An organization is developing a web portal using some external components. Which of the following should be of MOST concern to an IS auditor?
Correct Answer: A
Question 922
An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor's BEST course of action?
Correct Answer: B
This is because the auditor's primary objective is to evaluate the adequacy and performance of the business continuity plan (BCP) in ensuring the continuity and resilience of the organization's critical functions and processes during a disruption. The auditor should review the actual results and outcomes of the business response, such as the recovery time, recovery point, service level, customer satisfaction, and incident management, and compare them with the predefined objectives and criteria of the BCP. The auditor should also identify and analyze any gaps, issues, or lessons learned from the business response, and provide recommendations for improvement12. Answer A. Confirm the BCP has been recently updated. is not the best answer, because it is not directly related to the auditor's course of action. Confirming the BCP has been recently updated is a part of the audit planning and scoping process, not the audit execution or reporting process. The auditor should confirm the BCP has been recently updated before conducting the audit, not after revealing that a simulation test has not been performed. Moreover, confirming the BCP has been recently updated does not provide sufficient evidence of the effectiveness of the business response12. Answer C. Raise an audit issue for the lack of simulated testing. is not the best answer, because it is not relevant to the auditor's course of action. Raising an audit issue for the lack of simulated testing is a part of the audit reporting and follow-up process, not the audit execution or evaluation process. The auditor should raise an audit issue for the lack of simulated testing after reviewing the effectiveness of the business response, not before or instead of doing so. Furthermore, raising an audit issue for the lack of simulated testing does not address the root cause or impact of the problem, nor does it provide any constructive feedback or guidance for improvement12. Answer D. Interview staff members to obtain commentary on the BCP's effectiveness. is not the best answer, because it is not sufficient to guide the auditor's course of action. Interviewing staff members to obtain commentary on the BCP's effectiveness is a part of the audit evidence collection and analysis process, not the audit evaluation or conclusion process. The auditor should interview staff members to obtain commentary on the BCP's effectiveness as one of the sources of information, not as the only or main source of information. Additionally, interviewing staff members to obtain commentary on the BCP's effectiveness may be subjective, biased, or incomplete, and may not reflect the actual performance or outcomes of the business response12. References: Business Continuity Management Audit/Assurance Program Business Continuity Plan Testing: Types and Best Practices
Question 923
The reliability of an application system's audit trail may be questionable if:
Correct Answer: D
Explanation/Reference: Explanation: An audit trail is not effective if the details in it can be amended.
Question 924
Which of the following is the BEST metric to measure the alignment of IT and business strategy?
Correct Answer: B
The best metric to measure the alignment of IT and business strategy is the percentage of enterprise risk assessments that include IT-related risk. This metric indicates how well the organization identifies and manages the IT risks that could affect its strategic objectives and performance. A high percentage of enterprise risk assessments that include IT-related risk shows that the organization considers IT as an integral part of its business strategy and aligns its IT resources and capabilities with its business needs and goals . References: : CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.2: IT Strategy, page 67 : CISA Online Review Course, Module 2: Governance and Management of IT, Lesson 2.2: IT Strategy
Question 925
An IS auditor has assessed a payroll service provider's security policy and finds significant topics are missing. Which of the following is the auditor's BEST course of action?
