CISA


Recommend!!

Get the Full CISA dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CISA-exam-dumps.html (886 New Questions)

Isaca
Exam Questions CISA
Certified Information Systems Auditor

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

NEW QUESTION 1
- (Topic 3)
Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

A. Analyzing risks posed by new regulations
B. Developing procedures to monitor the use of personal data
C. Defining roles within the organization related to privacy
D. Designing controls to protect personal data

Answer: A

Explanation:
An appropriate role of internal audit in helping to establish an organization’s privacy program is analyzing risks posed by new regulations. A privacy program is a
set of policies, procedures, and controls that aim to protect the personal data of individuals from unauthorized or unlawful collection, use, disclosure, or disposal. A
privacy program should comply with the applicable laws and regulations that govern the privacy rights and obligations of individuals and organizations, such as the
General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). New regulations may introduce new requirements or changes that
affect the organization’s privacy program and expose it to potential compliance risks or penalties. Therefore, internal audit can help to establish an organization’s
privacy program by analyzing the risks posed by new regulations and providing assurance, advice, or recommendations on how to address them [1]. The other
options are less appropriate or incorrect because:
• B. Developing procedures to monitor the use of personal data is not an appropriate role of internal audit in helping to establish an organization’s privacy program, as it is more of a management or operational role. Internal audit should not be involved in designing or implementing the organization’s privacy program, as it would compromise its independence and objectivity. Internal audit should provide assurance on the effectiveness and efficiency of the organization’s privacy program, but not create or execute it [2].
• C. Defining roles within the organization related to privacy is not an appropriate role of internal audit in helping to establish an organization’s privacy program, as it is more of a governance or strategic role. Internal audit should not be involved in setting or approving the organization’s privacy strategy, objectives, or policies, as it would compromise its independence and objectivity. Internal audit should provide assurance on the alignment and compliance of the organization’s privacy program with its strategy, objectives, and policies, but not define or approve them [2].
• D. Designing controls to protect personal data is not an appropriate role of internal audit in helping to establish an organization’s privacy program, as it is more of a management or operational role. Internal audit should not be involved in designing or implementing the organization’s privacy program, as it would compromise its independence and objectivity. Internal audit should provide assurance on the adequacy and effectiveness of the organization’s privacy program, but not design or implement it [2].
References: ISACA Introduces New Audit Programs for Business Continuity/Disaster …, Best Practices for Privacy Audits - ISACA, ISACA Produces New Audit and Assurance Programs for Data Privacy and …

NEW QUESTION 2
- (Topic 3)
Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

A. Restricting evidence access to professionally certified forensic investigators
B. Documenting evidence handling by personnel throughout the forensic investigation
C. Performing investigative procedures on the original hard drives rather than images of the hard drives
D. Engaging an independent third party to perform the forensic investigation

Answer: B

Explanation:
The most important factor to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings is to document
evidence handling by personnel throughout the forensic investigation. Documentation is essential to establish the chain of custody, prove the integrity and
authenticity of the evidence, and demonstrate compliance with legal and ethical standards. Documentation should include information such as the date, time,
location, source, destination, method, purpose, result, and authorization of each action performed on the evidence. Documentation should also include any
observations, findings, assumptions, limitations, or exceptions encountered during the investigation. References:
• CISA Review Manual (Digital Version)
• CISA Questions, Answers & Explanations Database

NEW QUESTION 3
- (Topic 2)
To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?

A. Root cause
B. Responsible party
C. Impact
D. Criteria

Answer: A

Explanation:
Root cause is the most important thing for an IS auditor to determine and understand to develop meaningful recommendations for findings. A root cause is the
underlying factor or condition that leads to a problem or issue. A finding is a statement that describes a problem or issue identified during an audit. A
recommendation is a suggestion or advice that aims to address or resolve a finding. To develop meaningful recommendations for findings, an IS auditor should
determine and understand the root cause of each finding, as this can help to identify the most effective and appropriate actions to prevent or correct the problem or
issue. The other options are not as important as determining and understanding the root cause, as they do not directly address or resolve the finding. References:
CISA Review Manual, 27th Edition, page 434

NEW QUESTION 4
- (Topic 1)
Which of the following MOST effectively minimizes downtime during system conversions?

A. Phased approach
B. Direct cutover

Passing Certification Exams Made Easy visit - https://www.surepassexam.com


Recommend!! Get the Full CISA dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CISA-exam-dumps.html (886 New Questions)

C. Pilot study
D. Parallel run

Answer: D

Explanation:
The most effective way to minimize downtime during system conversions is to use a parallel run. A parallel run is a method of system conversion where both the
old and new systems operate simultaneously for a period of time until the new system is verified to be functioning correctly. This reduces the risk of errors, data
loss, or system failure during conversion and allows for a smooth transition from one system to another. References: CISA Review Manual, 27th Edition, page 467

NEW QUESTION 5
- (Topic 1)
Which of the following is MOST important to include in forensic data collection and preservation procedures?

A. Assuring the physical security of devices
B. Preserving data integrity
C. Maintaining chain of custody
D. Determining tools to be used

Answer: B

Explanation:
The most important thing to include in forensic data collection and preservation procedures is preserving data integrity. Data integrity is the property that ensures
that data is accurate, complete, and consistent throughout its lifecycle. Preserving data integrity is essential for forensic data collection and preservation
procedures because it ensures that the data can be used as valid and reliable evidence in legal proceedings or investigations. Preserving data integrity can be
achieved by using methods such as hashing, checksums, digital signatures, write blockers, tamper-evident seals, or timestamps. The other options are not as
important as preserving data integrity in forensic data collection and preservation procedures, as they do not affect the validity or reliability of the data. Assuring the
physical security of devices is a security measure that protects devices from unauthorized access, theft, damage, or destruction, but it does not ensure that the
data on the devices is accurate, complete, and consistent. Maintaining chain of custody is a documentation technique that records and tracks the handling and
transfer of devices or data among different parties involved in forensic activities, but it does not ensure that the data on the devices is accurate, complete, and
consistent. Determining tools to be used is a planning activity that selects and prepares the appropriate tools for forensic data collection and preservation
procedures, but it does not ensure that the data collected and preserved by the tools is accurate, complete, and consistent. References: CISA Review Manual
(Digital Version), Chapter 5, Section 5.4
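The explanations for questions 2 and 5 above describe what a chain-of-custody record must capture (date, time, location, source, destination, method, purpose, result and authorization of each action on the evidence) and name hashing as a way to preserve data integrity. The Python script below is an added example written for this page; it is not part of the exam material or of any ISACA publication. It keeps a custody log for a constructed in-memory disk image, takes a SHA-256 digest at acquisition, and re-verifies that digest before every later handling step so that a single altered byte is detected and recorded as an integrity failure instead of passing silently. All handler names, evidence IDs, locations and timestamps in it are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Reference digest taken at acquisition and re-computed before every later action."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    # One entry per action, carrying the fields the explanation lists for evidence handling.
    timestamp: str
    handler: str
    location: str
    source: str
    destination: str
    method: str
    purpose: str
    authorized_by: str
    result: str
    digest: str


@dataclass
class EvidenceRecord:
    evidence_id: str
    acquisition_digest: str
    log: List[CustodyEntry] = field(default_factory=list)

    def integrity_ok(self, data: bytes) -> bool:
        """True when the evidence still hashes to the value recorded at acquisition."""
        return sha256_hex(data) == self.acquisition_digest


def _now(clock: Optional[str]) -> str:
    # A fixed clock value keeps the example deterministic; real use passes None for UTC now.
    return clock or datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(evidence_id: str, data: bytes, handler: str, location: str,
            authorized_by: str, clock: Optional[str] = None) -> EvidenceRecord:
    """Create the record and its first custody entry (imaging behind a write blocker)."""
    digest = sha256_hex(data)
    record = EvidenceRecord(evidence_id, digest)
    record.log.append(CustodyEntry(
        timestamp=_now(clock), handler=handler, location=location,
        source=f"{evidence_id} (original device, write-blocked)",
        destination=f"{evidence_id}.img", method="bit-for-bit image",
        purpose="acquisition", authorized_by=authorized_by,
        result="acquired", digest=digest))
    return record


def record_action(record: EvidenceRecord, data: bytes, handler: str, location: str,
                  source: str, destination: str, method: str, purpose: str,
                  authorized_by: str, clock: Optional[str] = None) -> bool:
    """Verify the evidence before the action and append the entry either way.

    Returns True when the digest matches the acquisition value. A mismatch is still
    logged (result = "INTEGRITY FAILURE") so the break in the chain stays visible.
    """
    digest = sha256_hex(data)
    ok = digest == record.acquisition_digest
    record.log.append(CustodyEntry(
        timestamp=_now(clock), handler=handler, location=location, source=source,
        destination=destination, method=method, purpose=purpose,
        authorized_by=authorized_by,
        result="verified" if ok else "INTEGRITY FAILURE", digest=digest))
    return ok


def chain_is_intact(record: EvidenceRecord) -> bool:
    """Every entry must name a handler and an authorizer and carry the acquisition digest."""
    return all(e.digest == record.acquisition_digest and e.handler and e.authorized_by
               for e in record.log)


def demo() -> dict:
    """Walk a constructed image through storage, analysis and an altered working copy."""
    # Constructed sample bytes standing in for an acquired disk image; not real evidence.
    image = b"\x00" * 512 + b"CONSTRUCTED SAMPLE DISK IMAGE" + b"\xff" * 512
    rec = acquire("EV-2024-001", image, "A. Examiner", "Lab bench 3",
                  "Case lead", clock="2024-01-15T09:00:00+00:00")
    transfer_ok = record_action(rec, image, "B. Custodian", "Evidence locker",
                                "Lab bench 3", "Locker 12", "sealed transport",
                                "storage", "Case lead", clock="2024-01-15T11:30:00+00:00")
    analysis_ok = record_action(rec, image, "A. Examiner", "Lab bench 3",
                                "Locker 12", "analysis workstation", "working copy",
                                "keyword search", "Case lead", clock="2024-01-16T08:15:00+00:00")
    intact_before = chain_is_intact(rec)
    # One byte of the working copy changes; the next verification must catch it.
    altered = bytearray(image)
    altered[600] ^= 0x01
    tamper_ok = record_action(rec, bytes(altered), "A. Examiner", "Lab bench 3",
                              "analysis workstation", "report", "export",
                              "reporting", "Case lead", clock="2024-01-17T10:00:00+00:00")
    return {"transfer_ok": transfer_ok, "analysis_ok": analysis_ok,
            "intact_before_tamper": intact_before, "tamper_detected": not tamper_ok,
            "intact_after_tamper": chain_is_intact(rec), "entries": len(rec.log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The log is append-only by design: a failed verification is written as its own entry rather than being dropped, which is what lets a later reviewer see exactly when and in whose hands the chain broke. In practice the digest would be taken on the image file on disk and the log written to tamper-evident storage, but the structure of the record is the same.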

NEW QUESTION 6
- (Topic 3)
Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

A. Cost of projects divided by total IT cost
B. Expected return divided by total project cost
C. Net present value (NPV) of the portfolio
D. Total cost of each project

Answer: C

Explanation:
The most useful metric for management to consider when reviewing a project portfolio is the net present value (NPV) of the portfolio. NPV is a measure of the
profitability and value of a project or a portfolio of projects, taking into account the time value of money and the expected cash flows. NPV compares the present
value of the future cash inflows with the present value of the initial investment and shows how much value is created or lost by undertaking a project or a portfolio
of projects [1]. A positive NPV indicates that the project or portfolio is worth more than its cost and will generate a positive return on investment. A negative NPV
indicates that the project or portfolio is worth less than its cost and will result in a loss. Therefore, NPV helps management to prioritize and select the most
profitable and valuable projects or portfolios that align with the organizational strategy and objectives [2].
The other options are less useful or incorrect because:
• A. Cost of projects divided by total IT cost is not a useful metric for reviewing a project portfolio, as it does not reflect the benefits, value, or return of the projects. It only shows the proportion of IT budget allocated to the projects, which may not be indicative of their strategic importance or alignment [3].
• B. Expected return divided by total project cost is not a useful metric for reviewing a project portfolio, as it does not account for the time value of money and the timing of cash flows. It only shows the average return per unit of cost, which may not be comparable across different projects or portfolios with different durations, risks, and cash flow patterns [4].
• D. Total cost of each project is not a useful metric for reviewing a project portfolio, as it does not reflect the benefits, value, or return of the projects. It only shows the initial investment required for each project, which may not be indicative of their profitability or viability [5].
References: Portfolio, Program and Project Management Using COBIT 5 - ISACA, Project Portfolio Management - ISACA, CISA Review Manual (Digital Version), Standards, Guidelines, Tools and Techniques

NEW QUESTION 7
- (Topic 1)
During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

A. perform a business impact analysis (BIA).
B. issue an intermediate report to management.
C. evaluate the impact on current disaster recovery capability.
D. conduct additional compliance testing.

Answer: C

Explanation:
The first step that an IS auditor should take when finding that a business impact analysis (BIA) has not been performed is to evaluate the impact on current
disaster recovery capability. A BIA is a process that identifies and analyzes the potential effects of disruptions to critical business functions and processes. A BIA
helps determine the recovery priorities, objectives, and strategies for the organization. Without a BIA, the disaster recovery plan may not be aligned with the
business needs and expectations, and may not provide adequate protection and recovery for the most critical assets and activities. Therefore, an IS auditor should
assess how the lack of a BIA affects the current disaster recovery capability and identify any gaps or risks that need to be addressed. Performing a BIA, issuing an
intermediate report to management, and conducting additional compliance testing are not the first steps that an IS auditor should take when
finding that a BIA has not been performed. These steps may be done later in the audit process, after evaluating the impact on current disaster recovery capability.
Performing a BIA is not the responsibility of the IS auditor, but of the business owners and managers. Issuing an intermediate report to management may be
premature without sufficient evidence and analysis. Conducting additional compliance testing may not be relevant or necessary without a clear understanding of
the disaster recovery requirements and objectives.

NEW QUESTION 8
- (Topic 1)
An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:

A. establish criteria for reviewing alerts.
B. recruit more monitoring personnel.
C. reduce the firewall rules.
D. fine tune the intrusion detection system (IDS).

Answer: D

Explanation:
Fine tuning the intrusion detection system (IDS) is the best recommendation to reduce the number of false positive alerts that overwhelm the log management
system, because it can help adjust the sensitivity and accuracy of the IDS rules and signatures to match the network environment and traffic patterns. Establishing
criteria for reviewing alerts, recruiting more monitoring personnel, and reducing the firewall rules are not effective solutions to address the root cause of the false
positive alerts, but rather ways to cope with the consequences. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.3

NEW QUESTION 9
- (Topic 1)
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

A. Report the mitigating controls.
B. Report the security posture of the organization.
C. Determine the value of the firewall.
D. Determine the risk of not replacing the firewall.

Answer: D

Explanation:
The IS auditor’s next course of action after finding that firewalls are outdated and not supported by vendors should be to determine the risk of not replacing the
firewall. Outdated firewalls may have known vulnerabilities that can be exploited by attackers to bypass security controls and access the network. They may also
lack compatibility with newer technologies or standards that are required for optimal network performance and protection. Not replacing the firewall could expose
the organization to various threats, such as data breaches, denial-of-service attacks, malware infections, or regulatory non-compliance. The IS auditor should
assess the likelihood and impact of these threats and quantify the risk level for management to make informed decisions.

NEW QUESTION 10
- (Topic 4)
Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has
approval authority?

A. Purchase requisitions and purchase orders
B. Invoices and reconciliations
C. Vendor selection and statements of work
D. Good receipts and payments

Answer: A

Explanation:
The greatest segregation of duties conflict would occur if the individual who performs the related tasks also has approval authority for purchase requisitions and
purchase orders. This is because these two tasks are directly related to each other and involve financial transactions. If the same person is responsible for both
tasks, it could lead to potential fraud or error [1][2]. For instance, the individual could approve a purchase order for a personal need and then also approve the
payment for it, leading to misuse of company funds [1][2]. References:
• Segregation of Duties: Examples of Roles, Duties & Violations - Pathlock
• Functions in the Purchasing Process and how to Segregate Purchasing Duties

NEW QUESTION 11
- (Topic 4)
In a post-implementation review of a recently purchased system, it is MOST important for the IS auditor to determine whether the:

A. stakeholder expectations were identified.
B. vendor product offered a viable solution.
C. user requirements were met.
D. test scenarios reflected operating activities.

Answer: C

Explanation:
The most important thing for the IS auditor to determine in a post-implementation review of a recently purchased system is whether the user requirements were
met. User requirements are the specifications and expectations of the users of the system, such as the features, functions, performance, quality, and security of
the system. User requirements are usually defined and documented in the early stages of the system acquisition process, such as in the request for proposal
(RFP) or the contract. User requirements are also used as the basis for testing and evaluating the system before and after implementation.
Determining whether the user requirements were met can help the IS auditor assess whether the system is fit for purpose and delivers value and benefits to the
users and the organization. Determining whether the user requirements were met can also help the IS auditor identify any gaps, issues, or problems with the
system that may affect its functionality, usability, or reliability. Determining whether the user requirements were met can also help the IS auditor provide feedback
and recommendations for improvement or enhancement of the system.
Stakeholder expectations were identified is not the most important thing for the IS auditor to determine in a post-implementation review of a recently purchased
system, but rather a prerequisite or input for it. Stakeholder expectations are the needs and wants of the various parties who have an interest or influence in the
system, such as users, managers, customers, suppliers, regulators, or auditors. Stakeholder expectations are usually identified and analyzed in the initial stages of
the system acquisition process, such as in the feasibility study or the business case. Stakeholder expectations are also used as inputs for defining and prioritizing
the user requirements.
Vendor product offered a viable solution is not the most important thing for the IS auditor to determine in a post-implementation review of a recently purchased
system, but rather an outcome or result of it. Vendor product is the system that is provided by an external supplier or service provider to meet the user
requirements. Vendor product offered a viable solution means that the vendor product satisfied or exceeded the user requirements and delivered value and
benefits to the users and organization. Vendor product offered a viable solution can be determined by comparing and evaluating the user requirements and the
vendor product performance and quality.
Test scenarios reflected operating activities is not the most important thing for the IS auditor to determine in a post-implementation review of a recently purchased
system, but rather a factor or criterion for it. Test scenarios are sets of conditions or situations that are used to test and verify whether the system meets the user
requirements. Test scenarios reflected operating activities means that test scenarios simulated or replicated real-world scenarios that occur during normal
operations of business processes or functions that use or depend on the system. Test scenarios reflected operating activities can help ensure that test results are
valid, reliable, and relevant.
References:
• Post Implementation Review: How to conduct and its Benefits [1]
• Post-implementation reviews - Department of Prime Minister and Cabinet [2]
• How To Conduct A Post Implementation Audit of Your Recently Installed System [3]

NEW QUESTION 12
- (Topic 4)
What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?

A. Determine service level requirements.
B. Complete a risk assessment.
C. Perform a business impact analysis (BIA).
D. Conduct a vendor audit.

Answer: B

Explanation:
Before selecting a SaaS vendor, the most important action is to complete a risk assessment. A risk assessment is a process of identifying, analyzing, and
evaluating the potential risks associated with outsourcing software and IT infrastructure to a third-party provider. A risk assessment helps to determine the impact
and likelihood of various threats, such as data breaches, service disruptions, vendor lock-in, compliance issues, and legal disputes. A risk assessment also helps
to identify the mitigation strategies and controls that can reduce or eliminate the risks.
A risk assessment is more important than determining service level requirements, performing a business impact analysis (BIA), or conducting a vendor audit
because it provides the basis for these other actions. Service level requirements are the expectations and obligations that define the quality and quantity of service
that the vendor must provide to the customer. A BIA is a process of assessing the potential effects of an interruption or disruption of critical business functions or
processes due to an incident or disaster. A vendor audit is a process of verifying the vendor’s compliance with the contract terms, service levels, security policies,
and best practices.
Service level requirements, BIA, and vendor audit are all important actions for selecting a SaaS vendor, but they depend on the results of the risk assessment. For
example, service level requirements should reflect the risk appetite and tolerance of the customer, which are determined by the risk assessment. A BIA should
prioritize the recovery of the most critical and vulnerable business functions or processes, which are identified by the risk assessment. A vendor audit should focus
on the areas of highest risk and concern, which are highlighted by the risk assessment.
Therefore, an IS auditor should recommend to management that completing a risk assessment is the most important action before selecting a SaaS vendor.
References:
• SaaS checklist: Nine factors to consider when selecting a vendor
• SaaS vendor management: 10 best practices to achieve success
• Best Practices for Software SaaS Vendor Selection and Negotiation
• How to Evaluate SaaS Providers and Solutions by Developing … - Gartner

NEW QUESTION 13
- (Topic 4)
An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data
classification in this project?

A. Information security officer
B. Database administrator (DBA)
C. Information owner
D. Data architect

Answer: C

Explanation:
The best option for the question is C, information owner. This is because:
• The information owner is the person or entity that has the authority and responsibility for the business processes and functions that collect, use, store, and dispose of data [1].
• The information owner is accountable for ensuring that the data is handled in compliance with the applicable laws, regulations, policies, and standards, such as the GDPR and the PIPEDA [1][2][3][4].
• The information owner is in the best position to determine the purpose and necessity of collecting and retaining data, as well as the risks and benefits associated with it [1].
• The information owner should consult with other stakeholders, such as the risk manager, the database administrator (DBA), and the privacy manager, to establish and implement appropriate data classification policies and procedures [2].
• Data classification is the process of organizing data in groups based on their attributes and characteristics, and then assigning class labels that describe a set of attributes that hold true for the corresponding data sets [3][4][5].
• Data classification helps organizations to identify, manage, protect, and understand their data, as well as to comply with modern data privacy regulations [3][4][5].
• Data classification also helps to determine appropriate user access levels, which means defining who can access, modify, share, or delete data based on their
roles, responsibilities, and needs [3][4][5].

Therefore, the information owner should be responsible for the data classification in an ERP migration project from local systems to the cloud (option C), as they
have the authority and accountability for the data and its protection.
The other options are not correct because:
• The information security officer (option A) is responsible for overseeing and coordinating the security policies and practices of the organization that involve data [6]. The information security officer should advise and assist the information owner on the best practices and standards for data security, but not determine the data classification.
• The database administrator (DBA) (option B) is responsible for installing, configuring, monitoring, maintaining, and improving the performance of databases and data stores that contain data [5]. The DBA should support the information owner in implementing and enforcing the data classification policies and procedures, but not determine them.
• The data architect (option D) is responsible for designing, modeling, and documenting the logical and physical structures of databases and data stores that contain data [7]. The data architect should collaborate with the information owner in creating and maintaining the data classification schema and metadata, but not determine them.

NEW QUESTION 14
- (Topic 4)
Which of the following is MOST likely to be a project deliverable of an agile software development methodology?

A. Strictly managed software requirements baselines
B. Extensive project documentation
C. Automated software programming routines
D. Rapidly created working prototypes

Answer: D

Explanation:
A project deliverable is a tangible or intangible product or service that is produced as a result of a project and delivered to the customer or stakeholder. A project
deliverable can be either an intermediate deliverable that is part of the project process or a final deliverable that is the outcome of the project.
An agile software development methodology is a project management approach that involves breaking the project into phases and emphasizes continuous
collaboration and improvement. Teams follow a cycle of planning, executing, and evaluating. Agile software development methodologies value working software
over comprehensive documentation and respond to change over following a plan.
Rapidly created working prototypes are most likely to be a project deliverable of an agile software development methodology because they:
• Provide early and frequent feedback from customers and stakeholders on the functionality and usability of the software product
• Allow for rapid validation and verification of the software requirements and design
• Enable continuous improvement and adaptation of the software product based on changing customer needs and expectations
• Reduce the risk of delivering a software product that does not meet customer needs or expectations
• Increase customer satisfaction and trust by delivering working software products frequently and consistently
Some examples of agile software development methodologies that use rapidly created working prototypes as project deliverables are:
• Scrum - a framework that organizes the work into fixed-length sprints (usually 2-4 weeks) and delivers potentially shippable increments of the software product at the end of each sprint [1]
• Extreme Programming (XP) - a methodology that focuses on delivering high-quality software products through practices such as test-driven development, pair programming, continuous integration, and frequent releases [2]
• Rapid Application Development (RAD) - a methodology that emphasizes rapid prototyping and user involvement throughout the software development process [3]
The other options are not likely to be project deliverables of an agile software development methodology.
Strictly managed software requirements baselines are not likely to be project deliverables of an agile software development methodology. A software requirements
baseline is a set of agreed-upon and approved software requirements that serve as the basis for the software design, development, testing, and delivery. A strictly
managed software requirements baseline is a software requirements baseline that is controlled and changed only through a formal change management process.
Strictly managed software requirements baselines are more suitable for traditional or waterfall software development methodologies that follow a linear and
sequential process of defining, designing, developing, testing, and delivering software products. Strictly managed software requirements baselines are not
compatible with agile software development methodologies that embrace change and flexibility in the software requirements based on customer feedback and
evolving needs.
Extensive project documentation is not likely to be a project deliverable of an agile software development methodology. Project documentation is any written or electronic information that describes or records the activities, processes, results, or decisions of a project. Extensive project documentation covers every aspect of the project in detail and requires significant time and effort to produce and maintain. It is more suitable for traditional or waterfall software development methodologies, which rely on comprehensive documentation to communicate the project scope, requirements, design, testing, and delivery. It is not compatible with agile software development methodologies, which value working software over comprehensive documentation and use minimal documentation to support communication and collaboration among the project team members.
Automated software programming routines are not likely to be project deliverables of an agile software development methodology. Automated software programming routines are programs or scripts that perform repetitive or complex tasks in the software development process without human intervention. They can improve the efficiency, quality, and consistency of the software development process by reducing human errors, saving time, and enforcing standards. They can be used in any software development methodology and are not specific to agile software development methodologies. They are not considered project deliverables because they are not part of the final product that is delivered to the customer.

NEW QUESTION 15
- (Topic 4)
An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the
upcoming year as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST?

A. Escalate to audit management to discuss the audit plan
B. Notify the chief operating officer (COO) and discuss the audit plan risks
C. Exclude IS audits from the upcoming year's plan
D. Increase the number of IS audits in the plan

Answer: A

Explanation:
The auditor should first escalate to audit management to discuss the audit plan. This is because the audit plan should be based on a risk assessment and aligned
with the organization’s objectives and strategies. The auditor should not accept the CIO’s request without proper justification and approval from the audit
management, who are responsible for ensuring the audit plan’s quality and independence. The auditor should also communicate the potential risks and
implications of not conducting IS audits in the upcoming year, such as missing new or emerging threats, vulnerabilities, or compliance issues. References:
- CISA Review Manual (Digital Version), Chapter 2, Section 2.1
- CISA Online Review Course, Domain 1, Module 1, Lesson 2

NEW QUESTION 16
- (Topic 4)
An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy.
What is the BEST way for the auditor to address this issue?

A. Recommend the application be patched to meet requirements.
B. Inform the IT director of the policy noncompliance.
C. Verify management has approved a policy exception to accept the risk.
D. Take no action since the application will be decommissioned in three months.

Answer: C

Explanation:
The best way for the auditor to address this issue is to verify management has approved a policy exception to accept the risk. A policy exception is a formal
authorization that allows a deviation from the established policy requirements for a specific situation or period of time. A policy exception should be based on a risk
assessment that evaluates the impact and likelihood of the potential threats and vulnerabilities, as well as the cost and benefit of the alternative controls. A policy
exception should also be documented, approved, and monitored by management.
Recommending the application be patched to meet requirements is not the best way for the auditor to address this issue. Patching the application may not be
feasible, cost-effective, or timely, given that the application will be decommissioned in three months. Patching the application may also introduce new risks or
errors that could affect the functionality or performance of the application.
Informing the IT director of the policy noncompliance is not the best way for the auditor to address this issue. Informing the IT director of the policy noncompliance
may not resolve the issue or mitigate the risk, especially if the IT director is already aware of the situation and has decided to accept it. Informing the IT director of
the policy noncompliance may also create unnecessary conflict or tension between the auditor and the auditee.
Taking no action since the application will be decommissioned in three months is not the best way for the auditor to address this issue. Taking no action may
expose the organization to significant risks or consequences, such as data breaches, regulatory fines, or reputational damage, if the application is compromised or
exploited by malicious actors. Taking no action may also violate the auditor’s professional standards and responsibilities, such as due care, objectivity, and
reporting.
References:
- ISACA, CISA Review Manual, 27th Edition, 2019, p. 289
- ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
- Cybersecurity Engineering for Legacy Systems: 6 Recommendations - SEI Blog
- How to Secure Your Company's Legacy Applications - iCorps

NEW QUESTION 17
- (Topic 4)
Which of the following BEST describes a digital signature?

A. It is under control of the receiver.
B. It is capable of authorization.
C. It dynamically validates modifications of data.
D. It is unique to the sender using it.

Answer: D

Explanation:
A digital signature is a type of electronic signature that uses cryptographic techniques to provide authentication, integrity, and non-repudiation of digital documents.
A digital signature is created by applying a mathematical function (called a hash function) to the document and then encrypting the result with the sender’s private
key. The encrypted hash, along with the sender’s public key and other information, forms the digital signature. The receiver can verify the digital signature by
decrypting it with the sender’s public key and comparing the hash with the one computed from the document. If they match, it means that the document has not
been altered and that it was signed by the owner of the private key.
Option D is correct because a digital signature is unique to the sender using it, as it depends on the sender’s private key, which only the sender knows and
controls. No one else can create a valid digital signature with the same private key, and no one can forge or modify a digital signature without being detected.
Option A is incorrect because a digital signature is not under control of the receiver, but rather under control of the sender. The receiver can only verify the digital
signature, but cannot create or modify it.
Option B is incorrect because a digital signature is not capable of authorization, but rather capable of authentication. Authorization is the process of granting or
denying access to resources based on predefined rules or policies. Authentication is the process of verifying the identity or legitimacy of a person or entity. A digital
signature can authenticate the sender of a document, but it cannot authorize what actions the receiver can perform on the document.
Option C is incorrect because a digital signature does not dynamically validate modifications of data, but rather statically validates the integrity of data. A digital
signature is based on a snapshot of the document at the time of signing, and any subsequent changes to the document will invalidate the digital signature. A digital
signature does not monitor or update itself based on data modifications.
References:
- CISA Online Review Course, Module 5: Protection of Information Assets, Lesson 2: Encryption Basics, slides 13-14.
- CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.2: Encryption Basics, pp. 273-274.
- CISA Review Manual (Print Version), Chapter 5: Protection of Information Assets, Section 5.2: Encryption Basics, pp. 273-274.
- CISA Questions, Answers & Explanations Database, Question ID: QAE_CISA_712.
- What Is a Digital Signature (and How Does it Work)
- What are digital signatures and certificates?
- Digital Signature Definition
- Examples and uses of electronic signatures
- What is an Electronic Signature?
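The hash-then-sign flow described in the explanation above, as an added example that is not from the CISA manual or the cited sources: a toy RSA signature in plain Python (standard library only, no padding scheme, short keys), used here only to show why the signature is unique to the holder of the private key, why the receiver can verify but not create it, and why any change to the signed data is detected. The document text and key sizes are constructed for the demonstration.

```python
"""Toy RSA digital signature: hash the document, then apply the signer's
private key to the hash; the receiver reverses that with the public key.
Added educational example; production code uses RSA-PSS or Ed25519 from a
vetted library, never this textbook construction."""
import hashlib
import secrets
from dataclasses import dataclass


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def generate_keypair(bits: int = 512):
    """Return (private, public); only the signer ever holds the private key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return PrivateKey(n, d), PublicKey(n, e)


def digest(document: bytes) -> int:
    """Step 1 of signing: hash the document to a fixed-size integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key: PrivateKey) -> int:
    """Step 2: apply the private key to the hash (the RSA signing primitive)."""
    h = digest(document)
    assert h < private_key.n, "hash must be smaller than the modulus"
    return pow(h, private_key.d, private_key.n)


def verify(document: bytes, signature: int, public_key: PublicKey) -> bool:
    """Receiver side: recover the hash with the public key and compare it
    with a fresh hash of the document actually received."""
    recovered = pow(signature, public_key.e, public_key.n)
    return recovered == digest(document)


def demo() -> dict:
    """Check the three properties the explanation relies on: a genuine
    signature verifies, a tampered document fails (integrity), and a
    signature made with someone else's private key fails (uniqueness)."""
    signer_priv, signer_pub = generate_keypair()
    other_priv, _ = generate_keypair()  # a party who is NOT the signer
    doc = b"Transfer 100.00 to account 123"  # constructed sample document
    sig = sign(doc, signer_priv)
    return {
        "valid": verify(doc, sig, signer_pub),
        "tampered_detected": not verify(b"Transfer 900.00 to account 123", sig, signer_pub),
        "forgery_detected": not verify(doc, sign(doc, other_priv), signer_pub),
    }
```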

NEW QUESTION 18
- (Topic 4)
Which of the following is a PRIMARY benefit of using risk assessments to determine areas to be included in an audit plan?

A. Timely audit execution
B. Effective allocation of audit resources
C. Reduced travel and expense costs
D. Effective risk mitigation

Answer: B

Explanation:
Using risk assessments to determine areas to be included in an audit plan is a primary benefit because it helps to prioritize the audit activities based on the level of
risk and the potential impact of the audit findings. This way, the audit resources, such as time, staff, and budget, can be allocated more efficiently and effectively to
the areas that need the most attention and provide the most value.
References:
- ISACA CISA Review Manual, 27th Edition, page 256
- What is the Purpose of a Risk Assessment?
- Mastering the Process of Risk Assessment

NEW QUESTION 19
- (Topic 4)
Which of the following is the BEST indication of effective IT investment management?

A. IT investments are implemented and monitored following a system development life cycle (SDLC)
B. IT investments are mapped to specific business objectives
C. Key performance indicators (KPIs) are defined for each business requiring IT Investment
D. The IT Investment budget is significantly below industry benchmarks

Answer: B

Explanation:
The best indication of effective IT investment management is that IT investments are mapped to specific business objectives. This means that the IT investments are aligned with the strategic goals and priorities of the organization, and that they deliver value and benefits to the business. Mapping IT investments to specific business objectives can help ensure that the IT investments are relevant, justified, and measurable, and that they support the organization's mission and vision.
IT investments are implemented and monitored following a system development life cycle (SDLC) is an indication of effective IT project management, but not
necessarily of effective IT investment management. The SDLC is a framework that guides the development and implementation of IT systems and applications, but
it does not address the alignment, justification, or measurement of the IT investments.
Key performance indicators (KPIs) are defined for each business requiring IT investment is an indication of effective IT performance management, but not
necessarily of effective IT investment management. KPIs are metrics that measure the outcomes and results of IT activities and processes, but they do not
address the alignment, justification, or value of the IT investments.
The IT investment budget is significantly below industry benchmarks is not an indication of effective IT investment management, but rather of low IT spending. The
IT investment budget should be based on the organization’s needs and capabilities, and not on external comparisons. A low IT investment budget may indicate
that the organization is underinvesting in IT, which could limit its potential for growth and innovation.

NEW QUESTION 20
- (Topic 4)
When auditing an organization's software acquisition process, the BEST way for an IS auditor to understand the software benefits to the organization would be to review the

A. feasibility study
B. business case
C. request for proposal (RFP)
D. alignment with IT strategy

Answer: B

Explanation:
The best way for an IS auditor to understand the software benefits to the organization would be to review the business case, which is a document that provides
the justification and rationale for acquiring a software solution based on its expected costs, benefits, risks, and alignment with the organization’s goals and
strategies. The business case helps to evaluate the feasibility and viability of the software acquisition and to support the decision-making process. A feasibility
study is a document that analyzes the technical, operational, economic, legal, and social aspects of a software solution to determine its feasibility and suitability for
the organization’s needs, but it does not necessarily provide a clear indication of the software benefits to the organization. A request for proposal (RFP) is a
document that solicits proposals from potential vendors or suppliers for a software solution based on the organization’s requirements and specifications, but it
does not necessarily provide a clear indication of the software benefits to the organization. The alignment with IT strategy is a factor that influences the software
acquisition process and ensures that the software solution supports and enables the organization’s IT strategy, but it is not a document that can be reviewed by an
IS auditor to understand the software
benefits to the organization. References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development & Implementation,
Section 3.1: Business Case Development

NEW QUESTION 21
- (Topic 4)
When testing the accuracy of transaction data, which of the following situations BEST justifies the use of a smaller sample size?

A. The IS audit staff has a high level of experience.
B. It is expected that the population is error-free.
C. Proper segregation of duties is in place.
D. The data can be directly changed by users.

Answer: B

Explanation:
The best situation that justifies the use of a smaller sample size when testing the accuracy of transaction data is B. It is expected that the population is error-free.
The sample size is the number of items selected from the population for testing. The sample size depends on various factors, such as the level of confidence, the
tolerable error rate, the expected error rate, and the variability of the population. A smaller sample size means that fewer items are tested, which reduces the cost
and time of testing, but also increases the sampling risk (the risk that the sample is not representative of the population).
One of the factors that affects the sample size is the expected error rate, which is the auditor’s best estimate of the proportion of errors in the population before
testing. A higher expected error rate means that more errors are likely to be found in the population, which requires a larger sample size to provide sufficient
evidence for the auditor’s conclusion. A lower expected error rate means that fewer errors are likely to be found in the population, which allows a smaller sample
size to provide sufficient evidence for the auditor’s conclusion. Therefore, if it is expected that the population is error-free (i.e., the expected error rate is zero or
very low), a smaller sample size can be justified.
The other situations do not justify the use of a smaller sample size when testing the accuracy of transaction data.
A. The IS audit staff has a high level of experience. The IS audit staff's level of experience does not affect the sample size, but rather their ability to design and execute the sampling procedures and evaluate the results. Their experience may affect their judgment in selecting and applying sampling methods, but it does not change the statistical or mathematical principles that determine the sample size.
C. Proper segregation of duties is in place. Proper segregation of duties is an internal control that helps prevent or detect errors or fraud in transaction processing, but it does not affect the sample size. The sample size is based on the characteristics of the population and the objectives of testing, not on the controls in place. Proper segregation of duties may reduce the likelihood or impact of errors or fraud in transaction processing, but it does not eliminate them completely. Therefore, proper segregation of duties does not justify a smaller sample size when testing the accuracy of transaction data.
D. The data can be directly changed by users. The data's ability to be directly changed by users does not justify a smaller sample size, but rather a larger one. It increases the risk of errors or fraud in transaction processing, which requires a larger sample size to provide sufficient evidence for the auditor's conclusion. It also increases the variability of the population, which affects the sample size.
References:
- ISACA, CISA Review Manual, 27th Edition, 2019, p. 247
- ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
- Audit Sampling - AICPA
- How to choose a sample size (for the statistically challenged)

NEW QUESTION 22
- (Topic 4)
Which of the following BEST addresses the availability of an online store?

A. RAID level 5 storage devices
B. Online backups
C. A mirrored site at another location
D. Clustered architecture

Answer: C

Explanation:
The primary benefit of automating application testing is to provide test consistency. Automated testing can ensure that the same test cases are executed in the
same manner and order every time, which can improve the reliability and accuracy of the test results. Providing more flexibility, replacing all manual test
processes, and reducing the time to review code are possible benefits of automating application testing, but they are not the primary benefit. References:
- ISACA, CISA Review Manual, 27th Edition, 2020, p. 309
- ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

NEW QUESTION 23
- (Topic 4)
An IS auditor reviewing incident response management processes notices that resolution times for reoccurring incidents have not shown improvement. Which of
the following is the auditor's BEST recommendation?

A. Harden IT system and application components based on best practices.
B. Incorporate a security information and event management (SIEM) system into incident response.
C. Implement a survey to determine future incident response training needs.
D. Introduce problem management into incident response.

Answer: D

Explanation:
The auditor’s best recommendation is D. Introduce problem management into incident response. Problem management is a practice that aims to identify, analyze,
and resolve the root causes of recurring incidents, and prevent or reduce their impact in the
future1. Problem management can help improve the resolution times for recurring incidents by eliminating or mitigating the underlying problems that cause them,
and by providing permanent solutions that can be reused or automated2. Problem management can also help improve the quality and efficiency of incident
response by reducing the workload and complexity of dealing with repetitive issues2.

NEW QUESTION 24
- (Topic 4)
How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?

A. Easy software version rollback
B. Smaller incremental changes
C. Fewer manual milestones
D. Automated software testing

Answer: B

Explanation:
A continuous integration/continuous development (CI/CD) process helps to reduce software failure risk by enabling smaller incremental changes to the software
code, rather than large and infrequent updates12. Smaller incremental changes allow developers to detect and fix errors, bugs, or vulnerabilities more quickly and
easily, and to ensure that the software is always in a working state34. Smaller incremental changes also reduce the complexity and uncertainty of the software
development process, and improve the quality and reliability of the software product5.
References:
1. What is CI/CD? Continuous integration and continuous delivery explained
2. 5 CI/CD challenges—and how to solve them | TechBeacon
3. Continuous Integration vs Continuous Delivery vs Continuous Deployment
4. 7 CI/CD Challenges & their Must-Know Solutions | BrowserStack
5. 5 common pitfalls of CI/CD—and how to avoid them | InfoWorld

NEW QUESTION 25
- (Topic 4)
A database administrator (DBA) should be prevented from:

A. having end user responsibilities
B. accessing sensitive information
C. having access to production files
D. using an emergency user ID

Answer: A

Explanation:
A database administrator (DBA) should be prevented from having end user responsibilities to avoid a conflict of interest and a violation of the principle of
segregation of duties. End user responsibilities may include initiating transactions, authorizing transactions, recording transactions or reconciling transactions. A
DBA who has end user responsibilities may compromise the integrity, confidentiality and availability of the data and the database systems. Accessing sensitive
information, having access to production files and using an emergency user ID are not end user responsibilities, but rather potential risks or controls associated
with the DBA role. References:
- Database Administrator (DBA) Definition
- Segregation of Duties | ISACA
- End User Definition

NEW QUESTION 26
- (Topic 4)
Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?

A. Establishing a risk appetite
B. Establishing a risk management framework
C. Validating enterprise risk management (ERM)
D. Operating the risk management framework

Answer: C

Explanation:
The primary role of an internal audit function in the management of identified business risks is to validate the enterprise risk management (ERM) process and
provide assurance on its effectiveness. The internal audit function should evaluate whether the ERM process is aligned with the organization’s objectives,
strategies, policies and culture, and whether it covers all relevant risks and controls. The internal audit function should also assess whether the ERM process is
operating as designed and producing reliable and timely information for decision making. The other options are not the primary role of an internal audit function,
but rather the responsibilities of senior management, board of directors or risk owners. References:
- ISACA, CISA Review Manual, 27th Edition, chapter 1, section 1.4
- ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1207

NEW QUESTION 27
- (Topic 4)
An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following
should be the IS auditor's NEXT course of action?

A. Identify existing mitigating controls.
B. Disclose the findings to senior management.
C. Assist in drafting corrective actions.
D. Attempt to exploit the weakness.

Answer: A

Explanation:
When an IS auditor discovers a security weakness in the database configuration, the next course of action should be to identify existing mitigating controls. This involves assessing whether any controls are already in place to address the weakness and mitigate the risk. Understanding the current state of controls helps the auditor determine the severity of the issue and whether additional corrective actions are necessary. References:
- https://www.isaca.org/resources/insights-and-expertise/audit-programs-and-tools

NEW QUESTION 28
- (Topic 4)
An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is
the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?

A. Differential backup
B. Full backup
C. Incremental backup
D. Mirror backup

Answer: D

Explanation:
A mirror backup is a type of backup that creates an exact copy of the source data to the destination, without using any compression or encryption. A mirror backup
is the best backup scheme to recommend given the need for a shorter restoration time in the event of a disruption, because it allows for the fastest and easiest
recovery of data. A mirror backup does not store any previous versions of the files, so it only reflects the current state of the source data. Therefore, a mirror
backup requires less storage space than a full backup, but more than an incremental or differential backup.
A differential backup is a type of backup that stores the changes made to the source data since the last full backup. A differential backup requires less storage
space and time than a full backup, but more than an incremental backup. However, a differential backup also requires more time and resources to restore than a
mirror or full backup, because it needs to combine the last full backup and the latest differential backup to recover the data.
A full backup is a type of backup that copies all the files and folders from the source data to the destination, regardless of whether they have changed or not. A full
backup provides the most complete protection of data and the simplest recovery process, but it also requires the most storage space and time to perform. A full
backup is usually done periodically, such as weekly or monthly, and followed by incremental or differential backups.
An incremental backup is a type of backup that stores the changes made to the source data since the last backup, whether it was a full or an incremental backup.
An incremental backup requires the least storage space and time to perform, but it also requires the most time and resources to restore, because it needs to
combine all the previous backups in chronological order to recover the data.
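The four schemes compared above, as an added simulation that is not from the CISA manual or its cited sources: it builds each backup chain over a constructed week of file changes, restores the latest state from each chain, and counts the backup sets the restore has to read, which is what drives the restoration time the question asks about. The file names and contents are constructed sample data; deletions are deliberately left out of the toy.

```python
"""Simulate full, differential, incremental and mirror backups over a
constructed week of changes, then restore the latest state from each
scheme and count the backup sets the restore had to read."""
from copy import deepcopy

# Constructed sample: the source dataset at the end of each day (Mon..Fri).
# A full backup is taken on Monday; the differential and incremental
# schemes build on that Monday full.
DAILY_STATES = [
    {"orders.db": "v1", "customers.db": "v1", "app.log": "d1"},
    {"orders.db": "v2", "customers.db": "v1", "app.log": "d2"},
    {"orders.db": "v2", "customers.db": "v2", "app.log": "d3"},
    {"orders.db": "v3", "customers.db": "v2", "app.log": "d4", "audit.log": "a1"},
    {"orders.db": "v3", "customers.db": "v3", "app.log": "d5", "audit.log": "a1"},
]


def delta(base, current):
    """Files that are new or changed in `current` relative to `base`
    (deletions are ignored to keep the toy simple)."""
    return {f: c for f, c in current.items() if base.get(f) != c}


def build_backups(states):
    """Return one chronological chain of (label, payload) sets per scheme."""
    monday = ("full@0", deepcopy(states[0]))
    full, differential, incremental = [monday], [monday], [monday]
    previous = states[0]
    for day, state in enumerate(states[1:], start=1):
        full.append((f"full@{day}", deepcopy(state)))                   # everything, every day
        differential.append((f"diff@{day}", delta(states[0], state)))  # changes since last full
        incremental.append((f"incr@{day}", delta(previous, state)))    # changes since last backup
        previous = state
    mirror = [("mirror", deepcopy(states[-1]))]  # exact copy of the current state only
    return {"full": full, "differential": differential,
            "incremental": incremental, "mirror": mirror}


def restore(scheme, chain):
    """Rebuild the latest state; return it with the labels of the sets read."""
    if scheme in ("full", "mirror"):
        label, payload = chain[-1]  # a single set is enough
        return deepcopy(payload), [label]
    if scheme == "differential":
        (flabel, fpayload), (dlabel, dpayload) = chain[0], chain[-1]
        state = deepcopy(fpayload)
        state.update(dpayload)  # last full + latest differential
        return state, [flabel, dlabel]
    if scheme == "incremental":
        state, used = {}, []
        for label, payload in chain:  # every set, in chronological order
            state.update(payload)
            used.append(label)
        return state, used
    raise ValueError(f"unknown scheme: {scheme}")


def restore_chain_lengths(states=DAILY_STATES):
    """Number of backup sets each scheme must read to restore the latest day,
    after checking that every scheme actually reproduces the source data."""
    lengths = {}
    for scheme, chain in build_backups(states).items():
        state, used = restore(scheme, chain)
        if state != states[-1]:
            raise RuntimeError(f"{scheme} restore diverged from the source")
        lengths[scheme] = len(used)
    return lengths
```

With the sample week, the mirror and full schemes restore from one set, the differential from two, and the incremental from all five in order, the dependency chain that makes incremental restores the slowest.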

NEW QUESTION 29
- (Topic 4)
An IS auditor is reviewing an organization's business intelligence infrastructure. The BEST recommendation to help the organization achieve a reasonable level of
data quality would be to:

A. review data against data classification standards.
B. outsource data cleansing to skilled service providers.
C. consolidate data stored across separate databases into a warehouse.
D. analyze the data against predefined specifications.

Answer: D

Explanation:
The best recommendation is to analyze the data against predefined specifications, because this is a method of data quality assessment that can help the organization achieve a reasonable level of data quality. Data quality assessment is the process of measuring and evaluating the accuracy, completeness, consistency, timeliness, validity, and usability of the data. Predefined specifications are the criteria or standards that define the expected or desired quality of the data. By comparing the actual data with the predefined specifications, the organization can identify and quantify any gaps, errors, or deviations in the data quality, and take corrective actions accordingly12.
Reviewing data against data classification standards (A) is not the best answer, because it is not a method of data quality assessment, but rather a method of data
security management. Data classification standards are the rules or guidelines that define the level of sensitivity and confidentiality of the data, and determine the
appropriate security and access controls for the data. For example, data can be classified into public, internal, confidential, or restricted categories. Reviewing data
against data classification standards can help the organization protect the data from unauthorized or inappropriate use or disclosure, but it does not directly
improve the data quality3.
Outsourcing data cleansing to skilled service providers (B) is not the best answer, because it is not a recommendation to help the organization achieve a
reasonable level of data quality, but rather a decision to delegate or transfer the responsibility of data quality management to external parties. Data cleansing is the
process of detecting and correcting any errors, inconsistencies, or anomalies in the data. Skilled service providers are third-party vendors or contractors that have
the expertise and resources to perform data cleansing tasks. Outsourcing data cleansing to skilled service providers may have some benefits, such as cost
savings, efficiency, or scalability, but it also has some risks, such as loss of control, dependency, or liability4.
Consolidating data stored across separate databases into a warehouse (C) is not the best answer, because it is not a method of data quality assessment, but rather
a method of data integration and storage. Data integration is the process of combining and transforming data from different sources and formats into a unified and
consistent view. Data warehouse is a centralized repository that stores integrated and historical data for analytical purposes. Consolidating data stored across
separate databases into a warehouse can help the organization improve the availability and accessibility of the data, but it does not necessarily improve the data
quality.

NEW QUESTION 30
- (Topic 4)
An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data. Which of the following is the
PRIMARY advantage of this approach?

A. Audit transparency
B. Data confidentiality
C. Professionalism
D. Audit efficiency

Answer: D

Explanation:
The primary advantage of this approach is that it improves audit efficiency. Audit efficiency is the measure of how well the audit resources are used to achieve the
audit objectives. Audit efficiency can be enhanced by using methods or techniques that can save time, cost, or effort without compromising the quality or scope of
the audit. By requesting direct access to data required to perform audit procedures instead of asking management to provide the data, the auditor can reduce the
dependency on management’s cooperation, availability, or timeliness. The auditor can also avoid potential delays, errors, or biases that may occur when
management provides the data. References:
- CISA Review Manual (Digital Version), Chapter 2, Section 2.4
- CISA Online Review Course, Domain 1, Module 1, Lesson 4

NEW QUESTION 31
......
