Isaca Updated CISA Exam Questions and Answers by santino

The primary reason to perform internal QA for an internal audit function is to ensure that the internal audit activity adheres to the Definition of Internal Auditing and the International Standards for the Professional Practiceof Internal Auditing (Standards) issued by the Institute of Internal Auditors (IIA), as well as the internal audit methodology and policies of the organization. A QA program enables an evaluation of the internal audit activity’s performance, efficiency, effectiveness, and value, and identifies opportunities for improvement. A QA program also helps to enhance the credibility and reputation of the internal audit function among the stakeholders.

References

Quality Assurance - The Institute of Internal Auditors or The IIA

Benefits of a quality assurance review for internal audit

Optimize your internal audit function with a quality assurance review …

A risk assessment must be completed as part of annual audit planning. ISACA’s ITAF-based guidance states that the IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for effective allocation of audit resources.

Option C is correct because audit planning is fundamentally risk-based under ISACA guidance. Annual planning requires identifying and prioritizing risk areas so the audit plan focuses on the areas of greatest significance. ISACA also notes that, before creating the annual audit plan, the organizationwide risk register should be reviewed thoroughly to prioritize risk areas.

Option A may inform audit planning in some organizations, but it is not a universal required planning step.

Option B can be useful, but it is optional and supplementary, not mandatory.

Option D is typically developed at the engagement level for specific audits rather than as a mandatory organizationwide annual planning deliverable.

Therefore, C is the best answer because risk assessment is the required foundation of the annual audit plan under ISACA guidance.

References (Official ISACA):

ISACA Journal, Developing the IT Audit Plan Using COBIT 2019 — ITAF requires an appropriate risk assessment approach to develop the overall IS audit plan.

ISACA Journal, Auditing and Digital Transformation Are at a Crossroads — before creating the annual audit plan, the organizationwide risk register should be reviewed thoroughly.

ISACA, Certification Exam Candidate Guide — includes evaluation of audit processes and quality programs, supporting structured audit planning.

The best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities is to perform a configuration review. A configuration review is an audit procedure that involves examining and verifying the security settings and parameters of application servers against predefined standards or best practices. A configuration review can help to identify and remediate any deviations, inconsistencies, or misconfigurations thatmay expose the application servers to unauthorized access, exploitation, or compromise6. A configuration review can also help to ensure compliance with security policies and regulations, as well as enhance the performance and availability of application servers. The other options are less effective or incorrect because:

A. Improving the change management process is not the best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities, as it does not address the root cause of the problem or provide a specific solution. While improving the change management process may help to prevent future inconsistencies or misconfigurations in application server settings, it does not ensure that the existing ones are detected and corrected.

B. Establishing security metrics is not the best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities, as it does not address the root cause of the problem or provide a specific solution. While establishing security metrics may help to measure and monitor the security performance and posture of application servers, it does not ensure that the existing inconsistencies or misconfigurations in application server settings are detected and corrected.

C. Performing a penetration test is not the best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities, as it does not address the root cause of the problem or provide a specific solution. While performing a penetration test may help to simulate and evaluate the impact of an attack on application servers, it does not ensure that the existing inconsistencies or misconfigurations in application server settings are detected and corrected. References: Configuring system to useapplication server security - IBM, Application Security Risk: Assessment and Modeling - ISACA, Five Key Components of an Application SecurityProgram - ISACA, ISACA Practitioner Guidelines for Auditors - SSH, SCADA Cybersecurity Framework - ISACA