Contoh soal ujian cisa Area 1 ( Audit process)

Dalam ujian CISA itu soalnya terbagi menjadi bebapa area seperti telah di singgung pada posting sebelummnya. Kali ini saya ingin berbagi mengenai beberapa contoh soal ujian CISA. Soal di bawah ini adalah contoh soal untuk area 1 mengenai Information System Audit Process.

1.An IS auditor is reviewing access to an application to determine whether the 10 most recent “new user” forms were correctly authorized. This is an example of
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.

2. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent
B. Detection
C. Control
D. Business

3. Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.

4. Which of the following is a substantive test?
A. Checking a list of exception reports
B. Ensuring approval for parameter changes
C. Using a statistical sample to inventory the tape library
D. Reviewing password history reports

5.Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.

Kunci Jawaban dan penjelasannya:

1.C

Penjelasan :
Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values such as dollar values. Substantive testing substantiates the integrity of actual processing such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

2.B

Penjelasannya:
Detection risks are directly affected by the auditor’s selection of audit procedures and techniques. Inherent risks are not usually affected by an IS auditor. Control risks are controlled by the actions of the company’s management. Business risks are not affected by an IS auditor.

3.A
Penjelasan :
Choice A takes into consideration the likelihood and magnitude of the impact, and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process

4.C.
Penjelasan :
A substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of exception reports, reviewing authorization for changing parameters and reviewing password history reports are compliance tests.

5.D
Penjelasan :
The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a
wider variety of audits will be performed in a given year.