Exam

CISA Exam 14, 13 mc, 10 mc 55 Questions with Verified Answers,100% CORRECT

Pages
13
Grade
A+
Uploaded on
10-03-2024
Written in
2023/2024

(CISA exam, adapted) Authentication is the process by which the:
- system verifies that the user is entitled to enter the transaction requested.
- user identifies him- or herself to the system.
- system verifies the identity of the user.
- user indicates to the system that the transaction was processed correctly.
CORRECT ANSWER: system verifies the identity of the user.

(CMA exam, adapted) Data processing activities may be classified in terms of three stages or processes: input, processing, and output. An activity that is not normally associated with the input stage is:
- batching.
- verifying.
- recording.
- reporting.
CORRECT ANSWER: reporting.

(CISA exam, adapted) To ensure confidentiality in an asymmetric-key encryption system, knowledge of which of the following keys is required to decrypt the received message?
I. Private
II. Public
- I
- II
- Both I and II
- Neither I nor II
CORRECT ANSWER: Private

To authenticate the message sender in an asymmetric-key encryption system, which of the following keys is required to decrypt the received message?
- Sender's private key
- Receiver's private key
- Sender's public key
- Receiver's public key
CORRECT ANSWER: Sender's public key

To ensure the data sent over the Internet are protected, which of the following keys is required to encrypt the data (before transmission) using an asymmetric-key encryption method?
- Sender's public key
- Sender's private key
- Receiver's public key
- Receiver's private key
CORRECT ANSWER: Receiver's public key

Which of the following groups/laws was the earliest to encourage auditors to
- PCAOB
- COBIT
- SAS No. 99
- COSO
- Sarbanes-Oxley Act
CORRECT ANSWER: SAS No. 99

Incentive to commit fraud usually will include all of the following, except:
- inadequate segregation of duties.
- alcohol, drug, or gambling addiction.
- feelings of resentment.
- personal habits and lifestyle.
- financial pressure.
CORRECT ANSWER: inadequate segregation of duties.

(CPA exam, adapted) An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?
- System hardware policy
- Internal control policy
- Disaster recovery plan
- Supply chain management policy
- System security policy
CORRECT ANSWER: Disaster recovery plan

A message digest is the result of hashing. Which of the following statements about the hashing process is true?
- It is reversible.
- Comparing the hashing results can ensure confidentiality.
- Hashing is the best approach to make sure that two files are identical.
- None of the choices are true.
CORRECT ANSWER: Hashing is the best approach to make sure that two files are identical.

Which one of the following vulnerabilities would create the most serious risk to a firm?
- Employees writing instant messages with friends during office hours
- Unauthorized access to the firm's network
- Employees recording passwords in Excel files
- Using open source software (downloaded for free) on the firm's network
CORRECT ANSWER: Unauthorized access to the firm's network

Which of the following statements is correct?
- SOC 1 reports provide the evaluations on a broader set of controls implemented by the service provider.
- A spam will send a network packet that appears to come from a source other than its actual source.
- Multifactor authentication is less secure than requiring a user always entering a password to access a network.
- Fault tolerance uses redundant units to provide a system with the ability to continue functioning when part of the system fails.
CORRECT ANSWER: Fault tolerance uses redundant units to provide a system with the ability to continue functioning when part of the system fails.

Which of the following can be considered as a good alternative to back up data and applications?
- Continuous monitoring
- Business continuity management
- Cloud computing
- Disaster recovery planning
CORRECT ANSWER: Cloud computing

A digital certificate:
- indicates that the subscriber identified has sole control and access to the private key.
- is used to certify public-key and private-key pairs.
- ensures that the symmetric-key encryption method functions well.
- is a trusted entity to certify and revoke Certificate Authorities (CA).
CORRECT ANSWER: indicates that the subscriber identified has sole control and access to the private key.

The symmetric-key encryption method:
- is slow.
- solves problems in key distribution and key management.
- uses the same key for both senders and receivers for encryption and decryption.
- is not appropriate for encrypting large data sets.
CORRECT ANSWER: uses the same key for both senders and receivers for encryption and decryption.

The fraud triangle indicates which of the following condition(s) exist for a fraud to be perpetrated?
a. rationalization.
b. pressure.
c. legal environment.
d. a and b are correct
e. a, b, and c are correct
CORRECT ANSWER: a, b, and c are correct

To prevent repudiation in conducting e-business, companies must be able to authenticate their trading partners. Which of the following encryption methods can be used for authentication purpose?
- Symmetric-key encryption method
- Asymmetric-key encryption method
- Both symmetric-key and asymmetric-key encryption methods are good for authentication.
CORRECT ANSWER: Asymmetric-key encryption method

Regarding GDPR, which of the following statements is/are correct?
a. It is a regulation enforced by EU.
b. It is to protect EU citizens' personal data.
c. It is not relevant to the companies in the U.S.
d. a and b are correct
e. a, b, and c are correct
CORRECT ANSWER: a and b are correct

Which organization created the Reporting on an Entity's Cybersecurity Risk Management Program and Controls: Attestation Guide in 2017?
- SEC
- AICPA
- US Congress
- Department of Homeland Security
CORRECT ANSWER: AICPA

Business continuity management is a
- preventive control.
- detective control.
- corrective control.
- Two of the choices are correct.
CORRECT ANSWER: corrective control.

Encryption is a
- preventive control.
- detective control.
- corrective control.
- Two of the choices are correct.
CORRECT ANSWER: preventive control.

What is fault tolerance?
- A policy allowing employees to make mistakes
- Using redundant units to continue functioning when a system is failing
- An application that can detect mistakes and correct mistakes automatically
- Two of the choices are correct.
CORRECT ANSWER: Using redundant units to continue functioning when a system is failing

Comparing encryption with hashing, which one of the following is correct?
- Hashing process is reversible.
- Encryption is used to ensure data integrity.
- Hashing results are large data.
- Encryption results are called cypher text.
CORRECT ANSWER: Encryption results are called cypher text.

Disaster recovery plan is a
- preventive control.
- detective control.
- corrective control.
- Two of the choices are correct.
CORRECT ANSWER: corrective control.

Select a correct statement describing encryption or hashing process.
- Encryption process is reversible.
- Hashing results are called message digests.
- Hashing process is used to obtain a digital signature.
- Encryption process is to maintain confidentiality.
- All of the choices are correct.
CORRECT ANSWER: Encryption process is reversible.

Select a correct statement regarding encryption methods.
- Most companies prefer using asymmetric-key encryption method for data transmission.
- Symmetric-key encryption method is used to authenticate trading partners.
- Only asymmetric-key encryption method can ensure confidentiality.
- Asymmetric-key encryption method is used to create digital signatures.
CORRECT ANSWER: Asymmetric-key encryption method is used to create digital signatures.

Based on SOX, which of the following sections is about internal controls?
- 401
- 906
- 404
- 302
CORRECT ANSWER: 404

SOX requires companies to use COSO or COSO ERM as the framework in evaluating internal controls.
- True
- False
CORRECT ANSWER: False

Controls that are designed to prevent, detect, or correct errors in transactions as they are processed through a specific subsystem are referred to as:
- general controls.
- application controls.
- physical controls.
- Two of the choices are correct.
- None of the choices are correct.
CORRECT ANSWER: application controls.

Which of the following is not a component in the COSO 2013 internal control framework?
- Control environment
- Risk assessment
- Control activities
- Effective operations
- Monitoring
CORRECT ANSWER: Effective operations

Prenumbering of source documents helps to verify that:
- multiple types of source documents have a unique identifier.
- no inventory has been misplaced.
- all transactions have been recorded because the numerical sequence serves as a control.
- documents have been used in order.
CORRECT ANSWER: all transactions have been recorded because the numerical sequence serves as a control

A field check is a(n)
- general control.
- detective control.
- output control.
- preventive control.
- corrective control.
CORRECT ANSWER: preventive control.

Which is not an example of a batch total?
- Hash total
- Financial total
- Exception total
- Record count
CORRECT ANSWER: Exception total

Backup is a preventive control.
- True
- False
CORRECT ANSWER: False

The computer sums the first four digits of a customer number to calculate the value of the fifth digit and then compares that calculation to the number typed during data entry. This is an example of a:
- check digit verification.
- field check.
- parity check.
- batch total.
CORRECT ANSWER: check digit verification.

Which of the following statements is correct?
- Regarding IT control and governance, the COBIT framework is most commonly adopted by companies in the United States.
- ITIL is the best internal control framework for the high-tech industry.
- ISO 27000 series are best practices for IT service management.
- SOX requires all public companies to use the COSO ERM framework to meet the requirements of section 404.
CORRECT ANSWER: Regarding IT control and governance, the COBIT framework is most commonly adopted by companies in the United States.

Based on SOX, which of the following sections is about corporate responsibility for financial reports?
- 101
- 201
- 302
- 404
CORRECT ANSWER: 302

Based on COSO 2013, which of the following statements is not correct?
- Employees at any level of an organization play a role in internal control.
- Internal controls can provide reasonable assurance only.
- Internal control is a process consisting of ongoing tasks and activities.
- The responsibility of monitoring the effectiveness of internal controls belongs to the internal audit group.
CORRECT ANSWER: The responsibility of monitoring the effectiveness of internal controls belongs to the internal audit group.

Which of the following is not one of the five essential components in the COSO 2013 framework?
- Control environment
- Control activities
- Monitoring activities
- Control assessment
CORRECT ANSWER: Control assessment

Access control to ensure only authorized personnel have access to a firm's network is a:
- input control.
- general control.
- process control.
- output control.
CORRECT ANSWER: general control.

The ISO 27000 series are a framework for:
- data management.
- IT governance.
- information security management.
- IT general controls.
CORRECT ANSWER: information security management.

Segregation of duty is a:
- preventive control.
- corrective control.
- detective control.
- personnel general control.
CORRECT ANSWER: preventive control.

The responsibility of enterprise risk management belongs to?
- Controller
- Internal auditors
- Management
- External auditors
CORRECT ANSWER: Management

Most input controls are designed to assess one field only, which of the following input controls will need to examine a record to determine the control is effective or not?
- Completeness check.
- Range check.
- Size check.
- Validity check.
CORRECT ANSWER: Completeness check.

Which of the following is a correct statement about COBIT 2019 framework?
- It is a framework for IT audit conducted by public accounting firms.
- It is a framework for enterprise risk management.
- It focuses on providing guidance for information security.
- It is designed for information and technology governance and management.
CORRECT ANSWER: It is designed for information and technology governance and management.

Which of the following is a correct statement about COSO ERM 2017 framework?
- It focuses on evaluating effectiveness of internal controls.
- It enhances alignment among strategy-setting, decision-making, and performance through enterprise risk management.
- It stresses the importance of having one department responsible for risk management.
- It is a framework developed by the IT audit profession.
CORRECT ANSWER: It enhances alignment among strategy-setting, decision-making, and performance through enterprise risk management.

Big Data is often described by the 4 Vs, or:
A. volume, volatility, veracity and variety.
B. volume, velocity, veracity, and variability.
C. volume, volatility, veracity, and variability.
D. volume, velocity, veracity, and variety.
CORRECT ANSWER: D. volume, velocity, veracity, and variety.

According to estimates considered in the chapter, up to what percentage of a data analyst's time is spent cleaning (or scrubbing) the data to be ready for analysis?
A. 0 percent
B. 90 percent
C. 20 percent
D. 40 percent
CORRECT ANSWER: B. 90 percent

The acronym ETL, in the process of readying data for use in data analysis, refers to what three words?
A. Extrapolate, transform, and learn
B. Extrapolate, transpose, and load
C. Extract, transform, and load
D. Extract, transform, and learn
CORRECT ANSWER: C. Extract, transform, and load

Which term is used to describe the science of examining raw data, removing excess noise from the dataset, and organizing the data with the purpose of drawing conclusions for decision making?
A. Audit Analytics
B. Data Analytics
C. Extract, transform, and load
D. Big Data
CORRECT ANSWER: B. Data Analytics

ADS is a standard format for data files and fields typically needed to support an external audit in a given financial business process area that was developed by the AICPA. The acronym ADS stands for what three words?
A. Audit Data Standards
B. Auditor Data Standards
C. Accounting Data Standards
D. Accounting Doctoral Scholars
CORRECT ANSWER: A. Audit Data Standards

Which type of question does prescriptive analysis address?
A. What should we do based on what we expect will happen?
B. What happened?
C. Will it happen in the future?
D. Why did it happen?
CORRECT ANSWER: A. What should we do based on what we expect will happen?

Which type of question does descriptive analysis address?
A. What should we do based on what we expect will happen?
B. Why did it happen?
C. What happened?
D. Will it happen in the future?
CORRECT ANSWER: C. What happened?

What type of analysis addresses questions of "Why did it happen"?
- Diagnostic analysis
- Predictive analysis
- Descriptive analysis
- Prescriptive analysis
CORRECT ANSWER: Diagnostic analysis

What type of analysis would address the question of whether a customer will ultimately pay if credit is granted?
A. Predictive analysis
B. Prescriptive analysis
C. Descriptive analysis
D. Diagnostic analysis
CORRECT ANSWER: A. Predictive analysis

If we wanted to know what grade we needed to get on the final in this class based on our expected performance before the final, we would call that _____________ analysis?
A. Prescriptive
B. Diagnostic
C. Predictive
D. Descriptive
CORRECT ANSWER: A. Prescriptive

Seller: paulhans, Chamberlain College Of Nursing