Isaca Updated CISA Exam Questions and Answers by zadie

Audit planning is the process of developing an overall strategy and approach for conducting an audit. Audit planning involves identifying the objectives, scope, criteria, and methodology of the audit, as well as the resources, schedule, and reporting requirements. Audit planning also involves performing a risk assessment to identify and prioritize the areas of highest risk and significance for the audit1.

Risk assessment is a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking. Risk assessment involves identifying the sources and causes of risk, analyzing the likelihood and impact of risk, and determining the level of risk and the appropriate response2.

During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. The best course of action in this situation is C. Validate the low-risk entity ratings and apply professional judgment.

This is because validating the low-risk entity ratings can help to ensure that the risk assessment is accurate, reliable, and consistent with the business objectives and expectations. Validating the low-risk entity ratings can also help to identify any changes or developments that may affect the risk profile of the entities since the last assessment. Applying professional judgment can help to determine whether the low-risk entities should be included or excluded from the audit plan, based on factors such as materiality, relevance, significance, and assurance needs3.

The most important part of a feasibility study is the economics1. A cost-benefit analysis of available products is crucial as it helps to understand the economic viability of the project1. It compares the costs of the project with the benefits it is expected to deliver, which is essential for making informed decisions1. Omitting this could lead to investments in hardware that may not provide the expected returns or meet the organization’s needs.

References:

The Components of a Feasibility Study - ProjectEngineer

Automated version control systems are the best method to maintain an audit trail of changes made to the source code of a program. They automatically track and manage changes to the source code over time, allowing you to see what changes were made, when they were made, and who made them1. This provides a clear and detailed audit trail that can be invaluable for debugging, understanding the evolution of the code, and ensuring accountability23.

 Enterprise architecture (EA) is the most helpful to an IS auditor reviewing the alignment of planned IT budget with the organization’s goals and strategic objectives. EA is a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a comprehensive approach at all times, for the successful development and execution of strategy1. EA provides a blueprint for an effective IT strategy and guides the controlled evolution of IT in a way that delivers business benefit in a cost-effective way2. By reviewing the EA, the IS auditor can evaluate how well the planned IT budget supports the business vision, strategy, objectives, and capabilities of the organization.

The other options are not as helpful as EA for reviewing the alignment of planned IT budget with the organization’s goals and strategic objectives. BIA is a process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity ofoperations during and after a business disruption3. BIA quantifies the impacts of disruptions on service delivery, risks to service delivery, and recovery time objectives (RTOs) and recovery point objectives (RPOs)3. BIA is useful for developing strategies, solutions, and plans for business continuity and disaster recovery, but it does not directly address the alignment of planned IT budget with the organization’s goals and strategic objectives. Risk assessment report is a document that contains the results of performing a risk assessment or the formal output from the process of assessing risk4. Risk assessment is a method to identify, analyze, and control hazards and risks present in a situation or a place5. Risk assessment report is useful for identifying and mitigating potential threats and issues that are detrimental to the business or an enterprise, but it does not directly addressthe alignment of planned IT budget with the organization’s goals and strategic objectives. Audit recommendations are guidance that highlights actions to be taken by management6. When implemented, process risks should be mitigated, and performance should be enhanced6. Audit recommendations are useful for improving the quality and reliability of the information system and its outputs, but they do not directly address the alignment of planned IT budget with the organization’s goals and strategic objectives. Therefore, option A is the correct answer.