Practice Free CISA Exam Online Questions
The PRIMARY focus of a post-implementation review is to verify that:
- A . enterprise architecture (EA) has been complied with.
- B . user requirements have been met.
- C . acceptance testing has been properly executed.
- D . user access controls have been adequately designed.
B
Explanation:
The primary focus of a post-implementation review is to verify that user requirements have been met. User requirements are specifications that define what users need or expect from a system or service, such as functionality, usability, reliability, etc. They are usually gathered and documented at the beginning of a project and used as a basis for designing, developing, testing, and implementing the system or service. A post-implementation review is an evaluation that assesses whether a system or service meets its objectives and delivers its expected benefits after it has been implemented. Verifying that user requirements have been met is the primary focus because this indicates whether the system or service satisfies user needs and expectations, provides value and quality to the users, and supports the user goals and tasks. Compliance with the enterprise architecture (EA) is a possible focus of a post-implementation review, but it is not the primary one. EA is a framework that defines how an organization’s business processes, information systems, and technology infrastructure are aligned and integrated to support its vision and strategy. Checking EA compliance can indicate whether the system or service fits with the organization’s current and future state and follows the organization’s standards and principles. Proper execution of acceptance testing is a possible focus of a post-implementation review, but it is not the primary one. Acceptance testing is a process that verifies whether a system or service meets the user requirements and expectations before it is accepted by the users or stakeholders. Checking that acceptance testing was properly executed can indicate whether the system or service has been tested and validated by the users or stakeholders, and whether any issues or defects have been identified and resolved.
Adequate design of user access controls is a possible focus of a post-implementation review, but it is not the primary one. User access controls are mechanisms that ensure that only authorized users can access or use a system or service and that prevent unauthorized access or use. Checking that user access controls have been adequately designed can indicate whether the system or service has appropriate security and privacy measures in place, and whether any risks or threats have been mitigated.
Which of the following is an IS auditor’s BEST approach when preparing to evaluate whether the IT strategy supports the organization’s vision and mission?
- A . Review strategic projects for return on investments (ROIs)
- B . Solicit feedback from other departments to gauge the organization’s maturity
- C . Meet with senior management to understand business goals
- D . Review the organization’s key performance indicators (KPIs)
C
Explanation:
The best approach for an IS auditor to evaluate whether the IT strategy supports the organization’s vision and mission is to meet with senior management to understand the business goals and how IT can enable them. This will help the IS auditor to assess the alignment and integration of IT with the business strategy and to identify any gaps or opportunities for improvement. Reviewing ROIs, KPIs, or feedback from other departments may provide some insights, but they are not sufficient to evaluate the IT strategy.
Reference: IS Audit and Assurance Standards, section “Standard 1201: Engagement Planning”
What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?
- A . Notify law enforcement of the finding.
- B . Require the third party to notify customers.
- C . The audit report with a significant finding.
- D . Notify audit management of the finding.
D
Explanation:
The IS auditor should notify audit management of the finding first, as this is a significant issue that may affect the audit scope and objectives. The IS auditor should not notify law enforcement or require the third party to notify customers without consulting audit management first. The audit report with a significant finding should be issued after the audit is completed and the findings are validated.
Reference: ISACA, CISA Review Manual, 27th Edition, 2018, page 247
Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
- A . Assignment of responsibility for each project to an IT team member
- B . Adherence to best practice and industry approved methodologies
- C . Controls to minimize risk and maximize value for the IT portfolio
- D . Frequency of meetings where the business discusses the IT portfolio
C
Explanation:
Controls to minimize risk and maximize value for the IT portfolio should be the most important consideration when conducting a review of IT portfolio management, because they ensure that the IT portfolio aligns with the business strategy, objectives, and priorities, and that the IT investments deliver optimal benefits and outcomes. Assignment of responsibility for each project to an IT team member, adherence to best practice and industry approved methodologies, and frequency of meetings where the business discusses the IT portfolio are also relevant aspects of IT portfolio management, but they are not as important as controls to minimize risk and maximize value.
Reference: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.3
Which of the following is the GREATEST risk of project dashboards being set without sufficiently defined criteria?
- A . Adverse findings from internal and external auditors
- B . Lack of project portfolio status oversight
- C . Lack of alignment of project status reports
- D . Inadequate decision-making and prioritization
When drafting a disaster recovery strategy, what should be the MOST important outcome of a business impact analysis (BIA)?
- A . Establishing recovery point objectives (RPOs)
- B . Determining recovery priorities
- C . Establishing recovery time objectives (RTOs)
- D . Determining recovery costs
Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?
- A . A high percentage of stakeholders satisfied with the quality of IT
- B . A high percentage of incidents being quickly resolved
- C . A high percentage of IT processes reviewed by quality assurance (QA)
- D . A high percentage of IT employees attending quality training
A
Explanation:
Stakeholder satisfaction is a key indicator of the effectiveness of a QMS, as it reflects the extent to which the QMS meets the expectations and priorities of the customers and other interested parties. A high percentage of stakeholder satisfaction implies that the QMS is delivering consistent and reliable products or services that meet the quality standards and requirements.
Reference: ISACA CISA Review Manual, 27th Edition, page 253; The Four Main Components of a Quality Management System; The Road to Developing an Effective Quality Management System (QMS)
An IS auditor notes that the previous year’s disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor.
Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?
- A . Service level agreement (SLA)
- B . Hardware change management policy
- C . Vendor memo indicating problem correction
- D . An up-to-date RACI chart
A
Explanation:
The best evidence that adequate resources are now allocated to successfully recover the systems is a service level agreement (SLA). An SLA is a contract between a service provider and a customer that defines the scope, quality, and terms of the service delivery. An SLA should include measurable and verifiable indicators of the service performance, such as availability, reliability, capacity, security, and recovery. An SLA should also specify the roles, responsibilities, and expectations of both parties, as well as the remedies and penalties for non-compliance. An SLA can help to ensure that the third-party vendor has allocated sufficient hardware and other resources to meet the recovery objectives and requirements of the organization.
Reference: CISA Review Manual (Digital Version); CISA Questions, Answers & Explanations Database
Which of the following should be an IS auditor’s PRIMARY focus when developing a risk-based IS audit program?
- A . Portfolio management
- B . Business plans
- C . Business processes
- D . IT strategic plans
C
Explanation:
Business processes should be the primary focus of an IS auditor when developing a risk-based IS audit program, because they represent the core activities and functions of the organization that support its objectives and goals. Business processes also involve the use of IT resources and systems that may pose risks to the organization’s performance and compliance. A risk-based IS audit program should identify and assess the risks associated with the business processes and determine the appropriate audit scope and procedures to provide assurance on their effectiveness and efficiency. Portfolio management, business plans, and IT strategic plans are also relevant factors for developing a risk-based IS audit program, but they are not as important as business processes.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.2.1
Who should be the FIRST to evaluate an audit report prior to issuing it to the project steering committee?
- A . IS audit manager
- B . Audit committee
- C . Business owner
- D . Project sponsor
