Pass the Isaca Isaca Certification CISA Questions and answers with CertsForce

A vendor requires privileged access to a key business application. The best recommendation to reduce the risk of data leakage is to implement real-time activity monitoring for privileged roles. This is because real-time activity monitoring can provide visibility and accountability for the actions performed by the vendor with privileged access, such as creating, modifying, deleting, or copying data. Real-time activity monitoring can also enable timely detection and response to any unauthorized or suspicious activities that may indicate data leakage. Including the right-to-audit in the vendor contract is a good practice, but it may not be sufficient to prevent or detect data leakage in a timely manner, as audits are usually performed periodically or on-demand. Performing a review of privileged roles and responsibilities is also a good practice, but it may not address the specific risk of data leakage by the vendor with privileged access. Requiring the vendor to implement job rotation for privileged roles may reduce the risk of collusion or fraud, but it may not prevent or detect data leakage by any individual with privileged access. References: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program Management Guide]

Theprimary roleof an internalIS audit functionis to provideindependent assuranceonrisk management, internal controls, and governance processes.

Option A (Incorrect):While audits may identifycontrol improvements, they donot initiate changes; management is responsible for implementation.

Option B (Incorrect):Compliance audits arepartof IS auditing, but the main focus isassurance on risk and controls, not just compliance.

Option C (Incorrect):Best practices and standards reviews are useful, but theydo not definethecore objectiveof an internal audit.

Option D (Correct):The internal audit function ' smain goalis toassess and assurethe effectiveness of an organization’srisk management and internal controls.

The best answer is A. Using automated tools to collect logs and raise alerts based on use cases.

ISACA’s log management guidance emphasizes building log management programs that use automated collection, correlation, and alerting driven by defined use cases. It specifically discusses configuring use cases and alerts so that relevant events generate actionable alerts. This creates value by improving detection, response speed, and operational visibility at scale.

Option B. Reporting results to senior management can be useful, but that is more about governance reporting than day-to-day monitoring and management.

Option C. Selecting logs only from critical systems may reduce volume, but by itself it does not provide the active monitoring and alerting needed to create operational value.

Option D. Encrypting logs before archiving protects confidentiality and integrity, but it does not best help monitor and manage logs in an operational sense.

Therefore, A is the correct answer because automated log collection and alerting based on defined use cases is the most effective way to turn operational logs into actionable organizational value.

References (Official ISACA):

ISACA Journal, Log Management as an Enabler for Data Protection and Automated Threat Detection.

ISACA Journal, A Framework for SIEM Implementation.

ISACA, Securing Artificial Intelligence: Opportunities and Challenges.

Data collection and obtaining consentis themost critical regulatory requirementwhen using customer data for AI training, especially under laws likeGDPR, CCPA, and ISO 27701.

Collection of Data and Obtaining Consent (Correct Answer – C)

Ensures compliance withprivacy lawsthat require explicit customer consent.

Example:UnderGDPR, companies mustinform usershow their data will be used and allow them toopt out.

AI Algorithm Accuracy (Incorrect – A)

Important formodel performancebutnot a primary legal concern.

Ethical Use of Computing Resources (Incorrect – B)

Ethical considerations are valuable butnot a regulatory priority.

Continuous Monitoring of AI (Incorrect – D)

Ensuresperformance, butregulatory compliance focuses on data privacy.

The greatest concern for an IS auditor in this scenario is that the user department will manage access rights to the new accounting system. This could pose a significant risk of unauthorized access, segregation of duties violations, data tampering and fraud. The IS auditor should ensure that access rights are defined, approved and monitored by an independent function, such as IT security or internal audit. The other options are not as concerning as option C, as they can be mitigated by other controls or procedures. Data migration is an important part of the system replacement project, but it can be performed by another party or verified by the IS auditor. The timing of the replacement near year-end reporting is a challenge, but it can be managed by proper planning, testing and contingency plans. Testing performed by the third-party consultant is acceptable, as long as it is reviewed and validated by the IS auditor or another independent party. References: CISA Review Manual (Digital Version) 1, Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.4: System Implementation.

A source code repository is a system that stores and manages the source code of a software project. A source code repository should be designed to provide secure versioning and backup capabilities for existing code, as these are essential features for concurrent development, code quality, and disaster recovery. Versioning allows developers to track, compare, and revert changes to the code over time. Backup ensures that the code is safely stored and can be restored in case of data loss or corruption.

References

Source Code Repositories: What is a Source Code Repository?

Git Source Code Repository Design Considerations

Best practices for repositories - GitHub Docs

Data classification is the process of tagging data according to its type, sensitivity, and value to the organization. Data transformation is the process of changing the structure and format of data to make it usable for analysis and visualization. Both processes are important for data security and compliance, but they also pose some challenges.

One of the challenges is to ensure that the organization’s data classification policies are preserved during the process of data transformation. This means that the data should retain its original classification level and labels after it is transformed, and that the appropriate controls and protections are applied to the transformed data.

The best way to ensure this is to implement classification labels in metadata during data creation (D). Metadata is data that describes other data, such as its source, format, content, and context. By adding classification labels to metadata, the data can be easily identified and tracked throughout its lifecycle, including during data transformation. The labels can also help enforce the proper access rights and encryption standards for the data, regardless of its state or location.

An incident response team has been notified of a virus outbreak in a network subnet. The next step should be to focus on limiting the damage by containing the virus and preventing it from spreading further. This may involve isolating the affected systems, disconnecting them from the network, blocking malicious traffic or applying patches or antivirus updates. Verifying that the compromised systems are fully functional, documenting the incident and removing and restoring the affected systems are possible steps that could be taken after limiting the damage. References:

[Incident Response Definition]

[Incident Response Process | ISACA]

[Virus Definition]

The greatest risk to an organization’s ability to manage QC processes is the lack of policies and procedures that define the QC objectives, standards, methods, roles, and responsibilities. Without policies and procedures, the QC processes may be inconsistent, ineffective, inefficient, or noncompliant with the relevant regulations and best practices. Policies and procedures provide the foundation and guidance for the QC processes and help to ensure their quality, reliability, and accountability.

References

ISACA CISA Review Manual, 27th Edition, page 253

Quality Control - an overview | ScienceDirect Topics

Quality Control: Meaning, Importance, Definition and Objectives

 The most efficient way to identify segregation of duties violations in a new system is to review a report of security rights in the system. Segregation of duties is a control principle that aims to prevent or detect errors, fraud, or abuse by ensuring that no single individual has the ability to perform incompatible or conflicting functions or activities within a system or process. A report of security rights in the system can provide a comprehensive and accurate overview of the roles, responsibilities, and access levels assigned to different users or groups in the system, and can help to identify any potential segregation of duties violations or risks. The other options are not as efficient as reviewing a report of security rights in the system, because they either rely on observation or testing rather than analysis, or they focus on existing rather than potential violations. References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.2

A Disaster Recovery as a Service (DRaaS) provider is responsible for system recovery procedures, including restoring systems and services in a disaster scenario. This is the core functionality of DRaaS.

Stakeholder Communications (Option B):This is typically managed internally by the organization to ensure alignment with its crisis management plan.

Validation of Recovered Data (Option C):The organization must verify data integrity to meet business requirements.

Maintaining Currency of Data (Option D):While DRaaS may handle data backups, the organization retains responsibility for ensuring the relevance of the data being backed up.

Quarterly steering committee meetings best demonstrate alignment of the IT department with the corporate mission because they provide a regular forum for strategic planning, decision making, and communication between IT leaders and business stakeholders12. Steering committee meetings help to ensure that IT goals and initiatives are aligned with the business vision, mission, and objectives, and that IT performance and value are monitored and evaluated34.

References

1: IT Governance and the Balanced Scorecard - ISACA Journal

2: IT Steering Committee Best Practices: A Recipe for Success

3: What is IT Governance? - Definition from Techopedia

4: CISA Cybersecurity Strategic Plan | CISA

The correct answer is B. Assessing key controls that support the migration.

ISACA guidance explains that internal audit should be involved in cloud procurement, design, and adoption to identify relevant risks and ensure that appropriate controls are in place and operating effectively. That is an assurance role, not a management or implementation role.

Option A is incorrect because mitigating risk to an acceptable level is a management responsibility, not an internal audit responsibility. Internal audit evaluates and provides assurance, but should not own risk treatment in a way that impairs independence.

Option C is incorrect because implementing security controls is also a management or operational responsibility, not the auditor’s role.

Option D is incorrect because budget and resource impact analysis is primarily a management planning function.

Therefore, the correct answer is B, because internal audit’s proper role is to assess whether the key controls supporting the cloud migration are appropriate and effective.

References (Official ISACA):

ISACA Now Blog, Five Major Auditing Challenges in Cloud Computing and How to Overcome Them — internal audit should identify cloud risks and ensure appropriate controls are in place and operating effectively.

ISACA, Now Is the Time for IT Auditors to Perform Advisory Pre-Implementation Reviews — internal audit provides observations and recommendations to enhance the control environment before deployment.

ISACA Journal, Digital Trust and the Audit Function — audit acts as assurance for implementation of required practices.

The primary objective of a disaster recovery plan is recovery of interrupted IT-related activities in a way that minimizes the impact of the disruption. Official ISACA definitions describe disaster recovery as activities and programs designed to return the enterprise to an acceptable condition and restore critical business functions through a DRP. ISACA’s glossary defines a disaster recovery plan (DRP) as a set of human, physical, technical, and procedural resources to recover an interrupted activity within a defined time and cost.

Among the answer choices, A. Minimizing loss of information is the best match. ISACA guidance states that a DRP contains procedures for restoring systems and data, minimizing loss of information and downtime, and ensuring business continuity. This makes option A the strongest answer because it captures a direct purpose of the DRP itself.

Option B (“Assessing the risk of key applications”) is an important planning activity, but it is not the primary objective of the DRP. Risk assessment is part of developing continuity capability, not the ultimate aim of the plan. ISACA continuity guidance treats assessing risks and impacts as a step in the DRP process, not the main end goal.

Option C (“Identifying key business processes”) is also an important prerequisite, typically associated more with business impact analysis and business continuity planning. It helps define what must be protected and restored, but it is not itself the primary objective of the DRP. ISACA distinguishes business continuity activities from disaster recovery, with DR focusing more specifically on restoring IT systems, infrastructure, and data after disruption.

Option D (“Documenting all IT assets”) may support recovery preparedness, but this is clearly not the primary objective of a DRP. Asset documentation is administrative and supportive; the goal of the plan is restoration and recovery with minimal disruption and data loss.

Therefore, A is the correct answer because official ISACA material directly states that the DRP is intended to restore systems and data while minimizing loss of information and downtime.

References (Official ISACA):

ISACA Glossary, Disaster Recovery (DR) and Disaster Recovery Plan (DRP) definitions.

ISACA Now Blog, Disaster Recovery and Business Continuity Preparedness for Cloud-Based Start-Ups — states that a DRP includes restoring systems and data, minimizing loss of information and downtime, and ensuring business continuity.

ISACA Journal, Working Toward a Managed, Mature Business Continuity Plan — distinguishes DR as focusing on rebuilding/recovering site, infrastructure, and data.

ISACA Journal, Information System Contingency Planning Guidance — supports that planning activities such as risk awareness are part of planning, not the primary objective itself.

Real-time replication to a second data center means that any changes made to the primary data center are immediately copied to the secondary data center. This can improve data availability and performance, but also introduces the risk of propagating malicious or erroneous changes to the backup data center. If a cybersecurity attack compromises the primary data center, it may also affect the secondary data center, making it difficult or impossible to recover from the attack using the replicated data. Therefore, option C is the greatest risk associated with this change.

Option A is not correct because version control issues are more likely to occur with batch processing backup, which may create inconsistencies between different versions of the data. Option B is not correct because real-time replication may reduce system performance at the primary data center, but it may also improve system performance at the secondary data center by reducing latency and network traffic. Option D is not correct because although real-time replication may increase IT investment cost, this is not a risk but a trade-off that the organization has to consider.

Clear criteria ensure a consistent, rational approach to risk acceptance decisions, demonstrating management ' s deliberate and informed approach to risk management.

References

ISACA CISA Review Manual (Current Edition) - Chapter on Risk Management

Risk Management Frameworks (e.g., ISO 31000, NIST SP 800-39) - Emphasize the importance of defined risk assessment and decision-making processes.

Access to the spreadsheet is given only to those who require access is the most important control for maintaining the security of data in the spreadsheet. An IS auditor should ensure that the principle of least privilege is applied to limit the access to sensitive financial data and prevent unauthorized disclosure, modification, or deletion. The other options are less important controls that may enhance the accuracy, availability, or integrity of data in the spreadsheet, but not its security. References:

CISA Review Manual (Digital Version), Chapter 6, Section 6.31

CISA Review Questions, Answers and Explanations Database, Question ID 210

 The most critical finding for an IS auditor following up on a recent security incident is that the security weakness facilitating the attack was not identified. This finding indicates that the root cause of the incident was not analyzed, and the vulnerability that allowed the attack to succeed was not remediated. This means that the organization is still exposed to the same or similar attacks in the future, and its security posture has not improved. Identifying and addressing the security weakness is a key step in the incident response process, as it helps to prevent recurrence, mitigate impact, and improve resilience.

The other findings are not as critical as the failure to identify the security weakness, but they are still important issues that should be addressed by the organization. The attack was not automatically blocked by the intrusion detection system (IDS) is a finding that suggests that the IDS was not configured properly, or that it did not have the latest signatures or rules to detect and prevent the attack. The attack could not be traced back to the originating person is a finding that implies that the organization did not have sufficient logging, monitoring, or forensic capabilities to identify and attribute the attacker. Appropriate response documentation was not maintained is a finding that indicates that the organization did not follow a consistent and formal incident response procedure, or that it did not document its actions, decisions, and lessons learned from the incident.

The best control to mitigate attacks that redirect Internet traffic to an unauthorized website is to perform domain name system (DNS) server security hardening. DNS servers are responsible for resolving domain names into IP addresses, and they are often targeted by attackers who want to manipulate or spoof DNS records to redirect usersto malicious websites4. By applying security best practices to DNS servers, such as encrypting DNS traffic, implementing DNSSEC, restricting access and updating patches, the organization can reduce the risk of DNS hijacking attacks. A network-based firewall, user security awareness training and a strong password policy are also important controls, but they are not as effective as DNS server security hardening in preventing this specific type of attack. References:

CISA Review Manual, 27th Edition, page 4021

CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

 Using a continuous auditing module is an audit procedure that would provide the best assurance that an application program is functioning as designed. A continuous auditing module is a software tool that performs automated and continuous testing and monitoring of an application program’s inputs, outputs, processes, and controls. A continuous auditing module can help to verify the accuracy, completeness, validity, reliability, and timeliness of the application program’s data and transactions. A continuous auditing module can also help to identify and report any errors, anomalies, deviations, or exceptions in the application program’s performance or compliance.

The other options are not as effective or relevant as using a continuous auditing module for providing assurance that an application program is functioning as designed. Interviewing business management is a technique for obtaining information and opinions from the users or owners of the application program, but it does not directly test or verify the functionality or quality of the application program. Confirming accounts is a technique for verifying the existence and accuracy of account balances or transactions, but it does not necessarily reflect the design or operation of the application program. Reviewing program documentation is a technique for examining the specifications,requirements, and procedures of the application program, but it does not provide evidence of the actual implementation or execution of the application program.

A project deliverable is a tangible or intangible product or service that is produced as a result of a project and delivered to the customer or stakeholder. A project deliverable can be either an intermediate deliverable that is part of the project process or a final deliverable that is the outcome of the project.

An agile software development methodology is a project management approach that involves breaking the project into phases and emphasizes continuous collaboration and improvement. Teams follow a cycle of planning, executing, and evaluating. Agile software development methodologies value working software over comprehensive documentation and respond to change over following a plan.

Rapidly created working prototypes are most likely to be a project deliverable of an agile software development methodology because they:

Provide early and frequent feedback from customers and stakeholders on the functionality and usability of the software product

Allow for rapid validation and verification of the software requirements and design

Enable continuous improvement and adaptation of the software product based on changing customer needs and expectations

Reduce the risk of delivering a software product that does not meet customer needs or expectations

Increase customer satisfaction and trust by delivering working software products frequently and consistently

Some examples of agile software development methodologies that use rapidly created working prototypes as project deliverables are:

Scrum - a framework that organizes the work into fixed-length sprints (usually 2-4 weeks) and delivers potentially shippable increments of the software product at the end of each sprint1

Extreme Programming (XP) - a methodology that focuses on delivering high-quality software products through practices such as test-driven development, pair programming, continuous integration, and frequent releases2

Rapid Application Development (RAD) - a methodology that emphasizes rapid prototyping and user involvement throughout the software development process3

The other options are not likely to be project deliverables of an agile software development methodology.

Strictly managed software requirements baselines are not likely to be project deliverables of an agile software development methodology. A software requirements baseline is a set of agreed-upon and approved software requirements that serve as the basis for the software design, development, testing, and delivery. A strictly managed software requirements baseline is a software requirements baseline that is controlled and changed only through a formalchange management process. Strictly managed software requirements baselines are more suitable for traditional or waterfall software development methodologies that follow a linear and sequential process of defining, designing, developing, testing, and delivering software products. Strictly managed software requirements baselines are not compatible with agile software development methodologies that embrace change and flexibility in the software requirements based on customer feedback and evolving needs.

Extensive project documentation is not likely to be project deliverables of an agile software development methodology. Project documentation is any written or electronic information that describes or records the activities, processes, results, or decisions of a project. Extensive project documentation is project documentation that covers every aspect of the project in detail and requires significant time and effort to produce and maintain. Extensive project documentation is more suitable for traditional or waterfall software development methodologies that rely on comprehensive documentation to communicate and document the project scope, requirements, design, testing, and delivery. Extensive project documentation is not compatible with agile software development methodologies that value working software over comprehensive documentation and use minimal documentation to support the communication and collaboration among the project team members.

Automated software programming routines are not likely to be project deliverables of an agile software development methodology. Automated software programming routines are programs or scripts that perform repetitive or complex tasks in the software development process without human intervention. Automated software programming routines can improve the efficiency, quality, and consistency of the software development process by reducing human errors, saving time, and enforcing standards. Automated software programming routines can be used in any software development methodology, but they are not specific to agile software development methodologies. Automated software programming routines are not considered as project deliverables because they are not part of the final product that is delivered to the customer.

A project business case is a document that describes the rationale and justification for initiating a project, based on its expected costs, benefits, risks, and feasibility. A project business case provides the most useful information to an IS auditor when selecting projects for inclusion in an IT audit plan, because it helps the IS auditor to:

Understand the purpose, scope, objectives, and deliverables of the project

Assess the alignment of the project with the organization’s strategy, vision, and goals

Evaluate the value proposition and return on investment of the project

Identify the key stakeholders, sponsors, and owners of the project

Analyze the potential risks and issues associated with the project

Compare and prioritize the project with other competing projects

The other possible options are:

A. Project charter: A project charter is a document that formally authorizes and defines the high-level scope, roles, responsibilities, and authority of a project. A project charter provides some useful information to an IS auditor when selecting projects for inclusion in an IT audit plan, but it is not the most useful information. A project charter does not provide enough details about the costs, benefits, risks, and feasibility of the project, which are essential for evaluating its suitability for an IT audit plan.

B. Project plan: A project plan is a document that outlines the detailed scope, schedule, budget, resources, quality, and communication plans of a project. A project plan provides some useful information to an IS auditor when selecting projects for inclusion in an IT audit plan, but it is not the most useful information. A project plan does not provide enough information about the rationale, justification, value proposition, and alignment of the project with the organization’s strategy and goals, which are important for assessing its relevance for an IT audit plan.

C. Project issue log: A project issue log is a document that records and tracks the issues that arise during a project’s execution and how they are resolved. A project issue log provides some useful information to an IS auditor when selecting projects for inclusion in an IT audit plan, but it is not the most useful information. A project issue log does not provide enough information about the purpose, objectives, benefits, and feasibility of the project, which are critical for determining its priority for an IT audit plan.

 Substantive testing provides the most reliable audit evidence on the validity of transactions in a financial application. Substantive testing is an audit procedure that examines the financial statements and supporting documentation to see if they contain errors or misstatements. Substantive testing can help to verify that the transactions recorded in the financial applicationare authorized, complete, accurate, and properly classified. Substantive testing can include methods such as vouching, confirmation, analytical procedures, or physical examination. 

 The best phase of the software development life cycle to initiate the discussion of application controls is the application design phase when process functionalities are finalized. Application controls are the policies, procedures, and techniques that ensure the completeness, accuracy, validity, and authorization of data input, processing, output, and storage in an application. Application controls help prevent, detect, or correct errors and fraud in software applications. Examples of application controls include input validation, edit checks, reconciliation, encryption, access control, audit trails, etc.

The application design phase is when the software requirements are translated into a logical and physical design that specifies how the application will look and work. This phase is the best time to discuss application controls because it allows the developers to incorporate them into the design specifications and ensure that they are aligned with the business objectives and user needs. By discussing application controls early in the design phase, the developers can also avoid costly rework or changes later in the development process.

The other phases are not as optimal as the application design phase to initiate the discussion of application controls. A. Business case development phase when stakeholders are identified. The business case development phase is when the feasibility, scope, objectives, benefits, risks, and costs of a software project are defined and evaluated. This phase is important for obtaining stakeholder approval and support for the project, but it is too early to discuss application controls in detail because the software requirements and functionalities are not yet clear or finalized. B. User acceptance testing (UAT) phase when test scenarios are designed. The user acceptance testing phase is when the software is tested by the end-users or stakeholders to verify that it meets their expectations and requirements. This phase is too late to discuss application controls because it is near the end of the development process and any changes or additions to the application controls would require retesting and revalidation of the software. C. Application coding phase when algorithms are developed to solve business problems. The application coding phase is when the software design is translated into executable code using programming languages and tools. This phase is not ideal to discuss application controls because it is after the design phase and any changes or additions to the application controls would require redesigning and recoding of the software.

 Upon completion of audit work, an IS auditor should distribute a summary of general findings to the members of the auditing team. This is to ensure that the audit team members are aware of the audit results, have an opportunity to provide feedback, and can agree on the audit conclusions and recommendations. Providing a report to senior management prior to discussion with the auditee, providing a report to the auditee stating the initial findings, and reviewing the working papers with the auditee are not appropriate actions for an IS auditor to take upon completion of audit work, as they may compromise the audit independence, objectivity, and quality. References: ISACA CISA Review Manual 27th Edition, page 221

The best way to enable the effectiveness of an agile project for the rapid development of a new software application is to separate the work into sprints. Sprints are short, time-boxed iterations that deliver a potentially releasable product increment at the end of each sprint. Sprints allow agile teams to work in a flexible and adaptive manner, respond quickly to changing customer needs and feedback, and deliver value faster and more frequently. Sprints also help teams to plan, execute, review, and improve their work in a collaborative and transparent way. Project segments, phases, and milestones are not specific to agile projects and do not necessarily enable the effectiveness of an agile project. References: Agile Project Management [Whatis it and How to Start] - Atlassian, CISA Review Manual (Digital Version).

A database conflict occurs when the same data is modified at two separate servers, such as a customer database and a remote call center database, and the changes are not consistent with each other. For example, if a customer updates their phone number at the customer database, and a call center agent updates the same customer’s address at the remote call center database, there is a conflict between the two updates. Database conflicts can cause data inconsistency, corruption, or loss if they are not detected and resolved properly.

Two-way replication is a process of synchronizing data between two databases, so that any changes made in one database are reflected in the other database, and vice versa. Two-way replication can improve data availability, performance, and scalability, but it also increases the risk of database conflicts. Therefore, when assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that database conflicts are managed during replication. This means that the project should have a clear and effective strategy for:

Preventing or minimizing database conflicts by using techniques such as locking, timestamping, or partitioning.

Detecting or identifying database conflicts by using tools such as triggers, logs, or alerts.

Resolving or handling database conflicts by using methods such as priority-based, rule-based, or user-based resolution.

The other possible options are:

B. end users are trained in the replication process: This is not a relevant or important factor for the IS auditor to ensure when assessing a proposed project for the two-way replication of a customer database with a remote call center. End users are not directly involved in the replication process, and they do not need to have detailed knowledge or skills about how replication works. The replication process should be transparent and seamless to the end users, and they should only interact with the data through their applications or interfaces.

C. the source database is backed up on both sites: This is not a sufficient or necessary factor for the IS auditor to ensure when assessing a proposed project for the two-way replication of a customer database with a remote call center. Backing up the source database on both sites can provide some level of data protection and recovery, but it does not address the issue of database conflicts that can occur during replication. Moreover, backing up the source database on both sites may not be feasible or efficient, as it may consume more storage space and network bandwidth, and introduce more complexity and overhead to the replication process.

D. user rights are identical on both databases: This is not a critical or relevant factor for the IS auditor to ensure when assessing a proposed project for the two-way replication of a customer database with a remote call center. User rights are the permissions or privileges that users have to access or modify data in a database. User rights do not directly affect the occurrence or resolution of database conflicts during replication. User rights may vary depending on the role or function of the users in different databases, and they should be defined and enforced according to the security policies and requirements of each database.

File transfer protocol (FTP) is a service that allows users to transfer files between computers over a network. If enabled within firewall rules, FTP would present the greatest risk, as it can expose sensitive data to unauthorized access, modification, or deletion. FTP does not provide encryption or authentication, which makes it vulnerable to eavesdropping, spoofing, and tampering attacks. Simple mail transfer protocol (SMTP), simple object access protocol (SOAP), and hypertext transfer protocol (HTTP) are also services that can be used to exchange data over a network, but they have more security features than FTP, such as encryption, authentication, or validation. References: CISA Review Manual (Digital Version)

 The best way to reduce the immediate risk associated with using an unsupported version of the software is to segregate the outdated software system from the main network. This will limit the exposure of the system to potential attacks and prevent it from compromising other systems on the network. Segregating the system will also reduce the impact of any security incidents that may occur on the system.

Monitoring network traffic attempting to reach the outdated software system (option C) is not the best way to reduce the risk, as it will not prevent or stop any attacks on the system. It will only provide visibility into the network activity and alert the auditee of any suspicious or malicious traffic.

Verifying all patches have been applied to the software system’s outdated version (option A) and closing all unused ports on the outdated software system (option B) are also not the best ways to reduce the risk, as they will not address the underlying issue of using an unsupported version of the software. Patches and ports may still have vulnerabilities that are not fixed by the vendor, and attackers may exploit them to gain access to the system.

Therefore, option D is the correct answer.

Data definition standards within a database primarily support data formatting by establishing how data elements must be structured, represented, and stored. In practical terms, these standards define characteristics such as data type, field length, allowable values, precision, naming conventions, and valid formats. ISACA glossary material includes format checking as a control concept, which directly relates to verifying that data conforms to a prescribed format. That is the closest and strongest match to what data definition standards support.

Option C is correct because data definition standards are about consistency of data structure and representation. When an organization enforces common definitions for fields and attributes, it improves the consistency and usability of data across systems and applications. ISACA governance and data management material emphasizes that defining the format in which data are presented is part of giving data meaning and ensuring quality and usability.

Option A is incorrect because data disposal concerns end-of-life handling of data, such as destruction, archival expiration, and secure deletion. Those activities are governed by retention, records management, privacy, and disposal requirements, not by database data definition standards. ISACA privacy and data lifecycle guidance treats disposal as a separate lifecycle issue.

Option B is incorrect because data retention relates to how long data should be kept for business, legal, regulatory, or operational purposes. Retention policies may rely on data classification and legal obligations, but they are not what data definition standards primarily address.

Option D is incorrect because data confidentiality is mainly supported by access controls, encryption, classification, segregation of duties, and related security controls. Although well-defined data may indirectly help governance, confidentiality is not the main purpose of data definition standards.

Therefore, the best answer is C because enforcing data definition standards within a database most directly supports correct and consistent data formatting.

References (Official ISACA):

ISACA Glossary — Format checking.

ISACA, Unearthing and Enhancing Intelligence and Wisdom Within the COBIT 5 Governance of Information Model — discusses defining the format in which data are presented.

ISACA Journal, IS Audit Basics: Data Management Body of Knowledge—A Summary for Auditors — supports the role of data management standards and quality.

ISACA, SOC Reports for Cloud Security and Privacy — distinguishes use, retention, and disposal from data structure concerns.

After migrating infrastructure to the cloud, it ' s imperative to test the disaster recovery plan (DRP) to ensure its effectiveness in the new environment. Without evidence of DRP testing post-migration, the organization cannot be certain that it can recover and continue operations during a disaster. While updating the DRP and configuring redundancy are essential steps, their effectiveness can only be validated through rigorous testing. Retaining previous infrastructure is less relevant if the cloud environment is properly configured and tested for disaster recovery.

The primary reason for an organization to classify the data stored on its internal networks is to implement data protection requirements1234. Data classification helps organizations understand what data they have, its characteristics, and what security and privacy requirements it needs to meet so that the necessary protections can be achieved3. While determining data retention policy56, complying with the organization’s data policies27, and following industry best practices891011 are important aspects of data classification, they are secondary to the fundamental requirement of implementing data protection requirements.

 The primary advantage of object-oriented technology is enhanced efficiency due to the re-use of elements of logic. Object-oriented technology is a software design model that uses objects, which contain both data and code, to create modular and reusable programs. Objects can be inherited from other objects, which reduces duplication and improves maintainability. Grouping objects into methods for data access, managing sequential program execution for data access, and managing a restricted variety of data types for a data object are not advantages of object-oriented technology. References: ISACA CISA Review Manual 27th Edition, page 304

The NEXT step for the IS auditor after noting that an employee who has recently changed roles within the organization still has previous access rights should be to B. determine the reason why access rights have not been revoked. Identifying the cause of this situation is crucial for understanding whether it’s due to oversight, process gaps, or other factors. Once the reason is determined, appropriate corrective actions can be recommended to ensure that access rights are aligned with the employee’s current role and responsibilities1.

This is because analyzing the data against predefined specifications is a method of data quality assessment that can help the organization achieve a reasonable level of data quality. Data quality assessment is the process of measuring and evaluating the accuracy, completeness, consistency, timeliness, validity, and usability of the data. Predefined specifications are the criteria or standards that define the expected or desired quality of the data. By comparing the actual data with the predefined specifications, the organization can identify and quantify any gaps, errors, or deviations in the data quality, and take corrective actions accordingly12.

Reviewing data against data classification standards (A) is not the best answer, because it is not a method of data quality assessment, but rather a method of data security management. Data classification standards are the rules or guidelines that define the level of sensitivity and confidentiality of the data, and determine the appropriate security and access controls for the data. For example, data can be classified into public, internal, confidential, or restricted categories. Reviewing data against data classification standards can help the organization protect the data from unauthorized or inappropriate use or disclosure, but it does not directly improve the data quality3.

Outsourcing data cleansing to skilled service providers (B) is not the best answer, because it is not a recommendation to help the organization achieve a reasonable level of data quality, but rather a decision to delegate or transfer the responsibility of data quality management to external parties. Data cleansing is the process of detecting and correcting any errors, inconsistencies, or anomalies in the data. Skilled service providers are third-partyvendors or contractors that have the expertise and resources to perform data cleansing tasks. Outsourcing data cleansing to skilled service providers may have some benefits, such as cost savings, efficiency, or scalability, but it also has some risks, such as loss of control, dependency, or liability4.

Consolidating data stored across separate databases into a warehouse © is not the best answer, because it is not a method of data quality assessment, but rather a method of data integration and storage. Data integration is the process of combining and transforming data from different sources and formats into a unified and consistent view. Data warehouse is a centralized repository that stores integrated and historical data for analytical purposes. Consolidating data stored across separate databases into a warehouse can help the organization improve the availability and accessibility of the data, but it does not necessarily improve the data quality.

 A disaster recovery plan (DRP) is a set of detailed, documented guidelines that outline a business’ critical assets and explain how the organization will respond to unplanned incidents. Unplanned incidents or disasters typically include cyberattacks, system failures, power outages, natural disasters, equipment failures, or infrastructure damage1. A DRP aims to minimize the impact of a disaster on the business continuity, data integrity, and service delivery of the organization. A DRP also helps the organization recover from a disaster as quickly and efficiently as possible.

A DRP should include steps for obtaining replacement supplies, as this is an essential part of restoring the normal operation of the organization after a disaster. Replacement supplies may include hardware, software, data, network components, office equipment, or other resources that are needed to resume the business functions and processes that were disrupted by the disaster. Obtaining replacement supplies may involve contacting vendors, suppliers, or partners; activating backup or alternative systems; or purchasing or renting new equipment. A DRP should identify the sources, locations, and costs of the replacement supplies, as well as the procedures and responsibilities for acquiring and installing them.

The other three options are not steps that a DRP should include, as they are either part of the pre-disaster planning process or not directly related to the disaster recovery objectives. Assessing and quantifying risk is a step that should be done before creating a DRP, as it helps identify the potential threats and vulnerabilities that could affect the organization and determine the likelihood and impact of each scenario2. Negotiating contracts with disaster planning consultants is also a pre-disaster activity that may help the organization design, implement, test, and maintain a DRP with external expertise and guidance3. Identifying application control requirements is not a step in a DRP, but rather a part of the application development and maintenance process that ensures the quality, security, and reliability of the software applications used by the organization.

Therefore, obtaining replacement supplies is the correct answer.

The best way to ensure a successful investigation is to preserve digital evidence immediately, including both a forensic image of the system and volatile memory capture where feasible. ISACA defines digital forensics as identifying, preserving, analyzing, and presenting digital evidence in a legally acceptable manner. That makes evidence preservation the first priority.

Option A is correct because creating a system image preserves the state of the disk, while capturing memory preserves volatile information that may be lost if the system is altered, powered off, or rebooted. ISACA’s glossary notes that memory dumps allow analysis of memory contents at the time of failure, which supports preserving volatile evidence for forensic review.

Option B is not the best answer. Isolating the system may help preserve evidence, but by itself it does not collect the volatile and nonvolatile evidence needed for a strong investigation. Evidence preservation is stronger when the system is forensically imaged and memory is captured.

Option C is incorrect because rebooting can destroy volatile evidence and alter timestamps or system state, which can undermine a forensic investigation. That runs directly counter to digital forensics principles centered on preservation.

Option D may be useful later, but interviews are secondary to preserving digital evidence. Human recollection cannot substitute for properly preserved forensic artifacts.

Therefore, A is the best answer because it preserves the most complete and reliable digital evidence for investigation.

References (Official ISACA):

ISACA, Overview of Digital Forensics — digital forensics is the process of identifying, preserving, analyzing and presenting digital evidence.

ISACA Glossary, Digital forensics.

ISACA Glossary, Memory dump.

Enterprise Architecture (EA) governance requires proper oversight and separation of duties to ensure strategic alignment and risk management.

Option A (Correct):If IT application owners have sole authority over architecture approval, there is a high risk of inadequate governance, lack of strategic alignment, and potential conflicts of interest. Architecture decisions should involve multiple stakeholders, including business and security teams, to ensure compliance, security, and business alignment.

Option B (Incorrect):While having the CIO chair the architecture review board might not be ideal, it is not thegreatestconcern. The CIO is a senior leader who can provide oversight and direction, even if additional governance mechanisms should be in place.

Option C (Incorrect):Reviewing security requirements within the EA program is abest practice, as it ensures that security is embedded into enterprise architecture rather than treated as an afterthought.

Option D (Incorrect):Enterprise architecture should ideally encompass both IT and business processes. Governing non-IT-related projects is not inherently problematic, as EA is designed to align business strategy with IT infrastructure.