Isaca CISA practice questions (Actualtests free demo set), Q76 to Q90, with answers and explanations.

Q76. - (Topic 4) 

During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing: 

A. test data covering critical applications. 

B. detailed test plans. 

C. quality assurance test specifications. 

D. user acceptance testing specifications. 

Answer: D

Explanation: 

A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance test specification should be developed during this phase. The other choices are generally performed during the system testing phase. 


Q77. - (Topic 2) 

An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of: 

A. variable sampling. 

B. substantive testing. 

C. compliance testing. 

D. stop-or-go sampling. 

Answer: C

Explanation: 

Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed. 
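The compliance test the question describes, written out as an added example (not part of the exam material): the ten most recent "new user" forms are selected and each is tested as an attribute, i.e. was it signed, by someone actually permitted to authorize access, and not by the requester. The field names, the approver role table and the twelve sample forms are all constructed for illustration.

```python
"""Compliance test over the N most recent 'new user' access request forms.

Added example, not part of the exam material. The form fields, the approver
role table and the sample records are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NewUserForm:
    form_id: str
    requested_at: datetime
    requester: str
    approver: Optional[str]          # who signed the form; None if unsigned
    approved_at: Optional[datetime]


# Roles the application owner says may authorize new accounts (constructed).
AUTHORIZED_APPROVERS = {"app_owner", "it_manager"}


def _form(i: int, day: int, requester: str, approver: Optional[str]) -> NewUserForm:
    """Build a constructed sample form dated January 2024."""
    requested = datetime(2024, 1, day, 9, 0)
    approved = datetime(2024, 1, day, 12, 0) if approver else None
    return NewUserForm(f"F{i:03d}", requested, requester, approver, approved)


# Constructed population of 12 forms; the test samples the 10 most recent.
FORMS: List[NewUserForm] = [
    _form(1, 1, "hr_clerk", "app_owner"),
    _form(2, 2, "hr_clerk", "app_owner"),
    _form(3, 3, "hr_clerk", "it_manager"),
    _form(4, 4, "dept_head", "app_owner"),
    _form(5, 5, "hr_clerk", None),              # never signed
    _form(6, 6, "hr_clerk", "app_owner"),
    _form(7, 7, "dept_head", "it_manager"),
    _form(8, 8, "hr_clerk", "helpdesk"),        # signer lacks authority
    _form(9, 9, "hr_clerk", "app_owner"),
    _form(10, 10, "it_manager", "it_manager"),  # requester approved own request
    _form(11, 11, "hr_clerk", "app_owner"),
    _form(12, 12, "dept_head", "app_owner"),
]


def select_most_recent(forms: List[NewUserForm], n: int = 10) -> List[NewUserForm]:
    """The sampling rule the question describes: the n most recent forms."""
    return sorted(forms, key=lambda f: f.requested_at, reverse=True)[:n]


def check_form(form: NewUserForm) -> List[str]:
    """Attribute test of one form; an empty list means the control operated."""
    if form.approver is None or form.approved_at is None:
        return ["not approved"]
    exceptions = []
    if form.approver not in AUTHORIZED_APPROVERS:
        exceptions.append(f"approver {form.approver!r} is not an authorized approver")
    if form.approver == form.requester:
        exceptions.append("requester approved own request (segregation of duties)")
    if form.approved_at < form.requested_at:
        exceptions.append("approval predates the request")
    return exceptions


def compliance_test(forms: List[NewUserForm], n: int = 10) -> Dict[str, object]:
    """Run the attribute test over the sample and summarize the exceptions."""
    sample = select_most_recent(forms, n)
    exceptions = {f.form_id: check_form(f) for f in sample}
    exceptions = {k: v for k, v in exceptions.items() if v}
    return {
        "sample_size": len(sample),
        "exceptions": exceptions,
        "control_effective": not exceptions,
    }


if __name__ == "__main__":
    result = compliance_test(FORMS)
    print(f"sampled {result['sample_size']} forms")
    for form_id, problems in sorted(result["exceptions"].items()):
        print(form_id, "->", "; ".join(problems))
```

Note what the test does and does not say: three exceptions in ten means the authorization control is not operating reliably, so the auditor would expand substantive testing of who actually holds access. It says nothing about whether the accounts that were created have the right entitlements; that is a different (substantive) test.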


Q78. - (Topic 3) 

An example of a direct benefit to be derived from a proposed IT-related business investment is: 

A. enhanced reputation. 

B. enhanced staff morale. 

C. the use of new technology. 

D. increased market penetration. 

Answer: D

Explanation: 

A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into two categories: direct and indirect, or soft. Direct benefits usually comprise the quantifiable financial benefits that the new system is expected to generate; increased market penetration is the only choice that translates directly into measurable revenue. The potential benefits of enhanced reputation and enhanced staff morale are difficult to quantify, but should be quantified to the extent possible. IT investments should not be made just for the sake of new technology but should be based on a quantifiable business need. 


Q79. - (Topic 1) 

Network environments often add to the complexity of program-to-program communication, making the implementation and maintenance of application systems more difficult. True or false? 

A. True 

B. False 

Answer: A

Explanation: Network environments often add to the complexity of program-to-program communication, making application systems implementation and maintenance more difficult. 


Q80. - (Topic 4) 

An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE? 

A. Controls the proliferation of multiple versions of programs 

B. Expands the programming resources and aids available 

C. Increases program and processing integrity 

D. Prevents valid changes from being overwritten by other changes 

Answer: B

Explanation: 

A strength of an IDE is that it expands the programming resources and aids available to developers. The other choices are IDE weaknesses: because shared libraries are modified and tested from many workstations, an IDE by itself does not control the proliferation of program versions, guarantee program and processing integrity, or prevent one developer's valid change from being overwritten by another's. Those protections have to come from separate version control and change management controls. 


Q81. - (Topic 3) 

In the context of effective information security governance, the primary objective of value delivery is to: 

A. optimize security investments in support of business objectives. 

B. implement a standard set of security practices. 

C. institute a standards-based solution. 

D. implement a continuous improvement culture. 

Answer: A

Explanation: 

In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event. 


Q82. - (Topic 3) 

The PRIMARY objective of implementing corporate governance by an organization's management is to: 

A. provide strategic direction. 

B. control business operations. 

C. align IT with business. 

D. implement best practices. 

Answer: A

Explanation: 

Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled. 


Q83. - (Topic 1) 

Proper segregation of duties prohibits a system analyst from performing quality-assurance functions. True or false? 

A. True 

B. False 

Answer: A

Explanation: Proper segregation of duties prohibits a system analyst from performing quality-assurance functions, because quality assurance must independently verify the work the analyst specified. 


Q84. - (Topic 1) 

Which of the following is a guiding best practice for implementing logical access controls? 

A. Implementing the Biba Integrity Model 

B. Access is granted on a least-privilege basis, per the organization's data owners 

C. Implementing the Take-Grant access control model 

D. Classifying data according to the subject's requirements 

Answer: B

Explanation: Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis, per the organization's data owners. 


Q85. - (Topic 2) 

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system? 

A. Dumping the memory content to a file 

B. Generating disk images of the compromised system 

C. Rebooting the system 

D. Removing the system from the network 

Answer: C

Explanation: 

Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. The other choices are appropriate actions for preserving evidence, and the most volatile evidence should be collected first: capture memory before imaging the disk, and before anything else on the host is changed. 
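An added example (not part of the exam material) that turns the explanation into a run sheet: proposed acquisition steps are reordered by volatility so memory comes first, any step that would reboot or power off the host is rejected outright, and everything captured is sealed with a SHA-256 manifest that later detects alteration. The step names and the byte-string stand-ins for acquired images are constructed for illustration.

```python
"""Plan a forensic acquisition so volatile evidence is captured first, then
seal what was captured with a hash manifest.

Added example, not part of the exam material. The step names and the
byte-string stand-ins for acquired images are constructed for illustration.
"""
import hashlib
from typing import Dict, List, Tuple

# Most volatile first. The acquisition steps the question treats as safe
# (memory dump, disk image) both appear here.
VOLATILITY_ORDER = ["memory", "network_state", "running_processes", "disk_image"]

# Containment, not acquisition: scheduled once the live network state is saved.
CONTAINMENT_ACTIONS = {"isolate_network"}

# Anything that changes the system state wholesale is rejected outright.
DESTRUCTIVE_ACTIONS = {"reboot", "shutdown", "power_cycle"}


def _rank(step: str) -> float:
    if step in CONTAINMENT_ACTIONS:
        return VOLATILITY_ORDER.index("network_state") + 0.5
    return float(VOLATILITY_ORDER.index(step))


def plan_acquisition(requested: List[str]) -> List[str]:
    """Return the requested steps reordered by volatility.

    Raises ValueError if the plan contains a destructive action or an
    unknown step, so a reboot never silently slips into the run sheet.
    """
    for step in requested:
        if step in DESTRUCTIVE_ACTIONS:
            raise ValueError(
                f"{step!r} would discard memory-resident evidence; "
                "dump memory first and keep the host powered on")
        if step not in VOLATILITY_ORDER and step not in CONTAINMENT_ACTIONS:
            raise ValueError(f"unknown acquisition step {step!r}")
    return sorted(set(requested), key=_rank)


def is_safe_plan(requested: List[str]) -> bool:
    """True if plan_acquisition accepts the plan, False if it rejects it."""
    try:
        plan_acquisition(requested)
        return True
    except ValueError:
        return False


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record size and SHA-256 of every acquired artifact at acquisition time."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in artifacts.items()}


def verify_manifest(manifest: Dict[str, Tuple[int, str]],
                    artifacts: Dict[str, bytes]) -> List[str]:
    """Names whose current content no longer matches the sealed manifest."""
    bad = []
    for name, (size, digest) in manifest.items():
        data = artifacts.get(name)
        if data is None or len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    return sorted(bad)


# Constructed stand-ins; real images are gigabytes and come from imaging tools.
ARTIFACTS = {
    "memory": b"\x7fELF... constructed memory image ...",
    "disk_image": b"\xeb\x3c\x90 constructed raw disk image ...",
}

if __name__ == "__main__":
    print(plan_acquisition(["disk_image", "isolate_network", "memory", "network_state"]))
    manifest = build_manifest(ARTIFACTS)
    tampered = dict(ARTIFACTS, disk_image=ARTIFACTS["disk_image"] + b"\x00")
    print("altered:", verify_manifest(manifest, tampered))
```

The manifest is what lets the evidence survive a later challenge: the hashes are recorded at acquisition time, stored with the chain-of-custody record, and recomputed whenever an image is handed over or analysed.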


Q86. - (Topic 3) 

After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk? 

A. Project management and progress reporting is combined in a project management office which is driven by external consultants. 

B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. 

C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems. 

D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs. 

Answer: B

Explanation: 

The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. In postmerger integration programs, it is common to form project management offices to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project deliverables or resources. The experience of external consultants can be valuable since project management practices do not require in-depth knowledge of the legacy systems. This can free up resources for functional tasks. It is a good idea to first get familiar with the old systems, to understand what needs to be done in a migration and to evaluate the implications of technical decisions. In most cases, mergers result in application changes and thus in training needs as organizations and processes change to leverage the intended synergy effects of the merger. 


Q87. - (Topic 1) 

Which of the following provides the strongest authentication for physical access control? 

A. Sign-in logs 

B. Dynamic passwords 

C. Key verification 

D. Biometrics 

Answer: D

Explanation: Biometrics provide the strongest authentication for physical access because they verify a characteristic of the person rather than something the person holds or knows. Sign-in logs rely on self-reporting, and dynamic passwords or keys can be shared, lost or stolen. 


Q88. - (Topic 2) 

An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely: 

A. evaluate the record retention plans for off-premises storage. 

B. interview programmers about the procedures currently being followed. 

C. compare utilization records to operations schedules. 

D. review data file access records to test the librarian function. 

Answer: B

Explanation: 

Asking programmers about the procedures currently being followed is useful in determining whether access to program documentation is restricted to authorized persons. Evaluating the record retention plans for off-premises storage tests the recovery procedures, not the access control over program documentation. Testing utilization records or data files will not address access security over program documentation. 


Q89. - (Topic 4) 

An advantage of using sanitized live transactions in test data is that: 

A. all transaction types will be included. 

B. every error condition is likely to be tested. 

C. no special routines are required to assess the results. 

D. test transactions are representative of live processing. 

Answer: D

Explanation: 

Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way. 
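An added example (not part of the exam material) of what "sanitized live transactions" means in practice: identifying fields are replaced with keyed pseudonyms while transaction type, amount and timing are kept, so the test data stays representative without exposing customer data. Account numbers keep their length and a valid Luhn check digit so input validation and joins between records still work, and a final check reports which transaction types the live extract never exercised, which is exactly the limitation the explanation notes. The record layout, the key, the transaction-type catalogue and the four sample rows are all constructed.

```python
"""Sanitize live transactions into test data while keeping them representative.

Added example, not part of the exam material. The record layout, the key,
the transaction-type catalogue and the sample rows are constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Set

# Keyed so the mapping cannot be reversed without the key; keep the key out of
# the test environment. Constructed value for illustration.
PSEUDONYM_KEY = b"constructed-key-rotate-before-use"

# Every transaction type the application supports (assumed catalogue).
ALL_TRANSACTION_TYPES: Set[str] = {"payment", "refund", "reversal", "chargeback", "fee"}

# Constructed live extract: two customers, two accounts, three of five types.
LIVE_TRANSACTIONS: List[Dict[str, str]] = [
    {"txn_id": "T1001", "type": "payment", "account": "4111222233334444",
     "customer": "Alice Example", "email": "alice@example.com",
     "amount": "125.40", "ts": "2024-03-01T10:15:00Z"},
    {"txn_id": "T1002", "type": "refund", "account": "4111222233334444",
     "customer": "Alice Example", "email": "alice@example.com",
     "amount": "-25.40", "ts": "2024-03-02T08:01:00Z"},
    {"txn_id": "T1003", "type": "payment", "account": "5500111122223333",
     "customer": "Bob Example", "email": "bob@example.com",
     "amount": "980.00", "ts": "2024-03-02T17:45:00Z"},
    {"txn_id": "T1004", "type": "reversal", "account": "5500111122223333",
     "customer": "Bob Example", "email": "bob@example.com",
     "amount": "-980.00", "ts": "2024-03-03T09:30:00Z"},
]


def _mac(value: str) -> bytes:
    return hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).digest()


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:   # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn test over the full number including its check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pseudonymize_account(account: str) -> str:
    """Same live account -> same fake account, same length, Luhn-valid, so
    joins between transactions and input validation both keep working."""
    digits = "".join(str(b % 10) for b in _mac(account)[: len(account) - 1])
    return digits + luhn_check_digit(digits)


def sanitize(txn: Dict[str, str]) -> Dict[str, str]:
    """Replace identifying fields; keep type, amount and time so the mix is representative."""
    tag = _mac(txn["customer"]).hex()[:8]
    out = dict(txn)
    out["account"] = pseudonymize_account(txn["account"])
    out["customer"] = f"Customer {tag}"
    out["email"] = f"{tag}@test.invalid"   # the .invalid TLD can never deliver mail
    return out


def sanitize_all(txns: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [sanitize(t) for t in txns]


def missing_transaction_types(txns: List[Dict[str, str]]) -> Set[str]:
    """The caveat from the explanation: live data only covers what actually happened."""
    return ALL_TRANSACTION_TYPES - {t["type"] for t in txns}


if __name__ == "__main__":
    test_data = sanitize_all(LIVE_TRANSACTIONS)
    for row in test_data:
        print(row["txn_id"], row["type"], row["account"], row["customer"], row["amount"])
    print("types not exercised by this extract:", sorted(missing_transaction_types(test_data)))
```

The coverage gap reported at the end is why sanitized live data is a complement to, not a replacement for, designed test cases: chargebacks, fees and the error paths simply do not appear if none occurred in the extract window.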


Q90. - (Topic 1) 

Why does an IS auditor review an organization chart? 

A. To optimize the responsibilities and authority of individuals 

B. To control the responsibilities and authority of individuals 

C. To better understand the responsibilities and authority of individuals 

D. To identify project sponsors 

Answer: C

Explanation: The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.