Practice Free CISA Exam Online Questions
Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?
- A . Parallel changeover
- B . Modular changeover
- C . Phased operation
- D . Pilot operation
A
Explanation:
The best method to reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system is parallel changeover. Parallel changeover is a method of system conversion that involves running both the old and the new systems simultaneously for a period of time, until the new system is verified to be working correctly and completely. Parallel changeover can help reduce the risk of data loss, errors, or disruptions that may occur due to the incompatibility of the technologies, as well as provide a backup option in case of failure or malfunction of the new system. Parallel changeover can also help users compare and validate the results of both systems, and facilitate their training and adaptation to the new system.
Modular changeover is a method of system conversion that involves replacing one module or component of the old system with a corresponding module or component of the new system at a time, until the entire system is replaced. Modular changeover can help reduce the complexity and scope of the conversion, as well as minimize the impact on the users and operations. However, modular changeover may not be feasible or effective when the technologies of the old and new systems are not compatible, as it may create integration or interoperability issues among the modules.
Phased operation is a method of system conversion that involves implementing the new system in stages or increments, each with a subset of functions or features, until the entire system is operational. Phased operation can help reduce the risk and cost of implementing a large and complex system, as well as allow for testing and feedback at each stage. However, phased operation may not be suitable or efficient when the technologies of the old and new systems are not compatible, as it may require extensive modifications or adaptations to enable partial functionality.
Pilot operation is a method of system conversion that involves implementing the new system in a limited or controlled environment, such as a department or a location, before rolling it out to the entire organization. Pilot operation can help test and evaluate the performance and usability of the new system, as well as identify and resolve any issues or problems before full-scale implementation. However, pilot operation may not be relevant or reliable when the technologies of the old and new systems are not compatible, as it may not reflect the actual conditions or challenges of operating both systems concurrently.
References:
TRANSITION TO THE NEW SYSTEM – O’Reilly Media
10 Challenges To Think About When Upgrading From Legacy Systems – Forbes
Which of the following business continuity activities prioritizes the recovery of critical functions?
- A . Business continuity plan (BCP) testing
- B . Business impact analysis (BIA)
- C . Disaster recovery plan (DRP) testing
- D . Risk assessment
B
Explanation:
A business impact analysis (BIA) is a process that identifies and evaluates the potential effects or consequences of disruptions or disasters on an organization’s critical business functions or processes. A BIA can help prioritize the recovery of critical functions by assessing their importance and urgency for the organization’s operations, objectives, and stakeholders, and by determining their recovery time objectives (RTOs), which are the maximum acceptable time for restoring a function after a disruption.
Business continuity plan (BCP) testing is a process that verifies and validates the effectiveness and readiness of a BCP, which is a document that outlines the strategies and procedures for ensuring the continuity of critical business functions in the event of a disruption or disaster. BCP testing does not prioritize the recovery of critical functions, but rather evaluates how well they are recovered according to the BCP.
Disaster recovery plan (DRP) testing is a process that verifies and validates the effectiveness and readiness of a DRP, which is a document that outlines the technical and operational steps for restoring the IT systems and infrastructure that support critical business functions in the event of a disruption or disaster. DRP testing does not prioritize the recovery of critical functions, but rather evaluates how well they are supported by the IT systems and infrastructure according to the DRP.
A risk assessment is a process that identifies and analyzes the potential threats and vulnerabilities that could affect an organization’s critical business functions or processes. A risk assessment does not prioritize the recovery of critical functions, but rather estimates the likelihood and impact of their being disrupted by various risk scenarios.
Management has decided to accept a risk in response to a draft audit recommendation.
Which of the following should be the IS auditor’s NEXT course of action?
- A . Document management’s acceptance in the audit report.
- B . Escalate the acceptance to the board.
- C . Ensure a follow-up audit is on next year’s plan.
- D . Escalate acceptance to the audit committee.
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s information security governance?
- A . Risk assessments of information assets are not periodically performed.
- B . The information security policy does not extend to service providers.
- C . There is no process to measure information security performance.
- D . The information security policy is not reviewed by executive management.
Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?
- A . The policy aligns with corporate policies and practices.
- B . The policy aligns with global best practices.
- C . The policy aligns with business goals and objectives.
- D . The policy aligns with local laws and regulations.
D
Explanation:
The data retention policy for a global organization with regional offices in multiple countries should align with local laws and regulations, as they may vary significantly from one country to another and may impose different requirements and penalties for non-compliance. The policy should also consider the corporate policies and practices, the global best practices, and the business goals and objectives, but these are secondary to the legal compliance.
References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.3: Data Classification and Protection
An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production.
Which of the following is the MOST significant risk from this situation?
- A . Loss of application support
- B . Lack of system integrity
- C . Outdated system documentation
- D . Developer access to production
B
Explanation:
The most significant risk from not testing patches before putting them into production is the lack of system integrity. Patches are software updates that fix bugs, vulnerabilities or performance issues in an application system. However, patches may also introduce new errors, conflicts or compatibility issues that could affect the functionality, reliability or security of the system. By not testing patches before putting them into production, the organization exposes itself to the risk of system failures, data corruption or unauthorized access. Loss of application support, outdated system documentation and developer access to production are also risks from not testing patches, but they are not as significant as the lack of system integrity.
References:
CISA Review Manual, 27th Edition, page 295
CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
Which of the following should be of GREATEST concern to an IS auditor when auditing an organization’s IT strategy development process?
- A . The IT strategy was developed before the business plan
- B . A business impact analysis (BIA) was not performed to support the IT strategy
- C . The IT strategy was developed based on the current IT capability
- D . Information security was not included as a key objective in the IT strategic plan
D
Explanation:
The greatest concern for an IS auditor when auditing an organization’s IT strategy development process is that information security was not included as a key objective in the IT strategic plan. Information security is a vital component of IT strategy, as it ensures the confidentiality, integrity and availability of information assets, and supports the business objectives and regulatory compliance. The other options are not as significant as the lack of information security in the IT strategic plan.
References: CISA Review Manual (Digital Version), Chapter 1, Section 1.3
An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test.
Which of the following should the IS audit manager specifically review to substantiate the conclusions?
- A . Overviews of interviews between data center personnel and the auditor
- B . Prior audit reports involving other corporate disaster recovery audits
- C . Summary memos reflecting audit opinions regarding noted weaknesses
- D . Detailed evidence of the successes and weaknesses of all contingency testing
D
Explanation:
The IS audit manager should specifically review the detailed evidence of the successes and weaknesses of all contingency testing to substantiate the conclusions of the audit of the corporate disaster recovery test. This is because the detailed evidence can provide the audit manager with a clear and objective picture of how well the disaster recovery plan was executed, what issues or gaps were encountered, and what recommendations or actions were taken to address them. The detailed evidence can also help the audit manager to verify the accuracy, completeness, and validity of the audit findings, as well as to evaluate the adequacy and effectiveness of the disaster recovery controls.
The other options are not as specific or relevant as the detailed evidence of all contingency testing. Overviews of interviews between data center personnel and the auditor may provide some useful information, but they are not sufficient to substantiate the conclusions without supporting evidence from the actual testing. Prior audit reports involving other corporate disaster recovery audits may provide some benchmarking or comparison data, but they are not directly related to the current audit scope and objectives. Summary memos reflecting audit opinions regarding noted weaknesses may provide some high-level insights, but they are not enough to substantiate the conclusions without detailed evidence to back them up.
References:
ISACA, CISA Review Manual, 27th Edition, 2019, p. 241
Disaster Recovery Audit Work Program
With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?
- A . A business impact analysis (BIA) has not been performed
- B . Business data is not sanitized in the development environment
- C . There is no plan for monitoring system downtime
- D . The process owner has not signed off on user acceptance testing (UAT)
A
Explanation:
Resilience is the ability of an organization to continue to operate effectively during or after a disruptive event. A business impact analysis (BIA) is a key process to identify the critical systems and processes that support the organization’s objectives and determine the impact of their disruption. Without a BIA, the organization may not be able to prioritize the recovery of the most important systems and processes, which poses the greatest risk to its resilience. The other options are not as significant as a BIA, as they relate to data quality, system monitoring, and user acceptance testing, which are important but not essential for resilience.
References: CISA Review Manual (Digital Version), Domain 4: Information Systems Operations and Business Resilience, Section 4.2 Business Continuity Planning
Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?
- A . Degaussing
- B . Random character overwrite
- C . Physical destruction
- D . Low-level formatting
C
Explanation:
The most effective method of destroying sensitive data stored on electronic media is physical destruction, which involves breaking, shredding, melting, or incinerating the media to make it unreadable and unrecoverable. Degaussing, random character overwrite, and low-level formatting are methods of sanitizing or erasing data from electronic media, but they do not guarantee complete destruction of data and may leave some traces that can be recovered by advanced techniques. Therefore, physical destruction is the most secure and reliable method of data disposal for sensitive data.
References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.4: Data Disposal