- (Topic 2)
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

1. A. reflect current practices.
2. B. include new systems and corresponding process changes.
3. C. incorporate changes to relevant laws.
4. D. be subject to adequate quality assurance (QA).

Correct Answer: A
The greatest concern for an IS auditor when reviewing IT policies and procedures that are not regularly reviewed and updated is that policies and procedures might not reflect current practices. Policies are documents that define the goals, objectives, and guidelines for an organization’s information systems and resources. Procedures are documents that describe the steps, tasks, or activities for implementing or executing policies. Policies and procedures should be regularly reviewed and updated to ensure that they are relevant, accurate, consistent, and effective for the organization’s information systems and resources. Policies and procedures that are not regularly reviewed and updated might not reflect current practices, as they might be outdated, obsolete, or incompatible with the current state or needs of the organization’s information systems and resources. This can cause confusion, inconsistency, inefficiency, or noncompliance among users or stakeholders who rely on policies and procedures for guidance or direction. Policies and procedures might not include new systems and corresponding process changes is a possible concern for an IS auditor when reviewing IT policies and procedures that are not regularly reviewed and updated, but it is not the greatest one. Policies and procedures might not include new systems and corresponding process changes, as they might be unaware of or unresponsive to the introduction or modification of information systems or resources within the organization. This can cause gaps, overlaps, or conflicts among policies and procedures that affect different information systems or resources.

- (Topic 4)
Which of the following is MOST important when defining the IS audit scope?

1. A. Minimizing the time and cost to the organization of IS audit procedures
2. B. Involving business in the formulation of the scope statement
3. C. Aligning the IS audit procedures with IT management priorities
4. D. Understanding the relationship between IT and business risks

Correct Answer: D
The most important factor when defining the IS audit scope is to understand the relationship between IT and business risks, as this helps to identify the areas that have the most potential impact on the organization’s objectives, performance, and value. By understanding the IT and business risks, the IS auditor can focus the audit scope on the key processes, systems, controls, and issues that need to be assessed and addressed. References
ISACA CISA Review Manual, 27th Edition, page 256
Ten Factors to Consider when Setting the Scope of an Internal Audit What Is an Audit Scope? | Auditing Basics | KirkpatrickPrice

- (Topic 4)
Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

1. A. Target architecture is defined at a technical level.
2. B. The previous year's IT strategic goals were not achieved.
3. C. Strategic IT goals are derived solely from the latest market trends.
4. D. Financial estimates of new initiatives are disclosed within the document.

Correct Answer: C
The most concerning thing for an IS auditor reviewing an IT strategy document is that the strategic IT goals are derived solely from the latest market trends. An IT strategy document is a blueprint that defines how an organization will use technology to achieve its goals. It should be based on a thorough analysis of the organization’s internal and external factors, such as its vision, mission, values, objectives, strengths, weaknesses, opportunities, threats, customers, competitors, regulations, and industry standards. An IT strategy document should also align with the organization’s business strategy and reflect its unique needs and capabilities. If an IT strategy document is derived solely from the latest market trends, it may not be relevant or appropriate for the organization’s specific situation. It may also lack coherence, consistency, feasibility, or sustainability.
The other options are not as concerning as option C. Target architecture is defined at a technical level is not a concern for an IS auditor reviewing an IT strategy document. Target architecture is the desired state of an organization’s IT systems in terms of their structure, functionality, performance, security, interoperability, and integration. Defining target architecture at a technical level can help an IS auditor to understand how the organization plans to achieve its strategic IT goals and what technical requirements and standards it needs to follow. The previous year’s IT strategic goals were not achieved is not a concern for an IS auditor reviewing an IT strategy document. The previous year’s IT strategic goals are the outcomes that the organization intended to accomplish with its IT initiatives in the past year. Not achieving these goals may indicate some challenges or gaps in the organization’s IT performance or execution. However, this does not necessarily affect the quality or validity of the current IT strategy document. An IS auditor should focus on evaluating whether the current IT strategy document is realistic, measurable, achievable, relevant, and time-bound. Financial estimates of new initiatives are disclosed within the document is not a concern for an IS auditor reviewing an IT strategy document. Financial
estimates are projections of the costs and benefits of new initiatives that are part of the IT strategy document. Disclosing financial estimates within the document can help an IS auditor to assess whether the new initiatives are aligned with the organization’s budget and resources and whether they provide value for money. References: IT Strategy Template for a Successful Strategic Plan | Gartner, Definitive Guide to Developing an IT Strategy and Roadmap - CioPages, An Example of a Well-Developed IT Strategy Plan - Resolute

- (Topic 4)
Which of the following would minimize the risk of losing transactions as a result of a disaster?

1. A. Sending a copy of the transaction logs to offsite storage on a daily basis
2. B. Storing a copy of the transaction logs onsite in a fireproof vault
3. C. Encrypting a copy of the transaction logs and store on a local server
4. D. Signing a copy of the transaction logs and store on a local server

Correct Answer: A
Sending a copy of the transaction logs to offsite storage on a daily basis would minimize the risk of losing transactions as a result of a disaster. This is because offsite storage provides a backup of the data that can be recovered in case of a catastrophic event that destroys or damages the onsite data. Storing a copy of the transaction logs onsite in a fireproof vault (B) would not protect the data from other types of disasters, such as floods, earthquakes, or theft. Encrypting © or signing (D) a copy of the transaction logs and storing them on a local server would not prevent the loss of data if the server is affected by the disaster. Encryption and digital signatures are security measures that protect the confidentiality and integrity of the data, but not the availability.
Reference: CISA - Certified Information Systems Auditor Study Guide1, Chapter 5:
Protection of Information Assets, Section 5.2: Backup and Recovery Concepts, Page 353.

- (Topic 4)
In a review of the organization standards and guidelines for IT management, which of the following should be included in an IS development methodology?

1. A. Value-added activity analysis
2. B. Risk management techniques
3. C. Access control rules
4. D. Incident management techniques

Correct Answer: B
Risk management techniques should be included in an IS development methodology. An IS development methodology is a set of guidelines, standards, and procedures that provide a structured and consistent approach to developing information systems. A good IS development methodology should cover all the phases of the system development life cycle (SDLC), from planning and analysis to design, implementation, testing, and maintenance1.
Risk management techniques are an essential part of an IS development methodology, as they help to identify, assess, prioritize, mitigate, monitor, and communicate the risks that may affect the success of the system development project. Risk management techniques can also help to ensure that the system meets the requirements and expectations of the stakeholders, complies with the relevant laws and regulations, and delivers value to the organization2.
The other options are not as relevant or appropriate as risk management techniques for an IS development methodology. Value-added activity analysis is a technique for evaluating the efficiency and effectiveness of business processes, but it is not specific to IS development3. Access control rules are policies and mechanisms for restricting or granting access to information systems and resources, but they are more related to security management than IS development4. Incident management techniques are methods for handling and resolving incidents that disrupt the normal operation of information systems and services, but they are more related to service management than IS development5. References:
✑ ISACA, CISA Review Manual, 27th Edition, 2019, p. 1911
✑ ISACA, CISA Review Manual, 27th Edition, 2019, p. 1942
✑ Value-Added Activity Analysis3
✑ Access Control Rules4
✑ Incident Management Techniques5