
50 Questions-Answers For CISA Exam Prep


T1.3 Conduct audits in accordance with IS audit standards

1. The internal audit department has written some scripts that are used for continuous
auditing of some information systems. The IT department has asked for copies of the
scripts so that they can use them for setting up a continuous monitoring process on key
systems. Would sharing these scripts with IT affect the ability of the IS auditors to
independently and objectively audit the IT function?
A Sharing the scripts is not permitted because it would give IT the ability to pre-
audit systems and avoid an accurate, comprehensive audit.
B Sharing the scripts is required because IT must have the ability to review all
programs and software that runs on IS systems regardless of audit
independence.
C Sharing the scripts is permissible as long as IT recognizes that audits may still be
conducted in areas not covered in the scripts.
D Sharing the scripts is not permitted because it would mean that the IS auditors
who wrote the scripts would not be permitted to audit any IS systems where
the scripts are being used for monitoring.

A. The ability of IT to continuously monitor and address any issues on IT systems would
not affect the ability of IS audit to perform a comprehensive audit.
B. Sharing the scripts may be required by policy for the sake of quality assurance and
configuration management, but that would not impair the ability to audit.
C. IS audit can still review all aspects of the systems. They may not be able to review the
effectiveness of the scripts themselves, but they can still audit the systems.
D. An audit of an IS system would encompass more than just the controls covered in the
scripts.
Answer: C. ISACA ID: C1026; TS 1.1 or 1.3 (A1-1 in 2016 book)

Page 1 of 602
T1.3 Conduct audits in accordance with IS audit standards
2. An audit charter should:
A be dynamic and change to coincide with the changing nature of technology and
the audit profession.
B clearly state audit objectives for, and the delegation of, authority to the
maintenance and review of internal controls.
C document the audit procedures designed to achieve the planned audit
objectives.
D outline the overall authority, scope and responsibilities of the audit function.

A. The audit charter should not be subject to changes in technology and should not
significantly change over time. The charter should be approved at the highest level of
management.
B. An audit charter will state the authority and reporting requirements for the audit but
not the details of maintenance of internal controls.
C. An audit charter would not be at a detailed level and, therefore, would not include
specific audit objectives or procedures.

authority to IS auditors.
Answer: D. ISACA ID: C0011; TS 1.3 (A1-15 in 2016 book)

3. The PRIMARY advantage of a continuous audit approach is that it:
A does not require an IS auditor to collect evidence on system reliability while
processing is taking place.
B allows the IS auditor to review and follow up on audit issues in a timely manner.
C places the responsibility for enforcement and monitoring of controls on the
security department instead of audit.
D simplifies the extraction and correlation of data from multiple and complex
systems.

A. The continuous audit approach often does require an IS auditor to collect evidence on
system reliability while processing is taking place.
B. Continuous audit allows audit and response to audit issues in a timely manner
because audit findings are gathered in near real time.
C. Responsibility for enforcement and monitoring of controls is primarily the responsibility
of management.
D. The use of continuous audit is not based on the complexity or number of systems being
monitored.
Answer: B. ISACA ID: C0019; TS 1.1 (A1-20 in 2016 book)

T1.1 Execute risk-based IS audit strategy
4. A PRIMARY benefit derived for an organization employing control self-assessment (CSA)
techniques is that it:
A can identify high-risk areas that might need a detailed review later.
B allows IS auditors to independently assess risk.
C can be used as a replacement for traditional audits.
D allows management to relinquish responsibility for control.

A. Control self-assessment (CSA) is predicated on the review of high-risk areas that
either need immediate attention or may require a more thorough review at a later
date.
B. CSA requires the involvement of IS auditors and line management. What occurs is that
the internal audit function shifts some of the control monitoring responsibilities to the
functional areas.
C.
responsibilities, but to enhance them.
D. CSA does not allow management to relinquish its responsibility for control.
Answer: A. ISACA ID: C0031; TS 1.1 (A1-95 in 2016 book)

5. When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:
A controls needed to mitigate risk are in place.
B vulnerabilities and threats are identified.
C audit risk is considered.
D a gap analysis is appropriate.

A. Understanding whether appropriate controls required to mitigate risk are in place is a
resultant effect of an audit.
B. In developing a risk-based audit strategy, it is critical that the risk and vulnerabilities
be understood. This will determine the areas to be audited and the extent of coverage.
C. Audit risk is an inherent aspect of auditing, is directly related to the audit process and is
not relevant to the risk analysis of the environment to be audited.
D. A gap analysis would normally be done to compare the actual state to an expected or
desirable state.
Answer: B. ISACA ID: C0627; TS 1.1 (A1-47 in 2016 book)

T1.1 Execute risk-based IS audit strategy
6. To ensure that audit resources deliver the best value to the organization, the FIRST step
would be to:
A schedule the audits and monitor the time spent on each audit.
B train the IS audit staff on current technology used in the company.
C develop the audit plan on the basis of a detailed risk assessment.
D monitor progress of audits and initiate cost control measures.

A. Monitoring the audits and the time spent on audits would not be effective if the wrong
areas were being audited. It is most important to develop a risk-based audit plan to
ensure effective use of audit resources.
B. The IS auditor may have specialties or the audit team may rely on outside experts to
conduct very specialized audits. It is not necessary for each IS auditor to be trained on all
new technology.
C. Monitoring the time and audit programs, as well as adequate training, will improve

value to the organization is ensuring that the resources and efforts being dedicated to
audit are focused on higher-risk areas.
D. Monitoring audits and initiating cost controls will not necessarily ensure the effective
use of audit resources.
Answer: C. ISACA ID: C0630; TS 1.1 (A1-49 in 2016 book)

7. An organization's IS audit charter should specify the:
A plans for IS audit engagements.
B objectives and scope of IS audit engagements.
C detailed training plan for the IS audit staff.
D role of the IS audit function.

A. Planning is the responsibility of audit management.
B. The objectives and scope of each IS audit should be agreed on in an engagement letter.
The charter would specify the objectives and scope of the audit function but not of
individual engagements.
C. A training plan, based on the audit plan, should be developed by audit management.
D. An IS audit charter establishes the role of the information systems audit function.
The charter should describe the overall authority, scope and responsibilities of the
audit function. It should be approved by the highest level of management and, if
available, by the audit committee.
Answer: D. ISACA ID: C0926; TS 1.1 (A1-72 in 2016 book)

T1.3 Conduct audits in accordance with IS audit standards
8. An IS auditor discovers that devices connected to the network have not been included in
a network diagram that had been used to develop the scope of the audit. The chief
information officer (CIO) explains that the diagram is being updated and awaiting final
approval. The IS auditor should FIRST:
A expand the scope of the IS audit to include the devices that are not on the
network diagram.
B evaluate the impact of the undocumented devices on the audit scope.
C note a control deficiency because the network diagram has not been approved.
D plan follow-up audits of the undocumented devices.

A. It is important that the IS auditor does not immediately assume that everything on the
network diagram provides information about the risk affecting a network/system. There is
a process in place for documenting and updating the network diagram.
B. In a risk-based approach to an IS audit, the scope is determined by the impact the
devices will have on the audit. If the undocumented devices do not impact the audit
scope, then they may be excluded from the current audit engagement. The information
provided on a network diagram can vary depending on what is being illustrated, for
example, the network layer, cross connections, etc.
C. In this case, there is simply a mismatch in timing between the completion of the
approval process and when the IS audit began. There is no control deficiency to be
reported.
D. Planning for follow-up audits of the undocumented devices is contingent on the risk
that the undocumented devices have on the ability of the entity to meet the audit scope.
Answer: B. ISACA ID: C1149; TS 1.3 (A1-83 in 2016 book)

9. Which of the following responsibilities would MOST likely compromise the
independence of an IS auditor when reviewing the risk management process?
A Participating in the design of the risk management framework
B Advising on different implementation techniques
C Facilitating risk awareness training
D Performing due diligence of the risk management processes

A. Participating in the design of the risk management framework involves designing
controls, which will compromise the independence of the IS auditor to audit the risk
management process.
B.
independence because the IS auditor will not be involved in the decision-making process.
C.
the auditor will not be involved in the decision-making process.
D. Due diligence reviews are a type of audit generally related to mergers and acquisitions.
Answer: A. ISACA ID: C1154; TS 1.3 (A1-88 in 2016 book)

T1.3 Conduct audits in accordance with IS audit standards
10. Which of the following is the BEST factor for determining the required extent of data
collection during the planning phase of an IS compliance audit?
A Complexity of the organization's operation
B Findings and issues noted from the prior year
C Purpose, objective and scope of the audit
D Auditor's familiarity with the organization

A.
but does not directly affect the determination of how much data to collect. Extent of data
collection is subject to the intensity, scope and purpose of the audit.
B. Prior findings and issues are factors in the planning of an audit, but do not directly
affect the determination of how much data to collect. Data must be collected outside of
areas of previous findings.
C. The extent to which data will be collected during an IS audit is related directly to the
purpose, objective and scope of the audit. An audit with a narrow purpose and limited
objective and scope is most likely to result in less data collection than an audit with a
wider purpose and scope. Statistical analysis may also determine the extent of data
collection such as sample size or means of data collection.
D.
does not directly affect the determination of how much data to collect. The audit must be
based on sufficient evidence of the monitoring of controls and not unduly influenced by

Answer: C. 2012 Supplement Question; ISACA ID: C1248; TS 1.1 (Q A1-2 in 2016 ISACA book)

T1.1 Execute risk-based IS audit strategy
11. For a retail business with a large volume of transactions, which of the following audit
techniques is the MOST appropriate for addressing emerging risk?
A Use of computer-assisted audit techniques (CAATs)
B Quarterly risk assessments
C Sampling of transaction logs
D Continuous auditing

A. Using software tools such as computer-assisted audit techniques (CAATs) to analyze
transaction data can provide detailed analysis of trends and potential risk, but it is not as
effective as continuous auditing, because there may be a time differential between
executing the software and analyzing the results.
B. Quarterly risk assessment may be a good technique but not as responsive as
continuous auditing.
C. The sampling of transaction logs is a valid audit technique; however, risk may exist that
is not captured in the transaction log, and there may be a potential time lag in the
analysis.
D. The implementation of continuous auditing enables a real-time feed of information
to management through automated reporting processes so that management may
implement corrective actions more quickly.
Answer: D. 2012 Supplement Question; ISACA ID: C1250; TS 1.1 (A1-9 in 2016 book)

12. The MOST appropriate action for an IS auditor to take when shared user accounts are
discovered is to:
A inform the audit committee of the potential issue.
B review audit logs for the IDs in question.
C document the finding and explain the risk of using shared IDs.
D request that the IDs be removed from the system.

A. It is not appropriate for an IS auditor to report findings to the audit committee before
conducting a more detailed review and presenting them to management for a response.
B. Review of audit logs would not be useful because shared IDs do not provide for
individual accountability.

of the audit report is to explain the reasoning behind the findings. The use of shared IDs
is not recommended because it does not allow for accountability of transactions. An IS
auditor would defer to management to decide how to respond to the findings
presented.
D. It is not the role of an IS auditor to request the removal of IDs from the system.
Answer: C. 2012 Supplement Question; ISACA ID: C1251; TS 1.4 (A1-26 in 2016 book)

T1.2 Plan audits to determine if IS are protected & provide value
13. Which of the following is the FIRST step performed prior to creating a risk ranking for
the annual internal IS audit plan?
A Prioritize the identified risk.
B Define the audit universe.
C Identify the critical controls.
D Determine the testing approach.

A. Once the audit universe is defined, the IS auditor can prioritize risk based on its overall
impact on different operational areas of the organization covered under the audit
universe.
B. In a risk-based audit approach, the IS auditor identifies risk to the organization based
on the nature of the business. In order to plan an annual audit cycle, the types of risk
must be ranked. To rank the types of risk, the auditor must first define the audit
universe by considering the IT strategic plan, organizational structure and authorization
matrix.
C. The controls that help in mitigating high-risk areas are generally critical controls and
their effectiveness provides assurance on mitigation of risk. However, this cannot be done
unless the types of risk are ranked.
D. The testing approach is based on the risk ranking.
Answer: B. Joleary: 2013 Supplement Question; C1348, Task Statement 1.2 (A1-96 in 2016 book)

14. An internal IS audit function is planning a general IS audit. Which of the following
activities takes place during the FIRST step of the planning phase?
A Development of an audit program
B Review of the audit charter
C Identification of key information owners
D Development of a risk assessment

A. The results of the risk assessment are used for the input for the audit program.
B. The audit charter is prepared when the audit department is established or as updates
are needed. Creation of the audit charter is not related to the audit planning phase
because it is part of the internal audit governance structure that provides independence
for the function.
C. A risk assessment must be performed prior to identifying key information owners. Key
information owners are generally not directly involved during the planning process of an
audit.
D. A risk assessment should be performed to determine how internal audit resources
should be allocated in order to ensure that all material items will be addressed.
Answer: D. 2013 Supplement Question; AS1-13, C1360, Task Statement 1.2 (A1-107 in 2016 book)

T1.1 Execute risk-based IS audit strategy
15. An IS auditor is developing an audit plan for an environment that includes new systems.

systems. How should the IS auditor respond?
A Audit the new systems as requested by management.
B
C Determine the highest-risk systems and plan accordingly.
D

A. Auditing the new system does not reflect a risk-based approach. Even though the
system could contain sensitive data and may present risk of data loss or disclosure to the
organization, without a risk assessment, the decision to solely audit the newly
implemented system is not a risk-based decision.
B. -based
approach. In addition, management may know about problems with the new system and
may be intentionally trying to steer the audit away from that vulnerable area. Although at
first the new system may seem to be the most risky area, an assessment must be
conducted rather than relying on the judgment of the IS auditor or IT manager.
C. The best course of action is to conduct a risk assessment and design the audit plan to
cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk
Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall
use an appropriate risk assessment approach and supporting methodology to develop
the overall IS audit plan and determine priorities for the effective allocation of IS audit
resources."
D. The creation of the audit plan should be performed in cooperation with management
and based on risk. The IS auditor should not arbitrarily decide on what needs to be
audited.
Answer: C. ISACA ID: C1028; TS 1.1 (A1-3 in 2016 book)

T1.2 Plan audits to determine if IS are protected & provide value
16. The decisions and actions of an IS auditor are MOST likely to affect which of the
following types of risk?
A Inherent
B Detection
C Control
D Business

A. Inherent risk is the risk that a material error could occur, assuming that there are no
related internal controls to prevent or detect the error. Inherent risk is not usually
affected by an IS auditor.

and techniques. Detection risk is the risk that a review will not detect or notice a
material issue.
C. Control risk is the risk that a material error exists that would not be prevented or
detected on a timely basis by the system of internal controls. Control risk can be mitigated

D. Business risk is a probable situation with uncertain frequency and magnitude of loss (or
gain). Business risk is usually not directly affected by an IS auditor.
Answer: B. ISACA ID: C0002; TS 1.2 (A1-11 in 2016 book)

T1.1 Execute risk-based IS audit strategy
17. Which of the following is the MOST critical step when planning an IS audit?
A Review findings from prior audits.
B
C Review IS security policies and procedures.
D Perform a risk assessment.

A. The findings of a previous audit are of interest to the auditor, but they are not the most
critical step. The most critical step involves finding the current issues or high-risk areas,
not reviewing the resolution of older issues. A review of historical audit findings could
indicate that management is not resolving the items or the recommendation was
ineffective.
B. Executive management is not required to approve the audit plan. It is typically
approved by the audit committee or board of directors. Management could recommend
areas to audit.
C. Reviewing information security policies and procedures would normally be conducted
during fieldwork, not planning.
D. Of all the steps listed, performing a risk assessment is the most critical. Risk
assessment is required by ISACA IS Audit and Assurance Standard 1202 (Risk

identify and assess risk relevant to the area under review, when planning individual

performed, then high-risk areas of the auditee systems or operations may not be
identified for evaluation.
Answer: D. ISACA ID: C1126; TS 1.1 (A1-12 in 2016 book)

T1.2 Plan audits to determine if IS are protected & provide value
18. An IS auditor is reviewing a software application that is built on the principles of service-
oriented architecture (SOA). What is the INITIAL step?
A Understanding services and their allocation to business processes by reviewing
the service repository documentation.
B Sampling the use of service security standards as represented by the Security
Assertions Markup Language (SAML).
C Reviewing the service level agreements (SLAs) established for all system
providers.
D Auditing the core service and its dependencies on other systems.

A. A service-oriented architecture (SOA) relies on the principles of a distributed
environment in which services encapsulate business logic as a black box and might be
deliberately combined to depict real-world business processes. Before reviewing
services in detail, it is essential for the IS auditor to comprehend the mapping of
business processes to services.
B. Sampling the use of service security standards as represented by the Security
Assertions Markup Language (SAML) is an essential follow-up step to understanding
services and their allocation to business, but is not the initial step.
C. Reviewing the service level agreements (SLAs) is an essential follow-up step to
understanding services and their allocation to business, but is not the initial step.
D. Auditing the core service and its dependencies with others would most likely be a part
of the audit, but the IS auditor must first gain an understanding of the business processes
and how the systems support those processes.
Answer: A. ISACA ID: C1127; TS 1.2 (A1-13 in 2016 book)

T1.3 Conduct audits in accordance with IS audit standards
19. Which of the following situations could impair the independence of an IS auditor? The IS
auditor:
A implemented specific functionality during the development of an application.
B designed an embedded audit module for auditing an application.
C participated as a member of an application project team and did not have
operational responsibilities.
D provided consulting advice concerning application good practices.

A. Independence may be impaired if an IS auditor is, or has been, actively involved in
the development, acquisition and implementation of the application system.
B.
C. An IS auditor should not audit work that they have done but just participating as a

independence.
D.
practices.
Answer: A. ISACA ID: C0018; TS 1.3 (A1-19 in 2016 book)

20. An IS auditor is evaluating management's risk assessment of information systems. The IS
auditor should FIRST review:
A the controls in place.
B the effectiveness of the controls.
C the mechanism for monitoring the risk.
D the threats/vulnerabilities affecting the assets.

A. The controls are irrelevant until the IS auditor knows the threats and risk that the
controls are intended to address.
B. The effectiveness of the controls must be measured in relation to the risk (based on
assets, threats and vulnerabilities) that the controls are intended to address.
C. The first step must be to determine the risk that is being managed before reviewing the
mechanism of monitoring risk.
D. One of the key factors to be considered while assessing the information systems risk
is the value of the systems (the assets) and the threats and vulnerabilities affecting the
assets. The risk related to the use of information assets should be evaluated in isolation
from the installed controls.
Answer: D. ISACA ID: C0029; TS 1.2 (A1-21 in 2016 book)

T1.2 Plan audits to determine if IS are protected & provide value
21. In planning an IS audit, the MOST critical step is the identification of the:
A areas of significant risk.
B skill sets of the audit staff.
C test steps in the audit.
D time allotted for the audit.

A. When designing a risk-based audit plan, it is important to identify the areas of
highest risk to determine the areas to be audited.
B. The skill sets of the audit staff should have been considered before deciding and
selecting the audit. Where the skills are inadequate, the organization should consider
utilizing external resources.
C. Test steps for the audit are not as critical during the audit planning process as
identifying the areas of risk that should be audited.
D. The time allotted for an audit is determined during the planning process based on the
areas to be audited, and is primarily based on the requirement for conducting an
appropriate audit.
Answer: A. ISACA ID: C0030; TS 1.2 (A1-22 in 2016 book)

22. The extent to which data will be collected during an IS audit should be determined based
on the:
A availability of critical and required information.
B auditor's familiarity with the circumstances.
C auditee's ability to find relevant evidence.
D purpose and scope of the audit being done.

A. The extent to which data will be collected during an IS audit should be based on the
scope, purpose and requirements of the audit and not be constrained by the ease of

B. An IS auditor must be objective and thorough and not subject to audit risk through
preconceived expected results based on familiarity with the area being audited.
C. Collecting all the required evidence is a required element of an IS audit, and the scope

evidence is not readily available, the auditor must ensure that other forms of audit are
considered to ensure compliance in the area subject to audit.
D. The extent to which data will be collected during an IS audit should be related
directly to the scope and purpose of the audit. An IS audit with a narrow purpose and
scope or just a high-level review would most likely require less data collection than an
audit with a wider purpose and scope.
Answer: D. ISACA ID: C0032; TS 1.2 (A1-24 in 2016 book)

T1.2 Plan audits to determine if IS are protected & provide value
23. While planning an IS audit, an assessment of risk should be made to provide:
A reasonable assurance that the audit will cover material items.
B definite assurance that material items will be covered during the audit work.
C reasonable assurance that all items will be covered by the audit.
D sufficient assurance that all items will be covered during the audit work.

A. ISACA IS Audit and Assurance Guideline 2202 (Risk Assessment in Planning) states
that the applied risk assessment approach should help with the prioritization and
scheduling process of the IS audit and assurance work. It should support the selection
process of areas and items of audit interest and the decision process to design and
conduct particular IS audit engagements.
B. Definite assurance that material items will be covered during the audit work is an
impractical proposition.
C. Reasonable assurance that all items will be covered during the audit work is not the
correct answer, as primarily it is material items that need to be covered, not all items.
D. Sufficient assurance that all items will be covered is not as important as ensuring that
the audit will cover all material items.
Answer: A. ISACA ID: C0034; TS 1.2 (A1-25 in 2016 book)

24. Which audit technique provides the BEST evidence of the segregation of duties in an IT
department?
A Discussion with management
B Review of the organization chart
C Observation and interviews
D Testing of user access rights

A. Management may not be aware of the detailed functions of each employee in the IT
department, and they may not be aware whether the controls are being followed.
Therefore, discussion with the management would provide only limited information
regarding segregation of duties.
B. An organization chart would not provide details of the functions of the employees or
whether the controls are working correctly.
C. Based on the observations and interviews, the IT auditor can evaluate the
segregation of duties. By observing the IS staff performing their tasks, an IS auditor can
identify whether they are performing any incompatible operations, and by interviewing
the IT staff, the auditor can get an overview of the tasks performed.
D. Testing of user rights would provide information about the rights they have within the
IS systems, but would not provide complete information about the functions they
perform. Observation would be a better option because user rights can be changed
between audits.
Answer: C. ISACA ID: C0053; TS 1.4 (A1-33 in 2016 book)

T1.2 Plan audits to determine if IS are protected & provide value
25. Data flow diagrams are used by IS auditors to:
A identify key controls.
B highlight high-level data definitions.
C graphically summarize data paths and storage.
D portray step-by-step details of data generation.

A. Identifying key controls is not the focus of data flow diagrams. The focus is, as the name
states, the flow of data.
B. A data dictionary may be used to document data definitions, but the data flow diagram
is used to document how data move through a process.
C. Data flow diagrams are used as aids to graph or chart data flow and storage. They
trace data from their origination to destination, highlighting the paths and storage of
data.
D. The purpose of a data flow diagram is to track the movement of data through a process
and is not primarily to document or indicate how data are generated.
Answer: C. ISACA ID: C0058; TS 1.2 or 1.3 (A1-37 in 2016 book)

26. An IS auditor reviews an organizational chart PRIMARILY for:
A an understanding of the complexity of the organizational structure.
B investigating various communication channels.
C understanding the responsibilities and authority of individuals.
D investigating the network connected to different employees.

A. Understanding the complexity of the organizational structure would not be the primary
reason to review an organizational chart because the chart will not necessarily depict the
complexity.
B. The organizational chart is a key tool for an auditor to understand roles and
responsibilities and reporting lines but is not used for examining communications
channels.
C. An organizational chart provides information about the responsibilities and authority
of individuals in the organization. This helps an IS auditor to know if there is a proper
segregation of functions.
D. A network diagram will provide information about the usage of various communication
channels and will indicate the connection of users to the network.
Answer: C. ISACA ID: C0060; TS 1.2 (A1-39 in 2016 book)

T1.2 Plan audits to determine if IS are protected & provide value
27. Which of the following is an advantage of an integrated test facility (ITF)?
A It uses actual master files or dummies and the IS auditor does not have to
review the source of the transaction.
B Periodic testing does not require separate test processes.
C It validates application systems and ensures the correct operation of the
system.
D The need to prepare test data is eliminated.

A. The integrated test facility (ITF) tests a test transaction as if it were a real transaction
and validates that transaction processing is being done correctly. It is not related to
reviewing the source of a transaction.
B. An ITF creates a fictitious entity in the database to process test transactions
simultaneously with live input. Its advantage is that periodic testing does not require
separate test processes. Careful planning is necessary, and test data must be isolated
from production data.
C. An ITF does validate the correct operation of a transaction in an application, but it does
not ensure that a system is being operated correctly.
D. The ITF is based on the integration of test data into the normal process flow, so test
data is still required.
Answer: B. ISACA ID: C0064; TS 1.2 or 1.3 (A1-41 in 2016 book)

28. An IS auditor performing a review of application controls would evaluate the:
A efficiency of the application in meeting the business processes.
B impact of any exposures discovered.
C business processes served by the application.
D application's optimization.

A. The IS auditor is reviewing the effectiveness of the controls, not the suitability of the
application to meet business needs.
B. … controls and an assessment of any exposures resulting from the control weaknesses.
C. The other choices may be objectives of an application audit but are not part of an audit
restricted to a review of the application controls.
D. One area to be reviewed may be the efficiency and optimization of the application, but
this is not the area being reviewed in this audit.
B ISACA ID: C0068; TS 1.2 (A1-44 in 2016 book)

29. An IS auditor should use statistical sampling and not judgmental (nonstatistical)
sampling, when:
A the probability of error must be objectively quantified.
B the auditor wants to avoid sampling risk.
C generalized audit software is unavailable.
D the tolerable error rate cannot be determined.

A. Given an expected error rate and confidence level, statistical sampling is an objective
method of sampling, which helps an IS auditor determine the sample size and quantify
the probability of error (confidence coefficient).
B. Sampling risk is the risk of a sample not being representative of the population. This
risk exists for both judgment and statistical samples.
C. Statistical sampling can use generalized audit software, but it is not required.
D. The tolerable error rate must be predetermined for both judgment and statistical
sampling.
A ISACA ID: C0632; TS 1.2 (A1-51 in 2016 book)

30. During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
A address audit objectives.
B collect sufficient evidence.
C specify appropriate tests.
D minimize audit resources.

A. ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit
work to address the audit objectives. The activities described in choices B, C and D are
all undertaken to address audit objectives and, thus, are secondary to choice A.
B. The IS auditor does not collect evidence in the planning stage of an audit.
C. Specifying appropriate tests is not the primary goal of audit planning.
D. Effective use of audit resources is a goal of audit planning, not minimizing audit
resources.
A ISACA ID: C0726; TS 1.2 (A1-55 in 2016 book)

31. When selecting audit procedures, an IS auditor should use professional judgment to
ensure that:
A sufficient evidence will be collected.
B significant deficiencies will be corrected within a reasonable period.
C all material weaknesses will be identified.
D audit costs will be kept at a minimum level.

A. Procedures are processes an IS auditor may follow in an audit engagement. In
determining the appropriateness of any specific procedure, an IS auditor should use
professional judgment appropriate to the specific circumstances. Professional judgment
involves a subjective and often qualitative evaluation of conditions arising in the course
of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not …
The IS auditor should use judgment in assessing the sufficiency of evidence to be …
performing IS audit work.
B. The correction of deficiencies is the responsibility of management and is not a part of
the audit procedure selection process.
C. Identifying material weaknesses is the result of appropriate competence, experience
and thoroughness in planning and executing the audit and not of professional judgment.
Professional judgment is not a primary input to the financial aspects of the audit. Audit
procedures and use of professional judgment cannot ensure that all
deficiencies/weaknesses will be identified and corrected.
D. Professional judgment will ensure that audit resources and costs are used wisely, but
this is not the primary objective of the auditor when selecting audit procedures.
A ISACA ID: C0727; TS 1.2 (A1-56 in 2016 book)

32. The PRIMARY reason an IS auditor performs a functional walk-through during the
preliminary phase of an audit assignment is to:
A understand the business process.
B comply with auditing standards.
C identify control weakness.
D develop the risk assessment.

A. Understanding the business process is the first step an IS auditor needs to perform.
B. ISACA IS Audit and Assurance Standards encourage adoption of the audit
procedures/processes required to assist the IS auditor in performing IS audits more
effectively. However, standards do not require an IS auditor to perform a process walk-
through at the commencement of an audit engagement.
C. Identifying control weaknesses is not the primary reason for the walk-through and
typically occurs at a later stage in the audit.
D. The main reason is to understand the business process. The risk assessment would be
developed after the business process is understood.
A ISACA ID: C0734; TS 1.2 (A1-61 in 2016 book)

33. An IS auditor evaluating logical access controls should FIRST:
A document the controls applied to the potential access paths to the system.
B test controls over the access paths to determine if they are functional.
C evaluate the security environment in relation to written policies and practices.
D obtain an understanding of the security risk to information processing.

A. Documentation and evaluation is the second step in assessing the adequacy, efficiency
and effectiveness of the controls and is based on the risk to the system that necessitates
the controls.
B. The third step is to test the access paths to determine if the controls are functioning.
C. It is only after the risk is determined and the controls documented that the IS auditor
can evaluate the security environment to assess its adequacy through review of the
written policies, observation of practices and comparison of them to appropriate security
good practices.
D. When evaluating logical access controls, an IS auditor should first obtain an
understanding of the security risk facing information processing by reviewing relevant
documentation, by inquiries, and conducting a risk assessment. This is necessary so that
the IS auditor can ensure the controls are adequate to address risk.
D ISACA ID: C0835; TS 1.2 (A1-71 in 2016 book)

34. During a change control audit of a production system, an IS auditor finds that the change
management process is not formally documented and that some migration procedures
failed. What should the IS auditor do next?
A Recommend redesigning the change management process.
B Gain more assurance on the findings through root cause analysis.
C Recommend that program migration be stopped until the change process is
documented.
D Document the finding and present it to management.

A. While it may be necessary to redesign the change management process, this cannot be
done until a root cause analysis is conducted to determine why the current process is not
being followed.
B. A change management process is critical to IT production systems. Before
recommending that the organization take any other action (e.g., stopping migrations,
redesigning the change management process), the IS auditor should gain assurance that
the incidents reported are related to deficiencies in the change management process
and not caused by some process other than change management.
C. A business relies on being able to make changes when necessary, and security patches
must often be deployed promptly. It would not be feasible to halt all changes until a new
process is developed.
D. The results of the audit including the findings of noncompliance will be delivered to
management once a root cause analysis of the issue has been completed.
B ISACA ID: C0931; TS 1.4 (A1-76 in 2016 book)

35. The PRIMARY purpose of an IT forensic audit is:
A to participate in investigations related to corporate fraud.
B the systematic collection and analysis of evidence after a system irregularity.
C to assess the correctness of an organization's financial statements.
D to preserve evidence of criminal activity.

A. Forensic audits are not limited to corporate fraud.
B. The systematic collection and analysis of evidence best describes a forensic audit.
The evidence collected could then be analyzed and used in judicial proceedings.
C. Assessing the correctness of an organization's financial statements is not the
purpose of most forensic audits.
D. Forensics is the investigation of evidence related to a crime or misbehavior. Preserving
evidence is the forensic process, but not the primary purpose.
B ISACA ID: C0934; TS 1.2 (A1-79 in 2016 book)

36. An IS auditor reviews one day of logs for a remotely managed server and finds one case
where logging failed and the backup restarts cannot be confirmed. What should the IS
auditor do?
A Issue an audit finding.
B Seek an explanation from IS management.
C Review the classifications of data held on the server.
D Expand the sample of logs reviewed.

A. At this stage it is too preliminary to issue an audit finding. Seeking an explanation from
management is advisable, but it would be better to gather additional evidence to properly
evaluate the seriousness of the situation.
B. Without gathering more information on the incident and the frequency of the incident,
it would be difficult to obtain a meaningful explanation from management.
C. A backup failure, which has not been established at this point, will be serious if it
involves critical data. However, the issue is not the importance of the data on the server,
where a problem has been detected, but whether a systematic control failure that
impacts other servers exists.
D. IS Audit and Assurance Standards require that an IS auditor gather sufficient and
appropriate audit evidence. The IS auditor has found a potential problem and now
needs to determine whether this is an isolated incident or a systematic control failure.
D ISACA ID: C0935; TS 1.3 (A1-80 in 2016 book)

37. An IS auditor is conducting a compliance test to determine whether controls support
management policies and procedures. The test will assist the IS auditor to determine:
A that the control is operating efficiently.
B that the control is operating as designed.
C the integrity of data controls.
D the reasonableness of financial reporting controls.

A. It is important that controls operate efficiently, but in this case the intent is to ensure
that the controls support management policies and procedures. Therefore, the important
issue is whether the controls are operating correctly and thereby meeting the control
objective.
B. Compliance tests can be used to test the existence and effectiveness of a defined
process. Understanding the objective of a compliance test is important. IS auditors
want reasonable assurance that the controls they are relying on are effective. An
effective control is one that meets management expectations and objectives.
C. Substantive tests, not compliance tests, are associated with data integrity.
D. Determining the reasonableness of financial reporting controls is a very narrow answer
in that it is limited to financial reporting. It meets the objective of determining whether
the controls are reasonable, but does not ensure that the control is working correctly and
thereby supporting management expectations and objectives.
B 2012 Supplement Question; ISACA ID: C1252; TS 1.3; A1-27 in 2016 book.

38. An IS auditor has been asked by management to review a potentially fraudulent
transaction. The PRIMARY focus of an IS auditor while evaluating the transaction should
be to:
A maintain impartiality while evaluating the transaction.
B ensure that the independence of an IS auditor is maintained.
C assure that the integrity of the evidence is maintained.
D assess all relevant evidence for the transaction.

A. Although it is important for an IS auditor to be impartial, in this case it is more critical
that the evidence be preserved.
B. Although it is important for an IS auditor to maintain independence, in this case it is
more critical that the evidence be preserved.
C. The IS auditor has been requested to perform an investigation to capture evidence
which may be used for legal purposes, and therefore, maintaining the integrity of the
evidence should be the foremost goal. Improperly handled computer evidence is
subject to being ruled inadmissible in a court of law.
D. While it is also important to assess all relevant evidence, it is more important to
maintain the chain of custody, which ensures the integrity of evidence.
C 2012 Supplement Question; ISACA ID: C1253; TS 1.3, A1-35 in 2016 book.

39. An IS auditor has identified a business process to be audited. The IS auditor should NEXT
identify the:
A most valuable information assets.
B IS audit resources to be deployed.
C auditee personnel to be interviewed.
D control objectives and activities.

A. All assets need to be identified, not just information assets. To determine the key
information assets to be audited, the IS auditor should first determine which control
objectives and key control activities should be validated. Only information assets that are
related to the control objectives and key control activities are relevant for scoping the
audit.
B. Only after determining which controls and related relevant information assets are to be
validated can the IS auditor decide on the key IS audit resources (with the relevant skill
sets) that should be deployed for the audit.
C. Only after determining the key control activities to be validated can the IS auditor
identify the relevant process personnel who should be interviewed.
D. Once the business process is identified, the IS auditor should first identify the control
objectives and activities associated with the business process that should be validated
in the audit.
D 2013 Supplement Question; C1350, Task Statement 1.2, A1-98 in 2016 book

40. Which of the following BEST describes the purpose of performing a risk assessment in
the planning phase of an IS audit?
A To establish adequate staffing requirements to complete the IS audit
B To provide reasonable assurance that all material items will be addressed
C To determine the skills required to perform the IS audit
D To develop the audit program and procedures to perform the IS audit

A. A risk assessment does not directly influence staffing requirements.
B. A risk assessment helps focus the audit procedures on the highest risk areas included
in the scope of the audit. The concept of reasonable assurance is important as well.
C. A risk assessment does not identify the skills required to perform an IS audit.
D. A risk assessment is not used in the development of the audit program and procedures.
B 2013 Supplement Question; AS1-8, C1355, Task Statement 1.1

41. Comparing data from an accounts payable application with invoices received from
vendors in the month of December is BEST described as:
A substantive testing.
B compliance testing.
C qualitative analysis.
D judgment sampling.

A. Substantive testing involves obtaining audit evidence on the completeness, accuracy
or existence of data at the individual transaction level. This can be achieved by
comparing the data in the application to the base document. In this case, comparison is
made between accounts payable data and the vendor invoices.
B. Compliance testing involves testing the controls designed to obtain audit evidence on
both the effectiveness of the controls and their operation during the audit period.
C. Qualitative analysis is typically related to risk analysis and should not be used in this
scenario.
D. Judgment sampling is a sample that is selected subjectively or not at random, or in
which the sampling results are not evaluated mathematically. This audit probably does
not require sampling because all activity in the month will be audited.
A Joleary: 2013 Supplement Question; AS1-9, C1356, Task Statement 1.2

42. An IS auditor wants to determine the number of purchase orders not appropriately
approved. Which of the following sampling techniques should an IS auditor use to draw
such conclusions?
A Attribute
B Variable
C Stop-or-go
D Judgment

A. Attribute sampling is used to test compliance of transactions to controls; in this
instance, the existence of appropriate approval.
B. Variable sampling is used in substantive testing situations and deals with population
characteristics that vary, such as monetary values and weights.
C. Stop-or-go sampling is used when the expected occurrence rate is extremely low.
D. Judgment sampling is not relevant here. It refers to a subjective approach of
determining sample size and selection criteria of elements of the sample.
A Joleary: 2013 Supplement Question; AS1-11, C1358, Task Statement 1.2

43. An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze
data. Which of the following attributes of evidence is MOST affected by the use of
CAATs?
A Usefulness
B Reliability
C Relevance
D Adequacy

A. Usefulness of audit evidence pulled by computer-assisted audit techniques (CAATs) is
determined by the audit objective, and the use of CAATs does not have as direct of an
impact on usefulness as reliability does.
B. Because the data are directly collected by the IS auditor, the audit findings can be
reported with an emphasis on the reliability of the records that are produced and
maintained in the system. The reliability of the source of information used provides
reassurance on the findings generated.
C. Relevance of audit evidence pulled by CAATs is determined by the audit objective, and
the use of CAATs does not have as direct of an impact on relevance as reliability does.
D. Adequacy of audit evidence pulled by CAATs is determined by the processes and
personnel who author the data, and the use of CAATs does not have any impact on
competence.
B Joleary: 2013 Supplement Question; AS1-12, C1359, Task Statement 1.2

44. An IS auditor is reviewing security controls for a critical web-based system prior to
implementation. The results of the penetration test are inconclusive, and the results will
not be finalized prior to implementation. Which of the following is the BEST option for
the IS auditor?
A Publish a report based on the available information, highlighting the potential
security weaknesses and the requirement for follow-up audit testing.
B Publish a report omitting the areas where the evidence obtained from testing
was inconclusive.
C Request a delay of the implementation date until additional security testing can
be completed and evidence of appropriate controls can be obtained.
D Inform management that audit work cannot be completed prior to
implementation and recommend that the audit be postponed.

A. If the IS auditor cannot gain sufficient assurance for a critical system within the
agreed-on time frame, this fact should be highlighted in the audit report and follow-up
testing should be scheduled for a later date. Management could then determine
whether any of the potential weaknesses identified were significant enough to delay
the go-live date for the system.
B. It is not acceptable for the IS auditor to ignore areas of potential weakness because
conclusive evidence could not be obtained within the agreed-on audit time frame. ISACA
IS Audit and Assurance Standards would be violated if these areas were omitted from the
audit report.
C. Extending the time frame for the audit and delaying the go-live date is unlikely to be
acceptable in this scenario where the system involved is business-critical. In any case, a
delay to the go-live date must be the decision of business management, not the IS
auditor. In this scenario, the IS auditor should present business management with all
available information by the agreed-on date.
D. Failure to obtain sufficient evidence in one part of an audit engagement does not
justify cancelling or postponing the audit; this would violate the audit guideline
concerning due professional care.
A ISACA ID: C1029; TS 1.4 (A1-4 in 2016 book)

45. What is the PRIMARY requirement that a data mining and auditing software tool should
meet? The software tool should:
A interface with various types of enterprise resource planning (ERP) software and
databases.
B … excessive performance problems.
C introduce audit hooks into the company's financial systems to support
continuous auditing.
D be customizable and support inclusion of custom programming to aid in
investigative analysis.

A. The product must interface with the types of systems used by the organization and
provide meaningful data for analysis.
B. While all of the choices above are desirable in a software tool evaluated for auditing
and data mining purposes, the most critical requirement is that the tool will work
effectively on the systems of the organization being audited.
C. The tool should probably work on more than just financial systems and will not
necessarily require implementation of audit hooks.
D. The tool should be flexible but not necessarily customizable. It should have built-in
analysis software tools.
B ISACA ID: C1032; TS 1.2 (A1-7 in 2016 book)

46. An IS auditor is reviewing access to an application to determine whether recently added
accounts were appropriately authorized. This is an example of:
A variable sampling.
B substantive testing.
C compliance testing.
D stop-or-go sampling.

A. Variable sampling is used to estimate numerical values such as dollar values.
B. Substantive testing substantiates the integrity of actual processing such as balances on
financial statements. The development of substantive tests is often dependent on the
outcome of compliance tests. If compliance tests indicate that there are adequate internal
controls, then substantive tests can be minimized.
C. Compliance testing determines whether controls are being applied in compliance
with policy. This includes tests to determine whether new accounts were appropriately
authorized.
D. Stop-or-go sampling allows a test to be stopped as early as possible and is not
appropriate for checking whether procedures have been followed.
C ISACA ID: C0001; TS 1.3 (A1-10 in 2016 book)

47. An IS auditor finds a small number of user access requests that had not been authorized
by managers through the normal predefined workflow steps and escalation rules. The IS
auditor should:
A perform an additional analysis.
B report the problem to the audit committee.
C conduct a security risk assessment.
D recommend that the owner of the identity management (IDM) system fix the
workflow issues.

A. The IS auditor needs to perform substantive testing and additional analysis to
determine why the approval and workflow processes are not working as intended.
Before making any recommendation, the IS auditor should gain a good understanding
of the scope of the problem and what factors caused this incident. The IS auditor should
identify whether the issue was caused by managers not following procedures, by a
problem with the workflow of the automated system or a combination of the two.
B. The IS auditor does not yet have enough information to report the problem.
C. Changing the scope of the IS audit or conducting a security risk assessment would
require more detailed information about the processes and violations being reviewed.
D. The IS auditor must first determine the root cause and impact of the findings and does
not have enough information to recommend fixing the workflow issues.
A ISACA ID: C1128; TS 1.3 (A1-16 in 2016 book)

48. Which of the following sampling methods is MOST useful when testing for compliance?
A Attribute sampling
B Variable sampling
C Stratified mean per unit sampling
D Difference estimation sampling

A. Attribute sampling is the primary sampling method used for compliance testing.
Attribute sampling is a sampling model that is used to estimate the rate of occurrence
of a specific quality (attribute) in a population and is used in compliance testing to
confirm whether the quality exists. For example, an attribute sample may check all
transactions over a certain pre-defined dollar amount for proper approvals.
B. Variable sampling is based on the calculation of a mean from a sample extracted from
the entire population and using that to estimate the characteristics of the entire
population. For example, a sample of 10 items shows an average price of US $10 per item.
For the entire population of 1,000 items, the total value would be estimated to be US
$10,000. This is not a good way to measure compliance with a process.
C. Stratified mean sampling attempts to ensure that the entire population is represented
in the sample. This is not an effective way to measure compliance.
D. Difference estimation sampling examines measured deviations and extraordinary items
and is not a good way to measure compliance.
A ISACA ID: C0014; TS 1.2 (A1-17 in 2016 book)

49. When testing program change requests for a remote system, an IS auditor finds that the
number of changes available for sampling would not provide a reasonable level of
assurance. What is the MOST appropriate action for the IS auditor to take?
A Develop an alternate testing procedure.
B Report the finding to management.
C Perform a walk-through of the change management process.
D Create additional sample data to test additional changes.

A. If a sample size objective cannot be met with the given data, the IS auditor would not
be able to provide assurance regarding the testing objective. In this instance, the IS
auditor should develop (with audit management approval) an alternate testing
procedure.
B. There is not enough evidence to report the finding as a deficiency.
C. A walk-through should not be initiated until an analysis is performed to confirm that
this could provide the required assurance.
D. It would not be appropriate for an IS auditor to create sample data for the purpose of
the audit.
A ISACA ID: C1129; TS 1.3 (A1-18 in 2016 book)

50. The vice president of human resources has requested an IS audit to identify payroll
overpayments for the previous year. Which would be the BEST audit technique to use in
this situation?
A Generate sample test data
B Generalized audit software
C Integrated test facility
D Embedded audit module

A. Test data would test for the existence of controls that might prevent overpayments,
but it would not detect specific, previous miscalculations.
B. Generalized audit software features include mathematical computations,
stratification, statistical analysis, sequence checking, duplicate checking and
recomputations. An IS auditor, using generalized audit software, could design
appropriate tests to recompute the payroll, thereby determining whether there were
overpayments and to whom they were made.
C. An integrated test facility would help identify a problem as it occurs but would not
detect errors for a previous period.
D. An embedded audit module can enable the IS auditor to evaluate a process and gather
audit evidence, but it would not detect errors for a previous period.
B ISACA ID: C0043; TS 1. (A1-28 in 2016 book)
