Ensurepass

 

QUESTION 241

During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:

 

A. test data to validate data input.

B. test data to determine system sort capabilities.

C. generalized audit software to search for address field duplications.

D. generalized audit software to search for account field duplications.

 

Correct Answer: C

Explanation:

Since the name is not the same (due to name variations), one method to detect duplications would be to compare other common fields, such as addresses. A subsequent review to determine common customer names at these addresses could then be conducted. Searching for duplicate account numbers would not likely find duplications, since customers would most likely have different account numbers for each variation. Test data would not be useful to detect the extent of any data characteristic, but simply to determine how the data were processed.

 

 

 

 

 

 

QUESTION 242

The PRIMARY reason an IS auditor performs a functional walkthrough during the preliminary phase of an audit assignment is to:

 

A. understand the business process.

B. comply with auditing standards.

C. identify control weakness.

D. plan substantive testing.

 

Correct Answer: A

Explanation:

Understanding the business process is the first step an IS auditor needs to perform. Standards do not require an IS auditor to perform a process walkthrough. Identifying control weaknesses is not the primary reason for the walkthrough and typically occurs at a later stage in the audit, while planning for substantive testing is performed at a later stage in the audit.

 

 

QUESTION 243

Which of the following is a benefit of a risk-based approach to audit planning? Audit:

 

A. scheduling may be performed months in advance.

B. budgets are more likely to be met by the IS audit staff.

C. staff will be exposed to a variety of technologies.

D. resources are allocated to the areas of highest concern.

 

Correct Answer: D

Explanation:

The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.

 

 

QUESTION 244

An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:

 

A. professional independence.

B. organizational independence.

C. technical competence.

D. professional competence.

 

Correct Answer: A

Explanation:

When an IS auditor recommends a specific vendor, they compromise professional independence. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical and professional competence is not relevant to the requirement of independence.

 

 

 

 

QUESTION 245

Which of the following is the key benefit of control self-assessment (CSA)?

 

A. Management ownership of the internal controls supporting business objectives is reinforced.

B. Audit expenses are reduced when the assessment results are an input to external audit work.

C. Improved fraud detection since internal business staff are engaged in testing controls.

D. Internal auditors can shift to a consultative approach by using the results of the assessment.

 

Correct Answer: A

Explanation:

The objective of control self-assessment is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. Reducing audit expenses is not a key benefit of control self-assessment (CSA). Improved fraud detection is important, but not as important as ownership, and is not a principal objective of CSA. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

 

 

QUESTION 246

The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?

 

A. Inherent

B. Detection

C. Control

D. Business

 

Correct Answer: B

Explanation:

Detection risks are directly affected by the auditor’s selection of audit procedures and techniques. Inherent risks are not usually affected by an IS auditor. Control risks are controlled by the actions of the company’s management. Business risks are not affected by an IS auditor.

 

 

QUESTION 247

The extent to which data will be collected during an IS audit should be determined based on the:

 

A. availability of critical and required information.

B. auditor’s familiarity with the circumstances.

C. auditee’s ability to find relevant evidence.

D. purpose and scope of the audit being done.

 

Correct Answer: D

Explanation:

The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor’s familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee’s ability to find relevant evidence.

 

 

 

 

QUESTION 248

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?

 

A. Recommend redesigning the change management process.

B. Gain more assurance on the findings through root cause analysis.

C. Recommend that program migration be stopped until the change process is documented.

D. Document the finding and present it to management.

 

Correct Answer: B

Explanation:

A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.

 

 

QUESTION 249

An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:

 

A. conclude that the controls are inadequate.

B. expand the scope to include substantive testing.

C. place greater reliance on previous audits.

D. suspend the audit.

 

Correct Answer: B

Explanation:

If the answers provided to an IS auditor’s questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests. There is no evidence that whatever controls might exist are either inadequate or adequate. Placing greater reliance on previous audits or suspending the audit are inappropriate actions as they provide no current knowledge of the adequacy of the existing controls.

 

 

QUESTION 250

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:

 

A. expand activities to determine whether an investigation is warranted.

B. report the matter to the audit committee.

C. report the possibility of fraud to top management and ask how they would like to proceed.

D. consult with external legal counsel to determine the course of action to be taken.

 

Correct Answer: A

Explanation:

An IS auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if the IS auditor has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.

 

Free VCE & PDF File for Isaca CISA Real Exam
