Isaca CISA Practice Test - Questions Answers, Page 23

List of questions
Question 221

Which of the following is the MAIN purpose of an information security management system?
:The main purpose of an information security management system (ISMS) is to reduce the frequency and impact of information security incidents. An ISMS is a systematic approach to managing information security risks, policies, procedures, and controls within an organization. An ISMS aims to ensure the confidentiality, integrity, and availability of information assets, as well as to comply with relevant laws and regulations. The other options are not the main purpose of an ISMS, but rather some of its possible benefits or components.Reference:
CISA Review Manual (Digital Version), Chapter 7, Section 7.11
CISA Review Questions, Answers & Explanations Database, Question ID 205
Question 222

Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?
Validating that assets are protected according to assigned classification is the primary role of the IS auditor in an organization's information classification process. An IS auditor should evaluate whether the information security controls are adequate and effective in safeguarding the information assets based on their classification levels. The other options are not the primary role of the IS auditor, but rather the responsibilities of the information owners, custodians, or security managers.Reference:
CISA Review Manual (Digital Version), Chapter 6, Section 6.2.31
CISA Review Questions, Answers & Explanations Database, Question ID 206
Question 223

Which of the following is MOST important to consider when scheduling follow-up audits?
The impact if corrective actions are not taken is the most important factor to consider when scheduling follow-up audits. An IS auditor should prioritize the follow-up audits based on the risk and potential consequences of not addressing the audit findings and recommendations. The other options are less important factors that may affect the timing and scope of the follow-up audits, but not their necessity or urgency.Reference:
CISA Review Manual (Digital Version), Chapter 2, Section 2.5.31
CISA Review Questions, Answers & Explanations Database, Question ID 207
Question 224

An information systems security officer's PRIMARY responsibility for business process applications is to:
Ensuring access rules agree with policies is an information systems security officer's primary responsibility for business process applications. An information systems security officer should verify that the access controls implemented for the business process applications are consistent with the organization's security policy and objectives. The other options are not the primary responsibility of an information systems security officer, but rather the tasks of an application owner, a senior management, or a business analyst.Reference:
CISA Review Manual (Digital Version), Chapter 7, Section 7.3.11
CISA Review Questions, Answers & Explanations Database, Question ID 208
Question 225

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?
Requiring documentation that the finding will be addressed within the new system is the best course of action for a follow-up audit. An IS auditor should obtain evidence that the complex security vulnerability of low risk will be resolved in the new system and that there is a reasonable timeline for its implementation. The other options are not appropriate courses of action, as they may be too costly, time-consuming, or impractical for a low-risk finding.Reference:
CISA Review Manual (Digital Version), Chapter 2, Section 2.5.31
CISA Review Questions, Answers & Explanations Database, Question ID 209
Question 226

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?
Access to the spreadsheet is given only to those who require access is the most important control for maintaining the security of data in the spreadsheet. An IS auditor should ensure that the principle of least privilege is applied to limit the access to sensitive financial data and prevent unauthorized disclosure, modification, or deletion. The other options are less important controls that may enhance the accuracy, availability, or integrity of data in the spreadsheet, but not its security.Reference:
CISA Review Manual (Digital Version), Chapter 6, Section 6.31
CISA Review Questions, Answers & Explanations Database, Question ID 210
Question 227

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?
Understanding the specific agile methodology that will be followed is the first step that an IS auditor should do to ensure the effectiveness of the project audit. An IS auditor should familiarize themselves with the agile approach, principles, practices, and tools that will be used by the project team, as well as the roles and responsibilities of the project stakeholders. This will help the IS auditor to identify and assess the relevant risks and controls for the project audit. The other options are not the first steps that an IS auditor should do, but rather possible subsequent actions that may depend on the specific agile methodology.Reference:
CISA Review Manual (Digital Version), Chapter 4, Section 4.3.21
CISA Review Questions, Answers & Explanations Database, Question ID 211
Question 228

When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.
The business process supported by the system is the most important factor for an IS auditor to understand when planning an audit to assess application controls of a cloud-based system. An IS auditor should have a clear understanding of the business objectives, requirements, and risks of the process, as well as the expected outputs and outcomes of the system. This will help the IS auditor to determine the scope, objectives, and criteria of the audit, as well as to identify and evaluate the key application controls that ensure the effectiveness, efficiency, and reliability of the process. The other options are less important factors that may provide additional information or context for the audit, but not its primary focus.Reference:
CISA Review Manual (Digital Version), Chapter 5, Section 5.31
CISA Review Questions, Answers & Explanations Database, Question ID 212
Question 229

Which of the following concerns is BEST addressed by securing production source libraries?
Unauthorized changes can be moved into production is the best concern that is addressed by securing production source libraries. Production source libraries contain the source code of programs that are used in the production environment. Securing production source libraries means implementing access controls, change management procedures, and audit trails to prevent unauthorized or improper changes to the source code that could affect the functionality, performance, or security of the production programs. The other options are less relevant concerns that may not be directly addressed by securing production source libraries, but rather by other controls such as program approval, version control, or change testing.Reference:
CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3.21
CISA Review Questions, Answers & Explanations Database, Question ID 213
Question 230

During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
Asking management why the regulatory changes have not been included is the first thing that an IS auditor should do during the planning stage of a compliance audit. An IS auditor should inquire about the reasons for not updating the inventory of compliance requirements with recent regulatory changes related to managing data risk. This will help the IS auditor to understand whether there is a gap in awareness, communication, or implementation of compliance obligations within the organization. The other options are not the first things that an IS auditor should do, but rather possible subsequent actions that may depend on management's response.Reference:
CISA Review Manual (Digital Version), Chapter 2, Section 2.31
CISA Review Questions, Answers & Explanations Database, Question ID 214
Question