ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 9

The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A), with explanations, are available free and are intended to help you prepare for the ISACA CISA exam and earn the ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 941

Question

Data flow diagrams are used by IS auditors to:

A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.

Answer

C. graphically summarize data paths and storage.

Explanation

Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

CISA Question 942

Question

An integrated test facility is considered a useful audit tool because it:

A. is a cost-efficient approach to auditing application controls.
B. enables the financial and IS auditors to integrate their audit tests.
C. compares processing output with independently calculated data.
D. provides the IS auditor with a tool to analyze a large range of information.

Answer

C. compares processing output with independently calculated data.

Explanation

An integrated test facility is considered a useful audit tool because it runs test data through the same production programs and compares the processing output with independently calculated results. This involves setting up dummy entities on an application system and processing test or production data against those entities as a means of verifying processing accuracy.

CISA Question 943

Question

Which of the following would be the BEST population to take a sample from when testing program changes?

A. Test library listings
B. Source program listings
C. Program change requests
D. Production library listings

Answer

D. Production library listings

Explanation

The best source from which to draw any sample or test of system information is the automated system itself. The production libraries represent the executables that are approved and authorized to process organizational data. Reviewing source program listings would be time-intensive. Program change requests are the documents used to initiate change; there is no guarantee that a request exists or has been completed for every change. Test library listings do not represent the approved and authorized executables.

CISA Question 944

Question

During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:

A. test data to validate data input.
B. test data to determine system sort capabilities.
C. generalized audit software to search for address field duplications.
D. generalized audit software to search for account field duplications.

Answer

C. generalized audit software to search for address field duplications.

Explanation

Since the name is not the same (due to name variations), one method to detect duplications would be to compare other common fields, such as addresses. A subsequent review to determine common customer names at these addresses could then be conducted. Searching for duplicate account numbers would not likely find the duplications, since each name variation would most likely have been assigned a different account number. Test data would not be useful for determining the extent of any data characteristic; it only shows how the data were processed.

CISA Question 945

Question

Which audit technique provides the BEST evidence of the segregation of duties in an IS department?

A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights

Answer

C. Observation and interviews

Explanation

By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IS staff, the auditor can get an overview of the tasks performed. Based on the observations and interviews the auditor can evaluate the segregation of duties.
Management may not be aware of the detailed functions of each employee in the IS department; therefore, discussion with the management would provide only limited information regarding segregation of duties. An organization chart would not provide details of the functions of the employees. Testing of user rights would provide information about the rights they have within the IS systems, but would not provide complete information about the functions they perform.

CISA Question 946

Question

When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?

A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls can only be regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing

Answer

A. The point at which controls are exercised as data flow through the system

Explanation

An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect, since corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls. Choice D is incorrect and irrelevant since the existence and function of controls are what matter, not their classification.

CISA Question 947

Question

Which of the following would normally be the MOST reliable evidence for an auditor?

A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analysis developed by the IS auditor from reports supplied by line management

Answer

A. A confirmation letter received from a third party verifying an account balance

Explanation

Evidence obtained from independent third parties is almost always considered the most reliable. Choices B, C and D, which depend on management assertions, uncontrolled Internet sources, or management-supplied reports, would not be considered as reliable.

CISA Question 948

Question

Which of the following should be of MOST concern to an IS auditor?

A. Lack of reporting of a successful attack on the network
B. Failure to notify police of an attempted intrusion
C. Lack of periodic examination of access rights
D. Lack of notification to the public of an intrusion

Answer

A. Lack of reporting of a successful attack on the network

Explanation

Not reporting an intrusion is equivalent to an IS auditor hiding a malicious intrusion, which would be a professional mistake. Although notification to the police may be required and the lack of a periodic examination of access rights might be a concern, they do not represent as big a concern as the failure to report the attack. Reporting to the public is not a requirement and depends on the organization's willingness, or lack thereof, to make the intrusion known.

CISA Question 949

Question

In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:

A. identify and assess the risk assessment process used by management.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.

Answer

D. identify and evaluate the existing controls.

Explanation

Once the potential threats and possible impacts have been identified, the IS auditor should identify and evaluate the existing controls and security measures that address them. Upon completion of the audit, the IS auditor should describe and discuss with management the threats and potential impacts on the assets.

CISA Question 950

Question

During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:

A. create the procedures document.
B. terminate the audit.
C. conduct compliance testing.
D. identify and evaluate existing practices.

Answer

D. identify and evaluate existing practices.

Explanation

One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation, as doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.