VERIFIED ANSWERS
Which technique BEST tests for the existence of dual control when auditing the wire
transfer systems of a bank?
A.Analysis of transaction logs
B.Reperformance
C.Observation
D.Interviewing personnel - Answer- C. Observation
An information systems (IS) auditor who was involved in designing an organization's
business continuity plan (BCP) has been assigned to audit the plan. The IS auditor
should:
A.decline the assignment.
B.inform management of the possible conflict of interest after completing the audit
assignment.
C.inform the BCP team of the possible conflict of interest prior to beginning the
assignment.
D.confirm the possibility of conflict of interest to audit management prior to starting the
assignment. - Answer- D. confirm the possibility of conflict of interest to audit
management prior to starting the assignment.
An information systems (IS) auditor performing a review of application controls
evaluates the:
A.efficiency of the application in meeting the business processes.
B.impact of any exposures discovered.
C.business processes served by the application.
D.application optimization. - Answer- B. impact of any exposures discovered.
An appropriate control for ensuring the authenticity of orders received in an electronic
data interchange system application is to:
A.acknowledge receipt of electronic orders with a confirmation message.
B.perform reasonableness checks on quantities ordered before filling orders.
C.verify the identity of senders and determine if orders correspond to contract terms.
D.encrypt electronic orders. - Answer- C. verify the identity of senders and determine if
orders correspond to contract terms.
An information systems (IS) auditor is comparing equipment in production with inventory
records. This type of testing is an example of:
A.substantive testing.
B.compliance testing.
C.analytical testing.
D.control testing. - Answer- A. substantive testing.
An information systems (IS) auditor is validating a control that involves a review of
system-generated exception reports. Which of the following is the BEST evidence of the
effectiveness of the control?
A.Walk-through with the reviewer of the operation of the control
B.System-generated exception reports for the review period with the reviewer's sign-off
C.A sample system-generated exception report for the review period, with follow-up
action items noted by the reviewer
D.Management's confirmation of the effectiveness of the control for the review period -
Answer- C. A sample system-generated exception report for the review period, with
follow-up action items noted by the reviewer
An information systems (IS) auditor is determining the appropriate sample size for
testing the existence of program change approvals. Previous audits did not indicate any
exceptions, and management has confirmed that no exceptions have been reported for
the review period. In this context, the IS auditor can adopt a:
A.lower confidence coefficient, resulting in a smaller sample size.
B.higher confidence coefficient, resulting in a smaller sample size.
C.higher confidence coefficient, resulting in a larger sample size.
D.lower confidence coefficient, resulting in a larger sample size. - Answer- A. lower
confidence coefficient, resulting in a smaller sample size.
While conducting an audit, an information systems (IS) auditor detects the presence of
a virus. What should be the IS auditor's NEXT step?
A.Observe the response mechanism.
B.Clear the virus from the network.
C.Inform appropriate personnel immediately.
D.Ensure deletion of the virus. - Answer- C. Inform appropriate personnel immediately.
An external information systems (IS) auditor issues an audit report pointing out the lack
of firewall protection features at the perimeter network gateway and recommending a
specific vendor product to address this vulnerability. The IS auditor has failed to
exercise:
A.professional independence.
B.organizational independence.
C.technical competence.
D.professional competence. - Answer- A. professional independence.
What is the BEST action for an information systems (IS) auditor to take when an
outsourced monitoring process for remote access is inadequate and management
disagrees because intrusion detection system (IDS) and firewall controls are in place?
A.Revise the finding in the audit report per management's feedback.
B.Retract the finding because the IDS controls are in place.