Isaca CISA Practice Test - Questions Answers, Page 27


The IS quality assurance (QA) group is responsible for:

A. ensuring that program changes adhere to established standards.
B. designing procedures to protect data against accidental disclosure.
C. ensuring that the output received from system processing is complete.
D. monitoring the execution of computer processing tasks.
Suggested answer: A

Explanation:

The IS quality assurance (QA) group is responsible for ensuring that program changes adhere to established standards. Program changes are modifications made to software applications or systems to fix errors, improve performance, add functionality, or meet changing requirements. Program changes should follow established standards for documentation, authorization, testing, implementation, and review. The IS QA group is responsible for verifying that program changes comply with these standards and meet the expected quality criteria. Designing procedures to protect data against accidental disclosure, ensuring that the output received from system processing is complete, and monitoring the execution of computer processing tasks are not responsibilities of the IS QA group.

Reference: ISACA CISA Review Manual, 27th Edition, page 304.

An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

A. Availability of the user list reviewed
B. Confidentiality of the user list reviewed
C. Source of the user list reviewed
D. Completeness of the user list reviewed
Suggested answer: C

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

A. The certificate revocation list has not been updated.
B. The PKI policy has not been updated within the last year.
C. The private key certificate has not been updated.
D. The certificate practice statement has not been published.
Suggested answer: A

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

A. Use of stateful firewalls with default configuration
B. Ad hoc monitoring of firewall activity
C. Misconfiguration of the firewall rules
D. Potential back doors to the firewall software
Suggested answer: C

An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

A. violation reports may not be reviewed in a timely manner.
B. a significant number of false positive violations may be reported.
C. violations may not be categorized according to the organization's risk profile.
D. violation reports may not be retained according to the organization's risk profile.
Suggested answer: C

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

A. Expected deliverables meeting project deadlines
B. Sign-off from the IT team
C. Ongoing participation by relevant stakeholders
D. Quality assurance (QA) review
Suggested answer: B

In order to be useful, a key performance indicator (KPI) MUST:

A. be approved by management.
B. be measurable in percentages.
C. be changed frequently to reflect organizational strategy.
D. have a target value.
Suggested answer: D

Explanation:

A key performance indicator (KPI) is a quantifiable measure of performance over time for a specific objective. KPIs help organizations and teams track their progress and achievements towards their strategic goals. To be useful, a KPI must have a target value, which is the desired level of performance or outcome that the organization or team aims to achieve. A target value provides a clear direction and a benchmark for measuring success or failure. Without a target value, a KPI is meaningless, as it does not indicate whether the performance is good or bad, or how far or close the organization or team is from reaching their objective.

Which of the following are BEST suited for continuous auditing?

A. Low-value transactions
B. Real-time transactions
C. Irregular transactions
D. Manual transactions
Suggested answer: B

Explanation:

Continuous auditing is a method of performing audit-related activities on a real-time or near real-time basis. Continuous auditing is best suited for real-time transactions, such as online banking, e-commerce, or electronic funds transfer, that require immediate verification and assurance. Low-value transactions are not necessarily suitable for continuous auditing, as they may not pose significant risks or require frequent monitoring. Irregular transactions are not suitable for continuous auditing, as they may not occur frequently or consistently enough to justify the use of continuous auditing techniques. Manual transactions are not suitable for continuous auditing, as they may not be captured or processed by automated systems that enable continuous auditing.

Reference:

CISA Review Manual, 27th Edition, pages 307-308

CISA Review Questions, Answers & Explanations Database, Question ID: 253

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

A. The policy includes a strong risk-based approach.
B. The retention period allows for review during the year-end audit.
C. The retention period complies with data owner responsibilities.
D. The total transaction amount has no impact on financial reporting.
Suggested answer: C

Explanation:

The most important factor for the organization to ensure when reducing the retention period for media containing completed low-value transactions is that the retention period complies with data owner responsibilities. Data owners are accountable for defining the retention and disposal requirements for the data under their custody, based on business, legal, regulatory, and contractual obligations. The policy should reflect the data owner's decisions and obtain their approval. The policy should also include a risk-based approach, but this is not as important as complying with data owner responsibilities. The retention period should allow for review during the year-end audit, but this may not be necessary for low-value transactions that have minimal impact on financial reporting. The total transaction amount may have some impact on financial reporting, but this is not a direct consequence of reducing the retention period.

Reference:

CISA Review Manual, 27th Edition, pages 414-415

CISA Review Questions, Answers & Explanations Database, Question ID: 255

Providing security certification for a new system should include which of the following prior to the system's implementation?

A. End-user authorization to use the system in production
B. External audit sign-off on financial controls
C. Testing of the system within the production environment
D. An evaluation of the configuration management practices
Suggested answer: D

Explanation:

Providing security certification for a new system should include an evaluation of the configuration management practices prior to the system's implementation. Configuration management is a process that ensures that the system's components are identified, controlled, and tracked throughout the system's lifecycle. Configuration management helps to maintain the security and integrity of the system by preventing unauthorized or unintended changes. End-user authorization to use the system in production is not part of security certification, but rather a post-implementation activity that grants access rights to authorized users. External audit sign-off on financial controls is not part of security certification, but rather a verification activity that ensures that the system complies with financial reporting standards. Testing of the system within the production environment is not part of security certification, but rather a validation activity that ensures that the system meets the functional and performance requirements.

Reference:

CISA Review Manual, 27th Edition, pages 449-450

CISA Review Questions, Answers & Explanations Database, Question ID: 257
