Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?
Correct Answer: A
The primary reason for an IS auditor to perform a risk assessment is to identify the areas with a relatively high probability of material problems. A risk assessment is a systematic process of evaluating the potential risks involved in an activity or undertaking: identifying the sources of risk, analyzing the likelihood and impact of each, and prioritizing them by significance. It lets the IS auditor focus on the areas most exposed to errors, fraud, or inefficiency, design audit procedures that address those risks, and allocate audit resources efficiently. A risk assessment does not provide a basis for formulating corrective action plans; that is a responsibility of management, not of the IS auditor. It does not increase awareness of the types of management actions that may be inappropriate; that is a matter of professional ethics and judgment. Identifying the areas most sensitive to fraudulent or inaccurate practices is an output of the risk assessment, not the reason for performing it. References: ISACA, CISA Review Manual, 27th Edition, Chapter 1: The Process of Auditing Information Systems, Section 1.3: Risk Assessment in Planning; Corporate Finance Institute, Audit Risk Model.
CISA Exam Question 87
During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?
Correct Answer: B
The best way to validate that appropriate security controls are in place to prevent data loss is to review compliance with the data loss prevention policy and the applicable mobile device user acceptance policies. Reviewing compliance confirms not only that the organization has established clear rules for employees who connect personal devices to company-owned computers, but also that those rules are actually followed. A walk-through, a review of the DLP tool configuration, and security awareness training each cover only one part of the control environment and do not by themselves validate that the controls operate effectively. References: IT Audit Fundamentals Certificate Resources.
CISA Exam Question 88
Which of the following provides the BEST assurance of data integrity after file transfers?
Correct Answer: C
The best assurance of data integrity after file transfers is hash values. A hash value is a fixed-length string produced by applying a mathematical function to the data; any change to the data, whether accidental or deliberate, produces a different hash value. By computing the hash of the source file and of the destination file with the same algorithm and comparing them, one can confirm that the two are identical. In practice the comparison is only as trustworthy as the reference hash: if the hash travels over the same channel as the file, whoever can alter the file can also replace the hash, so the expected value should be obtained out of band or protected by a keyed MAC or a digital signature, and a current algorithm such as SHA-256 should be used rather than MD5 or SHA-1. The other options are less effective for this purpose. Check digits are digits appended to a number to detect data entry or transmission errors, but they are not reliable for detecting intentional or complex modifications. Monetary unit sampling is a statistical sampling technique used in auditing financial statements and does not verify data integrity after file transfers. A reasonableness check validates that data falls within an expected range or format but does not show that it is accurate or consistent with the source. References: On Windows, how to check that data is unchanged after copying? (Super User); Data integrity, Cloud Storage Transfer Service Documentation (Google Cloud); Checking File Integrity (HECC Knowledge Base); How to setup File Transfer Integrity Checks (Progress.com).
CISA Exam Question 89
Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?
Correct Answer: D
CISA Exam Question 90
To confirm integrity for a hashed message, the receiver should use:
Correct Answer: A
To confirm integrity for a hashed message, the receiver should use the same hashing algorithm as the sender's to create a binary image of the file. A hashing algorithm is a mathematical function that transforms input data of any length into a fixed-length output, called a hash or digest. It has two properties that matter here: it is one-way (easy to compute the hash from the input, infeasible to recover the input from the hash) and collision-resistant (it is very unlikely that two different inputs produce the same hash). Because of these properties, any change to the input produces a different hash value. The "binary image" in the correct answer is this digest: the receiver recomputes the digest over the received message with the same algorithm the sender used and compares it with the digest the sender supplied. If they match, the message has not been altered in transit; if they differ, the message has been corrupted or tampered with. Using a different algorithm from the sender's can never produce a matching digest, so the comparison would be meaningless. Note that an unkeyed hash by itself confirms integrity, not origin: a sender's digest that arrives over the same channel as the message can be replaced along with it, so where the threat is an active attacker the digest should be protected with a keyed MAC (such as an HMAC) or a digital signature. References: Ensuring Data Integrity with Hash Codes; Message Integrity.
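The file-transfer check from Question 88 and the receiver-side verification from Question 90 are the same operation: recompute the digest over the received bytes with the sender's algorithm and compare. The following Python is an added example, not material from the CISA Review Manual or the cited references. The sample "file" contents, the corruption (one amount changed) and the shared key are constructed for the illustration; the key is assumed to have been exchanged out of band. It shows an intact copy verifying, a corrupted copy failing, a mismatched algorithm failing, and the caveat from the explanations above: an attacker who can replace both the file and its unkeyed hash defeats a plain hash comparison but not an HMAC.

```python
import hashlib
import hmac

# Constructed sample data: what the sender transmitted and two copies that
# arrived at the destination, one intact and one with a single amount altered.
SENDER_FILE = b"GL batch 2024-06-30: account 4010 debit 12,500.00\n"
RECEIVED_INTACT = bytes(SENDER_FILE)
RECEIVED_CORRUPTED = SENDER_FILE.replace(b"12,500.00", b"12,600.00")


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of in-memory data. Receiver and sender must use the SAME algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Stream a file on disk through the hash so large transfers need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_integrity(received: bytes, sender_digest: str, algorithm: str = "sha256") -> bool:
    """Receiver side: recompute the digest over the received bytes and compare.

    hmac.compare_digest is a constant-time comparison; it also returns False when
    the two digests have different lengths (e.g. the receiver picked sha512 while
    the sender used sha256), so a wrong algorithm can never 'match' by accident.
    """
    return hmac.compare_digest(digest(received, algorithm), sender_digest)


def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the data: proves integrity AND that the holder of the key produced it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(received: bytes, sender_tag: str, key: bytes) -> bool:
    return hmac.compare_digest(tag(received, key), sender_tag)


def demo() -> dict:
    """Run the scenarios from the explanations above and return the outcome of each."""
    sender_digest = digest(SENDER_FILE)
    shared_key = b"constructed-shared-key-exchanged-out-of-band"  # assumption for the example
    sender_tag = tag(SENDER_FILE, shared_key)

    # Active attacker: alters the file AND recomputes the unkeyed hash that
    # travelled with it, so the plain hash comparison still succeeds.
    tampered = RECEIVED_CORRUPTED
    tampered_digest = digest(tampered)

    return {
        "intact_matches": verify_integrity(RECEIVED_INTACT, sender_digest),
        "corrupted_detected": not verify_integrity(RECEIVED_CORRUPTED, sender_digest),
        "wrong_algorithm_fails": not verify_integrity(RECEIVED_INTACT, sender_digest, "sha512"),
        # Unkeyed hash gives no protection when the hash is replaced with the file.
        "unkeyed_hash_fooled": verify_integrity(tampered, tampered_digest),
        # The attacker cannot recompute the HMAC without the key, so it still fails.
        "hmac_detects_tamper": not verify_tag(tampered, sender_tag, shared_key),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:24s} {'OK' if outcome else 'FAIL'}")
```

In an audit setting the useful evidence is the reference digest's provenance: a digest published by the sender on a separate channel (or an HMAC/signature) supports the integrity assertion, whereas a digest that arrived in the same transfer only shows that the file was not corrupted accidentally.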