Isaca Updated CISA Exam Questions and Answers by scarlet

 The rules of engagement define the scope, objectives, methodology, deliverables, and limitations of the penetration testing. They also specify the legal and ethical boundaries, communication channels, and escalation procedures. Establishing the rules of engagement is the first step when planning to conduct penetration testing for a client, as it ensures that both parties agree on the expectations and outcomes of the testing. The other options are important steps, but they should be done after the rules of engagement are established. References: CISA Review Manual (Digital Version) 1, page 381.

The best way to determine whether IT investments are meeting business objectives is to compare the realized return on investment (ROI) versus the projected ROI (Option B). This approach measures actual performance against planned expectations.

ISACA CISA Reference: The ISACA IT Governance framework emphasizes performance measurement through ROI analysis, ensuring IT investments align with strategic objectives.

Risk Implication: If actual ROI is lower than projected, this may indicate ineffective investment decisions, poor execution, or misalignment with business goals.

Alternative Choices:

Option A: Break-even analysis only determines when an investment recoups its costs but does not measure performance against business objectives.

Option C: Budgeted versus actual spend assesses financial discipline but does not indicate business impact.

Option D: Industry average ROI provides benchmarking but does not assess internal goal achievement.