Type 1:
An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY ability that the IS auditor should look for in the software tool? The software tool should
a) Interface with various types of enterprise resource planning (ERP) software and databases
b) Preserve data integrity and not modify source data in any way
c) Introduce audit hooks into the company's financial systems to support continuous auditing
d) Be customizable and support inclusion of custom programming to aid in investigative analysis

Type 2:
Which of the following represents an example of a preventive control with respect to IT personnel?
a) Review of visitor logs for the data center
b) A log server which tracks logon IP addresses of users
c) Implementation of a badge entry system for the IT facility
d) An accounting system which tracks employee telephone calls
Question 2

Type 1:
An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should present the MOST concern to the IS auditor?
a) The owner of the system was not present at the time of evidence retrieval
b) The system was powered off by an investigator
c) There are no documented logs of the transportation of evidence
d) The contents of the random access memory (RAM) were not backed up

Type 2:
The internal audit department of an organization has developed and maintained ACL scripts for continuous auditing purposes. These scripts were provided to IT management for continuous monitoring purposes. This situation resulted in a potential conflict related to the auditor's independence and objectivity. Which of the following actions would BEST resolve this issue?
a) The internal audit team should stop sharing the scripts so that IT management must develop its own scripts
b) Since continuous monitoring and continuous auditing are similar functions, IT management should assign the continuous monitoring task to the internal audit department
c) IT management should continue to use the scripts for continuous monitoring purposes with the understanding that it is responsible for testing and maintaining the scripts that it uses
d) The internal audit team should review the areas where these scripts are being used and reduce the audit scope and frequency for those areas
Question 4

Type 1:
Which of the following is the most significant risk of changing from using a traditional audit approach to a facilitated control self-assessment (FCSA) workshop approach without adequate planning and preparation?
a) FCSA workshops may not provide enough independence
b) The audit work will not be completed on time
c) Critical risk issues may not be identified by the process
d) The final report will not be able to be released to senior management

Type 2:
In a risk-based audit approach, the IS auditor must consider the inherent risk as well as considering:
a) how to eliminate the risk through the application of controls
b) the balance of loss potential vs. the cost to implement controls
c) whether the risk is material regardless of management's tolerance for risk
d) whether the residual risk is higher than the insurance coverage purchased
Question 5

Type 1:
An IS auditor is developing an audit plan for a repeat client. The auditor reviews the prior year audit plan and finds that the previous plan was designed to review the company network and e-mail systems, which were newly implemented last year, but the plan did not include reviewing the e-commerce web server. The company IT manager indicates that this year the organization prefers to focus the audit on a newly implemented enterprise resource planning (ERP) application. How should the IS auditor respond?
a) Audit the new ERP application as requested by the IT manager
b) Audit the e-commerce server since it was not audited last year
c) Determine the highest-risk systems and plan the audit based on the results
d) Audit both the e-commerce server and the ERP application

Type 2:
An IS auditor has been asked to review the security controls for a critical web-based order system shortly before the scheduled go-live date. The auditor conducts a penetration test which produces inconclusive results, and additional testing cannot be concluded by the completion date agreed for the audit. Which of the following is the BEST option for the auditor?
a) Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing
b) Publish a report omitting the areas where the evidence obtained from testing was inconclusive
c) Request a delay of the go-live date until additional security testing can be completed and evidence of appropriate controls can be obtained
d) Inform management that audit work cannot be completed within the agreed time frame and recommend that the audit be postponed
Question 6

Type 1:
An IS auditor has been asked to review the security controls for a critical web-based order system shortly before the scheduled go-live date. The auditor conducts a penetration test which produces inconclusive results, and additional testing cannot be concluded by the completion date agreed for the audit. Which of the following is the BEST option for the auditor?
a) Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing
b) Publish a report omitting the areas where the evidence obtained from testing was inconclusive
c) Request a delay of the go-live date until additional security testing can be completed and evidence of appropriate controls can be obtained
d) Inform management that audit work cannot be completed within the agreed time frame and recommend that the audit be postponed

Type 2:
An IS auditor is developing an audit plan for a repeat client. The auditor reviews the prior year audit plan and finds that the previous plan was designed to review the company network and e-mail systems, which were newly implemented last year, but the plan did not include reviewing the e-commerce web server. The company IT manager indicates that this year the organization prefers to focus the audit on a newly implemented enterprise resource planning (ERP) application. How should the IS auditor respond?
a) Audit the new ERP application as requested by the IT manager
b) Audit the e-commerce server since it was not audited last year
c) Determine the highest-risk systems and plan the audit based on the results
d) Audit both the e-commerce server and the ERP application
Question 7

Type 1:
In a risk-based audit approach, the IS auditor must consider the inherent risk as well as considering:
a) how to eliminate the risk through the application of controls
b) the balance of loss potential vs. the cost to implement controls
c) whether the risk is material regardless of management's tolerance for risk
d) whether the residual risk is higher than the insurance coverage purchased

Type 2:
Which of the following is the most significant risk of changing from using a traditional audit approach to a facilitated control self-assessment (FCSA) workshop approach without adequate planning and preparation?
a) FCSA workshops may not provide enough independence
b) The audit work will not be completed on time
c) Critical risk issues may not be identified by the process
d) The final report will not be able to be released to senior management
Question 8

Type 1:
The internal audit department of an organization has developed and maintained ACL scripts for continuous auditing purposes. These scripts were provided to IT management for continuous monitoring purposes. This situation resulted in a potential conflict related to the auditor's independence and objectivity. Which of the following actions would BEST resolve this issue?
a) The internal audit team should stop sharing the scripts so that IT management must develop its own scripts
b) Since continuous monitoring and continuous auditing are similar functions, IT management should assign the continuous monitoring task to the internal audit department
c) IT management should continue to use the scripts for continuous monitoring purposes with the understanding that it is responsible for testing and maintaining the scripts that it uses
d) The internal audit team should review the areas where these scripts are being used and reduce the audit scope and frequency for those areas

Type 2:
An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should present the MOST concern to the IS auditor?
a) The owner of the system was not present at the time of evidence retrieval
b) The system was powered off by an investigator
c) There are no documented logs of the transportation of evidence
d) The contents of the random access memory (RAM) were not backed up
Question 9

Type 1 / Type 2