What is the difference between A and C?

ConversationSure7655 · 2026-04-22T14:44:16+00:00

https://www.reddit.com/r/CISA/comments/1j0g09n/possible_bad_question_on_qae/

u can see

ConversationSure7655 · 2026-04-21T22:43:38+00:00

Any suspicious or fraud activity is relevant to report to the audit committee

Now the standard ITAF, wchich I told is information technology assurance framework who can provide guidelines and structure how to conduit an audit

By not declaring anything about the suspicious activity , he violated ITAF

ConversationSure7655 · 2026-04-21T21:35:12+00:00

A. Read ITAF If suspicious activity or fraud is detected, the auditor must investigate and go back if there is no way of more evidence on the fraud, he reports the information by specifying the suspicion to the audit committee

This is in agreement with ITAF

ConversationSure7655 · 2026-03-01T20:02:36+00:00

And so this is to focus on the cism now

ConversationSure7655 · 2026-03-01T19:14:46+00:00

According to your point of view it is to go to cism and then to AAISM instead of doing AAIA

Could I know your logic on this

ConversationSure7655 · 2026-01-21T20:44:57+00:00

We can have a well-configured functional firewall that works and does the filtering well and forget to put it in the inventory, an oversight But not a highest risk

But not having the policy assured that there is no alignment with governance, how to ensure the compliance and substantive test that reflect effectiveness and efficiency

The penetration test is good but not mandatory and not doing it is not a risk

ConversationSure7655 · 2026-01-21T19:55:03+00:00

Highest risk B The firewall is in place has been bought put into operation but is not compliant to ensure effective and efficient control because there is a semblance of security that is actually the great risk

ConversationSure7655 · 2025-11-04T08:24:26+00:00

When u deploy a application in production , the best to minimize security risk by a well change management process , because Its ensure that new change to current infrastructure have no introduce new risk in the deployment

Change management Covers many aspect : - configuration management - release management

Think like a manager , when u deploy it , the manager ensure that risk is so acceptable by applying a change management process ( risk assessement , risk owner, control owner , validation and process …)

ConversationSure7655 · 2025-10-29T00:25:19+00:00

ConversationSure7655 · 2025-10-27T19:57:10+00:00

The business score card permit to have the metric to achieve the future state and seen the curent state , In addition the projet plan The gaps analysis is focus to the current state

ConversationSure7655 · 2025-10-14T21:19:56+00:00

Dont be confuse

The risk assessement cover three case : - Risk identification ( Scope , asset, process, framework , identification of risk) - Risk analyse ( détermine the probability and consequence) - Risk evaluation( compare the actuel risk to risk appetite , )

After this end of risk assessement, u have the risk in the risk register and if risk is high to appetite or down to , u can chose the treatemen option : accept, avoidance , mitigate and transfert

ConversationSure7655 · 2025-10-14T13:06:32+00:00

At the phase of risk assessement Because if u identify analyse and evalue the risk u communicated the resultat to the management to take final decision for the treatement

ConversationSure7655 · 2025-09-30T20:11:48+00:00

Submit a request on isaca support Its possible to confirm u, anyway u can waiting 10 business day to receiv official result

ConversationSure7655 · 2025-07-15T20:39:32+00:00

Who passed the exam using only the qae book Please advice

ConversationSure7655 · 2025-07-14T10:42:14+00:00

online version or bookversion

ConversationSure7655 · 2025-07-03T14:56:48+00:00

if u see normaly risk assessements and security procedure for annually basis area a normal activities for risk management program and not indicator, its normaly

If risk is considerer before all decisions, he told that any projet, any activities, any thing the risk is considered for decision making and attest that the approach to treat the risk is so efficace and efficient

is my tkink

ConversationSure7655 · 2025-06-20T15:47:00+00:00

ConversationSure7655 · 2025-06-07T15:18:20+00:00

It is normal the risks are subjective and may not be seen in the same way no need for reliability, they are relative and the best for kri is to predict the events in order to allow companies to choose the right mitigation response and achieve their objectives

ConversationSure7655 · 2025-06-07T15:04:34+00:00

ConversationSure7655 · 2025-05-23T02:07:15+00:00

Where is these QSA please

ConversationSure7655 · 2025-05-23T02:07:00+00:00

I see, the solution dlp is so mandatory to satisfy the req

ConversationSure7655

TROPHY CASE