Isaca Updated CISA Exam Questions and Answers by tymon

The auditor’s greatest concern when reviewing data inputs from spreadsheets into the core finance system would be undocumented code that formats data and transmits directly to the database. This is because undocumented code can introduce errors, inconsistencies, and security risks in the data processing and reporting. Undocumented code can also make it difficult to verify the accuracy, completeness, and validity of the data inputs and outputs, as well as to trace the source and destination of the data. Undocumented code can also violate the principles of segregation of duties, as the same person who creates the code may also have access to the data and the database.

The other options are not as concerning as undocumented code, although they may also pose some risks. A lack of complete inventory of spreadsheets and inconsistent file naming may make it challenging to identify and locate the relevant spreadsheets, but they do not directly affect the quality or integrity of the data inputs. The department data protection policy not being reviewed or updated for two years may indicate a lack of awareness or compliance with the current data protection regulations, but it does not necessarily imply that the data inputs are compromised or inaccurate. Spreadsheets being accessible by all members of the finance department may increase the risk of unauthorized or accidental changes to the data, but it can be mitigated by implementing access controls, password protection, and audit trails.

References:

ISACA, CISA Review Manual, 27th Edition, 2019, p. 2261

Five Common Spreadsheet Risks and Ways to Control Them2

GREATEST Concerns When Reviewing Data Inputs from Spreadsheets3

The most important factor to ensure when developing an effective security awareness program is B. Outcome metrics for the program are established. This is because outcome metrics are measures that evaluate the impact and results of the security awareness program on the behavior and performance of the users, and the security posture and objectives of the organization1. Outcome metrics can help ensure the effectiveness of the security awareness program by:

Providing feedback and evidence on whether the security awareness program is achieving its goals and expectations, such as reducing the number of incidents, improving the compliance rate, or increasing the reporting rate1.

Identifying and quantifying the strengths and weaknesses of the security awareness program, and enabling continuous improvement and optimization of the program content, delivery, and frequency1.

Demonstrating and communicating the value and return on investment of the security awareness program to the stakeholders and management, and securing their support and commitment for the program1.

Transaction tagging is a technique by which transactions are marked with unique identifiers or headers and traced through the system using agents or sensors at each processing point1. Transaction tagging allows for continuous monitoring and analysis of transaction processing in a high-volume, real-time system by providing visibility into the performance, availability, and reliability of each transaction and its components1. Transaction tagging can also help to identify and isolate errors, bottlenecks, anomalies, and security issues in the system1.

 Control totals are a method of verifying the accuracy and completeness of data processing by comparing the totals of key fields in input and output records1. Control totals can be used to reduce the risk of incomplete processing, which is the failure to process all the data or transactions that are expected or required2.

Incomplete processing can result in data loss, inconsistency, or incompleteness, which can affect the quality and reliability of the information system and its outputs. Incomplete processing can be caused by various factors, such as:

Hardware or software failures that interrupt the processing or transmission of data2

Human errors or omissions that skip or miss some data or transactions2

Malicious attacks or unauthorized access that delete or modify some data or transactions2

Environmental hazards or disasters that damage or destroy some data or transactions2

Control totals can help detect and prevent incomplete processing by:

Providing a benchmark or reference point to compare the input and output data or transactions1

Identifying any discrepancies or deviations from the expected or required totals1

Alerting the users or operators to investigate and resolve the causes of incomplete processing1

Ensuring that all the data or transactions are properly transmitted, converted, and processed1

The other options are not as relevant as control totals for reducing the risk of incomplete processing. Posting to the wrong record is the error of assigning or transferring data or transactions to an incorrect account, file, or record3. Improper backup is the failure to create, store, or restore copies of data or transactions in case of loss, corruption, or damage4. Improper authorization is the lack of proper permission or approval to access, modify, or process data or transactions. Control totals may not be able to prevent or detect these errors or failures, as they are not related to the completeness of data processing. Therefore, option B is the correct answer.

References:

control totals - Barrons Dictionary - AllBusiness.com

What is control total amount? - Sage Advice US

Posting Error Definition

Backup Definition

[Authorization Definition]