Isaca CISA
Certified Information Systems Auditor
Version: 3.9
, Isaca CISA Exam
Topic 1, Main Questions (240 Main Questions)
QUESTION NO: 1
IS management has decided to rewrite a legacy customer relations system using fourth generation
languages (4GLs). Which of the following risks is MOST often associated with system
development using 4GLs?
A. Inadequate screen/report design facilities
B. Complex programming language subsets
C. Lack of portability across operating systems
D. Inability to perform data intensive operations
Answer: D
Explanation:
4GLs are usually not suitable for data intensive operations. Instead, they are used mainly for
graphic user interface (GUI) design or as simple query/report generators.
QUESTION NO: 2
Which of the following would be the BEST method for ensuring that critical fields in a master
record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report
Answer: D
Explanation:
A before-and-after maintenance report is the best answer because a visual review would provide
the most positive verification that updating was proper.
QUESTION NO: 3
Which of the following is a dynamic analysis tool for the purpose of testing software modules?
A. Blackbox test
B. Desk checking
C. Structured walk-through
D. Design and code
Answer: A
Explanation:
"Pass Any Exam. Any Time." - www.actualtests.com 2
, Isaca CISA Exam
A blackbox test is a dynamic analysis tool for testing software modules. During the testing of
software modules a blackbox test works first in a cohesive manner as one single unit/entity,
consisting of numerous modules and second, with the user data that flows across software
modules. In some cases, this even drives the software behavior.
QUESTION NO: 4
Which of the following is MOST likely to result from a business process reengineering (BPR)
project?
A. An increased number of people using technology
B. Significant cost savings, through a reduction in the complexity of information technology
C. A weaker organizational structures and less accountability
D. Increased information protection (IP) risk will increase
Answer: A
Explanation:
A BPR project more often leads to an increased number of people using technology, and this
would be a cause for concern. Incorrect answers:
B. As BPR is often technology oriented, and this technology is usually more complex and volatile
than in the past, cost savings do not often materialize in this areA.
D. There is no reason for IP to conflict with a BPR project, unless the project is not run properly.
QUESTION NO: 5
Which of the following devices extends the network and has the capacity to store frames and act
as a storage and forward device?
A. Router
B. Bridge
C. Repeater
D. Gateway
Answer: B
Explanation:
A bridge connects two separate networks to form a logical network (e.g., joining an ethernet and
token network) and has the storage capacity to store frames and act as a storage and forward
device. Bridges operate at the OSI data link layer by examining the media access control header
of a data packet.
QUESTION NO: 6
Which of the following is a benefit of using callback devices?
"Pass Any Exam. Any Time." - www.actualtests.com 3
, Isaca CISA Exam
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding
Answer: A
Explanation:
A callback feature hooks into the access control software and logs all authorized and unauthorized
access attempts, permitting the follow-up and further review of potential breaches. Call forwarding
(choice D) is a means of potentially bypassing callback control. By dialing through an authorized
phone number from an unauthorized phone number, a perpetrator can gain computer access. This
vulnerability can be controlled through callback systems that are available.
QUESTION NO: 7
A call-back system requires that a user with an id and password call a remote server through a
dial-up line, then the server disconnects and:
A. dials back to the user machine based on the user id and password using a telephone number
from its database.
B. dials back to the user machine based on the user id and password using a telephone number
provided by the user during this connection.
C. waits for a redial back from the user machine for reconfirmation and then verifies the user id
and password using its database.
D. waits for a redial back from the user machine for reconfirmation and then verifies the user id
and password using the sender's database.
Answer: A
Explanation:
A call-back system in a net centric environment would mean that a user with an id and password
calls a remote server through a dial-up line first, and then the server disconnects and dials back to
the user machine based on the user id and password using a telephone number from its database.
Although the server can depend upon its own database, it cannot know the authenticity of the
dialer when the user dials again. The server cannot depend upon the sender's database to dial
back as the same could be manipulated.
QUESTION NO: 8
Structured programming is BEST described as a technique that:
A. provides knowledge of program functions to other programmers via peer reviews.
B. reduces the maintenance time of programs by the use of small-scale program modules.
C. makes the readable coding reflect as closely as possible the dynamic execution of the program.
"Pass Any Exam. Any Time." - www.actualtests.com 4
Certified Information Systems Auditor
Version: 3.9
, Isaca CISA Exam
Topic 1, Main Questions (240 Main Questions)
QUESTION NO: 1
IS management has decided to rewrite a legacy customer relations system using fourth generation
languages (4GLs). Which of the following risks is MOST often associated with system
development using 4GLs?
A. Inadequate screen/report design facilities
B. Complex programming language subsets
C. Lack of portability across operating systems
D. Inability to perform data intensive operations
Answer: D
Explanation:
4GLs are usually not suitable for data intensive operations. Instead, they are used mainly for
graphic user interface (GUI) design or as simple query/report generators.
QUESTION NO: 2
Which of the following would be the BEST method for ensuring that critical fields in a master
record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report
Answer: D
Explanation:
A before-and-after maintenance report is the best answer because a visual review would provide
the most positive verification that updating was proper.
QUESTION NO: 3
Which of the following is a dynamic analysis tool for the purpose of testing software modules?
A. Blackbox test
B. Desk checking
C. Structured walk-through
D. Design and code
Answer: A
Explanation:
"Pass Any Exam. Any Time." - www.actualtests.com 2
, Isaca CISA Exam
A blackbox test is a dynamic analysis tool for testing software modules. During the testing of
software modules a blackbox test works first in a cohesive manner as one single unit/entity,
consisting of numerous modules and second, with the user data that flows across software
modules. In some cases, this even drives the software behavior.
QUESTION NO: 4
Which of the following is MOST likely to result from a business process reengineering (BPR)
project?
A. An increased number of people using technology
B. Significant cost savings, through a reduction in the complexity of information technology
C. A weaker organizational structures and less accountability
D. Increased information protection (IP) risk will increase
Answer: A
Explanation:
A BPR project more often leads to an increased number of people using technology, and this
would be a cause for concern. Incorrect answers:
B. As BPR is often technology oriented, and this technology is usually more complex and volatile
than in the past, cost savings do not often materialize in this areA.
D. There is no reason for IP to conflict with a BPR project, unless the project is not run properly.
QUESTION NO: 5
Which of the following devices extends the network and has the capacity to store frames and act
as a storage and forward device?
A. Router
B. Bridge
C. Repeater
D. Gateway
Answer: B
Explanation:
A bridge connects two separate networks to form a logical network (e.g., joining an ethernet and
token network) and has the storage capacity to store frames and act as a storage and forward
device. Bridges operate at the OSI data link layer by examining the media access control header
of a data packet.
QUESTION NO: 6
Which of the following is a benefit of using callback devices?
"Pass Any Exam. Any Time." - www.actualtests.com 3
, Isaca CISA Exam
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding
Answer: A
Explanation:
A callback feature hooks into the access control software and logs all authorized and unauthorized
access attempts, permitting the follow-up and further review of potential breaches. Call forwarding
(choice D) is a means of potentially bypassing callback control. By dialing through an authorized
phone number from an unauthorized phone number, a perpetrator can gain computer access. This
vulnerability can be controlled through callback systems that are available.
QUESTION NO: 7
A call-back system requires that a user with an id and password call a remote server through a
dial-up line, then the server disconnects and:
A. dials back to the user machine based on the user id and password using a telephone number
from its database.
B. dials back to the user machine based on the user id and password using a telephone number
provided by the user during this connection.
C. waits for a redial back from the user machine for reconfirmation and then verifies the user id
and password using its database.
D. waits for a redial back from the user machine for reconfirmation and then verifies the user id
and password using the sender's database.
Answer: A
Explanation:
A call-back system in a net centric environment would mean that a user with an id and password
calls a remote server through a dial-up line first, and then the server disconnects and dials back to
the user machine based on the user id and password using a telephone number from its database.
Although the server can depend upon its own database, it cannot know the authenticity of the
dialer when the user dials again. The server cannot depend upon the sender's database to dial
back as the same could be manipulated.
QUESTION NO: 8
Structured programming is BEST described as a technique that:
A. provides knowledge of program functions to other programmers via peer reviews.
B. reduces the maintenance time of programs by the use of small-scale program modules.
C. makes the readable coding reflect as closely as possible the dynamic execution of the program.
"Pass Any Exam. Any Time." - www.actualtests.com 4
