Isaca CISA Practice Test - Questions Answers, Page 23


Which of the following is the MAIN purpose of an information security management system?

A. To identify and eliminate the root causes of information security incidents
B. To enhance the impact of reports used to monitor information security incidents
C. To keep information security policies and procedures up-to-date
D. To reduce the frequency and impact of information security incidents
Suggested answer: D

Explanation:

The main purpose of an information security management system (ISMS) is to reduce the frequency and impact of information security incidents. An ISMS is a systematic approach to managing information security risks, policies, procedures, and controls within an organization. An ISMS aims to ensure the confidentiality, integrity, and availability of information assets, as well as to comply with relevant laws and regulations. The other options are not the main purpose of an ISMS, but rather some of its possible benefits or components.

Reference:

CISA Review Manual (Digital Version), Chapter 7, Section 7.11

CISA Review Questions, Answers & Explanations Database, Question ID 205

Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process?

A. Securing information assets in accordance with the classification assigned
B. Validating that assets are protected according to assigned classification
C. Ensuring classification levels align with regulatory guidelines
D. Defining classification levels for information assets within the organization
Suggested answer: B

Explanation:

Validating that assets are protected according to assigned classification is the primary role of the IS auditor in an organization's information classification process. An IS auditor should evaluate whether the information security controls are adequate and effective in safeguarding the information assets based on their classification levels. The other options are not the primary role of the IS auditor, but rather the responsibilities of the information owners, custodians, or security managers.

Reference:

CISA Review Manual (Digital Version), Chapter 6, Section 6.2.31

CISA Review Questions, Answers & Explanations Database, Question ID 206

Which of the following is MOST important to consider when scheduling follow-up audits?

A. The efforts required for independent verification with new auditors
B. The impact if corrective actions are not taken
C. The amount of time the auditee has agreed to spend with auditors
D. Controls and detection risks related to the observations
Suggested answer: B

Explanation:

The impact if corrective actions are not taken is the most important factor to consider when scheduling follow-up audits. An IS auditor should prioritize the follow-up audits based on the risk and potential consequences of not addressing the audit findings and recommendations. The other options are less important factors that may affect the timing and scope of the follow-up audits, but not their necessity or urgency.

Reference:

CISA Review Manual (Digital Version), Chapter 2, Section 2.5.31

CISA Review Questions, Answers & Explanations Database, Question ID 207

An information systems security officer's PRIMARY responsibility for business process applications is to:

A. authorize secured emergency access
B. approve the organization's security policy
C. ensure access rules agree with policies
D. create role-based rules for each business process
Suggested answer: C

Explanation:

Ensuring access rules agree with policies is an information systems security officer's primary responsibility for business process applications. An information systems security officer should verify that the access controls implemented for the business process applications are consistent with the organization's security policy and objectives. The other options are not the primary responsibility of an information systems security officer, but rather the tasks of an application owner, senior management, or a business analyst.

Reference:

CISA Review Manual (Digital Version), Chapter 7, Section 7.3.11

CISA Review Questions, Answers & Explanations Database, Question ID 208

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months. Which of the following is the BEST course of action?

A. Require documentation that the finding will be addressed within the new system
B. Schedule a meeting to discuss the issue with senior management
C. Perform an ad hoc audit to determine if the vulnerability has been exploited
D. Recommend the finding be resolved prior to implementing the new system
Suggested answer: A

Explanation:

Requiring documentation that the finding will be addressed within the new system is the best course of action for a follow-up audit. An IS auditor should obtain evidence that the complex security vulnerability of low risk will be resolved in the new system and that there is a reasonable timeline for its implementation. The other options are not appropriate courses of action, as they may be too costly, time-consuming, or impractical for a low-risk finding.

Reference:

CISA Review Manual (Digital Version), Chapter 2, Section 2.5.31

CISA Review Questions, Answers & Explanations Database, Question ID 209

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

A. There is a reconciliation process between the spreadsheet and the finance system
B. A separate copy of the spreadsheet is routinely backed up
C. The spreadsheet is locked down to avoid inadvertent changes
D. Access to the spreadsheet is given only to those who require access
Suggested answer: D

Explanation:

Giving access to the spreadsheet only to those who require it is the most important control for maintaining the security of data in the spreadsheet. An IS auditor should ensure that the principle of least privilege is applied to limit the access to sensitive financial data and prevent unauthorized disclosure, modification, or deletion. The other options are less important controls that may enhance the accuracy, availability, or integrity of data in the spreadsheet, but not its security.

Reference:

CISA Review Manual (Digital Version), Chapter 6, Section 6.31

CISA Review Questions, Answers & Explanations Database, Question ID 210

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the project audit?

A. Compare the agile process with previous methodology.
B. Identify and assess existing agile process control.
C. Understand the specific agile methodology that will be followed.
D. Interview business process owners to compile a list of business requirements.
Suggested answer: C

Explanation:

Understanding the specific agile methodology that will be followed is the first step an IS auditor should take to ensure the effectiveness of the project audit. An IS auditor should become familiar with the agile approach, principles, practices, and tools that will be used by the project team, as well as the roles and responsibilities of the project stakeholders. This will help the IS auditor identify and assess the relevant risks and controls for the project audit. The other options are not the first step an IS auditor should take, but rather possible subsequent actions that may depend on the specific agile methodology.

Reference:

CISA Review Manual (Digital Version), Chapter 4, Section 4.3.21

CISA Review Questions, Answers & Explanations Database, Question ID 211

When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:

A. architecture and cloud environment of the system.
B. business process supported by the system.
C. policies and procedures of the business area being audited.
D. availability reports associated with the cloud-based system.
Suggested answer: B

Explanation:

The business process supported by the system is the most important factor for an IS auditor to understand when planning an audit to assess application controls of a cloud-based system. An IS auditor should have a clear understanding of the business objectives, requirements, and risks of the process, as well as the expected outputs and outcomes of the system. This will help the IS auditor to determine the scope, objectives, and criteria of the audit, as well as to identify and evaluate the key application controls that ensure the effectiveness, efficiency, and reliability of the process. The other options are less important factors that may provide additional information or context for the audit, but not its primary focus.

Reference:

CISA Review Manual (Digital Version), Chapter 5, Section 5.31

CISA Review Questions, Answers & Explanations Database, Question ID 212

Which of the following concerns is BEST addressed by securing production source libraries?

A. Programs are not approved before production source libraries are updated.
B. Production source and object libraries may not be synchronized.
C. Changes are applied to the wrong version of production source libraries.
D. Unauthorized changes can be moved into production.
Suggested answer: D

Explanation:

The concern that unauthorized changes can be moved into production is the one best addressed by securing production source libraries. Production source libraries contain the source code of programs that are used in the production environment. Securing production source libraries means implementing access controls, change management procedures, and audit trails to prevent unauthorized or improper changes to the source code that could affect the functionality, performance, or security of the production programs. The other options are less relevant concerns that may not be directly addressed by securing production source libraries, but rather by other controls such as program approval, version control, or change testing.

Reference:

CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3.21

CISA Review Questions, Answers & Explanations Database, Question ID 213

During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

A. Ask management why the regulatory changes have not been included.
B. Discuss potential regulatory issues with the legal department.
C. Report the missing regulatory updates to the chief information officer (CIO).
D. Exclude recent regulatory changes from the audit scope.
Suggested answer: A

Explanation:

Asking management why the regulatory changes have not been included is the first thing that an IS auditor should do during the planning stage of a compliance audit. An IS auditor should inquire about the reasons for not updating the inventory of compliance requirements with recent regulatory changes related to managing data risk. This will help the IS auditor to understand whether there is a gap in awareness, communication, or implementation of compliance obligations within the organization. The other options are not the first things that an IS auditor should do, but rather possible subsequent actions that may depend on management's response.

Reference:

CISA Review Manual (Digital Version), Chapter 2, Section 2.31

CISA Review Questions, Answers & Explanations Database, Question ID 214
