- (Topic 4)
What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?
Correct Answer:
D
The best course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit is to evaluate the residual risk due to open issues. Residual risk is the risk that remains after the implementation of controls or mitigating actions. Evaluating the residual risk due to open issues can help the IS auditor assess the impact and likelihood of the potential threats and vulnerabilities that have not been addressed by the auditee, as well as the adequacy and effectiveness of the existing controls or mitigating actions. Evaluating the residual risk due to open issues can also help the IS auditor prioritize and communicate the open issues to the auditee and other stakeholders, such as senior management or audit committee, and recommend appropriate actions or escalation procedures.
Ensuring the open issues are retained in the audit results is a course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit, but it is not the best one. Ensuring the open issues are retained in the audit results can help the IS auditor document and report the status and progress of the audit recommendations, as well as provide a basis for future follow-up audits. However, ensuring the open issues are retained in the audit results does not provide an analysis or evaluation of the residual risk due to open issues, which is more important for informing decision- making and action-taking.
Terminating the follow-up because open issues are not resolved is not a course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit, but rather a consequence or outcome of it. Terminating the follow-up because open issues are not resolved may indicate that the auditee has failed to comply with the agreed-upon actions or deadlines, or that the IS auditor has encountered significant obstacles or resistance from the auditee. Terminating the follow-up because open issues are not resolved may also trigger further actions or sanctions from the IS auditor or other authorities, such as issuing a qualified or adverse opinion, withholding certification, or imposing penalties.
Recommending compensating controls for open issues is not a course of action for an IS
auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit, but rather a possible outcome or result of it. Compensating controls are alternative or additional controls that are implemented to reduce or eliminate the risk associated with a weakness or deficiency in another control. Recommending compensating controls for open issues may be appropriate when the auditee is unable to implement the original audit recommendations due to technical, operational, financial, or other constraints, and when the compensating controls can provide a similar or equivalent level of assurance. However, recommending compensating controls for open issues requires a prior evaluation of the residual risk due to open issues, which is more important for determining whether compensating controls are necessary and feasible.
References:
✑ Follow-up Audits - Canadian Audit and Accountability Foundation 1
✑ Conducting The Audit Follow-Up: When To Verify - The Auditor 2
✑ Internal Audit Follow Ups: Are They Really Worth The Effort
- (Topic 4)
A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem. Which of the following is the senior auditor s MOST appropriate course of action?
Correct Answer:
C
The senior auditor’s most appropriate course of action is to have the finding reinstated, because the auditee’s claim of correcting the problem is not sufficient evidence to support the removal of the finding. The auditor should verify that the corrective action has been implemented effectively and that it has resolved the underlying issue or risk. The auditor should also document the evidence and results of the verification in the work papers. The other options are not appropriate, because they either accept the auditee’s claim without verification, delegate the responsibility to the auditee or escalate the issue unnecessarily. References:
✑ ISACA, CISA Review Manual, 27th Edition, chapter 1, section 1.51
✑ ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 12062
- (Topic 3)
Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?
Correct Answer:
A
The greatest risk of using a reciprocal site for disaster recovery is the inability to utilize the site when required. A reciprocal site is an agreement between two organizations to provide backup facilities for each other in case of a disaster. However, this arrangement may not be reliable or enforceable, especially if both organizations are affected by the same disaster or have conflicting priorities. Therefore, the IS auditor should recommend that management consider alternative options for disaster recovery, such as dedicated sites or cloud services12. References:
✑ CISA Review Manual, 27th Edition, page 3381
✑ CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
- (Topic 4)
Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?
Correct Answer:
B
The primary advantage of using virtualization technology for corporate applications is to achieve better utilization of resources, such as hardware, software, network and storage. Virtualization technology allows multiple applications to run on a single physical server or device, which reduces the need for additional hardware and maintenance costs. Virtualization technology also enables dynamic allocation and reallocation of resources according to the demand and priority of the applications, which improves efficiency and flexibility. The other options are not the primary advantage of using virtualization technology, although they may be some of the benefits or challenges depending on the implementation and configuration. References:
✑ ISACA, CISA Review Manual, 27th Edition, chapter 4, section 4.21
✑ ISACA, COBIT 2019 Framework: Introduction and Methodology, section 3.23
- (Topic 3)
Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''
Correct Answer:
C
The best way to ensure that a backup copy is available for restoration of mission critical data after a disaster is to periodically test backups stored in a remote location. Testing backups is essential to verify that the backup copies are valid, complete, and recoverable. Testing backups also helps to identify any issues or errors that may affect the backup process or the restoration of data. Storing backups in a remote location is important to protect the backup copies from physical damage, theft, or unauthorized access that may occur at the primary site. Using an electronic vault for incremental backups, deploying a fully automated backup maintenance system, or using both tape and disk backup systems are not sufficient to ensure that a backup copy is available for restoration of mission critical data after a disaster, as they do not address the need for testing backups or storing them in a remote location. References: Backup and Recovery of Data: The Essential Guide | Veritas, The Truth About Data Backup for Mission-Critical Environments - DATAVERSITY.