Which of the given sampling methods is most useful to an auditor when testing for compliance?
Answer: Attribute sampling. Attribute sampling is the primary sampling method used for compliance testing: it estimates the rate of occurrence of a given quality (attribute) in a population, such as "the form was authorized", and so tells the auditor whether a control is being applied. Variable sampling is most often used in substantive testing, which estimates numerical values such as balances or quantities.

The related CISA practice questions below give the context for that answer.

CISA Question 971
Question: Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Multiple cycles of backup files remain available.
Answer: A. Multiple cycles of backup files remain available.
Explanation: Backup files containing documents that supposedly have been deleted could be recovered from these files. Access controls may help establish accountability for the issuance of a particular document, but this does not provide evidence of the e-mail. Data classification standards may be in place with regard to what should be communicated via e-mail, but the creation of the policy does not provide the information required for litigation purposes.

CISA Question 972
Question: Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
Answer: A. Attribute sampling
Explanation: Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.

CISA Question 973
Question: The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:
A. information assets are overprotected.
Answer: C. appropriate levels of protection are applied to information assets.
Explanation: Full risk assessment determines the level of protection most appropriate to a given level of risk, while the baseline approach merely applies a standard set of protection regardless of risk. There is a cost advantage in not overprotecting information. However, an even bigger advantage is making sure that no information assets are over- or under-protected. The risk assessment approach ensures an appropriate level of protection is applied, commensurate with the level of risk and the asset value. The baseline approach directs resources equally to all assets rather than toward the assets at greater risk.

CISA Question 974
Question: An audit charter should:
A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.
Answer: D. outline the overall authority, scope and responsibilities of the audit function.
Explanation: An audit charter should state management's objectives for and delegation of authority to IS audit. This charter should not significantly change over time and should be approved at the highest level of management. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.

CISA Question 975
Question: Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.
Answer: D. resources are allocated to the areas of highest concern.
Explanation: The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach; audit schedules may be prepared months in advance using various scheduling methods. A risk-based approach has no direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.

CISA Question 976
Question: Which of the following is a substantive test?
A. Checking a list of exception reports
Answer: C. Using a statistical sample to inventory the tape library
Explanation: A substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures.

CISA Question 977
Question: Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
Answer: A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
Explanation: Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.

CISA Question 978
Question: The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent
Answer: B. Detection
Explanation: Detection risk is directly affected by the auditor's selection of audit procedures and techniques. Inherent risk is not usually affected by an IS auditor. Control risk is controlled by the actions of the company's management. Business risk is not affected by an IS auditor.

CISA Question 979
Question: An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:
A. variable sampling.
Answer: C. compliance testing.
Explanation: Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests: if compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

CISA Question 980
Question: An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered?
A. Substantive
Answer: A. Substantive
Explanation: Using a statistical sample to inventory the tape library is an example of a substantive test, because it checks whether the library records state the actual quantity correctly rather than whether a control was followed. Attribute sampling is most often used in compliance tests and variable sampling is most often used in substantive tests.
Related question: Which of the following sampling methods would be the MOST effective to determine whether access rights granted to staff have been authorized as per the authorization matrix? (A variant of the same question asks whether purchase orders issued to vendors have been authorized as per the authorization matrix.)
Answer: C. Attribute sampling. Attribute sampling is the method used for compliance testing: each sampled item either has the attribute (it was approved by someone the matrix permits) or does not, and the auditor uses the sample deviation rate to judge whether the control is operating.
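The following is an added worked example, not part of the original page or of any ISACA material, showing what an attribute-sampling compliance test of "new user" forms against an authorization matrix looks like in code. The authorization matrix, the provisioning forms and the 3 % deviation rate are all constructed for the example, and the upper deviation limit is computed with an exact one-sided binomial (Clopper-Pearson) bound rather than read from the printed sampling tables auditors usually use; the resulting sample sizes (59 and 93 at 95 % confidence and a 5 % tolerable rate) agree with those tables.

```python
"""Attribute sampling for a compliance test (added example; constructed data)."""
import random
from math import comb

# Hypothetical authorization matrix: role granted -> approvers permitted to grant it.
AUTH_MATRIX = {
    "dba": {"cto", "it-director"},
    "developer": {"engineering-manager", "it-director"},
    "finance-user": {"cfo", "controller"},
}


def is_authorized(form):
    """The attribute under test: was the form approved by someone the matrix permits?"""
    return form["approver"] in AUTH_MATRIX.get(form["role"], set())


def make_population(size, deviation_rate=0.03, seed=7):
    """Construct a population of 'new user' forms (sample data, not real records).
    A fraction deviation_rate is signed by 'helpdesk', which the matrix never
    permits, so those forms lack the attribute."""
    rng = random.Random(seed)
    roles = sorted(AUTH_MATRIX)
    forms = []
    for i in range(size):
        role = rng.choice(roles)
        if rng.random() < deviation_rate:
            approver = "helpdesk"
        else:
            approver = rng.choice(sorted(AUTH_MATRIX[role]))
        forms.append({"form_id": i, "role": role, "approver": approver})
    return forms


def binom_cdf(n, k, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n, deviations, confidence=0.95):
    """Exact one-sided upper bound on the population deviation rate: the largest
    rate p at which seeing `deviations` or fewer exceptions in n items is still
    at least (1 - confidence) likely.  binom_cdf falls as p rises, so bisect."""
    if deviations >= n:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(n, deviations, mid) > alpha:
            lo = mid  # this rate is still consistent with the sample; move up
        else:
            hi = mid
    return hi


def sample_size_for(tolerable_rate, confidence=0.95, expected_deviations=0):
    """Smallest sample whose upper deviation limit stays within the tolerable
    rate if the sample turns up `expected_deviations` exceptions."""
    n = expected_deviations + 1
    while upper_deviation_limit(n, expected_deviations, confidence) > tolerable_rate:
        n += 1
    return n


def attribute_sample_test(population, sample_size, tolerable_rate,
                          confidence=0.95, seed=1):
    """Compliance test: draw a random sample, count items lacking the attribute,
    and rely on the control only if the upper deviation limit is tolerable."""
    rng = random.Random(seed)
    sample = rng.sample(population, sample_size)
    exceptions = [f["form_id"] for f in sample if not is_authorized(f)]
    udl = upper_deviation_limit(sample_size, len(exceptions), confidence)
    return {
        "sample_size": sample_size,
        "deviations": len(exceptions),
        "sample_deviation_rate": len(exceptions) / sample_size,
        "upper_deviation_limit": udl,
        "control_reliable": udl <= tolerable_rate,
        "exception_ids": exceptions,
    }


if __name__ == "__main__":
    tolerable, confidence = 0.05, 0.95
    n = sample_size_for(tolerable, confidence)  # 59 when no deviations are expected
    result = attribute_sample_test(make_population(2000), n, tolerable, confidence)
    print(f"sample size {n}, deviations {result['deviations']}, "
          f"UDL {result['upper_deviation_limit']:.3f}, "
          f"control reliable: {result['control_reliable']}")
```

The design point is the one the questions above make: the test never estimates a quantity, only the rate at which the attribute "authorized per the matrix" is absent, which is what makes it a compliance test; inventorying the tape library with a sample would instead use variable sampling to estimate a count, a substantive test. Note also that the decision is made on the upper deviation limit, not the raw sample rate, so a zero-exception sample of 59 at 95 % confidence only supports a 5 % tolerable rate, and one exception pushes the required sample to 93.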