CISA Question #191: Real Exam Question with Answer & Explanation

The correct answer is A: Conduct scenario-based testing in a testing environment.

Submitted by akirajp · Apr 18, 2026 · Information System Auditing Process

Question

A bank has developed an automated credit decision engine for loan applications based on defined rules. Which of the following is the BEST way to gain assurance for the design and operating effectiveness of the rules?

Options

  • A. Conduct scenario-based testing in a testing environment
  • B. Perform a walk-through of system function with an end user in the live environment
  • C. Inspect the technical design documentation and manual
  • D. Review the change testing report summary and confirm its approval

Explanation

Scenario-based testing in a controlled testing environment is the best approach because it provides direct, hands-on evidence of both whether the rules were built correctly (design effectiveness) and whether they produce the right outputs under real conditions (operating effectiveness) - no other option addresses both dimensions simultaneously. Option B (walk-through in live environment) is limited in scope, exposes real customers to risk, and is more of an understanding exercise than a rigorous assurance technique. Option C (reviewing documentation) only tells you what was intended, not what the system actually does, so it fails the operating effectiveness test. Option D (reviewing a change testing report summary) is indirect - you're relying on someone else's summarized results rather than generating your own evidence, which reduces assurance quality.

Memory tip: The two-word phrase "design AND operating" is your signal - only active testing can prove both. Whenever a question asks for assurance over both dimensions of a control, look for the answer that involves actually running the system, not reading about it.

Topics

#Automated Systems Auditing · #Testing Techniques · #Design Effectiveness · #Operating Effectiveness
