CISA Exam Questions (Information
Systems Auditing Process)With
Correct Solutions!!
When evaluating the collective effect of preventive, detective and corrective controls
within a process, an IS auditor should be aware of which of the following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls are regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing -
ANSWERA.
An IS auditor who has discovered unauthorized transactions during a review of
electronic data interchange (EDI) transactions is likely to recommend improving the:
A. EDI trading partner agreements.
B. physical controls for terminals.
C. authentication techniques for sending and receiving messages.
D. program change control procedures. - ANSWERC.
Which of the following is an attribute of the control self-assessment approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven - ANSWERA.
A company has recently upgraded its purchase system to incorporate electronic data
interchange (EDI) transmissions. Which of the following controls should be
implemented in the EDI interface to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements - ANSWERD.
When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:
A. controls needed to mitigate risk are in place.
B. vulnerabilities and threats are identified.
C. audit risk is considered.
D. a gap analysis is appropriate. - ANSWERB.
A PRIMARY benefit derived for an organization employing control self-assessment
techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control. - ANSWERA.
, During a security audit of IT processes, an IS auditor found that documented security
procedures did not exist. The IS auditor should:
A. create the procedures document based on the practices.
B. issue an opinion of the current state and end the audit.
C. conduct compliance testing on available data.
D. identify and evaluate existing practices. - ANSWERD.
The purpose of a checksum on an amount field in an electronic data interchange
communication of financial transactions is to ensure:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation. - ANSWERA.
In planning an IS audit, the MOST critical step is the identification of the:
A. areas of significant risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit. - ANSWERA.
Which of the following represents the GREATEST potential risk in an electronic data
interchange (EDI) environment?
A. Lack of transaction authorizations
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of
application controls - ANSWERA.
Which of the following controls would an IS auditor look for in an environment where
duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls - ANSWERD.
An IS auditor performing a review of application controls would evaluate the:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D. application's optimization. - ANSWERB.
During a risk analysis, an IS auditor identifies threats and potential impacts. Next, the
IS auditor should:
A. ensure the risk assessment is aligned to management's risk assessment process.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls. - ANSWERD.
Systems Auditing Process)With
Correct Solutions!!
When evaluating the collective effect of preventive, detective and corrective controls
within a process, an IS auditor should be aware of which of the following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls are regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing -
ANSWERA.
An IS auditor who has discovered unauthorized transactions during a review of
electronic data interchange (EDI) transactions is likely to recommend improving the:
A. EDI trading partner agreements.
B. physical controls for terminals.
C. authentication techniques for sending and receiving messages.
D. program change control procedures. - ANSWERC.
Which of the following is an attribute of the control self-assessment approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven - ANSWERA.
A company has recently upgraded its purchase system to incorporate electronic data
interchange (EDI) transmissions. Which of the following controls should be
implemented in the EDI interface to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements - ANSWERD.
When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:
A. controls needed to mitigate risk are in place.
B. vulnerabilities and threats are identified.
C. audit risk is considered.
D. a gap analysis is appropriate. - ANSWERB.
A PRIMARY benefit derived for an organization employing control self-assessment
techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control. - ANSWERA.
, During a security audit of IT processes, an IS auditor found that documented security
procedures did not exist. The IS auditor should:
A. create the procedures document based on the practices.
B. issue an opinion of the current state and end the audit.
C. conduct compliance testing on available data.
D. identify and evaluate existing practices. - ANSWERD.
The purpose of a checksum on an amount field in an electronic data interchange
communication of financial transactions is to ensure:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation. - ANSWERA.
In planning an IS audit, the MOST critical step is the identification of the:
A. areas of significant risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit. - ANSWERA.
Which of the following represents the GREATEST potential risk in an electronic data
interchange (EDI) environment?
A. Lack of transaction authorizations
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of
application controls - ANSWERA.
Which of the following controls would an IS auditor look for in an environment where
duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls - ANSWERD.
An IS auditor performing a review of application controls would evaluate the:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D. application's optimization. - ANSWERB.
During a risk analysis, an IS auditor identifies threats and potential impacts. Next, the
IS auditor should:
A. ensure the risk assessment is aligned to management's risk assessment process.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls. - ANSWERD.
