CISA Exam Questions (Information Systems Auditing Process)

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls are regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing
Answer: A

An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:
A. EDI trading partner agreements.
B. physical controls for terminals.
C. authentication techniques for sending and receiving messages.
D. program change control procedures.
Answer: C

Which of the following is an attribute of the control self-assessment approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven
Answer: A

A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements
Answer: D

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risk are in place.
B. vulnerabilities and threats are identified.
C. audit risk is considered.
D. a gap analysis is appropriate.
Answer: B

A PRIMARY benefit derived for an organization employing control self-assessment techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
Answer: A

In planning an IS audit, the MOST critical step is the identification of the:
A. areas of significant risk.
Answer: A