CISA: Domain #2, Part A: IT Governance
Seller: lydiaomutho
CISA- Planning- Set 1
An audit charter should:
A. be dynamic and change to coincide with the changing nature of technology and the audit
profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and
review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
ANS-D. outline the overall authority, scope and responsibilities of the audit function.
An audit charter should state management's objectives for and delegation of authority to IS
auditors.
Which of the following situations could impair the independence of an IS auditor? The IS
auditor:
A. implemented specific functionality during the development of an application.
B. designed an embedded audit module for auditing an application.
C. participated as a member of an application project team and did not have operational
responsibilities.
D. provided consulting advice concerning application good practices.
ANS-A. implemented specific functionality during the development of an application.
Independence may be impaired if an IS auditor is, or has been, actively involved in the
development, acquisition and implementation of the application system.
In planning an IS audit, the MOST critical step is the identification of the:
A. areas of significant risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit.
ANS-A. areas of significant risk.
When designing a risk-based audit plan, it is important to identify the areas of highest risk to
determine the areas to be audited.
A PRIMARY benefit derived for an organization employing control self-assessment techniques
is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
ANS-A. can identify high-risk areas that might need a detailed review later.
Control self-assessment (CSA) is predicated on the review of high-risk areas that either need
immediate attention or may require a more thorough review later.
The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information.
B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant evidence.
D. purpose and scope of the audit being done.
ANS-D. purpose and scope of the audit being done.
The extent to which data will be collected during an IS audit should be related directly to the
scope and purpose of the audit. An IS audit with a narrow purpose and scope, or just a
high-level review, will most likely require less data collection than an audit with a wider purpose
and scope.
While planning an IS audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.
ANS-A. reasonable assurance that the audit will cover material items.
ISACA IS Audit and Assurance Guideline 2202 states that the applied risk assessment
approach should help with the prioritization and scheduling process of the IS audit and
assurance work. The risk assessment should support the selection process of areas and items
of audit interest and the decision process to design and conduct particular IS audit
engagements.
During a security audit of IT processes, an IS auditor found that documented security
procedures did not exist. The IS auditor should:
A. create the procedures document based on the practices.
B. issue an opinion of the current state and end the audit.
C. conduct compliance testing on available data.
D. identify and evaluate existing practices.
ANS-D. identify and evaluate existing practices.
One of the main objectives of an audit is to identify potential risk; therefore, the most proactive
approach is to identify and evaluate the existing security practices being followed by the
organization and submit the findings and risk to management, with recommendations to
document the current controls or enforce the documented procedures.
Which of the following is an attribute of the control self-assessment approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts