- (Topic 4)
An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the
business continuity plan (BCP). Which of the following is the auditor's BEST course of action?
Correct Answer:
B
This is because the auditor’s primary objective is to evaluate the adequacy and performance of the business continuity plan (BCP) in ensuring the continuity and resilience of the organization’s critical functions and processes during a disruption. The auditor should review the actual results and outcomes of the business response, such as the recovery time, recovery point, service level, customer satisfaction, and incident management, and compare them with the predefined objectives and criteria of the BCP. The auditor should also identify and analyze any gaps, issues, or lessons learned from the business response, and provide recommendations for improvement [1][2].
Answer A (Confirm the BCP has been recently updated) is not the best answer, because it is not directly related to the auditor’s course of action. Confirming the BCP has been recently updated is a part of the audit planning and scoping process, not the audit execution or reporting process. The auditor should confirm the BCP has been recently updated before conducting the audit, not after revealing that a simulation test has not been performed. Moreover, confirming the BCP has been recently updated does not provide sufficient evidence of the effectiveness of the business response [1][2].
Answer C (Raise an audit issue for the lack of simulated testing) is not the best answer, because it is not relevant to the auditor’s course of action. Raising an audit issue for the lack of simulated testing is a part of the audit reporting and follow-up process, not the audit execution or evaluation process. The auditor should raise an audit issue for the lack of simulated testing after reviewing the effectiveness of the business response, not before or instead of doing so. Furthermore, raising an audit issue for the lack of simulated testing does not address the root cause or impact of the problem, nor does it provide any constructive feedback or guidance for improvement [1][2].
Answer D (Interview staff members to obtain commentary on the BCP’s effectiveness) is not the best answer, because it is not sufficient to guide the auditor’s course of action. Interviewing staff members to obtain commentary on the BCP’s effectiveness is a part of the audit evidence collection and analysis process, not the audit evaluation or conclusion process. The auditor should interview staff members to obtain commentary on the BCP’s effectiveness as one of the sources of information, not as the only or main source of information. Additionally, interviewing staff members to obtain commentary on the BCP’s effectiveness may be subjective, biased, or incomplete, and may not reflect the actual performance or outcomes of the business response [1][2].
References:
✑ Business Continuity Management Audit/Assurance Program
✑ Business Continuity Plan Testing: Types and Best Practices
- (Topic 2)
Which of the following documents should specify roles and responsibilities within an IT audit organization?
Correct Answer:
B
The audit charter is a document that defines the purpose, scope, authority, and responsibility of an IT audit organization. The audit charter should specify roles and responsibilities within an IT audit organization, such as who is accountable for approving the audit plan, who is responsible for conducting the audits, who is authorized to access the audit evidence, and who is accountable for reporting the audit results. The organizational chart, the engagement letter, and the annual audit plan are also important documents for an IT audit organization, but they do not specify roles and responsibilities as clearly and comprehensively as the audit charter.
- (Topic 4)
Which of the following should be an IS auditor's PRIMARY consideration when determining which issues to include in an audit report?
Correct Answer:
C
Materiality is the primary consideration when determining which issues to include in an audit report, as it reflects the significance or importance of the issues to the users of the report. Materiality is a relative concept that depends on the nature, context, and amount of the issues, as well as the expectations and needs of the users. Materiality helps the auditor to prioritize the issues and communicate them clearly and concisely.
References:
✑ ISACA CISA Review Manual, 27th Edition, page 256
✑ Materiality in Auditing - AICPA
✑ Materiality in Planning and Performing an Audit - IAASB
- (Topic 4)
An auditee disagrees with a recommendation for corrective action that appears in the draft engagement report. Which of the following is the IS auditor's BEST course of action when preparing the final report?
Correct Answer:
B
The IS auditor’s best course of action when preparing the final report is to include the position supported by senior management in the final engagement report. The IS auditor should communicate the audit findings and recommendations to senior management and obtain their feedback and approval before issuing the final report. If there is a disagreement between the auditee and the IS auditor regarding a recommendation for corrective action, the IS auditor should present both sides of the argument and the supporting evidence, and seek senior management’s opinion and decision. The IS auditor should respect and follow senior management’s position, and include it in the final engagement report, along with the auditee’s comments if applicable. The other options are not the best course of action, because they either do not resolve the disagreement, do not reflect senior management’s authority, or do not report the audit results accurately and completely.
References:
✑ CISA Review Manual (Digital Version), Chapter 2, Section 2.2.5
- (Topic 4)
Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?
Correct Answer:
D
The statement that BEST demonstrates alignment with data classification standards related to the protection of information assets is D. All information assets will be assigned a clearly defined level to facilitate proper employee handling. Data classification involves categorizing information assets based on their sensitivity, importance, and usage. Assigning clearly defined levels (such as public, internal, confidential, etc.) to information assets ensures that appropriate security controls are applied based on their classification. By doing so, organizations can manage access, encryption, and other protective measures effectively [1][2].
References:
✑ [1] IFRC. “Information Security: Acceptable Use Policy.” https://www.ifrc.org/sites/default/files/2021-11/IFRC-Information-Security-Acceptable-Use-Policy.pdf
✑ [2] UNSW Sydney. “Data Classification Standard.” https://www.unsw.edu.au/content/dam/pdfs/governance/policy/2022-01-policies/datastandard.pdf
✑ [3] Digital Guardian. “What is a Data Classification Policy?” https://www.digitalguardian.com/blog/what-data-classification-policy
✑ [4] Microsoft Service Trust Portal. “Data classification & sensitivity label taxonomy.” https://learn.microsoft.com/en-us/compliance/assurance/assurance-data-classification-and-labels
✑ [5] Clark University ITS Policies. “Data Classification - Data Security Policies.” https://www2.clarku.edu/offices/its/policies/data_classification.cfm