#1 jaguaar
Having a hard time understanding the logic behind these answers for CISA

BrainTrust,
Ready for some brainstorming?
While studying CISA questions, I am having a very hard time picking the right answer, well, the right answer according to ISACA. I am almost always able to eliminate two of the answers, but there are several questions that are not technical in nature whose answers I find "controversial", for lack of a better word. In some cases I have issues with the grammar or sentence syntax; others defy practical experience.
I want to understand whether I am not looking at the scenario properly, or otherwise what you would do to arrive at the correct answer, at least from the exam perspective.
Here are some examples of such Q&As that have left me baffled.

1. Which of the following is the BEST option to ensure that an in-house developed CRM application operates as designed?

    A. User acceptance testing (UAT)

    C. Postimplementation review

You answered A. The correct answer is C. (How will a post-implementation review ensure operation as designed? Implementation has already occurred.)

2. An IS auditor finds that some output transaction values were wrong because some input values were not entered properly. What is the best control to prevent this from happening?

    A. A sample of transactions may be recalculated manually


    B. Limit checks


The answer is B. I think A is correct because a limit check will work to ensure the proper format of input data, not necessarily correct data.

3. An org is doing process re-engineering of a marketing process. What is the main control the IS auditor should worry about?


A. The inclusion of the key controls, and verifying that the controls are in place before implementing the new process.


    D. Separation of duties

I chose D but A is correct. BUT BUT BUT - we are talking about marketing here. Why would marketing affect the assets of the org?

    Can someone please enlighten me?

#2 NetworkNewb
Quote Originally Posted by jaguaar:
    How will post implementation review ensure operation as designed? Implementation has already occurred
    Right, now they are wanting a review of how the implementation went.


Quote Originally Posted by jaguaar:
    Answer is B. I think A is correct because limit check will work to ensure proper format of input data, not correct data necessarily.
How would A prevent this from happening in the future? At least option B has a chance of preventing some data from being improperly entered.

Quote Originally Posted by jaguaar:
    I chose D but A is correct. BUT BUT BUT - We are talking about marketing here. Why would marketing affect assets of org?
Maybe I'm not understanding this one, but why are we talking about assets? They are redesigning a process. From an auditing perspective, the key controls are what you want to be focused on. A is correct since they are asking what the auditor's focus is on.

#3 TechGuru80
The first...UAT happens during development to help make sure no requirements were missed. Post-implementation review is indeed after the fact, to make sure the app works in practice instead of just in theory during design. I could see how this could be confusing, but think of UAT as part of the development process.

The second...A, first of all, isn't a control...also, the question specifically says input values were entered incorrectly. They aren't testing the integrity in this question.

Third...separation of duties is a type of control, but it's not always possible to use it, and it doesn't hit on ALL the controls needed like answer A does. The question doesn't mention assets, so that's another discussion, but an auditor should be concerned that ALL protections are in place, not JUST separation of duties.
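The second question, limit checks versus manual recalculation of a sample, as an added worked example that is not part of the thread or of ISACA's material. It models a hypothetical order-entry screen with constructed field names, ranges and records: a limit (range) check rejects an out-of-range discount at entry time, while recalculating a sample of processed orders recomputes the same wrong output from the same wrong input and so reports nothing. The example is stand-alone Python with no third-party dependencies.

```python
# Added example (not from the thread): a limit check as a preventive input
# control, contrasted with sample recalculation, which only re-tests processing.
# All field names, limits and records below are constructed for illustration.
import random

# Hypothetical order-entry fields and the range each value must fall in.
LIMITS = {
    "quantity": (1, 1_000),
    "unit_price": (0.01, 10_000.00),
    "discount_pct": (0, 50),
}


class LimitCheckError(ValueError):
    """Raised when an input value falls outside its allowed range."""


def limit_check(record):
    """Preventive control: reject the record at entry time if any field is out of range."""
    for field, (low, high) in LIMITS.items():
        value = record[field]
        if not low <= value <= high:
            raise LimitCheckError(f"{field}={value!r} is outside [{low}, {high}]")
    return record


def order_total(record):
    """Processing step: the output value computed from the input fields."""
    net = record["quantity"] * record["unit_price"] * (1 - record["discount_pct"] / 100)
    return round(net, 2)


def enter_orders(records, with_limit_check):
    """Feed records through entry; returns (processed, rejected)."""
    processed, rejected = [], []
    for rec in records:
        if with_limit_check:
            try:
                limit_check(rec)
            except LimitCheckError as err:
                rejected.append((rec, str(err)))
                continue
        processed.append({**rec, "total": order_total(rec)})
    return processed, rejected


def recalc_sample(processed, sample_size, seed=0):
    """Detective control: recompute the total for a sample of processed orders.

    This can only expose processing errors. A wrongly entered input value
    reproduces the same wrong output on recalculation, so the sample passes.
    """
    rng = random.Random(seed)
    sample = rng.sample(processed, min(sample_size, len(processed)))
    return [o for o in sample if order_total(o) != o["total"]]


# Constructed input: ord-2 has its discount keyed in as 500 instead of 5.
SAMPLE_ORDERS = [
    {"id": "ord-1", "quantity": 10, "unit_price": 25.00, "discount_pct": 5},
    {"id": "ord-2", "quantity": 10, "unit_price": 25.00, "discount_pct": 500},
    {"id": "ord-3", "quantity": 3, "unit_price": 99.99, "discount_pct": 0},
]


if __name__ == "__main__":
    without, _ = enter_orders(SAMPLE_ORDERS, with_limit_check=False)
    print("no limit check:", [(o["id"], o["total"]) for o in without])
    print("recalculation of the sample flags:", recalc_sample(without, sample_size=3))
    with_check, rejected = enter_orders(SAMPLE_ORDERS, with_limit_check=True)
    print("with limit check:", [(o["id"], o["total"]) for o in with_check])
    print("rejected at entry:", [msg for _, msg in rejected])
```

Run as-is: without the limit check, ord-2 is processed to a total of -1000.0 and the recalculation of all three orders flags nothing, because the arithmetic was correct for the value that was entered; with the limit check, ord-2 never reaches processing and the rejection message names the out-of-range field. That is the distinction the answers above draw: recalculation tests processing integrity, a limit check prevents the bad input.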

#4 jaguaar
Quote Originally Posted by TechGuru80:
    The first...UAT happens during development to help make sure no requirements were missed. think of UAT as part of the development process.

    The second...A first of all isn’t a control...also the question specifically says input values were entered incorrectly. They aren’t testing the integrity in this question.

    Third...separation of duties is a type of control but it’s not always possible to be used, and doesn’t hit on ALL the controls needed like answer A. The question doesn’t mention assets so that’s another discussion, but an auditor should be concerned that ALL protections are in place not JUST separation of duties.
1. Yes, you do have a strong point about UAT being part of the development process. Good point. Thanks.
2. I was thinking of manual recalculation as the control from the input perspective, that someone should recheck the input, but then again that is not the same as recalculating. Manual recalculation won't work. Agreed.
3. OK, fine, all controls are better than SoD alone.
    NetworkNewb and TechGuru80 - Thanks a lot for the answers. Big help indeed.