Exam (elaborations)

CISA STUDY GUIDE QUESTIONS WITH COMPLETE SOLUTIONS

Pages
73
Grade
A+
Uploaded on
12-04-2025
Written in
2024/2025

Institution
CISA - Certified Information Systems Auditor
Course
CISA - Certified Information Systems Auditor

Content preview

CISA STUDY GUIDE QUESTIONS WITH
COMPLETE SOLUTIONS
The most important step in risk analysis is to identify:

a. Competitors
b. controls
c. vulnerabilities
d. liabilities - ANSWER-c. vulnerabilities

In risk-based audit planning, an IS auditor's first step is to identify:

a. responsibilities of stakeholders
b. high-risk areas within the organization
c. cost centre
d. profit centre - ANSWER-b. high-risk areas within the organization

When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:

a. segregation of duties to mitigate risks is in place
b. all the relevant vulnerabilities and threats are identified
c. regulatory compliance is adhered to
d. business is profitable - ANSWER-b. all the relevant vulnerabilities and threats are
identified

An IS auditor has identified certain threats and vulnerabilities in a business process. Next, the IS
auditor should:

a. identify stakeholders for that business process
b. identify information assets and the underlying systems
c. disclose the threats and impacts to management
d. identify and evaluate the existing controls - ANSWER-d. identify and evaluate
the existing controls

The major advantage of a risk-based approach to audit planning is:

a. Audit planning can be communicated to client in advance
b. Audit activity can be completed within allotted budget
c. use of latest technology for audit activities
d. Appropriate utilisation of resources for high risk areas - ANSWER-d. Appropriate
utilisation of resources for high risk areas

While determining the appropriate level of protection for an information asset, an IS
auditor should primarily focus on:

a. Criticality of information assets
b. cost of information assets
c. Owner of information asset
d. result of vulnerability assessment - ANSWER-a. Criticality of information assets

The decisions and actions of an IS auditor are MOST likely to affect which of the
following risks?

a. Inherent
b. Detection
c. Control
d. Business - ANSWER-b. Detection

The risk of an IS auditor certifying the existence of proper systems and procedures without
using an adequate test procedure is an example of:

a. inherent risk
b. control risk
c. detection risk
d. audit risk - ANSWER-c. Detection risk

Overall business risk for a particular threat can be expressed as:

a. a product of the probability and impact
b. probability of occurrence
c. magnitude of impact
d. assumption of the risk assessment team - ANSWER-a. a product of the probability
and impact

The most important factor while evaluating controls is to ensure that the controls:

a. address the risk
b. do not reduce productivity
c. are less costly than the risk
d. are automated - ANSWER-a. address the risk

The susceptibility of a business or process to make an error that is material in nature,
assuming there were no internal controls:

a. inherent risk
b. control risk
c. detection risk
d. correction risk - ANSWER-a. inherent risk

The risk that the controls put in place will not prevent, correct, or detect errors on a
timely basis:

a. inherent risk
b. control risk
c. detection risk
d. correction risk - ANSWER-b. control risk

Which of the following factors should an IS auditor primarily consider when determining
the acceptable level of risk?

a. risk acceptance is the responsibility of senior management
b. all risks do not need to be eliminated for a business to be profitable
c. risks must be identified and documented in order to perform proper analysis on them
d. line management should be involved in the risk analysis because management sees
risks daily that others would not recognize - ANSWER-c. risks must be identified and
documented in order to perform proper analysis on them

An audit charter should state management's objectives for and delegation of authority to
IS audit and MUST be:

a. approved by the top management
b. approved by the Chief Audit Officer
c. approved by the IS department
d. approved by IT steering committee - ANSWER-a. approved by the top management

The audit charter should be approved by the highest level of management and should:

a. be updated often to keep pace with the changing nature of technology and the audit
profession
b. include the audit calendar along with resource allocation
c. include a plan of action in case of disruption of business services
d. outline the overall authority, scope, and responsibilities of the audit function -
ANSWER-d. outline the overall authority, scope, and responsibilities of the audit
function

The primary purpose of an audit charter is to:

a. describe audit procedure
b. define resource requirement for audit department
c. prescribe the code of ethics used by the auditor
d. prescribe authority and responsibilities of audit department - ANSWER-d.
prescribe authority and responsibilities of audit department

An IS auditor is evaluating management's risk assessment of information systems. The
IS auditor should FIRST review:

a. the controls already in place
b. the effectiveness of the controls in place
c. mechanism for monitoring the risks related to the assets
d. the threats/vulnerabilities affecting the assets - ANSWER-d. the threats/vulnerabilities
affecting the assets

An IS auditor is conducting a data centre security review. Which of the following steps
would an IS auditor normally perform FIRST?

a. evaluate physical access controls
b. determine the risks/threats to the data centre site
c. review screening process for hiring security staff
d. evaluate logical access control - ANSWER-b. determine the risks/threats to the data
centre site

A risk assessment approach is more suitable when determining the appropriate level of
protection for an information asset because it ensures:

a. all information assets are protected
b. a basic level of protection is applied regardless of asset value
c. appropriate levels of protection are applied to information assets
d. only most sensitive information assets are protected - ANSWER-c. appropriate levels
of protection are applied to information assets

In a risk-based audit approach, an IS auditor should FIRST complete a(n):

a. inherent risk assessment
b. control risk assessment
c. test of control assessment
d. substantive test assessment - ANSWER-a. inherent risk assessment

In planning an audit, the MOST critical step is the identification of the:

a. areas of high risk
b. skill sets of the audit staff
c. test steps in the audit
d. time allotted for the audit - ANSWER-a. areas of high risk

Risk assessment process is:

a. subjective
b. objective
c. mathematical

Seller: NursingTutor1 (West Virginia University)