- (Topic 2)
During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?

1. A. Perform substantive testing of terminated users' access rights.
2. B. Perform a review of terminated users' account activity
3. C. Communicate risks to the application owner.
4. D. Conclude that IT general controls ate ineffective.

Correct Answer: B
The IS auditor’s next step after determining that many terminated users’ accounts were not disabled is to perform a review of terminated users’ account activity. This means that the IS auditor should check whether any of the terminated users’ accounts were accessed or used after their termination date, which could indicate unauthorized or fraudulent activity. The IS auditor should also assess the impact and risk of such activity on the confidentiality, integrity, and availability of IT resources and data. The other options are not as appropriate as performing a review of terminated users’ account activity, as they do not provide sufficient evidence or assurance of the extent and effect of the problem.
References: CISA Review Manual, 27th Edition, page 240

- (Topic 3)
What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?

1. A. Determine the resources required to make the control effective.
2. B. Validate the overall effectiveness of the internal control.
3. C. Verify the impact of the control no longer being effective.
4. D. Ascertain the existence of other compensating controls.

Correct Answer: D
The first thing that an IS auditor should do when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective is to ascertain the existence of other compensating controls. Compensating controls are alternative controls that provide reasonable assurance of achieving the same objective as the original control. The IS auditor should verify whether there are any compensating controls in place that can mitigate the risk of the key control being ineffective, and evaluate their adequacy and effectiveness. The other options are not the first steps, because they either require more information about the compensating controls, or they are actions to be taken after identifying and assessing the compensating controls. References: CISA Review Manual (Digital Version)1, Chapter 2, Section 2.2.3

- (Topic 4)
An organization considering the outsourcing of a business application should FIRST:

1. A. define service level requirements.
2. B. perform a vulnerability assessment.
3. C. conduct a cost-benefit analysis.
4. D. issue a request for proposal (RFP).

Correct Answer: C
An organization considering the outsourcing of a business application should first conduct a cost-benefit analysis to evaluate the feasibility, viability and desirability of the outsourcing decision. A cost-benefit analysis should compare the costs and benefits of outsourcing versus keeping the application in-house, taking into account factors such as financial,
operational, strategic, legal, regulatory, security and quality aspects. A cost-benefit analysis should also identify the risks and opportunities associated with outsourcing, and provide a basis for defining the service level requirements, performing a vulnerability assessment, and issuing a request for proposal (RFP) in the subsequent stages of the outsourcing process. References: Info Technology & Systems Resources | COBIT, Risk, Governance
… - ISACA, CISA Certification | Certified Information Systems Auditor | ISACA

- (Topic 1)
During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

1. A. Review working papers with the auditee.
2. B. Request the auditee provide management responses.
3. C. Request management wait until a final report is ready for discussion.
4. D. Present observations for discussion only.

Correct Answer: D
The IS auditor’s best course of action in this situation is to present observations for discussion only. Observations are factual statements or findings that are based on the audit evidence collected and analyzed during the audit. Observations can be presented to management for discussion and feedback, but they should not be considered as final conclusions or recommendations until the audit is completed and the audit report is issued. The other options are not appropriate for presenting the findings to date, as they may compromise the audit quality or integrity. Reviewing working papers with the auditee is not advisable, as working papers are confidential documents that contain the auditor’s notes, calculations, and opinions that may not be relevant or accurate for management’s review. Requesting the auditee provide management responses is premature, as management responses should be obtained after the audit report is issued and the audit findings and recommendations are finalized. Requesting management wait until a final report is ready for discussion is impractical, as management may have a legitimate interest or need to know the audit progress and results as soon as possible. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.3

- (Topic 4)
Which type of attack poses the GREATEST risk to an organization's most sensitive data?

1. A. Password attack
2. B. Eavesdropping attack
3. C. Insider attack
4. D. Spear phishing attack

Correct Answer: C
An insider attack poses the greatest risk to an organization’s most sensitive data. An insider attack is a type of cyberattack that is carried out by someone who has legitimate access to the organization’s network, systems, or data, such as an employee, contractor, or business partner. An insider attack can be intentional or unintentional, malicious or negligent, and can have various motives, such as financial gain, revenge, espionage, sabotage, or curiosity.
An insider attack poses the greatest risk to an organization’s most sensitive data because:
✑ An insider has a high level of trust and privilege within the organization, which allows them to bypass security controls and access confidential or restricted data without raising suspicion or detection.
✑ An insider has a deep knowledge of the organization’s operations, processes, policies, and vulnerabilities, which enables them to exploit them effectively and cause maximum damage or disruption.
✑ An insider can use various techniques and tools to conceal their identity and actions, such as encryption, steganography, deletion, or alteration of logs or evidence.
✑ An insider can cause significant harm or loss to the organization in terms of data integrity, availability, confidentiality, reputation, compliance, and profitability.
According to the 2023 Cost of Insider Threats Global Report by Ponemon Institute and ObserveIT 1, the average annual cost of insider threats for organizations worldwide was
$11.45 million in 2022, a 31% increase from 2018. The report also found that the average number of incidents per organization was 77 in 2022, a 47% increase from 2018. The report classified insider threats into three categories: careless or negligent employees or contractors, criminal or malicious insiders, and credential thieves. The report revealed that careless or negligent insiders were the most common and costly type of insider threat, accounting for 62% of all incidents and $4.58 million in costs.
The other options are not the greatest risk to an organization’s most sensitive data, although they can still pose significant threats.
A password attack is a type of cyberattack that attempts to guess or crack a user’s password to gain unauthorized access to their account or system. A password attack can use various methods, such as brute force, dictionary, rainbow table, phishing, keylogging, or social engineering. A password attack can compromise the security and privacy of the user’s data and information. However, a password attack can be prevented or mitigated by using strong and unique passwords, changing passwords frequently, enabling multi-factor authentication (MFA), and avoiding clicking on suspicious links or attachments.
An eavesdropping attack is a type of cyberattack that intercepts or monitors the communication between two parties without their knowledge or consent. An eavesdropping attack can use various techniques, such as wiretapping, packet sniffing, man-in-the-middle (MITM), or side-channel. An eavesdropping attack can expose the content and metadata of the communication, such as messages, files, voice calls, emails, etc. However, an eavesdropping attack can be prevented or mitigated by using encryption, authentication,
digital signatures, VPNs (virtual private networks), or secure protocols.
A spear phishing attack is a type of phishing attack that targets a specific individual or group with personalized and convincing emails that appear to come from a trusted source. A spear phishing attack aims to trick the recipient into clicking on a malicious link or attachment that can infect their device with malware or steal their credentials or data. A spear phishing attack can compromise the security and privacy of the recipient’s data and information. However, a spear phishing attack can be prevented or mitigated by verifying the sender’s identity and email address, checking the email content for spelling and grammar errors, hovering over links before clicking on them (or not clicking at all), scanning attachments for viruses before opening them (or not opening at all), and reporting suspicious emails to IT security staff.