Internal Control - Chapter 3

Which of the following is an example of an application control? A) Only users with a company domain email can access software. B) Only employees at a certain management level can override the system and issue refunds. C) Computer passwords must be at least 6 characters long and changed every 90 days. D) All of the above

B - While all employees may be able to access the system, only those at a high level can make changes.

During an IT audit, you notice that the documentation for an application your client developed does not include a new function you noticed while browsing through its interface. You should: a. Ask the developer about the documentation b. Assume that the documentation will be updated and circle back to this later c. Interview end users at the company about their use of the function d. A and C

D - One must determine how material this function is to the operations of the business and raise the lack of documentation. The combination of the two allows one to address lapses in internal controls in the context of materiality.

Which of the following is NOT part of the risk assessment process? a. Likelihood determination b. Impact analysis c. Control recommendations d. Comprehensive understanding

D - comprehensive understanding

When an ineffective control is found during the audit process, which of the following should be done? a. Do substantive testing b. Determine how and to what degree the ineffectiveness will affect the whole process c. Discuss with the manager right away d. A & B

D. A & B - When an ineffective control is found, auditors should first identify the impact of this control on the overall operating cycle. Auditors should also perform substantive testing if necessary.

StarkX is a highly innovative technology company. Due to the nature of its core business, it values the security of its information and invests heavily in its IT controls. Employees can only gain access to information classified at their corresponding level unless they receive authorization from a supervisor. Backups of the system are performed on a weekly basis. What key business process(es) is mentioned above? a. Access control management b. Change control management c. Management of data center, network, and support d. Both A and B e. Both A and C

E. Granting employees restricted access to information at different levels is an example of Access Control Management; backups of the system are an example of Management of Data Center, Network, and Support.

An IT risk/weakness can be quantified for managers/business owners to make decisions regarding IT controls. a. True b. False

False - It is impossible to quantify the risk of an IT control weakness, and therefore regulatory requirements are slow to catch up to the current environment of IT audit controls. Regulatory requirements are a function of politics, and it depends on the industry one is auditing to properly estimate, not exactly quantify, a risk.

Which of the following types of audit ensures that systems are tested and installed in accordance with the accepted standards for the development of systems? a. Systems Development b. Computerized System and Applications c. Enterprise Architecture d. Information Processing Facilities

a

Which of the following is NOT a synonym for findings? a. evaluation b. exception c. deviation d. issue

a. Evaluation - The terms findings, exception, deficiency, deviation, problem, and issue are synonymous in the audit world and mean the auditor has identified a situation where controls, procedures, or efficiency can be improved. Evaluation is not synonymous with the above items.

According to ISACA, which group of people is COBIT 5 most helpful for? a. Managers, executives, and auditors b. Investors and shareholders c. Lower-level employees and their duties d. Board of directors

a. COBIT 5 is optimized for people in management positions.

Completing insurance policy checklists is best used for which of the following? a. Identifying IT risk surrounding financial applications b. Audit testing c. Substantive testing d. Comprehensive understanding of the applications the business uses

a. Identifying IT risk surrounding financial applications

Assume you found an ineffective control on a financial application and now you need to find out the materiality of the issue. What would be the most likely goal as an IT auditor? a. Determine if information is accurate and complete b. Determine if the organization is utilizing applicable internal policies c. Determine if the organization is adhering to industry guidelines and best practices d. Determine if the organization is following federal regulations

a. Materiality is a measure of how far off (or close) the mistake is from the correct number. Therefore, an ineffective control that results in only a slight discrepancy between what should have been reported and what was reported has low materiality.

The audit plan should be communicated to: a. the internal audit team b. business functions and other stakeholders c. senior management d. all of the above

d

Choose the answer that correctly states the number of phases in the audit process and provides the correct description of each phase. a. There are 6 phases of an audit: risk assessment, preliminary review, test controls, document results, and communication b. There are 5 phases of an audit: IT assessment, test controls, design audit procedures, management review, and opinion decision c. There are 3 phases of an audit: risk assessment, preliminary review, and test controls d. There are 8 phases of an audit: risk assessment, audit plan, preliminary review, design audit procedures, test controls, substantive testing, document results, and communication

d. 8 phases: risk assessment, audit plan, preliminary review, design audit procedures, test controls, substantive testing, document results, communication

What is the LEAST effective control you can use to mitigate a risk? a. Mandatory password change every 60 days b. IP whitelisting, which restricts login access to the application by IP address c. Multi-factor authentication (MFA) - example of login controls using NYU Classes call-in d. Audit trail tracking, which monitors user access and flags suspicious activity within the application

A - While mandatory password changes every cycle of days are a helpful security measure, they are the least effective because the user has the power to open a loophole in this IT control, such as writing the new password on a sticky note next to the computer.

Which of the following is the best explanation for the direct impact that the IT audit has on the financial statement audit? A. An IT audit is performed and has identified that the controls are in place and operate effectively, thus the financial auditor will be able to do less work (substantive tests) for that particular part of the audit. B. An IT audit is performed and has identified that the controls are in place and operate effectively, thus the financial auditor will be able to do more work for that particular part of the audit. C. An IT audit is performed and has identified that the controls are in place but are not operating effectively, thus the financial auditor will be able to do less work (substantive tests) for that particular part of the audit. D. An IT audit is performed and has identified that no controls are in place to protect the financial application, thus the financial auditor will need to perform fewer substantive tests.

A is the correct answer because when the IT auditor determines that controls are in place and operate effectively, this leads to less work for the financial auditor, who can rely on the controls.

Which of the following is true about COBIT? a. It supports the need to research, develop, publicize, and promote up-to-date internationally accepted IT control objectives b. It is an authoritative, local set of generally accepted IT practices c. The benefit of COBIT is that it allows management to identify its problems internally d. COBIT 5 provides an integrated framework that doesn't integrate well with other frameworks

A. Correct. COBIT supports the need to research, develop, publicize, and promote up-to-date internationally accepted IT control objectives.

Which of the following is false about risk assessments? A. Used to determine the extent of potential threats and the risks primarily associated with financial applications rather than IT systems. B. Improve the quality, quantity, and accessibility of planning data, such as risk areas, past audits and results, and budget information. C. Examine potential audit projects in the audit universe and choose those that have the greatest risk exposure to be performed first. D. Provide a framework for allocating audit resources to achieve maximum benefits.

A. False. An effective risk assessment planning process allows auditing to be more flexible and efficient in meeting the varying needs of a changing organization. Risk assessment is also widely used to assist management in identifying and implementing appropriate IT controls for reducing or eliminating those threats and risks during the mitigation process.

At what level is most of the field work of an audit performed, including meeting with personnel, creating audit work papers, and gathering documentation? a. Staff level b. Senior level c. Managers or senior managers d. PPD

A. Staff level - The staff level (1-3 years of experience) typically performs the field work.

Which of the following is NOT a characteristic of an audit universe: a) Create the audit budget and define scope b) The audit universe documents the key business processes and risks of an organization c) It is an essential building block to a properly risk-based internal audit process d) The audit universe ties the organizational objective to the entire audit process

A. The audit universe is not involved with the audit budget and scope. It documents the key business processes and risks of an organization.

As part of ANC Inc.'s training for all employees, newly joined employees are provided access to the data center as an integral part of their training to fully understand how the firm operates as a whole. What type of IT risk does this pose to ANC Inc.? a. Risk in Access Control Management b. Risk in Change Control Management c. Risk in Management of Data Center, Network and Support d. All of the above

A. Access control management prevents unauthorized access to or modification of programs and data. In ANC's example, all new hires were given access to the data center, which is an exposure to risk.

Today's business environment is dynamic and constantly changing, which is why it is difficult to keep up with regulatory and organizational changes. Also, there is a limited amount of audit resources. Which phase of the audit evaluates and identifies the right audits to focus on? a. Risk assessment b. Audit plan c. Preliminary review d. Test controls

A. Risk assessment is the first phase of the audit, and it provides explicit criteria for systematically evaluating and selecting the right audits.

Which of the following occurs in the preliminary review phase of an audit? a. The auditor gathers a deep understanding of the IT environment, including the controls put in place to address potential exposures b. The auditor executes procedures to examine the controls and processes in place c. Identifying new risk areas or changes in existing risk areas d. Creating an annual schedule by determining total audit hours available and assigning universe items to fill the available time

A. The purpose of the preliminary review of an IT audit is to gather a deep understanding of the IT environment within a company and to evaluate how the company responds to its risks and whether the controls put in place are operating effectively.

How did MiMedx respond to being confronted with meeting its quarterly and annual revenue guidance by legitimate means? A) Hired Arthur Andersen to manipulate its books B) Orchestrated a fraudulent scheme to falsely recognize revenue upon shipment to its stocking distributors C) Requested CPM to provide a $200,000 upfront payment prior to receiving shipment D) B & C

B

Which of the following is true about IT audits to support financial statement audits? a. If IT controls are found to be in place and operating properly, the financial auditor's work would most likely be less on the entire part of the audit b. If the IT audit finds that IT controls are not operating effectively, the financial auditor should perform a higher amount of substantive testing c. Results of an IT audit over financial applications have an indirect bearing on the substantive testing performed by the financial auditor d. The common objective of IT audits is to support the internal control valuation of a firm

B

Which of these processes is the correct audit process? a. preliminary review, risk assessment, audit plan, design audit procedures, test controls, substantive testing, document results, communication b. risk assessment, audit plan, preliminary review, design audit procedures, test controls, substantive testing, document results, communication c. risk assessment, audit plan, preliminary review, design audit procedures, substantive testing, test controls, document results, communication

B

According to Otero's Information Technology Control and Audit, which of the following is a way to identify the risks surrounding financial applications? a. Inquiries of low-level employees b. Completion of insurance policy checklists c. Review of corporate governance structure d. Consider the costs associated with implementing controls and the impact on users

B - Completion of insurance policy checklists. This risk assessment procedure allows for the management of reimbursement risk and provides some insight into what has gone wrong in the past. Checklists are also useful because when the company submits a new claim, past insurance policy claims can be reviewed.

What is the corresponding entity of AICPA in the case of IT governance and audit? a. COBIT b. ISACA c. CISA d. IFAC

B - ISACA (Information Systems Audit and Control Association), which is a professional association focused on IT governance. While we have the AICPA for financial statements, correspondingly we have ISACA for IT. A is incorrect because COBIT is a framework that was created by ISACA. C is incorrect because CISA stands for Cybersecurity & Infrastructure Security Agency. D is incorrect because IFAC stands for International Federation of Accountants.

Which of the following statements is not true about risk assessments? A) Risk assessments can assist in developing the process for planning individual audits. B) Risk assessments can provide an overall approach within which audit engagements can be conducted. C) Risk assessments can identify changes not only in new risk areas but also in existing risk areas. D) Risk assessments can help organizations to determine the extent of potential threats and the risks associated with IT systems and applications.

B - The intent of the audit plan is to provide an overall approach within which audit engagements can be conducted.

The main purpose of COBIT can best be described as: a. To identify and respond to key areas of risk in an organization b. To create optimal value from IT c. To provide reasonable assurance that controls to achieve objectives are present and functioning d. To establish guidelines and standards that professionals are expected to follow

B - The main purpose of COBIT is to create optimal value from IT by realizing benefits and optimizing risk levels and resource use.

Which of the following is NOT a reason why COBIT is useful for enterprises and especially managers? a. to better understand the IT systems b. to better plan the budget for the upcoming year c. to decide adequate levels of security and controls d. to discharge fiduciary responsibilities

B. COBIT's main objective is to help enterprises create optimal value from IT, such as by optimizing risk levels and the use of resources. Therefore, planning the budget is less related to the use of IT compared to the rest of the options.

Which of the following statements about Governance from the COBIT 5 framework is NOT true? a. Guides management by prioritizing objectives. b. Plan, build, run, and monitor the activities and processes used by the organization to pursue the objectives established by the board. c. Evaluates stakeholder needs to identify objectives. d. Monitors overall management's performance.

B. Plan, build, run, and monitor the activities and processes used by the organization to pursue the objectives established by the board.

Which of the following statements about Risk Assessment from the COBIT 5 framework is NOT true? a. Improve the quality, quantity, and accessibility of planning data, such as risk areas, past audits and results, and budget information. b. Examine potential audit projects and choose those that have the greatest risk exposure to be performed first. c. Comparing answers to supporting documentation, work papers, programs, tests, or other verifiable results d. Provide a framework for allocating audit resources to achieve maximum benefits.

C

Which of these poses an IT Risk? I. Data is archived in back-ups outside the main company's computers II. A user has access to databases outside their normal job function III. A developer for the latest version of the database program is being cut loose by the end of the month due to budget cuts. a. I b. III only c. II and III d. I and III e. All of the above

C - II is a correct choice because it can lead to unauthorized modification of databases. III is a correct choice because this event may result in sabotage of the programs needed to run and modify databases.

Which of the following is NOT a part of the IT audit phases? a. Risk assessment b. Design Audit Procedures c. Create ethical code d. Communication

C - Creating an ethical code is part of internal control management and COBIT, NOT part of the IT audit phases.

Which of the following best describes the relationship between IT audit and substantive testing? A. IT audit has no direct relationship with substantive testing. B. The more effective IT controls are in place and operating properly, the more substantive testing is needed. C. The more effective IT controls are in place and operating properly, the less substantive testing is needed. D. IT audit is dependent on the results of substantive test findings.

C - If the IT controls protecting the financial applications are not enough or not operating effectively, the amount of substantive testing performed by the financial auditor will be much higher.

What is the correct order of IT audit phases? a. audit plan b. test controls c. communication d. risk assessment e. preliminary review f. design audit procedures g. document results h. substantive testing A) abdceghf B) dcghabfe C) daefbhgc D) daefhgbc

C - daefbhgc

An effective Risk assessment should NOT: a. identify new risk areas b. improve the quality of audit planning data c. implement strategies to mitigate the risks identified d. determine the level of risk for projects in the audit universe

C - No part of an audit involves implementing any strategies or solutions on behalf of the company. This would violate independence.

Which of these activities would not fall into the COBIT framework? a. focus on all stakeholders involved in and around the business b. create an environment of strong ethical culture in the organization c. have all IT audit meetings include both management and board of directors d. Review the entire business and evaluate areas using risk based approach

C - There should be a separation between governance objectives (from the board of directors) and management's objectives (to run and monitor the activities and processes used in the organization).

Which of the following would least likely be a difference between an audit program and internal control questionnaire (ICQ)? A. The internal control questionnaire contains questions in order to evaluate the design of the internal control system. B. The audit program is a formal plan to review and test the significant audit subject areas that are disclosed during the fact gathering process. C. The internal control questionnaire includes specific procedures to test the responses received from questions to substantiate the controls identified to be in place and working as anticipated by management. D. The internal control questionnaire checks if controls have been implemented and are able to detect, prevent, or correct a material misstatement.

C is the correct answer because it is the audit program that includes the specific procedures to test the responses received from the questions, in order to substantiate that the controls identified as being in place are actually working.

Given the choices below, choose all the ones that are included in the audit universe. I. Organization objectives II. Key business processes that support an organization's objectives III. Deciding adequate levels of security and controls IV. Specific audit objectives V. Monitors overall management's performance VI. Controls that mitigate the risks a. I, II, III, and VI b. I, II, III, IV, V, and VI c. I, II, IV, and VI d. II, V, and VI

C. III is not an area included in the audit universe; instead, it is one of the objectives of COBIT 5. V is not an area included in the audit universe, as it describes one of the roles of the board of directors described under principle 5 of COBIT 5.

Which of the following companies is LEAST likely to rely solely on the COBIT framework to provide assurance that IT security and controls exist? a. A grocery store b. An online-based clothing retailer c. A bank d. A consulting firm

C. A bank - As discussed in the lecture, Professor Lanz explained that COBIT is NOT effective in exploring the depth of cybersecurity risks. Also, the framework is very generic. As a result, banks should not rely solely on the COBIT framework to provide assurance that IT security and controls exist. This is because banks manage a large volume of sensitive data about individual customers and businesses.

How do Application Controls rely on General Controls? a. Application Controls have nothing to do with General Controls b. A company can rely on Application Controls in the absence of General Controls c. A company can rely on Application Controls if General Controls are good d. A company can rely on Application Controls if General Controls are weak

C. Application Controls are useful if General Controls are strong.

Which of the following relate to Principle 4 in COBIT 5? I. Recognizes that people, skills, and competencies are required for successful completion of all activities II. Promotes good culture, ethics, and behavior in the organization III. Evaluates the needs of stakeholders to identify objectives IV. Implements processes to achieve overall IT-related goals and objectives a. I, III b. II, IV c. I, II, IV d. I, II, III, IV

C. I, II, and IV all relate to Principle 4 in COBIT 5. The full list can be seen on pp. 60-61 of the textbook.

What procedures do IT auditors perform in order to test controls, processes, and exposures? I. Examining documentary evidence II. Corroborating interviews III. Determining the accuracy and completeness of the information IV. Inspection of documentation V. Personal observation A. I, II, III B. I, II, IV C. I, II, IV, V D. III, IV, V E. All of the above

C. I, II, IV, V - III is not a procedure that IT auditors perform; instead, it is related to substantive testing.

In the financial statement audit, what should IT auditors focus on most? a. the security of the operating system b. testing whether the access of programmers is adequate c. checking whether controls are implemented to detect, prevent, or correct a material misstatement d. observing, interviewing, and inspecting existing documentation and flowcharting, among others

C. IT auditors should focus on the materiality of financial misstatement.

Which Audit procedures are key in order to test controls? I. Inspection of documentation II. Confirmations III. Interviews IV. Observations a. I & III b. I, II & IV c. I, III, & IV d. All of the above

C. Inspection of documentary evidence such as notes from meetings and programmer notes is important. Interviews are a key part of testing controls to get more information. Personal observation of actual procedures taking place can be key in finding out weak internal controls. Sending out confirmations is not key in order to test controls.

When creating an IT Audit Plan, what should an organization AVOID in order to make an audit engagement more productive and effective? (pg 64 & 68) a. writing down what everyone participating in the engagement should do b. seeking out experienced auditors c. having an inflexible, detailed audit plan that the auditors must stick to d. meeting senior members for input

C. It is best to make the plan amendable and handle it on a case-by-case basis.

Which of the following statements incorrectly describes COBIT? a. COBIT is based on five principles b. considering the IT needs of internal and external stakeholders and enabling IT to be governed and managed in a holistic manner are principles of the COBIT framework c. COBIT is effective in exploring the depth of cyber security risks d. the COBIT framework is comprehensive, therefore it provides assurance that IT security and controls exist

C. The professor explained that COBIT is NOT effective in exploring the depth of cyber security risks.

Which one of the following statements is NOT true about IT audit processes? a. COBIT 5 is useful for enterprises of all sizes, whether commercial, not-for-profit, or in the public sector b. touring the client company's facilities is a typical way for an IT auditor to learn about the IT environment c. in IT risk assessment, the risk rating is computed by multiplying the probability assigned and the potential loss it could cost d. the IT auditor builds a detailed understanding of the controls and procedures in place during the preliminary review

C. The risk rating is computed by multiplying the probability assigned and the impact level value.

An effective risk assessment planning process DOES NOT allow auditing to: a. identify new risk areas including changes to the organizational regulatory environment b. access current regulatory and legal information c. focus on all potential audits that can be performed d. identify changes in existing risk areas

C. Focus on all potential audits that can be performed - The risk assessment process does not allow auditing to focus on ALL potential audits that could be performed, given the high number of possible audits and the limited resources available. It is important to focus on the right audits.

Who sets the standards in terms of materiality? a. The AICPA b. The SEC c. The auditor's judgement d. The company's management

C. The auditor's professional judgement determines the materiality level that the auditor is willing to accept.

Which of the following statements is true about the COBIT framework? a) The COBIT framework applies only to small commercial organizations b) The COBIT framework considers the IT needs of internal stakeholders and does not take into consideration external stakeholders c) One of the disadvantages of the COBIT framework is that it does not provide an integrated framework that aligns easily with other frameworks d) none of the above

D

Which of these is NOT a step in the COBIT 5 framework? a. Covering the enterprise end-to-end b. Meeting the stakeholder needs c. Separating governance from management d. None of the above

D

Which of the following is incorrect about COBIT? a. Helps organizations create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. b. Often used to substantiate IT auditors' internal control assessments and opinions. c. Enables IT to be governed and managed in a holistic manner for the entire organization. d. More effectively used for commercial enterprises rather than not-for-profit organizations.

D - COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit, or in the public sector.

In a financial statement audit, what do IT auditors mostly focus on? a. The correctness of data entered b. The type of software used c. The number of inputs d. The materiality of configuration

D - For an IT audit, there are no numbers for us, so we usually test the understanding, controls, and compliance to test materiality. For an IT audit, the thing that matters the most is how much a single configuration error (e.g. a configuration of rounding) can lead to a material misstatement. Therefore, choices A, B, and C are incorrect.

According to Otero's Information Technology Control and Audit, for application systems that process significant financial data, which of the following is not an item of evidential matter the IT auditor would seek to collect? a. Narratives or overview flowcharts of the financial application b. Controls in place supporting the areas of information systems operations c. Controls in place supporting the area of change control management d. None of the above

D - None of the above. All of the answer choices are examples of items of evidential matter that the IT auditor is likely to seek out.

Which of the following steps is NOT included in the Audit Plan? A. List the audit objectives and describe the context B. Create the audit budget and define the scope C. Develop the audit schedule D. Review and test each significant audit subject area disclosed during fact gathering E. All of the above

D - The Audit Plan should have 4 minimum steps: 1) list the audit objectives and describe the context, 2) develop the audit schedule, 3) create the audit budget and define scope, 4) list audit team members, describe audit tasks, determine deadlines (from textbook page 68). Option D is a description of an Audit Program.

Which of the following is incorrect about the Audit Universe? A. The Audit Universe includes all the potentially relevant audit areas. B. Guidance suggests organizations should establish risk-based plans for audit universes. C. The Audit Universe should be aligned with the organization's key objectives. D. The audit universe is a fixed and formalized process.

D - The audit universe is an ongoing process. It is dependent on changes and should be adjusted when organizations, risks, and environments change.

Which of the following is incorrect about auditors involved in reviewing financial applications? A. Auditors must ensure that provisions are made for an adequate audit trail so that transactions can be traced forward and backward through the financial application. B. Auditors must ensure that provisions are made for the documentation and existence of controls over the accounting for all data entered into the application, and controls to ensure the integrity of those transactions throughout the computerized segment of the application. C. Auditors must ensure that provisions are made for the handling of exceptions to, and rejections from, the financial application. D. Auditors must ensure that provisions are made for adequate controls for one single application system.

D. Auditors must ensure that provisions are made for adequate controls between interconnected application systems.

Which of the following are purposes of COBIT? a. to provide specific audit guidelines b. to provide managers with a benchmark of their environment to compare with other organizations c. to provide a framework of generally accepted IT practices or internal control objectives d. Both B and C

D. Both B and C are purposes of COBIT. COBIT is a framework that provides generally accepted IT practices or control objectives. It also provides a consistent benchmark that allows everyone to get on the same page.

What is considered a third-party fraudulent and improper transaction? A) Consignment sales B) Contingency sales C) Side letter agreements D) All of the above

D. All of the above third-party transactions can be used to manipulate revenue.

Which one of the following is not a typical IT audit phase? a. risk assessment b. preliminary review c. test controls d. identify financial applications

D. Identifying financial applications is important in the IT audit process, but it is not one of the phases.

Which of the following is an example of the Preliminary Review phase in an audit? a. Perform an internal control questionnaire (ICQ) b. Perform corroborating interviews c. Delineate the overall approach of the audit and what will be accomplished, the budget, and the time it will take to perform the audit d. The auditor interviews key personnel to understand the client's policies and practices and gains a general understanding of the company

D. This is an example of an action an auditor may take during the Preliminary Review phase.

Which of the following is NOT likely to be included in an IT audit plan to support a financial statement audit? a. list the audit objectives and describe the context b. schedules of the work the auditor performed c. create the audit budget and define scope d. assessing the risk associated with IT auditors' engagement

D. This should not be included in the audit plan. The IT auditor determines whether to accept an audit engagement by assessing engagement risk before the planning phase. On page 68 of the textbook: "an audit plan, after gathering a comprehensive understanding of the audit universe and the risks associated with each universe item, should: 1. list the audit objectives and describe the context 2. develop the audit schedule 3. create the audit budget and define scope 4. list audit team members, describe audit risks, determine deadlines."

Which one of the statements is NOT true about Audit Risk Assessment? a. Have a process in place to identify or characterize assets b. Define vulnerabilities on those assets and the threat-sources that can trigger them c. Associate assets with corresponding IT and/or business risks d. Since all risks are equally likely to occur, risk assessments shall be prepared to resolve all risks with equal emphasis

D. Vulnerability is computed by assessing the possibility of risky events happening, so risks are not all equally likely and do not receive equal emphasis.

Which of the following best describes how risks relating to financials are identified? a. Discuss with the team members and set a goal for the audit fieldwork b. Ask the clients for information c. Read through the previous financial report d. Analyze financial statement trends with inspections of relevant documents

D. Risk is the foundation of the audit process, so analytical procedures are required to set the risk of material misstatement before moving forward with audit fieldwork. The other options apply more during fieldwork, when the auditor needs to understand the business, the company and its industry situation.

Which of the following is least likely to be a component of an IT audit plan? a. the identification of applications that support significant business processes b. the assignment of universe items to particular time slots by using a risk ranking process c. the identification and review of the roles of a senior manager relative to senior staff d. the collection of information about possible risk areas arising from ineffective controls

D. The collection of information about possible risk areas arising from ineffective controls. Understanding the IT environment, including the design of internal controls and the associated risks, is part of the audit process rather than the audit plan.

IT audit is similar to financial audit in many aspects EXCEPT for: a. SOX compliance and internal audit b. Audit planning c. Materiality d. Risks within the company's IT environment

D. The scope of the IT audit is much broader and deeper for each technology audited, especially within the company's IT environment, such as network security, infrastructure audit, mobile application security, cybersecurity, cloud computing, etc.

What is the correct order of the audit plan? a. Comprehensive understanding, Risk assessment, objective & context, audit schedule, audit budgeting & scope, team task & deadlines b. Risk assessment, comprehensive understanding, objective & context, audit schedule, audit budgeting & scope, team task & deadlines c. Comprehensive understanding, objective & context, Risk assessment, audit schedule, audit budgeting & scope, team task & deadlines d. Comprehensive understanding, objective & context, audit schedule, audit budgeting & scope, team task & deadlines, Risk assessment

a. Comprehensive understanding, risk assessment, objective and context, audit schedule, audit budgeting and scope, team task and deadlines.

Which answer best describes the most common functional audit areas of an organization? a. Sales, marketing, customer service, operations, research and development, finance, human resources, information technology, and legal b. Sales, human resources, and legal c. Human resources, operations, sales, and finance d. Operations and finance

a. This option encompasses all of the common functional audit areas of an organization.

Which of the following is the correct order in which an IT audit normally progresses? a. Risk assessment, audit plans, audit procedures & results, communications b. Audit plans, risk assessment, audit procedures & results, communications c. Audit procedures, audit plan, risk assessment & results, communications d. Risk assessment, audit procedures, audit plans & results, communications

a. Risk assessment, audit plans, audit procedures & results, communications

How do substantive testing and compliance testing differ? (pg 83) a. Substantive testing is used to determine the accuracy and completeness of the information being generated from an application; Compliance testing is used to confirm that an organization is adhering to application rules. b. Compliance testing is testing the issue of accurate financial data. c. Substantive testing is used to confirm that an organization is adhering to application rules; Compliance testing is used to determine the accuracy and completeness of information being generated from an application. d. Substantive testing is ALWAYS required.

a. Substantive testing is used to determine the accuracy and completeness of the information being generated from an application; Compliance testing is used to confirm that an organization is adhering to application rules.

Which best describes the primary objective of audit planning? a. Optimize the use of audit resources b. Gain an understanding of the risks associated with different items in the audit universe c. Help companies meet stakeholders' needs d. Allow companies to safeguard against unauthorized access to programs

a. The primary objective of audit planning is to optimize the use of audit resources so that the auditor can effectively budget time and costs and achieve their goals.

Is the COBIT 5 framework useful for enterprises of all sizes? a. True b. False

a. True. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

Which of the following is not correct when identifying risks during the risk assessment process? a. Asking outsiders for confirmation of some account b. Doing analysis on the financial statement trends c. Giving a questionnaire about the risk analysis d. Understanding the company's operating cycle

a. Asking outsiders for confirmation of some account. Risk assessment can be done by reading flowcharts of operations, using risk analysis questionnaires, analyzing financial statement trends, completing insurance policy checklists and doing reviews or inspections.

Which of the following independent situations presents the GREATEST risk to a company? a. The company implemented new billing and invoicing software b. The company made changes to its existing inventory management software c. The company recently expanded its IT personnel d. An IT staff member who had restricted server access was fired

a. Option A is the correct answer because entirely new software is being introduced. As a result, the level of risk is higher, and the auditor should assess the employees' knowledge of the software and understand how data is input into the system to generate bills and invoices.

The risk posed by a particular threat to the overall business is indicated as: a. the product of the probability and impact b. the probability of the threat realization c. the valuation of the impact d. the valuation of the risk management team

a. Risk is the product of probability and impact.

The results or findings from an IT audit typically determine: A) The inventory of all potential audit areas within an organization. B) The amount of substantive tests that will be performed by the financial auditors. C) The audit schedule D) Impact analysis

b - The procedures that take place during the IT audit provide the evidence to support the validity and accuracy of the financial records of the organization, which in turn determines how much substantive testing the financial auditors must perform.

Assume again that you found an ineffective control on a financial application and now need to determine the materiality of the issue. What type of test would be most beneficial? a. Compliance testing b. Substantive testing c. Testing of Controls d. Risk Testing

b. Substantive testing determines the accuracy and completeness of the information being generated by an application.

What is a direct benefit of a standard framework for IT controls like COBIT? a. Eliminates accounting fraud b. Allows comparison among organizations c. Boosts revenue and cuts expenses d. Receives a better opinion from auditors

b. A standard framework for IT controls like COBIT allows management to benchmark its business environment and compare it to other organizations, which is a direct benefit.

Which statement(s) below about audit scope are incorrect? a. Examples of areas an audit scope reviews are relevant financial applications, databases and networks b. It is not necessary to state general controls, BUT the scope should further state the control objectives and control activities c. It includes the critical business process to justify the relevance of the application d. Names of the financial applications and databases should be described along with their hosting information

b. It is necessary to also state general controls. General controls are the basic information underlying a business process.

Which of the following is COBIT least oriented toward? a. the assurance that a proper level of security and control exists b. the accurate guidance for achieving an effective cybersecurity action plan c. the cohesive governance of an organization as a whole d. the comparison of internal controls between separate organizations

b. The accurate guidance for achieving an effective cybersecurity action plan. One weakness of COBIT is that the framework does not go into substantial detail on cybersecurity. For this purpose COBIT is often integrated with NIST material to derive an effective cybersecurity model.

Which of the following is NOT a part of the procedures adopted by the IT auditor in the process of testing controls of the Information System? a. Asking the same questions of different personnel in the company and checking for any deviation in their answers. b. Assessing the configured logical settings of the network used to operate the corresponding information system. c. Ensuring training of the user personnel in the organisation regarding the use and operation of the financial applications. d. Conducting a disaster recovery exercise to observe the procedures and processes followed by the different personnel.

c

Which of the following best represents a potential action of an auditor if there are no IT controls in place protecting the financial applications of a company? a. No substantive tests will be performed by the auditor b. There will be fewer substantive tests performed by the auditor than if there were many findings of IT controls in place c. The amount of substantive testing performed by the auditor will be much higher d. The auditor must decide what applications will have to be examined at a more detailed level

c. The amount of substantive testing performed by the auditor will be much higher. When an auditor finds no IT controls in place, they must perform many substantive tests to compensate for the missing controls and gain assurance that there is no material misstatement.

Which of the following does not accurately describe COBIT? a. It provides a framework to assist organizations in understanding IT systems in the context of their business b. It creates a standard benchmark between managers, auditors, and the IT department c. Companies are required by law to follow this set of practices in order to create a standard among organizations d. IT auditors can utilize COBIT as guidance for their internal control assessments and opinions

c. While COBIT is a set of generally accepted IT practices, there is no regulatory requirement for companies to follow it.

Which of the following choices is NOT one of the principles of the COBIT 5 framework? a. Meeting stakeholder needs b. Separating governance from management c. Applying multiple, non-integrated frameworks d. Enabling a holistic approach

c. The COBIT principle related to frameworks states that it should be a single, integrated framework.
