Isaca Certified Information Systems Auditor CISA Question # 46 Topic 5 Discussion

CISA Exam Topic 5 Question 46 Discussion:

Question #: 46

Topic #: 5

A business has requested an audit to determine whether information stored in an application is adequately protected. Which of the following is the MOST important action before the audit work begins?

Review remediation reports

Establish control objectives.

Assess the threat landscape.

Perform penetration testing.

Get Premium CISA Questions

Explanation

The most important action before the audit work begins is to establish control objectives. Control objectives are the specific goals or outcomes that the audit intends to achieve or verify in relation to the information protection in the application1. Control objectives provide the basis for designing and performing the audit procedures, evaluating the audit evidence, and reporting the audit findings and recommendations2. Control objectives also help to align the audit scope and criteria with the business needs and expectations, and to ensure that the audit is relevant, reliable, and efficient3.

Some examples of control objectives for an information protection audit are:

To ensure that the information stored in the application is classified according to its sensitivity, value, and regulatory requirements

To ensure that the information stored in the application is encrypted, masked, or anonymized as appropriate

To ensure that the information stored in the application is accessible only by authorized users and processes

To ensure that the information stored in the application is backed up, restored, and retained according to the business continuity and retention policies

To ensure that the information stored in the application is monitored, logged, and audited for any unauthorized or anomalous activities

Therefore, option B is the correct answer.

Option A is not correct because reviewing remediation reports is not the most important action before the audit work begins. Remediation reports are documents that describe how previous audit findings or issues have been resolved or addressed by the auditee4. While reviewing remediation reports may be useful for understanding the current state of information protection in the application, it is not a prerequisite for defining the control objectives of the audit.

Option C is not correct because assessing the threat landscape is not the most important action before the audit work begins. The threat landscape is the set of potential sources, methods, and impacts of cyberattacks or data breaches that may affect the information stored in the application5. While assessing the threat landscape may be helpful for identifying and prioritizing the risks and vulnerabilities of information protection in the application, it is not a prerequisite for defining the control objectives of the audit.

Option D is not correct because performing penetration testing is not the most important action before the audit work begins. Penetration testing is a technique that simulates real-world cyberattacks or data breaches to test the security and resilience of information systems or applications.

Actual exam question for Isaca CISA exam by Eris4752 at Aug 3, 2025, 7:02:53 PM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certified Information Systems Auditor CISA Question # 46 Topic 5 Discussion

Isaca Certified Information Systems Auditor CISA Question # 46 Topic 5 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certified Information Systems Auditor CISA Question # 46 Topic 5 Discussion

Isaca Certified Information Systems Auditor CISA Question # 46 Topic 5 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval