CISA Exam Dumps - Certified Information Systems Auditor

The best answer is C. Insufficient due diligence performed on the vendor.

ISACA guidance on third-party and cloud risk repeatedly emphasizes the need for thorough vendor due diligence before entering or expanding a business relationship. When confidential backups are being migrated to a cloud solution, insufficient due diligence is the greatest concern because it can expose the organization to security, privacy, resilience, and compliance failures across the whole service arrangement.

Option A is relevant for retired media handling, but it is narrower than the overall third-party risk. Option B affects performance and growth, not necessarily confidentiality. Option D is a business issue, but not the greatest audit concern when confidential data is involved. Vendor due diligence is the most important control at this stage.

References (Official ISACA):

ISACA, The Top 5 Cybersecurity Threats and How to Defend Against Them.

ISACA Journal, The Encrypted Truth Is Already Out There.

The best recommendation is to place an intrusion detection system (IDS) between the firewall and the Internet. An IDS is a device or software that monitors network traffic for malicious activity and alerts the network administrator or takes preventive action. By placing an IDS between the firewall and the Internet, the IS auditor can enhance the security of the network perimeter and detect any attack attempts that the firewall was unable to recognize.

The other options are not as effective as placing an IDS between the firewall and the Internet:

Placing an IDS between the firewall and the organization’s web server would not protect the web server from external attacks that bypass the firewall. The web server should be placed in a demilitarized zone (DMZ), which is a separate network segment that isolates public-facing servers from the internal network.

Placing an IDS between the firewall and the demilitarized zone (DMZ) would not protect the DMZ from external attacks that bypass the firewall. The DMZ should be protected by twofirewalls, one facing the Internet and one facing the internal network, with an IDS monitoring both sides of each firewall.

Placing an IDS between the firewall and the organization’s network would not protect the organization’s network from external attacks that bypass the firewall. The organization’s network should be protected by a firewall that blocks unauthorized traffic from entering or leaving the network, with an IDS monitoring both sides of the firewall.

The greatest concern is whether the increased incident resolution time will adversely affect the organization’s business operations and whether that impact was properly assessed before the contract change. In ISACA terms, service arrangements should be aligned with business needs and service objectives. If a contract change weakens incident response commitments, the key audit concern is not simply the wording of the SLA, but whether management evaluated the resulting business impact. ISACA guidance notes that support agreements and SLAs should be aligned with internal service expectations and business requirements.

Option A is correct because incident resolution times directly affect availability, continuity, user support, and operational resilience. If the contract now permits slower restoration or resolution, the organization may be exposed to longer outages or degraded services. The central risk is whether management made that trade-off knowingly after analyzing the impact on critical business processes. This is the most important concern from an audit and governance perspective.

Option B is not the best answer because noncompliance with IT security policy could be serious, but the question specifically highlights a change in incident resolution time. Unless there is evidence of an actual policy violation, the more direct concern is operational impact on the business.

Option C is also not the greatest concern. In practice, if the contract terms changed, the SLA may need revision or alignment, but that is more of a documentation and governance symptom. The deeper issue is whether the revised service commitments are acceptable to the business. ISACA guidance stresses alignment of support agreements and SLAs with organizational needs.

Option D is the weakest answer because considering alternative cost-reduction methods is a management decision, not the primary audit concern. Auditors focus on risk and control implications, not whether management explored every possible commercial option.

Therefore, A is the best answer because the most significant issue is whether the organization evaluated the impact of slower incident resolution on business processes before accepting the lower-cost contract.

References (Official ISACA):

ISACA, A Framework for SIEM Implementation — support agreements should be aligned with internal SLAs.

ISACA, Top Risks and Rewards of Moving to the Cloud — auditors should review cloud provider SLAs and evaluate continuity implications.

ISACA Journal, Is Business Continuity Management Still Relevant? — audit concern centers on business impact and risk acceptance.

ISACA Journal, Understanding Software Metric Use — SLAs should use metrics that are monitored and measured.

The best answer is C. Review audit planning documents.

Before an audit project starts, senior audit leadership must ensure the engagement has been adequately planned. Reviewing planning documents is the control point that lets leadership confirm the objective, scope, risk focus, resourcing, timing, and methodology are appropriate before fieldwork begins. This is the broadest and most essential oversight activity among the choices.

Option A can be part of governance in some audit functions, but direct scope signoff is narrower than review of the full planning package. Option B and D may occur depending on the audit approach, but they are not mandatory leadership actions in every case. The most defensible answer is leadership review of the planning documents because it establishes readiness and oversight before the project begins.

References (Official ISACA):

ISACA, CISA Exam Content Outline — audit planning and execution are structured and risk-based.

ISACA, Now Is the Time for IT Auditors to Perform Advisory Pre-Implementation Reviews — emphasizes engaging leadership and planning around risk and control deficiencies.

ISACA, An Appropriate Approach for Program and Project Management — supports structured planning and oversight before execution.

The correct answer is B. Review the terms and provisions in the contract.

When auditing an outsourced application, the auditor should first understand the contractual responsibilities, service scope, control expectations, reporting requirements, audit rights, compliance obligations, and security commitments. ISACA guidance on outsourcing and third-party assurance emphasizes that contracts are foundational because they define what the service provider is obligated to do and what the customer is entitled to review.

Option A is not first because billing validation is secondary to understanding the service arrangement and obligations.

Option C is incorrect because implementing access rights is a management responsibility, not an audit procedure.

Option D is important, but the auditor must first know whether such reporting is required, how it is defined, and under what timelines, all of which are typically governed by the contract or related agreement.

Therefore, the correct answer is B, because contract review establishes the basis for all further audit work over the outsourced HR application.

References (Official ISACA):

ISACA Journal, Third Party Assurance — highlights the importance of understanding outsourced service arrangements and related assurance expectations.

ISACA Now Blog, The Challenging Task of Auditing Social Media — states that when a function is outsourced, the contract should be reviewed to ensure it specifies required activities and expectations.