CISA Concepts

Question 1

What is the definition of audit?

Answer 1

Auditing is a detailed and specific evaluation of a process, procedure, organization, job function, or system, in which results are gathered and reported.

Question 2

What is the purpose of ethics?

Answer 2

To mandate the professional and personal conduct of auditors

Question 3

According to the ISACA Code of Ethics is an auditor allowed to share the results of an audit with other personnel?

Answer 3

The auditor must maintain confidentiality of the audit unless required by legal authority

Question 4

Should the IS audit plan be integrated into the overall audit plan for the organization?

Answer 4

The IS Audit function must fulfill all organizational audit objectives.

Question 5

An IS Auditor is best advised to follow the standards provided by ISACA for conducting an planning IS Audits

Answer 5

ISACA audit standards are recommendations for planning IS audits.

Question 6

ISACA Audit standard S2 Independence refers to what?

Answer 6

An Auditor should be independent of the area being audited

Question 7

Standard S4 Professional Competence, requires the auditor to have the skills to conduct the audit?

Answer 7

appropriate continuing professional education

Question 8

The basis for an audit plan should be what?

Answer 8

Risk

Question 9

Audit findings and conclusions are supported by what?

Answer 9

Evidence

Question 10

When an auditor uses the assistance of outside experts, what obligations does the auditor have to review the work of the experts?

Answer 10

The auditor must apply additional test procedures if the work of outside experts is not adequate

Question 11

When an auditor is planning an information system audit and suspects a potential control weakness, what are they obligated to do?

Answer 11

The auditor must consider the materiality of the weakness and plan the audit accordingly.

Question 12

What role does risk assessment have in audit planning?

Answer 12

Risk assessment is used to determine the priorities for audit and allocation of audit resources.

Question 13

What steps should an auditor take when a material irregularity is discovered?

Answer 13

The auditor should communicate the irregularity to management in a timely manner

Question 14

What is the risk to an audit if unusual relationships exist between staff members in the area being audited?

Answer 14

The auditor may be provided inaccurate evidence

Question 15

True or False? Supervision of the information systems audit staff should not be necessary if the staff is adequately trained and experienced

Answer 15

TRUE

Question 16

Once an audit is completed and submitted does the auditor have any further responsibility?

Answer 16

Yes, the auditor should follow up to ensure that management addressed any audit issues in a timely manner

Question 17

IT governance means:

Answer 17

The IT function aligns with business mission, values and objectives

Question 18

Relationships with third parties may:

Answer 18

Require the organization to comply with the security standards of the third party

Question 19

True or False? The organization does not have to worry about the impact of third party relationships on the security program

Answer 19

FALSE

Question 20

The role of an Information Systems Security Steering Committee is to:

Answer 20

Provide feedback from all areas of the organization

Question 21

The most effective tool a security department has is:

Answer 21

A security awareness program

Question 22

The role of Audit in relation to Information Security is:

Answer 22

The validate the effectiveness of the security program against established metrics

Question 23

Who should be responsible for development of a risk management strategy?

Answer 23

The Security Manager

Question 24

The security requirements of each member of the organization should be documented in:

Answer 24

Their job descriptions

Question 25

What could be the greatest challenge to implementing a new security strategy?

Answer 25

Obtaining buy-in from employees

Question 26

Which forms of wireless media operate only when there are no obstacles in the transmission path?

Answer 26

Spread spectrum

Question 27

What best defines electrical noise?

Answer 27

Extraneous signals introduced onto network media.

Question 28

An audit log is an example of a:

Answer 28

Detective control

Question 29

A compensating control is used:

Answer 29

When normal controls are not sufficient to mitigate the trick

Question 30

A disgruntled former employee is a:

Answer 30

Threat

Question 31

A bug or software flaw is a:

Answer 31

Vulnerability

Question 32

Encryption is an example of a:

Answer 32

Countermeasure

Question 33

The examination of risk factors would be an example of:

Answer 33

Risk analysis

Question 34

True/False: The only real risk mitigation technique is based on effective implementation of technical controls.

Answer 34

FALSE

Question 35

Should a risk assessment consider controls that are planned but not yet implemented?

Answer 35

Yes, because it would not be appropriate to recommend implementing controls that are already planned

Question 36

What is the purpose of a control?

Answer 36

Controls are used to resolve vulnerabilities

Question 37

What is the definition of risk assessment?

Answer 37

The evaluation of the level of risk to an information system.

Question 38

What is residual risk?

Answer 38

The level of risk that remains after the implementation of controls

Question 39

What is the primary focus of risk assessment?

Answer 39

Regulatory requirements

Question 40

What is audit detection risk?

Answer 40

The risk that the tests used during an audit did not discover an error

Question 41

What is inherent risk?

Answer 41

A risk associated with pre-existing errors in the control environment

Question 42

What is the first phase of the risk analysis process?

Answer 42

Critical asset identification

Question 43

What are the components of risk analysis?

Answer 43

Threat, vulnerability and impact

Question 44

What is the relationship between risk assessment and audit?

Answer 44

Risk assessment is used to identify high-risk areas to be audited

Question 45

The intent of a control is to:

Answer 45

Reduce the likelihood or impact of the threat

Question 46

If the materiality is minimal then:

Answer 46

It may be ignored

Question 47

The determination of materiality is:

Answer 47

Based on the judgment of the auditor

Question 48

An example of a preventative control is:

Answer 48

B) A security policy

Question 49

An example of a detective control is:

Answer 49

Review of audit logs

Question 50

A corrective control is designed to:

Answer 50

Restore systems to normal

Question 51

An example of a corrective control is:

Answer 51

A business continuity plan

Question 52

An organization implements a procedure to control changes to the configuration of an information system. This would be an example of a(n):

Answer 52

Administrative Control

Question 53

Administrative controls are used to:

Answer 53

Monitor compliance with policy

Question 54

Internal controls may be:

Answer 54

either manual or automated

Question 55

The development of an IS Audit strategy will include:

Answer 55

Identification of controls to be evaluated

Question 56

Once the audit strategy is developed, the auditor will:

Answer 56

Communicate the strategy to management.

Question 57

What control classification would an auditor use to monitor an organization’s internal corporate network in order to report any unauthorized access attempts?

Answer 57

Detective

Question 58

The audit charter is an important document. What is included in the audit charter?

Answer 58

The scope of the audit function

Question 59

Developing an audit plan requires the determination of required personnel resources and?

Answer 59

Arranging for access to the audit area

Question 60

The audit plan must be designed to ensure compliance with laws and regulations, this will require the knowledge of the regulations and?

Answer 60

A review to ensure management were aware of regulations when developing policies and procedures

Question 61

The audit plan will be based on:

Answer 61

The stated objectives of the audit

Question 62

The purpose of audit objectives is to establish whether internal controls are minimizing risk and?

Answer 62

functioning properly

Question 63

A operational audit is designed to test?

Answer 63

The effectiveness of the organization’s internal control environment

Question 64

What is the purpose of a specialized audit?

Answer 64

A specialized audit tests the services provided by an external organization

Question 65

What is a primary consideration when performing a forensic audit?

Answer 65

Maintaining proper evidence handling and management techniques

Question 66

What is the purpose of audit planning?

Answer 66

Audit planning provides a clear overview of the audit before the audit commences

Question 67

What is the most critical step in audit planning?

Answer 67

Focus on high risk areas

Question 68

How do laws and regulations affect an audit plan?

Answer 68

The audit plan must be designed to test for compliance with laws and regulations

Question 69

What is the responsibility of the auditor in relation to fraud

Answer 69

The auditor must always be watchful for fraud while performing an audit

Question 70

Who should be able to see an audit methodology document?

Answer 70

The audit methodology document is used to communicate with all audit team members

Question 71

When an auditor finds a minor violation of policy or procedures, what should their course of action be?

Answer 71

Include the violation in the audit report

Question 72

When an auditor finds a problem that is outside the scope of the audit plan, what should be done?

Answer 72

Consult with audit management about adjusting the scope of the problem

Question 73

An auditor has found a problem and notified management. The problem was immediately fixed. Should the problem be included in the audit report?

Answer 73

Yes, all material findings should be in the report, but noted as fixed.

Question 74

True or False? An audit that finds no serious issues may not require the preparation of an audit report

Answer 74

FALSE

Question 75

All data gathered during an audit is considered?

Answer 75

audit evidence

Question 76

Common methods of gathering information during an audit include:

Answer 76

Interviewing

Question 77

When using observation as an audit data gathering method, what is an important concern?

Answer 77

Do not disrupt business operations

Question 78

What is a characteristic of a divisional organization structure?

Answer 78

Teams operate as separate units within the parent organization

Question 79

What is the advantage of using CAATS to support an audit

Answer 79

CAATS provide an effective way to collect and analyze data from different electronic systems

Question 80

When data is gathered to determine whether users are following policies, this is an example of?

Answer 80

Compliance audit

Question 81

An audit that validates individual transactions to test the effectiveness of a procedure is a?

Answer 81

Substantive audit

Question 82

What type of audit evidence is considered more reliable?

Answer 82

Obtained from independent parties

Question 83

An auditor checks 100 transactions to see if they were handled correctly. What type of audit is this

Answer 83

Compliance audit

Question 84

An audit that checks that all transactions over $5000 require approval by a supervisor is what type of audit?

Answer 84

Substantive audit

Question 85

An auditor needs to select a certain number of transactions for examination. What method may be used for this?

Answer 85

Statistical sampling

Question 86

What is the definition of sampling?

Answer 86

Selecting a subset of a larger group of items that will represent the entire group

Question 87

Which type of sampling depends on auditor judgement?

Answer 87

Non-statistical sampling

Question 88

When, during the SDLC, is a test plan developed?

Answer 88

During the design phase

Question 89

What is the purpose of testing?

Answer 89

To uncover any bugs or flaws in the system

Question 90

Change management and problem management are parts of a:

Answer 90

Configuration management process

Question 91

What form of systems migration will have the least impact on business operations

Answer 91

Parallel

Question 92

What task must be done to enable a data migration from an old system to a new one?

Answer 92

Ensure that the data is converted to a format acceptable for the new system