CISA Online Practice Questions and Answers

Correct Answer: D

Residual risk from the findings of previous audits should be the primary basis for prioritizing follow-up audits, because it reflects the level of exposure and potential impact that remains after management has implemented corrective actions or accepted the risk. Follow-up audits should focus on verifying whether the residual risk is within acceptable levels and whether the corrective actions are effective and sustainable. Audit cycle defined in the audit plan, complexity of management's action plans, and recommendation from executive management are not valid criteria for prioritizing follow-up audits, because they do not consider the residual risk from previous audits. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4.3

Correct Answer: A

The IS auditor's primary concern when an organization has recently implemented a Voice-over IP (VoIP) communication system is a single point of failure for both voice and data communications. VoIP is a technology that allows voice communication over IP networks such as the internet. VoIP can offer benefits such as lower costs, higher flexibility, and better integration with other applications. However, VoIP also introduces risks such as dependency on network availability, performance, and security. If both voice and data communications share the same network infrastructure and devices, then a single point of failure can affect both services simultaneously and cause significant disruption to business operations. Therefore, the IS auditor should evaluate the availability and redundancy of the network components and devices that support VoIP communication. The other options are not as critical as a single point of failure for both voice and data communications, as they do not pose a direct threat to business continuity. References: CISA Review Manual, 27th Edition, page 385

Correct Answer: A

The most effective control over visitor access to highly secured areas is to require visitors to be escorted by authorized personnel. This control ensures that visitors are supervised at all times and do not enter any restricted or sensitive areas without permission. It also allows authorized personnel to verify the identity, purpose, and clearance of the visitors, and to monitor their behavior and activities. Escorting visitors also reduces the risk of tailgating, piggybacking, or unauthorized duplication of access credentials. Requiring visitors to use biometric authentication, monitoring visitors online by security cameras, and requiring visitors to enter through dead-man doors are all examples of technical controls that can enhance visitor access control, but they are not as effective as escorting visitors. Biometric authentication can provide a high level of identity verification, but it does not prevent visitors from accessing unauthorized areas or compromising security in other ways. Security cameras can provide a record of visitor movements and actions, but they may not deter or detect security breaches in real time. Dead-man doors can prevent unauthorized entry by requiring two-factor authentication, but they do not ensure that visitors are accompanied by authorized personnel. References: ISC Best Practices for Facility Access Control Visitor Management Best Practices From Top Organizations2 8 Best Practices for Setting Up a Visitor Management System

Correct Answer: C

Correct Answer: D

Correct Answer: A

Correct Answer: A

The Data Owner is the person who has been entrusted with a data set that belong to the company. As such they are responsible to classify the data according to it's value and sensitivity. The Data Owner decides who will get access to the data, what type of access would be granted. The Data Owner will tell the Data Custodian or System Administrator what access to configure within the systems.

A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to information assets. They ensure that the business information is protected with appropriate controls. Periodically, the information asset owners need to review the classification and access rights associated with information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners or their delegates are responsible for understanding the risks that exist with regards to the information that they control.

The following answers are incorrect:

Executive Management/Senior Management - Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know.

Security Officer - The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines.

End User - The end user does not decide on classification of the data

Reference:

CISA review manual 2014 page number 108 Official ISC2 guide to CISSP CBK 3rd Edition Page number 342

Correct Answer: C

Correct Answer: D

A procedure used during accounting audits to check for errors in balance sheets and other financial documentation. A substantive test might involve checking a random sample of transactions for errors, comparing account balances to find

discrepancies, or analysis and review of procedures used to execute and record transactions.

Substantive testing is the stage of an audit when the auditor gathers evidence as to the extent of misstatements in client's accounting records or other information. This evidence is referred to as substantive evidence and is an important factor

in determining the auditor's opinion on the financial statements as a whole. The audit procedures used to gather this evidence are referred to as substantive procedures, or substantive tests. Substantive procedures (or substantive tests) are

those activities performed by the auditor during the substantive testing stage of the audit that gather evidence as to the completeness, validity and/or accuracy of account balances and underlying classes of transactions.

Account balances and underlying classes of transaction must not contain any material misstatements. They must be materially complete, valid and accurate. Auditors gather evidence about these assertions by undertaking substantive

procedures, which may include:

Physically examining inventory on balance date as evidence that inventory shown in the accounting records actually exists (validity assertion); Arranging for suppliers to confirm in writing the details of the amount owing at balance date as

evidence that accounts payable is complete (completeness assertion); and Making inquiries of management about the collectability of customers' accounts as evidence that trade debtors is accurate as to its valuation. Evidence that an

account balance or class of transaction is not complete, valid or accurate is evidence of a substantive misstatement.

The following answers are incorrect:

Compliance Testing - Compliance testing is basically an audit of a system carried out against a known criterion.

Sanity testing - Testing to determine if a new software version is performing well enough to accept it for a major testing effort. If application is crashing for initial use, then system is not stable enough for further testing and build or application is

assigned to fix.

Recovery testing ?Testing how well a system recovers from crashes, hardware failures, or other catastrophic problems.

Reference:

CISA review manual 2014 page number 52 and 53

http://www.businessdictionary.com/definition/compliance-test.html

Correct Answer: B