Page | 1
CISA DOMAIN 1 QUESTIONS WITH
DETAILED VERIFIED ANSWERS
An IS auditor is conducting a compliance test to determine whether
controls support management policies and procedures. The test will assist
the IS auditor to determine: Ans: That the control is operating as
designed
Compliance tests can be used to test the existence and effectiveness of a
defined process. Understanding the objective of a compliance test is
important. IS auditors want reasonable assurance that the controls they
are relying on are effective. An effective control is one that meets
management expectations and objectives.
When developing a risk management program, what is the first activity to
be performed? Ans: Inventory of assets.
Identification of the assets to be protected is the first step in developing a
risk management program.
The primary purpose of an IT forensic audit is: Ans: The systemic
collection and analysis of evidence after a system irregularity.
Due to resource constraints of the IS audit team, the audit plan as
originally approved cannot be completed. Assuming that the situation is
communicated in the audit report, which course of action is most
acceptable:
Test the adequacy of the control design
Test the operational effectiveness of the control
Focus on auditing high risk areas
Relying on management testing of controls. Ans: Focus on high risk
areas. Reducing the scope and focusing on auditing high-risk areas is the
bets course of action.
, Page | 2
While planning an IS audit, an assessment of risk should be made to
provide: Ans: Reasonable assurance that the audit will cover material
items.
ISACA IS Audit and Assurance Guideline 2202 (Risk Assessment in
Planning) states that the applied risk assessment approach should help
with the prioritization and scheduling process of the IS audit and
assurance work. It should support the selection process of areas and
items of audit interest and the decision process to design and conduct
particular IS audit engagements.
Which of the following best describes the purpose of performing a risk
assessment in the planning phase of an IS audit:
Establish adequate staffing requirements to complete the IS audit
To provide reasonable assurance that all material items will be addressed
To determine the skills required to perform the IS audit
To develop the audit program and procedures Ans: To provide
reasonable assurance that all material items will be addressed.
A risk assessment helps focus the audit procedures on the highest risk
areas included in the scope of the audit.
A financial institution with multiple branch offices has an automated
control that requires the branch manager to approve transactions more
than a certain amount. What type of audit control is this? Ans:
Preventative.
An IS auditor is validating a control that involved a review of system
generated exception reports. Which of the following is the best evidence
of the effectiveness of the control.
1- Walkthrough with the reviewer of the operation of the control
2- System generated exception report for the review period with the
reviewers sign off
, Page | 3
3- A sample system generated exceptions report for the review period,
with follow-up action items noted by the reviewer
4- Management's confirmation of the effectiveness of the control for the
review period. Ans: A sample system generated exceptions report for
the review period, with follow-up action items noted by the reviewer.
A sample of a system generated report with evidence that the reviewer
followed up on the exception represents the best possible evidence of the
effective operation of the control because there is documented evidence
that the reviewer has reviewed and taken actions based on the exception
report.
Which of the following is the most important skill an IS auditor should
develop to understand the constraints of conducting an audit:
1 - Contingency Planning
2 - IS Management resource allocation
3 - Project Management
4 - Knowledge of internal controls Ans: Project Management
The internal audit department has written some scripts that are used for
continuous auditing of some information systems. The IT department has
asked for copies of the scripts so that they can use them for setting up a
continuous monitoring process on key systems. Would sharing these
scripts with IT effect the ability of IS auditors to independently and
objectively audit the IT function? Ans: No. Sharing the scripts is
permissible as long as IT recognizes that audits may still be conducted in
areas not covered in the scripts.
IS Audit can still review all aspects of the systems. They may not be able
to review the effectiveness of the scripts themselves, but they can still
audit the systems.
When slecting audit procedures, an IS auditor should use professional
judgement to ensure that: Ans: Sufficient evidence will be collected.
, Page | 4
Procedures are processes an IS auditor may follow in an audit
engagement. In determining the appropriateness of any specific
procedure, an IS auditor should use professional judgment appropriate to
the specific circumstance. Professional judgement involves a subjective
and often qualitative evaluation of conditions arising in the course of an
audit. Judgment address a grey area where binary (yes/no) decisions are
not appropriate and the IS auditor's past experience plays a key role in
making a judgement. The IS auditor should use judgement in assessing
the sufficiency of evidence to be collected. ISACA's guidelines provide
information on how to meet the standards when performing IS audit
work.
During the planning s stage of an IS audit, the primary goal of an IS
auditor is to Ans: Address audit objectives
ISACA IS Audit and Assurance Standards requires that an IS auditor plan
the audit work to address the audit objectives.
An IS auditor is verifying that some of the policies have not been
approved by managedment (as required by policy), but the employee
strictly follow the policies. What should the IS auditor do first?
A) Ignore the absences of management approval because the employee
follow the policies
B) Recommend immediate management approval of the policies
C) Emphasize the importance of approval to management
D) Report the absence of documented approval. Ans: D) Reoirt the
absence of documented approval.
The IS auditor must report the findings. Unapproved policies may present
a potential risk to the organization, even if they are being followed,
because this technically may prevent manament from enforcing the
policies in some cases, and may present legal issues.
An IS auditor has been assigned to conduct a test that compares job run
logs to computer job schedules. Which of the following observations
would be of the GREATEST concern to the IS auditor.
CISA DOMAIN 1 QUESTIONS WITH
DETAILED VERIFIED ANSWERS
An IS auditor is conducting a compliance test to determine whether
controls support management policies and procedures. The test will assist
the IS auditor to determine: Ans: That the control is operating as
designed
Compliance tests can be used to test the existence and effectiveness of a
defined process. Understanding the objective of a compliance test is
important. IS auditors want reasonable assurance that the controls they
are relying on are effective. An effective control is one that meets
management expectations and objectives.
When developing a risk management program, what is the first activity to
be performed? Ans: Inventory of assets.
Identification of the assets to be protected is the first step in developing a
risk management program.
The primary purpose of an IT forensic audit is: Ans: The systemic
collection and analysis of evidence after a system irregularity.
Due to resource constraints of the IS audit team, the audit plan as
originally approved cannot be completed. Assuming that the situation is
communicated in the audit report, which course of action is most
acceptable:
Test the adequacy of the control design
Test the operational effectiveness of the control
Focus on auditing high risk areas
Relying on management testing of controls. Ans: Focus on high risk
areas. Reducing the scope and focusing on auditing high-risk areas is the
bets course of action.
, Page | 2
While planning an IS audit, an assessment of risk should be made to
provide: Ans: Reasonable assurance that the audit will cover material
items.
ISACA IS Audit and Assurance Guideline 2202 (Risk Assessment in
Planning) states that the applied risk assessment approach should help
with the prioritization and scheduling process of the IS audit and
assurance work. It should support the selection process of areas and
items of audit interest and the decision process to design and conduct
particular IS audit engagements.
Which of the following best describes the purpose of performing a risk
assessment in the planning phase of an IS audit:
Establish adequate staffing requirements to complete the IS audit
To provide reasonable assurance that all material items will be addressed
To determine the skills required to perform the IS audit
To develop the audit program and procedures Ans: To provide
reasonable assurance that all material items will be addressed.
A risk assessment helps focus the audit procedures on the highest risk
areas included in the scope of the audit.
A financial institution with multiple branch offices has an automated
control that requires the branch manager to approve transactions more
than a certain amount. What type of audit control is this? Ans:
Preventative.
An IS auditor is validating a control that involved a review of system
generated exception reports. Which of the following is the best evidence
of the effectiveness of the control.
1- Walkthrough with the reviewer of the operation of the control
2- System generated exception report for the review period with the
reviewers sign off
, Page | 3
3- A sample system generated exceptions report for the review period,
with follow-up action items noted by the reviewer
4- Management's confirmation of the effectiveness of the control for the
review period. Ans: A sample system generated exceptions report for
the review period, with follow-up action items noted by the reviewer.
A sample of a system generated report with evidence that the reviewer
followed up on the exception represents the best possible evidence of the
effective operation of the control because there is documented evidence
that the reviewer has reviewed and taken actions based on the exception
report.
Which of the following is the most important skill an IS auditor should
develop to understand the constraints of conducting an audit:
1 - Contingency Planning
2 - IS Management resource allocation
3 - Project Management
4 - Knowledge of internal controls Ans: Project Management
The internal audit department has written some scripts that are used for
continuous auditing of some information systems. The IT department has
asked for copies of the scripts so that they can use them for setting up a
continuous monitoring process on key systems. Would sharing these
scripts with IT effect the ability of IS auditors to independently and
objectively audit the IT function? Ans: No. Sharing the scripts is
permissible as long as IT recognizes that audits may still be conducted in
areas not covered in the scripts.
IS Audit can still review all aspects of the systems. They may not be able
to review the effectiveness of the scripts themselves, but they can still
audit the systems.
When slecting audit procedures, an IS auditor should use professional
judgement to ensure that: Ans: Sufficient evidence will be collected.
, Page | 4
Procedures are processes an IS auditor may follow in an audit
engagement. In determining the appropriateness of any specific
procedure, an IS auditor should use professional judgment appropriate to
the specific circumstance. Professional judgement involves a subjective
and often qualitative evaluation of conditions arising in the course of an
audit. Judgment address a grey area where binary (yes/no) decisions are
not appropriate and the IS auditor's past experience plays a key role in
making a judgement. The IS auditor should use judgement in assessing
the sufficiency of evidence to be collected. ISACA's guidelines provide
information on how to meet the standards when performing IS audit
work.
During the planning s stage of an IS audit, the primary goal of an IS
auditor is to Ans: Address audit objectives
ISACA IS Audit and Assurance Standards requires that an IS auditor plan
the audit work to address the audit objectives.
An IS auditor is verifying that some of the policies have not been
approved by managedment (as required by policy), but the employee
strictly follow the policies. What should the IS auditor do first?
A) Ignore the absences of management approval because the employee
follow the policies
B) Recommend immediate management approval of the policies
C) Emphasize the importance of approval to management
D) Report the absence of documented approval. Ans: D) Reoirt the
absence of documented approval.
The IS auditor must report the findings. Unapproved policies may present
a potential risk to the organization, even if they are being followed,
because this technically may prevent manament from enforcing the
policies in some cases, and may present legal issues.
An IS auditor has been assigned to conduct a test that compares job run
logs to computer job schedules. Which of the following observations
would be of the GREATEST concern to the IS auditor.
