CISA Domain 1
Preventative.
A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions above a certain amount. What type of audit control is this?
ability, as an IS auditor, to be independent of existing IT relationships. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.
A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and: A. length of service, because this will help ensure technical competence. B. age, because training in audit techniques may be impractical. C. IT knowledge, because this will bring enhanced credibility to the audit function. D. ability, as an IS auditor, to be independent of existing IT relationships.
It can identify high-risk areas that might need a detailed review later. Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review at a later date.
A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it: A. can identify high-risk areas that might need a detailed review later. B. allows IS auditors to independently assess risk. C. can be used as a replacement for traditional audits. D. allows management to relinquish responsibility for control.
apply a qualitative approach. The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).
A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:
Expand activities to determine whether an investigation is warranted. An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.
After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should: A. expand activities to determine whether an investigation is warranted. B. report the matter to the audit committee. C. report the possibility of fraud to management. D. consult with external legal counsel to determine the course of action to be taken.
Confirming factual accuracy of the findings. The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action.
After reviewing the disaster recovery planning (DRP) process of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting? A. Obtaining management approval of the corrective action plan B. Confirming factual accuracy of the findings C. Assisting management in the implementation of corrective actions D. Prioritizing the resolution of the items
evaluate the impact of the undocumented devices on the audit scope. In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated—for example, the network layer, cross connections, etc.
An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST: A. expand the scope of the IS audit to include the devices that are not on the network diagram. B. evaluate the impact of the undocumented devices on the audit scope. C. note a control deficiency because the network diagram has not been approved. D. plan follow-up audits of the undocumented devices.
assure that the integrity of the evidence is maintained. The IS auditor has been requested to perform an investigation to capture evidence which may be used for legal purposes, and therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law.
An IS auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of an IS auditor while evaluating the transaction should be to: A. maintain impartiality while evaluating the transaction. B. ensure that the independence of an IS auditor is maintained. C. assure that the integrity of the evidence is maintained. D. assess all relevant evidence for the transaction.
C) There were instances when some jobs were overridden by computer operators. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs.
An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor? A) There is a growing number of emergency changes. B) There were instances when some jobs were not completed on time. C) There were instances when some jobs were overridden by computer operators. D) Evidence shows that only scheduled jobs were run.
control objectives and activities. Once the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit.
An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: A. most valuable information assets. B. IS audit resources to be deployed. C. auditee personnel to be interviewed. D. control objectives and activities.
expand the scope to include substantive testing. If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests.
An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should: A. conclude that the controls are inadequate. B. expand the scope to include substantive testing. C. place greater reliance on previous audits. D. suspend the audit.
Standard report with configuration values retrieved from the system by the IS auditor. Evidence obtained directly from the source by an IS auditor is more reliable than information provided by a system administrator or a business owner because the IS auditor does not have a vested interest in the outcome of the audit.
An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings? A. System configuration values imported to a spreadsheet by the system administrator B. Standard report with configuration values retrieved from the system by the IS auditor C. Dated screenshot of the system configuration settings made available by the system administrator D. Annual review of approved system configuration values by the business owner
Substantive testing. Substantive testing obtains audit evidence on the completeness, accuracy, or existence of activities or transactions during the audit period.
An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of: A. substantive testing. B. compliance testing. C. analytical testing. D. control testing.
that the control is operating as designed. Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the objective of a compliance test is important. IS auditors want reasonable assurance that the controls they are relying on are effective. An effective control is one that meets management expectations and objectives.
An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to determine: A. that the control is operating efficiently. B. that the control is operating as designed. C. the integrity of data controls. D. the reasonableness of financial reporting controls.
C) Report the use of the unauthorized software and the need to prevent recurrence. The use of unauthorized or illegal software should be prohibited by the organization. An IS auditor must convince the user and management of the risk and the need to eliminate the risk.
An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take? A) Delete all copies of the unauthorized software. B) Recommend an audit process to monitor for compliance with software licensing. C) Report the use of the unauthorized software and the need to prevent recurrence. D) Warn the end users about the risk of using illegal software.
Determine the highest-risk systems and plan accordingly. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."
An IS auditor is developing an audit plan for an environment that includes new systems. The company's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond? A. Audit the new systems as requested by management. B. Audit systems not included in last year's scope. C. Determine the highest-risk systems and plan accordingly. D. Audit both the systems not in last year's scope and the new systems.
Compliance testing. Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.
An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. What is this an example of?
A) Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management could then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.
An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor? A) Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing. B) Publish a report omitting the areas where the evidence obtained from testing was inconclusive. C) Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained. D) Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.
A sample system-generated exceptions report for the review period, with follow-up action items noted by the reviewer. A sample of a system-generated report with evidence that the reviewer followed up on the exceptions represents the best possible evidence of the effective operation of the control, because there is documented evidence that the reviewer has reviewed and taken action based on the exception report.
An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the best evidence of the effectiveness of the control? 1- Walkthrough with the reviewer of the operation of the control 2- System-generated exception report for the review period with the reviewer's sign-off 3- A sample system-generated exceptions report for the review period, with follow-up action items noted by the reviewer 4- Management's confirmation of the effectiveness of the control for the review period.
D) Report the absence of documented approval. The IS auditor must report the findings. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technically may prevent management from enforcing the policies in some cases, and may present legal issues.
An IS auditor is verifying that some of the policies have not been approved by management (as required by policy), but employees strictly follow the policies. What should the IS auditor do first? A) Ignore the absence of management approval because employees follow the policies. B) Recommend immediate management approval of the policies. C) Emphasize the importance of approval to management. D) Report the absence of documented approval.
The local area network (LAN) switches are not connected to uninterruptible power supply (UPS) units. Voice-over Internet Protocol (VoIP) telephone systems use standard network cabling and typically each telephone gets power over the network cable (power over Ethernet [POE]) from the wiring closet where the network switch is installed. If the local area network (LAN) switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls.
An IS auditor performing an audit of the newly installed Voice-over Internet Protocol (VoIP) system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern? A. The local area network (LAN) switches are not connected to uninterruptible power supply (UPS) units. B. Network cabling is disorganized and not properly labeled. C. The telephones are using the same cable used for LAN connections. D. The wiring closet also contains power lines and breaker panels.
Assets have been identified and ranked. Identification and ranking of information assets (e.g., data criticality, sensitivity, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset.
An IS auditor performing an audit of the risk assessment process should FIRST confirm that: A. reasonable threats to the information assets are identified. B. technical and organizational vulnerabilities have been analyzed. C. assets have been identified and ranked. D. the effects of potential security breaches have been evaluated.
Walk-through. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and re-performance of controls. A walk-through of the manual log review process follows the process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.
An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor most likely employ to fulfill this purpose? A. Inspection B. Inquiry C. Walk-through D. Re-performance
Expand the sample of logs reviewed. IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure.
An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed and the backup restarts cannot be confirmed. What should the IS auditor do?
Report the incident to management. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit.
An IS auditor suspects an incident is occurring while an audit is being performed on a financial system. What should the IS auditor do first? A. Request that the system be shut down to preserve evidence. B. Report the incident to management. C. Ask for the immediate suspension of suspect accounts. D. Investigate the source and nature of the incident.
Attribute. Attribute sampling is used to test compliance of transactions to controls—in this instance, the existence of appropriate approval.
An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions? A. Attribute B. Variable C. Stop-or-go D. Judgment
outline the overall authority, scope and responsibilities of the audit function.
An audit charter should: A. be dynamic and change to coincide with the changing nature of technology and the audit profession. B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls. C. document the audit procedures designed to achieve the planned audit objectives. D. outline the overall authority, scope and responsibilities of the audit function.
disclose the issue to the client. In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report.
An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should: A. remove the IS auditor from the engagement. B. cancel the engagement. C. disclose the issue to the client. D. take steps to restore the IS auditor's independence.
Professional independence.
An external IS auditor issues an audit report pointing out the lack of firewall protection at the perimeter network gateway and recommends a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:
Role of the IS audit function. An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.
An organization's IS audit charter should specify the:
substantive testing. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base document. In this case, comparison is made between accounts payable data and the vendor invoices.
Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as: A. substantive testing. B. compliance testing. C. qualitative analysis. D. judgment sampling.
include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings. Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.
Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should: A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings. B. not include the finding in the final report because management resolved the item. C. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit. D. include the finding in the closing meeting for discussion purposes only.
Graphically summarize data paths and storage. They trace data from their origination to destination, highlighting the paths and storage of data.
Data flow diagrams are used by IS auditors to:
Focus on high-risk areas. Reducing the scope and focusing on auditing high-risk areas is the best course of action.
Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is most acceptable? A. Test the adequacy of the control design. B. Test the operational effectiveness of the controls. C. Focus on auditing high-risk areas. D. Rely on management testing of controls.
Computer log files that show individual transactions. Computer logs will record the activities of individuals during their access to a computer system or data file and will record any abnormal activities, such as the modification or deletion of financial data.
During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by the user's supervisor would represent the BEST compensating control? A. Audit trails that show the date and time of the transaction B. A daily report with the total numbers and dollar amounts of each transaction C. User account administration D. Computer log files that show individual transactions
Discuss it with the IT managers. Discussing the implementation of segregation of duties with the IT managers is the best way to determine how responsibilities are assigned within the department.
During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department? A. Discuss it with the IT managers. B. Review the job descriptions of the IT functions. C. Research past IS audit reports. D. Evaluate the organizational structure.
Report the identified condition. The software quality assurance role should be independent of and separate from development activities. The same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor should report this condition when identified.
During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do? A. Recommend compensating controls. B. Review the code created by the developer. C. Analyze the quality assurance dashboards. D. Report the identified condition.
Rebooting the system. Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory.
During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system? A. Dumping the memory content to a file B. Generating disk images of the compromised system C. Rebooting the system D. Removing the system from the network
report the weaknesses as observed. Any weakness noticed should be reported, even if it is outside the scope of the current audit. Weaknesses identified during the course of an application software review need to be reported to management.
During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to: A. include a review of the database controls in the scope. B. document for future review. C. work with database administrators to correct the issue. D. report the weaknesses as observed.
Address audit objectives. ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives.
During the planning stage of an IS audit, the primary goal of an IS auditor is to:
communicate the possibility of conflict of interest to audit management prior to starting the assignment. A possible conflict of interest, likely to affect the IS auditor's independence, should be brought to the attention of management prior to starting the assignment.
An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should: A. decline the assignment. B. inform management of the possible conflict of interest after completing the audit assignment. C. inform the BCP team of the possible conflict of interest prior to beginning the assignment. D. communicate the possibility of conflict of interest to audit management prior to starting the assignment.
identify and evaluate the existing controls. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.
In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should: A. ensure the risk assessment is aligned to management's risk assessment process. B. identify information assets and the underlying systems. C. disclose the threats and impacts to management. D. identify and evaluate the existing controls.
examine source program changes without information from IS personnel. When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify the changes.
In the process of evaluating program change controls, an IS auditor would use source code comparison software to:
Transferring risk.
Sharing risk is a key factor in which of the following methods of managing risk? A. Transferring risk B. Tolerating risk C. Terminating risk D. Treating risk
Preparing simulated transactions for processing and comparing the results to predetermined results. Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation.
The BEST method of confirming the accuracy of a system tax calculation is by: A. review and analysis of the source code of the calculation programs. B. recreating program logic using generalized audit software to calculate monthly totals. C. preparing simulated transactions for processing and comparing the results to predetermined results. D. automatic flowcharting and analysis of the source code of the calculation programs.
document the finding and explain the risk of using shared IDs. An IS auditor's role is to detect and document findings and control deficiencies. Part of the audit report is to explain the reasoning behind the findings. The use of shared IDs is not recommended because it does not allow for accountability of transactions. An IS auditor would defer to management to decide how to respond to the findings presented.
The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to: A. inform the audit committee of the potential issue. B. review audit logs for the IDs in question. C. document the finding and explain the risk of using shared IDs. D. request that the IDs be removed from the system.
discuss the scope of the audit. The primary objective of the initiation meeting with an audit client is to help define the scope of the audit.
The PRIMARY objective of the audit initiation meeting with an IS audit client is to: A. discuss the scope of the audit. B. identify resource requirements of the audit. C. select the methodology of the audit. D. review requested evidence provided by the audit client.
gain agreement on the findings. The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings and responses from management.
The PRIMARY purpose for meeting with auditees prior to formally closing a review is to: A. confirm that the auditors did not overlook any important issues. B. gain agreement on the findings. C. receive feedback on the adequacy of the audit procedures. D. test the structure of the final presentation.
Detection. Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.
The decisions and actions of an IS auditor are most likely to affect which of the following types of risk? 1) Inherent 2) Detection 3) Control 4) Business
The IS auditor.
The final decision to include a material finding in an audit report should be made by whom?
Discovery. Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.
The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors? A. Stop-or-go B. Classical variable C. Discovery D. Probability-proportional-to-size
No. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts. IS Audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts themselves, but they can still audit the systems.
The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of IS auditors to independently and objectively audit the IT function?
Provide a basis for drawing reasonable conclusions. The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses, but also documenting and validating them.
The most important reason for an IS auditor to obtain sufficient and appropriate evidence is to:
The systematic collection and analysis of evidence after a system irregularity.
The primary purpose of an IT forensic audit is:
Outline the responsibility and authority of the IS audit function. An IS audit charter sets forth the purpose, responsibility, authority, and accountability of the IS audit function. The charter document grants authority to the audit function on behalf of the board of directors and company stakeholders.
The primary purpose of the IS audit charter is to:
Generalized audit software. Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.
The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation? A. Generate sample test data B. Generalized audit software C. Integrated test facility D. Embedded audit module
Legal and regulatory requirements. To ensure that the organization is complying with the privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards, and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards, and procedures.
To ensure that an organization is complying with privacy requirements, an IS auditor should FIRST review: A. the IT infrastructure B. organizational policies, standards, and procedures C. legal and regulatory requirements D. adherence to organizational policies, standards, and procedures
Document the identified finding in the audit report. IS auditor independence would dictate that the additional information provided by the auditee will be taken into consideration. Normally, an IS auditor would not automatically retract or revise the finding.
What is the best course of action for an IS auditor to take when an outsourced monitoring process for remote access is inadequate and management disagrees, because management states that intrusion detection systems and firewall controls are in place?
Purpose, objective, and scope of the audit. The extent to which data will be collected during an IS audit is related directly to the purpose, objective, and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection, such as the sample size or the means of data collection.
What is the best factor for determining the required extent of data collection during the planning phase of an IS compliance audit?
Alert management and evaluate the impact of not covering all systems. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP.
When auditing a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that it does not cover all of the systems. Which of the following is the MOST appropriate action for the IS auditor? A. Alert management and evaluate the impact of not covering all systems. B. Cancel the audit. C. Complete the audit of the systems covered by the existing disaster recovery plan (DRP). D. Postpone the audit until the systems are added to the DRP.
Inventory of assets. Identification of the assets to be protected is the first step in developing a risk management program.
When developing a risk management program, what is the first activity to be performed?
Vulnerabilities and threats are identified. In developing a risk-based audit strategy, it is critical that the risk and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.
When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
Sufficient and appropriate audit evidence.
When preparing an audit report, the IS auditor should ensure that the results are supported by:
Sufficient evidence will be collected. Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstance. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate, and the IS auditor's past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide information on how to meet the standards when performing IS audit work.
When selecting audit procedures, an IS auditor should use professional judgment to ensure that:
test data are isolated from production data. An ITF creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. The test data must be kept separate from production data.
When using an integrated test facility (ITF), an IS auditor should ensure that: A. production data are used for testing. B. test data are isolated from production data. C. a test data generator is used. D. master files are updated with the test data.
To provide reasonable assurance that all material items will be addressed. A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit.
Which of the following best describes the purpose of performing a risk assessment in the planning phase of an IS audit? A. Establish adequate staffing requirements to complete the IS audit B. To provide reasonable assurance that all material items will be addressed C. To determine the skills required to perform the IS audit D. To develop the audit program and procedures
Senior management identify key business processes. Developing a risk-based audit plan must start with the identification of key business processes, which will determine and identify the risk that needs to be addressed.
Which of the following choices would be the BEST source of information when developing a risk-based audit plan? A. Process owners identify key controls. B. System custodians identify vulnerabilities. C. Peer auditors understand previous audit results. D. Senior management identify key business processes.
A vulnerability. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers, employee error, environmental threat or equipment failure. This could result in a loss of sensitive information, financial loss, legal penalties or other losses.
Which of the following does a lack of adequate controls represent? A. An impact B. A vulnerability C. An asset D. A threat
Broad stakeholder involvement. The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad stakeholder involvement.
Which of the following is an attribute of the control self-assessment (CSA) approach? A. Broad stakeholder involvement B. Auditors are the primary control analysts C. Limited employee participation D. Policy driven
Generalized audit software (GAS). Generalized audit software (GAS) is a data analytic tool that can be used to filter large amounts of data.
Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds? A. Generalized audit software (GAS) B. Integrated test facility C. Regression tests D. Snapshots
Project Management
Which of the following is the most important skill an IS auditor should develop to understand the constraints of conducting an audit: 1 - Contingency Planning 2 - IS Management resource allocation 3 - Project Management 4 - Knowledge of internal controls
Computer-assisted audit techniques (CAATs). CAATs would allow an IS auditor to review the entire invoice file to look for those items that meet the selection criteria.
Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file? A. Attribute sampling B. Computer-assisted audit techniques (CAATs) C. Compliance testing D. Integrated test facility (ITF)
Implemented specific functionality during the development of an application. Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system.
Which of the following situations could impair the independence of an IS auditor? The IS auditor: A. implemented specific functionality during the development of an application. B. designed an embedded audit module for auditing an application. C. participated as a member of an application project team and did not have operational responsibilities. D. provided consulting advice concerning application good practices.
Compliance testing. Determining that only authorized modifications are made to production programs would require the change management process to be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently.
Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review
Table lookups. Table lookups are preventive controls; input data are checked against predefined tables, which prevents any undefined data from being entered.
Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? A. Transaction logs B. Before and after image reporting C. Table lookups D. Tracing and tagging
A confirmation letter received from a third party verifying an account balance. Evidence obtained from independent third parties is almost always considered to be more reliable than assurance provided by local management.
Which of the following would normally be the MOST reliable evidence for an IS auditor? A. A confirmation letter received from a third party verifying an account balance B. Assurance from line management that an application is working as designed C. Trend data obtained from World Wide Web (Internet) sources D. Ratio analysis developed by the IS auditor from reports supplied by line management
C) Observation. Dual control requires that two people carry out an operation. The observation technique would help to ascertain whether two individuals do indeed get involved in the execution of the operation and whether an element of oversight exists. It would be obvious if one individual is masquerading and filling in the role of the second person.
Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank? A) Analysis of transaction logs B) Re-performance C) Observation D) Interviewing personnel
report the issue to IT management. During the course of an audit, if there are material issues that are of concern, they need to be reported immediately.
While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should: A. report the issue to IT management. B. discuss the issue with the service provider. C. perform a risk assessment. D. perform an access review.
Continue to test the accounting application controls and include the deficiency in the final report. It is the responsibility of the IS auditor to report on findings that could have a material impact on the effectiveness of controls—whether or not they are within the scope of the audit.
While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to: A. continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions. B. complete the audit and not report the control deficiency because it is not part of the audit scope. C. continue to test the accounting application controls and include the deficiency in the final report. D. cease all audit activity until the control deficiency is resolved.
Reasonable assurance that the audit will cover material items. ISACA IS Audit and Assurance Guideline 2202 (Risk Assessment in Planning) states that the applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work. It should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit engagements.
While planning an IS audit, an assessment of risk should be made to provide:
Confidentiality of the work papers.
While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the: