CISA Cert Exam Guide latest Updated Answered 100% Correct

Pages: 23
Grade: A+
Uploaded on: 16-10-2022
Written in: 2022/2023


Document information

Type: Exam
Contains: Questions and answers

Which of the following best describes a baseline document?
a. A PCI industry standard requiring a 15-minute session timeout
b. Installation step recommendations from the vendor for an Active Directory server
c. A network topography diagram of the Active Directory forest
d. Security configuration settings for an Active Directory server
ANSWER D. A baseline is correct because it is a platform-specific rule related to the
security configuration for an Active Directory server. Answers A, B, and C are not
platform specific.

Which of the following best describes integrated auditing?
a. Integrated auditing places internal control in the hands of management and reduces
the time between the audit and the time of reporting.
b. Integrated auditing combines the operational audit function, the financial audit
function, and the IS audit function.
c. Integrated auditing combines the operational audit function and the IS audit function.
d. Integrated auditing combines the financial audit function and the IS audit function
ANSWER B. Integrated auditing is a methodology that combines the operational audit
function, the financial audit function, and the IS audit function. Therefore, Answers C
and D are incorrect because they do not list all three types of functions to be integrated.
Answer A is incorrect because it describes control self-assessment (CSA), which is
used to verify the reliability of internal controls and places internal controls in the hands
of management.

Which storage of evidence would best preserve the chain of custody of evidence
obtained during an audit?
a. Locked department safe behind card access doors
b. Offsite location, such as home, out of reach by anyone at work
c. Archival at a third-party offsite facility
d. Locked cabinet on the department floor with only one key, in the possession of the
auditor
ANSWER D. The best choice would be a locked cabinet on the department floor with
only one key, in the possession of the auditor. With only one key in the auditor's
possession, there is clear accountability, and access is limited to one person.
Answer A is incorrect because multiple individuals may still have access to the safe.
Answer B is incorrect because it would call into question the security of the home and
the ability to restrict access to family members. Answer C is incorrect because
third-party access cannot be verified in a third-party site, given the way the facts were
presented.

Which of the following best describes risk that can be caused by the failure of internal
controls and can result in a material error?
a. Residual risk
b. Inherent risk
c. Detection risk
d. Control risk
ANSWER D. A control risk is risk caused by failure of internal controls; it can result in a
material error. Answer A is incorrect because residual risk is the amount of risk the
organization is willing to accept. Answer B is incorrect because inherent risk is the risk
that can occur because of the lack of compensating controls. Combined, inherent risks
can create a material risk. Answer C is incorrect because detection risk is the risk if an
auditor does not design tests in such a way as to detect a material risk.

Which of the following is not one of the best techniques for gathering evidence during
an audit?
a. Attend board meetings
b. Examine and review actual procedures and processes
c. Verify employee security awareness training and knowledge
d. Examine reporting relationships to verify segregation of duties
ANSWER A. Attending board meetings is not one of the best ways to gather evidence
during an audit. The best ways to gather evidence include observing employee activity,
examining and reviewing procedures and processes, verifying employee security
awareness training and knowledge, and examining reporting relationships to verify
segregation of duties.

Which of the following is not an advantage of control self-assessment (CSA)?
a. CSA helps provide early detection of risks.
b. CSA is an audit function replacement.
c. CSA reduces control costs.
d. CSA provides increased levels of assurance.
ANSWER B. CSA is not an audit function replacement. Answers A, C, and D are all
advantages of CSA.

If an auditor cannot obtain the material needed to complete an audit, what type of
opinion should the auditor issue?
a. Unqualified opinion
b. Qualified opinion
c. Adverse opinion
d. Disclaimer
ANSWER D. A disclaimer is used when an auditor cannot obtain appropriate evidence
on which to base an opinion.

Which of the following is the best example of general control procedures?
a. Internal accounting controls used to safeguard financial records
b. Business continuity and disaster-recovery procedures that provide reasonable
assurance that the organization is secure against disasters
c. Procedures that provide reasonable assurance for the control of access to data and
programs
d. Procedures that provide reasonable assurance and have been developed to control
and manage data-processing operations
ANSWER A. Internal accounting controls used to safeguard financial records are an
example of a general control procedure. Answers B, C, and D all describe information
system control procedures.

Which of the following describes a significant level of risk that the organization is
unwilling to accept?
a. Detection risk
b. Material risk
c. Business risk
d. Irregularities
ANSWER B. The word material describes a significant level of risk that the organization
is unwilling to accept. Answers A, C, and D do not define the term.

Which of the following is the most accurate description of a substantive test in which the
data represents fake entities such as products, items, or departments?
a. Parallel tests
b. Integrated test facility
c. Embedded audit module
d. Test data
ANSWER B. An integrated test facility is a type of substantive test that uses data
represented by fake entities, such as products, items, or departments.
Answer A is incorrect because a parallel test compares real results to those generated
by the auditor to compare the control function. Answer C is incorrect because
embedded audit modules identify and report specific transactions or other information,
based on predetermined criteria. Answer D is incorrect because test data uses
theoretical transactions to validate program logic and control mechanisms.

You need to review an organization's balance sheet for material transactions. Which of
the following would be the best sampling technique?
a. Attribute sampling
b. Frequency estimating sampling
c. Stop-and-go sampling
d. Variable sampling
ANSWER D. Variable sampling would be the best sampling technique to review an
organization's balance sheet for material transactions. It is also known as dollar
estimation. Answer A is incorrect because attribute sampling is used to determine the
rate of occurrence. Answer B is incorrect because frequency sampling is another name
for attribute sampling; both terms describe the same sampling technique.
Answer C is incorrect because stop-and-go sampling is used when an auditor believes
that only a few errors will be found in a population.

Which of the following best describes types of questions that might be on the CISA
exam related to how to implement specific risk types discussed in this chapter?
a. Task statements
b. Operational audits
c. Knowledge statements
d. Integrated audits
ANSWER A. Task statements describe how to apply knowledge statements. Answers B
and D are types of audits, not domain question types. Answer C is incorrect because
knowledge statements questions are the facts you are expected to know.

Which of the following is not a benefit of CSA?