Audit Phase CISA Exam Notes, 36 Practice Questions
The IS audit process is a structured approach used by an IS auditor to plan, execute, report, and follow up on an audit engagement. For CISA, audit phases are important because many questions test what the auditor should do FIRST, BEST, NEXT, or MOST appropriately at each stage.
The standard exam-friendly sequence is: Planning → Fieldwork / Documentation → Reporting → Follow-up
Some materials mention Documentation separately, but practically it happens throughout the audit, especially during fieldwork and reporting.
Audit Phases Overview
Planning. Main purpose: define what, why, how, and where to audit. Focus: risk assessment, scope, objectives, audit program.
Fieldwork. Main purpose: perform audit procedures and collect evidence. Focus: testing controls, gathering evidence, validating findings.
Documentation. Main purpose: record procedures, evidence, findings, and conclusions. Focus: work papers must support the audit conclusions.
Reporting. Main purpose: communicate results to management and stakeholders. Focus: discuss findings, obtain management responses, issue the final report.
Follow-up. Main purpose: verify corrective action. Focus: confirm remediation and operating effectiveness of the corrected control.
Phase 1: Planning
The planning phase determines the direction of the audit. It defines the audit objective, scope, methodology, resources, and areas of focus.
Key Activities
Define the audit objective
Define the audit scope
Understand the business process or system being audited
Identify applicable:
Policies
Standards
Procedures
Laws and regulations
Review previous audit reports and prior findings
Perform a risk assessment
Identify high-risk areas
Prepare the audit plan
Develop the audit program
Allocate audit resources
Establish communication with stakeholders
Exam Tip: The most critical planning activity is performing a risk assessment, because the risk assessment determines where audit effort (and the scope and objectives that follow from it) should be focused.
If resources are limited, the auditor should focus on high-risk areas. Do not choose options such as auditing all areas equally, auditing whatever was audited last year, or simply following management preference.
Audit Plan vs Audit Program
Audit Plan: high-level plan showing the audit objective, scope, timing, resources, and approach.
Audit Program: detailed step-by-step audit procedures used to execute the audit plan.
Phase 2: Fieldwork
The fieldwork phase is where the auditor performs audit procedures, tests controls, gathers evidence, and validates whether controls are designed and operating effectively.
Key Activities
Conduct interviews
Observe processes
Inspect documents and records
Review configurations and logs
Perform control testing
Perform compliance testing
Perform substantive testing
Use CAATs or data analytics where appropriate
Identify potential findings
Gather sufficient and appropriate evidence
Validate issues before reporting
Exam tip:
If an auditor identifies a potential control weakness, the first action should be: Gather additional evidence to validate the finding. Do not report immediately without evidence.
Compliance Testing vs Substantive Testing
Compliance testing: determines whether controls, policies, or procedures are being followed (for example, whether every change to a privileged group had an approved ticket before it was applied).
Substantive testing: tests transactions, data, or balances in detail to verify accuracy and completeness (for example, whether the live membership of the privileged group actually matches what was approved).
Exam link: if compliance testing shows that controls are operating as intended, the auditor may reduce the extent of substantive testing; weak compliance results call for more substantive testing.
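The distinction above, worked on one constructed data set. This is an added example and not code from the notes or from ISACA: the scenario (an admin-group change log, a ticket export, and a directory export, with the names, ticket numbers and dates all made up) is an assumption chosen to show that the two tests answer different questions. The compliance test asks whether each change followed the approval procedure; the substantive test replays only the properly approved changes and compares the result with the group as it really is.

```python
"""Added example (not from the notes): the same constructed data set tested two
ways, to show how compliance testing and substantive testing differ.

Assumed control: every change to the privileged admin group must have a change
ticket approved on or before the date the change is applied.

Compliance test  -> is the procedure being followed? (timely approval per change)
Substantive test -> is the resulting data correct? (replay the properly approved
                    changes and compare with the live group export)
All names, tickets and dates are constructed; no real system is represented.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Change:
    user: str
    action: str            # "add" or "remove"
    applied: date          # when the group was actually changed
    ticket: Optional[str]  # None when no ticket was recorded


# Constructed change log for the admin group.
CHANGE_LOG = [
    Change("alice", "add",    date(2024, 3, 1),  "CHG-101"),
    Change("bob",   "add",    date(2024, 3, 4),  "CHG-102"),
    Change("carol", "add",    date(2024, 3, 9),  None),        # no ticket at all
    Change("dave",  "add",    date(2024, 3, 12), "CHG-104"),   # approved after the fact
    Change("bob",   "remove", date(2024, 3, 20), "CHG-105"),
]

# Constructed ticket-system export: ticket -> approval date.
APPROVALS = {
    "CHG-101": date(2024, 2, 28),
    "CHG-102": date(2024, 3, 4),
    "CHG-104": date(2024, 3, 15),
    "CHG-105": date(2024, 3, 19),
}

# Constructed directory export of the admin group at the audit date.
# "erin" never appears in the change log: the procedure was bypassed entirely.
ACTUAL_MEMBERS = {"alice", "dave", "erin"}


def approved_on_time(change, approvals):
    """True when the change has a ticket approved on or before the applied date."""
    approved = approvals.get(change.ticket) if change.ticket else None
    return approved is not None and approved <= change.applied


def compliance_test(changes, approvals):
    """Compliance test: (change, reason) for every change that did not follow the procedure."""
    exceptions = []
    for c in changes:
        if not c.ticket or c.ticket not in approvals:
            exceptions.append((c, "no approved ticket"))
        elif approvals[c.ticket] > c.applied:
            exceptions.append((c, "approved after the change was applied"))
    return exceptions


def expected_members(changes, approvals):
    """Replay only the properly approved changes to derive who SHOULD be in the group."""
    members = set()
    for c in sorted(changes, key=lambda ch: ch.applied):
        if not approved_on_time(c, approvals):
            continue
        if c.action == "add":
            members.add(c.user)
        elif c.action == "remove":
            members.discard(c.user)
    return members


def substantive_test(changes, approvals, actual_members):
    """Substantive test: compare the live state with what the approvals support."""
    expected = expected_members(changes, approvals)
    return {
        "in_group_without_approval": sorted(actual_members - expected),
        "approved_but_not_in_group": sorted(expected - actual_members),
    }


if __name__ == "__main__":
    for change, reason in compliance_test(CHANGE_LOG, APPROVALS):
        print(f"compliance exception: {change.user} {change.action} {change.applied}: {reason}")
    print("substantive exceptions:", substantive_test(CHANGE_LOG, APPROVALS, ACTUAL_MEMBERS))
```

Note what each test can and cannot see: the compliance test flags carol (no ticket) and dave (approved late) because those changes went through the logged procedure incorrectly, but it is blind to erin, who was added without any logged change. Only the substantive comparison of the live group against the approved state surfaces her, which is why a strong compliance result reduces but never eliminates the need for substantive work.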
Evidence Quality
Audit evidence should be:
Sufficient — enough evidence to support the conclusion (quantity of evidence)
Appropriate — relevant and reliable (quality of evidence); appropriateness has two components:
Reliable — from a dependable source (independent, obtained directly by the auditor, written rather than oral)
Relevant — directly related to the audit objective being tested
Evidence Reliability Ranking
Generally:
Auditor-obtained evidence > Management-provided evidence
External evidence > Internal evidence
Written evidence > Oral evidence
Design vs Operating Effectiveness
Design effectiveness: walkthrough (is the control, as designed, capable of addressing the risk?).
Operating effectiveness: reperformance/testing (does the control actually work as intended, consistently, over the audit period?).
Exam Tip:
If the question says potential finding, suspected issue, or possible weakness, the best answer is usually: Perform additional testing / gather more evidence
Phase 3: Documentation
Audit documentation records the work performed and supports the auditor’s findings, conclusions, and recommendations.
Key Contents
Audit objective and scope
Audit program
Procedures performed
Evidence obtained
Test results
Findings
Conclusions
Recommendations
Management responses
Follow-up actions
Use of experts, if applicable
Exam tip:
The primary purpose of audit documentation is: To support audit procedures, findings, and conclusions.
Audit work papers are important because they provide a link between: Audit objectives → Audit procedures → Evidence → Findings → Final report
Audit documentation does not replace testing. It supports the audit work already performed.
Phase 4: Reporting
The reporting phase communicates audit results to management and relevant stakeholders.
Key Activities
Draft audit report
Validate findings
Discuss findings with auditee management
Confirm factual accuracy
Obtain management responses
Include recommendations
Issue final audit report
Communicate risk and business impact
Final Audit Report Usually Includes
Audit objective
Scope
Summary of work performed
Findings
Risk/impact
Recommendations
Management responses/action plans
Target remediation dates, if applicable
Exam tips:
Before issuing the final report, the auditor should: Discuss findings with auditee management. This helps confirm factual accuracy and obtain management responses.
If management disagrees with a finding or impact rating, the auditor should: Explain the significance, risk, and effect of not correcting the weakness
If disagreement remains, the auditor may document management’s disagreement in the final report.
If management corrects a weakness during the audit, the auditor should: Include the finding in the report and mention the corrective action taken
Do not exclude the finding just because it was corrected before the final report.
Reporting should not happen until the finding is supported by sufficient and appropriate evidence.
Phase 5: Follow-up
The follow-up phase determines whether management has implemented corrective actions and whether those actions effectively address the risk.
Key Activities
Track agreed corrective actions
Verify implementation
Test whether the new or changed control is operating effectively
Assess residual risk
Report unresolved issues
Escalate overdue or ineffective remediation when appropriate
Exam tips:
The follow-up phase is primarily performed to determine whether: Management implemented corrective actions
Do not accept management’s statement alone.
A control existing on paper does not mean it is operating effectively.
The auditor should go one step deeper and verify not only implementation, but also effectiveness.
If management states that an issue has been fixed, the auditor should: Verify implementation through testing or review.
If management implemented the recommended control but it is not operating effectively, the auditor should: Report that remediation is incomplete or ineffective. The original finding stays open until the control is shown to work in practice.
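The follow-up tips above, worked through on a constructed case. This is an added example and not code from the notes: it assumes a finding of "no account lockout after repeated failed logons", a configuration export that management supplies as proof of remediation, and an authentication log, all made up for the example (the field names and log format are assumptions, not any real product's). The design check inspects the configuration; the operating check reperforms the control against the log, which is the step that management's statement alone can never replace.

```python
"""Added example (not from the notes): verifying a remediation claim during
follow-up instead of accepting management's statement.

Assumed finding: no account lockout after repeated failed logons.
Management reports it fixed and supplies a configuration export. The auditor
(1) inspects the configuration (design effectiveness) and (2) reperforms the
control over the authentication log (operating effectiveness).
Configuration keys, log format and all events are constructed for the example.
"""
import re
from collections import defaultdict

# Assumed policy requirement: lock the account after at most 5 consecutive failures.
POLICY_MAX_THRESHOLD = 5

# Constructed configuration export provided by management as evidence of the fix.
LOCKOUT_CONFIG = {
    "lockout_enabled": True,
    "lockout_threshold": 5,
    "exempt_accounts": ["svc_backup"],   # exemption added by the admin team
}

# Constructed authentication log, one event per line.
AUTH_LOG = """\
2024-04-02T08:00:01 user=jdoe result=FAIL
2024-04-02T08:00:05 user=jdoe result=FAIL
2024-04-02T08:00:09 user=jdoe result=FAIL
2024-04-02T08:00:14 user=jdoe result=FAIL
2024-04-02T08:00:19 user=jdoe result=FAIL
2024-04-02T08:00:19 user=jdoe result=LOCKOUT
2024-04-02T08:01:00 user=mchen result=FAIL
2024-04-02T08:01:04 user=mchen result=FAIL
2024-04-02T08:01:10 user=mchen result=OK
2024-04-02T09:15:00 user=svc_backup result=FAIL
2024-04-02T09:15:01 user=svc_backup result=FAIL
2024-04-02T09:15:02 user=svc_backup result=FAIL
2024-04-02T09:15:03 user=svc_backup result=FAIL
2024-04-02T09:15:04 user=svc_backup result=FAIL
2024-04-02T09:15:05 user=svc_backup result=FAIL
2024-04-02T09:15:06 user=svc_backup result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL|LOCKOUT)$")


def parse_auth_log(text):
    """Return (timestamp, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["user"], m["result"]))
    return events


def design_check(config, policy_max):
    """Design effectiveness: is the control configured so that it CAN meet the policy?"""
    exceptions = []
    if not config.get("lockout_enabled"):
        exceptions.append("lockout is disabled")
    if config.get("lockout_threshold", 0) > policy_max:
        exceptions.append(f"threshold {config['lockout_threshold']} exceeds policy maximum {policy_max}")
    exempt = config.get("exempt_accounts") or []
    if exempt:
        exceptions.append("exempt accounts bypass the lockout control: " + ", ".join(exempt))
    return exceptions


def operating_check(events, threshold):
    """Operating effectiveness: reperform the control over the log.
    Any account recording MORE than `threshold` consecutive failures without a
    LOCKOUT event shows the control did not fire for it."""
    streak = defaultdict(int)
    not_locked = set()
    for _ts, user, result in events:
        if result == "FAIL":
            streak[user] += 1
            if streak[user] > threshold:
                not_locked.add(user)
        else:                      # OK or LOCKOUT ends the failure run
            streak[user] = 0
    return sorted(not_locked)


def follow_up_conclusion(config, log_text, policy_max=POLICY_MAX_THRESHOLD):
    """Combine both tests; the finding stays open unless both are clean."""
    design = design_check(config, policy_max)
    operating = operating_check(parse_auth_log(log_text), config.get("lockout_threshold", policy_max))
    status = "remediated" if not design and not operating else "incomplete_or_ineffective"
    return {"status": status, "design_exceptions": design, "operating_exceptions": operating}


if __name__ == "__main__":
    print(follow_up_conclusion(LOCKOUT_CONFIG, AUTH_LOG))
```

On the constructed data the configuration does contain a lockout threshold, so a reviewer who only reads management's export would close the finding. The exemption list and the seven uninterrupted failures for svc_backup show the control exists on paper but does not operate for that account, so the conclusion is that remediation is incomplete or ineffective. With the exemption removed and only the jdoe and mchen events in the log, the same functions report the finding as remediated.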
Exam Mindset
For Audit Phases questions, CISA is not just testing memory. It is testing professional audit judgment.
Always ask yourself:
Is this still planning, testing, reporting, or follow-up?
Does the auditor have enough evidence?
Has management been given a chance to respond?
Has remediation actually been verified?
Is the response risk-based?
Final Exam Mantra
Plan based on risk → Find evidence through testing → Document everything → Report accurately → Follow up until remediation is verified.
Risk → Evidence → Report → Remediate → Verify
Audit Phases – 36 CISA Exam Practice Questions
Created by Surendra Domain 1
Audit Phase practice questions
1 / 36
Which phase of the IS audit process involves defining the audit objectives, scope, and audit approach?
❌ Option 1 — Incorrect. Fieldwork is the execution phase where the auditor carries out the procedures defined during planning — performing tests, gathering evidence, and documenting findings. By the time fieldwork begins, audit objectives, scope, and approach have already been established. Fieldwork follows the plan; it does not create it.
✅ Option 2 — Correct. Planning is the phase where the auditor defines the audit objectives — what the audit aims to achieve; the audit scope — the boundaries of what will and will not be reviewed; and the audit approach — the methodology and procedures to be used. These foundational decisions shape every subsequent phase and ensure the audit is purposeful, focused, and aligned with organizational risk.
❌ Option 3 — Incorrect. Reporting occurs after fieldwork is complete and involves communicating findings, recommendations, and conclusions to management and governance bodies. By this phase, objectives and scope are long established and have already guided the entire fieldwork effort. Reporting synthesizes what was found — it does not define what was to be looked at.
❌ Option 4 — Incorrect. Follow-up is the final phase of the audit cycle, focused on verifying whether management has implemented agreed corrective actions. It is entirely dependent on the findings and recommendations already reported — and by extension, the scope and objectives defined during planning. It has no role in establishing any foundational audit parameters.
2 / 36
What is the MOST critical activity during audit planning?
❌ Option 1 — Incorrect. Preparing the final audit report is the primary activity of the reporting phase — it occurs after fieldwork has been completed and findings have been evidenced. Attempting to prepare a report during planning would be premature since no evidence has yet been gathered. The sequence of audit phases exists precisely because each phase depends on the outputs of the previous one.
✅ Option 2 — Correct. Risk assessment is the most critical activity during audit planning because it determines where audit resources should be focused, which areas carry the greatest exposure, and what the audit objectives and scope should be. Without a sound risk assessment, the entire audit program lacks a defensible basis — testing could be misdirected toward low-risk areas while significant vulnerabilities go unexamined.
❌ Option 3 — Incorrect. Substantive testing is a fieldwork activity performed to verify the accuracy and completeness of transactions and data. It requires an audit program to guide it, which itself depends on a completed risk assessment. Performing substantive testing during planning would mean testing without a defined scope, objectives, or understanding of where risk lies — an inefficient and professionally unsound approach.
❌ Option 4 — Incorrect. While reviewing prior audit procedures can inform current planning, simply replicating last year’s audit program is not sound practice. The control environment, organizational priorities, and risk landscape evolve over time. The audit program must be developed fresh each cycle based on the current risk assessment — not carried forward from prior years without critical evaluation of its continued relevance.
3 / 36
Which phase primarily involves gathering sufficient and reliable audit evidence?
❌ Option 1 — Incorrect. Planning is focused on defining the audit scope, objectives, and approach — including performing risk assessments, reviewing prior audit results, and developing the audit program. While planning informs what evidence will be needed and how it will be collected, it does not involve the actual gathering of audit evidence. Evidence collection is a fieldwork activity.
✅ Option 2 — Correct. Fieldwork is the phase where the auditor executes the audit program by performing tests, inspections, observations, and inquiries to gather sufficient and reliable evidence in support of audit findings and conclusions. It is the operational core of the audit engagement where evidence is directly collected, examined, and documented.
❌ Option 3 — Incorrect. Reporting involves synthesizing and communicating the evidence and conclusions already gathered during fieldwork — it does not involve primary evidence collection. During reporting, the auditor drafts findings, prepares the audit report, discusses conclusions with management, and incorporates management responses. The evidence base at this point should already be complete.
❌ Option 4 — Incorrect. Follow-up does involve a form of evidence gathering — verifying that corrective actions have been implemented — but this is a narrow, targeted activity focused on remediation confirmation rather than the broad, systematic collection of audit evidence. The primary evidence-gathering phase remains fieldwork; follow-up evidence collection is secondary and purpose-limited.
4 / 36
What is the primary purpose of audit documentation?
❌ Option 1 — Incorrect. Audit documentation records the evidence and procedures performed — it does not reduce or replace the need for testing. Testing must be performed first; documentation captures the results. Suggesting that documentation substitutes for testing reverses the relationship between the two and misrepresents the role of work papers in the audit process.
✅ Option 2 — Correct. The primary purpose of audit documentation is to provide a complete, organized record of the evidence gathered, procedures performed, and conclusions reached — thereby supporting the audit findings and overall audit opinion. It demonstrates that the audit was conducted in accordance with professional standards, provides a basis for supervisory review, and supports the defensibility of audit conclusions if challenged.
❌ Option 3 — Incorrect. Communicating findings to auditee management is the purpose of the audit report — not audit documentation. Work papers are internal documents that support the auditor’s conclusions; they are not typically shared with management as the formal means of communicating findings. Conflating internal documentation with external reporting misrepresents the function of each.
❌ Option 4 — Incorrect. While audit documentation may incidentally demonstrate adherence to the audit charter and engagement letter, this is not its primary purpose. Demonstrating charter compliance is a governance and quality assurance consideration. The core function of documentation remains the support of findings and conclusions — providing the evidentiary foundation that makes those conclusions professionally defensible and reviewable.
5 / 36
Which of the following is normally included in the final audit report?
❌ Option 1 — Incorrect. Separating management responses into a standalone document undermines the transparency and completeness of the final audit report. Management responses are a standard component of the report itself — they provide accountability, demonstrate management’s commitment to remediation, and give report readers a complete picture of both the findings and the planned corrective actions in one place.
✅ Option 2 — Correct. A final audit report normally includes the findings — describing identified control weaknesses or issues; recommendations — suggesting corrective actions to address those findings; and management responses — capturing management’s position, agreed actions, and remediation timelines. Together these three components fulfill the audit report’s purpose of communicating results, driving accountability, and facilitating corrective action.
❌ Option 3 — Incorrect. Audit procedures, sampling methodology, and evidence inventory belong in audit work papers — the internal documentation supporting the audit. While these are essential to the audit process, they are not typically included in the final report issued to management and governance bodies. The final report communicates conclusions and recommendations, not the technical mechanics of how the audit was conducted.
❌ Option 4 — Incorrect. Limiting the final report to an executive summary and audit objectives — while reserving findings for internal work papers — would defeat the primary purpose of the report. Findings are the most critical output of any audit engagement. Withholding them from the formal report would leave management, the audit committee, and other stakeholders without the information they need to assess risk and drive remediation.
6 / 36
The follow-up phase is primarily performed to determine whether:
✅ Option 1 — Correct. The primary purpose of the follow-up phase is to determine whether management has implemented the corrective actions agreed upon in response to audit findings. Follow-up closes the loop on the audit cycle by verifying that identified risks and control weaknesses have been addressed — not merely acknowledged — and that the agreed remediation has been executed in practice.
❌ Option 2 — Incorrect. The sufficiency and appropriateness of audit evidence is assessed during fieldwork and quality review — not during follow-up. By the time follow-up occurs, the audit report has already been issued. Revisiting fieldwork evidence quality at this stage is neither the purpose nor the scope of follow-up procedures.
❌ Option 3 — Incorrect. While this option sounds very close to the correct answer, it describes how the auditor verifies remediation rather than why follow-up is performed. Testing that the new or changed control operates effectively is the way the auditor confirms that the corrective action was genuinely implemented (a control that exists only on paper has not remediated anything), but the primary determination in follow-up is whether the agreed corrective actions were implemented. A full re-assessment of operating effectiveness across the original scope would be a new audit engagement.
❌ Option 4 — Incorrect. Evaluating whether the original risk assessment was accurate is a reflective quality assurance activity — not a follow-up procedure. Follow-up is forward-looking, focused on whether remediation has occurred. Retrospective assessment of planning decisions belongs to audit quality management processes, not the follow-up phase of a specific engagement.
7 / 36
During fieldwork, an IS auditor identifies a potential control weakness. What should the auditor do FIRST?
8 / 36
If audit resources are limited, the IS auditor should:
❌ Option 1 — Incorrect. Equal coverage of all areas regardless of risk is an inefficient use of limited resources and is inconsistent with risk-based auditing principles. Not all areas carry the same level of risk — applying uniform effort means under-investing in high-risk areas while expending resources on low-risk areas that may not warrant the same level of scrutiny. Resource constraints make prioritization not just acceptable but necessary.
✅ Option 2 — Correct. Risk-based auditing requires that limited resources be directed where they will have the greatest impact — specifically, areas with the highest risk exposure. By focusing on high-risk areas, the auditor maximizes the value of the audit, ensures the most significant threats to the organization receive appropriate scrutiny, and fulfills the core purpose of audit as a risk management function.
❌ Option 3 — Incorrect. Prioritizing recently audited areas inverts sound audit logic. Areas that were recently audited and found satisfactory are generally lower priority — their control environment has recently been assessed. Audit resources should flow toward areas that are higher risk, have not been recently reviewed, or where prior findings suggest persistent control weaknesses.
❌ Option 4 — Incorrect. Selecting audit areas based solely on management preference fundamentally compromises auditor independence. Management has an inherent interest in directing attention away from areas of weakness or sensitivity, meaning preference-driven scoping introduces significant bias into the audit process. While management input can be a useful data point during planning, audit prioritization must ultimately be driven by an objective, evidence-based risk assessment — not by what management finds convenient or comfortable to have reviewed.
9 / 36
Before issuing a final audit report, an IS auditor should:
✅ Option 1 — Correct. Before issuing the final audit report, professional standards require the auditor to discuss findings with auditee management. This step — typically conducted through an exit meeting or draft report review — ensures that findings are factually accurate, gives management the opportunity to provide additional context or evidence, and allows management’s responses and remediation plans to be incorporated. It upholds fairness, transparency, and the integrity of the audit process.
❌ Option 2 — Incorrect. Limiting the final report to only those findings management has formally acknowledged would fundamentally compromise audit independence. Management’s acknowledgment is not a prerequisite for reporting a finding — findings must be reported if they are supported by sufficient appropriate evidence, regardless of whether the auditee agrees. Selectively reporting only accepted findings would render the audit meaningless as an independent assurance function.
❌ Option 3 — Incorrect. Withholding the final report pending management’s acceptance conflates the purpose of management review with management approval. The pre-issuance discussion is meant to ensure factual accuracy and allow management responses — not to give management veto power over the report’s contents. Delaying issuance until management confirms acceptability compromises auditor independence and timeliness of reporting.
❌ Option 4 — Incorrect. Issuing the report without any management review bypasses a critical quality control step. The pre-issuance discussion exists to catch factual errors, incorporate management’s perspective, and ensure the report reflects a complete and balanced picture. Skipping this step risks issuing a report that contains inaccuracies or omits important context — damaging both the auditor’s credibility and the fairness of the process.
10 / 36
An auditee disagrees with the impact of an audit finding during the exit meeting. What should the IS auditor do?
❌ Option 1 — Incorrect. Revising a finding to align with management’s preferred view of impact — without new evidence or a valid professional basis — compromises audit independence and objectivity. The auditor’s assessment of impact must be grounded in evidence and professional judgment, not adjusted to satisfy the auditee. Management disagreement alone is not a sufficient reason to change a finding.
✅ Option 2 — Correct. When the auditee disputes the impact of a finding, the auditor’s first responsibility is to engage professionally and constructively — clearly explaining the identified risk, the potential consequences of not addressing the weakness, and the basis for the impact assessment. This gives management the opportunity to understand the auditor’s rationale and provides a foundation for productive dialogue. It also upholds the auditor’s professional obligation to communicate findings effectively.
❌ Option 3 — Incorrect. While noting management’s disagreement in the report is a legitimate and sometimes necessary step, doing so without any discussion bypasses the auditor’s responsibility to communicate findings effectively. The exit meeting exists precisely to facilitate dialogue about findings. Documenting a disagreement without first attempting to explain and resolve it through professional discussion is premature and fails the spirit of the audit process.
❌ Option 4 — Incorrect. Escalating to the audit committee before exhausting direct dialogue with management is premature and procedurally inappropriate. Governance escalation is a last resort when disagreements cannot be resolved through professional engagement. Bypassing that process at the first sign of disagreement undermines the relationship between auditor and management and may appear adversarial without cause.
11 / 36
Management states that a reported issue has been remediated. What should the IS auditor do during follow-up?
❌ Option 1 — Incorrect. Management representations — regardless of how formally or confidently they are made — are among the weakest forms of audit evidence. Management has an inherent interest in demonstrating that findings have been addressed, which introduces bias. Accepting a statement without independent verification violates professional skepticism and the requirement for sufficient appropriate evidence to support conclusions.
✅ Option 2 — Correct. During follow-up, the auditor must independently verify that the remediation has actually been implemented and is functioning as intended. This involves reviewing updated documentation, inspecting system configurations, re-performing tests, or examining records that demonstrate the control is now in place and operating effectively. Only evidence-based verification justifies closing a finding.
❌ Option 3 — Incorrect. Updating the audit report based solely on management’s confirmation — without independent verification — carries the same weakness as accepting their statement outright. The audit report is a professional document that must reflect evidence-supported conclusions. Amending it based on unverified representations undermines its reliability and the auditor’s credibility.
❌ Option 4 — Incorrect. A written management sign-off is a formal acknowledgment but it remains a management representation — not independent evidence of remediation. Its written form does not elevate it above other representations in the reliability hierarchy. The auditor’s obligation is to verify the actual state of the control, not to collect acknowledgments of claimed remediation.
12 / 36
During audit planning, an IS auditor reviews previous audit reports. What is the MAIN purpose of this activity?
❌ Option 1 — Incorrect. Prior audit reports provide valuable historical context but cannot replace a current risk assessment. The control environment, organizational structure, systems, and risk landscape evolve over time. Relying solely on prior findings without performing a fresh risk assessment risks missing new or changed risks that were not present during previous audits.
✅ Option 2 — Correct. Reviewing prior audit reports during planning helps the auditor understand the historical control environment, identify recurring issues, assess management’s track record in addressing findings, and build a more informed audit approach. It provides essential context that shapes the current audit’s focus, risk assessment, and scope — without replacing any current planning activities.
❌ Option 3 — Incorrect. Carrying forward prior conclusions — even in a seemingly stable control environment — bypasses the auditor’s obligation to independently verify current conditions. Controls may appear unchanged on the surface while having deteriorated in practice. Each audit cycle requires fresh, independent assessment; prior conclusions serve as background context, not transferable evidence.
❌ Option 4 — Incorrect. Benchmarking current scope against what was previously tested is a by-product of reviewing prior reports, but it is not the main purpose. Using prior scope as a template risks perpetuating coverage gaps or outdated focus areas. The primary purpose is to understand historical findings and issues — which then informs but does not dictate the current audit’s scope and approach.
13 / 36
An IS auditor finds a major control deficiency in a system component that is related to the application under review but slightly outside the original scope. What is the BEST action?
❌ Option 1 — Incorrect. While auditors must respect their defined scope, professional standards require the exercise of due professional care when significant risks are identified — even near the boundaries of scope. Ignoring a major control deficiency solely on jurisdictional grounds would be a failure of professional responsibility. The auditor has an obligation to at least acknowledge and communicate significant risks that come to their attention.
❌ Option 2 — Incorrect. Reporting a finding immediately without validation — regardless of how significant it appears — violates the requirement for sufficient appropriate evidence. A major finding reported without proper assessment risks being inaccurate, incomplete, or misleading. Even out-of-scope observations must be substantiated before being formally communicated to avoid causing unwarranted alarm or unfair conclusions.
✅ Option 3 — Correct. When a significant issue is identified slightly outside scope, the auditor should perform a preliminary review of the relevant controls to assess the nature and severity of the deficiency. If the review confirms a material concern, the auditor should recommend that a more detailed, formally scoped review be conducted. This approach balances professional responsibility with the boundaries of the current engagement.
❌ Option 4 — Incorrect. Formally expanding the full audit scope mid-engagement to absorb an out-of-scope component is neither efficient nor appropriate without proper authorization. Scope changes require management approval, resource assessment, and revised planning. The more proportionate and professional response is to perform a preliminary review and recommend a separate, properly scoped follow-up — rather than unilaterally expanding the current engagement.
14 / 36
An IS auditor discovers that management corrected a control weakness immediately after it was identified during the audit. How should this be handled in the final report?
❌ Option 1 — Incorrect. The fact that a control weakness was corrected during the audit does not eliminate the obligation to report it. The weakness existed during the audit period and represents a real gap in the control environment. Excluding it from the report would create an incomplete picture of the organization’s control posture and deprive stakeholders of important historical context about vulnerabilities that were present.
✅ Option 2 — Correct. The finding should be included in the final report because it reflects a genuine control weakness that existed during the audit period. However, professional reporting standards also require the auditor to acknowledge management’s prompt corrective action. This provides a complete and balanced account — documenting both the weakness identified and the response taken — which serves governance, accountability, and transparency objectives.
❌ Option 3 — Incorrect. Deferring the report to confirm sustainability of the correction confuses the purpose of the current audit report with follow-up responsibilities. The audit report documents what was found during the audit period. Sustainability of the correction is a matter for follow-up testing in a subsequent audit cycle — it is not a prerequisite for reporting a finding that has already been evidenced and corrected.
❌ Option 4 — Incorrect. Omitting the corrective action from the report in the name of objectivity actually undermines objectivity. A complete and fair audit report presents the full picture — including both the deficiency and the response to it. Withholding information about management’s corrective action would create a misleadingly negative impression and fail the standard of balanced, accurate reporting.
15 / 36
While preparing the audit report, the IS auditor and management disagree on whether a compensating control reduces the risk of a finding. What should the auditor do FIRST?
✅ Option 1 — Correct. When management disputes a finding by asserting that a compensating control mitigates the risk, the auditor’s first responsibility is to objectively evaluate that claim. This means revalidating the original evidence and independently assessing whether the compensating control actually operates effectively and sufficiently reduces the identified risk. Professional skepticism requires neither automatic acceptance nor automatic rejection — it requires evidence-based evaluation.
❌ Option 2 — Incorrect. Retaining the finding without any further review of management’s compensating control argument is equally unprofessional as accepting it blindly. If management raises a substantive point about risk mitigation, the auditor has a professional obligation to consider it objectively. Dismissing it outright without evaluation undermines the credibility and fairness of the audit process.
❌ Option 3 — Incorrect. Escalating to senior management or the audit committee is a legitimate step — but only after the auditor has exhausted direct evaluation and discussion. Escalation is appropriate when a genuine, evidence-based disagreement cannot be resolved between the auditor and management. Going directly to governance bodies before completing the evaluation bypasses due process and may appear premature or adversarial.
❌ Option 4 — Incorrect. Accepting management’s explanation without independent testing or evidence evaluation violates the principle of professional skepticism. Management has an inherent interest in minimizing findings, which means their representations about compensating controls must be substantiated — not simply taken at face value. Updating the finding based on an unverified assertion compromises audit integrity and objectivity.
16 / 36
An IS auditor is performing follow-up and finds that management implemented the recommended control, but the control is not operating effectively. What should the auditor do?
❌ Option 1 — Incorrect. The mere existence of a control does not satisfy the audit finding. Follow-up testing must confirm not only that a control was implemented but that it is operating effectively. A control that exists on paper or in design but fails in practice provides no actual risk mitigation. Closing the finding at this stage would misrepresent the true state of remediation.
✅ Option 2 — Correct. When follow-up reveals that a control has been implemented but is not operating effectively, the auditor must report the remediation as incomplete or ineffective. The original finding remains unresolved until the control demonstrably works as intended. Transparent reporting of ineffective remediation is essential for governance, accountability, and continued risk management.
❌ Option 3 — Incorrect. Partially closing a finding based on design effectiveness alone conflates two distinct concepts. Design effectiveness asks whether the control is capable of achieving its objective if operated as intended; operating effectiveness asks whether it actually does so in practice. A finding related to a control risk cannot be partially resolved on design grounds alone when operational failure has been directly observed.
❌ Option 4 — Incorrect. Deferring a known ineffective control to the next audit cycle without reporting creates an unacceptable gap in risk oversight. Follow-up procedures exist precisely to ensure timely resolution of audit findings. Delaying action because management made an attempt — regardless of outcome — undermines the purpose of the follow-up process and leaves a confirmed control weakness unaddressed and unreported.
17 / 36
An IS auditor is reviewing an audit program prepared by a junior auditor. Which item would be MOST concerning?
❌ Option 1 — Not a concern. Step-by-step procedures are a hallmark of a well-constructed audit program. They ensure consistency, provide guidance to audit staff of varying experience levels, and create a repeatable, documented basis for fieldwork. Their presence is a positive indicator of program quality, not a red flag.
❌ Option 2 — Not a concern. Alignment to audit objectives is a fundamental requirement of any audit program. It ensures that every procedure performed has a clear purpose tied to what the audit is trying to achieve. This is expected and desirable — its absence would be the concern, not its presence.
✅ Option 3 — Most concerning. An audit program developed without reference to risk assessment results is disconnected from the very foundation that should drive audit scope, focus, and resource allocation. Risk assessment determines where the greatest threats and vulnerabilities lie — ignoring it means the audit program may waste effort on low-risk areas while leaving high-risk areas untested. This is a critical professional deficiency.
❌ Option 4 — Not a concern. Identifying evidence requirements in the audit program is a sign of thorough planning. It ensures auditors know what they need to collect before fieldwork begins, reducing the likelihood of incomplete evidence and rework. This is a positive quality attribute of the program, not a concern.
18 / 36
An IS auditor completes fieldwork but has insufficient evidence for a potentially material finding. What is the BEST next step?
❌ Option 1 — Incorrect. Materiality determines the significance of a finding but does not override the requirement for sufficient evidence. In fact, the more material a finding, the more critical it is to ensure the evidence base is solid before reporting. Reporting an unsupported material finding exposes the audit function to credibility challenges, legal risk, and potential harm to the auditee if the conclusion turns out to be wrong.
✅ Option 2 — Correct. When fieldwork is complete but evidence is insufficient for a potentially material finding, the auditor must perform additional testing to close the evidence gap before concluding. Auditing standards require that findings be supported by sufficient appropriate evidence. The fact that fieldwork is nominally complete does not preclude the auditor from returning to gather more evidence when a material matter is at stake.
❌ Option 3 — Incorrect. Downgrading a potentially material finding to an informal observation simply to avoid an evidence gap is not a professionally acceptable resolution. The classification of a finding should be driven by its nature and risk significance — not by the auditor’s ability to gather evidence. If the issue is potentially material, it warrants the effort of additional testing rather than a reduced classification.
❌ Option 4 — Incorrect. Escalating an insufficiently evidenced finding directly to the audit committee is premature and potentially harmful. Governance bodies rely on auditors to present conclusions that are already supported by evidence. Presenting an unsubstantiated material finding to the audit committee without completing the necessary testing undermines the audit function’s credibility and may trigger unnecessary alarm or action based on incomplete information.
19 / 36
Which of the following provides the MOST reliable audit evidence?
❌ Option 1 — Incorrect. Verbal explanations are considered the weakest form of audit evidence regardless of the technical expertise of the person providing them. They rely entirely on individual memory, honesty, and interpretation, and cannot be independently verified or objectively examined. Professional standards require verbal evidence to always be corroborated by stronger, documentary or direct evidence.
❌ Option 2 — Incorrect. Screenshots provided by the auditee — even from technically knowledgeable staff such as application owners — are inherently limited in reliability. Screenshots can be easily manipulated, selectively captured, or staged to show a favorable state. Since the auditor did not obtain them directly, their authenticity cannot be fully assured without additional corroboration.
✅ Option 3 — Correct. Evidence obtained directly by the auditor through independent testing eliminates reliance on the auditee’s representations, documents, or interpretations. When the IS auditor personally performs the test and observes the results firsthand, the evidence is free from auditee bias and manipulation — making it the most reliable form among the options presented.
❌ Option 4 — Incorrect. Internal management reports are prepared by the auditee organization for its own operational purposes. While useful as a starting point, they are subject to management’s framing, selective inclusion, and potential bias. Being internally generated and not independently verified, they rank lower in the reliability hierarchy compared to evidence the auditor obtains and controls directly.
20 / 36
An IS auditor needs evidence to support a finding. Which combination is MOST important?
✅ Option 1 — Correct. Auditing standards universally require that audit findings be supported by evidence that is both sufficient (enough in quantity to support the conclusion) and appropriate (relevant and reliable in quality). These two attributes work together — neither alone is adequate. A finding lacking either dimension cannot be professionally defended or reported with confidence.
❌ Option 2 — Incorrect. Relevance is indeed one component of appropriateness and therefore important, but pairing it with “internally generated” undermines the combination. Internally generated evidence carries inherent reliability limitations due to the auditee’s potential bias. The standard requires appropriateness — which includes reliability — not just relevance from any source.
❌ Option 3 — Incorrect. Corroboration and formal documentation are desirable evidence characteristics that strengthen audit conclusions, but they are not the foundational standard. Evidence can be formally documented yet still insufficient in quantity or irrelevant to the objective. The professional standard anchors on sufficiency and appropriateness — not on form or corroboration alone.
❌ Option 4 — Incorrect. Independence is a determinant of reliability — one dimension of appropriateness — but technical complexity is not a recognized audit evidence attribute at all. Complex evidence is not inherently better evidence. Pairing a partial truth with an irrelevant attribute makes this combination both incomplete and misleading as a standard for supporting audit findings.
21 / 36
In audit evidence, ‘sufficiency’ primarily refers to:
❌ Option 1 — Incorrect. Reliability of the evidence source is a component of appropriateness, not sufficiency. Appropriateness addresses the quality of evidence — whether it is relevant and reliable — while sufficiency addresses quantity. An auditor can have highly reliable evidence that is still insufficient if there is not enough of it to support a conclusion.
✅ Option 2 — Correct. Sufficiency refers to the quantity or amount of audit evidence needed to support audit conclusions. It asks the question: “Do we have enough evidence?” The required quantity is influenced by factors such as risk level, materiality, and the quality of the evidence itself — higher quality evidence may reduce the quantity needed, but the concept itself remains fundamentally about amount.
❌ Option 3 — Incorrect. Independence of the evidence provider is a determinant of reliability, which is a component of appropriateness. Evidence from independent external sources is considered more reliable, but this speaks to quality rather than quantity. Sufficiency is concerned with whether the auditor has gathered enough evidence, regardless of where it came from.
❌ Option 4 — Incorrect. Relevance of evidence to the audit objective is the other component of appropriateness alongside reliability. Relevance asks whether the evidence logically connects to what is being tested — a quality measure, not a quantity measure. Confusing relevance with sufficiency is a common error, as both are necessary attributes of good audit evidence but address entirely different dimensions.
22 / 36
In audit evidence, ‘appropriateness’ primarily refers to:
❌ Option 1 — Incorrect. Quantity of evidence relates to sufficiency — a separate but complementary attribute of audit evidence. Sufficiency asks “do we have enough evidence?” while appropriateness asks “is the evidence we have actually meaningful and trustworthy?” An auditor can have an abundance of evidence that is still inappropriate if it lacks relevance or reliability.
✅ Option 2 — Correct. Appropriateness is the measure of the quality of audit evidence, encompassing two dimensions: relevance — whether the evidence logically relates to the audit objective — and reliability — whether the evidence can be trusted to accurately represent the underlying facts. Together these determine whether evidence is fit for purpose in supporting audit conclusions.
❌ Option 3 — Incorrect. Consistency of evidence across procedures relates to corroboration — the degree to which multiple sources or methods point to the same conclusion. While corroboration contributes to overall evidence strength, it is not the definition of appropriateness. Evidence can be consistent yet still lack relevance to the specific audit objective being tested.
❌ Option 4 — Incorrect. Timeliness relates to whether evidence reflects the period under audit, which is an aspect of relevance — one component of appropriateness — but it is not the full definition. Appropriateness encompasses both relevance and reliability together, making timeliness alone an incomplete and therefore incorrect answer.
23 / 36
Which of the following is generally MORE reliable?
❌ Option 1 — Incorrect. Oral evidence — even when provided formally during a structured interview — is among the least reliable forms of audit evidence. It depends entirely on the honesty, accuracy, and recollection of the individual providing it, and cannot be independently verified. Formality of the setting does not improve the inherent weakness of oral representations.
❌ Option 2 — Incorrect. Internally generated evidence with strong internal controls is more reliable than evidence from a poorly controlled environment, but it still carries inherent limitations. The auditee has a vested interest in the outcome of the audit, which introduces the risk of bias, manipulation, or selective presentation — regardless of how robust the controls appear to be.
✅ Option 3 — Correct. Evidence obtained from independent external sources — such as third-party confirmations, regulatory filings, or vendor records — is generally considered the most reliable because it is free from the auditee’s influence or bias. Independence of source is one of the key determinants of evidence reliability in auditing standards.
❌ Option 4 — Incorrect. Cross-referencing multiple internal sources may improve consistency and completeness, but it does not overcome the fundamental reliability limitation of internally generated evidence. If the auditee controls all the systems and the cross-referencing process itself, the evidence remains subject to the same organizational bias and cannot be elevated to the reliability level of independent external sources.
24 / 36
An IS auditor receives a management representation stating that all privileged user access is reviewed quarterly. What should the auditor do NEXT?
❌ Option 1 — Incorrect. Management representations, regardless of the seniority of the source, are considered weak audit evidence on their own. They reflect what management believes or wants the auditor to believe, but carry inherent bias and cannot substitute for independently obtained corroborating evidence. Professional skepticism requires the auditor to verify, not simply accept.
✅ Option 2 — Correct. The appropriate next step is to corroborate the management representation by examining objective evidence — in this case, actual access review records, logs, tickets, or sign-off documentation that demonstrate quarterly reviews took place. This transforms an unverified claim into a supported, evidenced conclusion consistent with auditing standards.
❌ Option 3 — Incorrect. Escalating an unverified management representation to the audit committee is premature and procedurally inappropriate at this stage. The audit committee is not responsible for confirming operational claims — that is the auditor’s job through evidence-gathering. Escalation to governance bodies is reserved for significant findings or independence concerns, not routine verification steps.
❌ Option 4 — Incorrect. Closing an audit procedure based solely on a formal management representation — without independent verification — violates the fundamental principle of sufficient appropriate evidence. A formal written statement does not elevate a representation to the level of corroborated evidence. Formality of the confirmation does not substitute for objectivity and independence of the evidence source.
25 / 36
An IS auditor performs a walkthrough of a change management process. What does this BEST help determine?
❌ Option 1 — Incorrect. Determining whether a control operates effectively and consistently over a period of time requires full controls testing — typically involving sampling of transactions across the audit period. A walkthrough traces only a single transaction end-to-end and cannot provide conclusions about consistency or sustained performance over time.
✅ Option 2 — Correct. A walkthrough involves tracing a single transaction through the entire process from initiation to completion, while discussing the steps with relevant personnel. Its primary purpose is to confirm that the auditor’s understanding of the control design is accurate and that the control is understood and applied as documented. It validates design, not sustained operational effectiveness.
❌ Option 3 — Incorrect. Independent validation or testing by a third party is a separate assurance activity — not the purpose or outcome of a walkthrough. A walkthrough is performed by the auditor to build understanding of process design, not to certify that prior testing has been conducted by others.
❌ Option 4 — Incorrect. Assessing whether control deviations have been identified and remediated is the purpose of follow-up procedures, conducted after audit findings have been communicated to management. A walkthrough is performed during fieldwork planning or early fieldwork stages, well before any findings or remediation activities are in scope.
26 / 36
Which audit procedure provides stronger evidence of operating effectiveness?
❌ Option 1 — Incorrect. Inquiry is considered the weakest form of audit evidence because it relies entirely on the representations of individuals who may be biased, mistaken, or uninformed. While inquiry is useful for gaining understanding, it cannot stand alone as evidence of operating effectiveness and must be corroborated by stronger procedures.
✅ Option 2 — Correct. Reperformance — where the auditor independently re-executes the control using the same inputs and procedures — provides the strongest evidence of operating effectiveness. It directly demonstrates that the control works as intended because the auditor has personally verified the outcome, eliminating reliance on the representations of others.
❌ Option 3 — Incorrect. Reviewing a policy document provides evidence of control design — that a control has been formally defined and documented — but says nothing about whether the control is actually being executed in practice. A well-written policy can coexist with poor or no compliance, making this insufficient evidence of operating effectiveness.
❌ Option 4 — Incorrect. Observation provides stronger evidence than inquiry or document review, but it has a key limitation — it only captures control performance at the moment of observation. The control owner may behave differently when being watched, and observation cannot confirm consistent operation over a period of time. Reperformance is therefore more reliable as it independently verifies the outcome rather than simply watching someone else perform it.
27 / 36
Compliance testing is primarily used to determine whether:
❌ Option 1 — Incorrect. Determining whether account balances and transactions are free from material misstatement is the purpose of substantive testing, not compliance testing. Substantive testing examines the accuracy and completeness of underlying data directly, whereas compliance testing focuses on whether prescribed controls and procedures are actually being followed.
✅ Option 2 — Correct. Compliance testing — also called controls testing — is used to determine whether established controls, policies, and procedures are being adhered to in practice. It answers the question: “Are people following the rules?” rather than examining the accuracy of the data produced.
❌ Option 3 — Incorrect. Evaluating whether control design is adequate to mitigate identified risks is part of risk assessment and control design evaluation — typically performed during the planning phase of an audit. Compliance testing assumes controls exist and tests whether they are operating as intended, not whether their design is appropriate.
❌ Option 4 — Incorrect. Verifying whether exceptions have been properly remediated is the purpose of follow-up testing, a distinct audit phase conducted after findings have been reported. Compliance testing occurs during fieldwork to assess current adherence, not to evaluate management’s response to prior audit findings.
28 / 36
Substantive testing is MOST likely used to:
❌ Option 1 — Incorrect. Determining whether a control policy exists is associated with compliance testing (also called controls testing), not substantive testing. Compliance testing focuses on whether controls are in place and being followed, whereas substantive testing focuses on the accuracy and completeness of the underlying data and transactions themselves.
✅ Option 2 — Correct. Substantive testing is designed to detect material misstatements or errors in financial or operational data. It directly examines transactions, balances, and records to verify their accuracy, completeness, and validity — independent of whether controls exist or function properly.
❌ Option 3 — Incorrect. Evaluating whether controls are designed and operating effectively is the purpose of controls testing, not substantive testing. An auditor may perform substantive testing precisely when controls are weak or absent — to directly verify data integrity rather than relying on controls to ensure it.
❌ Option 4 — Incorrect. Confirming whether control exceptions were escalated and remediated is part of follow-up testing or compliance monitoring — evaluating the organization’s response to known control failures. This is distinct from substantive testing, which independently examines transaction-level data without reference to prior control exceptions.
29 / 36
During fieldwork, an IS auditor finds that evidence obtained is relevant but not reliable. What is the BEST action?
❌ Option 1 — Incorrect. Relevance and reliability are both required attributes of audit evidence — neither alone is sufficient. Relevant evidence tells us the information relates to the audit objective, but unreliable evidence cannot be trusted to accurately represent the facts. Using unreliable evidence risks drawing incorrect or unsupportable conclusions.
✅ Option 2 — Correct. When evidence is relevant but lacks reliability, the auditor should seek corroborating evidence from a more dependable source to strengthen the basis for conclusions. This could include obtaining evidence from independent external sources, system-generated reports with strong controls, or original source documents rather than summaries.
❌ Option 3 — Incorrect. Discarding relevant evidence entirely is unnecessarily wasteful and not required. The issue is reliability, not relevance — the evidence still points in the right direction. The appropriate response is to supplement it with more reliable sources, not abandon the work already performed.
❌ Option 4 — Incorrect. Simply documenting a reliability limitation without taking corrective action is insufficient for a material finding. Acknowledging a weakness in evidence quality does not resolve it. Reporting findings that rest on unreliable evidence — even with a noted caveat — falls short of the auditor’s professional duty to obtain sufficient appropriate evidence before concluding.
30 / 36
Who generally owns audit work papers?
❌ Option 1 — Incorrect. Although audit work papers contain information about the auditee’s processes and systems, auditee management does not own them. The auditee is the subject of the audit, not the preparer. Ownership lies with whoever created and is responsible for the documentation — the auditor.
✅ Option 2 — Correct. Audit work papers are the property of the auditing entity or auditor who prepared them. They serve as evidence of the audit work performed and support the audit conclusions. While external parties such as regulators may request access, ownership and control remain with the auditing organization.
❌ Option 3 — Incorrect. The process owner is the individual responsible for a specific business area being audited. While their activities and controls are documented within the work papers, that does not confer ownership. The process owner has no claim over audit documentation simply because it covers their domain.
❌ Option 4 — Incorrect. Joint ownership is not a recognized standard in auditing. Establishing shared ownership would create conflicts over confidentiality, access rights, and control of sensitive audit findings. Clear, singular ownership by the auditing entity is essential to maintain independence and protect the integrity of audit documentation.
31 / 36
An external party requests access to audit documentation. What should the IS auditor do FIRST?
❌ Option 1 — Incorrect. The legitimacy of a request — even when made formally in writing — does not by itself authorize disclosure. Audit documentation is confidential and its release must follow established approval protocols. Acting on appearance alone bypasses necessary governance and legal considerations.
✅ Option 2 — Correct. Audit documentation is confidential and proprietary. Before releasing any documentation to an external party, the auditor must first obtain appropriate authorization — which typically involves legal counsel and senior management review — to ensure compliance with confidentiality obligations, legal requirements, and organizational policies.
❌ Option 3 — Incorrect. Selectively sharing only the final report while withholding work papers is not a sanctioned approach to handling external requests. This is an unauthorized decision made by the auditor alone. All disclosures, whether full or partial, require proper approval regardless of what is being shared.
❌ Option 4 — Incorrect. While referring the matter to the chief audit executive (CAE) is a reasonable step, doing so while bypassing legal or senior management is insufficient. External requests for audit documentation carry potential legal implications that require appropriate escalation beyond the CAE alone, particularly when confidentiality or regulatory obligations are involved.
32 / 36
When using the work of an external expert, the IS auditor is MOST responsible for:
❌ Option 1 — Incorrect. Even when an external expert is highly qualified, their work cannot be accepted without evaluation. The auditor must assess whether the expert’s methodology, assumptions, and conclusions are appropriate and consistent with the audit objectives. Blind acceptance undermines professional skepticism.
✅ Option 2 — Correct. The IS auditor retains full responsibility for the audit engagement, including work performed by external experts. This means verifying the expert’s qualifications and competence, understanding the scope of their work, and critically reviewing their findings before incorporating them into audit conclusions.
❌ Option 3 — Incorrect. While an expert may contribute technical knowledge within their domain, audit conclusions always remain the auditor’s responsibility. Delegating conclusions — even within a narrow technical area — is a violation of the auditor’s professional obligation and independence.
❌ Option 4 — Incorrect. Audit findings, regardless of their source, must go through the auditor’s review and judgment before being communicated. Bypassing this review and directly disclosing an expert’s unvetted findings to management compromises the audit process and could result in misleading or unsupported communications.
33 / 36
An IS auditor wants to use CAATs to analyze production data. What type of access should be requested?
❌ Option 1 — Incorrect. Full administrative access grants the ability to create, modify, and delete data — far beyond what an auditor needs. Requesting such access violates the principle of least privilege and could compromise data integrity, raise independence concerns, and even expose the auditor to accusations of tampering.
✅ Option 2 — Correct. When using CAATs on production data, read-only access is the appropriate request. It allows the auditor to extract, query, and analyze data without any risk of altering or corrupting the production environment. This aligns with auditing standards and the principle of least privilege.
❌ Option 3 — Incorrect. While query-level access with logging sounds controlled and reasonable, it may still permit actions beyond simple reading depending on how database permissions are configured. Read-only access is the more precise and universally accepted standard for audit purposes.
❌ Option 4 — Incorrect. Temporary elevated access under dual control is a mechanism typically used for break-glass or emergency situations requiring privileged system actions. Routine audit analysis using CAATs does not qualify as an emergency and does not warrant elevated privileges regardless of the controls around it.
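What read-only CAAT access looks like in practice, as an added example that is not part of the original quiz: the analysis (a classic duplicate-payment test) runs over a connection that the database engine itself refuses to write through, so the auditor can show that the granted access could not have altered the data under audit. The payments table and its rows are constructed, and SQLite's `mode=ro` URI option stands in for the production platform; on a real RDBMS the equivalent is a dedicated audit role granted only SELECT on the tables in scope.

```python
"""Read-only CAAT analysis against a copy of production data. Added example,
not from the original quiz. The table and rows are constructed sample data;
SQLite's URI mode=ro is an assumption standing in for the production store."""
import sqlite3
import tempfile
from pathlib import Path


def build_sample_db(path: str) -> None:
    """Constructed production data: a payments table containing one duplicate."""
    conn = sqlite3.connect(path)
    try:
        conn.execute(
            "CREATE TABLE payments (id INTEGER PRIMARY KEY, vendor TEXT, "
            "amount REAL, paid_on TEXT)"
        )
        conn.executemany(
            "INSERT INTO payments (vendor, amount, paid_on) VALUES (?, ?, ?)",
            [
                ("Acme Ltd", 1200.00, "2024-03-01"),
                ("Acme Ltd", 1200.00, "2024-03-02"),  # duplicate of the line above
                ("Globex", 560.50, "2024-03-03"),
                ("Initech", 990.00, "2024-03-10"),
                ("Initech", 990.00, "2024-05-10"),    # same amount, 61 days apart: not flagged
            ],
        )
        conn.commit()
    finally:
        conn.close()


def open_read_only(path: str) -> sqlite3.Connection:
    """Open the database so that any write raises instead of changing the data."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def find_duplicate_payments(conn: sqlite3.Connection, window_days: int = 7) -> list:
    """CAAT test: same vendor and amount paid within window_days of each other."""
    sql = """
        SELECT a.id, b.id, a.vendor, a.amount
        FROM payments a
        JOIN payments b
          ON a.vendor = b.vendor AND a.amount = b.amount AND a.id < b.id
        WHERE julianday(b.paid_on) - julianday(a.paid_on) BETWEEN 0 AND ?
        ORDER BY a.id
    """
    return conn.execute(sql, (window_days,)).fetchall()


def write_is_blocked(conn: sqlite3.Connection) -> bool:
    """Evidence that the access granted to the auditor cannot alter the data."""
    try:
        conn.execute("UPDATE payments SET amount = 0 WHERE id = 1")
        return False
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return True


def run_caat_example():
    """Build the constructed data, then analyse it over a read-only connection."""
    with tempfile.TemporaryDirectory() as tmp:
        db = str(Path(tmp) / "erp_copy.db")
        build_sample_db(db)
        conn = open_read_only(db)
        try:
            dupes = find_duplicate_payments(conn)
            blocked = write_is_blocked(conn)
        finally:
            conn.close()
    return dupes, blocked


if __name__ == "__main__":
    print(run_caat_example())
```

The duplicate test flags the two Acme Ltd payments one day apart and ignores the Initech pair two months apart; the attempted UPDATE fails at the engine, which is the point of Option 2: least privilege is enforced by the grant, not by the auditor's promise to only run SELECTs.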
34 / 36
While auditing a suspected fraud situation, what should be the IS auditor’s PRIMARY concern regarding evidence?
❌ Option 1 — Incorrect. Speed is never the primary concern in a fraud investigation. Rushing to complete a report at the expense of thoroughness and evidence integrity could result in flawed conclusions, legal challenges, or an incomplete picture of the fraud.
✅ Option 2 — Correct. In a suspected fraud situation, preserving evidence integrity is paramount. Evidence must be collected, handled, and stored in a way that maintains its authenticity and chain of custody — otherwise it may be inadmissible in legal proceedings or challenged in disciplinary actions.
❌ Option 3 — Incorrect. While forensically sound collection is part of preserving integrity, it is a method rather than the overarching primary concern. The broader principle — integrity preservation — encompasses forensic soundness along with chain of custody, documentation, and protection from tampering.
❌ Option 4 — Incorrect. Coordinating with legal counsel is a prudent step in fraud investigations, but it is a procedural action rather than the primary concern regarding evidence itself. The auditor’s core responsibility remains focused on evidence integrity regardless of whether legal counsel is involved.
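The integrity-preservation principle in Option 2 above, as an added example that is not part of the original quiz: each item of evidence is hashed at the moment of collection and recorded in a chain-of-custody manifest (who collected it, when, what its digest was), and the manifest itself is hashed so that later edits to the record are as detectable as edits to the evidence. The two evidence files are constructed sample content, and the manifest layout is an assumption for illustration, not a standard format.

```python
"""Preserving evidence integrity with collection-time hashes and a
chain-of-custody manifest. Added example, not from the original quiz; the
files are constructed sample evidence and the manifest layout is assumed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large images or log archives hash without loading fully."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(paths, collector: str, manifest_path: Path) -> dict:
    """Record what was collected, by whom, when, and its hash at collection time."""
    entries = []
    for p in paths:
        p = Path(p)
        entries.append({
            "file": p.name,
            "sha256": sha256_file(p),
            "size": p.stat().st_size,
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    # Hash the entry list too, so a later edit to the manifest itself is visible.
    body = json.dumps(entries, sort_keys=True).encode()
    manifest = {"entries": entries, "manifest_sha256": hashlib.sha256(body).hexdigest()}
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(manifest_path: Path, evidence_dir: Path) -> list:
    """Return the names of files whose current hash differs from the recorded one."""
    manifest = json.loads(Path(manifest_path).read_text())
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != manifest["manifest_sha256"]:
        raise ValueError("manifest has been altered since collection")
    altered = []
    for e in manifest["entries"]:
        p = Path(evidence_dir) / e["file"]
        if not p.exists() or sha256_file(p) != e["sha256"]:
            altered.append(e["file"])
    return altered


def run_custody_example():
    """Collect two constructed evidence files, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "auth.log").write_text(
            "2024-06-01T02:13:44Z sudo: jdoe : TTY=pts/1 ; COMMAND=/bin/sh\n"
        )
        (d / "ledger_export.csv").write_text("id,vendor,amount\n1,Acme Ltd,1200.00\n")
        manifest = d / "manifest.json"
        collect_evidence([d / "auth.log", d / "ledger_export.csv"], "IS auditor", manifest)
        clean = verify_evidence(manifest, d)
        # Simulated tampering after collection: the amount is changed.
        (d / "ledger_export.csv").write_text("id,vendor,amount\n1,Acme Ltd,120.00\n")
        tampered = verify_evidence(manifest, d)
    return clean, tampered


if __name__ == "__main__":
    print(run_custody_example())
```

Verification passes immediately after collection and names the altered file once the export has been changed; in a real investigation the manifest would be stored separately from the evidence and the originals kept write-protected, with analysis done on hashed working copies, so that the hashes can be reproduced by anyone who later challenges the evidence.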
35 / 36
An IS auditor has identified a potentially material finding but has only limited evidence. What is the BEST next step?
❌ Option 1 — Incorrect. Reporting a material finding without sufficient evidence violates auditing standards. A finding must be supported by sufficient, appropriate evidence before it can be formally reported. Premature reporting risks credibility and may lead to unfair conclusions.
✅ Option 2 — Correct. When a potentially material finding exists but evidence is limited, the auditor’s professional responsibility is to perform additional testing to gather enough appropriate evidence before drawing conclusions. This aligns with auditing standards requiring evidence to be sufficient and appropriate.
❌ Option 3 — Incorrect. The decision to report a finding is the auditor’s professional judgment, not management’s. Asking management undermines auditor independence, which is a fundamental principle of auditing. Management has an inherent conflict of interest in such decisions.
❌ Option 4 — Incorrect. Deferring a material finding without proper basis is a failure of due professional care. Material findings require timely follow-through. Classifying something as low-risk simply to avoid addressing insufficient evidence compromises audit integrity.
36 / 36
Which of the following BEST describes relevant audit evidence?
✅ Option 1 — Correct. Relevance in auditing means the evidence must have a logical, direct connection to the audit objective or finding being examined. If evidence does not relate to what is being audited, it holds no value regardless of its quality or source.
❌ Option 2 — Incorrect. This describes sufficiency, a separate attribute of audit evidence referring to the quantity of evidence needed to support audit conclusions. Evidence can be sufficient in volume yet irrelevant to the objective.
❌ Option 3 — Incorrect. This describes reliability. Evidence from independent external sources is considered more reliable, but reliability and relevance are distinct attributes: evidence can be externally sourced yet still irrelevant to the audit objective.
❌ Option 4 — Incorrect. This describes objectivity or reproducibility, the idea that evidence should yield consistent results when the procedure is repeated. That is again a separate attribute of audit evidence and does not define relevance.