Case Study 1: IT Enabled Assurance Services

Answers

1. What should an IS Auditor do FIRST, when he observed that two users are constantly
trying to access some external sources?

A. Issue an Audit Finding

B. Inform the management and expand the sample to get further evidences.
C. Seek Explanations from Management
D. Ask for clarification from the Firewall Vendor

The Correct Answer is: B

A. Directly issuing an Audit Finding, without gathering sufficient and appropriate

audit evidence is not the proper practice as per the Standards.
B. IS Audit and Assurance Standards suggest that an IS Auditor should gather
sufficient and appropriate audit evidence on which his opinion is based.
Here the IS Auditor needs to determine whether this is an isolated incident
or a systematic failure. It would be a good practice to make management
informed about the incident.
C. Directly seeking explanations from management, without gathering sufficient and
appropriate audit evidence is not the proper practice as per the Standards.
D. Directly asking clarifications from Firewall Vendor without investigating the matter
further is not the proper practice on the part of IS Auditor.

2. An IS Auditor found one security loophole in the System. However, when the IT
Management got to know about it, immediately corrected it. The IS Auditor should:
A. Include the same in his Audit Report.
B. Don’t include in the Audit Report as the same is corrected.
C. Don’t include in the Audit Report but discuss the same in Exit Interview for
recommendation.
D. Don’t include in the Audit Report and send a letter of appreciation to IT
Management.

The Correct Answer is: A

A. As per the IS Audit and Assurance Standards, any finding, whether
subsequently corrected or not should be included in the IS Audit Report as
well as the matter was rectified beyond the audit period.
B. Not including the finding as it is corrected is not the proper treatment as per IS
Audit and Assurance Standards.
C. Not including the finding and discussing the same only at Exit Interview is not the
proper treatment as per IS Audit and Assurance Standards.
D. Not including the material audit finding is not the proper treatment as per IS Audit
and Assurance Standards. A Letter of appreciation has nothing to do with
Auditor’s Responsibilities of including material finding in IS Audit Report.

3. IS Auditor rightly found one weakness in the Firewall implementation and he

recommended the name of technical expert to address the weakness. The IS Auditor
has failed to maintain:
A. Professional Competence
 B. Organizational Independence
C. Professional Independence
D. Personal Competence

The Correct Answer is: C

A. Professional Competence is nowhere failed as the diagnosis of the Auditor is

correct.
B. Organizational Independence has no role to play here as in the given question
only one matter is involved which is related to only one of the area of
organization.
C. Professional Independence carries the highest weight age in Assurance
Services field. If due to any action of the IS Auditor, his capacity to carry
out audit independently is hindered then the same amounts to failure to
maintain Professional Independence.
D. Personal Competence has no role to play here.
 Case Study 2: CAAT
Answers

1. What should IS auditor do first?

A. Perform an IT Risk assessment
B. Perform a survey audit of logical access control
C. Revise the Audit plan to focus on risk-based auditing
D. Begin testing controls that the IS Auditor feels are most critical

The Correct Answer is: A

A. An IT Risk assessment should be performed first to ascertain which areas

present the greatest risks and what controls mitigate those risks. Although
narratives and process flows have been created, the organization has not
yet assessed which controls are critical.
B. Survey audit would be undertaken after performing IT Risk Assessment.
C. Revising the audit plan been done mainly after IT risk assessment.
D. Testing controls are the activities after IT risk assessment.

2. While auditing program change management, how the sample should be selected?
A. Change management documents should be selected at random and examined
for appropriateness
B. Changes to production code should be sampled and traced to the appropriate
authorizing documents
C. Change management documents should be selected based on system criticality
and examined for appropriateness
D. Changes to production code should be sampled and traced back to system-
produced logs indicating the date and time of the change.

The Correct Answer is: B

A. When testing a control, it is advisable to trace from the item being controlled to
the relevant control documentation. When a sample is chosen from a set on
control documents, there is no way to ensure that every change was
accompanied by appropriate control documentation.
B. Changes to production code provide the most appropriate basis for
selecting sample. These sampled changes should then be traced to
appropriate authorizing documentation.
C. Selecting from the population of change management documents will not reveal
any changes that bypassed the normal approval and documentation process.
D. Comparing production code changes to system produced logs will not provide
evidence of proper approval of changes prior to their being migrated to
production.

3. The most appropriate CAAT tools the auditor should use to test security configuration
settings for the entire application system is:
A. Generalised Audit Software (GAS)
B. Test data
C. Utility software
D. Expert system.