These questions were collected from different official ISACA resources and reflect the kind of questions asked on the CISA exam. Every question has a detailed answer explanation.
1. An IS auditor, performing a review of an application’s controls, discovers a weakness in system software, which could materially impact the application. The IS auditor should:
A. Disregard these control weaknesses as a system software review is beyond the scope of this review.
B. Conduct a detailed system software review and report the control weaknesses.
C. Include in the report a statement that the audit was limited to a review of the application’s controls.
D. Review the system software controls as relevant and recommend a detailed system software review.
Answer: D
The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of the current review. Further, conducting a detailed systems software review may hamper the audit's schedule, and the IS auditor may not be technically competent to do such a review at this time. Control weaknesses discovered by the IS auditor should be disclosed; issuing a disclaimer would waive this responsibility. Hence, the appropriate option is to review the systems software as relevant to the review and recommend a detailed systems software review, for which additional resources may be recommended.
2. The reason for having controls in an IS environment:
A. remains unchanged from a manual environment, but the implemented control features may be different.
B. changes from a manual environment, therefore the implemented control features may be different.
C. changes from a manual environment, but the implemented control features will be the same.
D. remains unchanged from a manual environment and the implemented control features will also be the same.
Answer: A
The internal control objectives apply to all areas, whether manual or automated. There are additional objectives to be achieved in the IS environment when compared to the manual environment. Common control objectives remain unchanged in both the IS environment and the manual environment, although the implementation of the control functions may be different in the IS environment; e.g., the adequacy of backup/recovery is a common internal control objective for IS and manual environments. The specific IS control objective may be to adequately back up the files to allow for proper recovery. This may be achieved by implementing proper control procedures, such as a business continuity policy, in the IS department. Therefore, the implementation of the control functions may be different in the IS environment, but the common control objectives in an IS environment remain unchanged from a manual environment.
3. Which of the following types of risks assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
Answer: C
The risk that an error exists that could be material or significant when combined with other errors encountered during the audit, with no related compensating controls, is the inherent risk. Control risk is the risk that a material error exists that will not be prevented or detected on a timely basis by the system of internal controls. Detection risk is the risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when they do. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.
4. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module
Answer: A
Test data uses a set of hypothetical transactions to verify the program logic and internal controls in a short time and is suitable for an auditor with minimal IT background. In a parallel simulation, the results produced by the actual program are compared with the results from a program written for the IS auditor; this technique can be time consuming and requires IT expertise. An integrated test facility enables test data to be continually evaluated as transactions are processed online; this technique is time consuming and requires IT expertise. An embedded audit module is a programmed module that is inserted into an application program to test controls; this technique is time consuming and requires IT expertise.
5. The PRIMARY purpose of compliance tests is to verify whether:
A. controls are implemented as prescribed.
B. documentation is accurate and current.
C. access to users is provided as specified.
D. data validation procedures are provided.
Answer: A
Compliance tests are performed primarily to verify whether controls, as chosen by management, are implemented. Verification of documents is not directly related to compliance testing. Verifying whether access to users is provided is an example of compliance testing. Data validation procedures are part of application controls. Testing whether these are set as parameters and working as envisaged is compliance testing.
6. Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities.
B. Assessing the IS environment.
C. Understanding business process and environment applicable to the review.
D. Reviewing prior IS audit reports.
Answer: C
Understanding the business process and environment applicable to the review is most representative of what occurs early in the course of an audit. The other choices relate to activities that occur within this process.
7. The document used by the top management of organizations to delegate authority to the IS audit function is the:
A. long-term audit plan.
B. audit charter.
C. audit planning methodology.
D. steering committee minutes.
Answer: B
The audit charter outlines the overall authority, scope and responsibilities of the audit function to achieve the audit objectives stated in it. This document serves as an instrument for the delegation of authority to the IS audit function. Long-term audit planning relates to those aspects of the audit plan that are impacted by the organization’s IT strategy and environment. Audit planning commences only after the audit charter has been approved by the highest level of management. The audit planning methodologies are decided upon based on the analysis of both long- and short-term audit issues. The steering committee minutes should address the approval of the audit charter but is not the driver that delegates authority.
8. Before reporting results of an audit to senior management, an IS auditor should:
A. Confirm the findings with auditees.
B. Prepare an executive summary and send it to auditee management.
C. Define recommendations and present the findings to the audit committee.
D. Obtain agreement from the auditee on findings and actions to be taken.
Answer: D
Upon completion of an audit, an IS auditor should discuss with auditees the audit objectives for work performed, the test and evaluation techniques used, and the outcome of those tests that led to findings. The auditor should also obtain the agreement/disagreement of the auditee regarding the findings and the actions the auditor plans to take.
9. While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on?
A. Business processes
B. Critical IT applications
C. Corporate objectives
D. Business strategies
Answer: A
A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus an IS auditor using a risk-based audit approach must be able to understand business processes.
10. Which of the following is a substantive audit test?
A. Verifying that a management check has been performed regularly
B. Observing that user IDs and passwords are required to sign on the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable
Answer: D
A review of accounts receivable will provide evidence of the validity and propriety of the financial statement balance. Choices A, B and C are compliance tests to determine that policies and procedures are being followed.
11. Which of the following tasks is performed by the same person in a well-controlled information processing facility/computer center?
A. Security administration and change management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance
Answer: D
It is common for system development and maintenance to be undertaken by the same person. In both cases, the programmer requires access to the source code in the development environment, but should not be allowed access in the production environment. Choice A is not correct because the roles of security administration and change management are incompatible functions. The level of security administration access rights could allow changes to go undetected. Computer operations and system development (choice B) are incompatible since it would be possible for an operator to run a program that he/she had amended. Choice C is incorrect because the combination of system development and change control would allow program modifications to bypass change control approvals.
12. Where adequate segregation of duties between operations and programming are not achievable, the IS auditor should look for:
A. compensating controls.
B. administrative controls.
C. corrective controls.
D. access controls.
Answer: A
The IS auditor should identify compensating controls such as strong computer security, reviewing access control logs, end-user reconciliation of control reports and control information in transaction reports, where adequate segregation of duties is not achievable. Administrative controls deal with operational effectiveness, efficiency and adherence to management policies. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions once they are detected. Access control is the process that limits and controls access to resources of a computer system.
13. Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department
Answer: B
IS strategic plans must address the needs of the business and meet future business objectives. Hardware purchases may be outlined but not specified and neither budget targets nor development projects are relevant choices. Choices A, C and D are not strategic items.
14. The MOST important responsibility of a data security officer in an organization is:
A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.
Answer: A
A data security officer's prime responsibility is recommending and monitoring data security policies. Promoting security awareness within the organization is one of the responsibilities of a data security officer, but it is not as important as recommending and monitoring data security policies. The IT department, not the data security officer, is responsible for establishing procedures for the IT security policies recommended by the data security officer and for the administration of physical and logical access controls.
15. Which of the following BEST describes an IT department’s strategic planning process?
A. The IT department will have either short-range or long-range plans depending on the organization’s broader plans and objectives.
B. The IT department’s strategic plan must be time and project oriented, but not so detailed as to address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.
Answer: C
Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements. Typically, the IT department will have both long-range and short-range plans that are consistent and integrated with the organization’s plans. These plans must be time- and project-oriented, as well as addressing the organization’s broader plans for attaining the organization’s goals.
16. When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
A. Origination
B. Authorization
C. Recording
D. Correction
Answer: B
Authorization should be separated from all aspects of record keeping (origination, recording, and correction). Such a separation enhances the ability to detect the recording of unauthorized transactions.
17. In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications
Answer: C
In smaller organizations, it generally is not appropriate to recruit additional staff to achieve a strict segregation of duties. The IS auditor must look at alternatives. Of the choices, C is the only practical one that has an impact. The IS auditor should recommend processes that detect changes to production source and object code, such as code comparisons so that the changes can be reviewed by a third party on a regular basis. This would be a compensating control process. Choice A, involving logging of changes to development libraries, would not detect changes to production libraries. Choice D is in effect requiring a third party to do the changes, which may not be practical in a small organization.
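The explanation above names code comparison as the compensating control: a third party regularly checks that production source and object code match what was approved. The following is an added example, not code from ISACA or the original page, of how such a comparison can be implemented: a SHA-256 baseline is taken of the approved release, and the current production library is compared against it, reporting modified, added and removed members. The file names and contents are constructed for illustration.

```python
"""Code-comparison detective control (added example).

A baseline of file hashes is recorded when a release is approved. A later
comparison of the production library against that baseline surfaces any
member that was changed, added or removed outside the approved change,
so a reviewer independent of the operator/programmer can examine it.
"""
import hashlib
from typing import Dict, List


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a library member's contents."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Record member name -> digest at the time the release is approved."""
    return {name: hash_bytes(content) for name, content in approved.items()}


def compare_to_baseline(baseline: Dict[str, str],
                        production: Dict[str, bytes]) -> List[str]:
    """Return sorted findings describing every deviation from the baseline.

    An empty list means production matches the approved release exactly.
    """
    current = {name: hash_bytes(content) for name, content in production.items()}
    findings: List[str] = []
    for name, approved_digest in baseline.items():
        if name not in current:
            findings.append(f"REMOVED  {name}")
        elif current[name] != approved_digest:
            findings.append(f"MODIFIED {name}")
    for name in current:
        if name not in baseline:
            findings.append(f"ADDED    {name}")
    return sorted(findings)


# Constructed sample: the approved release and what is in production today.
APPROVED_RELEASE: Dict[str, bytes] = {
    "PAYROLL.cbl": b"IDENTIFICATION DIVISION. PROGRAM-ID. PAYROLL.\n",
    "GLPOST.cbl": b"IDENTIFICATION DIVISION. PROGRAM-ID. GLPOST.\n",
    "RATES.cpy": b"01 OVERTIME-RATE PIC 9V99 VALUE 1.50.\n",
}
PRODUCTION_TODAY: Dict[str, bytes] = {
    "PAYROLL.cbl": b"IDENTIFICATION DIVISION. PROGRAM-ID. PAYROLL.\n",
    "GLPOST.cbl": b"IDENTIFICATION DIVISION. PROGRAM-ID. GLPOST.\n",
    # Overtime rate changed without an approved change request.
    "RATES.cpy": b"01 OVERTIME-RATE PIC 9V99 VALUE 2.00.\n",
    # A member that was never part of the approved release.
    "BONUS.cbl": b"IDENTIFICATION DIVISION. PROGRAM-ID. BONUS.\n",
}


def sample_findings() -> List[str]:
    """Run the comparison on the constructed sample."""
    return compare_to_baseline(build_baseline(APPROVED_RELEASE), PRODUCTION_TODAY)


if __name__ == "__main__":
    for line in sample_findings() or ["OK: production matches approved release"]:
        print(line)
```

Note that the baseline must be stored where the operator/programmer cannot rewrite it (for example, held by the reviewer), otherwise the control can be defeated by re-baselining after an unauthorized change; that is why the explanation stresses review by a third party.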
18. An IT steering committee would MOST likely perform which of the following functions?
A. Placement of a purchase order with the approved IT vendor
B. Installation of systems software and application software
C. Provide liaison between IT department and user department
D. Interview staff for the IT department
Answer: C
A steering committee for information technology is a mechanism to ensure that the information systems strategies are in harmony with the corporate mission and objectives. Such a committee typically serves as a general review board for major IS projects and should not become involved in routine operations. Placement of purchase orders, installation of software and interviewing staff for the IT department are routine operations that are performed by the respective departments. A steering committee would provide a liaison between the IS department and the user department.
19. An IS auditor is auditing the controls relating to employee termination. Which of the following is the MOST important aspect to be reviewed?
A. The related company staff are notified about the termination
B. User ID and passwords of the employee have been deleted
C. The details of employee have been removed from active payroll files
D. Company property provided to the employee has been returned
Answer: B
The highest risk is logical access to information by a terminated employee. This form of access is possible if the user ID and password of the terminated employee have not been deleted. If the user ID is not disabled or deleted, the employee can access the information without physically visiting the company. The potential loss from such access to information is much higher compared to payment of salary or non-return of company property.
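The audit test implied by this explanation is a reconciliation of the HR termination list against the account directory. The following is an added example, not from ISACA or the original page, that performs that reconciliation over constructed sample records: it reports any account of a terminated employee that is still enabled, and separately flags accounts that recorded a logon after the termination date, since that is evidence of actual post-termination access rather than merely a missed deprovisioning step.

```python
"""Terminated-employee access reconciliation (added example).

Inputs are an HR termination list and an extract of the account directory;
both are constructed here. Findings distinguish 'still enabled' (control
failure) from 'logon after termination' (possible unauthorized access).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Termination:
    employee_id: str
    termination_date: date


@dataclass(frozen=True)
class Account:
    user_id: str
    employee_id: str
    enabled: bool
    last_logon: Optional[date]   # None if the account has never logged on


def reconcile(terminations: List[Termination],
              accounts: List[Account],
              grace_days: int = 0) -> Dict[str, List[str]]:
    """Return findings keyed by type, each a sorted list of user IDs.

    'still_enabled': account enabled although its owner was terminated
                     more than grace_days ago.
    'logon_after_termination': a logon is recorded after the termination date.
    """
    term_by_emp = {t.employee_id: t.termination_date for t in terminations}
    still_enabled: List[str] = []
    logon_after: List[str] = []
    for acct in accounts:
        term_date = term_by_emp.get(acct.employee_id)
        if term_date is None:
            continue  # owner still employed; nothing to check
        if acct.enabled and (date.today() - term_date).days > grace_days:
            still_enabled.append(acct.user_id)
        if acct.last_logon is not None and acct.last_logon > term_date:
            logon_after.append(acct.user_id)
    return {"still_enabled": sorted(still_enabled),
            "logon_after_termination": sorted(logon_after)}


# Constructed sample data.
TERMINATIONS = [
    Termination("E100", date(2023, 3, 31)),
    Termination("E200", date(2023, 4, 14)),
    Termination("E300", date(2023, 5, 2)),
]
ACCOUNTS = [
    Account("jsmith", "E100", enabled=True, last_logon=date(2023, 4, 3)),   # both findings
    Account("jsmith-adm", "E100", enabled=False, last_logon=date(2023, 3, 30)),  # clean
    Account("mlee", "E200", enabled=True, last_logon=date(2023, 4, 10)),    # still enabled
    Account("rkhan", "E300", enabled=False, last_logon=date(2023, 5, 9)),   # logon after
    Account("acurrent", "E400", enabled=True, last_logon=date(2023, 6, 1)), # not terminated
]


def sample_findings() -> Dict[str, List[str]]:
    return reconcile(TERMINATIONS, ACCOUNTS)


if __name__ == "__main__":
    for kind, ids in sample_findings().items():
        print(f"{kind}: {', '.join(ids) or 'none'}")
```

The disabled account that was nevertheless used after the termination date (rkhan in the sample) is the case the auditor most wants to see, because disabling happened but too late; it should prompt a review of the logon source and of how quickly HR notifications reach the account administrators.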
20. When reviewing a service level agreement for an outsourced computer center an IS auditor should FIRST determine that:
A. the cost proposed for the services is reasonable.
B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of business needs.
D. audit access to the computer center is allowed under the agreement.
Answer: C
The first consideration in reviewing the agreement is to ensure that the business is asking for the most appropriate services to meet its business requirements. There should be evidence that it has considered what services are required, both at present and in the future. The cost is important (choice A), since the business may be paying for levels of service that are not required or are not appropriate, but it is not of first importance. Both audit access (choice D) and security objectives, rather than security mechanisms (choice B), are issues to be considered as part of the review, but they are not of first importance.
21. The PRIMARY benefit of database normalization is the:
A. minimization of redundancy of information in tables required to satisfy users’ needs.
B. ability to satisfy more queries.
C. maximization of database integrity by providing information in more than one table.
D. minimization of response time through faster processing of information.
Answer: A
Normalization means the elimination of redundant data. Hence, the objective of normalization in relational databases is to minimize the quantum of information by eliminating redundant data in tables, quickly processing users’ requests and maintaining data integrity. Maximizing the quantum of information is against the rules of normalization. If particular information is provided in different tables, the objective of data integrity may be violated because one table may be updated and not the others. Normalization rules advocate storing each item of data in only one table, hence minimizing the response time through faster processing of information.
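The integrity point in the explanation (one copy updated, another not) is easy to see with a concrete schema. The following is an added example, not from ISACA or the original page, using Python's built-in sqlite3 module and constructed rows: the same customer address change is applied to a denormalized orders table, where it leaves two versions of the truth, and to a normalized customers/orders pair, where a single update is reflected in every order.

```python
"""Update anomaly in a denormalized table versus a normalized schema (added example).

Uses an in-memory SQLite database; all rows are constructed for illustration.
"""
import sqlite3
from typing import List

ORDERS = [  # (order_id, customer_id, customer_name, customer_city, product)
    (1, 100, "Acme Ltd", "Leeds", "widget"),
    (2, 100, "Acme Ltd", "Leeds", "gadget"),
    (3, 200, "Bolt Co", "York", "widget"),
]


def cities_after_update_denormalized() -> List[str]:
    """Customer data is repeated on every order row (not normalized).

    A maintenance job corrects the city on the order it happens to be
    looking at; the other order for the same customer keeps the old value.
    """
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE orders_flat ("
                "order_id INTEGER PRIMARY KEY, customer_id INTEGER, "
                "customer_name TEXT, customer_city TEXT, product TEXT)")
    cur.executemany("INSERT INTO orders_flat VALUES (?,?,?,?,?)", ORDERS)
    cur.execute("UPDATE orders_flat SET customer_city = 'Bradford' WHERE order_id = 1")
    rows = cur.execute("SELECT DISTINCT customer_city FROM orders_flat "
                       "WHERE customer_id = 100 ORDER BY customer_city").fetchall()
    conn.close()
    return [r[0] for r in rows]


def cities_after_update_normalized() -> List[str]:
    """Customer attributes live in one table; orders reference it by key.

    The same correction is made once, and every order sees it through the join.
    """
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE customers ("
                "customer_id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    cur.execute("CREATE TABLE orders ("
                "order_id INTEGER PRIMARY KEY, customer_id INTEGER "
                "REFERENCES customers(customer_id), product TEXT)")
    cur.executemany("INSERT OR IGNORE INTO customers VALUES (?,?,?)",
                    [(cid, name, city) for _, cid, name, city, _ in ORDERS])
    cur.executemany("INSERT INTO orders VALUES (?,?,?)",
                    [(oid, cid, product) for oid, cid, _, _, product in ORDERS])
    cur.execute("UPDATE customers SET city = 'Bradford' WHERE customer_id = 100")
    rows = cur.execute("SELECT DISTINCT c.city FROM orders o "
                       "JOIN customers c ON c.customer_id = o.customer_id "
                       "WHERE o.customer_id = 100 ORDER BY c.city").fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("denormalized:", cities_after_update_denormalized())  # two cities
    print("normalized:  ", cities_after_update_normalized())    # one city
```

The denormalized result shows the integrity violation the explanation describes (one row updated, the other not); the normalized result shows why storing each fact once is the safeguard, and also why there is less data to scan when answering the query.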
22. Which of the following network topologies yields the GREATEST redundancy in the event of the failure of one node?
A. Mesh
B. Star
C. Ring
D. Bus
Answer: A
In a mesh configuration, devices are connected with many redundant interconnections among network nodes, thereby yielding the greatest redundancy in the event that one of the nodes fails, in which case network traffic can be redirected to another node. In a star configuration, each station is linked to the main hub. The main hub establishes the connection between stations by message or line switching; therefore, failure of a node results in the disruption of the network. In a ring configuration, all nodes are connected to one another, forming a circle; therefore, the failure of a node results in the disruption of the network. In a bus configuration, all devices are linked along one communication line with two end points, called the backbone; therefore, the failure of a node results in the disruption of the network.