CISA Exam Dumps - Certified Information Systems Auditor

The lack of system documentation should be of most concern to an IS auditor reviewing the information systems acquisition, development, and implementation process. This is because system documentation is a vital source of information that describes the system’s purpose, functionality, design, architecture, testing, deployment, operation, and maintenance. System documentation helps the IS auditor to understand and evaluate the system’s quality, performance, security, compliance, and alignment with the business requirements and objectives. Without system documentation, the IS auditor may not be able to perform a thorough and effective audit of the system, aswell as identify any issues or risks that may affect the system’s reliability or integrity12.

Data owners are not trained on the use of data conversion tools is not the most concerning issue, although it may indicate a lack of user readiness or competence for the system implementation. Data conversion tools are software applications that help users to transform data from one format or structure to another, such as from legacy systems to new systems. Data owners are users who have the responsibility and authority to manage and control the data within their domain. Data owners should be trained on how to use data conversion tools to ensure that the data is accurately and securely transferred to the new system, as well as to avoid any data loss, corruption, or inconsistency. However, data owners are not the only users who need training for the system implementation, and data conversion tools are not the only tools that need training34.

A post-implementation lessons-learned exercise was not conducted is not the most concerning issue, although it may indicate a lack of continuous improvement or learning culture for the system development and implementation process. A post-implementation lessons-learned exercise is a meeting or a session that takes place after the completion of a system implementation project, where the project team and stakeholders discuss and document the successes and failures of the project, as well as identify any best practices or areas for improvement for future projects. Apost-implementation lessons-learned exercise can help to enhance the project management skills, knowledge, and performance of the project team and stakeholders, as well as to avoid repeating the same mistakes or problems in future projects56.

System deployment is routinely performed by contractors is not the most concerning issue, although it may pose some challenges or risks for the system implementation process. System deployment is the final stage of the system development life cycle (SDLC), where the system is installed and configured on the target environment and made available for use by end-users. System deployment can be performed by internal staff or external contractors, depending on the availability, expertise, and cost of resources. System deployment by contractors may offer some benefits such as faster delivery, lower cost, or higher quality than internal staff. However, system deployment by contractors mayalso introduce some risks such as loss of control, dependency, or security breaches over the system implementation process

The auditor should verify whether a right-to-audit clause exists (B) next, because it is a contractual provision that grants the auditor the right to access and examine the records, systems, and processes of the SaaS provider. A right-to-audit clause is important for ensuring transparency, accountability, and compliance of the SaaS provider with the customer’s requirements and expectations. A right-to-audit clause can also help the auditor to identify and mitigate any risks or issues related to the SaaS agreement12.

Verifying whether IT management monitors the effectiveness of the environment (A) is not the next step, because it is a part of the ongoing monitoring andevaluation process, not the initial walk-through procedures. The auditor should first establish the scope, objectives, and criteria of the audit before assessing the performance and controls of the SaaS provider.

Verifying whether a third-party security attestation exists © is not the next step, because it is not a mandatory requirement for a SaaS agreement. A third-party security attestation is a report or certificate issued by an independent auditor that evaluates and validates the security controls and practices of the SaaS provider. A third-party security attestation can provide assurance and confidence to the customer, but it does not replace or eliminate the need for a right-to-audit clause3.

Verifying whether service level agreements (SLAs) are defined and monitored (D) is not the next step, because it is not directly related to the audit process. SLAs are contractual agreements that specify the quality, availability, and performance standards of the SaaS provider. SLAs are important for measuring and managing the service delivery and customer satisfaction, but they do not grant or guarantee the right to audit4.

The business owner is the person or entity that has the authority and responsibility for defining the purpose and scope of the processing of personal data, as well as the expected outcomes and benefits. The business owner is also accountable for ensuring that the processing of personal data complies with the applicable laws and regulations, such as the General Data Protection Regulation (GDPR) or the Data Protection Act 2018 (DPA 2018).

One of the requirements of the GDPR and the DPA 2018 is to adhere to the principle of storage limitation, which states that personal data should be kept for no longer than is necessary for the purposes for which it is processed1. This means that the business owner should determine and justify how long they need to retain personal data, based on factors such as:

The nature and sensitivity of the personal data

The legal or contractual obligations or rights that apply to the personal data

The business or operational needs and expectations that depend on the personal data

The risks and impacts that may arise from retaining or deleting the personal data

The business owner should also establish and document the conditions and methods for the destruction of personal data, such as:

The criteria and triggers for deciding when to destroy personal data

The procedures and tools for securely erasing or anonymising personal data

The roles and responsibilities for carrying out and overseeing the destruction of personal data

The records and reports for verifying and evidencing the destruction of personal data

Therefore, retention periods and conditions for the destruction of personal data should be determined by the business owner, as they are in charge of defining and managing the processing of personal data, as well as ensuring its compliance with the law.

 Capacity management tools are primarily used to ensure that available resources are used efficiently and effectively to meet the current and future demands of the business. Capacity management tools can help monitor, analyze and optimize the performance and utilization of IT resources such as CPU, memory, disk, network, etc. The other options are not the primary purpose of capacity management tools, although they may be related or derived from them. References:

ISACA, CISA Review Manual, 27th Edition,chapter 4, section 4.32

ISACA, COBIT 2019 Framework: Introduction and Methodology, section 3.2

The most helpful thing for an IS auditor when assessing the effectiveness of controls is the results of control testing, as this provides objective and reliable evidence of how well the controls are designed and operating in practice. A control self-assessment (CSA) is a technique that involves the participation of process owners and stakeholders in evaluating the effectiveness of controls, but it may not be as rigorous or independent as control testing. Interviews with management are useful for gaining an understanding of the control environment and culture, but they may not reflect the actual performance of controls. A control matrix is a tool that maps the controls to the objectives, risks, and requirements, but it does not measure the effectiveness of controls. References: CISA Review Manual (Digital Version),Chapter 1: Information Systems Auditing Process, Section 1.3: IT Audit Process

Requiring a key code to be entered on the printer to produce hard copy is a method to prevent disclosure of classified documents printed on a shared printer. This is because requiring a key code adds an extra layer of security and authentication to the printing process, ensuring that only authorized users can access and retrieve the printed documents. Requiring a key code also prevents unauthorized users from viewingor tampering with the documents while they are in the printer’s queue or output tray1.

Using passwords to allow authorized users to send documents to the printer is not a sufficient method to prevent disclosure of classified documents printed on a shared printer. This is because passwords only protect the transmission of the documents from the user’s computer to the printer, but they do not protect the documents once they are printed. Passwords can also be compromised or forgotten by users, making them vulnerable to unauthorized access or denial of service2.

Encrypting the data stream between the user’s computer and the printer is not a sufficient method to prevent disclosure of classified documents printed on a shared printer. This is because encryption only protects the confidentiality and integrity of the documents while they are in transit, but they do not protect the documents once they are printed. Encryption can also introduce performance issues or compatibility problems with different printers or devices2.

Producing a header page with classification level for printed documents is not a method to prevent disclosure of classified documents printed on a shared printer. This is because producing a header page only informs the users about the sensitivity and handling of the documents, but it does not prevent unauthorized users from accessing or viewing them. Producing a header page can also waste paper and ink, as well asincrease the risk of misplacing or mixing up the documents

The best way to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software is to include a mandatory step to analyze the security impact when making changes. This will help to identify and mitigate any security risks or vulnerabilities that may arise from the changes, and to ensure that the software meets the security requirements and standards. The other options are not as effective, because they either delegate thesecurity analysis to someone outside the development team, rely on post-deployment testing, or focus on documentation rather than analysis. References: CISA Review Manual (Digital Version)1, Chapter 4, Section 4.2.5

The best approach for an IS auditor to evaluate whether the IT strategy supports the organization’s vision and mission is to meet with senior management to understand the business goals and how IT can enable them. This will help the IS auditor to assess the alignment and integration of IT with the business strategy and to identify any gaps or opportunities for improvement. Reviewing ROIs, KPIs, or feedback from other departments may provide some insights, but they are not sufficient to evaluate the IT strategy. References: IS Audit and Assurance Standards, section “Standard 1201: Engagement Planning”