Isaca CISA Practice Test - Questions Answers, Page 53
Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

A. The information security policy has not been approved by the chief audit executive (CAE).
B. The information security policy does not include mobile device provisions.
C. The information security policy is not frequently reviewed.
D. The information security policy has not been approved by the policy owner.
Suggested answer: D

Explanation:

The policy owner is the person with authority over, and accountability for, the policy's content, implementation and enforcement. Without the owner's approval the policy has no standing: it may not reflect the organization's objectives, risk appetite and compliance requirements, and staff cannot be held to it. The policy owner is normally a senior executive (for example the CISO or CIO) who is accountable for information security governance. The CAE heads the internal audit function and should not approve operational policies, since doing so would impair audit's independence over the very controls it later reviews, so option A is not a concern. Missing mobile device provisions and infrequent review are weaknesses in policy coverage and maintenance, but they are secondary to the policy lacking valid approval.

Reference:

CISA Review Manual (Digital Version), Chapter 1, Section 1.2

CISA Online Review Course, Domain 5, Module 1, Lesson 1

An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?

A. Implement a control self-assessment (CSA)
B. Conduct a gap analysis
C. Develop a maturity model
D. Evaluate key performance indicators (KPIs)
Suggested answer: D

Explanation:

To determine whether IT service delivery rests on consistently effective processes, the governance body should evaluate KPIs. KPIs are measurable values, tracked over time against agreed targets, that show how effectively the organization is achieving its objectives; for service delivery they typically cover availability, incident resolution time, change success rate and similar measures. Reviewing KPI trends shows whether performance is consistent, highlights areas for improvement and supports benchmarking against best practices or industry standards. A control self-assessment and a gap analysis are point-in-time exercises, and a maturity model describes the capability level of a process rather than its day-to-day results.

Reference:

CISA Review Manual (Digital Version), Chapter 1, Section 1.3.2

CISA Online Review Course, Domain 5, Module 2, Lesson 2

An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified. Which type of control is in place?

A. Detective
B. Compensating
C. Corrective
D. Directive
Suggested answer: D

Explanation:

Hiring policies and procedures that ensure network administrators are qualified are a directive control. Directive controls guide or direct the actions of individuals or groups toward a desired outcome, and by doing so help to prevent undesirable events; here they ensure that only competent personnel are employed to perform IT-related tasks. They are not detective (they do not identify events after the fact), corrective (they do not remediate an identified problem) or compensating (they do not substitute for a control that cannot be implemented).

Reference:

CISA Review Manual (Digital Version), Chapter 4, Section 4.1

CISA Online Review Course, Domain 1, Module 2, Lesson 1

An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year, as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST?

A. Escalate to audit management to discuss the audit plan
B. Notify the chief operating officer (COO) and discuss the audit plan risks
C. Exclude IS audits from the upcoming year's plan
D. Increase the number of IS audits in the plan
Suggested answer: A

Explanation:

The auditor should first escalate to audit management to discuss the audit plan. The audit plan must be based on a risk assessment and aligned with the organization's objectives and strategies, and only audit management, which is accountable for the plan's quality and the function's independence, can decide to change it. An individual auditor should neither accept the CIO's request and drop IS audits (option C) nor react by adding audits (option D), and going to the COO (option B) bypasses the audit reporting line. When escalating, the auditor should describe the risks of a year without IS audits: new or emerging threats, vulnerabilities and compliance issues would go unassessed, and the status of last year's recommendations would go unverified.

Reference:

CISA Review Manual (Digital Version), Chapter 2, Section 2.1

CISA Online Review Course, Domain 1, Module 1, Lesson 2

Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?

A. Security policies are not applicable across all business units
B. End users are not required to acknowledge security policy training
C. The security policy has not been reviewed within the past year
D. Security policy documents are available on a public domain website
Suggested answer: D

Explanation:

The greatest concern is that security policy documents are available on a public website. Policy documents describe the organization's security posture, controls and exception processes, and an attacker can use them to identify gaps and to craft attacks that bypass those controls. Such documents should be classified at least as internal and protected from unauthorized access or disclosure. Policies that do not apply to every business unit, missing training acknowledgements and an overdue review are weaknesses in policy development, implementation or maintenance, but they do not directly expose the organization's defences to outsiders.

Reference:

CISA Review Manual (Digital Version), Chapter 5, Section 5.3

CISA Online Review Course, Domain 3, Module 1, Lesson 1

An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST recommendation prior to go-live?

A. Review test procedures and scenarios
B. Conduct a mock conversion test
C. Establish a configuration baseline
D. Automate the test scripts
Suggested answer: B

Explanation:

The best recommendation prior to go-live is to conduct a mock conversion test: a full dry run of the conversion against a copy of the production data in a test environment. It verifies the accuracy, completeness and validity of the converted data (record counts, control totals and field-level reconciliation against the source), surfaces mapping and transformation errors while there is still time to fix them, and provides evidence that the converted data meets business requirements. Reviewing test procedures (A) only examines the plan, a configuration baseline (C) concerns the target environment rather than the data, and automating scripts (D) is a test-efficiency measure, not an assurance step.

Reference:

CISA Review Manual (Digital Version), Chapter 3, Section 3.3.2

CISA Online Review Course, Domain 2, Module 2, Lesson 2
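The reconciliation a mock conversion test should produce, as an added example that is not part of the original page or any ISACA material: it compares a constructed set of legacy rows with the rows a conversion run produced, checking record counts, missing and duplicated keys, a control total over a monetary field and field-level values after the documented status mapping has been applied. The sample rows, the field names and the status mapping are assumptions made for the illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data (assumed for this illustration): legacy rows and the
# rows a mock conversion run produced. Field names and STATUS_MAP are assumptions.
SOURCE_ROWS = [
    {"id": "1001", "name": "Acme Ltd", "balance": "1250.00", "status": "A"},
    {"id": "1002", "name": "Bolt GmbH", "balance": "-40.50", "status": "A"},
    {"id": "1003", "name": "Cray SA", "balance": "0.00", "status": "C"},
    {"id": "1004", "name": "Dune Inc", "balance": "999999.99", "status": "A"},
]
CONVERTED_ROWS = [
    {"id": "1001", "name": "Acme Ltd", "balance": "1250.00", "status": "ACTIVE"},
    {"id": "1002", "name": "Bolt Gmb", "balance": "-40.50", "status": "ACTIVE"},  # name truncated
    {"id": "1004", "name": "Dune Inc", "balance": "999999.99", "status": "ACTIVE"},
    {"id": "1004", "name": "Dune Inc", "balance": "999999.99", "status": "ACTIVE"},  # loaded twice
]
STATUS_MAP = {"A": "ACTIVE", "C": "CLOSED"}  # the documented transformation rule (assumed)


def expected_target_row(source_row):
    """Apply the documented transformation rules to one legacy row."""
    row = dict(source_row)
    row["status"] = STATUS_MAP.get(row["status"], row["status"])
    return row


def reconcile(source, converted, key="id", amount_field="balance"):
    """Return the checks an auditor expects from a mock conversion run."""
    src_keys = Counter(r[key] for r in source)
    dst_keys = Counter(r[key] for r in converted)
    report = {
        "record_count": (len(source), len(converted)),
        "missing_in_target": sorted(set(src_keys) - set(dst_keys)),
        "unexpected_in_target": sorted(set(dst_keys) - set(src_keys)),
        "duplicate_keys_in_target": sorted(k for k, c in dst_keys.items() if c > 1),
    }
    # Control totals over a monetary field; Decimal avoids float rounding noise.
    src_total = sum((Decimal(r[amount_field]) for r in source), Decimal(0))
    dst_total = sum((Decimal(r[amount_field]) for r in converted), Decimal(0))
    report["control_total"] = (str(src_total), str(dst_total))
    # Field-level comparison of each matched row against its expected value.
    first_by_key = {}
    for r in converted:
        first_by_key.setdefault(r[key], r)
    mismatches = []
    for r in source:
        target = first_by_key.get(r[key])
        if target is None:
            continue
        for field, value in expected_target_row(r).items():
            if target.get(field) != value:
                mismatches.append((r[key], field, value, target.get(field)))
    report["field_mismatches"] = mismatches
    report["passed"] = (
        report["record_count"][0] == report["record_count"][1]
        and not report["missing_in_target"]
        and not report["unexpected_in_target"]
        and not report["duplicate_keys_in_target"]
        and src_total == dst_total
        and not mismatches
    )
    return report


if __name__ == "__main__":
    for check, result in reconcile(SOURCE_ROWS, CONVERTED_ROWS).items():
        print(f"{check}: {result}")
```

Note that the record counts match (4 and 4) even though one row is missing and another was loaded twice; a count check alone would have passed this run, which is why the control total and the key comparison are needed as well.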

As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?

A. Risk appetite
B. Critical applications in the cloud
C. Completeness of critical asset inventory
D. Recovery scenarios
Suggested answer: C

Explanation:

The most important item to assess in a BIA is the completeness of the critical asset inventory. The BIA identifies and prioritizes the business processes, functions and resources essential to continuing operations, and it can only do so for assets that are known. The inventory should include tangible and intangible assets (hardware, software, data, personnel, facilities, contracts, reputation) and be kept current as the business environment changes. Risk appetite, cloud-hosted applications and recovery scenarios are inputs to or outputs of continuity planning, but each depends on first knowing which assets are critical.

Reference:

CISA Review Manual (Digital Version), Chapter 5, Section 5.4

CISA Online Review Course, Domain 3, Module 3, Lesson 1

Which of the following can only be provided by asymmetric encryption?

A. Information privacy
B. 256-bit key length
C. Data availability
D. Nonrepudiation
Suggested answer: D

Explanation:

Nonrepudiation is the only listed property that requires asymmetric encryption. Nonrepudiation is the ability to prove that a message or transaction originated with a specific party, so that the party cannot later deny it. Asymmetric cryptography uses a key pair: the public key can be shared with anyone, while the private key is held only by its owner. In a digital signature the sender computes a hash of the message and transforms it with the private key; anyone holding the sender's public key can verify the result, and because only the holder of the private key could have produced it, the sender cannot deny having signed. A symmetric key is shared by both parties, so either of them could have produced a given message authentication code and neither can prove which one did. The other options are not unique to asymmetric encryption: information privacy (confidentiality) can also be achieved with symmetric encryption, which uses a single key for encryption and decryption; 256-bit keys exist in symmetric algorithms such as AES-256; and data availability is not a service that encryption provides at all.

Reference:

CISA Review Manual (Digital Version), Chapter 5, Section 5.2

CISA Online Review Course, Domain 3, Module 2, Lesson 1

Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?

A. To enable conclusions about the performance of the processes and target variances for follow-up analysis
B. To analyze workflows in order to optimize business processes and eliminate tasks that do not provide value
C. To assess the functionality of a software deliverable based on business processes
Suggested answer: A

Explanation:

The primary role of KPIs is to enable conclusions about process performance and to target variances for follow-up analysis. KPIs are measurable values that show how effectively an organization is achieving its key objectives; comparing actual results against targets reveals whether a process is performing as intended, and deviations point to where corrective action or deeper analysis is needed. They also support benchmarking against best practices or industry standards. Workflow analysis (B) and assessing a software deliverable (C) are activities KPIs may inform, but they are not what KPIs themselves do.

Reference:

CISA Review Manual (Digital Version), Chapter 1, Section 1.3.2

CISA Online Review Course, Domain 5, Module 2, Lesson 2

In an IT organization where many responsibilities are shared, which of the following is the BEST control for detecting unauthorized data changes?

A. Users are required to periodically rotate responsibilities
B. Segregation of duties conflicts are periodically reviewed
C. Data changes are independently reviewed by another group
D. Data changes are logged in an outside application
Suggested answer: C

Explanation:

Where responsibilities are shared, the best detective control for unauthorized data changes is independent review of the changes by another group. An independent reviewer provides an objective check that each change was authorized, accurate and complete, and can surface errors, fraud or malicious activity that the people making the changes would not report themselves, so data integrity is maintained. Rotating responsibilities (A) and reviewing segregation-of-duties conflicts (B) are preventive measures that reduce opportunity rather than detect changes. Logging changes to an outside application (D) preserves evidence but detects nothing until someone examines the log; the logging supports the independent review rather than replacing it.

Reference:

CISA Review Manual (Digital Version), Chapter 4, Section 4.3

CISA Online Review Course, Domain 1, Module 4, Lesson 2
