Real CISA Exam PDF Test Engine Practice Test Questions
ISACA CISA Real 2021 Braindumps Mock Exam Dumps
Information Systems Auditing Process: This topic area evaluates your ability to provide conclusions on the status of IS/IT security, control, and risk solutions of an organization. It will measure your skills in the following subsections:
- Planning – IS audit standards, guidelines and codes of ethics; business processes; types of controls; risk-based audit planning; types of assessments and audits;
- Execution – audit project management; sampling methodology; data analytics; communication and reporting methods; audit evidence collection methods.
NEW QUESTION 378
Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?
- A. Centralizing procedures and implementing change control
- B. Developing and implementing an audit data repository
- C. Decentralizing procedures and implementing periodic peer review
- D. Developing and communicating test procedure best practices to audit teams
Answer: A
NEW QUESTION 379
A characteristic of a digital signature is that it:
- A. is under control of the receiver.
- B. has a reproducible hashing algorithm.
- C. is unique to the message.
- D. is validated when data are changed.
Answer: C
NEW QUESTION 380
When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?
- A. The point at which controls are exercised as data flow through the system
- B. Only preventive and detective controls are relevant
- C. Classification allows an IS auditor to determine which controls are missing
- D. Corrective controls can only be regarded as compensating
Answer: A
Explanation:
An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect, since corrective controls remove or reduce the effects of errors or irregularities and are exclusively regarded as compensating controls. Choice D is incorrect and irrelevant since the existence and function of controls is important, not the classification.
NEW QUESTION 381
Allowing application programmers to directly patch or change code in production programs increases risk of fraud. True or false?
- A. False
- B. True
Answer: B
Explanation:
Allowing application programmers to directly patch or change code in production programs increases risk of fraud.
NEW QUESTION 382
An accuracy measure for a biometric system is:
- A. false-acceptance rate.
- B. registration time.
- C. system response time.
- D. input file size.
Answer: A
Explanation:
For a biometric solution three main accuracy measures are used: false-rejection rate (FRR), cross-error rate (CER) and false-acceptance rate (FAR). FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the false-acceptance rate. Choices A and B are performance measures.
NEW QUESTION 383
Which of the following may be deployed in a network as lower cost surveillance and early-warning tools?
- A. Stateful inspection firewalls
- B. Hardware IDSs
- C. Botnets
- D. Hardware IPSs
- E. Stateful logging facilities
- F. None of the choices.
- G. Honeypots
Answer: G
Explanation:
Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools. Techniques used by attackers who attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques.
NEW QUESTION 384
An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:
- A. suspend the audit.
- B. place greater reliance on previous audits.
- C. conclude that the controls are inadequate.
- D. expand the scope to include substantive testing.
Answer: D
Explanation:
Section: Protection of Information Assets
If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests. There is no evidence that whatever controls might exist are either inadequate or adequate. Placing greater reliance on previous audits or suspending the audit are inappropriate actions as they provide no current knowledge of the adequacy of the existing controls.
NEW QUESTION 385
What can be implemented to provide the highest level of protection from external attack?
- A. Configuring two load-sharing firewalls facilitating VPN access from external hosts to internal hosts
- B. Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host
- C. Configuring the firewall as the protecting bastion host
- D. Configuring the firewall as a screened host behind a router
Answer: B
Explanation:
Section: Protection of Information Assets
Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host provides a higher level of protection from external attack than all other answers.
NEW QUESTION 386
The ultimate purpose of IT governance is to:
- A. centralize control of IT.
- B. reduce IT costs.
- C. encourage optimal use of IT.
- D. decentralize IT resources across the organization.
Answer: C
Explanation:
IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired.
An example of where it might be desired is an enterprise desiring a single point of customer contact.
NEW QUESTION 387
Which of the following is a distinctive feature of the Secure Electronic Transactions (SET) protocol when used for electronic credit card payments?
- A. The buyer is liable for any transaction involving his/her personal SET certificates.
- B. The buyer is assured that neither the merchant nor any other party can misuse their credit card data.
- C. All personal SET certificates are stored securely in the buyer's computer.
- D. The payment process is simplified, as the buyer is not required to enter a credit card number and an expiration date.
Answer: A
Explanation:
The usual agreement between the credit card issuer and the cardholder stipulates that the cardholder assumes responsibility for any use of their personal SET certificates for e-commerce transactions. Depending upon the agreement between the merchant and the buyer's credit card issuer, the merchant will have access to the credit card number and expiration date. Secure data storage in the buyer's computer (local computer security) is not part of the SET standard. Although the buyer is not required to enter their credit card data, they will have to handle the wallet software.
NEW QUESTION 388
Which of the following is MOST important when an incident may lead to prosecution?
- A. Independent assessment
- B. Impact analysis
- C. Preservation of evidence
- D. Timely incident detection
Answer: C
Explanation:
Section: Information System Operations, Maintenance and Support
NEW QUESTION 389
An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies?
- A. Parsing
- B. Digitalized signatures
- C. Steganography
- D. Hashing
Answer: C
Explanation:
Section: Protection of Information Assets
Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographic technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities. Digitalized signatures are not related to digital rights management. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing.
NEW QUESTION 390
The advantage of a bottom-up approach to the development of organizational policies is that the policies:
- A. will not conflict with overall corporate policy.
- B. are more likely to be derived as a result of a risk assessment.
- C. ensure consistency across the organization.
- D. are developed for the organization as a whole.
Answer: B
Explanation:
Section: Protection of Information Assets
A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments. Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies. Choices A, C and D are advantages of a top-down approach for developing organizational policies. This approach ensures that the policies will not be in conflict with overall corporate policy and ensures consistency across the organization.
NEW QUESTION 391
What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)?
- A. The cost of these devices multiplied by all the employees could be high
- B. The copying of sensitive data on them
- C. They facilitate the spread of malicious code through the corporate network
- D. The copying of songs and videos on them
Answer: B
Explanation:
The MAIN concern with MP3 players and flash drives is data leakage, especially of sensitive information. This could occur if the devices were lost or stolen. The risk when copying songs and videos is copyright infringement, but this is normally a less important risk than information leakage. Choice C is hardly an issue because employees normally buy the portable media with their own funds. Choice D is a possible risk, but not as important as information leakage and can be reduced by other controls.
NEW QUESTION 392
In the 2c area of the diagram, there are three hubs connected to each other. What potential risk might this indicate?
- A. Virus attack
- B. Poor management controls
- C. Vulnerability to external hackers
- D. Performance degradation
Answer: D
Explanation:
Hubs are internal devices that usually have no direct external connectivity, and thus are not prone to hackers. There are no known viruses that are specific to hub attacks. While this situation may be an indicator of poor management controls, choice B is more likely when the practice of stacking hubs and creating more terminal connections is used.
NEW QUESTION 393
An IT governance framework provides an organization with:
- A. assurance that there will be IT cost reductions
- B. organizational structures to enlarge the market share through IT
- C. assurance that there are surplus IT investments
- D. a basis for directing and controlling IT.
Answer: D
NEW QUESTION 394
The objective of concurrency control in a database system is to:
- A. prevent integrity problems when two processes attempt to update the same data at the same time.
- B. prevent inadvertent or unauthorized disclosure of data in the database.
- C. restrict updating of the database to authorized users.
- D. ensure the accuracy, completeness and consistency of data.
Answer: A
Explanation:
Section: Protection of Information Assets
Concurrency controls prevent data integrity problems, which can arise when two update processes access the same data item at the same time. Access controls restrict updating of the database to authorized users, and controls such as passwords prevent the inadvertent or unauthorized disclosure of data from the database. Quality controls, such as edits, ensure the accuracy, completeness and consistency of data maintained in the database.
NEW QUESTION 395
Two servers are deployed in a cluster to run a mission-critical application. To determine whether the system has been designed for optimal efficiency, the IS auditor should verify that:
- A. the number of disks in the cluster meets minimum requirements
- B. load balancing between the servers has been implemented
- C. the two servers are of exactly the same configuration
- D. the security features in the operating system are all enabled
Answer: B
Explanation:
Section: The process of Auditing Information System
NEW QUESTION 396
In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?
- A. Periodically running and reviewing test data against production programs
- B. Verifying user management approval of modifications
- C. Manually comparing code in production programs to controlled copies
- D. Reviewing the last compile date of production programs
Answer: B
NEW QUESTION 397
A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments for either damaged or lost stock items in the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
- A. An edit check for the validity of the inventory transaction
- B. Separate authorization for input of transactions
- C. Statistical sampling of adjustment transactions
- D. Unscheduled audits of lost stock lines
Answer: B
NEW QUESTION 398
Which of the following tools is MOST helpful in estimating budgets for tasks within a large IT business application project?
- A. Gantt chart
- B. Balanced scorecard
- C. Critical path methodology (CPM)
- D. Function point analysis (FPA)
Answer: D
NEW QUESTION 399
Which of the following risks could result from inadequate software baselining?
- A. Software integrity violations
- B. Sign-off delays
- C. Scope creep
- D. Inadequate controls
Answer: C
Explanation:
A software baseline is the cut-off point in the design and development of a system beyond which additional requirements or modifications to the design do not or cannot occur without undergoing formal, strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage the requirements of a system through baselining can result in a number of risks. Foremost among these risks is scope creep, the process through which requirements change during development. Choices C and D may not always result, but choice A is inevitable.
NEW QUESTION 400
Establishing data ownership is an important first step for which of the following processes? Choose the BEST answer.
- A. Developing organizational security policies
- B. Classifying data
- C. Creating roles and responsibilities
- D. Assigning user access privileges
Answer: B
Explanation:
To properly implement data classification, establishing data ownership is an important first step.
NEW QUESTION 401
Which of the following BEST demonstrates the degree of alignment between IT and business strategy?
- A. Number of IT policies that refer directly to business goals
- B. Number of IT projects driven by business requirements
- C. Percentage of IT value drivers mapped to business value drivers
- D. Percentage of users aware of information security policies
Answer: C
NEW QUESTION 402