CISA Exam Dumps - Certified Information Systems Auditor

The best answer is B. The policies are not regularly reviewed and updated.

ISACA guidance notes that, when auditing policy documents, one of the quickest indicators of trouble is the absence of current reviews, changes, approvals, and alignment with actual practice. If policies are outdated, they may no longer reflect the organization’s control environment, regulatory obligations, technologies, or business processes. That creates a direct governance and compliance risk.

Option A is generally a positive sign, not a concern, because formal review and approval supports governance. Option C can matter, but lack of direct mapping to best practices is usually less serious than having stale policies that no longer reflect reality. Option D is not ideal if policies exclude broader stakeholders, but IT policies are often primarily directed toward IT staff while still being supported by wider governance documents. The most serious issue is that outdated policies may be ineffective, unenforceable, or inconsistent with current controls.

References (Official ISACA):

ISACA, Do Your Policy Documents Represent Current Practices?

ISACA Journal, IS Audit Basics: The Auditors, IS/IT Policies and Compliance

 In an online application, data architecture provides the most information about the transaction audit trail, as it describes how data are created, stored, processed, accessed and exchanged among different components of the application. Data architecture includes data models, schemas, dictionaries, metadata, standards and policies that define the structure, quality, integrity, security and governance of data. Data architecture can help the IS auditor to trace the origin, flow, transformation and destination of data in an online transaction, and to identify the key data elements, attributes and relationships that are relevant for audit purposes. A system/process flowchart is a graphical representation of the sequence of steps or activities that are performed by a system or process. A system/process flowchart can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. A system/process flowchart shows the inputs, outputs, decisions and actions of a system or process, but it does not show the data elements, attributes and relationships that are involved in each step or activity. A file layout is a specification of the format and structure of a data file. A file layout can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. A file layout shows the fields, types, lengths and positions of data in a file, but it does not show the origin, flow, transformation and destination of data in an online transaction. Source code documentation is a description of the logic, functionality and purpose of a program or module written in a programming language. Source code documentation can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. Source code documentation shows the instructions, variables and parameters that are used to perform calculations and operations on data, but it does not show the data elements, attributes and relationships that are involved in each instruction or operation. References: CISA Review Manual (Digital Version) 1, Chapter 4: Information Systems Operations and Business Resilience, Section 4.2: Data Administration Practices.

The greatest concern is regulatory noncompliance arising from cross-border data processing and storage. ISACA guidance on cloud data sovereignty states that when data is stored across multiple jurisdictions, organizations must navigate complex legal and regulatory challenges, including conflicting national laws and cross-border transfer restrictions. This is especially important for financial organizations, which often operate under stricter regulatory obligations regarding customer data, outsourcing, and location of processing.

Option A is correct because the key risk in extending cloud servers into several foreign countries is that the outsourced processing arrangement may violate applicable regulations or create conflicts among data protection, financial-sector, and jurisdictional requirements. ISACA notes that data sovereignty means data is governed by the laws of the country where it is stored, and that organizations must ensure compliance when cloud data spans borders.

Option B is not the greatest concern. Distributed server deployment can introduce integrity challenges, but ISACA’s cross-border cloud guidance emphasizes the legal and governance burden far more directly than integrity degradation as the primary risk.

Option C is incorrect because data classification does not become invalid merely because data is stored overseas. Classification remains an internal governance concept, although handling requirements may change depending on jurisdiction. ISACA specifically recommends maintaining strong data classification systems alongside legal and compliance review for cross-border cloud use.

Option D is also not the greatest concern. Data ownership and responsibility should be clarified contractually, but ISACA identifies legal compliance and jurisdictional conflicts as the dominant governance risk in cross-border cloud environments.

Therefore, A is the best answer because regulatory exposure from cross-border outsourced processing is the most significant concern in this scenario.

References (Official ISACA):

ISACA, Cloud Data Sovereignty: Governance and Risk Implications of Cross-Border Cloud Storage.

ISACA Journal, Data Owners’ Responsibilities When Migrating to the Cloud.

ISACA Journal, Addressing the Challenges of IT Audits by Supreme Audit Institutions.

The main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B). This is because:

A project change management process is a set of procedures that defines how changes to the project scope, schedule, budget, quality, or resources are requested, evaluated, approved, implemented, and controlled12.

A project change management process helps to ensure that the changes are aligned with the project objectives, stakeholders’ expectations, and business needs12.

Adding a new system functionality during the development phase without following a project change management process can introduce risks such as:

The added functionality has not been documented (option A), which can lead to confusion, inconsistency, errors, and rework3.

The project may fail to meet the established deadline (option C), which can result in delays, penalties, and customer dissatisfaction3.

The project may go over budget (option D), which can cause cost overruns, financial losses, and reduced profitability3.

However, the main risk is that the new functionality may not meet requirements (option B), which can have serious consequences such as:

The new functionality may not be compatible with the existing system or other components3.

The new functionality may not be tested or verified for quality, performance, security, or usability3.

The new functionality may not deliver the expected value or benefits to the users or customers3.

The new functionality may not comply with the regulatory or contractual obligations3.

The new functionality may cause dissatisfaction, complaints, or litigation from the stakeholders3.

Therefore, the main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B), as this can jeopardize the success and acceptance of the project.

Data definition standards within a database primarily support data formatting by establishing how data elements must be structured, represented, and stored. In practical terms, these standards define characteristics such as data type, field length, allowable values, precision, naming conventions, and valid formats. ISACA glossary material includes format checking as a control concept, which directly relates to verifying that data conforms to a prescribed format. That is the closest and strongest match to what data definition standards support.

Option C is correct because data definition standards are about consistency of data structure and representation. When an organization enforces common definitions for fields and attributes, it improves the consistency and usability of data across systems and applications. ISACA governance and data management material emphasizes that defining the format in which data are presented is part of giving data meaning and ensuring quality and usability.

Option A is incorrect because data disposal concerns end-of-life handling of data, such as destruction, archival expiration, and secure deletion. Those activities are governed by retention, records management, privacy, and disposal requirements, not by database data definition standards. ISACA privacy and data lifecycle guidance treats disposal as a separate lifecycle issue.

Option B is incorrect because data retention relates to how long data should be kept for business, legal, regulatory, or operational purposes. Retention policies may rely on data classification and legal obligations, but they are not what data definition standards primarily address.

Option D is incorrect because data confidentiality is mainly supported by access controls, encryption, classification, segregation of duties, and related security controls. Although well-defined data may indirectly help governance, confidentiality is not the main purpose of data definition standards.

Therefore, the best answer is C because enforcing data definition standards within a database most directly supports correct and consistent data formatting.

References (Official ISACA):

ISACA Glossary — Format checking.

ISACA, Unearthing and Enhancing Intelligence and Wisdom Within the COBIT 5 Governance of Information Model — discusses defining the format in which data are presented.

ISACA Journal, IS Audit Basics: Data Management Body of Knowledge—A Summary for Auditors — supports the role of data management standards and quality.

ISACA, SOC Reports for Cloud Security and Privacy — distinguishes use, retention, and disposal from data structure concerns.

The best way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems is to establish rules for converting data from one format to another, because this ensures that the data quality and integrity are maintained throughout the data transformation process. Data conversion rules define the standards, procedures, and methods for transforming data from different sources and formats into a common format andstructure that can be used by the business intelligence systems12. Implementing data entry controlsfor new and existing applications, implementing a consistent database indexing strategy, and developing a metadata repository to store and access metadata are not the best ways to reduce the risk of inaccurate or misleading dataproliferating through business intelligence systems, becausethey do not address the issue of dataconversion, which is a critical step in the data integration process for business intelligence systems. References: 1: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.3 2: CISA Online Review Course, Module 4, Lesson 3