FREE Certified Information Systems Auditor MCQ Questions and Answers
Which of the following audit types would be suitable for a provider of financial services, like a payroll service?
Payroll, general accounting, expenditure management, and other financial service providers are the target audience for an SSAE18 audit.
The SSAE18 audit standard has replaced the outdated SAS70 audit standard, so the answer "SAS70" is incorrect. "AUP" is incorrect because an agreed-upon procedures audit is generic in nature rather than specific to financial services. "Sarbanes-Oxley" is incorrect because a Sarbanes-Oxley audit is meant for the financial business processes of a U.S. public company.
The management is starting to wonder about the timeline and completion of an audit project that is going far too long. This audit might be deficient in:
Despite the plausibility of each of these responses, the audit's project management should be the first item to be looked at to ensure that all stakeholders are aware of the audit's goals, timetable, necessary resources, and regular status updates.
"Cooperation from specific auditees" is incorrect: although plausible, there isn't enough evidence to support this inference. "Enough skilled auditors" is incorrect for the same reason: although plausible, there isn't enough evidence to support this inference. "Clearly specified scope and objectives" is likewise incorrect: although plausible, there isn't enough evidence to support this inference.
Can an auditor depend on the audit client's risk estimate for audit planning?
A certified external party's risk assessment can be used by the auditor to create a risk-based audit strategy. As a result, places with more risk will be investigated more thoroughly than ones with lower risk.
"Yes, in all cases" is incorrect, since there are specific circumstances in which an auditor cannot rely on a client's risk assessment, such as when the client's risk assessment was conducted by individuals who lacked the necessary qualifications or when there were indications of bias. "No, the auditor is required to conduct their own risk analysis" is incorrect because an auditor is not always required to conduct the risk assessment themselves; if it is sound, an external risk assessment can frequently be applied. "No, the auditor does not require a risk assessment to build an audit plan" is incorrect because a risk assessment will lead to a stronger, more risk-aware audit plan.
Which statement regarding the ISACA Audit Standards and Audit Guidelines is accurate?
All audit professionals must adhere to ISACA Audit Standards; doing so is a requirement for obtaining and maintaining the CISA certification.
The statement "ISACA Audit Standards are voluntary" is untrue because CISA holders must adhere to ISACA Audit Standards. The statement "ISACA Audit Recommendations are required" is untrue because these guidelines are merely useful suggestions for putting ISACA Audit Standards into practice. Because ISACA Audit Standards are required for all audits, the statement "ISACA Audit Standards are exclusively mandatory for SOX audits" is untrue. Despite this, there are frequently extra audit requirements for particular kinds of audits, like Sarbanes-Oxley (SOX), PCI-DSS, SSAE18, and others.
The user account request and fulfillment process is being audited by an auditor. The auditor cannot inspect every transaction in the event population because there are hundreds of them. A random sample of transactions and some of the transactions for privileged access requests are wanted by the auditor. This kind of sampling is referred to as:
The auditor wants to look at the population and choose a few transactions that are high-risk.
"Random sampling" is incorrect because some of the transactions are not being chosen at random, so it is not the proper name for this technique. "Stratified sampling" is incorrect because this is not an instance of stratified sampling. "Statistical sampling" is incorrect because some of the transactions are not being chosen at random.
What is the purpose of the ISACA organizational independence audit standard?
"The location of the IS auditor in the command-and-control structure of the organization should ensure that the IS auditor may work independently," reads ISACA Audit Standard 1002, "Organizational Independence." This lessens the likelihood that the auditor will give a favorable audit conclusion under duress.
"The auditor should not work in the same organization as the auditee" is incorrect because the audit standard does not mandate that the auditor work in a separate organization from the auditee; internal audit departments do exist in publicly traded U.S. companies. "To ensure that the auditor has the appearance of independence" is incorrect because it is crucial to guarantee both the actuality and the appearance of independence. "To ensure that the auditor has a separate operational budget" is incorrect, since independence does not necessarily follow from having a separate budget.
An auditor is creating an audit plan for the accounts payable function. Rather than randomly choosing transactions to examine, the auditor wishes to select transactions from low, medium, and high payment amounts. Which sampling methodology best fits this approach?
Selecting samples via stratified sampling entails taking into account a quantifiable value for each sample (in this case, the payment amount). When auditors want to be sure to analyze very high- or very low-value samples that might not be chosen in random sampling, stratified sampling might be helpful.
"Judgmental sampling" is incorrect because judgmental sampling is by definition not random; it would be the next-best option, though. "Non-random sampling" is incorrect because non-random sampling is not a sampling technique. "Statistical sampling" is incorrect because, if there aren't enough high- or low-value transactions, statistical sampling might not capture them.