CISA Practice Database Verified Exam Questions and Answers
The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large number of transactions.
D. does not depend on the complexity of an organization's computer systems.
Answer (1.1): The correct answer is C.
The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization's computer systems.
Which of the following ensures the availability of transactions in the event of a disaster?
A. Send tapes hourly containing transactions offsite.
B. Send tapes daily containing transactions offsite.
C. Capture transactions to multiple storage devices.
D. Transmit transactions offsite in real time.
Answer (4.10): The correct answer is D.
The only way to ensure availability of all transactions is to perform a real-time transmission to an offsite facility. Choices A and B are not in real time and, therefore, would not include all the transactions. Choice C does not ensure availability at an offsite location.
An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement (SLA)?
A. Overall number of users supported
B. Percentage of incidents solved in the first call
C. Number of incidents reported to the help desk
D. Number of agents answering the phones
Answer (4.2): The correct answer is B.
Since it is about service level (performance) indicators, the percentage of incidents solved on the first call is the only option that is relevant. Choices A, C and D are not quality measures of the help desk service.
Which of the following will MOST successfully identify overlapping key controls in business application systems?
A. Reviewing system functionalities that are attached to complex business processes
B. Submitting test transactions through an integrated test facility (ITF)
C. Replacing manual monitoring with an automated auditing solution
D. Testing controls to validate that they are effective
Answer: The correct answer is C.
As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts have the opportunity to come across unnecessary or overlapping key controls in existing systems. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure has been established from the beginning, finding any overlap in control will not be possible. An ITF is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.
Overall business risk for a particular threat can be expressed as:
A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.
Answer (2-8): The correct answer is A.
Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process, but is often used and sometimes quite sensible.
An IS auditor observes that one of the servers on the perimeter network is running a vulnerable operating system. What is the MOST likely implication due to the existence of a system vulnerability?
A. The server is susceptible to an attack.
B. An attack will occur.
C. A control must be designed as a countermeasure.
D. The likelihood of threats will increase.
Answer (5.1): The correct answer is A.
Vulnerabilities, if not addressed, leave the server at risk of being attacked. The existence of a vulnerability does not automatically imply that an attack will occur. A control may be designed only if it would be cost-effective. The existence of a vulnerability does not increase the likelihood of threats to a system.
Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?
A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas
Answer (5.4): The correct answer is C.
Water sprinklers, with an automatic power shutoff system, are accepted as efficient because they can be set to automatic release without threat to life, and water is environmentally friendly. Sprinklers must be dry-pipe to prevent the risk of leakage. Halon is efficient and effective as it does not threaten human life and, therefore, can be set to automatic release, but it is environmentally damaging and very expensive. Water is an acceptable medium but the pipes should be empty to avoid leakage, so a full system is not a viable option. Carbon dioxide is accepted as an environmentally acceptable gas, but it is less efficient because it cannot be set to automatic release in a staffed site since it threatens life.
Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process?
A. The encryption algorithm format
B. The detailed internal control procedures
C. The necessary communication protocols
D. The proposed trusted third-party agreement
Answer (3.4): The correct answer is C.
Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must be included, as there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.
What kind of software application testing is considered the final stage of testing and typically includes users outside the development team?
A. Alpha testing
B. White box testing
C. Regression testing
D. Beta testing
Answer (3.5): The correct answer is D.
Beta testing is the final stage of testing and typically includes users outside the development area. Beta testing is a form of user acceptance testing (UAT), and generally involves a limited number of users who are external to the development effort. Alpha testing is the testing stage just before beta testing. Alpha testing is typically performed by programmers and business analysts, instead of users. Alpha testing is used to identify bugs or glitches that can be fixed before beta testing begins with external users. White box testing is performed much earlier in the software