Secrets of a Successful Auditor Flashcards

1
Q

Assessments and audits have several points in common. Which of the following statements provides the best description of an assessment compared to an audit?

A. Audits are more formal than assessments.
B. They are similar in nature; the difference is in wording.
C. Both provide reports that can be used for licensing purposes.
D. Assessment reports provide a high assurance of the situation.

A

A.

An assessment is less formal than an audit. The purpose of an assessment is to determine value based on relevance. Assessments have a lower value because they are not a regimented independent audit.

2
Q
Which of the following statements is true?

A. The auditee is the person running the audit, and the client is the subject of the audit.

B. The auditor is the person running the audit, and the client is the subject of the audit.

C. The client is the person setting the scope for the audit, and the auditor performs the work.

D. The client pays for the audit, and the auditor sets the scope of the audit that will follow.

A

C.

The client sets the scope of the audit. The auditee is the target (subject) of the audit. The auditor designs the audit plan according to the client’s scope and then performs the audit in accordance with published audit standards and procedures.

3
Q

Who should issue the organizational policies?

A. Policies should originate from the bottom and move up to the department manager for approval.

B. The auditor should issue the policies in accordance with standards, and they should be authorized by the highest level of management to ensure compliance.

C. The policy should be signed and enforced by any level of management.

D. The policy should be signed and enforced by the highest level of management.

A

D.

Policies should be signed, issued, and enforced by the highest level of management to ensure compliance by the organization. It is the responsibility of management (not the auditor) to implement internal controls.

4
Q
Which of the following options is true about the term auditor independence?

A. It is not an issue for auditors working for a consulting company.
B. It is required for an external audit.
C. An internal auditor must undergo certification training to be independent.
D. The audit committee bestows independence upon the auditor.

A

B.

The auditor must be independent. Having a personal relationship with the organization being audited could result in a biased opinion. The business relationship is also an issue if the organization has influence over the auditor. The goal is to be fair, objective, and unrelated to the subject of the audit.

5
Q
Which of the following assurance methods is acceptable for external use, including licensing?

A. Independent audit
B. Assessment
C. External audit
D. Internal audit

A

A.

An independent audit is the only one acceptable for external use, including licensing. Internal audits usually lack the independence required because the internal auditor may be overly concerned about their job. Assessments are less formal than an actual audit. External audits could be limited in scope to only what the customer or vendor wants to see.

6
Q

What is the definition of a standard as compared to a guideline?

A. Standards are discretionary controls used with guidelines to aid the reader’s decision process.

B. Standards are mandatory controls designed to support a policy. Following guidelines is discretionary.

C. Guidelines are recommended controls necessary to support standards, which are discretionary.

D. Guidelines are intended to designate a policy, whereas standards are used in the absence of a policy.

A

B.

A standard is implemented to ensure a minimum level of uniform compliance. Guidelines are advisory information used in the absence of a standard. Compliance to standards is mandatory; compliance to guidelines is discretionary.

7
Q

Which of the following is not defined as a non-audit role?

A. System designer
B. Operational staff member
C. Auditor
D. Organizational manager

A

C.

Every role except an auditor is a non-audit role. Anyone in a non-audit role is disqualified from being an independent auditor.

8
Q

Which of the following is the best description of an ongoing audit program for regulatory compliance?

A. An audit is performed once for the entire year and then repeated by using the same information for each successive year.

B. An audit may be automated by using audit program software.

C. An audit is a series of unique projects of short duration that add up to cover all the steps necessary for annual compliance.

D. An audit is a series of assessments performed by the auditee for the purpose of licensing and regulatory compliance.

A

C.

Projects are unique and usually of limited duration, for a fixed period of time with a definite start and stop date. The projects may be coupled into a series of projects to fulfill an ongoing operational need, such as an annual audit program or perpetual quality program.

9
Q

What is the purpose of ISACA’s professional ethics statement?

A. To clearly specify acceptable and unacceptable behavior
B. To provide procedural advisement to the new IS auditor
C. To provide instructions on how to deal with irregularities and illegal acts by the client
D. To provide advice on when it is acceptable for the auditor to deviate from audit standards

A

A.

This statement specifies that IS auditors are expected to fulfill their duties with the highest standards of honest and truthful representation. It is unacceptable to violate the fiduciary relationship with your client.

10
Q

The auditor’s final opinion is to be based on which of the following?

A. The objectives and verbal statements made by management
B. An understanding of management’s desired audit results
C. The audit committee’s specifications
D. The results of evidence and testing

A

D.

The auditor is to be a professional skeptic who tests assertions of management and renders an opinion based on the evidence discovered during the audit.

11
Q

What are common types of audits?

A. Forensic, accounting, verification, regulatory
B. Integrated, operational, compliance, administrative
C. Financial, SAS‐74, compliance, administrative
D. Information systems, SAS‐70, regulatory, procedural

A

B.

All of the audit types listed are valid except procedural, SAS‐74, verification, and regulatory. The valid audit types are financial, operational (SAS‐70), integrated (SAS‐94), compliance, administrative, forensic, and information systems. A forensic audit is used to discover information about a possible crime.

12
Q

What is the difference between a policy and a procedure?

A. Compliance to a policy is discretionary, and compliance to a procedure is mandatory.

B. A procedure provides discretionary advice to aid in decision-making. The policy defines specific requirements to ensure compliance.

C. A policy is a high‐level document signed by a person of authority, and compliance is mandatory. A procedure defines the mandatory steps to attain compliance.

D. A policy is a mid‐level document issued to advise the reader of desired actions in the absence of a standard. The procedure describes suggested steps to use.

A

C.

A policy is signed by the person of highest authority to ensure compliance by the members of the organization. Compliance to policies, standards, and procedures is mandatory.

13
Q

What is the purpose of standard terms of reference?

A. To meet the legal requirement of regulatory compliance
B. To prove who is responsible
C. To ensure honest and unbiased communication
D. To ensure that requirements are clearly identified in a regulation

A

C.

Standard terms of reference are used between the auditor and everyone else to ensure honest and unbiased communication. Without standard terminology, it would be difficult to know whether we were discussing the same issue or agreed on the same outcome.

14
Q

Which of the following in a business organization will be held liable by the government for failures of internal controls?

A. President, vice presidents, and other true corporate officers

B. Board of directors, president, vice presidents, department directors, and managers

C. All members of management

D. Board of directors, CEO, CFO, CIO, and department directors

A

A.

Officers of the organization will typically hold the title of vice president or higher. A CIO might not be a corporate officer, unless the position is located in the parent organization. A division‐level CIO may or may not be a true corporate officer. Those holding the position of department director and below are seldom held liable by the government for internal control failure. A department director is a supporting manager to the vice president.

15
Q

Which of the following is true concerning the roles of data owner, data user, and data custodian?

A. The data user implements controls as necessary.
B. The data custodian is responsible for specifying acceptable usage.
C. The data owner specifies controls.
D. The data custodian specifies security classification.

A

C.

The data owner specifies controls, is responsible for acceptable use, and appoints the data custodian. The data users will comply with acceptable use and report violations. The data custodian will protect information and ensure its availability. The custodian will also provide support to the users.

16
Q

What does fiduciary responsibility mean?

A. To use information gained for personal interests without breaching confidentiality of the client.

B. To act for the benefit of another person and place the responsibilities to be fair and honest ahead of your own interest.

C. To follow the desires of the client and maintain total confidentiality even if illegal acts are discovered. The auditor shall never disclose information from an audit in order to protect the client.

D. None of the above.

A

B.

Accountants, auditors, and lawyers act on behalf of their client’s best interests unless doing so places them in violation of the law. It is the highest standard of duty implied by law for a trustee and guardian.

17
Q

How does the auditor derive a final opinion?

A. From evidence gathered and the auditor’s observations
B. By representations and assurances of management
C. By testing the compliance of language used in organizational policies
D. Under advice of the audit committee

A

A.

A final opinion is based on evidence gathered and testing. The purpose of an audit is to challenge the assertions of management. Evidence is gathered that will support or disprove claims.

18
Q

How should the auditor assist in the remediation of problems found during the audit?

A. The auditor should take ownership of the issue and participate in designing the plan for fixing the problem.

B. The auditor should decide whether the problem is major or minor and then advise the auditee with a specific solution after considering the impact to the business.

C. The auditor should help the auditees. The auditor can add value by defining the specific steps necessary for remediation of the problem.

D. The auditor should never take ownership of problems found. Auditors are encouraged to provide general advice to the auditee, including an explanation of what to look for during the audit.

A

D.

The auditor must never take ownership of the problems found. The auditor may provide general advice to the auditee and demonstrate what they are looking for during the audit. The auditee needs to design their own remediation plan. Auditors who participate in detailed remediation planning are no longer objective nor independent.

19
Q

The (blank) type of audit checks attributes against the design specifications.

A. Process
B. System
C. Compliance
D. Product

A

D.

Product audits compare design specifications (feature, size, color, markings, and so forth) against the attributes of the finished product. The CISA may use this type of audit during certification of custom‐built software programs or prior to software release from a development company.

20
Q

Why is it necessary to protect audit documentation and work papers?

A. The evidence gathered in an audit must be disclosed for regulatory compliance.
B. A paper trail is necessary to prove the auditor is right and the auditee is wrong.
C. The auditor will have to prove illegal activity in a court of law.
D. Audit documentation work papers may reveal confidential information that should not be lost or disclosed.

A

D.

The auditor may discover information that could cause some level of damage to the client if disclosed. The information could trigger additional actions by a perpetrator. In addition, the auditor shall implement controls to ensure security and data backup of their work.

21
Q

What is the difference between the words should and shall when used in regulations?

A. Shall represents discretionary requirements, and should provides advice to the reader.

B. Should indicates mandatory actions, whereas shall provides advisory information recommending actions when appropriate.

C. Should and shall are comparable in meaning. The difference is based on the individual circumstances faced by the audit.

D. Should indicates actions that are discretionary according to need, whereas shall indicates the action is mandatory regardless of financial impact.

A

D.

Should represents discretionary information in a regulation. Shall indicates that compliance is mandatory regardless of profit or loss.

22
Q

The audit may uncover irregularities and illegal acts that require disclosure. The auditor is obligated to promptly disclose this information to the authorities.

A. True
B. False

A

B.

The auditor should contact one level of management above where the suspected activity took place. If the problem involved managers responsible for internal controls, the auditor should report it to the highest level of management available, which is usually the audit committee. Auditors should never contact the authorities directly unless advised to do so by their own attorney.

23
Q

Which of the following statements is not true regarding the audit committee?

A. Executives inside the organization oversee the audit committee and are responsible for keeping the committee busy working on compliance programs.

B. Executives can be hired and fired by the audit committee because this committee is responsible for management oversight.

C. The audit committee is composed of members from the board of directors. This committee has the authority to hire external auditors, and external auditors may meet with the committee on a quarterly basis without other executives present.

D. The audit committee provides senior executives a method of bringing problems into a confidential discussion for the purpose of exploring a resolution.

A

A.

All of the answers except A are true. The audit committee is responsible for management oversight of the executives. The audit committee is usually composed of board members who provide executives a forum to discuss problems in order to rectify the situation. The audit committee can hire or fire anyone in the organization, usually focusing their attention on external auditors and senior executives.

24
Q

What term simply means the right people of authority looked at the issue, made an intelligent decision, and took appropriate action?

A. Leadership
B. Corporate responsibility
C. Chain of command
D. Governance

A

D.

Governance means the right people of authority made a decision. Governance occurs at the top level of management to prevent anarchy. Decisions made at too low a level below the executives may be an indicator of lack of governance.

25
Q

What is the difference between a threat and a vulnerability?

A. Threats are the path that can be exploited by a vulnerability.
B. Threats are risks and become a vulnerability if they occur.
C. Vulnerabilities are a path that can be taken by a threat, resulting in a loss.
D. Vulnerability is a negative event that will cause a loss if it occurs.

A

C.

Threats are negative events that cause a loss if they occur. Vulnerabilities are paths that allow a threat to occur.