Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 771:

  An IS auditor is performing a post-implementation review of a system deployed two years ago. Which of the following findings should be of MOST concern to the auditor?

  A. Maintenance costs were not included in the project lifecycle costs.
  B. Benefits as stated in the business case have not been realized.
  C. Workarounds due to remaining defects had to be used longer than anticipated.
  D. The system has undergone several change requests to further extend functionality.
  B. Benefits as stated in the business case have not been realized.

  ---

  Explanation

• Question 772:

  An IS auditor should aware of various analysis models used by data architecture. Which of the following analysis model depict data entities and how they relate?

  A. Context Diagrams
  B. Activity Diagrams
  C. Swim-lane diagrams
  D. Entity relationship diagrams
  D. Entity relationship diagrams

  ---

  Explanation

  Entity relationship diagram ?Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is

  involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

  For CISA exam you should know below information about business intelligence:

  Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a

  data architecture. The complete data architecture consists of two components

  The enterprise data flow architecture (EDFA)

  A logical data architecture

  Various layers/components of this data flow architecture are as follows:

  Presentation/desktop access layer ?This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas

  and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Source Layer ?Enterprise information derives from number of sources:

  Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data ?Data provided to an organization by external sources. This could include data

  such as customer demographic and market share information.

  Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

  Core data warehouse ?This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support

  three basic form of an inquiry.

  Drilling up and drilling down ?Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.

  Drill across ?Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical

  Analysis ?The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start

  of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers.

  Data Mart Layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data Staging and quality layer ?This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

  periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

  Data Access Layer ?This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  Data Preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

  Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs

  to be very high to not corrupt the result.

  Metadata repository layer ?Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be

  comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules. Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to

  build and maintain the DW and populate data marts. This layer is also involved in administration of security.

  Application messaging layer ?This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

  Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

  Various analysis models used by data architects/ analysis follows:

  Context diagram ?Outline the major processes of an organization and the external parties with which business interacts.

  Activity or swim-lane diagram ?De-construct business processes.

  Entity relationship diagram ?Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is

  involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

  The following were incorrect answers:

  Context diagram ?Outline the major processes of an organization and the external parties with which business interacts.

  Activity or swim-lane diagram ?De-construct business processes.

  CISA review manual 2014 Page number 188

• Question 773:

  During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. Which of the following is the BEST course of action in this situation?

  A. Outsource low-risk audits to external audit service providers.
  B. Conduct limited-scope audits of low-risk business entities.
  C. Validate the low-risk entity ratings and apply professional judgment.
  D. Challenge the risk rating and include the low-risk entities in the plan.
  C. Validate the low-risk entity ratings and apply professional judgment.

  ---

  Explanation

  Audit planning is the process of developing an overall strategy and approach for conducting an audit. Audit planning involves identifying the objectives, scope, criteria, and methodology of the audit, as well as the resources, schedule, and reporting requirements. Audit planning also involves performing a risk assessment to identify and prioritize the areas of highest risk and significance for the audit1. Risk assessment is a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking. Risk assessment involves identifying the sources and causes of risk, analyzing the likelihood and impact of risk, and determining the level of risk and the appropriate response. During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. The best course of action in this situation is

  C. Validate the low-risk entity ratings and apply professional judgment. This is because validating the low-risk entity ratings can help to ensure that the risk assessment is accurate, reliable, and consistent with the business objectives and expectations. Validating the low-risk entity ratings can also help to identify any changes or developments that may affect the risk profile of the entities since the last assessment. Applying professional judgment can help to determine whether the low-risk entities should be included or excluded from the audit plan, based on factors such as materiality, relevance, significance, and assurance needs.

• Question 774:

  An IS auditor considering the risks associated with spooling sensitive reports for off-line printing will be the MOST concerned that:

  A. data can easily be read by operators
  B. data can more easily be amended by unauthorized persons
  C. unauthorized copies of reports can be printed
  D. output will be lost if the system should fail
  C. unauthorized copies of reports can be printed

  ---

  Explanation

• Question 775:

  Which of the following findings would be of GREATEST concern when reviewing project risk management practices?

  A. There are no formal milestone sign-offs.
  B. Qualitative risk analyses have not been updated.
  C. Ongoing issues are not formally tracked.
  D. Project management software is not being used.
  C. Ongoing issues are not formally tracked.

  ---

  Explanation

• Question 776:

  In a situation where the recovery point objective (RPO) is 0 for an online transaction processing system, which of the following is MOST important for an IS auditor to verify?

  A. The application has a clustered architecture to ensure high availability
  B. Synchronous data mirroring is implemented between the data centers
  C. IT is able to recover system functionality in the shortest possible time frame
  D. Daily backups are created and backup media are verified
  B. Synchronous data mirroring is implemented between the data centers

  ---

  Explanation

• Question 777:

  An organization transmits large amount of data from one internal system to another. The IS auditor is reviewing quality of the data at the originating point. Which of the following should the auditor verify first?

  A. The data has been encrypted
  B. The data extraction process is completed
  C. The data transformation is accurate
  D. The source data is accurate
  D. The source data is accurate

  ---

  Explanation

• Question 778:

  Which of the following will invalidate the authenticity of digital evidence in a forensic investigation?

  A. The investigator installed forensic software on the original drive that contained the evidence.
  B. A software write blocker was used in the collection of the evidence.
  C. The investigator collected the evidence while the machine was still powered on.
  D. The evidence was collected from analysis of a copy of the disk data.
  A. The investigator installed forensic software on the original drive that contained the evidence.

  ---

  Explanation

  Explanation

• Question 779:

  An organization offers an e-commerce platform that allows consumer-to-consumer transactions. The platform now uses blockchain technology to ensure the parties are unable to deny the transactions. Which of the following attributes BEST describes the risk element that this technology is addressing?

  A. Integrity
  B. Nonrepudiation
  C. Confidentiality
  D. Availability
  B. Nonrepudiation

  ---

  Explanation

• Question 780:

  A web proxy server for corporate connections to external resources reduces organizational risk by:

  A. anonymizing users through changed IP addresses.
  B. providing multi-factor authentication for additional security.
  C. providing faster response than direct access.
  D. load balancing traffic to optimize data pathways.
  A. anonymizing users through changed IP addresses.

  ---

  Explanation

  A web proxy server for corporate connections to external resources reduces organizational risk by anonymizing users through changed IP addresses. A web proxy server is an intermediary between the web and client devices, that can provide proxy services to a client or a group of clients1. One of the main benefits of using a web proxy server is that it allows users to change their IP address and location, circumventing geoblocking and hiding their identity from the target website2. Anonymizing internal IP addresses is important for online security, as it helps protect the organization from several threats. If an attacker controls a server that employees connect to, the outgoing IP address of the organization's router is logged on the server. This IP address can be used by the attacker to launch a denial-of-service (DoS) attack or to create more targeted attacks such as phishing2. With a web proxy server, the IP shown in web logs is the web proxy's, which means an attacker would not have access to the organization's router outgoing IP address. Anonymizing outgoing IP addresses is also important when carrying out sensitive actions online, such as law enforcement investigations or competitive intelligence. A web proxy server can help users avoid exposing their internal IP address that leads back to their organization, and instead use a third-party web proxy that provides more anonymity2. The other options are not directly related to reducing organizational risk by using a web proxy server. Providing multi-factor authentication for additional security (option B) is a benefit of some web proxy servers, but it is not the main purpose of using a web proxy server3. Providing faster response than direct access (option C) is a benefit of some web proxy servers that cache content for better data transfer speeds and less bandwidth usage, but it is not directly related to reducing organizational risk1. Load balancing traffic to optimize data pathways (option D) is a benefit of some web proxy servers that distribute traffic across multiple servers, but it is not directly related to reducing organizational risk4.

  References: 1: Proxy servers and tunneling 2: Multi-factor authentication: How to enable 2FA and boost your security 3: What Is Multi-factor Authentication (MFA) Security? 4: How it works: Microsoft Entra multifactor authentication