Cisa Review Manual 2016 Pdf Files Full Pdf

Transcription


DOMAIN 1—THE PROCESS OF AUDITING INFORMATION SYSTEMS A1-42 Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix? IS management resource allocation C. Assurance from line management that an application is working as designed C. Preparation of the IS audit report according to a predefined and standard template may be useful in ensuring that all key aspects are provided in a uniform structure, but this does not demonstrate that audit findings are based on evidence that can be proven, if required. Stratified mean per unit C. In developing a risk-based audit strategy, it is critical that the risk and vulnerabilities be understood. An IS auditor would defer to management to decide how to respond to the findings presented. Embedding a module for continuous auditing within an application processing a large number of transactions provides timely collection of audit evidence during processing and is the primary objective. A1-12 Which of the following is the MOST critical step when planning an IS audit? Only after determining which controls and related relevant information assets are to be validated can the IS auditor decide on the key IS audit resources (with the relevant skill sets) that should be deployed for the audit. The audit must be based on sufficient evidence of the monitoring of controls and not unduly influenced by the auditor’s familiarity with the organization. A is the correct answer. A1-32 When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following? A. To reduce requirements for periodic internal audits C.
The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. The item should be confirmed through additional testing before it is reported to management. The numbers of questions, answers and explanations provided in the five domain chapters in this publication provide the CISA candidate with the maximum number of study questions. D is the correct answer. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Unstratified mean per unit C is the correct answer. One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management with recommendations to document the current controls or enforce the documented procedures. Inherent risk is the risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error. The third step is to test the access paths—to determine if the controls are functioning. A sample of a system-generated report with evidence that the reviewer followed up on the exception represents the best possible evidence of the effective operation of the control because there is documented evidence that the reviewer has reviewed and taken actions based on the exception report. Preventive C. organizational independence. This involves identifying control weaknesses relevant to the scope of the audit. Generalized audit software (GAS) B. What should the IS auditor do FIRST? A1-108 Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit? What should the IS auditor do next?
The audit department should report to the audit committee and the audit charter should be approved by the committee. Recreating program logic may lead to errors, and monthly totals are not accurate enough to ensure correct computations. The IS auditor does not collect evidence in the planning stage of an audit. The observations are good evidence to understand the internal control structure; however, observations are not efficient for a large number of users. UPDATE 10-1-15 I updated this post with new screenshots and instructions. Informing the users of risk is not the primary responsibility of the IS auditor. Difference estimation sampling A is the correct answer. Management is always responsible and liable for risk, but the role of the IS auditor is to inform management of the findings and associated risk discovered in an audit. Procedures are part of the IS audit plan and processes are determined by audit management. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Encryption provides confidentiality for the electronic work papers. To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. professional competence. The fact that the employee has worked in IT for many years may not, in itself, ensure credibility. Review information security policies and procedures. This will not detect changes made since the acquisition of the copy of the software. A1-131 Which of the following choices BEST ensures the effectiveness of controls related to interest calculation inside an accounting system? Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidence.
Prior findings and issues are factors in the planning of an audit, but do not directly affect the determination of how much data to collect. A1-142 The success of control self-assessment (CSA) depends highly on: A. They are not actual questions from the exam. The impact of an attack against a weakness should be identified so that controls can be evaluated to determine if they effectively mitigate the weaknesses. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. 20 CISA Review Questions, Answers & Explanations Manual 11th Edition ISACA. The audit report will contain the finding from the IS auditor and the response from management. Inherent risk is not usually affected by an IS auditor. The IS auditor should FIRST: A. Evaluating the code created by the application developer is not the appropriate response in this case. schedule the audits and monitor the time spent on each audit. continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions. Provide future estimates of the licensing expenses to the project team. An oral statement from the auditee A B. A gap analysis would normally be done to compare the actual state to an expected or desirable state. A1-45 Corrective action has been taken by an auditee immediately after the identification of a reportable finding. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and what factors caused this incident. Usefulness B. Identify the critical controls. Data flow diagrams are used as aids to graph or chart data flow and storage. Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit and not of professional judgment.
Also, the question pertains to the development process for new application systems, and not to subsequent internal audits. Report the incident to management. It does not help determine whether the control is operating effectively. A1-52 What is the BEST course of action for an IS auditor to take when an outsourced monitoring process for remote access is inadequate and management disagrees because management stated that intrusion detection system (IDS) and firewall controls are in place? Review the classifications of data held on the server. Part of the audit report is to explain the reasoning behind the findings. It should be noted that the CISA Review Questions, Answers & Explanations Manual 11th Edition has been developed to assist CISA candidates in studying and preparing for the CISA exam. recreating program logic using generalized audit software to calculate monthly totals. accurately capture data from the organization’s systems without causing excessive performance problems. Changing the scope of an audit to include the secondary project is not required, although a follow-up audit may be desired. Assisting management in the implementation of corrective actions D. All corrective actions taken by the auditee should be reported in writing. Sampling risk is the risk of a sample not being representative of the population. This is the most effective basis for evaluation of the design of the control as it actually exists. discovery sampling. Recommend compensating controls. Reducing the scope and focusing on auditing high-risk areas is the best course of action. recommend that the owner of the identity management (IDM) system fix the workflow issues. The IS auditor should formally report the weaknesses as an observation rather than documenting it to address during a future audit. Development of a risk assessment D is the correct answer. An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP.
Development of an audit program B. A business relies on being able to make changes when necessary, and security patches must often be deployed promptly. the reasonableness of financial reporting controls. Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets as well as recommendations for addressing the risk. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. lower confidence coefficient, resulting in a larger sample size. A lower confidence coefficient will result in the use of a smaller sample size. Evidence provided that is not system-generated information could be modified before it is presented to an IS auditor, and therefore it may not be as reliable as evidence obtained by the IS auditor. Understanding services and their allocation to business processes by reviewing the service repository documentation. A1-127 A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions more than a certain amount. Review of log servers is a detective control in most circumstances. Understanding the business process is the first step an IS auditor needs to perform. The audit committee is a subgroup of the board of directors. A1-7 What is the PRIMARY requirement that a data mining and auditing software tool should meet? Although interviewing management can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control. Recommend an automated process to monitor for compliance with software licensing. report the issue to IT management.
Finally, the candidate may also want to utilize the CISA Online Review course (www.isaca.org/elearning) for exam preparation. During testing, the IS auditor did not find that access cards were missing. Computer-assisted audit techniques (CAATs) would enable the IS auditor to review the entire invoice file to look for those items that meet the selection criteria. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions, when they are detected. Complete the audit of the systems covered by the existing DRP. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself. investigating various communication channels. The results of a test performed by an external IS auditor C. However, the organization has started a separate project to develop a future-state representation. The stem may be in the form of a question or incomplete statement. Report the absence of documented approval. Control testing is the same as compliance testing. Industry good practices help plan an audit; however, good practices are not mandatory and can be deviated from to meet organization objectives. A job practice study is conducted at least every five years to ensure that the CISA certification is current and relevant. Unstratified mean per unit is used in variable sampling. A1-65 When preparing an audit report the IS auditor should ensure that the results are supported by: A. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. Policy-driven is an attribute of a traditional audit approach. stop-or-go sampling. Ending the audit and issuing an opinion will not address identification of potential risk. expand the scope of the IS audit to include the devices that are not on the network diagram. A1-11 The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?
An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). Planning is the responsibility of audit management. The most critical issue in this scenario is that the enterprise architecture (EA) is undergoing change, so the IS auditor should be most concerned with reporting this issue. Wire transfer procedures C. Compliance testing D. Classification allows an IS auditor to determine which controls are missing A is the correct answer. When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. Although reviewing the procedure manual can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control. In circumstances in which the IS auditor’s independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor’s independence should be disclosed to the appropriate management and in the report. review requested evidence provided by the audit client. purpose and scope of the audit being done. Observation D. Which of the following is the BEST evidence of effectiveness? Purpose, objective and scope of the audit D. Inherent risk is the risk level or exposure without taking into account the actions that management has taken or might take. To increase efficiency of the audit function A is the correct answer. The IS auditor should make the final decision about what to include or exclude from the audit report. Review of the summary financial reports would not compensate for the segregation of duties issue. Inventory of assets D. Control self-assessments (CSAs) require employees to assess the control stature of their own function. The effect of security breaches is dependent on the value of the assets and the threats, vulnerabilities and effectiveness of mitigating controls.
Based on the observations and interviews, the IS auditor can evaluate the segregation of duties. Corrective D. The purpose of a data flow diagram is to track the movement of data through a process and is not primarily to document or indicate how data are generated. Ignore the absence of management approval because employees follow the policies. Adequacy of audit evidence pulled by CAATs is determined by the processes and personnel who author the data, and the use of CAATs does not have any impact on competence. the integrity of data controls. Continuous audit allows audit and response to audit issues in a timely manner because audit findings are gathered in near real time. determining whether the movement of tapes is authorized. Attribute B. Request that the system be shut down to preserve evidence. highlight high-level data definitions. Impact is the measure of the consequence (including financial loss, reputational damage, loss of customer confidence) that a threat event may have. document the controls applied to the potential access paths to the system. Participating in the design of the risk management framework involves designing controls, which will compromise the independence of the IS auditor to audit the risk management process. The IS auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure. Review of the audit charter C. Which of the following reviews conducted by the user’s supervisor would represent the BEST compensating control? A1-64 Which of the following audit techniques would BEST help an IS auditor in determining whether there have been unauthorized program changes since the last authorized program update? Confirm the findings, and propose a course of corrective action. To determine the skills required to perform the IS audit D.
Identify compensating controls to the identified risk. A1-94 Sharing risk is a key factor in which of the following methods of managing risk? It would also be obvious if one individual is masquerading and filling in the role of the second person. Length of service will not ensure technical competency. Variable sampling C. inform management of the possible conflict of interest after completing the audit assignment. The assets need to be identified first. CSA requires the involvement of IS auditors and line management. work papers of other auditors. effective preventive controls are enforced. The test will assist the IS auditor to determine: A. Privileged access, such as administrator access, is necessary to manage user account privileges and should not be granted to end users. Discussion with management B. It would be impossible to determine impact without first having identified the assets affected; therefore, this must already have been completed. The candidate also may want to obtain a copy of the CISA Review Manual 26th Edition, which provides the foundational knowledge of a CISA. The effect of applicable statutory requirements must be factored in while planning an IS audit—the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutory requirements. Audit guidelines exist to provide guidance on how to achieve compliance with professional standards. An audit charter will state the authority and reporting requirements for the audit but not the details of maintenance of internal controls. C. An oral statement from the auditee is audit evidence but not as reliable as the results of a test performed by an external IS auditor.
Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. Analysis of transaction logs would help to show that dual control is in place but does not necessarily guarantee that this process is being followed consistently. decline the assignment. test controls over the access paths to determine if they are functional. to preserve evidence of criminal activity. Research past IS audit reports. Reperformance C is the correct answer. Failure to obtain sufficient evidence in one part of an audit engagement does not justify cancelling or postponing the audit; this would violate the audit guideline concerning due professional care. the tolerable error rate cannot be determined. The e-commerce application enables the execution of business transactions. The question does not indicate that an IS auditor is searching for a threshold of fraud. Control D. The audit charter is prepared when the audit department is established or as updates are needed. document for future review. Test steps for the audit are not as critical during the audit planning process as identifying the areas of risk that should be audited. Limited employee participation D. Peer auditors understand previous audit results. The software tool should: report the matter to the audit committee. The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings and responses from management.
A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses. Auditing the core service and its dependencies with others would most likely be a part of the audit, but the IS auditor must first gain an understanding of the business processes and how the systems support those processes. The primary purpose of the IS audit charter is to set forth the purpose, responsibility, authority and accountability of the IS audit function. A. Business B is the correct answer. Detective controls identify events after they have happened. sufficient and appropriate audit evidence. A confirmation letter received from an outside source B is the correct answer. If the IS auditor executes the data extraction, there is greater assurance that the extraction criteria will not interfere with the required completeness and therefore all required data will be collected. Continuous auditing benefits the internal audit function because it reduces the use of auditing resources to create a more efficient auditing function. interface with various types of enterprise resource planning (ERP) software and databases. The finding remains valid and the management response will be documented; however, the audit may indicate a need to review the validity of the management response. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view. Therefore, the first step would be to revalidate the evidence for the finding. Emergency changes are acceptable as long as they are properly documented as part of the process. allows IS auditors to independently assess risk. Based on the download stats, I see many people download it successfully all the time. Specifying appropriate tests is not the primary goal of audit planning. An IS auditor can advise as to the completeness of the test cases.
Director of internal audit B is the correct answer. Which of the following sampling methods would BEST assist the IS auditors? Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. As of 9/3/16, the CISA Study Guide has been downloaded over 33.000 times! And I’m no longer counting. Rebooting the system D. Integrated test facility D. production data are used for testing. Compliance risk C. While it may be necessary to redesign the change management process, this cannot be done until a root cause analysis is conducted to determine why the current process is not being followed. A validity check D. During the course of an audit, if there are material issues that are of concern, they need to be reported immediately. Observation is a valid audit method to verify that operators are using the system appropriately; however, conducting re-performance is a better method. Suspending the audit is an inappropriate action because it provides no current knowledge of the adequacy of the existing controls. Employee background checks B is the correct answer. A1-51 An IS auditor should use statistical sampling, and not judgment (nonstatistical) sampling, when: A. Additionally, 150 questions have been extracted to provide a sample test with questions in the same proportion as the current CISA job practice. analysis. There is no control deficiency to be reported. CSA is not a replacement for traditional audits. 25 percent. Candidates are urged to use this sample exam and the answer sheet provided to simulate an actual exam. It is the responsibility of management to accept risk or mitigate it appropriately. The independence of the IS auditor cannot be restored while continuing to conduct the audit.
The wire transfer procedures are a better control to review to ensure that there is segregation of duties of the end users to help prevent fraud. The development of substantive tests is often dependent on the outcome of compliance tests. This enables line managers to detect and respond to control errors promptly. The candidate is asked to choose the BEST answer from the options. Based solely on the interview with the payroll clerk, the IS auditor will not be able to collect evidence to conclude on the adequacy of existing controls. allows management to relinquish responsibility for control. An accounting system that tracks employee telephone calls C is the correct answer. all material weaknesses will be identified. Residual risk C is the correct answer. Work papers from other auditors may be used to substantiate and validate a finding but should not be used without the additional evidence of the work papers from the IS auditor preparing the report. Manager involvement C. When the same result is obtained after the performance by an independent person, this provides the strongest assurance. Done carefully, it will not corrupt the evidence. Where evidence is not readily available, the auditor must ensure that other forms of audit are considered to ensure compliance in the area subject to audit. The evidence is objective because it was generated by the system rather than by an individual. Variable sampling is used in substantive testing situations and deals with population characteristics that vary, such as monetary values and weights. Audit risk is an inherent aspect of auditing, is directly related to the audit process and is not relevant to the risk analysis of the environment to be audited. What is the INITIAL step? The results of a control self-assessment may assist the IS auditor in determining risk and compliance but on its own is not enough to support the audit report.
Past IS audit reports are not the best source of information because they may not accurately describe how IT responsibilities are assigned. vulnerabilities and threats are identified. The use of unauthorized or illegal software should be prohibited by an organization. audit committee. The IS auditor does not yet have enough information to report the problem. ability, as an IS auditor, to be independent of existing IT relationships. At the draft report stage, the IS auditor may recommend various controls to mitigate the risk, but the purpose of the meeting is to validate the findings of the audit with management. CSA is not intended to replace audit’s responsibilities, but to enhance them. Determining whether the movement of tapes is authorized is a compliance test. disclosure. The material in this manual consists of 1,000 multiple-choice study questions, answers and explanations, which are organized according to the newly revised (effective 2016) CISA job practice domains. corrective control. Auditing the core service and its dependencies on other systems. The complete CISA job practice can be found at www.isaca.org/cisajobpractice. assets have been identified and ranked. A higher confidence coefficient need not be adopted in this situation because internal controls are strong. Determining the reasonableness of financial reporting controls is a very narrow answer in that it is limited to financial reporting. Another condition a candidate should consider when preparing for the examination is to recognize that IS audit and control is a global profession, and individual perceptions and experiences may not reflect the more global position or circumstance. Management could elect to implement another corrective action plan to address the risk. Manager involvement is important, but may not be a consistent or well-defined process compared to control self-assessment (CSA).
A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used—for example, not using a dictionary word, including non-alphabetical characters, etc. An ITF does validate the correct operation of a transaction in an application, but it does not ensure that a system is being operated correctly. Risk assessment is required by ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.2: “IS audit and assurance professionals shall identify and a
