Isaca Updated CISA Exam Questions and Answers by mikayla

Stress testing is a type of performance testing that evaluates how a system behaves under extreme load conditions, such as high user traffic, large data volumes, or limited resources. It is useful for identifying potential bottlenecks, errors, or failures that may affect the system’s functionality or availability. Stress testing during the quality assurance (QA) phase would have identified the concern of users complaining that a newly released ERP system is functioning too slowly. The other options are not as relevant for this concern, as they relate to different aspects of testing, such as regression testing (verifying that existing functionality is not affected by new changes), interface testing (verifying that the system interacts correctly with other systems or components), or integration testing (verifying that the system works as a whole after combining different modules or units). References: CISA Review Manual (Digital Version), Domain 5: Protection of Information Assets, Section 5.4 Testing Techniques1

The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (DRP) should be of greatest concern to the auditor when reviewing a bank’s SLA with a third-party provider that hosts the bank’s secondary data center. This is because the RTO is the maximum acceptable time for restoring a system or an application after a disaster or a disruption. A longer RTO than the DRP means that the bank maynot be able to resume its critical business operations within the expected time frame, which may result insignificant financial losses, reputational damage, customer dissatisfaction, or regulatory non-compliance12.

The SLA has not been reviewed in more than a year is not the greatest concern, although it is a good practice to review and update the SLA periodically to ensure that it reflects the current business needsand expectations, as well as any changes in the service provider’s capabilities or performance. However, a lack of review does not necessarily imply a lack of compliance or quality of service, as long as the SLA is still valid and enforceable34.

Backup data is hosted online only is not the greatest concern, although it may pose some security risks if the backup data is not encrypted or protected by adequate access controls. Online backup data means that the backup data is stored on a remote server that can be accessed via the Internet, which may offer some advantages such as faster recovery, lower cost, and higher availability than offline backup data that is stored on physical media such as tapes or disks. However, online backup data also requires reliable network connectivity and bandwidth, as well as proper security measures to prevent unauthorized access or tampering56.

The recovery point objective (RPO) has a shorter duration than documented in the DRP is not the greatest concern, although it may indicate some inconsistency or misalignment between the SLA and the DRP. The RPO is the maximum acceptable amount of data loss measured in time from a disaster or a disruption. A shorter RPO than the DRP means that the bank may lose less data than expected, which may be beneficial for its business continuity and recovery. However, a shorter RPO may also imply more frequent backups, which may increase the cost and complexity ofthe backup process

 The best evidence of an IT strategy correction’s effectiveness is the synchronization of IT activities with corporate objectives. The IT strategy correction is a process of reviewing and adjusting the IT strategy to ensure that it aligns with and supports the corporate strategy and objectives. The synchronization of IT activities with corporate objectives means that the IT activities are consistent with and contribute to the achievement of the corporate goals and vision. The IS auditor can measure and evaluate the IT strategy correction’s effectiveness by comparing the IT activities with the corporate objectives, and assessing whether they are aligned, integrated, and coordinated. The other options are not as good evidence of an IT strategy correction’s effectiveness, because they either do not reflect the alignment of IT and business, or they are inputs or outputs of the IT strategycorrection process rather than outcomes or results. References: CISA Review Manual (Digital Version)1, Chapter 1, Section 1.2.1

The best way to determine whether unauthorized changes have been made to production programs is to use source code comparison software to compare the current version of the programs with the previous version or the approved version. This will identify any changes that have been made without proper authorization or documentation. Tracing PCRs to logs or vice versa will only verify that the authorized changes have been recorded, but not detect any unauthorized changes. References: Standards, Guidelines, Tools and Techniques - ISACA, section “IS Audit and Assurance Tools and Techniques”