Sample CISA Exam 2008 question for IS Audit Process Area
1. During an implementation review of a multiuser distributed application, the IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
A. record the observations separately with the impact of each of them marked against each respective finding.
B. advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones.
C. record the observations and the risk arising from the collective weaknesses.
D. apprise the departmental heads concerned with each observation and properly document it in the report.
Answer C:
Individually the weaknesses are minor; however, together they have the potential to substantially weaken the overall control structure. Choices A and D reflect a failure on the part of the IS auditor to recognize the combined effect of the control weaknesses. Advising the local manager without reporting the facts and observations would conceal the findings from other stakeholders.
2. During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A. create the procedures document.
B. terminate the audit.
C. conduct compliance testing.
D. identify and evaluate existing practices.
Answer D:
One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. An IS auditor should not prepare documentation, and if they did, their independence could be jeopardized. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.
3. Which of the following normally would be the MOST reliable evidence for an auditor?
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analysis developed by the IS auditor from reports supplied by line management
Answer A:
Evidence obtained from independent third parties almost always is considered to be the most reliable. Answers B, C and D would not be considered as reliable.
4. Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
Answer A:
Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population, and it is used in compliance testing to confirm whether the quality exists or not. The other choices are used in substantive testing, which involves testing of details or quantities.
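As an added illustration of attribute sampling in a compliance test (example code written for this page, not part of the original question set), the block below draws the attribute "password shorter than the policy minimum" from a constructed sample of account records, estimates the occurrence rate, and computes a one-sided upper confidence limit on the population rate so the auditor can compare it with a tolerable deviation rate. The sample data, the 12-character minimum and the 5% tolerable rate are assumptions chosen for the example.

```python
import math
from dataclasses import dataclass


@dataclass
class AttributeSampleResult:
    sample_size: int
    exceptions: int
    observed_rate: float
    upper_bound: float  # one-sided upper confidence limit on the population rate


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_limit(n: int, k: int, confidence: float = 0.95, tol: float = 1e-6) -> float:
    """Exact (Clopper-Pearson) one-sided upper bound: the largest deviation rate p
    for which observing k or fewer exceptions in n items is still plausible
    (P(X <= k) >= 1 - confidence). Found by bisection, no SciPy needed."""
    if k >= n:
        return 1.0
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_cdf(k, n, mid) > 1 - confidence:
            lo = mid  # this rate is still consistent with the sample; push higher
        else:
            hi = mid
    return hi


def attribute_sample(items, has_exception, confidence: float = 0.95) -> AttributeSampleResult:
    """Count items exhibiting the attribute and estimate the population rate."""
    n = len(items)
    k = sum(1 for item in items if has_exception(item))
    return AttributeSampleResult(n, k, k / n, upper_limit(n, k, confidence))


def is_compliant(result: AttributeSampleResult, tolerable_rate: float) -> bool:
    """The control passes only if even the upper bound stays within tolerance."""
    return result.upper_bound <= tolerable_rate


# Constructed sample: 25 account records with (user id, password length in characters).
SAMPLE = [(f"user{i:02d}", 12 + (i % 5)) for i in range(23)] + [("user23", 8), ("user24", 6)]
MIN_LENGTH = 12  # assumed password policy minimum
RESULT = attribute_sample(SAMPLE, lambda rec: rec[1] < MIN_LENGTH)
```

With 2 exceptions in 25 items the observed rate is 8%, but the 95% upper bound is above 20%, so a 5% tolerable rate is clearly exceeded and the control cannot be relied upon.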
5. The PRIMARY purpose of an audit charter is to:
A. document the audit process used by the enterprise.
B. formally document the audit department's plan of action.
C. document a code of professional conduct for the auditor.
D. describe the authority and responsibilities of the audit department.
Answer D:
The audit charter typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and delegation of authority to the audit department. It is rarely changed and does not contain the audit plan or audit process, which is usually part of annual audit planning, nor does it describe a code of professional conduct, since such conduct is set by the profession and not by management.