Audit Charter CISA Exam Notes, 18 Practice MCQs
An audit charter is the formal document that establishes the IS audit function inside an organization and defines its:
Authority
Scope
Responsibilities
Reporting relationships
In simple words, the audit charter gives the IS audit function its official authority to audit, access information, report findings, and remain independent.
Why Is an Audit Charter Needed?
An internal IS audit department cannot work effectively based only on informal approval.
The audit charter formally answers:
| Question | Audit Charter Answer |
|---|---|
| Who created the IS audit function? | Highest management / audit committee / board |
| What can auditors review? | Systems, processes, controls, records, departments, third parties |
| What authority does audit have? | Right to access required information and people |
| Whom does audit report to? | Audit committee / board / highest level |
| What is audit responsible for? | Assurance, review, reporting, follow-up, and sometimes consulting |
The last-day revision notes also describe the audit charter as the starting point for forming the internal IS audit department and as the document that defines authority, scope, and responsibility.
What an Audit Charter Should Cover
A good audit charter should clearly define:
Authority
The IS audit function must have the right to access relevant systems, data, people, documents, logs, locations, and third-party records.
Without access, audit cannot collect sufficient evidence.
Scope
The charter should define what areas IS audit can review, such as:
IT governance
Information security
Applications
Infrastructure
IT operations
Projects
Outsourcing
Compliance
Business continuity and disaster recovery
Responsibility
The charter should explain what audit is expected to do, such as planning audits, performing reviews, collecting evidence, reporting issues, and following up on corrective actions.
Reporting Line
The IS audit function should report to a level that supports independence, usually the audit committee, board, or highest management level.
Consulting Role
If IS audit provides advisory or consulting services, this should be clearly defined so that independence is not compromised.
Who Approves the Audit Charter?
The audit charter should be approved by the board, audit committee, or senior management if those governance bodies do not exist.
Why?
Because if IT management approves or controls the audit charter, audit independence may be weakened. The IS auditor may be auditing the same IT function that controls them.
Audit Charter and Independence
An approved audit charter protects the IS audit function’s independence from interference by the people or departments being audited.
For example:
| Weak Independence | Strong Independence |
|---|---|
| IS audit reports only to the CIO | IS audit reports to audit committee / board |
| IT management limits audit scope | Audit scope is defined in approved charter |
| Audit needs permission from auditee for every review | Audit has formal authority to access required information |
Audit Charter vs Engagement Letter
This is one of the most important exam traps.
| Point | Audit Charter | Engagement Letter / Contract / SOW |
|---|---|---|
| Applies to | Internal IS audit department | External auditor / service provider |
| Used for | Internal audit function | Specific audit engagement |
| Nature | Broad, ongoing authority document | Specific assignment document |
| Covers | Overall audit function | Objective, scope, timing, deliverables of one engagement |
| Approved by | Board / audit committee / senior management | Contracting parties |
If the question says internal IS audit function, think audit charter.
If the question says external IS audit firm, think engagement letter, contract, or statement of work.
Can the Audit Charter Be Changed?
Yes, but not frequently.
Once established, the audit charter should be changed only when there is a justified reason, such as:
Change in audit mandate
Change in organizational structure
New regulatory requirement
Expansion of IS audit responsibilities
New consulting/advisory role
Major change in technology or outsourcing model
Management should not change the audit charter frequently just to limit audit scope or avoid audit findings.
Where Does the Audit Charter Sit in ISACA Standards?
The Audit Charter falls under the General Standards category – those that apply before or at the start of an audit. It sits alongside other foundational standards such as Organizational Independence, Professional Independence and Due Professional Care. It is not a Performance Standard (those apply during the audit) and not a Reporting Standard (those apply at the end).
Common CISA Exam Traps
| Trap | Correct CISA Thinking |
|---|---|
| IT management approves the audit charter | Not ideal; highest governance level should approve |
| IS audit reports only to CIO | Independence concern |
| External audit firm uses audit charter | External audits use engagement letter / contract / SOW |
| Audit charter changed frequently | Should only change with valid justification |
| Audit charter only defines audit schedule | Too narrow; it defines authority, scope, responsibility, and reporting |
| Auditee restricts access to systems | Scope limitation; should be escalated or disclosed |
| Auditor lacks formal authority | Weak audit function |
Exam Mindset Needed for Audit Charter
For CISA, think like an independent auditor, not like an employee trying to get permission from departments.
When answering questions on audit charter, prioritize:
Independence
Formal authority
Approval by highest level
Clear scope
Right of access
Proper reporting line
The best answer usually supports the auditor’s ability to perform work objectively and without interference.
Last-Day Revision Notes
Remember this formula:
Audit Charter = Authority + Scope + Responsibility + Reporting + Independence
Quick points:
Audit charter formally establishes the internal IS audit function.
Should be approved by the board, audit committee, or highest management level.
Defines audit authority, scope, responsibility, accountability, and reporting.
IS Audit reports to the Audit Committee — best practice for independence.
Ensures auditor independence via authority + reporting to the Audit Committee.
IS audit should not be controlled by the department being audited.
Audit charter is mainly for internal audit.
External audit uses engagement letter.
The charter should not be changed frequently.
Any change to charter should be properly justified.
Grants unrestricted access to systems, people and locations – to collect sufficient and appropriate audit evidence.
Lack of access is a scope limitation and should be escalated or reported.
Auditors evaluate controls; management implements controls. Auditors must never design or operate the controls they audit.
Detailed procedures belong in audit programs, not the charter.
Falls under ISACA General Standards — applies before the audit starts.
Final CISA Takeaway
For the exam, treat the audit charter as the foundation document of the internal IS audit function.
It gives the audit function:
permission to audit, authority to access, responsibility to report, and independence to give objective assurance.
Audit Charter – 18 CISA Exam Practice MCQs
Created by Surendra, Domain 1
Audit Charter Practice Questions
1 / 18
Who should approve the IS audit charter?
❌ Option 1 — Incorrect. The CIO is responsible for IT strategy, operations, and systems — the very domains that the IS audit function is mandated to independently evaluate. Allowing the CIO to approve the charter that governs the audit function would create a direct conflict of interest, enabling the CIO to define or limit the scope and authority of a function meant to provide independent oversight of their own area. This fundamentally undermines audit independence.
✅ Option 2 — Correct. The audit charter must be approved by the audit committee or board — the highest governance body responsible for audit oversight. This approval ensures that the charter reflects the organization’s governance expectations, grants the audit function genuine authority and independence, and cannot be altered or overridden by operational management. Board-level approval is what gives the charter its organizational weight and protects the audit function from interference.
❌ Option 3 — Incorrect. The IT steering committee focuses on IT investment priorities, project governance, and technology strategy. While it plays an important role in IT governance, it is not the appropriate body to approve the IS audit charter because it is operationally oriented and does not represent the independent governance oversight that charter approval requires. Approval by an IT-focused committee could also introduce bias toward limiting audit authority over IT systems.
❌ Option 4 — Incorrect. While the IS audit manager or chief audit executive typically drafts or proposes the charter, the CEO approving it upon their recommendation does not provide the same governance independence as audit committee or board approval. The CEO is part of executive management — the function that internal audit is partly designed to provide assurance over. Charter approval must rest with a governance body independent of executive management to preserve the integrity of the audit function.
2 / 18
An external IS audit firm is engaged to perform an audit. Which document would typically define the engagement?
❌ Option 1 — Incorrect. The audit charter is an internal governance document that establishes the standing authority, independence, and mandate of the organization’s own IS audit function. It applies to the internal audit department — not to external firms engaged on a project basis. An external audit firm operates under its own professional standards and the terms negotiated for the specific engagement, not the client organization’s internal charter.
✅ Option 2 — Correct. When an external IS audit firm is engaged, the engagement letter is the document that formally defines the terms of the relationship. It typically covers the scope and objectives of the audit, the responsibilities of both parties, the timeline, deliverables, fees, and the professional standards under which the work will be performed. The engagement letter serves as the contractual and professional foundation for the external audit assignment.
❌ Option 3 — Incorrect. The internal audit manual documents the methodology, procedures, and standards used by the internal audit function. It guides how internal auditors conduct their work but has no applicability to an external firm engaged under a separate professional relationship. An external auditor operates under their own firm’s methodology and applicable professional standards — not the client’s internal procedures manual.
❌ Option 4 — Incorrect. A service level agreement defines performance expectations, responsibilities, and metrics between a service provider and its internal or external customers — typically in an IT or operational context. It governs ongoing service delivery relationships, not discrete professional audit engagements. An SLA does not establish audit scope, objectives, or professional obligations in the way an engagement letter does.
3 / 18
Which of the following should be included in an audit charter?
❌ Option 1 — Incorrect. Detailed test scripts — step-by-step instructions for executing specific audit procedures — belong in the audit program, which is developed during planning for each individual engagement. The charter is a high-level governance document that establishes the audit function’s mandate and authority. Embedding procedural testing detail in the charter would confuse governance with methodology and undermine the charter’s purpose as a stable, enduring document.
✅ Option 2 — Correct. Access rights to relevant records, systems, and personnel is a standard and essential component of the audit charter. Without this provision, the audit function lacks the formal authority to obtain the evidence it needs to conduct independent and effective audits. Explicit charter language on access rights also gives the audit team recourse when access is denied — allowing escalation based on a documented, governance-approved mandate.
❌ Option 3 — Incorrect. Audit objectives and scope for individual engagements are defined in the audit engagement letter or audit program — not the charter. The charter may define the overall high-level scope of the audit function’s mandate, but the specific objectives and scope of each audit are determined during engagement planning. Including engagement-level scope in the charter would make it unwieldy, unstable, and require constant revision.
❌ Option 4 — Incorrect. Management’s agreed corrective actions from prior audits belong in audit reports and follow-up documentation — they are outputs of completed engagements. The charter is a forward-looking governance document that establishes the conditions under which audits will be conducted. Including historical corrective actions in the charter would conflate governance structure with audit history and misrepresent the charter’s foundational purpose.
4 / 18
The IS audit charter should be changed:
❌ Option 1 — Incorrect. Updating the charter before every engagement confuses the audit charter with the audit engagement letter or audit program — documents that are indeed engagement-specific. The charter is a standing governance document that provides stable, long-term authority for the entire audit function. Revising it for each engagement would erode its authority, create inconsistency, and undermine the stable organizational mandate it is designed to provide.
✅ Option 2 — Correct. The audit charter should be reviewed periodically — typically annually — but updated only when significant changes justify it, such as organizational restructuring, changes in regulatory requirements, shifts in the audit function’s mandate, or changes in reporting relationships. This approach preserves the charter’s stability and authority while ensuring it remains current and relevant. Unnecessary revisions weaken the charter’s standing as a foundational governance document.
❌ Option 3 — Incorrect. Allowing auditee disputes about authority or scope to trigger charter changes would fundamentally undermine audit independence. The charter establishes the audit function’s mandate — it is not a negotiating document. If the auditee’s challenge has merit, the appropriate response is to clarify or escalate through governance channels — not to revise the charter in response to resistance. Charter changes require senior management and audit committee approval, not auditee agreement.
❌ Option 4 — Incorrect. Annual updates on a fixed schedule — regardless of whether changes are warranted — introduce unnecessary revisions that could create ambiguity, disrupt stable governance, and consume resources without adding value. A periodic review is appropriate to confirm the charter remains current, but an automatic update cycle implies changes will be made whether or not they are justified. The trigger for revision should always be substantive organizational or regulatory change, not the calendar.
5 / 18
Which of the following is MOST likely to be a concern if the IS audit function reports to the CIO?
✅ Option 1 — Correct. When the IS audit function reports to the CIO, independence is fundamentally impaired because the CIO is responsible for the IT operations and systems that the IS audit function is meant to independently evaluate. This creates a structural conflict of interest — the audit function’s priorities, scope, and findings could be influenced or suppressed by the very executive whose domain is under review. Professional standards require the audit function to report to a governance body — such as the audit committee — to preserve objectivity.
❌ Option 2 — Incorrect. While a CIO-aligned reporting structure could theoretically result in selective access to evidence, restricted access is a consequence that may or may not materialize — it depends on how the CIO exercises their authority. Impaired independence, by contrast, is an inherent structural concern that exists regardless of whether the CIO actively interferes. The risk to independence is immediate and unconditional; evidence access issues are situational.
❌ Option 3 — Incorrect. Reduced audit scope due to resource constraints is a risk in any reporting relationship — it is not specific to reporting under the CIO. Resource allocation decisions could be influenced by any executive. While a CIO might have motivation to limit IT audit scope, this is a potential downstream consequence of the independence impairment rather than a standalone concern in its own right.
❌ Option 4 — Incorrect. Increased audit risk from insufficient IT coverage is also a general audit quality concern not specifically tied to the reporting relationship. Audit risk is influenced by factors such as risk assessment quality, testing methodology, and resource availability — none of which are direct products of reporting to the CIO. The core and most direct concern arising from this reporting structure remains the structural threat to independence.
6 / 18
Which of the following is NOT normally part of an audit charter?
❌ Option 1 — Is part of the charter. Audit authority is a core component of the audit charter. It formally establishes the IS audit function’s right to access systems, records, and personnel — and defines the boundaries of what the function is empowered to do. Without a clear authority statement, the charter fails its primary purpose of giving the audit function organizational standing.
❌ Option 2 — Is part of the charter. The reporting relationship defines to whom the IS audit function is accountable — typically functionally to the audit committee and administratively to senior management. This is a fundamental charter element because it directly protects auditor independence by ensuring the function is not subordinate to the management whose activities it evaluates.
❌ Option 3 — Is part of the charter. High-level audit scope defines the domains, systems, processes, and organizational areas that fall within the IS audit function’s mandate. While individual engagements have their own specific scope statements, the charter establishes the overall boundaries of the function’s authority — ensuring there is no ambiguity about what the audit team is empowered to review.
✅ Option 4 — NOT part of the charter. Step-by-step control testing procedures belong in the audit program — a fieldwork-level document developed for specific engagements. The charter is a high-level governance document that establishes authority, independence, and mandate. It does not prescribe how individual controls are tested. Embedding operational testing procedures in the charter would conflate strategic governance with tactical execution and undermine the charter’s purpose as a stable, enduring document.
7 / 18
In CISA terms, the audit charter is most closely related to which objective?
✅ Option 1 — Correct. In CISA terms, the audit charter is most directly aligned with the objective of ensuring the IS audit function’s independence and authority. The charter is the governance instrument that formally establishes the audit function’s mandate, defines its organizational positioning, grants access rights, and protects its objectivity from management interference. These are the foundational conditions that make all other audit activities professionally credible and effective.
❌ Option 2 — Incorrect. Substantive testing is a fieldwork-level activity focused on verifying the accuracy and completeness of transactions and data. It operates within an audit engagement under a defined audit program. The charter operates at a governance level — it does not prescribe or relate to the specific testing procedures used during individual audits. Associating the charter with substantive testing conflates governance with methodology.
❌ Option 3 — Incorrect. The audit committee’s responsibilities — including reviewing management responses — are typically defined through board governance policies, committee terms of reference, and regulatory requirements. While the charter may reference the audit committee as the functional reporting line, it does not define the committee’s own internal responsibilities. The charter governs the audit function, not the governance body to which it reports.
❌ Option 4 — Incorrect. Defining the scope and objectives of individual audit engagements is the purpose of the audit engagement letter or audit program — not the charter. The charter establishes the overarching, standing authority of the entire IS audit function across all engagements. Scope and objectives are engagement-specific decisions made during planning, informed by but distinct from the broader mandate established in the charter.
8 / 18
Which of the following is the BIGGEST risk if an organization does not have an audit charter?
❌ Option 1 — Incorrect. While the absence of a charter may make it harder to secure organizational buy-in for the audit plan, this is a secondary consequence rather than the biggest risk. Lack of support for the audit plan is a practical challenge — but it stems from the more fundamental problem that without a charter, the audit function has no formal authority or mandate that obligates the organization to cooperate in the first place.
✅ Option 2 — Correct. The audit charter is the document that formally establishes the IS audit function’s authority, independence, and scope — approved by senior management and the audit committee. Without it, the audit function has no governance-backed mandate to access systems, personnel, or records; no formal protection of its independence from management interference; and no recognized standing within the organization. This exposes every audit activity to challenge and renders the function unable to fulfill its core assurance purpose.
❌ Option 3 — Incorrect. Management resistance to audit findings is a relationship and communication challenge that can occur even when a charter exists. The acceptance of findings depends on the quality of evidence, clarity of reporting, and relationship between auditors and management — not solely on the existence of a charter. While a charter strengthens the audit function’s position, its absence does not directly cause findings to be rejected.
❌ Option 4 — Incorrect. Reporting obligations to the audit committee are typically defined by governance policies, regulatory requirements, and professional standards — not exclusively by the audit charter. While the charter may reinforce these obligations, unclear reporting timelines are a procedural gap rather than the biggest risk of operating without a charter. The fundamental risk remains the absence of formal authority and independence that the charter is specifically designed to establish.
9 / 18
Where does the audit charter fit within ISACA standards?
❌ Option 1 — Incorrect. Performance standards under ISACA govern how audit work is planned and executed — covering areas such as risk assessment, audit planning, resource management, and evidence gathering. These standards address the conduct of individual engagements. The audit charter, however, is not engagement-specific; it is a standing governance document that establishes the audit function’s authority and mandate — placing it above the engagement level addressed by performance standards.
✅ Option 2 — Correct. Under ISACA’s IS Audit and Assurance Standards framework, the audit charter falls within General Standards — specifically ISACA Standard 1001, which requires that the charter define the purpose, authority, responsibility, and accountability of the IS audit function. General standards establish the foundational requirements for the audit function’s existence, independence, and mandate — the level at which the charter operates.
❌ Option 3 — Incorrect. Reporting standards govern how audit findings, conclusions, and recommendations are communicated to stakeholders — covering the content, format, and distribution of audit reports. The charter does not communicate findings; it establishes the function’s authority to conduct audits in the first place. Associating the charter with reporting standards conflates the governance of the audit function with the output of individual audit engagements.
❌ Option 4 — Incorrect. Implementation standards under ISACA provide guidance tailored to specific types of assurance or advisory engagements — they are applied situationally depending on the nature of the audit work being performed. The audit charter is not type-specific; it applies universally to the entire IS audit function regardless of the nature of any particular engagement. Its scope and applicability place it firmly in general standards, not implementation-level guidance.
10 / 18
An IS auditor is denied access to a database by an application owner who states that the data is confidential. What should the IS auditor do first?
❌ Option 1 — Incorrect. Escalating directly to senior management before establishing the basis for access authority is premature. If the auditor does not first confirm that the charter grants unrestricted access rights, the escalation lacks a formal foundation. The charter must be consulted first to determine whether the access denial is a legitimate limitation or a violation of the audit function’s established authority — only then can escalation be pursued with a clear, defensible position.
✅ Option 2 — Correct. The audit charter is the foundational document that defines the IS audit function’s authority, including the right to unrestricted access to systems, records, and personnel. When access is denied, the auditor’s first step is to refer to the charter to confirm whether that access right exists. If the charter establishes unrestricted access, the denial is a violation of audit authority and provides the basis for escalation. This step ensures any further action is grounded in formal governance rather than informal pressure.
❌ Option 3 — Incorrect. Accepting a confidentiality claim as justification to exclude a database from audit scope — without first verifying audit authority — allows the application owner’s preference to override the audit function’s mandate. Confidentiality of data does not exempt systems from audit scrutiny; auditors routinely handle sensitive data under confidentiality obligations. Adjusting scope based on this claim, without consulting the charter, represents an unjustified and potentially harmful concession.
❌ Option 4 — Incorrect. Documenting the denial as a scope limitation and proceeding without the database prematurely accepts the access restriction as legitimate. A scope limitation should only be declared after the auditor has confirmed authority, attempted appropriate escalation, and exhausted reasonable means of obtaining access. Documenting a limitation at the first point of resistance — before consulting the charter or escalating — effectively surrenders audit authority without justification.
11 / 18
Which situation would most likely indicate that the audit charter is inadequate?
❌ Option 1 — Incorrect. The absence of a risk assessment reference in the audit program is a planning quality concern — it suggests the audit scope may not be risk-driven — but it does not indicate that the charter itself is inadequate. The charter establishes authority and mandate; the audit program is an operational document. A weak audit program reflects poor execution, not a deficient charter.
✅ Option 2 — Correct. An adequate audit charter must grant the IS audit function unrestricted and independent access to systems, personnel, and records. If the function requires approval from IT management before it can audit IT systems, this signals that the charter either fails to establish this access right or that management authority has been permitted to override it. This is a direct indicator of charter inadequacy — the very governance structure that should protect audit independence has broken down.
❌ Option 3 — Incorrect. Omitting management responses from audit reports is a reporting quality deficiency, not a charter issue. The charter defines the audit function’s authority, scope, and independence — it does not prescribe the specific components of an audit report. Report content standards are governed by professional auditing standards and internal policies, not the charter itself.
❌ Option 4 — Incorrect. While limiting the audit function to advisory recommendations with no formal reporting obligations would be a serious governance weakness, this describes a scenario involving the scope and effectiveness of the audit function rather than a deficiency in the charter document itself. More critically, this option describes an outcome that could result from an inadequate charter — but Option 2 more directly and specifically identifies a charter inadequacy through a concrete, observable indicator.
12 / 18
The audit committee asks the IS audit department to update the audit charter every quarter. What is the best response from the IS audit manager?
❌ Option 1 — Incorrect. While continuous improvement is a sound professional principle, applying it to the audit charter through mandatory quarterly updates misunderstands the charter’s nature and purpose. The charter is a governance document that establishes stable authority and independence — not an operational document that should be revised frequently. Routine updates without substantive justification risk introducing ambiguity, weakening the charter’s authority, and creating unnecessary administrative burden.
✅ Option 2 — Correct. The audit charter is designed to provide a stable, long-term foundation for the audit function’s authority, independence, and mandate. It should be reviewed periodically — typically annually — and updated only when there are genuine justifications such as organizational restructuring, changes in regulatory requirements, or shifts in audit scope. Explaining this to the audit committee reflects professional judgment and protects the integrity of the charter as a governance instrument.
❌ Option 3 — Incorrect. Formal audit committee approval of charter updates is indeed appropriate when changes occur, but agreeing to quarterly updates — even with governance oversight — still accepts the flawed premise that frequent updates are warranted. The issue is not whether updates should be approved, but whether they should be triggered on a fixed quarterly schedule regardless of need. Governance oversight does not justify unnecessary revisions.
❌ Option 4 — Incorrect. Framing quarterly reviews as administrative exercises without substantive changes may appear to satisfy the audit committee’s request while avoiding real modifications, but this approach is misleading and creates a false record of charter activity. If no substantive changes are warranted, the appropriate response is to explain why the charter should remain as-is — not to conduct nominal reviews that add no value and may create confusion about the document’s current status.
13 / 18
A newly formed IS audit department is preparing to begin its first audit. What should be established first?
❌ Option 1 — Incorrect. An audit methodology and procedures manual is an important operational document that guides how audits are conducted, but it presupposes that the audit function already has defined authority, scope, and organizational standing. Without a charter establishing the function’s mandate first, a procedures manual has no governance foundation to operate within — it describes how to audit without having established the right to audit.
✅ Option 2 — Correct. The audit charter must be established first because it is the foundational governance document that defines the IS audit function’s purpose, authority, scope, independence, and access rights — formally approved by senior management and the audit committee. Without a charter, the audit department has no organizational mandate, no defined authority to access systems and records, and no formal standing to conduct or report on audits. Everything else — planning, fieldwork, reporting — depends on this foundation.
❌ Option 3 — Incorrect. Developing a risk-based annual audit plan is an essential early activity, but it is a planning output that follows from the charter. The annual plan defines which areas will be audited during the year — a decision that requires the charter to first establish what falls within the audit function’s authority and scope. Planning without a charter means allocating resources for work the function may not be authorized to perform.
❌ Option 4 — Incorrect. Audit report templates and communication protocols are operational tools that support the reporting phase of individual audits. While useful, they are procedural artifacts that can be developed once the function is operational. Establishing communication formats before the function has a defined mandate and authority puts process ahead of governance — a secondary concern compared to the foundational need for a charter.
14 / 18
During audit planning, a business manager claims that a process is outside IS audit’s authority. Which document should the auditor review?
✅ Option 1 — Correct. The audit charter is the foundational document that defines the IS audit function’s mandate, authority, scope, and access rights — as approved by senior management and the audit committee. When a business manager disputes whether a process falls within audit’s authority, the charter is the definitive reference that either confirms or limits that authority. It is the auditor’s primary instrument for resolving jurisdictional challenges.
❌ Option 2 — Incorrect. The risk register identifies areas of organizational risk and informs audit prioritization, but it does not define or confer audit authority. Even if a process appears in the risk register as high-risk, that does not automatically establish the audit function’s right to review it. Authority is a governance question answered by the charter — not a risk management document.
❌ Option 3 — Incorrect. Prior audit reports may show that a process has been audited before, which could support the argument that it falls within scope, but prior practice does not formally establish authority. A process may have been audited previously by agreement or oversight without it being explicitly authorized in the charter. The charter — not historical precedent — is the authoritative source on audit jurisdiction.
❌ Option 4 — Incorrect. The audit engagement letter defines the scope, objectives, and terms of a specific audit engagement — it is not the same as the audit charter. While the engagement letter may reference charter authority, it does not itself establish the audit function’s overall mandate or authority over the organization. A business manager challenging audit authority requires reference to the overarching charter, not the terms of a single engagement.
15 / 18
Which reporting relationship provides the greatest independence for the IS audit function?
❌ Option 1 — Incorrect. This option reverses the correct reporting relationship. Functional reporting — which governs audit priorities, scope, and findings — must go to the audit committee to preserve independence. If functional authority rests with the CIO, the IS audit team’s priorities and conclusions could be influenced by the very IT function it is meant to audit, creating a direct threat to objectivity and independence.
✅ Option 2 — Correct. The greatest independence is achieved when the IS audit function reports functionally to the audit committee — an independent governance body — for matters of audit scope, findings, and professional standards, while reporting administratively to senior management for day-to-day operational matters such as budgeting and HR. This structure ensures that audit priorities and conclusions cannot be manipulated by the operational management whose activities are being evaluated.
❌ Option 3 — Incorrect. Reporting functionally to the CFO and administratively to the COO places the audit function under executive management on both dimensions. Neither the CFO nor the COO provides the governance-level independence that an audit committee represents. Both are operational executives with potential stakes in audit outcomes, which creates a structural conflict of interest that undermines the independence of the audit function.
❌ Option 4 — Incorrect. This option also reverses the critical relationship. Administrative reporting to the audit committee and functional reporting to senior management means that day-to-day operational matters go to the governance body while the substantive audit agenda is shaped by management. This structure allows management — whose activities are subject to audit — to influence what gets audited and how, compromising the independence that functional reporting to the audit committee is specifically designed to protect.
16 / 18
The audit charter gives the IS audit team authority to evaluate IT controls. Which activity would still threaten auditor independence?
❌ Option 1 — Not a threat to independence. Reviewing firewall configurations is a standard IS audit procedure within the charter’s authority to evaluate IT controls. The auditor is examining and assessing an existing control — not creating or operating it. This is a legitimate assurance activity that does not impair objectivity or introduce a self-review threat.
❌ Option 2 — Not a threat to independence. Reperforming a user access review is one of the strongest audit procedures available — the auditor independently re-executes a control to verify its effectiveness. This is entirely within audit scope and actually strengthens the quality of evidence. It does not involve the auditor taking ownership of or responsibility for the control itself.
✅ Option 3 — Threatens independence. Designing and implementing access control procedures crosses the critical boundary between assurance and management responsibilities. If the auditor designs and implements a control, they assume ownership of it — and any subsequent audit of that control would constitute a self-review, fundamentally impairing objectivity. Regardless of charter authority, auditors must never assume operational or design responsibility for the controls they are meant to independently evaluate.
❌ Option 4 — Not a threat to independence. Reporting control weaknesses to the audit committee is a core audit responsibility and a cornerstone of the independent assurance function. Direct reporting to governance bodies — bypassing management where necessary — is specifically designed to protect auditor independence, not threaten it. This activity reinforces the audit function’s accountability to the board rather than to the management whose activities are being audited.
17 / 18
An IS audit charter exists but does not mention unrestricted access to records, personnel, and systems. What is the greatest risk?
✅ Option 1 — Correct. Without explicit charter provisions granting unrestricted access to records, personnel, and systems, the audit function has no formal authority to compel cooperation. If access is denied or restricted — whether by system owners, process managers, or IT teams — the auditor has no mandate to override that resistance. This directly risks the auditor’s ability to gather sufficient appropriate evidence, which is the foundation of any valid audit conclusion.
❌ Option 2 — Incorrect. Audit independence relates to the auditor’s freedom from bias and conflicts of interest — it is established through organizational positioning and professional standards, not solely through charter language about access rights. While a weak charter may reflect poor governance, the absence of an access clause does not in itself create an independence problem. The more direct and immediate risk is operational — the inability to obtain evidence.
❌ Option 3 — Incorrect. Facing resistance when requesting access is a likely consequence of an incomplete charter, but it describes a symptom rather than the greatest risk. The auditor encountering pushback is problematic only because of what it leads to — an inability to gather sufficient evidence. The risk is the evidence gap itself, not the friction encountered along the way. This option stops one step short of identifying the true impact.
❌ Option 4 — Incorrect. Documenting access limitations in work papers is a professional obligation when limitations occur, but credibility risk from undocumented limitations is a secondary concern. The greatest risk remains the fundamental inability to complete the audit effectively. A well-documented access limitation does not resolve the underlying problem — it only records it. The primary risk is evidentiary, not reputational.
18 / 18
An IS auditor is asked to perform an audit of a system implemented by a team member who previously worked as a consultant on the same system. Which charter-related issue is most relevant?
❌ Option 1 — Incorrect. Scope limitation refers to restrictions on the auditor’s ability to access information, systems, or personnel needed to complete the audit. While scope limitations are a legitimate charter concern, the scenario does not describe any access restriction. The issue here is not what the auditor can review, but whether the auditor should be performing this review at all given their prior involvement.
✅ Option 2 — Correct. The most relevant charter-related issue is professional independence and conflict of interest. An auditor who previously worked as a consultant on the system being audited has a self-review threat — they would effectively be evaluating their own prior work. This impairs objectivity, undermines the credibility of the audit, and violates the independence requirements that the audit charter is designed to protect. The auditor should be recused from this engagement.
❌ Option 3 — Incorrect. Whether the audit charter covers third-party implemented systems is a scope and authority question that applies regardless of who is performing the audit. It does not address the specific risk introduced by the auditor’s personal prior involvement. Even if the charter fully authorizes the audit, the independence concern remains and must be separately addressed.
❌ Option 4 — Incorrect. While undisclosed prior consulting work would compound the independence problem, the core issue exists whether or not the prior work is disclosed. Disclosure may be a required step in managing the conflict, but it does not resolve it. The fundamental charter concern is the conflict of interest itself — not the disclosure status — and that concern requires the auditor’s removal from the engagement, not merely transparency about their background.