DOMAIN 1 (CISA REVIEW QUESTIONS, ANSWERS & EXPLANATIONS MANUAL, 12TH EDITION | PRINT | ENGLISH)

  • August 23, 2024
  • 69
  • 2024/2025
  • Exam (elaborations)
  • Questions & answers
  • CISA - Certified Information Systems Auditor
A1-1 The internal audit department wrote some scripts that are used for continuous
auditing of some information systems. The IT department asked for copies of the scripts
so that they can use them for setting up a continuous monitoring process on key
systems. Does sharing these scripts with IT affect the ability of the IS auditors to
independently and objectively audit the IT function?

A. Sharing the scripts is not permitted because it gives IT the ability to pre-audit
systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all
programs and software that run on IS systems regardless of audit independence.
C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted
in areas not covered in the scripts.
D. Sharing the scripts is not permitted because the IS auditors who wrote the scripts
would not be permitted to audi - Answers -C is the correct answer.
Justification:
A. The ability of IT to continuously monitor and address any issues on IT systems does
not affect the ability of IS audit to perform a comprehensive audit.
B. Sharing the scripts may be required by policy for quality assurance and configuration
management, but that does not impair the ability to audit.
C. IS audit can still review all aspects of the systems. They may not be able to review
the
effectiveness of the scripts, but they can still audit the systems.
D. An audit of an IS system encompasses more than just the controls covered in the
scripts.


A1-5 Which of the following controls would an IS auditor look for in an environment
where duties cannot be appropriately segregated?

A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls - Answers -D is the correct answer. Justification:
A. Overlapping controls are two controls addressing the same control objective or
exposure. Because primary controls cannot be achieved when duties cannot or are not
appropriately segregated, it is difficult to install overlapping controls.
B. Boundary controls establish the interface between the would-be user of a computer
system and the computer system itself and are individual-based, not role-based, controls.
C. Access controls for resources are based on individuals and not on roles. For a lack of
segregation of duties, the IS auditor expects to find that a person has higher levels of
access than are ideal. The IS auditor wants to find compensating controls to address
this risk.
D. Compensating controls are internal controls that are intended to reduce the risk of an
existing or potential control weakness that may arise when duties cannot be appropriately
segregated.

A1-6 Which of the following is the key benefit of a control self-assessment?
A. Management ownership of the internal controls supporting business objectives is
reinforced.
B. Audit expenses are reduced when the assessment results are an input to external
audit work.
C. Fraud detection is improved because internal business staff are engaged in testing
controls.
D. Internal auditors can shift to a consultative approach by using the results of the
assessment. - Answers -A is the correct answer. Justification:
A. The objective of control self-assessment (CSA) is to have business management
become more aware of the importance of internal control and their responsibility in
terms of corporate governance.
B. Reducing audit expenses is not a key benefit of CSA.
C. Improved fraud detection is important but not as important as control ownership. It is
not a principal objective of CSA.
D. CSA may give more insights to internal auditors, allowing them to take a more
consultative role;
however, this is an additional benefit, not the key benefit.

A1-7 What is the PRIMARY requirement that a data mining and auditing software tool
should meet? The software tool should:

A. interface with various types of enterprise resource planning software and databases.
B. accurately capture data from the organization's systems without causing excessive
performance problems.
C. introduce audit hooks into the organization's financial systems to support continuous
auditing.
D. be customizable and support inclusion of custom programming to aid in investigative
analysis. - Answers -B is the correct answer. Justification:
A. The product must interface with the types of systems used by the organization and
provide meaningful data for analysis.
B. Although all the requirements that are listed as answer choices are desirable in a
software tool evaluated for auditing and data mining purposes, the most critical
requirement is that the tool works effectively on the systems of the organization being
audited.
C. The tool should probably work on more than just financial systems and does not
necessarily require implementation of audit hooks.
D. The tool should be flexible but not necessarily customizable. It should have built-in
analysis software tools.

A1-8 A long-term IT employee with a strong technical background and broad managerial
experience has applied for a vacant position in the IS audit department. Determining
whether to hire this individual for this position should be PRIMARILY based on the
individual's experience and:

A. length of service, because this will help ensure technical competence.
B. age, because training in audit techniques may be impractical.
C. IT knowledge, because this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IT relationships. - Answers -D
is the correct answer. Justification:
A. Length of service does not ensure technical competency.
B. Evaluating an individual's qualifications based on the age of the individual is not a
good criterion and is illegal in many parts of the world.
C. The fact that the employee has worked in IT for many years may not ensure
credibility. The IS audit department's needs should be defined, and any candidate
should be evaluated against those requirements.
D. Independence should be continually assessed by the auditor and management. This
assessment should consider such factors as changes in personal relationships, financial
interests, and prior job assignments and responsibilities.

A1-9 For a retail business with a large volume of transactions, which of the following
audit techniques is the MOST appropriate for addressing emerging risk?

A. Use of computer-assisted audit techniques
B. Quarterly risk assessments
C. Sampling of transaction logs
D. Continuous auditing - Answers -D is the correct answer. Justification:
A. Using software tools such as computer-assisted audit techniques to analyze
transaction data can provide detailed analysis of trends and potential risk, but it is not as
effective as continuous auditing, because there may be a time differential between
executing the software and analyzing the results.
B. Quarterly risk assessment may be a good technique but not as responsive as
continuous auditing.
C. The sampling of transaction logs is a valid audit technique; however, risk may exist
that is not captured in the transaction log, and there may be a potential time lag in the
analysis.
D. The implementation of continuous auditing enables a real-time feed of information to
management through automated reporting processes so that management may
implement corrective actions more quickly.

A1-10 An IS auditor is reviewing access to an application to determine whether recently
added accounts were appropriately authorized. This is an example of:

A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling. - Answers -C is the correct answer. Justification:
A. Variable sampling is used to estimate numerical values such as dollar values.
B. Substantive testing substantiates the integrity of actual processing such as balances
on financial statements. The development of substantive tests is often dependent on the
outcome of compliance tests. If compliance tests indicate that there are adequate
internal controls, then substantive tests can be minimized.
C. Compliance testing determines whether controls are being applied in compliance
with policy.
This includes tests to determine whether new accounts were appropriately authorized.
D. Stop-or-go sampling allows a test to be stopped as early as possible and is not
appropriate for checking whether procedures have been followed.

A1-11 The decisions and actions of an IS auditor are MOST likely to affect which of the
following types of risk?

A. Inherent
B. Detection
C. Control
D. Business - Answers -B is the correct answer. Justification:
A. Inherent risk is the risk that a material error could occur, if there are no related
internal controls to prevent or detect the error. Inherent risk is not usually affected by an
IS auditor.
B. Detection risk is directly affected by the IS auditor's selection of audit procedures and
techniques. Detection risk is the risk that a review will not detect or notice a material
issue.
C. Control risk is the risk that a material error exists that would not be prevented or
detected on a timely basis by the system of internal controls. Control risk can be
mitigated by the actions of the organization's management.
D. Business risk is a probable situation with uncertain frequency and magnitude of loss
(or gain).
Business risk is usually not directly affected by an IS auditor.

A1-12 Which of the following is the MOST critical step when planning an IS audit?

A. Review findings from prior audits
B. Executive management's approval of the audit plan
C. Review information security policies and procedures
D. Perform a risk assessment - Answers -D is the correct answer. Justification:
A. The findings of a previous audit are of interest to the auditor, but they are not the
most critical
step. The most critical step involves finding the current issues or high-risk areas, not
reviewing the resolution of older issues. A review of historical audit findings could
