Domain 1 (CISA Review Questions, Answers & Explanations Manual, 12th Edition | Print | English) With Questions And 100% SURE ANSWERS
A1-1 The internal audit department wrote some scripts that are used for continuous auditing of some information systems. The IT department asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Does sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?

A. Sharing the scripts is not permitted because it gives IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all programs and software that run on IS systems regardless of audit independence.
C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audi

C is the correct answer.

Justification:
A. The ability of IT to continuously monitor and address any issues on IT systems does not affect the ability of IS audit to perform a comprehensive audit.
B. Sharing the scripts may be required by policy for quality assurance and configuration management, but that does not impair the ability to audit.
C. IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts, but they can still audit the systems.
D. An audit of an IS system encompasses more than just the controls covered in the scripts.
A1-2 Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?

A. Complexity of the organization's operation
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. Auditor's familiarity with the organization

C is the correct answer.

Justification:
A. The complexity of the organization's operation is a factor in the planning of an audit but does not directly affect the determination of how much data to collect. The extent of data collection is subject to the intensity, scope and purpose of the audit.
B. Prior findings and issues are factors in the planning of an audit but do not directly affect the determination of how much data to collect. Data must be collected outside of areas of previous findings.
C. The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection, such as sample size or means of data collection.
D. An auditor's familiarity with the organization is a factor in the planning of an audit but does not directly affect the determination of how much data to collect. The audit must be based on sufficient evidence of the monitoring of controls and not unduly influenced by the auditor's familiarity with the organization.
A1-3 An IS auditor is developing an audit plan for an environment that includes new systems. The organization's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

A. Audit the new systems as requested by management.
B. Audit systems not included in last year's scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year's scope and the new systems.

C is the correct answer.

Justification:
A. Auditing the new system does not reflect a risk-based approach. Although the system can contain sensitive data and may present risk of data loss or disclosure to the organization, without a risk assessment, the decision to solely audit the newly implemented system is not a risk-based decision.
B. Auditing systems not included in the previous year's scope does not reflect a risk-based approach. In addition, management may know about problems with the new system and may be intentionally trying to steer the audit away from that vulnerable area. Although, at first, the new system may seem to be the riskiest area, an assessment must be conducted rather than relying on the judgment of the IS auditor or IT manager.
C. The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."
D. The creation of the audit plan should be performed in cooperation with management and based on risk. The IS auditor should not arbitrarily decide on what needs to be audited.
A1-4 An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?

A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.

A is the correct answer.

Justification:
A. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management can then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.
B. It is not acceptable for the IS auditor to ignore areas of potential weakness because conclusive evidence could not be obtained within the agreed-on audit time frame. ISACA IS Audit and Assurance Standards are violated if these areas are omitted from the audit report.
C. Extending the time frame for the audit and delaying the go-live date is unlikely to be acceptable in this scenario where the system involved is business-critical. In any case, a delay to the go-live date must be the decision of business management, not the IS auditor. In this scenario, the IS auditor should present business management with all available information by the agreed-on date.
D. Failure to obtain sufficient evidence in one part of an audit engagement does not justify cancelling or postponing the audit; this violates the audit guideline concerning due professional care.