Embed Doc
Copy Link
Readcast
Collections

CommentGo Back

Download

B1-1An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms werecorrectly authorized. This IS an example of A.variable sampling.B.substantive testing.C.compliance testing.D.stop-or-go sampling.C Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determinewhether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values such as dollar values. Substantive testing substantiates the integrity of actual processing such as balances on financial statements. Thedevelopment of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that thereare adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as earlyas possible and is not appropriate for checking whether procedures have been followed.B1-2 The decisions and actions of an IS auditor are

MOST

likely to affect which of the following risks?A.Inherent

DetectionC.ControlD.BusinessB Detection risks are directly affected by the auditor's selection of audit procedures and techniques. Inherent risks are not usuallyaffected by an IS auditor. Control risks are controlled by the actions of the company management. Business risks are nm affected by an IS auditor.B1-3 Overall business risk for a particular threat can be expressed as:

a product of the probability and magnitude of the impact If a threat successfully exploits a vulnerability.

the magnitude of the impact should a threat source successfully exploit the vulnerability.

the likelihood of a given threat source exploiting a given vulnerability.D.the collective judgment of the risk assessment team.A Choice A takes into consideration the likelihood and magnitude of the impact, and provides the best measure of the risk to anasset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitudeof the possible damage to the asset. Similarly, Choice C considers only the magnitude of the damage and not the possibility of athreat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.B1-4 Which of the following is a substantive test?

Checking a list of exception reportsB.Ensuring approval for parameter changes

Using a statistical sample to inventory the tape library

Reviewing password history reportsCA substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records arestated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of exception reports, reviewing authorization for changing parameters andreviewing password history reports are compliance tests.B1-5 Which of the following is a benefit of a risk-based approach to audit planning? Audit:

scheduling may be performed months in advance.

budgets are more likely to be met by the IS audit staff C.staff will be exposed to a variety of technologies.

resources are allocated to the areas of highest concern.D The risk-based approach IS designed to ensure audit time is spent on the areas of highest risk. The development of an auditschedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using variousscheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.B1-6 An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorizedsoftware. Which of the following actions should the IS auditor take?

A.Personally delete all copies of the unauthorized software

Inform the auditee of the unauthorized software, and follow up to confirm deletion

Report the use of the unauthorized software and the need to prevent recurrence to auditee management

Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such useC The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in inherent exposureand can result in severe fines. An IS auditor must convince the user and user management of the risk and the need to eliminatethe risk. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement In removing or deleting the unauthorized software.B1-7 An audit charter should:

be dynamic and change often to coincide with the changing nature of technology and the audit profession.

clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.

document the audit procedures designed to achieve the planned audit objectives.

outline the overall authority, scope and responsibilities of the audit function.D An audit charter should state management's objectives for and delegation of authority to IS audit. This charter should notsignificantly change over time and should be approved at the highest level of management. An audit charter would not be at adetailed level and, therefore, would not include specific audit objectives or procedures.B1-8 The

MAJOR

advantage of the risk assessment approach over the baseline approach to information security management isthat it ensures:

information assets are overprotected.

a basic level of protection is applied regardless of asset value.

appropriate levels of protection are applied to information assets.

an equal proportion of resources are devoted to protecting all information assets.CFull risk assessment determines the level of protection most appropriate to a given level of risk, while the baseline approachmerely applies a standard set of protection regardless of risk. There is a cost advantage in not overprotecting information.However, an even bigger advantage is making sure that no information assets are over- or underprotected. The risk assessmentapproach will ensure an appropriate level of protection is applied, commensurate with the level of risk and asset value and,therefore, considering asset value. The baseline approach does not allow more resources to be directed toward the assets atgreater risk, rather than equally directing resources to all assets.B1-9 Which of the following sampling methods is

MOST

useful when testing for compliance?

Attribute samplingB.Variable samplingC.Stratified mean per unit

Difference estimationA Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that isused to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing toconfirm whether the quality exists. The other Choices are used in substantive testing, Which involves testing of details or quantity.B1-10 Which of the following is the

MOST

likely reason why e-mail systems have become a useful source of evidence for litigation?

Multiple cycles of backup files remain available

Access controls establish accountability for e-mail activity

Data classification regulates what information should be communicated via e-mail

Within the enterprise, a clear policy for using e-mail ensures that evidence is availableA Backup flies containing documents that supposedly have been deleted could be recovered from these files. Access controls mayhelp establish accountability for the issuance of a particular document, but this does not provide evidence of the e-mail. Dataclassification standards may be in place with regards to what should be communicated via e-mail, but the creation of the policydoes not provide the information required for litigation purposes.

B1-11 An IS auditor is assigned to perform a postimplementation review of an application system. Which of the followingsituations may have impaired the independence of the IS auditor? The IS auditor:

implemented a specific control during the development of the application system.

designed an embedded audit module exclusively for auditing the application system.

participated as a member of the application system project team, but did not have operational responsibilities.

provided consulting advice concerning application system best practices.A Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition andimplementation of the application system. Choices B and C are situations that do not impair an IS auditor's independence.Choice D is incorrect because an IS auditor's independence is not impaired by providing advice on known best practices.B1-12 The

PRIMARY

advantage of a continuous audit approach is that it:

does not require an IS auditor to collect evidence on system reliability while processing is taking place.

requires the IS auditor to review and follow up immediately on all information collected.

can improve system security when used in time-sharing environments that process a large number of transactions.

does not depend on the complexity of an organization's computer systems.C The use of continuous auditing techniques can improve system security when used in time-sharing environments that process alarge number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often doesrequire an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an ISauditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the useof continuous audit techniques depends on the complexity of an organization's computer systems.B1-13 The

PRIMARY

purpose of audit trails is to:A.improve response time for users.

establish accountability and responsibility for processed transactions.

improve the operational efficiency of the system.

provide useful information to auditors who may wish to track transactions.B Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactionsthrough the system. The objective of enabling software to provide audit trails is not to improve system efficiency since it ofteninvolves additional processing which may, in fact, reduce response time for users. Enabling audit trails involves storage and,thus, occupies disk space. Choice D is also a valid reason; however, it is not the primary reason.B1-14An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should

FIRST

review:A.the controls already in place.

the effectiveness of the controls in place.

the mechanism for monitoring the risks related to the assets.D.the threats/vulnerabilities affecting the assets.DOne of the key factors to be considered while assessing the risks related to the use of various information systems is the threatsand vulnerabilities affecting the assets. The risks related to the use of information assets should he evaluated in isolation from theinstalled controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and notduring the risk assessment phase. A mechanism to continuously monitor the risks related to assets should be put in place duringthe risk monitoring function that follows the risk assessment phase.B1-15In planning an audit, the

MOST

critical step is the identification of the:

areas of high risk.

skill sets of the audit staff.

test steps in the audit.

time allotted for the audit.AWhen designing an audit plan, it is important to identify the areas of highest risk to determine the areas to he audited. The skillsets of the audit staff should have been considered before deciding and selecting the audit. Test steps for the audit are not as