Domain 1 Exercises - CISA Review 2013 - Questions & Answers

This document provides a summary of key points from a training on preparing for the CISA certification examination. It covers topics like continuous auditing, logical access reviews, risk assessments, control self-assessments, and determining data collection needs for compliance audits. Sample exam questions and answers are provided to illustrate appropriate auditor responses.

Uploaded by danamaulana

Certification Examination Preparation

CISA Review 2013


Favehotel Cihampelas Bandung, 19-23 August 2013

DOMAIN 1 EXERCISES: THE PROCESS OF AUDITING INFORMATION SYSTEMS

1. The internal audit department of an organization has developed and maintained ACL scripts for continuous
auditing purposes. These scripts were provided to IT management for continuous monitoring purposes. This
situation resulted in a potential conflict related to the auditor's independence and objectivity. Which of the
following actions would BEST resolve this issue?
A. The internal audit team should stop sharing the scripts so that IT management must develop its own
scripts.
B. Since continuous monitoring and continuous auditing are similar functions, IT management should assign
the continuous monitoring tasks to the internal audit department.
C. IT management should continue to use the scripts for continuous monitoring purposes with the
understanding that it is responsible for testing and maintaining the scripts that it uses.
D. The internal audit team should review the areas where these scripts are being used and reduce the audit
scope and frequency for those areas.

The Correct Answer : C

When IT management assumes responsibility for testing and maintaining the scripts it uses, the scripts are
then considered to be different from the scripts being used by the internal audit department and IT
management is even free to modify the scripts. Once the scripts are considered to be different, the risk of
impaired objectivity and independence of the internal audit team is greatly reduced. If the internal audit
team stops sharing the scripts, the IT personnel have to create the scripts from scratch or may have to
employ specialists to do this job, which is not a cost-effective solution. Continuous monitoring is a
responsibility of IT management and cannot be handed over to the internal audit team. Continuous auditing
is a function of the audit team and is not a substitute for continuous monitoring. Moreover, the internal
audit team cannot assume that their scripts are being used appropriately by IT management or that their
scripts have not been modified, which then could give erroneous results.

2. A financial services company has a web site used by its independent agents to administer their customer
accounts. During a review of logical access to the system, an IS auditor notices user IDs that appear to be
shared by multiple agency users. The MOST appropriate action for an IS auditor to take is to:
A. inform the audit committee that there is a potential issue.
B. request a detailed review of audit logs for the IDs in question.
C. document the finding and explain the risk of using shared IDs.
D. contact the security manager to request that the IDs be removed from the system.

The Correct Answer : C

An IS auditor's role is to detect and document findings and control deficiencies. Part of the audit report is to
explain the reasoning behind the findings. The use of shared IDs is not recommended because it does not
allow for accountability of transactions. An IS auditor has no proof that a privacy breach has occurred as a
result of the shared IDs. It is not appropriate for an IS auditor to report findings to the audit committee
before presenting them to management for a response. Review of audit logs would not be useful since
shared IDs do not provide for individual accountability. It is not the role of an IS auditor to request the
removal of IDs from the system.
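The explanation above says the auditor should document the shared-ID finding and explain the accountability risk, not act on it. As an added illustration (not part of the review document) of how such a logical access review might be supported with evidence, the following Python script screens a constructed application access log for user IDs that hold overlapping sessions from two different client addresses, a strong indicator that an ID is shared, and renders the result as work-paper lines. The log format, field names and all sample lines are assumptions made for this example.

```python
# Added example (not from the review document): screening an application's
# access log for user IDs that appear to be shared. One ID holding overlapping
# sessions from two different client addresses is a strong indicator of
# sharing. The log format and all sample lines are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp,user_id,client_ip,event"
SAMPLE_LOG = """\
2013-08-19T08:00:00,agent042,10.1.1.5,login
2013-08-19T08:05:00,agent042,10.9.3.77,login
2013-08-19T08:30:00,agent042,10.1.1.5,logout
2013-08-19T08:40:00,agent042,10.9.3.77,logout
2013-08-19T09:00:00,agent017,10.2.2.8,login
2013-08-19T09:45:00,agent017,10.2.2.8,logout
2013-08-19T10:00:00,agent017,10.2.2.9,login
2013-08-19T10:20:00,agent017,10.2.2.9,logout
"""


def parse_log(text):
    """Parse CSV lines into (timestamp, user_id, client_ip, event) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, uid, ip, event = line.split(",")
        rows.append((datetime.fromisoformat(ts), uid, ip, event))
    return rows


def build_sessions(rows):
    """Pair each login with the next logout for the same (user, client IP).
    Returns {user_id: [(start, end, client_ip), ...]}."""
    open_sessions = {}
    sessions = defaultdict(list)
    for ts, uid, ip, event in sorted(rows):
        key = (uid, ip)
        if event == "login":
            open_sessions[key] = ts
        elif event == "logout" and key in open_sessions:
            sessions[uid].append((open_sessions.pop(key), ts, ip))
    # A session still open at the end of the log is closed at the last timestamp
    if open_sessions:
        last_ts = max(ts for ts, _, _, _ in rows)
        for (uid, ip), start in open_sessions.items():
            sessions[uid].append((start, last_ts, ip))
    return sessions


def find_shared_ids(sessions):
    """Return {user_id: [(ip_a, ip_b, overlap_start_iso), ...]} for every ID
    whose sessions from two different client IPs overlap in time."""
    findings = {}
    for uid, sess in sessions.items():
        sess = sorted(sess)
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                s1, e1, ip1 = sess[i]
                s2, e2, ip2 = sess[j]
                if ip1 != ip2 and s2 < e1 and s1 < e2:
                    overlap = max(s1, s2).isoformat()
                    findings.setdefault(uid, []).append((ip1, ip2, overlap))
    return findings


def finding_lines(findings):
    """Render the result as the lines an auditor would put in the work papers:
    the observation plus the accountability risk, not a removal order."""
    lines = []
    for uid, overlaps in sorted(findings.items()):
        for ip_a, ip_b, when in overlaps:
            lines.append(
                f"{uid}: concurrent sessions from {ip_a} and {ip_b} at {when}; "
                "individual accountability for transactions cannot be established")
    return lines


if __name__ == "__main__":
    shared = find_shared_ids(build_sessions(parse_log(SAMPLE_LOG)))
    print("\n".join(finding_lines(shared)) or "no shared-ID indicators")
```

On the constructed log, agent042 is flagged (two addresses logged in at the same time) while agent017 is not, because its two sessions from different addresses do not overlap. Overlap is the indicator the auditor documents; it is not proof of misuse, which is consistent with the answer's point that log review cannot restore accountability once an ID is shared.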

Page 1 of 14

3. An IS auditor discovers that devices connected to the network have not been included in a network diagram
that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the
diagram is being updated and awaiting final approval. The IS auditor should FIRST:
A. expand the scope of the IS audit to include the devices that are not on the network diagram.
B. evaluate the impact of the undocumented devices on the audit scope.
C. note a control deficiency because the network diagram has not been updated.
D. plan follow-up audits of the undocumented devices.

The Correct Answer : B

In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the
audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the
current audit engagement. The information provided on a network diagram can vary depending on what is
being illustrated—for example, the network layer, cross connections, etc. It is important that the IS auditor
does not immediately assume that everything on the network diagram provides information about the risks
affecting a network/system. There is a process in place for documenting and updating the network diagram.
In this case, there is simply a mismatch in timing between the completion of the approval process and when
the IS audit began. There is no control deficiency to be reported. Planning for follow-up audits of the
undocumented devices is contingent on the risks that the undocumented devices have on the ability of the
entity to meet the audit scope.

4. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate.

The Correct Answer : B

In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will
determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls
required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of
auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment
to be audited. A gap analysis would normally be done to compare the actual state to an expected or
desirable state.

5. In a risk-based audit approach, the IS auditor must consider the inherent risk as well as considering:
A. how to eliminate the risk through the application of controls.
B. the balance of loss potential vs. the cost to implement controls.
C. whether the risk is material, regardless of management's tolerance for risk.
D. whether the residual risk is higher than the insurance coverage purchased.

The Correct Answer : B

Determining the correct balance between the loss potential and the cost to implement controls is a very
important part of an effective risk mitigation strategy. The best internal control is one where the benefit of
implementing the control at least matches the cost. Eliminating risk is very difficult to achieve and often
impossible to attain. Hence, the IS auditor should not recommend that risk be eliminated since this is not
likely to be cost-effective for the organization. Whether the risk is material is not the correct answer since
the risk tolerance of management determines what is material. Insurance coverage is not necessarily the
only control to consider for mitigating residual risk.

6. The PRIMARY objective of a control self-assessment (CSA) or control self-assurance program is to:
A. simplify the control monitoring process for the enterprise.
B. replace some internal audit responsibilities.
C. remove responsibility of controls from line managers.
D. shift some of the control monitoring responsibilities to functional areas.

The Correct Answer : D

The primary objective of CSA programs is to leverage the internal audit function by shifting some of the
control monitoring responsibilities to the functional areas. Involvement of management and staff in the
assessment of internal control within their workgroups is critical. The CSA process would not necessarily
simplify the control monitoring process for the enterprise because it would involve additional groups in
performing the self-evaluation. CSA programs are not intended to replace internal audit responsibilities, but
to enhance them. Clients, such as line managers, are responsible for controls in their environment; they
should also be responsible for maintaining the controls. CSA programs do not remove the responsibility for
controls, but educate management about controls design and monitoring responsibilities.

7. Which of the following is the BEST factor for determining the extent of data collection during the planning
phase of an IS compliance audit?
A. Complexity of the organization's operation
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. Auditor's familiarity with the organization

The Correct Answer : C

The extent to which data will be collected during an IS audit should be related directly to the purpose,
objective and scope of the audit. An audit with a narrow purpose and limited objective and scope would
most likely result in less data collection than an audit with a wider purpose and scope. Complexity of the
organization's operation, prior issues and an auditor's familiarity with the organization would be factors in
the planning of an audit, but would not directly affect the determination of how much data to collect.

8. The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large number of
transactions.
D. does not depend on the complexity of an organization's computer systems.

The Correct Answer : C

The use of continuous auditing techniques can improve system security when used in time-sharing
environments that process a large number of transactions but leave a scarce paper trail. Choice A is incorrect
since the continuous audit approach often does require an IS auditor to collect evidence on system reliability
while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up
only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit
techniques depends on the complexity of an organization's computer systems.

9. A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that
it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.

The Correct Answer : A

CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough
review at a later date. Choice B is incorrect, because CSA requires the involvement of IS auditors and line
management. What occurs is that the internal audit function shifts some of the control monitoring
responsibilities to the functional areas. Choice C is incorrect because CSA is not a replacement for traditional
audits. CSA is not intended to replace audit's responsibilities, but to enhance them. Choice D is incorrect,
because CSA does not allow management to relinquish its responsibility for control.

10. Which of the following auditing techniques would be the MOST appropriate for a retail business with a large
volume of transactions to address emerging risk proactively?
A. Use of generalized audit software (GAS)
B. Control self-assessment
C. Sampling of transaction logs
D. Continuous auditing

The Correct Answer : D

The implementation of continuous auditing enables a real-time feed of information to management through
automated reporting processes to achieve quicker implementation of corrective actions by management.
Using software tools such as GAS to analyze transaction data can provide detailed analysis of trends and
potential risk, but it is not as effective as continuous auditing, because there may be a time differential
between executing the software and analyzing the results. Control self-assessment helps process owners
assess the control environment and educates them on control design and monitoring. The sampling of
transaction logs is a valid audit technique; however, risk may exist that is not captured in the transaction log
and there may be a potential time lag in the analysis.

11. An IS auditor is assigned to perform a post implementation review of an application system. Which of the
following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific functionality during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational
responsibilities.
D. provided consulting advice concerning application system best practices.

The Correct Answer : A

Independence may be impaired if an IS auditor is, or has been, actively involved in the development,
acquisition and implementation of the application system. Choices B and C are situations that do not impair
an IS auditor's independence. Choice D is incorrect because an IS auditor's independence is not impaired by
providing advice on known best practices.

12. An IS auditor performing a review of an application's controls would evaluate the:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D. application's optimization.

The Correct Answer : B

An application control review involves the evaluation of the application's automated controls and an
assessment of any exposures resulting from the control weaknesses. The other choices may be objectives of
an application audit but are not part of an audit restricted to a review of controls.

13. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent
B. Detection
C. Control
D. Business

The Correct Answer : B

Detection risks are directly affected by the IS auditor's selection of audit procedures and techniques.
Inherent risks are not usually affected by an IS auditor. Control risks can be mitigated by the actions of the
company's management. Business risks are not usually affected by an IS auditor.

14. An IS auditor is conducting a compliance test to determine whether controls support management policies
and procedures. The test will assist an IS auditor in:
A. obtaining an understanding of the control objective.
B. having assurance that the control is operating as designed.
C. determining the integrity of data controls.
D. determining the reasonableness of financial reporting controls.

The Correct Answer : B

Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the
objective of a compliance test is important. IS auditors want reasonable assurance that the controls they are
relying on are effective. Understanding the control objectives is key, but it is not the reason for conducting a
compliance test. Substantive tests, not compliance tests, are associated with data integrity and financial
reporting.

15. An IS auditor is reviewing a software application that is built on the principles of service oriented architecture
(SOA). What is the BEST first step?
A. Understanding services and their allocation to business processes by reviewing the service repository
documentation.
B. Sampling the use of service security standards as represented by the Security Assertions Markup
Language (SAML)
C. Reviewing the service level agreements (SLAs)
D. Auditing any single service and its dependencies with others.

The Correct Answer : A

An SOA relies on the principles of a distributed environment in which services encapsulate business logic as a
black box and might be deliberately combined to depict real-world business
processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of
business processes to services. Choices B and C are not correct because sampling the use of service security
standards as represented by the SAML and reviewing the SLAs are essential follow-up steps to understanding
services and their allocation to business, but are not first steps. Choice D is not correct because auditing any
single service and its dependencies with others would be very time consuming and is not the standard way to
start an SOA audit.

16. When selecting audit procedures, an IS auditor should use professional judgment to ensure that:
A. sufficient evidence will be collected.
B. all significant deficiencies identified will be corrected within a reasonable period.
C. all material weaknesses will be identified.
D. audit costs will be kept at a minimum level.

The Correct Answer : A

Procedures are processes an IS auditor may follow in an audit engagement. In determining the
appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the
specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of
conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions
are not appropriate and the IS auditor's past experience plays a key role in making a judgment. The IS auditor
should use judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide
information on how to meet the standards when performing IS audit work. Identifying material weaknesses
is the result of appropriate competence, experience and thoroughness in planning and executing the audit
and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the
audit. Audit procedures and use of professional judgment cannot ensure that all deficiencies/weaknesses will
be identified and corrected. Professional judgment.

17. The PRIMARY reason an IS auditor performs a functional walkthrough during the preliminary phase of an
audit assignment is to:
A. understand the business process.
B. comply with auditing standards.
C. identify control weakness.
D. plan substantive testing.

The Correct Answer : A

Understanding the business process is the first step an IS auditor needs to perform. ISACA IT audit and
assurance standards encourage adoption of the audit procedures/processes required to assist the IS auditor
in performing IS audits more effectively. However, standards do not require an IS auditor to perform a
process walk-through at the commencement of an audit engagement. Identifying control weaknesses is not
the primary reason for the walk-through and typically occurs at a later stage in the audit. Planning for
substantive testing is performed at a later stage in the audit.

18. When assessing the design of network monitoring controls, an IS auditor should FIRST review network:
A. topology diagrams.
B. bandwidth usage.
C. traffic analysis reports.
D. bottleneck locations.

The Correct Answer : A

The first step in assessing network monitoring controls should be the review of the adequacy of network
documentation, specifically topology diagrams. If this information is not up to date then monitoring
processes and the ability to diagnose problems will not be effective.

18. During the collection of forensic evidence, which of the following actions would MOST likely result in the
destruction or corruption of evidence on a compromised system?
A. Dumping the memory content to a file
B. Generating disk images of the compromised system
C. Rebooting the system
D. Removing the system from the network

The Correct Answer : C

Rebooting the system may result in a change in the system state and the loss of files and important evidence
stored in memory. The other choices are appropriate actions for preserving evidence.

19. When auditing the provisioning procedures of the identity management (IDM) system of a large organization,
an IS auditor immediately finds a small number of access requests that had not been authorized by managers
through the normal predefined workflow steps and escalation rules. The IS auditor should:
A. perform an additional analysis.
B. report the problem to the audit committee.
C. conduct a security risk assessment.
D. recommend that the owner of the IDM system fix the workflow issues.

The Correct Answer : A

The IS auditor needs to perform substantive testing and an additional analysis in order to determine why the
approval and workflow processes are not working as intended. Before making any recommendation, the IS
auditor should gain a good understanding of the scope of the problem and what factors caused this incident.
The IS auditor should identify whether the issue was caused by managers not following procedures, by a
problem with the workflow of the automated system or a combination of the two. The other options are not
correct because the IS auditor does not have enough information to report the problem, conduct a risk
assessment or recommend fixing the workflow issues.
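The answer says the auditor must first scope the problem and determine whether managers skipped the procedure, the workflow itself failed, or both. As an added example (not part of the review document), the Python script below performs that additional analysis over constructed IDM data: it reconciles each provisioned grant against the workflow's recorded approval steps and attributes every unauthorized grant to a probable cause, so the counts per category can feed the finding. The record layouts, field names and all data are assumptions made for this example.

```python
# Added example (not from the review document): a substantive test over
# identity-management provisioning records that scopes unauthorized access
# grants and attributes each to a probable cause (manager not following the
# approval procedure versus the workflow bypassing or auto-approving).
# Record layouts and all data are constructed.
from collections import Counter

# Constructed: access grants actually provisioned by the IDM system
GRANTS = [
    {"req": "R-1001", "user": "u.adams", "role": "AP_CLERK", "manager": "m.baker"},
    {"req": "R-1002", "user": "u.cole",  "role": "AP_CLERK", "manager": "m.baker"},
    {"req": "R-1003", "user": "u.diaz",  "role": "GL_POST",  "manager": "m.evans"},
    {"req": "R-1004", "user": "u.fox",   "role": "GL_POST",  "manager": "m.evans"},
    {"req": "R-1005", "user": "u.gray",  "role": "AP_ADMIN", "manager": "m.baker"},
]

# Constructed: approval steps recorded by the workflow engine
APPROVALS = [
    {"req": "R-1001", "approver": "m.baker", "step": "manager"},
    {"req": "R-1002", "approver": "u.hill",  "step": "manager"},  # not the assigned manager
    {"req": "R-1004", "approver": "svc-idm", "step": "auto"},     # rule-based auto-approval
    {"req": "R-1005", "approver": "u.gray",  "step": "manager"},  # requester approved own request
]
# R-1003 was provisioned with no approval record at all.

WORKFLOW_CAUSES = {
    "no approval recorded: workflow bypassed",
    "auto-approved by workflow rule, no manager decision",
}


def classify_grants(grants, approvals):
    """Return {req: category} for every provisioned grant."""
    steps_by_req = {}
    for a in approvals:
        steps_by_req.setdefault(a["req"], []).append(a)
    result = {}
    for g in grants:
        steps = steps_by_req.get(g["req"], [])
        if any(s["step"] == "manager" and s["approver"] == g["manager"] for s in steps):
            result[g["req"]] = "authorized"
        elif not steps:
            result[g["req"]] = "no approval recorded: workflow bypassed"
        elif any(s["step"] == "auto" for s in steps):
            result[g["req"]] = "auto-approved by workflow rule, no manager decision"
        elif any(s["step"] == "manager" and s["approver"] == g["user"] for s in steps):
            result[g["req"]] = "self-approved: procedure not followed"
        else:
            result[g["req"]] = "approved by someone other than the assigned manager"
    return result


def summarize(classification):
    """Count grants per category; the counts define the scope of the finding."""
    return dict(Counter(classification.values()))


def root_cause_split(classification):
    """Split unauthorized grants into workflow defects versus people not
    following the procedure, which is the distinction the auditor needs
    before recommending anything."""
    workflow = sum(1 for c in classification.values() if c in WORKFLOW_CAUSES)
    people = sum(1 for c in classification.values()
                 if c != "authorized" and c not in WORKFLOW_CAUSES)
    return {"workflow_defect": workflow, "procedure_not_followed": people}


if __name__ == "__main__":
    cls = classify_grants(GRANTS, APPROVALS)
    for req, cat in sorted(cls.items()):
        print(req, "->", cat)
    print(summarize(cls))
    print(root_cause_split(cls))
```

On the constructed data the five grants split into one authorized, two workflow-side causes (no record at all, automatic rule) and two people-side causes (self-approval, approval by an unassigned person), which is exactly the information the answer says is missing before a recommendation can be made.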

20. Management instructs a junior IS auditor to prepare and deliver a final report using his/her best judgment
since no senior IS auditor is available to review the work papers. What is the PRIMARY risk of this situation?
A. The loss of reputation because the audit was not performed according to standards
B. The audit report fails to identify and classify critical risks
C. Client management will challenge the findings
D. The audit report may not be approved by audit management.

The Correct Answer : A

ISACA IT Audit and Assurance Standard S6 (Performance of Audit Work), Substandard 03 (Supervision), states
that "IS audit staff should be supervised to provide reasonable assurance that audit objectives are
accomplished and applicable professional auditing standards are met." If one IS auditor completes the entire
audit, including the report, with no review or supervision, then the standard for supervision has not been
met. Violation of audit standards could cause the audit group to lose credibility and even to be at risk of legal
liability as well as to risk loss of accreditation or licensure. If the IS auditor's work is not reviewed, then the
report may fail to identify and classify critical risks that a more experienced IS auditor may have identified
during his/her review. However, this risk is secondary to the risk of losing reputation, credibility and
accreditation/licensure. If the junior IS auditor were to misclassify some risks, client management would be
likely to challenge the findings of the audit that management deems to be insignificant risks. However, this
risk is secondary to the violation risk of not following the standards. Audit management, after its review, may
uncover issues in the report which may lead to a revision of the report prior to management approval. While
this is a valid risk, it is not the primary risk in this scenario.

21. An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts
were appropriately authorized. This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.

The Correct Answer : C

Compliance testing determines whether controls are being applied in compliance with policy. This includes
tests to determine whether new accounts were appropriately authorized. Variable sampling is used to
estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual
processing, such as balances on financial statements. The development of substantive tests is often
dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal
controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as
possible and is not appropriate for checking whether procedures have been followed.

22. During a security audit of IT processes, an IS auditor found that there were no documented security
procedures. The IS auditor should:
A. create the procedures document.
B. terminate the audit.
C. conduct compliance testing.
D. identify and evaluate existing practices.

The Correct Answer : D

One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach
would be to identify and evaluate the existing security practices being followed by the organization. IS
auditors should not prepare documentation, as doing so could jeopardize their independence. Terminating
the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since
there are no documented procedures, there is no basis against which to test compliance.

23. Which of the following sampling methods would be the MOST effective to determine whether purchase
orders issued to vendors have been authorized as per the authorization matrix?
A. Variable sampling.
B. Stratified mean per unit.
C. Attribute sampling.
D. Unstratified mean per unit.

The Correct Answer : C

Attribute sampling is the method used for compliance testing. In this scenario, the operation of control is
being evaluated, and therefore attribute sampling should be used to determine whether the purchase orders
have been approved. Variable sampling is the method used for substantive testing, which involves testing
transactions for quantitative aspects such as monetary values. Stratified mean per unit and unstratified mean
per unit are used in variable sampling.
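Questions 21 and 23 both turn on the same point: compliance testing of an authorization control uses attribute sampling, which estimates a rate of deviation rather than a monetary value. As an added example (not part of the review document), the Python below carries the purchase-order scenario through: it computes the sample size for a given tolerable deviation rate and confidence from the exact binomial distribution, draws the sample from a constructed PO population, counts deviations against a constructed authorization matrix, and concludes whether the control can be relied on. The authorization matrix, population, confidence level and tolerable rate are assumptions made for this example; the sample-size arithmetic is the standard one-sided binomial bound and matches the commonly tabulated value of 59 items for a 5% tolerable rate, zero expected deviations and 95% confidence.

```python
# Added example (not from the review document): attribute sampling for a
# compliance test of purchase-order authorization. The authorization matrix,
# the population and the confidence/tolerable-rate parameters are constructed.
from math import comb
import random

# Constructed authorization matrix: highest PO amount each role may approve
AUTH_MATRIX = {"buyer": 1_000, "supervisor": 10_000, "manager": 100_000}


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n, k, confidence=0.95, tol=1e-7):
    """One-sided upper bound on the population deviation rate: the smallest
    rate p at which seeing k or fewer deviations in n items has probability
    no greater than 1 - confidence. Found by bisection on p."""
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > alpha:
            lo = mid  # k deviations are still plausible at this rate
        else:
            hi = mid
    return hi


def attribute_sample_size(tolerable_rate, expected_deviations=0, confidence=0.95, max_n=5000):
    """Smallest sample whose upper deviation limit, if exactly the expected
    number of deviations turns up, stays within the tolerable rate."""
    for n in range(expected_deviations + 1, max_n + 1):
        if upper_deviation_limit(n, expected_deviations, confidence) <= tolerable_rate:
            return n
    raise ValueError("tolerable rate not reachable within max_n")


def po_is_deviation(po):
    """A deviation is a PO approved by a role not permitted for its amount."""
    return po["amount"] > AUTH_MATRIX.get(po["approver_role"], 0)


def make_population(size, bad=0, seed=1):
    """Constructed PO population; the first `bad` items are approved below
    the level the matrix requires."""
    rng = random.Random(seed)
    pos = []
    for i in range(size):
        amount = rng.choice([500, 5_000, 50_000])
        role = {500: "buyer", 5_000: "supervisor", 50_000: "manager"}[amount]
        pos.append({"po": f"PO-{i:04d}", "amount": amount, "approver_role": role})
    for po in pos[:bad]:
        po["amount"], po["approver_role"] = 50_000, "buyer"
    return pos


def evaluate_control(population, tolerable_rate=0.05, confidence=0.95, seed=7):
    """Draw the attribute sample, count deviations and conclude on the control."""
    n = attribute_sample_size(tolerable_rate, 0, confidence)
    rng = random.Random(seed)
    sample = rng.sample(population, n)
    k = sum(1 for po in sample if po_is_deviation(po))
    udl = upper_deviation_limit(n, k, confidence)
    return {
        "sample_size": n,
        "deviations": k,
        "upper_deviation_limit": round(udl, 4),
        "control_operating": udl <= tolerable_rate,
    }


if __name__ == "__main__":
    print(evaluate_control(make_population(500)))
    print(evaluate_control(make_population(500, bad=150)))
```

Note what the result contains: a count of deviations and a bound on the deviation rate, and nothing about monetary amounts. Estimating how much money the unauthorized POs represent would be a substantive test, which is where variable sampling (including the stratified and unstratified mean-per-unit methods) belongs.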

24. Which of the following would normally be the MOST reliable evidence for an IS auditor?
A. A confirmation letter received from a third party verifying an account balance.
B. Assurance from line management that an application is working as designed.
C. Trend data obtained from World Wide Web (Internet) sources.
D. Ratio analysis developed by the IS auditor from reports supplied by line management.

The Correct Answer : A

Evidence obtained from independent third parties almost always is considered to be the most reliable.
Choices B, C and D would not be considered as reliable.

25. The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:
A. comply with regulatory requirements.
B. provide a basis for drawing reasonable conclusions.
C. ensure complete audit coverage.
D. perform the audit according to the defined scope.

The Correct Answer : B

The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to
the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only
identifying control weaknesses but also documenting and validating them. Complying with regulatory
requirements, ensuring coverage and the execution of audit are all relevant to an audit but are not the
reason why sufficient and relevant evidence is required.

26. During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor
should:
A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of the finding and the risks of not correcting it.
C. report the disagreement to the audit committee for resolution.
D. accept the auditee's position since they are the process owners.

The Correct Answer : B

If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify
the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal
should be to enlighten the auditee or uncover new information of which an IS auditor may not have been
aware. Anything that appears to threaten the auditee will lessen effective communications and set up an
adversarial relationship. By the same token, an IS auditor should not automatically agree just because the
auditee expresses an alternate point of view.

27. Which of the following BEST describes the objective of an IS auditor discussing the audit findings with the
auditee?
A. Communicate results of the audit to senior management.
B. Develop time lines for the implementation of suggested recommendations.
C. Confirm the findings, and develop a course of corrective action.
D. Identify compensating controls to the identified risks.

The Correct Answer : C

Before communicating the results of an audit to senior management, the IS auditor should discuss the
findings with the auditee. The goal of such a discussion is to confirm the accuracy of the findings and to
develop a course of corrective action. Based on this discussion, the IS auditor will finalize the report and
present the report to relevant levels of senior management.
Based on discussions with senior management and the audit committee, the IS auditor may agree to develop an
implementation plan for the suggested recommendations, along with the time lines. At the draft report
stage, discussion with the auditee would seldom be used to identify compensating controls.

28. When preparing an audit report the IS auditor should ensure that the results are supported by:
A. statements from IS management.
B. work papers of other auditors.
C. an organizational control self-assessment.
D. sufficient and appropriate audit evidence.

The Correct Answer : D

ISACA's IT audit and assurance standard on reporting requires that the IS auditor have sufficient and
appropriate audit evidence to support the reported results. Statements from IS management provide a basis
for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be
based on evidence collected during the course of the review even though the IS auditor may have access to
the work papers of other auditors. The results of an organizational control self-assessment (GSA) could
supplement the audit findings. Choices A, B and C may be referenced during an audit but, of themselves,
would not be considered a sufficient basis for issuing a report.

29. An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain
unauthorized software. Which of the following actions should the IS auditor take?
A. Delete all copies of the unauthorized software.
B. Inform the auditee of the unauthorized software, and follow up to confirm deletion.
C. Report the use of the unauthorized software and the need to prevent recurrence to auditee
management.
D. Warn the end users about the risk of using illegal software.

The Correct Answer : C

The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results
in inherent exposure and can result in severe fines. An IS auditor must convince the user and user
management of the risk and the need to eliminate the risk. An IS auditor should not assume the role of the
enforcing officer and take on any personal involvement in removing or deleting the unauthorized software.

30. Corrective action has been taken by an auditee immediately after the identification of a reportable finding.
The auditor should:
A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all
findings.
B. not include the finding in the final report, because the audit report should include only unresolved
findings.
C. not include the finding in the final report, because corrective action can be verified by the IS auditor
during the audit.
D. include the finding in the closing meeting for discussion purposes only.

The Correct Answer : A

Including the finding in the final report is a generally accepted audit practice. If an action is taken after the
audit started and before it ended, the audit report should identify the finding and describe the corrective
action taken. An audit report should reflect the situation as it existed at the start of the audit. All corrective
actions taken by the auditee should be reported in writing.

31. During a review of an outsourced network operations center (NOC), an IS auditor concludes that procedures
to monitor remote network administration activities by the outsourced agency are inadequate. During the
management discussion, the chief information officer (CIO) justifies this issue as a help desk activity, covered
by help desk procedures, and points out that intrusion detection system (IDS) logs are activated and firewall
rules are monitored. What is the BEST course of action for the IS auditor to take?
A. Revise the finding in the audit report per the CIO's feedback.
B. Retract the finding because the IDS log is activated.
C. Retract the finding because the firewall rules are monitored.
D. Document the identified finding in the audit report.

The Correct Answer : D

IS auditor independence would dictate that the additional information provided by the auditee will be taken
into consideration. Normally an IS auditor would not automatically retract or revise the finding.

32. Which of the following should be the FIRST action of an IS auditor during a dispute with a department
manager over audit findings?
A. Retest the control to validate the finding.
B. Engage a third party to validate the finding.
C. Include the finding in the report with the department manager's comments.
D. Revalidate the supporting evidence for the finding.

The Correct Answer : D

Conclusions drawn by an IS auditor should be adequately supported by evidence, and any compensating
controls or corrections pointed out by a department manager should be taken into consideration. Therefore,
the first step would be to revalidate the evidence for the finding. Retesting the control would normally occur
after the evidence has been revalidated. While there are cases where a third party may be needed to
perform specialized audit procedures, an IS auditor should first revalidate the supporting evidence to
determine whether there is a need to engage a third party. If, after revalidating and retesting, there are
unsettled disagreements, those issues should be included in the report.

33. The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:
A. confirm that the auditors did not overlook any important issues.
B. gain agreement on the findings.
C. receive feedback on the adequacy of the audit procedures.
D. test the structure of the final presentation.

The Correct Answer : B

The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the
findings. The other choices, though related to the formal closure of an audit, are of secondary importance.

34. Sharing risk is a key factor in which of the following methods of managing risk?
A. Transferring risk
B. Tolerating risk
C. Terminating risk
D. Treating risk

The Correct Answer : A

Transferring risk (e.g., by taking an insurance policy) is a way to share risk. Tolerating risk means that the risk
is accepted, but not shared. Terminating risk is unlikely to involve sharing the risk because some risk will
remain. Treating or controlling the risk may involve sharing the risk, but it is not a key feature.

35. In evaluating programmed controls over password management, which of the following is the IS auditor
MOST likely to rely on?
A. A size check
B. A hash total
C. A validity check
D. A field check

The Correct Answer : C

A validity check would be the most useful for the verification of passwords because it would verify that the
required format has been used—for example, not using a dictionary word, including non-alpha characters,
etc. An effective password must have several different types of characters: alpha, numeric and special. The
implementation of a field check would eliminate this important requirement and would be the least useful
control for passwords. Passwords can, and should, be the same length. A size check is useful because
passwords should have a minimum length, but it is not as strong a control as a validity check. Passwords are not
typically entered in a batch mode, so a hash total would not be effective. More importantly, a system should
not accept incorrect values of a password, so a hash total as a control will not find any errors or omissions.
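As an added illustration of the four programmed controls named in question 35 (this is example code written for this review, not material from ISACA or the course), the following Python applies a size check, a field check, a hash total and a validity check to constructed sample passwords. The word list, the 12-character minimum and the sample passwords are assumptions for the demonstration; the point it makes is that only the validity check rejects a dictionary word padded to the required length, while the field check would reject the strong mixed-character password and the hash total says nothing about any single password.

```python
"""Added illustration for question 35: the programmed controls named in the
answer (size check, field check, hash total, validity check) applied to
password management. Sample passwords, the word list and the minimum length
are constructed assumptions, not values from the review material."""
import re
import string
from typing import Dict, List

# Constructed stand-in for a real dictionary word list (assumption).
DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein"}
MIN_LENGTH = 12  # assumed policy minimum, not a value from the page


def size_check(password: str, min_length: int = MIN_LENGTH) -> bool:
    """Size check: passes on character count alone, regardless of content."""
    return len(password) >= min_length


def field_check(password: str) -> bool:
    """Field check: confirms a field contains one expected data type.
    Applied to passwords it is the least useful control, because a password
    that mixes alpha, numeric and special characters fails it."""
    return password.isalpha()


def hash_total(passwords: List[str]) -> int:
    """Hash total: a batch control that sums a numeric attribute over all
    records to detect records lost or altered between processing steps.
    It cannot judge whether any individual password is acceptable."""
    return sum(sum(ord(ch) for ch in pw) for pw in passwords)


def validity_check(password: str,
                   dictionary=DICTIONARY_WORDS,
                   min_length: int = MIN_LENGTH) -> List[str]:
    """Validity check: verifies the required password format and returns the
    list of rules violated (an empty list means the password is acceptable)."""
    failures = []
    if len(password) < min_length:
        failures.append("too short")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        failures.append("no numeric character")
    if not any(ch in string.punctuation for ch in password):
        failures.append("no special character")
    # Compare only the letters against the word list, so a dictionary word
    # padded with a digit and a symbol (e.g. Password1!) is still rejected.
    letters = re.sub(r"[^A-Za-z]", "", password).lower()
    if letters in dictionary:
        failures.append("dictionary word")
    return failures


def compare_controls(passwords: List[str]) -> Dict[str, Dict[str, object]]:
    """Run the per-password controls side by side to show which weak
    passwords each control lets through."""
    return {
        pw: {
            "size": size_check(pw),
            "field": field_check(pw),
            "validity": validity_check(pw),
        }
        for pw in passwords
    }


if __name__ == "__main__":
    # Constructed samples: a padded dictionary word, a repeated dictionary
    # word that satisfies the size check, and a password meeting the format.
    samples = ["Password1!", "welcomewelcome", "Tr0ub4dor&3xYz"]
    for pw, result in compare_controls(samples).items():
        verdict = "OK" if not result["validity"] else result["validity"]
        print(f"{pw:16} size={result['size']!s:5} "
              f"field={result['field']!s:5} validity={verdict}")
    print("batch hash total:", hash_total(samples))
```

Running the block shows `welcomewelcome` passing both the size check and the field check while the validity check flags the missing numeric and special characters, which is the distinction the answer draws. The dictionary comparison deliberately strips digits and punctuation before the lookup; without that step the common pattern of a word plus a trailing digit and symbol would slip past the check.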

36. While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This
could compromise the:
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to the work papers.
D. confidentiality of the work papers.

The Correct Answer : D

Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and
access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for
requiring encryption.

37. In an audit of an inventory application, which approach would provide the BEST evidence that purchase
orders are valid?
A. Testing whether inappropriate personnel can change application parameters
B. Tracing purchase orders to a computer listing
C. Comparing receiving reports to purchase order details
D. Reviewing the application documentation

The Correct Answer : A

To determine purchase order validity, testing access controls will provide the best evidence. Choices B and C
are based on after-the-fact approaches, while choice D does not serve the purpose because what is in the
system documentation may not be the same as what is happening.

38. After reviewing the disaster recovery plan (DRP) of an organization, an IS auditor requests a meeting with
company management to discuss the findings. Which of the following BEST describes the main goal of this
meeting?
A. Obtaining management approval of the corrective actions
B. Confirming factual accuracy of the findings
C. Assisting management in the implementation of corrective actions
D. Clarifying the scope and limitations of the audit

The Correct Answer : B

The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity
for management to agree on corrective action. Management approval of the corrective actions is not
required since this is not the role of the auditor. Implementation of corrective actions should be done after
the factual accuracy of findings has been established, but the work of implementing corrective action is not
typically assigned to the IS auditor since this would impair the auditor's independence. Clarifying the scope
and limitations of the audit should be done during the entrance meeting, not during the exit meeting.

39. An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter
network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed
to exercise:
A. professional independence.
B. organizational independence.
C. technical competence.
D. professional competence.

The Correct Answer : A

When an IS auditor recommends a specific vendor, that compromises the auditor's professional
independence. Organizational independence has no relevance to the content of an audit report and should
be considered at the time of accepting the engagement. Technical and professional competence is not
relevant to the requirement of independence.

40. While performing an audit of an accounting application's internal data integrity controls, an IS auditor
identifies a major control deficiency in the change management software that supports the accounting
application. The MOST appropriate action for the IS auditor to take is to:
A. continue to test the accounting application controls, verbally inform the IT manager about the change
management software control deficiency and offer consultation on possible solutions.
B. complete the application controls audit, but not report the control deficiency in the change management
software because it is not part of the audit scope.
C. continue to test the accounting application controls and include mention of the change management
software control deficiency in the final report.
D. cease all audit activity until the control deficiency in the change management software is resolved.

The Correct Answer : C

It is the responsibility of the IS auditor to report on findings that could have a material impact on the
effectiveness of controls—whether or not they are within the scope of the audit. The IS auditor should not
assume that the IT manager will follow through on resolving the change management control deficiency, and
it is inappropriate to offer consulting services on issues discovered during an audit. While not technically
within the audit scope, it is the responsibility of the IS auditor to report findings discovered during an audit
that could have a material impact on the effectiveness of controls. It is not the role of the IS auditor to
demand that IT work be completed before performing or completing an audit.
