Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 841:

  Which of the following would be MOST useful for determining whether the goals of IT are aligned with the organization's goals?

  A. Balanced scorecard
  B. Enterprise architecture
  C. Key performance indicators
  D. Enterprise dashboard
  A. Balanced scorecard

  ---

  Explanation

• Question 842:

  Data is being transferred from an application database to a data warehouse. Some fields were not picked up in the extraction process and therefore were not transferred to the data warehouse. Which of the following is the GREATEST risk associated with this situation?

  A. Management reporting could be delayed.
  B. Transaction errors may occur within the application.
  C. Management decisions may be based on incomplete data.
  D. Data that was transferred to the warehouse may not be accurate.
  C. Management decisions may be based on incomplete data.

  ---

  Explanation

  Explanation

• Question 843:

  Which of the following should be of GREATEST concern to an IS auditor conducting an audit of incident response procedures?

  A. End users have not completed security awareness training.
  B. Senior management is not involved in the incident response process.
  C. There is no procedure in place to learn from previous security incidents.
  D. Critical incident response events are not recorded in a centralized repository.
  B. Senior management is not involved in the incident response process.

  ---

  Explanation

• Question 844:

  A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger. and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?

  A. unit testing
  B. Network performance
  C. User acceptance testing (UAT)
  D. Regression testing
  D. Regression testing

  ---

  Explanation

  The primary focus of the IS auditor reviewing the first year of the project should be regression testing. Regression testing is a type of testing that ensures that the existing functionality of the system is not affected by the changes or upgrades made to the system. Since the project involves upgrading the ERP system hosting the general ledger, which is a critical and complex component of the finance department, it is important to verify that the upgrade does not introduce any errors or defects that could compromise the accuracy, completeness, and reliability of the financial data and reports. Regression testing can help identify and resolve any issues before they affect the users and the business processes. Unit testing, network performance, and user acceptance testing (UAT) are also important aspects of the project, but they are not the primary focus of the IS auditor in the first year. Unit testing is a type of testing that verifies that each individual module or component of the system works as expected. Network performance is a measure of how well the system can communicate and exchange data with other systems and devices over a network. User acceptance testing (UAT) is a type of testing that validates that the system meets the user requirements and expectations. These aspects are more relevant in later stages of the project, when the system is more developed and ready for deployment.

  References: ERP Upgrade: The Path to Modernization | SAP ERP System Validation: Your Guide To Successfully Validating ERP Systems The role of internal auditors in ERPbased organizations What is Regression Testing? Definition, Tools and Examples What is Unit Testing? Definition, Tools and Examples What is Network Performance? Definition, Metrics and Examples What is User Acceptance Testing (UAT)? Definition, Process and Examples

• Question 845:

  Which of the following is the PRIMARY objective of cyber resiliency?

  A. To resume normal operations after service disruptions
  B. To prevent potential attacks or disruptions in operations
  C. To efficiently and effectively recover from an incident with limited operational impact
  D. To limit the severity of security breaches and maintain continuous operations
  D. To limit the severity of security breaches and maintain continuous operations

  ---

  Explanation

• Question 846:

  Which of the following would be the GREATEST concern during a financial statement audit?

  A. A backup has not been identified for key approvers.
  B. System capacity has not been tested.
  C. The procedures for generating key reports have not been approved.
  D. The financial management system is cloud based.
  C. The procedures for generating key reports have not been approved.

  ---

  Explanation

• Question 847:

  An IS auditor reviews change control tickets and finds an emergency change request where an IT manager approved the change modified the code on the production platform, and resolved the ticket. Which of the following should be the auditor's GREATEST concern?

  A. There was no follow-up approval from the business.
  B. The change was made less than an hour after the request.
  C. There was no testing prior to making the change in production.
  D. The IT manager performed the change and resolved the ticket.
  D. The IT manager performed the change and resolved the ticket.

  ---

  Explanation

• Question 848:

  When reviewing capacity monitoring, an IS auditor notices several incidents where storage capacity limits were reached, while the average utilization was below 30%. Which of the following would the IS auditor MOST likely identify as the root cause?

  A. The IT response to the alerts was too slow.
  B. The amount of data produced was unacceptable for operations.
  C. The storage space should have been enlarged in time.
  D. The dynamics of the utilization were not properly taken into account.
  D. The dynamics of the utilization were not properly taken into account.

  ---

  Explanation

• Question 849:

  Which of the following is the BEST compensating control against segregation of duties conflicts in new code development?

  A. Adding the developers to the change approval board
  B. A small number of people have access to deploy code
  C. Post-implementation change review
  D. Creation of staging environments
  C. Post-implementation change review

  ---

  Explanation

  A post-implementation change review is the best compensating control against segregation of duties conflicts in new code development. This process involves a thorough review of the changes after they have been implemented to ensure that they meet their objectives and that the stakeholders are satisfied with the results1. It provides an opportunity to identify and correct any issues or conflicts that may have arisen during the development and implementation process. While other options like adding developers to the change approval board, limiting code deployment access to a small number of people, and creating staging environments can also serve as compensating controls, a post-implementation change review provides a more comprehensive and effective control mechanism21.

  References: Review and Close Change process ST 2 5 - Micro Focus Change Management for SOC: Risks, Controls, Audits, Guidance

• Question 850:

  If a recent release of a program has to be backed out of production, the corresponding changes within the delta version of the code should be:

  A. filed in production for future reference in researching the problem.
  B. applied to the source code that reflects the version in production.
  C. eliminated from the source code that reflects the version in production.
  D. reinstalled when replacing the version back into production.
  C. eliminated from the source code that reflects the version in production.

  ---

  Explanation

  When a program release needs to be backed out of production, the changes introduced by that release must be removed from the source code to ensure the system returns to its prior state. This approach ensures that the source code

  reflects the stable version without the problematic changes.

  References:

  ISACA CISA Review Manual 27th Edition, Page 244-245 (Change Management)