Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 521:

  Internal audit reports should be PRIMARILY written for and communicated to:

  A. audit management, as they are responsible for the quality of the audit.
  B. external auditors, as they provide an opinion on the financial statements.
  C. auditees, as they will eventually have to implement the recommendations.
  D. senior management, as they should be informed about the identified risks.
  A. audit management, as they are responsible for the quality of the audit.

  ---

  Explanation

• Question 522:

  Which of the following audit risk is related to exposure of a process or entity to be audited without taking into account the control that management has implemented?

  A. Inherent Risk
  B. Control Risk
  C. Detection Risk
  D. Overall Audit Risk
  A. Inherent Risk

  ---

  Explanation

  Inherent Risk is the risk level or exposure of a process or entity to be audited without taking into account the control that management has implemented. Inherent risk exists independent of an audit and can occur because of the nature of the

  business.

  For your exam you should know below information about audit risk:

  Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue unqualified report due to the auditor's failure to detect material misstatement either due to error or fraud. This risk is composed of inherent risk (IR), control

  risk (CR) and detection risk (DR), and can be calculated thus:

  AR = IR ?CR ?DR

  Inherent Risk

  Auditors must determine risks when working with clients. One type of risk to be aware of is inherent risk. While assessing this level of risk, you ignore whether the client has internal controls in place (such as a secondary review of financial

  statements) in order to help mitigate the inherent risk. You consider the strength of the internal controls when assessing the client's control risk. Your job when assessing inherent risk is to evaluate how susceptible the financial statement

  assertions are to material misstatement given the nature of the client's business. A few key factors can increase inherent risk.

  Environment and external factors: Here are some examples of environment and external factors that can lead to high inherent risk:

  Rapid change: A business whose inventory becomes obsolete quickly experiences high inherent risk.

  Expiring patents: Any business in the pharmaceutical industry also has inherently risky environment and external factors. Drug patents eventually expire, which means the company faces competition from other manufacturers marketing the

  same drug under a generic label.

  State of the economy: The general level of economic growth is another external factor affecting all businesses.

  Availability of financing: Another external factor is interest rates and the associated availability of financing. If your client is having problems meeting its short-term cash payments, available loans with low interest rates may mean the difference

  between your client staying in business or having to close its doors.

  Prior-period misstatements: If a company has made mistakes in prior years that weren't material (meaning they weren't significant enough to have to change), those errors still exist in the financial statements. You have to aggregate prior-

  period misstatements with current year misstatements to see if you need to ask the client to adjust the account for the total misstatement.

  You may think an understatement in one year compensates for an overstatement in another year. In auditing, this assumption isn't true. Say you work a cash register and one night the register comes up $20 short. The next week, you

  somehow came up $20 over my draw count. The $20 differences are added together to represent the total amount of your mistakes which is $40 and not zero. Zero would indicate no mistakes at all had occurred.

  Susceptibility to theft or fraud: If a certain asset is susceptible to theft or fraud, the account or balance level may be considered inherently risky. For example, if a client has a lot of customers who pay in cash, the balance sheet cash account is

  going to have risk associated with theft or fraud because of the fact that cash is more easily diverted than customer checks or credit card payments.

  Looking at industry statistics relating to inventory theft, you may also decide to consider the inventory account as inherently risky. Small inventory items can further increase the risk of this account valuation being incorrect because those items

  are easier to conceal (and therefore easier to steal).

  Control Risk

  Control risk has been defined under International Standards of Auditing (ISAs) as following:

  The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or

  detected and corrected, on a timely basis by the entity's internal control.

  In simple words control risk is the probability that a material misstatement exists in an assertion because that misstatement was not either prevented from entering entity's financial information or it was not detected and corrected by the

  internal control system of the entity.

  It is the responsibility of the management and those charged with governance to implement internal control system and maintain it appropriately which includes managing control risk.

  There can be many reasons for control risk to arise and why it cannot be eliminated absolutely. But some of them are as follows:

  Cost-benefit constraints

  Circumvention of controls

  Inappropriate design of controls

  Inappropriate application of controls

  Lack of control environment and accountability

  Novel situations

  Outdated controls

  Inappropriate segregation of duties

  Detection Risk

  Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.

  An auditor must apply audit procedures to detect material misstatements in the financial statements whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining

  undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit such as the use of sampling for the selection of transactions.

  Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.

  The following answers are incorrect:

  Control Risk - The risk that material error exist that would not be prevented or detected on timely basis by the system of internal controls.

  Detection risk - The risk that material errors or misstatements that have occurred will not be detected by an IS auditor.

  Overall audit risk - The probability that information or financial report may contain material errors and that the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to limit the audit risk in the area

  under security so the overall audit risk is at sufficiently low level at the completion of the examination.

  CISA review manual 2014 page number 50

  http://en.wikipedia.org/wiki/Audit_risk

  http://www.dummies.com/how-to/content/how-to-assess-inherent-risk-in-an-audit.html

  http://pakaccountants.com/what-is-control-risk/

  http://accounting-simplified.com/audit/risk-assessment/audit-risk.html

• Question 523:

  Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

  A. Legal and compliance requirements
  B. Customer agreements
  C. Data classification
  D. Organizational policies and procedures
  D. Organizational policies and procedures

  ---

  Explanation

  The organizational policies and procedures are the first source of guidance for an IS auditor when planning a customer data privacy audit. They provide the framework and objectives for ensuring compliance with legal and regulatory requirements, customer agreements and data classification. The IS auditor should review them first to understand the scope, roles and responsibilities, standards and controls related to customer data privacy in the organization. The other options are also important, but they are secondary sources of information that should be reviewed after the organizational policies and procedures.

  References: CISA Review Manual (Digital Version) 1, Chapter 2: Governance and Management of Information Technology, Section 2.5: Privacy Principles and Policies.

• Question 524:

  Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?

  A. Analysis of industry benchmarks
  B. Identification of organizational goals
  C. Analysis of quantitative benefits
  D. Implementation of a balanced scorecard
  B. Identification of organizational goals

  ---

  Explanation

  The first thing that should be performed before key performance indicators (KPIs) can be implemented is the identification of organizational goals. This is because KPIs are measurable values that demonstrate how effectively an organization is achieving its key business objectives4. Therefore, it is necessary that the organization defines its goals clearly and aligns them with its vision, mission, and strategy. By identifying its goals, the organization can then determine what KPIs are relevant and meaningful to measure its progress and performance .

  References: 4: CISA Review Manual (Digital Version), Chapter

  2: Governance and Management of IT, Section 2.3: Benefits Realization, page 77 : CISA Online Review Course, Module 2: Governance and Management of IT, Lesson 2.3: Benefits Realization : ISACA Journal Volume 1, 2020, Article: How to Measure Anything in IT Governance

• Question 525:

  Which of the following is the BEST reason to implement a data retention policy?

  A. To limit the liability associated with storing and protecting information
  B. To document business objectives for processing data within the organization
  C. To assign responsibility and ownership for data protection outside IT
  D. To establish a recovery point detective (RPO) for (toaster recovery procedures
  A. To limit the liability associated with storing and protecting information

  ---

  Explanation

  The best reason to implement a data retention policy is to limit the liability associated with storing and protecting information. A data retention policy is a document that defines how long data should be kept by an organization and how they should be disposed of when they are no longer needed. A data retention policy should comply with the applicable laws and regulations that govern the data retention requirements and obligations of organizations, such as tax laws, privacy laws, or industry standards4. Implementing a data retention policy can help to limit the liability associated with storing and protecting information by reducing the amount of data that need to be stored and secured, minimizing the risk of data breaches or leaks, ensuring compliance with legal or contractual obligations, and avoiding potential fines or penalties for non- compliance5. The other options are less relevant or incorrect because:

  B. Documenting business objectives for processing data within the organization is not a reason to implement a data retention policy, as it is more related to data governance than data retention. Data governance refers to the policies, procedures, and controls that define how data are collected, used, managed, and shared within an organization. Data governance helps to ensure that data are aligned with business objectives and support decision making6.

  C. Assigning responsibility and ownership for data protection outside IT is not a reason to implement a data retention policy, as it is more related to data accountability than data retention. Data accountability refers to the identification and assignment of roles and responsibilities for data protection among different stakeholders within an organization. Data accountability helps to ensure that data are handled appropriately and securely by authorized parties7.

  D. Establishing a recovery point objective (RPO) for disaster recovery procedures is not a reason to implement a data retention policy, as it is more related to data backup than data retention. Data backup refers to the process of creating copies of data that can be restored in case of data loss or corruption. Data backup helps to ensure that data are available and recoverable in case of disaster8. RPO is a measure of the maximum amount of data that can be lost or acceptable in case of disaster9.

  References: Data Retention Policy - ISACA, Data Retention - ISACA, Data Governance - ISACA, Data Accountability - ISACA, Data Backup - ISACA, Recovery Point Objective - ISACA

• Question 526:

  Which of the following staff should an IS auditor interview FIRST to obtain a general overview of the various technologies used across different programs?

  A. Technical architect
  B. Enterprise architect
  C. Program manager
  D. Solution architect
  B. Enterprise architect

  ---

  Explanation

• Question 527:

  An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

  A. Percentage of new hires that have completed the training.
  B. Number of new hires who have violated enterprise security policies.
  C. Number of reported incidents by new hires.
  D. Percentage of new hires who report incidents
  A. Percentage of new hires that have completed the training.

  ---

  Explanation

  The best metric to assure compliance with the policy of providing security awareness training to all new employees is the percentage of new hires that have completed the training, as this directly measures the extent to which the policy is implemented and enforced. The number of new hires who have violated enterprise security policies, the number of reported incidents by new hires, and the percentage of new hires who report incidents are not directly related to the policy, as they may depend on other factors such as the nature and frequency of threats, the effectiveness of security controls, and the reporting culture of the organization.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.7

• Question 528:

  During a review of an insurance company's claims system, the IS auditor learns that claims for specific medical procedures are acceptable only from females. This is an example of a:

  A. key verification.
  B. completeness check.
  C. reasonableness check.
  D. logical relationship check.
  D. logical relationship check.

  ---

  Explanation

• Question 529:

  An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.

  What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?

  A. Financial regulations affecting the organization
  B. Data center physical access controls whore the application is hosted
  C. Privacy regulations affecting the organization
  D. Per-unit cost charged by the hosting services provider for storage
  C. Privacy regulations affecting the organization

  ---

  Explanation

  This is because privacy regulations are laws or rules that protect the personal information of individuals from unauthorized access, use, disclosure, or transfer by third parties. Payroll audit documentation may contain sensitive and confidential data, such as employee names, salaries, benefits, taxes, deductions, and bank accounts. If the audit management application is hosted by a third party in a different country, the organization may need to comply with the privacy regulations of both its own country and the host country, as well as any international or regional agreements or frameworks that apply. Privacy regulations may impose various requirements and obligations on the organization, such as obtaining consent from the data subjects, implementing appropriate security measures, notifying data breaches, and ensuring data quality and accuracy. Privacy regulations may also grant various rights to the data subjects, such as accessing, correcting, deleting, or transferring their data. Failing to comply with privacy regulations may expose the organization to significant risks and consequences, such as legal actions, fines, sanctions, reputational damage, or loss of trust. Some examples of privacy regulations affecting the organization are: The General Data Protection Regulation (GDPR), which is a comprehensive and strict privacy regulation that applies to any organization that processes personal data of individuals in the European Union (EU) or offers goods or services to them, regardless of where the organization or the data is located1. The California Consumer Privacy Act (CCPA), which is a broad and influential privacy regulation that applies to any organization that collects personal information of California residents and meets certain thresholds of revenue, data volume, or data sharing. The Health Insurance Portability and Accountability Act (HIPAA), which is a sector- specific privacy regulation that applies to any organization that handles protected health information (PHI) of individuals in the United States, such as health care providers, health plans, or health care clearinghouses3. Therefore, before using an audit management application hosted by a third party in a different country, the internal audit team should conduct a thorough assessment of the privacy regulations affecting the organization and ensure that they have adequate policies, procedures, and controls in place to comply with them.

• Question 530:

  A bank performed minor changes to the interest calculation computer program. Which of the following techniques would provide the STRONGEST evidence to determine whether the interest calculations are correct?

  A. Source code review
  B. Parallel simulation using audit software
  C. Manual verification of a sample of the results
  D. Review of the quality assurance (QA) test results
  B. Parallel simulation using audit software

  ---

  Explanation

  Parallel simulation involves running the same data through two systems and comparing the results. In this case, the bank's data would be processed using both the modified interest calculation program and an audit software. The results from both systems would then be compared to check for discrepancies. This technique provides strong evidence of the correctness of interest calculations as it directly tests the program's output against a known and trusted output. While source code review, manual verification of a sample of results, and review of QA test results8910 can also provide valuable insights, they do not offer the same level of direct, comparative evidence as parallel simulation

  References: Parallel simulation in IT testing - Universal CPA Review 5 code review best practices - Work Life by Atlassian How to Make Good Code Reviews Better - Stack Overflow Guidelines for the validation and verification of quantitative and qualitative test methods - Mathematics LibreTexts Method Validation and Verification - University of Utah Sample Procedure for Method Validation - NIST Method validation and verification - CFS Good Practices for Quality Assurance Reviewers: Assessing Evidence of Supervisory Review - IGNET How do quality assurance engineers test calculations? - Software Quality Assurance and Testing Stack Exchange Quality Assurance/Quality Control (QA/QC) Plan and Procedures - UNFCCC