CISA Domain 1: The Process of Auditing Information Systems


False Acceptance Rate (FAR)

A measurement of the percentage of invalid users that will be falsely accepted by the system. This is called a Type II error. Type II errors are more dangerous than Type I errors.

False Rejection Rate (FRR)

A measurement of valid users that will be falsely rejected by the system. This is called a Type I error.

While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should: a. report the issue to IT management b. perform an access review c. contact the third party d. perform a risk assessment

A. report the issue to IT management. During an audit, if there are material issues that are of concern, they need to be reported to management in the audit report.

The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation? a. Generate sample test data b. Generalized audit software c. Integrated test facility d. Embedded audit module

B. Generalized audit software. Its features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and re-computations. An IS auditor, using generalized audit software, can design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.

Which of the following is an attribute of the control self-assessment approach? a. Broad stakeholder involvement b. Auditors are the primary control analysts c. Limited employee participation d. Policy driven

Broad stakeholder involvement is correct. The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training—all of which are representations of broad stakeholder involvement.

Which of the following is evaluated as a preventive control by an IS auditor performing an audit? a. Transaction logs b. Before and after image reporting c. Table lookups d. Tracing and tagging

C. Table lookups. These are preventive controls: input data are checked against predefined tables, which prevents any undefined data from being entered.

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? a. boundary controls b. overlapping controls c. compensating controls d. access controls

Compensating controls is correct. These are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.

During an audit, the IS auditor notes the application developer also performs quality assurance testing on another application. Which of the following is the MOST important course of action for the auditor? a. Recommend compensating controls. b. Review the code created by the developer. c. Analyze the quality assurance dashboards. d. Report the identified condition.

D. Report the identified condition. The software quality assurance role should be independent and separate from development activities. The same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor should report this condition when identified.

An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should: a. decline the assignment. b. inform management of the possible conflict of interest after completing the audit assignment. c. inform the BCP team of the possible conflict of interest prior to beginning the assignment. d. communicate the possibility of conflict of interest to audit management prior to starting the assignment.

D. communicate the possibility of conflict of interest to audit management prior to starting the assignment. A possible conflict of interest, likely to affect the IS auditor's independence, should be brought to the attention of management prior to starting the assignment.

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk? a. inherent b. detection c. control d. business

Detection risk is correct. This is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.

tracing and tagging

The tagging and tracing of transactions approach involves selecting certain transactions as they are entered into the system and using software to follow these transactions throughout the various processing steps, each of which is normally printed.

boundary controls

These establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based, not role-based, controls.

Audit guidelines

These exist to provide guidance on how to achieve compliance with professional standards. For example, they may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve compliance with professional standards.

discovery sampling

This is a form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population, typically used to test for fraud or other irregularities. In this case, additional substantive testing is the better option.

Tracing

This is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In electronic funds transfer transactions, the direction on tracing may start from the customer-printed copy of the receipt, proceed to checking the system audit trails and logs, and end with checking the master file records for daily transactions.

Compliance Testing

This is evidence gathering for the purpose of testing an enterprise's compliance with control procedures.

Inherent Risk

This is the risk that a material error could occur if there are no related internal controls to prevent or detect the error. Inherent risk is not usually affected by an IS auditor. Example: financial transactions that require complex calculations are inherently more likely to be misstated than simple calculations.

stop or go sampling

This is used when an IS auditor believes few errors will be found in the population.

Before and after image reporting

This makes it possible to trace the impact that transactions have on computer records. This is a detective control.

Directive Controls

Controls dictated by organizational or legal authorities; the organization is directed by legal or organizational authorities to have these controls in place.

An IS auditor should ensure that review of online electronic funds transfer reconciliation procedures should include: a. vouching b. authorizations c. tracing d. corrections

c. Tracing. This is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In electronic funds transfer transactions, the direction on tracing may start from the customer-printed copy of the receipt, proceed to checking the system audit trails and logs, and end with checking the master file records for daily transactions.

Vouching

Vouching is a procedure followed in the audit process to authorize the credibility of the entries entered in the books of accounts. In simpler words, it is a precise investigation of the documents presented by the firm, performed by an auditor to check the correctness and accuracy of those documents. It is the foremost step of the auditing process, on which the auditor bases his work and prepares an audit report. Example: "I'll vouch for you" means "I'll say you are credible."

User Datagram Protocol (UDP)

With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network. Prior communications are not required in order to set up communication channels or data paths. It has no handshaking dialogues, and thus exposes the user's program to any unreliability of the underlying network; there is no guarantee of delivery, ordering, or duplicate protection. Time-sensitive applications often use UDP because dropping packets is preferable to waiting for packets delayed due to retransmission. Large files are divided into datagrams for quicker transmission.

Service-oriented architecture (SOA)

A business-driven enterprise architecture that supports integrating a business as linked, repeatable activities, tasks, or services. It relies on the principles of a distributed environment in which services encapsulate business logic as a black box and can be deliberately combined to depict real-world business processes. Benefits: reduces cost, increases scalability, promotes interactions.

audit methodology

A set of documented audit procedures designed to achieve planned audit objectives; components include a statement of scope, a statement of objectives, and a statement of audit programs.

Heuristic scanning tools

A type of virus scanning used to indicate possibly infected traffic.

The effect of which of the following should have priority in planning the scope and objectives of an IS audit? a. Applicable statutory requirements b. Applicable corporate standards c. Applicable industry good practices d. Organizational policies and procedures

a. Applicable statutory requirements. The effect of applicable statutory requirements must be factored in while planning an IS audit—the IS auditor has no options regarding statutory requirements because there can be no limitation of scope relating to statutory requirements.

An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed, and the backup restarts cannot be confirmed. What should the IS auditor do? a. Expand the sample of logs reviewed b. Issue an audit finding. c. Review the classifications of data held on the server. d. Seek an explanation from IS management.

a. Expand the sample of logs reviewed. IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure.

An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important? a. False-acceptance rate b. Equal-error rate c. False-rejection rate d. False-identification rate

a. False-acceptance rate. This is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, limiting the number of false acceptances is more important than the impact on the false rejection rate.

Which of the following is MOST effective for monitoring transactions exceeding predetermined thresholds? a. Generalized audit software b. An integrated test facility c. Regression tests d. Transaction snapshots

a. Generalized audit software. Example: think XM processing.

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process? a. Participating in the design of the risk management framework b. Advising on different implementation techniques c. Facilitating risk awareness training d. Performing due diligence of the risk management processes

a. Participating in the design of the risk management framework This involves designing controls, which compromises the independence of the IS auditor to audit the risk manageme

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor? a. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing. b. Publish a report omitting the areas where the evidence obtained from testing was inconclusive. c. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained. d. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.

a. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management can then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.

An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of: a. substantive testing b. compliance testing c. analytical testing d. control testing

a. Substantive testing This obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern? a. The work may be construed as a self-audit. b. Audit points may largely shift to technical aspects. c. The employee may not have sufficient control assessment skills. d. The employee's knowledge of business risk may be limited.

a. The work may be construed as a self-audit. Because the employee had been a developer, it is recommended that the audit coverage exclude the systems developed by this employee, to avoid any conflicts of interest.

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step? a. Understanding services and their allocation to business processes by reviewing the service repository documentation.

a. Understanding services and their allocation to business processes by reviewing the service repository documentation.

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to: a. address audit objectives. b. collect sufficient evidence. c. specify appropriate tests. d. minimize audit resources.

a. address audit objectives. ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in the other options are all undertaken to address audit objectives and, thus, are secondary.

A PRIMARY benefit derived for an organization employing control self-assessment techniques is that it: a. can identify high-risk areas that might need a detailed review later. b. allows IS auditors to independently assess risk. c. can be used as a replacement for traditional audits. d. allows management to relinquish responsibility for control.

a. can identify high-risk areas that might need a detailed review later. Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review later. CSA is used to enhance audits, not replace them.

During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department? a. discuss with IT managers b. review organizational chart/structure c. research past IT audit reports d. Review IT job descriptions

a. discuss with IT managers. Discussing the implementation of segregation of duties with the IT managers is the best way to determine how responsibilities are assigned within the department.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to: a. examine source program changes without information from IS personnel b. detect a source program change made between acquiring a copy of the source and the comparison run. c. identify and validate any differences between the control copy and the production program. d. ensure that all changes made in the current source copy are tested.

a. examine source program changes without information from IS personnel. When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes, because the source code comparison identifies the changes.

Internet - Web Server - Firewall - Organization's network To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system between the: a. firewall and the organization's network. b. Internet and the firewall. c. Internet and the web server. d. web server and the firewall.

a. firewall and the organization's network. Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system (IDS) is placed between the firewall and the organization's network. Think of it as detecting the attack that already got through the firewall.

After identifying the findings, the IS auditor should FIRST: a. gain agreement on the findings. b. determine mitigation measures for the findings. c. inform senior management of the findings. d. obtain remediation deadlines to close the findings.

a. gain agreement on the findings. If findings are not agreed upon and confirmed by both parties, then there may be an issue during sign-off on the final audit report or while discussing findings with management. When agreement is obtained with the auditee, it implies the finding is understood and a clear plan of action can be determined. Think about NYPA: they tell the client, and the client agrees before the report is sent.

Which of the following situations could impair the independence of an IS auditor? The IS auditor: a. implemented specific functionality during the development of an application. b. designed an embedded audit module for auditing an application. c. participated as a member of an application project team and did not have operational responsibilities. d. provided consulting advice concerning application good practices.

a. implemented specific functionality during the development of an application. Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system.

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should: a. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings. b. not include the finding in the final report because management resolved the item c. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit. d. include the finding in the closing meeting for discussion purposes only.

a. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.

What is the MAJOR benefit of conducting a control self-assessment over a traditional audit? a. It detects risk sooner. b. It replaces the internal audit function. c. It reduces audit workload. d. It reduces audit resource requirements.

a. It detects risk sooner, because it is continuous. Control self-assessments (CSAs) require employees to assess the control stature of their own function. CSAs help to increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help to identify risk in a timelier manner.

A characteristic of User Datagram Protocol in network communications is: a. packets may arrive out of order. b. increased communication latency. c. incompatibility with packet broadcast. d. error correction may slow down processing.

a. packets may arrive out of order. User Datagram Protocol (UDP) uses a simple transmission model without implicit handshaking routines for providing reliability, ordering or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated or get dropped.

An IS auditor finds a small number of user access requests that were not authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should: a. perform an additional analysis. b. report the problem to the audit committee. c. conduct a security risk assessment d. recommend that the owner of the identity management system fix the workflow issues

a. perform an additional analysis. The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and the factors that caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, a problem with the workflow of the automated system or a combination of the two.

Which of the following BEST ensures the effectiveness of controls related to interest calculation for an accounting system? a. re-performance b. process walkthrough c. observation d. documentation review

a. re-performance. To ensure the effectiveness of controls, it is most effective to conduct re-performance. When the same result is obtained after the performance by an independent person, this provides the strongest assurance. Think of the depreciation calculation automated control (sji).

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt? a. walkthrough b. reperformance c. interview d. inquiry

a. walkthrough. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluating the design of the control, because it examines the control as it actually exists.

After reviewing the disaster recovery planning process of an organization, an IS auditor requests a meeting with organization management to discuss the findings. Which of the following BEST describes the main goal of this meeting? a. Obtaining management approval of the corrective action plan. b. Confirming factual accuracy of the findings. c. Assisting management in the implementation of corrective actions. d. Prioritizing the resolution of the items.

b. Confirming factual accuracy of the findings. The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action.

Which of the following is MOST important to ensure before communicating the audit findings to top management during the closing meeting? a. Risk statement includes an explanation of a business impact. b. Findings are clearly tracked back to evidence. c. Recommendations address root causes of findings. d. Remediation plans are provided by responsible parties.

b. Findings are clearly tracked back to evidence. Without adequate evidence, the findings hold no ground; therefore, this must be verified before communicating the findings.

An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings? a. System configuration values imported to a spreadsheet by the system administrator b. Standard report with configuration values retrieved from the system by the IS auditor c. Dated screenshot of the system configuration settings made available by the system administrator d. Annual review of approved system configuration values by the business owner

b. Standard report with configuration values retrieved from the system by the IS auditor. Evidence that is obtained directly from the source by an IS auditor is more reliable than information that is provided by a system administrator or a business owner, because the IS auditor does not have a vested interest in the outcome of the audit.

An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of: a. variable testing b. compliance testing c. substantive testing d. stop or go sampling

b. compliance testing. This determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.

A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a: a. compensating control. b. corrective control. c. directive control. d. detective control.

b. corrective control. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions when they are detected. This provides a mechanism to detect when malicious events have happened and correct the situation.

An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take? a. discuss with the auditee's manager b. discuss with the it auditors manager c. retest to confirm finding d. elevate the risk associated with the control

b. discuss with the IT auditor's manager. Discussing the disagreement with the auditor's manager is the best course of action, because other actions can weaken the relationship between the auditee and the auditor.

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should: a. ask the auditee to sign a release form accepting full legal responsibility. b. elaborate on the significance of the finding and the risk of not correcting it. c. report the disagreement to the audit committee for resolution d. accept the auditee's position because they are the process owners.

b. elaborate on the significance of the finding and the risk of not correcting it. If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures because the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee lessens effective communications and sets up an adversarial relationship, but an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.

An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST: a. expand the scope of the IS audit to include the devices that are not on the network diagram. b. evaluate the impact of the undocumented devices on the audit scope. c. note a control deficiency because the network diagram has not been approved. d. plan follow-up audits of the undocumented devices.

b. evaluate the impact of the undocumented devices on the audit scope. In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated—for example, the network layer, cross connections, etc.

An IS auditor finds that the answers received during an interview with a payroll clerk do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should: a. conclude that the controls are inadequate. b. expand the scope to include substantive testing. c. place greater reliance on previous audits. d. suspend the audit.

b. expand the scope to include substantive testing. If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests.

When performing a risk analysis, the IS auditor should FIRST: a. review the data classification program. b. identify the organization's information assets c. identify the inherent risk of the system. d. perform a cost-benefit analysis for controls.

b. identify the organization's information assets. The first step of the risk assessment process is to identify the systems and processes that support the business objectives, because risk to those processes impacts the achievement of business goals.

An IS auditor performing a review of application controls would evaluate the: a. efficiency of the application in meeting the business processes. b. impact of any exposures discovered c. business processes served by the application. d. application's optimization

b. impact of any exposures discovered. An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses.

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs? a. Usefulness b. Reliability c. Relevance d. Adequacy

b. reliability. Because the data are directly collected by the IS auditor, the audit findings can be reported with an emphasis on the reliability of the records that are produced and maintained in the system. The reliability of the source of information used provides reassurance on the generated findings.

In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional: a. stop or go sampling b. substantive procedures c. compliance testing d. discovery sampling

b. substantive procedures. Because both the inherent and control risk are high in this case, additional testing is required. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

The PRIMARY purpose of an IT forensic audit is: a. to participate in investigations related to corporate fraud. b. the systematic collection and analysis of evidence after a system irregularity. c. to assess the correctness of an organization's financial statements d. to preserve evidence of criminal activity

b. the systematic collection and analysis of evidence after a system irregularity. The evidence collected can then be analyzed and used in judicial proceedings.

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk? a. Sampling of transaction logs b. Use of computer-assisted audit techniques c. Continuous auditing d. Quarterly risk assessments

c. Continuous auditing The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.

Which of the following forms of evidence would an IS auditor consider the MOST reliable? a. An internally generated computer accounting report b. An oral statement from the auditee c. The results of a test performed by an external IS auditor d. A confirmation letter received from an outside source

c. The results of a test performed by an external IS auditor An independent test that is performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party, because the letter is the result of an analysis of the process and may not be based on authoritative audit techniques. An audit should consist of a combination of inspection, observation and inquiry by an IS auditor as determined by risk. This provides a standard methodology and reasonable assurance that the controls and test results are accurate.

An IS auditor is testing employee access to a large financial system, and the IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing? a. A spreadsheet provided by the system administrator b. Human resources access documents signed by employees' managers c. A list of accounts with access levels generated by the system d. Observations performed onsite in the presence of a system administrator

c. A list of accounts with access levels generated by the system The access list generated by the system is the most reliable, because it is the most objective evidence to perform a comparison against the samples selected. The evidence is objective, because it was generated by the system rather than by an individual. This is what we commonly receive when performing audits.

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control? a. Walk-through with the reviewer of the operation of the control b. System-generated exception reports for the review period with the reviewer's sign-off c. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer d. Management's confirmation of the effectiveness of the control for the review period

c. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer This represents the best possible evidence of the effective operation of the control, because there is documented evidence that the reviewer reviewed the exception report and took actions based on the exception report.

An IS auditor is developing an audit plan for an environment that includes new systems. The organization's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond? a. Audit the new systems as requested by management. b. Audit systems not included in last year's scope. c. Determine the highest-risk systems and plan accordingly. d. Audit both the systems not in last year's scope and the new systems

c. Determine the highest-risk systems and plan accordingly. The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."

A web server is attacked and compromised. Organizational policy states that incident response should balance containment of an attack with retaining freedom for later legal action against an attacker. Under the circumstances, which of the following should be performed FIRST? a. Dump the volatile storage data to a disk. b. Run the server in a fail-safe mode. c. Disconnect the web server from the network. d. Shut down the web server.

c. Disconnect the web server from the network. The first action is to disconnect the web server from the network to secure the device for investigation, contain the damage and prevent more actions by the attacker.

When developing a risk management program, what is the FIRST activity to be performed? a. Threat assessment b. Classification of data c. Inventory of assets d. Criticality analysis

c. Inventory of assets You need to know what assets you are assessing risk for. Identification of the assets to be protected is the first step in the development of a risk management program.

Which of the following is the PRIMARY purpose of a risk-based audit? a. High-impact areas are addressed first. b. Audit resources are allocated efficiently. c. Material areas are addressed first. d. Management concerns are prioritized.

c. Material areas are addressed first. Material risk is audited according to the risk ranking, thus enabling the audit team to concentrate on high-risk areas first.

Which audit technique provides the BEST evidence of the segregation of duties in an IT department? a. Discussion with management b. Review of the organization chart c. Observation and interviews d. Testing of user access rights

c. Observation and interviews By observing the IT staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations. By interviewing the IT staff, the auditor can get an overview of the tasks performed. Inquiry alone is not enough.

Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit? a. Complexity of the organization's operation b. Findings and issues noted from the prior year c. Purpose, objective and scope of the audit d. Auditor's familiarity with the organization

c. Purpose, objective and scope of the audit The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection, such as sample size or means of data collection.

Which of the following will MOST successfully identify overlapping key controls in business application systems? a. Reviewing system functionalities that are attached to complex business processes b. Submitting test transactions through an integrated test facility c. Replacing manual monitoring with an automated auditing solution d. Testing controls to validate that they are effective

c. Replacing manual monitoring with an automated auditing solution As part of the effort to realize continuous audit management, there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts can discover unnecessary or overlapping key controls in existing systems.

Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users? a. Variable sampling b. Judgmental sampling c. Stratified random sampling d. Systematic sampling

c. Stratified random sampling Stratification is the process of dividing a population into subpopulations with similar characteristics explicitly defined, so that each sampling unit can belong to only one stratum. This method of sampling ensures that all sampling units in each subgroup have a known, nonzero chance of selection. It is the most appropriate in this case.

Which of the following is MOST important for an IS auditor to understand when auditing an e-commerce environment? a. The technology architecture of the e-commerce environment b. The policies, procedures and practices forming the control environment c. The nature and criticality of the business process supported by the application d. Continuous monitoring of control measures for system availability and reliability

c. The nature and criticality of the business process supported by the application The e-commerce application enables the execution of business transactions. Therefore, it is important to understand the nature and criticality of the business process supported by the e-commerce application to identify specific controls to review.

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following? a. Only preventive and detective controls are relevant b. Corrective controls are regarded as compensating c. The point at which controls are exercised as data flow through the system d. Classification allows an IS auditor to determine which controls are missing

c. The point at which controls are exercised as data flow through the system An IS auditor should focus on when controls are exercised as data flow through a computer system.

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task? a. Computer-aided software engineering tools b. Embedded data collection tools c. Trend/variance detection tools d. Heuristic scanning tools

c. Trend/variance detection tools Key word: anomalies.

Which of the following audit techniques would BEST help an IS auditor in determining whether there have been unauthorized program changes since the last authorized program update? a. test data run b. code review c. automated code comparison d. review of code migration procedures

c. automated code comparison This is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure.

An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should: a. remove the IS auditor from the engagement. b. cancel the engagement. c. disclose the issue to the client. d. take steps to restore the IS auditor's independence.

c. disclose the issue to the client. In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report. It is not necessary to withdraw the IS auditor unless there is a statutory limitation, which exists in certain countries. The independence of the IS auditor cannot be restored while continuing to conduct the audit.

The MAIN advantage of an IS auditor directly extracting data from a general ledger system is: a. reduction of human resources needed to support the audit b. reduction in the time to have access to the information c. greater flexibility for the audit department d. greater assurance of data validity

c. greater flexibility for the audit department If the IS auditor executes the data extraction, there is greater assurance that the extraction criteria will not interfere with the required completeness, and, therefore, all required data will be collected. Asking IT to extract the data may expose the risk of filtering out exceptions that should be seen by the auditor. Also, if the IS auditor collects the data, all internal references correlating the various data tables/elements will be understood, and this knowledge may reveal vital elements to the completeness and correctness of the overall audit activity.

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of: a. excessive transaction turnaround time. b. application interface failure. c. improper transaction authorization. d. nonvalidated batch totals.

c. improper transaction authorization. Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Because the interaction with the parties is electronic, there is no inherent authentication. Improper authentication poses a serious risk of financial loss.

An IS auditor is reviewing a project risk assessment and notices that the overall residual risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of unauthorized users the project may affect? a. Control risk b. Compliance risk c. Inherent risk d. Residual risk

c. inherent risk This is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without considering the actions that management has taken or might take.

Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank? a. Analysis of transaction logs b. Re-performance c. Observation d. Interviewing personnel

c. observation Dual control requires that two people carry out an operation. The observation technique helps to ascertain whether two individuals do get involved in execution of the operation and an element of oversight exists. It is obvious if one individual is masquerading and filling in the role of the second person.

Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit? a. managing staff b. allocating resources c. project management d. attention to detail

c. project management Audits often involve resource management, deliverables, scheduling and deadlines that are similar to project management good practices.

During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by the user's supervisor would represent the BEST compensating control? a. Audit trails that show the date and time of the transaction b. A daily report with the total numbers and dollar amounts of each transaction c. User account administration d. Computer log files that show individual transactions

d. Computer log files that show individual transactions Computer logs record the activities of individuals during their access to a computer system or data file and record any abnormal activities, such as the modification or deletion of financial data.

Which of the following would be MOST useful for an IS auditor for accessing and analyzing digital data to collect relevant audit evidence from diverse software environments? a. Structured Query Language b. Application software reports c. Data analytics controls d. Computer-assisted auditing techniques

d. Computer-assisted auditing techniques Computer-assisted auditing techniques (CAATs) are tools used for accessing data in an electronic form from diverse software environments, record formats, etc. CAATs serve as useful tools for collecting and evaluating audit evidence according to audit objectives and can create efficiencies for collecting this evidence.

Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience? a. Internal quality requirements b. The audit guidelines c. The audit methodology d. Professional standards

d. Professional standards Professional standards from ISACA, The Institute of Internal Auditors and the International Federation of Accountants require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.

In a small organization, the function of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario? a. Hiring additional staff to provide segregation of duties b. Preventing the release manager from making program modifications c. Logging of changes to development libraries d. Verifying that only approved program changes are implemented

d. Verifying that only approved program changes are implemented The other options may not be feasible in a small environment.

While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to: a. continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions. b. complete the audit and not report the control deficiency because it is not part of the audit scope. c. cease all audit activity until the control deficiency is resolved. d. continue to test the accounting application controls and include the deficiency in the final report.

d. continue to test the accounting application controls and include the deficiency in the final report. It is the responsibility of the IS auditor to report on findings that can have a material impact on the effectiveness of controls—whether or not they are within the scope of the audit.

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: a. most valuable information assets. b. IS audit resources to be deployed. c. auditee personnel to be interviewed. d. control objectives and activities.

d. control objectives and activities. After the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit.

The MOST important element for the effective design of an information security policy is the: a. threat landscape. b. prior security incidents. c. emerging technologies. d. enterprise risk appetite.

d. enterprise risk appetite The risk appetite is the amount of risk on a broad level that an entity is willing to accept in pursuit of its mission to meet its strategic objectives. The purpose of the information security policy is to manage information risk to an acceptable level, so that the policy is principally aligned with the risk appetite.

During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to: a. include a review of the database controls in the scope. b. document for future review. c. work with database administrators to correct the issue. d. report the weaknesses as observed.

d. report the weaknesses as observed. Any weakness noticed should be reported, even if it is outside the scope of the current audit. Weaknesses identified during an application software review need to be reported to management.

An organization's IS audit charter should specify the: a. plans for IS audit engagements. b. objectives and scope of IS audit engagements. c. detailed training plan for the IS audit staff. d. role of the IS audit function.

d. role of the IS audit function. An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee. Think of chartering a boat: you are renting the boat. When you charter an audit, you are asking for audit services; therefore the audit charter explains the services that will be provided.

Substantive testing

Evidence gathering for the purpose of evaluating the integrity of individual transactions, data or other information; it substantiates the integrity of actual processing. It involves review of a substantial number of transactions (a lot), checking the completeness and accuracy of those transactions.

False identification rate

The probability that an authorized person is identified, but is assigned a false ID.

Control Risk

This is the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Control risk can be mitigated by the actions of the organization's management.

Embedded data collection tools

Tools such as the systems control audit review file or the systems audit review file; they are used to provide sampling and production statistics, but not to conduct an audit log analysis.

Detection Risk

The risk that a review will not detect or notice a material issue.

Table lookups

These are preventive controls: input data are checked against predefined tables, which prevents any undefined data from being entered.

Business Risk

This is a probable situation with uncertain frequency and magnitude of loss (or gain). Business risk is usually not directly affected by an IS auditor.
