CISA Exam Dumps - Certified Information Systems Auditor

The best way for an IS auditor to understand the software benefits to the organization would be to review the business case, which is a document that provides the justification and rationale for acquiring a software solution based on its expected costs, benefits, risks, and alignment with the organization’s goals and strategies. The business case helps to evaluate the feasibility and viability of the software acquisition and to support the decision-making process. A feasibility study is a document that analyzes the technical, operational, economic, legal, and social aspects of a software solution to determine its feasibility and suitability for the organization’s needs, but it does not necessarily provide a clear indication of the software benefits to the organization. A request for proposal (RFP) is a document that solicits proposals from potential vendors or suppliers for a software solution based on the organization’s requirements and specifications, but it does not necessarily provide a clear indication of the software benefits to the organization. The alignment with IT strategy is a factor that influences the software acquisition processand ensures that the software solution supports and enables the organization’s IT strategy, but it is not a document that can be reviewed by an IS auditor to understand the software benefits to the organization. References: CISA Review Manual(Digital Version), Chapter 3: Information Systems Acquisition, Development & Implementation, Section 3.1: Business Case Development

The best method to delete sensitive information from storage media that will be reused is multiple overwriting. This is because multiple overwriting ensures that the data is practically unrecoverable by any software or hardware means. Multiple overwriting involves writing 0s, 1s, or random patterns onto all sectors of the storage media several times, making the original data unreadable or inaccessible. There arevarious software programs available that can securely delete files from storage media using multiple overwriting techniques1.

Crypto-shredding is not the best method because it only works for encrypted data. Crypto-shredding involves deleting the encryption key used to encrypt the data, making the data unreadable and unrecoverable. However, if the data is not encrypted, crypto-shredding will not erase it2.

Reformatting and re-partitioning are not the best methods because they do not erase the data completely. Reformatting and re-partitioning only delete the file system structures and pointers that make the data accessible, but thedata itself remains on the storage media and can be recovered using data recovery software

 A feasibility study is an assessment that determines the likelihood of a proposed project being successful, such as a new system development1. A feasibility study typically covers various aspects of the project, such as technical, economic, operational and legal feasibility2. The IS auditor’s role is to audit the feasibility study and ensure that it is objective, realistic and reliable3.

One of the most important aspects of a feasibility study is the economic feasibility, which analyzes the costs and benefits of the proposed system and compares them with alternative solutions2. Theeconomic feasibility study should include a detailed breakdown of the development, implementation and operational costs, as well as the expected revenues, savings and intangible benefits of the system3. The IS auditor should review the cost-benefit documentation for reasonableness and accuracy, and verify that the assumptions and calculations are valid and supported by evidence3.

The other options are not directly related to auditing the feasibility study of a system development project. Reviewing qualifications of key members of the project team (option A) is more relevant to auditing the project management and human resources aspects of the project. Reviewing the request for proposal (RFP) to ensure that it covers the scope of work (option B) is more relevant to auditing the procurement and vendor selection process of the project. Ensuring that vendor contracts are reviewed by legal counsel (option D) is more relevant to auditing the legal and contractual aspects of the project.

References: 3: Types of Feasibility Study in Software Project Development 2: Feasibility Analysis in System Development Process 1: What Is a Feasibility Study? Definition, Benefits and Types

According to the CISA - Certified Information Systems Auditor Study Guide1, the correct answer to your question is A. Encrypt the disk drive. This is because encryption is a logical security measure that can protect data even if the physical device is stolen or lost. Encryption makes thedata unreadable and inaccessible without the proper key or password. The other options are not as effective as encryption in this scenario. Two-factor authentication is a user authentication method that requires two pieces of evidence to verify the user’s identity, such as a password and a code sent to a phone. However, this does not prevent unauthorized access to the data if the laptop is already logged in or if the attacker can bypass the authentication. Enhancing physical security is a preventive measure that can reduce the risk of theft, but it does not guarantee that theft will not occur or that the data will be safe if it does. Requiring the use of cable locks is another preventive measure that can deter thieves, but it can also be easily cut or removed by a determined attacker.

Separate authorization for input of transactions. This control would have best prevented this type of fraud in a retail environment by ensuring that the warehouse employee who handles the inventory items does not have the authority to enter adjustments to the inventory system. This would create a segregation of duties that would reduce the risk of collusion and concealment of theft.

The other options are not as effective as option A in preventing this type of fraud. Option B, statistical sampling of adjustment transactions, is a detective control that may help identify fraudulent transactions after they have occurred, but it does not prevent them from happening in the first place. Option C, unscheduled audits of lost stock lines, is also a detective control that may reveal discrepancies between the physical and recorded inventory, but it does not address the root cause of the fraud. Option D, an edit check for the validity of the inventory transaction, is a preventive control that may help verify the accuracy and completeness of the transaction data, but it does not prevent unauthorized or fraudulent adjustments.

References:

ISACA, CISA Review Manual, 27th Edition, 2019

ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

Different Types of Inventory Fraud and How to Prevent Them1

6 Ways to Prevent Inventory Fraud in Your Business2

The audit procedure that would have most likely identified the exception of critical servers not included in the central log repository is to compare a list of all servers from the directory server against a list of all servers present in the central log repository. This would allow the IS auditor to detect any discrepancies or omissions in the central log repository. The other audit procedures (A, C and D) would not be effective in identifying this exception, as they would only focus on the alerts generated, the alert settings configured, or the servers included in the previous year’s audit, which may not reflect the current state of the central log repository. References: IS Audit and Assurance Guideline 2202: Evidence Collection Techniques, CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.3: Logging and Monitoring

 This should be the IS auditor’s greatest concern, because it means that the organization has not considered the potential impact of the cloud document storage solution on its ability to continue its operations in the event of a disruption or disaster. A BCP is a document that outlines the procedures and actions to be taken in order to maintain or resume critical business functions during and after a crisis. A BCP should be updated whenever there is a significant change in the organization’s IT infrastructure, systems, processes, or dependencies, such as implementing a cloud document storage solution. The IS auditor should verify that the BCP reflects the current state of the organization’s IT environment, and that it addresses the risks, challenges, and opportunities associated with the cloud document storage solution.

The other options are not as concerning as the BCP not being updated:

Users are not required to sign updated acceptable use agreements. This is a minor concern, but it does not pose a major threat to the organization’s business continuity. Acceptable use agreements are documents that define the rules and guidelines for using IT resources, such as the cloud document storage solution. Users should sign updated acceptable use agreements to acknowledge their responsibilities and obligations, and to comply with the organization’spolicies and standards. However, this does not affect the organization’s ability to continue its operations in a crisis.

Users have not been trained on the new system. This is a moderate concern, but it does not jeopardize the organization’s business continuity. Training users on the new system is important to ensure that they can use it effectively and efficiently, and to avoid errors or misuse that could compromise the security or performance of the system. However, this does not prevent the organization from accessing or restoring its data in a crisis.

Mobile devices are not encrypted. This is a serious concern, but it does not directly impact the organization’s business continuity. Encrypting mobile devices is a security measure thatprotects the data stored on them from unauthorized access or disclosure in case of loss or theft. However, this does not affect the availability or integrity of the data stored in the cloud document storage solution, which should have its own encryption mechanisms.

 The auditor should be most concerned with the impact AI will have on enterprise architecture (EA) when reviewing a project to replace multiple manual data entry systems with an AI system. EA is a comprehensive framework that defines the structure, components, relationships, and principles of an organization’s IT environment. EA can help to align the IT strategy with the business strategy and ensure the coherence, consistency, and integration of the IT systems and services. Replacing manual data entry systems with an AI system may have significant implications for the EA, such aschanging the business processes, data flows, security requirements, performance standards, or governance models. The auditor should assess whether the project has considered the impact of AI on EA and whether the EA has been updated accordingly. References:

CISA Review Manual (Digital Version), Chapter 1, Section 1.41

CISA Online Review Course, Domain 5, Module 1, Lesson 22