CISA Exam Questions Tutorials

The first step when conducting an IT risk assessment is to identify assets to be protected, which include hardware, software, data, processes, people, and facilities that support the business objectives and operations of an organization. Identifying assets to be protected helps to establish the scope and boundaries of the risk assessment, as well as the value and criticality of each asset. Identifying potential threats, assessing vulnerabilities, and evaluating controls in place are subsequent steps in the risk assessment process that depend on the identification of assets to be protected. References: CISA Review Manual (Digital Version), Chapter 2: Governance & Management of IT, Section 2.3: IT Risk Management

 It is acceptable for an IS auditor to rely on a third-party provider’s external audit report on service level management when the scope and methodology meet audit requirements. This means that the external audit report covers the same objectives, criteria, standards and procedures that the IS auditor would use to assess the service level management. This way, the IS auditor can avoid duplication of work and reduce audit costs and efforts. The service provider’s certification and accreditation, the report’s confirmation of service levels and the report’s release date are not sufficient to justify reliance on the external audit report. References: CISA Review Manual (Digital Version) , Chapter 2, Section 2.3.3.

 The advantage of using agile software development methodology over the waterfall methodology is that it allows for quicker deliverables. Agile software development is an iterative and incremental approach that emphasizes customer feedback, collaboration, and adaptation. Agile software development delivers working software in short cycles, called sprints, that typically last from two to four weeks. This enables the development team to respond to changing requirements, deliver value faster, and improve quality. Waterfall software development is a linear and sequential approach that follows a predefined set of phases, such as planning, analysis, design, implementation, testing, and maintenance. Waterfall software development requires a clear and stable definition of the project scope, deliverables, and expectations before starting the development process. Waterfall software development can be slow, rigid, and costly, especially if changes occur during the later stages of the project. References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development & Implementation, Section 3.1: Project Management Practices

The best approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks is to prioritize the organization’s IT risk scenarios. IT risk appetite is the amount and type of IT risk that an organization is willing to accept in pursuit of its objectives. IT risk scenarios are hypothetical situations that describe the potential impact of IT risk events on the organization’s objectives, processes, and resources. By prioritizing the organization’s IT risk scenarios, the IS auditor can identify the most significant IT risks that affect the organization as a whole, and align them with the organization’s strategic goals, values, and culture. Prioritizing the organization’s IT risk scenarios can also help to communicate and monitor the IT risk appetite across the organization, and facilitate consistent and informed decision making. The other approaches (A, B and D) are not effective for determining the overall IT risk appetite of an organization, as they do not consider the impact and likelihood of IT risks on the organization’s objectives, nor do they account for the diversity and complexity of IT risks across different business units. References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of Information Technology, Section 2.3: Information Technology Risk Management