- (Topic 1)
Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

1. A. Audit cycle defined in the audit plan
2. B. Complexity of management's action plans
3. C. Recommendation from executive management
4. D. Residual risk from the findings of previous audits

Correct Answer: D
Residual risk from the findings of previous audits should be the primary basis for prioritizing follow-up audits, because it reflects the level of exposure and potential impact that remains after management has implemented corrective actions or accepted the risk. Follow-up audits should focus on verifying whether the residual risk is within acceptable levels and whether the corrective actions are effective and sustainable. Audit cycle defined in the audit plan, complexity of management’s action plans, and recommendation from executive management are not valid criteria for prioritizing follow-up audits, because they do not consider the residual risk from previous audits. References:
CISA Review Manual (Digital Version), Chapter 2, Section 2.4.3

- (Topic 2)
Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

1. A. Audit charter
2. B. IT steering committee
3. C. Information security policy
4. D. Audit best practices

Correct Answer: A
The audit charter is the document that defines the purpose, authority and responsibility of the IS audit function. It provides IS audit professionals with the best source of direction for performing audit functions, as it establishes the scope, objectives, reporting lines, independence, accountability and resources of the IS audit function. The IT steering committee is a governance body that oversees the strategic alignment, prioritization and direction of IT initiatives, but it does not provide specific guidance for IS audit functions. The information security policy is a document that defines the rules and principles for protecting information assets in the organization, but it does not cover all aspects of IS audit functions. Audit best practices are general guidelines and recommendations for conducting effective and efficient audits, but they are not binding or authoritative sources of direction for IS audit functions. References: CISA Review Manual (Digital Version) 1, Chapter 1: Information Systems Auditing Process, Section 1.1: Audit Charter.