Isaca CISA Practice Test - Questions Answers, Page 101

Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?

A. The data center is patrolled by a security guard.
B. Access to the data center is monitored by video cameras.
C. ID badges must be displayed before access is granted.
D. Access to the data center is controlled by a mantrap.

Suggested answer: D

Explanation:

Controlling access to the data center with a mantrap provides the greatest assurance that only authorized individuals can enter. A mantrap is a physical security device consisting of a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens [1]. A mantrap prevents unauthorized entry by requiring authentication at both doors, for example with biometric scanners, card readers, or PIN codes. A mantrap also prevents tailgating, which is the act of following an authorized person into a restricted area without proper authorization [2]. A mantrap can also detect and trap intruders who attempt to force their way through the doors.

The other options are less effective physical controls for data center access. Patrolling the data center with a security guard is a deterrent measure, but it does not prevent unauthorized access by itself: a guard may not be able to monitor all entry points, or may be distracted, bribed, or overpowered by intruders. Monitoring access with video cameras is a detective measure, but it does not prevent unauthorized access either; cameras can record the activities of intruders, but they cannot stop them from entering or alert security personnel in real time. Requiring ID badges to be displayed before access is granted is a preventive measure, but it relies on human verification, which is prone to error or manipulation, and badges can be lost, stolen, or forged by intruders.

[1] Mantrap (access control) - Wikipedia

[2] Tailgating (security) - Wikipedia

Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERP) system?

A. Bank confirmation
B. Goods delivery notification
C. Purchase requisition
D. Purchase order

Suggested answer: D

Explanation:

A three-way match is the process of verifying that a purchase order, a goods receipt and an invoice are consistent before a payment is made [1]. A three-way match ensures that the organization only pays for the goods or services that it ordered and received, and that the prices and quantities are accurate. It can prevent errors, fraud and overpayments in the accounts payable process.

An IS auditor should use a purchase order when verifying that a three-way match has occurred in an enterprise resource planning (ERP) system. A purchase order is a document that authorizes a purchase transaction and specifies the items, quantities, prices and terms of the order [2]. It is the first document in the three-way match process and serves as the basis for comparing the goods receipt and the invoice. An IS auditor can use the purchase order to check whether the ERP system correctly recorded, matched and approved the three documents before making the payment.

The other options are not as useful for verifying a three-way match. A bank confirmation is a document that verifies the balance and activity of a bank account [3]. It can be used to confirm that a payment has been made or received, but it does not provide information about the details of the purchase transaction or the three-way match process. A goods delivery notification is a document that informs the buyer that the goods have been shipped or delivered by the seller [4]. It can be used to track the status of the delivery, but it does not provide information about the quantity or quality of the goods or the invoice amount. A purchase requisition is a document that requests authorization to purchase goods or services from a specific supplier [2]. It can be used to initiate the purchasing process, but it does not provide information about the actual purchase order, goods receipt or invoice.

[1] What Is Three-Way Matching & Why Is It Important? | NetSuite

[2] Enterprise Resource Planning (ERP) - Definition, Types, Uses

[3] Bank Confirmation - Overview, How It Works, Importance

[4] What is Goods Delivery Note? | Definition & Example

Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?

A. Review data classification levels based on industry best practice.
B. Verify that current DLP software is installed on all computer systems.
C. Conduct interviews to identify possible data protection vulnerabilities.
D. Verify that confidential files cannot be transmitted to a personal USB device.

Suggested answer: D

Explanation:

The most reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls is to verify that confidential files cannot be transmitted to a personal USB device. DLP controls are designed to prevent the loss, leakage or misuse of sensitive data through breaches, exfiltration transmissions and unauthorized use [1]. A personal USB device is a common channel for data theft or compromise, because it bypasses network security measures and allows unauthorized access to confidential files. Testing the DLP controls by attempting to copy or transfer confidential files to a personal USB device therefore provides direct and objective evidence of whether the DLP controls are working as intended.

The other options are less reliable ways for an IS auditor to evaluate the operational effectiveness of an organization's DLP controls. Reviewing data classification levels based on industry best practice is a way to assess the adequacy of the organization's data protection policies, but it does not measure how well the DLP controls are implemented or enforced in practice. Verifying that current DLP software is installed on all computer systems is a way to check the technical configuration of the DLP solution, but it does not test how well the DLP software detects and prevents data loss incidents in real scenarios. Conducting interviews to identify possible data protection vulnerabilities is a way to gather qualitative information from stakeholders, but it does not provide quantitative or empirical data on the actual performance of the DLP controls.

[1] What is Data Loss Prevention (DLP)? [Guide] - CrowdStrike

Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?

A. Validate the audit observations.
B. Identify business risks associated with the observations.
C. Assist the management with control enhancements.
D. Record the proposed course of corrective action.

Suggested answer: A

Explanation:

The primary reason an IS auditor should discuss observations with management before delivering a final report is A. Validate the audit observations. Discussing the observations with management helps the auditor ensure that the findings are accurate, complete, and supported by sufficient evidence [1]. It also lets the auditor obtain management's perspective and feedback on the issues and risks identified, and avoid misunderstandings or surprises when the final report is issued [2].

An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?

A. Version control issues
B. Reduced system performance
C. Inability to recover from cybersecurity attacks
D. Increase in IT investment cost

Suggested answer: C

Explanation:

Real-time replication to a second data center means that any change made at the primary data center is immediately copied to the secondary data center. This can improve data availability and performance, but it also introduces the risk of propagating malicious or erroneous changes to the secondary data center. If a cybersecurity attack compromises the primary data center, it may also affect the secondary data center, making it difficult or impossible to recover from the attack using the replicated data. Therefore, option C is the greatest risk associated with this change.

Option A is not correct because version control issues are more likely to occur with batch processing backup, which may create inconsistencies between different versions of the data. Option B is not correct because real-time replication may reduce system performance at the primary data center, but it may also improve system performance at the secondary data center by reducing latency and network traffic. Option D is not correct because although real-time replication may increase IT investment cost, this is not a risk but a trade-off that the organization has to consider.


When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?

A. Systems design and architecture
B. Software selection and acquisition
C. User acceptance testing (UAT)
D. Requirements definition

Suggested answer: D

Explanation:

The most beneficial stage of the system development life cycle (SDLC) in which to consider data privacy principles is D. Requirements definition. Data privacy principles should be integrated into the design and development of customer-facing IT applications from the very beginning, not as an afterthought or a retrofit [1]. By considering data privacy principles in the requirements definition stage, the developers can identify the personal data that will be collected, processed, stored, and shared by the application, and ensure that they comply with the relevant laws and regulations, such as the General Data Protection Regulation (GDPR) [2]. They can also apply the principles of data minimization, purpose limitation, transparency, consent, and security to protect the privacy rights and interests of the customers [3].

An IS auditor is verifying the adequacy of an organization's internal controls and is concerned about potential circumvention of regulations. Which of the following is the BEST sampling method to use?

A. Variable sampling
B. Random sampling
C. Cluster sampling
D. Attribute sampling

Suggested answer: B

Explanation:

When verifying the adequacy of an organization's internal controls while being concerned about potential circumvention of regulations, the best sampling method is B. Random sampling. Random sampling selects a sample from a population such that each item has an equal and independent chance of being selected [1]. It reduces the risk of bias or manipulation in the sample selection and ensures that the sample is representative of the population. Random sampling can be used for both attribute and variable sampling, the two types of audit sampling that test for the occurrence rate or the monetary value of errors, respectively [2].

An IS auditor reviewing incident response management processes notices that resolution times for reoccurring incidents have not shown improvement. Which of the following is the auditor's BEST recommendation?

A. Harden IT system and application components based on best practices.
B. Incorporate a security information and event management (SIEM) system into incident response.
C. Implement a survey to determine future incident response training needs.
D. Introduce problem management into incident response.

Suggested answer: D

Explanation:

The auditor's best recommendation is D. Introduce problem management into incident response. Problem management is a practice that aims to identify, analyze, and resolve the root causes of recurring incidents, and to prevent or reduce their impact in the future [1]. Problem management can improve the resolution times for recurring incidents by eliminating or mitigating the underlying problems that cause them, and by providing permanent solutions that can be reused or automated [2]. It can also improve the quality and efficiency of incident response by reducing the workload and complexity of dealing with repetitive issues [2].

An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

A. To test the intrusion detection system (IDS)
B. To provide training to security managers
C. To collect digital evidence of cyberattacks
D. To attract attackers in order to study their behavior

Suggested answer: D

Explanation:

The primary purpose of creating a simulated production environment with multiple vulnerable applications is D. To attract attackers in order to study their behavior. Such an environment is known as a honeypot: a decoy system that mimics a real target and lures attackers into revealing their techniques, tools, and motives [1]. A honeypot can help the organization's security team improve its defense strategies, identify new threats, and collect digital evidence of cyberattacks [1].

The use of which of the following would BEST enhance a process improvement program?

A. Model-based design notations
B. Balanced scorecard
C. Capability maturity models
D. Project management methodologies

Suggested answer: C

Explanation:

Capability maturity models (CMMs) are frameworks that help organizations assess and improve their processes in various domains, such as software development, project management, service delivery, and cybersecurity [1]. CMMs define different levels of process maturity, from initial to optimized, and describe the characteristics and best practices of each level. By using CMMs, organizations can benchmark their current processes against a common standard, identify gaps and weaknesses, and implement improvement actions to achieve higher levels of process maturity [2]. CMMs can also help organizations align their processes with their strategic goals, measure their performance, and increase their efficiency, quality, and customer satisfaction [3].

Therefore, the use of CMMs would best enhance a process improvement program, as they provide a systematic and structured approach to evaluate and improve processes based on proven principles and practices. Option C is the correct answer.

Option A is not correct because model-based design notations are graphical or textual languages that help designers specify, visualize, and document the structure and behavior of systems [4]. While they can be useful for designing and communicating complex systems, they do not directly address the process improvement aspect of a program.

Option B is not correct because the balanced scorecard is a strategic management tool that helps organizations translate their vision and mission into measurable objectives and indicators. While it can be useful for monitoring and evaluating the performance of a program, it does not provide specific guidance on how to improve processes.

Option D is not correct because project management methodologies are sets of principles and practices that help organizations plan, execute, and control projects. While they can be useful for managing the scope, schedule, cost, quality, and risk of a program, they do not focus on the process improvement aspect of a program.

[1] What is CMMI? A model for optimizing development processes

[2] Guide to Process Maturity Models

[3] Capability Maturity Model (CMM): A Definitive Guide

[4] Model-Based Design Notations

Balanced Scorecard

Project Management Methodologies
