Questionnaire

1. Which of the following is false concerning a control self-assessment (CSA)?
A. Empowers the user to take ownership and accountability
B. Eliminates the need for a traditional audit
C. May be used to identify high-risk areas for later review
D. Will not have the level of independence provided by an external auditor
Answer: B. Eliminates the need for a traditional audit
Justification: All of the statements are true except B. A CSA is not a substitute for a traditional audit.

2. Who has responsibility for setting the scope of the audit?
A. Auditor
B. Client
C. Audit manager
D. Auditee
Answer: B. Client
Justification: Every audit is paid for and requested by a client, who is responsible for setting the scope, granting authority, and providing access to the auditee.

3. During audit planning, several documents are produced in support of the project. Which of these is used to identify the person responsible for specific tasks in order to gain funding and ensure quality?
A. Skills matrix
B. Procurement matrix
C. Task matrix
D. Activities matrix
Answer: A. Skills matrix
Justification: A skills matrix is used to identify the skills of each person and to ensure that the right person is performing the task. Using a skills matrix in planning is an excellent method to justify proper funding for training or additional personnel.

4. Which of the following would be a concern of the auditor that should be explained in the audit report along with the findings?
A. Detailed list of audit objectives
B. The need by the current auditor to communicate with the prior auditor
C. Communicating results directly to the chairperson of the audit committee
D. Undue restrictions placed by management on evidence use or audit procedures
Answer: D. Undue restrictions placed by management on evidence use or audit procedures
Justification: Undue restrictions on scope would be a major concern, as would the lack of time or the inability to obtain sufficient reliable evidence.

5. The auditor is permitted to deviate from professional audit standards when they feel it is necessary; which of the following is true regarding such deviation?
A. Standards are designed for discretionary use.
B. Deviation is almost unheard of and would require significant justification.
C. Deviation depends on the authority granted in the audit charter.
D. The unique characteristics of the client will require auditor flexibility.
Answer: B. Deviation is almost unheard of and would require significant justification.
Justification: Standards are mandatory, and any deviation would require justification.

6. Auditors base their report on findings, evidence, and the results of testing. It's more of a score than an opinion. Which of the following types of evidence sampling refers to a 100 percent sample?
A. Attribute
B. Stop-and-go
C. Cell
D. Discovery
Answer: D. Discovery
Justification: Discovery sampling is used to find 100 percent of everything possible when fraud is suspected or the likelihood of finding evidence is low. All the other choices are valid sampling methods used in compliance testing.

7. Which of the following types of risk are of the most interest to an IS auditor?
A. Control, detection, noncompliance, risk of strike
B. Inherent, noninherent, control, lack of control
C. Sampling, control, detection, inherent
D. Unknown, quantifiable, cumulative
Answer: C. Sampling, control, detection, inherent
Justification: The answers including risk of strike, lack of control, and unknown are distractors.

8. The two types of tests are referred to as ____________ and ________________ using sampling methods.
A. Substantive tests, compliance tests, variable and attribute
B. Compliance tests, substantive tests, variable and discovery
C. Predictive tests, compliance tests, stop-and-go and difference estimation
D. Integrity tests, compliance tests, stratified mean and unstratified mean
Answer: A. Substantive tests, compliance tests, variable and attribute
Justification: Answer B is incorrect because compliance testing uses discovery sampling to detect fraud. C and D are distractors.

9. Which of these types of computer-assisted audit tools (CAATs) is designed to process dummy transactions during the processing of genuine transactions?
A. Continuous and intermittent simulation
B. Embedded program audit hooks
C. Embedded audit module
D. Online event monitor
Answer: C. Embedded audit module
Justification: An embedded audit module (EAM) processes dummy transactions during the processing of genuine transactions. The intention is to determine whether the system is functioning correctly.

10. Which of the following conditions is false in regard to using the work of other people during your audit?
A. Ensure independence of the provider.
B. Accept the work based on job position.
C. Use agreed-upon scope and approach.
D. Provide supervision and review.
Answer: B. Accept the work based on job position.
Justification: The auditor should never base the decision on the job position of the other person. All of the other choices are vague but truthful. Always assess the independence of the provider, check their qualifications, agree on the scope and procedures used, and supervise and review their work. Don't use the work if the results are questionable or fail to follow very high adherence to audit standards.

11. Which type of audit may be used for regulatory licensing or external reporting?
A. Qualified audit
B. Independent assessment
C. Control self-assessment
D. Traditional audit
Answer: D. Traditional audit
Justification: Traditional independent audits are conducted with the formality and adherence to standards necessary for regulatory licensing and external reporting. It's true that there is always a shady auditor ready to lie for a client. The world expects an independent audit to be conducted by a qualified auditor representing a high degree of truth. Assessments are too informal and therefore can be used only internally in the organization.

12. Audits are intended to be conducted in accordance with which of the following ideals?
A. Specific directives from management concerning evidence and procedure
B. Reporting and communication
C. Assessment of the organizational controls
D. Adherence to standards, guidelines, and best practices
Answer: D. Adherence to standards, guidelines, and best practices
Justification: Audits should adhere to standards, guidelines, and best practices. Answer A represents a restriction on scope. B and C are components of answer D.

13. Which of the following is not a type of quantitative sampling model?
A. Difference estimation
B. Stratified mean per unit
C. Unstratified mean per unit
D. Qualitative estimation per unit
Answer: D. Qualitative estimation per unit
Justification: Difference estimation, stratified mean, and unstratified mean are valid sample types for substantive testing. Qualitative estimation is just a distractor.

14. What is the principal issue concerning the use of CAAT?
A. The capability of the software vendor.
B. Possible cost, complexity, and the security of output.
C. Inability of automated tools to consider the human characteristics of the environment.
D. Documentary evidence is more effective.
Answer: B. Possible cost, complexity, and the security of output.
Justification: CAATs are able to perform faster than humans and produce more accurate data in functional testing. Cost, training, and security of output are major considerations.

15. What is the purpose of the audit charter?
A. To engage external auditors
B. To grant responsibility, authority, and accountability
C. To authorize the creation of the audit committee
D. To provide detailed planning of the audit
Answer: B. To grant responsibility, authority, and accountability
Justification: The audit charter's purpose is to grant the right to audit and delegate responsibility, authority, and accountability.

16. Which of the following describes the relationship between compliance testing and substantive testing?
A. Compliance testing checks for the presence of controls; substantive testing checks the integrity of internal contents.
B. Substantive testing tests for presence; compliance testing tests actual contents.
C. The tests are identical in nature; the difference is whether the audit subject is under the Sarbanes–Oxley Act.
D. Compliance testing tests individual account balances; substantive testing checks for written corporate policies.
Answer: A. Compliance testing checks for the presence of controls; substantive testing checks the integrity of internal contents.
Justification: Substantive testing checks the substance or integrity of a transaction. Compliance testing looks for the presence of controls or control attributes.

17. What is the purpose of continuous auditing?
A. To assist managers with automated testing
B. To govern, control, and manage the organization
C. To challenge and review assurances
D. To provide daily coordination of all audit activities
Answer: A. To assist managers with automated testing
Justification: Continuous monitoring only signals that a known error has occurred. Continuous auditing uses ongoing automated testing to ensure that technical security modifications (controls) are still functioning and active. A good example is the free Security Controls Automation Protocol (SCAP); these scripts can be run from the command line, in batch jobs, audit utilities, and other programs. SCAP rechecks that all the security seals installed after the default installation are still functioning. This must be run after every hotfix, patch, or software update.

18. Which term best describes the difference between the audit sample and the total population?
A. Precision
B. Tolerable error rate
C. Level of risk
D. Analytic delta
Answer: A. Precision
Justification: The compliance test uses precision to describe the rate of occurrence out of the sample population. Compliance testing uses precision to describe the expected error rate of the sample compared to the total population. Precision is usually expressed as a percentage.

19. What is the biggest issue with the decision to transfer risk to an outsourced contractor?
A. There is potential for uncontrollable increase in operating cost over time.
B. Outsourcing shifts the entire risk to the contractor.
C. The company still retains liability for whatever happens.
D. Outsourcing shields the company from intrinsic risks.
Answer: C. The company still retains liability for whatever happens.
Justification: The work can be outsourced; however, the liability for failure remains with the company. One example is the worldwide automobile air bag recall over the last few years. Almost every vehicle manufacturer suffered financial liability for their subcontractor. Liability cannot be outsourced.

20. Which is not a purpose of risk analysis?
A. Support risk-based audit decisions
B. Assist the auditor in determining audit objectives
C. Assist the auditor in identifying risks and threats
D. Ensure absolute safety during the audit
Answer: D. Ensure absolute safety during the audit
Justification: Risk analysis is used to determine whether the audit has any chance of representing the truth. Nothing in the realm of IS auditing is absolute because of the abstract nature of technology implementations.

21. Which is the best document to help define the relationship of the independent auditor and provide evidence of the agreed-upon terms and conditions?
A. Audit charter
B. Annual audit plan
C. Engagement letter
D. Auditor's report
Answer: C. Engagement letter
Justification: The engagement letter is used with independent auditors to define the relationship. This letter serves as a record to document the understanding and agreement between the audit committee and the independent auditor. It provides the independent auditor the responsibility, accountability, and authority to conduct the audit.

22. ISACA refers to testing for strong controls. What is the best description of a strong control?
A. Effective implementation of multiple controls targeting the same objective
B. Preventive control that stops the problem from ever occurring
C. Using at least one control in each of the three categories of detective, corrective, and preventive
D. Implementing comprehensive pervasive controls inside of an ERP application
Answer: A. Effective implementation of multiple controls targeting the same objective
Justification: Strong controls will implement multiple types of detective, corrective, and preventive controls using a combined approach of administrative methods, physical methods, and technical methods. This is referred to as depth of control, hopefully using all nine layers. Using the bare minimum would be a weak control.

23. Failing to prevent or detect a material error would represent which type of risk?
A. Overall audit risk
B. Detection risk
C. Inherent risk
D. Control risk
Answer: B. Detection risk
Justification: Detection risk is the risk that you would fail to detect that a material error has occurred.

24. What is the best data collection technique the auditor can use if the resources are available?
A. Surveys that create a broad sample
B. Review of existing documentation
C. Auditor observation
D. Interviews
Answer: D. Interviews
Justification: Interviewing selected personnel is the best technique during the beginning of the audit. Surveys, document review, and observations generate a lower yield. In-depth technical testing is the next mandatory step after interviews.

25. An IS auditor is performing a review of an application and finds something that might be illegal. The IS auditor should do which of the following?
A. Disregard or ignore the finding because this is beyond the scope of this review
B. Conduct a detailed investigation to aid the authorities in catching the culprit
C. Immediately notify the auditee of the finding
D. Seek legal advice before finishing the audit
Answer: D. Seek legal advice before finishing the audit
Justification: Seek competent legal advice. It is not the auditor's job to detect potentially illegal acts; however, the auditor should seek the aid of a lawyer concerning liability and reporting requirements.

Exam Essentials

1. Understand how to conduct IS audits in accordance with published standards, guidelines, and best practices.
You are expected to follow published audit standards to ensure thoroughness and consistency. Deviations from standards and guidelines are rare. Any deviation must be well documented, but the results may not be accepted by the audit community. The purpose of best practices is to aid you by identifying useful procedures and techniques. Design every audit to adhere to standards.

2. Understand continuous auditing methods.
Continuous audit methods such as audit hooks or SCARF with embedded audit modules (SCARF/EAM) are used in environments where it is not possible to interrupt production.

3. Understand how evidence is analyzed for reporting conformity or nonconformity.
It is unlikely that an auditor could be truly independent if the auditor were involved with the subject of the audit. Auditor independence is an additional assurance of truth.

4. Understand the role of traditional audits compared to control self-assessment (CSA).
Control self-assessments are designed to empower the customer's staff. The intention is to generate awareness and ownership of problems. A control self-assessment is an excellent way to improve the performance of an organization between traditional audits. The traditional audit is still necessary to meet the independence requirement.

5. Understand how to develop and implement a risk-based audit strategy.
Focus on areas of high value. The risk assessment will help to determine whether the audit will yield meaningful information. Certain types of conditions may be difficult to audit. The audit must be based on meaningful evidence that is materially relevant.

6. Know the auditing practices and techniques.
Well-established IS auditing procedures ensure the thoroughness and consistency necessary for a successful audit. Good audits will implement a well-thought-out sequence of procedures to evaluate materially relevant samples. ISACA provides foundation knowledge that you should implement during your audit. Effective sample selection of meaningful tests should yield materially relevant results.

7. Know some of the various types of computer-assisted audit tools (CAATs).
Computer-assisted audit tools are software tools that can provide detailed analysis of computer system configuration, vulnerability, logs, and other information. The CAAT output should be kept confidential because of the potentially sensitive nature of its contents.

8. Know the techniques to gather information and manage the evidence life cycle.
You can collect information through traditional sources of business records, computer data files, and CAAT. Meaningful information can be obtained through personal interviews, workshops, and surveys. All information and evidence should be recorded and tracked. The evidence life cycle consists of identification, collection, preservation, analysis, safe storage, and finally its return to the owner. Evidence used for criminal prosecution must be handled with the highest degree of care. Evidence that is mishandled will void legal claims and may result in punitive legal action.

9. Know the types of evidence and evidence grading.
The best evidence will tell its own story. The best evidence will prove or disprove a point. The best evidence is both objective and independent. The timing of evidence must be considered when calculating its useful value. Evidence that is late and subjective will be of low value. Material evidence will have a bearing on the final outcome. Irrelevant evidence will not affect the final decision.

10. Know how to deal with irregular and illegal acts.
It is possible that you could encounter evidence of irregular or illegal acts. Communicate the discoveries to the next level of management higher than where the act occurred. Such a discovery involving persons responsible for internal controls must be reported to the absolute highest level of management. Consult your attorney for legal advice.

11. Know how to advise clients on implementing risk management and control practices while maintaining independence.
You are encouraged to educate your client and help increase awareness of control issues. Do not participate in specific discussions of design or architecture. You must not work on fixing problems if you are expected to be independent. A client may hire one auditor for remediation and use a separate, unrelated auditor for the audit. You cannot be independent if you participate in the audit subject.

12. Familiarize yourself with the types of audit tests and sample selection.
Audit tests can be substantive or compliance based. It is important to select an appropriate sample in order to generate data that reflects the actual situation. Audit test procedures and sample selection methods must be well documented to ensure verifiable and reproducible tests. The sample may be selected based on physical characteristics, value, or size of population.

13. Be familiar with how to plan for specific audits.
The CISA needs to understand the constraints and requirements of individual audits. It is your job to identify the resource requirements, sampling requirements, test methods, and procedures to be used. You will identify appropriate personnel to be interviewed. The interview process must be scheduled and must implement predefined questions for the purpose of gathering data. An audit involving third-party personnel will present its own unique challenges.

14. Be familiar with IS control objectives and performing control assessment.
High-level controls are categorized as general controls, pervasive controls, detailed controls, and application controls. Internal controls are intended to be preventive, detective, and corrective. Each control may be implemented using administrative methods, physical methods, and technical methods. The purpose of the controls is to prevent harm and protect an asset. You are responsible for evaluating the effectiveness of controls.

15. Be able to communicate issues, potential risks, and audit results.
You are expected to communicate materially relevant issues to management through the audit reporting process. Issues of high significance should be communicated directly to the audit committee. The final results of each audit should be verifiable and reproducible. All communication must convey the facts without placing blame on individuals.