While planning an IS audit, an assessment of risk should be made to provide:


The following ISACA CISA (Certified Information Systems Auditor) practice exam questions, answers and explanations are provided free of charge to help you prepare for the ISACA CISA exam and earn the CISA certification.


CISA Question 961

Question

An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:

A. the probability of error must be objectively quantified.
B. the auditor wishes to avoid sampling risk.
C. generalized audit software is unavailable.
D. the tolerable error rate cannot be determined.

Answer

A. the probability of error must be objectively quantified.

Explanation

Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Choice B is incorrect because sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples. Choice C is incorrect because statistical sampling does not require the use of generalized audit software. Choice D is incorrect because the tolerable error rate must be predetermined for both judgment and statistical sampling.
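To make the point of the explanation concrete, here is an added worked example (not part of the original question bank, and not an ISACA tool) of the objective quantification that statistical attribute sampling gives an auditor. It assumes a large population, an expected deviation rate of zero (discovery sampling), and a one-sided binomial (Clopper-Pearson) upper limit for evaluating the sample; the confidence level, tolerable rate and the control-test records are constructed inputs chosen for illustration.

```python
import math
import random
from math import comb


def discovery_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Smallest n such that, if the true deviation rate were at least
    tolerable_rate, the chance of observing zero deviations in n items is
    at most (1 - confidence). Solves (1 - p)^n <= 1 - C for n.
    Assumes a large population (sampling with replacement is a fine model)."""
    if not (0 < confidence < 1) or not (0 < tolerable_rate < 1):
        raise ValueError("confidence and tolerable_rate must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_error_limit(n: int, k: int, confidence: float, tol: float = 1e-9) -> float:
    """One-sided Clopper-Pearson upper bound on the population deviation rate
    after observing k deviations in a sample of n: the largest rate p for
    which seeing k or fewer deviations is still at least (1 - C) likely.
    binom_cdf is monotonically decreasing in p, so bisection converges."""
    if k >= n:
        return 1.0
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_sample(n: int, k: int, confidence: float, tolerable_rate: float) -> dict:
    """Compare the achieved upper error limit with the tolerable rate.
    The control can be relied upon at the stated confidence only if the
    upper limit does not exceed the tolerable rate."""
    uel = upper_error_limit(n, k, confidence)
    return {
        "sample_size": n,
        "deviations": k,
        "upper_error_limit": uel,
        "acceptable": uel <= tolerable_rate,
    }


def select_sample(population: list, n: int, seed: int) -> list:
    """Random (every item equally likely) selection, the prerequisite for any
    statistical conclusion; a fixed seed keeps the selection reproducible
    so a reviewer can regenerate exactly the same sample."""
    return random.Random(seed).sample(population, n)


if __name__ == "__main__":
    confidence, tolerable = 0.95, 0.05           # constructed audit parameters
    n = discovery_sample_size(confidence, tolerable)
    print(f"sample size for {confidence:.0%} confidence, {tolerable:.0%} tolerable rate: {n}")

    # Constructed population: 2,000 quarterly access-review records, each a
    # (record_id, reviewed_on_time) pair; 1.5 % of them are deviations.
    population = [(f"AR-{i:04d}", i % 67 != 0) for i in range(2000)]
    sample = select_sample(population, n, seed=20240101)
    deviations = sum(1 for _, ok in sample if not ok)
    result = evaluate_sample(n, deviations, confidence, tolerable)
    print(result)
```

With a 95% confidence level and a 5% tolerable deviation rate the required sample is 59 items; if that sample contains no deviations the upper error limit is just under 5% and the control is acceptable, whereas a single deviation pushes the upper limit to roughly 7.8% and the auditor cannot conclude the control is effective without extending the sample. A judgmental sample of the same size gives no such number, which is why choice A is the one that forces statistical sampling.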

CISA Question 962

Question

While planning an audit, an assessment of risk should be made to provide:

A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.

Answer

A. reasonable assurance that the audit will cover material items.

Explanation

The ISACA IS Auditing Guideline G15 on planning the IS audit states, ‘An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems.’ Definite assurance that material items will be covered during the audit work is an impractical proposition.
Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

CISA Question 963

Question

The extent to which data will be collected during an IS audit should be determined based on the:

A. availability of critical and required information.
B. auditor’s familiarity with the circumstances.
C. auditee’s ability to find relevant evidence.
D. purpose and scope of the audit being done.

Answer

D. purpose and scope of the audit being done.

Explanation

The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor’s familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee’s ability to find relevant evidence.

CISA Question 964

Question

In planning an audit, the MOST critical step is the identification of the:

A. areas of high risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit.

Answer

A. areas of high risk.

Explanation

When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding on and selecting the audit. Test steps for the audit are not as critical as identifying the areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are primarily selected based on the identification of risks.

CISA Question 965

Question

An IS auditor is evaluating management’s risk assessment of information systems. The IS auditor should FIRST review:

A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the risks related to the assets.
D. the threats/vulnerabilities affecting the assets.

Answer

D. the threats/vulnerabilities affecting the assets.

Explanation

One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risks related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.

CISA Question 966

Question

An organization’s IS audit charter should specify the:

A. short- and long-term plans for IS audit engagements.
B. objectives and scope of IS audit engagements.
C. detailed training plan for the IS audit staff.
D. role of the IS audit function.

Answer

D. role of the IS audit function.

Explanation

An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope, and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee. Short-term and long-term planning is the responsibility of audit management. The objectives and scope of each IS audit should be agreed to in an engagement letter. A training plan, based on the audit plan, should be developed by audit management.

CISA Question 967

Question

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:

A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.

Answer

C. develop the audit plan on the basis of a detailed risk assessment.

Explanation

Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff’s productivity (efficiency and performance), but what delivers value to the organization is dedicating and focusing the audit resources and effort on the higher-risk areas, which requires that the audit plan be built on a detailed risk assessment first.

CISA Question 968

Question

When developing a risk-based audit strategy, an IS auditor conducts a risk assessment to ensure that:

A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate.

Answer

B. vulnerabilities and threats are identified.

Explanation

In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.
Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. A gap analysis would normally be done to compare the actual state to an expected or desirable state.

CISA Question 969

Question

The PRIMARY advantage of a continuous audit approach is that it:

A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large number of transactions.
D. does not depend on the complexity of an organization’s computer systems.

Answer

C. can improve system security when used in time-sharing environments that process a large number of transactions.

Explanation

The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization’s computer systems.

Which of the following is the most critical step in planning an audit?

Of all the steps listed, performing a risk assessment is the most critical, because the areas of highest risk determine what is audited and how much time and evidence each area receives.

When developing a risk management program, what is the first activity to be performed?

The initial step in the risk management process is to identify the risks to which the business is exposed in its operating environment.

When developing a risk management program, what is the first activity to be performed?

A. threat assessment
B. classification of data
C. inventory of assets
D. criticality analysis

Answer: C. inventory of assets. Identification of the assets to be protected is the first step in developing a risk management program; threats, data classification and criticality can only be assessed against a known inventory of assets.