CISA Exam Dumps - Certified Information Systems Auditor

 The best metric to assure compliance with the policy of providing security awareness training to all new employees is the percentage of new hires that have completed the training, as this directly measures the extent to which the policy is implemented and enforced. The number of new hires who have violated enterprise security policies, the number of reported incidents by new hires, and the percentage of new hires who report incidents are not directly related to the policy, as they may depend on other factors such as the nature and frequency of threats, the effectiveness of security controls, and the reporting culture of the organization. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.7

Before issuing the final audit report, the auditor should confirm factual findings with the auditee. ISACA audit guidance emphasizes that findings should be vetted, communicated, and reviewed with client management prior to final publication so that the report is factually accurate and misunderstandings are resolved.

Option B is correct because confirming factual findings with the auditee is a key step just before final issuance. ISACA guidance notes that findings may be discussed with auditees as they are gathered and should be verified with them where possible. ISACA also stresses that draft reports should be reviewed by client management before publication to ensure factual accuracy.

Option A is incorrect because the audit committee is generally a report recipient or governance body, not the party with whom the auditor first validates factual accuracy of detailed findings. The auditee is in the best position to confirm whether the facts, context, and operational details are accurate before the report becomes final.

Option C is an important audit responsibility, but it should already have been completed during fieldwork and evidence-gathering. By the conclusion of the audit, the auditor should already possess sufficient, appropriate evidence to support findings. The question asks what should be done at the conclusion of the audit, but before issuing the final report, which points to factual confirmation with the auditee.

Option D is not the best answer because management is responsible for developing action plans. While auditors may discuss recommendations, they should not take ownership of management’s corrective action plan in a way that compromises independence. The more immediate and proper pre-issuance step is confirming the factual accuracy of findings.

Thus, in classic CISA logic, the auditor should first ensure that the report is factually correct by validating findings with the auditee before the final report is issued. That makes B the correct answer.

References (Official ISACA):

ISACA, The Top-Five Audit Essentials for Driving Efficiency and Value — findings should be vetted and communicated with the client; draft report reviewed by client management prior to final publication.

ISACA Journal, Agile Audit — findings may be shared and verified with auditees before the final report.

ISACA Journal, Future Ready: Toward a Sound Agile Audit Framework — auditee feedback at the final reporting stage is important.

ISACA Journal case study — draft report sent to auditee and comments/amendments accepted before issuing report.

The auditor’s next action after finding that there is an informal unwritten set of standards in the IS department is to document and test compliance with the informal standards. This is because the auditor’s role is to evaluate the adequacy and effectiveness of the existing controls, regardless of whether they are formal or informal, written or unwritten. The auditor should also assess the risks and implications of having informal standards, such as lack of consistency, accountability, or traceability. The auditor should not make recommendations, postpone the audit, or finalize the audit without performing the audit procedures. References:

CISA Review Manual (Digital Version), Chapter 2, Section 2.21

CISA Online Review Course, Domain 1, Module 1, Lesson 12

When an employee is terminated for fraudulent activity, the first priority is to immediately prevent further unauthorized or malicious activity. In ISACA guidance, terminated employees’ access rights should be removed promptly and effective controls must ensure they lose system access at termination. This makes disabling logical access the most immediate and appropriate first step.

Option C is correct because logical access allows the former employee to continue using systems, data, email, applications, or remote connections. If access is not disabled immediately, the organization remains exposed to sabotage, data theft, fraud continuation, or destruction of evidence. ISACA sources explicitly state that terminated employees should lose all access rights and that access restriction should occur immediately after departure.

Option A may be necessary as part of a fraud investigation, but it is not the first step. Reviewing approved transactions is investigative and retrospective; the organization must first contain the risk by cutting off access. In CISA exam logic, immediate risk containment generally comes before investigation.

Option B may also be appropriate from a physical security and HR perspective, especially if there is concern about confrontation or physical removal. However, from an IT audit and information security perspective, the most urgent action is disabling logical access because damage can occur remotely and instantly if access remains active.

Option D can be relevant for preserving evidence, but it still does not come before access removal. Evidence preservation is important, yet the first control priority is to stop ongoing access and prevent further compromise.

Therefore, the best answer is C because immediate revocation of system access is the first and most critical action when terminating an employee for fraudulent activity.

References (Official ISACA):

ISACA Journal, Mitigating IT Risks for Logical Access — effective controls should ensure terminated employees lose all access rights.

ISACA, Secure Management of Former Employee Data: A Practical Approach — “Immediate Access Restriction” as step 1 after employee departure.

ISACA Journal, What Every CISO Must Know About SSH Keys — access should be terminated when no longer needed.

An insider attack poses the greatest risk to an organization’s most sensitive data. An insider attack is a type of cyberattack that is carried out by someone who has legitimate access to the organization’s network, systems, or data, such as an employee, contractor, or business partner. An insider attack can be intentional or unintentional, malicious or negligent, and can have various motives, such as financial gain, revenge, espionage, sabotage, or curiosity.

An insider attack poses the greatest risk to an organization’s most sensitive data because:

An insider has a high level of trust and privilege within the organization, which allows them to bypass security controls and access confidential or restricted data without raising suspicion or detection.

An insider has a deep knowledge of the organization’s operations, processes, policies, and vulnerabilities, which enables them to exploit them effectively and cause maximum damage or disruption.

An insider can use various techniques and tools to conceal their identity and actions, such as encryption, steganography, deletion, or alteration of logs or evidence.

An insider can cause significant harm or loss to the organization in terms of data integrity, availability, confidentiality, reputation, compliance, and profitability.

According to the 2023 Cost of Insider Threats Global Report by Ponemon Institute and ObserveIT 1, the average annual cost of insider threats for organizations worldwide was $11.45 million in 2022, a 31% increase from 2018. The report also found that the average number of incidents per organization was 77 in 2022, a 47% increase from 2018. The report classified insider threats into three categories: careless or negligent employees or contractors, criminal or malicious insiders, and credential thieves. The report revealed that careless or negligent insiders were the most common and costly type of insider threat, accounting for 62% of all incidents and $4.58 million in costs.

The other options are not the greatest risk to an organization’s most sensitive data, although they can still pose significant threats.

A password attack is a type of cyberattack that attempts to guess or crack a user’s password to gain unauthorized access to their account or system. A password attack can use various methods, such as brute force, dictionary, rainbow table, phishing, keylogging, or social engineering. A password attack can compromise the security and privacy of the user’s data and information. However, a password attack can be prevented or mitigated by using strong and unique passwords, changing passwords frequently, enabling multi-factor authentication (MFA), and avoiding clicking on suspicious links or attachments.

An eavesdropping attack is a type of cyberattack that intercepts or monitors the communication between two parties without their knowledge or consent. An eavesdropping attack can use various techniques, such as wiretapping, packet sniffing, man-in-the-middle (MITM), or side-channel. An eavesdropping attack can expose the content and metadata of the communication, such as messages, files, voice calls, emails, etc. However, an eavesdropping attack can be prevented or mitigated by using encryption, authentication, digital signatures, VPNs (virtual private networks), or secure protocols.

A spear phishing attack is a type of phishing attack that targets a specific individual or group with personalized and convincing emails that appear to come from a trusted source. A spear phishing attack aims to trick the recipient into clicking on a malicious link or attachment that can infect their device with malware or steal their credentials or data. A spear phishing attack can compromise the security and privacy of the recipient’s data and information. However, a spear phishing attack can be prevented or mitigated by verifying the sender’s identity and email address, checking the email content for spelling and grammar errors, hovering over links before clicking on them (or not clicking at all), scanning attachments for viruses before opening them (or not opening at all), and reporting suspicious emails to IT security staff.

This method is known as creating a digital signature of the message. It ensures the integrity of the message by verifying that it has not been tampered with in transit. The process involves hashing the message and encrypting the hash value with the sender’s private key. Any changes to the message will result in a different hash value1. This method is used in DomainKeys Identified Mail (DKIM), which verifies an email’s domain and helps show that the email has not been tampered with in transit2.

 A checksum is classified as a detective control. A checksum is a mathematical value that is calculated from a data set and used to verify the integrity of the data. A checksum can detect if the data has been altered or corrupted during transmission or storage. A checksum does not prevent or correct the data corruption, but it alerts the user or system of the problem. Therefore, it is a detective control. A preventive control is a control that prevents an error or incident from occurring. A corrective control is a control that restores normal operations after an error or incident has occurred. Anadministrative control is a controlthat involves policies, procedures, standards, guidelines, or organizational structures. References: CISA Review Manual (Digital Version)1, page 439.