Audit Phases CISA Exam Notes, 36 Practice Questions

Correct: Option A – Relevant evidence directly supports the audit objective, test, or finding.

Wrong: Option B – Ease of availability does not make evidence relevant. Option C – System age does not determine relevance. Option D – Verbal summaries may help but are generally weaker and may not be directly relevant.

Correct: Option B – Potentially material findings must be supported by sufficient and appropriate evidence before reporting.

Wrong: Option A – Reporting without adequate support is inappropriate. Option C – Management should not decide whether the auditor reports a valid finding. Option D – The issue should not be removed without completing validation.

Correct: Option B – In suspected fraud or forensic situations, evidence preservation is critical because evidence may be used in legal proceedings.

Wrong: Option A – Speed should not compromise evidence integrity. Option C – Broad notification may compromise the investigation. Option D – Reducing scope may prevent proper evaluation.

Correct: Option B – Read-only access protects production data from unauthorized changes while allowing analysis.

Wrong: Option A – Admin access creates unnecessary risk. Option C – Developer access is not needed for audit data analysis. Option D – Emergency access should not be used for routine audit work.

Correct: Option B – The auditor should evaluate the expert’s competence, objectivity, and work quality.

Wrong: Option A – Blind reliance on expert work is inappropriate. Option C – Responsibility for audit conclusions is not fully transferred. Option D – Relevant expert work should be documented.

Correct: Option B – Access to audit documentation by external parties should be approved appropriately, often involving senior management and legal counsel.

Wrong: Option A – The auditor should not release work papers based only on apparent legitimacy. Option C – Informal notes may still be sensitive audit documentation. Option D – The process owner alone should not decide on release of auditor work papers.

Correct: Option C – Audit work papers are generally the property of the auditor or audit organization.

Wrong: Option A – Management may provide information but does not own the auditor’s work papers. Option B – Process owners may be subjects of audit, not owners of work papers. Option D – Regulators may request access, but they do not own the work papers.

Correct: Option B – Evidence must be both relevant and reliable; weak evidence should be corroborated.

Wrong: Option A – Relevance alone is not enough. Option C – Ignoring the issue may miss a valid finding. Option D – Reporting without reliable support is premature.

Correct: Option B – Substantive testing examines transactions or data in detail for accuracy, completeness, or validity.

Wrong: Option A – Existence of policy is usually checked through inspection/compliance review. Option C – Audit charter approval is governance-related. Option D – Annual plan review relates to audit governance/planning.

Correct: Option B – Compliance testing checks whether policies, procedures, and controls are followed.

Wrong: Option A – This is closer to substantive testing. Option C – Report distribution is administrative. Option D – Management acceptance relates to reporting, not compliance testing.

Correct: Option C – Reperformance directly tests whether a control operates as intended.

Wrong: Option A – Inquiry alone provides weak evidence. Option B – Policy review supports design understanding, not operating effectiveness. Option D – Prior reports are useful for planning, not current operating effectiveness.

Correct: Option B – A walkthrough helps the auditor understand control design and process flow.

Wrong: Option A – Operating effectiveness requires testing, often through reperformance or sample testing. Option C – Financial transaction accuracy is usually tested through substantive procedures. Option D – Corrective action verification occurs during follow-up.

Correct: Option B – Management representation should be corroborated with supporting evidence.

Wrong: Option A – Management assertion alone is not sufficient. Option C – A statement is not automatically a finding. Option D – The auditor must verify before concluding.

Correct: Option C – Independent external evidence is generally more reliable than internal or oral evidence.

Wrong: Option A – Oral management evidence is relatively weak. Option B – Internal evidence may be useful but can be biased or manipulated. Option D – Informal summaries may lack completeness and reliability.

Correct: Option B – Appropriateness means the evidence is relevant and reliable.

Wrong: Option A – Quantity relates to sufficiency. Option C – Interviews may help but do not alone determine appropriateness. Option D – Report length has no direct relationship to evidence quality.

Correct: Option B – Sufficiency refers to whether enough evidence has been gathered.

Wrong: Option A – Reliability relates to appropriateness, not sufficiency. Option C – Independence affects reliability. Option D – Complexity does not determine sufficiency.

Correct: Option A – Audit conclusions should be based on evidence that is sufficient in quantity and appropriate in quality.

Wrong: Option B – Verbal and informal evidence alone is generally weak. Option C – Historical evidence may help, but current relevant evidence is needed. Option D – Evidence does not need to be complex; it needs to be relevant and reliable.

Correct: Option C – Evidence obtained directly by the auditor through independent testing is generally the most reliable.

Wrong: Option A – Oral evidence is weaker than written or independently obtained evidence. Option B – A screenshot from management may be useful but can be altered or incomplete. Option D – Internal reports are useful but less reliable than auditor-obtained evidence.

Correct: Option B – Potentially material findings require sufficient and appropriate evidence before reporting.

Wrong: Option A – Reporting without adequate support is inappropriate. Option C – A potentially material issue should not be ignored. Option D – Management self-certification alone is not sufficient audit evidence.

Correct: Option C – The audit program should be based on objectives and risk assessment results; ignoring risk may miss high-risk areas.

Wrong: Option A – Step-by-step procedures are expected in an audit program. Option B – Alignment to objectives is desirable. Option D – Identifying evidence requirements supports effective fieldwork.

Correct: Option B – Follow-up should verify both implementation and effectiveness. If the control does not operate effectively, remediation is incomplete.

Wrong: Option A – Existence of a control does not prove effectiveness. Option C – Good faith does not eliminate unresolved risk. Option D – Ineffective remediation should be tracked and escalated as appropriate rather than ignored.

Correct: Option A – The auditor should revalidate evidence and evaluate whether the compensating control effectively reduces risk.

Wrong: Option B – A finding should not be removed without evidence-based analysis. Option C – Escalation may be needed later if disagreement remains unresolved. Option D – Management’s explanation should be considered but not accepted without validation.

Correct: Option B – Findings identified during the audit should be reported, along with corrective action taken.

Wrong: Option A – Correction does not erase the existence of the weakness during the audit period. Option C – Residual risk still needs assessment and documentation. Option D – The final report should accurately reflect audit results.

Correct: Option C – If a weakness could materially affect the audited area, the auditor should consider relevant controls and recommend further review or scope adjustment as needed.

Wrong: Option A – Significant related weaknesses should not be ignored. Option B – Reporting without validation is premature. Option D – Canceling the audit is unnecessary unless justified by exceptional circumstances.

Correct: Option B – Reviewing prior reports helps identify known risks, recurring issues, and unresolved findings.

Wrong: Option A – A current risk assessment is still necessary. Option C – Prior conclusions should not be copied without current evidence. Option D – Fieldwork remains necessary to gather current audit evidence.

Correct: Option B – Follow-up requires verifying that corrective action has been implemented and is effective.

Wrong: Option A – Management assertion alone is not sufficient evidence. Option C – Original findings should remain part of the audit record. Option D – A focused follow-up is often sufficient; a full audit is not automatically required.

Correct: Option B – When management disagrees, the auditor should explain the significance of the finding and risk of not correcting it.

Wrong: Option A – A valid finding should not be removed solely due to disagreement. Option C – Regulator escalation is not the normal first step. Option D – The audit should continue with proper documentation and reporting.

Correct: Option A – Findings should be discussed with auditee management to confirm factual accuracy and obtain responses.

Wrong: Option B – Disagreement does not automatically invalidate a finding. Option C – Findings must be supported by sufficient evidence. Option D – Corrective actions can be tracked during follow-up after the report is issued.

Correct: Option B – Risk-based planning directs limited audit resources to the highest-risk areas.

Wrong: Option A – Equal coverage may waste effort on low-risk areas. Option C – Delaying does not address current risks. Option D – Management input is useful but should not override risk-based prioritization.

Correct: Option B – A potential finding must be supported by sufficient and appropriate evidence before reporting.

Wrong: Option A – Reporting is premature without validation. Option C – Removing the item from scope is inappropriate without justification. Option D – Management may remediate later, but the auditor must first validate and document the issue.

Correct: Option C – Follow-up tracks and verifies whether management implemented agreed corrective actions.

Wrong: Option A – Defining objectives is part of planning. Option B – Evidence documentation occurs during fieldwork/documentation. Option D – Scope approval is part of planning.

Correct: Option C – The final audit report normally includes findings, recommendations, conclusions, and management responses/action plans.

Wrong: Option A – Detailed audit procedures are retained in work papers. Option B – The report should include the auditor’s findings, not only management’s opinion. Option D – Prior unresolved findings may be relevant, but the report is not limited to them.

Correct: Option B – Audit documentation records procedures performed, evidence obtained, findings, and conclusions.

Wrong: Option A – Documentation supports testing but does not replace it. Option C – Management action plans may be captured but are not approved through documentation. Option D – Follow-up remains necessary to confirm remediation.

Correct: Option B – Fieldwork includes evidence collection, interviews, observations, control testing, and data analysis.

Wrong: Option A – Planning defines objectives, scope, and audit approach. Option C – Reporting summarizes findings and recommendations. Option D – Follow-up verifies remediation after reporting.

Correct: Option B – Risk assessment is critical because it identifies high-risk areas and helps prioritize audit resources.

Wrong: Option A – Final reporting occurs after fieldwork. Option C – Substantive testing occurs during fieldwork. Option D – Follow-up occurs after the audit report is issued.

Correct: Option B – Planning includes defining the audit subject, objectives, scope, risk assessment, audit approach, and resource requirements.

Wrong: Option A – Fieldwork focuses on evidence collection and testing controls. Option C – Reporting communicates audit results and recommendations. Option D – Follow-up verifies corrective actions after reporting.