The latest ISACA CISA (Certified Information Systems Auditor) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the ISACA CISA exam and earn ISACA CISA certification.
Table of Contents
- CISA Question 621
- Question
- Answer
- Explanation
- CISA Question 622
- Question
- Answer
- Explanation
- CISA Question 623
- Question
- Answer
- Explanation
- CISA Question 624
- Question
- Answer
- Explanation
- CISA Question 625
- Question
- Answer
- Explanation
- CISA Question 626
- Question
- Answer
- Explanation
- CISA Question 627
- Question
- Answer
- Explanation
- CISA Question 628
- Question
- Answer
- Explanation
- CISA Question 629
- Question
- Answer
- Explanation
- CISA Question 630
- Question
- Answer
- Explanation
CISA Question 621
Question
An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan
Answer
A. References from other customers
Explanation
An IS auditor should look for an independent verification that the ISP can perform the tasks being contracted for. References from other customers would provide an independent, external review and verification of procedures and processes the ISP follows-issues which would be of concern to an IS auditor. Checking references is a means of obtaining an independent verification that the vendor can perform the services it says it can. A maintenance agreement relates more to equipment than to services, and a conversion plan, while important, is less important than verification that the ISP can provide the services they propose.
CISA Question 622
Question
When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?
A. There could be a question regarding the legal jurisdiction.
B. Having a provider abroad will cause excessive costs in future audits.
C. The auditing process will be difficult because of the distance.
D. There could be different auditing norms.
Answer
A. There could be a question regarding the legal jurisdiction.
Explanation
In the funds transfer process, when the processing scheme is centralized in a different country, there could be legal issues of jurisdiction that might affect the right to perform a review in the other country. The other choices, though possible, are not as relevant as the issue of legal jurisdiction.
CISA Question 623
Question
An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property.
D. application development methodology.
Answer
C. ownership of intellectual property.
Explanation
Of the choices, the hardware and access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. Similarly, the development methodology should be of no real concern. The contract must, however, specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract.
CISA Question 624
Question
Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor’s business continuity plan?
A. Yes, because an IS auditor will evaluate the adequacy of the service bureau’s plan and assist their company in implementing a complementary plan.
B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureau’s business continuity plan is proprietary information.
Answer
A. Yes, because an IS auditor will evaluate the adequacy of the service bureau’s plan and assist their company in implementing a complementary plan.
Explanation
The primary responsibility of an IS auditor is to assure that the company assets are being safeguarded. This is true even if the assets do not reside on the immediate premises. Reputable service bureaus will have a well-designed and tested business continuity plan.
CISA Question 625
Question
Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider’s fees
D. Monitoring the outsourcing provider’s performance
Answer
D. Monitoring the outsourcing provider’s performance
Explanation
In an outsourcing environment, the company is dependent on the performance of the service provider. Therefore, it is critical the outsourcing provider’s performance be monitored to ensure that services are delivered to the company as required. Payment of invoices is a finance function, which would be completed per contractual requirements. Participating in systems design is a byproduct of monitoring the outsourcing provider’s performance, while renegotiating fees is usually a one-time activity.
CISA Question 626
Question
After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk?
A. Project management and progress reporting is combined in a project management office which is driven by external consultants.
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company’s legacy systems.
D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.
Answer
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
Explanation
The efforts should be consolidated to ensure alignment with the overall strategy of the post-merger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. In post-merger integration programs, it is common to form project management offices to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project deliverables or resources. The experience of external consultants can be valuable since project management practices do not require in-depth knowledge of the legacy systems. This can free up resources for functional tasks. Itis a good idea to first get familiar with the old systems, to understand what needs to be done in a migration and to evaluate the implications of technical decisions. In most cases, mergers result in application changes and thus in training needs as organizations and processes change to leverage the intended synergy effects of the merger.
CISA Question 627
Question
Which of the following BEST supports the prioritization of new IT projects?
A. Internal control self-assessment (CSA)
B. Information systems audit
C. Investment portfolio analysis
D. Business risk assessment
Answer
C. Investment portfolio analysis
Explanation
It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy, but will provide the rationale for terminating nonperforming IT projects. Internal control self-assessment (CSA) may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the prioritization of IT projects. Like internal CSA, IS audits may provide only part of the picture for the prioritization of IT projects.
Business risk analysis is part of the investment portfolio analysis but, by itself, is not the best method for prioritizing new IT projects.
CISA Question 628
Question
In the context of effective information security governance, the primary objective of value delivery is to:
A. optimize security investments in support of business objectives.
B. implement a standard set of security practices.
C. institute a standards-based solution.
D. implement a continuous improvement culture.
Answer
A. optimize security investments in support of business objectives.
Explanation
In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event.
CISA Question 629
Question
A benefit of open system architecture is that it:
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.
Answer
A benefit of open system architecture is that it:
Explanation
Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers’ systems cannot or will not interface with existing systems.
CISA Question 630
Question
To assist an organization in planning for IT investments, an IS auditor should recommend the use of:
A. project management tools.
B. an object-oriented architecture.
C. tactical planning.
D. enterprise architecture (EA).
Answer
D. enterprise architecture (EA).
Explanation
Enterprise architecture (EA) involves documenting the organization’s IT assets and processes in a structured manner to facilitate understanding, management and planning for IT investments. It involves both a current state and a representation of an optimized future state.
In attempting to complete an EA, organizations can address the problem either from a technology perspective or a business process perspective. Project management does not consider IT investment aspects; it is a tool to aid in delivering projects. Object-oriented architecture is a software development methodology and does not assist in planning for IT investment, while tactical planning is relevant only after highlevel IT investment decisions have been made.