
An IT auditor reviewed the transactions log of an audit engagement partner and discovered some suspicious activity, which may be interpreted as potential fraud. However, the auditor was not able to determine the circumstances around the incidents or obtain further evidence. The auditor decided to disclose this information in case there are questions in the audit quality assurance review. In taking this action, the auditor has:
A. violated auditing standards because the auditor should inform the appropriate authorities/management of the suspected fraud.
B. violated laws because unlawful activities should have been reported to the appropriate regulatory agency.
C. not violated auditing standards because the auditor has committed to disclose the facts, when required.
D. not violated auditing standards because there is a lack of evidence as to whether a fraud has been committed or not.

Answer: A. In situations where auditors are not able to obtain sufficient or appropriate audit evidence necessary to achieve the audit objectives, they should disclose the situation to audit management and, if necessary, to those charged with audit governance, as per established procedures. Restrictions or limitations on the scope of the audit and achievement of the audit objectives should also be disclosed in the communication of the audit results. The auditor should also inform the appropriate authorities in the enterprise if the indicators of the fraud are sufficient to recommend an investigation. Thus, the auditor has a duty to act even though the available facts do not prove that an irregularity has occurred. Auditors should disclose all material facts and findings known to them that, if not disclosed, may distort the reporting of activities under review.

The MOST effective audit practice to determine whether controls accurately support the operational effectiveness of transaction processing is:
A. control design testing.
B. substantive testing.
C. inspection of relevant documentation.
D. performing tests on risk prevention.

Answer: B. Among other methods, such as document review or walkthrough, tests of controls are the most effective procedures to assess whether controls accurately support operational effectiveness.

What BEST describes the risk that information collected may contain a material error that may go undetected during information systems (IS) auditing?
A. Inherent risk
B. Audit risk
C. Control risk
D. Detection risk

Answer: B. Audit risk is the probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred.

The decisions and actions of an information systems (IS) auditor are MOST likely to affect which of the following types of risk?
A. Inherent
B. Detection
C. Control
D. Business

Answer: B. Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.

The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud.
B. to enable the systematic collection and analysis of evidence after a system irregularity.
C. to assess the correctness of an organization's financial statements.
D. to preserve evidence of criminal activity.

Answer: B. The systematic collection and analysis of evidence after a system irregularity best describes a forensic audit. The evidence collected can then be analyzed and used in judicial proceedings.

An information systems (IS) auditor is reviewing risk and controls of the wire transfer system of a bank. To ensure that the bank's financial risk is properly addressed, the IS auditor most likely reviews which of the following?
A. Privileged access to the wire transfer system
B. Wire transfer procedures
C. Fraud monitoring controls
D. Employee background checks

Answer: B. Wire transfer procedures include separation of duties controls. This helps prevent internal fraud by not allowing one person to initiate, approve and send a wire. Therefore, the information systems (IS) auditor should review the procedures as they relate to the wire system.

Which of the following is MOST important for an information systems (IS) auditor to understand when auditing an ecommerce environment?
A. The technology architecture of the ecommerce environment
B. The policies, procedures and practices forming the control environment
C. The nature and criticality of the business processes supported by the application
D. Continuous monitoring of control measures for system availability and reliability

Answer: C. The ecommerce application enables the execution of business transactions. Therefore, it is important to understand the nature and criticality of the business processes supported by the ecommerce application to identify specific controls to review.

In a small organization, the functions of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?
A. Hiring additional staff to provide separation of duties
B. Preventing the release manager from making program modifications
C. Logging of changes to development libraries
D. Verifying that only approved program changes are implemented

Compensating controls are used to mitigate risk when proper controls are not feasible or practical. In a small organization, it may not be feasible to hire new staff, which is why a compensating control may be necessary. Verifying program changes has roughly the same effect as intended by full separation of duties.

How would data analytics BEST help in information systems (IS) auditing?
A. Ensuring that the information systems (IS) auditing process is completed on time and accurately
B. Automating the auditing process and examining a large quantity of data
C. Improving auditing quality and decreasing human intervention
D. Detecting potential issues with the IS controls of an organization

Answer: D. IS auditing, being a risk-based process, should be able to detect the potential issues within IS controls and conclude whether those controls are well-designed and effective.

An information systems (IS) auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:
A. lower confidence coefficient, resulting in a smaller sample size.
B. higher confidence coefficient, resulting in a smaller sample size.
C. higher confidence coefficient, resulting in a larger sample size.
D. lower confidence coefficient, resulting in a larger sample size.

When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size.

In the process of evaluating program change controls, an information systems (IS) auditor uses source code comparison software to:

Answer: A. When an information systems (IS) auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison identifies the changes.

A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee?
A. Approving IT project plans and budgets
B. Aligning IT to business objectives
C. Advising on IT compliance risk
D. Promoting IT governance practices

Answer: A. An IT steering committee typically has a variety of responsibilities, including approving IT project plans and budgets. Issues related to business objectives, risk and governance are responsibilities that are generally assigned to an IT strategy committee because it provides insight and advice to the board.

After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following is the GREATEST risk?
A. Project management and progress reporting are combined in a project management office that is driven by external consultants.
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other organization's legacy systems.
D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

Answer: B. The efforts should be consolidated to ensure alignment with the overall strategy of the post-merger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house-developed legacy applications.

Which of the following is the PRIMARY critical success factor of a control self-assessment (CSA) program?
A. Assigning a knowledgeable and experienced information systems (IS) auditor as a facilitator for the CSA program
B. Conducting a meeting with the business unit representatives, including relevant staff and management
C. Developing the measures of success for each CSA phase (planning, implementation and monitoring)
D. Identifying the actions needed to increase the likelihood of achieving the business unit's objective

Answer: B. The meeting with the business unit representatives at the beginning of the process is crucial to identify the business unit's primary objective to determine the reliability of the internal control system afterward.

Which of the following is in the BEST position to approve changes to the audit charter?
A. Board of directors
B. Audit committee
C. Executive management
D. Director of internal audit

Answer: B. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee, and the audit charter should be approved by the committee. Executive management is not required to approve the audit charter and will not have the independence to approve the charter. The audit committee is in the best position to approve the charter because it is an independent and senior group. Although the director of internal audit may draft the charter and make changes, the audit committee should have the final approval of the charter.

An information systems (IS) auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is:
A. an effective preventive control.
B. a valid detective control.
C. not an adequate control.
D. a corrective control.

Answer: C. Generation of an activity log is not a control by itself. It is the review of such a log that makes the activity a control (i.e., generation plus review equals control).

Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users?
A. Variable sampling
B. Judgmental sampling
C. Stratified random sampling
D. Systematic sampling

Answer: C. Stratification is the process of dividing a population into subpopulations with similar characteristics explicitly defined, so that each sampling unit can belong to only one stratum. This method of sampling ensures that all sampling units in each subgroup have a known, nonzero chance of selection. It is the most appropriate method in this case.

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to:
A. acknowledge receipt of electronic orders with a confirmation message.
B. perform reasonableness checks on quantities ordered before filling orders.
C. verify the identity of senders and determine if orders correspond to contract terms.
D. encrypt electronic orders.

Answer: C. An electronic data interchange system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.

An information systems (IS) auditor performing an audit of the risk assessment process should FIRST confirm that:
A. reasonable threats to information assets are identified.
B. technical and organizational vulnerabilities have been analyzed.
C. assets have been identified and ranked.
D. the effects of potential security breaches have been evaluated.

Answer: C. Identification and ranking of information assets (e.g., data criticality, sensitivity, locations of assets) sets the tone or scope of how to assess risk in relation to the organizational value of the asset.

An external information systems (IS) auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:
A. remove the IS auditor from the engagement.
B. cancel the engagement.
C. disclose the issue to the client.
D. take steps to restore the IS auditor's independence.

Answer: C. In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report.

An information systems (IS) auditor is reviewing a project risk assessment and notices that the overall residual risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of unauthorized users the project may affect?

Answer: C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without considering the actions that management has taken or might take.

Which of the following should an information systems (IS) auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?
A. Define a balanced scorecard (BSC) for measuring performance.
B. Consider user satisfaction in the key performance indicators (KPIs).
C. Select projects according to business benefits and risk.
D. Modify the yearly process of defining the project portfolio.

Answer: C. Prioritization of projects on the basis of their expected benefit(s) to business, and the related risk, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities.

The development, implementation and integration of capability and maturity modeling quality tools, techniques and processes will MAINLY facilitate and foster the quality of:
A. enterprise IT strategies and policies.
B. enterprise IT processes and procedures.
C. enterprise IT governance.
D. enterprise IT standards and frameworks.

Answer: C. Quality management strategies and policies embedded into IT governance outline how the IT strategies, policies, processes, procedures and standards are maintained, used and improved over time as the enterprise changes.

Which of the following BEST describes the focus of an information systems (IS) auditor when auditing the enterprise architecture (EA)? The IS auditor should:
A. follow the overall EA and use the EA as the main source of information.
B. use the EA organizational requirements as the audit criteria to assess the conformity of the EA against those requirements.
C. ensure that the information systems are in line with the EA and meet the enterprise's objectives.
D. review the EA documentation to assess whether the EA conforms with the enterprise's requirements.

Answer: C. The aim of conducting an audit on the EA is to know whether information systems are in line with the EA and meet the enterprise's objectives.

Which of the following is an implementation risk within the process of decision support systems (DSSs)?
A. Management control
B. Semi-structured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processes

Answer: C. The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS.

An information systems (IS) auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?
A. An audit clause is present in all contracts.
B. The service level agreement (SLA) of each contract is substantiated by appropriate key performance indicators (KPIs).
C. The contractual warranties of the providers support the business needs of the organization.
D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

Answer: C. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business.

Effective IT governance requires organizational structures and processes to ensure that:
A. risk is maintained at a level acceptable for IT management.
B. the business strategy is derived from an IT strategy.
C. IT governance is separate and distinct from overall governance.
D. the IT strategy extends the organization's strategies and objectives.

Answer: D. Effective IT governance requires that the board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives, and that the IT strategy is aligned with the business strategy.

An information systems (IS) auditor reviews one day of logs for a remotely managed server and finds one case where logging failed, and the backup restarts cannot be confirmed. What should the IS auditor do?
A. Issue an audit finding.
B. Seek an explanation from IS management.
C. Review the classifications of data held on the server.
D. Expand the sample of logs reviewed.

Answer: D. IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure.

An organization is considering making a major investment to upgrade technology. Which of the following choices is the MOST important to consider?
A. A cost analysis
B. The security risk of the current technology
C. Compatibility with existing systems
D. A risk analysis

Answer: D. Prior to implementing new technology, an organization should perform a risk assessment, which is then presented to business unit management for review and acceptance.

Which of the following BEST describes the function of control self-assessment?
A. Quality control
B. Quality assessment
C. Quality planning
D. Quality assurance (QA)

Answer: D. Quality assurance (QA) is often achieved by the information systems (IS) auditor serving as a consultant, advising and facilitating business areas to participate in process improvement and control. One such approach is through the process of control self-assessment.

An information systems (IS) auditor is verifying IT policies and finds that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?
A. Ignore the absence of management approval because employees follow the policies.
B. Recommend immediate management approval of the policies.
C. Emphasize the importance of approval to management.
D. Report the absence of documented approval.

Answer: D. The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee was terminated as a result of violating an organizational policy, and it was discovered that the policies had not been approved, the organization may face a lawsuit.

An information systems (IS) audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning (ERP) system. Due to ERP performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be?
A. Review the implementation of selected integrated controls.
B. Request additional information systems (IS) audit resources.
C. Request vendor technical support to resolve performance issues.
D. Review the results of stress tests during user acceptance testing.

Answer: D. The appropriate recommendation is to review the results of stress tests conducted during user acceptance testing that demonstrated the performance issues.

The PRIMARY goal of using maturity models in information systems (IS) is to:
A. measure the current maturity levels of a certain aspect of an IS organization in a meaningful way.
B. prioritize what the organization should do to reach higher maturity levels.
C. help gain senior management understanding, commitment and support for IS.
D. enable stakeholders to clearly identify strengths and areas of improvement.

Answer: D. The main purpose of using maturity models is to enable stakeholders to clearly identify strengths and areas of improvement in IS after assessing the current maturity levels and to prioritize the improvement initiatives before gaining senior management support.

An information systems (IS) auditor conducting a review of disaster recovery planning at a financial processing organization discovers that the existing disaster recovery plan (DRP) was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department. The DRP was presented to the deputy CEO for approval and formal issue, but it is still awaiting attention. The DRP has never been updated, tested or circulated to key management and staff, although interviews show that each would know what action to take for its area if a disruptive incident occurred. The IS auditor's report should recommend that:
A. the deputy CEO is censured for failure to approve the plan.
B. a group of senior managers is set up to review the existing plan.
C. the existing plan is approved and circulated to all key management and staff.
D. a manager coordinates the creation of a new or revised plan within a defined time limit.

Answer: D. The primary concern is to establish a workable DRP that reflects current processing volumes to protect the organization from any disruptive incident.

Which of the following is the PRIMARY objective of an IT performance measurement process?
A. Minimize errors
B. Gather performance data
C. Establish performance baselines
D. Optimize performance

Answer: D. [...] of the process. An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability, and make budget decisions.

An internal information systems (IS) audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
A. Developing an audit program
B. Defining the audit scope
C. Identifying key information owners
D. Developing a risk assessment

Answer: D. A risk assessment should be performed to determine how internal audit resources should be allocated to ensure that all material items will be addressed.

When reviewing an organization's strategic IT plan, an information systems (IS) auditor should expect to find:
A. an assessment of the fit of the organization's application portfolio with business objectives.
B. actions to reduce hardware procurement cost.
C. a listing of approved suppliers of IT contract resources.
D. a description of the technical architecture for the organization's network perimeter security.

Answer: A. An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This assessment drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization's business objectives.

After initial investigation, an information systems (IS) auditor has reasons to believe that fraud may be present. The IS auditor should:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C. report the possibility of fraud to management.
D. consult with external legal counsel to determine the course of action to be taken.

Answer: A. An information systems (IS) auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and approval for the implementation and maintenance of a security policy
C. Enforcement of security rules by providing punitive actions for any violation of security rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

Answer: A. Assimilation of the framework and intent of a written security policy by all levels of management and users of the system is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective.

An information systems (IS) auditor is performing a review of an organization's governance model. Which of the following should be of MOST concern to the auditor?
A. The information security policy is not periodically reviewed by senior management.
B. A policy ensuring systems are patched in a timely manner does not exist.
C. The audit committee did not review the organization's mission statement.
D. An organizational policy related to information asset protection does not exist.

Answer: A. Data security policies should be reviewed/refreshed once every year to reflect changes in the organization's environment. Policies are fundamental to the organization's governance structure, and, therefore, this is the greatest concern.

What is the PRIMARY reason for an information systems (IS) auditor to exercise due professional care?
A. To get reasonable assurance that IS controls are well-designed and effective
B. To eliminate inherent, control and detection risk associated with IS audit
C. To detect errors, misstatements or fraudulent transactions in IS and report them
D. To make sure that evidence collected during the IS audit is appropriate and sufficient

Answer: A. Exercising due professional care helps the information systems (IS) auditor to get reasonable, but not absolute, assurance that audit risk is reduced and that the evidence collected about the design and effectiveness of IS controls is appropriate and sufficient.

While conducting an audit of a service provider, an information systems (IS) auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor's PRIMARY concern should be that the:
A. requirement for securely protecting information can be compromised.
B. contract may be terminated because prior permission from the outsourcer was not obtained.
C. other service provider to whom work has been outsourced is not subject to audit.
D. outsourcer will approach the other service provider directly for further work.

Answer: A. Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. When a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised.

A driver of IT governance, transparency of IT cost, value and risk is primarily achieved through:
A. performance measurement.
B. strategic alignment.
C. value delivery.
D. resource management.

Answer: A. Performance measurement includes setting and monitoring measurable objectives that the IT processes need to achieve to deliver (process outcome), and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

Which of the following does an information systems (IS) auditor consider the MOST relevant to short-term planning for an IT department?
A. Allocating resources
B. Adapting to changing technologies
C. Conducting control self-assessments (CSAs)
D. Evaluating hardware needs

Answer: A. The IT department should specifically consider the way resources are allocated in the short term. The information systems (IS) auditor ensures that the resources are being managed adequately.

Which of the following is a KEY benefit of a control self-assessment (CSA)?
A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved because internal business staff are engaged in testing controls.
D. Internal auditors can shift to a consultative approach by using the results of the assessment.

Answer: A. The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance.

The ultimate purpose of IT governance is to:
A. encourage optimal use of IT.
B. reduce IT costs.
C. decentralize IT resources across the organization.
D. centralize control of IT.

Answer: A. The purpose of IT governance is to direct the IT endeavors to ensure that IT performance meets the objectives of aligning IT with the enterprise's objectives and the realization of promised benefits. Thus, generating business value and mitigating the risks associated with IT results in the optimal use of IT.

An information systems (IS) auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step?
A. Understanding services and their allocation to business processes by reviewing the service repository documentation
B. Sampling the use of service security standards as represented by the Security Assertions Markup Language (SAML)
C. Reviewing the service level agreements established for all system providers
D. Auditing the core service and its dependencies on other systems

Answer: A. A service-oriented architecture relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the information systems (IS) auditor to comprehend the mapping of business processes to services.

When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied?
A. Transfer
B. Mitigation
C. Avoidance
D. Acceptance

Answer: B. A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan (DRP), it is a risk mitigation strategy.

An information systems (IS) auditor performing a review of application controls evaluates the:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D. application optimization.

Answer: B. An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses.

Which of the following is the BEST enabler for strategic alignment between business and IT?
A. Maturity model
B. Goals and metrics
C. Control objectives
D. Responsible, accountable, consulted, informed (RACI) chart

Answer: B. Goals and metrics ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment.