QUESTION 26

- (Topic 3)
Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

Correct Answer: B
The most conclusive audit procedure for evaluating the effectiveness of an e-commerce application system’s edit routine is to use test transactions. A test transaction is a simulated input that is processed by the system to verify its output and performance. By using test transactions, an auditor can directly observe how the edit routine checks the validity, accuracy, and completeness of data entered by users, and how it handles incorrect or invalid data. Test transactions can also help measure the efficiency, reliability, and security of the edit routine, as well as identify any errors or weaknesses in the system.
The other options are not as conclusive as using test transactions, because they rely on indirect or secondary sources of information. Reviewing program documentation is an audit procedure that involves examining the written description of the system’s design, specifications, and functionality. However, program documentation may not reflect the actual implementation or operation of the system, and it may not reveal any discrepancies or defects in the edit routine. Interviewing knowledgeable users is an audit procedure that involves asking questions of the people who use or manage the system. However, interviews with knowledgeable users may not provide sufficient or objective evidence of the edit routine’s effectiveness, and they may be influenced by personal opinions or biases. Reviewing source code is an audit procedure that involves analyzing the programming language and logic of the system. However, reviewing source code may not be feasible or practical for complex or large systems, and it may not demonstrate how the edit routine performs in real scenarios.

QUESTION 27

- (Topic 4)
Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?

Correct Answer: D
An IT framework for alignment between IT and business objectives is a set of principles, guidelines, and practices that help an organization ensure that its IT investments support its strategic goals, deliver value, manage risks, and optimize resources. One of the benefits of implementing such a framework is that it enables effective IT portfolio management, which is the process of selecting, prioritizing, monitoring, and evaluating the IT projects and services that make up the IT portfolio. An IT portfolio is a collection of IT assets, such as applications, infrastructure, data, and capabilities, that are aligned with the business needs and objectives. IT portfolio management helps an organization achieve the following outcomes:
✑ Align the IT portfolio with the business strategy and vision
✑ Balance the IT portfolio among different types of investments, such as innovation, growth, maintenance, and compliance
✑ Optimize the IT portfolio performance, value, and risk
✑ Enhance the IT portfolio decision-making and governance
✑ Improve the IT portfolio communication and transparency
Therefore, inadequate IT portfolio management is a major concern that can be addressed by implementing an IT framework for alignment between IT and business objectives. Inadequate IT portfolio management can result in the following issues:
✑ Misalignment of the IT portfolio with the business needs and expectations
✑ Imbalance of the IT portfolio among competing demands and priorities
✑ Suboptimal use of the IT resources and capabilities
✑ Lack of visibility and accountability of the IT portfolio outcomes and impacts
✑ Poor communication and collaboration among the IT portfolio stakeholders
The other possible options are:
✑ Inaccurate business impact analysis (BIA): A BIA is a process of identifying and assessing the potential effects of a disruption or disaster on the critical business functions and processes. A BIA helps an organization to determine the recovery priorities, objectives, and strategies for its business continuity plan. A BIA is not directly related to an IT framework for alignment between IT and business objectives, although it may use some inputs from the IT portfolio management. Therefore, an inaccurate BIA is not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives.
✑ Inadequate IT change management practices: IT change management is a process of controlling and managing the changes to the IT environment, such as hardware, software, configuration, or documentation. IT change management helps an organization to minimize the risks and disruptions caused by the changes, ensure the quality and consistency of the changes, and align the changes with the business requirements. IT change management is not directly related to an IT framework for alignment between IT and business objectives, although it may support some aspects of the IT portfolio management. Therefore, inadequate IT change management practices are not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives.
✑ Lack of a benchmark analysis: A benchmark analysis is a process of comparing an organization’s performance, processes, or practices with those of other organizations or industry standards. A benchmark analysis helps an organization to identify its strengths and weaknesses, set realistic goals and targets, and implement best practices for improvement. A benchmark analysis is not directly related to an IT framework for alignment between IT and business objectives, although it may provide some insights for the IT portfolio management. Therefore, lack of a benchmark analysis is not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives.
References:
1: What is Portfolio Management? | Smartsheet
2: What Is Portfolio Management? - Definition from Techopedia
3: What Is Project Portfolio Management (PPM)? | ProjectManager.com
4: What Is Business Impact Analysis? | Smartsheet
5: What Is Change Management? - Definition from Techopedia
6: Benchmarking - Wikipedia

QUESTION 28

- (Topic 4)
An IS auditor determines that the vendor's deliverables do not include the source code for a newly acquired product. To address this issue, which of the following should the auditor recommend be included in the contract?

Correct Answer: C
The correct answer is C. Software escrow agreement. A software escrow agreement is a legal arrangement between three parties: the software developer (licensor), the end-user (licensee), and an escrow agent. The agreement ensures that the software’s source code and other relevant assets are securely stored with the escrow agent, and can be released to the licensee under certain conditions, such as the licensor’s bankruptcy, insolvency, or failure to provide support or maintenance. A software escrow agreement can provide the licensee with assurance and continuity for the software they depend on, and protect them from losing access or functionality in case of any unforeseen events or disputes with the licensor.

QUESTION 29

- (Topic 4)
During a database management evaluation, an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts. Which of the following is the auditor's BEST course of action?

Correct Answer: C
The auditor’s best course of action is to document the finding and explain the risk of having administrator accounts with inappropriate security settings. This is because the auditor’s role is to identify and report the issues, not to fix them or request others to fix them. The auditor should also communicate the impact of the finding, such as the possibility of unauthorized access, data tampering, or denial of service attacks. The auditor should not assume the responsibility of the IT manager or the DBA, who are in charge of changing the security parameters or disabling the accounts. References:
✑ CISA Review Manual (Digital Version), Chapter 4, Section 4.2.21
✑ CISA Online Review Course, Domain 1, Module 3, Lesson 32

QUESTION 30

- (Topic 2)
Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

Correct Answer: D
Changes to the job scheduler application’s parameters are not approved and reviewed by an operations supervisor. This is a serious control weakness that could compromise the integrity, availability, and security of the IT operations. An IS auditor should be concerned about the lack of oversight and accountability for such changes, which could result in unauthorized, erroneous, or malicious modifications that affect the processing environment. The other options are less critical issues that may not have a significant impact on the IT operations. References:
✑ CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3.11
✑ CISA Review Questions, Answers & Explanations Database, Question ID 202