CISA Exam-Test 5

1. The effect of which of the following should have priority in planning the scope and objectives of an IS audit?
- Applicable industry good practices
- Organizational policies and procedures
- Applicable statutory requirements
- Applicable corporate standards

The effect of applicable statutory requirements must be factored in while planning an IS audit—the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutory requirements.

2. The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:
- gain agreement on the findings.
- confirm that the auditors did not overlook any important issues.
- test the structure of the final presentation.
- receive feedback on the adequacy of the audit procedures.

The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings and responses from management.

3. Upon completion of audit work, an IS auditor should:
- provide a report to senior management prior to discussion with the auditee.
- provide a report to the auditee stating the initial findings.
- distribute a summary of general findings to the members of the auditing team.
- review the working papers with the auditee.

4. Which of the following should be the FIRST action of an IS auditor during a dispute with a department manager over audit findings?
- Include the finding in the report with the department manager's comments.
- Revalidate the supporting evidence for the finding.
- Engage a third party to validate the finding.
- Retest the control to validate the finding.

Conclusions drawn by an IS auditor should be adequately supported by evidence, and any compensating controls or corrections pointed out by a department manager should be taken into consideration. Therefore, the first step would be to revalidate the evidence for the finding.
If, after revalidating and retesting, there are unsettled disagreements, those issues should be included in the report.

5. General ledger (GL) data are required for an audit. Instead of asking IT to extract the data, the IS auditor is granted direct access to the data. What is the MAIN advantage of this approach?
- Reduction of the likelihood of errors in the extraction process
- Greater flexibility for the audit department
- Greater assurance of data validity
- Reduction of IT person-hours to support the audit

If the IS auditor executes the data extraction, there is greater assurance that the extraction criteria will not interfere with the required completeness and therefore all required data will be collected. Asking IT to extract the data may expose the risk of filtering out exceptions that should be seen by the auditor. Also, if the IS auditor collects the data, all internal references correlating the various data tables/elements will be understood, and this knowledge may reveal vital elements to the completeness and correctness of the overall audit activity.

6. What is the BEST course of action for an IS auditor to take when an outsourced monitoring process for remote access is inadequate and management disagrees because management stated that intrusion detection system (IDS) and firewall controls are in place?
- Retract the finding because the firewall rules are monitored.
- Revise the finding in the audit report per management's feedback.
- Retract the finding because the IDS controls are in place.
- Document the identified finding in the audit report.

IS auditor independence would dictate that the additional information provided by the auditee will be taken into consideration. Normally, an IS auditor would not automatically retract or revise the finding.

7. An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
- Warn the end users about the risk of using illegal software.
- Report the use of the unauthorized software and the need to prevent recurrence.
- Recommend an automated process to monitor for compliance with software licensing.
- Delete all copies of the unauthorized software.

The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and management of the risk and the need to eliminate the risk. For example, software piracy can result in exposure and severe fines.

8. While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:
- cease all audit activity until the control deficiency is resolved.
- complete the audit and not report the control deficiency because it is not part of the audit scope.
- continue to test the accounting application controls and include the deficiency in the final report.
- continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions.

It is the responsibility of the IS auditor to report on findings that could have a material impact on the effectiveness of controls—whether or not they are within the scope of the audit.

9. The MOST effective way to determine if IT is meeting business requirements is to establish:
- industry benchmarks.
- a capability model.
- key performance indicators (KPIs).
- organizational goals.

10. When preparing an audit report, the IS auditor should ensure that the results are supported by:
- work papers of other auditors.
- sufficient and appropriate audit evidence.
- an organizational control self-assessment.
- statements from IS management.
ISACA's IS Audit and Assurance Standard on reporting requires that the IS auditor have sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be based on evidence collected during the course of the review even though the IS auditor may have access to the work papers of other auditors. The results of an organizational control self-assessment (CSA) could supplement the audit findings.

11. An IS auditor suspects an incident is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?
- Request that the system be shut down to preserve evidence.
- Ask for immediate suspension of the suspect accounts.
- Report the incident to management.
- Investigate the source and nature of the incident.

Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit.

12. Which of the following would BEST provide executive management with current information on IT-related costs and IT performance indicators?
- Risk register
- IT dashboard
- Continuous audit reports
- IT service-management plan

13. Which of the following is the PRIMARY advantage of the IT portfolio management approach over the balanced scorecard approach when managing IT investments?
- Agility in adjusting investment decisions
- The influence of qualitative factors on investment decisions
- Use of the organization's risk appetite in investment decisions
- Incorporation of organizational strategy in investment decisions

14. The final decision to include a material finding in an audit report should be made by the:
- audit committee.
- IS auditor.
- chief executive officer (CEO) of the organization.
- auditee's manager.

The IS auditor should make the final decision about what to include or exclude from the audit report.

15. When an IS auditor evaluates key performance indicators (KPIs) for IT initiatives, it is MOST important that the KPIs indicate:
- IT deliverables are process driven.
- IT solutions are within budget.
- IT objectives are measured.
- IT resources are fully utilized.

16. Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:
- include the finding in the closing meeting for discussion purposes only.
- not include the finding in the final report because management resolved the item.
- not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit.
- include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.

Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.

17. A company is using a software developer for a project. At which of the following points should the software quality assurance (QA) plan be developed?
- Prior to acceptance testing
- As part of the design phase
- During the feasibility phase
- As part of software definition

18. An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:
- professional independence.
- technical competence.
- professional competence.
- organizational independence.

When an IS auditor recommends a specific vendor, that compromises the auditor's professional independence.

19. To ensure the integrity of a recovered database, which of the following would be MOST useful?
- Application transaction logs
- Database defragmentation tools
- A copy of the data dictionary
- Before-and-after transaction images

20. During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
- accept the auditee's position because they are the process owners.
- report the disagreement to the audit committee for resolution.
- elaborate on the significance of the finding and the risk of not correcting it.
- ask the auditee to sign a release form accepting full legal responsibility.

If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures because the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.

21. Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
- Knowledge of internal controls
- IS management resource allocation
- Project management
- Contingency planning

Audits often involve resource management, deliverables, scheduling and deadlines similar to project management good practices.

22. An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?
- Inquiry
- Process narrative
- Walk-through
- Reperformance

Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control as it actually exists.

23. Which of the following is an IS auditor's GREATEST concern when an organization does not regularly update software on individual workstations in the internal environment?
- The system may have version control issues.
- System functionality may not meet business requirements.
- The organization may not be in compliance with the licensing agreement.
- The organization may be more susceptible to cyber-attacks.

24. After reviewing the disaster recovery planning (DRP) process of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting?
- Prioritizing the resolution of the items
- Confirming factual accuracy of the findings
- Assisting management in the implementation of corrective actions
- Obtaining management approval of the corrective action plan

The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action.

25. The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?
- Classical variable
- Probability-proportional-to-size
- Stop-or-go
- Discovery

Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.

26. When testing segregation of duties, which of the following audit techniques provides the MOST reliable evidence?
- Reviewing departmental procedure handbooks
- Observing daily operations for the area in scope
- Evaluating the department structure via the organizational chart
- Interviewing managers and end users

27. Which of the following will MOST effectively help to manage the challenges associated with end user-developed application systems?
- Introducing redundant support capacity
- Developing classifications based on risk
- Applying control practices used by IT
- Prohibiting creation of executable files

28. An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:
- take steps to restore the IS auditor's independence.
- remove the IS auditor from the engagement.
- cancel the engagement.
- disclose the issue to the client.

In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report.

29. Which of the following BEST describes the objective of an IS auditor discussing the audit findings with the auditee?
- Confirm the findings, and propose a course of corrective action.
- Communicate results to the auditee.
- Identify compensating controls to the identified risk.
- Develop time lines for the implementation of suggested recommendations.

Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the auditee. The goal of such a discussion is to confirm the accuracy of the findings and to propose or recommend a course of corrective action.

30. In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on?
- A validity check
- A field check
- A hash total
- A size check

A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used—for example, not using a dictionary word, including non-alphabetical characters, etc. An effective password must have several different types of characters: alphabetical, numeric and special.