Correct Answer: C

The best compensating control when segregation of duties is lacking in a small IS department is transaction log review. Transaction log review can help detect any unauthorized or fraudulent activities performed by IS staff who have access to multiple functions or systems. Transaction log review can also provide an audit trail for accountability and investigation purposes. The other options are not as effective as transaction log review in compensating for the lack of segregation of duties. Background checks are preventive controls that can help screen potential employees for any criminal records or dishonest behavior, but they do not prevent existing employees from abusing their access privileges. User awareness training is a detective control that can help educate users on how to report any suspicious or abnormal activities in the IS environment, but it does not monitor or verify the actions of IS staff. Mandatory holidays are deterrent controls that can discourage IS staff from engaging in fraudulent activities by requiring them to take periodic leave, but they do not prevent or detect such activities when they occur. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

Correct Answer: A

Stress testing is a type of performance testing that evaluates the behavior and reliability of a system under extreme conditions, such as high workload, limited resources, or concurrent users. Stress testing should ideally be carried out under a test environment with production workloads, as this would simulate the most realistic and demanding scenario for the system without affecting the actual production environment. A production environment with production workloads is not suitable for stress testing, as it could cause disruption or damage to the system and its users. A production environment with test data is not suitable for stress testing, as it could compromise the integrity and security of the production data. A test environment with test data is not suitable for stress testing, as it could underestimate the potential issues and risks that could occur in the production environment. References: CISA Review Manual, 27th Edition, pages 471-4721 CISA Review Questions, Answers and Explanations Database, Question ID: 261

Correct Answer: D

The first step in assessing the controls within a newly implemented call center is to evaluate the operational risk associated with the call center. This will help the IS auditor to identify the potential threats, vulnerabilities, and impacts that could affect the call center's objectives, performance, and availability. The evaluation of operational risk will also provide a basis for determining the scope, objectives, and approach of the audit. The other options are possible audit procedures, but they are not the first step in the audit process. References: ISACA Frameworks: Blueprints for Success, CISA Review Manual (Digital Version)

Correct Answer: A

The best way to identify whether the IT help desk is meeting service level agreements (SLAs) is A. Review exception reports. Exception reports are documents that highlight any deviations from the agreed service levels, such as breaches,

delays, or failures. They can help the IT help desk to monitor their performance, identify root causes, and implement corrective actions. Reviewing exception reports can also help the IT help desk to communicate with the end users and

stakeholders about any service issues and their resolution.

Reference: IT help desk support SLA, Section 4: Reporting and Reviewing Service Levels, Page 3.

Correct Answer: B

Correct Answer: D

A mirror backup is a type of backup that creates an exact copy of the source data to the destination, without using any compression or encryption. A mirror backup is the best backup scheme to recommend given the need for a shorter restoration time in the event of a disruption, because it allows for the fastest and easiest recovery of data. A mirror backup does not store any previous versions of the files, so it only reflects the current state of the source data. Therefore, a mirror backup requires less storage space than a full backup, but more than an incremental or differential backup. A differential backup is a type of backup that stores the changes made to the source data since the last full backup. A differential backup requires less storage space and time than a full backup, but more than an incremental backup. However, a differential backup also requires more time and resources to restore than a mirror or full backup, because it needs to combine the last full backup and the latest differential backup to recover the data. A full backup is a type of backup that copies all the files and folders from the source data to the destination, regardless of whether they have changed or not. A full backup provides the most complete protection of data and the simplest recovery process, but it also requires the most storage space and time to perform. A full backup is usually done periodically, such as weekly or monthly, and followed by incremental or differential backups. An incremental backup is a type of backup that stores the changes made to the source data since the last backup, whether it was a full or an incremental backup. An incremental backup requires the least storage space and time to perform, but it also requires the most time and resources to restore, because it needs to combine all the previous backups in chronological order to recover the data.

Correct Answer: B

Correct Answer: A

For your exam you should know below information about agile development:

Agile software development is a group of software development methods based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams. It promotes adaptive planning, evolutionary development and delivery, a time-boxed iterative approach, and encourages rapid and flexible response to change. It is a conceptual framework that promotes foreseen tight iterations throughout the development cycle.

Agile Development

The Agile Manifesto introduced the term in 2001. Since then, the Agile Movement, with all its values, principles, methods, practices, tools, champions and practitioners, philosophies and cultures, has significantly changed the landscape of the

modern software engineering and commercial software development in the Internet era.

Agile principles

The Agile Manifesto is based on twelve principles:

Customer satisfaction by rapid delivery of useful software

Welcome changing requirements, even late in development

Working software is delivered frequently (weeks rather than months)

Close, daily cooperation between business people and developers

Projects are built around motivated individuals, who should be trusted

Face-to-face conversation is the best form of communication (co-location)

Working software is the principal measure of progress

Sustainable development, able to maintain a constant pace

Continuous attention to technical excellence and good design

Simplicity--the art of maximizing the amount of work not done--is essential

Self-organizing teams

Regular adaptation to changing circumstances

What is Scrum?

Scrum is the most popular way of introducing Agility due to its simplicity and flexibility. Because of this popularity, many organizations claim to be "doing Scrum" but aren't doing anything close to Scrum's actual definition. Scrum emphasizes

empirical feedback, team self-management, and striving to build properly tested product increments within short iterations. Doing Scrum as it's actually defined usually comes into conflict with existing habits at established non-Agile

organizations.

The following were incorrect answers:

Software prototyping- Software prototyping, refers to the activity of creating prototypes of software applications, i.e., incomplete versions of the software program being developed. It is an activity that can occur in software development and is

comparable to prototyping as known from other fields, such as mechanical engineering or manufacturing.

Rapid application development (RAD) is a software development methodology that uses minimal planning in favor of rapid prototyping. The "planning" of software developed using RAD is interleaved with writing the software itself. The lack of

extensive per-planning generally allows software to be written much faster, and makes it easier to change requirements.

Component Based Development - It is a reuse-based approach to defining, implementing and composing loosely coupled independent components into systems. This practice aims to bring about an equally wide-ranging degree of benefits in

both the short-term and the long-term for the software itself and for organizations that sponsor such software.

Reference:

CISA review manual 2014 Page number 194

Correct Answer: B

Correct Answer: D