Practice Free CISA Exam Online Questions
An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments.
The IS auditor should FIRST
- A . document the exception in an audit report.
- B . review security incident reports.
- C . identify compensating controls.
- D . notify the audit committee.
C
Explanation:
The first action that an IS auditor should take when finding a high-risk vulnerability in a public-facing web server used to process online customer payments is to identify compensating controls. Compensating controls are alternative or additional controls that provide reasonable assurance of mitigating the risk of exploiting the vulnerability. The IS auditor should assess the effectiveness of the compensating controls and determine whether they reduce the risk to an acceptable level. If not, the IS auditor should recommend remediation actions to address the vulnerability. Documenting the exception in an audit report is an important action, but it should not be the first action, as it does not address the urgency of the situation. Reviewing security incident reports is a useful action, but it should not be the first action, as it does not provide assurance of preventing future incidents. Notifying the audit committee is a necessary action, but it should not be the first action, as it does not involve taking any corrective measures.
Reference: CISA Review Manual, 27th Edition, pages 295-296
CISA Review Questions, Answers & Explanations Database, Question ID: 260
Which of the following is the BEST way to mitigate the impact of ransomware attacks?
- A . Invoking the disaster recovery plan (DRP)
- B . Backing up data frequently
- C . Paying the ransom
- D . Requiring password changes for administrative accounts
B
Explanation:
Ransomware is a type of malicious software that encrypts the victim’s data and demands a ransom for its decryption [1]. Ransomware attacks can cause significant damage to an organization’s operations, reputation, and finances [1]. Therefore, it is important to mitigate the impact of ransomware attacks by implementing effective prevention and recovery strategies.
One of the best ways to mitigate the impact of ransomware attacks is to back up data frequently [1][2][3][4][5]. Data backups are copies of the organization’s data that are stored in a separate location or medium, such as an external hard drive, cloud storage, or tape [2]. Data backups can help the organization restore its data in case of a ransomware attack, without paying the ransom or losing valuable information [2]. Data backups should be performed regularly, preferably daily or weekly, depending on the criticality and volume of the data [2]. Data backups should also be tested periodically to ensure their integrity and usability [2].
The other options are not as effective as backing up data frequently in mitigating the impact of ransomware attacks. Invoking the disaster recovery plan (DRP) is a reactive measure that can help the organization resume its operations after a ransomware attack, but it does not prevent or reduce the damage caused by the attack [3]. Paying the ransom is not a recommended option, as it does not guarantee the decryption of the data or the deletion of the stolen data by the attackers. Paying the ransom also encourages further attacks and funds criminal activities [1][4]. Requiring password changes for administrative accounts is a good security practice, but it is not sufficient to prevent or recover from ransomware attacks. Ransomware attacks can exploit other vulnerabilities, such as phishing emails, outdated software, or weak network security [1][5].
Reference:
1: How to Mitigate the Risk of Ransomware Attacks: The Definitive Guide
2: Mitigating malware and ransomware attacks – The National Cyber Security Centre
3: 3 steps to prevent and recover from ransomware
4: Ransomware Epidemic: Use these 8 Strategies to Mitigate Risk
5: Practical Steps to Mitigate Ransomware Attacks – ITSecurityWire
Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?
- A . Inadequate measurement of key risk indicators (KRIs)
- B . Inadequate alignment of IT plans and business objectives
- C . Inadequate business impact analysis (BIA) results and predictions
- D . Inadequate measurement of key performance indicators (KPIs)
B
Explanation:
The most significant impact to an organization that does not use an IT governance framework is inadequate alignment of IT plans and business objectives. IT governance is a framework for the governance and management of enterprise information and technology (I&T) that supports enterprise goal achievement [1]. IT governance helps to ensure that IT investments and activities are aligned with the business strategy, vision, and values of the organization. IT governance also helps to optimize the value of IT, manage IT-related risks, and measure and monitor IT performance [1].
Without an IT governance framework, an organization may face challenges such as:
Lack of clarity and direction for IT decision making
Inconsistent or conflicting IT priorities and demands
Inefficient or ineffective use of IT resources and capabilities
Poor quality or delivery of IT services and products
Increased exposure to IT-related threats and vulnerabilities
Reduced customer satisfaction and trust in IT
Missed opportunities for innovation and competitive advantage
Therefore, an organization that does not use an IT governance framework may fail to achieve its business objectives and may lose its competitive edge in the market.
Reference:
1: COBIT 2019 Framework Introduction and Methodology, Section 1.1: What Is Governance of Enterprise I&T?
2: IT Governance: Definitions, Frameworks and Planning, Section 1: What Is IT Governance?
To mitigate the risk of exposing data through application programming interface (API) queries, which of the following design considerations is MOST important?
- A . Data retention
- B . Data minimization
- C . Data quality
- D . Data integrity
B
Explanation:
The answer B is correct because data minimization is the most important design consideration to mitigate the risk of exposing data through application programming interface (API) queries. An API is a set of rules and protocols that allows different software components or systems to communicate and exchange data. API queries are requests sent by users or applications to an API to retrieve or manipulate data. For example, a user may query an API to get information about a product, a service, or a location.
Data minimization is the principle of collecting, processing, and storing only the minimum amount of data that are necessary for a specific purpose. Data minimization can help to reduce the risk of exposing data through API queries by limiting the amount and type of data that are available or accessible through the API. Data minimization can also help to protect the privacy and security of the data subjects and the data providers, as well as to comply with the relevant laws and regulations.
Some of the benefits of data minimization for API design are:
Privacy: Data minimization can enhance the privacy of the data subjects by ensuring that only the data that are relevant and essential for the API purpose are collected and processed. This can prevent unnecessary or excessive collection or disclosure of personal or sensitive data, such as names, addresses, phone numbers, email addresses, etc. Data minimization can also help to comply with the privacy laws and regulations that require data protection by design and by default, such as GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act).
Security: Data minimization can improve the security of the data providers by reducing the attack surface and the potential damage of a data breach. If less data are stored or transmitted through the API, there are fewer opportunities for attackers to access or compromise the data. Data minimization can also help to implement security controls such as encryption, access control, or logging more efficiently and effectively.
Performance: Data minimization can increase the performance of the API by optimizing the use of resources and bandwidth. If less data are stored or transmitted through the API, there are less storage space and network traffic required. Data minimization can also help to improve the speed and reliability of the API responses.
Some of the techniques for data minimization in API design are:
Define clear and specific purposes for the API and document them in the API specification or documentation.
Identify and classify the data that are needed for each purpose and assign them appropriate labels or levels, such as public, internal, confidential, or restricted.
Implement filters or parameters in the API queries that allow users or applications to specify or limit the data fields or attributes they want to retrieve or manipulate.
Use pagination or throttling in the API responses that limit the number or size of data items returned per request.
Use anonymization or pseudonymization techniques that remove or replace any identifying information from the data before sending them through the API.
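The three technical techniques just listed (field filters, pagination, and pseudonymization) can be combined in a single request handler. The following is an added example, not code from the original page or from any referenced resource: a small, framework-free Python function that applies a field allowlist, a capped page size, and a keyed hash for the email attribute to a constructed in-memory customer table. The field names, the `PSEUDONYM_KEY` value and the `MAX_PAGE_SIZE` of 2 are illustrative assumptions chosen to keep the sample small.

```python
import hashlib
import hmac
from typing import Any, Dict, List, Optional

# Constructed sample records standing in for a customer table (not real data).
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+1-555-0100", "city": "Boston", "plan": "pro"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com",
     "phone": "+1-555-0101", "city": "Denver", "plan": "free"},
    {"id": 3, "name": "Carol Example", "email": "carol@example.com",
     "phone": "+1-555-0102", "city": "Boston", "plan": "pro"},
]

# Data classification for this endpoint: only allowlisted fields can ever leave the API.
# Fields absent from the allowlist (here "name" and "phone") are never exposed,
# regardless of what the caller asks for.
PUBLIC_FIELDS = {"id", "city", "plan"}
PSEUDONYMIZED_FIELDS = {"email"}       # returned only as a keyed, non-reversible token
ALLOWED_FIELDS = PUBLIC_FIELDS | PSEUDONYMIZED_FIELDS
DEFAULT_FIELDS = {"id", "plan"}        # minimal default when the caller selects nothing
MAX_PAGE_SIZE = 2                      # illustrative cap on items per response

# Hypothetical server-side secret; in a real service this comes from a secret store.
PSEUDONYM_KEY = b"rotate-me-example-key"


def pseudonymize(value: str) -> str:
    """HMAC-SHA256 of the value under a server-side key, truncated to 16 hex chars.

    The same input always yields the same token (so records stay joinable inside
    the organization) but the original value cannot be recovered without the key.
    """
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def query_customers(fields: Optional[List[str]] = None, page: int = 1,
                    page_size: int = MAX_PAGE_SIZE) -> Dict[str, Any]:
    """Answer a customer query while applying the data-minimization rules above."""
    requested = set(fields) if fields else set(DEFAULT_FIELDS)
    rejected = requested - ALLOWED_FIELDS
    if rejected:
        # Fail closed: a disallowed or unknown field is an error rather than being
        # silently ignored, so the API does not leak which extra attributes exist.
        raise ValueError(f"fields not permitted: {sorted(rejected)}")

    # Pagination: clamp the requested size to the cap and slice the result set.
    page = max(page, 1)
    page_size = max(1, min(page_size, MAX_PAGE_SIZE))
    start = (page - 1) * page_size
    window = CUSTOMERS[start:start + page_size]

    items = []
    for rec in window:
        out = {}
        for field in requested:
            value = rec[field]
            if field in PSEUDONYMIZED_FIELDS:
                value = pseudonymize(value)
            out[field] = value
        items.append(out)

    return {
        "page": page,
        "page_size": page_size,
        "has_more": start + page_size < len(CUSTOMERS),
        "items": items,
    }


if __name__ == "__main__":
    print(query_customers())                         # default minimal fields, page 1
    print(query_customers(["id", "email"], page=2))  # email returned as a token
```

Note the failure-mode choice: a request for `phone` raises instead of returning the other fields, and a `page_size` of 100 is clamped to the cap rather than honoured, so neither an over-broad field list nor an over-large page can widen what the endpoint discloses.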
Some examples of web resources that discuss data minimization in API design are:
Data Minimization in Web APIs – World Wide Web Consortium (W3C)
Adding Privacy by Design in Secure Application Development
Chung-ju/Data-Minimization: A repository of related papers. – GitHub
Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?
- A . Validate the audit observations.
- B . Identify business risks associated with the observations.
- C . Assist the management with control enhancements.
- D . Record the proposed course of corrective action.
A
Explanation:
The primary reason an IS auditor should discuss observations with management before delivering a final report is A. Validate the audit observations. This is because discussing the observations with management can help the auditor to ensure that the findings are accurate, complete, and supported by sufficient evidence [1]. It can also help the auditor to obtain management’s perspective and feedback on the issues and risks identified, and to avoid any misunderstandings or surprises when the final report is issued [2].
Retention periods and conditions for the destruction of personal data should be determined by the:
- A . risk manager.
- B . database administrator (DBA).
- C . privacy manager.
- D . business owner.
D
Explanation:
The business owner is the person or entity that has the authority and responsibility for defining the purpose and scope of the processing of personal data, as well as the expected outcomes and benefits. The business owner is also accountable for ensuring that the processing of personal data complies with the applicable laws and regulations, such as the General Data Protection Regulation (GDPR) or the Data Protection Act 2018 (DPA 2018).
One of the requirements of the GDPR and the DPA 2018 is to adhere to the principle of storage limitation, which states that personal data should be kept for no longer than is necessary for the purposes for which it is processed [1]. This means that the business owner should determine and justify how long they need to retain personal data, based on factors such as:
The nature and sensitivity of the personal data
The legal or contractual obligations or rights that apply to the personal data
The business or operational needs and expectations that depend on the personal data
The risks and impacts that may arise from retaining or deleting the personal data
The business owner should also establish and document the conditions and methods for the destruction of personal data, such as:
The criteria and triggers for deciding when to destroy personal data
The procedures and tools for securely erasing or anonymising personal data
The roles and responsibilities for carrying out and overseeing the destruction of personal data
The records and reports for verifying and evidencing the destruction of personal data
Therefore, retention periods and conditions for the destruction of personal data should be determined by the business owner, as they are in charge of defining and managing the processing of personal data, as well as ensuring its compliance with the law.
During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress.
Which of the following is the GREATEST resulting impact?
- A . The project manager will have to be replaced.
- B . The project reporting to the board of directors will be incomplete.
- C . The project steering committee cannot provide effective governance.
- D . The project will not withstand a quality assurance (QA) review.
C
Explanation:
The greatest resulting impact of project reporting not accurately reflecting current progress is that the project steering committee cannot provide effective governance. The project steering committee is a group of senior executives or stakeholders who oversee the project and provide strategic direction, guidance, and support. The project steering committee relies on accurate and timely project reporting to monitor the project’s status, performance, risks, issues, and changes. If the project reporting is inaccurate, the project steering committee cannot make informed decisions, resolve problems, allocate resources, or ensure alignment with the organizational goals and objectives.
The other options are not as impactful as option C. The project manager will have to be replaced is a possible consequence, but not the greatest impact, of inaccurate project reporting. The project manager is responsible for planning, executing, monitoring, controlling, and closing the project. The project manager may face disciplinary actions or termination if they fail to provide accurate and honest project reporting. However, this does not necessarily affect the overall governance of the project. The project reporting to the board of directors will be incomplete is a potential risk, but not the greatest impact, of inaccurate project reporting. The board of directors is the highest governing body of an organization that sets the vision, mission, values, and policies. The board of directors may receive periodic or ad hoc project reporting to ensure that the project is aligned with the organizational strategy and delivers value. If the project reporting is inaccurate, the board of directors may lose confidence in the project or intervene in its management. However, this does not directly affect the day-to-day governance of the project. The project will not withstand a quality assurance (QA) review is a possible outcome, but not the greatest impact, of inaccurate project reporting. A quality assurance review is a process to evaluate the quality of the project’s processes and deliverables against predefined standards and criteria. A quality assurance review may reveal discrepancies or errors in the project reporting that may affect the credibility and reliability of the project. However, this does not necessarily affect the governance of the project.
Reference: Project Steering Committee – Roles & Responsibilities, Project Reporting Best Practices, Quality Assurance in Project Management
When auditing the feasibility study of a system development project, the IS auditor should:
- A . review qualifications of key members of the project team.
- B . review the request for proposal (RFP) to ensure that it covers the scope of work.
- C . review cost-benefit documentation for reasonableness.
- D . ensure that vendor contracts are reviewed by legal counsel.
C
Explanation:
A feasibility study is an assessment that determines the likelihood of a proposed project being successful, such as a new system development [1]. A feasibility study typically covers various aspects of the project, such as technical, economic, operational and legal feasibility [2]. The IS auditor’s role is to audit the feasibility study and ensure that it is objective, realistic and reliable [3].
One of the most important aspects of a feasibility study is the economic feasibility, which analyzes the costs and benefits of the proposed system and compares them with alternative solutions [2]. The economic feasibility study should include a detailed breakdown of the development, implementation and operational costs, as well as the expected revenues, savings and intangible benefits of the system [3]. The IS auditor should review the cost-benefit documentation for reasonableness and accuracy, and verify that the assumptions and calculations are valid and supported by evidence [3].
The other options are not directly related to auditing the feasibility study of a system development project. Reviewing qualifications of key members of the project team (option A) is more relevant to auditing the project management and human resources aspects of the project. Reviewing the request for proposal (RFP) to ensure that it covers the scope of work (option B) is more relevant to auditing the procurement and vendor selection process of the project. Ensuring that vendor contracts are reviewed by legal counsel (option D) is more relevant to auditing the legal and contractual aspects of the project.
Reference:
1: What Is a Feasibility Study? Definition, Benefits and Types
2: Feasibility Analysis in System Development Process
3: Types of Feasibility Study in Software Project Development
Which of the following provides the BEST evidence that outsourced provider services are being properly managed?
- A . The service level agreement (SLA) includes penalties for non-performance.
- B . Adequate action is taken for noncompliance with the service level agreement (SLA).
- C . The vendor provides historical data to demonstrate its performance.
- D . Internal performance standards align with corporate strategy.
B
Explanation:
Adequate action taken for noncompliance with the service level agreement (SLA) provides the best evidence that outsourced provider services are being properly managed. This shows that the organization is monitoring the performance of the provider and enforcing the terms of the SLA.
The other options are not as convincing as evidence of proper management.
Option A, the SLA includes penalties for non-performance, is a good practice but does not guarantee that the penalties are actually applied or that the performance is satisfactory.
Option C, the vendor provides historical data to demonstrate its performance, is not reliable because the data may be biased or inaccurate.
Option D, internal performance standards align with corporate strategy, is irrelevant to the question of outsourced provider management.
Reference:
1: ISACA, CISA Review Manual, 27th Edition, 2019, page 282
2: ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription, QID 106669
What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?
- A . it facilitates easier audit follow-up
- B . it enforces action plan consensus between auditors and auditees
- C . it establishes accountability for the action plans
- D . it helps to ensure factual accuracy of findings
C
Explanation:
The primary benefit of an audit approach that requires reported findings to be issued together with related action plans, owners, and target dates is that it establishes accountability for the action plans. Accountability means that the individuals or groups who are responsible for implementing the action plans are clearly identified and held liable for their completion within the specified time frame. Accountability also implies that the action plans are monitored and evaluated to ensure that they are effective and efficient in addressing the audit findings and mitigating the associated risks [1]. Accountability helps to ensure that the audit recommendations are taken seriously and implemented properly, and that the audit value is realized by the organization [2]. The other options are less relevant or incorrect because:
