Most Recent Isaca CISA Exam Questions & Answers

The finding that should be the IS auditor's greatest concern is that the data model is not clearly documented. A data model is a representation of the structure, relationships, and constraints of the data used by an application.It is a vital component of the software development process, as it helps to ensure the accuracy, consistency, and quality of the data1.A clear and comprehensive documentation of the data model is essential for the maintenance and support of the application, as it facilitates the understanding, modification, and troubleshooting of the data and the application logic2.

If the organization plans to bring the support and future maintenance of the application back in-house, it will need to have access to the data model documentation from the vendor.Without it, the organization may face difficulties in transferring the knowledge and skills from the vendor to the in-house team, as well as in adapting and enhancing the application to meet changing business needs and requirements3.The lack of data model documentation may also increase the risk of errors, inconsistencies, and inefficiencies in the data and the application performance2.

The other findings are not as concerning as the lack of data model documentation, because they do not directly affect the quality and maintainability of the application.The cost of outsourcing is lower than in-house development is a benefit rather than a risk for the organization, as it implies that outsourcing has helped to save time and money for the organization4. The vendor development team is located overseas is a common practice in outsourcing, and it does not necessarily imply a lower quality or a higher risk of the application.However, it may pose some challenges in terms of communication, coordination, and cultural differences, which can be managed by establishing clear expectations, roles, and responsibilities, as well as using effective tools and methods for communication and collaboration5. A training plan for business users has not been developed is a gap that should be addressed by the organization before deploying the application, as it may affect the user acceptance and satisfaction of the application. However, it does not directly impact the quality or maintainability of the application itself.References:

What is Data Modeling?Definition & Types | Informatica1

Data Modeling Best Practices: Documentation | erwin2

Data Model Documentation - an overview | ScienceDirect Topics3

Outsourcing App Development Pros and Cons -- Droids On Roids4

8 Risks of Software Development Outsourcing & Their Solutions - Acropolium5

Software Training Plan: How to Create One for Your Business - Elinext

The greatest concern associated with a high number of IT policy exceptions approved by management is that the exceptions may result in noncompliance. IT policy exceptions are deviations from the established IT policies that are granted by management for specific reasons and circumstances. However, if there are too many exceptions, it may indicate that the IT policies are not aligned with the business needs, regulatory requirements, or best practices. This may expose the organization to legal, contractual, or reputational risks due to noncompliance. The other options are not as concerning as noncompliance, as they do not have the same potential impact or consequences. The exceptions are likely to continue indefinitely is a possible outcome of a high number of exceptions, but it does not necessarily imply a negative effect on the organization. The exceptions may elevate the level of operational risk is a valid concern, but it can be mitigated by implementing compensating controls or monitoring mechanisms. The exceptions may negatively impact process efficiency is a minor concern, as it does not affect the effectiveness or reliability of the IT processes.References:CISA Review Manual (Digital Version), Chapter 3, Section 3.2

The best guard against the risk of attack by hackers is encryption. Encryption is the process of transforming data into an unreadable format using a secret key or algorithm. Encryption can protect data in transit and at rest from unauthorized access, modification, or disclosure by hackers. Encryption can also ensure the authenticity and integrity of data by using digital signatures or hashes.

Tunneling, message validation, and firewalls are not the best guards against the risk of attack by hackers. Tunneling is a technique that encapsulates one network protocol within another to create a secure connection between two endpoints. Message validation is a process that verifies the format, content, and origin of a message before accepting it. Firewalls are devices or software that filter network traffic based on predefined rules. These controls may help reduce the exposure or impact of hacker attacks, but they do not provide the same level of protection as encryption.

The first thing that the audit manager should do when faced with a situation where only 60% of the audit has been completed and the due date is approaching is to determine where delays have occurred. This can help the audit manager to identify and analyze the root causes of the delays, such as unexpected issues, scope changes, resource constraints, communication problems, etc., and evaluate their impact on the audit objectives, scope, quality, and timeline. Based on this analysis, the audit manager can then decide on the best course of action to address the delays and complete the audit successfully. Assigning additional resources to supplement the audit is a possible option for resolving delays in an audit project, but it is not the first thing that the audit manager should do, as it may not be feasible or effective depending on the availability, cost, and suitability of the additional resources. Escalating to the audit committee is a possible option for communicating delays in an audit project and seeking guidance or support from senior management, but it is not the first thing that the audit manager should do, as it may not be necessary or appropriate depending on the severity and urgency of the delays. Extending the audit deadline is a possible option for accommodating delays in an audit project and ensuring sufficient time for completing the audit tasks and activities, but it is not the first thing that the audit manager should do, as it may not be possible or desirable depending on the contractual obligations, stakeholder expectations, and regulatory requirements.