- (Topic 4)
Which of the following is MOST critical to the success of an information security program?

1. A. User accountability for information security
2. B. Management's commitment to information security
3. C. Integration of business and information security
4. D. Alignment of information security with IT objectives

Correct Answer: B
Management’s commitment to information security is the most critical factor for the success of an information security program, as it sets the tone and direction for the organization’s security culture and practices. Management’s commitment is demonstrated by establishing a clear security policy, providing adequate resources, assigning roles and responsibilities, enforcing compliance, and supporting continuous improvement. The other options are important elements of an information security program, but they depend on management’s commitment to be effective. References: CISA Review Manual (Digital Version) 1, page 439.

- (Topic 4)
An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data Which of the following is the PRIMARY advantage of this approach?

1. A. Audit transparency
2. B. Data confidentiality
3. C. Professionalism
4. D. Audit efficiency

Correct Answer: D
The primary advantage of this approach is that it improves audit efficiency. Audit efficiency is the measure of how well the audit resources are used to achieve the audit objectives. Audit efficiency can be enhanced by using methods or techniques that can save time, cost, or effort without compromising the quality or scope of the audit. By requesting direct access to data required to perform audit procedures instead of asking management to provide the data, the auditor can reduce the dependency on management’s cooperation, availability, or timeliness. The auditor can also avoid potential delays, errors, or biases that may occur when management provides the data. References:
✑ CISA Review Manual (Digital Version), Chapter 2, Section 2.41
✑ CISA Online Review Course, Domain 1, Module 1, Lesson 42

- (Topic 1)
A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

1. A. Implement overtime pay and bonuses for all development staff.
2. B. Utilize new system development tools to improve productivity.
3. C. Recruit IS staff to expedite system development.
4. D. Deliver only the core functionality on the initial target date.

Correct Answer: D
The strategy that would provide the greatest assurance of system quality at implementation is delivering only the core functionality on the initial target date. This strategy can help avoid compromising the quality of the system by focusing on the essential features that meet the user needs and expectations. Delivering only the core functionality can also help reduce the scope creep, complexity, and testing efforts of the system development project.
Implementing overtime pay and bonuses for all development staff, utilizing new system development tools to improve productivity, and recruiting IS staff to expedite system development are not strategies that would provide the greatest assurance of system quality at implementation. These strategies may help speed up the system development process, but they may also introduce new risks or challenges such as burnout, learning curve, integration issues, or communication gaps. These risks or challenges may adversely affect the quality of the system.

- (Topic 3)
An IS auditor assessing the controls within a newly implemented call center would First

1. A. gather information from the customers regarding response times and quality of service.
2. B. review the manual and automated controls in the call center.
3. C. test the technical infrastructure at the call center.
4. D. evaluate the operational risk associated with the call center.

Correct Answer: D
The first step in assessing the controls within a newly implemented call center is to evaluate the operational risk associated with the call center. This will help the IS auditor to identify the potential threats, vulnerabilities, and impacts that could affect the call center’s objectives, performance, and availability. The evaluation of operational risk will also provide a basis for determining the scope, objectives, and approach of the audit. The other options are possible audit procedures, but they are not the first step in the audit process. References: ISACA Frameworks: Blueprints for Success, CISA Review Manual (Digital Version)

- (Topic 4)
An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems What type of control is being implemented?

1. A. Directive
2. B. Detective
3. C. Preventive
4. D. Compensating

Correct Answer: A
An organization is shifting to a remote workforce. In preparation, the IT department is performing stress and capacity testing of remote access infrastructure and systems. This type of control is being implemented to direct or guide actions to achieve a desired outcome. Therefore, it is a directive control. Directive controls are proactive controls that seek to prevent undesirable events from occurring. They include policies, standards, procedures, guidelines, training, and testing. Detective controls are reactive controls that seek to identify undesirable events that have already occurred. They include monitoring, logging, auditing, and reporting. Preventive controls are proactive controls that seek to avoid undesirable events from occurring. They include authentication, encryption, firewalls, and antivirus software. Compensating controls are alternative controls that provide a similar level of protection as the primary controls when the primary controls are not feasible or cost-effective. They include segregation of duties, manual reviews, and backup systems. References: CISA Review Manual (Digital Version), [ISACA Glossary of Terms]