CISA Exam Dumps - Certified Information Systems Auditor

The IS auditor’s greatest concern when reviewing a business case for a proposed implementation of a third-party system should be A. Lack of ongoing maintenance costs. This is because ongoing maintenance costs are an essential part of the total cost of ownership (TCO) of a third-party system, and they can have a significant impact on the return on investment (ROI) and the feasibility of the project. If the business case does not include ongoing maintenance costs, it may underestimate the true cost of the project and overestimate the benefits. This could lead to poor decision making and unrealistic expectations.

Lack of training materials (B), lack of plan for pilot implementation ©, and lack of detailed work breakdown structure (D) are also potential issues that could affect the quality and success of the project, but they are not as critical as lack of ongoing maintenance costs. Training materials can be developed or acquired later, pilot implementation can be planned during the project initiation or planning phase, and work breakdown structure can be refined as the project progresses. However, ongoing maintenance costs are difficult to change or estimate once the project is approved and implemented, and they can have long-term implications for the organization. Therefore, they should be included and analyzed in the business case.

The best course of action for a security administrator who is called in the middle of the night by the on-call programmer who needs access to the live system is to give the programmer an emergency ID for temporary access and review the activity. This is because:

Requiring that a change request be completed and approved may delay the resolution of the problem and cause further damage or disruption to the system or business operations. A change request is a formal document that describes the proposed change, its rationale, impact, benefits, risks, costs, and approval process. A change request is usually required for planned or scheduled changes, not for emergency or urgent changes.

Giving the programmer read-only access to investigate the problem may not be sufficient or effective, as the programmer may need to perform actions or tests that require write or execute permissions. Read-only access means that the user can only view or copy data or files, but cannot modify or delete them.

Reviewing activity logs the following day and investigating any suspicious activity may not prevent or detect any unauthorized or malicious actions by the programmer in real time. Activity logs are records of events and actions that occur within a system or network. Activity logs can provide evidence and accountability for system activities, but they are not proactive or preventive controls.

Therefore, giving the programmer an emergency ID for temporary access and reviewing the activity is the best course of action, as it allows the programmer to access the live system and resolve the problem quickly, while also ensuring that the security administrator can monitor and verify the programmer’s activity and revoke the access when it is no longer needed. An emergency ID is a temporary account that grants a user elevated privileges or access to a system or resource for a specific purpose and duration. An emergency ID should be:

Created and authorized by a security administrator or manager

Assigned to a specific user and purpose

Limited in scope and time

Logged and audited

Revoked and deleted after use

Some of the best practices for emergency access to live systems are12:

Establish clear policies and procedures for requesting, approving, granting, monitoring, reviewing, and revoking emergency access

Define criteria and scenarios for emergency access, such as severity, impact, urgency, and risk

Implement controls to prevent unauthorized or unnecessary use of emergency access, such as multifactor authentication, approval workflows, alerts, notifications, and time restrictions

Implement controls to track and audit emergency access activities, such as logging, reporting, analysis, and investigation

Implement controls to ensure accountability and responsibility for emergency access users, such as attestation, justification, documentation, and feedback

The audit team’s most important course of action is to consult the legal department to understand the procedure for requesting data from a different jurisdiction, as this will ensure that the data analytics techniques are compliant with the applicable laws and regulations of both countries12. Requesting data from a foreign branch may involve legal risks such as data privacy, data sovereignty, and data protection34, and the audit team should seek legal guidance before proceeding with the data extraction and analysis.

References

1: Data Analytics and Auditing Standards 2: Data Analytics and the Audit Process 3: Data Privacy and Data Protection: US Law and Legislation 4: Data Sovereignty: What It Is and Why It Matters

The primary role of a control self-assessment (CSA) facilitator is to focus the team on internal controls. A CSA facilitator is a person who guides the CSA process and helps the participants to identify, assess, and improve their internal controls. The facilitator does not conduct interviews, report on weaknesses, or provide solutions, as these are the responsibilities of the participants themselves1.

The other options are incorrect because they are not the primary role of a CSA facilitator. Option A, conduct interviews to gain background information, is a preliminary step that may be done by the facilitator or the participants before the CSA session, but it is not the main purpose of the facilitator. Option C, report on the internal control weaknesses, is an outcome of the CSA process that should be done by the participants who own and operate the controls. Option D, provide solutions for control weaknesses, is also an outcome of the CSA process that should be done by the participants who are in charge of implementing the improvements.

 Substantive testing provides the most reliable audit evidence on the validity of transactions in a financial application. Substantive testing is an audit procedure that examines the financial statements and supporting documentation to see if they contain errors or misstatements. Substantive testing can help to verify that the transactions recorded in the financial applicationare authorized, complete, accurate, and properly classified. Substantive testing can include methods such as vouching, confirmation, analytical procedures, or physical examination. 

 Following a configuration management process to maintain applications is the primary reason for ensuring proper change control. Configuration management is a process of identifying, documenting, controlling, and verifying the configuration items and their interrelationships within an IT system or environment. Following a configuration management process can help to ensure that any changes to the applications are authorized, tested, documented, and tracked throughout their lifecycle. This will help to prevent unauthorized or improper changes that could affect the functionality, performance, or security of the applications. The other options are not the primary reasons for following a configuration management process, but rather possible benefits or outcomes of doing so. References:

CISA Review Manual (Digital Version), Chapter 4, Section 4.3.31

CISA Review Questions, Answers and Explanations Database, Question ID 225

Comprehensive and Detailed Explanation:

The most effective way to prevent unauthorized IoT devices from connecting is through network access control (NAC), which enforces authentication and authorization before allowing a device onto the network.

Vulnerability scans (A): Identify weaknesses but do not actively prevent device connections.

Reviewing IoT configurations (B): Focuses on existing devices, not unauthorized ones.

Policies (D): Provide guidance but do not enforce technical prevention.

📖 ISACA Reference: CISA Review Manual 27th Edition, Domain 5, section on network security and endpoint access control.

The change management process is the set of procedures and activities that ensure that changes to the information system are authorized, tested, documented, and implemented in a controlled manner12. A defect in a recent release indicates that there may be issues with the quality assurance, testing, or approval of the changes, which could affect the reliability, security, and performance of the system3 . Therefore, the auditor’s next step should be to evaluate the change management process and identify the root cause of the defect, as well as the impact and remediation of the incident.

References

1: Change Management - CISA

2: What is Change Management? - Definition from Techopedia

3: How to Audit Change Management - ISACA Journal

The Business Case for Security | CISA