Audit-focused certification covering the IS audit process, governance and management of IT, systems acquisition and implementation, operations and resilience, and protection of information assets for the ISACA CISA exam, with a worked explanation on every practice question.
Free sample questions
No account needed. Every question has a worked explanation, just like the full bank.
Free sample | Information Systems Auditing Process | medium
An IS auditor is preparing the annual audit plan for a mid-sized retail bank. Senior management has asked that prior-year findings drive the selection of auditable units, while the audit committee has asked for coverage that reflects the bank's current risk profile. Which approach should the IS auditor adopt as the PRIMARY basis for selecting auditable units?
- A. Assess inherent risk, control risk and detection risk for each auditable unit and allocate effort to the highest residual risk areas. (Correct)
- B. Schedule each auditable unit on a fixed three-year rotation so every system is covered at least once in the cycle.
- C. Re-audit every area where the previous year's report contained a high-rated finding before considering any new auditable units.
- D. Prioritise the auditable units that the available audit staff have the strongest technical familiarity with for the coming year.
Risk-based audit planning selects auditable units from inherent, control and detection risk rather than rotation, prior findings or auditor availability. ISACA IS Audit and Assurance Standards require the annual plan to reflect the organisation's current risk profile. The auditor combines inherent risk in each unit, the strength of related controls and the residual detection risk to rank units, so that scarce assurance effort lands where the chance and impact of material misstatement or control failure is greatest.
Why A is correct: This is the risk-based audit planning model required by ISACA standards; effort is concentrated where residual risk is highest, which is the defensible basis for an annual plan.
Why B is wrong: Fixed-rotation cycles are tempting because they look fair and predictable, but ISACA standards require selection driven by current inherent and control risk, not calendar rotation that ignores threat changes.
Why C is wrong: Following up prior findings is necessary but partial; it anchors the plan on history rather than the current risk profile and leaves emerging high-risk areas uncovered.
Why D is wrong: Staffing convenience is tempting in a resource-constrained team, but ISACA requires the plan to be driven by risk; auditor availability informs delivery, not selection.
Free sample | Information Systems Auditing Process | medium
During scoping of an annual audit, the chief information officer offers the IS auditor a paid weekend role helping to redesign the access-provisioning workflow that the auditor is scheduled to review three months later. According to the ISACA Code of Professional Ethics, what should the IS auditor do FIRST?
- A. Accept the engagement, document the dual role in the working papers and proceed with the planned audit under heightened supervision.
- B. Decline the design work and disclose the offer to the audit committee or other appropriate governance body before continuing planning. (Correct)
- C. Accept the design work but request that a peer auditor sign the eventual report so that independence in appearance is preserved.
- D. Defer a decision until after the planned audit is complete, then accept the design role once the report has been issued.
The ISACA Code of Professional Ethics requires the IS auditor to avoid self-review threats and disclose any conflicts that could impair independence. Independence in fact and in appearance is foundational to ISACA's ethics framework. Designing a control the auditor will later evaluate is a classic self-review threat; the prescribed response is to refuse the conflicting work and notify the body charged with governance so they can decide how the audit should proceed.
Why A is wrong: Documentation alone does not cure the conflict; the auditor would be opining on a control they helped design, which impairs independence in appearance and in fact.
Why B is correct: The ISACA Code requires the auditor to maintain independence and objectivity; declining design work over a process they will audit, and disclosing the offer, is the correct first response.
Why C is wrong: Swapping the signer is tempting because it appears to insulate the report, but the firm or function still has a self-review threat and the engagement remains compromised.
Why D is wrong: Deferring looks neutral, yet accepting future paid work from an auditee during planning still creates a familiarity and self-interest threat that should be disclosed now.
Free sample | Information Systems Auditing Process | medium
An IS auditor is scoping a review of a new cloud-based human resources system. The vendor cannot reconfigure the application to enforce maker-checker on bulk salary uploads in time for go-live, so the project sponsor proposes a quarterly reconciliation of upload files against approved change tickets. How should the IS auditor categorise the proposed reconciliation when documenting the control environment?
- A. As a preventive control that stops unauthorised salary changes from reaching the production payroll ledger.
- B. As a corrective control that automatically reverses any unauthorised salary uploads found in the production ledger.
- C. As a compensating control that substitutes for the missing maker-checker preventive control on bulk uploads. (Correct)
- D. As a directive control that instructs payroll staff how the bulk-upload approval workflow is supposed to operate.
When a primary preventive control is absent, an alternative control that mitigates the same risk should be documented as compensating, not preventive or detective alone. Control-type classification follows the control's function relative to the risk and the missing primary control. Because maker-checker (preventive) cannot be enforced, the quarterly reconciliation substitutes for it. ISACA guidance characterises such substitutes as compensating controls, distinct from purely detective controls that exist alongside a working preventive one.
Why A is wrong: Preventive controls act before the event; a reconciliation performed quarterly reviews entries after they have posted, so calling it preventive misclassifies its timing.
Why B is wrong: Corrective controls restore a correct state after detection; a reconciliation surfaces variances but does not, by itself, reverse the transactions it identifies.
Why C is correct: Compensating controls are introduced when a primary control cannot be implemented; the reconciliation provides a substitute assurance over the same risk and should be documented as such.
Why D is wrong: Directive controls are policies and procedures that set expectation; a reconciliation activity is an operating control, not a statement of how staff should behave.
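As an added illustration (not part of the original page or the exam explanation), the compensating reconciliation from this question written as a script: it reads the bulk salary upload extract and the approved change tickets, and reports every upload that has no approved ticket or whose amount differs from the approved figure. The file layouts and all sample rows are constructed for the example; the auditor's own reconciliation would use the bank's real extracts.

```python
# Added example: reconciliation of bulk salary uploads against approved change
# tickets. Because it runs after the uploads have posted, it detects rather than
# prevents unauthorised changes, which is why the page classes it as compensating.
import csv
from io import StringIO

# Constructed bulk-upload extract from the HR system: one row per salary change.
UPLOAD_FILE = """upload_id,employee_id,new_salary,uploaded_by,upload_date
U-1001,E-001,52000,hr_admin1,2024-04-02
U-1002,E-002,61000,hr_admin1,2024-04-02
U-1003,E-003,75000,hr_admin2,2024-05-15
U-1004,E-004,48000,hr_admin2,2024-06-20
"""

# Constructed change tickets from the ticketing system; only "approved" counts.
TICKET_FILE = """ticket_id,employee_id,approved_salary,approver,status
T-501,E-001,52000,hr_manager,approved
T-502,E-002,59000,hr_manager,approved
T-503,E-004,48000,hr_manager,pending
"""


def load_rows(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(upload_text, ticket_text):
    """Return a list of (upload_id, reason) exceptions for the audit file."""
    approved = {}
    for ticket in load_rows(ticket_text):
        if ticket["status"] == "approved":
            approved.setdefault(ticket["employee_id"], []).append(ticket)
    exceptions = []
    for upload in load_rows(upload_text):
        tickets = approved.get(upload["employee_id"], [])
        if not tickets:
            exceptions.append((upload["upload_id"], "no approved change ticket"))
        elif all(t["approved_salary"] != upload["new_salary"] for t in tickets):
            exceptions.append((upload["upload_id"], "amount differs from approved ticket"))
    return exceptions


if __name__ == "__main__":
    for upload_id, reason in reconcile(UPLOAD_FILE, TICKET_FILE):
        print(f"{upload_id}: {reason}")
```

Each exception line is an item for follow-up with the sponsor; a pending ticket (U-1004) is treated the same as a missing one, since the control only gives assurance over changes that were actually approved.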
Frequently asked questions
- How many questions are on the CISA exam?
- The Certified Information Systems Auditor (CISA) exam has 150 questions and runs for 240 minutes. The format is multiple choice, computer-based at PSI testing centres or remote proctored.
- What score do I need to pass CISA?
- The pass mark is 450 out of 800. Examworthy gives you a per-domain readiness score so you can see which domains are holding you back before you book.
- How much does the CISA exam cost?
- The exam costs 575 USD to sit. Practising on Examworthy is free to start, with a worked explanation on every question.
- How does Examworthy help me prepare for CISA?
- Every practice question carries a worked explanation and a per-distractor rationale, mapped to the official blueprint domains. You learn why each answer is right or wrong, not just the letter.
- Is Examworthy affiliated with ISACA?
- No. Examworthy is not affiliated with or endorsed by ISACA. Our questions are original, blueprint-aligned practice material; we never reproduce live exam items.
Examworthy is not affiliated with or endorsed by ISACA. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. CISA and related marks belong to their respective owners.