November 22 Domain 1 133 Questions (All)


The correct answer is B. A. Directive controls, such as IT policies and procedures, would not apply in this case because this is an automated control. B. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions, when they are detected. This provides a mechanism to detect when malicious events have happened and correct the situation. C. A compensating control is used where other controls are not sufficient to protect the system. In this case, the corrective control in place will effectively protect the system from access via an unpatched device. D. Detective controls exist to detect and report when errors, omissions and unauthorized uses or entries occur.

A central antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a: A. directive control. B. corrective control. C. compensating control. D. detective control.

The correct answer is C. A. It is not appropriate for an IS auditor to report findings to the audit committee before conducting a more detailed review and presenting them to management for a response. B. Review of audit logs would not be useful because shared IDs do not provide for individual accountability. C. An IS auditor's role is to detect and document findings and control deficiencies. Part of the audit report is to explain the reasoning behind the findings. The use of shared IDs is not recommended because it does not allow for accountability of transactions. An IS auditor would defer to management to decide how to respond to the findings presented. D. It is not the role of an IS auditor to request the removal of IDs from the system.

A financial services company has a web site used by its independent agents to administer their customer accounts. During a review of logical access to the system, an IS auditor notices that user IDs are shared among agents. The MOST appropriate action for an IS auditor to take is to: A. inform the audit committee that there is a potential issue. B. request a detailed review of audit logs for the IDs in question. C. document the finding and explain the risk of using shared IDs. D. contact the security manager to request that the IDs be removed from the system.

The correct answer is C. A. Determining whether bar code readers are installed is a compliance test. B. Determining whether the movement of tapes is authorized is a compliance test. C. A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy or validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test. D. Checking whether receipts and issues of tapes are accurately recorded is a compliance test.

A substantive test to verify that tape library inventory records are accurate is: A. determining whether bar code readers are installed. B. determining whether the movement of tapes is authorized. C. conducting a physical count of the tape inventory. D. checking whether receipts and issues of tapes are accurately recorded.

The correct answer is A. A. An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. B. The IS auditor should notify the appropriate authorities within the organization only if it has been determined that the indicators of fraud are sufficient to recommend an investigation. C. The IS auditor should report the possibility of fraud to top management only after there is sufficient evidence to launch an investigation. This may be affected by whether top management may be involved in the fraud. D. Normally, the IS auditor does not have authority to consult with external legal counsel.

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should: A. expand activities to determine whether an investigation is warranted. B. report the matter to the audit committee. C. report the possibility of fraud to top management and ask how they would like to proceed. D. consult with external legal counsel to determine the course of action to be taken.

The correct answer is B. A. Management approval of the corrective actions is not required because this is not the role of the IS auditor. B. The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action. C. Implementation of corrective actions should be done after the factual accuracy of findings has been established, but the work of implementing corrective action is not typically assigned to the IS auditor because this would impair the auditor's independence. D. Clarifying the scope and limitations of the audit should be done during the entrance meeting, not during the exit meeting.

After reviewing the disaster recovery planning (DRP) process of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting? A. Obtaining management approval of the corrective actions B. Confirming factual accuracy of the findings C. Assisting management in the implementation of corrective actions D. Clarifying the scope and limitations of the audit

The correct answer is B. A. The statement from management may be included in the audit report, but the auditor should independently validate the statements made by management to ensure completeness and accuracy. B. When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. C. Reconfirming with management only yields another representation; a management statement is not independently verifiable evidence and does not resolve the auditor's concern. D. If the organization is using software that is not licensed, the IS auditor, to maintain objectivity and independence, must include this in the report, but the IS auditor should verify that this is in fact the case before presenting it to senior management.

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should: A. include the statement of management in the audit report. B. identify whether such software is, indeed, being used by the organization. C. reconfirm with management the usage of the software. D. discuss the issue with senior management because reporting this could have a negative impact on the organization.

The correct answer is C. A. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing the unauthorized software. B. The IS auditor should report the violation and request a response, but the nature of the response (whether to delete the software or not, perhaps license it instead) is a decision of management. C. The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and user management of the risk and the need to eliminate the risk. For example, software piracy can result in exposure and severe fines. D. Auditors must report material findings to management for action. Informing the users of risk is not the primary responsibility of the IS auditor.

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take? A. Delete all copies of the unauthorized software. B. Inform the auditee of the unauthorized software, and follow up to confirm deletion. C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management. D. Warn the end users about the risk of using illegal software.

The correct answer is B. A. It is important that the IS auditor does not immediately assume that everything on the network diagram provides information about the risk affecting a network/system. There is a process in place for documenting and updating the network diagram. B. In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated, for example, the network layer, cross connections, etc. C. In this case, there is simply a mismatch in timing between the completion of the approval process and when the IS audit began. There is no control deficiency to be reported. D. Planning follow-up audits of the undocumented devices is contingent on the risk those devices pose to the entity's ability to meet the audit scope.

An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST: A. expand the scope of the IS audit to include the devices that are not on the network diagram. B. evaluate the impact of the undocumented devices on the audit scope. C. note a control deficiency because the network diagram has not been updated. D. plan follow-up audits of the undocumented devices.

The correct answer is D. A. Documentation and evaluation is the second step in assessing the adequacy, efficiency and effectiveness of the controls and is based on the risk to the system that necessitates the controls. B. The third step is to test the access paths, to determine if the controls are functioning. C. It is only after the risk is determined and the controls documented that the IS auditor can evaluate the security environment to assess its adequacy through review of the written policies, observation of practices and comparison of them to appropriate security best practices. D. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk.

An IS auditor evaluating logical access controls should FIRST: A. document the controls applied to the potential access paths to the system. B. test controls over the access paths to determine if they are functional. C. evaluate the security environment in relation to written policies and practices. D. obtain an understanding of the security risk to information processing.

The correct answer is C. A. Although it is important for an IS auditor to be impartial, in this case it is more critical that the evidence be preserved. B. Although it is important for an IS auditor to maintain independence, in this case it is more critical that the evidence be preserved. C. The IS auditor has been requested to perform an investigation to capture evidence which may be used for legal purposes, and therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law. D. While it is also important to assess all relevant evidence, it is more important to maintain the chain of custody, which ensures the integrity of evidence.

An IS auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of an IS auditor while evaluating the transaction should be to: A. maintain impartiality while evaluating the transaction. B. ensure that the independence of an IS auditor is maintained. C. assure that the integrity of the evidence is maintained. D. assess all relevant evidence for the transaction.

The correct answer is A. A. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management could then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system. B. It is not acceptable for the IS auditor to ignore areas of potential weakness because conclusive evidence could not be obtained within the agreed-on audit time frame. ISACA IS Audit and Assurance Standards would be violated if these areas were omitted from the audit report. C. Extending the time frame for the audit and delaying the go-live date is unlikely to be acceptable in this scenario where the system involved is business-critical. In any case, a delay to the go-live date must be the decision of business management, not the IS auditor. In this scenario, the IS auditor should present business management with all available information by the agreed-on date. D. Failure to obtain sufficient evidence in one part of an audit engagement does not justify cancelling or postponing the audit; this would violate the audit guideline concerning due professional care.

An IS auditor has been asked to review the security controls for a critical web-based order system shortly before the scheduled go-live date. The IS auditor conducts a penetration test which produces inconclusive results and additional testing cannot be concluded by the completion date agreed on for the audit. Which of the following is the BEST option for the IS auditor? A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing. B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive. C. Request a delay of the go-live date until additional security testing can be completed and evidence of appropriate controls can be obtained. D. Inform management that audit work cannot be completed within the agreed time frame and recommend that the audit be postponed.

The correct answer is C. A. Emergency changes are acceptable as long as they are properly documented as part of the process. B. Instances of jobs not being completed on time are a potential issue and should be investigated, but they are not the greatest concern. C. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. D. The audit should find that all scheduled jobs were run and that any exceptions were documented. This would not be a violation.

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor? A. There are a growing number of emergency changes. B. There were instances when some jobs were not completed on time. C. There were instances when some jobs were overridden by computer operators. D. Evidence shows that only scheduled jobs were run.
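The comparison this question describes, worked as an added example (this is illustration code written for this page, not part of the question set or any vendor tool). The schedule, the log format and every job name below are constructed; the script parses the run log, joins it to the schedule and ranks what it finds in the order of concern the answer gives: operator overrides of scheduled jobs first, then runs that are not on the schedule (which need an emergency-change record), late completions, and scheduled jobs with no run at all.

```python
import re
from datetime import datetime

# Constructed job schedule (hypothetical): job name -> (scheduled start, latest acceptable end)
SCHEDULE = {
    "GL_POST":      ("01:00", "02:00"),
    "PAYROLL_CALC": ("02:00", "04:00"),
    "ACH_EXTRACT":  ("04:00", "05:00"),
    "BACKUP_FULL":  ("05:00", "07:00"),
}

# Constructed run log (hypothetical format): one scheduled job never ran, one overran
# its window, one was overridden by an operator, one is not on the schedule at all.
RUN_LOG = """\
2024-03-04 01:00:02 job=GL_POST initiator=scheduler action=start
2024-03-04 01:42:10 job=GL_POST initiator=scheduler action=end rc=0
2024-03-04 02:00:01 job=PAYROLL_CALC initiator=scheduler action=start
2024-03-04 03:10:00 job=PAYROLL_CALC initiator=operator:jsmith action=override reason=skip_validation_step
2024-03-04 04:35:44 job=PAYROLL_CALC initiator=scheduler action=end rc=0
2024-03-04 04:00:00 job=ACH_EXTRACT initiator=scheduler action=start
2024-03-04 04:20:09 job=ACH_EXTRACT initiator=scheduler action=end rc=0
2024-03-04 06:15:00 job=FIX_ACCT_BAL initiator=operator:jsmith action=start
2024-03-04 06:17:30 job=FIX_ACCT_BAL initiator=operator:jsmith action=end rc=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"job=(?P<job>\S+) initiator=(?P<who>\S+) action=(?P<action>\S+)"
)


def parse_run_log(text):
    """Parse log lines into dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def reconcile(schedule, log_text):
    """Compare the run log against the schedule. Findings are grouped in order of
    audit concern: operator overrides (possible unauthorized change to data or
    programs), unscheduled runs, late completions, scheduled jobs that never ran."""
    findings = {"override": [], "unscheduled": [], "late": [], "missing": []}
    seen = set()

    def note(kind, job):
        if job not in findings[kind]:
            findings[kind].append(job)

    for ev in parse_run_log(log_text):
        job = ev["job"]
        seen.add(job)
        if job not in schedule:
            note("unscheduled", job)
            continue
        # Anything a person did to a scheduled job is an override of the schedule.
        if ev["action"] == "override" or ev["who"] != "scheduler":
            note("override", job)
        if ev["action"] == "end":
            hh, mm = map(int, schedule[job][1].split(":"))
            deadline = ev["ts"].replace(hour=hh, minute=mm, second=0)
            if ev["ts"] > deadline:
                note("late", job)

    findings["missing"] = [job for job in schedule if job not in seen]
    return findings


if __name__ == "__main__":
    for kind, jobs in reconcile(SCHEDULE, RUN_LOG).items():
        print(f"{kind:<12}{', '.join(jobs) or '-'}")
```

Each override and each unscheduled run should then be traced to a documented, approved emergency change; an override with no such record is the finding the question is pointing at.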

The correct answer is D. A. Identifying the most valuable information assets is not the next step. To determine which information assets should be audited, the IS auditor should first determine which control objectives and key control activities should be validated. Only information assets that are related to those control objectives and key control activities are relevant for scoping the audit. B. Only after determining which controls and related relevant information assets are to be validated can the IS auditor decide on the key IS audit resources (with the relevant skill sets) that should be deployed for the audit. C. Only after determining the key control activities to be validated can the IS auditor identify the relevant process personnel who should be interviewed. D. Once the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit.

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: A. most valuable information assets. B. IS audit resources to be deployed. C. auditee personnel to be interviewed. D. control objectives and activities.

The correct answer is A. A. Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. B. Designing an embedded audit module does not impair an IS auditor's independence. C. An IS auditor should not audit work that they have done, but just participating as a member of the application system project team does not impair an IS auditor's independence. D. An IS auditor's independence is not impaired by providing advice on known best practices.

An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor: A. implemented a specific functionality during the development of the application system. B. designed an embedded audit module exclusively for auditing the application system. C. participated as a member of the application system project team, but did not have operational responsibilities. D. provided consulting advice concerning application system best practices.

The correct answer is C. A. An audit measures compliance with laws, regulations, policies and procedures. The first step will be to know what the compliance requirements are; a later step would be to check the network layout. B. The IT infrastructure and organizational chart are important but not the first step. The first step must be to know the context of the audit: laws, policies, etc. C. Legal and regulatory requirements will define the audit criteria and therefore should be reviewed first. D. The IS auditor would review the legal and regulatory requirements regarding data privacy, validate that the organizational policies and procedures are in alignment, and then ensure that they are being followed.

An IS auditor is conducting a compliance audit of a health care organization operating an online system that contains sensitive health care information. Which of the following should an IS auditor FIRST review? A. Network diagram and firewall rules surrounding the online system B. IT infrastructure and IS department organizational chart C. Legal and regulatory requirements regarding data privacy D. Adherence to organizational policies and procedures

The correct answer is A. A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size. B. A higher confidence coefficient will result in the use of a larger sample size. C. A higher confidence coefficient need not be adopted in this situation because internal controls are strong. D. A lower confidence coefficient will result in the use of a smaller sample size.

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a: A. lower confidence coefficient, resulting in a smaller sample size. B. higher confidence coefficient, resulting in a smaller sample size. C. higher confidence coefficient, resulting in a larger sample size. D. lower confidence coefficient, resulting in a larger sample size.
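Why a lower confidence coefficient means a smaller sample, as an added worked example (illustration code for this page, not part of the question set or of any ISACA sampling table). The function is a hypothetical helper that searches for the smallest attribute sample at which finding no more than a given number of exceptions would still leave the auditor with the required confidence that the true deviation rate is below a tolerable rate; the 5% tolerable rate and zero allowed deviations are assumed for illustration.

```python
import math


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): the chance of seeing at most k
    deviations in a sample of n when the true deviation rate is p."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          allowed_deviations: int = 0) -> int:
    """Smallest n such that, if the population deviation rate were as bad as
    tolerable_rate, observing <= allowed_deviations in the sample would occur
    with probability at most (1 - confidence). Finding no more than that many
    deviations then supports the conclusion, at the stated confidence level,
    that the control (here: change approval) operates within the tolerable rate."""
    n = allowed_deviations + 1
    while binomial_cdf(allowed_deviations, n, tolerable_rate) > 1 - confidence:
        n += 1
    return n


def achieved_confidence(n: int, tolerable_rate: float, deviations_found: int = 0) -> float:
    """Confidence a sample of n actually delivered: 1 - P(X <= deviations found)."""
    return 1 - binomial_cdf(deviations_found, n, tolerable_rate)


if __name__ == "__main__":
    # Strong controls and no prior exceptions justify the 90% row; the sample it
    # needs is markedly smaller than the 95% or 99% rows for the same tolerable rate.
    for conf in (0.90, 0.95, 0.99):
        n = attribute_sample_size(conf, tolerable_rate=0.05)
        print(f"confidence {conf:.0%}: sample {n} change approvals, "
              f"achieved {achieved_confidence(n, 0.05):.3f}")
```

The search with zero allowed deviations reduces to the familiar closed form n = ln(1 - confidence) / ln(1 - tolerable rate), which is why it reproduces the usual 45 / 59 / 90 figures for a 5% tolerable rate; allowing one or more expected deviations pushes the sample up, which is the situation the question rules out.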

The correct answer is C. A. Auditing the new ERP application does not reflect a risk-based approach. Although ERP systems typically contain sensitive data and may present risk of data loss or disclosure to the organization, without a risk assessment, the decision to solely audit the ERP system is not a risk-based decision. B. Auditing the e-commerce server because it was not audited last year does not reflect a risk-based approach. In addition, the IT manager may know about problems with the e-commerce server and may be intentionally trying to steer the audit away from that vulnerable area. Although at first glance e-commerce may seem to be the most risky area, an assessment must be conducted rather than relying on the judgment of the IS auditor or IT manager. C. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources." D. The creation of the audit plan should be performed in cooperation with management and based on risk. The IS auditor should not arbitrarily decide on what needs to be audited.

An IS auditor is developing an audit plan for a repeat client. The IS auditor reviews the prior-year audit plan and finds that the previous plan was designed to review the company's network and email systems, which were newly implemented last year, but the plan did not include reviewing the e-commerce web server. The company IT manager indicates that this year the organization prefers to focus the audit on a newly-implemented enterprise resource planning (ERP) application. How should the IS auditor respond? A. Audit the new ERP application as requested by the IT manager. B. Audit the e-commerce server because it was not audited last year. C. Determine the highest-risk systems and plan the audit based on the results. D. Audit both the e-commerce server and the ERP application.

The correct answer is B. A. The product must interface with the types of systems used by the organization and provide meaningful data for analysis. B. While all of the choices above are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool will work effectively on the systems of the organization being audited. C. The tool should probably work on more than just financial systems and will not necessarily require implementation of audit hooks. D. The tool should be flexible but not necessarily customizable. It should have built-in analysis software tools.

An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY requirement that the software tool should meet? The software tool should: A. interface with various types of enterprise resource planning (ERP) software and databases. B. accurately capture data from the organization's systems without causing excessive performance problems. C. introduce audit hooks into the company's financial systems to support continuous auditing. D. be customizable and support inclusion of custom programming to aid in investigative analysis.

The correct answer is A. A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. B. Compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. This differs from substantive testing, in which evidence is gathered to evaluate the integrity of individual transactions, data or other information. C. Analytical testing evaluates the relationship of two sets of data and discerns inconsistencies in the relationship. D. Control testing is the same as compliance testing.

An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the IS auditor is an example of: A. substantive testing. B. compliance testing. C. analytical testing. D. control testing.

The correct answer is C. A. Absence of discrepancy in the physical count only confirms absence of any impact; it cannot be a reason to overlook failure of operation of the control. B. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report when the current process is deficient. C. The IS auditor should report the lack of daily reconciliation as an exception because a physical inventory count gives assurance only at a point in time and the practice is not in compliance with management's mandated activity. D. While the IS auditor may in some cases recommend a solution, the primary goal is to observe and report when the current process is deficient.

An IS auditor is evaluating the controls around provisioning visitor access cards to the organization's IT facility. The IS auditor notes that daily reconciliation of visitor card inventory is not carried out as mandated. However, an inventory count carried out by the IS auditor reveals no missing access cards. In this context, the IS auditor should: A. disregard the lack of reconciliation because no discrepancies were discovered. B. recommend regular physical inventory counts be performed in lieu of daily reconciliation. C. report the lack of daily reconciliation as an exception. D. recommend the implementation of a biometric access system.

The correct answer is D. A. Process narratives may not be current or complete and may not reflect the actual process in operation. B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidence. C. Reperformance is used to evaluate the operating effectiveness of the control rather than the design of the control. D. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control as it actually exists.

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt? A. Process narrative B. Inquiry C. Reperformance D. Walk-through

The correct answer is C. A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not be due to the number of users or business areas affected. B. Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations, and may not be impacted by the number of users and business areas affected. C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without taking into account the actions that management has taken or might take. D. Residual risk is the remaining risk after management has implemented a risk response, and is not based on the number of users or business areas affected.

An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may affect? A. Control risk B. Compliance risk C. Inherent risk D. Residual risk

The correct answer is A. A. A service-oriented architecture (SOA) relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services. B. Sampling the use of service security standards as represented by the Security Assertion Markup Language (SAML) is an essential follow-up step to understanding services and their allocation to business, but is not the initial step. C. Reviewing the service level agreements (SLAs) is an essential follow-up step to understanding services and their allocation to business, but is not the initial step. D. Auditing the core service and its dependencies with others would most likely be a part of the audit, but the IS auditor must first gain an understanding of the business processes and how the systems support those processes.

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture (SOA). What is the INITIAL step? A. Understanding services and their allocation to business processes by reviewing the service repository documentation. B. Sampling the use of service security standards as represented by the Security Assertion Markup Language (SAML). C. Reviewing the service level agreements (SLAs) established for all system providers. D. Auditing the core service and its dependencies on other systems.

The correct answer is C. A. Variable sampling is used to estimate numerical values such as dollar values. B. Substantive testing substantiates the integrity of actual processing such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. C. Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. D. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of: A. variable sampling. B. substantive testing. C. compliance testing. D. stop-or-go sampling.

The correct answer is B. A. Privileged access, such as administrator access, is necessary to manage user account privileges and should not be granted to end users. The wire transfer procedures are a better control to review to ensure that there is segregation of duties among the end users to help prevent fraud. B. Wire transfer procedures include segregation of duties controls. This helps prevent internal fraud by not allowing one person to initiate, approve and send a wire. Therefore, the IS auditor should review the procedures as they relate to the wire system. C. Fraud monitoring is a detective control and does not prevent financial loss. Segregation of duties is a preventive control. D. While controls related to background checks are important, the controls related to segregation of duties as found in the wire transfer procedures are more critical.

An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following? A. Privileged access to the wire transfer system B. Wire transfer procedures C. Fraud monitoring controls D. Employee background checks
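What a segregation-of-duties test of the wire procedure looks like in practice, as an added example (illustration code for this page; not a bank's procedure or any wire system's API). The three-step initiate/approve/release flow, the wire records, the user names and the entitlement snapshot are all constructed. Two checks are worth running together: whether any individual wire was actually handled by one person in two roles, and whether anyone's granted roles would let that happen even if it has not yet; the second also catches an administrator who additionally holds a transactional role, which the answer's point A argues against.

```python
# Roles that must be held by different people for each wire (hypothetical three-step flow).
STEPS = ("initiated_by", "approved_by", "released_by")

# Constructed wire records; the last two carry the conflicts a reviewer looks for.
WIRES = [
    {"id": "W-1001", "amount": 12500,  "initiated_by": "alice", "approved_by": "bob",   "released_by": "carol"},
    {"id": "W-1002", "amount": 9800,   "initiated_by": "dave",  "approved_by": "bob",   "released_by": "carol"},
    {"id": "W-1003", "amount": 250000, "initiated_by": "alice", "approved_by": "alice", "released_by": "carol"},
    {"id": "W-1004", "amount": 75000,  "initiated_by": "erin",  "approved_by": "bob",   "released_by": "erin"},
]

# Constructed entitlement snapshot: user -> roles granted in the wire system.
ENTITLEMENTS = {
    "alice": {"initiator", "approver"},            # conflicting grant, used on W-1003
    "bob":   {"approver"},
    "carol": {"releaser"},
    "dave":  {"initiator"},
    "erin":  {"initiator", "releaser"},            # conflicting grant, used on W-1004
    "frank": {"initiator", "approver", "releaser", "admin"},  # admin plus every step
}

TRANSACTION_ROLES = {"initiator", "approver", "releaser"}
CONFLICTING_PAIRS = {frozenset(p) for p in (("initiator", "approver"),
                                            ("initiator", "releaser"),
                                            ("approver", "releaser"))}


def transaction_violations(wires):
    """Wires on which one person performed two or more of the steps."""
    out = []
    for w in wires:
        actors = [w[s] for s in STEPS]
        dupes = sorted({a for a in actors if actors.count(a) > 1})
        if dupes:
            out.append((w["id"], dupes))
    return out


def entitlement_conflicts(entitlements):
    """Users whose granted roles would let them perform two steps alone,
    whether or not they have done so yet (preventive view, not just detective)."""
    out = {}
    for user, roles in entitlements.items():
        conflicts = [pair for pair in CONFLICTING_PAIRS if pair <= roles]
        if conflicts:
            out[user] = sorted("+".join(sorted(p)) for p in conflicts)
    return out


def admin_with_transaction_role(entitlements):
    """Administrators who can also initiate, approve or release wires."""
    return sorted(u for u, r in entitlements.items()
                  if "admin" in r and r & TRANSACTION_ROLES)


if __name__ == "__main__":
    print("wires handled by one person in two roles:", transaction_violations(WIRES))
    print("users holding conflicting roles:", entitlement_conflicts(ENTITLEMENTS))
    print("admins with a transactional role:", admin_with_transaction_role(ENTITLEMENTS))
```

The entitlement check is the one to run first: a clean transaction history proves only that a conflict has not been exercised, not that the procedure prevents it.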

The correct answer is C. A. The owner of the system may be present at the time of evidence retrieval, but this is not absolutely necessary. In some cases, the owner could be the subject of the investigation. B. In most cases, it is required that the investigator power off the machine to create a forensic image of the hard drive, so this is not an issue. Prior to powering off the machine, the investigator would normally photograph what is on the screen of the computer and identify what documents are open and any other information that may be relevant. It is important that the investigator power off the machine rather than performing a shutdown procedure. Many operating systems perform a cleanup of temporary files during shutdown, which potentially would destroy valuable evidence. C. It is very important that evidence be handled properly through a documented chain of custody and never modified improperly in a physical or, more important, logical manner. The goal of this process is to be able to testify truthfully in court that the technical investigator did not modify the data in any improper manner. If the investigator does not have sufficient documentation of the handling of manual or digital evidence, the defense will try to prevent the admission of evidence based on the fact that it may have been tampered with or modified. Note that legal requirements for digital evidence preservation could vary from country to country, so local laws should be taken into consideration. D. Depending on the type of system being accessed, it may not be possible to capture an image of the contents of random access memory (RAM). Where the investigation procedure allows it, volatile memory should be acquired before power is removed, since it is lost at power-off; even so, a missing RAM capture is a lesser concern than an undocumented chain of custody.

An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should be of MOST concern to the IS auditor? A. The owner of the system was not present at the time of the evidence retrieval. B. The system was powered off by an investigator. C. There are no documented logs of the transportation of evidence. D. The contents of the random access memory (RAM) were not backed up.

You are correct, the answer is C. A. A walk-through will highlight how a control is designed to work, but it seldom highlights the effectiveness of the control or exceptions or constraints in the process. B. Reviewer sign-off does not necessarily demonstrate the effectiveness of the control if the reviewer does not note follow-up actions for the exceptions identified. C. A sample of a system-generated report with evidence that the reviewer followed up on the exception represents the best possible evidence of the effective operation of the control because there is documented evidence that the reviewer has reviewed and taken actions based on the exception report. D. Management's confirmation of effectiveness of the control suffers from lack of independence—management might be biased toward the effectiveness of the controls put in place.

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control? A. Walk-through with the reviewer of the operation of the control B. System-generated exception reports for the review period with the reviewer's sign-off C. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer D. Management's confirmation of the effectiveness of the control for the review period

You answered A. The correct answer is C. A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses. B. Inquiry provides only general information on how the control is executed. It does not necessarily enable the IS auditor to determine whether the control performer has an in-depth understanding of the control. C. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses. D. Reperformance of the control is carried out by the IS auditor and does not provide assurance of the competency of the auditee.

An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose? A. Inspection B. Inquiry C. Walk-through D. Reperformance

You are correct, the answer is C. A. A workflow diagram would provide information about the roles of different employees. This is not the purpose of an organizational chart. B. The organizational chart is a key tool for an auditor to understand roles and responsibilities and reporting lines, but is not used for examining communications channels. C. An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. D. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.

An IS auditor reviews an organizational chart PRIMARILY for: A. an understanding of workflows. B. investigating various communication channels. C. understanding the responsibilities and authority of individuals. D. investigating the network connected to different employees.

The answer is A. A. Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). B. Sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples. C. Statistical sampling can use generalized audit software, but it is not required. D. The tolerable error rate must be predetermined for both judgment and statistical sampling.

An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when: A. the probability of error must be objectively quantified. B. the auditor wishes to avoid sampling risk. C. generalized audit software is unavailable. D. the tolerable error rate cannot be determined.
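The arithmetic that makes statistical sampling objective is short enough to show. The block below is an added example written for this page, not material from the question bank; it uses the normal approximation for attribute sampling, and the confidence level, expected error rate, tolerable error rate and population size passed in are assumed figures for illustration. It answers the two questions the explanation names: how many items to test, and what the sample result lets you say about the population.

```python
"""Added example (not from the question bank): attribute-sampling arithmetic.
The normal approximation and all the input figures are assumptions."""
import math
from statistics import NormalDist
from typing import Optional


def z_for(confidence: float) -> float:
    """Two-sided z value for a confidence level, e.g. 0.95 -> about 1.96."""
    return NormalDist().inv_cdf(1 - (1 - confidence) / 2)


def sample_size(confidence: float, expected_rate: float,
                tolerable_rate: float, population: Optional[int] = None) -> int:
    """Items to test so that the estimated error rate is within the precision
    (tolerable minus expected) at the chosen confidence level."""
    if not 0 <= expected_rate < tolerable_rate <= 1:
        raise ValueError("need 0 <= expected < tolerable <= 1")
    precision = tolerable_rate - expected_rate
    z = z_for(confidence)
    n = z * z * expected_rate * (1 - expected_rate) / precision ** 2
    if population is not None:
        n = n / (1 + (n - 1) / population)   # finite population correction
    return math.ceil(n)


def upper_error_limit(sample_n: int, errors_found: int, confidence: float) -> float:
    """Highest error rate the population could plausibly have, at this
    one-sided confidence, given what the sample showed."""
    p_hat = errors_found / sample_n
    z = NormalDist().inv_cdf(confidence)
    return p_hat + z * math.sqrt(p_hat * (1 - p_hat) / sample_n)


def control_can_be_relied_on(sample_n: int, errors_found: int,
                             confidence: float, tolerable_rate: float) -> bool:
    """The conclusion step: reliance is supported only if the upper error
    limit stays at or below the tolerable rate."""
    return upper_error_limit(sample_n, errors_found, confidence) <= tolerable_rate


if __name__ == "__main__":
    n = sample_size(0.95, 0.05, 0.10)           # assumed rates
    print("items to test:", n)
    print("upper limit with 2 errors:", round(upper_error_limit(n, 2, 0.95), 4))
```

Note what judgmental sampling cannot give you: with two exceptions in 73 items the upper error limit is about 5.9 percent, so the control still clears a 10 percent tolerable rate; with six exceptions it does not, and the number is defensible because the confidence level was fixed before the sample was drawn.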

You answered D. The correct answer is B. A. The IS auditor should follow the incident response process of the organization. The auditor is not authorized to shut the system down. B. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit. C. The IS auditor is not authorized to lead the investigation or to suspend user accounts. The auditor should report the incident to management. D. Management is responsible to set up and follow an incident management plan; that is not the responsibility of the IS auditor.

An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST? A. Request that the system be shut down to preserve evidence. B. Report the incident to management. C. Ask for immediate suspension of the suspect accounts. D. Immediately investigate the source and nature of the incident.

You are correct, the answer is B. A. The usefulness of evidence gathered with computer-assisted audit techniques (CAATs) is determined by the audit objective; CAATs do not affect usefulness as directly as they affect reliability. B. Because the data are collected directly by the IS auditor rather than supplied by the auditee, the audit findings can be reported with an emphasis on the reliability of the records produced and maintained in the system. The reliability of the source of information provides reassurance on the findings generated. C. The relevance of evidence gathered with CAATs is determined by the audit objective; CAATs do not affect relevance as directly as they affect reliability. D. The adequacy of evidence is determined by the processes and personnel that produce the data; the use of CAATs does not change it.

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs? A. Usefulness B. Reliability C. Relevance D. Adequacy

You answered B. The correct answer is C. A. Computer-aided software engineering (CASE) tools are used to assist in software development. B. Embedded (audit) data collection software, such as a systems control audit review file (SCARF) or systems audit review file (SARF), provides sampling and production statistics but does not perform audit log analysis. C. Trend/variance detection tools look for anomalies in user or system behavior, such as activity that departs from a user's established pattern or an irregularity in a sequence of invoice numbers. D. Heuristic scanning tools are a type of virus scanning used to flag possibly infected traffic.

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task? A. Computer-aided software engineering (CASE) tools B. Embedded data collection tools C. Trend/variance detection tools D. Heuristic scanning tools
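What a trend/variance detector does to an audit trail is easier to see than to describe. The following is an added example written for this page, not a tool from the question bank: it parses a constructed audit trail, counts one action type per user per hour, and flags any hour that sits well above that user's own average. The log format, the user names, the activity pattern and the z-score threshold are all assumptions.

```python
"""Added example, not from the question bank: a trend/variance detector run
over a constructed audit trail. The log format, user names, activity pattern
and z-score threshold are assumptions made for illustration."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit trail lines: "<ISO-8601 timestamp> <user> <action> [detail]".
LINE = re.compile(
    r"^\S+T(?P<hour>\d{2}):\S+Z (?P<user>\S+) (?P<action>\S+)(?: (?P<detail>.*))?$")


def build_sample_log() -> str:
    """Constructed sample: routine daytime reads by two users, plus a burst of
    40 reads by bob at 02:00 that his own history does not explain."""
    lines = []
    for hour in range(9, 18):
        for minute in (5, 25, 45):
            lines.append(f"2024-03-01T{hour:02d}:{minute:02d}:00Z alice FILE_READ ledger.csv")
            lines.append(f"2024-03-01T{hour:02d}:{minute:02d}:30Z bob FILE_READ ledger.csv")
    for i in range(40):
        lines.append(f"2024-03-01T02:{i:02d}:00Z bob FILE_READ payroll_{i:02d}.xlsx")
    return "\n".join(lines)


def parse(log: str) -> list:
    """Turn raw lines into dicts; lines that do not fit the format are skipped
    rather than aborting the whole analysis."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            d = m.groupdict()
            d["hour"] = int(d["hour"])
            events.append(d)
    return events


def hourly_counts(events: list, action: str) -> dict:
    """user -> {hour: count} for one action type."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == action:
            counts[e["user"]][e["hour"]] += 1
    return counts


def detect_variance(counts: dict, threshold: float = 3.0) -> list:
    """Flag any hour in which a user's count is more than `threshold`
    standard deviations above that user's own 24-hour mean."""
    findings = []
    for user, per_hour in counts.items():
        series = [per_hour.get(h, 0) for h in range(24)]
        mu, sd = mean(series), pstdev(series)
        if sd == 0:
            continue   # perfectly flat activity, nothing to compare against
        for hour, count in enumerate(series):
            z = (count - mu) / sd
            if z > threshold:
                findings.append({"user": user, "hour": hour,
                                 "count": count, "z": round(z, 1)})
    return findings


def analyze(log: str, action: str = "FILE_READ") -> list:
    return detect_variance(hourly_counts(parse(log), action))


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

Alice's nine working hours of three reads each never exceed the threshold; bob's 40 reads at 02:00 do, which is the kind of exception an auditor then traces back to the individual records. A real baseline would span many days rather than one, but the comparison is the same.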

You are correct, the answer is D. A. The audit charter should not be subject to changes in technology and should not significantly change over time. The charter should be approved at the highest level of management. B. An audit charter will state the authority and reporting requirements for the audit, but not the details of maintenance of internal controls. C. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures. D. An audit charter should state management's objectives for and delegation of authority to IS auditors.

An audit charter should: A. be dynamic and change often to coincide with the changing nature of technology and the audit profession. B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls. C. document the audit procedures designed to achieve the planned audit objectives. D. outline the overall authority, scope and responsibilities of the audit function.

You answered A. The correct answer is D. A. Independence could be compromised if the IS auditor advises on the adoption of specific application controls. B. Independence could be compromised if the IS auditor were to audit the estimate of future expenses used to support a business case for management approval of the project. C. Advising the project manager on how to increase the efficiency of the migration may compromise the IS auditor's independence. D. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function? A. Advise on the adoption of application controls to the new database software. B. Provide future estimates of the licensing expenses to the project team. C. Recommend at the project planning meeting how to improve the efficiency of the migration. D. Review the acceptance test case documentation before the tests are carried out.

You are correct, the answer is A. A. When an IS auditor recommends a specific vendor, that compromises the auditor's professional independence. B. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. C. Technical competence is not relevant to the requirement of independence. D. Professional competence is not relevant to the requirement of independence.

An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a specific vendor product to address this vulnerability. The IS auditor has failed to exercise: A. professional independence B. organizational independence. C. technical competence. D. professional competence.

You are correct, the answer is D. A. The results of the risk assessment are used for the input for the audit program. B. The audit charter is prepared when the audit department is established or as updates are needed. Creation of the audit charter is not related to the audit planning phase because it is part of the internal audit governance structure that provides independence for the function. C. A risk assessment must be performed prior to identifying key information owners. Key information owners are generally not directly involved during the planning process of an audit. D. A risk assessment should be performed to determine how internal audit resources should be allocated in order to ensure that all material items will be addressed.

An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase? A. Development of an audit program B. Review of the audit charter C. Identification of key information owners D. Performance of a risk assessment

You are correct, the answer is D. A. Short-term and long-term planning is the responsibility of audit management. B. The objectives and scope of each IS audit should be agreed on in an engagement letter. The charter would specify the objectives and scope of the audit function but not of individual engagements. C. A training plan, based on the audit plan, should be developed by audit management. D. An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.

An organization's IS audit charter should specify the: A. short- and long-term plans for IS audit engagements. B. objectives and scope of IS audit engagements. C. detailed training plan for the IS audit staff. D. role of the IS audit function.

The answer is A. A. Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing. B. The audit report should contain all relevant findings and the response from management even if the finding has been resolved. This would mean that subsequent audits may test for the continued resolution of the control. C. The audit report should contain the finding so that it is documented and the removal of the control subsequent to the audit would be noticed. D. The audit report should contain the finding and resolution, and this can be mentioned in the final meeting. The audit report should list all relevant findings and the response from management.

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should: A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings. B. not include the finding in the final report, because the audit report should include only unresolved findings. C. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit. D. include the finding in the closing meeting for discussion purposes only.

You are correct, the answer is B. A. While it may be necessary to redesign the change management process, this cannot be done until a root cause analysis is conducted to determine why the current process is not being followed. B. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management. C. A business relies on being able to make changes when necessary, and security patches must often be deployed promptly. It would not be feasible to halt all changes until a new process is developed. D. The results of the audit including the findings of noncompliance will be delivered to management once a root cause analysis of the issue has been completed.

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next? A. Recommend redesigning the change management process. B. Gain more assurance on the findings through root cause analysis. C. Recommend that program migration be stopped until the change process is documented. D. Document the finding and present it to management.

You answered A. The correct answer is D. A. The IS auditor may include the management response in the report, but that does not remove the requirement to report the finding. B. An activated IDS log shows that intrusions may be detected; it does not show that the remote administration activities of the outsourced agency are monitored, so the finding remains valid and the management response is documented alongside it. C. Monitoring of firewall rules likewise does not address monitoring of remote administration activity; the finding remains valid and the management response is documented. D. IS auditor independence dictates that the additional information provided by the auditee is taken into consideration, but an IS auditor would not automatically retract or revise the finding.

During a review of an outsourced network operations center (NOC), an IS auditor concludes that procedures to monitor remote network administration activities by the outsourced agency are inadequate. During the management discussion, the chief information officer (CIO) justifies this issue as a help desk activity, covered by help desk procedures, and points out that intrusion detection system (IDS) logs are activated and firewall rules are monitored. What is the BEST course of action for the IS auditor to take? A. Revise the finding in the audit report per the CIO's feedback. B. Retract the finding because the IDS log is activated. C. Retract the finding because the firewall rules are monitored. D. Document the identified finding in the audit report.

You are correct, the answer is D. A. IS auditors should not prepare documentation because the process may not be compliant with management objectives, and doing so could jeopardize their independence. B. Terminating the audit may prevent achieving one of the basic audit objectives, identification of potential risk. C. Because there are no documented procedures, there is no basis against which to test compliance. D. One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management with recommendations to document the current controls or enforce the documented procedures.

During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should: A. create the procedures document. B. terminate the audit. C. conduct compliance testing. D. identify and evaluate existing practices.

The correct answer is A. A. Discussing the implementation of segregation of duties with the IT managers is the best way to determine how responsibilities are assigned within the department. B. Job descriptions may not be the best source of information because they could be outdated or what is documented in the job descriptions may be different from what is actually performed. C. Past IS audit reports are not the best source of information because they may not accurately describe how IT responsibilities are assigned. D. Evaluating the organizational structure may give a limited view on the allocation of IT responsibilities. The responsibilities also may have changed over time.

During an IS audit, what is the BEST way for an IS auditor to evaluate the implementation of segregation of duties within an IT department? A. Discuss it with the IT managers. B. Review the job descriptions of the IT functions. C. Research past IS audit reports. D. Evaluate the organizational structure.

You are correct, the answer is D. A. While compensating controls may be a good idea, the primary response in this case should be to report the condition. B. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response should be to report the condition. C. Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties, but does not address the underlying risk. The primary response should be to report the condition. D. The software quality assurance role should be independent and separate from development activities. The same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor should report this condition when identified.

During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do? A. Recommend compensating controls. B. Review the code created by the developer. C. Analyze the quality assurance dashboards. D. Report the identified condition.

You are correct, the answer is B. A. Management is always responsible and liable for risk, but the role of the IS auditor is to inform management of the findings and associated risk discovered in an audit. B. If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures because the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view. C. The audit report will contain the finding from the IS auditor and the response from management. It is the responsibility of management to accept risk or mitigate it appropriately. The role of the auditor is to inform management clearly and thoroughly so that the best decision can be made. D. The IS auditor must be professional, competent and independent. They must not just accept an explanation or argument from management unless the process used to generate the finding was flawed.

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should: A. ask the auditee to sign a release form accepting full legal responsibility. B. elaborate on the significance of the finding and the risk of not correcting it. C. report the disagreement to the audit committee for resolution. D. accept the auditee's position because they are the process owners.

The answer is C. A. It is not necessary to withdraw the IS auditor unless there is a statutory limitation, as exists in certain countries. B. Canceling the engagement is not required if properly disclosed and accepted. C. In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report. D. This is not a feasible solution. The independence of the IS auditor cannot be restored while continuing to conduct the audit.

During external audit, an IS auditor discovers that systems that are in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should: A. remove the IS auditor from the engagement. B. cancel the engagement. C. disclose the issue to the client. D. take steps to restore the IS auditor's independence.

The answer is C. A. Copying the memory contents to a file is a normal forensic procedure where possible. Done carefully, with the dump written to external media rather than to the suspect disk, it will not corrupt the evidence. B. Proper forensic procedure requires creating two copies of the image of the system for analysis; hash values confirm that the copies are exact. C. Rebooting the system may change the system state and lose files and important evidence stored in memory. D. When investigating a system it is recommended to disconnect it from the network to minimize external infection or access.

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system? A. Dumping the memory content to a file B. Generating disk images of the compromised system C. Rebooting the system D. Removing the system from the network
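Both forensic questions above (the chain-of-custody finding and the two-copies-with-hashes procedure) come down to the same mechanism: hash the image at acquisition, prove every working copy matches, and record each handling step. The block below is an added example written for this page, not a tool from the question bank; the image bytes are constructed and the custody record layout is an assumption.

```python
"""Added example, not from the question bank: hashing a forensic image, making
two verified working copies and keeping a chain-of-custody log. The image
bytes are constructed and the record layout is an assumption."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a bit-for-bit disk image (16 KiB of bytes).
SAMPLE_IMAGE = bytes(range(256)) * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Every handling step is recorded with who, when and what; the hash taken
    at acquisition is the reference every later copy is checked against."""

    def __init__(self, evidence_id: str, reference_hash: str):
        self.evidence_id = evidence_id
        self.reference_hash = reference_hash
        self.entries = []

    def record(self, action: str, custodian: str, note: str = "") -> None:
        self.entries.append({
            "evidence_id": self.evidence_id,
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "note": note,
        })

    def verify(self, data: bytes) -> bool:
        """True only if the data still matches the acquisition hash."""
        return sha256_hex(data) == self.reference_hash


def acquire(image: bytes, evidence_id: str, examiner: str):
    """Hash the original once, then produce two working copies and prove each
    one matches before analysis starts on either."""
    log = CustodyLog(evidence_id, sha256_hex(image))
    log.record("acquired", examiner,
               "screen photographed, power removed (no orderly shutdown), image taken")
    copies = []
    for n in (1, 2):
        copy = bytes(image)   # stands in for writing the image to fresh media
        if not log.verify(copy):
            raise RuntimeError(f"working copy {n} does not match acquisition hash")
        log.record("copied", examiner, f"working copy {n} verified {log.reference_hash[:12]}")
        copies.append(copy)
    return log, copies


def transfer(log: CustodyLog, sender: str, receiver: str, via: str) -> None:
    """Transport step; the missing record in option C of the question above
    is exactly this entry."""
    log.record("transferred", receiver, f"from {sender} via {via}; seal intact")


def tampered_copy_detected() -> bool:
    """Flip one byte of a working copy; the custody hash must catch it."""
    log, copies = acquire(SAMPLE_IMAGE, "EV-0001", "examiner-1")
    damaged = bytearray(copies[1])
    damaged[100] ^= 0xFF
    return not log.verify(bytes(damaged))
```

The hash is what lets the examiner testify that analysis was done on an exact copy; the log is what lets the examiner account for every hour the evidence was out of the examiner's hands. Either one without the other is the gap the defense will go after.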

You are correct, the answer is D. A. Executing audits and reviews outside the scope is not advisable. In this case, the weakness identified is considered to be a minor issue, and it is sufficient to report the issue and address it at a later time. B. In this case, the weakness identified is considered to be a minor issue. The IS auditor should formally report the weaknesses as an observation rather than documenting it to address during a future audit. C. It is not appropriate for the IS auditor to work with database administrators to correct the issue. D. Any weakness noticed should be reported, even if it is outside the scope of the current audit. Weaknesses identified during the course of an application software review need to be reported to management.

During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to: A. include a review of the database controls as part of the scope. B. document for future review. C. work with database administrators to correct the issue. D. formally report the weaknesses as observed.

You are correct, the answer is A. A. ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in choices B, C and D are all undertaken to address audit objectives and, thus, are secondary to choice A. B. The IS auditor does not collect evidence in the planning stage of an audit. C. Specifying appropriate tests is not the primary goal of audit planning. D. Effective use of audit resources is a goal of audit planning, not minimizing audit resources.

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to: A. address audit objectives. B. collect sufficient evidence. C. specify appropriate tests. D. minimize audit resources.

You answered A. The correct answer is D. A. Using software tools such as computer-assisted audit techniques (CAATs) to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results. B. Quarterly risk assessment may be a good technique, but not as responsive as continuous auditing. C. The sampling of transaction logs is a valid audit technique; however, risk may exist that is not captured in the transaction log, and there may be a potential time lag in the analysis. D. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk proactively? A. Use of computer-assisted audit techniques (CAATs) B. Quarterly risk assessment C. Sampling of transaction logs D. Continuous auditing

The correct answer is B. A. Stop-or-go sampling is used when an IS auditor believes few errors will be found in the population, and thus would not be the best type of testing to perform in this case. B. Because both the inherent and control risk are high in this case, additional testing would be required. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. C. Compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. While performing compliance testing is important, performing additional substantive testing would be more appropriate in this case. D. Discovery sampling is a form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population, typically used to test for fraud or other irregularities. In this case, additional substantive testing would be the better option.

In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional: A. stop-or-go sampling. B. substantive testing. C. compliance testing. D. discovery sampling.

You are correct, the answer is C. A. A size check is useful because passwords should have a minimum length, but it is not as strong a control as a validity check. B. Passwords are not typically entered in batch mode, so a hash total would not be effective. More important, a system should not accept incorrect values of a password, so a hash total as a control would not reveal weak passwords, errors or omissions. C. A validity check would be the most useful for verifying passwords because it confirms that the required format has been used, for example, that the password is not a dictionary word and includes non-alphabetical characters. An effective password must contain several different types of characters: alphabetical, numeric and special. D. A field check would not be as effective as a validity check that verifies that all password criteria have been met.

In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on? A. A size check B. A hash total C. A validity check D. A field check
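The difference between a size check and a validity check is concrete when you write both. The block below is an added example for this page, not code from the question bank or from any product: the minimum length, the character-class rules, the tiny dictionary and the substitution table are assumptions. It shows why the size check alone is the weaker control: a password made of two dictionary words passes it.

```python
"""Added example, not from the question bank: a programmed validity check for
new passwords beside the weaker size check the answer compares it with.
The policy values and the tiny dictionary are assumptions."""
import re

MIN_LENGTH = 12
# Constructed stand-in for a real dictionary or breached-password list.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer"}
# Common substitutions to undo before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def size_check(pw: str) -> bool:
    """Looks only at length; accepts 'passwordpassword'."""
    return len(pw) >= MIN_LENGTH


def _normalize(pw: str) -> str:
    """Lower-case, undo substitutions and keep letters only, so that
    'P@ssw0rd2024!!' still hits the dictionary."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def validity_check(pw: str) -> list:
    """Return the list of policy rules the candidate password fails;
    an empty list means it is acceptable."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH}")
    classes = {
        "uppercase": re.search(r"[A-Z]", pw),
        "lowercase": re.search(r"[a-z]", pw),
        "digit": re.search(r"\d", pw),
        "special": re.search(r"[^A-Za-z0-9]", pw),
    }
    failures += [f"missing {name}" for name, hit in classes.items() if not hit]
    base = _normalize(pw)
    if any(word in base for word in DICTIONARY):
        failures.append("based on a dictionary word")
    return failures


def is_valid(pw: str) -> bool:
    return not validity_check(pw)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3xyz", "P@ssw0rd2024!!", "passwordpassword", "Ab1!"):
        print(candidate, "size_check:", size_check(candidate),
              "validity:", validity_check(candidate) or "ok")
```

When auditing a real implementation, the thing to test is the normalization step: a validity check that compares the raw string against the dictionary is easily bypassed by a single substituted character.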

The correct answer is D. A. The review of the risk assessment process should be done at the start of the risk analysis. Because the threats and impact have already been determined, there must already be a risk assessment process in place. B. It would be impossible to determine impact without first having identified the assets affected; therefore, this must already have been completed. C. Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets as well as recommendations for addressing the risk. However, this cannot be done until the controls have been identified and the likelihood of the threat has been calculated. D. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should: A. identify and assess the risk assessment process used by management. B. identify information assets and the underlying systems. C. disclose the threats and impacts to management. D. identify and evaluate the existing controls.

You answered B. The correct answer is A. A. When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify the changes. B. The changes detected by the source code comparison are between two versions of the software. This will not detect changes made since the acquisition of the copy of the software. C. This is a function of library management, not source code comparison. An IS auditor will have to gain this assurance separately. D. Source code comparison will detect all changes between an original and a changed program; however, it will not ensure that the changes have been adequately tested.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to: A. examine source program changes without information from IS personnel. B. detect a source program change made between acquiring a copy of the source and the comparison run. C. confirm that the control copy is the current version of the production program. D. ensure that all changes made in the current source copy are tested.
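Source code comparison gives the auditor an independent list of what changed, and only that. The block below is an added example written for this page, not a tool from the question bank; the two program texts are constructed, with the production copy carrying a hard-coded customer discount that the control copy does not. The comparison finds the inserted lines; whether they were authorized or tested (options C and D) still has to be established from the change records.

```python
"""Added example, not from the question bank: a source code comparison that
reports every difference between the control copy and the production copy
without relying on anything IS staff say. Both program texts are constructed."""
import difflib
import hashlib

CONTROL_COPY = """\
def apply_discount(order):
    rate = 0.05 if order.total > 1000 else 0.0
    return order.total * (1 - rate)
"""

PRODUCTION_COPY = """\
def apply_discount(order):
    rate = 0.05 if order.total > 1000 else 0.0
    if order.customer == "ACME-017":
        rate = 0.40
    return order.total * (1 - rate)
"""


def fingerprint(source: str) -> str:
    """Quick equality test: identical hashes mean no change at all."""
    return hashlib.sha256(source.encode()).hexdigest()


def compare_sources(control: str, production: str) -> list:
    """Each finding names the kind of change and the affected line ranges
    (1-based) in both copies, with the text that was removed or added."""
    a, b = control.splitlines(), production.splitlines()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        findings.append({
            "change": tag,                       # insert, delete or replace
            "control_lines": (i1 + 1, i2),
            "production_lines": (j1 + 1, j2),
            "removed": a[i1:i2],
            "added": b[j1:j2],
        })
    return findings


def unified(control: str, production: str) -> str:
    """Human-readable form for the working papers."""
    return "".join(difflib.unified_diff(
        control.splitlines(keepends=True), production.splitlines(keepends=True),
        fromfile="control_copy.py", tofile="production_copy.py"))


if __name__ == "__main__":
    print(unified(CONTROL_COPY, PRODUCTION_COPY))
    for f in compare_sources(CONTROL_COPY, PRODUCTION_COPY):
        print(f["change"], "at production lines", f["production_lines"], f["added"])
```

The hash check is what you run first across a whole library; the line-level comparison is what you run on the files whose hashes differ. Neither step tells you the control copy is itself the correct baseline, which is why the answer to option C sends you to library management.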

The correct answer is C. A. Detailed visual review of source code is not an effective method of ensuring that the calculation is being computed correctly. B. Recreating program logic may lead to errors, and monthly totals are not accurate enough to ensure correct computations. C. Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation. D. Flowcharting and analysis of source code are not effective methods to address the accuracy of individual tax calculations.

The BEST method of confirming the accuracy of a system tax calculation is by: A. detailed visual review and analysis of the source code of the calculation programs. B. recreating program logic using generalized audit software to calculate monthly totals. C. preparing simulated transactions for processing and comparing the results to predetermined results. D. automatic flowcharting and analysis of the source code of the calculation programs.

The correct answer is B. A. The continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. B. Continuous audit allows audit and response to audit issues in a timely manner because audit findings are gathered in near real time. C. Responsibility for enforcement and monitoring of controls is primarily the responsibility of management. D. The use of continuous audit is not based on the complexity or number of systems being monitored.

The PRIMARY advantage of a continuous audit approach is that it: A. does not require an IS auditor to collect evidence on system reliability while processing is taking place. B. allows the IS auditor to review and follow up on audit issues in a timely manner. C. places the responsibility for enforcement and monitoring of controls on the security department instead of audit. D. simplifies the extraction and correlation of data from multiple and complex systems.

The correct answer is B. A. Forensic audits are not limited to corporate fraud. B. The systematic collection and analysis of evidence best describes a forensic audit. The evidence collected could then be analyzed and used in judicial proceedings. C. Assessing the correctness of an organization's financial statements is not the primary purpose of most forensic audits. D. Forensics is the investigation of evidence related to a crime or misbehavior. Preserving evidence is the forensic process, but not the primary purpose.

The PRIMARY purpose of an IT forensic audit is: A. to participate in investigations related to corporate fraud. B. the systematic collection and analysis of evidence after a system irregularity. C. to assess the correctness of an organization's financial statements. D. to preserve evidence of criminal activity.

The correct answer is A. A. Understanding the business process is the first step an IS auditor needs to perform. B. ISACA IS Audit and Assurance Standards encourage adoption of the audit procedures/processes required to assist the IS auditor in performing IS audits more effectively. However, standards do not require an IS auditor to perform a process walk-through at the commencement of an audit engagement. C. Identifying control weaknesses is not the primary reason for the walk-through and typically occurs at a later stage in the audit. D. Conducting a walk-through enables the IS auditor to understand the business process. This may support planning for substantive testing at a later stage in the audit, but is not the primary reason for the walk-through.

The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to: A. understand the business process. B. comply with auditing standards. C. identify control weakness. D. plan substantive testing.

The correct answer is B. A. Inherent risk is the risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error. Inherent risk is not usually affected by an IS auditor. B. Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue. C. Control risk is the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Control risk can be mitigated by the actions of the company's management. D. Business risk is a probable situation with uncertain frequency and magnitude of loss (or gain). Business risk is usually not directly affected by an IS auditor.

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk? A. Inherent B. Detection C. Control D. Business

The correct answer is A. A. The effect of applicable statutory requirements must be factored in while planning an IS audit; the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutory requirements. B. Statutory requirements always take priority over corporate standards. C. Industry best practices help plan an audit; however, best practices are not mandatory and can be deviated from to meet organization objectives. D. Organizational policies and procedures are important, but statutory requirements always take priority. Organizational policies must be in alignment with statutory requirements.

The effect of which of the following should have priority in planning the scope and objectives of an IS audit? A. Applicable statutory requirements B. Applicable corporate standards C. Applicable industry best practices D. Organizational policies and procedures

The correct answer is C. A. The audit committee should not impair the independence, professionalism and objectivity of the IS auditor by influencing what is included in the audit report. B. The IS auditor's manager may recommend what should or should not be included in an audit report, but the auditee's manager should not influence the content of the report. C. The IS auditor should make the final decision about what to include or exclude from the audit report. D. The chief executive officer (CEO) must not provide influence over the content of an audit report as that would be a breach of the independence of the audit function.

The final decision to include a material finding in an audit report should be made by the: A. audit committee. B. auditee's manager. C. IS auditor. D. chief executive officer (CEO) of the organization.

The correct answer is C. A. The ability of IT to continuously monitor and address any issues on IT systems would not affect the ability of IS audit to perform a comprehensive audit. B. Sharing the scripts may be required by policy for the sake of quality assurance and configuration management, but that would not impair the ability to audit. C. IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts themselves, but they can still audit the systems. D. An audit of an IS system would encompass more than just the controls covered in the scripts.

The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function? A. Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit. B. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence. C. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts. D. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.

The correct answer is B. A. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations. B. Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made. C. An integrated test facility would help identify a problem as it occurs, but would not detect errors for a previous period. D. An embedded audit module can enable the IS auditor to evaluate a process and gather audit evidence, but it would not detect errors for a previous period.

The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation? A. Generate sample test data B. Generalized audit software C. Integrated test facility D. Embedded audit module

The correct answer is A. A. Control self-assessments (CSAs) require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner. B. CSAs do not replace the audit function; an audit must still be performed to ensure that controls are present. C. CSAs may not reduce the audit function's workload and are not a major difference between the two approaches. D. CSAs do not affect the need for audit resources. While the results of the CSA may serve as a reference point for the audit process, they do not affect the scope or depth of audit work that needs to be performed.

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit? A. It detects risk sooner. B. It replaces the audit function. C. It reduces audit workload. D. It reduces audit resources.

The correct answer is A. A. The first step in assessing network monitoring controls should be the review of the existence, completeness, accuracy and adequacy of network documentation, specifically topology diagrams. If this information is not up to date, then monitoring processes and the ability to diagnose problems will not be effective. B. The first step must be to review network layout, not network usage such as bandwidth. C. The first step in a network audit would be to gather network data but not to analyze it. D. The second step in the network audit would be to determine any potential problems in the network layout, such as bottlenecks, inadequate separation, bypassing of controls, etc.

When assessing the design of network monitoring controls, an IS auditor should FIRST review network: A. topology diagrams. B. bandwidth usage. C. traffic analysis reports. D. bottleneck locations.

The correct answer is A. A. The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and what factors caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, by a problem with the workflow of the automated system or a combination of the two. B. The IS auditor does not yet have enough information to report the problem. C. Changing the scope of the IS audit or conducting a security risk assessment would require more detailed information about the processes and violations being reviewed. D. The IS auditor must first determine the root cause and impact of the findings and does not have enough information to recommend fixing the workflow issues.

When auditing the provisioning procedures of the identity management (IDM) system of a large organization, an IS auditor immediately finds a small number of access requests that had not been authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should: A. perform an additional analysis. B. report the problem to the audit committee. C. conduct a security risk assessment. D. recommend that the owner of the IDM system fix the workflow issues.

The correct answer is B. A. Understanding whether appropriate controls required to mitigate risk are in place is a resultant effect of an audit. B. In developing a risk-based audit strategy, it is critical that the risk and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage. C. Audit risk is an inherent aspect of auditing, is directly related to the audit process and is not relevant to the risk analysis of the environment to be audited. D. A gap analysis would normally be done to compare the actual state to an expected or desirable state.

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that: A. controls needed to mitigate risk are in place. B. vulnerabilities and threats are identified. C. audit risk is considered. D. a gap analysis is appropriate.

The correct answer is A. A. An IS auditor should focus on when controls are exercised as data flow through a computer system. B. Corrective controls may also be relevant because they allow an error or problem to be corrected. C. Corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls. D. The existence and function of controls is important, but not the classification.

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following? A. The point at which controls are exercised as data flow through the system B. Only preventive and detective controls are relevant C. Corrective controls can only be regarded as compensating D. Classification allows an IS auditor to determine which controls are missing

The correct answer is C. A. Antivirus controls are only one of many possible performance problems and are secondary to understanding the overall architecture of the network. B. Protocols used on the network are rarely the root cause of performance issues and are secondary to understanding the overall architecture of the network. C. By reviewing the network topology, the IS auditor can quickly gain a high-level perspective of potential points of failure or bottlenecks. The IS auditor will be directed to specific areas of the network which may require more detailed analysis. D. The configuration of network devices may definitely affect performance, but is secondary to understanding the overall architecture of the network.

When performance issues are discovered during an assessment of the organization's network, the MOST efficient way for the IS auditor to proceed is to examine the: A. antivirus controls that have been put in place. B. protocols used on the network. C. network topology. D. configuration of network devices.

The correct answer is C. A. Analysis is important, but not the primary concern related to evidence in a forensic investigation. B. Evaluation is important, but not the primary concern related to evidence in a forensic investigation. C. Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when conducting an investigation. Failure to properly preserve the evidence could jeopardize the admissibility of the evidence in legal proceedings. D. Disclosure is important, but not of primary concern to the IS auditor in a forensic investigation.

When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with: A. analysis. B. evaluation. C. preservation. D. disclosure.

The correct answer is A. A. Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate and the IS auditor's past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide information on how to meet the standards when performing IS audit work. B. The correction of deficiencies is the responsibility of management and is not a part of the audit procedure selection process. C. Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the audit. Audit procedures and use of professional judgment cannot ensure that all deficiencies/weaknesses will be identified and corrected. D. Professional judgment will ensure that audit resources and costs are used wisely, but this is not the primary objective of the auditor when selecting audit procedures.

When selecting audit procedures, an IS auditor should use professional judgment to ensure that: A. sufficient evidence will be collected. B. all significant deficiencies identified will be corrected within a reasonable period. C. all material weaknesses will be identified. D. audit costs will be kept at a minimum level.

The correct answer is A. A. If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure. B. There is not enough evidence to report the finding as a deficiency. C. A walk-through should not be initiated until an analysis is performed to confirm that this could provide the required assurance. D. It would not be appropriate for an IS auditor to create sample data for the purpose of the audit.

When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take? A. Develop an alternate testing procedure. B. Report the finding to management as a deficiency. C. Perform a walk-through of the change management process. D. Create additional sample changes to programs.

The correct answer is B. A. While using an integrated test facility (ITF) ensures that periodic testing does not require a separate test process, there is a need to isolate test data from production data. B. An ITF creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. The test data must be kept separate from production data. C. An IS auditor is not required to use production data or a test data generator. D. Production master files should not be updated with test data.

When using an integrated test facility (ITF), an IS auditor should ensure that: A. production data are used for testing. B. test data are isolated from production data. C. a test data generator is used. D. master files are updated with the test data.

The correct answer is C. A. Management may not be aware of the detailed functions of each employee in the IS department, and they may not be aware whether the controls are being followed. Therefore, discussion with the management would provide only limited information regarding segregation of duties. B. An organization chart would not provide details of the functions of the employees or whether the controls are working correctly. C. Based on the observations and interviews, the IS auditor can evaluate the segregation of duties. By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IS staff, the auditor can get an overview of the tasks performed. D. Testing of user rights would provide information about the rights they have within the IS systems, but would not provide complete information about the functions they perform.

Which audit technique provides the BEST evidence of the segregation of duties in an IS department? A. Discussion with management B. Review of the organization chart C. Observation and interviews D. Testing of user access rights

The correct answer is C. A. Based on this discussion, the IS auditor will finalize the report and present the report to relevant levels of senior management. This discussion should, however, also address a timetable for remediation of the audit findings. B. This discussion will, first of all, inform management of the findings of the audit and, based on these discussions, management may agree to develop an implementation plan for the suggested recommendations, along with the time lines. C. Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the auditee. The goal of such a discussion is to confirm the accuracy of the findings and to propose or recommend a course of corrective action. D. At the draft report stage, the IS auditor may recommend various controls to mitigate the risk, but the purpose of the meeting is to validate the findings of the audit with management.

Which of the following BEST describes the objective of an IS auditor discussing the audit findings with the auditee? A. Communicate results of the audit to senior management. B. Develop time lines for the implementation of suggested recommendations. C. Confirm the findings, and propose a course of corrective action. D. Identify compensating controls to the identified risk.

The correct answer is B. A. A risk assessment does not directly influence staffing requirements. B. A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assurance is important as well. C. A risk assessment does not identify the knowledge required to perform an IS audit. D. A risk assessment is not used in the development of the audit program and procedures.

Which of the following BEST describes the purpose of performing a risk assessment in the planning phase of an IS audit? A. To establish adequate staffing requirements to complete the IS audit B. To provide reasonable assurance that all material items will be addressed C. To determine the knowledge required to perform the IS audit D. To develop the audit program and procedures to perform the IS audit

The correct answer is C. A. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about unauthorized changes or unexercised portions of a program. B. Code review is the process of reading program source code listings to determine whether the code follows coding standards or contains potential errors or inefficient statements. A code review can be used as a means of code comparison, but it is inefficient and unlikely to detect any changes in the code, especially in a large program. C. An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. D. The review of code migration procedures would not detect unauthorized program changes.

Which of the following audit techniques would BEST help an IS auditor in determining whether there have been unauthorized program changes since the last authorized program update? A. Test data run B. Code review C. Automated code comparison D. Review of code migration procedures

The correct answer is A. A. To ensure the effectiveness of controls, it is most effective to conduct re-performance. When the same result is obtained after the performance by an independent person, this provides the strongest assurance. B. Process walk-through may help the auditor to understand the controls better; however, it may not be as useful as conducting re-performance for a sample of transactions. C. Observation is a valid audit method to verify that operators are using the system appropriately; however, conducting re-performance is a better method. D. Documentation review may be of some value for understanding the control environment; however, conducting re-performance is a better method.

Which of the following choices BEST ensures the effectiveness of controls related to interest calculation inside an accounting system? A. Re-performance B. Process walk-through C. Observation D. Documentation review

The correct answer is C. A. Understanding the technology architecture of the e-commerce environment is important; however, it is vital that the nature and criticality of the business process supported by the e-commerce application are well understood. B. While the policies, procedures and practices that form the internal control environment need to be in alignment with the e-commerce environment, this is not the most important element that the IS auditor needs to understand. C. The e-commerce application enables the execution of business transactions. Therefore, it is important to understand the nature and criticality of the business process supported by the e-commerce application to identify specific controls to review. D. The availability of the e-commerce environment is important, but this is only one of the aspects to be considered with respect to business processes that are supported by the e-commerce application.

Which of the following choices is MOST important for an IS auditor to understand when auditing an e-commerce environment? A. The technology architecture of the e-commerce environment B. The policies, procedures and practices that form the internal control environment C. The nature and criticality of the business process supported by the e-commerce application D. Continuous monitoring of control measures for system availability and reliability

The correct answer is B. A. The integrated test facility (ITF) tests a test transaction as if it were a real transaction and validates that transaction processing is being done correctly. It is not related to reviewing the source of a transaction. B. An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be isolated from production data. C. An ITF does validate the correct operation of a transaction in an application, but it does not ensure that a system is being operated correctly. D. The ITF is based on the integration of test data into the normal process flow, so test data is still required.

Which of the following is an advantage of an integrated test facility (ITF)? A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction. B. Periodic testing does not require separate test processes. C. It validates application systems and ensures the correct operation of the system. D. The need to prepare test data is eliminated.

The correct answer is B. A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval. B. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee. C. Executive management is not required to approve the audit charter. The audit committee is in the best position to approve the charter. D. While the director of internal audit may draft the charter and make changes, the audit committee should have the final approval of the charter.

Which of the following is in the BEST position to approve changes to the audit charter? A. Board of directors B. Audit committee C. Executive management D. Director of internal audit

The correct answer is B. A. Once the audit universe is defined, the IS auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe. B. In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. In order to plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix. C. The controls that help in mitigating high-risk areas are generally critical controls and their effectiveness provides assurance on mitigation of risk. However, this cannot be done unless the types of risk are ranked. D. The testing approach is based on the risk ranking.

Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan? A. Prioritize the identified risk. B. Define the audit universe. C. Identify the critical controls. D. Determine the testing approach.

The correct answer is D. A. The findings of a previous audit are of interest to the auditor, but they are not the most critical step. The most critical step involves finding the current issues, not reviewing the resolution of older issues. B. A physical security review of the data center facility is important, but is a very narrow scope and not as critical as performing a risk assessment. C. Reviewing information security policies and procedures would normally be conducted during fieldwork, not planning. D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard 1202 Risk Assessment in Planning, statement 1202.2: "IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements." In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation.

Which of the following is the MOST critical step to perform when planning an IS audit? A. Review findings from prior audits. B. Develop plans to conduct a physical security review of the data center facility. C. Review IS security policies and procedures. D. Perform a risk assessment.

The correct answer is C. A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques, but this is not essential regarding constraints on the conduct of the audit. B. IS managers are responsible for resource management of their departments. IS auditors do not manage IS resources. C. Audits often involve resource management, deliverables, scheduling and deadlines similar to project management best practices. D. Knowledge of internal controls is fundamental to IS auditors. Professional competence is an auditing standard. A lack of understanding of the control environment would be a constraint on the effectiveness of the audit, but is not the most important skill needed by the IS auditor.

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit? A. Contingency planning B. IS management resource allocation C. Project management D. Knowledge of internal controls

The correct answer is B. A. Preparation of the IS audit report according to a predefined and standard template may be useful in ensuring that all key aspects are provided in a uniform structure, but this does not demonstrate that audit findings are based on evidence that can be proven, if required. B. ISACA IS audit standards require that reports should be backed by sufficient and appropriate audit evidence so that they demonstrate the application of the minimum standard of performance and the findings and recommendations can be validated, if required. C. The scope and coverage of IS audit is defined by a risk assessment process, which may not always provide comprehensive coverage of processes of the enterprise. D. While from an operational standpoint an audit report should be reviewed and approved by audit management, the more critical consideration is that all conclusions are backed by sufficient and appropriate audit evidence.

Which of the following is the PRIMARY requirement in reporting results of an IS audit? The report is: A. prepared according to a predefined and standard template. B. backed by sufficient and appropriate audit evidence. C. comprehensive in coverage of enterprise processes. D. reviewed and approved by audit management.

The correct answer is A. A. Participating in the design of the risk management framework involves designing controls, which will compromise the independence of the IS auditor to audit the risk management process. B. Advising on different implementation techniques will not compromise the IS auditor's independence because the IS auditor will not be involved in the decision-making process. C. Facilitating awareness training will not hamper the IS auditor's independence because the auditor will not be involved in the decision-making process. D. Due diligence reviews are a type of audit generally related to mergers and acquisitions.

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process? A. Participating in the design of the risk management framework B. Advising on different implementation techniques C. Facilitating risk awareness training D. Performing due diligence of the risk management processes

The correct answer is A. A. Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain pre-defined dollar amount for proper approvals. B. Variable sampling is based on the calculation of a mean from a sample extracted from the entire population and using that to estimate the characteristics of the entire population. For example, a sample of 10 items shows an average price of US $10 per item. For the entire population of 1,000 items, the total value would be estimated to be US $10,000. This is not a good way to measure compliance with a process. C. Stratified mean sampling attempts to ensure that the entire population is represented in the sample. This is not an effective way to measure compliance. D. Difference estimation sampling examines measured deviations and extraordinary items and is not a good way to measure compliance.

Which of the following sampling methods is MOST useful when testing for compliance? A. Attribute sampling B. Variable sampling C. Stratified mean per unit sampling D. Difference estimation sampling

The correct answer is C. A. Variable sampling is the method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values. B. Stratified mean per unit is used in variable sampling. C. Attribute sampling is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control. D. Unstratified mean per unit is used in variable sampling.

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix? A. Variable sampling B. Stratified mean per unit C. Attribute sampling D. Unstratified mean per unit

The correct answer is B. A. Attribute sampling would aid in identifying records meeting specific conditions, but would not compare one record to another to identify duplicates. To detect duplicate invoice records, the IS auditor should check all of the items that meet the criteria and not just a sample of the items. B. Computer-assisted audit techniques (CAATs) would enable the IS auditor to review the entire invoice file to look for those items that meet the selection criteria. C. Test data are used to verify program processing, but will not identify duplicate records. D. An integrated test facility (ITF) allows the IS auditor to test transactions through the production system, but would not compare records to identify duplicates.

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file? A. Attribute sampling B. Computer-assisted audit techniques (CAATs) C. Test data D. Integrated test facility (ITF)

The correct answer is D. A. Retesting the control would normally occur after the evidence has been revalidated. B. While there are cases where a third party may be needed to perform specialized audit procedures, an IS auditor should first revalidate the supporting evidence to determine whether there is a need to engage a third party. C. Before putting a disputed finding or management response in the audit report, the IS auditor should take care to review the evidence used in the finding to ensure audit accuracy. D. Conclusions drawn by an IS auditor should be adequately supported by evidence, and any compensating controls or corrections pointed out by a department manager should be taken into consideration. Therefore, the first step would be to revalidate the evidence for the finding. If, after revalidating and retesting, there are unsettled disagreements, those issues should be included in the report.

Which of the following should be the FIRST action of an IS auditor during a dispute with a department manager over audit findings? A. Retest the control to validate the finding. B. Engage a third party to validate the finding. C. Include the finding in the report with the department manager's comments. D. Revalidate the supporting evidence for the finding.

The correct answer is C. A. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure has been established from the beginning, finding any overlap in key controls will not be possible. B. An integrated test facility (ITF) is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls. C. As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts have the opportunity to come across unnecessary or overlapping key controls in existing systems. D. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.

Which of the following will MOST successfully identify overlapping key controls in business application systems? A. Reviewing system functionalities that are attached to complex business processes B. Submitting test transactions through an integrated test facility (ITF) C. Replacing manual monitoring with an automated auditing solution D. Testing controls to validate that they are effective

The correct answer is B. A. System log analysis would identify changes and activity on a system, but would not identify whether the change was authorized unless conducted as a part of a compliance test. B. Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. C. Forensic analysis is a specialized technique for criminal investigation. D. An analytical review assesses the general control environment of an organization.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review

The correct answer is C. A. A report of security rights in the enterprise resource planning (ERP) system would be voluminous and time consuming to review; therefore, this technique is not as effective as building a matrix. B. As complexities increase, it becomes more difficult to verify the effectiveness of the systems, and complexity is not, in itself, a link to segregation of duties. C. Because the objective is to identify violations in segregation of duties, it is necessary to define the logic that will identify conflicts in authorization. A matrix could be developed to identify these conflicts. D. It is good practice to review recent access rights violation cases; however, it may require a significant amount of time to truly identify which violations actually resulted from an inappropriate segregation of duties and in most cases would not identify a lack of segregation of duties where both persons had authorized but inappropriate access.

Which of the following would be the MOST effective audit technique for identifying segregation of duties violations in a new enterprise resource planning (ERP) implementation? A. Reviewing a report of security rights in the system B. Reviewing the complexities of authorization objects C. Building a matrix to identify security roles and potential conflicts in authorization D. Examining recent access rights violation cases

The correct answer is A. A. Evidence obtained from independent third parties is almost always considered to be more reliable than assurance provided by local management. B. Because management is not objective and may not understand the risk and control environment, and they are only providing evidence that the application is working correctly (not the controls), their assurance would not be an acceptable level of trust for audit evidence. C. Data collected from the Internet is not necessarily trustworthy or independently validated. D. Ratio analysis can identify trends and deviations from a baseline, but is not reliable evidence.

Which of the following would normally be the MOST reliable evidence for an IS auditor? A. A confirmation letter received from a third party verifying an account balance B. Assurance from line management that an application is working as designed C. Trend data obtained from World Wide Web (Internet) sources D. Ratio analysis developed by the IS auditor from reports supplied by line management

The correct answer is C. A. Analysis of transaction logs would help to show that dual control is in place, but does not necessarily guarantee that this process is being followed consistently. Therefore, observation would be the better test technique. B. While re-performance could provide assurance that dual control was in effect, re-performing wire transfers at a bank would not be an option for an IS auditor. C. Dual control requires that two people carry out an operation. The observation technique would help to ascertain whether two individuals do indeed get involved in execution of the operation and an element of oversight exists. It would also be obvious if one individual is masquerading and filling in the role of the second person. D. Interviewing personnel would be useful to determine the level of awareness and understanding of the personnel carrying out the operations. However, it would not provide direct evidence confirming the existence of dual control because the information provided may not accurately reflect the process being performed.

Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank? A. Analysis of transaction logs B. Re-performance C. Observation D. Interviewing personnel

The correct answer is A. A. During the course of an audit, if there are material issues that are of concern, they need to be reported immediately. B. The IS auditor may discuss the issue with the service provider to clarify it; however, the appropriate response is to report the issue to IT management. C. This issue can serve as an input for a future risk assessment, but the issue of noncompliance should be reported to management regardless of whether the IS auditor believes that there is a significant risk. D. The IS auditor should not perform an access review on behalf of the third-party IT service provider. The control may be re-performed to determine any actual violations resulting from the lack of review.

While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should: A. report the issue to IT management. B. discuss the issue with the service provider. C. perform a risk assessment. D. perform an access review.

The correct answer is C. A. The IS auditor should not assume that the IT manager will follow through on a verbal notification toward resolving the change management control deficiency, and it is inappropriate to offer consulting services on issues discovered during an audit. B. While not technically within the audit scope, it is the responsibility of the IS auditor to report findings discovered during an audit that could have a material impact on the effectiveness of controls. C. It is the responsibility of the IS auditor to report on findings that could have a material impact on the effectiveness of controls, whether or not they are within the scope of the audit. D. It is not the role of the IS auditor to demand that IT work be completed before performing or completing an audit.

While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software that supports the accounting application. The MOST appropriate action for the IS auditor to take is to: A. continue to test the accounting application controls, verbally inform the IT manager about the change management software control deficiency and offer consultation on possible solutions. B. complete the application controls audit, but not report the control deficiency in the change management software because it is not part of the audit scope. C. continue to test the accounting application controls and include mention of the change management software control deficiency in the final report. D. cease all audit activity until the control deficiency in the change management software is resolved.

The correct answer is A. A. ISACA IS Audit and Assurance Guideline 2202 on Risk Assessment in Planning states that the applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work. It should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit engagements. B. Definite assurance that material items will be covered during the audit work is an impractical proposition. C. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as primarily it is material items that need to be covered, not all items. D. Sufficient assurance that all items will be covered is not as important as ensuring that the audit will cover all material items.

While planning an IS audit, an assessment of risk should be made to provide: A. reasonable assurance that the audit will cover material items. B. definite assurance that material items will be covered during the audit work. C. reasonable assurance that all items will be covered by the audit. D. sufficient assurance that all items will be covered during the audit work.

The correct answer is D. A. Internal quality requirements may exist, but are superseded by the requirement of supervision to comply with professional standards. B. Audit guidelines exist to provide guidance on how to achieve compliance with professional standards. For example, they may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve compliance with professional standards. C. An audit methodology is a well-configured process/procedure to achieve audit objectives. While an audit methodology is a meaningful tool, supervision is generally driven by compliance with professional standards. D. Professional standards from ISACA, The Institute of Internal Auditors (IIA) and the International Federation of Accountants (IFAC) require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.

Why does an audit manager review audit papers from an IS auditor, even when the auditor has more than 10 years of experience? A. Supervision is required to comply with internal quality requirements. B. Supervision is required to comply with the audit guidelines. C. Supervision is required to comply with the audit methodology. D. Supervision is required to comply with professional standards.
