Isaca Updated CISA Exam Questions and Answers by malaika

The most helpful thing for an IS auditor when assessing the effectiveness of controls is the results of control testing, as this provides objective and reliable evidence of how well the controls are designed and operating in practice. A control self-assessment (CSA) is a technique that involves the participation of process owners and stakeholders in evaluating the effectiveness of controls, but it may not be as rigorous or independent as control testing. Interviews with management are useful for gaining an understanding of the control environment and culture, but they may not reflect the actual performance of controls. A control matrix is a tool that maps the controls to the objectives, risks, and requirements, but it does not measure the effectiveness of controls. References: CISA Review Manual (Digital Version),Chapter 1: Information Systems Auditing Process, Section 1.3: IT Audit Process

The best way to determine whether unauthorized changes have been made to production programs is to use source code comparison software to compare the current version of the programs with the previous version or the approved version. This will identify any changes that have been made without proper authorization or documentation. Tracing PCRs to logs or vice versa will only verify that the authorized changes have been recorded, but not detect any unauthorized changes. References: Standards, Guidelines, Tools and Techniques - ISACA, section “IS Audit and Assurance Tools and Techniques”

The best answer is A.

ISACA portfolio-management guidance emphasizes that portfolios exist at the organizational level and should be managed in line with strategic objectives. Portfolio managers are expected to determine the optimal mix of initiatives and resources to achieve organizational goals while honoring strategic constraints. That makes grouping related projects into portfolios and assessing them against strategic objectives the strongest recommendation.

Option B is too narrow because infrastructure availability is only one possible value driver. Option C is also too narrow because risk reduction alone should not dominate the whole portfolio. Option D includes business value factors, but it is still narrower than full alignment to enterprise strategy. ISACA’s framing of portfolio management is broader: balance the portfolio and align it to strategic objectives.

References (Official ISACA):

ISACA, Portfolio, Program and Project Management Using COBIT 5.

ISACA Journal, Essential Frameworks and Methodologies to Maximize the Value of IT.

ISACA Journal, The Power of IT Investment Risk Quantification and Visualization: IT Portfolio Management.