Information System Auditing Process for CISA
This page covers the Information System Auditing Process domain of the CISA certification. Master Cybersecurity offers 318 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?
- A. Ensure ownership is assigned.
- B. Test corrective actions upon completion.
- C. Ensure sufficient audit resources are allocated.
- D. Communicate audit results organization-wide.
Explanation
The correct answer is: A. Ensure ownership is assigned.
Ensuring ownership is assigned is the most effective lever for implementation because action plans without a named owner reliably go undone; assigning a single accountable person tied to a target date is the foundation of every functioning remediation program. Testing corrective actions upon completion is a verification step that follows implementation; it cannot drive whether implementation actually happens. Ensuring sufficient audit resources are allocated supports follow-up activity but does not motivate the auditee to act on its own commitments. Communicating audit results organization-wide can apply social pressure but is no substitute for assigning operational responsibility; broad communication can also create defensiveness without changing who is actually responsible. Ownership is the structural mechanism that produces consistent follow-through.
Question 2
An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
- A. a clear business case has been established.
- B. the new hardware meets established security standards.
- C. a full, visible audit trail will be included.
- D. the implementation plan meets user requirements.
Explanation
The correct answer is: A. a clear business case has been established.
A clear business case is the primary concern when auditing a proposed hardware acquisition because it is the foundation that justifies the spend, links the purchase to strategic objectives, and sets the expected benefits against which a post-implementation review will measure success; without it, every downstream control is misdirected. New hardware meeting established security standards is important but presupposes that the acquisition is justified at all; security follows business need. A full, visible audit trail concerns the operational controls of the hardware once in use, not the decision to acquire it. The implementation plan meeting user requirements addresses deployment quality, again a downstream concern; if the business case is weak, even a well-executed deployment delivers little value, which is why auditors anchor on the case first.
Question 3
Upon completion of audit work, an IS auditor should:
- A. provide a report to the auditee stating the initial findings.
- B. provide a report to senior management prior to discussion with the auditee.
- C. distribute a summary of general findings to the members of the auditing team.
- D. review the working papers with the auditee.
Explanation
The correct answer is: D. review the working papers with the auditee.
Reviewing the working papers with the auditee upon completion of audit work is the right action because the review ensures the auditee has seen the basis for conclusions, agrees with the facts, and can supply any missing context before reports are issued, supporting the no-surprises principle in ISACA Standard 1401. Providing a report to the auditee stating initial findings before review skips the validation step. Providing a report to senior management before discussion with the auditee bypasses the auditee's chance to respond, often producing disputes that could have been resolved earlier. Distributing a summary of general findings to the audit team is an internal step and not a substitute for engagement with the auditee. Working-paper review with the auditee is the structural quality gate before reporting.
Question 4
During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same areas simultaneously, which of the following is the BEST approach to optimize resources?
- A. Leverage the work performed by external audit for the internal audit testing.
- B. Ensure both the internal and external auditors perform the work simultaneously.
- C. Roll forward the general controls audit to the subsequent audit year.
- D. Request that the external audit team leverage the internal audit work.
Explanation
The correct answer is: A. Leverage the work performed by external audit for the internal audit testing.
Leveraging the work performed by external audit for internal audit testing is the best approach in a simultaneous high-risk engagement because relying on the work of other experts under ISACA Standard 1206, once their independence and competence have been confirmed, lets internal audit focus its resources on areas the external auditors do not cover. Having both teams perform the same work simultaneously duplicates effort and increases the burden on the auditee. Rolling forward the audit to the next year defers needed assurance over a high-risk area. Requesting that the external team leverage internal audit work inverts the normal reliance flow and is not generally how external auditors scope their work; their methodology and independence requirements typically limit reliance on internal audit for their financial-statement opinion. Internal reliance on external work, properly evaluated, is the efficient pattern.
Question 5
Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process?
- A. Securing information assets in accordance with the classification assigned
- B. Validating that assets are protected according to assigned classification
- C. Ensuring classification levels align with regulatory guidelines
- D. Defining classification levels for information assets within the organization
Explanation
The correct answer is: B. Validating that assets are protected according to assigned classification.
Validating that assets are protected according to their assigned classification is the primary role of the IS auditor in the information-classification process because audit's job is to provide independent assurance over the operation of management's classification scheme, not to perform classification work itself. Securing information assets in accordance with their classification is operational and belongs to the security and IT operations teams. Ensuring classification levels align with regulatory guidelines is a management responsibility that audit can evaluate but should not perform; doing so would create a self-review threat at the next assessment. Defining classification levels for assets is management's responsibility, typically the data owner's; auditors must remain outside the classification decision to evaluate it objectively, which is why validation, not definition, is the auditor's role.
Other CISA domains
- Governance and Management of IT (293 questions)
- Information Systems Acquisition, Development and Implementation (276 questions)
- Information Systems Operations and Business Resilience (360 questions)
- Protection of Information Assets (576 questions)