Isaca Updated CISA Exam Questions and Answers by artie

The IS auditor should first determine whether the business impact analysis (BIA) is current with the organization’s structure and context. The BIA is a critical component of the BCP and should reflect the current state of the organization. If the BIA is not up-to-date, it may not accurately reflect the impact of a disruption to the organization’s operations, including the closure of a production plant12.

The greatest indicator that the cybersecurity policy may need to be revised is a significant increase in approved exceptions. This implies that the policy is not aligned with the current business needs and risks, and that it may be too restrictive or outdated. The other options are not necessarily indicators of a need for policy revision, as they may be due to other factors such as changes in the externalenvironment, audit scope or methodology. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.21

 Ensuring that the facts presented in the report are correct is the most important thing for an IS auditor to do during an exit meeting with an auditee. An IS auditor should confirm that the audit findings and observations are accurate, complete, and supported by sufficient evidence, as well as that the auditee understands and agrees with them. This will help to avoid any misunderstandings or disputes later on, as well as to enhance the credibility and quality of the audit report. The other options are less important things for an IS auditor to do during an exit meeting, as they may involve communicating the recommendations to senior management, specifying implementation dates for the recommendations, or requesting input in determining corrective action. References:

CISA Review Manual (Digital Version), Chapter 2, Section 2.5.21

CISA Review Questions, Answers and Explanations Database, Question ID 222