Question 1096 - CISA discussion


Which of the following is the BEST way for an IS auditor to assess the design of an automated application control?

A. Interview the application developer.
B. Obtain management attestation and sign-off.
C. Review the application implementation documents.
D. Review system configuration parameters and output.

Suggested answer: C

Explanation:

Reviewing the application implementation documents is the best way for an IS auditor to assess the design of an automated application control. An automated application control is a control that is embedded in the application software and is executed by the system without human intervention. An automated application control is designed to ensure the accuracy, completeness, validity, and authorization of transactions and data processed by the application. Examples of automated application controls are input validation, edit checks, calculations, reconciliations, and exception reports.

The application implementation documents are the documents that describe the design specifications, logic, and functionality of the application and its controls. The application implementation documents may include:

Business requirements document - a document that defines the business objectives, needs, and expectations of the application.

Functional specifications document - a document that describes the features, functions, and interfaces of the application and its controls.

Technical specifications document - a document that details the technical architecture, design, and configuration of the application and its controls.

Test plan and test cases - a document that outlines the testing strategy, methodology, and scenarios for verifying the functionality and performance of the application and its controls.

User manual and training material - a document that provides instructions and guidance on how to use the application and its controls.

By reviewing the application implementation documents, an IS auditor can:

Gain an understanding of the purpose, scope, and nature of the application and its controls.

Evaluate whether the application and its controls are designed to meet the business requirements and objectives.

Identify any gaps, inconsistencies, or errors in the design of the application and its controls.

Compare the design of the application and its controls with the best practices and standards in the industry.

Determine whether the application and its controls are adequately tested and documented.

Interviewing the application developer is not the best way for an IS auditor to assess the design of an automated application control. An interview is a verbal communication technique that involves asking questions and listening to responses. An interview can be useful for obtaining general information or clarifying specific issues related to the application and its controls. However, an interview alone cannot provide sufficient evidence or documentation to support the auditor's assessment of the design of an automated application control. An interview may also be subject to bias, misunderstanding, or misinterpretation by either party.

Obtaining management attestation and sign-off is not the best way for an IS auditor to assess the design of an automated application control. Management attestation and sign-off is a formal process that involves obtaining written confirmation from management that they have reviewed and approved the design of the application and its controls. Management attestation and sign-off can indicate management's commitment and accountability for the quality and effectiveness of the application and its controls. However, management attestation and sign-off cannot substitute for an independent and objective evaluation by an IS auditor. Management attestation and sign-off may also be influenced by pressure, conflict of interest, or fraud.

Reviewing system configuration parameters and output is not the best way for an IS auditor to assess the design of an automated application control. System configuration parameters are settings that define how the system operates or interacts with other components. System output is data or information that is produced by the system as a result of processing transactions or performing functions. Reviewing system configuration parameters and output can help an IS auditor to verify whether the system is configured correctly and whether it produces accurate and reliable output. However, reviewing system configuration parameters and output cannot provide a comprehensive view of how the application and its controls are designed to achieve their objectives. Reviewing system configuration parameters and output may also require technical expertise or access rights that may not be available to an IS auditor.

asked 18/09/2024
Bartłomiej Praniuk