Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 831:

  Which of the following are used in a firewall to protect the entity's internal resources?

  A. Remote access servers
  B. Secure Sockets Layers (SSLs)
  C. Internet Protocol (IP) address restrictions
  D. Failover services
  C. Internet Protocol (IP) address restrictions

  ---

  Explanation

  Internet Protocol (IP) address restrictions are used in a firewall to protect the entity's internal resources by allowing or denying access to specific IP addresses or ranges of IP addresses based on predefined rules. Remote access servers, Secure Sockets Layers (SSLs), and failover services are not directly related to firewall protection, but rather to other aspects of network security, such as authentication, encryption, and availability.

  References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.2: Network Security Devices and Technologies

• Question 832:

  Which of the following must be in place before an IS auditor initiates audit follow-up activities?

  A. Available resources for the activities included in the action plan
  B. A management response in the final report with a committed implementation date
  C. A heal map with the gaps and recommendations displayed in terms of risk
  D. Supporting evidence for the gaps and recommendations mentioned in the audit report
  B. A management response in the final report with a committed implementation date

  ---

  Explanation

  This must be in place before an IS auditor initiates audit follow-up activities, because it indicates that management has acknowledged and accepted the audit findings and recommendations, and has agreed to take corrective actions within a specified timeframe. Audit follow-up activities are the processes and procedures that the IS auditor performs to verify that management has implemented the agreed-upon actions effectively and in a timely manner, and that the audit findings have been resolved or mitigated. The other options are not required to be in place before an IS auditor initiates audit follow- up activities: Available resources for the activities included in the action plan. This is a factor that may affect the feasibility and success of the action plan, but it is not a prerequisite for the audit follow-up activities. The IS auditor should assess the availability and adequacy of the resources for the action plan during the audit planning and execution phases, and provide recommendations accordingly. However, the IS auditor does not need to wait for the resources to be available before initiating the audit follow-up activities. A heat map with the gaps and recommendations displayed in terms of risk. This is a tool that may help the IS auditor prioritize and communicate the gaps and recommendations, but it is not a requirement for the audit follow-up activities. A heat map is a graphical representation of data that uses colors to indicate the level of risk or impact of each gap or recommendation. The IS auditor may use a heat map to support the audit report or presentation, but it does not replace the need for a management response with a committed implementation date. Supporting evidence for the gaps and recommendations mentioned in the audit report. This is a component that should be included in the audit report, but it is not a condition for the audit follow-up activities. Supporting evidence is the information or data that supports or substantiates the audit findings and recommendations. The IS auditor should collect and document sufficient, reliable, relevant, and useful evidence during the audit execution phase, and present it in the audit report. However, the IS auditor does not need to have supporting evidence in place before initiating the audit follow-up activities.

• Question 833:

  Which of the following approaches BEST enables an IS auditor to detect security vulnerabilities within an application?

  A. Threat modeling
  B. Concept mapping
  C. Prototyping
  D. Threat intelligence
  A. Threat modeling

  ---

  Explanation

  Threat modeling is an approach that enables IS auditors to identify, analyze, and mitigate potential security vulnerabilities within an application by understanding the threats, attacks, vulnerabilities, and countermeasures. This proactive

  technique helps in designing secure applications.

  References:

  ISACA CISA Review Manual 27th Edition, Page 276-277 (Threat Modeling)

• Question 834:

  Which of the following BEST reflects a mature strategic planning process?

  A. Action plans with IT requirements built into all projects
  B. An IT strategic plan with specifications of controls and safeguards
  C. An IT strategic plan that supports the corporate strategy
  D. IT projects from the strategic plan are approved by management
  C. An IT strategic plan that supports the corporate strategy

  ---

  Explanation

• Question 835:

  Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

  A. Ensure sufficient audit resources are allocated,
  B. Communicate audit results organization-wide.
  C. Ensure ownership is assigned.
  D. Test corrective actions upon completion.
  C. Ensure ownership is assigned.

  ---

  Explanation

  The most effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented is to ensure ownership is assigned. This means that the management of the audited area should accept responsibility for implementing the action plans and report on their progress and completion to the audit committee or senior management. This will ensure accountability, commitment, and follow- up for the audit recommendations34.

  References: 3: CISA Review Manual (Digital Version), Chapter 1: The Process of Auditing Information Systems, Section 1.6: Reporting, page 41 4: CISA Online Review Course, Module 1: The Process of Auditing Information Systems, Lesson 1.6: Reporting

• Question 836:

  Management has learned the implementation of a new IT system will not be completed on time and has requested an audit. Which of the following audit findings should be of GREATEST concern?

  A. The actual start times of some activities were later than originally scheduled.
  B. Tasks defined on the critical path do not have resources allocated.
  C. The project manager lacks formal certification.
  D. Milestones have not been defined for all project products.
  B. Tasks defined on the critical path do not have resources allocated.

  ---

  Explanation

  The audit finding that should be of greatest concern is that tasks defined on the critical path do not have resources allocated, as this means that the project is likely to face significant delays and cost overruns, since the critical path is the sequence of activities that determines the minimum time required to complete the project. The actual start times of some activities being later than originally scheduled may indicate some minor deviations from the project plan, but they may not necessarily affect the overall project completion time if they are not on the critical path. The project manager lacking formal certification may affect the quality and efficiency of the project management process, but it does not necessarily imply that the project manager is incompetent or unqualified. Milestones have been defined for all project products, but they may not be realistic or achievable if they do not take into account the resource constraints and dependencies of the critical path tasks.

  References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.3: IT Project Management

• Question 837:

  A job is scheduled to transfer data from a transactional system database to a data lake for reporting purposes. Which of the following would be of GREATEST concern to an IS auditor?

  A. The inventory of scheduled jobs is not periodically reviewed
  B. Automated support ticket creation has not been implemented for job failures and errors
  C. Access to scheduling changes is restricted to job operators
  D. Notification alerts are configured to be sent to a support distribution group
  A. The inventory of scheduled jobs is not periodically reviewed

  ---

  Explanation

  Periodic review of scheduled jobs is crucial to prevent unauthorized or outdated jobs from running, which could lead to security risks, data inconsistencies, or compliance issues.If the inventory of scheduled jobs is not reviewed periodically

  (A), it could result in jobs running with incorrect parameters, unauthorized transfers, or failure to decommission obsolete processes.

  Other options:

  Automated support ticket creation (B)is beneficial but is not as critical as ensuring the overall accuracy and security of job execution. Restricting access to scheduling changes (C)is a security control, but its absence is not the most pressing

  concern compared to unreviewed jobs. Notification alerts to a support group (D)is a good practice but does not replace the need for a formal review process.

  ISACA CISA Review Manual, Information Systems Operations and Business Resilience

• Question 838:

  An IS auditor has learned that access privileges are not periodically reviewed or updated. Which of the following would provide the BEST evidence to determine whether transactions have been executed by authorized employees?

  A. Audit trails
  B. Control totals
  C. Reconciliations
  D. Change logs
  A. Audit trails

  ---

  Explanation

  The best evidence to determine whether transactions have been executed by authorized employees is audit trails. Audit trails are secure records that catalog events or procedures to provide support documentation. They are used to

  authenticate security and operational actions, mitigate challenges, or provide proof of compliance and operational integrity2. Audit trails can track and trace the following information related to transactions:

  Who initiated, approved, modified, or deleted a transaction When a transaction occurred (date and time)

  Where a transaction took place (location or device) What type of transaction was performed (action or operation) Why a transaction was executed (purpose or reason) By analyzing audit trails, an IS auditor can verify whether transactions

  have been executed by authorized employees or not. Audit trails can also identify any unauthorized, fraudulent, or erroneous transactions that may have occurred. Audit trails can also help to resolve any disputes or discrepancies that may

  arise from transactions.

  References:

  What Is an Audit Trail? Everything You Need to Know

• Question 839:

  Which of the following should be used as the PRIMARY basis for prioritizing IT projects and initiatives?

  A. Estimated cost and time
  B. Level of risk reduction
  C. Expected business value
  D. Available resources
  C. Expected business value

  ---

  Explanation

• Question 840:

  An organization's information security policies should be developed PRIMARILY on the basis of:

  A. enterprise architecture (EA).
  B. industry best practices.
  C. a risk management process.
  D. past information security incidents.
  C. a risk management process.

  ---

  Explanation