Download New Updated (July) Isaca CISA Actual Test 261-270

Ensurepass

 

QUESTION 261

An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:

 

A. evaluate the record retention plans for off-premises storage.

B. interview programmers about the procedures currently being followed.

C. compare utilization records to operations schedules.

D. review data file access records to test the librarian function.

 

Correct Answer: B

Explanation:

Asking programmers about the procedures currently being followed is useful in determining whether access to program documentation is restricted to authorized persons. Evaluating the record retention plans for off-premises storage tests the recovery procedures, not the access control over program documentation. Testing utilization records or data files will not address access security over program documentation.

 

 

QUESTION 262

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:

 

A. audit trail of the versioning of the work papers.

B. approval of the audit phases.

C. access rights to the work papers.

D. confidentiality of the work papers.

 

Correct Answer: D

Explanation:

Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.

 

 

QUESTION 263

During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:

 

A. record the observations separately with the impact of each of them marked against each respective finding.

B. advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones.

C. record the observations and the risk arising from the collective weaknesses.

D. apprise the departmental heads concerned with each observation and properly document it in the report.

 

Correct Answer: C

Explanation:

Individually the weaknesses are minor; however, together they have the potential to substantially weaken the overall control structure. Choices A and D reflect a failure on the part of an IS auditor to recognize the combined effect of the control weaknesses. Advising the local manager without reporting the facts and observations would conceal the findings from other stakeholders.

 

 

QUESTION 264

When selecting audit procedures, an IS auditor should use professional judgment to ensure that:

 

A. sufficient evidence will be collected.

B. all significant deficiencies identified will be corrected within a reasonable period.

C. all material weaknesses will be identified.

D. audit costs will be kept at a minimum level.

 

Correct Answer: A

Explanation:

Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate and the auditor’s past experience plays a key role in making a judgment. ISACA’s guidelines provide information on how to meet the standards when performing IS audit work.

Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the audit.

 

 

QUESTION 265

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?

 

A. System log analysis

B. Compliance testing

C. Forensic analysis

D. Analytical review

 

Correct Answer: B

Explanation:

Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. It is unlikely that the system log analysis would provide information about the modification of programs. Forensic analysis is a specialized technique for criminal investigation. An analytical review assesses the general control environment of an organization.

 

 

QUESTION 266

While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor’s next step?

 

A. Observe the response mechanism.

B. Clear the virus from the network.

C. Inform appropriate personnel immediately.

D. Ensure deletion of the virus.

 

Correct Answer: C

Explanation:

The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response. Choice A should be taken after choice C. This will enable an IS auditor to examine the actual workability and effectiveness of the response system. An IS auditor should not make changes to the system being audited, and ensuring the deletion of the virus is a management responsibility.

 

 

QUESTION 267

In planning an audit, the MOST critical step is the identification of the:

 

A. areas of high risk.

B. skill sets of the audit staff.

C. test steps in the audit.

D. time allotted for the audit.

 

Correct Answer: A

Explanation:

When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding and selecting the audit. Test steps for the audit are not as critical as identifying the areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are primarily selected based on the identification of risks.

 

 

QUESTION 268

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?

 

A. Attribute sampling

B. Generalized audit software (GAS)

C. Test data

D. Integrated test facility (ITF)

 

Correct Answer: B

Explanation:

Generalized audit software (GAS) would enable the auditor to review the entire invoice file to look for those items that meet the selection criteria. Attribute sampling would aid in identifying records meeting specific conditions, but would not compare one record to another to identify duplicates. To detect duplicate invoice records the IS auditor should check all of the items that meet the criteria and not just a sample of the items. Test data are used to verify program processing, but will not identify duplicate records. An integrated test facility (ITF) allows the IS auditor to test transactions through the production system, but would not compare records to identify duplicates.

 

 

QUESTION 269

The PRIMARY purpose of an IT forensic audit is:

 

A. to participate in investigations related to corporate fraud.

B. the systematic collection of evidence after a system irregularity.

C. to assess the correctness of an organization’s financial statements.

D. to determine that there has been criminal activity.

 

Correct Answer: B

Explanation:

Choice B describes a forensic audit. The evidence collected could then be used in judicial proceedings. Forensic audits are not limited to corporate fraud. Assessing the correctness of an organization’s financial statements is not the purpose of a forensic audit. Drawing a conclusion as to criminal activity would be part of a legal process and not the objective of a forensic audit.

 

 

QUESTION 270

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:

 

A. schedule the audits and monitor the time spent on each audit.

B. train the IS audit staff on current technology used in the company.

C. develop the audit plan on the basis of a detailed risk assessment.

D. monitor progress of audits and initiate cost control measures.

 

Correct Answer: C

Explanation:

Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff’s productivity (efficiency and performance), but what delivers value to the organization is the resources and efforts being dedicated to, and focused on, the higher-risk areas.

 
