CISA Exam Dumps - Certified Information Systems Auditor

Audit planning is the process of developing an overall strategy and approach for conducting an audit. Audit planning involves identifying the objectives, scope, criteria, and methodology of the audit, as well as the resources, schedule, and reporting requirements. Audit planning also involves performing a risk assessment to identify and prioritize the areas of highest risk and significance for the audit1.

Risk assessment is a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking. Risk assessment involves identifying the sources and causes of risk, analyzing the likelihood and impact of risk, and determining the level of risk and the appropriate response2.

During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. The best course of action in this situation is C. Validate the low-risk entity ratings and apply professional judgment.

This is because validating the low-risk entity ratings can help to ensure that the risk assessment is accurate, reliable, and consistent with the business objectives and expectations. Validating the low-risk entity ratings can also help to identify any changes or developments that may affect the risk profile of the entities since the last assessment. Applying professional judgment can help to determine whether the low-risk entities should be included or excluded from the audit plan, based on factors such as materiality, relevance, significance, and assurance needs3.

 Discovery sampling is an appropriate sampling method for an IS auditor who intends to launch an intensive investigation if one exception is found. Discovery sampling is a type of attribute sampling that determines the sample size based on an acceptable risk of not finding at least one occurrence of an attribute when a given rate of occurrence exists in a population. Discovery sampling can be used by an IS auditor who wants to detect fraud or errors that have a low probability but high impacton an audit objective. The other options are not appropriate sampling methods for this purpose, as they may involve judgmental sampling, variable sampling, or stratified sampling. References:

CISA Review Manual (Digital Version), Chapter 2, Section 2.31

CISA ReviewQuestions, Answers and Explanations Database, Question ID 230

The best way to determine whether programmers have permission to alter data in the production environment is by reviewing the access rights that have been granted. Access rights are permissions or privileges that define what actions or operations a user can perform on an information system or resource. By reviewing the access rights that have been granted to programmers, an IS auditor can verify whether they have been authorized to modify data in the production environment, which is where live data and applications are stored and executed. The access control system’s log settings are parameters that define what events or activities are recorded by the access control system, which is a system that enforces the access rights and policies of an information system or resource. The access control system’s log settings are not the best way to determine whether programmers have permission to alter data in the production environment, as they do not indicate what permissions or privileges have been granted to programmers. How the latest system changes were implemented is a process that describes how software updates or modifications are deployed to the production environment. How the latest system changes were implemented is not the best way to determine whether programmers have permission to alter data in the production environment, as it does not indicate what permissions or privileges have been granted to programmers. The access control system’s configuration is a set of rules or parameters that define how the access control system operates and functions. The access control system’s configuration is not the best way to determine whether programmers have permission to alter data in the production environment, as it does not indicate what permissions or privileges have been granted to programmers. 

The best answer is C. Local laws and regulations.

ISACA privacy guidance consistently frames data protection policy around compliance with privacy laws, rules, and regulations. ISACA specifically notes that privacy strategies and policies should be reviewed and updated regularly to reflect regulatory changes and ensure compliance. Since data protection obligations are often legally mandated and penalties can be significant, legal and regulatory requirements are the most important consideration when determining review frequency.

Option A. Industry best practices can inform good policy design, but they do not override legal requirements.

Option B. Business objectives matter for alignment, but they are not the strongest driver of review frequency in a privacy context.

Option D. Known international standards can be useful references, but local legal obligations are more binding and more important for determining how often the policy must be revisited.

Therefore, C is the correct answer because compliance with local laws and regulations is the most important driver of how frequently a data protection policy should be reviewed.

References (Official ISACA):

ISACA Journal, What Is Your Privacy and Data Protection Strategy?.

ISACA, The Evolving World of Data Privacy: Trends and Strategies.

ISACA Journal, Privacy Risk Management.

ISACA Journal, Analyzing Privacy Policies as Data.

Network segmentation is the best security measure to reduce the risk of propagation when a cyberattack occurs, because it divides the network into smaller subnetworks that are isolated from each other and have different access controls and security policies. This limits the spread of malicious traffic and prevents attackers from accessing sensitive data or systems in other segments. Aperimeter firewall, a data loss prevention (DLP) system, and a web application firewall are also useful security measures, but they do not prevent propagation within the network as effectively as network segmentation does. References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.3

The use of open-source software components in IoT devices presents the greatest security risk due to potential vulnerabilities that may exist within the software. These vulnerabilities can be exploited if patches are not applied promptly, and the organization might not have direct control over the software ' s maintenance and security updates. This risk is amplified in critical manufacturing environments where compromised IoT devices can lead to operational disruptions.

Physical Security (Option A):While important, theft of IoT devices generally poses less risk compared to a system-wide compromise due to software vulnerabilities.

Firmware Storage Constraints (Option C):While a limitation, this is a secondary concern compared to exploitable software.

Devices Not Using Wireless Connectivity (Option D):Wired devices are generally more secure, reducing this as a significant concern.