Isaca Updated CISA Exam Questions and Answers by philippa

The greatest concern is the lack of documentation for the basic assumptions and formulas used to develop the decision logic. In AI and algorithmic systems, undocumented assumptions, logic, and model foundations undermine transparency, explainability, validation, governance, auditability, and the ability to assess whether outputs are reliable and appropriate. ISACA’s AI audit guidance specifically emphasizes questioning assumptions and identifying conditions that are taken for granted within AI systems.

Option D is correct because without documented assumptions and formulas, neither management nor the auditor can effectively understand how the AI system reaches conclusions, validate whether it is working as intended, assess bias or error, or confirm whether controls are adequate. ISACA’s AI-related guidance highlights that assumptions embedded in AI systems must be examined because changing environments, unreliable data, or hidden logic can create serious control weaknesses.

Option A is not the greatest concern by itself. Outsourcing development to vendors may introduce third-party risk, but vendor use is common and can be controlled through contracts, review, validation, and oversight. The mere fact of outsourcing does not create as severe a control weakness as undocumented decision logic.

Option B is a potential concern because annual review might be too infrequent depending on the system’s risk and rate of change. However, even with infrequent review, the organization would still have documented policy and decision logic to examine. A complete lack of documentation of assumptions and formulas is more serious because it prevents meaningful review altogether.

Option C is also a concern, but vendor maintenance access can be managed through access controls, logging, approvals, segregation, and monitoring. Access by contracted developers is not inherently unacceptable. The more fundamental weakness is the absence of documented logic foundations, which affects governance and auditability at the core.

Therefore, the greatest concern is D because undocumented assumptions and formulas make the AI system insufficiently transparent and far harder to audit, validate, and control.

References (Official ISACA):

ISACA Journal, AI Risk and Mitigation: Tips and Tricks for Auditing in the AI Era — stresses questioning assumptions and identifying taken-for-granted conditions in AI systems.

ISACA Journal, Algorithms and the Auditor — supports the auditor’s role in questioning algorithmic reliability and possible errors.

ISACA White Paper, Leveraging COBIT for Effective AI System Governance — highlights risk assessment and governance throughout the AI life cycle.

The best guard against the risk of attack by hackers is encryption. Encryption is the process of transforming data into an unreadable format using a secret key or algorithm. Encryption can protect data in transit and at rest from unauthorized access, modification, or disclosure by hackers. Encryption can also ensure the authenticity and integrity of data by using digital signatures or hashes.

Tunneling, message validation, and firewalls are not the best guards against the risk of attack by hackers. Tunneling is a technique that encapsulates one network protocol within another to create a secure connection between two endpoints. Message validation is a process that verifies the format, content, and origin of a message before accepting it. Firewalls are devices or software that filter network traffic based on predefined rules. These controls may help reduce the exposure or impact of hacker attacks, but they do not provide the same level of protection as encryption.

The first step when conducting an IT risk assessment is to identify assets to be protected, which include hardware, software, data, processes, people, and facilities that support the business objectives and operations of an organization. Identifying assets to be protected helps to establish the scope and boundaries of the risk assessment, as well as the value and criticality of each asset. Identifying potential threats, assessing vulnerabilities, and evaluating controls in place are subsequent steps in the risk assessment process that depend on the identification of assets to be protected. References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.3: IT Risk Management

The most reliable follow-up procedure to determine if management has resolved the finding of non-sequential purchase order numbers is to inspect the system settings and transaction logs to determine if sequential order numbers are generated. This will provide direct evidence of the system’s functionality and compliance with the audit recommendation. The other options are less reliable because they rely on indirect evidence or information obtained from management, which may not be accurate or complete. References: CISA Review Manual (Digital Version), Standards, Guidelines, Tools and Techniques