ISACA CISA Practice Test - Questions and Answers, Page 73
List of questions
Question 721
Which of the following is the MOST important consideration when developing tabletop exercises within a cybersecurity incident response plan?
Explanation:
The most important consideration when developing tabletop exercises within a cybersecurity incident response plan is to identify the scope and scenarios that are relevant to the current threats faced by the organization, as this ensures that the exercises are realistic, meaningful, and effective in testing and improving incident response capabilities [1][2]. The scope and scenarios should reflect the organization's risk profile, business objectives, and operational environment, and should cover a variety of potential incidents that could impact the organization's assets, operations, and reputation [3][4].
Reference
1: Cybersecurity Incident Response Exercise Guidance - ISACA
2: Cybersecurity Tabletop Exercises: Everything You Ever Wanted to Know
3: CISA Tabletop Exercise Package
4: Boost Your Incident Response Plan with Tabletop Exercises
Question 722
In an annual audit cycle, the audit of an organization's IT department resulted in many findings. Which of the following would be the MOST important consideration when planning the next audit?
Explanation:
The most important consideration when planning the next audit after many findings is to follow up on the status of all recommendations, as this ensures that the audit findings are addressed in a timely and effective manner and that the root causes of the issues are resolved [1][2]. Following up on the status of all recommendations also helps to assess the progress and performance of the IT department and to identify any new or emerging risks or challenges [3][4].
Reference
1: What to consider when resolving internal audit findings
2: A brief guide to follow up
3: Guidance on auditing planning for Internal Audit
4: Corrective Action Plan (CAP): How to Manage Audit Findings
Question 723
An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:
Explanation:
A balanced scorecard is a strategic planning framework that companies use to assign priority to their products, projects, and services; communicate their targets or goals; and plan their routine activities [1]. The scorecard enables companies to monitor and measure the success of their strategies to determine how well they have performed. A balanced scorecard for IT management can help assess IT functions and processes by defining four perspectives: financial, customer, internal business process, and learning and growth [2]. These perspectives help IT management align IT objectives with the organization's vision and mission, identify and prioritize the key performance indicators (KPIs) for IT, and evaluate the effectiveness and efficiency of IT operations and services [3].
Reference
1: Balanced Scorecard - Overview, Four Perspectives
2: The IT Balanced Scorecard (BSC) Explained - BMC Software
3: A Balanced Scorecard (BSC) for IT Performance Management - SAS Support
Question 724
A sample for testing must include the 80 largest client balances and a random sample of the rest. What should the IS auditor recommend?
Explanation:
Generalized audit software is a type of computer-assisted audit technique (CAAT) that allows the IS auditor to perform various audit tasks on data stored in different file formats and databases [1]. Generalized audit software can help the IS auditor select a sample for testing that includes the 80 largest client balances and a random sample of the rest, by using functions such as sorting, filtering, stratifying, and randomizing the data [2][3]. The design is a stratified one: the 80 largest balances carry a disproportionate share of the monetary value and are examined with certainty, while the random sample of the remaining population provides coverage of the smaller items. Generalized audit software can also help the IS auditor perform other audit procedures on the sample, such as verifying the accuracy, completeness, and validity of the data [4].
Reference
1: Generalized Audit Software (GAS) - ISACA
2: Audit Sampling - ISACA
3: How to use generalized audit software to perform audit sampling
4: Generalized Audit Software: A Review of Five Packages
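The selection described above (largest items examined with certainty, random sample of the rest), as an added example. This is not code from the page or from any generalized audit software product; the `(client_id, balance)` input format, the size of the random stratum, the seed, and the constructed population are all assumptions made for the illustration.

```python
"""Stratified audit sample: the N largest balances plus a random sample of the rest.

Added example, not code from the page or from any generalized audit software
product. Assumes balances arrive as (client_id, balance) pairs; the size of
the random stratum and the RNG seed are inputs so the selection can be
reproduced exactly by a reviewer. The population below is constructed.
"""
import random
from typing import Dict, List, Tuple

Balance = Tuple[str, float]
Sample = Dict[str, List[Balance]]


def select_sample(balances: List[Balance], top_n: int = 80,
                  remainder_size: int = 30, seed: int = 2024) -> Sample:
    """Key-item stratum (top_n largest, examined 100%) plus a simple random
    sample of remainder_size items drawn from everything that is left."""
    if top_n < 0 or remainder_size < 0:
        raise ValueError("sizes must be non-negative")
    # Sort descending by balance, tie-break on client id, so the cut-off
    # between 'largest' and 'rest' is deterministic even with equal balances.
    ordered = sorted(balances, key=lambda b: (-b[1], b[0]))
    key_items = ordered[:top_n]
    remainder = ordered[top_n:]
    rng = random.Random(seed)  # seeded: same population + seed => same sample
    random_items = rng.sample(remainder, min(remainder_size, len(remainder)))
    return {"key_items": key_items, "random_items": random_items}


def value_coverage(sample: Sample, balances: List[Balance]) -> float:
    """Share of total monetary value the sample covers; the usual way to
    justify examining the largest items with certainty."""
    total = sum(b for _, b in balances)
    if total == 0:
        return 0.0
    covered = sum(b for _, b in sample["key_items"] + sample["random_items"])
    return covered / total


def build_population(n: int = 1000, seed: int = 7) -> List[Balance]:
    """Constructed receivables ledger: long-tailed, a handful of very large
    clients, like a real client-balance file."""
    rng = random.Random(seed)
    return [(f"C{i:04d}", round(rng.lognormvariate(8.0, 1.2), 2)) for i in range(n)]
```

The seed is part of the audit working papers: with the same extract and the same seed, a reviewer regenerates the identical sample, which is what makes the selection defensible. The deterministic tie-break matters for the same reason; without it, two clients with equal balances at the 80th position could swap strata between runs.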
Question 725
Which of the following is the MOST appropriate testing approach when auditing a daily data flow between two systems via an automated interface to confirm that it is complete and accurate?
Explanation:
The most appropriate testing approach when auditing a daily data flow between two systems via an automated interface is to perform data reconciliation between the two systems for a sample of 25 days. Data reconciliation is the process of verifying that the data transferred from one system to another is complete and accurate and that there are no discrepancies or errors in the data flow [1]. Data reconciliation can be performed using generalized audit software, a type of computer-assisted audit technique (CAAT) that allows the IS auditor to perform various audit tasks on data stored in different file formats and databases [2]. By performing data reconciliation for a sample of 25 days, the IS auditor can test the reliability and consistency of the data flow over a reasonable period of time and identify any potential issues or anomalies that could affect the quality of the data or the functionality of the systems.
Reference
1: Data Flow Testing - GeeksforGeeks
2: Generalized Audit Software (GAS) - ISACA
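The reconciliation described above, carried through as an added example: pick the 25 days reproducibly, then for each day compare record counts, a control total, an order-independent hash total, and a key-level diff between the source extract and the target load. This is not code from the page or from any audit tool; the record layout (`txn_id`, `account`, `amount`), the field list, and the sample feeds are constructed for the illustration.

```python
"""Reconciling a daily automated interface: source extract vs target load.

Added example, not code from the page or from any audit tool. Assumes both
systems can export a day's records as dicts carrying a unique txn_id plus
the fields being compared; the feeds and the day sample below are constructed.
"""
import hashlib
import random
from datetime import date, timedelta
from typing import Any, Dict, Iterable, List, Tuple

Record = Dict[str, Any]
COMPARE_FIELDS = ("account", "amount")


def sample_days(start: str, end: str, k: int = 25, seed: int = 1) -> List[str]:
    """Seeded simple random sample of k ISO dates in [start, end], so the
    same days are selected if the test has to be rerun or reviewed."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    days = [first + timedelta(d) for d in range((last - first).days + 1)]
    chosen = random.Random(seed).sample(days, min(k, len(days)))
    return [d.isoformat() for d in sorted(chosen)]


def _by_key(records: Iterable[Record]) -> Tuple[Dict[str, Record], List[str]]:
    """Index by txn_id; a duplicate key is itself an interface defect, so report it."""
    keyed: Dict[str, Record] = {}
    dups: List[str] = []
    for r in records:
        k = str(r["txn_id"])
        if k in keyed:
            dups.append(k)
        else:
            keyed[k] = r
    return keyed, dups


def _hash_total(keyed: Dict[str, Record]) -> str:
    """Order-independent digest of the compared fields. Equal digests mean
    the two feeds match exactly; unequal ones say nothing about where."""
    h = hashlib.sha256()
    for k in sorted(keyed):
        r = keyed[k]
        h.update(f"{k}|{r['account']}|{float(r['amount']):.2f}\n".encode())
    return h.hexdigest()


def reconcile_day(src: List[Record], tgt: List[Record]) -> Dict[str, Any]:
    """Count, control total, hash total and key-level diff for one day's feed."""
    s, s_dups = _by_key(src)
    t, t_dups = _by_key(tgt)
    mismatched = []
    for k in s.keys() & t.keys():
        diffs = {f: (s[k][f], t[k][f]) for f in COMPARE_FIELDS if s[k][f] != t[k][f]}
        if diffs:
            mismatched.append((k, diffs))
    mismatched.sort(key=lambda m: m[0])
    result: Dict[str, Any] = {
        "src_count": len(src), "tgt_count": len(tgt),
        "src_total": round(sum(float(r["amount"]) for r in src), 2),
        "tgt_total": round(sum(float(r["amount"]) for r in tgt), 2),
        "hash_match": _hash_total(s) == _hash_total(t),
        "missing_in_target": sorted(s.keys() - t.keys()),
        "extra_in_target": sorted(t.keys() - s.keys()),
        "mismatched": mismatched,
        "duplicates": {"source": sorted(s_dups), "target": sorted(t_dups)},
    }
    result["clean"] = bool(result["hash_match"] and not result["missing_in_target"]
                           and not result["extra_in_target"] and not mismatched
                           and not s_dups and not t_dups)
    return result


def build_feeds() -> Tuple[List[Record], List[Record]]:
    """Constructed sample day: record counts agree (5 = 5) yet the target
    dropped T3, altered T1's amount and contains a T9 the source never sent."""
    src = [{"txn_id": f"T{i}", "account": f"A{i % 3}", "amount": 100.0 + i} for i in range(5)]
    tgt = [dict(r) for r in src]
    del tgt[3]
    tgt[1]["amount"] = 101.5
    tgt.append({"txn_id": "T9", "account": "A0", "amount": 1.0})
    return src, tgt
```

The constructed day is chosen to show why a count comparison alone is not a completeness test: both sides hold five records, yet one row is missing, one is spurious and one was altered. The hash total catches that something differs cheaply; the key-level diff is what tells the auditor what to report.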
Question 726
In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the:
Explanation:
In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the major IT initiatives that are aligned with the organization's vision, mission, and objectives and that support the business strategy and priorities [1][2]. The major IT initiatives should also be realistic, measurable, and achievable, with clear timelines, budgets, and responsibilities [3][4].
Reference
1: IT Strategy Template for a Successful Strategic Plan | Gartner
2: IT Strategy Template for a Successful Strategic Plan | Gartner
3: Conduct a Strategic Plan Review & Assessment - Governance
4: Time To Conduct A Strategy Review? Here's How To Get Started
Question 727
An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?
Explanation:
The IS auditor should be most concerned if completeness testing has not been performed on the log data: without it, logs that were never collected, were truncated in transit, or were dropped by the aggregation system go unnoticed, and the aggregated log set cannot be relied on as accurate or complete [1][2]. Completeness testing verifies that all the logs generated by the source systems are successfully collected, transferred, and stored by the log aggregation system and that there are no gaps or inconsistencies in the log data [3][4]. It is essential for ensuring the integrity and validity of the log data and for supporting the organization's risk management practices, since detection, investigation, and evidence all depend on the aggregated logs being complete.
Reference
1: Log Aggregation: How it Works, Methods, and Tools - Exabeam
2: Log Aggregation & Monitoring Relation in Cybersecurity
3: Log Aggregation: What It Is & How It Works | Datadog
4: Data Flow Testing - GeeksforGeeks
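Completeness testing of aggregated logs, as an added example of what the auditor would expect to see performed. It is not code from the page or from any log platform. It assumes each forwarder stamps a per-host, monotonically increasing counter (`seq=N`) on every event, which is what makes dropped events measurable; the line format, the expected-source inventory, the window end and the log lines themselves are constructed for the illustration.

```python
"""Completeness testing for an event log aggregation system.

Added example, not code from the page or from any log platform. It assumes
each forwarder stamps a per-host, monotonically increasing counter ('seq=N')
on every event, which is what makes gaps measurable; the log lines, the
expected-source inventory and the window end are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) seq=(?P<seq>\d+) (?P<msg>.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Sources the asset inventory says must be logging (constructed).
EXPECTED_HOSTS = {"fw01", "dc01", "web01", "db01", "vpn01"}

# Constructed sample: fw01 complete; dc01 lost 102-104; web01 delivered
# seq=7 twice; db01 went quiet before the window; vpn01 never showed up;
# one line carries no counter at all.
SAMPLE_LOG = """\
2024-02-29T23:55:00Z db01 seq=50 checkpoint complete
2024-03-01T00:00:01Z fw01 seq=1 conn allow 10.0.0.5 -> 10.0.1.8:443
2024-03-01T00:00:01Z dc01 seq=101 logon ok user=alice
2024-03-01T00:00:02Z fw01 seq=2 conn deny 10.0.0.9 -> 10.0.1.8:22
2024-03-01T00:00:03Z fw01 seq=3 conn allow 10.0.0.5 -> 10.0.1.8:443
2024-03-01T00:00:04Z web01 seq=7 GET / 200
2024-03-01T00:00:04Z web01 seq=7 GET / 200
2024-03-01T00:00:05Z web01 seq=8 GET /login 200
this line arrived without a sequence counter
2024-03-01T00:00:09Z dc01 seq=105 logon fail user=bob
2024-03-01T00:00:10Z dc01 seq=106 logon ok user=bob
"""


def check_completeness(text: str, expected_hosts: Iterable[str], window_end: str,
                       max_silence: timedelta = timedelta(minutes=5)) -> Dict[str, object]:
    """Four completeness checks over one aggregation window: counter gaps,
    duplicate deliveries, sources that never sent anything, and sources
    that stopped sending before the window closed."""
    end = datetime.strptime(window_end, TS_FMT)
    seqs: Dict[str, List[int]] = defaultdict(list)
    last_seen: Dict[str, datetime] = {}
    unparsed = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # counted, never silently discarded
            continue
        host, seq = m["host"], int(m["seq"])
        seqs[host].append(seq)
        ts = datetime.strptime(m["ts"], TS_FMT)
        last_seen[host] = max(last_seen.get(host, ts), ts)

    gaps: Dict[str, List[int]] = {}
    duplicates: Dict[str, int] = {}
    for host, s in seqs.items():
        have = set(s)
        if len(have) != len(s):
            duplicates[host] = len(s) - len(have)
        missing = [n for n in range(min(have), max(have) + 1) if n not in have]
        if missing:
            gaps[host] = missing
    silent = sorted(set(expected_hosts) - set(seqs))
    stale = sorted(h for h, t in last_seen.items() if end - t > max_silence)
    return {
        "gaps": gaps, "duplicates": duplicates, "silent": silent, "stale": stale,
        "unparsed": unparsed,
        "complete": not (gaps or silent or stale or unparsed),
    }


def run_sample() -> Dict[str, object]:
    """Run the checks over the constructed log for the window ending 00:04:00Z."""
    return check_completeness(SAMPLE_LOG, EXPECTED_HOSTS, "2024-03-01T00:04:00Z")
```

The expected-host list is deliberately an input rather than something derived from the logs: a source that never sends anything is invisible to any check that starts from what was received, which is exactly the failure (a dead forwarder, a host missed by onboarding) that completeness testing exists to catch. Duplicates are reported but do not fail the check, because a redelivered event is a forwarding issue, not missing evidence.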
Question 728
An IS auditor found that operations personnel failed to run a script contributing to year-end financial statements. Which of the following is the BEST recommendation?
Explanation:
The best recommendation for the IS auditor to make is to implement a closing checklist, as this helps to ensure that all the required tasks and scripts are performed and verified during the year-end closing process [1][2]. A closing checklist also helps to prevent errors, omissions, and delays that could affect the accuracy and timeliness of the financial statements [3].
Reference
1: Year-end closing procedures for GL - Dynamics GP | Microsoft Learn
2: Year-end activities FAQ - Finance | Dynamics 365 | Microsoft Learn
3: Year-End Closing Checklist: 10 Steps to Close Your Books
4: Year End Closing Checklist: 7 Steps to Make it Easy
Question 729
Which of the following is the GREATEST risk associated with security patches being automatically downloaded and applied to production servers?
Explanation:
The greatest risk associated with security patches being automatically downloaded and applied to production servers is that patches may result in major service failures, as they may introduce new bugs, conflicts, or incompatibilities that affect the functionality, performance, or availability of the servers [1][2]. Automatic patching also bypasses the testing and validation processes that are necessary to ensure the quality and reliability of the patches before they reach production [3][4].
Reference
1: Do you leave Windows Automatic Updates enabled on your production IIS server? - Server Fault
2: Azure now installs security updates on Windows VMs automatically
3: Server Patch Management | Process of Server Patching - ManageEngine
4: Windows Security Updates | Microsoft Patch Updates Guide - ManageEngine
Question 730
Effective separation of duties in an online environment can BEST be achieved by utilizing:
Explanation:
Access authorization tables are the best way to achieve effective separation of duties in an online environment, as they allow the definition and enforcement of different access rights and privileges for different users or roles, based on the principle of least privilege [1][2]. Access authorization tables help to prevent unauthorized or inappropriate actions, such as fraud, errors, or misuse of the system, by ensuring that no user has enough privileges to perform all parts of a transaction or business process [3][4].
Reference
1: Separation of Duty (SOD) - Glossary | CSRC
2: Separation of Duties within Information Systems
3: Separation of Duties: Implementation & Challenges in IT
4: Implementing Segregation of Duties: A Practical Experience Based on Best Practices - ISACA
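The control described above, worked through as an added example: an authorization table (role to permissions), a separation-of-duties matrix (permission pairs that must never meet in one user), a detective check over current assignments, and a preventive check that refuses an assignment which would complete a conflicting pair. This is not code from the page or from any product; the roles, permissions, users and conflict pairs are constructed for the illustration.

```python
"""Detecting and preventing separation-of-duties conflicts with an access
authorization table.

Added example, not code from the page or from any product. The roles,
permissions, users and conflict pairs below are constructed; in a real
review they come from the application's authorization table and a
business-approved SoD matrix.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Authorization table: role -> permissions it grants (constructed).
ROLE_PERMS: Dict[str, Set[str]] = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve"},
    "treasury":    {"payment.release"},
    "ap_admin":    {"vendor.create", "invoice.enter", "invoice.approve"},
    "auditor":     {"invoice.view", "payment.view"},
}

# SoD matrix: pairs of permissions that must never meet in one user (constructed).
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.release"}),
}

# Current assignments (constructed). carol's conflict spans two roles;
# dave's sits inside a single badly defined role.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_approver"},
    "carol": {"ap_clerk", "treasury"},
    "dave":  {"ap_admin"},
    "erin":  {"auditor"},
}

Pair = Tuple[str, str]


def _violations(perms: Set[str], conflicts: Set[FrozenSet[str]] = CONFLICTS) -> List[Pair]:
    """All conflict pairs fully contained in a permission set, in stable order."""
    return sorted(tuple(sorted(c)) for c in conflicts if c <= perms)


def effective_permissions(user: str, user_roles=USER_ROLES, role_perms=ROLE_PERMS) -> Set[str]:
    """Union of everything the user's roles grant; unknown roles grant nothing."""
    perms: Set[str] = set()
    for role in user_roles.get(user, set()):
        perms |= role_perms.get(role, set())
    return perms


def user_conflicts(user: str, user_roles=USER_ROLES, role_perms=ROLE_PERMS) -> List[Pair]:
    """Detective check: conflicts a user already holds, however they got them."""
    return _violations(effective_permissions(user, user_roles, role_perms))


def toxic_roles(role_perms=ROLE_PERMS) -> Dict[str, List[Pair]]:
    """Roles that violate SoD on their own: a table design defect rather than
    an assignment error, so the fix belongs in the role, not per user."""
    return {r: v for r in sorted(role_perms) if (v := _violations(role_perms[r]))}


def audit_all(user_roles=USER_ROLES, role_perms=ROLE_PERMS) -> Dict[str, List[Pair]]:
    """Every user with at least one live conflict."""
    return {u: v for u in sorted(user_roles) if (v := user_conflicts(u, user_roles, role_perms))}


def can_assign_role(user: str, role: str, user_roles=USER_ROLES, role_perms=ROLE_PERMS) -> bool:
    """Preventive check, to run before an assignment is written: refuse any
    role whose permissions would complete a conflicting pair for this user."""
    if role not in role_perms:
        return False  # fail closed on roles the table does not define
    after = effective_permissions(user, user_roles, role_perms) | role_perms[role]
    return not _violations(after)
```

Two points the example is built to show. First, the conflict check must run over effective permissions, not over role names: carol holds two individually harmless roles whose union is toxic, and a role-level rule would miss her. Second, `toxic_roles` is a separate finding from `audit_all`: dave's conflict cannot be fixed by reassigning him, because the authorization table itself grants both halves of the pair through one role.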
Question