The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free and can help you prepare for the ISACA CISA exam and earn the CISA certification.

CISA Question 961
Question: An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:
A. the probability of error must be objectively quantified.
Answer: A. the probability of error must be objectively quantified.
Explanation: Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Choice B is incorrect because sampling risk is the risk of a sample not being representative of the population; this risk exists for both judgment and statistical samples. Choice C is incorrect because statistical sampling does not require the use of generalized audit software. Choice D is incorrect because the tolerable error rate must be predetermined for both judgment and statistical sampling.

CISA Question 962
Question: While planning an audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.
Answer: A. reasonable assurance that the audit will cover material items.
Explanation: The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition.

CISA Question 963
Question: The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information.
Answer: D. purpose and scope of the audit being done.
Explanation: The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence.

CISA Question 964
Question: In planning an audit, the MOST critical step is the identification of the:
A. areas of high risk.
Answer: A. areas of high risk.
Explanation: When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding on and selecting the audit. Test steps for the audit are not as critical as identifying the areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are primarily selected based on the identification of risks.

CISA Question 965
Question: An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. the controls already in place.
Answer: D. the threats/vulnerabilities affecting the assets.
Explanation: One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risks related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.

CISA Question 966
Question: An organization's IS audit charter should specify the:
A. short- and long-term plans for IS audit engagements.
Answer: D. role of the IS audit function.
Explanation: An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope, and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee. Short-term and long-term planning is the responsibility of audit management. The objectives and scope of each IS audit should be agreed to in an engagement letter. A training plan, based on the audit plan, should be developed by audit management.

CISA Question 967
Question: To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit.
Answer: C. develop the audit plan on the basis of a detailed risk assessment.
Explanation: Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff's productivity (efficiency and performance), but what delivers value to the organization is having resources and efforts dedicated to, and focused on, the higher-risk areas.

CISA Question 968
Question: When developing a risk-based audit strategy, an IS auditor conducts a risk assessment to ensure that:
A. controls needed to mitigate risks are in place.
Answer: B. vulnerabilities and threats are identified.
Explanation: In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.

CISA Question 969
Question: The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
Answer: C. can improve system security when used in time-sharing environments that process a large number of transactions.
Explanation: The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization's computer systems.

Which of the following is the most critical step in planning an audit?
Of all the steps listed, performing a risk assessment is the most critical.

When developing a risk management program, what is the first activity to be performed?
Step 1: Identify the risk. The initial step in the risk management process is to identify the risks that the business is exposed to in its operating environment.

When developing a risk management program, what is the first activity to be performed: a) threat assessment, b) classification of data, c) inventory of assets, d) criticality analysis?
Inventory of assets. Identification of the assets to be protected is the first step in developing a risk management program.
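Question 961 above turns on the point that a statistical sample lets the auditor derive the sample size from an expected deviation rate and a confidence level, and then objectively quantify the deviation rate the population could contain; a judgment sample gives no such number. The Python below is an added illustration of that calculation, not code from the original page or from any ISACA material: it implements classic attribute sampling with the exact binomial distribution. The function names and the 5% tolerable / 1% expected / 95% confidence figures are assumptions chosen for the example.

```python
"""
Attribute-sampling helper (added example; the function names and the
rates used in the demo are illustrative assumptions, not ISACA values).

Statistical sampling is objective because both the sample size and the
achieved upper deviation limit fall out of the binomial model once the
tolerable rate, expected rate and confidence level are fixed.
"""
import math


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable_rate: float, expected_rate: float,
                          confidence: float, max_n: int = 10_000) -> int:
    """Smallest n such that, if the true deviation rate were as high as the
    tolerable rate, the chance of seeing no more than the expected number of
    deviations in the sample is at most (1 - confidence).  That chance is the
    sampling risk of over-reliance on the control."""
    if not (0 <= expected_rate < tolerable_rate < 1 and 0 < confidence < 1):
        raise ValueError("need 0 <= expected < tolerable < 1 and 0 < confidence < 1")
    risk = 1 - confidence
    for n in range(1, max_n + 1):
        # deviations the sample may contain and still support reliance;
        # round() before ceil() avoids e.g. 0.05 * 20 == 1.0000000000000002
        allowed = math.ceil(round(expected_rate * n, 9))
        if binom_cdf(allowed, n, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size within max_n meets the criteria")


def upper_deviation_limit(n: int, observed: int, confidence: float) -> float:
    """Achieved upper deviation limit: the largest population rate that is
    still consistent, at the given confidence, with seeing `observed`
    deviations in n items (bisection on the binomial tail).  This is the
    objective quantification of error that judgment sampling cannot give."""
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # 60 halvings is more than enough for double precision
        mid = (lo + hi) / 2
        if binom_cdf(observed, n, mid) > risk:
            lo = mid  # this rate is still plausible: the limit lies above it
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    # Assumed engagement parameters: 5% tolerable rate, no deviations
    # expected, 95% confidence (i.e. 5% risk of over-reliance).
    n = attribute_sample_size(tolerable_rate=0.05, expected_rate=0.0, confidence=0.95)
    print(f"sample size with 0 expected deviations: {n}")
    print(f"upper limit if 0 deviations are found:  {upper_deviation_limit(n, 0, 0.95):.4f}")
    print(f"upper limit if 2 deviations are found:  {upper_deviation_limit(n, 2, 0.95):.4f}")
    # Expecting some deviations forces a larger sample for the same tolerable rate.
    print(f"sample size with 1% expected deviations: "
          f"{attribute_sample_size(0.05, 0.01, 0.95)}")
```

With a 5% tolerable rate and no expected deviations, the required sample is 59 items and the achieved upper limit when none are found is just under 5%, so the auditor can state the conclusion with a quantified risk; if two deviations turn up in those 59 items, the upper limit rises well above the tolerable rate and the control cannot be relied upon at that confidence. Raising the expected rate to 1% pushes the sample size to 93, which is why the expected error rate has to be fixed before the sample is drawn.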