Isaca CISA Certified Information Systems Auditor Exam Practice Test

Answer : A

Answer : D

The most important thing to define within a disaster recovery plan (DRP) is the roles and responsibilities for recovery team members, as this ensures that everyone knows what to do, who to report to, and how to communicate in the event of a disaster. A business continuity plan (BCP) is a broader document that covers the overall strategy and objectives for maintaining or resuming business operations after a disaster. Test results for backup data restoration are important to verify the integrity and availability of backup data, but they are not part of the DRP itself.A comprehensive list of disaster recovery scenarios and priorities is useful to identify the potential risks and impacts of different types of disasters, but it is not as critical as defining the roles and responsibilities for recovery team members.Reference:CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations, Maintenance and Service Management, Section 4.3: Disaster Recovery Planning1

Answer : D

In the event of a disaster where the data center is no longer available, the first step should be to activate the call tree1.A call tree is a layered hierarchical communication model used to notify specific individuals of an event and coordinate recovery efforts1.This ensures that all relevant parties are informed about the situation and can begin executing their parts of the disaster recovery plan1.

IT Disaster Recovery Plan | Ready.gov

Answer : B

The effectiveness of an information security awareness program is best measured by assessing real-world behavior rather than subjective feedback or indirect metrics. Social engineering exercises simulate real-world attack scenarios, testing whether employees can identify and respond appropriately to security threats. This directly evaluates the program's impact on employee behavior and awareness.

Measuring User Satisfaction (Option A):While useful for feedback, satisfaction does not measure the effectiveness of awareness in preventing security incidents.

Reviewing Security Staff Performance Evaluations (Option C):This focuses on staff capabilities rather than the awareness program's effectiveness.

Analyzing Help Desk Calls (Option D):This might provide insight into recurring issues but does not directly measure the program's success in changing user behavior.

Conducting social engineering exercises aligns with best practices for assessing organizational security awareness.

Answer : C

The primary role of an internal audit function in the management of identified business risks is to validate the enterprise risk management (ERM) process and provide assurance on its effectiveness. The internal audit function should evaluate whether the ERM process is aligned with the organization's objectives, strategies, policies and culture, and whether it covers all relevant risks and controls. The internal audit function should also assess whether the ERM process is operating as designed and producing reliable and timely information for decision making. The other options are not the primary role of an internal audit function, but rather the responsibilities of senior management, board of directors or risk owners.Reference:

ISACA, CISA Review Manual, 27thEdition, chapter 1, section 1.41

ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 12072

Answer : D

Answer : C

The most important aspect of an application development acceptance test is that user management approves the test design before the test is started, as this ensures that the test objectives, criteria, and procedures are aligned with the user requirements and expectations. The programming team's involvement in the testing process, the testing of data files for valid information before conversion, and the quality assurance (QA) team's charge of the testing process are also important, but they are not as critical as user management's approval of the test design.Reference:CISA Review Manual (Digital Version), Chapter 4, Section 4.4.2