The latest ISACA CISA (Certified Information Systems Auditor) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the ISACA CISA exam and earn ISACA CISA certification.
Table of Contents
- CISA Question 1721
- Question
- Answer
- Explanation
- CISA Question 1722
- Question
- Answer
- Explanation
- CISA Question 1723
- Question
- Answer
- Explanation
- CISA Question 1724
- Question
- Answer
- Explanation
- CISA Question 1725
- Question
- Answer
- Explanation
- CISA Question 1726
- Question
- Answer
- Explanation
- CISA Question 1727
- Question
- Answer
- Explanation
- CISA Question 1728
- Question
- Answer
- Explanation
- CISA Question 1729
- Question
- Answer
- Explanation
- CISA Question 1730
- Question
- Answer
- Explanation
CISA Question 1721
Question
An organization has just completed their annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization?
A. Review and evaluate the business continuity plan for adequacy
B. Perform a full simulation of the business continuity plan
C. Train and educate employees regarding the business continuity plan
D. Notify critical contacts in the business continuity plan
Answer
A. Review and evaluate the business continuity plan for adequacy
Explanation
The business continuity plan should be reviewed every time a risk assessment is completed for the organization. Training of the employees and a simulation should be performed after the business continuity plan has been deemed adequate for the organization. There is no reason to notify the business continuity plan contacts at this time.
CISA Question 1722
Question
During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be ineffective.
Answer
B. execution of the disaster recovery plan could be impacted.
Explanation
Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem and severity assessment would provide information necessary in declaring a disaster. Once a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying this step until a disaster has been declared would negate the effect of having response teams. Potential crisis recognition is the first step in responding to a disaster.
CISA Question 1723
Question
During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the:
A. responsibility for maintaining the business continuity plan.
B. criteria for selecting a recovery site provider.
C. recovery strategy.
D. responsibilities of key personnel.
Answer
C. recovery strategy.
Explanation
The most appropriate strategy is selected based on the relative risk level and criticality identified in the business impact analysis (BIA.) The other choices are made after the selection or design of the appropriate recovery strategy.
CISA Question 1724
Question
With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the:
A. clarity and simplicity of the business continuity plans.
B. adequacy of the business continuity plans.
C. effectiveness of the business continuity plans.
D. ability of IS and end-user personnel to respond effectively in emergencies.
Answer
A. clarity and simplicity of the business continuity plans.
Explanation
The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. To evaluate adequacy, the IS auditor should review the plans and compare them to appropriate standards. To evaluate effectiveness, the IS auditor should review the results from previous tests. This is the best determination for the evaluation of effectiveness. An understanding of roles and responsibilities by key stakeholders will assist in ensuring the business continuity plan is effective. To evaluate the response, the IS auditor should review results of continuity tests. This will provide the IS auditor with assurance that target and recovery times are met. Emergency procedures and employee training need to be reviewed to determine whether the organization had implemented plans to allow for the effective response.
CISA Question 1725
Question
The BEST method for assessing the effectiveness of a business continuity plan is to review the:
A. plans and compare them to appropriate standards.
B. results from previous tests.
C. emergency procedures and employee training.
D. offsite storage and environmental controls.
Answer
B. results from previous tests.
Explanation
Previous test results will provide evidence of the effectiveness of the business continuity plan. Comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness.
Reviewing emergency procedures, offsite storage and environmental controls would provide insight into some aspects of the plan but would fall short of providing assurance of the plan’s overall effectiveness.
CISA Question 1726
Question
Which of the following insurance types provide for a loss arising from fraudulent acts by employees?
A. Business interruption
B. Fidelity coverage
C. Errors and omissions
D. Extra expense
Correct Answer: B
Answer
B. Fidelity coverage
Explanation
Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees. Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization. Errors and omissions insurance provides legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client. Extra expense insurance is designed to cover the extra costs of continuing operations following a disaster/ disruption within an organization.
CISA Question 1727
Question
Which of the following would be MOST important for an IS auditor to verify when conducting a business continuity audit?
A. Data backups are performed on a timely basis
B. A recovery site is contracted for and available as needed
C. Human safety procedures are in place
D. insurance coverage is adequate and premiums are current
Answer
C. Human safety procedures are in place
Explanation
The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.
CISA Question 1728
Question
In the event of a disruption or disaster, which of the following technologies provides for continuous operations?
A. Load balancing
B. Fault-tolerant hardware
C. Distributed backups
D. High-availability computing
Answer
B. Fault-tolerant hardware
Explanation
Fault-tolerant hardware is the only technology that currently supports continuous, uninterrupted service. Load balancing is used to improve the performance of the server by splitting the work between several servers based on workloads. High-availability (HA) computing facilities provide a quick but not continuous recovery, while distributed backups require longer recovery times.
CISA Question 1729
Question
In determining the acceptable time period for the resumption of critical business processes:
A. only downtime costs need to be considered.
B. recovery operations should be analyzed.
C. both downtime costs and recovery costs need to be evaluated.
D. indirect downtime costs should be ignored.
Answer
C. both downtime costs and recovery costs need to be evaluated.
Explanation
Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a recovery strategy that represents the optimal balance.
Downtime costs cannot be looked at in isolation.
The quicker information assets can be restored and business processing resumed, the smaller the downtime costs. However, the expenditure needed to have the redundant capability required to recover information resources might be prohibitive for nonessential business processes.
Recovery operations do not determine the acceptable time period for the resumption of critical business processes, and indirect downtime costs should be considered in addition to the direct cash outflows incurred due to business disruption. The indirect costs of a serious disruption to normal business activity, e.g., loss of customer and supplier goodwill and loss of market share, may actually be more significant than direct costs over time, thus reaching the point where business viability is threatened.
CISA Question 1730
Question
The PRIMARY objective of testing a business continuity plan is to:
A. familiarize employees with the business continuity plan.
B. ensure that all residual risks are addressed.
C. exercise all possible disaster scenarios.
D. identify limitations of the business continuity plan.
Answer
D. identify limitations of the business continuity plan.
Explanation
Testing the business continuity plan provides the best evidence of any limitations that may exist. Familiarizing employees with the business continuity plan is a secondary benefit of a test. It is not cost effective to address residual risks in a business continuity plan, and it is not practical to test all possible disaster scenarios.