CISA IS Auditing MCQs Guide

Uploaded by Usama Imran

Process of IS auditing MCQs (ISACA)

QUESTION NO: 317

A PRIMARY benefit derived from an organization employing control self-assessment (CSA)
techniques is that it:

A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.

Answer: A

Explanation: CSA is predicated on the review of high-risk areas that either need immediate
attention or a more thorough review at a later date. Choice B is incorrect, because CSA
requires the involvement of auditors and line management. What occurs is that the internal
audit function shifts some of the control monitoring responsibilities to the functional areas.
Choice C is incorrect because CSA is not a replacement for traditional audits. CSA is not
intended to replace audit's responsibilities, but to enhance them. Choice D is incorrect,
because CSA does not allow management to relinquish its responsibility for control.

QUESTION NO: 318

The success of control self-assessment (CSA) highly depends on:

A. having line managers assume a portion of the responsibility for control monitoring.
B. assigning staff managers the responsibility for building, but not monitoring, controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and the monitoring of controls of assigned duties.

Answer: A

CISA MCQS SYED SHAHBAZ RAZA ZAIDI
Explanation: The primary objective of a CSA program is to leverage the internal audit
function by shifting some of the control monitoring responsibilities to the functional area
line managers. The success of a control self-assessment (CSA) program depends on the
degree to which line managers assume responsibility for controls. Choices B, C and D are
characteristics of a traditional audit approach, not a CSA approach.

QUESTION NO: 246

An audit charter should:

A. be dynamic and change often to coincide with the changing nature of technology and the
audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and
review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.

Answer: D

Explanation: An audit charter should state management's objectives for and delegation of
authority to IS audit. This charter should not significantly change over time and should be
approved at the highest level of management. An audit charter would not be at a detailed
level and, therefore, would not include specific audit objectives or procedures.

QUESTION NO: 255

An organization's IS audit charter should specify the:

A. short- and long-term plans for IS audit engagements.
B. objectives and scope of IS audit engagements.
C. detailed training plan for the IS audit staff.
D. role of the IS audit function.

Answer: D

Explanation: An IS audit charter establishes the role of the information systems audit
function. The charter should describe the overall authority, scope, and responsibilities of the
audit function. It should be approved by the highest level of management and, if available,
by the audit committee.
Short-term and long-term planning is the responsibility of audit management. The
objectives and scope of each IS audit should be agreed to in an engagement letter. A
training plan, based on the audit plan, should be developed by audit management.

QUESTION NO: 412

The output of the risk management process is an input for making:

A. business plans.
B. audit charters.
C. security policy decisions.
D. software design decisions.

Answer: C

Explanation: The risk management process is about making specific, security-related
decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of
the risk management process.

QUESTION NO: 262

When selecting audit procedures, an IS auditor should use professional judgment to ensure
that:

A. sufficient evidence will be collected.
B. all significant deficiencies identified will be corrected within a reasonable period.
C. all material weaknesses will be identified.
D. audit costs will be kept at a minimum level.

Answer: A

Explanation: Procedures are processes an IS auditor may follow in an audit engagement. In
determining the appropriateness of any specific procedure, an IS auditor should use
professional judgment appropriate to the specific circumstances. Professional judgment
involves a subjective and often qualitative evaluation of conditions arising in the course of
an audit. Judgment addresses a grey area where binary (yes/no) decisions are not
appropriate and the auditor's past experience plays a key role in making a judgment. ISACA's
guidelines provide information on how to meet the standards when performing IS audit
work. Identifying material weaknesses is the result of appropriate competence, experience
and thoroughness in planning and executing the audit and not of professional judgment.
Professional judgment is not a primary input to the financial aspects of the audit.

QUESTION NO: 46

How does the process of systems auditing benefit from using a risk-based approach to audit
planning?

A. Controls testing starts earlier.
B. Auditing resources are allocated to the areas of highest concern.
C. Auditing risk is reduced.
D. Controls testing is more thorough.

Answer: B

Explanation: Allocation of auditing resources to the areas of highest concern is a benefit of
a risk-based approach to audit planning.

QUESTION NO: 245

Which of the following is a benefit of a risk-based approach to audit planning? Audit:

A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.


Answer: D

Explanation: The risk-based approach is designed to ensure audit time is spent on the areas
of highest risk. The development of an audit schedule is not addressed by a risk-based
approach. Audit schedules may be prepared months in advance using various scheduling
methods. A risk approach does not have a direct correlation to the audit staff meeting time
budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be
performed in a given year.

QUESTION NO: 254

To ensure that audit resources deliver the best value to the organization, the FIRST step
would be to:

A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.

Answer: C

Explanation: Monitoring the time (choice A) and audit programs (choice D), as well as
adequate training (choice B), will improve the IS audit staff's productivity (efficiency and
performance), but that which delivers value to the organization are the resources and
efforts being dedicated to, and focused on, the higher-risk areas.

QUESTION NO: 257

In planning an audit, the MOST critical step is the identification of the:

A. areas of high risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit.

Answer: A

Explanation: When designing an audit plan, it is important to identify the areas of highest
risk to determine the areas to be audited. The skill sets of the audit staff should have been
considered before deciding and selecting the audit. Test steps for the audit are not as critical
as identifying the areas of risk, and the time allotted for an audit is determined by the areas
to be audited, which are primarily selected based on the identification of risks.

QUESTION NO: 261

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:

A. address audit objectives.
B. collect sufficient evidence.
C. specify appropriate tests.
D. minimize audit resources.

Answer: A

Explanation: ISACA auditing standards require that an IS auditor plan the audit work to
address the audit objectives. Choice B is incorrect because the auditor does not collect
evidence in the planning stage of an audit. Choices C and D are incorrect because they are
not the primary goals of audit planning. The activities described in choices B, C and D are all
undertaken to address audit objectives and are thus secondary to choice A.

QUESTION NO: 297

The PRIMARY reason an IS auditor performs a functional walkthrough during the
preliminary phase of an audit assignment is to:

A. understand the business process.
B. comply with auditing standards.
C. identify control weakness.
D. plan substantive testing.

Answer: A

Explanation: Understanding the business process is the first step an IS auditor needs to
perform. Standards do not require an IS auditor to perform a process walkthrough.
Identifying control weaknesses is not the primary reason for the walkthrough and typically
occurs at a later stage in the audit, while planning for substantive testing is performed at a
later stage in the audit.

QUESTION NO: 253

When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:

A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate.

Answer: B

Explanation: In developing a risk-based audit strategy, it is critical that the risks and
vulnerabilities be understood. This will determine the areas to be audited and the extent of
coverage. Understanding whether appropriate controls required to mitigate risks are in place
is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly
related to the audit process and are not relevant to the risk analysis of the environment to
be audited. A gap analysis would normally be done to compare the actual state to an
expected or desirable state.

QUESTION NO: 272

In the course of performing a risk analysis, an IS auditor has identified threats and potential
impacts. Next, the IS auditor should:

A. identify and assess the risk assessment process used by management.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.

Answer: D

Explanation: It is important for an IS auditor to identify and evaluate the existing controls
and security once the potential threats and possible impacts are identified. Upon
completion of an audit an IS auditor should describe and discuss with management the
threats and potential impacts on the assets.

QUESTION NO: 416

A team conducting a risk analysis is having difficulty projecting the financial losses that
could result from a risk. To evaluate the potential losses, the team should:

A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define exactly the loss amount.

Answer: C

Explanation: The common practice, when it is difficult to calculate the financial losses, is to
take a qualitative approach, in which the manager affected by the risk defines the financial
loss in terms of a weighted factor (e.g., one is a very low impact to the business and five is a
very high impact). An ROI is computed when there is predictable savings or revenues that
can be compared to the investment needed to realize the revenues. Amortization is used in
a profit and loss statement, not in computing potential losses. Spending the time needed to
define exactly the total amount is normally a wrong approach. If it has been difficult to
estimate potential losses (e.g., losses derived from erosion of public image due to a hack
attack), that situation is not likely to change, and at the end of the day, the result will be a
not well-supported evaluation.

QUESTION NO: 728

Minimum password length and password complexity verification are examples of:

A. detection controls.
B. control objectives.
C. audit objectives.
D. control procedures.

Answer: D

Explanation: Control procedures are practices established by management to achieve
specific control objectives. Password controls are preventive controls, not detective
controls. Control objectives are declarations of expected results from implementing controls
and audit objectives are the specific goals of an audit.

QUESTION NO: 51

What type of approach to the development of organizational policies is often driven by risk
assessment?

A. Bottom-up
B. Top-down
C. Comprehensive
D. Integrated

Answer: B

Explanation: A bottom-up approach to the development of organizational policies is
often driven by risk assessment.


QUESTION NO: 130

______________ risk analysis is not always possible because the IS auditor is attempting to
calculate risk using nonquantifiable threats and potential losses. In this event, a
______________ risk assessment is more appropriate. Fill in the blanks.

A. Quantitative; qualitative
B. Qualitative; quantitative
C. Residual; subjective
D. Quantitative; subjective

Answer: A

Explanation: Quantitative risk analysis is not always possible because the IS auditor is
attempting to calculate risk using nonquantifiable threats and potential losses. In this event,
a qualitative risk assessment is more appropriate.

QUESTION NO: 157

What process allows IS management to determine whether the activities of the
organization differ from the planned or expected levels? Choose the BEST answer.

A. Business impact assessment
B. Risk assessment
C. IS assessment methods
D. Key performance indicators (KPIs)

Answer: C

Explanation: IS assessment methods allow IS management to determine whether the
activities of the organization differ from the planned or expected levels.

QUESTION NO: 243

Overall business risk for a particular threat can be expressed as:

A. a product of the probability and magnitude of the impact if a threat successfully exploits a
vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.

Answer: A

Explanation: Choice A takes into consideration the likelihood and magnitude of the impact
and provides the best measure of the risk to an asset. Choice B provides only the likelihood
of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the
possible damage to the asset. Similarly, choice C considers only the magnitude of the
damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the
risk on an arbitrary basis and is not suitable for a scientific risk management process.

QUESTION NO: 247

The MAJOR advantage of the risk assessment approach over the baseline approach to
information security management is that it ensures:

A. information assets are overprotected.
B. a basic level of protection is applied regardless of asset value.
C. appropriate levels of protection are applied to information assets.
D. an equal proportion of resources are devoted to protecting all information assets.

Answer: C

Explanation: Full risk assessment determines the level of protection most appropriate to a
given level of risk, while the baseline approach merely applies a standard set of protection
regardless of risk. There is a cost advantage in not overprotecting information. However, an
even bigger advantage is making sure that no information assets are over- or underprotected.
The risk assessment approach will ensure an appropriate level of
protection is applied, commensurate with the level of risk and asset value and, therefore,
considering asset value. The baseline approach does not allow more resources to be
directed toward the assets at greater risk, rather than equally directing resources to all
assets.


QUESTION NO: 256

An IS auditor is evaluating management's risk assessment of information systems. The IS
auditor should FIRST review:

A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the risks related to the assets.
D. the threats/vulnerabilities affecting the assets.

Answer: D

Explanation: One of the key factors to be considered while assessing the risks related to the
use of various information systems is the threats and vulnerabilities affecting the assets. The
risks related to the use of information assets should be evaluated in isolation from the
installed controls. Similarly, the effectiveness of the controls should be considered during
the risk mitigation stage and not during the risk assessment phase. A mechanism to
continuously monitor the risks related to assets should be put in place during the risk
monitoring function that follows the risk assessment phase.


QUESTION NO: 367

The advantage of a bottom-up approach to the development of organizational policies is
that the policies:

A. are developed for the organization as a whole.
B. are more likely to be derived as a result of a risk assessment.
C. will not conflict with overall corporate policy.
D. ensure consistency across the organization.

Answer: B

Explanation: A bottom-up approach begins by defining operational-level requirements and
policies, which are derived and implemented as the result of risk assessments. Enterprise-
level policies are subsequently developed based on a synthesis of existing operational
policies. Choices A, C and D are advantages of a top-down approach for developing
organizational policies. This approach ensures that the policies will not be in conflict with
overall corporate policy and ensures consistency across the organization.

QUESTION NO: 396

Which of the following BEST supports the prioritization of new IT projects?

A. Internal control self-assessment (CSA)
B. Information systems audit
C. Investment portfolio analysis
D. Business risk assessment

Answer: C

Explanation: It is most desirable to conduct an investment portfolio analysis, which will
present not only a clear focus on investment strategy, but will provide the rationale for
terminating nonperforming IT projects. Internal control self-assessment (CSA) may highlight
noncompliance to the current policy, but may not necessarily be the best source for driving
the prioritization of IT projects. Like internal CSA, IS audits may provide only part of the
picture for the prioritization of IT projects. Business risk analysis is part of the investment
portfolio analysis but, by itself, is not the best method for prioritizing new IT projects.

QUESTION NO: 368

Which of the following is the GREATEST risk of an inadequate policy definition for ownership
of data and systems?

A. User management coordination does not exist.
B. Specific user accountability cannot be established.
C. Unauthorized users may have access to originate, modify or delete data.
D. Audit recommendations may not be implemented.

Answer: C

Explanation: Without a policy defining who has the responsibility for granting access to
specific systems, there is an increased risk that one could gain (be given) system access
when they should not have authorization. By assigning authority to grant access to specific
users, there is a better chance that business objectives will be properly supported.

QUESTION NO: 418

Assessing IT risks is BEST achieved by:

A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organizations.
D. reviewing IT control weaknesses identified in audit reports.

Answer: A

Explanation: To assess IT risks, threats and vulnerabilities need to be evaluated using
qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially
useful inputs to the risk assessment process, but by themselves are not sufficient. Basing an
assessment on past losses will not adequately reflect inevitable changes to the firm's IT
assets, projects, controls and strategic environment. There are also likely to be problems
with the scope and quality of the loss data available to be assessed. Comparable
organizations will have differences in their IT assets, control environment and strategic
circumstances. Therefore, their loss experience cannot be used to directly assess
organizational IT risk. Control weaknesses identified during audits will be relevant in
assessing threat exposure and further analysis may be needed to assess threat probability.
Depending on the scope of the audit coverage, it is possible that not all of the critical IT
assets and projects will have recently been audited, and there may not be a sufficient
assessment of strategic IT risks.

QUESTION NO: 421

An IS auditor reviewing the risk assessment process of an organization should FIRST:

A. identify the reasonable threats to the information assets.
B. analyze the technical and organizational vulnerabilities.
C. identify and rank the information assets.
D. evaluate the effect of a potential security breach.

Answer: C

Explanation: Identification and ranking of information assets (e.g., data criticality, locations
of assets) will set the tone or scope of how to assess risk in relation to the organizational
value of the asset. Second, the threats facing each of the organization's assets should be
analyzed according to their value to the organization. Third, weaknesses should be
identified so that controls can be evaluated to determine if they mitigate the weaknesses.
Fourth, analyze how these weaknesses, in absence of given controls, would impact the
organization's information assets.

QUESTION NO: 556

When reviewing an organization's approved software product list, which of the following is
the MOST important thing to verify?

A. The risks associated with the use of the products are periodically assessed.
B. The latest version of software is listed for each product.
C. Due to licensing issues the list does not contain open source software.
D. After hours support is offered.

Answer: A

Explanation: Since the business conditions surrounding vendors may change, it is important
for an organization to conduct periodic risk assessments of the vendor software list. This
might be best incorporated into the IT risk management process. Choices B, C and D are
possible considerations but would not be the most important.

QUESTION NO: 1019

When developing a business continuity plan (BCP), which of the following tools should be
used to gain an understanding of the organization's business processes?

A. Business continuity self-audit
B. Resource recovery analysis
C. Risk assessment
D. Gap analysis

Answer: C

Explanation: Risk assessment and business impact assessment are tools for understanding
the business for business continuity planning. Business continuity self-audit is a tool for
evaluating the adequacy of the BCP, resource recovery analysis is a tool for identifying a
business resumption strategy, while
