An IS auditor found that operations personnel failed to run a script contributing to year-end financial statements. Which of the following is the BEST recommendation?
Correct Answer: B
The best recommendation for the IS auditor to make is to implement a closing checklist, as this will help ensure that all required tasks and scripts are performed and verified during the year-end closing process [1][2]. A closing checklist also helps prevent the errors, omissions, and delays that could affect the accuracy and timeliness of the financial statements [3][4].
References:
1: Year-end closing procedures for GL - Dynamics GP | Microsoft Learn
2: Year-end activities FAQ - Finance | Dynamics 365 | Microsoft Learn
3: Year-End Closing Checklist: 10 Steps to Close Your Books
4: Year End Closing Checklist: 7 Steps to Make it Easy
CISA Exam Question 252
An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?
Correct Answer: C
The greatest concern with the lack of structure for technology risk governance is C. Key decision-making entities for technology risk have not been identified. Technology risk governance is the process of establishing and maintaining the policies, roles, responsibilities, and accountabilities for managing technology risks within an organization [1]. Technology risk governance requires a clear organizational structure that defines who has the authority and responsibility to make decisions, set objectives, allocate resources, monitor performance, and ensure compliance for technology risk management [2]. Without such a structure, an organization may face the following challenges:
- Lack of alignment and integration between technology and business strategies, leading to suboptimal outcomes and missed opportunities.
- Lack of clarity and consistency in technology risk identification, assessment, mitigation, and reporting, leading to gaps and overlaps in risk coverage and exposure.
- Lack of communication and collaboration among the different stakeholders involved in technology risk management, leading to conflicts and inefficiencies.
- Lack of oversight and accountability for technology risk management activities and results, leading to poor quality and reliability.
CISA Exam Question 253
Which of the following provides the BEST evidence that outsourced provider services are being properly managed?
Correct Answer: B
Adequate action taken for noncompliance with the service level agreement (SLA) provides the best evidence that outsourced provider services are being properly managed. It shows that the organization is both monitoring the provider's performance and enforcing the terms of the SLA. The other options are weaker evidence of proper management. Option A, the SLA includes penalties for non-performance, is good practice but does not show that the penalties are actually applied or that performance is satisfactory. Option C, the vendor provides historical data to demonstrate its performance, is not reliable because self-reported data may be biased or inaccurate. Option D, internal performance standards align with corporate strategy, is irrelevant to the question of outsourced provider management.
References:
1: ISACA, CISA Review Manual, 27th Edition, 2019, page 282
2: ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription, QID 106669
CISA Exam Question 254
While reviewing the effectiveness of an incident response program, an IS auditor notices a high number of reported incidents involving malware originating from removable media found by employees. Which of the following is the MOST appropriate recommendation to management?
Correct Answer: B
CISA Exam Question 255
Which of the following is MOST useful when planning to audit an organization's compliance with cybersecurity regulations in foreign countries?
Correct Answer: D
The most useful thing to do when planning to audit an organization's compliance with cybersecurity regulations in foreign countries is to map the different regulatory requirements to the organization's IT governance framework. An IT governance framework is a roadmap that defines the methods an organization uses to implement, manage, and report on IT governance [1], and it helps align business and IT strategies using a solid, formal structure [2]. By mapping the different regulatory requirements to the IT governance framework, the auditor can:
- Identify the commonalities and differences among the various cybersecurity regulations that apply to the organization's operations in different countries.
- Assess the level of compliance and maturity of the organization's IT governance practices against each regulatory requirement.
- Evaluate the risks and gaps associated with non-compliance or partial compliance with any of the regulatory requirements.
- Recommend appropriate actions or improvements to enhance the organization's IT governance and cybersecurity posture.
Option D is correct because mapping the different regulatory requirements to the organization's IT governance framework is a systematic and effective way to plan and conduct an audit of compliance with cybersecurity regulations in foreign countries.