ExamGecko

CISA: Certified Information Systems Auditor
Vendor: Isaca
Exam Questions: 1280
Learners: 2.370

The CISA exam, also known as the Certified Information Systems Auditor, is a crucial certification for professionals in the field of information systems auditing, control, and security. To increase your chances of passing, practicing with real exam questions shared by those who have succeeded can be invaluable. In this guide, we’ll provide you with practice test questions and answers, offering insights directly from candidates who have already passed the exam.

Why Use CISA Practice Tests?

  • Real Exam Experience: Our practice tests accurately replicate the format and difficulty of the actual CISA exam, providing you with a realistic preparation experience.

  • Identify Knowledge Gaps: Practicing with these tests helps you identify areas where you need more study, allowing you to focus your efforts effectively.

  • Boost Confidence: Regular practice with exam-like questions builds your confidence and reduces test anxiety.

  • Track Your Progress: Monitor your performance over time to see your improvement and adjust your study plan accordingly.

Key Features of CISA Practice Tests:

  • Up-to-Date Content: Our community ensures that the questions are regularly updated to reflect the latest exam objectives and technology trends.

  • Detailed Explanations: Each question comes with detailed explanations, helping you understand the correct answers and learn from any mistakes.

  • Comprehensive Coverage: The practice tests cover all key topics of the CISA exam, including IT governance, risk management, and information systems control.

  • Customizable Practice: Create your own practice sessions based on specific topics or difficulty levels to tailor your study experience to your needs.

Exam Details:

  • Exam Number: CISA

  • Exam Name: Certified Information Systems Auditor

  • Length of Test: 4 hours

  • Exam Format: Multiple-choice questions

  • Exam Language: English

  • Number of Questions: 200 questions

  • Passing Score: 450 out of 800

Use the member-shared CISA Practice Tests to ensure you're fully prepared for your certification exam. Start practicing today and take a significant step towards achieving your certification goals!

Related questions

An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?


Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?

A. Number of successful penetration tests
B. Percentage of protected business applications
C. Financial impact per security event
D. Number of security vulnerability patches

Suggested answer: C

Explanation:

The best indicator of the effectiveness of an organization's incident response program is the financial impact per security event. This metric measures the direct and indirect costs associated with security incidents, such as loss of revenue, reputation damage, legal fees, recovery expenses, and fines. By reducing the financial impact per security event, the organization can demonstrate that its incident response program is effective in mitigating the consequences of security breaches and restoring normal operations as quickly as possible. Number of successful penetration tests, percentage of protected business applications, and number of security vulnerability patches are indicators of the security posture of the organization, but they do not reflect the effectiveness of the incident response program.

Reference: ISACA Journal Article: Measuring Incident Response Effectiveness

asked 18/09/2024 by Tuan Nguyen (41 questions)

An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's GREATEST concern?


Which of the following is the MOST important responsibility of user departments associated with program changes?

A. Providing unit test data
B. Analyzing change requests
C. Updating documentation to reflect latest changes
D. Approving changes before implementation

Suggested answer: D

Explanation:

The most important responsibility of user departments associated with program changes is approving changes before implementation. This is because user departments are the primary stakeholders and beneficiaries of the program changes, and they need to ensure that the changes meet their requirements, expectations, and objectives. User departments also need to approve the changes before implementation to avoid unauthorized, unnecessary, or erroneous changes that could affect the functionality, performance, or security of the program.

Providing unit test data is a responsibility of user departments associated with program changes, but it is not the most important one. Unit test data is used to verify that the individual components of the program work as expected after the changes. However, unit test data alone cannot guarantee that the program as a whole works correctly, or that the changes are aligned with the user departments' needs.

Analyzing change requests is a responsibility of user departments associated with program changes, but it is not the most important one. Analyzing change requests is the process of evaluating the feasibility, necessity, and impact of the proposed changes. However, analyzing change requests does not ensure that the changes are implemented correctly, or that they are acceptable to the user departments.

Updating documentation to reflect latest changes is a responsibility of user departments associated with program changes, but it is not the most important one. Updating documentation is the process of maintaining accurate and complete records of the program's specifications, features, and functions after the changes. However, updating documentation does not ensure that the changes are effective, or that they are approved by the user departments.

ISACA, CISA Review Manual, 27th Edition, 2019, p. 281

ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

asked 18/09/2024 by Franjo Tomurad (27 questions)

Management has learned the implementation of a new IT system will not be completed on time and has requested an audit. Which of the following audit findings should be of GREATEST concern?

A. The actual start times of some activities were later than originally scheduled.
B. Tasks defined on the critical path do not have resources allocated.
C. The project manager lacks formal certification.
D. Milestones have not been defined for all project products.

Suggested answer: B

Explanation:

The audit finding that should be of greatest concern is that tasks defined on the critical path do not have resources allocated, as this means that the project is likely to face significant delays and cost overruns, since the critical path is the sequence of activities that determines the minimum time required to complete the project. The actual start times of some activities being later than originally scheduled may indicate some minor deviations from the project plan, but they may not necessarily affect the overall project completion time if they are not on the critical path. The project manager lacking formal certification may affect the quality and efficiency of the project management process, but it does not necessarily imply that the project manager is incompetent or unqualified. Milestones have been defined for all project products, but they may not be realistic or achievable if they do not take into account the resource constraints and dependencies of the critical path tasks.

Reference: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.3: IT Project Management

asked 18/09/2024 by Dina Elizabeth Perez de Paz (42 questions)

An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience. What is the BEST course of action?


A business has requested an audit to determine whether information stored in an application is adequately protected. Which of the following is the MOST important action before the audit work begins?


During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months. Which of the following is the BEST course of action?

A. Require documentation that the finding will be addressed within the new system
B. Schedule a meeting to discuss the issue with senior management
C. Perform an ad hoc audit to determine if the vulnerability has been exploited
D. Recommend the finding be resolved prior to implementing the new system

Suggested answer: A

Explanation:

Requiring documentation that the finding will be addressed within the new system is the best course of action for a follow-up audit. An IS auditor should obtain evidence that the complex security vulnerability of low risk will be resolved in the new system and that there is a reasonable timeline for its implementation. The other options are not appropriate courses of action, as they may be too costly, time-consuming, or impractical for a low-risk finding.

Reference:

CISA Review Manual (Digital Version), Chapter 2, Section 2.5.31

CISA Review Questions, Answers & Explanations Database, Question ID 209

asked 18/09/2024 by John Doe (36 questions)

Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?


An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way for the auditor to confirm the change log is complete?

A. Interview change management personnel about completeness.
B. Take an item from the log and trace it back to the system.
C. Obtain management attestation of completeness.
D. Take the last change from the system and trace it back to the log.

Suggested answer: D

Explanation:

The answer D is correct because the best way for the auditor to confirm the change log is complete is to take the last change from the system and trace it back to the log. A change log is a record of all the changes that have been made to a system, such as software updates, bug fixes, configuration modifications, etc. A change log should contain information such as the date and time of the change, the description and purpose of the change, the person or service who made the change, and the approval status of the change. A complete change log helps to ensure that the system is secure, reliable, and compliant with the relevant standards and regulations.

An IS auditor evaluating the change management process must select a sample from the change log to verify that the changes are properly authorized, documented, tested, and implemented. However, before selecting a sample, the auditor must ensure that the change log is complete and accurate, meaning that it contains all the changes that have been made to the system and that there are no missing, duplicated, or falsified entries. To do this, the auditor can use a technique called backward tracing, which involves taking the last change from the system and tracing it back to the log. This way, the auditor can check if the change is recorded in the log with all the relevant details and if there are any gaps or inconsistencies in the log. If the last change from the system is not found in the log or does not match with the log entry, it indicates that the change log is incomplete or inaccurate.

The other options are not as good as option D. Interviewing change management personnel about completeness (option A) is not a reliable way to confirm the change log is complete because it relies on subjective opinions and self-reported information, which may not be truthful or accurate. Taking an item from the log and tracing it back to the system (option B) is a technique called forward tracing, which can be used to verify that a specific change in the log has been implemented in the system. However, this technique does not confirm that all changes in the system are recorded in the log. Obtaining management attestation of completeness (option C) is not a sufficient way to confirm the change log is complete because it does not provide any evidence or verification of completeness. Management attestation may also be biased or influenced by conflicts of interest.

IS Audit Basics: Auditing Data Privacy

Audit Logging: What It Is & How It Works | Datadog

Change Management for SOC: Risks, Controls, Audits, Guidance

Turn auditing on or off | Microsoft Learn

#118 | ITGC- System Change (Audit) Log Review - A2Q2

asked 18/09/2024 by Haakon Schjelderup (53 questions)
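The forward-versus-backward tracing distinction in the explanation above, worked as an added example (not from the page or from ISACA): system evidence and the change log are constructed inline, forward tracing (option B) finds nothing wrong, while backward tracing from the system (option D) exposes the unlogged change. The `Change` fields and the match key are assumptions about what an auditor would reconcile.

```python
from dataclasses import dataclass

# Added example (not from the page or ISACA). Both datasets below are constructed:
# SYSTEM_CHANGES stands for evidence taken from the system itself (deployment or
# DDL history); CHANGE_LOG is the change management log under audit.


@dataclass(frozen=True)
class Change:
    change_id: str   # ticket or deployment identifier
    timestamp: str   # ISO-8601; assumed to be recorded identically in both sources
    target: str      # component that was changed
    actor: str       # person or service account that made the change


def _key(c: Change) -> tuple:
    return (c.change_id, c.timestamp, c.target)  # fields expected to match


SYSTEM_CHANGES = [  # constructed
    Change("CHG-101", "2024-09-10T09:00:00Z", "payroll-db", "dba1"),
    Change("CHG-102", "2024-09-12T14:30:00Z", "payroll-app", "svc-deploy"),
    Change("CHG-103", "2024-09-15T16:05:00Z", "payroll-db", "dba2"),  # never logged
]
CHANGE_LOG = [  # constructed
    Change("CHG-101", "2024-09-10T09:00:00Z", "payroll-db", "dba1"),
    Change("CHG-102", "2024-09-12T14:30:00Z", "payroll-app", "svc-deploy"),
]


def forward_trace(log, system):
    """Option B, log -> system: logged changes with no system evidence.
    Tests that logged changes really occurred; says nothing about completeness."""
    present = {_key(c) for c in system}
    return [c for c in log if _key(c) not in present]


def backward_trace(system, log):
    """Option D, system -> log: system changes absent from the log.
    Any hit means the log is incomplete and a sample drawn from it would be biased."""
    logged = {_key(c) for c in log}
    return [c for c in system if _key(c) not in logged]


def last_change_is_logged(system, log) -> bool:
    """The page's single-item test: take the most recent system change and
    confirm the log holds a matching entry."""
    latest = max(system, key=lambda c: c.timestamp)
    return _key(latest) in {_key(c) for c in log}
```

Run on the constructed data, `forward_trace` returns an empty list while `backward_trace` returns CHG-103, which is exactly why forward tracing alone cannot support a completeness conclusion.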