Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 931:

  Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

  A. Lessons learned were implemented.
  B. Management approved the PIR report.
  C. The review was performed by an external provider.
  D. Project outcomes have been realized.
  D. Project outcomes have been realized.

  ---

  Explanation

  The best indicator of whether a PIR performed by the PMO was effective is whether project outcomes have been realized. Project outcomes are the benefits or value that a project delivers to its stakeholders, such as improved efficiency, quality, customer satisfaction, or revenue. A PIR should evaluate whether project outcomes have been achieved in accordance with project objectives, scope, budget, and schedule. The other options are not as good as project outcomes in determining the effectiveness of a PIR. Lessons learned are valuable inputs for improving future projects, but they do not measure whether project outcomes have been realized. Management approval of the PIR report is a sign of acceptance and support for the PIR findings and recommendations, but it does not reflect whether project outcomes have been achieved. The review performed by an external provider is a way of ensuring objectivity and independence for the PIR, but it does not guarantee whether project outcomes have been realized.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

• Question 932:

  Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

  A. Audit charter
  B. IT steering committee
  C. Information security policy
  D. Audit best practices
  A. Audit charter

  ---

  Explanation

  The audit charter is the document that defines the purpose, authority and responsibility of the IS audit function. It provides IS audit professionals with the best source of direction for performing audit functions, as it establishes the scope, objectives, reporting lines, independence, accountability and resources of the IS audit function. The IT steering committee is a governance body that oversees the strategic alignment, prioritization and direction of IT initiatives, but it does not provide specific guidance for IS audit functions. The information security policy is a document that defines the rules and principles for protecting information assets in the organization, but it does not cover all aspects of IS audit functions. Audit best practices are general guidelines and recommendations for conducting effective and efficient audits, but they are not binding or authoritative sources of direction for IS audit functions.

  References: CISA Review Manual (Digital Version) 1, Chapter 1: Information Systems Auditing Process, Section 1.1: Audit Charter.

• Question 933:

  An organization's audit charter should:

  A. set the enterprise strategic direction.
  B. detail the audit objectives.
  C. define the auditors' right to access information.
  D. include the IS audit plan.
  A. set the enterprise strategic direction.

  ---

  Explanation

• Question 934:

  An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

  A. refuse the assignment to avoid conflict of interest.
  B. use the knowledge of the application to carry out the audit.
  C. inform audit management of the earlier involvement.
  D. modify the scope of the audit.
  C. inform audit management of the earlier involvement.

  ---

  Explanation

  The IS auditor should inform audit management of the earlier involvement in designing the application. This is to ensure that there is no conflict of interest or bias that may affect the objectivity or independence of the audit. Audit management can then decide whether to assign a different auditor or to proceed with the same auditor with appropriate safeguards. The other options are not appropriate for the IS auditor to do in this situation. Refusing the assignment to avoid conflict of interest is an extreme measure that may not be necessary or feasible, especially if there are no other qualified auditors available. Using the knowledge of the application to carry out the audit is risky, as it may lead to overlooking or ignoring potential issues or errors in the application. Modifying the scope of the audit is not advisable, as it may compromise the quality or completeness of the audit.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.1

• Question 935:

  An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization's wider security threat and vulnerability management program.

  Which of the following would BEST enable the organization to work toward improvement in this area?

  A. Implementing security logging to enhance threat and vulnerability management
  B. Maintaining a catalog of vulnerabilities that may impact mission-critical systems
  C. Using a capability maturity model to identify a path to an optimized program
  D. Outsourcing the threat and vulnerability management function to a third party
  C. Using a capability maturity model to identify a path to an optimized program

  ---

  Explanation

  The best way to enable the organization to work toward improvement in its security threat and vulnerability management program is to use a capability maturity model to identify a path to an optimized program. A capability maturity model is a

  framework that helps organizations assess their current level of performance and maturity in a specific domain, and provides guidance and best practices to achieve higher levels of excellence. A capability maturity model for vulnerability

  management can help the organization to evaluate its current practices, identify gaps and weaknesses, and implement improvement actions based on the defined criteria and objectives.

  References:

  1: What is a Capability Maturity Model?

  2: Capability Maturity Model - Wikipedia

  3: Vulnerability Management Maturity Model - SANS Institute

  4: Stages Of Vulnerability Management Maturity Model - SecPod Blog

• Question 936:

  Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?

  A. Industry regulations
  B. Industry standards
  C. Incident response plan
  D. Information security policy
  A. Industry regulations

  ---

  Explanation

  Following a breach, the maximum amount of time before customers must be notified that their personal information may have been compromised depends on the industry regulations that apply to the organization. Different industries and jurisdictions may have different legal and regulatory requirements for breach notification, such as the General Data Protection Regulation (GDPR) in the European Union, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Industry standards, incident response plans, and information security policies are not as authoritative as industry regulations in determining the breach notification time frame.

  References: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program Management Guide]

• Question 937:

  Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?

  A. Attempt to submit new account applications with invalid dates of birth.
  B. Review the business requirements document for date of birth field requirements.
  C. Review new account applications submitted in the past month for invalid dates of birth.
  D. Evaluate configuration settings for the date of birth field requirements
  C. Review new account applications submitted in the past month for invalid dates of birth.

  ---

  Explanation

  Data analytics is the process of collecting, transforming, analyzing, and visualizing data to gain insights and support decision making1. Data analytics can be used to facilitate the testing of a new account creation process by applying various

  techniques and methods to evaluate the quality, functionality, performance, and security of the process. One of the approaches that would utilize data analytics to test the new account creation process is to review new account applications

  submitted in the past month for invalid dates of birth. This approach would involve the following steps:

  Extract the data of new account applications from the source system, such as a database or a web service, using appropriate tools and methods. Transform and clean the data to ensure its accuracy, completeness, consistency, and validity,

  using techniques such as data profiling, data cleansing, data mapping, and data validation.

  Analyze the data to identify any anomalies, errors, or outliers in the date of birth field, using methods such as descriptive statistics, exploratory data analysis, hypothesis testing, or anomaly detection. Visualize the data to present the findings

  and insights in a clear and understandable way, using tools and techniques such as charts, graphs, dashboards, or reports. By reviewing new account applications submitted in the past month for invalid dates of birth, the tester can use data

  analytics to:

  Verify if the new account creation process is working as expected and meets the business requirements and specifications for the date of birth field. Detect any defects or issues in the new account creation process that may cause invalid

  dates of birth to be accepted or rejected incorrectly. Measure and monitor the performance and reliability of the new account creation process in terms of data quality, accuracy, and completeness. Evaluate and improve the test coverage and

  effectiveness of the new account creation process by identifying any gaps or risks in the test cases or scenarios.

  Therefore, option C is the correct answer.

  Option A is not correct because attempting to submit new account applications with invalid dates of birth is not a data analytics approach, but a functional testing approach that involves executing test cases or scenarios manually or

  automatically to validate the behavior and functionality of the new account creation process. Option B is not correct because reviewing the business requirements document for date of birth field requirements is not a data analytics approach,

  but a requirements analysis approach that involves examining and understanding the needs and expectations of the stakeholders for the new account creation process. Option D is not correct because evaluating configuration settings for date

  of birth field requirements is not a data analytics approach, but a configuration testing approach that involves verifying if the settings and parameters of the new account creation process are correct and consistent with the requirements.

• Question 938:

  The PRIMARY reason for an IS auditor to perform a functional walk-through of a business process during the preliminary phase of an audit assignment is to:

  A. identify control weaknesses in the business process.
  B. optimize the business process.
  C. understand the key areas.
  D. understand the resource requirements.
  C. understand the key areas.

  ---

  Explanation

  Explanation

• Question 939:

  An IS auditor finds that a document related to a client has been leaked. Which of the following should be the auditor's NEXT step?

  A. Report data leakage finding to regulatory authorities
  B. Determine the classification of data leaked
  C. Report data leakage finding to senior management
  D. Notify appropriate law enforcement.
  B. Determine the classification of data leaked

  ---

  Explanation

• Question 940:

  Which of the following is the BEST detective control for a job scheduling process involving data transmission?

  A. Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.
  B. Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).
  C. Jobs are scheduled and a log of this activity is retained for subsequent review.
  D. Job failure alerts are automatically generated and routed to support personnel.
  D. Job failure alerts are automatically generated and routed to support personnel.

  ---

  Explanation

  The best detective control for a job scheduling process involving data transmission is job failure alerts that are automatically generated and routed to support personnel. Job failure alerts are notifications that indicate when a scheduled job or task fails to execute or complete successfully, such as due to errors, interruptions, or delays. Job failure alerts can help detect and correct any issues or anomalies in the job scheduling process involving data transmission by informing and alerting the support personnel who can investigate and resolve the problem. The other options are not as effective as job failure alerts in detecting issues or anomalies in the job scheduling process involving data transmission, as they do not provide timely or specific information or feedback. Metrics denoting the volume of monthly job failures are reported and reviewed by senior management is a reporting technique that can help measure and improve the performance and reliability of the job scheduling process, but it does not provide immediate or detailed information on individual job failures. Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP) is a preventive control that can help ensure the timeliness and security of the job scheduling process involving data transmission, but it does not detect any issues or anomalies that may occur during the process. Jobs are scheduled and a log of this activity is retained for subsequent review is a logging technique that can help record and track the status and results of the job scheduling process involving data transmission, but it does not provide real-time or proactive information on job failures.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2