The type of review that is most important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application is C. Forensic audit. A forensic audit is a type of audit that involves collecting, analyzing, and preserving evidence of fraud, corruption, or other illegal or unethical activities1. A forensic audit can help the IS auditor to identify and document the source, scope, and impact of the exploitation, as well as the perpetrators, motives, and methods involved. A forensic audit can also help the IS auditor to provide recommendations for preventing or mitigating future exploitations, and to support any legal actions or investigations that may arise from the incident2.

The most useful tool for determining whether the goals of IT are aligned with the organization's goals is a balanced scorecard. A balanced scorecard is a strategic management system that translates an organization's vision and mission into a set of objectives and measures across four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard helps align IT goals with organizational goals by linking them to a common strategy map that shows how IT contributes to value creation and performance improvement in each perspective. A balanced scorecard also helps monitor and evaluate IT performance against predefined targets and indicators.
Enterprise dashboard, enterprise architecture (EA), and key performance indicators (KPIs) are not the most useful tools for determining whether the goals of IT are aligned with the organization's goals. These tools may help communicate, design, or measure IT goals or activities, but they do not provide a comprehensive framework for aligning IT goals with organizational goals across multiple dimensions.

An incident response team has been notified of a virus outbreak in a network subnet. The next step should be to focus on limiting the damage by containing the virus and preventing it from spreading further. This may involve isolating the affected systems, disconnecting them from the network, blocking malicious traffic or applying patches or antivirus updates. Verifying that the compromised systems are fully functional, documenting the incident and removing and restoring the affected systems are possible steps that could be taken after limiting the damage. References:
* : [Incident Response Definition]
* : [Incident Response Process | ISACA]
* : [Virus Definition]

The authority given to the audit function is one of the components that is found in an audit charter. According to the IIA, the audit charter is a formal document that defines internal audit's purpose, authority, responsibility and position within the organization1. The authority given to the audit function includes the scope of its activities, the access to records, personnel and physical properties relevant to its work, and the independence and objectivity of its staff2. The authority given to the audit function helps to ensure that internal auditors can perform their duties effectively and efficiently, and that they can provide assurance and consulting services that add value and improve the organization's operations3.
The other options are not found in an audit charter. The process of developing the annual audit plan is not part of the audit charter, but rather a separate document that outlines the methodology, criteria and resources for selecting and prioritizing audit engagements based on a risk assessment4. Required training for audit staff is not part of the audit charter, but rather a component of the quality assurance and improvement program that evaluates the competence and performance of internal auditors and provides them with opportunities for professional development5. Audit objectives and scope are not part of the audit charter, but rather specific elements of each individual audit engagement that define the expected outcomes and the boundaries of the audit work.

The programmer having access to the production programs is a control weakness that would have contributed most to the problem of unauthorized changes to key fields in a payroll system report. This is because it violates the principle of segregation of duties, which requires that different individuals or groups perform different functions related to system development, testing, implementation, and operation. Allowing programmers to access production programs increases the risk of errors, fraud, or malicious actions that may compromise the integrity, availability, or confidentiality of the system or its data. The other options are not as significant as having access to production programs, as they relate to other aspects of system development or maintenance, such as user involvement in testing (which affects user satisfaction and acceptance), user requirements documentation (which affects system functionality and quality), and payroll files control (which affects data security and accuracy). References: CISA Review Manual (Digital Version), Domain 3:
Information Systems Acquisition, Development and Implementation, Section 3.2 Project Management Practices