Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 851:

  Which of the following should be of GREATEST concern to an IS auditor reviewing project documentation for a client relationship management (CRM) system migration project?

  A. The technical migration is planned for a holiday weekend and end users may not be available.
  B. Five weeks prior to the target date, there are still numerous defects in the printing functionality.
  C. A single implementation phase is planned and the legacy system will be immediately decommissioned.
  D. Employees are concerned that data representation in the new system is completely different from the old system.
  C. A single implementation phase is planned and the legacy system will be immediately decommissioned.

  ---

  Explanation

• Question 852:

  When auditing the closing stages of a system development protect which of the following should be the MOST important consideration?

  A. Control requirements
  B. Rollback procedures
  C. Functional requirements documentation
  D. User acceptance lest (UAT) results
  D. User acceptance lest (UAT) results

  ---

  Explanation

  When auditing the closing stages of a system development project, the most important consideration should be the user acceptance test (UAT) results. The UAT is a critical phase of the system development life cycle (SDLC) that ensures that the system meets the functional requirements and expectations of the end users. The UAT results provide evidence of the system's quality, performance, usability, and reliability. Control requirements, rollback procedures, and functional requirements documentation are also important considerations, but they are not as crucial as the UAT results in determining if the system is ready for deployment.

  References: CISA Review Manual (Digital Version)1, page 325.

• Question 853:

  Of the following who should be responsible for cataloging and inventorying robotic process automation (RPA) processes?

  A. IT personnel
  B. Business owner
  C. Information security personnel
  D. Data steward
  B. Business owner

  ---

  Explanation

  Explanation

  The business owner is best positioned to catalog and inventory robotic process automation (RPA) processes because they understand the processes, objectives, and associated risks. They ensure that RPA aligns with business goals and

  compliance requirements. IT Personnel (Option A):Typically support implementation and maintenance but may lack insight into business processes.

  Information Security Personnel (Option C):Focus on securing processes but are not responsible for inventorying them.

  Data Steward (Option D):Primarily responsible for data governance, not RPA process inventory.

  ISACA CISA Review Manual, Job Practice Area 1: Governance and Management of IT.

• Question 854:

  During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?

  A. The business case reflects stakeholder requirements.
  B. The business case is based on a proven methodology.
  C. The business case passed a quality review by an independent party.
  D. The business case identifies specific plans for cost allocation.
  A. The business case reflects stakeholder requirements.

  ---

  Explanation

  During a pre-deployment assessment, the best indication that a business case will lead to the achievement of business objectives is that the business case reflects stakeholder requirements. A business case is a document that explains the rationale, benefits, costs, and risks of a proposed project or initiative. A business case should align with the strategic goals and vision of the organization and address the needs and expectations of the stakeholders who are involved in or affected by the project. Stakeholder requirements are the conditions or capabilities that stakeholders expect from a project or its outcomes. Stakeholders can include customers, users, employees, managers, suppliers, regulators, and others who have an interest or stake in the project. Stakeholder requirements should be identified, analyzed, prioritized, validated, and documented throughout the project lifecycle. The business case should reflect stakeholder requirements because they provide the basis for defining the project scope, objectives, deliverables, quality standards, success criteria, and benefits realization. By reflecting stakeholder requirements, the business case can demonstrate how the project will add value to the organization and its stakeholders, justify the investment and resources required for the project, and facilitate the decision-making and approval process for the project . Therefore, during a pre-deployment assessment, an IS auditor should look for evidence that the business case reflects stakeholder requirements as the best indication that the business case will lead to the achievement of business objectives.

  References: How to Write a Business Case (Template Included) - ProjectManager How to Write a Business Case | Smartsheet What are Stakeholder Requirements? | PM Study Circle Stakeholder Requirements - Project Management Knowledge Business Case vs Business Requirements - Difference Between [Business Case Development - Project Management Docs]

• Question 855:

  Which of the following system redundancy configurations BEST improves system resiliency and reduces the possibility of a single cause of failure impacting system dependability?

  A. Active redundancy
  B. Homogeneous redundancy
  C. Diverse redundancy
  D. Passive redundancy
  C. Diverse redundancy

  ---

  Explanation

• Question 856:

  An IS auditor finds that confidential company data has been inadvertently leaked through social engineering. The MOST effective way to help prevent a recurrence of this issue is to implement:

  A. penalties to staff for security policy breaches.
  B. a third-party intrusion prevention solution.
  C. a security awareness program.
  D. data loss prevention (DLP) software.
  C. a security awareness program.

  ---

  Explanation

• Question 857:

  Which of the following indicates that an internal audit organization is structured to support the independence and clarity of the reporting process?

  A. Auditors are responsible for performing operational duties or activities.
  B. The internal audit manager reports functionally to a senior management official.
  C. The internal audit manager has a reporting line to the audit committee.
  D. Auditors are responsible for assessing and operating a system of internal controls.
  C. The internal audit manager has a reporting line to the audit committee.

  ---

  Explanation

  The internal audit manager should have a reporting line to the audit committee, which is an independent body that oversees the internal audit function and ensures its objectivity and accountability. Reporting functionally to a senior management official may compromise the independence and clarity of the internal audit reporting process, as senior management may have a vested interest in the audit results or influence the audit scope and priorities. *

  References: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1002 Independence, "The chief audit executive (CAE) should report functionally to the board or its equivalent (e.g., audit committee) and administratively to executive management." 1

• Question 858:

  Which of the following should be the PRIMARY purpose of conducting tabletop exercises when re-viewing a security incident response plan?

  A. To provide efficiencies for alignment with incident response test scenarios
  B. To determine process improvement options for the incident response plan
  C. To gather documentation for responding to security audit inquiries
  D. To confirm that technology is in place to support the incident response plan
  B. To determine process improvement options for the incident response plan

  ---

  Explanation

• Question 859:

  Which of the following would be an IS auditor's GREATEST concern when evaluating a cybersecurity incident response plan?

  A. The plan has not been recently tested.
  B. Roles and responsibilities are not detailed for each process.
  C. Stakeholder contact details are not up-to-date.
  D. The plan does not include incident response metrics.
  B. Roles and responsibilities are not detailed for each process.

  ---

  Explanation

• Question 860:

  Audit frameworks can assist the IS audit function by:

  A. providing details on how to execute the audit program.
  B. outlining the specific steps needed to complete audits.
  C. providing direction and information regarding the performance of audits.
  D. defining the authority and responsibility of the IS audit function.
  C. providing direction and information regarding the performance of audits.

  ---

  Explanation