Professional Documents
Culture Documents
The PRIMARY objective of the audit initiation meeting with an IS audit client
is to:
A. discuss the scope of the audit.
B. identify resource requirements of the audit.
C. select the methodology of the audit.
D. collect audit evidence.
discuss the scope of the audit. (The primary objective of the initiation
meeting with an audit client is to help define the scope of the audit. B is
incorrect because determining the resource requirements of the IS audit is
typically done by IS audit management during the early planning phase of
the project rather than at the initiation meeting. C is incorrect because
selecting the audit methodology is different from the objective of the
initiation meeting. D is incorrect because for most audits, collecting audit
evidence is performed during the engagement and is not normally collected
during the initiation meeting.)
The PRIMARY reason an IS auditor performs a functional walk-through during
the preliminary phase of an audit assignment is to:
A. understand the business process.
B. comply with auditing standards.
C. identify control weakness.
D. develop the risk assessment.
understand the business process. (This is the first step an IS auditor needs
to perform. B is incorrect because the Standards encourage adopting the
audit procedures/processes required to assist the IS auditor in performing
IS audits more effectively. However, standards do not require an IS auditor
to perform a process walk-through at the commencement of an audit
engagement. C is incorrect because this is not the primary reason for the
walk-through and typically occurs later in the audit. D is incorrect because
the risk assessment is developed after the business process is understood.)
A company has recently upgraded its purchase system to incorporate electronic
data interchange (EDI) transmissions. Which of the following controls should
be implemented in the EDI interface to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements
Functional acknowledgements (Acting as an audit trail for electronic data
interchange transactions, functional acknowledgments are one of the main
controls used in data mapping. Key verification is used for data encryption
and protection but not for mapping. One-for-one checking validates that
transactions are accurate and complete but does not map data. Manual
recalculations verify that the processing is correct but do not map data.)
Which of the following is the segregation of duties an example of?
A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Preventive control (Segregation of duties is an attempt to prevent fraud or
irregularities by segregating duties such that no single employee can
commit fraud or other irregularities.)
An external IS auditor issues an audit report pointing out the lack of firewall
protection features at the perimeter network gateway and recommending a
specific vendor product to address this vulnerability. The IS auditor has failed to
exercise:
A. professional independence.
B. organizational independence.
C. technical competence.
D. professional competence.
professional independence. (When an IS auditor recommends a specific
vendor, the auditor's professional independence is compromised. B is
incorrect because this has no relevance to the content of an audit report
and should be considered when accepting the engagement. C and D are
incorrect because they are not relevant to the requirement of
independence.)
Which of the following represents an example of a preventive control with
respect to IT personnel?
A. A security guard stationed at the server room door
B. An intrusion detection system
C. Implementation of a badge entry system for the IT facility
D. A fire suppression system in the server room
Implementation of a badge entry system for the IT facility (Preventive
controls are used to reduce the probability of an adverse event. A badge
entry system prevents unauthorized entry to the facility. A is incorrect
because a security guard stationed at the server room door is a deterrent
control. B is incorrect because an intrusion detection system is a detective
control. D is incorrect because a fire suppression system is a corrective
control.)
What kind of control is a control that enables a deficiency or another
irregularity to be corrected before a loss occurs?
A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Corrective control (Corrective controls are designed to minimize the
impact of a threat event once it has occurred and help restore the routine
operations of the business.)
Which of the following situations could impair the independence of an IS
auditor? The IS auditor:
A. implemented specific functionality during the development of an application.
B. designed an embedded audit module for auditing an application.
C. participated as a member of an application project team and did not have
operational responsibilities.
D. provided consulting advice concerning application good practices.
implemented specific functionality during the development of an
application. (Independence may be impaired if an IS auditor is, or has
been, actively involved in developing, acquiring, and implementing the
application system. Designing an embedded audit module does not impair
an IS auditor's independence. IS auditors should not audit their work, but
participating in the application system project team does not impair an IS
auditor's independence. An IS auditor's independence is not impaired by
providing advice on known good practices.)
Which of the following is the PRIMARY requirement for reporting IS audit
results? The report is:
A. prepared according to a predefined and standard template.
B. backed by sufficient and appropriate audit evidence.
C. comprehensive in coverage of enterprise processes.
D. reviewed and approved by audit management.
backed by sufficient and appropriate audit evidence. (IS audit standards
require that reports be backed by sufficient and appropriate audit evidence
to demonstrate the application of the minimum standard of performance,
and the findings and recommendations can be validated if required. A is
incorrect because this may be useful in ensuring that all key aspects are
provided in a uniform structure. However, this must demonstrate that
audit findings are based on evidence that can be proven if required. C is
incorrect because a risk assessment process defines the scope and coverage
of IS audits, which may only sometimes provide comprehensive coverage of
enterprise processes. D is incorrect because while from an operational
standpoint, an audit report should be reviewed and approved by audit
management, the more critical consideration is that all conclusions are
backed by sufficient and appropriate audit evidence.)
Which of the following is the best course of action if it is not possible to cover
the total audit scope due to resource constraints?
A. Concentrate on last year's audit findings
B. Rely on the management assurance of internal controls.
C. Focus on high-risk areas.
D. Concentrate on the effectiveness of controls.
Focus on high-risk areas. (The best course of action is to reduce the audit
scope and focus on high-risk areas. The other options do not concentrate on
areas requiring more audit focus.)
An IS auditor has identified a business process to be audited. The IS auditor
should NEXT identify the:
A. most valuable information assets.
B. IS audit resources to be deployed.
C. auditee personnel to be interviewed.
D. control objectives and activities.
control objectives and activities. (After identifying the business process, the
auditor should identify the control objectives and activities associated with
the business process validated in the audit. A is incorrect because all assets
need to be identified. To determine the key information assets to be audited,
the auditor should determine which control objectives and key control
activities should be validated. B is incorrect because only after determining
which controls and related relevant information assets are to be validated
can the IS auditor decide on the key IS audit resources (with the relevant
skill sets) that should be deployed for the audit. C is incorrect because only
after determining the key control activities to be validated can the auditor
identify the relevant process personnel who should be interviewed.)
Barriers or warning signs are examples of what kind of control?
A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Deterrent control (A deterrent control is anything intended to warn a
potential attacker not to attack.)
Which of the following controls would an IS auditor look for in an environment
where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
Compensating controls (These are internal controls that are intended to
reduce the risk of an existing or potential control weakness that may arise
when duties cannot be appropriately segregated. A is incorrect because
These two controls address the same control objective or exposure. It is
difficult to install overlapping controls because primary controls cannot be
achieved when duties cannot or are not appropriately segregated. B is
incorrect because boundary controls establish the interface between the
would-be user of a computer system and the computer system itself and are
individual-based, not role-based, controls. C is incorrect because resource
access controls are based on individuals and not roles. For a lack of
segregation of duties, the IS auditor expects to find that a person has higher
access levels than ideal. The IS auditor wants to find compensating controls
to address this risk.)
Utilizing a service of only qualified resource is an example of:
A. Preventive control
B. Detective control
C. Corrective control
D. Internal control
Preventive control (Employing only qualified personnel is an attempt to
prevent errors or other irregularities.)
What should be the next course of action for an IS auditor once the potential
material findings are discovered?
A. Discuss the potential findings with the business unit
B. Conduct additional testing
C. Report the potential findings to the audit committee
D. Recommend closure of the findings before the issuance of a report
Conduct additional testing (The best course of action is to perform
additional testing to confirm the correctness of the audit findings. Only
based on sufficient objective evidence should audit findings be reported.
Additional testing should confirm findings before they are discussed with
the business unit or reported to the audit committee.)
An IS auditor who has discovered unauthorized transactions during a review of
electronic data interchange (EDI) transactions is likely to recommend
improving the:
A. EDI trading partner agreements.
B. physical controls for terminals.
C. authentication techniques for sending and receiving messages.
D. program change control procedures.
authentication techniques for sending and receiving messages. (They play a
key role in minimizing exposure to unauthorized transactions. A is
incorrect because these minimize exposure to legal issues but do not resolve
the problem of unauthorized transactions. B is incorrect because this is
important and may provide protection from unauthorized people accessing
the system but does not provide protection from unauthorized transactions
by authorized users. D is incorrect because change control procedures do
not resolve the issue of unauthorized transactions.)
A check subroutine that identifies an error and makes a correction before
enabling the process to continue is an example of what kind of control?
A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Corrective control (The check subroutine corrects the error. It modifies the
processing system and minimizes the likelihood of future problem
occurrences.)
The requirement of biometric access for physical facilities is an example of
what kind of control?
A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Preventive control (Access control aims to prevent access by unauthorized
persons. It prevents omissions, errors, or malicious acts from occurring)
What is the primary consideration when evaluating the acceptable level of risk?
A. The acceptance of risk by higher management
B. That not all risks need to be addressed
C. That all relevant risks must be recognized and documented for analysis
D. The involvement of line management in risk analysis
That all relevant risks must be recognized and documented for analysis (It
is most important that identified risks are properly documented. After
proper documentation, other factors should be considered.)
The internal audit department has written some scripts that are used for
continuous auditing of some information systems. The IT department has asked
for copies of the scripts so that they can use them for setting up a continuous
monitoring process on key systems. Would sharing these scripts with IT affect
the ability of the IS auditors to independently and objectively audit the IT
function?
A. Sharing the scripts is not permitted because it would give IT the ability to
pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all
programs and software that runs on IS systems regardless of audit
independence.
C. Sharing the scripts is permissible as long as IT recognizes that audits may
still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because it would mean that the IS
auditors who wrote the scripts would not be permitted to audit any IS systems
where the scripts are being used for monitoring.
Sharing the scripts is permissible as long as IT recognizes that audits may
still be conducted in areas not covered in the scripts. (IS audit can still
review all aspects of the systems. They may not be able to review the
effectiveness of the scripts, but they can still audit the systems. A is
incorrect because the ability of IT to monitor and address any issues on IT
systems continuously does not affect the ability of IS audit to perform a
comprehensive audit. B is incorrect because sharing the scripts may be
required by policy for quality assurance and configuration management,
but that does not impair the ability to audit. D is incorrect because an audit
of an IS system encompasses more than just the controls covered in the
scripts.)
Which of the following would be a major concern in the absence of established
audit objectives?
A. Not being able to determine the audit's budget
B. Not being able to identify key stakeholders
C. Not being able to determine key business risks
D. Not being able to determine previous audit findings
Not being able to determine key business risks (In the absence of audit
objectives, an audit scope cannot be determined; hence, a key business risk
may not be identified. The auditor might not audit areas of highest risk for
the organization. Other options are secondary concerns.)
An IS audit department is considering implementing continuous auditing
techniques for a multinational retail enterprise that processes a large volume of
transactions per day. A PRIMARY benefit of continuous auditing is that:
A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.
fraud can be detected more quickly. (Continuous auditing techniques assist
the auditing function in reducing the use of auditing resources through
continuous evidence collection. This approach helps the auditors identify
fraud in a timely fashion and allows the auditors to focus on relevant data.
A is wrong because continuous monitoring is detective and does not
necessarily assist the auditor in monitoring preventive controls. The
approach will detect and monitor for errors that have already occurred. In
addition, continuous monitoring will benefit the internal audit function by
reducing the use of auditing resources and timely reporting of errors. B is
wrong because system integrity is associated with preventive controls such
as input controls and quality assurance reviews. C is wrong because
continuous audits will detect errors. Correcting errors is a management
function.)
The purpose of a checksum on an amount field in an electronic data interchange
communication of financial transactions is to ensure:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.
integrity. (A checksum calculated on an amount field and included in the
electronic data interchange communication can be used to identify
unauthorized modifications. B and C are incorrect because a checksum
cannot establish this alone and needs other controls. D is incorrect because
this can be ensured by using digital signatures.)
An "echo" message in a telecommunications protocol is an example of what
kind of control?
A. Preventive control
B. Detective control
C. Corrective control
D. Compensating control
Detective control (Detective controls use controls that detect and report the
prevalence of an error, omission, or malicious act.)
Which of the following is in the BEST position to approve changes to the audit
charter?
A. Board of directors
B. Audit committee
C. Executive management
D. Director of internal audit
Audit committee (The audit committee is a subgroup of the board of
directors. The audit department should report to the audit committee, and
the committee should approve the audit charter. A is incorrect because the
board of directors does not need to approve the charter; it is best presented
to the audit committee for approval. C is incorrect because executive
management is not required to approve the audit charter and will not have
the independence to approve the charter. The audit committee is best
positioned to approve the charter because it is an independent and senior
group. D is incorrect because while the director of internal audit may draft
the charter and make changes, the audit committee should have the final
approval of the charter.)
An organization uses a bank to process its weekly payroll. Time sheets and
payroll adjustment forms (e.g., hourly rate changes, terminations) are completed
and delivered to the bank, which prepares checks and reports for distribution.
To BEST ensure payroll data accuracy:
A. payroll reports should be compared to input forms.
B. gross payroll should be recalculated manually.
C. checks should be compared to input forms.
D. checks should be reconciled with output reports.
payroll reports should be compared to input forms. (The best way to
confirm data accuracy, when input is provided by the organization and
output is generated by the bank, is to verify the data input (input forms)
with the results of the payroll reports. Recalculating gross payroll manually
only verifies whether the processing is correct and not the data accuracy of
inputs. Comparing checks to input forms is not feasible because checks
contain the processed information and input forms contain the input data.
Reconciling checks with output reports only confirms that checks were
issued as stated on output reports.)
Checkpoints in a production job are examples of what kind of control?
A. Preventive control
B. Detective control
C. Corrective control
D. Compensating control
Detective control (Detective controls detect and report the prevalence of an
error, omission, or malicious act.)
In a small organization, the function of release manager and application
programmer are performed by the same employee. What is
the BEST compensating control in this scenario?
A. Hiring additional staff to provide segregation of duties
B. Preventing the release manager from making program modifications
C. Logging of changes to development libraries
D. Verifying that only approved program changes are implemented
Verifying that only approved program changes are implemented
(Compensating controls are used to mitigate risk when proper controls are
not feasible or practical. Hiring new staff may be challenging in a small
organization, so compensating control may be necessary. Verifying
program changes has roughly the same effect as intended by the complete
segregation of duties. A is incorrect because establishing segregation of
duties is not a compensating control but a preventive control. Hiring new
staff may be challenging in a small organization, so compensating control
may be necessary. B is incorrect because since the release manager is
performing dual roles, preventing them from making program
modifications is not feasible, and, in a small organization, segregation of
duties may not be possible. C is incorrect because logging changes to
development libraries does not detect changes to production libraries.)
As part of audit planning, an IS auditor is designing various data validation tests
to effectively detect transposition and transcription errors. Which of the
following will BEST help in detecting these errors?
A. Range check
B. Validity check
C. Duplicate check
D. Check digit
Check digit (A check digit is a numeric value calculated mathematically
and added to data to ensure that original data have not been altered or that
an incorrect but valid match has occurred. The check digit control is
effective in detecting transposition and transcription errors. A is incorrect
because range checks can only ensure that data falls within a
predetermined range but cannot detect transposition errors. B is incorrect
because validity checks are generally programmed checking of data
validity by predetermined criteria. C is incorrect because duplicate check
analysis tests defined or selected primary keys for duplicate primary key
values.)
Particular threat of an overall business risk indicated as:
A. The product of the probability and impact
B. The probability of threat realization
C. The valuation of the impact
D. The valuation of the risk management team
The product of the probability and impact (Risk is the product of impact
and product. Option A considers both probability and impact. Option B
considers only the probability of occurrence. Option C considers only the
quantum of the impact. Option D does not apply to the structured and
scientific risk assessment process.)
An IS auditor performing a review of application controls would evaluate the:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D. application's optimization.
impact of any exposures discovered. (An application control review
involves the evaluation of the application's automated controls and an
assessment of any exposures resulting from the control weaknesses. A is
incorrect because the IS auditor is reviewing the controls' effectiveness, not
the application's suitability to meet business needs. C is incorrect because
this is not part of an audit restricted to a review of the application controls.
D is incorrect because one area to be reviewed may be the efficiency and
optimization of the application, but this is not the area being reviewed in
this audit.)
The prime consideration in determining the objective and scope of an audit is:
A. The statutory requirements applicable to the organization
B. The policies and procedures of the organization
C. The complexity of the business process
D. The organization's structure
The statutory requirements applicable to the organization (The prime
consideration in determining the objective and scope of an audit is the
statutory requirements applicable to the organization. The auditor cannot
limit the scope relating to statutory requirements. Although the other
factors are important, the prime consideration should be given to the full
coverage of statutory requirements.)
An external IS auditor discovers that systems in the scope of the audit were
implemented by an associate. In such a circumstance, IS audit management
should:
A. remove the IS auditor from the engagement.
B. cancel the engagement.
C. disclose the issue to the client.
D. take steps to restore the IS auditor's independence.
disclose the issue to the client. (In circumstances in which the IS auditor's
independence is impaired, and the IS auditor continues to be associated
with the audit, the facts surrounding the issue of the IS auditor's
independence should be disclosed to the appropriate management and in
the report. A is incorrect because it is not necessary to withdraw the IS
auditor unless a statutory limitation exists in certain countries. B is
incorrect because canceling the engagement is not required if properly
disclosed and accepted. D is incorrect because this is not a feasible solution.
The independence of the IS auditor cannot be restored while continuing to
conduct the audit.)
The extent to which data will be collected during an IS audit should be
determined based on the:
A. availability of critical and required information.
B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant evidence.
D. purpose and scope of the audit being done.
purpose and scope of the audit being done. (The extent of data collection
during an IS audit should be related directly to the scope and purpose of
the audit. An IS audit with a narrow purpose and scope or a high-level
review will likely require less data collection. A is wrong because there
should be no constraints on the ease of obtaining the information or the
auditor's familiarity. B is wrong because an auditor must be objective,
thorough, and not subject to audit risk through preconceived results based
on familiarity with the audited area. C is wrong because collecting all the
required evidence is a required element of an IS audit, and the scope of the
audit should not be limited by the auditee's ability to find relevant
evidence. If evidence is not readily available, the auditor must ensure that
other forms of audit are considered to ensure compliance in the area
subject to audit.)
Which of the following is the most critical aspect of a risk analysis?
A. Identifying competitors
B. Identifying the existing controls
C. Identifying vulnerabilities
D. Identifying the reporting matrix of the organization
Identifying vulnerabilities (Identifying vulnerabilities is an important
aspect of conducting a risk assessment. If a vulnerability is appropriately
recognized, controls and audit planning may not be effective.)
What is the best approach when focusing an audit on a high-risk area?
A. Perform the audit to identify the control failures
B. Perform the audit and then perform a risk assessment
C. Perform a risk assessment first and then concentrate control tests in the high
risk areas
D. Increase sampling rates in high-risk areas
Perform a risk assessment first and then concentrate control tests in the
high risk areas (Based on risk assessment, the audit team should devote
more testing resources to high-risk areas.)
An IS auditor has been assigned to audit a business continuity plan. The same
auditor was involved in designing the business continuity plan. The IS auditor
should:
A. Accept the assignment
B. Provide a disclaimer of conflict of interest to audit management before
accepting the audit
C. Provide a disclaimer of conflict of interest to the business continuity team
before accepting the audit
D. Request audit management not to conduct the audit as the business
continuity plan is well-designed
Provide a disclaimer of conflict of interest to audit management before
accepting the audit (It is the responsibility of the IS auditor to
communicate any possible conflict of interest to audit management that can
impact the IS auditor's independence. Audit management will make
further calls on this aspect.)
Which of the following is correct with respect to confidence correlation?
A. A small sample size gives a high correlation of confidence.
B. The confidence coefficient may be lowered if the auditor knows that internal
controls are stringent.
C. A low correlation of confidence will lead to a high sample size.
D. A high sample size gives a low correlation of confidence.
The confidence coefficient may be lowered if the auditor knows that
internal controls are stringent. (The confidence coefficient, or confidence
level, is a measure of the accuracy and confidence of the quality of the
sample. Sample size and confidence correlation are directly related. A high
sample size will give a high confidence coefficient. A confidence
coefficient/sample size may be lowered if the auditor knows that the
internal controls are stringent. When the internal control environment is
strong, detail testing is not required; hence, a small sample size is required.)
Controls that minimize the impact of a threat are what kind of controls?
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Corrective controls (Corrective controls are designed to minimize the
impact of a threat event once it has occurred and help restore the routine
operations of a business.)
The MOST important reason for an IS auditor to obtain sufficient and
appropriate audit evidence is to:
A. comply with regulatory requirements.
B. provide a basis for drawing reasonable conclusions.
C. ensure complete audit coverage.
D. perform the audit according to the defined scope.
provide a basis for drawing reasonable conclusions. (The scope of an IS
audit is defined by its objectives, and it involves identifying control
weaknesses relevant to the scope of the audit. Obtaining sufficient and
appropriate evidence assists the auditor in identifying control weaknesses
and documenting and validating them. A is wrong because this is relevant
to an audit but is not the most important reason why sufficient and relevant
evidence is required. C is wrong because ensuring coverage is relevant to
conducting an IS audit but is not the most important reason why sufficient
and relevant evidence is required. The reason for obtaining evidence is to
ensure the audit conclusions are factual and accurate. D is wrong because
the execution of an audit to meet its defined scope is relevant to an audit
but is not the reason why sufficient and relevant evidence is required.)
Which of the following is the next step once the audit findings have been
identified?
A. Discuss it with auditee management to find agreement on the findings
B. Determine remedial measures for the findings
C. Inform senior management about the findings
D. Obtain assurance from management to close the findings
Discuss it with auditee management to find agreement on the findings
(After identifying the findings, the IS auditor should reach an agreement on
the finding with auditee management. If the findings are not agreed upon,
then there may be an issue at a later stage. When an agreement is obtained,
it implies that the finding is understood and further action can be
determined.)
During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is
to:
A. address audit objectives.
B. collect sufficient evidence.
C. specify appropriate tests.
D. minimize audit resources.
address audit objectives. (ISACA Standards require that an IS auditor plan
the audit work to address the audit objectives. The activities described in
the other options are all undertaken to address audit objectives and, thus,
are secondary. B is incorrect because the IS Auditor needs to collect
evidence in the planning stage of an audit. C is incorrect because this is not
the primary goal of audit planning. D is incorrect because effective use of
audit resources is a goal of audit planning, not minimizing audit resources.)
Controls that remedy problems observed by means of detective controls are
what kind of controls?
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Corrective controls (Corrective controls are designed to minimize the
impact of a threat event once it has occurred and help in restoring to the
routine operations of a business. They provide a remedy to problems
discovered by detective controls.)
When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:
A. controls needed to mitigate risk are in place.
B. vulnerabilities and threats are identified.
C. audit risk is considered.
D. a gap analysis is appropriate.
vulnerabilities and threats are identified. (While developing a risk-based
audit strategy, it is critical that the risks and vulnerabilities are understood.
They determine the areas to be audited and the extent of coverage. A is
incorrect because understanding whether appropriate controls required to
mitigate risk are in place is a resultant effect of an audit. C is incorrect
because audit risk is an inherent aspect of auditing, directly related to the
audit process and irrelevant to the risk analysis of the environment to be
audited. D is incorrect because a gap analysis normally compares the actual
state to an expected or desirable state.)
What does a lack of appropriate control measures indicate?
A. Threat
B. Magnitude of impact
C. Probability of occurrence
D. Vulnerability
Vulnerability (A lack of security measures indicates a weakness or
vulnerability. A vulnerability can be a lack of up-to-date anti-virus, weak
software coding, poor access control, etc. It must be noted that the
organization can control vulnerabilities.)
Controls that indirectly address a risk or address the absence of controls that
would otherwise directly act upon that risk are what kind of controls?
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Compensating controls (Compensating controls are an alternate measure
employed to ensure that weaknesses in a system are not exploited. In many
cases, a strong control in one area can compensate for weaknesses in other
areas.)
A PRIMARY benefit derived for an organization employing control self-
assessment techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
can identify high-risk areas that might need a detailed review later.
(Control self-assessment (CSA) is predicated on the review of high-risk
areas that either need immediate attention or may require a more thorough
review later. B is incorrect because CSA requires the involvement of IS
auditors and line management. The internal audit function shifts some
control monitoring responsibilities to the functional areas. C is incorrect
because CSA is not a replacement for traditional audits. CSA is not
intended to replace audit responsibilities but to enhance them. D is
incorrect because CSA does not allow management to relinquish its
responsibility for control.)
Which of the following represents the risk that the controls will not prevent,
correct, or detect errors in a timely manner?
A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk
Control risk (Control risk refers to the risk that internal controls fail to
prevent or detect. Control risk refers to risk the organization's internal
control system will not be able to detect, correct, or prevent.)
Which of the following is the MOST critical step when planning an IS audit?
A. Review findings from prior audits.
B. Executive management’s approval of the audit plan.
C. Review IS security policies and procedures.
D. Perform a risk assessment.
Perform a risk assessment. (IS audit and assurance professionals shall
identify and assess risk relevant to the area under review when planning
individual engagements. If a risk assessment is not performed, high-risk
areas of the auditee systems or operations may not be evaluated. A is wrong
because the previous audit findings are of interest to the auditor, but there
are more critical steps. The most critical step involves finding the high-risk
areas, not reviewing the resolution of older issues. A review of previous
audit findings could indicate that management needs to resolve items, or
there could be a more effective recommendation. B is wrong because
executive management is not required to approve the audit plan but they
could recommend areas to audit. C is wrong because reviewing information
security policies and procedures is normally conducted during fieldwork,
not planning.)
When evaluating the controls of an electronic data interchange (EDI)
application, an IS auditor should PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.
improper transaction authorization. (Foremost among the risks associated
with electronic data interchange (EDI) is improper transaction
authorization. Because the interaction with the parties is electronic, there is
no inherent authentication. Improper authentication poses a serious risk of
financial loss. A is incorrect because an excessive turnaround time is an
inconvenience but not a serious risk. B is incorrect because the failure of
the application interface is a risk but not the most serious issue. Usually,
such a problem is temporary and easily fixed. D is incorrect because the
integrity of EDI transactions is important but less significant than the risk
of unauthorized transactions.)
Controls that predict potential problems before their occurrence are what kind
of controls?
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Preventive controls (Preventive controls detect problems before they arise
and prevent omissions, errors, or malicious acts.)
When evaluating the collective effect of preventive, detective and corrective
controls within a process, an IS auditor should be aware of which of the
following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls are regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing
The point at which controls are exercised as data flow through the system
(An IS auditor should focus on when controls are exercised as data flow
through a computer system. B is incorrect because corrective controls may
also be relevant since they allow an error or problem to be corrected. C is
incorrect because corrective controls remove or reduce the effects of errors
or irregularities and are not exclusively regarded as compensating controls.
D is incorrect because classification allows an IS auditor to determine
which controls are missing is incorrect. The existence and function of
controls are important but not the classification.)
Which of the following is the FIRST step performed prior to creating a risk
ranking for the annual internal IS audit plan?
A. Prioritize the identified risk.
B. Define the audit universe.
C. Identify the critical controls.
D. Determine the testing approach.
Define the audit universe. (In a risk-based audit approach, the IS auditor
identifies risk to the organization based on the nature of the business. To
plan an annual audit cycle, the types of risk must be ranked. To rank the
types of risk, the auditor must first define the audit universe by considering
the IT strategic plan, organizational structure, and authorization matrix. A
is wrong because after the audit universe is defined, the IS auditor can
prioritize risk based on its overall impact on different operational areas of
the organization covered under the audit universe. C is wrong because the
controls that help mitigate high-risk areas are generally critical controls,
and their effectiveness provides assurance on mitigating risk. However, this
can only be done if the types of risk are ranked. D is wrong because the
testing approach is based on the risk ranking.)
The first step to review a service-oriented application is:
A. To understand services and their allocation to business processes
B. To review the coding process in accordance with service security standards
C. To review the service level agreement
D. To audit the application security procedure
To understand services and their allocation to business processes (Service-
level architecture relies on the principle of multiple clients. The first step of
the assignment is to understand how the services are allocated to different
business units. Once this is done, the auditor will have a sufficient idea
about the risk environment based on which further audit procedures can be
developed.)
Why does an audit manager review the staff's audit papers, even when the IS
auditors have many years of experience?
A. Internal quality requirements
B. The audit guidelines
C. The audit methodology
D. Professional standards
Professional standards (Professional standards require supervision of audit
staff to accomplish audit objectives and comply with competence,
professional proficiency and documentation requirements, and more. A is
wrong because they may exist but are superseded by the supervision
required to comply with professional standards. B is wrong because these
exist to guide how to achieve compliance with professional standards. For
example, they may provide insights into the purpose of supervision and
examples of how supervisory duties are to be performed to achieve
compliance with professional standards. C is wrong because this is a well-
configured process/procedure to achieve audit objectives. While an audit
methodology is a meaningful tool, supervision is generally driven by
compliance with professional standards.)
The actions of the IS auditor is most likely to influence which of the following
risks?
A. Inherent
B. Detection
C. Control
D. Business
Detection (Detection risk refers to the risk that an internal audit fails to
prevent or detect. Inherent risk refers to the risk that exists before applying
any controls. Control risk refers to the risk internal controls fail to prevent
or detect. Inadequate audit procedures do not impact business risks.)
areas of significant risk. (When designing a risk-based audit plan, it is important
to identify the areas of highest risk to determine the areas to be audited. B is
incorrect because this should have been considered before deciding and
selecting the audit. Where the skills are inadequate, the organization should
consider using external resources. C is incorrect because these are not as critical
during the audit planning process as identifying the areas of risk that should be
audited. D is incorrect because this is determined during the planning process
based on the areas to be audited and primarily based on the requirement for an
appropriate audit.)
In planning an IS audit, the MOST critical step is the identification of the:
A. areas of significant risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit.
Detective controls are used to determine whether an error has occurred and
corrective controls fix problems before losses occur. (Detective controls are
designed to detect or indicate that an error has occurred. Examples of detective
controls include audits, hash totals, echo controls, and so on. Corrective controls
are designed to correct a risk or deficiency to prevent losses. Examples of
corrective controls include business continuity planning, backup procedures,
and more.)
Which of the following statements best describes detective controls and
corrective controls?
A. Both controls can prevent the occurrence of errors
B. Detective controls are used to avoid financial loss and corrective controls are
used to avoid operational risks
C. Detective controls are used as a deterrent check and corrective controls are
used to make management aware that an error has occurred
D. Detective controls are used to determine whether an error has occurred and
corrective controls fix problems before losses occur.
To give the auditor an overview for control testing (Based on control objectives,
an auditor can plan control testing to evaluate the effectiveness and efficiency of
implemented controls.)
Why are control objectives defined in an audit program?
A. To give the auditor an overview for control testing
B. To restrict the auditor to testing only documented controls
C. To prevent management from altering the scope of the audit
D. To help the auditor to plan for the resource requirements
Wire transfer procedures (Wire transfer procedures include segregation of duties
and help prevent internal fraud by not allowing one person to initiate, approve,
and send a wire. Therefore, the auditor should review the procedures related to
the wiring system. A is wrong because privileged access, such as administrator
access, is necessary to manage user account privileges and should not be
granted to end users. The wire transfer procedures are a better control to review
to ensure that the end users' duties are segregated to help prevent fraud. C is
wrong because fraud monitoring is a detective control and does not prevent
financial loss. Segregation of duties is a preventive control that is part of the
wire transfer procedures. D is wrong because controls related to background
checks are important; the controls related to the segregation of duties, as found
in the wire transfer procedures, are more critical.)
An IS auditor is reviewing risk and controls of a bank wire transfer system. To
ensure that the bank's financial risk is properly addressed, the IS auditor will
most likely review which of the following?
A. Privileged access to the wire transfer system
B. Wire transfer procedures
C. Fraud monitoring controls
D. Employee background checks
Control risk (Control risk is a term that signifies the possibility that a control
will fail to prevent or detect unwanted actions.)
Which of the following risks represents a process failure to detect a serious
error?
A. Detective risk
B. Inherent risk
C. Sampling risk
D. Control risk
outline the overall authority, scope and responsibilities of the audit function.
(An audit charter should state management's objectives for and delegation of
authority to IS auditors. A is wrong because the audit charter should not be
subject to technological changes and should not significantly change over time.
The charter should be approved at the highest level of management. B is wrong
because an audit charter states the authority and reporting requirements for the
audit but not the details of the maintenance of internal controls. C is wrong
because documenting the audit procedures designed to achieve the planned
audit objectives in the audit charter is not at a detailed level and, therefore, does
not include specific audit objectives or procedures.)
An audit charter should:
A. be dynamic and change to coincide with the changing nature of technology
and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the
maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit
objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
The key business process identified by senior management (To design a risk-
based audit plan, identifying the key business process is very important to
determine the area of audit focus. Once the key business process is identified,
the other options can be evaluated for further information.)
The most reliable source of information when designing a risk-based audit plan
is:
A. Key controls identified by the process owner
B. The key business process identified by senior management
C. Vulnerabilities identified by the process owner
D. The previous audit findings
identify and evaluate existing practices. (One of the main objectives of an audit
is to identify potential risks; the most proactive approach is to identify and
evaluate existing security practices and submit findings and risks to
management, with recommendations to document the current controls or
enforce the documented procedures. A is wrong because auditors should not
prepare documentation. After all, the process may need to be more compliant
with management objectives, and doing so could jeopardize their independence.
B is wrong because ending the audit and issuing an opinion will not address
identifying potential risks. The auditor should evaluate the practices in place.
The recommendation is to develop written procedures. Terminating the audit
may prevent identifying potential risks. C is wrong because there are no
documented procedures or basis against which to test compliance.)
During a security audit of IT processes, an IS auditor found that documented
security procedures did not exist. The IS auditor should:
A. create the procedures document based on the practices.
B. issue an opinion of the current state and end the audit.
C. conduct compliance testing on available data.
D. identify and evaluate existing practices.
Inventory of assets (The first step in developing a risk management program is
the identification of the assets to be protected. The other steps are to be followed
later once the inventory of assets is available.)
Which of the following is the first activity to be performed when developing a
risk management program?
A. A vulnerability assessment
B. Data classification
C. Inventory of assets
D. Process walk-through
Identifying high-risk processes (Identifying high-risk processes is the first and
most critical step in risk-based audit planning. Audit planning should be done
by high-risk areas.)
What is the initial step in risk-focused audit planning?
A. Identifying the role and responsibility of the relevant function
B. Identifying high-risk processes
C. Identifying the budget
D. Identifying the profit function
Attribute sampling. (The attribute sampling method is often used to test whether
or not a company's internal controls are being correctly followed. Attribute
sampling is used for compliance testing, and variable sampling is used for
substantive testing.)
Which sampling method will be best to ascertain the correctness of system
access rights as per the approved authorization matrix?
A. Heterogeneous sampling
B. Attribute sampling.
C. Homogeneous sampling
D. Stop-or-go sampling
To ensure that critical vulnerabilities and threats are recognized (The
identification of vulnerabilities and threats is critical in developing a risk-based
audit strategy. This will help in the determination of the processes to be
considered in the scope of the audit. The audit team can concentrate on high-
risk areas.)
What is the main objective of conducting a risk assessment?
A. To determine the segregation of duties for critical functions
B. To ensure that critical vulnerabilities and threats are recognized
C. To ensure that regulations are complied with
D. To ensure business profitability
Senior management identify key business processes. (Developing a risk-based
audit plan must start with identifying key business processes, which determine
and identify the risk that needs to be addressed. A is wrong because process
owners should be consulted to identify key controls, senior management is a
better source to identify more important business processes. B is wrong because
system custodians are a good source for better understanding the risks and
controls for specific applications; however, senior management is a better
source for identifying more important business processes. C is wrong because
reviewing previous audit results is one input into audit planning; however, if
previous audits focused on a limited or a restricted scope or if the key business
processes have changed and/or new business processes have been introduced,
then this does not contribute to the development of a risk-based audit plan.)
Which of the following choices would be the BEST source of information when
developing a risk-based audit plan?
A. Process owners identify key controls.
B. System custodians identify vulnerabilities.
C. Peer auditors understand previous audit results.
D. Senior management identify key business processes.
Compliance testing (Compliance testing helps to determine the presence of
controls. It indicates whether controls are being applied consistently. It helps to
evaluate whether new accounts were appropriately authorized.)
To determine the correct processing of the last 50 new user requisitions, which
of the following is best?
A. Discovery Sampling
B. Substantive testing
C. Compliance testing
D. Stop or Go Sampling
identify and evaluate the existing controls. (It is important for an IS auditor to
identify and evaluate the existence and effectiveness of existing and planned
controls so that the risk level can be calculated after the potential threats and
possible impacts are identified. A is incorrect because an audit risk assessment
is conducted for purposes different from management's risk assessment process.
B is incorrect because it is impossible to determine impact without identifying
the assets affected; therefore, this must already have been completed. C is
incorrect because, upon completion of a risk assessment, an IS auditor should
describe and discuss with management the threats and potential impacts on the
assets and recommendations for addressing the risk. However, this action cannot
be done until the controls are identified and the likelihood of the threat is
calculated.)
During a risk analysis, an IS auditor identifies threats and potential impacts.
Next, the IS auditor should:
A. ensure the risk assessment is aligned to management's risk assessment
process.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.
To address the audit's objectives (The primary goal when planning for an IS
audit is to address the audit objective. All the other options are secondary
goals.)
What is the primary goal during the planning phase of an IS audit?
A. To address the audit's objectives
B. To obtain evidence
C. To determine the audit's test
D. To minimize the audit's cost
Reviewing the threats and vulnerabilities impacting the assets (Identifying
vulnerabilities and threats is the first step in a risk assessment process. Once the
threats and vulnerabilities are identified, the auditor should evaluate existing
controls and their effectiveness to conclude the residual risk. Continuous risk
monitoring is implemented during the risk monitoring function.)
Which of the following is the first step in performing risk assessments of
information systems?
A. Reviewing the appropriateness of existing controls
B. Reviewing the effectiveness of existing controls
C. Reviewing the asset-related risk surveillance mechanism
D. Reviewing the threats and vulnerabilities impacting the assets
ability, as an IS auditor, to be independent of existing IT relationships.
(Independence should be continually assessed by the auditor and management.
This assessment should consider such factors as changes in personal
relationships, financial interests, and prior job assignments and responsibilities.
A is incorrect because this does not ensure technical competency. B is incorrect
because this is illegal in many parts of the world. C is incorrect because the fact
that the employee has worked in IT for many years may not ensure credibility.
The IS audit department's needs should be defined, and any candidate should be
evaluated against those requirements.)
A long-term IT employee with a strong technical background and broad
managerial experience has applied for a vacant position in the IS audit
department. Determining whether to hire this individual for this position should
be PRIMARILY based on the individual's experience and:
A. length of service, because this will help ensure technical competence.
B. age, because training in audit techniques may be impractical.
C. IT knowledge, because this will bring enhanced credibility to the audit
function.
D. ability, as an IS auditor, to be independent of existing IT relationships.
Identifying and analyzing the current controls (Once the threats and
vulnerabilities are identified, the auditor should evaluate existing controls to
conclude residual risk.)
What should be the next step of an IS auditor after identifying threats and
vulnerabilities in a business process?
A. Identifying the relevant process owner
B. Identifying the relevant information assets
C. Reporting the threat and its impact to the audit committee
D. Identifying and analyzing the current controls
To understand the business process (The main reason for a functional
walkthrough is to have a basic idea and knowledge about the business process.
Once the business process is understood, an assessment can be carried out.)
What is the primary reason for a functional walk-through?
A. To understand the business process
B. To review control effectiveness
C. To comply with auditing standards
D. To determine the audit's fees
Determine the highest-risk systems and plan accordingly. (The best action is to
conduct a risk assessment and design the audit plan to cover the highest risk
areas. The IS audit function shall use an appropriate risk assessment approach
and supporting methodology to develop the overall IS audit plan and determine
priorities for allocating IS audit resources effectively. A is wrong because
auditing new systems requested by management needs to reflect a risk-based
approach. The system can contain sensitive data and may present a risk of data
loss or disclosure to the organization. B is wrong because auditing systems not
included in last year's scope do not reflect a risk-based approach. Management
may know about problems with the new system and intentionally try to steer the
audit away from that vulnerable area. D is wrong because creating a risk-based
audit plan should be performed in cooperation with management.)
An IS auditor is developing an audit plan for an environment that includes new
systems. The organization's management wants the IS auditor to focus on
recently implemented systems. How should the IS auditor respond?
A. Audit the new systems as requested by management.
B. Audit systems not included in last year's scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year's scope and the new systems
The focus on high-risk areas (The main advantage of a risk-focused audit is that
the auditor can focus on areas of high risk. This will help to plan an audit so that
the audit team can concentrate on the high-risk processes.)
Which of the following is the main benefit of risk-based audit planning?
A. The communication of audit planning to the client in advance
B. The completion of the audit activity within the allocated budget constraints
C. The use of the latest auditing technology
D. The focus on high-risk areas
Identification of the assets (Identifying critical assets is the first step in
developing a risk assessment process.)
Which of the following is the first step in a risk management program?
A. Determining a vulnerability
B. Determining existing controls
C. Identification of the assets
D. Conducting a gap analysis
line managers assuming a portion of the responsibility for control monitoring.
(The primary objective of a control self-assessment (CSA) program is to
leverage the internal audit function by shifting some control monitoring
responsibilities to the functional area line managers. The success of a CSA
program depends on the degree to which line managers assume control
responsibility. This enables line managers to detect and respond to control errors
promptly. B is incorrect because CSA requires managers to participate in the
monitoring of controls. C is incorrect because implementing stringent controls
will not ensure that controls are working correctly. D is incorrect because better
supervision is a compensating and detective control and may assist in ensuring
control effectiveness but would work best when used in a formal process such
as CSA.)
The success of control self-assessment depends highly on:
A. line managers assuming a portion of the responsibility for control
monitoring.
B. assigning staff managers, the responsibility for building controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and monitoring of controls of assigned
duties.
A vulnerability (The lack of adequate controls represents a vulnerability,
exposing sensitive information and data to the risk of malicious damage, attack
or unauthorized access by hackers, employee error, environmental threat, or
equipment failure. This could result in a loss of sensitive information, financial
loss, legal penalties, or other losses. A is incorrect because the impact is the
measure of the consequence (including financial loss, reputational damage, and
loss of customer confidence) that a threat event may have. C is incorrect
because an asset is something of either tangible or intangible value worth
protecting, including people, systems, infrastructure, finances, and reputation. D
is incorrect because a threat is a potential cause of an unwanted incident.)
Which of the following does a lack of adequate controls represent?
A. An impact
B. A vulnerability
C. An asset
D. A threat
The criticality of the IT asset (Protecting an asset will involve costs. It is
important to understand the criticality of assets when designing appropriate
levels of protection.)
Which of the following should be the primary focus when considering the level
of security of an IT asset?
A. The criticality of the IT asset
B. The value of IT the asset
C. The owner of IT the asset
D. The business continuity arrangement for the IT asset
Finding vulnerabilities and threats that are applicable to IT assets (The biggest
factor in evaluating IT risk is finding and evaluating threats and vulnerabilities
associated with IT assets. The other options, though very important factors for
the risk assessment process, are less important than option A.)
Which of the following is a major factor in the evaluation of IT risks?
A. Finding vulnerabilities and threats that are applicable to IT assets
B. Analyzing loss expectancy
C. Benchmarking with industry
D. Analyzing previous audit reports
Detection risk (Detection risk refers to the risk that an internal audit fails to
prevent or detect.)
What is the risk of an inadequate audit methodology known as?
A. The procedural aspect
B. Control risk
C. Detection risk
D. Residual risk
Focus on auditing high-risk areas. (Reducing the scope and focusing on auditing
high-risk areas is the best course of action. A is incorrect because testing the
adequacy of control design is not the best course of action because this does not
ensure that controls operate effectively as designed. B is incorrect because
testing control operating effectiveness does not ensure the audit plan focuses on
areas of greatest risk. D is incorrect because the reliance on management testing
of controls does not provide objective verification of the control environment.)
Due to unexpected resource constraints of the IS audit team, the audit plan, as
originally approved, cannot be completed. Assuming the situation is
communicated in the audit report, which course of action is MOST acceptable?
A. Test the adequacy of the control design.
B. Test the operational effectiveness of controls.
C. Focus on auditing high-risk areas.
D. Rely on management testing of controls.
Participating in the design of the risk management framework (This involves
designing controls, which compromises the independence of the IS auditor to
audit the risk management process. B is incorrect because this does not
compromise the IS auditor's independence. After all, the IS auditor will not be
involved in the decision-making process. C is incorrect because this does not
hamper the IS auditor's independence. After all, the auditor will not be involved
in the decision-making process. D is incorrect because due diligence reviews are
a type of audit generally related to mergers and acquisitions.)
Which of the following responsibilities would MOST likely compromise the
independence of an IS auditor when reviewing the risk management process?
A. Participating in the design of the risk management framework
B. Advising on different implementation techniques
C. Facilitating risk awareness training
D. Performing due diligence of the risk management processes
Management ownership of the internal controls supporting business objectives
is reinforced. (The objective of control self-assessment (CSA) is to have
business management become more aware of the importance of internal control
and their responsibility in terms of corporate governance. B is incorrect because
this is not a key benefit of CSA. C is incorrect because improved fraud
detection is important but not as important as control ownership. It is not a
principal objective of CSA. D is incorrect because CSA may give more insights
to internal auditors, allowing them to take a more consultative role; however,
this is an additional benefit, not the key benefit.)
Which of the following is the key benefit of a control self-assessment?
A. Management ownership of the internal controls supporting business
objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to
external audit work.
C. Fraud detection will be improved because internal business staff are engaged
in testing controls.
D. Internal auditors can shift to a consultative approach by using the results of
the assessment.
verify the identity of senders and determine if orders correspond to contract
terms. (An electronic data interchange system is subject not only to the usual
risk exposures of computer systems but also to those arising from the potential
ineffectiveness of controls on the part of the trading partner and the third-party
service provider, making authentication of users and messages a major security
concern. A is incorrect because this is good practice but will not authenticate
customer orders. B is incorrect because this is a control for ensuring the
correctness of the organization's orders, not the authenticity of its customers'
orders. D is incorrect because this is an appropriate step but does not prove the
authenticity of messages received.)
An appropriate control for ensuring the authenticity of orders received in an
electronic data interchange system application is to:
A. acknowledge receipt of electronic orders with a confirmation message.
B. perform reasonableness checks on quantities ordered before filling orders.
C. verify the identity of senders and determine if orders correspond to contract
terms.
D. encrypt electronic orders.
Helps to mitigate risk (The most important factor for implementing controls is
to ensure that the controls address the risk.)
The most important factor when implementing controls is ensuring that the
control does which of the following?
A. Helps to mitigate risk
B. Does not impact productivity
C. Is cost effective
D. Is automated
Implementing relevant controls (The risk management process includes
assessing risk and, based on the outcome, designing various controls. The risk
assessment process aims to address the recognized risks by implementing
appropriate controls.)
What is the outcome of a risk assessment exercise utilized for?
A. Estimating profits
B. Calculating the ROI
C. Implementing relevant controls
D. Conducting user acceptance testing
assets have been identified and ranked. (Identification and ranking of
information assets (e.g., data criticality, sensitivity, locations of assets) will set
the tone or scope of assessing risk with the asset's organizational value. A is
wrong because organizations should analyze the threats to their assets. Each
asset should be analyzed according to its value to the organization. It occurs
after identifying and ranking assets. B is wrong because analyzing how these
weaknesses will impact the organization's information assets occurs after the
identified assets and weaknesses. D is wrong because the effect of security
breaches depends on the value of the assets and the threats, vulnerabilities, and
effectiveness of mitigating controls. The impact of an attack against a weakness
should be identified so that controls be evaluated to determine if they effectively
mitigate the weaknesses.)
An IS auditor performing an audit of the risk assessment process
should FIRST confirm that:
A. reasonable threats to the information assets are identified.
B. technical and organizational vulnerabilities have been analyzed.
C. assets have been identified and ranked.
D. the effects of potential security breaches have been evaluated.
Senior business management (Top business management has the final authority
and responsibility for the organization's smooth operation. They should refrain
from further delegating their responsibility for risk management. The other
options should help authorities determine the organization's risk appetite.)
With whom does the responsibility of managing risk to an acceptable level rest?
A. The risk management team
B. Senior business management
C. The chief information officer
D. The chief security officer
To determine the control objectives and activities (Once the business process to
be audited is identified, the next step is to identify the control objectives and
activities associated with the business processes. The next step is to identify the
audit resources. The audit universe is to be determined prior to the finalization
of the audit scope.)
What will be the immediate step once the business process to be audited is
identified?
A. To determine the audit universe
B. To determine the audit resources
C. To determine the key stakeholders
D. To determine the control objectives and activities
substantive testing. (Among other methods, such as document review or
walkthrough, tests of controls are the most effective procedures to assess
whether controls accurately support operational effectiveness. A is incorrect
because testing of control design assesses whether the control is structured to
meet a specific control objective. It does not help determine whether the control
is operating effectively. C is incorrect because control documents may not
accurately describe the process. Therefore, auditors relying on document review
have limited assurance that the control operates as intended. D is incorrect
because performing tests on risk prevention is incorrect. This is considered
compliance testing to determine whether policies are adhered to.)
The MOST effective audit practice to determine whether the operational
effectiveness of controls is properly applied to transaction processing is:
A. control design testing.
B. substantive testing.
C. inspection of relevant documentation.
D. perform tests on risk prevention.
Control self-assessment (CSA is reviewing business objectives and internal
controls in a formal and documented collaborative process. It includes testing
the design of automated application controls. A is incorrect because this only
looks at errors or problems but will not ensure controls are still working. B is
incorrect because this is important but may not be a consistent or well-defined
process compared to CSA. D is incorrect because these lack the direct
involvement of audit specialists and management.)
Which of the following is MOST important to ensure that effective application
controls are maintained?
A. Exception reporting
B. Manager involvement
C. Control self-assessment
D. Peer reviews
Determining the high-risk processes (In risk-based planning, it is very important
to determine high-risk areas. This will help to determine the areas to be
audited.)
In a risk-focused audit, which of the following is the most critical step?
A. Determining the high-risk processes
B. Determining the capability of audit resources
C. Determining the audit procedure
D. Determining the audit schedule
Conducting a risk assessment (A risk assessment is the first step to be
performed to allocate audit resources as per the high risks of the organization.
The other options are to be followed once the risk assessment is prepared.)
The first step in the planning phase of an audit is:
A. Designing an audit program
B. The allocation of audit resources
C. Identification of key stakeholders
D. Conducting a risk assessment
Identifying threats and their likelihood of occurrence (Once the critical assets
are identified, the next step is to determine vulnerabilities and then look at
threats and their probability of occurrence.)
An IS auditor has determined a few vulnerabilities in a critical application.
What should their next step be?
A. Reporting the risk to the audit committee immediately
B. Determining a system development methodology
C. Identifying threats and their likelihood of occurrence
D. Recommending the development of a new system
When the probability of error must be objectively quantified (To quantify the
probability of error objectively, there should not be any involvement of
subjectivity. In all such scenarios, statistical sampling is preferred.)
Statistical sampling is preferred over non-statistical sampling:
A. To reduce sampling error
B. For an inexperienced auditor
C. When the probability of error must be objectively quantified
D. To reduce audit error
Preventive (Having a manager approve transactions more than a certain amount
is considered a preventive control. A is incorrect because detective controls
identify events after they have happened. In this case, the action of the branch
manager would prevent an event from occurring. C is incorrect because a
corrective control remedies problems discovered by detective controls. In this
case, the action of the branch manager is a preventive control. D is incorrect
because a directive control is a manual control consisting of a policy or
procedure specifying actions to be performed. In this case, an automated control
prevents an event from occurring.)
A financial institution with multiple branch offices has an automated control
that requires the branch manager to approve transactions more than a certain
amount. What type of audit control is this?
A. Detective
B. Preventive
C. Corrective
D. Directive
Table lookups (These are preventive controls; input data are checked against
predefined tables, which prevent any undefined data from being entered. A is
incorrect because they are a detective control and provide audit trails. B is
incorrect because this makes it possible to trace the impact of transactions on
computer records. This is a detective control. D is incorrect because it is used to
test application systems and controls but is not a preventive control.)
Which of the following is evaluated as a preventive control by an IS auditor
performing an audit?
A. Transaction logs
B. Before and after image reporting
C. Table lookups
D. Tracing and tagging
continue to test the accounting application controls and include the deficiency in
the final report. (It is the responsibility of the IS auditor to report on findings
that can have a material impact on the effectiveness of controls—whether or not
they are within the scope of the audit. A is incorrect because the IS auditor
should not assume that the IT manager will follow through on a verbal
notification to resolve the change management control deficiency, and it is
inappropriate to offer consulting services on issues discovered during an audit.
B is incorrect because although not technically within the audit scope, it is the
responsibility of the IS auditor to report findings discovered during an audit that
can have a material impact on the effectiveness of controls. D is incorrect
because it is not the role of the IS auditor to demand that IT work be completed
before performing or completing an audit.)
While performing an audit of an accounting application's internal data integrity
controls, an IS auditor identifies a major control deficiency in the change
management software supporting the accounting application.
The MOST appropriate action for the IS auditor to take is to:
A. continue to test the accounting application controls and inform the IT
manager about the control deficiency and recommend possible solutions.
B. complete the audit and not report the control deficiency because it is not part
of the audit scope.
C. continue to test the accounting application controls and include the
deficiency in the final report.
D. cease all audit activity until the control deficiency is resolved.
Understand the business, its operating model and key processes. (Risk-based
auditing must be based on understanding the business, operating model, and
environment. This is the first step in an IT risk assessment for a risk-based
audit. A is incorrect because understanding the business environment comes
first, followed by understanding the IT environment. B is incorrect because this
is not the first step of risk assessment. This step follows understanding the
business environment and the IT systems. C is incorrect because a risk self-
assessment is optional and applicable for some audit engagements.)
Which of the following is the FIRST step in an IT risk assessment for a risk-
based audit?
A. Identify all IT systems and controls that are relevant to audit objectives.
B. List all controls from the audit program to select ones matching with audit
objectives.
C. Review the results of a risk self-assessment.
D. Understand the business, its operating model and key processes.
They are created on the basis of risk analysis. (In the bottom-up approach,
process risks are identified and considered. The approach starts by considering
the process-level requirements and operational-level risk. The other options are
the benefits of the top-down approach. In the top-down approach, policies are
consistent across the organization and there is no conflict with overall corporate
policy.)
What is the advantage of the bottom-up approach to the development of
enterprise policies?
A. They cover the whole organization.
B. They are created on the basis of risk analysis.
C. They are reviewed by top management.
D. They support consistency of procedure.
Attribute sampling (For compliance testing, attribute sampling will be most
relevant.)
Which sampling method that will be MOST meaningful for compliance testing?
A. Attribute sampling
B. Variable sampling
C. Discovery sampling
D. Stop-or-go sampling
Development of a risk assessment (A risk assessment should be performed to
determine how internal audit resources should be allocated to ensure that all
material items will be addressed. A is incorrect because the risk assessment
results are used for the input for the audit program. B is incorrect because the
risk assessment output helps define the scope. C is incorrect because a risk
assessment must be performed before identifying key information owners. Key
information owners are generally not directly involved during the planning
process of an audit.)
An internal IS audit function is planning a general IS audit. Which of the
following activities takes place during the FIRST step of the planning phase?
A. Development of an audit program
B. Define the audit scope
C. Identification of key information owners
D. Development of a risk assessment
Understanding services and their allocation to business processes by reviewing
the service repository documentation. (A service-oriented architecture relies on
the principles of a distributed environment in which services encapsulate
business logic as a black box and might be deliberately combined to depict real-
world business processes. Before reviewing services in detail, the auditor needs
to understand mapping business processes to services. B is wrong because it is
an essential follow-up step to understanding services and their allocation to
business but differs from the initial step. C is wrong because it is an essential
follow-up step to understanding services and their allocation to business, but
differs from the initial step. D is wrong because this would most likely be a part
of the audit, but the auditor must first understand the business processes and
how the systems support those processes.)
An IS auditor is reviewing a software application that is built on the principles
of service-oriented architecture. What is the INITIAL step?
A. Understanding services and their allocation to business processes by
reviewing the service repository documentation.
B. Sampling the use of service security standards as represented by the Security
Assertions Markup Language.
C. Reviewing the service level agreements established for all system providers.
D. Auditing the core service and its dependencies on other systems.
tracing. (This transaction reconciliation effort involves following the transaction
from the original source to its final destination. In electronic funds transfer
transactions, the direction on tracing may start from the customer-printed copy
of the receipt, proceed to check the system audit trails and logs, and end with
checking the master file records for daily transactions. A is incorrect because
this is usually performed during the funds transfer, not the reconciliation effort.
B is incorrect because, in online processing, authorizations are normally done
automatically by the system, not during the reconciliation. C is incorrect
because corrections are entries that should be reviewed during a reconciliation;
however, they are normally done by someone other than the person entrusted to
do reconciliations and are less important than tracing.)
An IS auditor should ensure that review of online electronic funds transfer
reconciliation procedures should include:
A. vouching.
B. authorizations.
C. corrections.
D. tracing.
Discovery sampling (Discovery sampling is widely used to detect a fraudulent
transaction. Even if only a single error is discovered, there is a possibility that
the internal control system could be compromised. That one error may be
sufficient to require an examination of the entire population or to formulate a
new plan for further action. If one instance of fraud is found, the auditor is
confident that fraud exists. Stop-or-go sampling is used when only a few errors
are expected in a sample. Attribute sampling is used for compliance testing and
variable sampling for substantive testing.)
The sampling method to be used when there is indication of fraud is:
A. Attribute sampling
B. Variable sampling
C. Discovery sampling
D. Stop-or-go sampling
Implementing the controls (Risks are managed and reduced by incorporating
proper security and relevant controls. Through insurance, the risk is transferred.
Auditing and certification help provide assurance, while SLAs help allocate
risk.)
The mitigation of risk can be done through which of the following?
A. Implementing the controls
B. Outsourcing
C. Audit and certification
D. Service level agreements (SLAs)
the systematic collection and analysis of evidence after a system irregularity.
(This best describes a forensic audit. The evidence collected can then be
analyzed and used in judicial proceedings. A is incorrect because forensic audits
are not limited to corporate fraud. C is incorrect because assessing the
correctness of an organization's financial statements is not the primary purpose
of most forensic audits. D is incorrect because forensics is the investigation of
evidence related to a crime or misbehavior. Preserving evidence is the forensic
process, but not the primary purpose.)
The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud.
B. the systematic collection and analysis of evidence after a system irregularity.
C. to assess the correctness of an organization's financial statements.
D. to preserve evidence of criminal activity.
role of the IS audit function. (An IS audit charter establishes the role of the
information systems audit function. The charter should describe the overall
authority, scope, and responsibilities of the audit function. It should be approved
by the highest level of management and, if available, by the audit committee. A
is incorrect because planning is the responsibility of audit management. B is
incorrect because these should be agreed on in an engagement letter. The charter
would specify the objectives and scope of the audit function but not of
individual engagements. C is incorrect because a training plan based on the
audit plan should be developed by audit management.)
An organization's IS audit charter should specify the:
A. plans for IS audit engagements.
B. objectives and scope of IS audit engagements.
C. detailed training plan for the IS audit staff.
D. role of the IS audit function.
Inherent risk (Gross risk or risk before controls is inherent risk.)
The absence of internal control mechanisms is known as what?
A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk
To provide reasonable assurance about the audit coverage of material items
(Risk assessment helps identify the organization's top risks, the auditor can
focus the audit procedure on the highest risk areas. It helps to provide
reasonable assurance about the coverage of material items.)
Which of the following is the prime reason for performing a risk assessment?
A. To address management concerns
B. To provide reasonable assurance about the audit coverage of material items
C. To ensure budget adherence
D. To allocate the audit resources
outline the responsibility and authority of the IS audit function. (The primary
purpose of the IS audit charter is to set forth the purpose, responsibility,
authority, and accountability of the IS audit function. The charter document
grants authority to the audit function on behalf of the board of directors and
organization stakeholders. A is incorrect because the IS audit charter does not
set forth the organizational structure of the IS audit department. The charter
serves as a directive to create the IS audit function. B is incorrect because the IS
audit charter does not dictate the reporting requirements of the IS audit
department. The charter sets forth the information systems audit function's
purpose, responsibility, authority, and accountability. C is incorrect because the
audit determines resources and not the charter.)
The PRIMARY purpose of the IS audit charter is to:
A. establish the organizational structure of the audit department.
B. illustrate the reporting responsibilities of the IS audit function.
C. detail the resource requirements needed for the audit function.
D. outline the responsibility and authority of the IS audit function.
evaluate the impact of the undocumented devices on the audit scope. (In a risk-
based approach to an IS audit, the scope is determined by the device's impact on
the audit. Undocumented devices may be excluded from the current audit
engagement if they do not impact the scope. The information on a network
diagram can vary depending on the illustration. A is wrong because the auditor
can't assume that everything on the network diagram provides information about
the risk affecting a network/system. C is wrong because, in this case, there is
simply a mismatch in timing between the completion of the approval process
and when the IS audit began. There is no control deficiency to be reported. D is
wrong because planning for follow-up audits of the undocumented devices is
contingent on the risk that the undocumented devices have on the ability of the
entity to meet the audit scope.)
An IS auditor discovers that devices connected to the network are not included
in a network diagram that had been used to develop the scope of the audit. The
chief information officer explains that the diagram is being updated and
awaiting final approval. The IS auditor should FIRST:
A. expand the scope of the IS audit to include the devices that are not on the
network diagram.
B. evaluate the impact of the undocumented devices on the audit scope.
C. note a control deficiency because the network diagram has not been
approved.
D. plan follow-up audits of the undocumented devices.
Continuous auditing (The implementation of continuous auditing enables a real-
time feed of information to management through automated reporting processes
so that management may implement corrective actions more quickly. A is
incorrect because software tools such as computer-assisted audit techniques to
analyze transaction data can provide a detailed analysis of trends and potential
risks. However, it is not as effective as continuous auditing because there may
be a time differential between executing the software and analyzing the results.
B is incorrect because this technique may be good but less responsive than
continuous auditing. C is incorrect because this is a valid audit technique;
however, the risk not captured in the transaction log may exist, and there may be
a potential time lag in the analysis.)
For a retail business with a large volume of transactions, which of the following
audit techniques is the MOST appropriate for addressing emerging risk?
A. Use of computer-assisted audit techniques
B. Quarterly risk assessments
C. Sampling of transaction logs
D. Continuous auditing
Walk-through (These procedures usually include a combination of inquiry,
observation, inspection of relevant documentation, and reperformance of
controls. A walk-through of the manual log review process follows the manual
log review process from start to finish to gain a thorough understanding of the
overall process and identify potential control weaknesses. A is wrong because
this is just one component of a walk-through and, by itself, needs to supply
more information to provide a complete understanding of the overall process
and identify potential control weaknesses. B is wrong because this provides
only general information on how the control is executed. It does not necessarily
enable the IS auditor to determine whether the control performer understands
the control. D is wrong because the IS auditor carries out reperformance of the
control and does not provide assurance of the competency of the auditee.)
An IS auditor reviewing the process of log monitoring wants to evaluate the
organization’s manual review process. Which of the following audit techniques
would the auditor MOST likely employ to fulfill this purpose?
A. Inspection
B. Inquiry
C. Walk-through
D. Reperformance
Reasonable assurance about the coverage of material items (The auditor does
not provide absolute assurance but only reasonable assurance. Absolutes are not
attainable due to the inherent limitations of audits, such as professional
judgment, sampling, and testing.)
An information system audit provides:
A. Reasonable assurance about the coverage of material items
B. Definite assurance about the coverage of material items
C. Reasonable assurance about the coverage of all the items
D. No assurance about the coverage of material items
Collect more evidence for further investigation (An IS auditor should further
evaluate the evidence to decide on the recommendation of a detailed
examination.)
An IS auditor has a strong suspicion of fraud during a preliminary investigation.
What should they do next?
A. Collect more evidence for further investigation
B. Report directly to the audit committee
C. Report the probability of fraud to senior officials
D. Obtain an external legal opinion
effectiveness of the QA function because it should interact between project
management and user management. (To be effective, the quality assurance (QA)
function should be independent of project management. Project management
may pressure the QA function to approve an inadequate product if not. B is
incorrect because the efficiency of the QA function is not impacted by
interacting with the project implementation team. The QA team does not release
a product for implementation until it meets QA requirements. C is incorrect
because the project manager responds to the issues raised by the QA team. This
does not impact the effectiveness of the project manager. D is incorrect because
the QA function's interaction with the project implementation team should not
impact the efficiency of the project manager.)
While evaluating software development practices in an organization, an IS
auditor notes that the quality assurance (QA) function reports to project
management. The MOST important concern for an IS auditor is the:
A. effectiveness of the QA function because it should interact between project
management and user management.
B. efficiency of the QA function because it should interact with the project
implementation team.
C. effectiveness of the project manager because the project manager should
interact with the QA function.
D. efficiency of the project manager because the QA function needs to
communicate with the project implementation team.
Discovery sampling (Discovery sampling is widely used to detect a fraudulent
transaction. Even if only a single error is discovered, there is a possibility that
the internal control system could be compromised. That one error may be
sufficient to require an examination of the entire population or to formulate a
new plan for further action. If one instance of fraud is found, the auditor is
confident that fraud exists.)
The best sampling method when an IS auditor is concerned about fraud is:
A. Stop-or-go sampling
B. Discovery sampling
C. Classical sampling
D. Subjective sampling
corrective control. (Corrective controls are designed to correct errors,
omissions, unauthorized uses, and intrusions when detected. This provides a
mechanism to detect malicious events and correct the situation. A is incorrect
because directive controls, such as IT policies and procedures, do not apply
because this is an automated control. C is incorrect because a compensating
control is used where other controls are insufficient to protect the system. In this
case, the corrective control in place will effectively protect the system from
access via an unpatched device. D is incorrect because detective controls exist
to detect and report when errors, omissions, and unauthorized uses or entries
occur.)
A centralized antivirus system determines whether each personal computer has
the latest signature files and installs the latest signature files before allowing a
PC to connect to the network. This is an example of a:
A. directive control.
B. corrective control.
C. compensating control.
D. detective control.
Develop an audit plan on the basis of the risk assessment. (Out of all the options
given, the first step of the audit project is to develop the audit plan after
considering the results of the risk assessment.)
Which of the following is the first step in an audit project?
A. Prepare the audit schedule and monitor it
B. Provide training to IS audit staff on the latest technology used in the
organization
.C. Develop an audit plan on the basis of the risk assessment.
D. Monitor the progress of the audit.
Computer log files that show individual transactions (Computer logs record the
activities of individuals during their access to a computer system or data file and
record any abnormal activities, such as the modification or deletion of financial
data. A is incorrect because an audit trail of only the transaction date and time is
insufficient to compensate for the risk of multiple functions being performed by
the same individual. B is incorrect because reviewing the summary financial
reports does not compensate for the segregation of duties issue. C is incorrect
because a supervisor review of user account administration can be a good
control; however, it may not detect inappropriate activities where a person fills
multiple roles.)
During a compliance audit of a small bank, the IS auditor notes that both the IT
and accounting functions are being performed by the same user of the financial
system. Which of the following reviews conducted by the user's supervisor
would represent the BEST compensating control?
A. Audit trails that show the date and time of the transaction
B. A daily report with the total numbers and dollar amounts of each transaction
C. User account administration
D. Computer log files that show individual transactions
not an adequate control. (Generation of an activity log is not a control by itself.
The review of such a log makes the activity a control (i.e., generation plus
review equals control). A is incorrect because generating an activity log is not a
preventive control because it cannot prevent inappropriate access. B is incorrect
because generating an activity log is not a detective control. After all, it does not
help detect inappropriate access unless it is reviewed by appropriate personnel.
D is incorrect because generating an activity log is not a corrective control.
After all, it does not correct the effect of inappropriate access.)
An IS auditor notes that failed login attempts to a core financial system are
automatically logged and the logs are retained for a year by the organization.
This logging is:
A. an effective preventive control.
B. a valid detective control.
C. not an adequate control.
D. a corrective control.
Allocate resources for audits. (Because IS audit assignments must be
accomplished with limited time and human resources, audits are scheduled and
prioritized as determined by IS audit management. B is incorrect because audit
risk is inherent to all audits, and the schedule has no bearing on the impact of
audit risk. C is incorrect because developing a training plan for auditors is
important, but it is not the main purpose of an IS audit plan. D is incorrect
because minimizing the audit costs could be one of the objectives of the annual
IS audit plan. However, this would result from ensuring audit resources are used
effectively.)
The MAIN purpose of the annual IS audit plan is to:
A. Allocate resources for audits.
B. Reduce the impact of audit risk.
C. Develop a training plan for auditors.
D. Minimize the audit costs.
Important business risk may be overlooked. (Without an audit scope, the
appropriate risk assessment has not been performed; therefore, the auditor might
not audit those areas of highest risk for the organization. A is incorrect because,
in certain cases, it may be more difficult to discuss findings when incorrect
stakeholders are identified, thus delaying the communication of audit findings.
However, this is not as concerning as important business risk not being included
in the audit scope. B is incorrect because many factors determine the cost of
controls. Therefore, it is difficult to state that only audit objectives determine
the control cost. However, this is not as important if a key risk is not identified.
D is incorrect because auditing previously audited areas is not an efficient use of
resources; however, this is not as big of a concern as the key risk not being
identified.)
Which of the following would be the GREATEST concern if audit objectives
are not established during the initial phase of an audit program?
A. Key stakeholders are incorrectly identified.
B. Control costs will exceed planned budget.
C. Important business risk may be overlooked.
D. Previously audited areas may be inadvertently included.
Inherent risk (This is normally high due to the number of users and business
areas that may be affected. Inherent risk is the risk level or exposure without
considering the actions that management has taken or might take. A is incorrect
because this can be high, but it is not due to internal controls not being
identified, evaluated, or tested, and it is not due to the number of users or
business areas affected. B is incorrect because compliance risk is the penalty
applied to current and future earnings for nonconformance to laws and
regulations and may not be impacted by the number of users and business areas
affected. D is incorrect this is the remaining risk after management has
implemented a risk response and is not based on the number of users or business
areas affected.)
An IS auditor is reviewing a project risk assessment and notices that the overall
residual risk level is high due to confidentiality requirements. Which of the
following types of risk is normally high due to the number of unauthorized
users the project may affect?
A. Control risk
B. Compliance risk
C. Inherent risk
D. Residual risk
The work may be construed as a self-audit. (Because the employee had been a
developer, it is recommended that the audit coverage exclude the systems
developed by this employee to avoid any conflicts of interest. B is incorrect
because the employee has a technical background. The audit findings may tend
to focus on technical matters. However, this is usually corrected in the review
process before it is carried out in production. C is incorrect because auditing is a
new role for this employee; it is less of a concern and may need more control
assessment skills. However, this can be addressed by on-the-job training and is
less of a concern than a potential conflict of interest. D is incorrect because this
employee was previously employed in the organization's IT department; it is
possible to build upon the employee's current understanding of the business to
address any gaps in knowledge.)
A system developer transfers to the audit department to serve as an IT auditor.
When production systems are to be reviewed by this employee, which of the
following will become the MOST significant concern?
A. The work may be construed as a self-audit.
B. Audit points may largely shift to technical aspects.
C. The employee may not have sufficient control assessment skills.
D. The employee’s knowledge of business risk may be limited.
Material areas are addressed first. (Material risk is audited according to the risk
ranking, thus enabling the audit team to concentrate on high-risk areas first. A is
incorrect because high impact does not necessarily indicate high risk. Risk also
takes into consideration probability. B is incorrect because a risk-based audit
approach addresses resource allocation, which is not the primary function of a
risk-based audit approach. D is incorrect because management concerns may
not be aligned with high-risk areas.)
Which of the following is the PRIMARY purpose of a risk-based audit?
A. High-impact areas are addressed first.
B. Audit resources are allocated efficiently.
C. Material areas are addressed first.
D. Management concerns are prioritized.
Lower confidence coefficient, which leads to a lower sample size (The
confidence coefficient, or confidence level, is a measure of the accuracy and
confidence about the quality of the sample. Sample size and confidence
correlation are directly related. A high sample size will give a high confidence
coefficient. When there is a strong internal control, the confidence coefficient
may be lowered, so there will be a review of only a few samples.)
In the case of a strong internal control, an auditor can adopt a:
A. High confidence coefficient and a selection of small samples
B. Low confidence coefficient and a selection of large samples
C. Higher confidence coefficient, which leads to a larger sample size
D. Lower confidence coefficient, which leads to a lower sample size
identify the organization's information assets. (The first step of the risk
assessment process is to identify systems and processes that support the
business objectives because the risk to those processes impacts the achievement
of business goals. A is wrong because after the business objectives and
underlying systems are identified, the effort should focus on the most sensitive
data assets. The data classification program assists the auditor in identifying
these assets. C is wrong because Inherent risk is the exposure without
considering management's actions. A risk assessment aims to identify
vulnerabilities so controls can be mitigated. One must understand the business
and its supporting systems to identify the systems that require the most risk
assessment. D is wrong because designing and implementing controls to
mitigate inherent risk can only be performed after everything else.)
When performing a risk analysis, the IS auditor should FIRST:
A. review the data classification program.
B. identify the organization’s information assets.
C. identify the inherent risk of the system.
D. perform a cost-benefit analysis for controls.
The use of a statistical sample to verify the inventory of a tape library (In
substantive testing, the accuracy and integrity of the transaction and balances
are verified. A substantive test is used to verify the inventory.)
The best example of a substantive test is:
A. To ascertain compliance with firewall rules
B. To ascertain compliance with a change management policy
C. The use of a statistical sample to verify the inventory of a tape library
D. To review the reports that capture the password history
Designing the cybersecurity controls (If an auditor designs the controls, a
conflict of interest arises in the neutrality of the auditor to address deficiencies
during an audit. This violates the ISACA Code of Ethics. A is incorrect because
this is typically an operational responsibility. However, it is not nearly as strong
a conflict of interest as the auditor designing controls and then reviewing them.
C is incorrect because part of the role of an IS auditor can be to advise on a
cybersecurity framework, provided that such advice does not rise to the level of
designing specific controls that the auditor would later review. D is incorrect
because this can be the responsibility of the IS auditor and does not present a
conflict of interest.)
Which of the following is MOST likely to be considered a conflict of interest
for an IS auditor who is reviewing a cybersecurity implementation?
A. Delivering cybersecurity awareness training
B. Designing the cybersecurity controls
C. Advising on the cybersecurity framework
D. Conducting the vulnerability assessment
While substantive testing tests the details, compliance testing tests the controls.
(Compliance testing is used to evaluate the existence of the control. In
substantive testing, the accuracy and integrity of the transaction and balances
are verified.)
The difference between compliance testing and substantive testing is that:
A. While substantive testing tests the controls, compliance testing tests the
details.
B. While substantive testing tests the details, compliance testing tests the
controls.
C. While substantive testing verifies the correctness of trail balance, compliance
testing tests the financial statements.
D. While substantive testing tests the internal controls, compliance testing tests
the internal requirements
The nature and criticality of the business process supported by the application
(The e-commerce application enables the execution of business transactions.
Therefore, it is essential to understand the nature and criticality of the business
process supported by the e-commerce application to identify specific controls to
review. A is wrong because understanding the technology architecture of the e-
commerce environment is essential; however, the nature of the business process
supported by the e-commerce application must be well understood. B is wrong
because the policies, procedures, and practices that form the internal control
environment must align with the e-commerce environment; there are other
essential elements the IS auditor needs to understand. D is wrong because the
availability of the e-commerce environment is necessary, but this is only one of
the aspects to be considered.)
Which of the following is MOST important for an IS auditor to understand
when auditing an e-commerce environment?
A. The technology architecture of the e-commerce environment
B. The policies, procedures and practices forming the control environment
C. The nature and criticality of the business process supported by the
application
D. Continuous monitoring of control measures for system availability and
reliability
A compliance test (Compliance testing is used to evaluate the existence of the
control. In substantive testing, the accuracy and integrity of the transaction and
balances are verified. In the given case, verifying that only active users have
access to critical systems requires evaluating the existence of controls, and
hence, a compliance test is used.)
To determine that only active users have access to a critical system, which of the
following is best?
A. A compliance test
B. A substantive test
C. A statistical sample
D. Judgment sampling
It detects risk sooner. (Control self-assessments (CSAs) require employees to
assess the control stature of their function. CSAs help to increase the
understanding of business risk and internal controls. Because they are
conducted more frequently than audits, CSAs help to identify risk in a timelier
manner. B is incorrect because CSAs do not replace the internal audit function;
an audit must still be performed to ensure controls are present. C is incorrect
because CSAs may not reduce the audit function's workload and are not a major
difference between the two approaches. D is incorrect because CSAs do not
affect the need for audit resources. Although the results of the CSA may serve as
a reference point for the audit process, they do not affect the scope or depth of
audit work that needs to be performed.)
What is the MAJOR benefit of conducting a control self-assessment over a
traditional audit?
A. It detects risk sooner.
B. It replaces the internal audit function.
C. It reduces audit workload.
D. It reduces audit resource requirements.
The risks of control are within acceptable norms. (It must be noted that the
outcome of compliance testing is used to make a plan for a substantive test. If
the outcome of compliance testing indicates the existence of effective internal
control, then substantive testing may not be required or may be reduced.
However, if the outcome of compliance testing indicates a poor internal control
system, then more rigorous substantive testing is required. Thus, a substantive
test procedure can be reduced if the compliance test concludes that risks of
control are within an acceptable level.)
The substantive test procedure can be reduced if, after a compliance test, it is
concluded that:
A. It would be too expensive for a substantive test.
B. The organization has weak controls.
C. The inherent risk is low.
D. The risks of control are within acceptable norms.
allows the IS auditor to review and follow up on audit issues in a timely manner.
(Continuous audit allows audit and response to audit issues promptly because
audit findings are gathered in near real time. A is incorrect because the
continuous audit approach often requires an IS auditor to collect evidence on
system reliability while processing occurs. C is incorrect because responsibility
for enforcement and monitoring controls is primarily management's
responsibility. D is incorrect because the use of continuous audit is not based on
the complexity or number of systems being monitored.)
The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while
processing is taking place.
B. allows the IS auditor to review and follow up on audit issues in a timely
manner.
C. places the responsibility for enforcement and monitoring of controls on the
security department instead of audit.
D. simplifies the extraction and correlation of data from multiple and complex
systems.
A review of the accounts receivable for an aged trial balance (Compliance
testing is used to evaluate the existence of the control. In substantive testing, the
accuracy and integrity of the transaction and balances are verified.)
An example of a substantive audit test includes:
A. Ascertaining periodic management checks and controls
B. Ascertaining logical access controls
C. A review of reports detailing short shipments of the goods
D. A review of the accounts receivable for an aged trial balance
Generalized audit software (Generalized audit software features include
mathematical computations, stratification, statistical analysis, sequence
checking, duplicate checking, and re-computations. Using generalized audit
software, an IS auditor can design appropriate tests to recompute the payroll,
thereby determining whether there were overpayments and to whom they were
made. A is incorrect because test data tests for the existence of controls that
might prevent overpayments, but it does not detect specific, previous
miscalculations. C is incorrect because it helps identify a problem as it occurs
but does not detect errors for a previous period. D is incorrect because this can
enable the IS auditor to evaluate a process and gather audit evidence, but it does
not detect errors for a previous period.)
The vice president of human resources has requested an IS audit to identify
payroll overpayments for the previous year. Which would be the BEST audit
technique to use in this situation?
A. Generate sample test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module
To ascertain the adequacy, effectiveness, and efficiency of controls.
(Compliance tests are conducted to ascertain the controls adequacy,
effectiveness, and efficiency.)
Which of the following is the objective of a compliance test?
A. To ascertain the adequacy, effectiveness, and efficiency of controls.
B. To ascertain appropriate documentation.
C. Users are granted access as specified.
D. Data validation procedures are provided.
A substantive test (In substantive testing, evidence is gathered to evaluate the
accuracy of the data or other information. Using a statistical sample to inventory
the tape library is a good example of a substantive test.)
The use of a statistical sample to inventory the tape library is considered as:
A. A substantive test
B. A compliance test
C. An integrated test
D. A continuous audit
A compliance test of the program library controls (Compliance tests are
conducted to ascertain controls adequacy, effectiveness, and efficiency. A
compliance test will be used to determine whether the program library controls
are working properly.)
To determine whether the source and object versions are the same, what
procedure is performed?
A. A substantive test of the program library controls
B. A compliance test of the program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
Substantive testing (Compliance testing is used to evaluate the existence of the
control. Compliance tests are conducted to ascertain controls adequacy,
effectiveness, and efficiency. In substantive testing, the accuracy and integrity
of the transaction and balances are verified.)
Evidence gathering to determine the accuracy of an individual transaction or
data is:
A. Substantive testing
B. Compliance testing
C. Stop-or-go testing
D. Discovery testing
Correcting coding errors during the testing process (Correction of code should
not be a responsibility of the quality assurance team because it would not ensure
segregation of duties and would impair the team's independence. A, B, and D
are incorrect because they are valid quality assurance functions.)
Which of the following would impair the independence of a quality assurance
team?
A. Ensuring compliance with development methods
B. Checking the test assumptions
C. Correcting coding errors during the testing process
D. Checking the code to ensure proper documentation
The objective and scope of the audit (The objective and scope of the audit are
the best factors to determine the extent of the data requirements. A limited scope
may not require huge data collection. A wider scope may require more data for
analysis and sample verification. The other options do not directly impact the
extent of data collection.)
The most significant factor that impacts the extent of the data requirements for
an audit is:
A. The extent of automation
B. The previous audit observations
C. The objective and scope of the audit
D. The auditor's expertise
Report the use of the unauthorized software and the need to prevent recurrence.
(The use of unauthorized or illegal software should be prohibited by an
organization. An IS auditor must convince the user and management of the risk
and the need to eliminate the risk. For example, software piracy can result in
exposure and severe fines. A is wrong because an IS auditor should not assume
the role of the enforcing officer and take on any personal involvement in
removing the unauthorized software. B is wrong because this would detect
compliance with software licensing. However, an automated solution might not
be the best option in all cases. D is wrong because auditors must report material
findings to management for action. Informing the users of risk is not the
primary responsibility of the IS auditor.)
An IS auditor conducting a review of software usage and licensing discovers
that numerous PCs contain unauthorized software. Which of the following
actions should the IS auditor take?
A. Delete all copies of the unauthorized software.
B. Recommend an automated process to monitor for compliance with software
licensing.
C. Report the use of the unauthorized software and the need to prevent
recurrence.
D. Warn the end users about the risk of using illegal software.
Publish the report and highlight the risk of implementation before considering
the results of penetration testing (In the case of the unavailability of evidence,
the auditor should report the relevant risk in the audit report. The auditor should
not wait until the results are made available. The auditor is not required to
conduct a penetration test, which is beyond the scope of an audit.)
While reviewing the implementation of an application, it is observed that the
results of penetration are not yet declared and will not be finalized prior to
implementation. What is the IS auditor's best option?
A. Publish the report and highlight the risk of implementation before
considering the results of penetration testing
B. Publish the report without commenting on penetration testing as the results
are inconclusive.
C. Publish the report only when the penetration reports are made available
D. Conduct a penetration test and evaluate the test results
Automated code comparison (This is comparing two versions of the same
program to determine whether the two correspond. It is an efficient technique
because it is an automated procedure. A is incorrect because this permits the
auditor to verify the processing of preselected transactions but provides no
evidence about unauthorized changes or unexercised portions of a program. B is
incorrect because this is the reading of program source code listings to
determine whether the code follows coding standards or contains potential
errors or inefficient statements. A code review can be used as a means of code
comparison, but it is inefficient and unlikely to detect any changes in the code,
especially in a large program. D is incorrect because this does not detect
unauthorized program changes.)
Which of the following audit techniques would BEST help an IS auditor in
determining whether there have been unauthorized program changes since the
last authorized program update?
A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures
To design an alternative test procedure (If the sample size is insufficient, the
auditor should develop an alternative test procedure to evaluate the change
management process.)
While reviewing a change management process, it is observed that the number
of changes that are available for sampling does not give reasonable assurance.
What is the best option for the IS auditor?
A. To design an alternative test procedure
B. To publish the report on the basis of the samples available
C. To conduct an interview with the staff associated with the process
D. To create a dummy sample for verification
gain agreement on the findings. (The primary purpose of meeting with auditees
prior to formally closing a review is to gain agreement on the findings and
responses from management. A is incorrect because the closing meeting
identifies any misunderstandings or errors in the audit but does not identify any
important issues overlooked in the audit. C is incorrect because the closing
meeting may obtain comments from management on the conduct of the audit
but is not intended to be a formal review of the adequacy of the audit
procedures. D is incorrect because the structure of an audit report and the
presentation follows accepted standards and practices. The closing meeting may
indicate errors in the audit or presentation but is not intended to test the
structure of the presentation.)
The PRIMARY purpose for meeting with auditees prior to formally closing a
review is to:
A. confirm that the auditors did not overlook any important issues.
B. gain agreement on the findings.
C. receive feedback on the adequacy of the audit procedures.
D. test the structure of the final presentation.
The purpose, scope, and objective of the audit (The purpose, scope, and
objective of the audit directly determine the extent of the data requirements. The
availability of information should not constrain it, the auditor's experience, or
the business's nature.)
Which of the following ascertains the extent of the data requirements for the
audit?
A. The availability of information
B. The experience of the auditor
C. The nature of the business
D. The purpose, scope, and objective of the audit
the probability of error must be objectively quantified. (Given an expected error
rate and confidence level, statistical sampling is an objective method of
sampling, which helps an IS auditor determine the sample size and quantify the
probability of error (confidence coefficient). B is incorrect because sampling
risk is the risk of a sample not being representative of the population. This risk
exists for judgment and statistical samples. C is incorrect because statistical
sampling can use generalized audit software, but it is not required. D is
incorrect because the tolerable error rate must be predetermined for both
judgment and statistical sampling.)
An IS auditor should use statistical sampling and not judgmental (nonstatistical)
sampling, when:
A. the probability of error must be objectively quantified.
B. the auditor wants to avoid sampling risk.
C. generalized audit software is unavailable.
D. the tolerable error rate cannot be determined.
Confirmation letter from a relevant third party verifying an account balance
(Evidence obtained from independent third parties is almost always considered
more reliable than assurance provided by local management. B is wrong
because data collected from the Internet is not always trustworthy or
independently validated. C is wrong because management is not objective and
may not understand the risk and control environment. They only provide
evidence that the application is working correctly (not the controls). Their
assurance is not an acceptable level of trust for audit evidence. D is wrong
because ratio analysis can identify trends and deviations from a baseline but is
unreliable evidence.)
Which of the following can be considered MOST reliable evidence for an IS
auditor?
A. Confirmation letter from a relevant third party verifying an account balance
B. Information available on open source
C. Assurance from line management that an application is working as designed
D. Ratio analysis developed by the IS auditor from reports supplied by line
management
the threats/vulnerabilities affecting the assets. (One of the key factors to be
considered while assessing the information systems risk is the value of the
systems (the assets) and the threats and vulnerabilities affecting the assets. The
risk related to the use of information assets should be evaluated in isolation
from the installed controls. A is incorrect because the controls are irrelevant
until the IS auditor knows the threats and risks that the controls are intended to
address. B is incorrect because the effectiveness of the controls must be
measured to the risk (based on assets, threats, and vulnerabilities) that the
controls are intended to address. C is incorrect because the first step must be to
determine the risk being managed before reviewing the mechanism of
monitoring risk.)
An IS auditor is evaluating management's risk assessment of information
systems. The IS auditor should FIRST review:
A. the controls are in place.
B. the effectiveness of the controls.
C .the mechanism for monitoring the risk.
D. the threats/vulnerabilities affecting the assets.
A sample system-generated exception report for the review period, with follow-
up action items noted by the reviewer (A sample of a system-generated report
with evidence that the reviewer followed up on the exception represents the best
possible evidence of the effective operation of the control because there is
documented evidence that the reviewer has reviewed and taken actions based on
the exception report. A is wrong because a walk-through will highlight how a
control is designed to work, but it does not highlight the effectiveness of the
control. B is wrong because reviewer sign-off only demonstrates the control's
effectiveness if the reviewer notes follow-up actions for the exceptions
identified. D is wrong because management's confirmation of the effectiveness
of the control suffers from a lack of independence—management might be
biased toward the effectiveness of the controls put in place.)
An IS auditor is validating a control that involves a review of system-generated
exception reports. Which of the following is the BEST evidence of the
effectiveness of the control?
A. Walk-through with the reviewer of the operation of the control
B. System-generated exception reports for the review period with the reviewer's
sign-off
C. A sample system-generated exception report for the review period, with
follow-up action items noted by the reviewer
D. Management's confirmation of the effectiveness of the control for the review
period
Expand the sample of logs reviewed. (Standards require an IS auditor to gather
sufficient and appropriate audit evidence. The IS auditor has found a potential
problem and needs to determine whether this is an isolated incident or a
systematic control failure. A is wrong because, at this stage, it is too preliminary
to issue an audit finding. Seeking an explanation from management is advisable,
but it would be better to gather additional evidence to evaluate the situation's
seriousness properly. B is wrong because gathering more information on the
incident and the frequency of the incident would make it easier to obtain a
meaningful explanation from management. C is wrong because a backup failure
will be serious if it involves critical data. However, the issue is not the
importance of the data on the server, where a problem is detected, but whether a
systematic control failure that impacts other servers exists.)
An IS auditor reviews one day of logs for a remotely managed server and finds
one case where logging failed and the backup restarts cannot be confirmed.
What should the IS auditor do?
A. Issue an audit finding.
B. Seek an explanation from IS management.
C. Review the classifications of data held on the server.
D. Expand the sample of logs reviewed.
obtain an understanding of the security risk to information processing. (When
evaluating logical access controls, an auditor should first understand the
security risk facing information processing by reviewing relevant
documentation and inquiries and conducting a risk assessment. It is necessary so
that the auditor can ensure the controls are adequate to address risk. A is wrong
because documentation and evaluation is the second step and is based on the
risk to the system that necessitates the controls. B is wrong because the third
step is to test the access paths—to determine if the controls are functioning. C is
wrong because it is only after the risk is determined and the controls
documented that the auditor can evaluate the security environment to assess its
adequacy through reviewing written policies, observing practices, and
comparing them to appropriate security good practices.)
An IS auditor evaluating logical access controls should FIRST:
A. document the controls applied to the potential access paths to the system.
B. test controls over the access paths to determine if they are functional.
C. evaluate the security environment in relation to written policies and
practices.
D. obtain an understanding of the security risk to information processing.
Report the incident to management. (Reporting the suspected incident to
management will help initiate the incident response process, which is the most
appropriate action. Management is responsible for making decisions regarding
the appropriate response. It is not the IS auditor's role to respond to incidents
during an audit. A is wrong because the IS auditor should follow the
organization's incident response process. The auditor is not authorized to shut
the system down. C is wrong because the IS auditor is not authorized to lead the
investigation or suspend user accounts. The auditor should report the incident to
management. D is wrong because management is responsible for setting up and
following an incident management plan; that is not the responsibility of the IS
auditor.)
An IS auditor suspects an incident is occurring while an audit is being
performed on a financial system. What should the IS auditor do FIRST?
A. Request that the system be shut down to preserve evidence.
B. Report the incident to management.
C. Ask for immediate suspension of the suspect accounts.
D. Investigate the source and nature of the incident.
Discuss it with the IT managers. (Discussing the implementation of segregation
of duties with the IT managers is the best way to determine how responsibilities
are assigned within the department. B is wrong because job descriptions may
not be the best source of information because they could be outdated, or what is
documented in the job descriptions may differ from what is performed. C is
wrong because past IS audit reports are not the best source of information
because they may not accurately describe how IT responsibilities are assigned.
D is wrong because evaluating the organizational structure may give a limited
view on the allocation of IT responsibilities. The responsibilities also may have
changed over time.)
During an IS audit, what is the BEST way for an IS auditor to evaluate the
implementation of segregation of duties within an IT department?
A. Discuss it with the IT managers.
B. Review the job descriptions of the IT functions.
C. Research past IS audit reports.
D. Evaluate the organizational structure.
Detection (This is directly affected by the IS auditor's selection of audit
procedures and techniques. Detection risk is the risk that a review will not
detect or notice a material issue. A is wrong because this is the risk that a
material error could occur if there are no related internal controls to prevent or
detect the error. Inherent risk is not usually affected by an IS auditor. C is wrong
because this is the risk that a material error exists that would not be prevented or
detected on a timely basis by the system of internal controls. Control risk can be
mitigated by the actions of the organization's management. D is wrong because
this is a probable situation with uncertain frequency and magnitude of loss (or
gain). Business risk is usually not directly affected by an IS auditor.)
The decisions and actions of an IS auditor are MOST likely to affect which of
the following types of risk?
A. Inherent
B. Detection
C. Control
D. Business
Observation and interview (Observation and interview by an IS auditor can be
considered the best evidence compared to the other options. A user access
review does not provide complete information compared to an interview. Also,
user access can be changed between audits. Management assurance and
organization charts can be considered as additional evidence; however,
observation and interview are considered as more reliable evidence.)
The best evidence for the existence of the segregation of duties is:
A. Management assurance
B. Information derived from an organization chart
C. Observation and interview
D. Review of user access
There were instances when some jobs were overridden by computer operators.
(Computer operators' overriding of computer processing jobs could lead to
unauthorized changes to data or programs. This is a control concern; thus, it is
always critical. A is wrong because emergency changes are acceptable as long
as they are properly documented as part of the process. B is wrong because jobs
not being completed on time are a potential issue and should be investigated,
but it is not the greatest concern. D is wrong because the audit should find that
all scheduled jobs were run and any exceptions were documented. This would
not be a violation.)
An IS auditor has been assigned to conduct a test that compares job run logs to
computer job schedules. Which of the following observations would be of the
GREATEST concern to the IS auditor?
A. There are a growing number of emergency changes.
B. There were instances when some jobs were not completed on time.
C. There were instances when some jobs were overridden by computer
operators.
D. Evidence shows that only scheduled jobs were run.
include the finding in the final report, because the IS auditor is responsible for
an accurate report of all findings. (If an action is taken after the audit starts and
before it ends, audit report should identify the finding and describe corrective
action taken. An audit report should reflect the situation at start of audit. All
corrective actions taken by the auditee should be reported in writing. B is wrong
because audit report should contain relevant findings and management's
response, even if finding is resolved. This means that subsequent audits may test
for continued control resolution. C is wrong because audit report should contain
findings so they are documented, and removal of control after the audit would
be noticed. D is wrong because audit report should include findings and
resolution, which can be mentioned in final meeting. The audit report should list
all relevant findings and management responses.)
Corrective action has been taken by an auditee immediately after the
identification of a reportable finding. The auditor should:
A. include the finding in the final report, because the IS auditor is responsible
for an accurate report of all findings.
B. not include the finding in the final report because management resolved the
item.
C. not include the finding in the final report, because corrective action can be
verified by the IS auditor during the audit.
D. include the finding in the closing meeting for discussion purposes only.
A configuration report extracted from the system directly by the audit team
(Evidence collected directly from the source by the audit team is considered
more reliable compared to the other options.)
Which of the following can be considered best evidence to determine system
configuration settings?
A. A system configuration report extracted by the system administrator
B. A configuration report extracted from the system directly by the audit team
C. The documentation of configuration maintained by the IT team
D. An approved configuration setting note
compliance testing. (Compliance testing determines whether controls are being
applied in compliance with policy. This includes tests to determine whether new
accounts were appropriately authorized. A is wrong because variable sampling
is used to estimate numerical values such as dollar values. B is wrong because
substantive testing substantiates the integrity of actual processing, such as
balances on financial statements. The development of substantive tests often
depends on compliance tests' outcomes. If compliance tests indicate that there
are adequate internal controls, then substantive tests can be minimized. D is
wrong because stop-or-go sampling allows a test to be stopped as early as
possible and is inappropriate for checking whether procedures have been
followed.)
An IS auditor is reviewing access to an application to determine whether
recently added accounts were appropriately authorized. This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.
Attribute sampling (It is the primary sampling method used for compliance
testing. Attribute sampling is a sampling model used to estimate the rate of
occurrence of a specific quality (attribute) in a population and is used in
compliance testing to confirm whether the quality exists. For example, an
attribute sample may check all transactions over a predefined dollar amount for
proper approvals. B is wrong because it is based on calculating a mean from a
sample extracted from the entire population and using that to estimate the
characteristics of the entire population. For example, a sample of 10 items
shows an average price of US $10 per item. For the entire population of 1,000
items, the total value is estimated to be US $10,000. C is wrong because this
attempts to ensure that the entire population is represented in the sample. D is
wrong because this examines measure deviations and extraordinary items.)
Which of the following sampling methods is MOST useful when testing for
compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit sampling
D. Difference estimation sampling
IS audit reports (Option A and C do not have the element of independence. An
audit report by a qualified auditor is considered more reliable than a
confirmation letter from a third party.)
Which of the following can be considered the most reliable information?
A. Oral declaration by management
B. IS audit reports
C. Data provided by management
D. Confirmation letter received from a third party
preservation. (Preservation and documentation of evidence for review by law
enforcement and judicial authorities are of primary concern when conducting an
investigation. Failure to properly preserve the evidence could jeopardize the
admissibility of the evidence in legal proceedings. The other options are
important but not the primary concerns related to evidence in a forensic
investigation.)
When performing a computer forensic investigation, in regard to the evidence
gathered, an IS auditor should be MOST concerned with:
A. analysis.
B. evaluation.
C. preservation.
D. disclosure.
expand the scope to include substantive testing. (If documented procedures or
job descriptions do not confirm the answers provided to an IS auditor's
questions, the IS auditor should expand the scope of testing the controls and
include additional substantive tests. A is wrong because it is based solely on the
interview with the payroll clerk, the IS auditor will not be able to collect
evidence to conclude on the adequacy of existing controls. C and D are wrong
because they are inappropriate actions and provide no current knowledge of the
adequacy of the existing controls.
An IS auditor finds that the answers received during an interview with a payroll
clerk do not support job descriptions and documented procedures. Under these
circumstances, the IS auditor should:
A. conclude that the controls are inadequate.
B. expand the scope to include substantive testing.
C. place greater reliance on previous audits.
D. suspend the audit.
A sample exception report along with a follow-up action plan (A review of the
exception report and a follow-up action represents the best possible evidence. It
determines that the control process is in place and follow-up actions are taken
for exceptions.)
The best evidence to determine the effectiveness of control involving the review
of system generated exceptional reports is:
A. A walkthrough of the control process
B. Approved documented control process
C. A sample exception report along with a follow-up action plan
D. Management assurance
Gain more assurance on the findings through root cause analysis. (A change
management process is critical to IT production systems. Before recommending
that the organization take any other action, the auditor should gain assurance
that the incidents reported are related to deficiencies in the change management
process. A is wrong because while it may be necessary to redesign the change
management process, this can't be done until a root cause analysis is conducted
to determine why the current process is not being followed. C is wrong because
a business relies on being able to make changes when necessary. Security
patches must often be deployed promptly. It would only be feasible to halt all
changes once a new process is developed. D is wrong because the results of the
audit, including the findings of noncompliance, will be delivered to
management once a root cause analysis of the issue has been completed.)
During a change control audit of a production system, an IS auditor finds that
the change management process is not formally documented and that some
migration procedures failed. What should the IS auditor do next?
A. Recommend redesigning the change management process.
B. Gain more assurance on the findings through root cause analysis.
C. Recommend that program migration be stopped until the change process is
documented.
D. Document the finding and present it to management.
conducting a physical count of the tape inventory. (A substantive test includes
gathering evidence to evaluate the integrity (i.e., the completeness, accuracy,
and validity) of individual transactions, data, or other information. Conducting a
physical count of the tape inventory is a substantive test. A, B, and D are wrong
because they are compliance tests.)
A substantive test to verify that tape library inventory records are accurate is:
A. determining whether bar code readers are installed.
B. determining whether the movement of tapes is authorized.
C. conducting a physical count of the tape inventory.
D. checking whether receipts and issues of tapes are accurately recorded.
The creation of simulated transactions for processing and comparing results for
correctness (The most effective evidence is to create simulated transactions for
verification. The other options do give a good indication about the accuracy of
logic; however, Option B can be considered as best evidence.)
The best evidence to determine the accuracy of system logic for transaction
processing is:
A. A review of the source code
B. The creation of simulated transactions for processing and comparing results
for correctness
C. An interview with the system developer
D. An approved UAT report
Compliance testing (Determining that only authorized modifications are made
to production programs would require the change management process to be
reviewed to evaluate the existence of a trail of documentary evidence.
Compliance testing helps verify that the change management process has been
applied consistently. A is wrong because system log analysis would identify
changes and activity on a system but would only identify whether the change
was authorized if conducted as a part of a compliance test. C is wrong because
forensic analysis is a specialized technique for criminal investigation. D is
wrong because an analytical review assesses the general control environment of
an organization.)
Which of the following would an IS auditor use to determine if unauthorized
modifications were made to production programs?
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review
preparing simulated transactions for processing and comparing the results to
predetermined results. (Preparing simulated transactions for processing and
comparing the results to predetermined results is the best method for confirming
the accuracy of a tax calculation. A is wrong because reviewing source code is
not an effective method of ensuring the calculation is correctly computed. B is
wrong because recreating program logic may lead to errors, and monthly totals
are inaccurate enough to ensure correct computations. D is wrong because
flowcharting and analysis of source code are not effective methods to address
the accuracy of individual tax calculations.)
The BEST method of confirming the accuracy of a system tax calculation is by:
A. review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate
monthly totals.
C. preparing simulated transactions for processing and comparing the results to
predetermined results.
D. automatic flowcharting and analysis of the source code of the calculation
programs.
expand activities to determine whether an investigation is warranted. (An IS
auditor's responsibilities for detecting fraud include evaluating fraud indicators
and deciding whether additional action is necessary or an investigation should
be recommended. B is wrong because the IS auditor should notify the
appropriate authorities within the organization only if it has determined that the
indicators of fraud are sufficient to recommend an investigation. C is wrong
because the IS auditor should report the possibility of fraud to top management
only after sufficient evidence to launch an investigation. This may be affected
by whether management may be involved in the fraud. D is wrong because
normally, the IS auditor does not have the authority to consult with external
legal counsel.)
After initial investigation, an IS auditor has reasons to believe that fraud may be
present. The IS auditor should:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C. report the possibility of fraud to management.
D. consult with external legal counsel to determine the course of action to be
taken.
Appropriate audit evidence will be collected (Primarily, an IS auditor's
professional judgment is required to collect sufficient audit evidence. An audit
need not necessarily identify all the deficiencies. Auditee management is
responsible for taking corrective action. Completing an audit within the defined
timeline is an important element, but the primary objective of the audit
procedure is to collect sufficient evidence.)
An IS auditor should use professional judgement primarily to ensure:
A. Appropriate audit evidence will be collected
B. All deficiencies will be detected
C. Significant risk will be corrected within a reasonable time
D. An audit will be completed within the defined time frame
Inform appropriate personnel immediately. (The first thing an IS auditor should
do after detecting the virus is to alert the organization to its presence and then
wait for their response. A is wrong because observing the response mechanism
should be done after informing the appropriate personnel. This will enable an IS
auditor to examine the actual workability and effectiveness of the response
system. B is wrong because the IS auditor is neither authorized nor capable of
removing the virus from the network in most cases. D is wrong because an IS
auditor should not change the system being audited; ensuring the deletion of the
virus is a management responsibility.)
While conducting an audit, an IS auditor detects the presence of a virus. What
should be the IS auditor's next step?
A. Observe the response mechanism.
B. Clear the virus from the network.
C. Inform appropriate personnel immediately.
D. Ensure deletion of the virus.
sufficient evidence will be collected. (Procedures are processes an auditor may
follow in an audit engagement. An auditor should use professional judgment to
determine the appropriateness of any particular procedure. Professional
judgment involves subjective and qualitative evaluation of conditions that arise
during an audit. It addresses a grey area where binary decisions are
inappropriate, and the auditor's experience plays a key role. B is wrong because
correcting deficiencies is the responsibility of management. C is wrong because
identifying material weaknesses results from appropriate competence,
experience, and thoroughness in audit planning and execution. Audit procedures
and professional judgment can't ensure all weaknesses are identified and
corrected. D is wrong because professional judgment ensures audit resources
and costs are used wisely, but is not the primary objective.)
When selecting audit procedures, an IS auditor should use professional
judgment to ensure that:
A. sufficient evidence will be collected.
B. significant deficiencies will be corrected within a reasonable period.
C. all material weaknesses will be identified.
D. audit costs will be kept at a minimum level.
Sufficient and appropriate audit evidence (The audit team should ensure that
their reporting is based on objective evidence. Evidence should be sufficient and
appropriate to the audit findings.)
An IS auditor should ensure that the audit findings are supported by:
A. The confirmation form auditee management.
B. The audit program
C. A closure recommendation
D. Sufficient and appropriate audit evidence
Develop an alternate testing procedure. (If a sample size objective cannot be
met with the given data, the IS auditor cannot provide assurance regarding the
testing objective. In this instance, the IS auditor should develop (with audit
management approval) an alternate testing procedure. B is wrong because there
is insufficient evidence to report the finding as a deficiency. C is wrong because
a walk-through should only be initiated once an analysis is performed to
confirm that this could provide the required assurance. D is wrong because it
would not be appropriate for an IS auditor to create sample data for the audit.)
When testing program change requests for a remote system, an IS auditor finds
that the number of changes available for sampling would not provide a
reasonable level of assurance. What is the MOST appropriate action for the IS
auditor to take?
A. Develop an alternate testing procedure.
B. Report the finding to management.
C. Perform a walk-through of the change management process.
D. Create additional sample data to test additional changes.
Revalidate the supporting evidence for the finding. (Conclusions drawn by an
auditor should be adequately supported by evidence, and any compensating
controls or corrections pointed out by a department manager should be
considered. Therefore, the first step would be to revalidate the evidence for the
finding. If there are unsettled disagreements after revalidating and retesting, the
report should include those issues. A is wrong because retesting the control
occurs typically after the evidence has been revalidated. B is wrong because
while there are cases where a third party may be needed to perform specialized
audit procedures, an auditor should first revalidate the supporting evidence to
determine if there is a need for a third party. C is wrong because before putting a
disputed finding or management response in the audit report, the auditor should
review the evidence used in the finding to ensure audit accuracy.)
Which of the following should be the FIRST action of an IS auditor during a
dispute with a department manager over audit findings?
A. Retest the control to validate the finding.
B. Engage a third party to validate the finding.
C. Include the finding in the report with the department manager's comments.
D. Revalidate the supporting evidence for the finding.
Alert management and evaluate the impact of not covering all systems. (An IS
auditor should inform management that some systems are omitted from the
disaster recovery plan (DRP). An IS auditor should continue the audit and
include an evaluation of the impact of not including all systems in the DRP. B is
wrong because canceling the audit is an inappropriate action. C is wrong
because ignoring that some systems are not covered would violate audit
standards that require reporting all material findings and is inappropriate. D is
wrong because postponing the audit is an inappropriate action. The audit should
be completed according to the initial scope with identification to management
of the risk of systems not being covered.)
An IS auditor finds that a disaster recovery plan for critical business functions
does not cover all systems. Which of the following is the MOST appropriate
course of action for the IS auditor?
A. Alert management and evaluate the impact of not covering all systems.
B. Cancel the audit.
C. Complete the audit of the systems covered by the existing DRP.
D. Postpone the audit until the systems are added to the DRP.
To provide reasonable basis of drawing a conclusion (Audit evidence helps the
IS auditor to draw a conclusion about the subject under audit. Audit evidence
can be used to trace back the audit finding)
Sufficient audit evidence is obtained:
A. To comply with statutory requirements
B. To provide reasonable basis of drawing a conclusion
C. To justify audit coverage
D. To justify cost of audit
Standard report with configuration values retrieved from the system by the IS
auditor (Evidence obtained directly from the source by an IS auditor is more
reliable than information provided by a system administrator or a business
owner because the IS auditor does not have a vested interest in the audit's
outcome. A is wrong because evidence provided that is not system-generated
information could be modified before it is presented to an IS auditor. Therefore,
it may not be as reliable as evidence obtained by the IS auditor. For example, a
system administrator could change the settings or modify the graphic image
before taking a screenshot. C is wrong because the administrator may modify
the rules before taking the screenshot; therefore, this is not the best evidence. D
is wrong because the annual review a business owner provides may not reflect
current information.)
An IS auditor is carrying out a system configuration review. Which of the
following would be the BEST evidence in support of the current system
configuration settings?
A. System configuration values imported to a spreadsheet by the system
administrator
B. Standard report with configuration values retrieved from the system by the IS
auditor
C. Dated screenshot of the system configuration settings made available by the
system administrator
D. Annual review of approved system configuration values by the business
owner
The results of a test performed by an external IS auditor (An independent test
that an auditor performs should always be considered more reliable than a third-
party confirmation letter because the letter is the result of an analysis of the
process and may not be based on authoritative audit techniques. An audit should
consist of inspection, observation, and inquiry as determined by risk. This
provides a standard methodology and reasonable assurance that controls and test
results are accurate. A and C are wrong because this is audit evidence but less
reliable than the test results performed by an external auditor. D is wrong
because a letter is subjective and may not have been generated as a part of an
authoritative audit or conform to audit standards.)
Which of the following forms of evidence would an IS auditor consider
the MOST reliable?
A. An oral statement from the auditee
B. The results of a test performed by an external IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source
CAATs (CAATs are the most effective auditing tools for computerized
environments.)
The most effective tool for obtaining audit evidence through digital data is:
A. Structured Query Language
B. Extracted reports from applications
C. Risk and control testing tools
D. CAATs
Reliability (The use of CAAT ensures the reliability of audit evidence as data is
directly collected, processed, and analyzed by the IS auditor. The source of
information is considered reliable. The use of CAAT does not directly impact
the other options.)
The use of a CAAT tool will impact which of the following attributes of
evidence?
A. Appropriateness
B. Sufficiency
C. Reliability
D. Relevance
More reliability of data (CAAT provides assurance about the reliability of the
data. This is a major advantage over all the other options.)
The prime advantage of an audit team directly extracting data from a general
ledger system is:
A. No dependency on an auditee
B. Quicker access to information
C. More flexibility in the audit process
D. More reliability of data
Reperformance (In reperformance, a transaction is processed again, and results
are compared to validate the transaction. This gives the strongest evidence
among all the other options. When the same result is obtained after performance
by an independent person, it provides assurance about the accuracy of the
system logic.)
The best evidence to determine the accuracy of system logic for transaction
processing is:
A. Reperformance
B. Interview
C. Observation
D. Review of documentation
assure that the integrity of the evidence is maintained. (The IS auditor has been
requested to perform an investigation to capture evidence that may be used for
legal purposes; therefore, maintaining the integrity of the evidence should be the
foremost goal. Improperly handled computer evidence is subject to being ruled
inadmissible in a court of law. A is wrong because although it is important for
an IS auditor to be impartial, in this case, it is more critical that the evidence be
preserved. B is wrong because although it is important for an IS auditor to
maintain independence, in this case, it is more critical that the evidence be
preserved. D is wrong because while assessing all relevant evidence is
important, it is more important to maintain the chain of custody, which ensures
the integrity of evidence.)
An IS auditor has been asked by management to review a potentially fraudulent
transaction. The PRIMARY focus of an IS auditor while evaluating the
transaction should be to:
A. maintain impartiality while evaluating the transaction.
B. ensure that the independence of an IS auditor is maintained.
C. assure that the integrity of the evidence is maintained.
D. assess all relevant evidence for the transaction.
a manager coordinates the creation of a new or revised plan within a defined
time limit. (The primary concern is establishing a workable DRP that reflects
current processing volumes to protect the organization from disruptive
incidents. A is wrong because censuring the deputy CEO will not improve the
current situation and is generally outside the scope of an auditor to recommend.
B is wrong because establishing a board to review the DRP may achieve an
updated DRP but is not likely to be a speedy operation; issuing the existing DRP
would be imprudent without first ensuring it is workable. C is wrong because
the current DRP may be unacceptable or ineffective, and recommending the
approval of the DRP may be unwise. The best way to develop a DRP quickly is
to make an experienced manager responsible for coordinating the knowledge of
other managers into a formal document within a defined time limit.)
An IS auditor conducting a review of disaster recovery planning (DRP) at a
financial processing organization discovered the following:
- The existing DRP was compiled two years earlier by a systems analyst in the
organization's IT department using transaction flow projections from the
operations department.
- The DRP was presented to the deputy chief executive officer (CEO) for
approval and formal issue, but it is still awaiting attention.
- The DRP has never been updated, tested or circulated to key management and
staff, although interviews show that each would know what action to take for its
area if a disruptive incident occurred.
Which of the following sampling methods is the MOST appropriate for testing
automated invoice authorization controls to ensure that exceptions are not made
for specific users?
A. Variable sampling
B. Judgmental sampling
C. Stratified random sampling
D. Systematic sampling
Stratified random sampling (Stratification divides a population into
subpopulations with explicitly defined similar characteristics so each
sampling unit can belong to only one stratum. This sampling method
ensures that all sampling units in each subgroup have a known, nonzero
chance of selection. A is wrong because this is used for substantive testing to
determine the monetary or volumetric impact of characteristics of a
population. B is wrong because, in judgmental sampling, professionals
place a bias on the sample. It should be noted that it is not statistically
based, and results should be unrestricted over the population because the
sample is unlikely to be representative of the population. D is wrong
because this involves selecting sampling units using a fixed interval between
selections, with the first interval having a random start.)
To review the adequacy of management's remediation action plan, the most
important factor is:
A. The approval of the remediation action by senior management
B. The man-days required for future audit work
C. Potential cost savings
D. The criticality of the audit findings
The criticality of the audit findings (A remediation action plan should align
with the audit findings' criticality.)
The BEST way to schedule a follow-up for audit findings is to:
A. Schedule a follow-up audit based on closure due dates
B. Schedule a follow-up audit only during the next audit cycle
C. Schedule a follow-up audit on a surprise basis to determine whether
remediation is in progress
D. Schedule a follow-up audit when findings escalate to incidents
Schedule a follow-up audit based on closure due dates (It is always advised
to schedule a follow-up audit based on closure due dates.)