Certified Information System Auditor
What is the primary requirement that a data mining and auditing software tool should meet? The software tool should:
Accurately capture data from the organization's systems without causing excessive performance problems.
The primary advantage of a continuous audit approach is that it:
Allows the IS auditor to review and follow up on audit issues in a timely manner
An audit charter should:
An audit charter should state management's objectives for and delegation of authority to IS auditors.
Which of the following sampling methods is most useful when testing for compliance?
Attribute sampling
Which of the following sampling methods would be the most effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?
Attribute sampling
An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:
Authentication techniques for sending and receiving messages
Which of the following audit techniques best helps an IS auditor in determining whether there have been unauthorized program changes since the last authorized program update?
Automated code comparison
The internal audit department wrote some scripts that are used for continuous auditing of some information systems. The IT department asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Does sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?
Sharing scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the scripts.
An IS auditor is carrying out a system configuration review. Which of the following is the best evidence in support of the current system configuration settings?
Standard report with configuration values that are retrieved from the system by the IS auditor.
When selecting audit procedures, an IS auditor should use professional judgement to ensure that:
Sufficient evidence will be collected
An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to determine:
That the control is operating as designed.
Which of the following outlines the overall authority to perform an IS audit?
The approved audit charter
An IS auditor should use statistical sampling and not judgement (nonstatistical) sampling when:
The probability of error must be objectively quantified
Which of the following forms of evidence would an IS auditor consider the most reliable?
The results of a test that is performed by an external IS auditor
A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the most significant concern?
The work may be construed as a self-audit
Which of the following is the most important reason why an audit planning process should be reviewed at periodic intervals?
To consider changes to the risk environment
An IS auditor should ensure that the review of online electronic funds transfer reconciliation procedures includes:
Tracing
An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the most suitable for performing that task?
Trend/variance detection tools
Which of the following is the First step in an IT risk assessment for a risk based audit?
Understand the business, its operating model and key processes.
An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the initial step?
Understanding services and their allocations to business processes by reviewing the service repository documentation.
An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to:
Verify the identity of senders and determine if orders correspond to contract terms
In a small organization the functions of release manager and application programmer are performed by the same employee. What is the best compensating control in this scenario?
Verifying that only approved program changes are implemented
When developing a risk based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
Vulnerabilities and threats are identified
The final decision to include a material finding in an audit report should be made by the:
IS auditor
Which of the following situations could impair the independence of an IS auditor? The IS auditor:
Implemented specific functionality during the development of an application
Which of the following would be the greatest concern if audit objectives are not established during the initial phase of an audit program?
Important business risk may be overlooked
When evaluating controls of an electronic data interchange application, an IS auditor should primarily be concerned with the risk of:
Improper transaction authorization
Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The IS auditor should:
Include the findings in the final report, because the IS auditor is responsible for an accurate report of all findings.
Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
Inherent risk
In performing a risk based audit, which risk assessment is completed first by an IS auditor?
Inherent risk assessment
The purpose of a checksum on an amount field in an electronic data interchange communication of financial transactions is to ensure:
Integrity
When developing a risk management program, what is the first activity to be performed?
Inventory of assets
Which of the following represents the greatest potential risk in an electronic data interchange (EDI) environment?
Lack of transaction authorizations
Which of the following is the key benefit of a control self-assessment?
Management ownership of the internal controls supporting business objectives is reinforced.
An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is:
Not an adequate control, because generation of the audit log is not the control; the review of the audit log is the control.
Which audit techniques provide the best evidence of segregation of duties in an IT department?
Observations and interviews
Which of the following responsibilities would most likely compromise the independence of an IS auditor when reviewing the risk management process?
Participating in the design of the risk management framework
An organization uses a bank to process its weekly payroll. Timesheets and payroll adjustment forms (e.g., hourly rate changes and terminations) are completed and delivered to the bank, which prepares the checks and reports for distribution. To best ensure payroll data accuracy:
Payroll reports should be compared to input forms.
Which of the following is the most critical step when planning an IS audit?
Perform a risk assessment
An IS auditor finds a small number of user access requests that were not authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:
Perform an additional analysis
The best method of confirming the accuracy of a system's tax calculations is by:
Preparing simulated transactions for processing and comparing the results to predetermined results.
An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommending a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:
Professional independence
An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive and the results will not be finalized prior to implementation. Which of the following is the best option for the IS auditor?
Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for the follow-up audit testing.
Which of the following is the best factor for determining the required extent of data collection during the planning phase of an IS compliance audit?
Purpose, objective, and scope of the audit
Which of the following should be the first action of an IS auditor during a dispute with a department manager over an audit finding?
Reevaluate the supporting evidence for the finding
Which of the following will most successfully identify overlapping key controls in business application systems?
Replacing manual monitoring with an automated auditing solution
An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
Report the use of the unauthorized software and the need to prevent recurrence.
An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. In this situation the IS auditor should:
Review the system software controls as relevant and recommend a detailed system software review
The approach an IS auditor should use to plan IS audit coverage should be based on:
Risk
An organization's IS audit charter should specify the:
Role of the IS audit function
The primary purpose of an IT forensic audit is:
the systematic collection and analysis of evidence after a system irregularity.
The primary reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to:
understand the business process.
Which of the following is most effective for implementing a control self-assessment within small business units?
Facilitated workshops
A company has recently upgraded its purchasing system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?
Functional acknowledgements, acting as an audit trail for the EDI transactions
The primary purpose for meeting with auditees prior to formally closing a review is to:
Gain agreement on the findings
Which of the following sampling methods is the most appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users?
stratified random sampling
The most effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:
substantive testing
When preparing an audit report, the IS auditor should ensure that the results are supported by:
sufficient appropriate audit evidence
An IS auditor is testing employee access to a large financial system, and the IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the most reliable to support the testing?
A list of accounts with access levels generated by the system
An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the best evidence of the effectiveness of the control?
A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer.
Which of the following would an IS auditor perform first when planning an IS audit?
Gain an understanding of the business objectives and purpose
A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire the individual for this position should be based primarily on the individual's experience and:
Ability, as an IS auditor, to be independent of existing IT relationships
An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should first:
Evaluate the impact of the undocumented devices on the audit scope
In the process of evaluating program change control, an IS auditor uses source code comparison software to:
Examine source program changes without information from IS personnel
Which of the following would an IS auditor most likely focus on when developing a risk-based audit program?
Business processes
After initial investigation, an IS auditor has reason to believe that fraud may be present. The IS auditor should:
Expand activities to determine whether an investigation is warranted
The extent to which data will be collected during an IS audit should be determined based on the:
purpose and scope of the audit being done.
Which of the following would impair the independence of a quality assurance team?
Correcting coding errors during the testing process
An organization performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of disruption. This is an example of a:
Corrective control
An IS auditor receives one day of logs for a remotely managed server and finds one case where logging failed and the backup restarts cannot be confirmed. What should the IS auditor do?
Expand the sample of logs reviewed
An IS auditor finds that the answers received during an interview with a payroll clerk do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:
Expand the scope to include substantive testing
An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:
Communicate the possibility of conflict of interest to audit management prior to starting the assignment
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
Compensating controls
An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of:
Compliance testing
Which of the following would be the most useful for an IS auditor for accessing and analyzing digital data to collect relevant audit evidence from diverse software environments?
Computer assisted audit techniques
During a compliance audit of a small bank, the IS auditor notes that the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by the user's supervisor represents the best compensating control?
Computer log files that show individual transactions
A substantive test to verify that tape library inventory records are accurate is:
Conducting a physical count of the tape inventory
While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
Confidentiality of the work papers
After reviewing the disaster recovery planning process of an organization, an IS auditor requests a meeting with organization management to discuss the findings. Which of the following best describes the main goal of the meeting?
Confirm factual accuracy of the findings
Which of the following best describes the objective of an IS auditor discussing the audit findings with the auditee?
Confirm the findings and propose a course of corrective action
While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The most appropriate action for the IS auditor to take is to:
Continue to test the accounting application controls and include the deficiency in the final report
For a retail business with a large volume of transactions, which of the following audit techniques is the most appropriate for addressing emerging risk?
Continuous auditing
While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The most important concern for an IS auditor is the:
Effectiveness of the QA function because it should interact between project management and user management
The decisions and actions of an IS auditor are most likely to affect which of the following types of risk?
Detection
An IS auditor is developing an audit plan for an environment that includes new systems. The organization's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
Determine the high risk systems and plan accordingly
When testing program changes for a remote system, an IS auditor finds that the number of changes available for sampling does not provide a reasonable level of assurance. What is the most appropriate action for the IS auditor to take?
Develop an alternate testing procedure
To ensure audit resources deliver the best value to the organization, the first step in an audit project is to:
Develop the audit plan based on a detailed risk assessment
The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods will best assist the IS auditor?
Discovery sampling because it is used when IS auditors are trying to determine whether a type of event has occurred. Therefore, it is best to assess the risk of fraud and to identify whether a single occurrence has taken place.
The most appropriate action for the IS auditor to take when shared user accounts are discovered is to:
Document the findings and explain the risk of using shared IDs.
What is the best action for an IS auditor to take when an outsourced monitoring process for remote access is inadequate and management disagrees because intrusion detection system (IDS) and firewall controls are in place?
Document the identified findings in the audit report
During an exit interview, in cases where there is a disagreement regarding the impact of a finding, an IS auditor should:
Elaborate on the significance of the finding and the risk of not correcting it
During the planning stage of an IS audit, the primary goal of an IS auditor is to:
address audit objectives.
In planning an IS audit, the most critical step is the identification of the:
areas of significant risk.
Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
computer assisted audit techniques - these enable auditors to review the entire invoice file to look for those items that meet selection criteria
While planning an IS audit, an assessment of risk should be made to provide:
reasonable assurance that the audit will cover material items.
The most important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:
provide a basis for drawing reasonable conclusions.
After identifying the findings, the IS auditor should first:
gain agreement on the findings.
When performing a risk analysis, the IS auditor should first:
identify the organization's information assets
An IS auditor performing a review of application controls would evaluate the:
impact of any exposures discovered.