CISA Exam Dumps - Isaca Certification Questions and Answers

An IS auditor reviewing the threat assessment for a data center would be most concerned if all identified threats relate to external entities. This indicates that the threat assessment is incomplete and biased, as it ignores the potential threats from internal sources, such as employees, contractors, vendors, or authorized visitors. Internal threats can pose significant risks to the data center, as they may have access to sensitive information, systems, or facilities, and may exploit their privileges for malicious or fraudulent purposes. According to a study by IBM, 60% of cyberattacks in 2015 were carried out by insiders1

Some of the identified threats are unlikely to occur is not a cause for concern, as it shows that the threat assessment is comprehensive and realistic, and considers all possible scenarios, regardless of their probability. A threat assessment should not exclude any potential threats based on subjective judgments or assumptions, as they may still have a high impact if they materialize.

The exercise was completed by local management is not a cause for concern, as it shows that the threat assessment is conducted by the people who are most familiar with the data center’s operations, environment, and risks. Local management may have more relevant and accurate information and insights than external parties, and may be more invested in the outcome of the threat assessment.

Neighboring organizations’ operations have been included is not a cause for concern, as it shows that the threat assessment is holistic and contextual, and considers the interdependencies and influences of external factors on the data center’s security. Neighboring organizations’ operations may pose direct or indirect threats to the data center, such as physical damage, network interference, or shared vulnerabilities.

The audit finding that should be of greatest concern is that tasks defined on the critical path do not have resources allocated, as this means that the project is likely to face significant delays and cost overruns, since the critical path is the sequence of activities that determines the minimum time required to complete the project. The actual start times of some activities being later than originally scheduled may indicate some minor deviations from the project plan, but they may not necessarily affect the overall project completion time if they are not on the critical path. The project manager lacking formal certification may affect the quality and efficiency of the project management process, but it does not necessarily imply that the project manager is incompetent or unqualified. Milestones have been defined for all project products, but they may not be realistic or achievable if they do not take into account the resource constraints and dependencies of the critical path tasks. References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.3: IT Project Management

The business owner is the person or entity that has the authority and responsibility for defining the purpose and scope of the processing of personal data, as well as the expected outcomes and benefits. The business owner is also accountable for ensuring that the processing of personal data complies with the applicable laws and regulations, such as the General Data Protection Regulation (GDPR) or the Data Protection Act 2018 (DPA 2018).

One of the requirements of the GDPR and the DPA 2018 is to adhere to the principle of storage limitation, which states that personal data should be kept for no longer than is necessary for the purposes for which it is processed1. This means that the business owner should determine and justify how long they need to retain personal data, based on factors such as:

The nature and sensitivity of the personal data

The legal or contractual obligations or rights that apply to the personal data

The business or operational needs and expectations that depend on the personal data

The risks and impacts that may arise from retaining or deleting the personal data

The business owner should also establish and document the conditions and methods for the destruction of personal data, such as:

The criteria and triggers for deciding when to destroy personal data

The procedures and tools for securely erasing or anonymising personal data

The roles and responsibilities for carrying out and overseeing the destruction of personal data

The records and reports for verifying and evidencing the destruction of personal data

Therefore, retention periods and conditions for the destruction of personal data should be determined by the business owner, as they are in charge of defining and managing the processing of personal data, as well as ensuring its compliance with the law.

The auditor’s primary course of action is to evaluate the impact of the partial compliance. When a control is only partially operating as designed, the auditor must first assess significance: what risk remains, what objectives are affected, and whether the deviation is material enough to become a reportable finding. ISACA audit and follow-up guidance emphasizes capturing and following up on significant issues and deficiencies, which implies the need for impact evaluation before deciding on reporting or recommendations.

Option B is correct because evaluating impact is what determines the seriousness of the deficiency and the appropriate audit response. Without understanding the effect of the deviation, the auditor cannot appropriately decide whether to escalate it, report it, or recommend redesign.

Option C is important and usually happens during audit communication, but discussion with control owners is not the primary analytical step. The auditor must first understand the risk and significance of the partial compliance.

Option D is incorrect because not every partial deviation should automatically become a final-report finding. The auditor should first evaluate whether the issue is significant and reportable. ISACA follow-up guidance specifically refers to significant issues/findings.

Option A is also incorrect because recommending redesign may be appropriate later, but only after the auditor understands the impact and whether the problem is design-related, operating-related, or user-adoption-related.

Therefore, B is the best answer because impact evaluation comes before escalation, formal reporting, or redesign recommendations.

References (Official ISACA):

ISACA Journal, Enhancing the Audit Follow-up Process Using COBIT 5 — significant issues/findings should be captured and followed up.

ISACA Journal, An Approach Toward Sarbanes-Oxley ITGC Risk Assessment — supports a risk-based evaluation approach focused on control process areas.

ISACA, How Effective Is Your Cybersecurity Audit — effectiveness depends on evaluating gaps and their implications.

 When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor’s best recommendation is to place an intrusion detection system (IDS) between the firewall and the Internet, as this would provide an additional layer of security and alert the organization of any malicious traffic that bypasses or penetrates the firewall. Placing an IDS between the firewall and the demilitarized zone (DMZ), the organization’s web server, or the organization’s network would not be as effective, as it would only monitor the traffic that has already passed through the firewall. References: CISA Review Manual (DigitalVersion), Chapter 5, Section 5.4.3

Regression testing is the most appropriate testing method for assessing whether system integrity has been maintained after changes have been made. Regression testing is a type of software testing that ensures that previously developed and tested software still performs as expected after a change1 Regression testing helps to detectany defects or errors that may have been introduced or uncovered due to the change2 Regression testing can be performed at different levels of testing, such as unit, integration, system, and acceptance3

Unit testing is a type of software testing that verifies the functionality of individual components or units of code. Unit testing is usually performed by developers before integrating the code with other components. Unit testing helps to identify and fix errors at an early stage of development, but it does not ensure that the system as a whole works as expected after a change.

Integration testing is a type of software testing that verifies the functionality, performance, and reliability of the interactions between different components or units of code. Integration testing is usually performed after unit testing and before system testing. Integration testing helps to identify and fix errors that may occur when different components are integrated, but it does not ensure that the system as a whole works as expected after a change.

Acceptance testing is a type of software testing that verifies whether the system meets the user requirements and expectations. Acceptance testing is usually performed by end-users or customersafter system testing and before deploying the system to production. Acceptance testing helps to ensure that the system delivers the desired value and quality to the users, but it does not ensure that the system as a whole works as expected after a change.

The primary purpose of a Business Impact Analysis (BIA) is to prioritize the restoration of systems and applications (D) based on their criticality to business operations. A BIA assesses the impact of disruptions, identifies critical processes, and determines recovery time objectives (RTOs) and recovery point objectives (RPOs).

Other options:

Identifying legal obligations (A) is an aspect of compliance but not the primary benefit of a BIA.

Providing updates on disaster risk levels (B) falls under risk management rather than BIA objectives.

Delineating employee responsibilities (C) is part of business continuity planning (BCP), not the BIA’s main goal.

Comprehensive and Detailed Explanation:

The most important step in a privacy audit is to ensure that all risks associated with PII handling are identified. This requires analyzing the entire PII data life cycle—from collection, processing, storage, and transfer to retention and destruction.

Option A: Reviewing data management controls is part of the audit but is narrower than life cycle coverage.

Option B: Privacy training is necessary, but training alone doesn’t ensure compliance.

Option C: Reviewing third-party agreements is important but only covers outsourced risks.

Option D: Provides comprehensive coverage of privacy risks across all stages.

???? ISACA Reference: CISA Review Manual 27th Edition, Domain 5, section on data privacy, data life cycle, and PII risks.

The greatest concern for an IS auditor reviewing contracts for licensed software that executes a critical business process is that software escrow was not negotiated. Software escrow is an arrangement where a third-party holds a copy of the source code and documentation of a licensed software in a secure location. The software escrow agreement specifies the conditions under which the licensee can access the escrowed materials, such as in case of bankruptcy, termination, or breach of contract by the licensor. Software escrow is important for ensuring the continuity and availability of a critical business process that depends on a licensed software. Without software escrow, the licensee may face significant risks and challenges in maintaining, modifying, or recovering the software in case of any disruption or dispute with the licensor. References:

CISA Review Manual (Digital Version)

CISA Questions, Answers and Explanations Database

 Audit observations are the findings and recommendations that result from an audit engagement. Audit observations should be first communicated with the auditee during fieldwork, which is the stage of the audit process where the auditor collects and analyzes evidence to evaluate the audit objectives1. Communicating audit observations during fieldwork has several benefits, such as2:

It allows the auditor to verify the accuracy and completeness of the observations, and to obtain additional information or clarification from the auditee if needed.

It enables the auditor to discuss the root causes, impacts, and risks of the observations, and to solicit the auditee’s input on possible corrective actions and implementation timelines.

It helps to build rapport and trust between the auditor and the auditee, and to avoid surprises or disagreements at the end of the audit.

It facilitates timely resolution of audit observations, and reduces the risk of audit delays or disputes.

Therefore, option B is the correct answer.

Option A is not correct because communicating audit observations when drafting the report is too late, as it may lead to misunderstandings, conflicts, or revisions that could have been avoided if the observations were communicated earlier. Option C is not correct because communicating audit observations at the end of fieldwork is also not ideal, as it may not leave enough time for the auditor and the auditee to discuss and agree on the observations and recommendations. Option D is not correct because communicating audit observations within the audit report is the final step of the audit process, not the first.

Comprehensive and Detailed Explanation:

The primary purpose of vulnerability assessments is to identify known weaknesses before they can be exploited by attackers.

Option A: Security awareness is a benefit but not the main purpose.

Option C: Improving posture is an outcome, not the direct purpose.

Option D: Protection against threats is broader than vulnerability assessment.

???? ISACA Reference: CISA Review Manual 27th Edition, Domain 5, section on vulnerability management and assessments.

This means that the organization should obtain the source code from the escrow agent and compare it with the current version of the application that they are using. The organization should then identify and apply any changes or updates that are missing or different in the escrow version, so that it matches the current version. This way, the organization can ensure that they have a complete and accurate copy of the source code that reflects their current needs and requirements.

Bringing the escrow version up to date can help the organization to avoid or reduce the risks and costs associated with using an outdated or incompatible version of the source code. For example, an older version of the source code may have bugs, errors, or vulnerabilities that could affect the functionality, security, or performance of the application. An older version of the source code mayalso lack some features, enhancements, or integrations that could improve the usability, efficiency, or value of the application. An older version of the source code may also not comply with some standards, regulations, or contracts that could affect the quality, reliability, or legality of the application1.

The other options are not as good as bringing the escrow version up to date for the organization. Option A, analyzing a new application that meets the current requirements, is a possible option but it may be more time-consuming, expensive, and risky than updating the existing application. The organization may have to go through a complex and lengthy process of selecting, acquiring, implementing, testing, and migrating to a new application, which could disrupt their operations and performance. The organization may also have to deal with compatibility, interoperability, or data quality issues when switching to a new application2. Option B, performing an analysis to determine the business risk, is a necessary step but not a recommendation for the organization. The organization should already be aware of the business risk of using an application whose vendor has gone out of business and whose escrow has an older version of the source code. The organization should focus on finding and implementing a solution to mitigate or eliminate this risk3. Option D, developing a maintenance plan to support the application using the existing code, is not a feasible option because it assumes that the organization has access to the existing code. However, this is not the case because the vendor has gone out of business and the escrow has an older version of the source code. The organization cannot support or maintain an application without having a complete and accurate copy of its source code.

The auditor should be most concerned about the information security policy not being approved by the policy owner. This is because the policy owner is the person who has the authority and accountability for ensuring that the policy is implemented and enforced. Without the policy owner’s approval, the policy may not reflect the organization’s objectives, risks, and compliance requirements. The policy owner is usually a senior executive or a board member who has a stake in the information security governance. The other options are less critical than the policy owner’s approval, although they may also indicate some weaknesses in the policy development and maintenance process. References:

CISA Review Manual (Digital Version), Chapter 1, Section 1.21

CISA Online Review Course, Domain 5, Module 1, Lesson 12

A change log is a record of all changes made to a system or application, including the date, time, description, and approval of each change. A change log can help an IS auditor to trace the source and authorization of a modification to a system’s security settings. A system event correlation report is a tool that analyzes data from multiple sources to identify patterns and anomalies that indicate potential security incidents. A database log is a record of all transactions and activities performed on a database, such as queries, updates, and backups. A security incident and event management (SIEM) report is a tool that collects, analyzes, and reports on data from various sources to detect and respond to security incidents. 

Before selecting a SaaS vendor, the most important action is to complete a risk assessment. A risk assessment is a process of identifying, analyzing, and evaluating the potential risks associated with outsourcing software and IT infrastructure to a third-party provider. A risk assessment helps to determine the impact and likelihood of various threats, such as data breaches, service disruptions, vendor lock-in, compliance issues, and legal disputes. A risk assessment also helps to identify the mitigation strategies and controls that can reduce or eliminate the risks.

A risk assessment is more important than determining service level requirements, performing a business impact analysis (BIA), or conducting a vendor audit because it provides the basis for these other actions. Service level requirements are the expectations and obligations that define the quality and quantity of service that the vendor must provide to the customer. A BIA is a process of assessing the potential effects of an interruption or disruption of critical business functions or processes due to an incident or disaster. A vendor audit is a process of verifying the vendor’s compliance with the contract terms, service levels, security policies, and best practices.

Service level requirements, BIA, and vendor audit are all important actions for selecting a SaaS vendor, but they depend on the results of the risk assessment. For example, service level requirements should reflect the risk appetite and tolerance of the customer, which are determined by the risk assessment. A BIA should prioritize the recovery of the most critical and vulnerable business functions or processes, which are identified by the risk assessment. A vendor audit should focus on the areas of highest risk and concern, which are highlighted by the risk assessment.

Therefore, an IS auditor should recommend to management that completing a risk assessment is the most important action before selecting a SaaS vendor.

Deep packet inspection (DPI) is a core capability of data loss prevention (DLP) tools that allows the analysis of the content of data packets in transit. This helps detect the unauthorized movement of sensitive data by examining packet-level details.

Network Traffic Logs (Option A):These provide historical data but do not actively detect data in transit.

Data Inventory (Option C):Useful for identifying where sensitive data resides but not for monitoring its movement.

Proprietary Encryption (Option D):Protects data but does not detect unauthorized transmission.

This directly addresses the gap for new hires, creates a consistent expectation regardless of hiring date, and formalizes the process within organizational policy.

References

ISACA CISA Review Manual (Current Edition) - Chapters on Information Security Policies, Training and Awareness

Industry Best Practices for Security Awareness - Emphasize the importance of timely and comprehensive training for new employees.

The audit team’s most important course of action is to consult the legal department to understand the procedure for requesting data from a different jurisdiction, as this will ensure that the data analytics techniques are compliant with the applicable laws and regulations of both countries12. Requesting data from a foreign branch may involve legal risks such as data privacy, data sovereignty, and data protection34, and the audit team should seek legal guidance before proceeding with the data extraction and analysis.

References

1: Data Analytics and Auditing Standards 2: Data Analytics and the Audit Process 3: Data Privacy and Data Protection: US Law and Legislation 4: Data Sovereignty: What It Is and Why It Matters

The best document for an IS auditor to use in detecting a weakness in segregation of duties is a process flowchart. A process flowchart is a diagram that illustrates the sequence of steps, activities, tasks, or decisions involved in a business process. A process flowchart can help detect a weakness in segregation of duties by showing who performs what actions or roles in a process, and whether there is any overlap or conflict of interest among them. The other options are not as useful as a process flowchart in detecting a weakness in segregation of duties, as they do not show who performs what actions or roles in a process. A system flowchart is a diagram that illustrates the components, functions, interactions, or logic of an information system. A data flow diagram is a diagram that illustrates how data flows from sources to destinations through processes, stores, or external entities. An entity-relationship diagram is a diagram that illustrates how entities (such as tables) are related to each other through attributes (such as keys) in a database. References: CISA ReviewManual (Digital Version), Chapter 3, Section 3.2

 The type of control that is in place when an organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified is directive. Directive controls are those that guide or direct the actions of individuals or groups to achieve a desired outcome. Directive controls can also help to prevent or reduce the occurrence of undesirable events. Hiring policies and procedures are examples of directive controls that aim to ensure that only qualified and competent personnel are employed to perform IT-related tasks. References:

CISA Review Manual (Digital Version), Chapter 4, Section 4.11

CISA Online Review Course, Domain 1, Module 2, Lesson 12

 The internal audit manager should have a reporting line to the audit committee, which is an independent body that oversees the internal audit function and ensures its objectivity and accountability. Reporting functionally to a senior management official may compromise the independence and clarity of the internal audit reporting process, as senior management may have a vested interest in the audit results or influence the audit scope and priorities. *References: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1002 Independence, “The chief audit executive (CAE)should report functionally to the board or its equivalent (e.g., audit committee) and administratively to executive management.” 1

 The record-locking option of a database management system (DBMS) serves to eliminate the risk of concurrent updates to a record by different users or transactions. Record locking is a technique of preventing simultaneous access to data in a database, to prevent inconsistent results1. For example, if two bank clerks try to update the same bank account for two different transactions, record locking can ensure that only one clerk can modify the record at a time, while the other has to wait until the lock is released. This way, the record will reflect both transactions correctly and avoid data corruption.

Record locking does not serve to allow database administrators (DBAs) to record the activities of users. This is a function of auditing or logging, which can track the actions performed by users on the database2. Record locking does not affect the ability of DBAs to monitor or audit user activities.

Record locking does not serve to restrict users from changing certain values within records. This is a function of access control or authorization, which can enforce rules or policies on what data users can view or modify2. Record locking does not affect the permissions or privileges of users on the database.

Record locking does not serve to allow users to lock others out of their files. This is a function of encryption or password protection, which can secure files from unauthorized access or modification3. Record locking does not affect the security or confidentiality of files on the database.

The most critical factor for the effective implementation of IT governance is a supportive corporate culture. A supportive corporate culture is one that fosters collaboration, communication and commitment among all stakeholders involved in IT governance processes. A supportive corporate culture also promotes a shared vision, values and goals for IT governance across the organization. Strong risk management practices, internal auditor commitment or documented policies are important elements for IT governance implementation, but they are not sufficient without a supportive corporate culture. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 41

Monitoringcapacity utilizationsupportsavailabilityby ensuring thatresources remain functional and do not exceed operational limits.

Option A (Incorrect):Integrityensures that data isaccurate and unaltered, but monitoring capacity thresholds primarily relates tosystem availability.

Option B (Correct):Availabilityensures that systems remainaccessible and functional, and monitoring capacity utilization helpsprevent downtimeandservice disruptions.

Option C (Incorrect):Confidentialityensures that data isprotected from unauthorized access, which is unrelated to capacity monitoring.

Option D (Incorrect):Nonrepudiationensures that actions can betraced to specific individuals, but it does not relate tocapacity monitoring.

 An organization’s audit charter primarily describes the auditors’ authority to conduct audits. The audit charter is a formal document that defines the purpose, scope, responsibilities, and reporting relationships of the internal audit function. It also establishes the auditors’ right of access to information, records, personnel, and physical properties relevant to their work. The audit charter provides the basis for the auditors’ independence and accountability to the governing body and senior management. 

 Version control is a process of managing changes to an application or a document. It ensures that only the latest approved version of the application is used by end-users, which reduces the risk of errors, inconsistencies, and unauthorized modifications. Version control also allows tracking the history of changes and restoring previous versions if needed. 

In cloud environments, responsibility for controls is split between the provider and the customer. The division depends on the service model (IaaS, PaaS, SaaS). Misunderstanding the shared responsibility model can create gaps in control coverage, where critical risks may not be managed by either party. SLA penalties (A) are contractual issues, not audit priorities. Availability reports (B) and business process redesign (D) are relevant but not as fundamental as defining control ownership. ISACA’s cloud audit guidelines stress that proper scoping begins with understanding shared responsibilities to avoid assurance gaps.

References (ISACA): ISACA Cloud Computing Audit Program; ISACA Journal – Shared Responsibility in Cloud.

Ineffective incident detectionis the greatest concern becauseearly detection is crucialfor minimizing damage from security incidents. If an organization fails to detect incidentspromptly, attackers may exploit vulnerabilities for extended periods.

Ineffective Incident Detection (Correct Answer – A)

Leads todelayed response, increasingpotential damage.

Example:A company fails to detect a ransomware attack forseveral days, allowing significant data loss.

Ineffective Incident Dashboard (Incorrect – B)

A dashboard helpsvisualizeincidents but doesnot impact detection.

Ineffective Incident Classification (Incorrect – C)

Important, butmisclassificationis asecondary issueif detection fails.

Ineffective Post-Incident Review (Incorrect – D)

Affectsfuture improvementsbut does notimpact immediate response.

The best way to validate that appropriate security controls are in place to prevent data loss is to review compliance with data loss and applicable mobile device user acceptance policies. This will ensure that the organization has established clear rules and guidelines for employees to follow when connecting their personal devices to company-owned computers. A walk-through, a DLP tool configuration, and a security awareness training are not sufficient to validate the effectiveness of the controls, as they may not cover all possible scenarios and risks. References: IT Audit Fundamentals Certificate Resources

The correct answer is B. Management’s commitment to information security. Management’s commitment to information security is the most critical factor for the success of an information security program, as it provides the leadership, support, and resources needed to establish and maintain a secure environment. Management’s commitment to information security can be demonstrated by:

Setting the vision, mission, and goals for information security, and aligning them with the organization’s strategies and objectives1.

Establishing and enforcing the policies, standards, and procedures for information security, and ensuring compliance with relevant laws and regulations1.

Allocating sufficient budget, staff, and technology for information security, and investing in training and awareness programs2.

Promoting a culture of security within the organization, and engaging with stakeholders and partners to foster trust and collaboration2.

The best test to provide assurance that a health care organization is handling patient data appropriately is compliance with local laws and regulations, as these are the primary sources of authority and obligation for data protection and privacy. Compliance with action plans, industry standards, or organizational policies and procedures are also important, but they may not cover all the legal requirements or reflect the currentbest practices for handling patient data. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.3

 The most critical finding for an IS auditor following up on a recent security incident is that the security weakness facilitating the attack was not identified. This finding indicates that the root cause of the incident was not analyzed, and the vulnerability that allowed the attack to succeed was not remediated. This means that the organization is still exposed to the same or similar attacks in the future, and its security posture has not improved. Identifying and addressing the security weakness is a key step in the incident response process, as it helps to prevent recurrence, mitigate impact, and improve resilience.

The other findings are not as critical as the failure to identify the security weakness, but they are still important issues that should be addressed by the organization. The attack was not automatically blocked by the intrusion detection system (IDS) is a finding that suggests that the IDS was not configured properly, or that it did not have the latest signatures or rules to detect and prevent the attack. The attack could not be traced back to the originating person is a finding that implies that the organization did not have sufficient logging, monitoring, or forensic capabilities to identify and attribute the attacker. Appropriate response documentation was not maintained is a finding that indicates that the organization did not follow a consistent and formal incident response procedure, or that it did not document its actions, decisions, and lessons learned from the incident.

An IS auditor should be consulted during the requirements definition phase to recommend security controls. This ensures that security considerations are integrated from the beginning of the software development life cycle, leading to more secure software design and implementation.

References

ISACA CISA Review Manual 27th Edition, Page 240-241 (SDLC Phases)

 Data leakage prevention (DLP) is the process of preventing unauthorized access, disclosure, or transfer of sensitive data. In a multi-tenant cloud environment, where multiple customers share the same infrastructure and resources, DLP is a critical challenge. One of the best methods to enforce DLP in such an environment is to require tenants to implement data classification policies. Data classification policies define the types and levels of sensitivity of data, and the corresponding security controls and measures to protect them. By implementing data classification policies, tenants can ensure that their data is properly labeled, encrypted, segregated, and monitored according to their specific requirements and compliance standards. This can help prevent data leakage from accidental or malicious actions by other tenants, cloud service providers, or external parties.

Comprehensive and Detailed Explanation:

In PKI, when a document is digitally signed:

The signer uses their private key to create the signature.

The recipient uses the signer’s public key to decrypt and verify the signature.

If the decrypted hash matches the document’s computed hash, the document is authentic and unaltered.

Option A: Correct — verification is done with the public key.

Option B: Incorrect — the private key is only used to sign, not verify.

Option C: Wrong — the receiver’s public key is irrelevant.

Option D: Not applicable — audit history is not part of PKI validation.

???? ISACA Reference: CISA Review Manual 27th Edition, Domain 5, section on PKI and digital signatures.

Data disposal controls are the measures that ensure that data are securely and permanently erased or destroyed when they are no longer needed or authorized to be retained. Data disposal controls support business strategic objectives by reducing the risk of data breaches, complying with dataprivacy regulations, optimizing the use of storage resources, and enhancing the reputation and trust of the organization1.

A media sanitization policy is a document that defines the roles, responsibilities, procedures, and standards for sanitizing different types of media that contain sensitive or confidential data. Media sanitization is the process of removing or modifying data on a media device to make it unreadable or unrecoverable by any means. Media sanitization can be achieved by various methods, such as overwriting, degaussing, encryption, or physical destruction2.

A media sanitization policy would provide an IS auditor with the greatest assurance that data disposal controls support business strategic objectives because it demonstrates that the organization has a clear and consistent approach to protect its data from unauthorized access or disclosure throughout the data life cycle. Amedia sanitization policy also helps the organization to comply with various data privacy regulations, such as the EU General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS), that require proper disposal of personal or sensitive data3.

The other options are not as effective as a media sanitization policy in providing assurance that data disposal controls support business strategic objectives. A media recycling policy is a document that defines the criteria and procedures for reusing media devices that have been sanitized or erased. A media recycling policy can help the organization to save costsand reduce environmental impact, but it does not address how the data are disposed of in the first place4. A media labeling policy is a document that defines the rules and standards for labeling media devices that contain sensitive or confidential data. A media labeling policy can help the organization to identify and classify its data assets, but it does not specify how the data are sanitized or destroyed when they are no longer needed. A media shredding policy is a document that defines the methods and procedures for physically destroying media devices that contain sensitive or confidential data. A media shredding policy can be a part of a media sanitization policy, but it is not sufficient to cover all types of media devices or data disposal scenarios.

Reviewing the last compile date of production programs is the most efficient way to detect unauthorized changes to production programs, as it can quickly identify any discrepancies between the expected and actual dates of program modification. The last compile date is a timestamp that indicates when a program was last compiled or translated from source code to executable code. Any changes to the source code would require a recompilation, which would update the last compile date. The IS auditor can compare the last compile date of production programs with the authorizedchange requests and reports to verify that only approved changes were implemented. The other options are not as efficient as option A, as they are more time-consuming, labor-intensive or error-prone. Manually comparing code in production programs to controlled copies is a method of verifying that the code in production matches the code in a secure repository or library, but it requires access to both versions of code and a tool or technique to compare them line by line. Periodically running and reviewing test data against production programs is a method of verifying that the programs produce the expected outputs and results, but it requires designing, executing and evaluating test cases for each program. Verifying user management approval of modifications is a method of verifying that the changes to production programs were authorized and documented, but it does not ensure that the changes were implemented correctly or accurately. References: CISA Review Manual (Digital Version) , Chapter 4: Information Systems Operations and Business Resilience, Section 4.3: Change Management Practices.

The best answer is D. The dataset for training the model was obtained from an unreliable source.

ISACA’s AI and ML guidance places strong emphasis on the quality, reliability, and validation of input and training data. ISACA notes that controls must validate each data source and that corrupted or poor-quality training data can lead to poor-quality outcomes. If the training dataset comes from an unreliable source, the model’s predictions may be fundamentally flawed, biased, manipulated, or unauditable from the start.

Option A. Open source programming language is not inherently a concern. The language itself does not determine whether the model is reliable or controlled.

Option B. Tested with data from the same population as the training data is a common validation step and not inherently problematic by itself.

Option C. Accuracy decreased with a different population can be a concern about generalizability, but in this question it is less fundamental than unreliable training data. If the source data itself is untrustworthy, all downstream results are suspect.

Therefore, D is the correct answer because unreliable training data creates the most serious foundational risk to the model’s validity and trustworthiness.

References (Official ISACA):

ISACA Journal, Developing Trustworthy AI: Understanding the Inputs.

ISACA Journal, Artificial Intelligence’s Impact on Auditing—Emerging Technologies.

ISACA press release, New ISACA Publications Highlight Machine Learning Technology and Compliance Risk for Auditors.

ISACA, AI Algorithm Audits: Key Control Considerations.

The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (DRP) should be of greatest concern to the auditor when reviewing a bank’s SLA with a third-party provider that hosts the bank’s secondary data center. This is because the RTO is the maximum acceptable time for restoring a system or an application after a disaster or a disruption. A longer RTO than the DRP means that the bank maynot be able to resume its critical business operations within the expected time frame, which may result insignificant financial losses, reputational damage, customer dissatisfaction, or regulatory non-compliance12.

The SLA has not been reviewed in more than a year is not the greatest concern, although it is a good practice to review and update the SLA periodically to ensure that it reflects the current business needs and expectations, as well as any changes in the service provider’s capabilities or performance. However, a lack of review does not necessarily imply a lack of compliance or quality of service, as long as the SLA is still valid and enforceable34.

Backup data is hosted online only is not the greatest concern, although it may pose some security risks if the backup data is not encrypted or protected by adequate access controls. Online backup data means that the backup data is stored on a remote server that can be accessed via the Internet, which may offer some advantages such as faster recovery, lower cost, and higher availability than offline backup data that is stored on physical media such as tapes or disks. However, online backup data also requires reliable network connectivity and bandwidth, as well as proper security measures to prevent unauthorized access or tampering56.

The recovery point objective (RPO) has a shorter duration than documented in the DRP is not the greatest concern, although it may indicate some inconsistency or misalignment between the SLA and the DRP. The RPO is the maximum acceptable amount of data loss measured in time from a disaster or a disruption. A shorter RPO than the DRP means that the bank may lose less data than expected, which may be beneficial for its business continuity and recovery. However, a shorter RPO may also imply more frequent backups, which may increase the cost and complexity ofthe backup process