Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 741:

  An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology. What is the MOST important criterion for the makeup of this committee?

  A. Senior management representation
  B. Ability to meet the time commitment required
  C. Agile project management experience
  D. ERP implementation experience
  C. Agile project management experience

  ---

  Explanation

• Question 742:

  Which type of security testing is MOST efficient for finding hidden errors in software and facilitating source code optimization?

  A. User acceptance testing (UAT)
  B. Black box testing
  C. White box testing
  D. Penetration testing
  C. White box testing

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  White box testingis the most effective foridentifying hidden errorsand optimizingsource code quality.

  Option A (Incorrect):UAT focuses on functionalityfrom anend-user perspective, not source code errors.

  Option B (Incorrect):Black box testingexamines software behaviorwithout reviewing code, making it less effective for code-level optimization. Option C (Correct):White box testing(also known asclear box or structural testing)analyzes source

  codefor vulnerabilities, logic errors, and optimization opportunities.

  Option D (Incorrect):Penetration testingidentifiessecurity weaknesses, but it does notfocus on code efficiency.

  ISACA CISA Review Manual -Domain 3: Information Systems Acquisition, Development, and Implementation?Coverssoftware testing methodologies and secure coding practices.

• Question 743:

  Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?

  A. Using a continuous auditing module
  B. Interviewing business management
  C. Confirming accounts
  D. Reviewing program documentation
  A. Using a continuous auditing module

  ---

  Explanation

  Using a continuous auditing module is an audit procedure that would provide the best assurance that an application program is functioning as designed. A continuous auditing module is a software tool that performs automated and continuous testing and monitoring of an application program's inputs, outputs, processes, and controls. A continuous auditing module can help to verify the accuracy, completeness, validity, reliability, and timeliness of the application program's data and transactions. A continuous auditing module can also help to identify and report any errors, anomalies, deviations, or exceptions in the application program's performance or compliance. The other options are not as effective or relevant as using a continuous auditing module for providing assurance that an application program is functioning as designed. Interviewing business management is a technique for obtaining information and opinions from the users or owners of the application program, but it does not directly test or verify the functionality or quality of the application program. Confirming accounts is a technique for verifying the existence and accuracy of account balances or transactions, but it does not necessarily reflect the design or operation of the application program. Reviewing program documentation is a technique for examining the specifications, requirements, and procedures of the application program, but it does not provide evidence of the actual implementation or execution of the application program.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 2361 Continuous audit and monitoring - PwC2

• Question 744:

  Which of the following is the MOST important security consideration when using infrastructure as a Service (IaaS)?

  A. User access management
  B. Compliance with internal standards
  C. Segmentation among guests
  D. Backup and recovery strategy
  A. User access management

  ---

  Explanation

• Question 745:

  Which of the following is the BEST indication of the completeness of interface control documents used for the development of a new application?

  A. All documents have been reviewed by end users.
  B. All inputs and outputs for potential actions are included.
  C. Both successful and failed interface data transfers are recorded.
  D. Failed interface data transfers prevent subsequent processes.
  B. All inputs and outputs for potential actions are included.

  ---

  Explanation

• Question 746:

  During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

  A. Key performance indicators (KPIs)
  B. Maximum allowable downtime (MAD)
  C. Recovery point objective (RPO)
  D. Mean time to restore (MTTR)
  B. Maximum allowable downtime (MAD)

  ---

  Explanation

  The primary factor to determine system criticality within an organization is the maximum allowable downtime (MAD). MAD is the maximum time frame during which recovery must become effective before an outage compromises the ability of an organization to achieve its business objectives and/or survival. MAD reflects the business impact of a system outage on the organization's operations, reputation, compliance, and finances. MAD can help to prioritize system recovery efforts, allocate resources, and establish recovery objectives.

• Question 747:

  During which phase of the incident management life cycle should metrics such as "mean time to incident discovery" and "cost of recovery" be reported?

  A. Containment, analysis, tracking, and recovery
  B. Post-incident assessment
  C. Planning and preparation
  D. Detection, triage, and investigation
  B. Post-incident assessment

  ---

  Explanation

• Question 748:

  During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?

  A. Notify the chair of the audit committee.
  B. Notify the audit manager.
  C. Retest the control.
  D. Close the audit finding.
  B. Notify the audit manager.

  ---

  Explanation

  The auditor's best course of action in this situation is to notify the audit manager. The audit manager is responsible for overseeing the audit follow-up process and ensuring that audit issues are resolved in a timely and satisfactory manner. The audit manager can then decide whether to escalate the matter to higher authorities, such as the chair of the audit committee, or to accept management's decision and close the audit finding. The other options are not appropriate for the auditor to do without consulting with the audit manager first. Notifying the chair of the audit committee is a drastic step that may undermine the relationship between the auditor and management, and it should be done only after exhausting other means of resolving the issue. Retesting the control is not necessary, as management has already decided not to implement the recommendations. Closing the audit finding is premature, as management's decision may not be aligned with the audit objectives or risk appetite.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

• Question 749:

  An IS auditor has been asked to review the quality of data in a general ledger system. Which of the following would provide the auditor with the MOST meaningful results?

  A. Discussion of the largest account values with business owners
  B. Integrity checks against source documentation
  C. System vulnerability assessment
  D. Interviews with system owners and operators
  B. Integrity checks against source documentation

  ---

  Explanation

• Question 750:

  Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

  A. The job scheduler application has not been designed to display pop-up error messages.
  B. Access to the job scheduler application has not been restricted to a maximum of two staff members
  C. Operations shift turnover logs are not utilized to coordinate and control the processing environment
  D. Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor
  D. Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

  ---

  Explanation

  Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor. This is a serious control weakness that could compromise the integrity, availability, and security of the IT operations. An IS auditor should be concerned about the lack of oversight and accountability for such changes, which could result in unauthorized, erroneous, or malicious modifications that affect the processing environment. The other options are less critical issues that may not have a significant impact on the IT operations.