CISA Online Practice Questions and Answers

Correct Answer: D

The strategy that would provide the greatest assurance of system quality at implementation is delivering only the core functionality on the initial target date. This strategy can help avoid compromising the quality of the system by focusing on the essential features that meet the user needs and expectations. Delivering only the core functionality can also help reduce the scope creep, complexity, and testing efforts of the system development project. Implementing overtime pay and bonuses for all development staff, utilizing new system development tools to improve productivity, and recruiting IS staff to expedite system development are not strategies that would provide the greatest assurance of system quality at implementation. These strategies may help speed up the system development process, but they may also introduce new risks or challenges such as burnout, learning curve, integration issues, or communication gaps. These risks or challenges may adversely affect the quality of the system.

Correct Answer: C

For an organization that has plans to implement web-based trading, it would be most important for an IS auditor to verify that the organization's information security plan includes security requirements for the new application. Security requirements are statements that define what security features and functions are needed to protect the confidentiality, integrity, and availability of the web-based trading application and its data. Security requirements should be identified and documented during the planning phase of the application development life cycle, before any design or coding activities take place. Attributes for system passwords, security training prior to implementation, and firewall configuration for the web server are also important aspects of information security, but they are not as essential as security requirements for ensuring that the web-based trading application meets its security objectives.

Correct Answer: D

In a RAO model, which stands for Responsible, Accountable, Consulted, and Informed, the accountable role must be assigned to only one individual. The accountable role is the person who has the ultimate authority and responsibility for the

outcome of the project or task, and who approves or rejects the work done by the responsible role. The accountable role cannot be delegated or shared, as it is essential to have a clear and single point of accountability for each project or

task. The other roles can be assigned to more than one individual:

Responsible. This is the person who does the work or performs the task. There can be multiple responsible roles for different aspects or phases of a project or task, as long as they are coordinated and supervised by the accountable role.

Informed. This is the person who needs to be notified or updated about the progress or results of the project or task. There can be multiple informed roles who have an interest or stake in the project or task, but who do not need to be

consulted or involved in the decision-making process. Consulted. This is the person who provides input, feedback, or advice on the project or task. There can be multiple consulted roles who have expertise or experience relevant to the project

or task, but who do not have the authority or responsibility to approve or reject the work done by the responsible role.

Correct Answer: D

The business process owner is the most important stakeholder to involve in the review of the processes that prevent fraud within a business expense claim system. This is because the business process owner is responsible for defining, implementing, and monitoring the business rules and policies that govern the expense claim process. The business process owner also has the authority and accountability to approve or reject expense claims, as well as to investigate and report any suspicious or fraudulent activities. The business process owner can provide valuable insights and feedback to the IS auditor on the effectiveness and efficiency of the current processes, as well as the potential risks and controls that need to be addressed12. The information security manager is not the most important stakeholder because their role is mainly focused on ensuring the confidentiality, integrity, and availability of the information systems and data that support the expense claim process. The information security manager can help the IS auditor with assessing the technical aspects of the system, such as access controls, encryption, logging, and backup, but they may not have sufficient knowledge or authority over the business rules and policies that prevent fraud1. The quality assurance (QA) manager is not the most important stakeholder because their role is mainly focused on ensuring the quality and reliability of the software applications and systems that support the expense claim process. The QA manager can help the IS auditor with testing and verifying the functionality and performance of the system, but they may not have sufficient knowledge or authority over the business rules and policies that prevent fraud1. The business department executive is not the most important stakeholder because their role is mainly focused on overseeing the strategic objectives and financial performance of the business department that uses the expense claim system. The business department executive can help the IS auditor with understanding the business context and needs of the expense claim process, but they may not have sufficient knowledge or authority over the operational details and controls that prevent fraud

Correct Answer: B

Audit observations are the findings and recommendations that result from an audit engagement. Audit observations should be first communicated with the auditee during fieldwork, which is the stage of the audit process where the auditor

collects and analyzes evidence to evaluate the audit objectives1. Communicating audit observations during fieldwork has several benefits, such as2:

It allows the auditor to verify the accuracy and completeness of the observations, and to obtain additional information or clarification from the auditee if needed. It enables the auditor to discuss the root causes, impacts, and risks of the

observations, and to solicit the auditee's input on possible corrective actions and implementation timelines.

It helps to build rapport and trust between the auditor and the auditee, and to avoid surprises or disagreements at the end of the audit. It facilitates timely resolution of audit observations, and reduces the risk of audit delays or disputes.

Therefore, option B is the correct answer.

Option A is not correct because communicating audit observations when drafting the report is too late, as it may lead to misunderstandings, conflicts, or revisions that could have been avoided if the observations were communicated earlier.

Option C is not correct because communicating audit observations at the end of fieldwork is also not ideal, as it may not leave enough time for the auditor and the auditee to discuss and agree on the observations and recommendations.

Option D is not correct because communicating audit observations within the audit report is the final step of the audit process, not the first.

References:

Audit Process Overview1

Communicating Internal Audit Findings: Best Practices for Success2

Correct Answer: B

A continuous integration/continuous development (CI/CD) process helps to reduce software failure risk by enabling smaller incremental changes to the software code, rather than large and infrequent updates. Smaller incremental changes

allow developers to detect and fix errors, bugs, or vulnerabilities more quickly and easily, and to ensure that the software is always in a working state. Smaller incremental changes also reduce the complexity and uncertainty of the software

development process, and improve the quality and reliability of the software product.

References:

1: What is CI/CD? Continuous integration and continuous delivery explained

2: CI/CD challenges--and how to solve them | TechBeacon

3: Continuous Integration vs Continuous Delivery vs Continuous Deployment

4: CI/CD Challenges and their Must-Know Solutions | BrowserStack

5: common pitfalls of CI/CD--and how to avoid them | InfoWorld

Correct Answer: C

Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.

For CISA exam you should know below information about business intelligence:

Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a

data architecture. The complete data architecture consists of two components

The enterprise data flow architecture (EDFA)

A logical data architecture

Various layers/components of this data flow architecture are as follows:

Presentation/desktop access layer ?This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas

and business objects, and purpose built application such as balanced source cards and digital dashboards.

Data Source Layer ?Enterprise information derives from number of sources:

Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data ?Data provided to an organization by external sources. This could include data

such as customer demographic and market share information.

Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

Core data warehouse ?This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support

three basic form of an inquiry.

Drilling up and drilling down ?Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.

Drill across ?Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical

Analysis ?The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start

of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers.

Data Mart Layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

processing (OLAP) data structure.

Data Staging and quality layer ?This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

Data Access Layer ?This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

now permits SQL access to data even if it is not stored in a relational database.

Data Preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed. Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs to be very high to not corrupt the result.

Metadata repository layer ?Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be

comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules.

Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.

Application messaging layer ?This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

Various analysis models used by data architects/ analysis follows:

Activity or swim-lane diagram ?De-construct business processes.

Entity relationship diagram ?Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is

involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

The following were incorrect answers:

Desktop access layer or presentation layer is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as

Congas and business objects, and purpose built application such as balanced source cards and digital dashboards.

Data preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

Data access layer ?his layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

now permits SQL access to data even if it is not stored in a relational database.

Reference:

CISA review manual 2014 Page number 188

Correct Answer: B

Correct Answer: B

Correct Answer: B