ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 9

The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free and are intended to help you prepare for the ISACA CISA exam and earn the CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 901

Question

An IT steering committee should review information systems PRIMARILY to assess:

A. whether IT processes support business requirements.
B. if proposed system functionality is adequate.
C. the stability of existing software.
D. the complexity of installed technology.

Answer

A. whether IT processes support business requirements.

Explanation

The role of an IT steering committee is to ensure that the IS department is in harmony with the organization’s mission and objectives. To ensure this, the committee must determine whether IT processes support the business requirements. Assessing proposed additional functionality and evaluating software stability or the complexity of technology are too narrow in scope to establish whether IT processes are, in fact, supporting the organization’s goals.

CISA Question 902

Question

Which of the following is the key benefit of control self-assessment (CSA)?

A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Improved fraud detection since internal business staff are engaged in testing controls.
D. Internal auditors can shift to a consultative approach by using the results of the assessment.

Answer

A. Management ownership of the internal controls supporting business objectives is reinforced.

Explanation

The objective of control self-assessment is to make business management more aware of the importance of internal control and of their responsibility for it in terms of corporate governance.
Reducing audit expenses is not a key benefit of control self-assessment (CSA). Improved fraud detection is important, but not as important as ownership, and is not a principal objective of CSA. CSA may give more insight to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

CISA Question 903

Question

Which of the following is an attribute of the control self-assessment (CSA) approach?

A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven

Answer

A. Broad stakeholder involvement

Explanation

The control self-assessment (CSA) approach emphasizes management of, and accountability for, developing and monitoring the controls of an organization’s business processes. The attributes of CSA include empowered employees, continuous improvement, and extensive employee participation and training, all of which are representations of broad stakeholder involvement. Choices B, C and D are attributes of a traditional audit approach.

CISA Question 904

Question

The success of control self-assessment (CSA) highly depends on:

A. having line managers assume a portion of the responsibility for control monitoring.
B. assigning staff managers the responsibility for building, but not monitoring, controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and the monitoring of controls of assigned duties.

Answer

A. having line managers assume a portion of the responsibility for control monitoring.

Explanation

The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a control self-assessment (CSA) program therefore depends on the degree to which line managers assume responsibility for controls. Choices B, C and D are characteristics of a traditional audit approach, not a CSA approach.

CISA Question 905

Question

The final decision to include a material finding in an audit report should be made by the:

A. audit committee.
B. auditee’s manager.
C. IS auditor.
D. CEO of the organization.

Answer

C. IS auditor.

Explanation

The IS auditor should make the final decision about what to include in or exclude from the audit report. Allowing any of the other parties to make that decision would limit the independence of the auditor.

CISA Question 906

Question

When preparing an audit report, the IS auditor should ensure that the results are supported by:

A. statements from IS management.
B. workpapers of other auditors.
C. an organizational control self-assessment.
D. sufficient and appropriate audit evidence.

Answer

D. sufficient and appropriate audit evidence.

Explanation

ISACA’s standard on reporting requires that the IS auditor have sufficient and appropriate audit evidence to support the reported results.
Statements from IS management provide a basis for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be based on evidence collected during the course of the review, even though the auditor may have access to the workpapers of other auditors. The results of an organizational control self-assessment (CSA) could supplement the audit findings. Choices A, B and C might be referenced during an audit but, of themselves, would not be considered a sufficient basis for issuing a report.

CISA Question 907

Question

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:

A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of the finding and the risks of not correcting it.
C. report the disagreement to the audit committee for resolution.
D. accept the auditee’s position since they are the process owners.

Answer

B. elaborate on the significance of the finding and the risks of not correcting it.

Explanation

If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.

CISA Question 908

Question

During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas: the initial parameter settings are improperly configured, weak passwords are being used, and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:

A. record the observations separately with the impact of each of them marked against each respective finding.
B. advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones.
C. record the observations and the risk arising from the collective weaknesses.
D. apprise the departmental heads concerned with each observation and properly document it in the report.

Answer

C. record the observations and the risk arising from the collective weaknesses.

Explanation

Individually the weaknesses are minor; however, together they have the potential to substantially weaken the overall control structure. Choices A and D reflect a failure on the part of an IS auditor to recognize the combined effect of the control weaknesses. Advising the local manager without recording the facts and observations would conceal the findings from other stakeholders.

CISA Question 909

Question

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:

A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.
B. not include the finding in the final report, because the audit report should include only unresolved findings.
C. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit.
D. include the finding in the closing meeting for discussion purposes only.

Answer

A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.

Explanation

Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation as it existed at the start of the audit, and all corrective actions taken by the auditee should be reported in writing.

CISA Question 910

Question

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?

A. Personally delete all copies of the unauthorized software.
B. Inform the auditee of the unauthorized software, and follow up to confirm deletion.
C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management.
D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.

Answer

C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management.

Explanation

The use of unauthorized or illegal software should be prohibited by an organization. Software piracy creates an inherent exposure and can result in severe fines. An IS auditor must convince the users and user management of the risk and of the need to eliminate it, including the need to prevent recurrence. An IS auditor should not assume the role of enforcement officer or become personally involved in removing or deleting the unauthorized software, and simply following up on deletion does not address the root cause.