Skip to Content

ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 5

The latest ISACA CISA (Certified Information Systems Auditor) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the ISACA CISA exam and earn ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 481

Question

During an application audit, an IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend?

A. Implement data backup and recovery procedures.
B. Define standards and closely monitor for compliance.
C. Ensure that only authorized personnel can update the database.
D. Establish controls to handle concurrent access problems.

Answer

A. Implement data backup and recovery procedures.

Explanation

Implementing data backup and recovery procedure is a corrective control, because backup and recovery procedures can be used to roll back database errors.
Defining or establishing standards is a preventive control, while monitoring for compliance is a detective control. Ensuring that only authorized personnel can update the database is a preventive control. Establishing controls to handle concurrent access problems is also a preventive control.

CISA Question 482

Question

During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:

A. review access control configuration
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.

Answer

A. review access control configuration

Explanation

Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Since a postimplementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system, since these are usually vendor packages with user manuals. System testing should be performed before final user signoff.

CISA Question 483

Question

The reason a certification and accreditation process is performed on critical systems is to ensure that:

A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.
C. the systems have been tested to run on different platforms.
D. the systems have followed the phases of a waterfall model.

Answer

A. security compliance has been technically evaluated.

Explanation

Certified and accredited systems are systems that have had their security compliance technically evaluated for running on a specific production server. Choice B is incorrect because not all data of certified systems are encrypted. Choice C is incorrect because certified systems are evaluated to run in a specific environment.
A waterfall model is a software development methodology and not a reason for performing a certification and accrediting process.

CISA Question 484

Question

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:

A. correlation of semantic characteristics of the data migrated between the two systems.
B. correlation of arithmetic characteristics of the data migrated between the two systems.
C. correlation of functional characteristics of the processes between the two systems.
D. relative efficiency of the processes between the two systems.

Answer

A. correlation of semantic characteristics of the data migrated between the two systems.

Explanation

Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor’s main concern should be to verify that the interpretation of the data is the same in the new as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the database, and therefore are less important than the semantic characteristics. A review of the correlation of the functional characteristics or a review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

CISA Question 485

Question

From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:

A. a big bang deployment after proof of concept.
B. prototyping and a one-phase deployment.
C. a deployment plan based on sequenced phases.
D. to simulate the new infrastructure before deployment.

Answer

C. a deployment plan based on sequenced phases.

Explanation

When developing a large and complex IT infrastructure, the best practice is to use a phased approach to fitting the entire system together. This will provide greater assurance of quality results. The other choices are riskier approaches.

CISA Question 486

Question

Which of the following would impair the independence of a quality assurance team?

A. Ensuring compliance with development methods
B. Checking the testing assumptions
C. Correcting coding errors during the testing process
D. Checking the code to ensure proper documentation

Answer

C. Correcting coding errors during the testing process

Explanation

Correction of code should not be a responsibility of the quality assurance team as it would not ensure segregation of duties and would impair the team’s independence. The other choices are valid quality assurance functions.

CISA Question 487

Question

Which of the following system and data conversion strategies provides the GREATEST redundancy?

A. Direct cutover
B. Pilot study
C. Phased approach
D. Parallel run

Answer

D. Parallel run

Explanation

Parallel runs are the safest-though the most expensive-approach, because both the old and new systems are run, thus incurring what might appear to be double costs. Direct cutover is actually quite risky, since it does not provide for a ‘shake down period’ nor does it provide an easy fallback option. Both a pilot study and a phased approach are performed incrementally, making rollback procedures difficult to execute.

CISA Question 488

Question

An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?

A. Pilot
B. Parallel
C. Direct cutover
D. Phased

Answer

C. Direct cutover

Explanation

Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems.
All other alternatives are done gradually and thus provide greater recoverability and are therefore less risky.

CISA Question 489

Question

Which of the following is an implementation risk within the process of decision support systems?

A. Management control
B. Semistructured dimensions
C. inability to specify purpose and usage patterns
D. Changes in decision processes

Answer

C. inability to specify purpose and usage patterns

Explanation

The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a decision support system (DSS). Choices A, B and D are not risks, but characteristics of a DDS.

CISA Question 490

Question

At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:

A. report the error as a finding and leave further exploration to the auditee’s discretion.
B. attempt to resolve the error.
C. recommend that problem resolution be escalated.
D. ignore the error, as it is not possible to get objective evidence for the software error.

Answer

C. recommend that problem resolution be escalated.

Explanation

When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted.
Recording it as a minor error and leaving it to the auditee’s discretion would be inappropriate, and neglecting the error would indicate that the auditor has not taken steps to further probe the issue to its logical end.

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. We need money to operate the site, and almost all of it comes from online advertising. Please support us by disabling these ads blocker.

Please disable ad blocker