Isaca Certification Changed CISA Questions

 The effectiveness of a risk management program can be measured by how well it reduces the residual risk, which is the risk that remains after applying controls, to an acceptable level. Inherent risk is the risk that exists before applying any controls, and it cannot be eliminated completely. Control risk is the risk that the controls fail to prevent or detect a risk event, and it is a component of residual risk. Overall risk is not a meaningful metric for assessing the effectiveness of a risk management program, as it does not account for the impact and likelihood of different risk events. References: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.2

Network topology diagrams are the most important for an IS auditor to review when evaluating the design of controls related to network monitoring, because they show how the network components are connected and configured, and what security measures are in place to protect the network from unauthorized access or attacks. Incident monitoring logs, the ISP service level agreement, and reports of network traffic analysis are useful for evaluating the effectiveness and performance of network monitoring, but not the design of controls. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.3

 The best compensating control when segregation of duties is lacking in a small IS department is transaction log review. Transaction log review can help detect any unauthorized or fraudulent activities performed by IS staff who have access to multiple functions or systems. Transaction log review can also provide an audit trail for accountability and investigation purposes. The other options are not as effective as transaction log review in compensating for the lack of segregation of duties. Background checks are preventive controls that can help screen potential employees for any criminal records or dishonest behavior, but they do not prevent existing employees from abusing their access privileges. User awareness training is a detective control that can help educate users on how to report any suspicious or abnormal activities in the IS environment, but it does not monitor or verify the actions of IS staff. Mandatory holidays are deterrent controls that can discourage IS staff from engaging in fraudulent activities by requiring them to take periodic leave, but they do not prevent or detect such activities when they occur. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

The first course of action that the auditor should recommend after finding that several employees are spending an excessive amount of time using social media sites for personal reasons is to implement policies addressing acceptable usage of social media during working hours. Policies can help define the scope, purpose, rules, and expectations of using social media in the workplace, both for personal and professional reasons. Policies can also specify the consequences of violating the policies, such as disciplinary actions or termination. Policies can help deter employees from misusing social media at work, which could affect their productivity, performance, or security. Policies can also help protect the organization from legal liabilities or reputational damages that could arise from inappropriate or unlawful employee behavior on social media.