In planning an IS audit, the MOST critical step is the identification of the

(1) The most important step in a risk analysis is to identify:

A. competitors.
B. controls.
C. vulnerabilities.
D. liabilities.

Answer: C. vulnerabilities

Explanation: If vulnerabilities are not properly identified, controls and audit planning may not be
relevant. Vulnerabilities are a key element in the conduct of a risk analysis.

(2) In risk-based audit planning, an IS auditor's first step is to identify:

A. responsibilities of stakeholders.
B. high-risk areas within the organization.
C. cost center.
D. profit center.

Answer: B. high-risk areas within the organization.

Explanation: The first and most critical step in the process is to identify high-risk areas within the
organization. Once high-risk areas have been identified, audit planning is done accordingly.

(3) When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to
ensure that:

A. segregation of duties to mitigate risks is in place.
B. all the relevant vulnerabilities and threats are identified.
C. regulatory compliance is adhered to.
D. business is profitable.

Answer: B. all the relevant vulnerabilities and threats are identified.

Explanation: In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities
be understood. This will determine the areas to be audited and the extent of coverage.

(4) An IS auditor has identified certain threats and vulnerabilities in a business process. Next, the IS auditor should:

A. identify stakeholders for that business process.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.

Answer: D. identify and evaluate the existing controls.

Explanation: Before reaching any conclusion, the IS auditor should evaluate the existing controls and their
effectiveness. Upon completion of the audit, the IS auditor should describe and discuss with
management the threats and potential impacts on the assets.

(5) The major advantage of a risk-based approach to audit planning is:

A. Audit planning can be communicated to the client in advance.
B. Audit activity can be completed within the allotted budget.
C. Use of the latest technology for audit activities.
D. Appropriate utilization of resources for high-risk areas.

Answer: D. Appropriate utilization of resources for high-risk areas.

Explanation: The risk-based approach is designed to ensure audit time is spent on the areas of
highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit
schedules may be prepared months in advance using various scheduling methods. A risk approach
does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor
does it necessarily mean a wider variety of audits will be performed in a given year.

(6) While determining the appropriate level of protection for an information asset, an IS auditor
should primarily focus on:

A. Criticality of information asset.
B. Cost of information asset.
C. Owner of information asset.
D. Result of vulnerability assessment.

Answer: A. Criticality of information asset.

Explanation: The appropriate level of protection for an asset is determined based on the criticality
of the asset. Other factors are not as relevant as the sensitivity of the information asset to the
business.

(7) The decisions and actions of an IS auditor are MOST likely to affect which of the following
risks?

A. Inherent
B. Detection
C. Control
D. Business

Answer: B. Detection

Explanation: Detection risks are directly affected by the auditor's selection of audit procedures and
techniques. Inherent risks usually are not affected by the IS auditor. Control risks are controlled by
the actions of the company's management. Business risks are not affected by the IS auditor.

(8) The risk of an IS auditor certifying the existence of proper systems and procedures without using an
adequate test procedure is an example of:

A. inherent risk.
B. control risk.
C. detection risk.
D. audit risk.

Answer: C. detection risk.

Explanation: This is an example of detection risk. Detection risk is the risk that the auditors fail to
detect a material misstatement in the financial statements.

(9) The overall business risk for a particular threat can be expressed as:

A. a product of the probability and impact.
B. probability of occurrence.
C. magnitude of impact.
D. assumption of the risk assessment team.

Answer: A. a product of the probability and impact.

Explanation: Choice A takes into consideration the likelihood and magnitude of the impact and
provides the best measure of the risk to an asset. Choice B provides only the likelihood of
occurrence. Similarly, choice C considers only the magnitude of the damage and not the possibility
of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable
for a scientific risk management process.

(10) An IS auditor is evaluating management's risk assessment of information systems. The IS
auditor should FIRST review:

A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the risks related to the assets.
D. the threats/vulnerabilities affecting the assets.

Answer: D. the threats/vulnerabilities affecting the assets.

Explanation: One of the key factors to be considered while assessing the risks related to the use of
various information systems is the threats and vulnerabilities affecting the assets. Similarly, the
effectiveness of the controls should be considered during the risk mitigation stage and not during
the risk assessment phase. A mechanism to continuously monitor the risks related to assets should
be put in place during the risk monitoring function that follows the risk assessment phase.

(11) An IS auditor is performing a data center security review. Which of the following steps would the
IS auditor normally perform FIRST?

A. Evaluate physical access control.
B. Determine the vulnerabilities/threats to the data center site.
C. Review the screening process for hiring security staff.
D. Evaluate logical access control.

Answer: B. Determine the risks/threats to the data center site.

Explanation: During planning, the IS auditor should get an overview of the functions being audited
and evaluate the audit and business risks. Choices A and D are part of the audit fieldwork process
that occurs subsequent to this planning and preparation. Choice C is not part of a security review.

(12) A risk assessment approach is more suitable when determining the appropriate level of
protection for an information asset because it ensures:

A. all information assets are protected.
B. a basic level of protection is applied regardless of asset value.
C. appropriate levels of protection are applied to information assets.
D. only the most sensitive information assets are protected.

Answer: C. appropriate levels of protection are applied to information assets.

Explanation:
On the basis of the risk assessment, assets are classified according to their criticality. Then the appropriate
level of security is provided to data as per its classification.

(13) In a risk-based audit approach, an IS auditor should FIRST complete a(n):

A. inherent risk assessment.
B. control risk assessment.
C. test of control assessment.
D. substantive test assessment.

Answer: A. inherent risk assessment.

Explanation: The first step in a risk-based audit approach is to gather information about the
business and industry to evaluate the inherent risks. After completing the assessment of the
inherent risks, the next step is to complete an assessment of the internal control structure. The
controls are then tested and, on the basis of the test results, substantive tests are carried out and
assessed.

(14) In planning an audit, the MOST critical step is the identification of the:

A. areas of high risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit.

Answer: A. areas of high risk.

Explanation: When designing an audit plan, it is important to identify the areas of highest risk to
determine the areas to be audited. The skill sets of the audit staff should have been considered
before deciding and selecting the audit. Test steps for the audit are not as critical as identifying the
areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are
primarily selected based on the identification of risks.

(15) The risk assessment process is:

A. subjective.
B. objective.
C. mathematical.
D. statistical.

Answer: A. subjective.

Explanation: Risk assessment is based on the perception of the risk officer. There is no defined
mathematical or statistical formula for risk assessment. All risk assessment methodologies rely on
subjective judgments at some point in the process (e.g., for assigning weightings to the various
parameters).

(16) The result of the risk management process is used for:

A. forecasting profit.
B. post-implementation review.
C. designing controls.
D. user acceptance testing.

Answer: C. designing controls.

Explanation:
The ultimate objective of the risk management process is to ensure that identified risks are managed by
designing various controls. The risk management process is about making specific, security-related
decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk
management process.

(17) Managing risk to an acceptable level is the responsibility of:

A. risk management team.
B. senior business management.
C. the chief information officer.
D. the chief security officer.

Answer: B. senior business management.

Explanation:
Senior management cannot delegate their accountability for management of risk. They have the
ultimate or final responsibility for the effective and efficient operation of the organization. Choices
A, C and D should act as advisers to senior management in determining an acceptable risk level.

(18) Evaluation of IT risks can be done by:

A. finding threats/vulnerabilities associated with current IT assets.
B. trend analysis on the basis of past years' losses.
C. industry benchmarks.
D. reviewing IT control weaknesses identified in audit reports.

Answer: A. finding threats/vulnerabilities associated with current IT assets.

Explanation: To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or
quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk
assessment process, but by themselves not sufficient.

(19) An IS auditor is reviewing a payroll application and has identified some vulnerabilities in the system. What would be the next task?

A. Report the vulnerabilities to management immediately.
B. Examine the application development process.
C. Identify threats and likelihood of occurrence.
D. Recommend a new application.

Answer: C. Identify threats and likelihood of occurrence.

Explanation: The IS auditor must identify the assets, look for vulnerabilities, and then identify the
threats and the likelihood of occurrence.

(20) Absence of proper security measures represents a(n):

A. threat.
B. asset.
C. impact.
D. vulnerability.

Answer: D. vulnerability.

Explanation:
A vulnerability is a weakness or gap in our protection efforts. A vulnerability can take the form of weak
coding, missing anti-virus software, weak access control and other related factors. Vulnerabilities are
within our control.
A threat is what we are trying to protect against. The adversary could be an earthquake, fire, hackers,
malware, system failure, criminals and many other unknown forces. Threats are not within our
control.
A lack of adequate security functionality in this context is a vulnerability.

(21) An IS auditor is developing a risk management program. The FIRST activity to be performed is
a(n):

A. vulnerability assessment.
B. evaluation of control.
C. identification of assets.
D. gap analysis.

Answer: C. identification of assets.

Explanation: Identification of the assets to be protected is the first step in the development of a risk
management program. CISA aspirants should know the following steps of risk assessment:
• First step: identify the assets.
• Second step: identify the relevant risks (vulnerabilities/threats).
• Third step: perform impact analysis.
• Fourth step: prioritize the risks on the basis of impact.
• Fifth step: evaluate controls.
• Sixth step: apply appropriate controls.

(22) A benefit of developing organizational policies by a bottom-up approach is that they:

A. cover the whole organization.
B. are derived as a result of a risk assessment.
C. will be in line with overall corporate policy.
D. ensure consistency across the organization.

Answer: B. are derived as a result of a risk assessment.

Explanation:
A bottom-up approach begins by defining operational-level requirements and policies, which are
derived and implemented as the result of risk assessments. Enterprise-level policies are
subsequently developed based on a synthesis of existing operational policies. Choices A, C and D
are advantages of a top-down approach for developing organizational policies. That approach
ensures that the policies will not conflict with overall corporate policy and ensures consistency
across the organization.

(23) Risk can be mitigated by:

A. Implementing controls
B. Insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)

Answer: A. Security and control practices

Explanation:
Risks are mitigated by implementing appropriate security and control practices. Insurance is a
mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, and
contracts and SLAs are mechanisms of risk allocation.

(24) The most important factor when evaluating controls is to ensure that the controls:

A. address the risk.
B. do not reduce productivity.
C. are less costly than the risk.
D. are automated.

Answer: A. address the risk.

Explanation:
Though all of the above factors are important, it is essential that a control is able to address
the risk. When designing controls, it is necessary to consider all the above aspects. In an ideal
situation, controls that address all these aspects would be the best controls.

(25) The susceptibility of a business or process to make an error that is material in nature,
assuming there were no internal controls, is:

A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk

Answer: A. Inherent risk

Explanation:
Inherent risk means the risk that an activity would pose if no controls or other mitigating factors
were in place (the gross risk or risk before controls).

(26) The risk that the controls put in place will not prevent, correct, or detect errors on a timely basis is:

A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk

Answer: B. Control risk

Explanation:
Control risk means the risk that a misstatement could occur but may not be detected and corrected
or prevented by the entity's internal control mechanism.

(27) Which of the following factors should an IS auditor primarily consider when determining the
acceptable level of risk?

A. Risk acceptance is the responsibility of senior management.
B. All risks do not need to be eliminated for a business to be profitable.
C. Risks must be identified and documented in order to perform proper analysis on them.
D. Line management should be involved in the risk analysis because management sees risks daily
that others would not recognize.

Answer: C. Risks must be identified and documented in order to perform proper analysis on them.

Explanation:
Though all factors are relevant, the primary consideration should be documentation of the identified risks.
In order to manage and control a risk, it first must be recognized as a risk. Only after
documentation are the other factors considered.
