Correct Answer: D

Identifying business processes associated with personal data exchange with the affected jurisdiction is the most helpful activity in making an assessment of the organization's level of exposure in the affected country. An IS auditor should

understand how the organization's business operations and functions rely on or involve the cross- border transfer of personal data, as well as the potential impacts and risks of the new regulation on the business continuity and compliance.

The other options are less helpful activities that may provide additional information or context for the assessment, but not its primary focus. References:

CISA Review Manual (Digital Version), Chapter 7, Section 7.4.21 CISA Review Questions, Answers and Explanations Database, Question ID 221

Correct Answer: C

Attribute sampling is a method of audit sampling that is used to test the effectiveness of controls by measuring the rate of deviation from a prescribed procedure or attribute. Attribute sampling is suitable for testing compliance with the data center's physical access log system, as the auditor can compare the identification document numbers and photos of the visitors with the records in the system and determine whether there are any discrepancies or errors. Attribute sampling can also provide an estimate of the deviation rate in the population and allow the auditor to draw a conclusion about the operating effectiveness of the control. Variable sampling, on the other hand, is a method of audit sampling that is used to estimate the amount or value of a population by measuring a characteristic of interest, such as monetary value, quantity, or size. Variable sampling is not appropriate for testing compliance with the data center's physical access log system, as the auditor is not interested in estimating the value of the population, but rather in testing whether the system is operating as intended. Quota sampling and haphazard sampling are both examples of non-statistical sampling methods that do not use probability theory to select a sample. Quota sampling involves selecting a sample based on certain criteria or quotas, such as age, gender, or location. Haphazard sampling involves selecting a sample without any specific plan or method. Both methods are not suitable for testing compliance with the data center's physical access log system, as they do not ensure that the sample is representative of the population and do not allow the auditor to measure the sampling risk or project the results to the population. Therefore, attribute sampling is the most useful sampling method for an IS auditor conducting compliance testing for the effectiveness of the data center's physical access log system. References: Audit Sampling - What Is It, Methods, Example, Advantage, Reason ISA 530: Audit sampling | ICAEW

Correct Answer: A

The best indication to an IS auditor that management's post-implementation review was effective is that lessons learned were documented and applied, as this shows that the management has identified and addressed the issues and gaps that arose during the implementation, and has improved the processes and practices for future projects. Business and IT stakeholders participating in the post-implementation review is a good practice, but it does not guarantee that the review was effective or that the outcomes were implemented. Post-implementation review being a formal phase in the system development life cycle (SDLC) is a requirement, but it does not ensure that the review was effective or that the outcomes were implemented. Internal audit follow-up being completed without any findings is a desirable result, but it does not indicate that the management's post- implementation review was effective or that the outcomes were implemented. References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.2: Project Management Practices1

Correct Answer: D

Correct Answer: A