CISA Area 1 – Q & A – 21 to 25

By: enj

21. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent
B. Detection
C. Control
D. Business

The correct answer is:
B. Detection

Explanation:
Detection risks are directly affected by the auditor’s selection of audit procedures and techniques. Inherent risks usually are not affected by the IS auditor. Control risks are controlled by the actions of the company’s management. Business risks are not affected by the IS auditor.

22. During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:
A. test data to validate data input.
B. test data to determine system sort capabilities.
C. generalized audit software to search for address field duplications.
D. generalized audit software to search for account field duplications.

The correct answer is:
C. generalized audit software to search for address field duplications.

Explanation:
Since the name is not the same (due to name variations), one method to detect duplications would be to compare other common fields, such as addresses. Subsequent review to determine common customer names at these addresses could then be conducted. Searching for duplicate account numbers would not likely find duplications, since customers would most likely have different account numbers for each variation. Test data would not be useful to detect the extent of any data characteristic, but simply to determine how the data were processed.

23. When communicating audit results, IS auditors should remember that ultimately they are responsible to:
A. senior management and/or the audit committee.
B. the manager of the audited entity.
C. the IS audit director.
D. legal authorities.

The correct answer is:
A. senior management and/or the audit committee.

Explanation:
The IS auditor is ultimately responsible to senior management and the audit committee of the board of directors. Even though the IS auditor should discuss the findings with the management staff of the audited entity (choice B), this is done only to gain agreement on the findings and develop a course of corrective action. Choice C is incorrect because the IS audit director should review the report that the IS auditor prepared, but is not the person who will make the decisions regarding the findings and their potential consequences. Choice D is incorrect because the responsibility for reporting to legal authorities would rest with the board of directors and their legal counselors.

24. In an audit of an inventory application, which approach would provide the BEST evidence that purchase orders are valid?
A. Testing whether inappropriate personnel can change application parameters
B. Tracing purchase orders to a computer listing
C. Comparing receiving reports to purchase order details
D. Reviewing the application documentation

The correct answer is:
A. Testing whether inappropriate personnel can change application parameters

Explanation:
To determine purchase order validity, testing access controls will provide the best evidence. Choices B and C are based on after-the-fact approaches, and choice D does not serve the purpose because what is in the system documentation may not be the same as what is happening.

25. An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:
A. evaluate the record retention plans for off-premises storage.
B. interview programmers about the procedures currently being followed.
C. compare utilization records to operations schedules.
D. review data file access records to test the librarian function.

The correct answer is:
B. interview programmers about the procedures currently being followed.

Explanation:
Asking programmers about the procedures currently being followed is useful in determining whether access to program documentation is restricted to authorized persons. Evaluating the record retention plans for off-premises storage tests the recovery procedures, not the access control over program documentation. Testing utilization records or data files will not address access security over program documentation.

Share!

Leave a Reply

Your email address will not be published. Required fields are marked *

User Online

Back to Top
Get Adobe Flash player