- (Topic 1)
Which of the following is MOST important with regard to an application development acceptance test?
Correct Answer:
C
The most important aspect of an application development acceptance test is that user management approves the test design before the test is started, as this ensures that the test objectives, criteria, and procedures are aligned with the user requirements and expectations. The programming team’s involvement in the testing process, the testing of data files for valid information before conversion, and the quality assurance (QA) team being in charge of the testing process are also important, but they are not as critical as user management’s approval of the test design. References: CISA Review Manual (Digital Version), Chapter 4, Section 4.4.2
- (Topic 1)
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
Correct Answer:
D
The most important thing for the organization to ensure when reducing the actual retention period for media containing completed low-value transactions is that the retention period complies with data owner responsibilities. Data owners are accountable for the quality, security, and availability of the data under their control. They are also responsible for defining and enforcing data retention policies that comply with legal, regulatory, contractual, and business requirements. Data owners should be consulted and involved in any decision that affects the retention period of their data, as they are ultimately liable for any consequences of data loss or breach.
That the policy includes a strong risk-based approach, that the retention period allows for review during the year-end audit, and that the total transaction amount has no impact on financial reporting are not the most important things for the organization to ensure when reducing the actual retention period for media containing completed low-value transactions. These are possible factors or benefits that may influence or justify the decision, but they do not override or replace the data owner responsibilities.
- (Topic 4)
Which of the following applications has the MOST inherent risk and should be prioritized during audit planning?
Correct Answer:
C
An outsourced accounting application has the most inherent risk and should be prioritized during audit planning because it involves external parties, sensitive data, and complex transactions that are susceptible to material misstatement, error, or fraud [1][2]. An outsourced accounting application also requires more oversight and monitoring from the internal audit department to ensure compliance with the service level agreement and the organization’s policies and standards [3].
References
1: Inherent Risk: Definition, Examples, and 3 Types of Audit Risks
2: 3 Types of Audit Risk - Inherent, Control and Detection - Accountinguide
3: IS Audit Basics: The Core of IT Auditing
- (Topic 2)
Which of the following concerns is BEST addressed by securing production source libraries?
Correct Answer:
D
The concern best addressed by securing production source libraries is that unauthorized changes can be moved into production. Production source libraries contain the source code of programs that are used in the production environment. Securing production source libraries means implementing access controls, change management procedures, and audit trails to prevent unauthorized or improper changes to the source code that could affect the functionality, performance, or security of the production programs. The other options are less relevant concerns that may not be directly addressed by securing production source libraries, but rather by other controls such as program approval, version control, or change testing. References:
✑ CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3.21
✑ CISA Review Questions, Answers & Explanations Database, Question ID 213
- (Topic 4)
An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?
Correct Answer:
D
An acceptable use policy (AUP) is a document that defines the rules and guidelines for using an organization’s IT resources, such as networks, devices, and software. It aims to protect the organization’s assets, security, and productivity. An AUP should be formally acknowledged by users to ensure that they are aware of their responsibilities and obligations when using the IT resources. Without formal acknowledgment, users may not be held accountable for violating the AUP or may claim ignorance of the policy. This can expose the organization to legal, regulatory, reputational, or operational risks. Lack of data for measuring compliance, violation of industry standards, and noncompliance with documentation requirements are also possible risks from not having users acknowledge the AUP, but they are less significant than lack of user accountability.
References: Workable: Acceptable use policy template, Wikipedia: Acceptable use policy