Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?
Correct Answer: B
It is important for an IS auditor to review the information systems acquisition, development, and implementation process to ensure that it has been performed properly and that any errors or issues have been identified and addressed. A lessons-learned exercise is an important part of this process, as it allows for the identification and rectification of any issues that may have been missed during the initial stages of the process. Without this exercise, any potential issues may go unnoticed and lead to further problems down the line.
Question 847
Which of the following is the BEST evidence of the maturity of an organization's information security program?
Correct Answer: B
Section: Information System Operations, Maintenance and Support
Question 848
An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
Correct Answer: B
Explanation: Developing a risk-based plan considering each entity's business processes would best help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan. A risk-based plan is a plan that prioritizes the audit activities based on the level of risk associated with each area or process. A risk-based plan can help to allocate the audit resources more efficiently and effectively, and provide more assurance and value to the stakeholders [1]. By considering each entity's business processes, the IS audit can identify and assess the specific risks and controls that affect the IT environment of each entity, and tailor the audit objectives, scope, and procedures accordingly. This can help to address the unique needs and expectations of each entity, and ensure that the IS audit covers the key risk areas that are relevant and significant to each entity's operations, performance, and compliance [2].

The other options are not as effective as developing a risk-based plan considering each entity's business processes in ensuring that IS audit still covers key risk areas within the IT environment as part of its annual plan. Option A, increasing the frequency of risk-based IS audits for each business entity, is not a feasible or efficient solution, as it may increase the audit costs and workload, and create duplication or overlap of audit efforts. Option C, conducting an audit of newly introduced IT policies and procedures, is a limited and narrow approach, as it may not cover all the aspects or dimensions of the IT environment that may have changed or been affected by the split. Option D, revising IS audit plans to focus on IT changes introduced after the split, is a reactive and short-term approach, as it may not reflect the current or future state of the IT environment or the business objectives of each entity.

References:
ISACA, CISA Review Manual, 27th Edition, 2019
ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
[1] Risk-Based Audit Planning: A Guide for Internal Audit
[2] Risk-Based Audit Approach: Definition & Example
Question 849
Which of the following would BEST detect that a distributed-denial-of-service attack (DDoS) is occurring?
Correct Answer: C
Question 850
Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
Correct Answer: C
Section: Protection of Information Assets
Explanation: The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place. Sociability testing and system tests take place at a later stage in the development process.