CISA - Certified Information Systems Auditor IS Audit Planning Questions and Answers

Question 1

An IS auditor is developing a risk-based audit plan. Which of the following is the FIRST step the auditor should perform?

Accepted Answer

Identify the organization's critical assets and business processes.

Answer

The foundational step in a risk-based audit approach is to understand what is most important to the organization. By identifying critical assets and key business processes, the auditor can then effectively assess the threats and vulnerabilities associated with them to determine areas of highest risk.

Question 2

During the audit planning phase for a financial institution, an IS auditor discovers that a new online banking platform was implemented without a formal risk assessment. Which of the following is the MOST appropriate action for the auditor to take?

Accepted Answer

Expand the audit scope to include a thorough risk assessment of the new platform.

Answer

The discovery of a significant change to the IT environment, especially one implemented without a risk assessment, requires the auditor to adjust the audit plan. Expanding the scope to assess the risks associated with the new platform is the most proactive and responsible action to ensure potential vulnerabilities are identified and evaluated.

Question 3

Which of the following is the PRIMARY purpose of an IS audit charter?

Accepted Answer

To establish the authority, scope, and responsibilities of the IS audit function.

Answer

The audit charter is a high-level document that establishes the authority, independence, scope, and overall responsibility of the audit function. It is approved by the highest level of management and the audit committee and provides the foundation for all audit activities.

Question 4

In a risk-based audit approach, the IS auditor's decisions on the nature, timing, and extent of testing should be PRIMARILY based on the:

Accepted Answer

assessment of inherent and control risks.

Answer

A risk-based approach requires the auditor to focus resources on areas with the greatest potential for material misstatement or control failure. The assessment of inherent risk (the susceptibility of an area to error) and control risk (the risk that controls will fail to prevent or detect an error) is the key driver for determining how, when, and how much testing is needed.

Question 5

When planning an IS audit, an auditor should review the organization's IT policies, standards, and procedures to:

Accepted Answer

understand the control environment and established control objectives.

Answer

Reviewing governance documents like policies, standards, and procedures gives the auditor a clear understanding of management's intent and the established control framework. This forms the basis for evaluating the adequacy and effectiveness of internal controls.

CISA - Certified Information Systems Auditor Practice Test

CISA - Certified Information Systems Auditor Practice Test

CISA - Certified Information Systems Auditor IS Audit Planning Questions and Answers