Isaca Updated CISA Exam Questions and Answers by tamara

According to the ISACA CISA documentation, one of the requirements for internal audit quality assurance (QA) and continuous improvement processes is to have an external assessment at least once every five years by a qualified, independent reviewer or review team from outside the organization1. This is to ensure that the internal audit activity conforms to the International Standards for the Professional Practice of Internal Auditing (the Standards) and the Code of Ethics, and to identify opportunities for improvement2. Therefore, the lack of periodic engagement with external assessors would present the greatest concern during a review of internal audit QA and continuous improvement processes.

When a data center is attempting to restore computing facilities at an alternative site following a disaster, the operating system should be restored FIRST. Here’s why:

• Operating System (OS):
• Data Backups:
• Applications:
• Decision Support System (DSS):

In summary, prioritize restoring the operating system, which forms the basis for subsequent recovery steps12. Once the OS is functional, proceed with data backups, applications, and other systems as needed.

The primary role of key performance indicators (KPIs) in supporting business process effectiveness is to enable conclusions about the performance of the processes and target variances for follow-up analysis. KPIs are measurable values that demonstrate how effectively an organization is achieving its key objectives. KPIs can help to monitor and evaluate the performance, quality, and efficiency of the business processes. KPIs can also help to identify areas for improvement and benchmark against best practices or industry standards. KPIs can also provide feedback and guidance for decision making and corrective actions. References:

• CISA Review Manual (Digital Version), Chapter 1, Section 1.3.21
• CISA Online Review Course, Domain 5, Module 2, Lesson 22

 Social engineering is the manipulation of people to perform actions or divulge confidential information. It is a common technique used by attackers to gain unauthorized access to systems or data. Employees who use public social networking sites may be vulnerable to social engineering attacks, such as phishing, baiting, or pretexting, which pose the greatest risk to the organization’s security. The other options are not as serious as social engineering, as they relate to web application vulnerabilities, intellectual property rights, and reputation management, which are less likely to compromise the organization’s assets or operations. References: CISA Review Manual (Digital Version), Domain 5: Protection of Information Assets, Section 5.3 Security Awareness Training1