Isaca CISA Exam - Topic 6 Question 89 Discussion

Actual exam question for Isaca's CISA exam

Question #: 89
Topic #: 6

[All CISA Questions]

An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?

AIdentify existing mitigating controls.

BDisclose the findings to senior management.

CAssist in drafting corrective actions.

DAttempt to exploit the weakness.

Show Suggested Answer

Suggested Answer: A

When an IS auditor discovers a security weakness in the database configuration, the next course of action should be to identify existing mitigating controls. This involves assessing whether any controls are already in place to address the weakness and mitigate the risk.Understanding the current state of controls helps the auditor determine the severity of the issue and whether additional corrective actions are necessary1.Reference:1(https://www.isaca.org/resources/insights-and-expertise/audit-programs-and-tools)

by Phil at Sep 17, 2024, 08:43 PM

Limited Time Offer

25%

Off

Get Premium CISA Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Barbra

3 months ago

C seems like a good move, but isn't it a bit premature?

upvoted 0 times

...

Carlton

3 months ago

Agree with B, management needs to know ASAP!

upvoted 0 times

...

Oliva

3 months ago

Wait, why would you attempt to exploit the weakness? That sounds risky!

upvoted 0 times

...

Roxanne

4 months ago

I think identifying existing mitigating controls is a good first step too.

upvoted 0 times

...

Mari

4 months ago

Definitely should disclose the findings to senior management.

upvoted 0 times

...

Yasuko

4 months ago

Attempting to exploit the weakness seems risky and unethical. I doubt that's the right approach for an auditor, but I could be wrong.

upvoted 0 times

...

Juan

4 months ago

I practiced a similar question, and I feel like assisting in drafting corrective actions could be a good next step, but it might depend on the severity of the weakness.

upvoted 0 times

...

Coral

4 months ago

I'm not entirely sure, but I remember something about the importance of disclosing findings to management. That might be the right move here.

upvoted 0 times

...

Louann

5 months ago

I think the auditor should first identify existing mitigating controls. It seems like a logical step before escalating the issue.

upvoted 0 times

...

Corinne

5 months ago

Whoa, hold up! Option D, attempting to exploit the weakness, is definitely not the way to go. That could make the situation much worse. I'd steer clear of that one.

upvoted 0 times

...

Ruthann

5 months ago

I'm pretty confident that the right answer is B - disclosing the findings to senior management. That's the responsible thing to do, and they'll be able to oversee the appropriate corrective measures.

upvoted 0 times

...

Dorothy

5 months ago

I'm a bit confused here. Shouldn't the auditor first identify any existing controls that could help mitigate the weakness? Option A seems like a logical first step before deciding on further actions.

upvoted 0 times

...

Adaline

5 months ago

Okay, let's see. The auditor has identified a security weakness, so the next step should be to address that and mitigate the risk. I'm leaning towards option C - assisting in drafting corrective actions.

upvoted 0 times

...

Nickie

5 months ago

Hmm, this is a tricky one. I'll need to carefully consider the options and think through the potential consequences of each course of action.

upvoted 0 times

...

Hoa

5 months ago

Improper segregation of duties is a classic red flag for potential fraud, so I would say that's the most likely answer. The other options could also indicate increased fraud risk, but segregation of duties issues are a clear sign to dig deeper.

upvoted 0 times

...

Pearline

1 year ago

Option D? Really? That's like trying to put out a fire by throwing gasoline on it. Let's stick to the professional approach and go with B or C.

upvoted 0 times

Huey

1 year ago

C) Assist in drafting corrective actions.

upvoted 0 times

...

Dalene

1 year ago

B) Disclose the findings to senior management.

upvoted 0 times

...

Lonny

1 year ago

A) Identify existing mitigating controls.

upvoted 0 times

...

Ernestine

1 year ago

Wait, we can't just start exploiting the weakness, that's like trying to beat a video game by cheating. I'd go with option C - assist in drafting corrective actions to fix this properly.

upvoted 0 times

Winfred

1 year ago

Identifying existing mitigating controls could also be helpful in understanding the current state of security measures.

upvoted 0 times

...

Erick

1 year ago

It's important to work with the team to come up with a solution rather than trying to exploit the weakness.

upvoted 0 times

...

Georgiann

1 year ago

I agree, we should definitely help draft corrective actions to address the security weakness.

upvoted 0 times

...

Jacklyn

1 year ago

Hmm, I think option A is the way to go. Let's see if there are any existing controls that can mitigate the issue before we go nuclear and disclose it to the higher-ups.

upvoted 0 times

...

Coletta

1 year ago

Option B all the way! Transparency is key, and senior management needs to know about this weakness ASAP. Once they're aware, we can work on the corrective actions.

upvoted 0 times

...

Roslyn

1 year ago

I believe the IS auditor should also assist in drafting corrective actions to address the security weakness.

upvoted 0 times

...

Amber

1 year ago

Clearly, option D is a big no-no. We don't want to create more problems than we already have. I'd say B and C are the way to go - disclose it to management and help them fix it.

upvoted 0 times