CISA - Certified Information Systems Auditor IS Audit Planning Questions and Answers

Question 1

An IS auditor is developing a risk-based audit plan. Which of the following is the FIRST step the auditor should perform?

Accepted Answer

Identify the organization's critical assets and business processes.

Answer

Review the findings and workpapers from the previous year's audit.

Answer

Develop the audit scope and objectives for specific high-risk areas.

Answer

Interview senior management to understand their perspective on risk.

Question 2

During the audit planning phase for a financial institution, an IS auditor discovers that a new online banking platform was implemented without a formal risk assessment. Which of the following is the MOST appropriate action for the auditor to take?

Accepted Answer

Expand the audit scope to include a thorough risk assessment of the new platform.

Answer

Immediately report a significant finding of non-compliance to the audit committee.

Answer

Proceed with the original audit plan but note the lack of a risk assessment in the final report.

Answer

Recommend that management commission an independent risk assessment post-implementation.

Question 3

Which of the following is the PRIMARY purpose of an IS audit charter?

Accepted Answer

To establish the authority, scope, and responsibilities of the IS audit function.

Answer

To document the detailed audit procedures and testing methodologies.

Answer

To outline the annual budget and resource allocation for the IS audit function.

Answer

To list the specific systems and applications to be audited during the fiscal year.

Question 4

In a risk-based audit approach, the IS auditor's decisions on the nature, timing, and extent of testing should be PRIMARILY based on the:

Accepted Answer

assessment of inherent and control risks.

Answer

availability of skilled audit staff and resources.

Answer

complexity of the organization's IT environment.

Answer

previous year's audit findings and recommendations.

Question 5

When planning an IS audit, an auditor should review the organization's IT policies, standards, and procedures to:

Accepted Answer

understand the control environment and established control objectives.

Answer

design specific substantive tests to detect fraud.

Answer

determine the required sample sizes for compliance testing.

Answer

evaluate the technical competence of the IT staff.

Question 6

An IS auditor is planning to audit a cloud-based customer relationship management (CRM) system. Which of the following is the MOST important initial step?

Accepted Answer

Requesting and reviewing the Service Organization Control (SOC) 2 report from the cloud vendor.

Answer

Conducting a vulnerability scan of the cloud provider's infrastructure.

Answer

Interviewing the organization's sales team to understand their use of the CRM.

Answer

Verifying the encryption standards used for data in transit to the cloud provider.