electronic funds transfers by accounts payable employees is dual control. Dual control is a segregation of duties control that requires two or more individuals to perform or authorize a transaction or activity. Dual control can prevent fraudulent electronic funds transfers by requiring independent verification and approval of payment requests, amounts, and recipients by different accounts payable employees. The other options are not as effective as dual control in preventing fraudulent electronic funds transfers, as they do not involve independent checks or approvals. Periodic vendor reviews are detective controls that can help identify any irregularities or anomalies in vendor payments, but they do not prevent fraudulent electronic funds transfers from occurring. Independent reconciliation is a detective control that can help compare and confirm payment records with bank statements, but it does not prevent fraudulent electronic funds transfers from occurring. Re-keying of monetary amounts is an input control that can help detect any errors or discrepancies in payment amounts, but it does not prevent fraudulent electronic funds transfers from occurring.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

• Question 704:

  To create a digital signature in a message using asymmetric encryption, it is necessary to:

  A. first use a symmetric algorithm for the authentication sequence.
  B. encrypt the authentication sequence using a public key.
  C. transmit the actual digital signature in unencrypted clear text.
  D. encrypt the authentication sequence using a private key.
  D. encrypt the authentication sequence using a private key.

  ---

  Explanation

• Question 705:

  In the development of a new financial application, the IS auditor's FIRST involvement should be in the:

  A. control design.
  B. feasibility study.
  C. application design.
  D. system test.
  B. feasibility study.

  ---

  Explanation

  In the development of a new financial application, the IS auditor's first involvement should be in the feasibility study. A feasibility study is a preliminary analysis that evaluates the technical, operational, economic, and legal aspects of a proposed project or system. A feasibility study helps determine whether the project or system is viable, feasible, and desirable for the organization and its stakeholders. The IS auditor's role in the feasibility study is to provide an independent and objective assessment of the project or system's risks, benefits, costs, and impacts. The IS auditor should also ensure that the feasibility study follows a structured and systematic approach, considers all relevant factors and alternatives, and complies with the organization's policies and standards. The IS auditor should also verify that the feasibility study is documented and communicated to the appropriate decision-makers. The IS auditor's involvement in the feasibility study is important because it can help: Identify and mitigate potential risks and issues that could affect the project or system's success Evaluate and justify the project or system's alignment with the organization's strategy, goals, and value proposition Estimate and optimize the project or system's resources, budget, schedule, and quality Assess and enhance the project or system's security, reliability, performance, and usability Ensure that the project or system meets the expectations and requirements of the users and other stakeholders The other three options are not the first involvement of the IS auditor in the development of a new financial application, although they may be part of the subsequent stages of the development process. Control design is the process of defining and implementing controls that ensure the security, integrity, availability, and efficiency of the system. Application design is the process of specifying the functional and technical features of the system. System test is the process of verifying that the system meets the specifications and requirements. Therefore, feasibility study is the best answer.

  References: [Feasibility Study - ISACA] [IS Auditing Guideline G13 Performing an IS Audit Engagement - ISACA]

• Question 706:

  Which of the following should be reviewed FIRST when planning an IS audit?

  A. Recent financial information
  B. Annual business unit budget
  C. IS audit standards
  D. The business environment
  D. The business environment

  ---

  Explanation

• Question 707:

  Which of the following tests is MOST likely to detect an error in one subroutine resulting from a recent change in another subroutine?

  A. User acceptance testing (UAT)
  B. Black-box testing
  C. Regression testing
  D. Stress testing
  C. Regression testing

  ---

  Explanation

• Question 708:

  Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?

  A. Document the security view as part of the EA
  B. Consider stakeholder concerns when defining the EA
  C. Perform mandatory post-implementation reviews of IT implementations
  D. Conduct EA reviews as part of the change advisory board
  D. Conduct EA reviews as part of the change advisory board

  ---

  Explanation

  The best way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements is to conduct EA reviews as part of the change advisory board (CAB). A CAB is a committee that evaluates and authorizes changes to IT services, such as new IT implementations. By conducting EA reviews as part of the CAB process, the organization can ensure that the proposed changes are consistent with the EA vision, goals, standards, and guidelines. This can help avoid potential conflicts, risks, or inefficiencies that may arise from misaligned IT implementations. Additionally, EA reviews can help identify opportunities for improvement, optimization, or innovation in the IT services. The other options are not the best ways to help ensure new IT implementations align with EA principles and requirements. Documenting the security view as part of the EA is important, but it does not guarantee that new IT implementations will follow the security requirements or best practices. Considering stakeholder concerns when defining the EA is also essential, but it does not ensure that new IT implementations will meet the stakeholder expectations or needs. Performing mandatory post-implementation reviews of IT implementations is a good practice, but it does not prevent potential issues or problems that may arise from misaligned IT implementations.

  References:

  5: Change Advisory Board Best Practices: 15+ Industry Leaders Weigh In

  6: What Does the Change Advisory Board (CAB) Do?

  7: How do I set up an effective change advisory board? - ServiceNow

  8: ITIL Change Management - The Role of the Change Advisory Board

• Question 709:

  The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

  A. Technology risk
  B. Detection risk
  C. Control risk
  D. Inherent risk
  B. Detection risk

  ---

  Explanation

  The primary reason for an IS auditor to use data analytics techniques is to reduce detection risk. Detection risk is the risk that an IS auditor will fail to detect material errors or irregularities in the information systems environment. By using data analytics techniques, such as data extraction, analysis, visualization, and reporting, an IS auditor can enhance the audit scope, coverage, efficiency, and effectiveness. Data analytics techniques can help an IS auditor to identify anomalies, patterns, trends, correlations, and outliers in large volumes of data that may indicate potential issues or risks. Technology risk, control risk, and inherent risk are types of audit risk that are not directly affected by the use of data analytics techniques by an IS auditor.

  References: [ISACA Journal Article: Data Analytics for Auditors]

• Question 710:

  An IS department is evaluated monthly on its cost-revenue ratio user satisfaction rate, and computer downtime This is BEST zed as an application of.

  A. risk framework
  B. balanced scorecard
  C. value chain analysis
  D. control self-assessment (CSA)
  B. balanced scorecard

  ---

  Explanation

  A balanced scorecard is a framework that translates the IT strategy into measurable objectives, indicators, targets, and initiatives across four perspectives:

  financial, customer, internal process, and learning and growth. A balanced scorecard helps to monitor and evaluate how well the IT function is delivering value to the organization, achieving its strategic goals, and improving its capabilities and

  competencies. The other options are not the primary uses of a balanced scorecard, because they either focus on specific aspects of IT rather than the overall performance, or they are not directly related to the IT strategy.