Common Technical Interview Questions and Answers, updated on February 23, 2020

Question 131: Which of the following is true about the ISACA Audit Standards and Audit Guidelines?
A. ISACA Audit Standards are mandatory.
B. ISACA Audit Standards are optional.
C. ISACA Audit Guidelines are mandatory.
D. ISACA Audit Standards are only mandatory for SOX audits.
Correct Answer: A. ISACA Audit Standards are mandatory.
Explanation: ISACA Audit Standards are mandatory for all audit professionals — compliance with ISACA Audit Standards is a condition for earning and retaining the CISA certification.

“ISACA Audit Standards are optional” is incorrect because ISACA Audit Standards are not optional for CISA certification holders. “ISACA Audit Guidelines are mandatory” is incorrect because ISACA Audit Guidelines are not mandatory, but instead serve as helpful guidelines for the implementation of ISACA Audit Standards. “ISACA Audit Standards are only mandatory for SOX audits” is incorrect because ISACA Audit Standards are mandatory for all audits. That said, often there are additional audit standards for specific types of audits, such as Sarbanes-Oxley (SOX), PCI-DSS, SSAE18, and others.

Question 132: For the purposes of audit planning, can an auditor rely upon the audit client’s risk assessment?
A. Yes, in all cases.
B. Yes, if the risk assessment was performed by a qualified external entity.
C. No. The auditor must perform a risk assessment himself or herself.
D. No. The auditor does not require a risk assessment to develop an audit plan.
Correct Answer: B. Yes, if the risk assessment was performed by a qualified external entity.
Explanation: An auditor can use a risk assessment performed by a qualified external party to develop a risk-based audit plan. This will result in areas of higher risk being examined more closely than areas of lower risk.

“Yes, in all cases” is incorrect because there are certainly cases where an auditor cannot use a client’s risk assessment — for example, if the client’s risk assessment was performed by unqualified persons or if there were signs of bias. “No. The auditor must perform a risk assessment himself or herself” is incorrect because it is not always necessary for an auditor to perform the risk assessment himself or herself. Often an external risk assessment can be used, provided it is sound. “No. The auditor does not require a risk assessment to develop an audit plan” is incorrect because a risk assessment will result in a better audit plan that is risk-aligned.

Question 133: An auditor is auditing the user account request and fulfillment process. The event population consists of hundreds of transactions, so the auditor cannot view them all. The auditor wants to view a random selection of transactions, as well as some of the transactions for privileged access requests. This type of sampling is known as:
A. Judgmental sampling
B. Random sampling
C. Stratified sampling
D. Statistical sampling
Correct Answer: A. Judgmental sampling
Explanation: The auditor wants to examine the population and select specific high-risk transactions.

“Random sampling” is incorrect because some of the transactions are not being randomly selected, and because “random sampling” is not the official term for this technique. “Stratified sampling” is incorrect because this is not an example of stratified sampling. “Statistical sampling” is incorrect because some of the transactions are not being randomly selected.

Question 134: An auditor is developing an audit plan for an accounts payable function. Rather than randomly selecting transactions to examine, the auditor wants to select transactions from low, medium, and large payment amounts. Which sample methodology is appropriate for this approach?
A. Judgmental sampling
B. Stratified sampling
C. Non-random sampling
D. Statistical sampling
Correct Answer: B. Stratified sampling
Explanation: Stratified sampling involves selecting samples based on some quantified value in each sample (in this case, the payment amount). Stratified sampling is useful for situations like this where auditors want to be sure to examine very high- or very low-value samples that might not be selected in random sampling.

“Judgmental sampling” is incorrect because judgmental sampling is, by definition, not random. However, this would be the next best choice. “Non-random sampling” is incorrect because non-random sampling is not a sampling methodology. “Statistical sampling” is incorrect because statistical sampling might not capture enough of the high- or low-value transactions if there are too few of these.

Question 135: What is the objective of the ISACA audit standard on organizational independence?
A. The auditor’s placement in the organization should ensure the auditor can act independently.
B. The auditor should not work in the same organization as the auditee.
C. To ensure that the auditor has the appearance of independence.
D. To ensure that the auditor has a separate operating budget.
Correct Answer: A. The auditor’s placement in the organization should ensure the auditor can act independently.
Explanation: ISACA audit standard 1002, “Organizational Independence,” states the following: “The IS auditor’s placement in the command-and-control structure of the organization should ensure that the IS auditor can act independently.” This helps to avoid the possibility that the auditor is being coerced into providing a favorable audit opinion.

“The auditor should not work in the same organization as the auditee” is incorrect because the audit standard does not require the auditor to work in a different organization. Indeed, internal audit departments in U.S. public companies are a part of the organization. “To ensure that the auditor has the appearance of independence” is incorrect because it is important to not only ensure the appearance of independence but the fact of independence. “To ensure that the auditor has a separate operating budget” is incorrect because a separate budget does not necessarily equate to independence.

Question 136: Which of the following audit types is appropriate for a financial services provider such as a payroll service?
A. SSAE18
B. SAS70
C. AUP
D. Sarbanes-Oxley
Correct Answer: A. SSAE18
Explanation: An SSAE18 audit is specifically intended for financial service providers such as payroll, general accounting, expense management, and other financial services.

“SAS70” is incorrect because the SAS70 audit standard has been deprecated and replaced by the SSAE18 standard. “AUP” is incorrect because an AUP audit is general purpose in nature and not specifically designed for financial services. “Sarbanes-Oxley” is incorrect because a Sarbanes-Oxley audit is intended for the financial business processes of a U.S. public company.

Question 137: An auditor is auditing an organization’s personnel onboarding process and is examining the background check process. The auditor is mainly interested in whether background checks are performed for all personnel and whether background check results lead to no-hire decisions. Which of the following evidence collection techniques will support this audit objective?
A. Request the full contents of background checks along with hire/no-hire decisions.
B. Request the background check ledger that includes the candidates’ names, results of background checks, and hire/no-hire decisions.
C. Request the hire/no-hire decisions from the auditee.
D. Examine the background check process and note which characteristics for each candidate are included.
Correct Answer: B. Request the background check ledger that includes the candidates’ names, results of background checks, and hire/no-hire decisions.
Explanation: This evidence request will provide enough information for the auditor to understand whether background checks are performed for all positions requiring it, as well as whether any no-hire decisions are made.

“Request the full contents of background checks along with hire/no-hire decisions” is incorrect because the auditor should not need to see the details of individuals’ background checks. This is highly sensitive information. “Request the hire/no-hire decisions from the auditee” is incorrect because this does not reveal the correlation between pass/no-pass results and hire/no-hire decisions. “Examine the background check process and note which characteristics for each candidate are included” is incorrect because this audit requires examination of records, not just examination of the business process.

Question 138: According to ISACA Audit Standard 1202, which types of risks should be considered when planning an audit?
A. Fraud risk
B. Business risk
C. Cybersecurity risk
D. Financial risk
Correct Answer: B. Business risk
Explanation: All types of risks should be considered when planning an audit of a business process or system.

“Fraud risk” is incorrect because fraud risk is not the only risk that should be considered. “Cybersecurity risk” is incorrect, as cybersecurity risk is only one type of risk that should be considered. “Financial risk” is incorrect because financial risk is only one type of risk that should be considered.

Question 139: Which of the following is the best example of a control self-assessment of a user account provisioning process?
A. An examination of Active Directory to ensure that only domain administrators can make user account permission changes
B. Checks to see that only authorized personnel made user account changes
C. Confirmation that all user account changes were approved by appropriate personnel
D. Reconciliation of all user account changes against approved requests in the ticketing system
Correct Answer: D. Reconciliation of all user account changes against approved requests in the ticketing system
Explanation: A reconciliation of all user account changes with approved requests in the ticketing system ensures that all such changes were actually requested and approved.

“An examination of Active Directory to ensure that only domain administrators can make user account permission changes” is incorrect. Confirming that only domain administrators can make user account changes does not reveal whether the user account provisioning process is effective. “Checks to see that only authorized personnel made user account changes” is incorrect. Checking that only authorized personnel made user account changes does not reveal whether the user account provisioning process is effective. “Confirmation that all user account changes were approved by appropriate personnel” is incorrect. Checking whether the approvers of user account changes were appropriate does not reveal whether the process is effective.

Question 140: What are the potential consequences if an IS auditor is a member of ISACA and is CISA certified and violates the ISACA Code of Professional Ethics?
A. Fines
B. Imprisonment
C. Termination of employment
D. Loss of ISACA certifications
Correct Answer: D. Loss of ISACA certifications
Explanation: An ISACA member violating the ISACA Code of Professional Ethics “can result in an investigation into a member’s or certification holder’s conduct and, ultimately, in disciplinary measures,” including loss of certifications.

“Fines” is incorrect because fines are not a part of ISACA disciplinary action. However, if the matter also includes the violation of laws, there may be fines levied in that case. “Imprisonment” is incorrect because imprisonment is not a part of ISACA disciplinary action. However, if the situation also includes the violation of laws, imprisonment is a possible outcome. “Termination of employment” is incorrect, unless the matter is also seen as egregious by the IS auditor’s employer, who may need to terminate the auditor’s employment.