Isaca Updated CISA Exam Questions and Answers by andrei

A test plan for the BCP is essential to ensure that the plan is effective, updated and aligned with the current business needs and objectives. A change in organizational structure with significant impact to business processes may require a revision of the BCP and a new test plan to validate its adequacy. The lack of a test plan for the BCP for two years indicates a high risk of failure in the event ofa disaster or disruption. Therefore, this should be the auditor’s greatest concern among the given options. References:

ISACA, IT Control Objectives for Sarbanes-Oxley, 4th Edition, section 5.3.21

ISACA, CISA Review Manual, 27th Edition, chapter 5, section 5.42

 The internal audit manager should have a reporting line to the audit committee, which is an independent body that oversees the internal audit function and ensures its objectivity and accountability. Reporting functionally to a senior management official may compromise the independence and clarity of the internal audit reporting process, as senior management may have a vested interest in the audit results or influence the audit scope and priorities. *References: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1002 Independence, “The chief audit executive (CAE)should report functionally to the board or its equivalent (e.g., audit committee) and administratively to executive management.” 1

 The best process for continuous auditing for a large financial institution is validating access controls for real-time data systems. This is because access controls are critical for ensuring the confidentiality, integrity, and availability of the financial data that is processed and transmitted by the real-time data systems. Real-time data systems are systems that provide timely and accurate information to support decision-making and transactions in a dynamic and complex environment. Examples of real-time data systems in the financial sector include payment systems, trading platforms, risk management systems, and fraud detection systems. Continuous auditing of access controls can help detect and prevent unauthorized access, data leakage, data manipulation, or data loss that could compromise the security, reliability, or compliance of the real-time data systems.

Testing encryption standards on the disaster recovery system is not the best process for continuous auditing for a large financial institution. Encryption standards are important for protecting the data stored or transmitted by the disaster recovery system, which is a system that provides backup and recovery capabilities in case of a disruption or disaster. However, testing encryption standards is not a continuous process, but rather a periodic or event-driven process that can be performed as part of the disaster recovery plan testing or validation.

Performing parallel testing between systems is not the best process for continuous auditing for a large financial institution. Parallel testing is a process of comparing the results of two or more systems that perform the same function or task, such as a new system and an old system, or a primary system and a backup system. Parallel testing can help verify the accuracy, consistency, and compatibility of thesystems. However, parallel testing is not a continuous process, but rather a temporary or transitional process that can be performed as part of the system implementation or migration.

Validating performance of help desk metrics is not the best process for continuous auditing for a large financial institution. Help desk metrics are indicators that measure the efficiency, effectiveness, and quality of the help desk service, which is a service that provides technical support and assistance to the users of information systems and technology. Help desk metrics can include metrics such as response time, resolution time, customer satisfaction, and service level agreement (SLA) compliance. Validating performance of help desk metrics can help evaluate and improve the help desk service. However, validating performance of help desk metrics is not a continuous auditing process, but rather a continuous monitoring process that can be performed by the help desk management or quality assurance team.

References:

All eyes on: Continuous auditing - KPMG Global 1

Internal audit’s role at financial institutions: PwC 2

The Fed - Supervisory Policy and Guidance Topics - Large Banking … 3

Continuous Audit: Definition, Steps, Advantages and Disadvantages 4

 Regular scanning of hard drives is the most effective way to detect installation of unauthorized software packages by employees because it can identify any software that is not approved by the organization and may pose a security risk or violate the software policy. Communicating the policy to employees is important, but it may not prevent or detect unauthorized software installation. Logging of activity on the network can monitor network traffic, but it may not capture all software installation events. Maintaining current antivirus software can protect the system from malicious software, but it may not detect all unauthorized software packages. References:

ISACA, CISA Review Manual, 27th Edition, 2020, p. 2381

ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription