CISA 725 Questions (CISA725题.doc)

Uploader: 文库蛋蛋多  Document ID: 4083641  Uploaded: 2023-04-03  Format: DOC  Pages: 244  Size: 1.50 MB

1. An IS auditor is reviewing access to an application to determine whether the 10 most recent new user forms were correctly authorized. This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.
The correct answer is: C.
Explanation: Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

2. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent
B. Detection
C. Control
D. Business
The correct answer is: B.
Explanation: Detection risk is directly affected by the auditor's selection of audit procedures and techniques. Inherent risk usually is not affected by the IS auditor. Control risk is controlled by the actions of the company's management. Business risk is not affected by the IS auditor.

3. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should:
A. refuse the assignment since it is not the role of the IS auditor.
B. inform management of his/her inability to conduct future audits.
C. perform the assignment and future audits with due professional care.
D. obtain the approval of user management to perform the implementation and follow-up.
The correct answer is: B.
Explanation: In this situation the IS auditor should inform management of the impairment of independence in conducting further audits in the auditee area. An IS auditor can perform nonaudit assignments where the IS auditor's expertise can be of use to management; however, by performing the nonaudit assignment, the IS auditor cannot conduct the future audits of the auditee, as his/her independence may be compromised. The independence of the IS auditor will not be impaired when suggesting/recommending controls to the auditee after the audit.

4. Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.
The correct answer is: A.
Explanation: Choice A takes into consideration both the likelihood and the magnitude of the impact and provides the best measure of the risk to an asset. Choice B considers only the magnitude of the possible damage to the asset and not the likelihood of a threat exploiting the vulnerability. Similarly, choice C considers only the likelihood of exploitation and not the magnitude of the damage. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.

5. Which of the following is a substantive test?
A. Checking a list of exception reports
B. Ensuring approval for parameter changes
C. Using a statistical sample to inventory the tape library
D. Reviewing password history reports
The correct answer is: C.
Explanation: A substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of exception reports, reviewing authorization for changing parameters and reviewing password history reports are all compliance tests.

6. The use of statistical sampling procedures helps minimize:
A. sampling risk.
B. detection risk.
C. inherent risk.
D. control risk.
The correct answer is: B.
Explanation: Detection risk is the risk that the IS auditor uses an inadequate test procedure and concludes that material errors do not exist when in fact they do. Using statistical sampling, an IS auditor can quantify how closely the sample should represent the population and quantify the probability of error. Sampling risk is the risk that incorrect assumptions will be made about the characteristics of a population from which a sample is selected. Assuming there are no related compensating controls, inherent risk is the risk that an error exists which could be material or significant when combined with other errors found during the audit; statistical sampling will not minimize this. Control risk is the risk that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls; this cannot be minimized using statistical sampling.

7. Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.
The correct answer is: D.
Explanation: The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.

8. The PRIMARY objective of an IS audit function is to:
A. determine whether everyone uses IS resources according to their job description.
B. determine whether information systems safeguard assets and maintain data integrity.
C. examine books of accounts and relative documentary evidence for the computerized system.
D. determine the ability of the organization to detect fraud.
The correct answer is: B.
Explanation: The primary reason for conducting IS audits is to determine whether a system safeguards assets and maintains data integrity. Examining books of accounts is one of the processes involved in an IS audit, but it is not the primary purpose. Detecting fraud could be a result of an IS audit but is not the purpose for which an IS audit is performed.

9. An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A. Personally delete all copies of the unauthorized software.
B. Inform the auditee of the unauthorized software, and follow up to confirm deletion.
C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management.
D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.
The correct answer is: C.
Explanation: The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in inherent exposure and can result in severe fines. The IS auditor must convince the user and user management of the risk and the need to eliminate the risk. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing or deleting the unauthorized software.

10. A key element in a risk analysis is:
A. audit planning.
B. controls.
C. vulnerabilities.
D. liabilities.
The correct answer is: C.
Explanation: Vulnerabilities are a key element in the conduct of a risk analysis. Audit planning consists of short- and long-term processes that may detect threats to the information assets. Controls mitigate risks associated with specific threats. Liabilities are part of business and are not inherently a risk.

11. An audit charter should:
A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for and the delegation of authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
The correct answer is: D.
Explanation: An audit charter should state management's objectives for and delegation of authority to IS audit. This charter should not significantly change over time and should be approved at the highest level of management. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.

12. In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced by:
A. the availability of CAATs.
B. management's representation.
C. organizational structure and job responsibilities.
D. the existence of internal and operational controls.
The correct answer is: D.
Explanation: The existence of internal and operational controls will have a bearing on the IS auditor's approach to the audit. In a risk-based approach, the IS auditor is not only relying on risk, but on internal and operational controls as well as knowledge of the company and the business. This type of risk assessment decision can help relate the cost-benefit analysis of a control to the known risk, allowing practical choices. The nature of available testing techniques and management's representations have little impact on the risk-based audit approach. Although organizational structure and job responsibilities need to be considered, they are not directly considered unless they impact internal and operational controls.

13. The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:
A. information assets are overprotected.
B. a basic level of protection is applied regardless of asset value.
C. appropriate levels of protection are applied to information assets.
D. an equal proportion of resources are devoted to protecting all information assets.
The correct answer is: C.
Explanation: Full risk assessment determines the level of protection most appropriate to a given level of risk, while the baseline approach merely applies a standard set of protection regardless of risk. There is a cost advantage in not overprotecting information. However, an even bigger advantage is making sure that no information assets are over- or underprotected. The risk assessment approach will ensure an appropriate level of protection is applied, commensurate with the level of risk and asset value. The baseline approach does not allow more resources to be directed toward the assets at greater risk; it directs resources equally to all assets.

14. Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
The correct answer is: A.
Explanation: Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.

15. The PRIMARY purpose of an audit charter is to:
A. document the audit process used by the enterprise.
B. formally document the audit department's plan of action.
C. document a code of professional conduct for the auditor.
D. describe the authority and responsibilities of the audit department.
The correct answer is: D.
Explanation: The audit charter typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and delegation of authority to the audit department. It is rarely changed and does not contain the audit plan or audit process, which is usually part of annual audit planning, nor does it describe a code of professional conduct, since such conduct is set by the profession and not by management.

16. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Multiple cycles of backup files remain available.
B. Access controls establish accountability for e-mail activity.
C. Data classification regulates what information should be communicated via e-mail.
D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.
The correct answer is: A.
Explanation: Documents that have supposedly been deleted can be recovered from backup files. Access controls may help establish accountability for the issuance of a particular document, but this does not provide evidence of the e-mail itself. Data classification standards may be in place with regard to what should be communicated via e-mail, but the creation of the policy does not provide the information required for litigation purposes.

17. The IS department of an organization wants to ensure that the computer files used in the information processing facility are adequately backed up to allow for proper recovery. This is a(n):
A. control procedure.
B. control objective.
C. corrective control.
D. operational control.
The correct answer is: B.
Explanation: IS control objectives specify the minimum set of controls to ensure efficiency and effectiveness in the operations and functions within an organization. Control procedures are developed to provide reasonable assurance that specific objectives will be achieved. A corrective control is a category of controls that aims to minimize the threat and/or remedy problems that were not prevented or were not initially detected. Operational controls address the day-to-day operational functions and activities, and aid in ensuring that the operations are meeting the desired business objectives.

18. An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did
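Questions 6 and 14 above state that attribute sampling is the method for compliance testing and that statistical sampling lets the auditor quantify the probability of error. The following Python block is an added example, not part of the question bank or any ISACA material, that works this through for the control in question 1 (authorization of new-user forms). It sizes the sample with the standard zero-expected-deviation attribute-sampling formula, draws a random sample from a constructed population, and computes a one-sided exact (Clopper-Pearson) upper confidence bound on the population deviation rate; the control is relied upon only if that bound is within the tolerable deviation rate. The population, the 95% confidence level, the 5% tolerable deviation rate and the choice of the Clopper-Pearson bound are all assumptions made for the example.

```python
"""Attribute sampling for a compliance test (added example, not from the question bank).

Scenario (constructed): the population is a year's worth of new-user access
forms and the attribute under test is "form carries a documented approval".
Confidence level, tolerable deviation rate and population are assumptions.
"""
import math
import random


def sample_size_zero_deviations(confidence: float, tolerable_rate: float) -> int:
    """Smallest sample size n for which, if the true deviation rate equalled the
    tolerable rate, the chance of observing zero deviations would be at most
    1 - confidence.  This is the standard attribute-sampling size when the
    auditor expects no deviations: (1 - tolerable)^n <= 1 - confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - tolerable_rate))


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly from the pmf."""
    return sum(math.comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_bound(deviations: int, n: int, confidence: float) -> float:
    """One-sided exact (Clopper-Pearson) upper bound on the population deviation
    rate: the largest rate p at which seeing <= `deviations` deviations in n
    items still has probability 1 - confidence.  binom_cdf is decreasing in p,
    so a bisection on [0, 1] finds it."""
    if deviations >= n:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > 1e-9:
        mid = (lo + hi) / 2.0
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid  # this rate is still plausible, so the bound lies higher
        else:
            hi = mid
    return hi


def run_compliance_test(population, confidence=0.95, tolerable_rate=0.05, seed=1):
    """Size the sample, draw it at random (reproducible via `seed`), count forms
    lacking approval and decide whether the control can be relied upon: it can
    only if the upper bound on the deviation rate is within the tolerable rate."""
    n = sample_size_zero_deviations(confidence, tolerable_rate)
    if n > len(population):
        raise ValueError("population smaller than the required sample; test every item instead")
    sample = random.Random(seed).sample(population, n)
    deviations = sum(1 for form in sample if not form["approved"])
    bound = upper_deviation_bound(deviations, n, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "sample_rate": deviations / n,
        "upper_bound": bound,
        "control_reliable": bound <= tolerable_rate,
    }


def constructed_population(total=400, unapproved=12):
    """Constructed test data: `total` new-user forms of which `unapproved` lack
    a documented approval (a 3% true deviation rate, unknown to the auditor)."""
    return [{"form_id": f"NU-{i:04d}", "approved": i >= unapproved} for i in range(total)]


if __name__ == "__main__":
    result = run_compliance_test(constructed_population())
    for key, value in result.items():
        print(f"{key:17}: {value}")
```

At 95% confidence and a 5% tolerable rate the required sample is 59 forms, and a single unapproved form in that sample already pushes the upper bound to about 7.8%, so the auditor could not rely on the control; this is the quantified probability of error that question 6 refers to, and it is why the sample size, not the 10 "most recent" forms of question 1, determines what the test can conclude.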
