CISA Exam Dumps - Certified Information Systems Auditor

Access authorization tables are the best way to achieve effective separation of duties in an online environment, as they allow the definition and enforcement of different access rights and privileges for different users or roles, based on the principle of least privilege12. Access authorization tables can help to prevent unauthorized or inappropriate actions, such as fraud, errors, or misuse of the system, by ensuring that no user has enough privileges to perform all parts of a transaction or business process34.

References

1: Separation of Duty (SOD) - Glossary | CSRC3 2: Separation of Duties within Information Systems4 3: Separation of Duties: Implementation & Challenges in IT2 4: Implementing Segregation of Duties: A Practical Experience Based on Best Practices - ISACA1

Audit frameworks can assist the IS audit function by providing direction and information regarding the performance of audits. Audit frameworks are sets of standards, guidelines, and best practices that help IS auditors plan, conduct, and report on their audit engagements. Audit frameworks can help IS auditors ensure the quality, consistency, and professionalism of their audit work, as well as comply with the expectations and requirements of the stakeholders and regulators. Audit frameworks can also help IS auditors address the specific challenges and risks of auditing information systems and technology.

Defining the authority and responsibility of the IS audit function is not a way that audit frameworks can assist the IS audit function, but rather a way that the IS audit charter can assist the IS audit function. The IS audit charter is a document that defines the purpose, scope, objectives, and authority of the IS audit function within the organization. The IS audit charter can help IS auditors establish their role and position in relation to other functions and departments, as well as clarify their rights and obligations.

Providing details on how to execute the audit program is not a way that audit frameworks can assist the IS audit function, but rather a way that the audit methodology can assist the IS audit function. The audit methodology is a set of procedures and techniques that guide IS auditors in performing their audit tasks and activities. The audit methodology can help IS auditors apply a systematic and structured approach to their audit work, as well as use appropriate tools and methods to collect and analyze evidence.

Outlining the specific steps needed to complete audits is not a way that audit frameworks can assist the IS audit function, but rather a way that the audit plan can assist the IS audit function. The audit plan is a document that describes the scope, objectives, timeline, resources, and deliverables of a specific audit engagement. The audit plan can help IS auditors organize and manage their audit work, as well as communicate their expectations and responsibilities to the auditees.

A test plan for the BCP is essential to ensure that the plan is effective, updated and aligned with the current business needs and objectives. A change in organizational structure with significant impact to business processes may require a revision of the BCP and a new test plan to validate its adequacy. The lack of a test plan for the BCP for two years indicates a high risk of failure in the event ofa disaster or disruption. Therefore, this should be the auditor’s greatest concern among the given options. References:

ISACA, IT Control Objectives for Sarbanes-Oxley, 4th Edition, section 5.3.21

ISACA, CISA Review Manual, 27th Edition, chapter 5, section 5.42

When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is most effective for an IS auditor to review data analytics findings. Data analytics is a technique that uses software tools and statistical methods to analyze large volumes of data and identify patterns, anomalies, errors or inconsistencies. Data analytics can help to compare the source and target data sets, validate the data quality and integrity, and detect any data loss or corruption during the migration process. The other options are not as effective, because audit trails only record the actions performed on the data, acceptance testingresults only verify the functionality of the new system, and rollback plans only provide contingency measures in case of migration failure. References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.6

 Periodic review of access profiles by management is an additional control that is required when using swipe cards to limit employee access to restricted areas. Swipe cards are a type of physical access control that use magnetic stripes or radio frequency identification (RFID) to store and transmit information about the cardholder’s identity and access rights. Swipe cards can help to prevent unauthorized entry, protect sensitive assets and data, and monitor access activity. However, swipe cards alone are not enough to ensure effective access control. They need to be complemented by other controls, such as:

Periodic review of access profiles by management: This is a type of logical access control that involves verifying that the access rights assigned to each cardholder are appropriate, necessary, and consistent with the organization’s policies and procedures. Periodic review of access profiles can help to detect and correct any errors, inconsistencies, or violations in the access control system, such as outdated, excessive, or redundant access rights, segregation of duties conflicts, or unauthorized changes. Periodic review of access profiles can also help to ensure compliance with internal and external audit requirements and regulations.

Implementation of additional PIN pads: This is a type of multi-factor authentication (MFA) that requires the cardholder to enter a personal identification number (PIN) in addition to swiping their card. MFA can enhance the security of the access control system by adding another layer of verificationand reducing the risk of lost, stolen, or cloned cards being used by unauthorized persons.

Installation of closed-circuit television (CCTV): This is a type of surveillance system that uses cameras and monitors to record and display the images of the people and activities in the restricted areas. CCTV can deter potential intruders, provide evidence of any security incidents or breaches, and enable real-time monitoring and response by security personnel.

The other options are not as effective or relevant as periodic review of access profiles by management for an additional control when using swipe cards. Physical sign-in of all employees for access to restricted areas is a redundant and inefficient control that can be easily bypassed or manipulated. It also does not provide any assurance or verification of the identity or access rights of the cardholders. Audit hooks are software routines embedded in an application that can trigger an alert or a report when certain conditions are met. Audit hooks can help to detect anomalies or exceptions in access control lists, but they do not provide a comprehensive or integrated view of them.