The latest ISACA CISA (Certified Information Systems Auditor) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the ISACA CISA exam and earn ISACA CISA certification.
Table of Contents
- CISA Question 481
- Question
- Answer
- Explanation
- CISA Question 482
- Question
- Answer
- Explanation
- CISA Question 483
- Question
- Answer
- Explanation
- CISA Question 484
- Question
- Answer
- Explanation
- CISA Question 485
- Question
- Answer
- Explanation
- CISA Question 486
- Question
- Answer
- Explanation
- CISA Question 487
- Question
- Answer
- Explanation
- CISA Question 488
- Question
- Answer
- Explanation
- CISA Question 489
- Question
- Answer
- Explanation
- CISA Question 490
- Question
- Answer
- Explanation
CISA Question 481
Question
During an application audit, an IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend?
A. Implement data backup and recovery procedures.
B. Define standards and closely monitor for compliance.
C. Ensure that only authorized personnel can update the database.
D. Establish controls to handle concurrent access problems.
Answer
A. Implement data backup and recovery procedures.
Explanation
Implementing data backup and recovery procedures is a corrective control, because backup and recovery procedures can be used to roll back database errors.
Defining or establishing standards is a preventive control, while monitoring for compliance is a detective control. Ensuring that only authorized personnel can update the database is a preventive control. Establishing controls to handle concurrent access problems is also a preventive control.
CISA Question 482
Question
During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.
Answer
A. review access control configuration.
Explanation
Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Since a postimplementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system, since these are usually vendor packages with user manuals. System testing should be performed before final user signoff.
CISA Question 483
Question
The reason a certification and accreditation process is performed on critical systems is to ensure that:
A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.
C. the systems have been tested to run on different platforms.
D. the systems have followed the phases of a waterfall model.
Answer
A. security compliance has been technically evaluated.
Explanation
Certified and accredited systems are systems that have had their security compliance technically evaluated for running on a specific production server. Choice B is incorrect because not all data of certified systems are encrypted. Choice C is incorrect because certified systems are evaluated to run in a specific environment.
Choice D is incorrect because a waterfall model is a software development methodology and not a reason for performing a certification and accreditation process.
CISA Question 484
Question
An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
A. correlation of semantic characteristics of the data migrated between the two systems.
B. correlation of arithmetic characteristics of the data migrated between the two systems.
C. correlation of functional characteristics of the processes between the two systems.
D. relative efficiency of the processes between the two systems.
Answer
A. correlation of semantic characteristics of the data migrated between the two systems.
Explanation
Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor’s main concern should be to verify that the interpretation of the data is the same in the new as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the database, and therefore are less important than the semantic characteristics. A review of the correlation of the functional characteristics or a review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.
CISA Question 485
Question
From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:
A. a big bang deployment after proof of concept.
B. prototyping and a one-phase deployment.
C. a deployment plan based on sequenced phases.
D. to simulate the new infrastructure before deployment.
Answer
C. a deployment plan based on sequenced phases.
Explanation
When developing a large and complex IT infrastructure, the best practice is to use a phased approach to fitting the entire system together. This will provide greater assurance of quality results. The other choices are riskier approaches.
CISA Question 486
Question
Which of the following would impair the independence of a quality assurance team?
A. Ensuring compliance with development methods
B. Checking the testing assumptions
C. Correcting coding errors during the testing process
D. Checking the code to ensure proper documentation
Answer
C. Correcting coding errors during the testing process
Explanation
Correction of code should not be a responsibility of the quality assurance team as it would not ensure segregation of duties and would impair the team’s independence. The other choices are valid quality assurance functions.
CISA Question 487
Question
Which of the following system and data conversion strategies provides the GREATEST redundancy?
A. Direct cutover
B. Pilot study
C. Phased approach
D. Parallel run
Answer
D. Parallel run
Explanation
Parallel runs are the safest, though the most expensive, approach, because both the old and new systems are run, thus incurring what might appear to be double costs. Direct cutover is actually quite risky, since it does not provide for a shakedown period, nor does it provide an easy fallback option. Both a pilot study and a phased approach are performed incrementally, making rollback procedures difficult to execute.
CISA Question 488
Question
An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?
A. Pilot
B. Parallel
C. Direct cutover
D. Phased
Answer
C. Direct cutover
Explanation
Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems.
All other alternatives are done gradually and thus provide greater recoverability and are therefore less risky.
CISA Question 489
Question
Which of the following is an implementation risk within the process of decision support systems?
A. Management control
B. Semistructured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processes
Answer
C. Inability to specify purpose and usage patterns
Explanation
The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a decision support system (DSS). Choices A, B and D are not risks, but characteristics of a DSS.
CISA Question 490
Question
At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
A. report the error as a finding and leave further exploration to the auditee’s discretion.
B. attempt to resolve the error.
C. recommend that problem resolution be escalated.
D. ignore the error, as it is not possible to get objective evidence for the software error.
Answer
C. recommend that problem resolution be escalated.
Explanation
When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted.
Recording it as a minor error and leaving it to the auditee’s discretion would be inappropriate, and neglecting the error would indicate that the auditor has not taken steps to further probe the issue to its logical end.