Isaca Updated CISA Exam Questions and Answers by reign

Generalized audit software is a type of computer-assisted audit technique (CAAT) that allows the IS auditor to perform various audit tasks on the data stored in different file formats and databases1. Generalized audit software can help the IS auditor to select a sample for testing that includes the 80 largest client balances and a random sample of the rest, by using functions such as sorting, filtering, stratifying, and randomizing the data23. Generalized audit software can also help the IS auditor to perform other audit procedures on the sample, such as verifying the accuracy, completeness, and validity of the data4.

References

1: Generalized Audit Software (GAS) - ISACA 2: Audit Sampling - ISACA 3: How to use generalized audit software to perform audit sampling 4: Generalized Audit Software: A Review of Five Packages

Comprehensive and Detailed Explanation:

The greatest concern is if the vendor is excluded from the organization’s third-party due diligence process. Without proper due diligence, the organization has no assurance that the vendor meets minimum security and privacy requirements, exposing PII to significant risk.

Option A: External-facing services carry risk but can be mitigated by proper controls.

Option B: Lack of dedicated privacy staff may increase risk, but controls may still exist.

Option C: Fourth-party hosting adds risk but is acceptable if included in due diligence.

Option D: Correct — exclusion from due diligence represents a fundamental breakdown in vendor risk management.

???? ISACA Reference: CISA Review Manual 27th Edition, Domain 5, section on third-party/vendor risk management and data privacy.