Download New Updated (July) Isaca CISA Actual Test 271-280


 

 

QUESTION 271

When assessing the design of network monitoring controls, an IS auditor should FIRST review network:

 

A. topology diagrams.

B. bandwidth usage.

C. traffic analysis reports.

D. bottleneck locations.

 

Correct Answer: A

Explanation:

The first step in assessing network monitoring controls should be the review of the adequacy of network documentation, specifically topology diagrams. If this information is not up to date, then monitoring processes and the ability to diagnose problems will not be effective.

 

 

QUESTION 272

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:

 

A. can identify high-risk areas that might need a detailed review later.

B. allows IS auditors to independently assess risk.

C. can be used as a replacement for traditional audits.

D. allows management to relinquish responsibility for control.

 

Correct Answer: A

Explanation:

CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect, because CSA requires the involvement of auditors and line management. What occurs is that the internal audit function shifts some of the control monitoring responsibilities to the functional areas. Choice C is incorrect because CSA is not a replacement for traditional audits. CSA is not intended to replace audit’s responsibilities, but to enhance them. Choice D is incorrect, because CSA does not allow management to relinquish its responsibility for control.

 

 

QUESTION 273

The final decision to include a material finding in an audit report should be made by the:

 

A. audit committee.

B. auditee’s manager.

C. IS auditor.

D. CEO of the organization.

 

Correct Answer: C

Explanation:

The IS auditor should make the final decision about what to include or exclude from the audit report. The other choices would limit the independence of the auditor.

 

 

QUESTION 274

Which of the following forms of evidence for the auditor would be considered the MOST reliable?

 

A. An oral statement from the auditee

B. The results of a test performed by an IS auditor

C. An internally generated computer accounting report

D. A confirmation letter received from an outside source

 

Correct Answer: D

Explanation:

Evidence obtained from outside sources is usually more reliable than that obtained from within the organization. Confirmation letters received from outside parties, such as those used to verify accounts receivable balances, are usually highly reliable. Testing performed by an auditor may not be reliable, if the auditor did not have a good understanding of the technical area under review.

 

 

QUESTION 275

During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:

 

A. create the procedures document.

B. terminate the audit.

C. conduct compliance testing.

D. identify and evaluate existing practices.

 

Correct Answer: D

Explanation:

One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation, as doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.

 

 

QUESTION 276

An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:

 

A. the probability of error must be objectively quantified.

B. the auditor wishes to avoid sampling risk.

C. generalized audit software is unavailable.

D. the tolerable error rate cannot be determined.

 

Correct Answer: A

Explanation:

Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Choice B is incorrect because sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples. Choice C is incorrect because statistical sampling does not require the use of generalized audit software. Choice D is incorrect because the tolerable error rate must be predetermined for both judgment and statistical sampling.

 

 

QUESTION 277

Which of the following is an advantage of an integrated test facility (ITF)?

 

A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.

B. Periodic testing does not require separate test processes.

C. It validates application systems and tests the ongoing operation of the system.

D. The need to prepare test data is eliminated.

 

Correct Answer: B

Explanation:

An integrated test facility creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.

 

 

QUESTION 278

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:

 

A. address audit objectives.

B. collect sufficient evidence.

C. specify appropriate tests.

D. minimize audit resources.

 

Correct Answer: A

Explanation:

ISACA auditing standards require that an IS auditor plan the audit work to address the audit objectives. Choice B is incorrect because the auditor does not collect evidence in the planning stage of an audit. Choices C and D are incorrect because they are not the primary goals of audit planning. The activities described in choices B, C and D are all undertaken to address audit objectives and are thus secondary to choice A.

 

 

QUESTION 279

While planning an audit, an assessment of risk should be made to provide:

 

A. reasonable assurance that the audit will cover material items.

B. definite assurance that material items will be covered during the audit work.

C. reasonable assurance that all items will be covered by the audit.

D. sufficient assurance that all items will be covered during the audit work.

 

Correct Answer: A

Explanation:

The ISACA IS Auditing Guideline G15 on planning the IS audit states, ‘An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems.’ Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

 

 

QUESTION 280

Which of the following would normally be the MOST reliable evidence for an auditor?

 

A. A confirmation letter received from a third party verifying an account balance

B. Assurance from line management that an application is working as designed

C. Trend data obtained from World Wide Web (Internet) sources

D. Ratio analysis developed by the IS auditor from reports supplied by line management

 

Correct Answer: A

Explanation:

Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable.

 
