Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1001:

  The PRIMARY focus of audit follow-up reports should be to:

  A. assess if new risks have developed.
  B. determine if audit recommendations have been implemented.
  C. verify the completion date of the implementation.
  D. determine if past findings are still relevant.
  B. determine if audit recommendations have been implemented.

  ---

  Explanation

• Question 1002:

  Which of the following is the client organization's responsibility in a Software as a Service (SaaS) environment?

  A. Detecting unauthorized access
  B. Ensuring that users are properly authorized
  C. Ensuring the data is available when needed
  D. Preventing insertion of malicious code
  B. Ensuring that users are properly authorized

  ---

  Explanation

• Question 1003:

  When evaluating the ability of a disaster recovery plan to enable the recovery of IT processing capabilities, it is MOST important for the IS auditor to verify the plan is:

  A. stored at an offsite location
  B. communicated to department heads
  C. regularly reviewed
  D. periodically tested
  C. regularly reviewed

  ---

  Explanation

• Question 1004:

  An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data Which of the following is the PRIMARY advantage of this approach?

  A. Audit transparency
  B. Data confidentiality
  C. Professionalism
  D. Audit efficiency
  D. Audit efficiency

  ---

  Explanation

  The primary advantage of this approach is that it improves audit efficiency. Audit efficiency is the measure of how well the audit resources are used to achieve the audit objectives. Audit efficiency can be enhanced by using methods or techniques that can save time, cost, or effort without compromising the quality or scope of the audit. By requesting direct access to data required to perform audit procedures instead of asking management to provide the data, the auditor can reduce the dependency on management's cooperation, availability, or timeliness. The auditor can also avoid potential delays, errors, or biases that may occur when management provides the data.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.41 CISA Online Review Course, Domain 1, Module 1, Lesson 42

• Question 1005:

  When deciding whether a third party can be used in resolving a suspected security breach, which of the following should be the MOST important consideration for IT management?

  A. Third-party cost
  B. Incident priority rating
  C. Data sensitivity
  D. Audit approval
  C. Data sensitivity

  ---

  Explanation

• Question 1006:

  Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

  A. Target architecture is defined at a technical level.
  B. The previous year's IT strategic goals were not achieved.
  C. Strategic IT goals are derived solely from the latest market trends.
  D. Financial estimates of new initiatives are disclosed within the document.
  C. Strategic IT goals are derived solely from the latest market trends.

  ---

  Explanation

  The most concerning thing for an IS auditor reviewing an IT strategy document is that the strategic IT goals are derived solely from the latest market trends. An IT strategy document is a blueprint that defines how an organization will use technology to achieve its goals. It should be based on a thorough analysis of the organization's internal and external factors, such as its vision, mission, values, objectives, strengths, weaknesses, opportunities, threats, customers, competitors, regulations, and industry standards. An IT strategy document should also align with the organization's business strategy and reflect its unique needs and capabilities. If an IT strategy document is derived solely from the latest market trends, it may not be relevant or appropriate for the organization's specific situation. It may also lack coherence, consistency, feasibility, or sustainability. The other options are not as concerning as option

  C. Target architecture is defined at a technical level is not a concern for an IS auditor reviewing an IT strategy document. Target architecture is the desired state of an organization's IT systems in terms of their structure, functionality, performance, security, interoperability, and integration. Defining target architecture at a technical level can help an IS auditor to understand how the organization plans to achieve its strategic IT goals and what technical requirements and standards it needs to follow. The previous year's IT strategic goals were not achieved is not a concern for an IS auditor reviewing an IT strategy document. The previous year's IT strategic goals are the outcomes that the organization intended to accomplish with its IT initiatives in the past year. Not achieving these goals may indicate some challenges or gaps in the organization's IT performance or execution. However, this does not necessarily affect the quality or validity of the current IT strategy document. An IS auditor should focus on evaluating whether the current IT strategy document is realistic, measurable, achievable, relevant, and time-bound. Financial estimates of new initiatives are disclosed within the document is not a concern for an IS auditor reviewing an IT strategy document. Financial estimates are projections of the costs and benefits of new initiatives that are part of the IT strategy document. Disclosing financial estimates within the document can help an IS auditor to assess whether the new initiatives are aligned with the organization's budget and resources and whether they provide value for money.

  References: IT Strategy Template for a Successful Strategic Plan | Gartner, Definitive Guide to Developing an IT Strategy and Roadmap - CioPages, An Example of a Well-Developed IT Strategy Plan - Resolute

• Question 1007:

  During a help desk review, an IS auditor determines the call abandonment rate exceeds agreed-upon service levels. What conclusions can be drawn from this finding?

  A. There are insufficient telephone lines available to the help desk.
  B. There is insufficient staff to handle the help desk call volume.
  C. Help desk staff are unable to resolve a sufficient number of problems on the first call.
  D. Users are finding solutions from alternative sources.
  B. There is insufficient staff to handle the help desk call volume.

  ---

  Explanation

• Question 1008:

  Which of the following audit risk is related to material errors or misstatements that have occurred that will not be detected by an IS auditor?

  A. Inherent Risk
  B. Control Risk
  C. Detection Risk
  D. Overall Audit Risk
  C. Detection Risk

  ---

  Explanation

  The risk that material errors or misstatements that have occurred will not be detected by an IS auditor. Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements. An auditor must apply audit procedures to detect material misstatements in the financial statements whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit such as the use of sampling for the selection of transactions. Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.

  For your exam you should know below information about audit risk:

  Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue unqualified report due to the auditor's failure to detect material misstatement either due to error or fraud. This risk is composed of inherent risk (IR), control risk (CR) and detection risk (DR), and can be calculated thus:

  AR = IR ?CR ?DR

  Inherent Risk

  Auditors must determine risks when working with clients. One type of risk to be aware of is inherent risk. While assessing this level of risk, you ignore whether the client has internal controls in place (such as a secondary review of financial

  statements) in order to help mitigate the inherent risk. You consider the strength of the internal controls when assessing the client's control risk. Your job when assessing inherent risk is to evaluate how susceptible the financial statement

  assertions are to material misstatement given the nature of the client's business. A few key factors can increase inherent risk.

  Environment and external factors: Here are some examples of environment and external factors that can lead to high inherent risk:

  Rapid change: A business whose inventory becomes obsolete quickly experiences high inherent risk.

  Expiring patents: Any business in the pharmaceutical industry also has inherently risky environment and external factors. Drug patents eventually expire, which means the company faces competition from other manufacturers marketing the

  same drug under a generic label.

  State of the economy: The general level of economic growth is another external factor affecting all businesses.

  Availability of financing: Another external factor is interest rates and the associated availability of financing. If your client is having problems meeting its short-term cash payments, available loans with low interest rates may mean the difference

  between your client staying in business or having to close its doors.

  Prior-period misstatements: If a company has made mistakes in prior years that weren't material (meaning they weren't significant enough to have to change), those errors still exist in the financial statements. You have to aggregate prior-

  period misstatements with current year misstatements to see if you need to ask the client to adjust the account for the total misstatement.

  You may think an understatement in one year compensates for an overstatement in another year. In auditing, this assumption isn't true. Say you work a cash register and one night the register comes up $20 short. The next week, you

  somehow came up $20 over my draw count. The $20 differences are added together to represent the total amount of your mistakes which is $40 and not zero. Zero would indicate no mistakes at all had occurred.

  Susceptibility to theft or fraud: If a certain asset is susceptible to theft or fraud, the account or balance level may be considered inherently risky. For example, if a client has a lot of customers who pay in cash, the balance sheet cash account is

  going to have risk associated with theft or fraud because of the fact that cash is more easily diverted than customer checks or credit card payments.

  Looking at industry statistics relating to inventory theft, you may also decide to consider the inventory account as inherently risky. Small inventory items can further increase the risk of this account valuation being incorrect because those items

  are easier to conceal (and therefore easier to steal).

  Control Risk

  Control risk has been defined under International Standards of Auditing (ISAs) as following:

  The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or

  detected and corrected, on a timely basis by the entity's internal control.

  In simple words control risk is the probability that a material misstatement exists in an assertion because that misstatement was not either prevented from entering entity's financial information or it was not detected and corrected by the

  internal control system of the entity.

  It is the responsibility of the management and those charged with governance to implement internal control system and maintain it appropriately which includes managing control risk.

  There can be many reasons for control risk to arise and why it cannot be eliminated absolutely. But some of them are as follows:

  Cost-benefit constraints

  Circumvention of controls

  Inappropriate design of controls

  Inappropriate application of controls

  Lack of control environment and accountability

  Novel situations

  Outdated controls

  Inappropriate segregation of duties

  Detection Risk

  Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.

  An auditor must apply audit procedures to detect material misstatements in the financial statements whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining

  undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit such as the use of sampling for the selection of transactions.

  Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.

  The following answers are incorrect:

  Inherent Risk - It is the risk level or exposure of a process or entity to be audited without taking into account the control that management has implemented.

  Control Risk - The risk that material error exist that would not be prevented or detected on timely basis by the system of internal controls.

  Overall audit risk - The probability that information or financial report may contain material errors and that the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to limit the audit risk in the area

  under security so the overall audit risk is at sufficiently low level at the completion of the examination.

  CISA review manual 2014 page number 50

  http://en.wikipedia.org/wiki/Audit_risk

  http://www.dummies.com/how-to/content/how-to-assess-inherent-risk-in-an-audit.html

  http://pakaccountants.com/what-is-control-risk/

  http://accounting-simplified.com/audit/risk-assessment/audit-risk.html

• Question 1009:

  An organization plans to eliminate pilot releases and instead deliver all functionality in a single release. Which of the following is the GREATEST risk with this approach?

  A. Likelihood of scope creep over time
  B. Increased oversight required to track projects
  C. Inability to track project costs
  D. Releasing critical deficiencies into production
  D. Releasing critical deficiencies into production

  ---

  Explanation

• Question 1010:

  Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simu-lation test administered for staff members?

  A. Staff members who failed the test did not receive follow-up education
  B. Test results were not communicated to staff members.
  C. Staff members were not notified about the test beforehand.
  D. Security awareness training was not provided prior to the test.
  A. Staff members who failed the test did not receive follow-up education

  ---

  Explanation

  The IS auditor should be most concerned about the lack of follow-up education for staff members who failed the phishing simulation test. Phishing simulation tests are designed to assess the level of awareness and susceptibility of staff members to phishing attacks, and to provide feedback and training to improve their security behavior. If staff members who failed the test do not receive follow-up education, they will not learn from their mistakes and may continue to fall victim to real phishing attacks, which could compromise the security of the organization. The other options are less concerning for the IS auditor: Test results were not communicated to staff members. This is not ideal, as staff members should receive feedback on their performance and learn from the test results. However, this does not necessarily mean that they did not receive any training or education on how to avoid phishing attacks. Staff members were not notified about the test beforehand. This is a common practice for phishing simulation tests, as it mimics the real-world scenario where staff members do not know when they will receive a phishing email. The purpose of the test is to measure their spontaneous reaction and awareness, not their preparedness or compliance. Security awareness training was not provided prior to the test. This is not a major concern, as the test can serve as a baseline measurement of the current level of awareness and susceptibility of staff members, and as a starting point for providing tailored training and education based on the test results.