After receiving a Sarbanes-Oxley audit report from an auditor that lists 12 findings, the audit client disputes the conclusions. The unhappy audit client offers the auditor a $25,000 fee in exchange for the removal of any six findings from the report. A review of the audit findings has confirmed that all 12 are valid. How should the auditor proceed?

The auditor should first inform his or her management, who will then determine how to proceed. The audit manager will most likely inform the audit committee of the audit client, who may choose to refer the situation to regulatory authorities.

The statements "The auditor should reject the payment and meet the auditee halfway by eliminating three of the findings" and "The auditor should reject the payment and remove six of the findings" are incorrect, since the auditor should stand by the report and make no modifications. The statement "The auditor should report the occurrence to the audit client's audit committee" is incorrect because it is appropriate to first alert the auditor's own manager, who will then determine how to proceed.

An auditor is reviewing the background check procedure while inspecting a company's hiring process. The auditor is primarily concerned with whether background checks are conducted on all employees and whether the results of those checks lead to decisions not to hire someone. Which of the following methods for gathering evidence will support this audit goal?

This evidence request will give the auditor enough detail to determine whether background checks have been conducted for all positions that require them and whether any no-hire decisions have been made as a result.

"Request the whole contents of background checks along with hire/no-hire decisions" is incorrect, as the auditor should not require access to the details of individuals' background checks; this is highly private information. "Request the hire/no-hire decisions from the auditee" is incorrect, as this conceals the relationship between pass/no-pass outcomes and hire/no-hire decisions. "Examine the background check process and note which attributes for each candidate are included" is incorrect, as this audit requires examining records, not just the business process.

What could happen if an IS auditor who is an ISACA member and CISA certified violates the ISACA Code of Professional Ethics?

A violation of the ISACA Code of Professional Ethics by an ISACA member "may result in an investigation into the member's or certification holder's conduct and, ultimately, in disciplinary measures," including the loss of certifications.

"Fines" is incorrect because ISACA disciplinary action does not include fines; however, fines might be imposed if the situation also involves breaking the law. "Imprisonment" is incorrect because ISACA cannot impose imprisonment; however, imprisonment is possible if the situation also involves breaking the law. "Termination of employment" is incorrect unless the IS auditor's employer also views the matter as egregious and decides to terminate the auditor's employment.

The audit charter ought to:

The audit charter should state management's objectives for, and delegation of authority to, IS auditors.

An audit of a change control procedure is being conducted. During a walkthrough, the control owner described the procedure as follows: "Before Wednesday at 5 o'clock, engineers organize their changes and email the IT manager to inform him. The engineers then carry out their changes on Friday night during the change window." What findings, if any, should the auditor report?

Requested changes are not reviewed, discussed, and approved as part of the change control process. At present, engineers appear to make changes on their own.

The statement "The change control process is adequate as is, but might be enhanced by developing a ledger of modifications" is incorrect because the procedure has no approval step. The statement "The change control process is OK as is" is incorrect because the procedure requires an approval step. The statement "The change control procedure lacks a review step" is incorrect because the absence of an approval step is the more important finding.

Which of the following best exemplifies a user account provisioning process control self-assessment?

All user account modifications are verified to have been requested and approved by comparing them to the approved requests in the ticketing system.

"An examination of Active Directory to ensure that only domain administrators can make user account authorization changes" is incorrect: the fact that only domain administrators can modify user accounts does not demonstrate that the user account provisioning process is effective. "Verification that user account changes were made only by authorized personnel" is incorrect: confirming that only authorized personnel made the changes does not establish the effectiveness of the provisioning procedure. "Confirmation that all user account modifications were approved by appropriate persons" is incorrect: examining whether the approvers of user account changes were appropriate does not, by itself, establish the effectiveness of the process.
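The control self-assessment described in the answer above, reconciling every user account change against an approved request in the ticketing system, is shown here as an added example; it is not part of the original page, and the record layout, the ticket statuses ("approved", "pending", "rejected") and all sample values are constructed assumptions. The check flags a change as an exception if it references no ticket, the ticket is not approved, the ticket covers a different account or action, or the change was made before the ticket was approved.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccountChange:
    """One entry from the directory's account-change log (assumed layout)."""
    change_id: str
    account: str
    action: str               # e.g. "create", "modify", "disable"
    performed_at: datetime
    ticket_ref: Optional[str]  # ticket the operator cited, if any


@dataclass(frozen=True)
class Ticket:
    """One request record from the ticketing system (assumed layout)."""
    ticket_id: str
    account: str
    action: str
    status: str               # "approved", "pending" or "rejected"
    approved_at: Optional[datetime]


def reconcile(changes: List[AccountChange],
              tickets: List[Ticket]) -> List[Tuple[str, str]]:
    """Return (change_id, reason) for every change lacking a valid approval."""
    by_id = {t.ticket_id: t for t in tickets}
    exceptions = []
    for c in changes:
        t = by_id.get(c.ticket_ref) if c.ticket_ref else None
        if t is None:
            exceptions.append((c.change_id, "no ticket referenced or ticket not found"))
        elif t.status != "approved" or t.approved_at is None:
            exceptions.append((c.change_id, f"ticket {t.ticket_id} not approved (status={t.status})"))
        elif t.account != c.account or t.action != c.action:
            exceptions.append((c.change_id,
                               f"ticket {t.ticket_id} covers {t.action} of {t.account}, "
                               f"not {c.action} of {c.account}"))
        elif t.approved_at > c.performed_at:
            exceptions.append((c.change_id, f"change made before ticket {t.ticket_id} was approved"))
    return exceptions


def exception_rate(changes: List[AccountChange], tickets: List[Ticket]) -> float:
    """Share of changes without a matching approved request (0.0 when no changes)."""
    if not changes:
        return 0.0
    return len(reconcile(changes, tickets)) / len(changes)


# Constructed sample data: five changes, only one of which is fully supported.
SAMPLE_TICKETS = [
    Ticket("T-100", "jsmith", "create", "approved", datetime(2024, 3, 1, 9, 0)),
    Ticket("T-101", "rlee", "disable", "pending", None),
    Ticket("T-102", "mchen", "modify", "approved", datetime(2024, 3, 2, 10, 0)),
    Ticket("T-103", "akhan", "modify", "approved", datetime(2024, 3, 3, 16, 0)),
]

SAMPLE_CHANGES = [
    AccountChange("C-1", "jsmith", "create", datetime(2024, 3, 1, 11, 0), "T-100"),  # ok
    AccountChange("C-2", "svc_backup", "create", datetime(2024, 3, 1, 12, 0), None),  # no ticket
    AccountChange("C-3", "rlee", "disable", datetime(2024, 3, 1, 13, 0), "T-101"),  # not approved
    AccountChange("C-4", "mchen", "disable", datetime(2024, 3, 2, 11, 0), "T-102"),  # wrong action
    AccountChange("C-5", "akhan", "modify", datetime(2024, 3, 3, 9, 0), "T-103"),   # before approval
]

SAMPLE_EXCEPTIONS = reconcile(SAMPLE_CHANGES, SAMPLE_TICKETS)

if __name__ == "__main__":
    for change_id, reason in SAMPLE_EXCEPTIONS:
        print(f"{change_id}: {reason}")
    print(f"exception rate: {exception_rate(SAMPLE_CHANGES, SAMPLE_TICKETS):.0%}")
```

The point of the self-assessment is the join in both directions: every change in the directory log must trace to an approved request, and the request must match the account and action actually performed and precede it in time. A check that only confirms who made the change, or only confirms who approved the tickets, answers neither question, which is why the other options in the question fall short.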

Which risk categories should be taken into account when planning an audit, as per ISACA Audit Standard 1202?

When preparing to audit a company system or process, all potential risks should be taken into account.

"Fraud risk" is incorrect, since other risks should also be taken into account, not just fraud risk. "Cybersecurity risk" is incorrect, since other types of risk should be taken into account. "Financial risk" is incorrect for the same reason: other types of risk should be taken into account.

