Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 981:

  To ensure the organization is able to centrally manage mobile devices to protect against data disclosure, it is MOST important for an IS auditor to determine whether:

  A. A mobile security awareness training program exists.
  B. Incident statistics are regularly provided to management.
  C. Remote wipe functionality is enabled on mobile devices.
  D. Lost mobile devices can be located remotely.
  C. Remote wipe functionality is enabled on mobile devices.

  ---

  Explanation

  Explanation

• Question 982:

  Which of the following should be of MOST concern lo an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

  A. The certificate revocation list has not been updated.
  B. The private key certificate has not been updated.
  C. The PKI policy has not been updated within the last year.
  D. The certificate practice statement has not been published.
  A. The certificate revocation list has not been updated.

  ---

  Explanation

• Question 983:

  Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?

  A. Hash totals
  B. Online review of description
  C. Comparison to historical order pattern
  D. Self-checking digit
  D. Self-checking digit

  ---

  Explanation

  A self-checking digit is the most effective accuracy control for entry of a valid numeric part number. This method involves adding an extra digit at the end of every number which is calculated from the other digits. This digit is then used to check the accuracy of the entered number1. While hash totals, online review of description, and comparison to historical order pattern can be used as accuracy controls, they are not as effective as a self-checking digit.

• Question 984:

  When reviewing a newly implemented quality management system (QMS), which of the following should be the IS auditor's PRIMARY concern?

  A. The QMS benefit measures were not included in the business case.
  B. The QMS testing methodology is not clearly documented.
  C. The QMS post-implementation review (PIR) has not been finalized.
  D. The QMS is not mapped to some core business processes.
  D. The QMS is not mapped to some core business processes.

  ---

  Explanation

• Question 985:

  An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

  A. The security of the desktop PC is enhanced.
  B. Administrative security can be provided for the client.
  C. Desktop application software will never have to be upgraded.
  D. System administration can be better managed
  C. Desktop application software will never have to be upgraded.

  ---

  Explanation

  The major advantage of moving from many desktop PCs to a thin client architecture is that desktop application software will never have to be upgraded. A thin client architecture is a type of client-server architecture that uses lightweight or minimal devices (thin clients) as clients that connect to a central server that provides most of the processing and storage functions. A thin client architecture can offer several benefits over a traditional desktop PC architecture, such as lower cost, higher security, easier maintenance, etc. One of these benefits is that desktop application software will never have to be upgraded on thin clients, as all the applications are installed and updated on the server, and accessed by thin clients through a network connection. This can save time and money for installing and upgrading software on individual devices, and ensure consistency and compatibility among different devices. The security of the desktop PC is enhanced is a possible advantage of moving from many desktop PCs to a thin client architecture, but it is not the major one. A thin client architecture can enhance the security of desktop PCs by reducing the exposure or vulnerability of data and applications on individual devices, and centralizing the security management and control on the server. However, this advantage may depend on other factors such as network security, server security, user authentication, etc. Administrative security can be provided for the client is a possible advantage of moving from many desktop PCs to a thin client architecture, but it is not the major one. A thin client architecture can provide administrative security for clients by allowing administrators to configure and manage client devices remotely from the server, and enforce policies and restrictions on client access or usage. However, this advantage may depend on other factors such as network reliability, server availability, user compliance, etc. System administration can be better managed is a possible advantage of moving from many desktop PCs to a thin client architecture, but it is not the major one. A thin client architecture can improve system administration by simplifying and streamlining the tasks and activities involved in maintaining and supporting client devices, such as backup, recovery, troubleshooting, etc., and consolidating them on the server. However, this advantage may depend on other factors such as network bandwidth, server capacity, user satisfaction

• Question 986:

  What is the MOST effective way to detect installation of unauthorized software packages by employees?

  A. Regular scanning of hard drives
  B. Communicating the policy to employees
  C. Logging of activity on the network
  D. Maintaining current antivirus software
  A. Regular scanning of hard drives

  ---

  Explanation

  Regular scanning of hard drives is the most effective way to detect installation of unauthorized software packages by employees because it can identify any software that is not approved by the organization and may pose a security risk or violate the software policy. Communicating the policy to employees is important, but it may not prevent or detect unauthorized software installation. Logging of activity on the network can monitor network traffic, but it may not capture all software installation events. Maintaining current antivirus software can protect the system from malicious software, but it may not detect all unauthorized software packages.

  References: ISACA, CISA Review Manual, 27th Edition, 2020, p. 2381 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

• Question 987:

  Which of the following is the GREATEST risk when relying on reports generated by end- user computing (EUC)?

  A. Data may be inaccurate.
  B. Reports may not work efficiently.
  C. Reports may not be timely.
  D. Historical data may not be available.
  A. Data may be inaccurate.

  ---

  Explanation

  End-user computing (EUC) is a system in which users are able to create working applications besides the divided development process of design, build, test and release that is typically followed by software engineers. Examples of EUC tools include spreadsheets, databases, low-code/no-code platforms, and generative AI applications2. EUC tools can provide flexibility, efficiency, and innovation for the users, but they also pose significant risks if not properly managed and controlled3. The greatest risk when relying on reports generated by EUC is that the data may be inaccurate. Data accuracy refers to the extent to which the data in the reports reflect the true values of the underlying information4. Inaccurate data can lead to erroneous decisions, misleading analysis, unreliable reporting, and compliance violations. Some of the factors that can cause data inaccuracy in EUC reports are: Lack of rigorous testing: EUC tools may not undergo the same level of testing and validation as IT-developed applications, which can result in errors, bugs, or inconsistencies in the data processing and output. Lack of version and change control: EUC tools may not have a clear record of the changes made to them over time, which can create confusion, duplication, or loss of data. Users may also modify or overwrite the data without proper authorization or documentation. Lack of documentation and reliance on end-user who developed it: EUC tools may not have sufficient documentation to explain their purpose, functionality, assumptions, limitations, and dependencies. Users may also rely on the knowledge and expertise of the original developer, who may not be available or may not have followed best practices. Lack of maintenance processes: EUC tools may not have regular updates, backups, or reviews to ensure their functionality and security. Users may also neglect to delete or archive obsolete or redundant data. Lack of security: EUC tools may not have adequate access controls, encryption, or authentication mechanisms to protect the data from unauthorized access, modification, or disclosure. Users may also store or share the data in insecure locations or devices. Lack of audit trail: EUC tools may not have a traceable history of the data sources, inputs, outputs, calculations, and transformations. Users may also manipulate or falsify the data without detection or accountability. Overreliance on manual controls: EUC tools may depend on human intervention to input, verify, or correct the data, which can introduce errors, delays, or biases. Users may also lack the skills or training to use the EUC tools effectively and efficiently3. The other options are not as great as data inaccuracy when relying on EUC reports. Reports may not work efficiently, reports may not be timely, and historical data may not be available are all potential risks associated with EUC tools, but they are less severe and less frequent than data inaccuracy. Moreover, these risks can be mitigated by improving the performance, scheduling, and storage of the EUC tools. However, data inaccuracy can have a pervasive and lasting impact on the quality and credibility of the reports and the decisions based on them. Therefore, option A is the correct answer.

  References: What is Data Accuracy? What Is End User Computing (EUC) Risk? End-user computing End-User Computing (EUC) Risks: A Comprehensive Guide

• Question 988:

  Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

  A. File level encryption
  B. File Transfer Protocol (FTP)
  C. Instant messaging policy
  D. Application-level firewalls
  D. Application-level firewalls

  ---

  Explanation

  Application level firewalls are the best control to prevent the transfer of files to external parties through instant messaging (IM) applications, because they can inspect and filter network traffic based on application-specific protocols and commands, such as IM file transfer commands. Application level firewalls can block or allow IM file transfers based on predefined rules or policies. File level encryption, file transfer protocol (FTP), and instant messaging policy are not effective controls to prevent IM file transfers, because they do not restrict or monitor IM network traffic.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.1

• Question 989:

  During a follow-up audit, an IS auditor learns the organization implemented an automated process instead of the originally agreed upon enhancement of the manual process. The auditor should:

  A. report the finding that recommendations were not acted upon
  B. perform a cost-benefit analysis on the new process
  C. verify that the new process satisfies control objectives
  D. report the recommendation as implemented
  C. verify that the new process satisfies control objectives

  ---

  Explanation

• Question 990:

  An organization allows programmers to change production systems in emergency situations without seeking prior approval. Which of the following controls should an IS auditor consider MOST important?

  A. Programmers' subsequent reports
  B. Limited number of super users
  C. Operator logs
  D. Automated log of changes
  D. Automated log of changes

  ---

  Explanation