Isaca Updated CISA Exam Questions and Answers by khalid

The IS auditor’s best course of action in this situation is to present observations for discussion only. Observations are factual statements or findings that are based on the audit evidence collected and analyzed during the audit. Observations can be presented to management for discussion and feedback, but they should not be considered as final conclusions or recommendations until the audit is completed and the audit report is issued. The other options are not appropriate for presenting the findings to date, as they may compromise the audit quality or integrity. Reviewing working papers with the auditee is not advisable, as working papers are confidential documents that contain the auditor’s notes, calculations, and opinions that may not be relevant or accurate for management’s review. Requesting the auditee provide management responses is premature, as management responses should be obtained after the audit report is issued and the audit findings and recommendations are finalized. Requesting management wait until a final report is ready for discussion is impractical, as management may have a legitimate interest or need to know the audit progress and results as soon as possible. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.3

 The best detective control for a job scheduling process involving data transmission is job failure alerts that are automatically generated and routed to support personnel. Job failure alerts are notifications that indicate when a scheduled job or task fails to execute or complete successfully, such as due to errors, interruptions, or delays. Job failure alerts can help detect and correct any issues or anomalies in the job scheduling process involving data transmission by informing and alerting the support personnel who can investigate and resolve the problem. The other options are not as effective as job failure alerts in detecting issues or anomalies in the job scheduling process involving data transmission, as they do not provide timely or specific information or feedback. Metrics denoting the volume of monthly job failures are reported and reviewed by senior management is a reporting technique that can help measure and improve the performance and reliability of the job scheduling process, but it does not provide immediate or detailed information on individual job failures. Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP) is a preventive control that can help ensure the timeliness and security of the job scheduling process involving data transmission, but it does not detect any issues or anomalies that may occur during the process. Jobs are scheduled and a log of this activity is retained for subsequent review is a logging technique that can help record and track the status and results of the job scheduling process involving data transmission, but it does not provide real-time or proactive information on job failures. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

 The auditor’s best course of action in this situation is to notify the audit manager. The audit manager is responsible for overseeing the audit follow-up process and ensuring that audit issues are resolved in a timely and satisfactory manner. The audit manager can then decide whether to escalate the matter to higher authorities, such as the chair of the audit committee, or to accept management’s decision and close the audit finding. The other options are not appropriate for the auditor to do without consulting with the audit manager first. Notifying the chair of the audit committee is a drastic step that may undermine the relationship between the auditor and management, and it should be done only after exhausting other means of resolving the issue. Retesting the control is not necessary, as management has already decided not to implement the recommendations. Closing the audit finding is premature, as management’s decision may not be aligned with the audit objectives or risk appetite. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

The security architecture of an online application is a design that describes how various security components and controls are integrated and configured to protect the application from internal and external threats. When auditing the security architecture of an online application, an IS auditor should first review the location of the firewall within the network, as this determines how effectively the firewall can filter and monitor the traffic between different network segments and zones. The firewall standards, configuration, and firmware version are also important aspects to review, but they are secondary to the location of the firewall.