CISA 試験問題 746
A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger. and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
正解: D
The primary focus of the IS auditor reviewing the first year of the project should be regression testing.
Regression testing is a type of testing that ensures that the existing functionality of the system is not affected by the changes or upgrades made to the system. Since the project involves upgrading the ERP system hosting the general ledger, which is a critical and complex component of the finance department, it is important to verify that the upgrade does not introduce any errors or defects that could compromise the accuracy, completeness, and reliability of the financial data and reports. Regression testing can help identify and resolve any issues before they affect the users and the business processes.
Unit testing, network performance, and user acceptance testing (UAT) are also important aspects of the project, but they are not the primary focus of the IS auditor in the first year. Unit testing is a type of testing that verifies that each individual module or component of the system works as expected. Network performance is a measure of how well the system can communicate and exchange data with other systems and devices over a network. User acceptance testing (UAT) is a type of testing that validates that the system meets the user requirements and expectations. These aspects are more relevant in later stages of the project, when the system is more developed and ready for deployment.
References:
ERP Upgrade: The Path to Modernization | SAP
ERP System Validation: Your Guide To Successfully Validating ERP Systems The role of internal auditors in ERP#based organizations What is Regression Testing? Definition, Tools and Examples What is Unit Testing? Definition, Tools and Examples What is Network Performance? Definition, Metrics and Examples What is User Acceptance Testing (UAT)? Definition, Process and Examples
Regression testing is a type of testing that ensures that the existing functionality of the system is not affected by the changes or upgrades made to the system. Since the project involves upgrading the ERP system hosting the general ledger, which is a critical and complex component of the finance department, it is important to verify that the upgrade does not introduce any errors or defects that could compromise the accuracy, completeness, and reliability of the financial data and reports. Regression testing can help identify and resolve any issues before they affect the users and the business processes.
Unit testing, network performance, and user acceptance testing (UAT) are also important aspects of the project, but they are not the primary focus of the IS auditor in the first year. Unit testing is a type of testing that verifies that each individual module or component of the system works as expected. Network performance is a measure of how well the system can communicate and exchange data with other systems and devices over a network. User acceptance testing (UAT) is a type of testing that validates that the system meets the user requirements and expectations. These aspects are more relevant in later stages of the project, when the system is more developed and ready for deployment.
References:
ERP Upgrade: The Path to Modernization | SAP
ERP System Validation: Your Guide To Successfully Validating ERP Systems The role of internal auditors in ERP#based organizations What is Regression Testing? Definition, Tools and Examples What is Unit Testing? Definition, Tools and Examples What is Network Performance? Definition, Metrics and Examples What is User Acceptance Testing (UAT)? Definition, Process and Examples
CISA 試験問題 747
Which of the following security measures is MOST important for protecting Internet of Things (IoT) devices from potential cyberattacks?
正解: C
The most important security measure for protecting Internet of Things (IoT) devices from potential cyberattacks is changing default passwords. Many IoT devices come with default, easily guessable passwords, which are a common target for attackers. Changing these passwords to strong, unique ones significantly reduces the risk of unauthorized access and helps secure the devices from cyberattacks.
CISA 試験問題 748
While implementing an invoice system, Lily has implemented a database control which checks that new
transactions are matched to those previously input to ensure that they have not already been entered.
Which of the following control is implemented by Lily?
transactions are matched to those previously input to ensure that they have not already been entered.
Which of the following control is implemented by Lily?
正解: B
Section: Information System Acquisition, Development and Implementation
Explanation/Reference:
In a duplicate check control new transaction are matched to those previously input to ensure that they have
not already been entered. For ex. A vendor invoice number agrees with previously recorded invoice to
ensure that the current order is not a duplicate and, therefore, the vendor will not be paid twice.
For CISA exam you should know below mentioned data validation edits and controls
Sequence Check - The control number follows sequentially and any sequence or duplicated control
numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are
numbered sequentially. The day's invoice begins with 12001 and ends with 15045. If any invoice larger than
15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.
Limit Check -Data should not exceed a predefined amount. For example, payroll checks should not exceed
US $ 4000. If a check exceeds US $ 4000, data would be rejected for further verification/authorization.
Validity Check -Programmed checking of data validity in accordance with predefined criteria. For example,
a payroll record contains a field for marital status and the acceptable status codes are M or
S. If any other
code is entered, record should be rejected.
Range Check -Data should not exceed a predefined range of values. For example, product type code
range from 100 to 250. Any code outside this range should be rejected as an invalid product type.
Reasonableness check - Input data are matched to predefined reasonable limits or occurrence rates. For
example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more
than 20 widgets is received, the computer program should be designed to print the record with a warning
indicating that the order appears unreasonable.
Table Lookups - Input data comply with predefined criteria maintained in computerized table of possible
values. For example, an input check enters a city code of 1 to 10. This number corresponds with a
computerize table that matches a code to a city name.
Existence Check - Data are entered correctly and agree with valid predefined criteria. For example, a valid
transaction code must be entered in transaction code field.
Key verification -The keying process is repeated by a separate individual using a machine that compares
the original key stroke to the repeated keyed input. For ex. the worker number is keyed twice and
compared to verify the keying process.
Check digit - a numeric value that has been calculated mathematically is added to a data to ensure that
original data have not been p[ altered or incorrect, but Valid, value substituted. This control is effective in
detecting transposition and transcription error. For ex. A check digit is added to an account number so it
can be checked for accuracy when it is used.
Completeness check - a filed should always contain data rather than zero or blanks. A check of each byte
of that field should be performed to determine that some form of data, or not blanks or zeros, is present.
For ex. A worker number on a new employee record is left blank. His is identified as a key in filed and the
record would be rejected, with a request that the field be completed before the record is accepted for
processing.
Duplicate check- new transaction is matched to those previously input to ensure that they have not already
been entered. For ex. A vendor invoice number agrees with previously recorded invoice to ensure that the
current order is not a duplicate and, therefore, the vendor will not be paid twice.
Logical relationship check - if a particular condition is true, then one or more additional conditions or data
input relationship may be required to be true and consider the input valid. For ex. The hire data of an
employee may be required to be true and consider the input valid. For ex. The hire date of an employee
may be required to be more than 16 years past his/her date of birth.
The following were incorrect answers:
Range Check -Data should not exceed a predefined range of values. For example, product type code
range from 100 to 250. Any code outside this range should be rejected as an invalid product type.
Existence Check - Data are entered correctly and agree with valid predefined criteria. For example, a valid
transaction code must be entered in transaction code field.
Reasonableness check - Input data are matched to predefined reasonable limits or occurrence rates. For
example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more
than 20 widgets is received, the computer program should be designed to print the record with a warning
indicating that the order appears unreasonable.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 215
Explanation/Reference:
In a duplicate check control new transaction are matched to those previously input to ensure that they have
not already been entered. For ex. A vendor invoice number agrees with previously recorded invoice to
ensure that the current order is not a duplicate and, therefore, the vendor will not be paid twice.
For CISA exam you should know below mentioned data validation edits and controls
Sequence Check - The control number follows sequentially and any sequence or duplicated control
numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are
numbered sequentially. The day's invoice begins with 12001 and ends with 15045. If any invoice larger than
15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.
Limit Check -Data should not exceed a predefined amount. For example, payroll checks should not exceed
US $ 4000. If a check exceeds US $ 4000, data would be rejected for further verification/authorization.
Validity Check -Programmed checking of data validity in accordance with predefined criteria. For example,
a payroll record contains a field for marital status and the acceptable status codes are M or
S. If any other
code is entered, record should be rejected.
Range Check -Data should not exceed a predefined range of values. For example, product type code
range from 100 to 250. Any code outside this range should be rejected as an invalid product type.
Reasonableness check - Input data are matched to predefined reasonable limits or occurrence rates. For
example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more
than 20 widgets is received, the computer program should be designed to print the record with a warning
indicating that the order appears unreasonable.
Table Lookups - Input data comply with predefined criteria maintained in computerized table of possible
values. For example, an input check enters a city code of 1 to 10. This number corresponds with a
computerize table that matches a code to a city name.
Existence Check - Data are entered correctly and agree with valid predefined criteria. For example, a valid
transaction code must be entered in transaction code field.
Key verification -The keying process is repeated by a separate individual using a machine that compares
the original key stroke to the repeated keyed input. For ex. the worker number is keyed twice and
compared to verify the keying process.
Check digit - a numeric value that has been calculated mathematically is added to a data to ensure that
original data have not been p[ altered or incorrect, but Valid, value substituted. This control is effective in
detecting transposition and transcription error. For ex. A check digit is added to an account number so it
can be checked for accuracy when it is used.
Completeness check - a filed should always contain data rather than zero or blanks. A check of each byte
of that field should be performed to determine that some form of data, or not blanks or zeros, is present.
For ex. A worker number on a new employee record is left blank. His is identified as a key in filed and the
record would be rejected, with a request that the field be completed before the record is accepted for
processing.
Duplicate check- new transaction is matched to those previously input to ensure that they have not already
been entered. For ex. A vendor invoice number agrees with previously recorded invoice to ensure that the
current order is not a duplicate and, therefore, the vendor will not be paid twice.
Logical relationship check - if a particular condition is true, then one or more additional conditions or data
input relationship may be required to be true and consider the input valid. For ex. The hire data of an
employee may be required to be true and consider the input valid. For ex. The hire date of an employee
may be required to be more than 16 years past his/her date of birth.
The following were incorrect answers:
Range Check -Data should not exceed a predefined range of values. For example, product type code
range from 100 to 250. Any code outside this range should be rejected as an invalid product type.
Existence Check - Data are entered correctly and agree with valid predefined criteria. For example, a valid
transaction code must be entered in transaction code field.
Reasonableness check - Input data are matched to predefined reasonable limits or occurrence rates. For
example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more
than 20 widgets is received, the computer program should be designed to print the record with a warning
indicating that the order appears unreasonable.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 215
CISA 試験問題 749
The PRIMARY purpose of a configuration management system is to:
正解: B
Explanation
A configuration management system is a process that establishes and maintains the consistency of a product's attributes throughout its life cycle. It helps to identify and control the functional and physical characteristics of a product, and to record and report any changes to those characteristics. A configuration management system also supports the audit of the product to verify its conformance to requirements.
構成管理システムの主要な活動の一つは、ソフトウェアのベースラインを定義することです。ベースラインとは、比較や測定の基準となる固定された参照点です。要件、設計文書、テスト計画、ソフトウェアコンポーネントなど、あらゆる構成項目に対してベースラインを設定できます。ベースラインを設定することで、ソフトウェア製品が本来の目的と品質基準を満たしていること、そしてソフトウェアへの変更が適切に管理され、文書化されることを保証できます。
構成管理システムは、ソフトウェアの更新の追跡、リリース手順のサポート、変更承認の標準化など、その他の活動もサポートしますが、これらはその主な目的ではありません。
したがって、他の選択肢は誤りです。
参考文献: : 構成管理とは - Red Hat : 構成管理 | 定義、重要性、および利点 - ServerWatch
A configuration management system is a process that establishes and maintains the consistency of a product's attributes throughout its life cycle. It helps to identify and control the functional and physical characteristics of a product, and to record and report any changes to those characteristics. A configuration management system also supports the audit of the product to verify its conformance to requirements.
構成管理システムの主要な活動の一つは、ソフトウェアのベースラインを定義することです。ベースラインとは、比較や測定の基準となる固定された参照点です。要件、設計文書、テスト計画、ソフトウェアコンポーネントなど、あらゆる構成項目に対してベースラインを設定できます。ベースラインを設定することで、ソフトウェア製品が本来の目的と品質基準を満たしていること、そしてソフトウェアへの変更が適切に管理され、文書化されることを保証できます。
構成管理システムは、ソフトウェアの更新の追跡、リリース手順のサポート、変更承認の標準化など、その他の活動もサポートしますが、これらはその主な目的ではありません。
したがって、他の選択肢は誤りです。
参考文献: : 構成管理とは - Red Hat : 構成管理 | 定義、重要性、および利点 - ServerWatch
CISA 試験問題 750
A disaster recovery plan (DRP) should include steps for:
正解: D
A disaster recovery plan (DRP) is a set of detailed, documented guidelines that outline a business' critical assets and explain how the organization will respond to unplanned incidents. Unplanned incidents or disasters typically include cyberattacks, system failures, power outages, natural disasters, equipment failures, or infrastructure damage1. A DRP aims to minimize the impact of a disaster on the business continuity, data integrity, and service delivery of the organization. A DRP also helps the organization recover from a disaster as quickly and efficiently as possible.
A DRP should include steps for obtaining replacement supplies, as this is an essential part of restoring the normal operation of the organization after a disaster. Replacement supplies may include hardware, software, data, network components, office equipment, or other resources that are needed to resume the business functions and processes that were disrupted by the disaster. Obtaining replacement supplies may involve contacting vendors, suppliers, or partners; activating backup or alternative systems; or purchasing or renting new equipment. A DRP should identify the sources, locations, and costs of the replacement supplies, as well as the procedures and responsibilities for acquiring and installing them.
他の 3 つのオプションは、災害前の計画プロセスの一部であるか、災害復旧の目的に直接関係しないため、DRP に含めるべき手順ではありません。リスクの評価と定量化は、組織に影響を与える可能性のある潜在的な脅威と脆弱性を特定し、各シナリオの可能性と影響を判断するのに役立つため、DRP を作成する前に実行すべき手順です 2。災害計画コンサルタントとの契約交渉も、外部の専門知識とガイダンスを使用して組織が DRP を設計、実装、テスト、および維持するのに役立つ災害前の活動です 3。アプリケーション制御要件の特定は、DRP の手順ではなく、組織が使用するソフトウェア アプリケーションの品質、セキュリティ、および信頼性を保証するアプリケーション開発および保守プロセスの一部です。
したがって、代替品を入手することが正しい解決策です。
参考文献:
* 災害復旧計画とは? + チェックリスト
* リスク評価 - ISACA
* 災害復旧計画 - ISACA
* [アプリケーション制御 - ISACA]
A DRP should include steps for obtaining replacement supplies, as this is an essential part of restoring the normal operation of the organization after a disaster. Replacement supplies may include hardware, software, data, network components, office equipment, or other resources that are needed to resume the business functions and processes that were disrupted by the disaster. Obtaining replacement supplies may involve contacting vendors, suppliers, or partners; activating backup or alternative systems; or purchasing or renting new equipment. A DRP should identify the sources, locations, and costs of the replacement supplies, as well as the procedures and responsibilities for acquiring and installing them.
他の 3 つのオプションは、災害前の計画プロセスの一部であるか、災害復旧の目的に直接関係しないため、DRP に含めるべき手順ではありません。リスクの評価と定量化は、組織に影響を与える可能性のある潜在的な脅威と脆弱性を特定し、各シナリオの可能性と影響を判断するのに役立つため、DRP を作成する前に実行すべき手順です 2。災害計画コンサルタントとの契約交渉も、外部の専門知識とガイダンスを使用して組織が DRP を設計、実装、テスト、および維持するのに役立つ災害前の活動です 3。アプリケーション制御要件の特定は、DRP の手順ではなく、組織が使用するソフトウェア アプリケーションの品質、セキュリティ、および信頼性を保証するアプリケーション開発および保守プロセスの一部です。
したがって、代替品を入手することが正しい解決策です。
参考文献:
* 災害復旧計画とは? + チェックリスト
* リスク評価 - ISACA
* 災害復旧計画 - ISACA
* [アプリケーション制御 - ISACA]
- 他のバージョン
- 2028ISACA.CISA.v2026-05-23.q352
- 6065ISACA.CISA.v2025-02-07.q999
- 4268ISACA.CISA.v2024-09-23.q905
- 993ISACA.CISA.v2024-06-15.q120
- 2499ISACA.CISA.v2023-11-23.q401
- 1971ISACA.CISA.v2022-12-04.q122
- 最新アップロード
- 131LinuxFoundation.KCSA.v2026-07-11.q23
- 130Fortinet.NSE7_SOC_AR-7.6.v2026-07-11.q23
- 227Salesforce.Data-Architect.v2026-07-11.q178
- 332Cisco.350-801.v2026-07-11.q280
- 732ISACA.CISA.v2026-07-11.q999
- 371ISC.CCSP.v2026-07-11.q364
- 182Fortinet.FCP_FAZ_AN-7.6.v2026-07-11.q88
- 325Google.Professional-Cloud-Developer.v2026-07-10.q342
- 138WGU.Applied-Algebra.v2026-07-10.q33
- 177Esri.EAEP_2025.v2026-07-10.q95
