CISA EXAM REVIEW QUESTIONS
AND 100% CORRECT ANSWERS!!
Which of the following best describes the purpose of performing a risk assessment in
the planning phase of an IS audit:
Establish adequate staffing requirements to complete the IS audit
To provide reasonable assurance that all material items will be addressed
To determine the skills required to perform the IS audit
To develop the audit program and procedures
To provide reasonable assurance that all material items will be addressed.
A risk assessment helps focus the audit procedures on the highest risk areas included in the
scope of the audit.
A financial institution with multiple branch offices has an automated control that
requires the branch manager to approve transactions more than a certain amount. What
type of audit control is this?
Preventative.
An IS auditor is validating a control that involves a review of system-generated exception
reports. Which of the following is the best evidence of the effectiveness of the control?
1- Walkthrough with the reviewer of the operation of the control
2- System generated exception report for the review period with the reviewer's sign-off
3- A sample system generated exceptions report for the review period, with follow-up
action items noted by the reviewer
4- Management's confirmation of the effectiveness of the control for the review period.
A sample system generated exceptions report for the review period, with follow-up action items
noted by the reviewer.
A sample of a system generated report with evidence that the reviewer followed up on the
exception represents the best possible evidence of the effective operation of the control because
there is documented evidence that the reviewer has reviewed and taken actions based on the
exception report.
Which of the following is the most important skill an IS auditor should develop to
understand the constraints of conducting an audit:
1 - Contingency Planning
2 - IS Management resource allocation
3 - Project Management
4 - Knowledge of internal controls
Project Management
The internal audit department has written some scripts that are used for continuous
auditing of some information systems. The IT department has asked for copies of the
scripts so that they can use them for setting up a continuous monitoring process on key
systems. Would sharing these scripts with IT affect the ability of IS auditors to
independently and objectively audit the IT function?
No. Sharing the scripts is permissible as long as IT recognizes that audits may still be
conducted in areas not covered in the scripts.
IS Audit can still review all aspects of the systems. They may not be able to review
the effectiveness of the scripts themselves, but they can still audit the systems.
When selecting audit procedures, an IS auditor should use professional judgement to
ensure that:
Sufficient evidence will be collected.
Procedures are processes an IS auditor may follow in an audit engagement. In determining the
appropriateness of any specific procedure, an IS auditor should use professional judgment
appropriate to the specific circumstance. Professional judgement involves a subjective and often
qualitative evaluation of conditions arising in the course of an audit. Judgement addresses a grey
area where binary (yes/no) decisions are not appropriate and the IS auditor's past experience
plays a key role in making a judgement. The IS auditor should use judgement in assessing the
sufficiency of evidence to be collected. ISACA's guidelines provide information on how to meet
the standards when performing IS audit work.
During the planning stage of an IS audit, the primary goal of an IS auditor is to
Address audit objectives
ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work
to address the audit objectives.
An IS auditor finds that some of the policies have not been approved by
management (as required by policy), but employees strictly follow the policies.
What should the IS auditor do first?
A) Ignore the absence of management approval because employees follow the policies
B) Recommend immediate management approval of the policies
C) Emphasize the importance of approval to management
D) Report the absence of documented approval.
D) Report the absence of documented approval.
The IS auditor must report the findings. Unapproved policies may present a potential risk to the
organization, even if they are being followed, because this technically may prevent management
from enforcing the policies in some cases, and may present legal issues.
An IS auditor has been assigned to conduct a test that compares job run logs to computer
job schedules. Which of the following observations would be of the GREATEST concern
to the IS auditor?
A) There are a growing number of emergency changes.
B) There were instances when some jobs were not completed on time
C) There were instances when some jobs were overridden by computer operators
D) Evidence shows that only scheduled jobs were run.
C) There were instances when some jobs were overridden by computer operators.
The overriding of computer processing jobs by computer operators could lead to unauthorized
changes to data or programs.
An IS auditor is reviewing security controls for a critical web-based system prior to
implementation. The results of the penetration test are inconclusive, and the results will not
be finalized prior to implementation. Which of the following is the BEST option for the IS
auditor?
A) Publish a report based on the available information, highlighting the potential
security weaknesses and the requirement for follow-up audit testing.
B) Publish a report omitting the areas where the evidence obtained from testing
was inconclusive
C) Request a delay of the implementation date until additional security testing can be
completed and evidence of appropriate controls can be obtained.
D) Inform management that audit work cannot be completed prior to implementation and
recommend that the audit be postponed.
A) Publish a report based on the available information, highlighting the potential security
weaknesses and the requirement for follow up audit testing.
If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-upon time
frame, this fact should be highlighted in the audit report and follow-up testing should be