Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 791:

  Which of the following would be the GREATEST concern for an IS auditor conducting a pre-implementation review of a data loss prevention (DLP> tool?

  A. The tool is implemented in monitor mode rather than block mode.
  B. Crawlers are used to discover sensitive data.
  C. Deep packet inspection opens data packets in transit.
  D. Encryption keys are not centrally managed.
  A. The tool is implemented in monitor mode rather than block mode.

  ---

  Explanation

  A data loss prevention (DLP) tool implemented in monitor mode only observes and logs potential data leakage but does not actively prevent it. This leaves the organization vulnerable to data breaches, making it the most critical concern in a pre-implementation review. Crawlers for Sensitive Data (Option B):While crawlers may pose a performance impact, they are essential for discovering sensitive data. Deep Packet Inspection (Option C):Though it introduces privacy considerations, it is a standard DLP functionality for inspecting data in transit. Encryption Key Management (Option D):While important for security, improper management does not immediately prevent DLP functionality.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

• Question 792:

  During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?

  A. System administrators should ensure consistency of assigned rights.
  B. IT security should regularly revoke excessive system rights.
  C. Human resources (HR) should delete access rights of terminated employees.
  D. Line management should regularly review and request modification of access rights
  D. Line management should regularly review and request modification of access rights

  ---

  Explanation

  The best recommendation for the auditor to make is

  D. Line management should regularly review and request modification of access rights. Access rights are the permissions and privileges granted to users to access, view, modify, or delete data or resources on a system or network1. Excessive rights are access rights that are not necessary or appropriate for a user's role or function, and may pose a risk of unauthorized or inappropriate use of data or resources2. Therefore, it is important to ensure that access rights are aligned with the principle of least privilege, which means that users should only have the minimum level of access required to perform their duties2. Line management is responsible for overseeing and supervising the activities and performance of their staff, and ensuring that they comply with the organization's policies and standards3. Therefore, line management should regularly review and request modification of access rights for their staff, as they are in the best position to: Understand the roles and functions of their staff, and determine the appropriate level of access rights needed for them to perform their duties effectively and efficiently. Monitor and evaluate the usage and behavior of their staff, and identify any changes or anomalies that may indicate excessive or inappropriate access rights. Communicate and collaborate with IT security or system administrators, who are responsible for granting, revoking, or modifying access rights, and request any necessary adjustments or corrections.

• Question 793:

  Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?

  A. Performing independent reviews of responsible parties engaged in the project
  B. Shortlisting vendors to perform renovations
  C. Ensuring the project progresses as scheduled and milestones are achieved
  D. Implementing data center operational controls
  A. Performing independent reviews of responsible parties engaged in the project

  ---

  Explanation

  IS auditors primarily provide assurance and oversight. In this context, independent reviews ensure that those responsible for the renovation project are meeting their obligations, following best practices, and managing risks appropriately.

  References:

  ISACA's Code of Professional Ethics: Emphasizes the IS Auditor's duty to be independent and objective.

  The Role of IS Audit: IS Auditors are not project managers but provide objective assessment and guidance regarding controls and risk mitigation within projects. CISA Review Manual (27th Edition): May have sections discussing the role of IS

  auditors in infrastructure projects or similar initiatives.

• Question 794:

  Which of the following is the process of feeding test data into two systems ?the modified system and alternative system and comparing the result?

  A. Parallel Test
  B. Black box testing
  C. Regression Testing
  D. Pilot Testing
  A. Parallel Test

  ---

  Explanation

  Parallel testing is the process of feeding test data into two systems ?the modified system and an alternative system and comparing the result.

  For CISA exam you should know below mentioned types of testing

  Alpha and Beta Testing ?An alpha version is early version is an early version of the application system submitted to the internal user for testing. The alpha version may not contain all the features planned for the final version. Typically,

  software goes to two stages testing before it consider finished. The first stage is called alpha testing is often performed only by the user within the organization developing the software. The second stage is called beta testing, a form of user acceptance testing, generally involves a limited number of external users. Beta testing is the last stage of testing, and normally involves real world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested user. Pilot Testing ?A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests ?usually over interim platform and with only basic functionalities.

  White box testing ?Assess the effectiveness of a software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's specific logic path. However, testing all possible logical path in large

  information system is not feasible and would be cost prohibitive, and therefore is used on selective basis only.

  Black Box Testing ?An integrity based form of testing associated with testing components of an information system's "functional" operating effectiveness without regards to any specific internal program structure. Applicable to integration and

  user acceptance testing.

  Function/validation testing ?It is similar to system testing but it is often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.

  Regression Testing ?The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data.

  Parallel Testing ?This is the process of feeding test data into two systems ?the modified system and an alternative system and comparing the result.

  Sociability Testing ?The purpose of these tests is to confirm that new or modified system can operate in its target environment without adversely impacting existing system. This should cover not only platform that will perform primary

  application processing and interface with other system but, in a client server and web development, changes to the desktop environment. Multiple application may run on the user's desktop, potentially simultaneously, so it is important to test

  the impact of installing new dynamic link libraries (DLLs ) , making operating system registry or configuration file modification, and possibly extra memory utilization.

  The following were incorrect answers:

  Regression Testing ?The process of returning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data.

  Black Box Testing ?An integrity based form of testing associated with testing components of an information system's "functional" operating effectiveness without regards to any specific internal program structure. Applicable to integration and

  user acceptance testing.

  Pilot Testing ?A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests ?usually

  over interim platform and with only basic functionalities

  CISA review manual 2014 Page number 167

• Question 795:

  Which procedure provides the GREATEST assurance that corrective action to an audit report has been taken?

  A. Performing subsequent audit tests to verify resolution of the deficiencies
  B. Inquiring about the current status of the recommendation
  C. Reporting to the audit committee or the board of directors concerning specific action taken or lack thereof
  D. Requesting a written management reply to the audit report, identifying corrective action for each deficiency
  A. Performing subsequent audit tests to verify resolution of the deficiencies

  ---

  Explanation

• Question 796:

  Which of the following layer of an enterprise data flow architecture is responsible for data copying, transformation in Data Warehouse (DW) format and quality control?

  A. Data Staging and quality layer
  B. Desktop Access Layer
  C. Data Mart layer
  D. Data access layer
  A. Data Staging and quality layer

  ---

  Explanation

  Data Staging and quality layer ?This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

  periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

  For CISA exam you should know below information about business intelligence:

  Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a

  data architecture. The complete data architecture consists of two components

  The enterprise data flow architecture (EDFA)

  A logical data architecture

  Various layers/components of this data flow architecture are as follows:

  Presentation/desktop access layer ?This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas

  and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Source Layer ?Enterprise information derives from number of sources:

  Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data ?Data provided to an organization by external sources. This could include data

  such as customer demographic and market share information.

  Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

  Core data warehouse ?This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support

  three basic form of an inquiry.

  Drilling up and drilling down ?Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.

  Drill across ?Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical

  Analysis ?The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start

  of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers.

  Data Mart Layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data Staging and quality layer ?This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

  periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

  Data Access Layer ?This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  Data Preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

  Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs

  to be very high to not corrupt the result.

  Metadata repository layer ?Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be

  comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules.

  Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.

  Application messaging layer ?This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

  Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

  Various analysis models used by data architects/ analysis follows:

  Activity or swim-lane diagram ?De-construct business processes.

  Entity relationship diagram ?Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

  The following were incorrect answers:

  Desktop access layer or presentation layer is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as

  Congas and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Mart layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data access layer ?his layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  CISA review manual 2014 Page number 188

• Question 797:

  The practice of periodic secure code reviews is which type of control?

  A. Preventive
  B. Compensating
  C. Corrective
  D. Detective
  A. Preventive

  ---

  Explanation

• Question 798:

  Which of the following is the PRIMARY benefit of using a capability maturity model?

  A. It provides detailed changes management strategies for performance improvement.
  B. It helps the organization estimate how long it will lake to reach the highest level of maturity in each area
  C. It provides a way to compare against similar organizations' maturity levels
  D. It helps the organization develop a roadmap toward its desired level of n each area
  D. It helps the organization develop a roadmap toward its desired level of n each area

  ---

  Explanation

• Question 799:

  Which of the following would be the GREATEST concern to an IS auditor reviewing an IT outsourcing arrangement?

  A. Several IT personnel perform the same functions as the vendor.
  B. The contract does not include a renewal option.
  C. Development of KPIs that will be used was assigned to the vendor.
  D. Some penalties were waived during contract negotiations.
  A. Several IT personnel perform the same functions as the vendor.

  ---

  Explanation

• Question 800:

  During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report. Which of the following is the auditor's BEST course of action?

  A. Request that the IT manager be removed from the remaining meetings and future audits.
  B. Modify the finding to include the IT manager's comments and inform the audit manager of the changes.
  C. Remove the finding from the report and continue presenting the remaining findings.
  D. Provide the evidence which supports the finding and keep the finding in the report.
  D. Provide the evidence which supports the finding and keep the finding in the report.

  ---

  Explanation