Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 131

  1. Which of the following would be the BEST population to take a sample from when testing program changes?

    • Test library listings
    • Source program listings
    • Program change requests
    • Production library listings

    The best source from which to draw any sample or test of system information is the automated system. The production libraries represent executables that are approved and authorized to process organizational data. Source program listings would be timeintensive. Program change requests are the documents used to initiate change; there is no guarantee that the request has been completed for all changes. Test library listings do not represent the approved and authorized executables.

  2. An integrated test facility is considered a useful audit tool because it:

    • is a cost-efficient approach to auditing application controls.
    • enables the financial and IS auditors to integrate their audit tests.
    • compares processing output with independently calculated data.
    • provides the IS auditor with a tool to analyze a large range of information
    An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. This involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy.
  3. Data flow diagrams are used by IS auditors to:

    • order data hierarchically.
    • highlight high-level data definitions.
    • graphically summarize data paths and storage.
    • portray step-by-step details of data generation.
    Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.
  4. Which of the following forms of evidence for the auditor would be considered the MOST reliable?

    • An oral statement from the auditee
    • The results of a test performed by an IS auditor
    • An internally generated computer accounting report
    • A confirmation letter received from an outside source
    Evidence obtained from outside sources is usually more reliable than that obtained from within the organization. Confirmation letters received from outside parties, such as those used to verify accounts receivable balances, are usually highly reliable. Testing performed by an auditor may not be reliable, if the auditor did not have a good understanding of the technical area under review.
  5. An IS auditor reviews an organizational chart PRIMARILY for:

    • an understanding of workflows.
    • investigating various communication channels.
    • understanding the responsibilities and authority of individuals.
    • investigating the network connected to different employees.
    An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.
  6. An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review?

    • Availability of online network documentation
    • Support of terminal access to remote hosts
    • Handling file transfer between hosts and interuser communications
    • Performance management, audit and control
    Network operating system user features include online availability of network documentation. Other features would be user access to various resources of network hosts, user authorization to access particular resources, and the network and host computers used without special user actions or commands. Choices B, C and D are examples of network operating systems functions.
  7. An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:

    • evaluate the record retention plans for off-premises storage.
    • interview programmers about the procedures currently being followed.
    • compare utilization records to operations schedules.
    • review data file access records to test the librarian function.
    Asking programmers about the procedures currently being followed is useful in determining whether access to program documentation is restricted to authorized persons. Evaluating the record retention plans for off-premises storage tests the recovery procedures, not the
    access control over program documentation. Testing utilization records or data files will not address access security over program documentation.
  8. Which of the following is an advantage of an integrated test facility (ITF)?

    • It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.
    • Periodic testing does not require separate test processes.
    • It validates application systems and tests the ongoing operation of the system.
    • The need to prepare test data is eliminated.
    An integrated test facility creates a factitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.
  9. An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?

    • Design further tests of the calculations that are in error.
    • Identify variables that may have caused the test results to be inaccurate.
    • Examine some of the test cases to confirm the results.
    • Document the results and prepare a report of findings, conclusions and recommendations.
    An IS auditor should next examine cases where incorrect calculations occurred and confirm the results. After the calculations have been confirmed, further tests can be conducted and reviewed. Report preparation, findings and recommendations would not be made until all results are confirmed.
  10. The BEST method of proving the accuracy of a system tax calculation is by:

    • detailed visual review and analysis of the source code of the calculation programs
    • recreating program logic using generalized audit software to calculate monthly totals.
    • preparing simulated transactions for processing and comparing the results to predetermined results.
    • automatic flowcharting and analysis of the source code of the calculation programs.
    Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for proving accuracy of a tax calculation. Detailed visual review, flowcharting and analysis of source code are not effective methods, and monthly totals would not address the accuracy of individual tax calculations.
  11. An IS auditor performing a review of an application’s controls would evaluate the:

    • efficiency of the application in meeting the business processes.
    • impact of any exposures discovered.
    • business processes served by the application.
    • application’s optimization.
    An application control review involves the evaluation of the application’s automated controls and an assessment of any exposures resulting from the control weaknesses. The other choices may be objectives of an application audit but are not part of an audit restricted to a review of controls.
  12. In an audit of an inventory application, which approach would provide the BEST evidence that purchase orders are valid?

    • Testing whether inappropriate personnel can change application parameters
    • Tracing purchase orders to a computer listing
    • Comparing receiving reports to purchase order details
    • Reviewing the application documentation
    To determine purchase order validity, testing access controls will provide the best evidence. Choices B and C are based on after-the-fact approaches, while choice D does not serve the purpose because what is in the system documentation may not be the same as what is happening.
  13. Which of the following online auditing techniques is most effective for the early detection of errors or irregularities?

    • Embedded audit module
    • Integrated test facility
    • Snapshots
    • Audit hooks
    The audit hook technique involves embedding code in application systems for the examination of selected transactions. This helps an IS auditor to act before an error or an irregularity gets out of hand. An embedded audit module involves embedding specially-written software in the organization’s host application system so that application systems are monitored on a selective basis. An integrated test facility is used when it is not practical to use test data, and snapshots are used when an audit trail is required.
  14. When assessing the design of network monitoring controls, an IS auditor should FIRST review network:

    • topology diagrams.
    • bandwidth usage.
    • traffic analysis reports.
    • bottleneck locations.
    The first step in assessing network monitoring controls should be the review of the adequacy of network documentation, specifically topology diagrams. If this information is not up to date, then monitoring processes and the ability to diagnose problems will not be effective.
  15. While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor’s next step?

    • Observe the response mechanism.
    • Clear the virus from the network.
    • Inform appropriate personnel immediately.
    • Ensure deletion of the virus.
    The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response. Choice A should be taken after choice
    C. This will enable an IS auditor to examine the actual workability and effectiveness of the response system. An IS auditor should not make changes to the system being audited, and ensuring the deletion of the virus is a management responsibility.
  16. A substantive test to verify that tape library inventory records are accurate is:

    • determining whether bar code readers are installed.
    • determining whether the movement of tapes is authorized.
    • conducting a physical count of the tape inventory.
    • checking if receipts and issues of tapes are accurately recorded.
    A substantive test includes gathering evidence to evaluate the integrity of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test. Choices A, B and D are compliance tests.
  17. When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with:

    • analysis.
    • evaluation.
    • preservation.
    • disclosure.
    Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when conducting an investigation. Failure to properly preserve the evidence could jeopardize the acceptance of the evidence in legal proceedings. Analysis, evaluation and disclosure are important but not of primary concern in a forensic investigation.
  18. An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:

    • conclude that the controls are inadequate.
    • expand the scope to include substantive testing
    • place greater reliance on previous audits.
    • suspend the audit.
    If the answers provided to an IS auditor’s questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests. There is no evidence that whatever controls might exist are either inadequate or adequate. Placing greater reliance on previous audits or suspending the audit are inappropriate actions as they provide no current knowledge of the adequacy of the existing controls.
  19. An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:

    • professional independence
    • organizational independence.
    • technical competence.
    • professional competence.
    When an IS auditor recommends a specific vendor, they compromise professional independence. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical and professional competence is not relevant to the requirement of independence.
  20. The PRIMARY reason an IS auditor performs a functional walkthrough during the preliminary phase of an audit assignment is to:

    • understand the business process.
    • comply with auditing standards.
    • identify control weakness.
    • plan substantive testing.
    Understanding the business process is the first step an IS auditor needs to perform. Standards do not require an IS auditor to perform a process walkthrough. Identifying control weaknesses is not the primary reason for the walkthrough and typically occurs at a later stage in the audit, while planning for substantive testing is performed at a later stage in the audit.