Idiot, got this one wrong twice!!
When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern? A. Controls are eliminated as part of the streamlining BPR effort. B. Resources are not adequate to support the BPR process. C. The audit department does not have a consulting role in the BPR effort. D. The BPR effort includes employees with limited knowledge of the process area.
A is the correct answer. Justification A primary risk of BPR is that controls are eliminated as part of the reengineering effort. This is the primary concern. The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort. Although BPR efforts often involve many different business functions, it is not a significant concern if audit is not involved, and, in most cases, it is not appropriate for audit to be involved in such an effort. A recommended good practice for BPR is to include individuals from all parts of the enterprise, even those with limited knowledge of the process area. Therefore, this is not a concern.
When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following? A. The point at which controls are exercised as data flow through the system B. Only preventive and detective controls are relevant C. Corrective controls are regarded as compensating D. Classification allows an IS auditor to determine which controls are missing
A is the correct answer. Justification An IS auditor should focus on when controls are exercised as data flow through a computer system. Corrective controls may also be relevant because they allow an error or problem to be corrected. Corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls. Classification allows an IS auditor to determine which controls are missing is incorrect. The existence and function of controls is important but not the classification.
IS control objectives are useful to IS auditors because they provide the basis for understanding the: A. desired result or purpose of implementing specific control procedures. B. best IS security control practices relevant to a specific entity. C. techniques for securing information. D. security policy.
A is the correct answer. Justification An IS control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IS activity. Control objectives provide the actual objectives for implementing controls and may or may not be based on good practices. Techniques are the means of achieving an objective, but it is more important to know the reason and objective for the control than to understand the technique itself. This mandates the use of IS controls, but the controls are not used to understand policy.
Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy: A. is driven by an IT department's objectives. B. is published, but users are not required to read the policy. C. does not include information security procedures. D. has not been updated in over a year.
A is the correct answer. Justification Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals. Policies should be written so that users can understand each policy, and employees should be able to easily access the policies. The fact that users have not read the policy is not the greatest concern because they still may be compliant with the policy. Policies should not contain procedures. Procedures are established to assist with policy implementation and compliance. Policies should be reviewed annually, but they might not necessarily be updated annually unless there are significant changes in the environment such as new laws, rules or regulations.
An IS auditor finds a small number of user access requests that were not authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should: A. perform an additional analysis. B. report the problem to the audit committee. C. conduct a security risk assessment. D. recommend that the owner of the identity management system fix the workflow issues.
A is the correct answer. Justification The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and the factors that caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, a problem with the workflow of the automated system or a combination of the two. The IS auditor does not yet have enough information to report the problem. Changing the scope of the IS audit or conducting a security risk assessment requires more detailed information about the processes and violations being reviewed. The IS auditor must first determine the root cause and impact of the findings and does not have enough information to recommend fixing the workflow issues.
Which of the following is MOST important to consider when reviewing the classification levels of information assets? A. Potential loss B. Financial cost C. Potential threats D. Cost of insurance
A is the correct answer. Justification The best basis for asset classification is an understanding of the total losses a business may incur if the asset is compromised. Typically, estimating these losses requires a review of criticality and sensitivity beyond financial cost, such as operational and strategic. The value of an asset can be greater than its monetary cost, such as impact to reputation and brand. The classification of an asset does not change based on potential threats. Insurance would be obtained based on asset classification.
Which of the following is the key benefit of a control self-assessment? A. Management ownership of the internal controls supporting business objectives is reinforced. B. Audit expenses are reduced when the assessment results are an input to external audit work. C. Fraud detection will be improved because internal business staff are engaged in testing controls. D. Internal auditors can shift to a consultative approach by using the results of the assessment.
A is the correct answer. Justification The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. This is not a key benefit of CSA. Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.
An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation? A. Existing IT mechanisms enabling compliance B. Alignment of the policy to the business strategy C. Current and future technology initiatives D. Regulatory compliance objectives defined in the policy
A is the correct answer. Justification The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy. Policies should be aligned with the business strategy, but this does not affect an organization's ability to comply with the policy upon implementation. They should be driven by the needs of the business and would not affect an organization's ability to comply with the policy. Regulatory compliance objectives may be defined in the IT policy, but that would not facilitate compliance with the policy. Defining objectives would only result in the organization knowing the desired state and would not aid in achieving compliance.
The success of control self-assessment depends highly on: A. line managers assuming a portion of the responsibility for control monitoring. B. assigning staff managers the responsibility for building controls. C. the implementation of a stringent control policy and rule-driven controls. D. the implementation of supervision and monitoring of controls of assigned duties.
A is the correct answer. Justification The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly. CSA requires managers to participate in the monitoring of controls. The implementation of stringent controls will not ensure controls are working correctly. Better supervision is a compensating and detective control and may assist in ensuring control effectiveness but would work best when used in a formal process such as CSA.
Involvement of senior management is MOST important in the development of: A. strategic plans. B. IT policies. C. IT procedures. D. standards and guidelines.
A is the correct answer. Justification These provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. These are created and enforced by IT management and information security. They are structured to support the overall strategic plan. These are developed to support IT policies. Senior management is not involved in the development of procedures. These are developed to support IT policies. Senior management is not involved in the development of standards, baselines and guidelines.
An IS audit department is planning to minimize the risk of short-term employees. Activities contributing to this objective are documented procedures, knowledge sharing, cross-training and: A. succession planning. B. staff job evaluation. C. responsibilities definitions. D. employee award programs.
A is the correct answer. Justification This ensures that internal personnel with the potential to fill key positions in the organization are identified and developed. Job evaluation is the process of determining the worth of one job in relation to that of the other jobs in a company so that a fair and equitable wage and salary system can be established. Staff responsibilities definitions provide for well-defined roles and responsibilities; however, they do not minimize dependency on key individuals. These provide motivation; however, they do not minimize dependency on key individuals.
Which of the following is MOST critical for the successful implementation and maintenance of a security policy? A. Assimilation of the framework and intent of a written security policy by all appropriate parties B. Management support and approval for the implementation and maintenance of a security policy C. Enforcement of security rules by providing punitive actions for any violation of security rules D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
A is the correct answer. Justification This is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective. Management support and commitment is, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount. Punitive actions are needed to enforce the policy but are not the key to successful implementation. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules is important, but it is dependent on the support and education of management and users on the importance of security.
In the process of evaluating program change controls, an IS auditor would use source code comparison software to: A. examine source program changes without information from IS personnel. B. detect a source program change made between acquiring a copy of the source and the comparison run. C. identify and validate any differences between the control copy and the production program. D. ensure that all changes made in the current source copy are tested.
A is the correct answer. Justification When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes, because the source code comparison identifies the changes. The changes detected by the source code comparison are between two versions of the software. This does not detect changes made since the acquisition of the copy of the software. Confirmation that the current production program is the same as the control copy could be made through evaluation of program change controls. Source code comparison detects all changes between an original and a changed program; however, the comparison will not ensure that the changes have been adequately tested.
When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control? A. Restricting physical access to computing equipment B. Reviewing transaction and application logs C. Performing background checks prior to hiring IT staff D. Locking user sessions after a specified period of inactivity
B is the correct answer. Justification A. IT support staff usually require physical access to computing equipment to perform their job functions. It would not be reasonable to take this away. B. This directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught. C. Performing background checks is a useful control to ensure IT staff are trustworthy and competent but does not directly address the lack of an optimal segregation of duties. D. This acts to prevent unauthorized users from gaining system access, but the issue of a lack of segregation of duties is more the misuse (deliberately or inadvertently) of access privileges that have officially been granted.
When performing a risk analysis, the IS auditor should FIRST: A. review the data classification program. B. identify the organization's information assets. C. identify the inherent risk of the system. D. perform a cost-benefit analysis for controls.
B is the correct answer. Justification After the business objectives and the underlying systems are identified, the greatest degree of risk management effort should be focused towards those assets containing data considered most sensitive to the organization. The data classification program assists the IS auditor in identifying these assets. The first step of the risk assessment process is to identify the systems and processes that support the business objectives because risk to those processes impacts the achievement of business goals. Inherent risk is the exposure without considering the actions that management has taken or might take. The purpose of a risk assessment is to identify vulnerabilities so that mitigating controls can be established. However, one must first understand the business and its supporting systems to best identify systems requiring the most risk assessment effort. Designing and implementing controls to mitigate inherent risk of critical systems can only be performed after the above steps have been taken.
An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST: A. expand the scope of the IS audit to include the devices that are not on the network diagram. B. evaluate the impact of the undocumented devices on the audit scope. C. note a control deficiency because the network diagram has not been approved. D. plan follow-up audits of the undocumented devices.
B is the correct answer. Justification It is important that the IS auditor does not immediately assume that everything on the network diagram provides information about the risk affecting a network/system. There is a process in place for documenting and updating the network diagram. In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated—for example, the network layer, cross connections, etc. In this case, there is simply a mismatch in timing between the completion of the approval process and when the IS audit began. There is no control deficiency to be reported. Planning for follow-up audits of the undocumented devices is contingent on the risk that the undocumented devices have on the ability of the entity to meet the audit scope.
During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should: A. ask the auditee to sign a release form accepting full legal responsibility. B. elaborate on the significance of the finding and the risk of not correcting it. C. report the disagreement to the audit committee for resolution. D. accept the auditee's position because they are the process owners.
B is the correct answer. Justification Management is always responsible and liable for risk. The role of the IS auditor is to inform management of the findings and associated risk discovered in an audit. If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures because the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee lessens effective communications and sets up an adversarial relationship, but an IS auditor should not automatically agree just because the auditee expresses an alternate point of view. The audit report contains the finding from the IS auditor and the response from management. It is the responsibility of management to accept risk or mitigate it appropriately. The role of the auditor is to inform management clearly and thoroughly so that the best decision can be made. The IS auditor must be professional, competent and independent. They must not just accept an explanation or argument from management, unless the process used to generate the finding was flawed.
An IS auditor performing a review of application controls would evaluate the: A. efficiency of the application in meeting the business processes. B. impact of any exposures discovered. C. business processes served by the application. D. application's optimization.
B is the correct answer. Justification The IS auditor is reviewing the effectiveness of the controls, not the suitability of the application to meet business needs. An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses. This is not part of an audit restricted to a review of the application controls. One area to be reviewed may be the efficiency and optimization of the application, but this is not the area being reviewed in this audit.
An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? A. Risk reduction B. Risk transfer C. Risk avoidance D. Risk mitigation
B is the correct answer. Justification This is a term synonymous with risk mitigation. Risk reduction lowers risk to a level commensurate with the organization's risk appetite. Risk reduction treats the risk, while risk transfer does not always address compliance risk. This typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist. This does not expose the organization to compliance risk because the business practice that caused the inherent risk to exist is no longer being pursued. This will still expose the organization to a certain amount of risk. Risk mitigation lowers risk to a level commensurate with the organization's risk appetite. However, risk transference is the best answer because risk mitigation treats the risk, while risk transfer does not necessarily address compliance risk.
The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk? A. Inherent B. Detection C. Control D. Business
B is the correct answer. Justification This is the risk that a material error could occur, if there are no related internal controls to prevent or detect the error. Inherent risk is not usually affected by an IS auditor. This is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue. This is the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Control risk can be mitigated by the actions of the organization's management. This is a probable situation with uncertain frequency and magnitude of loss (or gain). Business risk is usually not directly affected by an IS auditor.
When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that: A. controls needed to mitigate risk are in place. B. vulnerabilities and threats are identified. C. audit risk is considered. D. a gap analysis is appropriate.
B is the correct answer. Justification Understanding whether appropriate controls that are required to mitigate risk are in place is a resultant effect of an audit. While developing a risk-based audit strategy, it is critical that the risk and vulnerabilities are understood. They determine the areas to be audited and the extent of coverage. Audit risk is an inherent aspect of auditing, directly related to the audit process and not relevant to the risk analysis of the environment to be audited. A gap analysis is normally done to compare the actual state to an expected or desirable state.
The BEST method of confirming the accuracy of a system tax calculation is by: A. review and analysis of the source code of the calculation programs. B. recreating program logic using generalized audit software to calculate monthly totals. C. preparing simulated transactions for processing and comparing the results to predetermined results. D. automatic flowcharting and analysis of the source code of the calculation programs.
C is the correct answer. Justification A review of source code is not an effective method of ensuring that the calculation is being computed correctly. Recreating program logic may lead to errors, and monthly totals are not accurate enough to ensure correct computations. This is the best method for confirming the accuracy of a tax calculation. Flowcharting and analysis of source code are not effective methods to address the accuracy of individual tax calculations.
Which of the following represents an example of a preventive control with respect to IT personnel? A. A security guard stationed at the server room door B. An intrusion detection system C. Implementation of a badge entry system for the IT facility D. A fire suppression system in the server room
C is the correct answer. Justification A security guard stationed at the server room door is a deterrent control. An intrusion detection system is a detective control. Preventive controls are used to reduce the probability of an adverse event. A badge entry system prevents unauthorized entry to the facility. A fire suppression system is a corrective control.
When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies: A. are aligned with globally accepted industry good practices. B. are approved by the board of directors and senior management. C. strike a balance between business and security requirements. D. provide direction for implementing security procedures.
C is the correct answer. Justification A. An organization is not required to base its IT policies on industry good practices. Policies must be based on the culture and business requirements of the organization. B. It is essential that policies be approved; however, that is not the primary focus during the development of the policies. C. Because information security policies must be aligned with an organization's business and security objectives, this is the primary focus of the IS auditor when reviewing the development of information security policies. D. Policies cannot provide direction if they are not aligned with business requirements.
A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that: A. the security controls of the application may not meet requirements. B. the application may not meet the requirements of the business users. C. the application technology may be inconsistent with the enterprise architecture. D. the application may create unanticipated support issues for IT.
C is the correct answer. Justification Although security controls should be a requirement for any application, the primary focus of the EA is to ensure that new applications are consistent with enterprise standards. Although the use of standard supported technology may be more secure, this is not the primary benefit of the EA. When selecting an application, the business requirements and the suitability of the application for the IT environment must be considered. If the business units selected their application without IT involvement, they are more likely to choose a solution that fits their business process the best with less emphasis on how compatible and supportable the solution will be in the enterprise, and this is not a concern. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system that is not part of the EA for the business, this increases the cost and complexity of the solution and ultimately delivers less value to the business. Although any new software implementation may create support issues, the primary benefit of the EA is ensuring that the IT solutions deliver value to the business. Decreased support costs may be a benefit of the EA, but the lack of IT involvement in this case would not affect the support requirements.
The initial step in establishing an information security program is the: A. development and implementation of an information security standards manual. B. performance of a comprehensive security control review by the IS auditor. C. adoption of a corporate information security policy statement. D. purchase of security access control software.
C is the correct answer. Justification The security program is driven by policy and the standards are driven by the program. The initial step is to have a policy and ensure that the program is based on the policy. Audit and monitoring of controls related to the program can only come after the program is set up. A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program. Access control software is an important security control but only after the policy and program are defined.
An IS auditor performing an audit of the risk assessment process should FIRST confirm that: A. reasonable threats to the information assets are identified. B. technical and organizational vulnerabilities have been analyzed. C. assets have been identified and ranked. D. the effects of potential security breaches have been evaluated.
C is the correct answer. Justification The threats facing each of the organization's assets should be analyzed according to their value to the organization. This occurs after identifying and ranking assets. Analyzing how these weaknesses, in the absence of mitigating controls, will impact the organization's information assets occurs after the assets and weaknesses have been identified. Identification and ranking of information assets (e.g., data criticality, sensitivity, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset. The effect of security breaches is dependent on the value of the assets and the threats, vulnerabilities and effectiveness of mitigating controls. The impact of an attack against a weakness should be identified so that controls can be evaluated to determine if they effectively mitigate the weaknesses.
An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to: A. acknowledge receipt of electronic orders with a confirmation message. B. perform reasonableness checks on quantities ordered before filling orders. C. verify the identity of senders and determine if orders correspond to contract terms. D. encrypt electronic orders.
C is the correct answer. Justification This is good practice but will not authenticate orders from customers. This is a control for ensuring the correctness of the organization's orders, not the authenticity of its customers' orders. An electronic data interchange system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. This is an appropriate step but does not prove authenticity of messages received.
An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed, and the backup restarts cannot be confirmed. What should the IS auditor do? A. Issue an audit finding. B. Seek an explanation from IS management. C. Review the classifications of data held on the server. D. Expand the sample of logs reviewed.
D is the correct answer. Justification At this stage it is too preliminary to issue an audit finding. Seeking an explanation from management is advisable, but it is better to gather additional evidence to properly evaluate the seriousness of the situation. Without gathering more information on the incident and the frequency of the incident, it is difficult to obtain a meaningful explanation from management. A backup failure, which has not been established at this point, will be serious if it involves critical data. However, the issue is not the importance of the data on the server, where a problem has been detected, but whether a systematic control failure that impacts other servers exists. IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure.
An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? A. Controls are implemented based on cost-benefit analysis. B. The risk management framework is based on global standards. C. The approval process for risk response is in place. D. IT risk is presented in business terms.
D is the correct answer. Justification Controls to mitigate risk must be implemented based on cost-benefit analysis; however, the cost-benefit analysis is effective only if risk is presented in business terms. A risk management framework based on global standards helps in ensuring completeness; however, organizations must adapt it to suit specific business requirements. Approvals for risk response come later in the process. For risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.
During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should: A. create the procedures document based on the practices. B. issue an opinion of the current state and end the audit. C. conduct compliance testing on available data. D. identify and evaluate existing practices.
D is the correct answer. Justification IS auditors should not prepare documentation because the process may not be compliant with management objectives and doing so could jeopardize their independence. Ending the audit and issuing an opinion will not address identification of potential risk. The auditor should evaluate the practices in place. The recommendation may still be for the organization to develop written procedures. Terminating the audit may prevent achieving one of the basic audit objectives—identification of potential risk. Because there are no documented procedures, there is no basis against which to test compliance. One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach is to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management, with recommendations to document the current controls or enforce the documented procedures.
The extent to which data will be collected during an IS audit should be determined based on the: A. availability of critical and required information. B. auditor's familiarity with the circumstances. C. auditee's ability to find relevant evidence. D. purpose and scope of the audit being done.
D is the correct answer. Justification The extent to which data will be collected during an IS audit should be based on the scope, purpose and requirements of the audit and not be constrained by the ease of obtaining the information or by the IS auditor's familiarity with the area being audited. An IS auditor must be objective and thorough and not subject to audit risk through preconceived expected results based on familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence. If evidence is not readily available, the auditor must ensure that other forms of audit are considered to ensure compliance in the area that is subject to audit. The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope, or just a high-level review, will most likely require less data collection than an audit with a wider purpose and scope.
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? A. Overlapping controls B. Boundary controls C. Access controls D. Compensating controls
D is the correct answer. Justification Overlapping controls are two controls addressing the same control objective or exposure. Because primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls. Access controls for resources are based on individuals and not on roles. For a lack of segregation of duties, the IS auditor expects to find that a person has higher levels of access than are ideal. The IS auditor wants to find compensating controls to address this risk. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.
Which of the following should be the FIRST action of an IS auditor during a dispute with a department manager over audit findings? A. Retest the control to validate the finding. B. Engage a third party to validate the finding. C. Include the finding in the report with the department manager's comments. D. Revalidate the supporting evidence for the finding.
D is the correct answer. Justification Retesting the control normally occurs after the evidence has been revalidated. Although there are cases where a third party may be needed to perform specialized audit procedures, an IS auditor should first revalidate the supporting evidence to determine whether there is a need to engage a third party. Before putting a disputed finding or management response in the audit report, the IS auditor should take care to review the evidence that is used in the finding to ensure audit accuracy. Conclusions drawn by an IS auditor should be adequately supported by evidence, and any compensating controls or corrections that are pointed out by a department manager should be taken into consideration. Therefore, the first step is to revalidate the evidence for the finding. If, after revalidating and retesting, there are unsettled disagreements, those issues should be included in the report.
For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk? A. Use of computer-assisted audit techniques B. Quarterly risk assessments C. Sampling of transaction logs D. Continuous auditing
D is the correct answer. Justification Using software tools such as computer-assisted audit techniques to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results. Quarterly risk assessments may be a good technique, but they are not as responsive as continuous auditing. Sampling transaction logs is a valid audit technique; however, risk may exist that is not captured in the transaction log, and there may be a potential time lag in the analysis. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.