CISA模拟625道题

《CISA模拟625道题》由会员分享，可在线阅读，更多相关《CISA模拟625道题（328页珍藏版）》请在装配图网上搜索。

1、1. The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?A. Test dataB. Generalized audit softwareC. Integrated test facilityD. Embedded audit moduleThe correct answer is:B

2、. Generalized audit softwareYou answered correctly.Explanation:Generalized audit software features include mathematical computations, stratification层化, 成层, 阶层的形成, statistical analysis, sequence checking, duplicate checking and recomputations. The IS auditor, using generalized audit software, could d

3、esign appropriate tests to recompute the payroll and, thereby, determine if there were overpayments and to whom they were made. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations. 误算, 估错 Neither an integrated

4、综合的, 完整的test facility nor an embedded audit module would detect errors for a previous period.Area: 12. Reviewing managements long-term strategic plans helps the IS auditor:A. gain an understanding of an organizations goals and objectives.B. test the enterprises internal controls.C. assess the organi

5、zations reliance on information systems.D. determine the number of audit resources needed.The correct answer is:A. gain an understanding of an organizations goals and objectives.You did not answer the question.Explanation:Strategic planning sets corporate or departmental objectives into motion. Stra

6、tegic planning is time- and project-oriented, but must also address and help determine priorities to meet business needs. Reviewing long-term strategic plans would not achieve the objectives expressed by the other choices.Area: 13. During a security audit of IT processes, an IS auditor found that th

7、ere were no documented security procedures. The IS auditor should:A. create the procedures document.B. terminate the audit.C. conduct compliance testing.D. identify and evaluate existing practices.The correct answer is:D. identify and evaluate existing practices.You did not answer the question.Expla

8、nation:One of the main objectives of an audit is to identify potential risks; therefore, the most proactive心理前摄的approach would be to identify and evaluate the existing security practices being followed by the organization. An IS auditor should not prepare documentation, and if they did, their indepe

9、ndence could be jeopardized. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.Area: 14. The traditional role of an IS auditor in a contr

10、ol self-assessment (CSA) should be that of:A. facilitator.B. manager.C. partner.D. stakeholder.The correct answer is:A. facilitator.You did not answer the question.Explanation:When CSA programs are established, IS auditors become internal control professionals and assessment facilitators. IS auditor

11、s are the facilitators and the client (management and staff) is the participant in the CSA process. During a CSA workshop, instead of the IS auditor performing detailed audit procedures, they should lead and guide the clients in assessing their environment. Choices B, C and D should not be roles of

12、the IS auditor. These roles are more appropriate for the client.Area: 15. When communicating audit results, IS auditors should remember that ultimately they are responsible to:A. senior management and/or the audit committee.B. the manager of the audited entity.C. the IS audit director.D. legal autho

13、rities.The correct answer is:A. senior management and/or the audit committee.You did not answer the question.Explanation:The IS auditor is ultimately responsible to senior management and the audit committee of the board of directors. Even though the IS auditor should discuss the findings with the ma

14、nagement staff of the audited entity (choice B), this is done only to gain agreement on the findings and to develop a course of corrective action. Choice C is incorrect because the IS audit director should review the report that the IS auditor prepared, but is not the person who will make the decisi

15、ons regarding the findings and their potential consequences. Choice D is incorrect because the responsibility for reporting to legal authorities would rest with the board of directors and their legal counselors.Area: 16. An IS auditor is evaluating managements risk assessment of information systems.

16、 The IS auditor should FIRST review:A. the controls already in place.B. the effectiveness of the controls in place.C. the mechanism for monitoring the risks related to the assets.D. the threats/vulnerabilities affecting the assets.The correct answer is:D. the threats/vulnerabilities affecting the as

17、sets.You did not answer the question.Explanation:One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isol

18、ation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risks related to assets should be put in place during the risk monitoring function t

19、hat follows the risk assessment phase.Area: 17. In planning an audit, the MOST critical step is the identification of the:A. areas of high risk.B. skill sets of the audit staff.C. test steps in the audit.D. time allotted for the audit.The correct answer is:A. areas of high risk.You did not answer th

20、e question.Explanation:When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding and selecting the audit. Test steps for the audit are not as critical as iden

21、tifying the areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are primarily selected based on the identification of risks.Area: 18. Which of the following is the GREATEST challenge in using test data?A. Ensuring the program version tested is the same a

22、s the production programB. Creating test data that covers all possible valid and invalid conditionsC. Minimizing the impact of additional transactions on the application being testedD. Processing the test data under an auditors supervisionThe correct answer is:B. Creating test data that covers all p

23、ossible valid and invalid conditionsYou did not answer the question.Explanation:The effectiveness of test data is determined by the comprehensiveness of the coverage of all the key controls to be tested. If the test data does not cover all valid and invalid conditions, there is a risk that relevant

24、control weakness may remain undetected. Changes in the program, for the period covered under audit, may have been done to remove bugs or for additional functionalities. However, as the test data approach involves testing of data for the audit period, changes in the program tested may have minimal im

25、pact. Applications with current technology are usually not impacted by additional transactions. Test data is developed by the auditor; however, it is not necessary that processing be under an auditors supervision, since the input data will be verified by the outputs.Area: 19. Overall business risk f

26、or a particular threat can be expressed as:A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.B. the magnitude of the impact should a threat source successfully exploit the vulnerability.C. the likelihood of a given threat source exploiting

27、a given vulnerability.D. the collective judgment of the risk assessment team.The correct answer is:A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.You did not answer the question.Explanation:Choice A takes into consideration both the like

28、lihood and magnitude大小, 数量, 巨大, 广大, 量级of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers o

29、nly the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.Area: 110. Which of the following is a substantive独立存在的, 真实的, 有实质的, 大量的, 巨额的test?A. Checking a

30、list of exception reportsB. Ensuring approval for parameter changesC. Using a statistical sample to inventory the tape libraryD. Reviewing password history reportsThe correct answer is:C. Using a statistical sample to inventory the tape libraryYou did not answer the question.Explanation:A substantiv

31、e test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of ex

32、ception reports, reviewing authorization for changing parameters and reviewing password history reports are all compliance tests.Area: 111. Which of the following should be the FIRST step of an IS audit?A. Create a flowchart of the decision branches.B. Gain an understanding of the environment under

33、review.C. Perform a risk assessment.D. Develop the audit plan.The correct answer is:B. Gain an understanding of the environment under review.You did not answer the question.Explanation:An auditor needs to gain an understanding of the processes prior to creating a flowchart. Based on the scope of the

34、 audit, the IS auditor should gain an understanding of the environment under review, and then carry out a risk assessment. Finally, on the basis of understanding the environment under review and the risk assessment, the IS auditor should prepare an audit plan.Area: 112. The use of statistical sampli

35、ng procedures helps minimize:A. sampling risk.B. detection risk.C. inherent risk.D. control risk.The correct answer is:B. detection risk.You did not answer the question.Explanation:Detection risk is the risk that the IS auditor uses an inadequate test procedure and concludes that material errors do

36、not exist, when in fact they do. Using statistical sampling, an IS auditor can quantify how closely the sample should represent the population and quantify the probability of error. Sampling risk is the risk that incorrect assumptions will be made about the characteristics of a population from which

37、 a sample is selected. Assuming there are no related compensating controls, inherent risk is the risk that an error exists, which could be material or significant when combined with other errors found during the audit. Statistical sampling will not minimize this. Control risk is the risk that a mate

38、rial error exists, which will not be prevented or detected on a timely basis by the system of internal controls. This cannot be minimized using statistical sampling.Area: 113. Which of the following is a benefit of a risk-based approach to audit planning? Audit:A. scheduling may be performed months

39、in advance.B. budgets are more likely to be met by the IS audit staff.C. staff will be exposed to a variety of technologies.D. resources are allocated to the areas of highest concern.The correct answer is:D. resources are allocated to the areas of highest concern.You did not answer the question.Expl

40、anation:The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a

41、direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.Area: 114. Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The audit

42、or should:A. include the finding in the final report because the IS auditor is responsible for an accurate report of all findings.B. not include the finding in the final report because the audit report should include only unresolved findings.C. not include the finding in the final report because cor

43、rective action can be verified by the IS auditor during the audit.D. include the finding in the closing meeting for discussion purposes only.The correct answer is:A. include the finding in the final report because the IS auditor is responsible for an accurate report of all findings.You did not answe

44、r the question.Explanation:Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the si

45、tuation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.Area: 115. The PRIMARY objective of an IS audit function is to:A. determine whether everyone uses IS resources according to their job description.B. determine whether informati

46、on systems safeguard assets, and maintain data integrity.C. examine books of accounts and relative documentary evidence for the computerized system.D. determine the ability of the organization to detect fraud.The correct answer is:B. determine whether information systems safeguard assets, and mainta

47、in data integrity.You did not answer the question.Explanation:The primary reason for conducting IS audits is to determine whether a system safeguards assets and maintains data integrity. Examining books of accounts is one of the processes involved in IS audit, but it is not the primary purpose. Dete

48、cting frauds could be a result of an IS audit but is not the purpose for which an IS audit is performed.Area: 116. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, an IS auditor should: A. identify and assess the risk assessment process u

49、sed by management.B. identify information assets and the underlying systems.C. disclose the threats and impacts to management.D. identify and evaluate the existing controls.The correct answer is:D. identify and evaluate the existing controls.You did not answer the question.Explanation:It is importan

50、t for an IS auditor to identify and evaluate the existing controls and security once the potential threats and possible impacts are identified. Upon completion of an audit an IS auditor should describe and discuss with management the threats and potential impacts on the assets.Area: 117. Which of th

51、e following should be of MOST concern to an IS auditor?A. Lack of reporting of a successful attack on the networkB. Failure to notify police of an attempted intrusionC. Lack of periodic examination of access rightsD. Lack of notification to the public of an intrusionThe correct answer is:A. Lack of

52、reporting of a successful attack on the networkYou did not answer the question.Explanation:Not reporting an intrusion is equivalent to an IS auditor hiding a malicious intrusion, which would be a professional mistake. Although notification to the police may be required and the lack of a periodic exa

53、mination of access rights might be a concern, they do not represent as big a concern as the failure to report the attack. Reporting to the public is not a requirement and is dependent on the organizations desire, or lack thereof, to make the intrusion known.Area: 118. Which of the following is an IS

54、 control objective?A. Output reports are locked in a safe place.B. Duplicate transactions do not occur.C. System backup/recovery procedures are updated periodically.D. System design and development meet users requirements.The correct answer is:B. Duplicate transactions do not occur.You did not answe

55、r the question.Explanation:Preventing duplicate transactions is a control objective. Having output reports locked in a safe place is an internal accounting control system, backup/recovery procedures are an operational control, and system design and development meeting user requirement is an administ

56、rative control.Area: 119. A key element in a risk analysis is/are:A. audit planning.B. controls.C. vulnerabilities.D. liabilities.The correct answer is:C. vulnerabilities.You did not answer the question.Explanation:Vulnerabilities弱点, 攻击are a key element in the conduct of a risk analysis. Audit plann

57、ing consists of short- and longterm processes that may detect threats to the information assets. Controls mitigate risks associated with specific threats. Liabilities are part of business and are not inherently a risk.Area: 120. An audit charter should:A. be dynamic and change often to coincide with

58、 the changing nature of technology and the audit profession.B. clearly state audit objectives for the delegation of authority for the maintenance and review of internal controls.C. document the audit procedures designed to achieve the planned audit objectives.D. outline the overall authority, scope

59、and responsibilities of the audit function.The correct answer is:D. outline the overall authority, scope and responsibilities of the audit function.You did not answer the question.Explanation:An audit charter should state managements objectives for, and delegation of authority to, IS audit. This cha

60、rter should not significantly change over time and should be approved at the highest level of management. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.Area: 121. During a review of the controls over the process of definin

61、g IT service levels, an IS auditor would MOST likely interview the:A. systems programmer.B. legal staff.C. business unit manager.D. application programmer.The correct answer is:C. business unit manager.You did not answer the question.Explanation:Understanding the business requirements is key in defi

62、ning the service levels. While each of the other entities listed may provide some definition, the best choice here is the business unit manager because of the knowledge this person has of the requirements of the organization.Area: 122. In a risk-based audit approach, an IS auditor, in addition to ri

63、sk, would be influenced by:A. the availability of CAATs.B. managements representation.C. organizational structure and job responsibilities.D. the existence of internal and operational controlsThe correct answer is:D. the existence of internal and operational controlsYou did not answer the question.E

64、xplanation:The existence of internal and operational controls will have a bearing on the IS auditors approach to the audit. In a risk-based approach, the IS auditor is not just relying on risk, but also on internal and operational controls as well as knowledge of the company and the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices. The nature of available testing techniq