ISACA Certification: CISA Exam (ISACA.CISA.v2024-12-27.q999 Dumps)

Question 176

Which of the following ACID properties ensures that a transaction will bring the database from one valid state
to another?

Correct Answer: B
Section: Information System Acquisition, Development and Implementation
Explanation/Reference:
Consistency - The consistency property ensures that any transaction will bring the database from one valid
state to another. Any data written to the database must be valid according to all defined rules, including but
not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee
correctness of the transaction in all ways the application programmer might have wanted (that is the
responsibility of application-level code) but merely that any programming errors do not violate any defined
rules.
For the CISA exam you should know the following information about ACID properties in a DBMS:
Atomicity - Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the
entire transaction fails, and the database state is left unchanged. An atomic system must guarantee
atomicity in each and every situation, including power failures, errors, and crashes. To the outside world, a
committed transaction appears (by its effects on the database) to be indivisible ("atomic"), and an aborted
transaction does not happen.
Consistency - The consistency property ensures that any transaction will bring the database from one valid
state to another. Any data written to the database must be valid according to all defined rules, including but
not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee
correctness of the transaction in all ways the application programmer might have wanted (that is the
responsibility of application-level code) but merely that any programming errors do not violate any defined
rules.
Isolation - The isolation property ensures that the concurrent execution of transactions results in a system
state that would be obtained if transactions were executed serially, i.e. one after the other. Providing
isolation is the main goal of concurrency control. Depending on the concurrency control method, the effects of
an incomplete transaction might not even be visible to another transaction.
Durability - Durability means that once a transaction has been committed, it will remain so, even in the
event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL
statements execute, the results need to be stored permanently (even if the database crashes immediately
thereafter). To defend against power loss, transactions (or their effects) must be recorded in a non-volatile
memory.
The following were incorrect answers:
Atomicity - Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the
entire transaction fails, and the database state is left unchanged.
Isolation - The isolation property ensures that the concurrent execution of transactions results in a system
state that would be obtained if transactions were executed serially, i.e. one after the other.
Durability - Durability means that once a transaction has been committed, it will remain so, even in the
event of power loss, crashes, or errors.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 218

Question 177

After identifying potential security vulnerabilities, what should be the IS auditor's next step?

Correct Answer: C
Section: Protection of Information Assets
Explanation:
After identifying potential security vulnerabilities, the IS auditor's next step is to perform a business impact
analysis of the threats that would exploit the vulnerabilities.

Question 178

The MAIN purpose of a transaction audit trail is to:

Correct Answer: B
Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transaction log file would be used to trace transactions, but would not aid in determining accountability and responsibility. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth, number of users, etc.

Question 179

Which of the following is the MOST significant risk when an application uses individual end-user accounts to access the underlying database?

Correct Answer: C
The most significant risk when an application uses individual end-user accounts to access the underlying database is that users may be able to circumvent application controls. Application controls are the policies, procedures, and mechanisms that ensure the accuracy, completeness, validity, and authorization of transactions and data within an application. Application controls can include input validation, output verification, processing logic, reconciliation, exception handling, and audit trails. Application controls can help prevent or detect errors, fraud, or unauthorized access or modification of data.
However, if an application uses individual end-user accounts to access the underlying database, it means that the users have direct access to the database without going through the application layer. This can expose the database to potential risks such as:
* Users may be able to bypass the application controls and manipulate the data in the database directly using SQL commands or other tools. For example, users may be able to change their own or others' salaries, grades, or balances without proper authorization or validation.
* Users may be able to access or disclose sensitive or confidential data that they are not supposed to see or share. For example, users may be able to view other users' personal information, passwords, or credit card numbers.
* Users may be able to introduce errors or inconsistencies in the data by entering invalid or incorrect data or by deleting or modifying existing data. For example, users may be able to create duplicate records, break referential integrity, or cause data loss or corruption.
* Users may be able to compromise the security and performance of the database by creating unauthorized objects, granting excessive privileges, executing malicious code, or consuming excessive resources. For example, users may be able to create backdoors, viruses, or denial-of-service attacks.
Therefore, using individual end-user accounts to access the underlying database can pose a serious threat to the integrity, confidentiality, availability, and reliability of the data and the application.
The other options are not as significant as option C. "Multiple connects to the database are used and slow the process" is a performance issue that can affect the efficiency and responsiveness of the application and the database, but it does not necessarily compromise data quality or security. "User accounts may remain active after a termination" is a security issue that can increase the risk of unauthorized access or misuse of data by former employees or others who have access to their credentials, but it can be mitigated by implementing proper account management and monitoring processes. "Application may not capture a complete audit trail" is a compliance issue that can affect the accountability and traceability of transactions and data within the application and the database, but it does not directly affect data accuracy or protection.
References:
* Should application users be database users? - Stack Overflow
* An Approach Toward Sarbanes-Oxley ITGC Risk Assessment - ISACA
* ISACA CISA Certified Information Systems Auditor Exam ... - PUPUWEB
* Why inactive accounts are a security risk | Stratosphere

Question 180

Which of the following audits assesses the accuracy of financial reporting?

Correct Answer: B
Section: The process of Auditing Information System
Explanation:
A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework.
The purpose of an audit is to provide an objective independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increasing user confidence in the financial statements, reducing investor risk and consequently reducing the cost of capital of the preparer of the financial statements.
For your exam you should know the following information about different types of audit:
What is an audit?
An audit in general terms is a process of evaluating an individual or organization's accounts. This is usually done by an independent auditing body. Thus, audit involves a competent and independent person obtaining evidence and evaluating it objectively with regard to a given entity, which in this case is the subject of audit, in order to establish conformance to a given set of standards. Audit can be on a person, organization, system, enterprise, project or product.
Compliance Audit
A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines.
Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security policies, user access controls and risk management procedures over the course of a compliance audit. Compliance audits include specific tests of controls to demonstrate adherence to a specific regulatory or industry standard. These audits often overlap traditional audits, but may focus on a particular system or data.
What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data.
For instance, SOX requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure. Health care providers that store or transmit e-health records, like personal health information, are subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often generated by data from event log management software.
Financial Audit
A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework.
The purpose of an audit is to provide an objective independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increasing user confidence in the financial statements, reducing investor risk and consequently reducing the cost of capital of the preparer of the financial statements.
Operational Audit
Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Operational audit is a more comprehensive form of an Internal audit.
The Institute of Internal Auditors (IIA) defines Operational Audit as a systematic process of evaluating an organization's effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the results of the evaluation along with recommendations for improvement.
Objectives
* To appraise the effectiveness and efficiency of a division, activity, or operation of the entity in meeting organizational goals.
* To understand the responsibilities and risks faced by an organization.
* To identify, with management participation, opportunities for improving control.
* To provide senior management of the organization with a detailed understanding of the Operations.
Integrated Audits
An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to financial information and asset, safeguarding, efficiency and or internal auditors and would include compliance test of internal controls and substantive audit step.
IS Audit
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:
* Will the organization's computer systems be available for the business at all times when required? (known as availability)
* Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)
* Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)
In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.
Forensic Audit
Forensic audit is the activity that consists of gathering, verifying, processing, analyzing and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and/or irregularities (including fraud) and giving preventative advice.
The purpose of a forensic audit is to use accounting procedures to collect evidence for the prosecution or investigation of financial crimes such as theft or fraud. Forensic audits may be conducted to determine if wrongdoing occurred, or to gather materials for the case against an alleged criminal.
The following answers are incorrect:
Compliance Audit - A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security policies, user access controls and risk management procedures over the course of a compliance audit. Compliance audits include specific tests of controls to demonstrate adherence to a specific regulatory or industry standard. These audits often overlap traditional audits, but may focus on a particular system or data.
Operational Audit - Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Operational audit is a more comprehensive form of an Internal audit.
Forensic Audit - Forensic audit is the activity that consists of gathering, verifying, processing, analyzing and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and/or irregularities (including fraud) and giving preventative advice.
Reference:
CISA Review Manual 2014 Page number 44
http://searchcompliance.techtarget.com/definition/compliance-audit
http://en.wikipedia.org/wiki/Financial_audit
http://en.wikipedia.org/wiki/Operational_auditing
http://en.wikipedia.org/wiki/Information_technology_audit
http://www.investorwords.com/16445/forensic_audit.html