Which of the following backup schemes is the BEST option when storage media is limited?
Correct Answer: C
A differential backup scheme is the best option when storage media is limited, as it only backs up the data that has changed since the last full backup. This reduces the amount of storage space required and also simplifies the restoration process, as only the last full backup and the last differential backup are needed. A real-time backup scheme would require continuous replication of data, which would consume a lot of storage space and network bandwidth. A virtual backup scheme would create a snapshot of the data at a point in time, but it would not reduce the storage space required, as it would still need to store the changes made to the data. A full backup scheme would back up all the data every time, which would require the most storage space and also take longer to complete. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 405
CISA Exam Question 177
Which of the following would BEST help to support an auditor's conclusion about the effectiveness of an implemented data classification program?
Correct Answer: C
Access rights provisioned according to scheme would best help to support an auditor's conclusion about the effectiveness of an implemented data classification program. This would indicate that the data classification program has been properly implemented and enforced, and that the data is protected according to its sensitivity and value. The other options are not sufficient to demonstrate the effectiveness of a data classification program, as they do not show how the data is actually accessed and used by authorized users. References: * CISA Review Manual (Digital Version), Chapter 6, Section 6.2.31 * CISA Review Questions, Answers & Explanations Database, Question ID 2042
CISA Exam Question 178
During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?
Correct Answer: B
The auditor's best course of action in this situation is to notify the audit manager. The audit manager is responsible for overseeing the audit follow-up process and ensuring that audit issues are resolved in a timely and satisfactory manner. The audit manager can then decide whether to escalate the matter to higher authorities, such as the chair of the audit committee, or to accept management's decision and close the audit finding. The other options are not appropriate for the auditor to do without consulting with the audit manager first. Notifying the chair of the audit committee is a drastic step that may undermine the relationship between the auditor and management, and it should be done only after exhausting other means of resolving the issue. Retesting the control is not necessary, as management has already decided not to implement the recommendations. Closing the audit finding is premature, as management's decision may not be aligned with the audit objectives or risk appetite. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4
CISA Exam Question 179
A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger, and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
Correct Answer: D
The primary focus of the IS auditor reviewing the first year of the project should be regression testing. Regression testing is a type of testing that ensures that the existing functionality of the system is not affected by the changes or upgrades made to the system. Since the project involves upgrading the ERP system hosting the general ledger, which is a critical and complex component of the finance department, it is important to verify that the upgrade does not introduce any errors or defects that could compromise the accuracy, completeness, and reliability of the financial data and reports. Regression testing can help identify and resolve any issues before they affect the users and the business processes. Unit testing, network performance, and user acceptance testing (UAT) are also important aspects of the project, but they are not the primary focus of the IS auditor in the first year. Unit testing is a type of testing that verifies that each individual module or component of the system works as expected. Network performance is a measure of how well the system can communicate and exchange data with other systems and devices over a network. User acceptance testing (UAT) is a type of testing that validates that the system meets the user requirements and expectations. These aspects are more relevant in later stages of the project, when the system is more developed and ready for deployment. References: * ERP Upgrade: The Path to Modernization | SAP * ERP System Validation: Your Guide To Successfully Validating ERP Systems * The role of internal auditors in ERP-based organizations * What is Regression Testing? Definition, Tools & Examples * What is Unit Testing? Definition, Tools & Examples * What is Network Performance? Definition, Metrics & Examples * What is User Acceptance Testing (UAT)? Definition, Process & Examples
CISA Exam Question 180
During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor's BEST course of action?
Correct Answer: D
The auditor's best course of action after discovering instances where employees shared license keys to critical pieces of business software is to verify whether the licensing agreement allows shared use. A licensing agreement is a contract between the software provider and the user that defines the terms and conditions of using the software, including the number, type, and scope of licenses granted. Some licensing agreements may allow shared use of license keys among multiple users or devices, while others may prohibit or restrict such use. By verifying the licensing agreement, the auditor can determine whether the employees violated the contract or not, and whether there are any legal or financial risks or implications for the organization. The other options are not as appropriate as option D, as they may not address the root cause of the issue or provide a comprehensive solution. Recommending the utilization of software licensing monitoring tools may help prevent or detect future instances of license key sharing, but it does not resolve the current situation or ensure compliance with the licensing agreement. Recommending the purchase of additional software license keys may be unnecessary or wasteful if the licensing agreement already allows shared use or if there are unused licenses available. Validating user need for shared software licenses may help identify the reasons or motivations behind license key sharing, but it does not justify or excuse such behavior if it violates the licensing agreement. References: * Best License Management Software 2023 | Capterra * Best 10 Software License Management Tools in 2023 | Zluri * Top 10 Software License Tracking Tools | Zluri * Top 5 Software License Tracking Solutions in 2023 - DNSstuff