- (Topic 3)
Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

1. A. Program coding standards have been followed
2. B. Acceptance test criteria have been developed
3. C. Data conversion procedures have been established.
4. D. The design has been approved by senior management.

Correct Answer: B
The most important thing for an IS auditor to determine during the detailed design phase of a system development project is that acceptance test criteria have been developed. Acceptance test criteria define the expected functionality, performance and quality of the system, and are used to verify that the system meets the user requirements and specifications. The IS auditor should ensure that the acceptance test criteria are clear, measurable and agreed upon by all stakeholders. Program coding standards have been followed is something that the IS auditor should check during the coding or testing phase, not the detailed design phase. Data conversion procedures have been established or the design has been approved by senior management are things that the IS auditor should verify during the implementation phase, not the detailed design phase. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 323

- (Topic 4)
Which of the following is the MOST important outcome of an information security program?

1. A. Operating system weaknesses are more easily identified.
2. B. Emerging security technologies are better understood and accepted.
3. C. The cost to mitigate information security risk is reduced.
4. D. Organizational awareness of security responsibilities is improved.

Correct Answer: D
The most important outcome of an information security program is to improve the organizational awareness of security responsibilities, as this will foster a culture of security and ensure that all stakeholders are aware of their roles and obligations in protecting the information assets of the organization. An information security program should also aim to achieve other outcomes, such as identifying operating system weaknesses, understanding and accepting emerging security technologies, and reducing the cost to mitigate information security risk, but these are not as important as improving the awareness of security responsibilities, which is the foundation of any effective information security program. *References: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 2402 Planning, “The IS audit and assurance professional should identify and assess risk relevant to the area under review.” 1 One of the risk factors to consider is “the level of awareness of management and staff regarding IT risk management” 1. According to the ISACA IT Audit and Assurance Guideline G13 Information Security Management, “The objective of an information security management audit/assurance review is to provide management with an independent assessment relating to the effectiveness of information security management within the enterprise.” The guideline also states that “the audit/assurance professional should evaluate whether there is an appropriate level of awareness throughout the enterprise regarding information security policies, standards, procedures and guidelines.” According to a web search result from Microsoft Security, “Information security programs need to: … Support the execution of decisions.” 2 One of the ways to support the execution of decisions is to ensure that everyone in the organization understands their security responsibilities and follows the security policies and procedures.

- (Topic 4)
An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center, which of the following findings should be of GREATEST concern to the auditor?

1. A. The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (ORP).
2. B. The SLA has not been reviewed in more than a year.
3. C. Backup data is hosted online only.
4. D. The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan (DRP).

Correct Answer: A
The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (DRP) should be of greatest concern to the auditor when reviewing a bank’s SLA with a third-party provider that hosts the bank’s secondary data center. This is because the RTO is the maximum acceptable time for restoring a system or an application after a disaster or a disruption. A longer RTO than the DRP means that the bank may not be able to resume its critical business operations within the expected time frame, which may result in significant financial losses, reputational damage, customer dissatisfaction, or regulatory non-compliance12.
The SLA has not been reviewed in more than a year is not the greatest concern, although it is a good practice to review and update the SLA periodically to ensure that it reflects the current business needs and expectations, as well as any changes in the service provider’s capabilities or performance. However, a lack of review does not necessarily imply a lack of compliance or quality of service, as long as the SLA is still valid and enforceable34.
Backup data is hosted online only is not the greatest concern, although it may pose some security risks if the backup data is not encrypted or protected by adequate access controls. Online backup data means that the backup data is stored on a remote server that can be accessed via the Internet, which may offer some advantages such as faster recovery, lower cost, and higher availability than offline backup data that is stored on physical media such as tapes or disks. However, online backup data also requires reliable network connectivity and bandwidth, as well as proper security measures to prevent unauthorized access or tampering56.
The recovery point objective (RPO) has a shorter duration than documented in the DRP is not the greatest concern, although it may indicate some inconsistency or misalignment between the SLA and the DRP. The RPO is the maximum acceptable amount of data loss measured in time from a disaster or a disruption. A shorter RPO than the DRP means that the bank may lose less data than expected, which may be beneficial for its business continuity and recovery. However, a shorter RPO may also imply more frequent backups, which may increase the cost and complexity of the backup process

- (Topic 2)
An information systems security officer's PRIMARY responsibility for business process applications is to:

1. A. authorize secured emergency access
2. B. approve the organization's security policy
3. C. ensure access rules agree with policies
4. D. create role-based rules for each business process

Correct Answer: C
Ensuring access rules agree with policies is an information systems security officer’s primary responsibility for business process applications. An information systems security officer should verify that the access controls implemented for the business process applications are consistent with the organization’s security policy and objectives. The other options are not the primary responsibility of an information systems security officer, but rather the tasks of an application owner, a senior management, or a business analyst. References:
✑ CISA Review Manual (Digital Version), Chapter 7, Section 7.3.11
✑ CISA Review Questions, Answers & Explanations Database, Question ID 208

- (Topic 3)
A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

1. A. IT operator
2. B. System administration
3. C. Emergency support
4. D. Database administration

Correct Answer: C
Segregation of duties (SOD) is a core internal control and an essential component of an effective risk management strategy. SOD emphasizes sharing the responsibilities of key business processes by distributing the discrete functions of these processes to multiple people and departments, helping to reduce the risk of possible errors and fraud1.
SOD is especially important in IT security, where granting excessive system access to one person or group can lead to harmful consequences, such as data breaches, identity theft, or bypassing security controls2. SOD breaks IT-related tasks into four separate function categories: authorization, custody, recordkeeping, and reconciliation1. Ideally, no one person or department holds responsibility in multiple categories.
In a role-based environment, where access privileges are granted based on predefined roles, it is important to ensure that the roles are designed and assigned in a way that supports SOD. For example, the person who develops an application should not also be the one who tests it, deploys it, or maintains it.
Therefore, an application developer should not be assigned the roles of IT operator, system administration, or database administration, as these roles may conflict with their development role and create opportunities for misuse or abuse of the system. The only role that may be assigned to an application developer without violating SOD is emergency support, which is a temporary role that allows the developer to access the system in case of a critical issue that requires immediate resolution3. However, even this role should be granted with caution and monitored closely to ensure compliance with SOD policies. References:
✑ ISACA, CISA Review Manual, 27th Edition, 2019, page 2824
✑ ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription, QID 1066692
✑ Hyperproof Blog, Segregation of Duties: What it is and Why it’s Important1
✑ Advisera Blog, Segregation of duties in your ISMS according to ISO 27001A.6.1.23