
ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 15

The latest ISACA CISA (Certified Information Systems Auditor) certification actual practice exam question and answer (Q&A) dumps are available free to help you pass the ISACA CISA exam and earn the ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 1581

Question

In-house personnel performing IS audits should possess which of the following knowledge and/or skills (Choose two.):

A. information systems knowledge commensurate with the scope of the IT environment in question
B. sufficient analytical skills to determine root cause of deficiencies in question
C. sufficient knowledge on secure system coding
D. sufficient knowledge on secure platform development
E. information systems knowledge commensurate outside of the scope of the IT environment in question

Answer

A. information systems knowledge commensurate with the scope of the IT environment in question
B. sufficient analytical skills to determine root cause of deficiencies in question

Explanation

Personnel performing IT audits should have information systems knowledge commensurate with the scope of the institution’s IT environment.
They should also possess sufficient analytical skills to determine the root cause of deficiencies.

CISA Question 1582

Question

The ability of the internal IS audit function to achieve desired objectives depends largely on:

A. the training of audit personnel
B. the background of audit personnel
C. the independence of audit personnel
D. the performance of audit personnel
E. None of the choices.

Answer

C. the independence of audit personnel

Explanation

The ability of the internal audit function to achieve desired objectives depends largely on the independence of audit personnel. Top management should ensure that the audit department does not participate in activities that may compromise its independence.

CISA Question 1583

Question

Well-written risk assessment guidelines for IS auditing should specify which of the following elements at the least (Choose four.)

A. A maximum length for audit cycles.
B. The timing of risk assessments.
C. Documentation requirements.
D. Guidelines for handling special cases.
E. None of the choices.

Answer

A. A maximum length for audit cycles.
B. The timing of risk assessments.
C. Documentation requirements.
D. Guidelines for handling special cases.

Explanation

Well-written risk assessment guidelines should specify a maximum length for audit cycles based on the risk scores and the timing of risk assessments for each department or activity. There should be documentation requirements to support scoring decisions. There should also be guidelines for overriding risk assessments in special cases and the circumstances under which they can be overridden.

CISA Question 1584

Question

Your final audit report should be issued:

A. after an agreement on the observations is reached.
B. before an agreement on the observations is reached.
C. if an agreement on the observations cannot be reached.
D. without mentioning the observations.
E. None of the choices.

Answer

A. after an agreement on the observations is reached.

Explanation

Reporting can take the forms of verbal presentation, an issue paper or a written audit report summarizing observations and management’s responses. After agreement is reached on the observations, a final report can be issued.

CISA Question 1585

Question

IS audits should be selected through a risk analysis process to concentrate on:

A. those areas of greatest risk and opportunity for improvements.
B. those areas of least risk and opportunity for improvements.
C. those areas of the greatest financial value.
D. areas led by the key people of the organization.
E. random events.
F. irregular events.

Answer

A. those areas of greatest risk and opportunity for improvements.

Explanation

Audits are typically selected through a risk analysis process to concentrate on those areas of greatest risk and opportunity for improvements.
Audit topics are supposed to be chosen based on potential for cost savings and service improvements.

CISA Question 1586

Question

What should be done to determine the appropriate level of audit coverage for an organization’s IT environment?

A. determine the company’s quarterly budget requirement.
B. define an effective assessment methodology.
C. calculate the company’s yearly budget requirement.
D. define an effective system upgrade methodology.
E. define an effective network implementation methodology.

Answer

B. define an effective assessment methodology.

Explanation

To determine the appropriate level of audit coverage for the organization’s IT environment, you must define an effective assessment methodology and provide objective information to prioritize the allocation of audit resources properly.

CISA Question 1587

Question

Which of the following correctly describes the purpose of an Electronic data processing audit?

A. to collect and evaluate evidence of an organization’s information systems, practices, and operations.
B. to ensure document validity.
C. to verify data accuracy.
D. to collect and evaluate benefits brought by an organization’s information systems to its bottom line.
E. None of the choices.

Answer

A. to collect and evaluate evidence of an organization’s information systems, practices, and operations.

Explanation

An Electronic data processing (EDP) audit is an IT audit. It is the process of collecting and evaluating evidence of an organization’s information systems, practices, and operations.

CISA Question 1588

Question

The use of risk assessment tools for classifying risk factors should be formalized in your IT audit effort through:

A. the use of risk controls.
B. the use of computer assisted functions.
C. using computer assisted audit technology tools.
D. the development of written guidelines.
E. None of the choices.

Answer

D. the development of written guidelines.

Explanation

A successful risk-based IT audit program could be based on an effective scoring system. In establishing a scoring system, management should consider all relevant risk factors and avoid subjectivity. Auditors should develop written guidelines on the use of risk assessment tools and risk factors and review these guidelines with the audit committee.

CISA Question 1589

Question

A successful risk-based IT audit program should be based on:

A. an effective scoring system.
B. an effective PERT diagram.
C. an effective departmental brainstorm session.
D. an effective organization-wide brainstorm session.
E. an effective yearly budget.
F. None of the choices.

Answer

A. an effective scoring system.

Explanation

A successful risk-based IT audit program could be based on an effective scoring system. In establishing a scoring system, management should consider all relevant risk factors and avoid subjectivity. Auditors should develop written guidelines on the use of risk assessment tools and risk factors and review these guidelines with the audit committee.

CISA Question 1590

Question

In an application system audit, focus should always be placed on (Choose five.)

A. performance and controls of the system
B. the ability to limit unauthorized access and manipulation
C. input of data are processed correctly
D. output of data are processed correctly
E. changes to the system are properly authorized
F. None of the choices.

Answer

A. performance and controls of the system
B. the ability to limit unauthorized access and manipulation
C. input of data are processed correctly
D. output of data are processed correctly
E. changes to the system are properly authorized

Explanation

In an application system audit, focus should be placed on the performance and controls of the system, its ability to limit unauthorized access and manipulation, that input and output of data are processed correctly on the system, that any changes to the system are authorized, and that users have access to the system.