CISA Exam Dumps - Isaca Certification Questions and Answers

When outsourcingIS functions,independent audit provisionsensure thatcontractors meet security, compliance, and operational standards.

Option A (Incorrect):Security procedures should be included but are subject tochangeandmay not be detailedin the contract.

Option B (Correct):Independent audit rightsallow the organization toverifythat the vendor complies with security, operational, and regulatory requirements.

Option C (Incorrect):Naming specific staff isimpracticaland not acore contractual requirement.

Option D (Incorrect):Data transfer protocols are important, but they are atechnical detailrather than aprimary contract requirement.

The effectiveness of an information security awareness program is best measured by assessing real-world behavior rather than subjective feedback or indirect metrics. Social engineering exercises simulate real-world attack scenarios, testing whether employees can identify and respond appropriately to security threats. This directly evaluates the program ' s impact on employee behavior and awareness.

Measuring User Satisfaction (Option A):While useful for feedback, satisfaction does not measure the effectiveness of awareness in preventing security incidents.

Reviewing Security Staff Performance Evaluations (Option C):This focuses on staff capabilities rather than the awareness program ' s effectiveness.

Analyzing Help Desk Calls (Option D):This might provide insight into recurring issues but does not directly measure the program ' s success in changing user behavior.

Conducting social engineering exercises aligns with best practices for assessing organizational security awareness.

 A top-down maturity model process is a method of assessing and improving the maturity level of a process or a set of processes within an organization. A maturity level is a measure of how well-defined, controlled, measured, and optimized a process is. A top-down maturity model process starts with defining the desired maturity level and then identifying the gaps and improvement opportunities for each process. This helps prioritize the processes that need the most attention and improvement. Therefore, a result of utilizing a top-down maturity model process is identification of processes with the most improvement opportunities.

A means of benchmarking the effectiveness of similar processes with peers, a means of comparing the effectiveness of other processes within the enterprise, and identification of older, more established processes to ensure timely review are not results of utilizing a top-down maturity model process. These are possible benefits or objectives of using other types of maturity models or assessment methods, but they are not specific to a top-down approach.

 The greatest concern with this situation is that a business-critical application does not currently have any level of fault tolerance and thus has a single point of failure. A single point of failure is a component or element of a system that, if it fails, will cause the entire system to stop functioning. Fault tolerance is the ability of a system to continue operating without interruption or degradation in the event of a failure of one or more of its components or elements. Fault tolerance can be achieved by using techniques such as redundancy, replication, backup, or failover. A business-critical application should have a high level of fault tolerance to ensure its availability, reliability, and continuity. References:

CISA Review Manual (Digital Version), Chapter 5, Section 5.51

CISA Online Review Course,Domain 3, Module 3, Lesson 22

The primary benefit of using one-time passwords is that an intercepted password cannot be reused, as it is valid only for a single login session or transaction. One-time passwords enhance the security of authentication by preventing replay attacks or password guessing. The other options are not the primary benefits of using one-time passwords. Security for applications can be automated with or without one-time passwords. Users may still have to memorize complex passwords or use a device or software to generate one-time passwords. Users can still be locked out of an account if they enter an incorrect or expired one-time password. References: CISA Review Manual (Digital Version), Chapter 6, Section 6.1

The key audit concern at data input is integrity—ensuring accuracy, validity, and completeness. Without integrity, outputs cannot be trusted. Availability and resilience are operational concerns, while normalization is a design technique. Integrity remains the top security and audit focus.

References (ISACA): ISACA Audit and Assurance Standards – Information Criteria (Effectiveness, Efficiency, Integrity, Availability).

The main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B). This is because:

A project change management process is a set of procedures that defines how changes to the project scope, schedule, budget, quality, or resources are requested, evaluated, approved, implemented, and controlled12.

A project change management process helps to ensure that the changes are aligned with the project objectives, stakeholders’ expectations, and business needs12.

Adding a new system functionality during the development phase without following a project change management process can introduce risks such as:

The added functionality has not been documented (option A), which can lead to confusion, inconsistency, errors, and rework3.

The project may fail to meet the established deadline (option C), which can result in delays, penalties, and customer dissatisfaction3.

The project may go over budget (option D), which can cause cost overruns, financial losses, and reduced profitability3.

However, the main risk is that the new functionality may not meet requirements (option B), which can have serious consequences such as:

The new functionality may not be compatible with the existing system or other components3.

The new functionality may not be tested or verified for quality, performance, security, or usability3.

The new functionality may not deliver the expected value or benefits to the users or customers3.

The new functionality may not comply with the regulatory or contractual obligations3.

The new functionality may cause dissatisfaction, complaints, or litigation from the stakeholders3.

Therefore, the main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B), as this can jeopardize the success and acceptance of the project.

The business case for an information system investment is a document that provides the rationale and justification for the investment, based on the expected costs, benefits, risks, and impacts of the project12. The business case should be available for review until the benefits have been fully realized, because it serves as a baseline for measuring the actual performance and outcomes of the project against the planned ones34. This helps to evaluate the success and value of the investment, and to identify any gaps or issues that need to be addressed5.

References

1: The Business Case for Security - CISA

2: Beyond the Business Case: New Approaches to IT Investment

3: #HowTo: Build a Business Case for Cybersecurity Investment

4: ISACA CISA Certified Information Systems Auditor Exam … - PUPUWEB

5: The Business Case for Security | CISA

If the audit team lacks the necessary knowledge to audit a system that uses an AI algorithm, engaging external consultants who have audit experience and knowledge of AI would be the best approach12. These consultants can provide the expertise needed to effectively audit the AI system12. This approach ensures that the audit is conducted thoroughly and accurately, without requiring the audit team to acquire new skills or knowledge12.

The executive management concern that could be addressed by the implementation of a security metrics dashboard is the effectiveness of the security program. A security metrics dashboard is a tool that provides a visual representation of key performance indicators (KPIs) and key risk indicators (KRIs) related to the organization’s information security objectives and activities. A security metrics dashboard can help executive management monitor and evaluate the performance and value delivery of the security program, identify strengths and weaknesses, assess compliance with policies and standards, and support decision making and improvement initiatives. Security incidents vs. industry benchmarks, total number of hours budgeted to security, and total number of false positives are not executive management concerns that could be addressed by the implementation of a security metrics dashboard. These are more operational or technical aspects of information security that could be measured and reported by other means, such as incident reports, budget reports, or log analysis. References: [ISACA CISA Review Manual 27th Edition], page 302

 Access to the data center is controlled by a mantrap provides the greatest assurance that only authorized individuals can access a data center. A mantrap is a physical security device that consists of a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens1. A mantrap prevents unauthorized entry by requiring authentication at both doors, such as biometric scanners, card readers, or PIN codes. A mantrap also prevents tailgating, which is the act of following an authorized person into a restricted area without proper authorization2. A mantrap can also detect and trap intruders who attempt to force their way through the doors.

The other options are less effective physical controls for data center access. The data center is patrolled by a security guard is a deterrent measure, but it does not prevent unauthorized access by itself. A security guard may not be able to monitor all entry points, or may be distracted, bribed, or overpowered by intruders. Access to the data center is monitored by video cameras is a detective measure, but it does not prevent unauthorized access either. Video cameras can record the activities of intruders, but they cannot stop them from entering or alert the security personnel in real time. ID badges must be displayed before access is granted is a preventive measure, but it relies on human verification, which can be prone to errors or manipulation. ID badges can also be lost, stolen, or forged by intruders.

Audit findings should be communicated as early as possible to avoid misunderstandings, provide an opportunity for corrective action, and ensure transparency.

Option A (Incorrect):The planning phase involves defining audit scope, objectives, and methodology, but findings are not yet available to discuss with management.

Option B (Incorrect):The reporting phase formalizes audit results, but discussing issuesonlyat this stage may lead to delays in corrective action.

Option C (Incorrect):The follow-up phase ensures that management has implemented corrective actions, but this occursafterthe initial discussion of findings.

Option D (Correct):The fieldwork phase is when auditors activelygather evidence, analyze data, and identify issues. Discussing observationsduringthis phase allows for immediate clarification, validation, and resolution of misunderstandings before the final report.

A digital signature is a type of electronic signature that uses cryptographic techniques to provide authentication, integrity, and non-repudiation of digital documents. A digital signature is created by applying a mathematical function (called a hash function) to the document and then encrypting the result with the sender’s private key. The encrypted hash, along with the sender’s public key and other information, forms the digital signature. The receiver can verify the digital signature by decrypting it with the sender’s public key and comparing the hash with the one computed from the document. If they match, it means that the document has not been altered and that it was signed by the owner of the private key.

Option D is correct because a digital signature is unique to the sender using it, as it depends on the sender’s private key, which only the sender knows and controls. No one else can create a valid digital signature with the same private key, and no one can forge or modify a digital signature without being detected.

Option A is incorrect because a digital signature is not under control of the receiver, but rather under control of the sender. The receiver can only verify the digital signature, but cannot create or modify it.

Option B is incorrect because a digital signature is not capable of authorization, but rather capable of authentication. Authorization is the process of granting or denying access to resources based on predefined rules or policies. Authentication is the process of verifying the identity or legitimacy of a person or entity. A digital signature can authenticate the sender of a document, but it cannot authorize what actions the receiver can perform on the document.

Option C is incorrect because a digital signature does not dynamically validate modifications of data, but rather statically validates the integrity of data. A digital signature is based on a snapshot of the document at the time of signing, and any subsequent changes to the document will invalidate the digital signature. A digital signature does not monitor or update itself based on data modifications.

Comprehensive and Detailed Explanation:

The primary purpose of IT capacity management is to ensure that IT infrastructure can meet current and future performance requirements in a cost-effective manner.

Option A is correct because it directly relates to capacity management goals.

Option B (rapid deployment) relates more to change management.

Option C (security concerns) is outside the scope of capacity management.

Option D (reducing cost/time) may be a secondary benefit but not the primary objective.

???? ISACA Reference: CISA Review Manual 27th Edition, Domain 2, section on capacity management and IT service performance.

 The greatest benefit of using a prototyping approach in software development is that it helps to conceptualize and clarify requirements. A prototyping approach is a method of creating a simplified or partial version of a software product to demonstrate its features and functionality. A prototyping approach can help to elicit, validate, and refine the requirements of the software product, as well as to obtain feedback from the users and stakeholders. The other options are not the greatest benefits of using a prototyping approach, but rather possible outcomes or advantages of doing so. References:

CISA Review Manual (Digital Version), Chapter 4, Section 4.3.11

CISA Review Questions, Answers and Explanations Database, Question ID 227

The greatest resulting impact of project reporting not accurately reflecting current progress is that the project steering committee cannot provide effective governance. The project steering committee is a group of senior executives or stakeholders who oversee the project and provide strategic direction, guidance, and support. The project steering committee relies on accurate and timely project reporting to monitor the project’s status, performance, risks, issues, and changes. If the project reporting is inaccurate, the project steering committee cannot make informed decisions, resolve problems, allocate resources, or ensure alignment with the organizational goals and objectives.

The other options are not as impactful as option C. The project manager will have to be replaced is a possible consequence, but not the greatest impact, of inaccurate project reporting. The project manager is responsible for planning, executing, monitoring, controlling, and closing the project. The project manager may face disciplinary actions or termination if they fail to provide accurate and honest project reporting. However, this does not necessarily affect the overall governance of the project. The project reporting to the board of directors will be incomplete is a potential risk, but not the greatest impact, of inaccurate project reporting. The board of directors is the highest governing body of an organization that sets the vision, mission, values, and policies. The board of directors may receive periodic orad hoc project reporting to ensure that the project is aligned with the organizational strategy and delivers value. If the project reporting is inaccurate, the board of directors may lose confidence in the project or intervene in its management. However, this does not directly affect the day-to-day governance of the project. The project will not withstand a quality assurance (QA) review is a possible outcome, but not the greatest impact, of inaccurate project reporting. A quality assurance review is a process to evaluate the quality of the project’s processes and deliverables against predefined standards and criteria. A quality assurance review may reveal discrepancies or errors in the project reporting that may affect the credibility and reliability of the project. However, this does not necessarily affect the governance of the project. References: Project Steering Committee - Roles and Responsibilities, Project Reporting Best Practices, Quality Assurance in Project Management

The most significant risk that IS auditors are required to consider for each engagement is the misalignment with business objectives. This is because IS audit engagements are intended to provide assurance that the IT systems and processes support the achievement of the business objectives and strategies. If there is a misalignment,it could result in wasted resources, missed opportunities, inefficiencies, errors, or failures that could adversely affect the organization’s performance and reputation12. References: 1: CISA Review Manual (Digital Version), Chapter 1: The Process of Auditing Information Systems, Section 1.3: Audit Risk, page 28 2: CISA Online Review Course, Module 1: The Process of Auditing Information Systems, Lesson 1.3: Audit Risk

The best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities is to perform a configuration review. A configuration review is an audit procedure that involves examining and verifying the security settings and parameters of application servers against predefined standards or best practices. A configuration review can help to identify and remediate any deviations, inconsistencies, or misconfigurations thatmay expose the application servers to unauthorized access, exploitation, or compromise6. A configuration review can also help to ensure compliance with security policies and regulations, as well as enhance the performance and availability of application servers. The other options are less effective or incorrect because:

A. Improving the change management process is not the best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities, as it does not address the root cause of the problem or provide a specific solution. While improving the change management process may help to prevent future inconsistencies or misconfigurations in application server settings, it does not ensure that the existing ones are detected and corrected.

B. Establishing security metrics is not the best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities, as it does not address the root cause of the problem or provide a specific solution. While establishing security metrics may help to measure and monitor the security performance and posture of application servers, it does not ensure that the existing inconsistencies or misconfigurations in application server settings are detected and corrected.

C. Performing a penetration test is not the best recommendation by the IS auditor for finding that application servers had inconsistent security settings leading to potential vulnerabilities, as it does not address the root cause of the problem or provide a specific solution. While performing a penetration test may help to simulate and evaluate the impact of an attack on application servers, it does not ensure that the existing inconsistencies or misconfigurations in application server settings are detected and corrected. References: Configuring system to useapplication server security - IBM, Application Security Risk: Assessment and Modeling - ISACA, Five Key Components of an Application SecurityProgram - ISACA, ISACA Practitioner Guidelines for Auditors - SSH, SCADA Cybersecurity Framework - ISACA

 The IS auditor’s primary focus when evaluating an organization’s offsite storage facility should be the adequacy of physical and environmental controls. Physical and environmental controls are essential to protect the offsite storage facility from unauthorized access, theft, fire, water damage, pests or other hazards that could compromise the integrity and availability of backup media. Shared facilities is something that the IS auditor should consider when evaluating the offsite storage facility, but it is not the primary focus. Results of business continuity plan (BCP) test or retention policy and period are things that the IS auditor should review when evaluating the organization’s BCP or backup strategy, not the offsite storage facility itself. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 388

Enterprise Architecture (EA) governance requires proper oversight and separation of duties to ensure strategic alignment and risk management.

Option A (Correct):If IT application owners have sole authority over architecture approval, there is a high risk of inadequate governance, lack of strategic alignment, and potential conflicts of interest. Architecture decisions should involve multiple stakeholders, including business and security teams, to ensure compliance, security, and business alignment.

Option B (Incorrect):While having the CIO chair the architecture review board might not be ideal, it is not thegreatestconcern. The CIO is a senior leader who can provide oversight and direction, even if additional governance mechanisms should be in place.

Option C (Incorrect):Reviewing security requirements within the EA program is abest practice, as it ensures that security is embedded into enterprise architecture rather than treated as an afterthought.

Option D (Incorrect):Enterprise architecture should ideally encompass both IT and business processes. Governing non-IT-related projects is not inherently problematic, as EA is designed to align business strategy with IT infrastructure.

The IS auditor’s most important course of action after finding that several similar incidents were logged during the audit period is to determine if a root cause analysis was conducted. A root cause analysis is a systematic process that identifies the underlying causes of system failures or incidents. A root cause analysis can help to prevent recurrence of similar incidents, improve system performance and reliability, and enhance incident management processes. The IS auditor should evaluate whether a root cause analysis was performed for each incident, whether it was timely and thorough, and whether it resulted in effective corrective actions.

Comprehensive and Detailed Explanation:

A Certification Practice Statement (CPS) is a detailed document that describes the practices a Certificate Authority (CA) uses when issuing and managing digital certificates. It includes procedures for handling compromised private keys, revocation, renewal, and security controls.

Certificate policy (B): High-level rules governing certificate usage, but not operational details.

PKI disclosure statement (C): Provides users with general PKI-related information.

Certificate revocation list (D): A technical mechanism listing revoked certificates, but not the procedures for managing compromise.

???? ISACA Reference: CISA Review Manual 27th Edition, Domain 5, section on PKI components and certificate lifecycle management.

The best recommendation for the auditor to make is D. Line management should regularly review and request modification of access rights. Access rights are the permissions and privileges granted to users to access, view, modify, or delete data or resources on a system or network1. Excessive rights are access rights that are not necessary or appropriate for a user’s role or function, and may pose a risk of unauthorized or inappropriate use of data or resources2. Therefore, it is important to ensure that access rights are alignedwith the principle of least privilege, which means that users should only have the minimum level of access required to perform their duties2.

Line management is responsible for overseeing and supervising the activities and performance of their staff, and ensuring that they comply with the organization’s policies and standards3. Therefore, line management should regularly review and request modification of access rights for their staff, as they are in the best position to:

Understand the roles and functions of their staff, and determine the appropriate level of access rights needed for them to perform their duties effectively and efficiently.

Monitor and evaluate the usage and behavior of their staff, and identify any changes or anomalies that may indicate excessive or inappropriate access rights.

Communicate and collaborate with IT security or system administrators, who are responsible for granting, revoking, or modifying access rights, and request any necessary adjustments or corrections.

 An organization outsourced its IS functions. To meet its responsibility for disaster recovery, the organization should coordinate disaster recovery administration with the outsourcing vendor. This is because the organization remains accountable for ensuring the continuity and availability of its IS functions, even if they are outsourced to a third party. The organization should establish clear roles and responsibilities, communication channels, testing procedures, and escalation processes with the outsourcing vendor for disaster recovery purposes. The organization should not discontinue maintenance of the disaster recovery plan (DRP), as it still needs to have a documented and updated plan for restoring its IS functions in case of a disaster. The organization should not delegate evaluation of disaster recovery to a third party or internal audit, as it still needs to monitor and review the performance and compliance of the outsourcing vendor with respect to disaster recovery objectives and standards. References: CISA Review Manual (Digital Version), [ISACA Auditing Standards]

The system only allows payments to vendors who are included in the system’s master vendor list is an example of a preventative control in an accounts payable system. A preventative control is a control that aims to prevent errors or irregularities from occurring in the first place. By restricting payments to vendors who are authorized and verified in the master vendor list, the system prevents unauthorized or fraudulent payments from being made. The other options are examples of other types of controls, such as backup (recovery), reconciliation (detective), and communication (directive) controls. References: CISA Review Manual, 27th Edition, page 223

SFTP (Secure File Transfer Protocol)is the most secure option for transferring data over the internet, as it encrypts both commands and data, ensuring confidentiality and integrity.

SFTP (Correct Answer – C)

Uses SSH (Secure Shell) for encryption.

Provides authentication and encryption for secure data transfers.

Example:A company uses SFTP to securely transmit payroll files to a third-party processor.

UDP (Incorrect – A)

Faster but lacks encryption and data integrity checks.

HTTP (Incorrect – B)

Transfers data in plaintext and is vulnerable to interception.

RDP (Incorrect – D)

Used for remote desktop access, not secure file transfers.

Implementing business rules to validate employee data entry is the best way to reduce the likelihood of future occurrences of poor data quality that cause customer complaints about receiving different items from what they ordered on the organization’s website. Business rules are logical statements that define the conditions and actions for data validation, such as checking for data completeness, accuracy, consistency, and integrity. Assigning responsibility for improving data quality, investing in additional employee training for data entry, and outsourcing data cleansing activities to reliable third parties are also possible ways to improve data quality, but they are not as effective as implementing business rules to validate employee data entry. References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.1

An IT steering committee is a group of senior executives and stakeholders who provide strategic direction, guidance, and oversight for the IT function of an organization. An IT steering committee can help to improve the maturity of the IT team by ensuring that the IT initiatives are aligned with the business goals and objectives, that the IT resources are allocated and utilized effectively and efficiently, and that the IT performance and value are measuredand communicated. An IT steering committee can also help to resolve conflicts, prioritize demands, and foster collaboration among the IT project managers and other business units.

References

ISACA CISA Review Manual, 27th Edition, page 254

Auditing IT Governance

The Impact of Poor IT Audit Planning and Mitigating Audit Risk

IS Audit Basics: The Components of the IT Audit Report

The most concerning issue when determining if information assets are adequately safeguarded during transport and disposal is lack of appropriate data classification. Data classification is a process that assigns categories or levels of sensitivity to different types of information assets based on their value, criticality, or risk to the organization. Data classification can help safeguard information assets during transport and disposal by providing criteria and guidelines for identifying, labeling, handling, and protecting information assets according to their sensitivity. Lack of appropriate data classification can compromise the security and confidentiality of information assets during transport and disposal by exposing them to unauthorized access, disclosure, theft, damage, or destruction. The other options are not as concerning as lack of appropriate data classification in safeguarding information assets during transport and disposal, as they do not affect the identification, labeling, handling, or protection of information assets according to their sensitivity. Lack of appropriate labeling is a possible factor that may increase the risk of misplacing, losing, or mishandling information assets during transport and disposal, but it does not affect the classification of information assets according to their sensitivity. Lack of recent awareness training is a possible factor that may affect the knowledge or behavior of staff involved in transporting or disposing of information assets, but it does not affect the classification of information assets according to their sensitivity. Lack of password protection is a possible factor that may affect the security or confidentiality of information assets stored on devices during transport and disposal, but it does not affect the classification of information assets according to their sensitivity. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2

The most important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy is the business objectives. An information security policy is a document that defines the organization’s approach to protecting its information assets from internal and external threats. It should align with the organization’s mission, vision, values, and goals, and support its business processes and functions1. An informationsecurity policy should also be focused on the business needs and requirements of the organization, rather than on technical details orspecific solutions2.

The other options are not as important as the business objectives, because they do not directly reflect the organization’s purpose and direction. IT steering committee minutes are records of the discussions and decisions made by a group of senior executives who oversee the IT strategy and governance of the organization. They may provide some insights into the information security policy, but they are not sufficientto evaluate its adequacy3. Alignment with the IT tactical plan is a measure of how well the information security policy supports the short-term actions and projects that implement the IT strategy. However, the IT tactical plan itself shouldbe aligned with the business objectives, and not vice versa4. Compliance with industry best practice is a desirable quality of an information security policy, but it is not a guarantee of its effectiveness or suitability for the organization. Industry best practices are general guidelines or recommendations that may not apply to every organization or situation. An information security policy should be customized and tailored to the specific context and needs of the organization. References:

The 12 Elements of an Information Security Policy | Exabeam1

11 Key Elements of an Information Security Policy | Egnyte2

What is an IT steering committee? Definition, roles and responsibilities …3

What is IT Strategy? Definition, Components and Best Practices | BMC …4

IT Security Policy: Key Components and Best Practices for Every Business 

The best way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems is to establish rules for converting data from one format to another, because this ensures that the data quality and integrity are maintained throughout the data transformation process. Data conversion rules define the standards, procedures, and methods for transforming data from different sources and formats into a common format andstructure that can be used by the business intelligence systems12. Implementing data entry controlsfor new and existing applications, implementing a consistent database indexing strategy, and developing a metadata repository to store and access metadata are not the best ways to reduce the risk of inaccurate or misleading dataproliferating through business intelligence systems, becausethey do not address the issue of dataconversion, which is a critical step in the data integration process for business intelligence systems. References: 1: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.3 2: CISA Online Review Course, Module 4, Lesson 3

The most effective method for positive authentication for physical access is a retina scan because it uses a biometric characteristic that is strongly tied to the individual and difficult to share, transfer, or replicate compared with cards, codes, or visual checks. ISACA materials discussing physical access and identity verification recognize biometrics such as retina scans as a high-assurance authentication mechanism.

Option B is correct because positive authentication means reliably confirming that the person presenting for access is truly the claimed individual. A retina scan verifies “something you are,” which is generally stronger than “something you have” or “something you know” for physical access authentication.

Option A is weaker because a proximity card is only possession-based authentication. It can be lost, borrowed, stolen, or shared, so it does not positively verify identity to the same degree as biometrics. This makes it less effective than a retina scan.

Option C is also weaker. A numeric keypad depends on a code that can be disclosed or observed, and a surveillance camera is more detective than authentication-focused. Together they do not provide the same strong identity binding as biometrics.

Option D improves assurance somewhat, but a smart card is still possession-based and a security guard’s judgment can be fallible. Human verification helps, but it does not usually match the direct individual-specific certainty of biometric authentication.

Therefore, B is the best answer because a retina scan most effectively provides positive authentication by directly verifying an individual’s unique biometric characteristic.

References (Official ISACA):

ISACA Journal, Against the Quantum Threat: Selective Compatibility — references retina and palm print scans being confirmed at each use to prevent identity theft.

ISACA News and Trends biometric authentication resources index.

 The planning phase is the stage of the internal audit process where contact is established with the individuals responsible for the business processes in scope for review. The planning phase involves defining the objectives, scope, and criteria of the audit, as well as identifying the key risks and controls related to the audited area. The planning phase also involves communicating with the auditee to obtain relevant information, documents, and data, as well as to schedule interviews, walkthroughs, and meetings. The planning phase aims to ensure that the audit team has a clear understanding of the audited area and its context, and that the audit plan is aligned with the expectations and needs of the auditee and other stakeholders.

The execution phase is the stage of the internal audit process where the audit team performs the audit procedures according to the audit plan. The execution phase involves testing the design and operating effectiveness of the controls, collecting and analyzing evidence, documenting the audit work and results, and identifying any issues or findings. The execution phase aims to provide sufficient and appropriate evidence to support the audit conclusions and recommendations.

The follow-up phase is the stage of the internal audit process where the audit team monitors and verifies the implementation of the corrective actions agreed upon by the auditee in response to the audit findings. The follow-up phase involves reviewing the evidence provided by the auditee, conducting additional tests or interviews if necessary, and evaluating whether the corrective actions have adequately addressed the root causes of the findings. The follow-up phase aims to ensure that the auditee has taken timely and effective actions to improve its processes and controls.

The selection phase is not a standard stage of the internal audit process, but it may refer to the process of selecting which areas or functions to audit based on a risk assessment or an annual audit plan. The selection phase involves evaluating the inherent and residual risks of each potential auditable area, considering the impact, likelihood, and frequency of those risks, as well as other factors such as regulatory requirements, stakeholder expectations, previous audit results, and available resources. The selection phase aims to prioritize and allocate the audit resources to those areas that present the highest risks or opportunities for improvement.

Therefore, option A is the correct answer.

 The primary benefit of information asset classification is that it enables risk management decisions. Information asset classification helps to identify the value, sensitivity and criticality of information assets, and to determine the appropriate level of protection and controls required for them. This facilitates risk assessment and risk treatment processes, and ensures that information assets are aligned with business objectives and regulatory requirements. Preventing loss of assets, helping to align organizational objectives or facilitating budgeting accuracy are secondary benefits of information asset classification, but not the main purpose. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 300