
[Oct-2021] Updated Isaca Certification CISA Exam Questions BUNDLE PACK
Master The ISACA Content CISA EXAM DUMPS WITH GUARANTEED SUCCESS!
NEW QUESTION 514
An IS auditor finds that conference rooms have active network ports. Which of the following is MOST
important to ensure?
- A. A single sign-on has been implemented in the corporate network
- B. The corporate network is using an intrusion prevention system (IPS)
- C. This part of the network is isolated from the corporate network
- D. Antivirus software is in place to protect the corporate network
Answer: C
Explanation:
Section: Protection of Information Assets
Explanation:
If the conference rooms have access to the corporate network, unauthorized users may be able to connect
to the corporate network; therefore, both networks should be isolated either via a firewall or being physically
separated. An I PS would detect possible attacks, but only after they have occurred. A single sign-on would
ease authentication management. Antivirus software would reduce the impact of possible viruses; however,
unauthorized users would still be able to access the corporate network, which is the biggest risk.
NEW QUESTION 515
An IS auditor is conducting a follow-up internal IS audit and determines that several recommendations from
the prior year have not been implemented. Which of the following should be the auditor's FIRST course of
action?
- A. Add unimplemented recommendations as findings for the new audit.
- B. Continue the audit and disregard prior audit recommendations.
- C. Evaluate the recommendations in context of the current IT environment.
- D. Request management implement recommendations from the prior year.
Answer: A
Explanation:
Section: Protection of Information Assets
NEW QUESTION 516
Which of the following audit assess accuracy of financial reporting?
- A. Forensic audit
- B. Compliance Audit
- C. Financial Audit
- D. Operational Audit
Answer: C
Explanation:
Section: The process of Auditing Information System
Explanation
Explanation:
A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework.
The purpose of an audit is to provide an objective independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and consequently reduce the cost of capital of the preparer of the financial statements.
For your exam you should know below information about different types of audit:
What is an audit?
An audit in general terms is a process of evaluating an individual or organization's accounts. This is usually done by an independent auditing body. Thus, audit involves a competent and independent person obtaining evidence and evaluating it objectively with regard to a given entity, which in this case is the subject of audit, in order to establish conformance to a given set of standards. Audit can be on a person, organization, system, enterprise, project or product.
Compliance Audit
A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines.
Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory or industry standard. These audits often overlap traditional audits, but may focus on particular system or data.
What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data.
For instance, SOX requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure. Health care providers that store or transmit e-health records, like personal health information, are subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often generated by data from event log management software.
Financial Audit
A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework.
The purpose of an audit is to provide an objective independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and consequently reduce the cost of capital of the preparer of the financial statements.
Operational Audit
Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Operational audit is a more comprehensive form of an Internal audit.
The Institute of Internal Auditor (IIA) defines Operational Audit as a systematic process of evaluating an organization's effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the results of the evaluation along with recommendations for improvement.
Objectives
To appraise the effectiveness and efficiency of a division, activity, or operation of the entity in meeting organizational goals.
To understand the responsibilities and risks faced by an organization.
To identify, with management participation, opportunities for improving control.
To provide senior management of the organization with a detailed understanding of the Operations.
Integrated Audits
An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to financial information and asset, safeguarding, efficiency and or internal auditors and would include compliance test of internal controls and substantive audit step.
IS Audit
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:
Will the organization's computer systems be available for the business at all times when required? (known as availability) Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality) Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity) In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.
Forensic Audit
Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or irregularities (including fraud) and giving preventative advice.
The purpose of a forensic audit is to use accounting procedures to collect evidence for the prosecution or investigation of financial crimes such as theft or fraud. Forensic audits may be conducted to determine if wrongdoing occurred, or to gather materials for the case against an alleged criminal.
The following answers are incorrect:
Compliance Audit - A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory or industry standard. These audits often overlap traditional audits, but may focus on particular system or data.
Operational Audit - Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives.[1] Operational audit is a more comprehensive form of an Internal audit.
Forensic Audit - Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/ financial disputes and or irregularities (including fraud) and giving preventative advice.
Reference:
CISA Review Manual 2014 Page number 44
http://searchcompliance.techtarget.com/definition/compliance-audit
http://en.wikipedia.org/wiki/Financial_audit
http://en.wikipedia.org/wiki/Operational_auditing
http://en.wikipedia.org/wiki/Information_technology_audit
http://www.investorwords.com/16445/forensic_audit.html
NEW QUESTION 517
Which of the following would BEST detect that a distributed-denial-of-service attack (DDoS) is occurring?
- A. Automated monitoring of logs
- B. Server crashes
- C. Penetration testing
- D. Customer service complaints
Answer: C
NEW QUESTION 518
.An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to:
- A. Be financially feasible
- B. Be culturally feasible
- C. Meet business objectives
- D. Enforce data security
Answer: C
Explanation:
An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to meet business objectives.
NEW QUESTION 519
Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce?
- A. Certificate authority (CA)
- B. Certification relocation list
- C. Registration authority
- D. Certification practice statement
Answer: A
Explanation:
Explanation/Reference:
Explanation:
The certificate authority maintains a directory of digital certificates for the reference of those receiving them, it manages the certificate life cycle, including certificate directory maintenance and certificate revocation list maintenance and publication. Choice A is not correct because a registration authority is an optional entity that is responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the CA. Choice C is incorrect since a CRL is an instrument for checking the continued validity of the certificates for which the CA has responsibility. Choice D is incorrect because a certification practice statement is a detailed set of rules governing the certificate authority's operations.
NEW QUESTION 520
Which of the following ACID property in DBMS requires that each transaction is "all or nothing"?
- A. Atomicity
- B. Isolation
- C. Durability
- D. Consistency
Answer: A
Explanation:
Explanation/Reference:
Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.
For CISA exam you should know below information about ACID properties in DBMS:
Atomicity - Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. An atomic system must guarantee atomicity in each and every situation, including power failures, errors, and crashes. To the outside world, a committed transaction appears (by its effects on the database) to be indivisible ("atomic"), and an aborted transaction does not happen.
Consistency - The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.
Isolation - The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other. Providing isolation is the main goal of concurrency control. Depending on concurrency control method, the effects of an incomplete transaction might not even be visible to another transaction. [citation needed] Durability - Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL statements execute, the results need to be stored permanently (even if the database crashes immediately thereafter). To defend against power loss, transactions (or their effects) must be recorded in a non-volatile memory.
The following were incorrect answers:
Consistency - The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.
Isolation - The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other.
Durability - Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 218
NEW QUESTION 521
The purpose of business continuity planning and disaster-recovery planning is to:
- A. Accept the risk and impact of a business
- B. Eliminate the risk and impact of a business interruption or disaster
- C. Mitigate, or reduce, the risk and impact of a business interruption or disaster
- D. Transfer the risk and impact of a business interruption or disaster
Answer: C
Explanation:
Explanation/Reference:
Explanation:
The primary purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster.
Total elimination of risk is impossible.
NEW QUESTION 522
The GREATEST benefit in implementing an expert system is the:
- A. sharing of knowledge in a central repository.
- B. reduction of employee turnover in key departments.
- C. capturing of the knowledge and experience of individuals in an organization.
- D. enhancement of personnel productivity and performance.
Answer: C
Explanation:
Explanation/Reference:
Explanation:
The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. Coding and entering the knowledge in a central repository, shareable within the enterprise, is a means of facilitating the expert system. Enhancing personnel productivity and performance is a benefit; however, it is not as important as capturing the knowledge and experience.
Employee turnover is not necessarily affected by an expert system.
NEW QUESTION 523
Which of the following is the BEST control to protect an organization's sensitive data when using a publicly available cloud storage service?
- A. Data encryption performed by the organization prior to uploading
- B. Cryptographic hash function performed by the cloud vendor
- C. Transport layer security (TLS) between the cloud vendor and the organization
- D. Transparent volume encryption offered by the cloud vendor
Answer: A
NEW QUESTION 524
An IS auditor has been asked to perform a post-Implementation assessment of a new corporate human resources (HR) system. Which of the following control areas would be MOST important to review for the protection of employee information?
- A. Data retention practices
- B. Logging capabilities
- C. System architecture
- D. Authentication mechanisms
Answer: B
NEW QUESTION 525
Which of the following is MOST important to consider when developing a bring your own device (BYOD) policy?
- A. Remote wipe procedures
- B. Application download restrictions
- C. Procedure for accessing the network
- D. Supported operating systems
Answer: C
Explanation:
Section: Governance and Management of IT
NEW QUESTION 526
Which of the following should be of PRIMARY concern to an IS auditor reviewing the
management of external IT service providers?
- A. Evaluating the process for transferring knowledge to the IT department
- B. Prohibiting the provider from subcontracting services
- C. Determining if the services were provided as contracted
- D. Minimizing costs for the services provided
Answer: C
Explanation:
From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements. Minimizing costs, if applicable and achievable (depending on the customer's need) is traditionally not part of an IS auditor's job. This would normally be done by a line management function within the IT department. Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements. Subcontracting providers could be a concern, but it would not be the primary concern. Transferring knowledge to the internal IT department might be desirable under certain circumstances, but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.
NEW QUESTION 527
Which of the following refers to the act of creating and using an invented scenario to persuade a target to perform an action?
- A. Pretexting
- B. None of the choices.
- C. Backgrounding
- D. Bounce checking
- E. Check making
Answer: A
Explanation:
Explanation/Reference:
Explanation:
Pretexting is the act of creating and using an invented scenario to persuade a target to release information or perform an action and is usually done over the telephone. It is more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information.
NEW QUESTION 528
Effective IT governance will ensure that the IT plan is consistent with the organization's:
- A. business plan.
- B. security plan.
- C. audit plan.
- D. investment plan.
Answer: A
Explanation:
Explanation/Reference:
Explanation:
To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans. The audit and investment plans are not part of the IT plan, while the security plan should be at a corporate level.
NEW QUESTION 529
The CIO of an organization is concerned that the information security policies may not be comprehensive.
Which of the following should an IS auditor recommend be performed FIRST?
- A. Obtain a copy of their competitor's policies
- B. Determine if there is j process to handle exceptions to the policies
- C. Compare the policies against an industry framework.
- D. Establish a governance board to track compliance with the policies
Answer: C
NEW QUESTION 530
A stockbroker accepts orders over the Internet. Which of the following is the MOST appropriate control to ensure confidentiality of the orders?
- A. Digital signature
- B. Data Encryption Standard (DES)
- C. Virtual private network
- D. Public key encryption
Answer: D
Explanation:
Section: Protection of Information Assets
NEW QUESTION 531
What is the primary objective of a control self-assessment (CSA) program?
- A. Replacement of the audit responsibility
- B. Enhancement of the audit responsibility
- C. Integrity of the audit responsibility
- D. Elimination of the audit responsibility
Answer: B
Explanation:
Section: Protection of Information Assets
Explanation:
Audit responsibility enhancement is an objective of a control self-assessment (CSA) program.
NEW QUESTION 532
Library control software restricts source code to:
- A. Write-only access
- B. Read-only access
- C. Full access
- D. Read-write access
Answer: B
Explanation:
Explanation/Reference:
Library control software restricts source code to read-only access.
NEW QUESTION 533
With the objective of mitigating the risk and impact of a major business interruption, a disaster recovery
plan should endeavor to reduce the length of recovery time necessary, as well as costs associated with
recovery. Although DRP results in an increase of pre-and post-incident operational costs, the extra costs
are more than offset by reduced recovery and business impact costs. True or false?
- A. True
- B. False
Answer: A
Explanation:
Section: Protection of Information Assets
Explanation:
With the objective of mitigating the risk and impact of a major business interruption, a disaster- recovery
plan should endeavor to reduce the length of recovery time necessary and the costs associated with
recovery. Although DRP results in an increase of pre-and post-incident operational costs, the extra costs
are more than offset by reduced recovery and business impact costs.
NEW QUESTION 534
Which of the following observations noted during a review of the organization s social media practices should be of MOST concern to the IS auditor?
- A. The organization does not have a documented social media policy.
- B. Not all employees using social media have attended the security awareness program.
- C. The organization does not require approval for social media posts.
- D. More than one employee is authorized to publish on social media on behalf of the organization
Answer: A
NEW QUESTION 535
Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?
- A. Implement Simple Object Access Protocol (SOAP)
- B. Mask the API endpoints
- C. Encrypt the extensible markup language (XML) file
- D. Implement Transport Layer Security (TLS)
Answer: D
NEW QUESTION 536
......
Pass ISACA CISA Exam – Experts Are Here To Help You: https://www.exams-boost.com/CISA-valid-materials.html
Get Latest Isaca Certification CISA Practice Test For Quick Preparation: https://drive.google.com/open?id=1GWZR5_moMvsie3Bt5-aRdC2n5BkRJp7D