CISA Exam Dumps - Certified Information Systems Auditor

 Data integrity is the property that ensures that data is accurate, complete, consistent, and reliable throughout its lifecycle. The best data integrity check is tracing data back to the point of origin, which is the source where the data was originally created or captured. This check can verify that data has not been altered or corrupted during transmission, processing, or storage. It can also identify any errors or discrepancies in data entry or conversion. Counting the transactions processed per day is a performance measure that does not directly assess data integrity. Performing a sequence check is a validity check that ensures that data follows a predefined order or pattern. It can detect missing or out-of-order data elements, but it cannot verify their accuracy or completeness. Preparing and running test data is a testing technique that simulates real data to evaluate how a system handles different scenarios. It can help identify errors or bugs in the system logic or functionality, but it cannot ensure data integrity in production environments. References: Information Systems Operations and Business Resilience, CISA Review Manual (Digital Version)

Referential integrity is a property of data that ensures that all references between tables are valid and consistent. Disabling referential integrity controls can result in orphaned records, data anomalies, and inaccurate queries. The most effective way to compensate for the lack of referential integrity is to perform periodic table link checks, which verify that all foreign keys match existing primary keys in the related tables. More frequent data backups, concurrent access controls, and performance monitoring tools do not address the issue of data consistency and accuracy. References: ISACA CISA Review Manual 27th Edition, page 291

Prior to a follow-up engagement, if an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation, the IS auditor should report the issue to IS audit management. This is because IS audit management is responsible for ensuring that audit findings are properly communicated and resolved. Accepting management’s decision and continuing the follow-up would not address the IS auditor’s concern. Reporting the disagreement to the board or executive management would be premature and inappropriate without consulting IS audit management first. References: CISA Review Manual (Digital Version), Chapter 1, Section 1.6

Reviewing and evaluating application test cases is the most effective use of an IS auditor’s time during the evaluation of controls over a major application development project. Application test cases are designed to verify that the application meets the functional and non-functional requirements and specifications. They also help to identify and correct any errors, defects, or vulnerabilities in the application before it is deployed. By reviewing and evaluating the test cases, the IS auditor can assess the quality, reliability, security, and performance of the application and provide recommendations for improvement. 

The best recommendation to prevent fraudulent electronic funds transfers by accounts payable employees is dual control. Dual control is a segregation of duties control that requires two or more individuals to perform or authorize a transaction or activity. Dual control can prevent fraudulent electronic funds transfers by requiring independent verification and approval of payment requests, amounts, and recipients by different accounts payable employees. The other options are not as effective as dual control in preventing fraudulent electronic funds transfers, as they do not involve independent checks or approvals. Periodic vendor reviews are detective controls that can help identify any irregularities or anomalies in vendor payments, but they do not prevent fraudulent electronic funds transfers from occurring. Independent reconciliation is a detective control that can help compare and confirm payment records with bank statements, but it does not prevent fraudulent electronic funds transfers from occurring. Re-keying of monetary amounts is an input control that can help detect any errors or discrepancies in payment amounts, but it does not prevent fraudulent electronic funds transfers from occurring. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

The best way to protect sensitive information such as personally identifiable information (PII) stored in a particular data format while allowing the software developers to use it in development and test environments is data masking. Data masking is a technique that replaces or obscures sensitive data elements with fictitious or modified data elements that retain the original format and characteristics of the data. Data masking can help protect sensitive information such as PII stored in a particular data format while allowing the software developers to use it in development and test environments by preventing the exposure or disclosure of the real data values without affecting the functionality or performance of the software or application. The other options are not as effective as data masking in protecting sensitive information such as PII stored in a particular data format while allowing the software developers to use it in development and test environments, as they have different limitations or drawbacks. Data tokenization is a technique that replaces sensitive data elements with non-sensitive tokens that have no intrinsic value or meaning. Data tokenization can protect sensitive information such as PII from unauthorized access or theft, but it may not retain the original format and characteristics of the data, which may affect the functionality or performance of the software or application. Data encryption is a technique that transforms sensitive data elements into unreadable or unintelligible ciphertext using an algorithm and a key. Data encryption can protect sensitive information such as PII from unauthorized access or modification, but it requires decryption to restore the original data values, which may introduce additional complexity or overhead to the software development process. Data abstraction is a technique that hides the details or complexity of data structures or operations from users or programmers by providing a simplified representation or interface. Data abstraction can help improve the usability or maintainability of software or applications, but it does not protect sensitive information such as PII from exposure or disclosure. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2

 A weakness in change management is the most likely cause of an incorrect version of source code being amended by a development team. Change management is the process of controlling and documenting changes to IT systems and software. It ensures that changes are authorized, tested, and implemented in a controlled manner. If change management is weak, there is a risk of using outdated or incorrect versions of source code, which can lead to errors, defects, or security vulnerabilities in the software.