Practice Questions - CISA Area 1
AREA 1
1. Which of the following BEST describes an integrated test facility?
A. A technique that enables the IS auditor to test a computer application for the purpose of verifying
correct processing
B. The utilization of hardware and/or software to review and test the functioning of a computer system
C. A method of using special programming options to permit the printout of the path through a
computer program taken to process a specific transaction
D. A procedure for tagging and extending transactions and master records that are used by an IS
auditor for tests
2. Which of the following processes describes risk assessment? Risk assessment is:
A. subjective.
B. objective.
C. mathematical.
D. statistical.
3. Which of the following is an advantage of an integrated test facility (ITF)?
A. It uses actual master files or dummies and the IS auditor does not have to review the source of
the transaction.
B. Periodic testing does not require separate test processes.
C. It validates application systems and tests the ongoing operation of the system.
D. It eliminates the need to prepare test data.
4. The use of statistical sampling procedures helps minimize:
A. sampling risk.
B. detection risk.
C. inherent risk.
D. control risk.
5. During an implementation review of a multiuser distributed application, the IS auditor finds minor
weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords
are being used and some vital reports are not being checked properly. While preparing the audit
report, the IS auditor should:
A. record the observations separately with the impact of each of them marked against each
respective finding.
B. advise the manager of probable risks without recording the observations, as the control
weaknesses are minor ones.
C. record the observations and the risk arising from the collective weaknesses.
D. apprise the departmental heads concerned with each observation and properly document it in the
report.
6. An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the
following findings should give the IS auditor the GREATEST concern?
A. There are a number of external modems connected to the network.
B. Users can install software on their desktops.
C. Network monitoring is very limited.
D. Many user ids have identical passwords.
7. Which of the following is the MOST likely reason why e-mail systems have become a useful source of
evidence for litigation?
A. Multiple cycles of backup files remain available.
B. Access controls establish accountability for e-mail activity.
C. Data classification regulates what information should be communicated via e-mail.
D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.
8. An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had
written the password, allocated by the system administrator, inside his/her desk drawer. The IS
auditor should conclude that the:
A. manager's assistant perpetrated the fraud.
B. perpetrator cannot be established beyond doubt.
C. fraud must have been perpetrated by the manager.
D. system administrator perpetrated the fraud.
9. While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS
auditor's next step?
A. Observe the response mechanism.
B. Clear the virus from the network.
C. Inform appropriate personnel immediately.
D. Ensure deletion of the virus.
10. The risk of an IS auditor using an inadequate test procedure and concluding that material errors do
not exist when, in fact, they do is an example of:
A. inherent risk.
B. control risk.
C. detection risk.
D. audit risk.
11. The responsibility, authority and accountability of the IS audit function is appropriately documented in
an audit charter and MUST be:
A. approved by the highest level of management.
B. approved by audit department management.
C. approved by user department management.
D. changed every year before commencement of IS audits.
12. The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information.
B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant evidence.
D. purpose and scope of the audit being done.
14. When assessing the design of network monitoring controls, an IS auditor should FIRST review
network:
A. topology diagrams.
B. bandwidth usage.
C. traffic analysis reports.
D. bottleneck locations.
17. Senior management has requested that an IS auditor assist the departmental management in the
implementation of necessary controls. The IS auditor should:
A. refuse the assignment since it is not the role of the IS auditor.
B. inform management of his/her inability to conduct future audits.
C. perform the assignment and future audits with due professional care.
D. obtain the approval of user management to perform the implementation and follow-up.
18. Which of the following normally would be the MOST reliable evidence for an auditor?
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analysis developed by the IS auditor from reports supplied by line management
19. Which audit technique provides the BEST evidence of the segregation of duties in an IS department?
A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights
20. In cases where there is disagreement, during an exit interview, regarding the impact of a finding, the
IS auditor should:
A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of the finding and the risks of not correcting it.
C. report the disagreement to the audit committee for resolution.
D. accept the auditee's position since they are the process owners.