Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 231:

  Which of the following are examples of detective controls?

  A. Use of access control software and deploying encryption software
  B. Source code review and echo checks in telecommunications
  C. Check points in production jobs and rerun procedures
  D. Continuity of operations planning and backup procedures
  B. Source code review and echo checks in telecommunications

  ---

  Explanation

• Question 232:

  Which of the following is the BEST way to minimize sampling risk?

  A. Use a larger sample size
  B. Perform statistical sampling
  C. Perform judgmental sampling
  D. Enhance audit testing procedures
  B. Perform statistical sampling

  ---

  Explanation

  Sampling risk is the risk that the auditor's conclusion based on a sample may be different from the conclusion that would be reached if the entire population was tested using the same audit procedure. Sampling risk can lead to either incorrect rejection or incorrect acceptance of the audit objective. The best way to minimize sampling risk is to perform statistical sampling. Statistical sampling is a method of selecting and evaluating a sample using probability theory and mathematical calculations. Statistical sampling allows auditors to measure and control the sampling risk by determining the appropriate sample size and selection method, and evaluating the results using confidence levels and precision intervals. Statistical sampling can also provide more objective and consistent results than judgmental sampling, which relies on the auditor's professional judgment and experience.

  References:

  6: Sampling Risks: Definition, Example, and

  Explanation - Wikiaccounting

  7: Sampling Risk in Audit | Sampling vs non sampling risk - Accountinguide

  9: Audit sampling | ACCA Qualification | Students | ACCA Global

• Question 233:

  Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

  A. Have an independent party review the source calculations
  B. Execute copies of EUC programs out of a secure library
  C. implement complex password controls
  D. Verify EUC results through manual calculations
  B. Execute copies of EUC programs out of a secure library

  ---

  Explanation

  The best way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC) is to execute copies of EUC programs out of a secure library. This will ensure that the original EUC programs are protected from unauthorized changes and that the copies are run in a controlled environment. A secure library is a repository of EUC programs that have been tested, validated, and approved by the appropriate authority. Executing copies of EUC programs out of a secure library can also help with version control, backup, and recovery of EUC programs. Having an independent party review the source calculations, implementing complex password controls, and verifying EUC results through manual calculations are not as effective as executing copies of EUC programs out of a secure library, as they do not prevent or detect unintentional modifications of complex calculations in EUC.

  References: End-User Computing (EUC) Risks: A Comprehensive Guide, End User Computing (EUC) Risk Management

• Question 234:

  Which of the following are examples of corrective controls?

  A. Implementing separation of duties and hash totals
  B. Performing internal audit reviews and remediation activities
  C. Applying rollback scripts and backup procedures
  D. Enforcing disciplinary action and termination procedures
  C. Applying rollback scripts and backup procedures

  ---

  Explanation

  Explanation

• Question 235:

  Which of the following BEST enables an IS auditor to assess whether jobs were completed according to the job schedule?

  A. Console log
  B. Exception log
  C. System schedule
  D. Database schedule
  C. System schedule

  ---

  Explanation

• Question 236:

  Which of the following audit mainly focuses on discovering and disclosing on frauds and crimes?

  A. Compliance Audit
  B. Financial Audit
  C. Integrated Audit
  D. Forensic audit
  D. Forensic audit

  ---

  Explanation

  Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or irregularities

  (including fraud) and giving preventative advice

  What is an audit?

  An audit in general terms is a process of evaluating an individual or organization's accounts. This is usually done by an independent auditing body. Thus, audit involves a competent and independent person obtaining evidence and evaluating

  it objectively with regard to a given entity, which in this case is the subject of audit, in order to establish conformance to a given set of standards. Audit can be on a person, organization, system, enterprise, project or product.

  Compliance Audit

  A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review

  security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory or industry standard. These

  audits often overlap traditional audits, but may focus on particular system or data.

  What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data. For instance, SOX

  requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure. Health care providers that store or transmit e-health records, like personal health information, are

  subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often

  generated by data from event log management software.

  Financial Audit

  A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable assurance, but not

  absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an objective

  independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and

  consequently reduce the cost of capital of the preparer of the financial statements.

  Operational Audit

  Operational Audit is a systematic review of effectiveness, efficiency and economy of operation. Operational audit is a future-oriented, systematic, and independent evaluation of organizational activities. In Operational audit financial data may

  be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Operational audit is a more comprehensive form of an Internal audit.

  The Institute of Internal Auditor (IIA) defines Operational Audit as a systematic process of evaluating an organization's effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the

  results of the evaluation along with recommendations for improvement.

  Objectives

  To appraise the effectiveness and efficiency of a division, activity, or operation of the entity in meeting organizational goals.

  To understand the responsibilities and risks faced by an organization.

  To identify, with management participation, opportunities for improving control.

  To provide senior management of the organization with a detailed understanding of the Operations.

  Integrated Audits

  An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to financial information and asset, safeguarding, efficiency and or internal

  auditors and would include compliance test of internal controls and substantive audit step.

  IS Audit

  An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are

  safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of

  attestation engagement.

  The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets

  and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

  Will the organization's computer systems be available for the business at all times when required? (known as availability) Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality) Will

  the information provided by the system always be accurate, reliable, and timely? (measures the integrity) In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing

  those risks.

  Forensic Audit

  Forensic audit is the activity that consists of gathering, verifying, processing, analyzing of and reporting on data in order to obtain facts and/or evidence - in a predefined context - in the area of legal/financial disputes and or irregularities

  (including fraud) and giving preventative advice.

  The purpose of a forensic audit is to use accounting procedures to collect evidence for the prosecution or investigation of financial crimes such as theft or fraud. Forensic audits may be conducted to determine if wrongdoing occurred, or to

  gather materials for the case against an alleged criminal.

  The following answers are incorrect:

  Compliance Audit - A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance

  preparations. Auditors review security polices, user access controls and risk management procedures over the course of a compliance audit. Compliance audit include specific tests of controls to demonstrate adherence to specific regulatory

  or industry standard. These audits often overlap traditional audits, but may focus on particular system or data.

  Financial Audit- A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is intended to provide reasonable

  assurance, but not absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an

  objective independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increase user confidence in the financial statement, reduce investor risk and

  consequently reduce the cost of capital of the preparer of the financial statements.

  Integrated Audits - An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization, related to financial information and asset, safeguarding, efficiency

  and or internal auditors and would include compliance test of internal controls and substantive audit step.

  CISA Review Manual 2014 Page number 44

  http://searchcompliance.techtarget.com/definition/compliance-audit

  http://en.wikipedia.org/wiki/Financial_audit

  http://en.wikipedia.org/wiki/Operational_auditing

  http://en.wikipedia.org/wiki/Information_technology_audit

  http://www.investorwords.com/16445/forensic_audit.html

• Question 237:

  Which of the following is the BEST point in time to conduct a post-implementation review?

  A. After a full processing cycle
  B. Immediately after deployment
  C. After the warranty period
  D. Prior to the annual performance review
  A. After a full processing cycle

  ---

  Explanation

  The best point in time to conduct a post-implementation review is after a full processing cycle. A post-implementation review is a process to evaluate whether the objectives of the project were met, how effective the project was managed, what benefits were realized, and what lessons were learned. A post-implementation review should be conducted after a full processing cycle, which is the period of time required for a system or process to complete all its functions and produce its outputs. This allows for a more accurate and comprehensive assessment of the project's performance, outcomes, impacts, and issues. The other options are not as good as option A. Conducting a post-implementation review immediately after deployment is too soon, because it does not allow enough time for the project's product or service to operate in the real world and generate measurable results. Conducting a post-implementation review after the warranty period is too late, because it may miss some important feedback or opportunities for improvement that could have been addressed earlier. Conducting a post-implementation review prior to the annual performance review is irrelevant, because it does not align with the project's life cycle or objectives.

  References: What is Post-Implementation Review in Project Management?, What Is the Post-Implementation Review (PIR) Process?, Post- implementation review in project management?

• Question 238:

  An IS auditor is providing input to an RFP to acquire a financial application system. Which of the following is MOST important for the auditor to recommend?

  A. The application should meet the organization's requirements.
  B. Audit trails should be included in the design.
  C. Potential suppliers should have experience in the relevant area.
  D. Vendor employee background checks should be conducted regularly.
  B. Audit trails should be included in the design.

  ---

  Explanation

  This is because audit trails are records of system activity and user actions that can provide evidence of the validity and integrity of transactions and data in a financial application system. Audit trails can help to ensure compliance with laws,

  regulations, policies, and standards, as well as to detect and prevent fraud, errors, or misuse of information. Audit trails can also facilitate auditing, monitoring, and evaluation of the financial application system's performance and controls1. The application should meet the organization's requirements (A) is not the best answer, because it is a general and obvious criterion that applies to any application system acquisition, not a specific and important recommendation for a

  financial application system. The organization's requirements should be clearly defined and documented in the RFP, but they may not necessarily include audit trails as a design feature. Potential suppliers should have experience in the

  relevant area ?is not the best answer, because it is a factor that affects the selection of the supplier, not the design of the financial application system. The experience and reputation of potential suppliers should be evaluated and verified

  during the RFP process, but they may not guarantee that the supplier will include audit trails in the design.

  Vendor employee background checks should be conducted regularly (D) is not the best answer, because it is a measure that affects the security and trustworthiness of the vendor, not the design of the financial application system. Vendor

  employee background checks should be performed as part of the vendor management and due diligence process, but they may not ensure that the vendor will include audit trails in the design.

• Question 239:

  While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

  A. determine whether the alternative controls sufficiently mitigate the risk and record the results.
  B. reject the alternative controls and re-prioritize the original issue as high risk.
  C. postpone follow-up activities and escalate the alternative controls to senior audit management.
  D. schedule another audit due to the implementation of alternative controls.
  A. determine whether the alternative controls sufficiently mitigate the risk and record the results.

  ---

  Explanation

• Question 240:

  Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's information security awareness program?

  A. Security awareness training is not included as part of the onboarding process for new hires.
  B. The number of security incidents logged by employees to the help desk has increased in the past year.
  C. Training quizzes are designed and run by a third-party company under a contract with the organization.
  D. Security awareness training is run via the organization's enterprise-wide e-learning portal.
  A. Security awareness training is not included as part of the onboarding process for new hires.

  ---

  Explanation