CISA Part 1: Information Systems Auditing Process
The success of control self-assessment depends highly on: line managers assuming a portion of the responsibility for control monitoring. assigning staff managers, the responsibility for building controls. the implementation of a stringent control policy and rule-driven controls. the implementation of supervision and monitoring of controls of assigned duties.
A
What is the MAJOR benefit of conducting a control self-assessment over a traditional audit? It detects risk sooner. It replaces the internal audit function. It reduces audit workload. It reduces audit resource requirements.
A
When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following? The point at which controls are exercised as data flow through the system Only preventive and detective controls are relevant Corrective controls are regarded as compensating Classification allows an IS auditor to determine which controls are missing
A
When selecting audit procedures, an IS auditor should use professional judgment to ensure that: sufficient evidence will be collected. significant deficiencies will be corrected within a reasonable period. all material weaknesses will be identified. audit costs will be kept at a minimum level.
A
Which of the following is an attribute of the control self-assessment approach? Broad stakeholder involvement Auditors are the primary control analysts Limited employee participation Policy driven
A
Which of the following is the key benefit of a control self-assessment? Management ownership of the internal controls supporting business objectives is reinforced. Audit expenses are reduced when the assessment results are an input to external audit work. Fraud detection will be improved because internal business staff are engaged in testing controls. Internal auditors can shift to a consultative approach by using the results of the assessment.
A
Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment? Lack of transaction authorizations Loss or duplication of EDI transmissions Transmission delay Deletion or manipulation of transactions prior to or after establishment of application controls
A
Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process? Participating in the design of the risk management framework Advising on different implementation techniques Facilitating risk awareness training Performing due diligence of the risk management processes
A
Which of the following sampling methods is MOST useful when testing for compliance? Attribute sampling Variable sampling Stratified mean per unit sampling Difference estimation sampling
A
Which of the following situations could impair the independence of an IS auditor? The IS auditor: implemented specific functionality during the development of an application. designed an embedded audit module for auditing an application. participated as a member of an application project team and did not have operational responsibilities. provided consulting advice concerning application good practices.
A
Which of the following would normally be the MOST reliable evidence for an IS auditor? A confirmation letter received from a third party verifying an account balance Assurance from line management that an application is working as designed Trend data obtained from Internet sources Ratio analysis developed by the IS auditor from reports supplied by line management
A
A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a: directive control. corrective control. compensating control. detective control.
B
A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions more than a certain amount. What type of audit control is this? Detective Preventive Corrective Directive
B
An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST: expand the scope of the IS audit to include the devices that are not on the network diagram. evaluate the impact of the undocumented devices on the audit scope. note a control deficiency because the network diagram has not been approved. plan follow-up audits of the undocumented devices.
B
An IS auditor finds that the answers received during an interview with a payroll clerk do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should: conclude that the controls are inadequate. expand the scope to include substantive testing. place greater reliance on previous audits. suspend the audit.
B
An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following? Privileged access to the wire transfer system Wire transfer procedures Fraud monitoring controls Employee background checks
B
An IS auditor performing a review of application controls would evaluate the: efficiency of the application in meeting the business processes. impact of any exposures discovered. business processes served by the application. application's optimization.
B
During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should: ask the auditee to sign a release form accepting full legal responsibility. elaborate on the significance of the finding and the risk of not correcting it. report the disagreement to the audit committee for resolution. accept the auditee's position because they are the process owners.
B
The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is: control design testing. substantive testing. inspection of relevant documentation. perform tests on risk prevention.
B
The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to: comply with regulatory requirements. provide a basis for drawing reasonable conclusions. ensure complete audit coverage. perform the audit according to the defined scope.
B
The PRIMARY advantage of a continuous audit approach is that it: does not require an IS auditor to collect evidence on system reliability while processing is taking place. allows the IS auditor to review and follow up on audit issues in a timely manner. places the responsibility for enforcement and monitoring of controls on the security department instead of audit. simplifies the extraction and correlation of data from multiple and complex systems.
B
The PRIMARY purpose of an IT forensic audit is: to participate in investigations related to corporate fraud. the systematic collection and analysis of evidence after a system irregularity. to assess the correctness of an organization's financial statements. to preserve evidence of criminal activity.
B
The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk? Inherent Detection Control Business
B
The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation? Generate sample test data Generalized audit software Integrated test facility Embedded audit module
B
When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that: controls needed to mitigate risk are in place. vulnerabilities and threats are identified. audit risk is considered. a gap analysis is appropriate.
B
When performing a risk analysis, the IS auditor should FIRST: review the data classification program. identify the organization's information assets. identify the inherent risk of the system. perform a cost-benefit analysis for controls.
B
Which of the following does a lack of adequate controls represent? An impact A vulnerability An asset A threat
B
Which of the following forms of evidence would an IS auditor consider the MOST reliable? An oral statement from the auditee The results of a test performed by an external IS auditor An internally generated computer accounting report A confirmation letter received from an outside source
B
Which of the following is MOST likely to be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation? Delivering cybersecurity awareness training Designing the cybersecurity controls Advising on the cybersecurity framework Conducting the vulnerability assessment
B
Which of the following is in the BEST position to approve changes to the audit charter? Board of directors Audit committee Executive management Director of internal audit
B
Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan? Prioritize the identified risk. Define the audit universe. Identify the critical controls. Determine the testing approach.
B
Which of the following is the MAIN reason to perform a risk assessment in the planning phase of an IS audit? To ensure management's concerns are addressed To provide reasonable assurance material items will be addressed To ensure the audit team will perform audits within budget To develop the audit program and procedures to perform the audit
B
Which of the following is the PRIMARY requirement for reporting IS audit results? The report is: prepared according to a predefined and standard template. backed by sufficient and appropriate audit evidence. comprehensive in coverage of enterprise processes. reviewed and approved by audit management.
B
Which of the following is MOST important for an IS auditor to understand when auditing an e-commerce environment? The technology architecture of the e-commerce environment The policies, procedures and practices forming the control environment The nature and criticality of the business process supported by the application Continuous monitoring of control measures for system availability and reliability
C
Which of the following is MOST important to ensure that effective application controls are maintained? Exception reporting Manager involvement Control self-assessment Peer reviews
C
Which of the following is evaluated as a preventive control by an IS auditor performing an audit? Transaction logs Before and after image reporting Table lookups Tracing and tagging
C
Which of the following is the PRIMARY purpose of a risk-based audit? High-impact areas are addressed first. Audit resources are allocated efficiently. Material areas are addressed first. Management concerns are prioritized.
C
Which of the following represents an example of a preventive control with respect to IT personnel? A security guard stationed at the server room door An intrusion detection system Implementation of a badge entry system for the IT facility A fire suppression system in the server room
C
Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program? Key stakeholders are incorrectly identified. Control costs will exceed planned budget. Important business risk may be overlooked. Previously audited areas may be inadvertently included.
C
While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to: continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions. complete the audit and not report the control deficiency because it is not part of the audit scope. continue to test the accounting application controls and include the deficiency in the final report. cease all audit activity until the control deficiency is resolved.
C
he internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function? Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitorin
C
A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and: length of service, because this will help ensure technical competence. age, because training in audit techniques may be impractical. IT knowledge, because this will bring enhanced credibility to the audit function. ability, as an IS auditor, to be independent of existing IT relationships.
D
An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that: effective preventive controls are enforced. system integrity is ensured. errors can be corrected in a timely fashion. fraud can be detected more quickly.
D
While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the: audit trail of the versioning of the work papers. approval of the audit phases. access rights to the work papers. confidentiality of the work papers.
D
Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience? Internal quality requirements The audit guidelines The audit methodology Professional standards
D
A PRIMARY benefit derived for an organization employing control self-assessment techniques is that it: can identify high-risk areas that might need a detailed review later. allows IS auditors to independently assess risk. can be used as a replacement for traditional audits. allows management to relinquish responsibility for control.
A
A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern? The work may be construed as a self-audit. Audit points may largely shift to technical aspects. The employee may not have sufficient control assessment skills. The employee's knowledge of business risk may be limited.
A
An IS auditor finds that a disaster recovery plan for critical business functions does not cover all systems. Which of the following is the MOST appropriate course of action for the IS auditor? Alert management and evaluate the impact of not covering all systems. Cancel the audit. Complete the audit of the systems covered by the existing DRP. Postpone the audit until the systems are added to the DRP.
A
An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step? Understanding services and their allocation to business processes by reviewing the service repository documentation. Sampling the use of service security standards as represented by the Security Assertions Markup Language . Reviewing the service level agreements established for all system providers. Auditing the core service and its dependencies on other systems.
A
An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when: the probability of error must be objectively quantified. the auditor wants to avoid sampling risk. generalized audit software is unavailable. the tolerable error rate cannot be determined.
A
An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommending a specific vendor product to address this vulnerability. The IS auditor has failed to exercise: professional independence. organizational independence. technical competence. professional competence.
A
An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks and reports for distribution. To BEST ensure payroll data accuracy: payroll reports should be compared to input forms. gross payroll should be recalculated manually. checks should be compared to input forms. checks should be reconciled with output reports.
A
Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should: include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings. not include the finding in the final report because management resolved the item. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit. include the finding in the closing meeting for discussion purposes only.
A
During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to: address audit objectives. collect sufficient evidence. specify appropriate tests. minimize audit resources.
A
In planning an IS audit, the MOST critical step is the identification of the: areas of significant risk. skill sets of the audit staff. test steps in the audit. time allotted for the audit.
A
In the process of evaluating program change controls, an IS auditor would use source code comparison software to: examine source program changes without information from IS personnel. detect a source program change made between acquiring a copy of the source and the comparison run. identify and validate any differences between the control copy and the production program. ensure that all changes made in the current source copy are tested.
A
The MAIN purpose of the annual IS audit plan is to: Allocate resources for audits. Reduce the impact of audit risk. Develop a training plan for auditors. Minimize the audit costs.
A
The PRIMARY objective of the audit initiation meeting with an IS audit client is to: discuss the scope of the audit. identify resource requirements of the audit. select the methodology of the audit. collect audit evidence.
A
The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to: understand the business process. comply with auditing standards. identify control weakness. develop the risk assessment.
A
The purpose of a checksum on an amount field in an electronic data interchange communication of financial transactions is to ensure: integrity. authenticity. authorization. nonrepudiation.
A
While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the: effectiveness of the QA function because it should interact between project management and user management. efficiency of the QA function because it should interact with the project implementation team. effectiveness of the project manager because the project manager should interact with the QA function. efficiency of the project manager because the QA function needs to communicate with the project implementation team.
A
While planning an IS audit, an assessment of risk should be made to provide: reasonable assurance that the audit will cover material items. definite assurance that material items will be covered during the audit work. reasonable assurance that all items will be covered by the audit. sufficient assurance that all items will be covered during the audit work.
A
A substantive test to verify that tape library inventory records are accurate is: determining whether bar code readers are installed. determining whether the movement of tapes is authorized. conducting a physical count of the tape inventory. checking whether receipts and issues of tapes are accurately recorded.
C
An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take? Delete all copies of the unauthorized software. Recommend an automated process to monitor for compliance with software licensing. Report the use of the unauthorized software and the need to prevent recurrence. Warn the end users about the risk of using illegal software.
C
An IS auditor is developing an audit plan for an environment that includes new systems. The organization's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond? Audit the new systems as requested by management. Audit systems not included in last year's scope. Determine the highest-risk systems and plan accordingly. Audit both the systems not in last year's scope and the new systems
C
An IS auditor is reviewing a project risk assessment and notices that the overall residual risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of unauthorized users the project may affect? Control risk Compliance risk Inherent risk Residual risk
C
An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of: variable sampling. substantive testing. compliance testing. stop-or-go sampling.
C
An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is: an effective preventive control. a valid detective control. not an adequate control. a corrective control.
C
An IS auditor performing an audit of the risk assessment process should FIRST confirm that: reasonable threats to the information assets are identified. technical and organizational vulnerabilities have been analyzed. assets have been identified and ranked. the effects of potential security breaches have been evaluated.
C
An IS auditor reviewing the process of log monitoring wants to evaluate the organization's manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose? Inspection Inquiry Walk-through Reperformance
C
An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the: EDI trading partner agreements. physical controls for terminals. authentication techniques for sending and receiving messages. program change control procedures.
C
An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to: acknowledge receipt of electronic orders with a confirmation message. perform reasonableness checks on quantities ordered before filling orders. verify the identity of senders and determine if orders correspond to contract terms. encrypt electronic orders.
C
An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should: remove the IS auditor from the engagement. cancel the engagement. disclose the issue to the client. take steps to restore the IS auditor's independence.
C
Due to unexpected resource constraints of the IS audit team, the audit plan, as originally approved, cannot be completed. Assuming the situation is communicated in the audit report, which course of action is MOST acceptable? Test the adequacy of the control design. Test the operational effectiveness of controls. Focus on auditing high-risk areas. Rely on management testing of controls.
C
The BEST method of confirming the accuracy of a system tax calculation is by: review and analysis of the source code of the calculation programs. recreating program logic using generalized audit software to calculate monthly totals. preparing simulated transactions for processing and comparing the results to predetermined results. automatic flowcharting and analysis of the source code of the calculation programs.
C
The final decision to include a material finding in an audit report should be made by the: audit committee. auditee's manager. IS auditor. chief executive officer of the organization.
C
To ensure that audit resources deliver the best value to the organization, the FIRST step in an audit project is to: schedule the audits and monitor the time spent on each audit. train the IS audit staff on current technology used in the company. develop the audit plan on the basis of a detailed risk assessment. monitor progress of audits and initiate cost control measures.
C
When developing a risk management program, what is the FIRST activity to be performed? Threat assessment Classification of data Inventory of assets Criticality analysis
C
When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of: excessive transaction turnaround time. application interface failure. improper transaction authorization. nonvalidated batch totals.
C
Which audit technique provides the BEST evidence of the segregation of duties in an IT department? Discussion with management Review of the organization chart Observation and interviews Testing of user access rights
C
A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping? Key verification One-for-one checking Manual recalculations Functional acknowledgements
D
An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processingorganization discovered the following: The existing DRP was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department. The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting attention. The DRP has never been updated, tested or circulated to key management and staff, although interviews show that each would know what action to take for its area if a disruptive incident occurred. The IS auditor's report should recommend that: the deputy chief executive officer (CEO) be censured for failure to approve the plan. a board of senior managers is set up to review the existing plan. the existing plan is approved and circulated to all key management and staff. a manager coordinates the creation of a new or revised plan within a defined time limit.
D
An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: most valuable information assets. IS audit resources to be deployed. auditee personnel to be interviewed. control objectives and activities.
D
An IS auditor should ensure that review of online electronic funds transfer reconciliation procedures should include: vouching. authorizations. corrections. tracing.
D
An audit charter should: be dynamic and change to coincide with the changing nature of technology and the audit profession. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls. document the audit procedures designed to achieve the planned audit objectives. outline the overall authority, scope and responsibilities of the audit function.
D
An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase? Development of an audit program Define the audit scope Identification of key information owners Development of a risk assessment
D
An organization's IS audit charter should specify the: plans for IS audit engagements. objectives and scope of IS audit engagements. detailed training plan for the IS audit staff. role of the IS audit function.
D
As part of audit planning, an IS auditor is designing various data validation tests to effectively detect transposition and transcription errors. Which of the following will BEST help in detecting these errors? Range check Validity check Duplicate check Check digit
D
During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by the user's supervisor would represent the BEST compensating control? Audit trails that show the date and time of the transaction A daily report with the total numbers and dollar amounts of each transaction User account administration Computer log files that show individual transactions
D
During a risk analysis, an IS auditor identifies threats and potential impacts. Next, the IS auditor should: ensure the risk assessment is aligned to management's risk assessment process. identify information assets and the underlying systems. disclose the threats and impacts to management. identify and evaluate the existing controls.
D
During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should: create the procedures document based on the practices. issue an opinion of the current state and end the audit. conduct compliance testing on available data. identify and evaluate existing practices.
D
For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk? Use of computer-assisted audit techniques Quarterly risk assessments Sampling of transaction logs Continuous auditing
D
In a small organization, the function of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario? Hiring additional staff to provide segregation of duties Preventing the release manager from making program modifications Logging of changes to development libraries Verifying that only approved program changes are implemented
D
The PRIMARY purpose of the IS audit charter is to: establish the organizational structure of the audit department. illustrate the reporting responsibilities of the IS audit function. detail the resource requirements needed for the audit function. outline the responsibility and authority of the IS audit function.
D
The extent to which data will be collected during an IS audit should be determined based on the: availability of critical and required information. auditor's familiarity with the circumstances. auditee's ability to find relevant evidence. purpose and scope of the audit being done.
D
Which of the following choices would be the BEST source of information when developing a risk-based audit plan? Process owners identify key controls. System custodians identify vulnerabilities. Peer auditors understand previous audit results. Senior management identify key business processes.
D
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? Overlapping controls Boundary controls Access controls Compensating controls
D
Which of the following is the FIRST step in an IT risk assessment for a risk-based audit? Identify all IT systems and controls that are relevant to audit objectives. List all controls from the audit program to select ones matching with audit objectives. Review the results of a risk self-assessment. Understand the business, its operating model and key processes.
D
Which of the following is the MOST critical step when planning an IS audit? Review findings from prior audits. Executive management's approval of the audit plan. Review IS security policies and procedures. Perform a risk assessment.
D
Which of the following would be expected to approve the audit charter? Chief financial officer Chief executive officer Audit steering committee Audit committee
D