- ISACA.CISA.v2025-09-01.q454 Dumps
Question 376
Which of the following is a PRIMARY responsibility of a quality assurance (QA) team?
Correct Answer: D
A quality assurance (QA) team is a group of professionals who are responsible for ensuring that the products or services of an organization meet the quality standards and expectations of customers and stakeholders [1]. A QA team performs various activities, such as:
- Planning, designing, and executing quality tests and audits to verify the quality of the products or services [1]
- Identifying, analyzing, and reporting quality issues, defects, or non-conformities [1]
- Recommending and implementing corrective and preventive actions to resolve quality problems and prevent recurrence [1]
- Monitoring and measuring the effectiveness and efficiency of the quality processes and improvements [1]
- Establishing and maintaining quality documentation, records, and reports [1]
- Providing quality training, guidance, and support to the staff and management [1]
One of the primary responsibilities of a QA team is to implement procedures to facilitate adoption of quality management best practices. Quality management best practices are the methods, techniques, or tools that have been proven to be effective in achieving and maintaining high-quality standards in an organization [2]. Some examples of quality management best practices are:
- Adopting a customer-focused approach that aims to meet or exceed customer requirements and satisfaction [2]
- Implementing a process approach that manages the interrelated activities as a coherent system [2]
- Applying continuous improvement methods that seek to enhance the performance and value of the products or services [2]
- Using evidence-based decision making that relies on factual data and information [2]
- Developing a culture of engagement and empowerment that involves and motivates the people in the organization [2]
By implementing procedures to facilitate adoption of quality management best practices, a QA team can help the organization achieve the following benefits:
- Improve the quality and reliability of the products or services [2]
- Reduce the costs and risks associated with poor quality or non-compliance [2]
- Increase customer loyalty and retention [2]
- Enhance the reputation and competitiveness of the organization [2]
- Foster a culture of excellence and innovation in the organization [2]
The other options are not primary responsibilities of a QA team.
Creating test data to facilitate the user acceptance testing (UAT) process is a task that can be performed by a QA team, but it is not their main duty. UAT is a process in which the end users test the product or service to ensure that it meets their needs and expectations before it is released or deployed [3]. A QA team can create test data to simulate real-world scenarios and conditions for UAT, but they are not directly involved in conducting UAT.
Managing employee onboarding processes and background checks is not a responsibility of a QA team. Employee onboarding is a process in which new hires are integrated into the organization, while background checks are screenings that verify the identity, credentials, and history of potential employees [4]. These processes are usually handled by the human resources department or an external agency, not by a QA team.
Advising the steering committee on quality management issues and remediation efforts is not a primary responsibility of a QA team. A steering committee is a group of senior executives or managers who provide strategic direction, oversight, and support for a project or program [5]. A QA team can advise the steering committee on quality management issues and remediation efforts, but they are not accountable for making decisions or implementing actions.
Therefore, option D is the correct answer.
References:
1. Quality Assurance Team: Roles & Responsibilities
2. What are the Best Practices in Quality Management?
3. User Acceptance Testing (UAT): A Complete Guide
4. Employee Onboarding Process: Definition & Best Practices
5. What Is A Steering Committee? - The Basics
Question 377
An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way for the auditor to confirm the change log is complete?
Correct Answer: D
Explanation
The answer D is correct because the best way for the auditor to confirm the change log is complete is to take the last change from the system and trace it back to the log. A change log is a record of all the changes that have been made to a system, such as software updates, bug fixes, configuration modifications, etc. A change log should contain information such as the date and time of the change, the description and purpose of the change, the person or service who made the change, and the approval status of the change. A complete change log helps to ensure that the system is secure, reliable, and compliant with the relevant standards and regulations.
An IS auditor evaluating the change management process must select a sample from the change log to verify that the changes are properly authorized, documented, tested, and implemented. However, before selecting a sample, the auditor must ensure that the change log is complete and accurate, meaning that it contains all the changes that have been made to the system and that there are no missing, duplicated, or falsified entries. To do this, the auditor can use a technique called backward tracing, which involves taking the last change from the system and tracing it back to the log. This way, the auditor can check if the change is recorded in the log with all the relevant details and if there are any gaps or inconsistencies in the log. If the last change from the system is not found in the log or does not match with the log entry, it indicates that the change log is incomplete or inaccurate.
The other options are not as good as option D. Interviewing change management personnel about completeness (option A) is not a reliable way to confirm the change log is complete because it relies on subjective opinions and self-reported information, which may not be truthful or accurate. Taking an item from the log and tracing it back to the system (option B) is a technique called forward tracing, which can be used to verify that a specific change in the log has been implemented in the system. However, this technique does not confirm that all changes in the system are recorded in the log. Obtaining management attestation of completeness (option C) is not a sufficient way to confirm the change log is complete because it does not provide any evidence or verification of completeness. Management attestation may also be biased or influenced by conflicts of interest.
References:
IS Audit Basics: Auditing Data Privacy
Audit Logging: What It Is & How It Works | Datadog
Change Management for SOC: Risks, Controls, Audits, Guidance
Turn auditing on or off | Microsoft Learn
#118 | ITGC- System Change (Audit) Log Review - A2Q2
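The backward-tracing check from option D, as an added worked example that is not part of the original explanation: a constructed set of changes observed on the system itself is compared against a constructed change log. The last change applied to the system is looked up in the log, and a forward trace of a logged entry (option B) is shown alongside to make clear why it cannot prove completeness. The record fields, change identifiers and dates are assumptions for the illustration, not values from any real change-management tool.

```python
"""Reconcile a change log against evidence of changes actually applied to a system.

Added illustration of backward tracing (option D) versus forward tracing (option B).
All data below is constructed for the example; record layout is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Change:
    """One change record; frozen dataclass so equality compares every field."""
    change_id: str
    applied_at: datetime
    target: str
    description: str


# Constructed: changes observed on the system (e.g. exported deployment history).
# This is the source of truth the log must account for.
SYSTEM_CHANGES = [
    Change("CHG-1041", datetime(2025, 3, 2, 9, 15), "payroll-db", "Index added on employee_id"),
    Change("CHG-1042", datetime(2025, 3, 5, 14, 0), "payroll-app", "Patched tax calculation"),
    Change("CHG-1043", datetime(2025, 3, 9, 22, 30), "payroll-db", "Schema migration v12"),
    Change("CHG-1044", datetime(2025, 3, 12, 8, 45), "payroll-app", "Hotfix for report export"),
]

# Constructed: the change log under audit. CHG-1044 was never logged, and the
# CHG-1043 entry records a different migration than the one actually applied.
CHANGE_LOG = [
    Change("CHG-1041", datetime(2025, 3, 2, 9, 15), "payroll-db", "Index added on employee_id"),
    Change("CHG-1042", datetime(2025, 3, 5, 14, 0), "payroll-app", "Patched tax calculation"),
    Change("CHG-1043", datetime(2025, 3, 9, 22, 30), "payroll-db", "Schema migration v11"),
]


def backward_trace(system_changes, change_log):
    """Option D: take the LAST change applied to the system and look for it in the log.

    Returns a verdict dict; 'complete' is False when the entry is missing or when
    the logged details disagree with what is on the system.
    """
    if not system_changes:
        return {"complete": True, "change_id": None, "reason": "no changes applied to the system"}
    latest = max(system_changes, key=lambda c: c.applied_at)
    log_by_id = {e.change_id: e for e in change_log}
    entry = log_by_id.get(latest.change_id)
    if entry is None:
        return {"complete": False, "change_id": latest.change_id, "reason": "not recorded in change log"}
    if entry != latest:
        return {"complete": False, "change_id": latest.change_id, "reason": "log entry does not match system"}
    return {"complete": True, "change_id": latest.change_id, "reason": "latest system change is logged"}


def forward_trace(log_entry, system_changes):
    """Option B: take an entry from the log and confirm it exists on the system.

    Proves that this one entry was implemented, but is silent about changes on
    the system that were never written to the log.
    """
    return log_entry in system_changes


def reconcile(system_changes, change_log):
    """Generalisation of backward tracing to every change, not only the last one.

    Reports system changes absent from the log, logged entries whose details
    differ from the system, and logged entries with no trace on the system.
    """
    log_by_id = {e.change_id: e for e in change_log}
    sys_by_id = {c.change_id: c for c in system_changes}
    unlogged = sorted(cid for cid in sys_by_id if cid not in log_by_id)
    mismatched = sorted(cid for cid in sys_by_id if cid in log_by_id and log_by_id[cid] != sys_by_id[cid])
    unimplemented = sorted(cid for cid in log_by_id if cid not in sys_by_id)
    return {"unlogged": unlogged, "mismatched": mismatched, "unimplemented": unimplemented}


if __name__ == "__main__":
    print("backward trace:", backward_trace(SYSTEM_CHANGES, CHANGE_LOG))
    for entry in CHANGE_LOG:
        print("forward trace", entry.change_id, "->", forward_trace(entry, SYSTEM_CHANGES))
    print("full reconciliation:", reconcile(SYSTEM_CHANGES, CHANGE_LOG))
```

Running the block shows the backward trace flagging CHG-1044 as unlogged, while forward traces of the first two log entries succeed: a log can pass every forward trace and still be incomplete, which is the gap option B leaves. The reconcile() function extends the same comparison to every change so the auditor can size the population before sampling.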
Question 378
What should an IS auditor evaluate FIRST when reviewing an organization's response to new privacy legislation?
Correct Answer: D
The first thing that an IS auditor should evaluate when reviewing an organization's response to new privacy legislation is the analysis of systems that contain privacy components. Privacy components are elements of a system that collect, process, store, or transmit personal information that is subject to privacy legislation. An analysis of systems that contain privacy components should identify what types of personal information are involved, where they are located, how they are used, who has access to them, and what risks or threats they face. An analysis of systems that contain privacy components is essential for determining the scope and impact of the new privacy legislation on the organization's systems and processes.
The other options are not as important as option D.
An implementation plan for restricting the collection of personal information is a possible action, but not the first thing to evaluate, when reviewing an organization's response to new privacy legislation. Such a plan is a document that outlines how an organization will comply with the principle of data minimization, which states that personal information should be collected only for specific and legitimate purposes and only to the extent necessary for those purposes. It should be based on an analysis of systems that contain privacy components.
Privacy legislation in other countries that may contain similar requirements is a possible source of reference, but not the first thing to evaluate. It consists of the laws or regulations that govern the protection of personal information in other jurisdictions whose standards or expectations are comparable or compatible with the new privacy legislation. It may provide guidance or best practices for complying with the new legislation, but it should not be used as a substitute for an analysis of systems that contain privacy components.
An operational plan for achieving compliance with the legislation is a possible deliverable, but not the first thing to evaluate. It is a document that describes how an organization will implement and maintain the necessary policies, procedures, controls, and measures to comply with the new privacy legislation. It should be derived from an analysis of systems that contain privacy components.
References:
Privacy law - Wikipedia
Data Protection and Privacy Legislation Worldwide | UNCTAD
Data minimization - Wikipedia
Question 379
Which of the following testing methods examines the internal structure or workings of an application?
Correct Answer: A
Section: Information System Acquisition, Development and Implementation
Explanation/Reference:
White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests the internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determines the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT).
White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a system-level test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements.
For your exam you should know the information below:
Alpha and Beta Testing - An alpha version is an early version of the application system submitted to internal users for testing. The alpha version may not contain all the features planned for the final version. Typically, software goes through two stages of testing before it is considered finished. The first stage, called alpha testing, is often performed only by users within the organization developing the software. The second stage, called beta testing, is a form of user acceptance testing and generally involves a limited number of external users. Beta testing is the last stage of testing, and normally involves real-world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested users.
Pilot Testing - A preliminary test that focuses on specific and predefined aspects of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs of concept are early pilot tests, usually run on an interim platform and with only basic functionality.
White Box Testing - Assesses the effectiveness of a software program's logic. Specifically, test data are used in determining the procedural accuracy or conditions of a program's specific logic paths. However, testing all possible logical paths in a large information system is not feasible and would be cost prohibitive, and therefore it is used on a selective basis only.
Black Box Testing - An integrity-based form of testing associated with testing components of an information system's "functional" operating effectiveness without regard to any specific internal program structure. Applicable to integration and user acceptance testing.
Function/Validation Testing - Similar to system testing, but often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.
Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the original data.
Parallel Testing - The process of feeding test data into two systems, the modified system and an alternative system, and comparing the results.
Sociability Testing - The purpose of these tests is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover not only the platform that will perform primary application processing and interface with other systems but, in client-server and web development, changes to the desktop environment. Multiple applications may run on the user's desktop, potentially simultaneously, so it is important to test the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modifications, and possibly extra memory utilization.
The following answers are incorrect:
Parallel Testing - The process of feeding test data into two systems, the modified system and an alternative system, and comparing the results.
Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the original data.
Pilot Testing - A preliminary test that focuses on specific and predefined aspects of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs of concept are early pilot tests, usually run on an interim platform and with only basic functionality.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 167
Official ISC2 guide to CISSP CBK 3rd Edition Page number 176
Question 380
An IS auditor discovers that, due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?
Correct Answer: B
