CISA: Domain #1, Part A: Planning
The MAIN purpose of the annual IS audit plan is to:
Allocate resources for audits.
Which of the following is in the BEST position to approve changes to the audit charter?
Audit Committee. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee.
Which of the following would be expected to approve the audit charter?
Audit committee
An IS auditor performing an audit of the risk assessment process should FIRST confirm that:
assets have been identified and ranked. This sets the tone or scope of how to assess risk in relation to the organizational value of the asset.
An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:
authentication techniques for sending and receiving messages. They play a key role in minimizing exposure to unauthorized transactions.
Due to unexpected resource constraints of the IS audit team, the audit plan, as originally approved, cannot be completed. Assuming the situation is communicated in the audit report, which course of action is MOST acceptable?
Focus on auditing high-risk areas.
A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?
Functional acknowledgements. Acting as an audit trail for electronic data interchange transactions, functional acknowledgments are one of the main controls used in data mapping.
The final decision to include a material finding in an audit report should be made by the:
IS auditor.
What is the most critical step in planning the IS Audit?
Identify areas of highest risk and determine the areas to be audited.
How might the IS Auditor's independence be impaired?
If the IS auditor has been or is actively involved in the development, acquisition, and implementation of the application system.
Which of the following represents an example of a preventive control with respect to IT personnel?
Implementation of a badge entry system for the IT facility.
Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program?
Important business risk may be overlooked. Without an audit scope, the appropriate risk assessment has not been performed, and therefore, the auditor might not audit those areas of highest risk for the organization.
An IS auditor is reviewing a project risk assessment and notices that the overall residual risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of unauthorized users the project may affect?
Inherent risk
When developing a risk management program, what is the FIRST activity to be performed?
Inventory of assets. Identification of the assets to be protected is the first step in the development of a risk management program.
What is the MAJOR benefit of conducting a control self-assessment over a traditional audit?
It detects risk sooner.
Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment?
Lack of transaction authorizations. Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, lack of transaction authorization is the greatest risk.
Which of the following is the key benefit of a control self-assessment?
Management ownership of the internal controls supporting business objectives is reinforced. The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance.
Which of the following is the PRIMARY requirement for reporting IS audit results? The report is:
backed by sufficient and appropriate audit evidence.
While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
confidentiality of the work papers. Encryption provides confidentiality for the electronic work papers.
While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:
continue to test the accounting application controls and include the deficiency in the final report. It is the responsibility of the IS auditor to report on findings that can have a material impact on the effectiveness of controls—whether or not they are within the scope of the audit.
An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:
control objectives and activities.
A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:
corrective control. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions when they are detected. This provides a mechanism to detect when malicious events have happened and correct the situation.
Which of the following is the PRIMARY purpose of a risk-based audit?
Material areas are addressed first.
Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?
Participating in the design of the risk management framework
Which of the following is the MOST critical step when planning an IS audit?
Perform a risk assessment.
A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions more than a certain amount. What type of audit control is this?
Preventive
Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience?
Professional standards. Professional standards from ISACA, The Institute of Internal Auditors and the International Federation of Accountants require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.
The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?
Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.
An Audit Charter should state what?
Management's objectives for, and delegation of authority to, IS auditors. It does not go into detail.
Which of the following is evaluated as a preventive control by an IS auditor performing an audit?
Table lookups. Input data are checked against predefined tables, which prevents undefined data from being entered.
Which of the following is MOST important for an IS auditor to understand when auditing an e-commerce environment?
The e-commerce application enables the execution of business transactions. Therefore, it is important to understand the nature and criticality of the business process supported by the e-commerce application to identify specific controls to review. You have to understand this first before you can understand the architecture in relation to the business transactions.
When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?
The point at which controls are exercised as data flow through the system. An IS auditor should focus on when controls are exercised as data flow through a computer system.
The extent to which data will be collected during an IS audit should be determined based on what?
The scope and purpose of the audit.
Audit Steering Committee
The steering committee would most likely be composed of various members of senior management whose purpose is to work under the framework of the audit charter and would not approve the charter itself.
A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern?
The work may be construed as a self-audit. Because the employee had been a developer, it is recommended that the audit coverage should exclude the systems developed by this employee to avoid any conflicts of interests.
Which of the following is the MAIN reason to perform a risk assessment in the planning phase of an IS audit?
To provide reasonable assurance material items will be addressed.
Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?
Understand the business, its operating model and key processes.
An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step?
Understanding services and their allocation to business processes by reviewing the service repository documentation. A service-oriented architecture relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services.
In a small organization, the function of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?
Verifying that only approved program changes are implemented. This has roughly the same effect as segregation of duties.
To ensure that audit resources deliver the best value to the organization, the FIRST step in an audit project is to:
develop the audit plan on the basis of a detailed risk assessment. Although monitoring the time and audit programs, and adequate training improve the IS audit staff's productivity (efficiency and performance), ensuring that the resources and efforts being dedicated to audit are focused on higher-risk areas delivers value to the organization.
An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:
disclose the issue to the client.
While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:
effectiveness of the QA function because it should interact between project management and user management. To be effective, the quality assurance (QA) function should be independent of project management. If it is not, project management may put pressure on the QA function to approve an inadequate product.
During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
elaborate on the significance of the finding and the risk of not correcting it. If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures because the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee lessens effective communications and sets up an adversarial relationship, but an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.
An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:
evaluate the impact of the undocumented devices on the audit scope.
An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that:
fraud can be detected more quickly. Errors will be detected as well, but detection does not equal correction.
The PRIMARY objective of the audit initiation meeting with an IS audit client is to:
help define and discuss the scope of the audit.
During IS audit planning, an assessment of risk is made to provide what?
Help with the prioritization and scheduling process.
During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should:
identify and evaluate existing practices. One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach is to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management, with recommendations to document the current controls or enforce the documented procedures.
During a risk analysis, an IS auditor identifies threats and potential impacts. Next, the IS auditor should:
identify and evaluate the existing controls. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.
When performing a risk analysis, the IS auditor should FIRST:
identify the organization's information assets. The first step of the risk assessment process is to identify the systems and processes that support the business objectives because risk to those processes impacts the achievement of business goals.
An IS auditor performing a review of application controls would evaluate the:
impact of any exposures discovered. An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses.
When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:
improper transaction authorization. Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Because the interaction with the parties is electronic, there is no inherent authentication. Improper authentication poses a serious risk of financial loss.
The purpose of a checksum on an amount field in an electronic data interchange communication of financial transactions is to ensure:
integrity. A checksum calculated on an amount field and included in the electronic data interchange communication can be used to identify unauthorized modifications.
The success of control self-assessment depends highly on:
line managers assuming a portion of the responsibility for control monitoring. The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.
An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is:
not an adequate control. Generation of an activity log is not a control by itself. It is the review of such a log that makes the activity a control (i.e., generation plus review equals control).
The PRIMARY purpose of the IS audit charter is to:
outline the responsibility and authority of the IS audit function.
An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks and reports for distribution. To BEST ensure payroll data accuracy:
payroll reports should be compared to input forms. The best way to confirm data accuracy, when input is provided by the organization and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports.
An IS auditor reviewing the process of log monitoring wants to evaluate the organization's manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
Walk-through. These procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.
An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommending a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:
professional independence.
The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:
provide a basis for drawing reasonable conclusions.
An organization's IS audit charter should specify the:
role of the IS audit function.
The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:
substantive testing.
The PRIMARY purpose of an IT forensic audit is:
the systematic collection and analysis of evidence after a system irregularity.
An IS auditor should ensure that review of online electronic funds transfer reconciliation procedures should include:
tracing. This is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In electronic funds transfer transactions, the direction on tracing may start from the customer-printed copy of the receipt, proceed to checking the system audit trails and logs, and end with checking the master file records for daily transactions.
The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to:
understand the business process.
An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to:
verify the identity of senders and determine if orders correspond to contract terms. An electronic data interchange system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.
When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
vulnerabilities and threats are identified. While developing a risk-based audit strategy, it is critical that the risk and vulnerabilities are understood. They determine the areas to be audited and the extent of coverage.
An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following?
Wire transfer procedures. Wire transfer procedures include segregation of duties controls. This helps prevent internal fraud by not allowing one person to initiate, approve and send a wire. Therefore, the IS auditor should review the procedures as they relate to the wire system.
What is a Directive Control?
A manual control that typically consists of a policy or procedure that specifies what actions are to be performed. In this case, there is an automated control that prevents an event from occurring.
What is a Check Digit?
A numeric value that has been calculated mathematically and is added to data to ensure that the original data have not been altered or that an incorrect, but valid, match has occurred. The check digit control is effective in detecting transposition and transcription errors.
A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and:
ability, as an IS auditor, to be independent of existing IT relationships. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.
During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
address audit objectives. ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in the other options are all undertaken to address audit objectives and, thus, are secondary.
Which of the following does a lack of adequate controls represent?
A vulnerability
Which of the following is an attribute of the control self-assessment approach?
Broad stakeholder involvement
What is a primary benefit for an organization employing Control Self-Assessment techniques?
It can identify high-risk areas that might need a detailed review later or that need immediate attention.
As part of audit planning, an IS auditor is designing various data validation tests to effectively detect transposition and transcription errors. Which of the following will BEST help in detecting these errors?
Check digit
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
Compensating controls. These are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.
During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by the user's supervisor would represent the BEST compensating control?
Computer log files that show individual transactions. Computer logs record the activities of individuals during their access to a computer system or data file and record any abnormal activities, such as the modification or deletion of financial data.
For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?
Continuous auditing. It enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.
Which of the following is MOST important to ensure that effective application controls are maintained?
Control self-assessment
Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?
Define the audit universe. In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. To plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix.
Which of the following is MOST likely to be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation?
Designing the cybersecurity controls
An IS auditor is developing an audit plan for an environment that includes new systems. The organization's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
Determine the highest-risk systems and plan accordingly.
An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
Development of a risk assessment