CISA Chapter 1 Practice

CISA Chapter 1 Practice
Which of the following is the first step in risk-based audit planning?

A. To identify the requirements of relevant stakeholders
B. To identify high-risk processes in the company
C. To identify the budget
D. To identify the profit function
To identify high-risk processes in the company
Which of the following is a major advantage of a risk-based approach to audit
planning?
A. Advance communication of the audit plan
B. Completion of the audit exercise within the allotted time and budget
C. The collection of audit fees in advance
D. Optimum use of audit resources for high-risk processes
Optimum use of audit resources for high-risk processes
When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and then
tested for appropriateness
B. Changes to production code should be sampled and traced to appropriate
authorizing documentation
C. Change management documents should be selected based on system
criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-
produced logs indicating the date and time of change
Changes to production code should be sampled and traced to appropriate
authorizing documentation
When testing the logical security, the IS auditor is MOST concerned when
observing:
A. The system administrator account is known by everybody.
B. The passwords are not enforced to change frequently.
C. The network administrator is given excessive permissions.
D. Changes to production code should be sampled and traced back to system-
produced logs indicating the date and time of the change.
The system administrator account is known by everybody. (The system
administrator account being known by everybody is the most dangerous. In
that case, any user could perform any action in the system, including file
access, permission, and parameter adjustment.)
Which of the following would be expected to approve the audit charter?
A. Chief financial officer
B. Chief executive officer
C. Audit steering committee
D. Audit committee
Audit committee (One of the primary functions of the audit committee is to
create and approve the audit charter. A is incorrect because the CFO does
not approve the audit charter but may be responsible for allocating funds
in support of the audit charter. The CFO may also be a part of the audit or
steering committee but would not approve the charter independently. B is
incorrect because the CEO does not approve the audit charter. The CEO
may be informed, but they are independent of the audit committee. C is
incorrect because the steering committee would most likely be composed of
various members of senior management whose purpose is to work under
the framework of the audit charter and would not approve the charter
itself.)
What is the most appropriate type of CAAT tool the auditor should use to test
security configuration settings for the entire application system is:
a. generalized audit software (GAS)
b. test data
c. utility software
d. expert system
utility software (when testing the security of the entire application systems -
including OS, DB and APP security - you'll most likely use utility software)
If the application is access through the internet, how should the auditor
determine whither to perform a detailed review of the fire rules and VPN
configuration settings?
a. documented risk analysis
b. availability of technical expertise
c. approach used in previous audit
d. IS auditing guidelines and best practices
documented risk analysis
The scope, authority, and responsibility of the IS audit function is defined by:
A. The head of the IT department
B. The operational head of the department
C. The head of audit
D. Approved Audit Charter
Approved Audit Charter (The overall scope, authority, and responsibility
of the internal audit department is outlined in the audit charter. Top
management/board members should approve the audit charter. The other
options are not correct.)
Audit charter primarily includes:
A. Objectives and scope of operational audits
B. Training requirement of audit staff
C. The annual audit plan
D. The authority given to the audit function
The authority given to the audit function
Which of the following is the best reason for a senior audit manager reviewing
the work of an auditor?
A. Quality requirements
B. SLA requirements
C. Professional standards
D. Client requirements
Professional standards (The professional standards issued by ISACA, IIA,
and the International Federation of Accounts require the review of the
work of an auditor by a senior audit manager to ensure that the audit
objectives are met and the audit is conducted per the accepted procedures.)
During an exit interview, in cases where there is disagreement regarding the
impact of a finding, an IS auditor should:
A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of the finding and the risk of not correcting it.
C. report the disagreement to the audit committee for resolution.
D. accept the auditee's position because they are the process owners.
elaborate on the significance of the finding and the risk of not correcting it.
(If the auditee disagrees with the impact of a finding, it is essential for an IS
auditor to elaborate and clarify the risk and exposures because the auditee
may not fully appreciate the magnitude of the exposure. The goal should be
to enlighten the auditee or uncover new information that an IS auditor may
not have been aware of. Anything threatening the auditee lessens effective
communications and sets up an adversarial relationship. However, an IS
auditor should only sometimes agree because the auditee expresses an
alternate point of view. Management is always responsible and liable for
risk and mitigate it appropriately. The IS auditor should inform
management of findings and associated risks discovered in an audit. The
audit report contains the IS auditor's findings and management's
response.)
Which of the following should be the first exercise while reviewing data center
security?
A. The evaluation of the physical security arrangement
B. The evaluation of threats and vulnerabilities applicable to the data center
C. The evaluation of the business continuity arrangement for the data center
D. The evaluation of the logical security arrangement
The evaluation of threats and vulnerabilities applicable to the data center
(Out of the given options, the first step in evaluating a data center's
security controls is evaluating the data center's threats and vulnerabilities.
Options A and D are followed once the vulnerabilities and threats are
identified. Option C is not considered as a part of a security analysis.)
Which of the following is the most important aspect of planning an audit?
A. To identify high-risk processes
B. Identifying the experience and capabilities of audit staff
C. Identifying control testing procedures of the audit
D. Determining the audit schedule
To identify high-risk processes
The FIRST priority of the IS auditor in year one should be the study the:
A. Previous audit reports and plan the audit schedule.
B. Audit charter and plan the audit schedule.
C. Impact of the increased employee turnover.
D. Impact of the implementation of a new ERP on the IT environment.
Audit charter and plan the audit schedule.
if the auditor detects the transaction authorization control objective cannot be

met due to a lack of clearly defined roles and privileges in the application, the
auditor should first:
a. review the authorization on a sample of transactions
b. immediately report this findings to upper management
c. request the auditee management review the appropriateness of access rights
for all users
d. use a GAS to check the integrity of the database
review the authorization on a sample of transactions (Review the
authorization of a sample of transactions in order to determine and be able
to report the impact and materiality of the issue. After you determine the
impact of the issue, then you would report the issue, or because the impact
and materiality will then be terminated after the review of the sample of
transactions. Using the GAS to check the integrity of the database would
not help the auditor assess the issue's impact.)
How should the IS auditor evaluate backup and batch processing within a
computer operation?
A. Plan and carry out an independent review of computer operations
B. Rely on the service auditor's report of the service provider
C. Study the contract between the entity and the service provider
D. Compare the service delivery report to the service level agreement
Plan and carry out an independent review of computer operations
Which of the following represents the GREATEST potential risk in an
electronic data interchange (EDI) environment?
A. Lack of transaction authorizations
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of
application controls
Lack of transaction authorizations (The interaction between parties is
electronic, and no inherent authentication occurs; therefore, lack of
transaction authorization is the greatest risk. B is incorrect because this is
an example of risk, but because all transactions should be logged, the
impact could be better than that of unauthorized transactions. C is
incorrect because this may terminate the process or hold the line until the
normal time for processing has elapsed; however, there will be no data loss.
D is incorrect because this is an example of risk. Logging detects any
alteration to the data, and the impact is not as great as that of unauthorized
transactions.)
An audit charter should be approved by:
A. Higher management
B. The head of audit
C. The Information Security department
D. The project steering committee
Higher management (Ideally, top management should approve the audit
charter. The approved audit charter is the basis on which the chief audit
officer carries out audit processes. The IS department and the IT steering
committee should not be involved in preparing the audit charter.)
The audit charter should:
A. Be frequently upgraded as per changes in technology and the audit
profession
B. Incorporate yearly audit planning
C. Incorporate business continuity requirements
D. Incorporate the scope, authority, and responsibility of the audit department
Incorporate the scope, authority, and responsibility of the audit department
(The overall scope, authority, and responsibility of the audit function is
outlined in an audit charter. The charter should not be frequently modified.
The audit charter will not cover procedural aspects such as the audit
calendar and resource allocation. Business continuity arrangements should
ideally be incorporated in the BCP document, and it should not form part
of the audit charter.)
The prime objective of an audit charter is to:
A. Document the procedural aspect of an audit
B. Document system and staff requirements to conduct the audit
C. Document the ethics and code of conduct for the audit department
D. Document the responsibility and authority of the audit department
Document the responsibility and authority of the audit department (The
main purpose of the audit charter is to define the auditor's roles and
responsibilities. The audit charter should empower auditors to perform
their work. Procedural aspects such as audit procedure, resource
allocation, and ethical standards should not be a part of the audit charter.)
The document that delegates authority to the audit department is:
A. The audit planner
B. The audit charter
C. The IT policy
D. The risk assessment and treatment document
The audit charter (The audit charter includes the overall scope,
responsibility, and authority of the audit department. Audit planning is
included in the audit calendar. The risk assessment and treatment plan
should contain details of identified risks and their mitigating controls. The
compendium of audit observations contains a summary of critical audit
observations for top management.)
What does the classification of information assets help to ensure?
A. The protection of all IT assets
B. That a fundamental level of security is implemented irrespective of the value
of assets
C. That information assets are subject to suitable levels of protection
D. That only critical IT assets are protected
That information assets are subject to suitable levels of protection (Data
classification helps determine the appropriate level of protection for
information assets. Having a specific level of information security is
important when protecting data and other IT assets.)
The final decision to include a material finding in an audit report should be
made by the:
A. audit committee.
B. auditee's manager.
C. IS auditor.
D. chief executive officer of the organization.
IS auditor. (The IS auditor should decide what to include or exclude from
the audit report. A is incorrect because the audit committee should uphold
the IS auditor's independence, professionalism, and objectivity by
influencing what is included in the audit report. B is incorrect because The
IS auditor's manager may recommend what should or should not be
included in an audit report. However, the auditee's manager should avoid
influencing the report's content. D is incorrect because the CEO must
refrain from influencing an audit report's content. After all, that would
breach the audit function's independence.)
The prime reason for the review of an organization chart is to:
A. Get details related to the flow of data
B. Analyze the department-wise employee ratio
C. Understand the authority and responsibility of individuals
D. Analyze department-wise IT assets
Understand the authority and responsibility of individuals (An
organization chart is used to derive details about the authority and
responsibility of relevant functions in the organization. It will help to
understand whether proper segregation of duties exists.)
An IS auditor would be primarily influenced by:
A. The charter of the audit department
B. The representation by management
C. The structure of the organization
D. The number of outsourcing arrangements
The charter of the audit department (The overall scope, authority, and
responsibility of the audit department is outlined in the audit charter.
Primarily, the actions of the audit team will be influenced and guided by
this charter.)
Which of the following risks can be mitigated by statistical sampling?
A. Audit risk
B. Detection risk
C. Inherent risk
D. Sampling risk
Detection risk (Detection risk can be minimized by statistical sampling.
Detection risk is the risk that the auditor may fail to detect material control
deficiency. As statistical sampling does not involve any subjectivity, the
chance of failure is minimum. Thus, detection risk can be reduced by the
use of statistical sampling. The other risks cannot be minimized using
statistical sampling.)
Which of the following is the result of a risk management process?
A. A corporate strategic plan
B. A charter incorporating the audit policy
C. Decisions regarding the security policy
D. Outsourcing arrangements
Decisions regarding the security policy (Based on the outcome of the risk
management process, the organization determines the security
requirements. The results of the risk management process do not directly
impact other choices.)
While planning an IS audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.
reasonable assurance that the audit will cover material items. (The applied
risk assessment approach should help prioritize and schedule the IS audit
and assurance work. The risk assessment should support selecting areas
and items of audit interest and the decision process to design and conduct
particular IS audit engagements. B is incorrect because this is an
impractical proposition. C is incorrect because reasonable assurance that
all items will be covered during the audit work is incorrect. After all,
primarily material items need to be covered, not all items. D is incorrect
because this is less important than ensuring the audit covers all material
items.)
Which of the following should be included in an audit charter?
A. Annual audit planning
B. The audit function's reporting structure
C. Guidelines for drafting audit reports
D. An annual audit calendar
The audit function's reporting structure (The overall scope, authority, and
responsibility of the audit department are outlined in the audit charter. It
should also document the reporting matrix of the audit function. Generally,
the head of the audit reports to an audit committee.)
Which of the following functions is governed by the audit charter?
A. The information technology function
B. The external audit function
C. The internal audit function
D. The information security function
The internal audit function (The overall scope, authority, and responsibility
of the internal audit department are outlined in the audit charter. The
authority, scope, and responsibilities of the external audit are governed by
the engagement letter.)
Which of the following covers the overall authority to perform an IS audit?
A. The audit scope with goals and objectives
B. Management's request to perform an audit
C. The approved audit charter
D. The approved audit schedule
The approved audit charter (An internal audit charter is an official
document that comprises the internal audit department's objectives,
authority, responsibilities, and delegation of authority)
The audit function should be reported to the audit committee of the board
because:
A. The audit function has few resources
B. The audit function must be independent of the business function and should
have direct access to the audit committee of the board
C. No other function should use the resources of the audit function
D. The audit function can use their own authority to complete the audit on
priority basis
The audit function must be independent of the business function and
should have direct access to the audit committee of the board (The audit
function should be independent of influence and bias. Having direct and
immediate access to the audit committee can enable auditors to raise major
irregularities and concerns without any influence from business functions.)
Which of the following is the MAIN reason to perform a risk assessment in the
planning phase of an IS audit?
A. To ensure management’s concerns are addressed
B. To provide reasonable assurance material items will be addressed
C. To ensure the audit team will perform audits within budget
D. To develop the audit program and procedures to perform the audit
To provide reasonable assurance, material items will be addressed (A risk
assessment helps to focus the audit procedures on the highest risk areas
included in the scope of the audit. The concept of reasonable assurance is
also important. A is incorrect because management concerns do not affect
the risk assessment process. If management has concerns and wants the
auditor to focus on a certain area, the auditor should ensure adequate time
is allocated to address the concerns. C is incorrect because a risk
assessment determines where to place time and personnel resources, while
budget constraints are limited to time resources. D is incorrect because a
risk assessment is used to allocate resources to audits.)
When developing a risk management program, what is the FIRST activity to be
performed?
A. Threat assessment
B. Classification of data
C. Inventory of assets
D. Criticality analysis
Inventory of assets (Identification of the assets to be protected is the first
step in developing a risk management program. A listing of the threats that
can affect the assets is a later step in the process. Data classification is
required for defining access controls and in criticality analysis, but the
assets (including data) must be identified before classification. Criticality
analysis is a later step in the process after the assets have been identified.)
The best objective for the creation of an audit charter is to:
A. Determine the audit resource requirements
B. Document the mission and long-term strategy of the audit department
C. Determine the code of conduct for the audit team
D. Provide the authority and responsibility of the audit function
Provide the authority and responsibility of the audit function (The
charter's main purpose is to define the auditor's roles and responsibilities.
The audit charter empowers the audit function to carry out its work. The
other options are not relevant to this purpose.)
To ensure that audit resources deliver the best value to the organization,
the FIRST step in an audit project is to:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.
develop the audit plan on the basis of a detailed risk assessment. (Although
monitoring the time and audit programs and adequate training improve
the IS audit staff's productivity (efficiency and performance), ensuring that
the resources and efforts dedicated to audit are focused on higher-risk
areas delivers value to the organization. Monitoring the audits and the time
spent on audits is not effective if the wrong areas are being audited.
Developing a risk-based audit plan is most important to ensure the effective
use of audit resources. The IS auditor may have specialties or the audit
team may rely on outside experts to conduct specialized audits. Each IS
auditor doesn't need to be trained on all new technology. Monitoring the
progress of audits and initiating cost control measures do not ensure the
effective use of audit resources.)
Main objective of an audit charter is to:
A. Document the annual audit plan
B. Document audit procedures
C. Describes the auditors' authority to conduct audits
D. Describes the auditors' code of conduct
Describes the auditors' authority to conduct audits
Which of the following options best describes the process of assessing a risk?
A. Subject-oriented
B. Object-oriented
C. Mathematics-oriented
D. Statistics-oriented
Subject-oriented (To determine risk, you need to calculate probability and
impact. Probability is based on estimates and estimates are always
subjective. Risk assessment is based on perception.)
Which of the following is the area of greatest concern in an EDI process?
A. No logging and monitoring of EDI transactions.
B. Senior management has not approved the EDI process.
C. The contract for a trading partner has not been entered.
D. EDI using a dedicated channel for communication.
The contract for a trading partner has not been entered. (Legal liability
cannot be enforced without an agreement between trading partners. There
may be uncertainty concerning legal liability. This will be the area of most
concern. A dedicated communication channel is considered a good control
for EDI transactions.)
What is the process of using well-designed documentation to prevent errors an
example of?
A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Preventive control (Well-designed documents attempt to prevent errors by
implementing efficient and effective operational procedures in the
organization.)
Encryption helps in achieving which of the following objectives in an EDI
environment?
A. Ensuring the confidentiality and integrity of transactions
B. Detecting invalid transactions
C. Validating and ensuring the reconciliation of totals between the EDI and
trading partner
D. Providing functional acknowledgment to the sender
Ensuring the confidentiality and integrity of transactions (Encryption is a
technical control through which plaintext is converted into encrypted (non-
readable) text. Encryption processes are implemented to ensure the
integrity and confidentiality of transactions.)
In an EDI environment, which of the following procedures ensures the
completeness of an inbound transaction?
A. The process for transaction authentication
B. The build segment count coming to the transaction set trailer of the sender
C. An audit trail
D. The segregation of duties for high-risk transactions
The build segment count coming to the transaction set trailer of the sender
(Building a segment count total ensures the completeness of inbound
transactions in an EDI environment.)
In which of the following processes are details entered by one employee
reentered by another employee to check their accuracy?
A. Reasonableness check
B. Key verification
C. Control total
D. Completeness check
Key verification (The same field is filled in twice, and a machine compares
the entries for verification and validation. A reasonableness check ensures
the logical reasoning of an input transaction. The control total is a system-
based control that ensures that all relevant data is captured. A sequence
check ensures the continuity of serial numbers. Completeness controls
ensure the presence of input for all required fields.)
Which of the following is used in an e-commerce application to ensure that a
transaction is enforceable?
A. Access control
B. Authentication
C. Encryption
D. Non-repudiation
Non-repudiation (non-repudiation is a control that ensures that the sender
cannot deny a transaction. It ensures that a transaction is enforceable.)
While reviewing sensitive electronic work papers, the IS auditor noticed that
they were not encrypted. This could compromise the:
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to the work papers.
D. confidentiality of the work papers.
confidentiality of the work papers. (Encryption provides confidentiality for
the electronic work papers. Audit trails do not, by themselves, affect the
confidentiality, but are part of the reason for requiring encryption. Audit
phase approvals do not, by themselves, affect the confidentiality of the
work papers, but are part of the reason for requiring encryption. Access to
the work papers should be limited by need to know; however, a lack of
encryption breaches the confidentiality of the work papers, not the access
rights to the papers.)
The first step in developing an annual internal IS audit plan is to:
A. Identify the threats and vulnerabilities
B. Determine the audit universe
C. Determine the control environment
D. Determine the sampling approach
Determine the audit universe (The first step is to determine the audit
universe for the organization. The audit universe is the list of all the
processes and systems under the scope of the audit. Once the audit universe
is identified, critical processes and systems will be identified based on their
value to the organization. A risk assessment of these critical systems and
processes should be done, and accordingly, an audit plan should be
designed.)
Which of the following should be performed first in a risk-focused audit?
A. Analyzing inherent risk
B. Analyzing residual risk
C. Analyzing the controls assessment
D. Analyzing the substantive assessment
Analyzing inherent risk (The inherent risk assessment is the assessment of
risk at a gross level without considering the impact of controls. The first
step in a risk-focused audit is to obtain relevant details about the industry
and organization to consider the inherent risk level.)
Controls that are designed to prevent omissions, errors, or negative acts from
occurring are which kind of controls?
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Preventive controls (Preventive controls are incorporated to prevent a
threat event and thus avoid its potential impact. Detective controls are
implemented to detect threat events once they have occurred. Detective
controls aim to reduce the impact of an event. Corrective controls are
designed to minimize the impact of a threat event once it has occurred and
help restore a business to its routine operations. Compensating controls are
alternate measures employed to ensure that weaknesses in a system are not
exploited. In many cases, a strong control in one area can compensate for a
weakness in another.)
In a risk-based audit approach, which of the following is the least relevant to
audit planning?
A. The adoption of a mature technology by the organization
B. The risk culture and risk awareness of the organization
C. The legal regulatory impact
D. Previous audit findings
The adoption of a mature technology by the organization (Technology
adoption may have a small impact while planning an audit compared to
other options. All the options are important, but the technology's maturity
alone has the least influence on an organization's risk assessment.)
What are controls that are put in place to indicate or detect an error?
D. Deterrent controls
Detective controls (Preventive controls are incorporated in such a way that
prevents a threat event and thus avoids its potential impact. Detective
controls are implemented to detect threat events once they have occurred.
Detective controls aim to reduce the impact of an event. Corrective controls
are designed to minimize the impact of a threat event once it has occurred
and help restore a business to its routine operations. Compensating controls
are alternate measures employed to ensure that weaknesses in a system are
not exploited. In many cases, a strong control in one area can compensate
for a weakness in another.)
Which of the following is an attribute of the control self-assessment approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven
Broad stakeholder involvement (The control self-assessment (CSA)
approach emphasizes management and accountability for developing and
monitoring the controls of an organization's business processes. The
attributes of CSA include empowered employees, continuous improvement,
extensive employee participation, and training—all representations of
broad stakeholder involvement. B is incorrect because IS auditors are the
primary control analysts in a traditional audit approach. CSA involves
many stakeholders, not just auditors. C and D are incorrect because this is
an attribute of a traditional audit approach.)
The PRIMARY objective of the audit initiation meeting with an IS audit client
is to:
A. discuss the scope of the audit.
B. identify resource requirements of the audit.
C. select the methodology of the audit.
D. collect audit evidence.
discuss the scope of the audit. (The primary objective of the initiation
meeting with an audit client is to help define the scope of the audit. B is
incorrect because determining the resource requirements of the IS audit is
typically done by IS audit management during the early planning phase of
the project rather than at the initiation meeting. C is incorrect because
selecting the audit methodology is different from the objective of the
initiation meeting. D is incorrect because for most audits, collecting audit
evidence is performed during the engagement and is not normally collected
during the initiation meeting.)
The PRIMARY reason an IS auditor performs a functional walk-through during
the preliminary phase of an audit assignment is to:
A. understand the business process.
B. comply with auditing standards.
C. identify control weakness.
D. develop the risk assessment.
understand the business process. (This is the first step an IS auditor needs
to perform. B is incorrect because the Standards encourage adopting the
audit procedures/processes required to assist the IS auditor in performing
IS audits more effectively. However, standards do not require an IS auditor
to perform a process walk-through at the commencement of an audit
engagement. C is incorrect because this is not the primary reason for the
walk-through and typically occurs later in the audit. D is incorrect because
the risk assessment is developed after the business process is understood.)
A company has recently upgraded its purchase system to incorporate electronic
data interchange (EDI) transmissions. Which of the following controls should
be implemented in the EDI interface to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements
Functional acknowledgements (Acting as an audit trail for electronic data
interchange transactions, functional acknowledgments are one of the main
controls used in data mapping. Key verification is used for data encryption
and protection but not for mapping. One-for-one checking validates that
transactions are accurate and complete but does not map data. Manual
recalculations verify that the processing is correct but do not map data.)
Which of the following is the segregation of duties an example of?
Preventive control (Segregation of duties is an attempt to prevent fraud or
irregularities by segregating duties such that no single employee can
commit fraud or other irregularities.)
An external IS auditor issues an audit report pointing out the lack of firewall
protection features at the perimeter network gateway and recommending a
specific vendor product to address this vulnerability. The IS auditor has failed to
exercise:
A. professional independence.
B. organizational independence.
C. technical competence.
D. professional competence.
professional independence. (When an IS auditor recommends a specific
vendor, the auditor's professional independence is compromised. B is
incorrect because this has no relevance to the content of an audit report
and should be considered when accepting the engagement. C and D are
incorrect because they are not relevant to the requirement of
independence.)
Which of the following represents an example of a preventive control with
respect to IT personnel?
A. A security guard stationed at the server room door
B. An intrusion detection system
C. Implementation of a badge entry system for the IT facility
D. A fire suppression system in the server room
Implementation of a badge entry system for the IT facility (Preventive
controls are used to reduce the probability of an adverse event. A badge
entry system prevents unauthorized entry to the facility. A is incorrect
because a security guard stationed at the server room door is a deterrent
control. B is incorrect because an intrusion detection system is a detective
control. D is incorrect because a fire suppression system is a corrective
control.)
What kind of control is a control that enables a deficiency or another
irregularity to be corrected before a loss occurs?
Corrective control (Corrective controls are designed to minimize the
impact of a threat event once it has occurred and help restore the routine
operations of the business.)
Which of the following situations could impair the independence of an IS
auditor? The IS auditor:
A. implemented specific functionality during the development of an application.
B. designed an embedded audit module for auditing an application.
C. participated as a member of an application project team and did not have
operational responsibilities.
D. provided consulting advice concerning application good practices.
implemented specific functionality during the development of an
application. (Independence may be impaired if an IS auditor is, or has
been, actively involved in developing, acquiring, and implementing the
application system. Designing an embedded audit module does not impair
an IS auditor's independence. IS auditors should not audit their work, but
participating in the application system project team does not impair an IS
auditor's independence. An IS auditor's independence is not impaired by
providing advice on known good practices.)
Which of the following is the PRIMARY requirement for reporting IS audit
results? The report is:
A. prepared according to a predefined and standard template.
B. backed by sufficient and appropriate audit evidence.
C. comprehensive in coverage of enterprise processes.
D. reviewed and approved by audit management.
backed by sufficient and appropriate audit evidence. (IS audit standards
require that reports be backed by sufficient and appropriate audit evidence
to demonstrate the application of the minimum standard of performance,
and the findings and recommendations can be validated if required. A is
incorrect because this may be useful in ensuring that all key aspects are
provided in a uniform structure. However, this must demonstrate that
audit findings are based on evidence that can be proven if required. C is
incorrect because a risk assessment process defines the scope and coverage
of IS audits, which may only sometimes provide comprehensive coverage of
enterprise processes. D is incorrect because while from an operational
standpoint, an audit report should be reviewed and approved by audit
management, the more critical consideration is that all conclusions are
backed by sufficient and appropriate audit evidence.)
Which of the following is the best course of action if it is not possible to cover
the total audit scope due to resource constraints?
A. Concentrate on last year's audit findings
B. Rely on the management assurance of internal controls.
C. Focus on high-risk areas.
D. Concentrate on the effectiveness of controls.
Focus on high-risk areas. (The best course of action is to reduce the audit
scope and focus on high-risk areas. The other options do not concentrate on
areas requiring more audit focus.)
An IS auditor has identified a business process to be audited. The IS auditor
should NEXT identify the:
A. most valuable information assets.
B. IS audit resources to be deployed.
C. auditee personnel to be interviewed.
D. control objectives and activities.
control objectives and activities. (After identifying the business process, the
auditor should identify the control objectives and activities associated with
the business process validated in the audit. A is incorrect because all assets
need to be identified. To determine the key information assets to be audited,
the auditor should determine which control objectives and key control
activities should be validated. B is incorrect because only after determining
which controls and related relevant information assets are to be validated
can the IS auditor decide on the key IS audit resources (with the relevant
skill sets) that should be deployed for the audit. C is incorrect because only
after determining the key control activities to be validated can the auditor
identify the relevant process personnel who should be interviewed.)
Barriers or warning signs are examples of what kind of control?
Deterrent control (A deterrent control is anything intended to warn a
potential attacker not to attack.)
Which of the following controls would an IS auditor look for in an environment
where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
Compensating controls (These are internal controls that are intended to
reduce the risk of an existing or potential control weakness that may arise
when duties cannot be appropriately segregated. A is incorrect because
These two controls address the same control objective or exposure. It is
difficult to install overlapping controls because primary controls cannot be
achieved when duties cannot or are not appropriately segregated. B is
incorrect because boundary controls establish the interface between the
would-be user of a computer system and the computer system itself and are
individual-based, not role-based, controls. C is incorrect because resource
access controls are based on individuals and not roles. For a lack of
segregation of duties, the IS auditor expects to find that a person has higher
access levels than ideal. The IS auditor wants to find compensating controls
to address this risk.)
Utilizing a service of only qualified resource is an example of:
D. Internal control
Preventive control (Employing only qualified personnel is an attempt to
prevent errors or other irregularities.)
What should be the next course of action for an IS auditor once the potential
material findings are discovered?
A. Discuss the potential findings with the business unit
B. Conduct additional testing
C. Report the potential findings to the audit committee
D. Recommend closure of the findings before the issuance of a report
Conduct additional testing (The best course of action is to perform
additional testing to confirm the correctness of the audit findings. Only
based on sufficient objective evidence should audit findings be reported.
Additional testing should confirm findings before they are discussed with
the business unit or reported to the audit committee.)
An IS auditor who has discovered unauthorized transactions during a review of
electronic data interchange (EDI) transactions is likely to recommend
improving the:
A. EDI trading partner agreements.
B. physical controls for terminals.
C. authentication techniques for sending and receiving messages.
D. program change control procedures.
authentication techniques for sending and receiving messages. (They play a
key role in minimizing exposure to unauthorized transactions. A is
incorrect because these minimize exposure to legal issues but do not resolve
the problem of unauthorized transactions. B is incorrect because this is
important and may provide protection from unauthorized people accessing
the system but does not provide protection from unauthorized transactions
by authorized users. D is incorrect because change control procedures do
not resolve the issue of unauthorized transactions.)
A check subroutine that identifies an error and makes a correction before
enabling the process to continue is an example of what kind of control?
Corrective control (The check subroutine corrects the error. It modifies the
processing system and minimizes the likelihood of future problem
occurrences.)
The requirement of biometric access for physical facilities is an example of
what kind of control?
Preventive control (Access control aims to prevent access by unauthorized
persons. It prevents omissions, errors, or malicious acts from occurring)
What is the primary consideration when evaluating the acceptable level of risk?
A. The acceptance of risk by higher management
B. That not all risks need to be addressed
C. That all relevant risks must be recognized and documented for analysis
D. The involvement of line management in risk analysis
That all relevant risks must be recognized and documented for analysis (It
is most important that identified risks are properly documented. After
proper documentation, other factors should be considered.)
The internal audit department has written some scripts that are used for
continuous auditing of some information systems. The IT department has asked
for copies of the scripts so that they can use them for setting up a continuous
monitoring process on key systems. Would sharing these scripts with IT affect
the ability of the IS auditors to independently and objectively audit the IT
function?
A. Sharing the scripts is not permitted because it would give IT the ability to
pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all
programs and software that runs on IS systems regardless of audit
independence.
C. Sharing the scripts is permissible as long as IT recognizes that audits may
still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because it would mean that the IS
auditors who wrote the scripts would not be permitted to audit any IS systems
where the scripts are being used for monitoring.
Sharing the scripts is permissible as long as IT recognizes that audits may
still be conducted in areas not covered in the scripts. (IS audit can still
review all aspects of the systems. They may not be able to review the
effectiveness of the scripts, but they can still audit the systems. A is
incorrect because the ability of IT to monitor and address any issues on IT
systems continuously does not affect the ability of IS audit to perform a
comprehensive audit. B is incorrect because sharing the scripts may be
required by policy for quality assurance and configuration management,
but that does not impair the ability to audit. D is incorrect because an audit
of an IS system encompasses more than just the controls covered in the
scripts.)
Which of the following would be a major concern in the absence of established
audit objectives?
A. Not being able to determine the audit's budget
B. Not being able to identify key stakeholders
C. Not being able to determine key business risks
D. Not being able to determine previous audit findings
Not being able to determine key business risks (In the absence of audit
objectives, an audit scope cannot be determined; hence, a key business risk
may not be identified. The auditor might not audit areas of highest risk for
the organization. Other options are secondary concerns.)
An IS audit department is considering implementing continuous auditing
techniques for a multinational retail enterprise that processes a large volume of
transactions per day. A PRIMARY benefit of continuous auditing is that:
A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.
fraud can be detected more quickly. (Continuous auditing techniques assist
the auditing function in reducing the use of auditing resources through
continuous evidence collection. This approach helps the auditors identify
fraud in a timely fashion and allows the auditors to focus on relevant data.
A is wrong because continuous monitoring is detective and does not
necessarily assist the auditor in monitoring preventive controls. The
approach will detect and monitor for errors that have already occurred. In
addition, continuous monitoring will benefit the internal audit function by
reducing the use of auditing resources and timely reporting of errors. B is
wrong because system integrity is associated with preventive controls such
as input controls and quality assurance reviews. C is wrong because
continuous audits will detect errors. Correcting errors is a management
function.)
The purpose of a checksum on an amount field in an electronic data interchange
communication of financial transactions is to ensure:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.
integrity. (A checksum calculated on an amount field and included in the
electronic data interchange communication can be used to identify
unauthorized modifications. B and C are incorrect because a checksum
cannot establish this alone and needs other controls. D is incorrect because
this can be ensured by using digital signatures.)
An "echo" message in a telecommunications protocol is an example of what
kind of control?
D. Compensating control
Detective control (Detective controls use controls that detect and report the
prevalence of an error, omission, or malicious act.)
Which of the following is in the BEST position to approve changes to the audit
charter?
A. Board of directors
B. Audit committee
C. Executive management
D. Director of internal audit
Audit committee (The audit committee is a subgroup of the board of
directors. The audit department should report to the audit committee, and
the committee should approve the audit charter. A is incorrect because the
board of directors does not need to approve the charter; it is best presented
to the audit committee for approval. C is incorrect because executive
management is not required to approve the audit charter and will not have
the independence to approve the charter. The audit committee is best
positioned to approve the charter because it is an independent and senior
group. D is incorrect because while the director of internal audit may draft
the charter and make changes, the audit committee should have the final
approval of the charter.)
An organization uses a bank to process its weekly payroll. Time sheets and
payroll adjustment forms (e.g., hourly rate changes, terminations) are completed
and delivered to the bank, which prepares checks and reports for distribution.
To BEST ensure payroll data accuracy:
A. payroll reports should be compared to input forms.
B. gross payroll should be recalculated manually.
C. checks should be compared to input forms.
D. checks should be reconciled with output reports.
payroll reports should be compared to input forms. (The best way to
confirm data accuracy, when input is provided by the organization and
output is generated by the bank, is to verify the data input (input forms)
with the results of the payroll reports. Recalculating gross payroll manually
only verifies whether the processing is correct and not the data accuracy of
inputs. Comparing checks to input forms is not feasible because checks
contain the processed information and input forms contain the input data.
Reconciling checks with output reports only confirms that checks were
issued as stated on output reports.)
Checkpoints in a production job are examples of what kind of control?
D. Compensating control
Detective control (Detective controls detect and report the prevalence of an
error, omission, or malicious act.)
In a small organization, the function of release manager and application
programmer are performed by the same employee. What is
the BEST compensating control in this scenario?
A. Hiring additional staff to provide segregation of duties
B. Preventing the release manager from making program modifications
C. Logging of changes to development libraries
D. Verifying that only approved program changes are implemented
Verifying that only approved program changes are implemented
(Compensating controls are used to mitigate risk when proper controls are
not feasible or practical. Hiring new staff may be challenging in a small
organization, so compensating control may be necessary. Verifying
program changes has roughly the same effect as intended by the complete
segregation of duties. A is incorrect because establishing segregation of
duties is not a compensating control but a preventive control. Hiring new
staff may be challenging in a small organization, so compensating control
may be necessary. B is incorrect because since the release manager is
performing dual roles, preventing them from making program
modifications is not feasible, and, in a small organization, segregation of
duties may not be possible. C is incorrect because logging changes to
development libraries does not detect changes to production libraries.)
As part of audit planning, an IS auditor is designing various data validation tests
to effectively detect transposition and transcription errors. Which of the
following will BEST help in detecting these errors?
A. Range check
B. Validity check
C. Duplicate check
D. Check digit
Check digit (A check digit is a numeric value calculated mathematically
and added to data to ensure that original data have not been altered or that
an incorrect but valid match has occurred. The check digit control is
effective in detecting transposition and transcription errors. A is incorrect
because range checks can only ensure that data falls within a
predetermined range but cannot detect transposition errors. B is incorrect
because validity checks are generally programmed checking of data
validity by predetermined criteria. C is incorrect because duplicate check
analysis tests defined or selected primary keys for duplicate primary key
values.)
Particular threat of an overall business risk indicated as:
A. The product of the probability and impact
B. The probability of threat realization
C. The valuation of the impact
D. The valuation of the risk management team
The product of the probability and impact (Risk is the product of impact
and product. Option A considers both probability and impact. Option B
considers only the probability of occurrence. Option C considers only the
quantum of the impact. Option D does not apply to the structured and
scientific risk assessment process.)
An IS auditor performing a review of application controls would evaluate the:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D. application's optimization.
impact of any exposures discovered. (An application control review
involves the evaluation of the application's automated controls and an
assessment of any exposures resulting from the control weaknesses. A is
incorrect because the IS auditor is reviewing the controls' effectiveness, not
the application's suitability to meet business needs. C is incorrect because
this is not part of an audit restricted to a review of the application controls.
D is incorrect because one area to be reviewed may be the efficiency and
optimization of the application, but this is not the area being reviewed in
this audit.)
The prime consideration in determining the objective and scope of an audit is:
A. The statutory requirements applicable to the organization
B. The policies and procedures of the organization
C. The complexity of the business process
D. The organization's structure
The statutory requirements applicable to the organization (The prime
consideration in determining the objective and scope of an audit is the
statutory requirements applicable to the organization. The auditor cannot
limit the scope relating to statutory requirements. Although the other
factors are important, the prime consideration should be given to the full
coverage of statutory requirements.)
An external IS auditor discovers that systems in the scope of the audit were
implemented by an associate. In such a circumstance, IS audit management
should:
A. remove the IS auditor from the engagement.
B. cancel the engagement.
C. disclose the issue to the client.
D. take steps to restore the IS auditor's independence.
disclose the issue to the client. (In circumstances in which the IS auditor's
independence is impaired, and the IS auditor continues to be associated
with the audit, the facts surrounding the issue of the IS auditor's
independence should be disclosed to the appropriate management and in
the report. A is incorrect because it is not necessary to withdraw the IS
auditor unless a statutory limitation exists in certain countries. B is
incorrect because canceling the engagement is not required if properly
disclosed and accepted. D is incorrect because this is not a feasible solution.
The independence of the IS auditor cannot be restored while continuing to
conduct the audit.)
The extent to which data will be collected during an IS audit should be
determined based on the:
A. availability of critical and required information.
B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant evidence.
D. purpose and scope of the audit being done.
purpose and scope of the audit being done. (The extent of data collection
during an IS audit should be related directly to the scope and purpose of
the audit. An IS audit with a narrow purpose and scope or a high-level
review will likely require less data collection. A is wrong because there
should be no constraints on the ease of obtaining the information or the
auditor's familiarity. B is wrong because an auditor must be objective,
thorough, and not subject to audit risk through preconceived results based
on familiarity with the audited area. C is wrong because collecting all the
required evidence is a required element of an IS audit, and the scope of the
audit should not be limited by the auditee's ability to find relevant
evidence. If evidence is not readily available, the auditor must ensure that
other forms of audit are considered to ensure compliance in the area
subject to audit.)
Which of the following is the most critical aspect of a risk analysis?
A. Identifying competitors
B. Identifying the existing controls
C. Identifying vulnerabilities
D. Identifying the reporting matrix of the organization
Identifying vulnerabilities (Identifying vulnerabilities is an important
aspect of conducting a risk assessment. If a vulnerability is appropriately
recognized, controls and audit planning may not be effective.)
What is the best approach when focusing an audit on a high-risk area?
A. Perform the audit to identify the control failures
B. Perform the audit and then perform a risk assessment
C. Perform a risk assessment first and then concentrate control tests in the high
risk areas
D. Increase sampling rates in high-risk areas
Perform a risk assessment first and then concentrate control tests in the
high risk areas (Based on risk assessment, the audit team should devote
more testing resources to high-risk areas.)
An IS auditor has been assigned to audit a business continuity plan. The same
auditor was involved in designing the business continuity plan. The IS auditor
should:
A. Accept the assignment
B. Provide a disclaimer of conflict of interest to audit management before
accepting the audit
C. Provide a disclaimer of conflict of interest to the business continuity team
before accepting the audit
D. Request audit management not to conduct the audit as the business
continuity plan is well-designed
Provide a disclaimer of conflict of interest to audit management before
accepting the audit (It is the responsibility of the IS auditor to
communicate any possible conflict of interest to audit management that can
impact the IS auditor's independence. Audit management will make
further calls on this aspect.)
Which of the following is correct with respect to confidence correlation?
A. A small sample size gives a high correlation of confidence.
B. The confidence coefficient may be lowered if the auditor knows that internal
controls are stringent.
C. A low correlation of confidence will lead to a high sample size.
D. A high sample size gives a low correlation of confidence.
The confidence coefficient may be lowered if the auditor knows that
internal controls are stringent. (The confidence coefficient, or confidence
level, is a measure of the accuracy and confidence of the quality of the
sample. Sample size and confidence correlation are directly related. A high
sample size will give a high confidence coefficient. A confidence
coefficient/sample size may be lowered if the auditor knows that the
internal controls are stringent. When the internal control environment is
strong, detail testing is not required; hence, a small sample size is required.)
Controls that minimize the impact of a threat are what kind of controls?
Corrective controls (Corrective controls are designed to minimize the
impact of a threat event once it has occurred and help restore the routine
operations of a business.)
The MOST important reason for an IS auditor to obtain sufficient and
appropriate audit evidence is to:
A. comply with regulatory requirements.
B. provide a basis for drawing reasonable conclusions.
C. ensure complete audit coverage.
D. perform the audit according to the defined scope.
provide a basis for drawing reasonable conclusions. (The scope of an IS
audit is defined by its objectives, and it involves identifying control
weaknesses relevant to the scope of the audit. Obtaining sufficient and
appropriate evidence assists the auditor in identifying control weaknesses
and documenting and validating them. A is wrong because this is relevant
to an audit but is not the most important reason why sufficient and relevant
evidence is required. C is wrong because ensuring coverage is relevant to
conducting an IS audit but is not the most important reason why sufficient
and relevant evidence is required. The reason for obtaining evidence is to
ensure the audit conclusions are factual and accurate. D is wrong because
the execution of an audit to meet its defined scope is relevant to an audit
but is not the reason why sufficient and relevant evidence is required.)
Which of the following is the next step once the audit findings have been
identified?
A. Discuss it with auditee management to find agreement on the findings
B. Determine remedial measures for the findings
C. Inform senior management about the findings
D. Obtain assurance from management to close the findings
Discuss it with auditee management to find agreement on the findings
(After identifying the findings, the IS auditor should reach an agreement on
the finding with auditee management. If the findings are not agreed upon,
then there may be an issue at a later stage. When an agreement is obtained,
it implies that the finding is understood and further action can be
determined.)
During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is
to:
A. address audit objectives.
B. collect sufficient evidence.
C. specify appropriate tests.
D. minimize audit resources.
address audit objectives. (ISACA Standards require that an IS auditor plan
the audit work to address the audit objectives. The activities described in
the other options are all undertaken to address audit objectives and, thus,
are secondary. B is incorrect because the IS Auditor needs to collect
evidence in the planning stage of an audit. C is incorrect because this is not
the primary goal of audit planning. D is incorrect because effective use of
audit resources is a goal of audit planning, not minimizing audit resources.)
Controls that remedy problems observed by means of detective controls are
what kind of controls?
Corrective controls (Corrective controls are designed to minimize the
impact of a threat event once it has occurred and help in restoring to the
routine operations of a business. They provide a remedy to problems
discovered by detective controls.)
When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:
A. controls needed to mitigate risk are in place.
B. vulnerabilities and threats are identified.
C. audit risk is considered.
D. a gap analysis is appropriate.
vulnerabilities and threats are identified. (While developing a risk-based
audit strategy, it is critical that the risks and vulnerabilities are understood.
They determine the areas to be audited and the extent of coverage. A is
incorrect because understanding whether appropriate controls required to
mitigate risk are in place is a resultant effect of an audit. C is incorrect
because audit risk is an inherent aspect of auditing, directly related to the
audit process and irrelevant to the risk analysis of the environment to be
audited. D is incorrect because a gap analysis normally compares the actual
state to an expected or desirable state.)
What does a lack of appropriate control measures indicate?
A. Threat
B. Magnitude of impact
C. Probability of occurrence
D. Vulnerability
Vulnerability (A lack of security measures indicates a weakness or
vulnerability. A vulnerability can be a lack of up-to-date anti-virus, weak
software coding, poor access control, etc. It must be noted that the
organization can control vulnerabilities.)
Controls that indirectly address a risk or address the absence of controls that
would otherwise directly act upon that risk are what kind of controls?
Compensating controls (Compensating controls are an alternate measure
employed to ensure that weaknesses in a system are not exploited. In many
cases, a strong control in one area can compensate for weaknesses in other
areas.)
A PRIMARY benefit derived for an organization employing control self-
assessment techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
can identify high-risk areas that might need a detailed review later.
(Control self-assessment (CSA) is predicated on the review of high-risk
areas that either need immediate attention or may require a more thorough
review later. B is incorrect because CSA requires the involvement of IS
auditors and line management. The internal audit function shifts some
control monitoring responsibilities to the functional areas. C is incorrect
because CSA is not a replacement for traditional audits. CSA is not
intended to replace audit responsibilities but to enhance them. D is
incorrect because CSA does not allow management to relinquish its
responsibility for control.)
Which of the following represents the risk that the controls will not prevent,
correct, or detect errors in a timely manner?
A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk
Control risk (Control risk refers to the risk that internal controls fail to
prevent or detect. Control risk refers to risk the organization's internal
control system will not be able to detect, correct, or prevent.)
Which of the following is the MOST critical step when planning an IS audit?
A. Review findings from prior audits.
B. Executive management’s approval of the audit plan.
C. Review IS security policies and procedures.
D. Perform a risk assessment.
Perform a risk assessment. (IS audit and assurance professionals shall
identify and assess risk relevant to the area under review when planning
individual engagements. If a risk assessment is not performed, high-risk
areas of the auditee systems or operations may not be evaluated. A is wrong
because the previous audit findings are of interest to the auditor, but there
are more critical steps. The most critical step involves finding the high-risk
areas, not reviewing the resolution of older issues. A review of previous
audit findings could indicate that management needs to resolve items, or
there could be a more effective recommendation. B is wrong because
executive management is not required to approve the audit plan but they
could recommend areas to audit. C is wrong because reviewing information
security policies and procedures is normally conducted during fieldwork,
not planning.)
When evaluating the controls of an electronic data interchange (EDI)
application, an IS auditor should PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.
improper transaction authorization. (Foremost among the risks associated
with electronic data interchange (EDI) is improper transaction
authorization. Because the interaction with the parties is electronic, there is
no inherent authentication. Improper authentication poses a serious risk of
financial loss. A is incorrect because an excessive turnaround time is an
inconvenience but not a serious risk. B is incorrect because the failure of
the application interface is a risk but not the most serious issue. Usually,
such a problem is temporary and easily fixed. D is incorrect because the
integrity of EDI transactions is important but less significant than the risk
of unauthorized transactions.)
Controls that predict potential problems before their occurrence are what kind
of controls?
Preventive controls (Preventive controls detect problems before they arise
and prevent omissions, errors, or malicious acts.)
When evaluating the collective effect of preventive, detective and corrective
controls within a process, an IS auditor should be aware of which of the
following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls are regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing
The point at which controls are exercised as data flow through the system
(An IS auditor should focus on when controls are exercised as data flow
through a computer system. B is incorrect because corrective controls may
also be relevant since they allow an error or problem to be corrected. C is
incorrect because corrective controls remove or reduce the effects of errors
or irregularities and are not exclusively regarded as compensating controls.
D is incorrect because classification allows an IS auditor to determine
which controls are missing is incorrect. The existence and function of
controls are important but not the classification.)
Which of the following is the FIRST step performed prior to creating a risk
ranking for the annual internal IS audit plan?
A. Prioritize the identified risk.
B. Define the audit universe.
C. Identify the critical controls.
D. Determine the testing approach.
Define the audit universe. (In a risk-based audit approach, the IS auditor
identifies risk to the organization based on the nature of the business. To
plan an annual audit cycle, the types of risk must be ranked. To rank the
types of risk, the auditor must first define the audit universe by considering
the IT strategic plan, organizational structure, and authorization matrix. A
is wrong because after the audit universe is defined, the IS auditor can
prioritize risk based on its overall impact on different operational areas of
the organization covered under the audit universe. C is wrong because the
controls that help mitigate high-risk areas are generally critical controls,
and their effectiveness provides assurance on mitigating risk. However, this
can only be done if the types of risk are ranked. D is wrong because the
testing approach is based on the risk ranking.)
The first step to review a service-oriented application is:
A. To understand services and their allocation to business processes
B. To review the coding process in accordance with service security standards
C. To review the service level agreement
D. To audit the application security procedure
To understand services and their allocation to business processes (Service-
level architecture relies on the principle of multiple clients. The first step of
the assignment is to understand how the services are allocated to different
business units. Once this is done, the auditor will have a sufficient idea
about the risk environment based on which further audit procedures can be
developed.)
Why does an audit manager review the staff's audit papers, even when the IS
auditors have many years of experience?
A. Internal quality requirements
B. The audit guidelines
C. The audit methodology
D. Professional standards
Professional standards (Professional standards require supervision of audit
staff to accomplish audit objectives and comply with competence,
professional proficiency and documentation requirements, and more. A is
wrong because they may exist but are superseded by the supervision
required to comply with professional standards. B is wrong because these
exist to guide how to achieve compliance with professional standards. For
example, they may provide insights into the purpose of supervision and
examples of how supervisory duties are to be performed to achieve
compliance with professional standards. C is wrong because this is a well-
configured process/procedure to achieve audit objectives. While an audit
methodology is a meaningful tool, supervision is generally driven by
compliance with professional standards.)
The actions of the IS auditor is most likely to influence which of the following
risks?
A. Inherent
B. Detection
C. Control
D. Business
Detection (Detection risk refers to the risk that an internal audit fails to
prevent or detect. Inherent risk refers to the risk that exists before applying
any controls. Control risk refers to the risk internal controls fail to prevent
or detect. Inadequate audit procedures do not impact business risks.)
areas of significant risk. (When designing a risk-based audit plan, it is important
to identify the areas of highest risk to determine the areas to be audited. B is
incorrect because this should have been considered before deciding and
selecting the audit. Where the skills are inadequate, the organization should
consider using external resources. C is incorrect because these are not as critical
during the audit planning process as identifying the areas of risk that should be
audited. D is incorrect because this is determined during the planning process
based on the areas to be audited and primarily based on the requirement for an
appropriate audit.)
In planning an IS audit, the MOST critical step is the identification of the:
A. areas of significant risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit.
Detective controls are used to determine whether an error has occurred and
corrective controls fix problems before losses occur. (Detective controls are
designed to detect or indicate that an error has occurred. Examples of detective
controls include audits, hash totals, echo controls, and so on. Corrective controls
are designed to correct a risk or deficiency to prevent losses. Examples of
corrective controls include business continuity planning, backup procedures,
and more.)
Which of the following statements best describes detective controls and
corrective controls?
A. Both controls can prevent the occurrence of errors
B. Detective controls are used to avoid financial loss and corrective controls are
used to avoid operational risks
C. Detective controls are used as a deterrent check and corrective controls are
used to make management aware that an error has occurred
D. Detective controls are used to determine whether an error has occurred and
corrective controls fix problems before losses occur.
To give the auditor an overview for control testing (Based on control objectives,
an auditor can plan control testing to evaluate the effectiveness and efficiency of
implemented controls.)
Why are control objectives defined in an audit program?
A. To give the auditor an overview for control testing
B. To restrict the auditor to testing only documented controls
C. To prevent management from altering the scope of the audit
D. To help the auditor to plan for the resource requirements
Wire transfer procedures (Wire transfer procedures include segregation of duties
and help prevent internal fraud by not allowing one person to initiate, approve,
and send a wire. Therefore, the auditor should review the procedures related to
the wiring system. A is wrong because privileged access, such as administrator
access, is necessary to manage user account privileges and should not be
granted to end users. The wire transfer procedures are a better control to review
to ensure that the end users' duties are segregated to help prevent fraud. C is
wrong because fraud monitoring is a detective control and does not prevent
financial loss. Segregation of duties is a preventive control that is part of the
wire transfer procedures. D is wrong because controls related to background
checks are important; the controls related to the segregation of duties, as found
in the wire transfer procedures, are more critical.)
An IS auditor is reviewing risk and controls of a bank wire transfer system. To
ensure that the bank's financial risk is properly addressed, the IS auditor will
most likely review which of the following?
A. Privileged access to the wire transfer system
B. Wire transfer procedures
C. Fraud monitoring controls
D. Employee background checks
Control risk (Control risk is a term that signifies the possibility that a control
will fail to prevent or detect unwanted actions.)
Which of the following risks represents a process failure to detect a serious
error?
A. Detective risk
B. Inherent risk
C. Sampling risk
D. Control risk
outline the overall authority, scope and responsibilities of the audit function.
(An audit charter should state management's objectives for and delegation of
authority to IS auditors. A is wrong because the audit charter should not be
subject to technological changes and should not significantly change over time.
The charter should be approved at the highest level of management. B is wrong
because an audit charter states the authority and reporting requirements for the
audit but not the details of the maintenance of internal controls. C is wrong
because documenting the audit procedures designed to achieve the planned
audit objectives in the audit charter is not at a detailed level and, therefore, does
not include specific audit objectives or procedures.)
An audit charter should:
A. be dynamic and change to coincide with the changing nature of technology
and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the
maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit
objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
The key business process identified by senior management (To design a risk-
based audit plan, identifying the key business process is very important to
determine the area of audit focus. Once the key business process is identified,
the other options can be evaluated for further information.)
The most reliable source of information when designing a risk-based audit plan
is:
A. Key controls identified by the process owner
B. The key business process identified by senior management
C. Vulnerabilities identified by the process owner
D. The previous audit findings
identify and evaluate existing practices. (One of the main objectives of an audit
is to identify potential risks; the most proactive approach is to identify and
evaluate existing security practices and submit findings and risks to
management, with recommendations to document the current controls or
enforce the documented procedures. A is wrong because auditors should not
prepare documentation. After all, the process may need to be more compliant
with management objectives, and doing so could jeopardize their independence.
B is wrong because ending the audit and issuing an opinion will not address
identifying potential risks. The auditor should evaluate the practices in place.
The recommendation is to develop written procedures. Terminating the audit
may prevent identifying potential risks. C is wrong because there are no
documented procedures or basis against which to test compliance.)
During a security audit of IT processes, an IS auditor found that documented
security procedures did not exist. The IS auditor should:
A. create the procedures document based on the practices.
B. issue an opinion of the current state and end the audit.
C. conduct compliance testing on available data.
D. identify and evaluate existing practices.
Inventory of assets (The first step in developing a risk management program is
the identification of the assets to be protected. The other steps are to be followed
later once the inventory of assets is available.)
Which of the following is the first activity to be performed when developing a
risk management program?
A. A vulnerability assessment
B. Data classification
C. Inventory of assets
D. Process walk-through
Identifying high-risk processes (Identifying high-risk processes is the first and
most critical step in risk-based audit planning. Audit planning should be done
by high-risk areas.)
What is the initial step in risk-focused audit planning?
A. Identifying the role and responsibility of the relevant function
B. Identifying high-risk processes
C. Identifying the budget
D. Identifying the profit function
Attribute sampling. (The attribute sampling method is often used to test whether
or not a company's internal controls are being correctly followed. Attribute
sampling is used for compliance testing, and variable sampling is used for
substantive testing.)
Which sampling method will be best to ascertain the correctness of system
access rights as per the approved authorization matrix?
A. Heterogeneous sampling
B. Attribute sampling.
C. Homogeneous sampling
D. Stop-or-go sampling
To ensure that critical vulnerabilities and threats are recognized (The
identification of vulnerabilities and threats is critical in developing a risk-based
audit strategy. This will help in the determination of the processes to be
considered in the scope of the audit. The audit team can concentrate on high-
risk areas.)
What is the main objective of conducting a risk assessment?
A. To determine the segregation of duties for critical functions
B. To ensure that critical vulnerabilities and threats are recognized
C. To ensure that regulations are complied with
D. To ensure business profitability
Senior management identify key business processes. (Developing a risk-based
audit plan must start with identifying key business processes, which determine
and identify the risk that needs to be addressed. A is wrong because process
owners should be consulted to identify key controls, senior management is a
better source to identify more important business processes. B is wrong because
system custodians are a good source for better understanding the risks and
controls for specific applications; however, senior management is a better
source for identifying more important business processes. C is wrong because
reviewing previous audit results is one input into audit planning; however, if
previous audits focused on a limited or a restricted scope or if the key business
processes have changed and/or new business processes have been introduced,
then this does not contribute to the development of a risk-based audit plan.)
Which of the following choices would be the BEST source of information when
developing a risk-based audit plan?
A. Process owners identify key controls.
B. System custodians identify vulnerabilities.
C. Peer auditors understand previous audit results.
D. Senior management identify key business processes.
Compliance testing (Compliance testing helps to determine the presence of
controls. It indicates whether controls are being applied consistently. It helps to
evaluate whether new accounts were appropriately authorized.)
To determine the correct processing of the last 50 new user requisitions, which
of the following is best?
A. Discovery Sampling
B. Substantive testing
C. Compliance testing
D. Stop or Go Sampling
identify and evaluate the existing controls. (It is important for an IS auditor to
identify and evaluate the existence and effectiveness of existing and planned
controls so that the risk level can be calculated after the potential threats and
possible impacts are identified. A is incorrect because an audit risk assessment
is conducted for purposes different from management's risk assessment process.
B is incorrect because it is impossible to determine impact without identifying
the assets affected; therefore, this must already have been completed. C is
incorrect because, upon completion of a risk assessment, an IS auditor should
describe and discuss with management the threats and potential impacts on the
assets and recommendations for addressing the risk. However, this action cannot
be done until the controls are identified and the likelihood of the threat is
calculated.)
During a risk analysis, an IS auditor identifies threats and potential impacts.
Next, the IS auditor should:
A. ensure the risk assessment is aligned to management's risk assessment
process.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.
To address the audit's objectives (The primary goal when planning for an IS
audit is to address the audit objective. All the other options are secondary
goals.)
What is the primary goal during the planning phase of an IS audit?
A. To address the audit's objectives
B. To obtain evidence
C. To determine the audit's test
D. To minimize the audit's cost
Reviewing the threats and vulnerabilities impacting the assets (Identifying
vulnerabilities and threats is the first step in a risk assessment process. Once the
threats and vulnerabilities are identified, the auditor should evaluate existing
controls and their effectiveness to conclude the residual risk. Continuous risk
monitoring is implemented during the risk monitoring function.)
Which of the following is the first step in performing risk assessments of
information systems?
A. Reviewing the appropriateness of existing controls
B. Reviewing the effectiveness of existing controls
C. Reviewing the asset-related risk surveillance mechanism
D. Reviewing the threats and vulnerabilities impacting the assets
ability, as an IS auditor, to be independent of existing IT relationships.
(Independence should be continually assessed by the auditor and management.
This assessment should consider such factors as changes in personal
relationships, financial interests, and prior job assignments and responsibilities.
A is incorrect because this does not ensure technical competency. B is incorrect
because this is illegal in many parts of the world. C is incorrect because the fact
that the employee has worked in IT for many years may not ensure credibility.
The IS audit department's needs should be defined, and any candidate should be
evaluated against those requirements.)
A long-term IT employee with a strong technical background and broad
managerial experience has applied for a vacant position in the IS audit
department. Determining whether to hire this individual for this position should
be PRIMARILY based on the individual's experience and:
A. length of service, because this will help ensure technical competence.
B. age, because training in audit techniques may be impractical.
C. IT knowledge, because this will bring enhanced credibility to the audit
function.
D. ability, as an IS auditor, to be independent of existing IT relationships.
Identifying and analyzing the current controls (Once the threats and
vulnerabilities are identified, the auditor should evaluate existing controls to
conclude residual risk.)
What should be the next step of an IS auditor after identifying threats and
vulnerabilities in a business process?
A. Identifying the relevant process owner
B. Identifying the relevant information assets
C. Reporting the threat and its impact to the audit committee
D. Identifying and analyzing the current controls
To understand the business process (The main reason for a functional
walkthrough is to have a basic idea and knowledge about the business process.
Once the business process is understood, an assessment can be carried out.)
What is the primary reason for a functional walk-through?
A. To understand the business process
B. To review control effectiveness
C. To comply with auditing standards
D. To determine the audit's fees
Determine the highest-risk systems and plan accordingly. (The best action is to
conduct a risk assessment and design the audit plan to cover the highest risk
areas. The IS audit function shall use an appropriate risk assessment approach
and supporting methodology to develop the overall IS audit plan and determine
priorities for allocating IS audit resources effectively. A is wrong because
auditing new systems requested by management needs to reflect a risk-based
approach. The system can contain sensitive data and may present a risk of data
loss or disclosure to the organization. B is wrong because auditing systems not
included in last year's scope do not reflect a risk-based approach. Management
may know about problems with the new system and intentionally try to steer the
audit away from that vulnerable area. D is wrong because creating a risk-based
audit plan should be performed in cooperation with management.)
An IS auditor is developing an audit plan for an environment that includes new
systems. The organization's management wants the IS auditor to focus on
recently implemented systems. How should the IS auditor respond?
A. Audit the new systems as requested by management.
B. Audit systems not included in last year's scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year's scope and the new systems
The focus on high-risk areas (The main advantage of a risk-focused audit is that
the auditor can focus on areas of high risk. This will help to plan an audit so that
the audit team can concentrate on the high-risk processes.)
Which of the following is the main benefit of risk-based audit planning?
A. The communication of audit planning to the client in advance
B. The completion of the audit activity within the allocated budget constraints
C. The use of the latest auditing technology
D. The focus on high-risk areas
Identification of the assets (Identifying critical assets is the first step in
developing a risk assessment process.)
Which of the following is the first step in a risk management program?
A. Determining a vulnerability
B. Determining existing controls
C. Identification of the assets
D. Conducting a gap analysis
line managers assuming a portion of the responsibility for control monitoring.
(The primary objective of a control self-assessment (CSA) program is to
leverage the internal audit function by shifting some control monitoring
responsibilities to the functional area line managers. The success of a CSA
program depends on the degree to which line managers assume control
responsibility. This enables line managers to detect and respond to control errors
promptly. B is incorrect because CSA requires managers to participate in the
monitoring of controls. C is incorrect because implementing stringent controls
will not ensure that controls are working correctly. D is incorrect because better
supervision is a compensating and detective control and may assist in ensuring
control effectiveness but would work best when used in a formal process such
as CSA.)
The success of control self-assessment depends highly on:
A. line managers assuming a portion of the responsibility for control
monitoring.
B. assigning staff managers, the responsibility for building controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and monitoring of controls of assigned
duties.
A vulnerability (The lack of adequate controls represents a vulnerability,
exposing sensitive information and data to the risk of malicious damage, attack
or unauthorized access by hackers, employee error, environmental threat, or
equipment failure. This could result in a loss of sensitive information, financial
loss, legal penalties, or other losses. A is incorrect because the impact is the
measure of the consequence (including financial loss, reputational damage, and
loss of customer confidence) that a threat event may have. C is incorrect
because an asset is something of either tangible or intangible value worth
protecting, including people, systems, infrastructure, finances, and reputation. D
is incorrect because a threat is a potential cause of an unwanted incident.)
Which of the following does a lack of adequate controls represent?
A. An impact
B. A vulnerability
C. An asset
D. A threat
The criticality of the IT asset (Protecting an asset will involve costs. It is
important to understand the criticality of assets when designing appropriate
levels of protection.)
Which of the following should be the primary focus when considering the level
of security of an IT asset?
A. The criticality of the IT asset
B. The value of IT the asset
C. The owner of IT the asset
D. The business continuity arrangement for the IT asset
Finding vulnerabilities and threats that are applicable to IT assets (The biggest
factor in evaluating IT risk is finding and evaluating threats and vulnerabilities
associated with IT assets. The other options, though very important factors for
the risk assessment process, are less important than option A.)
Which of the following is a major factor in the evaluation of IT risks?
A. Finding vulnerabilities and threats that are applicable to IT assets
B. Analyzing loss expectancy
C. Benchmarking with industry
D. Analyzing previous audit reports
Detection risk (Detection risk refers to the risk that an internal audit fails to
prevent or detect.)
What is the risk of an inadequate audit methodology known as?
A. The procedural aspect
B. Control risk
C. Detection risk
D. Residual risk
Focus on auditing high-risk areas. (Reducing the scope and focusing on auditing
high-risk areas is the best course of action. A is incorrect because testing the
adequacy of control design is not the best course of action because this does not
ensure that controls operate effectively as designed. B is incorrect because
testing control operating effectiveness does not ensure the audit plan focuses on
areas of greatest risk. D is incorrect because the reliance on management testing
of controls does not provide objective verification of the control environment.)
Due to unexpected resource constraints of the IS audit team, the audit plan, as
originally approved, cannot be completed. Assuming the situation is
communicated in the audit report, which course of action is MOST acceptable?
A. Test the adequacy of the control design.
B. Test the operational effectiveness of controls.
C. Focus on auditing high-risk areas.
D. Rely on management testing of controls.
Participating in the design of the risk management framework (This involves
designing controls, which compromises the independence of the IS auditor to
audit the risk management process. B is incorrect because this does not
compromise the IS auditor's independence. After all, the IS auditor will not be
involved in the decision-making process. C is incorrect because this does not
hamper the IS auditor's independence. After all, the auditor will not be involved
in the decision-making process. D is incorrect because due diligence reviews are
a type of audit generally related to mergers and acquisitions.)
Which of the following responsibilities would MOST likely compromise the
independence of an IS auditor when reviewing the risk management process?
A. Participating in the design of the risk management framework
B. Advising on different implementation techniques
C. Facilitating risk awareness training
D. Performing due diligence of the risk management processes
Management ownership of the internal controls supporting business objectives
is reinforced. (The objective of control self-assessment (CSA) is to have
business management become more aware of the importance of internal control
and their responsibility in terms of corporate governance. B is incorrect because
this is not a key benefit of CSA. C is incorrect because improved fraud
detection is important but not as important as control ownership. It is not a
principal objective of CSA. D is incorrect because CSA may give more insights
to internal auditors, allowing them to take a more consultative role; however,
this is an additional benefit, not the key benefit.)
Which of the following is the key benefit of a control self-assessment?
A. Management ownership of the internal controls supporting business
objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to
external audit work.
C. Fraud detection will be improved because internal business staff are engaged
in testing controls.
D. Internal auditors can shift to a consultative approach by using the results of
the assessment.
verify the identity of senders and determine if orders correspond to contract
terms. (An electronic data interchange system is subject not only to the usual
risk exposures of computer systems but also to those arising from the potential
ineffectiveness of controls on the part of the trading partner and the third-party
service provider, making authentication of users and messages a major security
concern. A is incorrect because this is good practice but will not authenticate
customer orders. B is incorrect because this is a control for ensuring the
correctness of the organization's orders, not the authenticity of its customers'
orders. D is incorrect because this is an appropriate step but does not prove the
authenticity of messages received.)
An appropriate control for ensuring the authenticity of orders received in an
electronic data interchange system application is to:
A. acknowledge receipt of electronic orders with a confirmation message.
B. perform reasonableness checks on quantities ordered before filling orders.
C. verify the identity of senders and determine if orders correspond to contract
terms.
D. encrypt electronic orders.
Helps to mitigate risk (The most important factor for implementing controls is
to ensure that the controls address the risk.)
The most important factor when implementing controls is ensuring that the
control does which of the following?
A. Helps to mitigate risk
B. Does not impact productivity
C. Is cost effective
D. Is automated
Implementing relevant controls (The risk management process includes
assessing risk and, based on the outcome, designing various controls. The risk
assessment process aims to address the recognized risks by implementing
appropriate controls.)
What is the outcome of a risk assessment exercise utilized for?
A. Estimating profits
B. Calculating the ROI
C. Implementing relevant controls
D. Conducting user acceptance testing
assets have been identified and ranked. (Identification and ranking of
information assets (e.g., data criticality, sensitivity, locations of assets) will set
the tone or scope of assessing risk with the asset's organizational value. A is
wrong because organizations should analyze the threats to their assets. Each
asset should be analyzed according to its value to the organization. It occurs
after identifying and ranking assets. B is wrong because analyzing how these
weaknesses will impact the organization's information assets occurs after the
identified assets and weaknesses. D is wrong because the effect of security
breaches depends on the value of the assets and the threats, vulnerabilities, and
effectiveness of mitigating controls. The impact of an attack against a weakness
should be identified so that controls be evaluated to determine if they effectively
mitigate the weaknesses.)
An IS auditor performing an audit of the risk assessment process
should FIRST confirm that:
A. reasonable threats to the information assets are identified.
B. technical and organizational vulnerabilities have been analyzed.
C. assets have been identified and ranked.
D. the effects of potential security breaches have been evaluated.
Senior business management (Top business management has the final authority
and responsibility for the organization's smooth operation. They should refrain
from further delegating their responsibility for risk management. The other
options should help authorities determine the organization's risk appetite.)
With whom does the responsibility of managing risk to an acceptable level rest?
A. The risk management team
B. Senior business management
C. The chief information officer
D. The chief security officer
To determine the control objectives and activities (Once the business process to
be audited is identified, the next step is to identify the control objectives and
activities associated with the business processes. The next step is to identify the
audit resources. The audit universe is to be determined prior to the finalization
of the audit scope.)
What will be the immediate step once the business process to be audited is
identified?
A. To determine the audit universe
B. To determine the audit resources
C. To determine the key stakeholders
D. To determine the control objectives and activities
substantive testing. (Among other methods, such as document review or
walkthrough, tests of controls are the most effective procedures to assess
whether controls accurately support operational effectiveness. A is incorrect
because testing of control design assesses whether the control is structured to
meet a specific control objective. It does not help determine whether the control
is operating effectively. C is incorrect because control documents may not
accurately describe the process. Therefore, auditors relying on document review
have limited assurance that the control operates as intended. D is incorrect
because performing tests on risk prevention is incorrect. This is considered
compliance testing to determine whether policies are adhered to.)
The MOST effective audit practice to determine whether the operational
effectiveness of controls is properly applied to transaction processing is:
A. control design testing.
B. substantive testing.
C. inspection of relevant documentation.
D. perform tests on risk prevention.
Control self-assessment (CSA is reviewing business objectives and internal
controls in a formal and documented collaborative process. It includes testing
the design of automated application controls. A is incorrect because this only
looks at errors or problems but will not ensure controls are still working. B is
incorrect because this is important but may not be a consistent or well-defined
process compared to CSA. D is incorrect because these lack the direct
involvement of audit specialists and management.)
Which of the following is MOST important to ensure that effective application
controls are maintained?
A. Exception reporting
B. Manager involvement
C. Control self-assessment
D. Peer reviews
Determining the high-risk processes (In risk-based planning, it is very important
to determine high-risk areas. This will help to determine the areas to be
audited.)
In a risk-focused audit, which of the following is the most critical step?
A. Determining the high-risk processes
B. Determining the capability of audit resources
C. Determining the audit procedure
D. Determining the audit schedule
Conducting a risk assessment (A risk assessment is the first step to be
performed to allocate audit resources as per the high risks of the organization.
The other options are to be followed once the risk assessment is prepared.)
The first step in the planning phase of an audit is:
A. Designing an audit program
B. The allocation of audit resources
C. Identification of key stakeholders
D. Conducting a risk assessment
Identifying threats and their likelihood of occurrence (Once the critical assets
are identified, the next step is to determine vulnerabilities and then look at
threats and their probability of occurrence.)
An IS auditor has determined a few vulnerabilities in a critical application.
What should their next step be?
A. Reporting the risk to the audit committee immediately
B. Determining a system development methodology
C. Identifying threats and their likelihood of occurrence
D. Recommending the development of a new system
When the probability of error must be objectively quantified (To quantify the
probability of error objectively, there should not be any involvement of
subjectivity. In all such scenarios, statistical sampling is preferred.)
Statistical sampling is preferred over non-statistical sampling:
A. To reduce sampling error
B. For an inexperienced auditor
C. When the probability of error must be objectively quantified
D. To reduce audit error
Preventive (Having a manager approve transactions more than a certain amount
is considered a preventive control. A is incorrect because detective controls
identify events after they have happened. In this case, the action of the branch
manager would prevent an event from occurring. C is incorrect because a
corrective control remedies problems discovered by detective controls. In this
case, the action of the branch manager is a preventive control. D is incorrect
because a directive control is a manual control consisting of a policy or
procedure specifying actions to be performed. In this case, an automated control
prevents an event from occurring.)
A financial institution with multiple branch offices has an automated control
that requires the branch manager to approve transactions more than a certain
amount. What type of audit control is this?
A. Detective
B. Preventive
C. Corrective
D. Directive
Table lookups (These are preventive controls; input data are checked against
predefined tables, which prevent any undefined data from being entered. A is
incorrect because they are a detective control and provide audit trails. B is
incorrect because this makes it possible to trace the impact of transactions on
computer records. This is a detective control. D is incorrect because it is used to
test application systems and controls but is not a preventive control.)
Which of the following is evaluated as a preventive control by an IS auditor
performing an audit?
A. Transaction logs
B. Before and after image reporting
C. Table lookups
D. Tracing and tagging
continue to test the accounting application controls and include the deficiency in
the final report. (It is the responsibility of the IS auditor to report on findings
that can have a material impact on the effectiveness of controls—whether or not
they are within the scope of the audit. A is incorrect because the IS auditor
should not assume that the IT manager will follow through on a verbal
notification to resolve the change management control deficiency, and it is
inappropriate to offer consulting services on issues discovered during an audit.
B is incorrect because although not technically within the audit scope, it is the
responsibility of the IS auditor to report findings discovered during an audit that
can have a material impact on the effectiveness of controls. D is incorrect
because it is not the role of the IS auditor to demand that IT work be completed
before performing or completing an audit.)
While performing an audit of an accounting application's internal data integrity
controls, an IS auditor identifies a major control deficiency in the change
management software supporting the accounting application.
The MOST appropriate action for the IS auditor to take is to:
A. continue to test the accounting application controls and inform the IT
manager about the control deficiency and recommend possible solutions.
B. complete the audit and not report the control deficiency because it is not part
of the audit scope.
C. continue to test the accounting application controls and include the
deficiency in the final report.
D. cease all audit activity until the control deficiency is resolved.
Understand the business, its operating model and key processes. (Risk-based
auditing must be based on understanding the business, operating model, and
environment. This is the first step in an IT risk assessment for a risk-based
audit. A is incorrect because understanding the business environment comes
first, followed by understanding the IT environment. B is incorrect because this
is not the first step of risk assessment. This step follows understanding the
business environment and the IT systems. C is incorrect because a risk self-
assessment is optional and applicable for some audit engagements.)
Which of the following is the FIRST step in an IT risk assessment for a risk-
based audit?
A. Identify all IT systems and controls that are relevant to audit objectives.
B. List all controls from the audit program to select ones matching with audit
objectives.
C. Review the results of a risk self-assessment.
D. Understand the business, its operating model and key processes.
They are created on the basis of risk analysis. (In the bottom-up approach,
process risks are identified and considered. The approach starts by considering
the process-level requirements and operational-level risk. The other options are
the benefits of the top-down approach. In the top-down approach, policies are
consistent across the organization and there is no conflict with overall corporate
policy.)
What is the advantage of the bottom-up approach to the development of
enterprise policies?
A. They cover the whole organization.
B. They are created on the basis of risk analysis.
C. They are reviewed by top management.
D. They support consistency of procedure.
Attribute sampling (For compliance testing, attribute sampling will be most
relevant.)
Which sampling method that will be MOST meaningful for compliance testing?
A. Attribute sampling
B. Variable sampling
C. Discovery sampling
Development of a risk assessment (A risk assessment should be performed to
determine how internal audit resources should be allocated to ensure that all
material items will be addressed. A is incorrect because the risk assessment
results are used for the input for the audit program. B is incorrect because the
risk assessment output helps define the scope. C is incorrect because a risk
assessment must be performed before identifying key information owners. Key
information owners are generally not directly involved during the planning
process of an audit.)
An internal IS audit function is planning a general IS audit. Which of the
following activities takes place during the FIRST step of the planning phase?
A. Development of an audit program
B. Define the audit scope
C. Identification of key information owners
D. Development of a risk assessment
Understanding services and their allocation to business processes by reviewing
the service repository documentation. (A service-oriented architecture relies on
the principles of a distributed environment in which services encapsulate
business logic as a black box and might be deliberately combined to depict real-
world business processes. Before reviewing services in detail, the auditor needs
to understand mapping business processes to services. B is wrong because it is
an essential follow-up step to understanding services and their allocation to
business but differs from the initial step. C is wrong because it is an essential
follow-up step to understanding services and their allocation to business, but
differs from the initial step. D is wrong because this would most likely be a part
of the audit, but the auditor must first understand the business processes and
how the systems support those processes.)
An IS auditor is reviewing a software application that is built on the principles
of service-oriented architecture. What is the INITIAL step?
A. Understanding services and their allocation to business processes by
reviewing the service repository documentation.
B. Sampling the use of service security standards as represented by the Security
Assertions Markup Language.
C. Reviewing the service level agreements established for all system providers.
D. Auditing the core service and its dependencies on other systems.
tracing. (This transaction reconciliation effort involves following the transaction
from the original source to its final destination. In electronic funds transfer
transactions, the direction on tracing may start from the customer-printed copy
of the receipt, proceed to check the system audit trails and logs, and end with
checking the master file records for daily transactions. A is incorrect because
this is usually performed during the funds transfer, not the reconciliation effort.
B is incorrect because, in online processing, authorizations are normally done
automatically by the system, not during the reconciliation. C is incorrect
because corrections are entries that should be reviewed during a reconciliation;
however, they are normally done by someone other than the person entrusted to
do reconciliations and are less important than tracing.)
An IS auditor should ensure that review of online electronic funds transfer
reconciliation procedures should include:
A. vouching.
B. authorizations.
C. corrections.
D. tracing.
Discovery sampling (Discovery sampling is widely used to detect a fraudulent
transaction. Even if only a single error is discovered, there is a possibility that
the internal control system could be compromised. That one error may be
sufficient to require an examination of the entire population or to formulate a
new plan for further action. If one instance of fraud is found, the auditor is
confident that fraud exists. Stop-or-go sampling is used when only a few errors
are expected in a sample. Attribute sampling is used for compliance testing and
variable sampling for substantive testing.)
The sampling method to be used when there is indication of fraud is:
C. Discovery sampling
Implementing the controls (Risks are managed and reduced by incorporating
proper security and relevant controls. Through insurance, the risk is transferred.
Auditing and certification help provide assurance, while SLAs help allocate
risk.)
The mitigation of risk can be done through which of the following?
A. Implementing the controls
B. Outsourcing
C. Audit and certification
D. Service level agreements (SLAs)
the systematic collection and analysis of evidence after a system irregularity.
(This best describes a forensic audit. The evidence collected can then be
analyzed and used in judicial proceedings. A is incorrect because forensic audits
are not limited to corporate fraud. C is incorrect because assessing the
correctness of an organization's financial statements is not the primary purpose
of most forensic audits. D is incorrect because forensics is the investigation of
evidence related to a crime or misbehavior. Preserving evidence is the forensic
process, but not the primary purpose.)
The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud.
B. the systematic collection and analysis of evidence after a system irregularity.
C. to assess the correctness of an organization's financial statements.
D. to preserve evidence of criminal activity.
role of the IS audit function. (An IS audit charter establishes the role of the
information systems audit function. The charter should describe the overall
authority, scope, and responsibilities of the audit function. It should be approved
by the highest level of management and, if available, by the audit committee. A
is incorrect because planning is the responsibility of audit management. B is
incorrect because these should be agreed on in an engagement letter. The charter
would specify the objectives and scope of the audit function but not of
individual engagements. C is incorrect because a training plan based on the
audit plan should be developed by audit management.)
An organization's IS audit charter should specify the:
A. plans for IS audit engagements.
B. objectives and scope of IS audit engagements.
C. detailed training plan for the IS audit staff.
D. role of the IS audit function.
Inherent risk (Gross risk or risk before controls is inherent risk.)
The absence of internal control mechanisms is known as what?
A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk
To provide reasonable assurance about the audit coverage of material items
(Risk assessment helps identify the organization's top risks, the auditor can
focus the audit procedure on the highest risk areas. It helps to provide
reasonable assurance about the coverage of material items.)
Which of the following is the prime reason for performing a risk assessment?
A. To address management concerns
B. To provide reasonable assurance about the audit coverage of material items
C. To ensure budget adherence
D. To allocate the audit resources
outline the responsibility and authority of the IS audit function. (The primary
purpose of the IS audit charter is to set forth the purpose, responsibility,
authority, and accountability of the IS audit function. The charter document
grants authority to the audit function on behalf of the board of directors and
organization stakeholders. A is incorrect because the IS audit charter does not
set forth the organizational structure of the IS audit department. The charter
serves as a directive to create the IS audit function. B is incorrect because the IS
audit charter does not dictate the reporting requirements of the IS audit
department. The charter sets forth the information systems audit function's
purpose, responsibility, authority, and accountability. C is incorrect because the
audit determines resources and not the charter.)
The PRIMARY purpose of the IS audit charter is to:
A. establish the organizational structure of the audit department.
B. illustrate the reporting responsibilities of the IS audit function.
C. detail the resource requirements needed for the audit function.
D. outline the responsibility and authority of the IS audit function.
evaluate the impact of the undocumented devices on the audit scope. (In a risk-
based approach to an IS audit, the scope is determined by the device's impact on
the audit. Undocumented devices may be excluded from the current audit
engagement if they do not impact the scope. The information on a network
diagram can vary depending on the illustration. A is wrong because the auditor
can't assume that everything on the network diagram provides information about
the risk affecting a network/system. C is wrong because, in this case, there is
simply a mismatch in timing between the completion of the approval process
and when the IS audit began. There is no control deficiency to be reported. D is
wrong because planning for follow-up audits of the undocumented devices is
contingent on the risk that the undocumented devices have on the ability of the
entity to meet the audit scope.)
An IS auditor discovers that devices connected to the network are not included
in a network diagram that had been used to develop the scope of the audit. The
chief information officer explains that the diagram is being updated and
awaiting final approval. The IS auditor should FIRST:
A. expand the scope of the IS audit to include the devices that are not on the
network diagram.
B. evaluate the impact of the undocumented devices on the audit scope.
C. note a control deficiency because the network diagram has not been
approved.
D. plan follow-up audits of the undocumented devices.
Continuous auditing (The implementation of continuous auditing enables a real-
time feed of information to management through automated reporting processes
so that management may implement corrective actions more quickly. A is
incorrect because software tools such as computer-assisted audit techniques to
analyze transaction data can provide a detailed analysis of trends and potential
risks. However, it is not as effective as continuous auditing because there may
be a time differential between executing the software and analyzing the results.
B is incorrect because this technique may be good but less responsive than
continuous auditing. C is incorrect because this is a valid audit technique;
however, the risk not captured in the transaction log may exist, and there may be
a potential time lag in the analysis.)
For a retail business with a large volume of transactions, which of the following
audit techniques is the MOST appropriate for addressing emerging risk?
A. Use of computer-assisted audit techniques
B. Quarterly risk assessments
C. Sampling of transaction logs
D. Continuous auditing
Walk-through (These procedures usually include a combination of inquiry,
observation, inspection of relevant documentation, and reperformance of
controls. A walk-through of the manual log review process follows the manual
log review process from start to finish to gain a thorough understanding of the
overall process and identify potential control weaknesses. A is wrong because
this is just one component of a walk-through and, by itself, needs to supply
more information to provide a complete understanding of the overall process
and identify potential control weaknesses. B is wrong because this provides
only general information on how the control is executed. It does not necessarily
enable the IS auditor to determine whether the control performer understands
the control. D is wrong because the IS auditor carries out reperformance of the
control and does not provide assurance of the competency of the auditee.)
An IS auditor reviewing the process of log monitoring wants to evaluate the
organization’s manual review process. Which of the following audit techniques
would the auditor MOST likely employ to fulfill this purpose?
A. Inspection
B. Inquiry
C. Walk-through
D. Reperformance
Reasonable assurance about the coverage of material items (The auditor does
not provide absolute assurance but only reasonable assurance. Absolutes are not
attainable due to the inherent limitations of audits, such as professional
judgment, sampling, and testing.)
An information system audit provides:
A. Reasonable assurance about the coverage of material items
B. Definite assurance about the coverage of material items
C. Reasonable assurance about the coverage of all the items
D. No assurance about the coverage of material items
Collect more evidence for further investigation (An IS auditor should further
evaluate the evidence to decide on the recommendation of a detailed
examination.)
An IS auditor has a strong suspicion of fraud during a preliminary investigation.
What should they do next?
A. Collect more evidence for further investigation
B. Report directly to the audit committee
C. Report the probability of fraud to senior officials
D. Obtain an external legal opinion
effectiveness of the QA function because it should interact between project
management and user management. (To be effective, the quality assurance (QA)
function should be independent of project management. Project management
may pressure the QA function to approve an inadequate product if not. B is
incorrect because the efficiency of the QA function is not impacted by
interacting with the project implementation team. The QA team does not release
a product for implementation until it meets QA requirements. C is incorrect
because the project manager responds to the issues raised by the QA team. This
does not impact the effectiveness of the project manager. D is incorrect because
the QA function's interaction with the project implementation team should not
impact the efficiency of the project manager.)
While evaluating software development practices in an organization, an IS
auditor notes that the quality assurance (QA) function reports to project
management. The MOST important concern for an IS auditor is the:
A. effectiveness of the QA function because it should interact between project
management and user management.
B. efficiency of the QA function because it should interact with the project
implementation team.
C. effectiveness of the project manager because the project manager should
interact with the QA function.
D. efficiency of the project manager because the QA function needs to
communicate with the project implementation team.
Discovery sampling (Discovery sampling is widely used to detect a fraudulent
transaction. Even if only a single error is discovered, there is a possibility that
the internal control system could be compromised. That one error may be
sufficient to require an examination of the entire population or to formulate a
new plan for further action. If one instance of fraud is found, the auditor is
confident that fraud exists.)
The best sampling method when an IS auditor is concerned about fraud is:
A. Stop-or-go sampling
B. Discovery sampling
C. Classical sampling
D. Subjective sampling
corrective control. (Corrective controls are designed to correct errors,
omissions, unauthorized uses, and intrusions when detected. This provides a
mechanism to detect malicious events and correct the situation. A is incorrect
because directive controls, such as IT policies and procedures, do not apply
because this is an automated control. C is incorrect because a compensating
control is used where other controls are insufficient to protect the system. In this
case, the corrective control in place will effectively protect the system from
access via an unpatched device. D is incorrect because detective controls exist
to detect and report when errors, omissions, and unauthorized uses or entries
occur.)
A centralized antivirus system determines whether each personal computer has
the latest signature files and installs the latest signature files before allowing a
PC to connect to the network. This is an example of a:
A. directive control.
B. corrective control.
C. compensating control.
D. detective control.
Develop an audit plan on the basis of the risk assessment. (Out of all the options
given, the first step of the audit project is to develop the audit plan after
considering the results of the risk assessment.)
Which of the following is the first step in an audit project?
A. Prepare the audit schedule and monitor it
B. Provide training to IS audit staff on the latest technology used in the
organization
.C. Develop an audit plan on the basis of the risk assessment.
D. Monitor the progress of the audit.
Computer log files that show individual transactions (Computer logs record the
activities of individuals during their access to a computer system or data file and
record any abnormal activities, such as the modification or deletion of financial
data. A is incorrect because an audit trail of only the transaction date and time is
insufficient to compensate for the risk of multiple functions being performed by
the same individual. B is incorrect because reviewing the summary financial
reports does not compensate for the segregation of duties issue. C is incorrect
because a supervisor review of user account administration can be a good
control; however, it may not detect inappropriate activities where a person fills
multiple roles.)
During a compliance audit of a small bank, the IS auditor notes that both the IT
and accounting functions are being performed by the same user of the financial
system. Which of the following reviews conducted by the user's supervisor
would represent the BEST compensating control?
A. Audit trails that show the date and time of the transaction
B. A daily report with the total numbers and dollar amounts of each transaction
C. User account administration
D. Computer log files that show individual transactions
not an adequate control. (Generation of an activity log is not a control by itself.
The review of such a log makes the activity a control (i.e., generation plus
review equals control). A is incorrect because generating an activity log is not a
preventive control because it cannot prevent inappropriate access. B is incorrect
because generating an activity log is not a detective control. After all, it does not
help detect inappropriate access unless it is reviewed by appropriate personnel.
D is incorrect because generating an activity log is not a corrective control.
After all, it does not correct the effect of inappropriate access.)
An IS auditor notes that failed login attempts to a core financial system are
automatically logged and the logs are retained for a year by the organization.
This logging is:
A. an effective preventive control.
B. a valid detective control.
C. not an adequate control.
D. a corrective control.
Allocate resources for audits. (Because IS audit assignments must be
accomplished with limited time and human resources, audits are scheduled and
prioritized as determined by IS audit management. B is incorrect because audit
risk is inherent to all audits, and the schedule has no bearing on the impact of
audit risk. C is incorrect because developing a training plan for auditors is
important, but it is not the main purpose of an IS audit plan. D is incorrect
because minimizing the audit costs could be one of the objectives of the annual
IS audit plan. However, this would result from ensuring audit resources are used
effectively.)
The MAIN purpose of the annual IS audit plan is to:
A. Allocate resources for audits.
B. Reduce the impact of audit risk.
C. Develop a training plan for auditors.
D. Minimize the audit costs.
Important business risk may be overlooked. (Without an audit scope, the
appropriate risk assessment has not been performed; therefore, the auditor might
not audit those areas of highest risk for the organization. A is incorrect because,
in certain cases, it may be more difficult to discuss findings when incorrect
stakeholders are identified, thus delaying the communication of audit findings.
However, this is not as concerning as important business risk not being included
in the audit scope. B is incorrect because many factors determine the cost of
controls. Therefore, it is difficult to state that only audit objectives determine
the control cost. However, this is not as important if a key risk is not identified.
D is incorrect because auditing previously audited areas is not an efficient use of
resources; however, this is not as big of a concern as the key risk not being
identified.)
Which of the following would be the GREATEST concern if audit objectives
are not established during the initial phase of an audit program?
A. Key stakeholders are incorrectly identified.
B. Control costs will exceed planned budget.
C. Important business risk may be overlooked.
D. Previously audited areas may be inadvertently included.
Inherent risk (This is normally high due to the number of users and business
areas that may be affected. Inherent risk is the risk level or exposure without
considering the actions that management has taken or might take. A is incorrect
because this can be high, but it is not due to internal controls not being
identified, evaluated, or tested, and it is not due to the number of users or
business areas affected. B is incorrect because compliance risk is the penalty
applied to current and future earnings for nonconformance to laws and
regulations and may not be impacted by the number of users and business areas
affected. D is incorrect this is the remaining risk after management has
implemented a risk response and is not based on the number of users or business
areas affected.)
An IS auditor is reviewing a project risk assessment and notices that the overall
residual risk level is high due to confidentiality requirements. Which of the
following types of risk is normally high due to the number of unauthorized
users the project may affect?
A. Control risk
B. Compliance risk
C. Inherent risk
D. Residual risk
The work may be construed as a self-audit. (Because the employee had been a
developer, it is recommended that the audit coverage exclude the systems
developed by this employee to avoid any conflicts of interest. B is incorrect
because the employee has a technical background. The audit findings may tend
to focus on technical matters. However, this is usually corrected in the review
process before it is carried out in production. C is incorrect because auditing is a
new role for this employee; it is less of a concern and may need more control
assessment skills. However, this can be addressed by on-the-job training and is
less of a concern than a potential conflict of interest. D is incorrect because this
employee was previously employed in the organization's IT department; it is
possible to build upon the employee's current understanding of the business to
address any gaps in knowledge.)
A system developer transfers to the audit department to serve as an IT auditor.
When production systems are to be reviewed by this employee, which of the
following will become the MOST significant concern?
A. The work may be construed as a self-audit.
B. Audit points may largely shift to technical aspects.
C. The employee may not have sufficient control assessment skills.
D. The employee’s knowledge of business risk may be limited.
Material areas are addressed first. (Material risk is audited according to the risk
ranking, thus enabling the audit team to concentrate on high-risk areas first. A is
incorrect because high impact does not necessarily indicate high risk. Risk also
takes into consideration probability. B is incorrect because a risk-based audit
approach addresses resource allocation, which is not the primary function of a
risk-based audit approach. D is incorrect because management concerns may
not be aligned with high-risk areas.)
Which of the following is the PRIMARY purpose of a risk-based audit?
A. High-impact areas are addressed first.
B. Audit resources are allocated efficiently.
C. Material areas are addressed first.
D. Management concerns are prioritized.
Lower confidence coefficient, which leads to a lower sample size (The
confidence coefficient, or confidence level, is a measure of the accuracy and
confidence about the quality of the sample. Sample size and confidence
correlation are directly related. A high sample size will give a high confidence
coefficient. When there is a strong internal control, the confidence coefficient
may be lowered, so there will be a review of only a few samples.)
In the case of a strong internal control, an auditor can adopt a:
A. High confidence coefficient and a selection of small samples
B. Low confidence coefficient and a selection of large samples
C. Higher confidence coefficient, which leads to a larger sample size
D. Lower confidence coefficient, which leads to a lower sample size
identify the organization's information assets. (The first step of the risk
assessment process is to identify systems and processes that support the
business objectives because the risk to those processes impacts the achievement
of business goals. A is wrong because after the business objectives and
underlying systems are identified, the effort should focus on the most sensitive
data assets. The data classification program assists the auditor in identifying
these assets. C is wrong because Inherent risk is the exposure without
considering management's actions. A risk assessment aims to identify
vulnerabilities so controls can be mitigated. One must understand the business
and its supporting systems to identify the systems that require the most risk
assessment. D is wrong because designing and implementing controls to
mitigate inherent risk can only be performed after everything else.)
When performing a risk analysis, the IS auditor should FIRST:
A. review the data classification program.
B. identify the organization’s information assets.
C. identify the inherent risk of the system.
D. perform a cost-benefit analysis for controls.
The use of a statistical sample to verify the inventory of a tape library (In
substantive testing, the accuracy and integrity of the transaction and balances
are verified. A substantive test is used to verify the inventory.)
The best example of a substantive test is:
A. To ascertain compliance with firewall rules
B. To ascertain compliance with a change management policy
C. The use of a statistical sample to verify the inventory of a tape library
D. To review the reports that capture the password history
Designing the cybersecurity controls (If an auditor designs the controls, a
conflict of interest arises in the neutrality of the auditor to address deficiencies
during an audit. This violates the ISACA Code of Ethics. A is incorrect because
this is typically an operational responsibility. However, it is not nearly as strong
a conflict of interest as the auditor designing controls and then reviewing them.
C is incorrect because part of the role of an IS auditor can be to advise on a
cybersecurity framework, provided that such advice does not rise to the level of
designing specific controls that the auditor would later review. D is incorrect
because this can be the responsibility of the IS auditor and does not present a
conflict of interest.)
Which of the following is MOST likely to be considered a conflict of interest
for an IS auditor who is reviewing a cybersecurity implementation?
A. Delivering cybersecurity awareness training
B. Designing the cybersecurity controls
C. Advising on the cybersecurity framework
D. Conducting the vulnerability assessment
While substantive testing tests the details, compliance testing tests the controls.
(Compliance testing is used to evaluate the existence of the control. In
substantive testing, the accuracy and integrity of the transaction and balances
are verified.)
The difference between compliance testing and substantive testing is that:
A. While substantive testing tests the controls, compliance testing tests the
details.
B. While substantive testing tests the details, compliance testing tests the
controls.
C. While substantive testing verifies the correctness of trail balance, compliance
testing tests the financial statements.
D. While substantive testing tests the internal controls, compliance testing tests
the internal requirements
The nature and criticality of the business process supported by the application
(The e-commerce application enables the execution of business transactions.
Therefore, it is essential to understand the nature and criticality of the business
process supported by the e-commerce application to identify specific controls to
review. A is wrong because understanding the technology architecture of the e-
commerce environment is essential; however, the nature of the business process
supported by the e-commerce application must be well understood. B is wrong
because the policies, procedures, and practices that form the internal control
environment must align with the e-commerce environment; there are other
essential elements the IS auditor needs to understand. D is wrong because the
availability of the e-commerce environment is necessary, but this is only one of
the aspects to be considered.)
Which of the following is MOST important for an IS auditor to understand
when auditing an e-commerce environment?
A. The technology architecture of the e-commerce environment
B. The policies, procedures and practices forming the control environment
C. The nature and criticality of the business process supported by the
application
D. Continuous monitoring of control measures for system availability and
reliability
A compliance test (Compliance testing is used to evaluate the existence of the
control. In substantive testing, the accuracy and integrity of the transaction and
balances are verified. In the given case, verifying that only active users have
access to critical systems requires evaluating the existence of controls, and
hence, a compliance test is used.)
To determine that only active users have access to a critical system, which of the
following is best?
A. A compliance test
B. A substantive test
C. A statistical sample
D. Judgment sampling
It detects risk sooner. (Control self-assessments (CSAs) require employees to
assess the control stature of their function. CSAs help to increase the
understanding of business risk and internal controls. Because they are
conducted more frequently than audits, CSAs help to identify risk in a timelier
manner. B is incorrect because CSAs do not replace the internal audit function;
an audit must still be performed to ensure controls are present. C is incorrect
because CSAs may not reduce the audit function's workload and are not a major
difference between the two approaches. D is incorrect because CSAs do not
affect the need for audit resources. Although the results of the CSA may serve as
a reference point for the audit process, they do not affect the scope or depth of
audit work that needs to be performed.)
What is the MAJOR benefit of conducting a control self-assessment over a
traditional audit?
A. It detects risk sooner.
B. It replaces the internal audit function.
C. It reduces audit workload.
D. It reduces audit resource requirements.
The risks of control are within acceptable norms. (It must be noted that the
outcome of compliance testing is used to make a plan for a substantive test. If
the outcome of compliance testing indicates the existence of effective internal
control, then substantive testing may not be required or may be reduced.
However, if the outcome of compliance testing indicates a poor internal control
system, then more rigorous substantive testing is required. Thus, a substantive
test procedure can be reduced if the compliance test concludes that risks of
control are within an acceptable level.)
The substantive test procedure can be reduced if, after a compliance test, it is
concluded that:
A. It would be too expensive for a substantive test.
B. The organization has weak controls.
C. The inherent risk is low.
D. The risks of control are within acceptable norms.
allows the IS auditor to review and follow up on audit issues in a timely manner.
(Continuous audit allows audit and response to audit issues promptly because
audit findings are gathered in near real time. A is incorrect because the
continuous audit approach often requires an IS auditor to collect evidence on
system reliability while processing occurs. C is incorrect because responsibility
for enforcement and monitoring controls is primarily management's
responsibility. D is incorrect because the use of continuous audit is not based on
the complexity or number of systems being monitored.)
The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while
processing is taking place.
B. allows the IS auditor to review and follow up on audit issues in a timely
manner.
C. places the responsibility for enforcement and monitoring of controls on the
security department instead of audit.
D. simplifies the extraction and correlation of data from multiple and complex
systems.
A review of the accounts receivable for an aged trial balance (Compliance
testing is used to evaluate the existence of the control. In substantive testing, the
accuracy and integrity of the transaction and balances are verified.)
An example of a substantive audit test includes:
A. Ascertaining periodic management checks and controls
B. Ascertaining logical access controls
C. A review of reports detailing short shipments of the goods
D. A review of the accounts receivable for an aged trial balance
Generalized audit software (Generalized audit software features include
mathematical computations, stratification, statistical analysis, sequence
checking, duplicate checking, and re-computations. Using generalized audit
software, an IS auditor can design appropriate tests to recompute the payroll,
thereby determining whether there were overpayments and to whom they were
made. A is incorrect because test data tests for the existence of controls that
might prevent overpayments, but it does not detect specific, previous
miscalculations. C is incorrect because it helps identify a problem as it occurs
but does not detect errors for a previous period. D is incorrect because this can
enable the IS auditor to evaluate a process and gather audit evidence, but it does
not detect errors for a previous period.)
The vice president of human resources has requested an IS audit to identify
payroll overpayments for the previous year. Which would be the BEST audit
technique to use in this situation?
A. Generate sample test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module
To ascertain the adequacy, effectiveness, and efficiency of controls.
(Compliance tests are conducted to ascertain the controls adequacy,
effectiveness, and efficiency.)
Which of the following is the objective of a compliance test?
A. To ascertain the adequacy, effectiveness, and efficiency of controls.
B. To ascertain appropriate documentation.
C. Users are granted access as specified.
D. Data validation procedures are provided.
A substantive test (In substantive testing, evidence is gathered to evaluate the
accuracy of the data or other information. Using a statistical sample to inventory
the tape library is a good example of a substantive test.)
The use of a statistical sample to inventory the tape library is considered as:
A. A substantive test
B. A compliance test
C. An integrated test
D. A continuous audit
A compliance test of the program library controls (Compliance tests are
conducted to ascertain controls adequacy, effectiveness, and efficiency. A
compliance test will be used to determine whether the program library controls
are working properly.)
To determine whether the source and object versions are the same, what
procedure is performed?
A. A substantive test of the program library controls
B. A compliance test of the program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
Substantive testing (Compliance testing is used to evaluate the existence of the
control. Compliance tests are conducted to ascertain controls adequacy,
effectiveness, and efficiency. In substantive testing, the accuracy and integrity
of the transaction and balances are verified.)
Evidence gathering to determine the accuracy of an individual transaction or
data is:
A. Substantive testing
B. Compliance testing
C. Stop-or-go testing
D. Discovery testing
Correcting coding errors during the testing process (Correction of code should
not be a responsibility of the quality assurance team because it would not ensure
segregation of duties and would impair the team's independence. A, B, and D
are incorrect because they are valid quality assurance functions.)
Which of the following would impair the independence of a quality assurance
team?
A. Ensuring compliance with development methods
B. Checking the test assumptions
C. Correcting coding errors during the testing process
D. Checking the code to ensure proper documentation
The objective and scope of the audit (The objective and scope of the audit are
the best factors to determine the extent of the data requirements. A limited scope
may not require huge data collection. A wider scope may require more data for
analysis and sample verification. The other options do not directly impact the
extent of data collection.)
The most significant factor that impacts the extent of the data requirements for
an audit is:
A. The extent of automation
B. The previous audit observations
C. The objective and scope of the audit
D. The auditor's expertise
Report the use of the unauthorized software and the need to prevent recurrence.
(The use of unauthorized or illegal software should be prohibited by an
organization. An IS auditor must convince the user and management of the risk
and the need to eliminate the risk. For example, software piracy can result in
exposure and severe fines. A is wrong because an IS auditor should not assume
the role of the enforcing officer and take on any personal involvement in
removing the unauthorized software. B is wrong because this would detect
compliance with software licensing. However, an automated solution might not
be the best option in all cases. D is wrong because auditors must report material
findings to management for action. Informing the users of risk is not the
primary responsibility of the IS auditor.)
An IS auditor conducting a review of software usage and licensing discovers
that numerous PCs contain unauthorized software. Which of the following
actions should the IS auditor take?
A. Delete all copies of the unauthorized software.
B. Recommend an automated process to monitor for compliance with software
licensing.
C. Report the use of the unauthorized software and the need to prevent
recurrence.
D. Warn the end users about the risk of using illegal software.
Publish the report and highlight the risk of implementation before considering
the results of penetration testing (In the case of the unavailability of evidence,
the auditor should report the relevant risk in the audit report. The auditor should
not wait until the results are made available. The auditor is not required to
conduct a penetration test, which is beyond the scope of an audit.)
While reviewing the implementation of an application, it is observed that the
results of penetration are not yet declared and will not be finalized prior to
implementation. What is the IS auditor's best option?
A. Publish the report and highlight the risk of implementation before
considering the results of penetration testing
B. Publish the report without commenting on penetration testing as the results
are inconclusive.
C. Publish the report only when the penetration reports are made available
D. Conduct a penetration test and evaluate the test results
Automated code comparison (This is comparing two versions of the same
program to determine whether the two correspond. It is an efficient technique
because it is an automated procedure. A is incorrect because this permits the
auditor to verify the processing of preselected transactions but provides no
evidence about unauthorized changes or unexercised portions of a program. B is
incorrect because this is the reading of program source code listings to
determine whether the code follows coding standards or contains potential
errors or inefficient statements. A code review can be used as a means of code
comparison, but it is inefficient and unlikely to detect any changes in the code,
especially in a large program. D is incorrect because this does not detect
unauthorized program changes.)
Which of the following audit techniques would BEST help an IS auditor in
determining whether there have been unauthorized program changes since the
last authorized program update?
A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures
To design an alternative test procedure (If the sample size is insufficient, the
auditor should develop an alternative test procedure to evaluate the change
management process.)
While reviewing a change management process, it is observed that the number
of changes that are available for sampling does not give reasonable assurance.
What is the best option for the IS auditor?
A. To design an alternative test procedure
B. To publish the report on the basis of the samples available
C. To conduct an interview with the staff associated with the process
D. To create a dummy sample for verification
gain agreement on the findings. (The primary purpose of meeting with auditees
prior to formally closing a review is to gain agreement on the findings and
responses from management. A is incorrect because the closing meeting
identifies any misunderstandings or errors in the audit but does not identify any
important issues overlooked in the audit. C is incorrect because the closing
meeting may obtain comments from management on the conduct of the audit
but is not intended to be a formal review of the adequacy of the audit
procedures. D is incorrect because the structure of an audit report and the
presentation follows accepted standards and practices. The closing meeting may
indicate errors in the audit or presentation but is not intended to test the
structure of the presentation.)
The PRIMARY purpose for meeting with auditees prior to formally closing a
review is to:
A. confirm that the auditors did not overlook any important issues.
B. gain agreement on the findings.
C. receive feedback on the adequacy of the audit procedures.
D. test the structure of the final presentation.
The purpose, scope, and objective of the audit (The purpose, scope, and
objective of the audit directly determine the extent of the data requirements. The
availability of information should not constrain it, the auditor's experience, or
the business's nature.)
Which of the following ascertains the extent of the data requirements for the
audit?
A. The availability of information
B. The experience of the auditor
C. The nature of the business
D. The purpose, scope, and objective of the audit
the probability of error must be objectively quantified. (Given an expected error
rate and confidence level, statistical sampling is an objective method of
sampling, which helps an IS auditor determine the sample size and quantify the
probability of error (confidence coefficient). B is incorrect because sampling
risk is the risk of a sample not being representative of the population. This risk
exists for judgment and statistical samples. C is incorrect because statistical
sampling can use generalized audit software, but it is not required. D is
incorrect because the tolerable error rate must be predetermined for both
judgment and statistical sampling.)
An IS auditor should use statistical sampling and not judgmental (nonstatistical)
sampling, when:
A. the probability of error must be objectively quantified.
B. the auditor wants to avoid sampling risk.
C. generalized audit software is unavailable.
D. the tolerable error rate cannot be determined.
Confirmation letter from a relevant third party verifying an account balance
(Evidence obtained from independent third parties is almost always considered
more reliable than assurance provided by local management. B is wrong
because data collected from the Internet is not always trustworthy or
independently validated. C is wrong because management is not objective and
may not understand the risk and control environment. They only provide
evidence that the application is working correctly (not the controls). Their
assurance is not an acceptable level of trust for audit evidence. D is wrong
because ratio analysis can identify trends and deviations from a baseline but is
unreliable evidence.)
Which of the following can be considered MOST reliable evidence for an IS
auditor?
A. Confirmation letter from a relevant third party verifying an account balance
B. Information available on open source
C. Assurance from line management that an application is working as designed
D. Ratio analysis developed by the IS auditor from reports supplied by line
management
the threats/vulnerabilities affecting the assets. (One of the key factors to be
considered while assessing the information systems risk is the value of the
systems (the assets) and the threats and vulnerabilities affecting the assets. The
risk related to the use of information assets should be evaluated in isolation
from the installed controls. A is incorrect because the controls are irrelevant
until the IS auditor knows the threats and risks that the controls are intended to
address. B is incorrect because the effectiveness of the controls must be
measured to the risk (based on assets, threats, and vulnerabilities) that the
controls are intended to address. C is incorrect because the first step must be to
determine the risk being managed before reviewing the mechanism of
monitoring risk.)
An IS auditor is evaluating management's risk assessment of information
systems. The IS auditor should FIRST review:
A. the controls are in place.
B. the effectiveness of the controls.
C .the mechanism for monitoring the risk.
D. the threats/vulnerabilities affecting the assets.
A sample system-generated exception report for the review period, with follow-
up action items noted by the reviewer (A sample of a system-generated report
with evidence that the reviewer followed up on the exception represents the best
possible evidence of the effective operation of the control because there is
documented evidence that the reviewer has reviewed and taken actions based on
the exception report. A is wrong because a walk-through will highlight how a
control is designed to work, but it does not highlight the effectiveness of the
control. B is wrong because reviewer sign-off only demonstrates the control's
effectiveness if the reviewer notes follow-up actions for the exceptions
identified. D is wrong because management's confirmation of the effectiveness
of the control suffers from a lack of independence—management might be
biased toward the effectiveness of the controls put in place.)
An IS auditor is validating a control that involves a review of system-generated
exception reports. Which of the following is the BEST evidence of the
effectiveness of the control?
A. Walk-through with the reviewer of the operation of the control
B. System-generated exception reports for the review period with the reviewer's
sign-off
C. A sample system-generated exception report for the review period, with
follow-up action items noted by the reviewer
D. Management's confirmation of the effectiveness of the control for the review
period
Expand the sample of logs reviewed. (Standards require an IS auditor to gather
sufficient and appropriate audit evidence. The IS auditor has found a potential
problem and needs to determine whether this is an isolated incident or a
systematic control failure. A is wrong because, at this stage, it is too preliminary
to issue an audit finding. Seeking an explanation from management is advisable,
but it would be better to gather additional evidence to evaluate the situation's
seriousness properly. B is wrong because gathering more information on the
incident and the frequency of the incident would make it easier to obtain a
meaningful explanation from management. C is wrong because a backup failure
will be serious if it involves critical data. However, the issue is not the
importance of the data on the server, where a problem is detected, but whether a
systematic control failure that impacts other servers exists.)
An IS auditor reviews one day of logs for a remotely managed server and finds
one case where logging failed and the backup restarts cannot be confirmed.
What should the IS auditor do?
A. Issue an audit finding.
B. Seek an explanation from IS management.
C. Review the classifications of data held on the server.
D. Expand the sample of logs reviewed.
obtain an understanding of the security risk to information processing. (When
evaluating logical access controls, an auditor should first understand the
security risk facing information processing by reviewing relevant
documentation and inquiries and conducting a risk assessment. It is necessary so
that the auditor can ensure the controls are adequate to address risk. A is wrong
because documentation and evaluation is the second step and is based on the
risk to the system that necessitates the controls. B is wrong because the third
step is to test the access paths—to determine if the controls are functioning. C is
wrong because it is only after the risk is determined and the controls
documented that the auditor can evaluate the security environment to assess its
adequacy through reviewing written policies, observing practices, and
comparing them to appropriate security good practices.)
An IS auditor evaluating logical access controls should FIRST:
A. document the controls applied to the potential access paths to the system.
B. test controls over the access paths to determine if they are functional.
C. evaluate the security environment in relation to written policies and
practices.
D. obtain an understanding of the security risk to information processing.
Report the incident to management. (Reporting the suspected incident to
management will help initiate the incident response process, which is the most
appropriate action. Management is responsible for making decisions regarding
the appropriate response. It is not the IS auditor's role to respond to incidents
during an audit. A is wrong because the IS auditor should follow the
organization's incident response process. The auditor is not authorized to shut
the system down. C is wrong because the IS auditor is not authorized to lead the
investigation or suspend user accounts. The auditor should report the incident to
management. D is wrong because management is responsible for setting up and
following an incident management plan; that is not the responsibility of the IS
auditor.)
An IS auditor suspects an incident is occurring while an audit is being
performed on a financial system. What should the IS auditor do FIRST?
A. Request that the system be shut down to preserve evidence.
B. Report the incident to management.
C. Ask for immediate suspension of the suspect accounts.
D. Investigate the source and nature of the incident.
Discuss it with the IT managers. (Discussing the implementation of segregation
of duties with the IT managers is the best way to determine how responsibilities
are assigned within the department. B is wrong because job descriptions may
not be the best source of information because they could be outdated, or what is
documented in the job descriptions may differ from what is performed. C is
wrong because past IS audit reports are not the best source of information
because they may not accurately describe how IT responsibilities are assigned.
D is wrong because evaluating the organizational structure may give a limited
view on the allocation of IT responsibilities. The responsibilities also may have
changed over time.)
During an IS audit, what is the BEST way for an IS auditor to evaluate the
implementation of segregation of duties within an IT department?
A. Discuss it with the IT managers.
B. Review the job descriptions of the IT functions.
C. Research past IS audit reports.
D. Evaluate the organizational structure.
Detection (This is directly affected by the IS auditor's selection of audit
procedures and techniques. Detection risk is the risk that a review will not
detect or notice a material issue. A is wrong because this is the risk that a
material error could occur if there are no related internal controls to prevent or
detect the error. Inherent risk is not usually affected by an IS auditor. C is wrong
because this is the risk that a material error exists that would not be prevented or
detected on a timely basis by the system of internal controls. Control risk can be
mitigated by the actions of the organization's management. D is wrong because
this is a probable situation with uncertain frequency and magnitude of loss (or
gain). Business risk is usually not directly affected by an IS auditor.)
The decisions and actions of an IS auditor are MOST likely to affect which of
the following types of risk?
A. Inherent
B. Detection
C. Control
D. Business
Observation and interview (Observation and interview by an IS auditor can be
considered the best evidence compared to the other options. A user access
review does not provide complete information compared to an interview. Also,
user access can be changed between audits. Management assurance and
organization charts can be considered as additional evidence; however,
observation and interview are considered as more reliable evidence.)
The best evidence for the existence of the segregation of duties is:
A. Management assurance
B. Information derived from an organization chart
C. Observation and interview
D. Review of user access
There were instances when some jobs were overridden by computer operators.
(Computer operators' overriding of computer processing jobs could lead to
unauthorized changes to data or programs. This is a control concern; thus, it is
always critical. A is wrong because emergency changes are acceptable as long
as they are properly documented as part of the process. B is wrong because jobs
not being completed on time are a potential issue and should be investigated,
but it is not the greatest concern. D is wrong because the audit should find that
all scheduled jobs were run and any exceptions were documented. This would
not be a violation.)
An IS auditor has been assigned to conduct a test that compares job run logs to
computer job schedules. Which of the following observations would be of the
GREATEST concern to the IS auditor?
A. There are a growing number of emergency changes.
B. There were instances when some jobs were not completed on time.
C. There were instances when some jobs were overridden by computer
operators.
D. Evidence shows that only scheduled jobs were run.
include the finding in the final report, because the IS auditor is responsible for
an accurate report of all findings. (If an action is taken after the audit starts and
before it ends, audit report should identify the finding and describe corrective
action taken. An audit report should reflect the situation at start of audit. All
corrective actions taken by the auditee should be reported in writing. B is wrong
because audit report should contain relevant findings and management's
response, even if finding is resolved. This means that subsequent audits may test
for continued control resolution. C is wrong because audit report should contain
findings so they are documented, and removal of control after the audit would
be noticed. D is wrong because audit report should include findings and
resolution, which can be mentioned in final meeting. The audit report should list
all relevant findings and management responses.)
Corrective action has been taken by an auditee immediately after the
identification of a reportable finding. The auditor should:
A. include the finding in the final report, because the IS auditor is responsible
for an accurate report of all findings.
B. not include the finding in the final report because management resolved the
item.
C. not include the finding in the final report, because corrective action can be
verified by the IS auditor during the audit.
D. include the finding in the closing meeting for discussion purposes only.
A configuration report extracted from the system directly by the audit team
(Evidence collected directly from the source by the audit team is considered
more reliable compared to the other options.)
Which of the following can be considered best evidence to determine system
A. A system configuration report extracted by the system administrator
B. A configuration report extracted from the system directly by the audit team
C. The documentation of configuration maintained by the IT team
D. An approved configuration setting note
compliance testing. (Compliance testing determines whether controls are being
applied in compliance with policy. This includes tests to determine whether new
accounts were appropriately authorized. A is wrong because variable sampling
is used to estimate numerical values such as dollar values. B is wrong because
substantive testing substantiates the integrity of actual processing, such as
balances on financial statements. The development of substantive tests often
depends on compliance tests' outcomes. If compliance tests indicate that there
are adequate internal controls, then substantive tests can be minimized. D is
wrong because stop-or-go sampling allows a test to be stopped as early as
possible and is inappropriate for checking whether procedures have been
followed.)
An IS auditor is reviewing access to an application to determine whether
recently added accounts were appropriately authorized. This is an example of:
A. variable sampling.
C. compliance testing.
D. stop-or-go sampling.
Attribute sampling (It is the primary sampling method used for compliance
testing. Attribute sampling is a sampling model used to estimate the rate of
occurrence of a specific quality (attribute) in a population and is used in
compliance testing to confirm whether the quality exists. For example, an
attribute sample may check all transactions over a predefined dollar amount for
proper approvals. B is wrong because it is based on calculating a mean from a
sample extracted from the entire population and using that to estimate the
characteristics of the entire population. For example, a sample of 10 items
shows an average price of US $10 per item. For the entire population of 1,000
items, the total value is estimated to be US $10,000. C is wrong because this
attempts to ensure that the entire population is represented in the sample. D is
wrong because this examines measure deviations and extraordinary items.)
Which of the following sampling methods is MOST useful when testing for
compliance?
C. Stratified mean per unit sampling
D. Difference estimation sampling
IS audit reports (Option A and C do not have the element of independence. An
audit report by a qualified auditor is considered more reliable than a
confirmation letter from a third party.)
Which of the following can be considered the most reliable information?
A. Oral declaration by management
B. IS audit reports
C. Data provided by management
D. Confirmation letter received from a third party
preservation. (Preservation and documentation of evidence for review by law
enforcement and judicial authorities are of primary concern when conducting an
investigation. Failure to properly preserve the evidence could jeopardize the
admissibility of the evidence in legal proceedings. The other options are
important but not the primary concerns related to evidence in a forensic
investigation.)
When performing a computer forensic investigation, in regard to the evidence
gathered, an IS auditor should be MOST concerned with:
A. analysis.
B. evaluation.
C. preservation.
D. disclosure.
expand the scope to include substantive testing. (If documented procedures or
job descriptions do not confirm the answers provided to an IS auditor's
questions, the IS auditor should expand the scope of testing the controls and
include additional substantive tests. A is wrong because it is based solely on the
interview with the payroll clerk, the IS auditor will not be able to collect
evidence to conclude on the adequacy of existing controls. C and D are wrong
because they are inappropriate actions and provide no current knowledge of the
adequacy of the existing controls.
An IS auditor finds that the answers received during an interview with a payroll
clerk do not support job descriptions and documented procedures. Under these
circumstances, the IS auditor should:
A. conclude that the controls are inadequate.
B. expand the scope to include substantive testing.
C. place greater reliance on previous audits.
D. suspend the audit.
A sample exception report along with a follow-up action plan (A review of the
exception report and a follow-up action represents the best possible evidence. It
determines that the control process is in place and follow-up actions are taken
for exceptions.)
The best evidence to determine the effectiveness of control involving the review
of system generated exceptional reports is:
A. A walkthrough of the control process
B. Approved documented control process
C. A sample exception report along with a follow-up action plan
D. Management assurance
Gain more assurance on the findings through root cause analysis. (A change
management process is critical to IT production systems. Before recommending
that the organization take any other action, the auditor should gain assurance
that the incidents reported are related to deficiencies in the change management
process. A is wrong because while it may be necessary to redesign the change
management process, this can't be done until a root cause analysis is conducted
to determine why the current process is not being followed. C is wrong because
a business relies on being able to make changes when necessary. Security
patches must often be deployed promptly. It would only be feasible to halt all
changes once a new process is developed. D is wrong because the results of the
audit, including the findings of noncompliance, will be delivered to
management once a root cause analysis of the issue has been completed.)
During a change control audit of a production system, an IS auditor finds that
the change management process is not formally documented and that some
migration procedures failed. What should the IS auditor do next?
A. Recommend redesigning the change management process.
B. Gain more assurance on the findings through root cause analysis.
C. Recommend that program migration be stopped until the change process is
documented.
D. Document the finding and present it to management.
conducting a physical count of the tape inventory. (A substantive test includes
gathering evidence to evaluate the integrity (i.e., the completeness, accuracy,
and validity) of individual transactions, data, or other information. Conducting a
physical count of the tape inventory is a substantive test. A, B, and D are wrong
because they are compliance tests.)
A substantive test to verify that tape library inventory records are accurate is:
A. determining whether bar code readers are installed.
B. determining whether the movement of tapes is authorized.
C. conducting a physical count of the tape inventory.
D. checking whether receipts and issues of tapes are accurately recorded.
The creation of simulated transactions for processing and comparing results for
correctness (The most effective evidence is to create simulated transactions for
verification. The other options do give a good indication about the accuracy of
logic; however, Option B can be considered as best evidence.)
The best evidence to determine the accuracy of system logic for transaction
processing is:
A. A review of the source code
B. The creation of simulated transactions for processing and comparing results
for correctness
C. An interview with the system developer
D. An approved UAT report
Compliance testing (Determining that only authorized modifications are made
to production programs would require the change management process to be
reviewed to evaluate the existence of a trail of documentary evidence.
Compliance testing helps verify that the change management process has been
applied consistently. A is wrong because system log analysis would identify
changes and activity on a system but would only identify whether the change
was authorized if conducted as a part of a compliance test. C is wrong because
forensic analysis is a specialized technique for criminal investigation. D is
wrong because an analytical review assesses the general control environment of
an organization.)
Which of the following would an IS auditor use to determine if unauthorized
modifications were made to production programs?
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review
preparing simulated transactions for processing and comparing the results to
predetermined results. (Preparing simulated transactions for processing and
comparing the results to predetermined results is the best method for confirming
the accuracy of a tax calculation. A is wrong because reviewing source code is
not an effective method of ensuring the calculation is correctly computed. B is
wrong because recreating program logic may lead to errors, and monthly totals
are inaccurate enough to ensure correct computations. D is wrong because
flowcharting and analysis of source code are not effective methods to address
the accuracy of individual tax calculations.)
The BEST method of confirming the accuracy of a system tax calculation is by:
A. review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate
monthly totals.
C. preparing simulated transactions for processing and comparing the results to
predetermined results.
D. automatic flowcharting and analysis of the source code of the calculation
programs.
expand activities to determine whether an investigation is warranted. (An IS
auditor's responsibilities for detecting fraud include evaluating fraud indicators
and deciding whether additional action is necessary or an investigation should
be recommended. B is wrong because the IS auditor should notify the
appropriate authorities within the organization only if it has determined that the
indicators of fraud are sufficient to recommend an investigation. C is wrong
because the IS auditor should report the possibility of fraud to top management
only after sufficient evidence to launch an investigation. This may be affected
by whether management may be involved in the fraud. D is wrong because
normally, the IS auditor does not have the authority to consult with external
legal counsel.)
After initial investigation, an IS auditor has reasons to believe that fraud may be
present. The IS auditor should:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C. report the possibility of fraud to management.
D. consult with external legal counsel to determine the course of action to be
taken.
Appropriate audit evidence will be collected (Primarily, an IS auditor's
professional judgment is required to collect sufficient audit evidence. An audit
need not necessarily identify all the deficiencies. Auditee management is
responsible for taking corrective action. Completing an audit within the defined
timeline is an important element, but the primary objective of the audit
procedure is to collect sufficient evidence.)
An IS auditor should use professional judgement primarily to ensure:
A. Appropriate audit evidence will be collected
B. All deficiencies will be detected
C. Significant risk will be corrected within a reasonable time
D. An audit will be completed within the defined time frame
Inform appropriate personnel immediately. (The first thing an IS auditor should
do after detecting the virus is to alert the organization to its presence and then
wait for their response. A is wrong because observing the response mechanism
should be done after informing the appropriate personnel. This will enable an IS
auditor to examine the actual workability and effectiveness of the response
system. B is wrong because the IS auditor is neither authorized nor capable of
removing the virus from the network in most cases. D is wrong because an IS
auditor should not change the system being audited; ensuring the deletion of the
virus is a management responsibility.)
While conducting an audit, an IS auditor detects the presence of a virus. What
should be the IS auditor's next step?
A. Observe the response mechanism.
B. Clear the virus from the network.
C. Inform appropriate personnel immediately.
D. Ensure deletion of the virus.
sufficient evidence will be collected. (Procedures are processes an auditor may
follow in an audit engagement. An auditor should use professional judgment to
determine the appropriateness of any particular procedure. Professional
judgment involves subjective and qualitative evaluation of conditions that arise
during an audit. It addresses a grey area where binary decisions are
inappropriate, and the auditor's experience plays a key role. B is wrong because
correcting deficiencies is the responsibility of management. C is wrong because
identifying material weaknesses results from appropriate competence,
experience, and thoroughness in audit planning and execution. Audit procedures
and professional judgment can't ensure all weaknesses are identified and
corrected. D is wrong because professional judgment ensures audit resources
and costs are used wisely, but is not the primary objective.)
When selecting audit procedures, an IS auditor should use professional
judgment to ensure that:
A. sufficient evidence will be collected.
B. significant deficiencies will be corrected within a reasonable period.
C. all material weaknesses will be identified.
D. audit costs will be kept at a minimum level.
Sufficient and appropriate audit evidence (The audit team should ensure that
their reporting is based on objective evidence. Evidence should be sufficient and
appropriate to the audit findings.)
An IS auditor should ensure that the audit findings are supported by:
A. The confirmation form auditee management.
B. The audit program
C. A closure recommendation
D. Sufficient and appropriate audit evidence
Develop an alternate testing procedure. (If a sample size objective cannot be
met with the given data, the IS auditor cannot provide assurance regarding the
testing objective. In this instance, the IS auditor should develop (with audit
management approval) an alternate testing procedure. B is wrong because there
is insufficient evidence to report the finding as a deficiency. C is wrong because
a walk-through should only be initiated once an analysis is performed to
confirm that this could provide the required assurance. D is wrong because it
would not be appropriate for an IS auditor to create sample data for the audit.)
When testing program change requests for a remote system, an IS auditor finds
that the number of changes available for sampling would not provide a
reasonable level of assurance. What is the MOST appropriate action for the IS
auditor to take?
A. Develop an alternate testing procedure.
B. Report the finding to management.
C. Perform a walk-through of the change management process.
D. Create additional sample data to test additional changes.
Revalidate the supporting evidence for the finding. (Conclusions drawn by an
auditor should be adequately supported by evidence, and any compensating
controls or corrections pointed out by a department manager should be
considered. Therefore, the first step would be to revalidate the evidence for the
finding. If there are unsettled disagreements after revalidating and retesting, the
report should include those issues. A is wrong because retesting the control
occurs typically after the evidence has been revalidated. B is wrong because
while there are cases where a third party may be needed to perform specialized
audit procedures, an auditor should first revalidate the supporting evidence to
determine if there is a need for a third party. C is wrong because before putting a
disputed finding or management response in the audit report, the auditor should
review the evidence used in the finding to ensure audit accuracy.)
Which of the following should be the FIRST action of an IS auditor during a
dispute with a department manager over audit findings?
A. Retest the control to validate the finding.
B. Engage a third party to validate the finding.
C. Include the finding in the report with the department manager's comments.
D. Revalidate the supporting evidence for the finding.
Alert management and evaluate the impact of not covering all systems. (An IS
auditor should inform management that some systems are omitted from the
disaster recovery plan (DRP). An IS auditor should continue the audit and
include an evaluation of the impact of not including all systems in the DRP. B is
wrong because canceling the audit is an inappropriate action. C is wrong
because ignoring that some systems are not covered would violate audit
standards that require reporting all material findings and is inappropriate. D is
wrong because postponing the audit is an inappropriate action. The audit should
be completed according to the initial scope with identification to management
of the risk of systems not being covered.)
An IS auditor finds that a disaster recovery plan for critical business functions
does not cover all systems. Which of the following is the MOST appropriate
course of action for the IS auditor?
A. Alert management and evaluate the impact of not covering all systems.
B. Cancel the audit.
C. Complete the audit of the systems covered by the existing DRP.
D. Postpone the audit until the systems are added to the DRP.
To provide reasonable basis of drawing a conclusion (Audit evidence helps the
IS auditor to draw a conclusion about the subject under audit. Audit evidence
can be used to trace back the audit finding)
Sufficient audit evidence is obtained:
A. To comply with statutory requirements
B. To provide reasonable basis of drawing a conclusion
C. To justify audit coverage
D. To justify cost of audit
Standard report with configuration values retrieved from the system by the IS
auditor (Evidence obtained directly from the source by an IS auditor is more
reliable than information provided by a system administrator or a business
owner because the IS auditor does not have a vested interest in the audit's
outcome. A is wrong because evidence provided that is not system-generated
information could be modified before it is presented to an IS auditor. Therefore,
it may not be as reliable as evidence obtained by the IS auditor. For example, a
system administrator could change the settings or modify the graphic image
before taking a screenshot. C is wrong because the administrator may modify
the rules before taking the screenshot; therefore, this is not the best evidence. D
is wrong because the annual review a business owner provides may not reflect
current information.)
An IS auditor is carrying out a system configuration review. Which of the
following would be the BEST evidence in support of the current system
A. System configuration values imported to a spreadsheet by the system
administrator
B. Standard report with configuration values retrieved from the system by the IS
auditor
C. Dated screenshot of the system configuration settings made available by the
system administrator
D. Annual review of approved system configuration values by the business
owner
The results of a test performed by an external IS auditor (An independent test
that an auditor performs should always be considered more reliable than a third-
party confirmation letter because the letter is the result of an analysis of the
process and may not be based on authoritative audit techniques. An audit should
consist of inspection, observation, and inquiry as determined by risk. This
provides a standard methodology and reasonable assurance that controls and test
results are accurate. A and C are wrong because this is audit evidence but less
reliable than the test results performed by an external auditor. D is wrong
because a letter is subjective and may not have been generated as a part of an
authoritative audit or conform to audit standards.)
Which of the following forms of evidence would an IS auditor consider
the MOST reliable?
A. An oral statement from the auditee
B. The results of a test performed by an external IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source
CAATs (CAATs are the most effective auditing tools for computerized
environments.)
The most effective tool for obtaining audit evidence through digital data is:
A. Structured Query Language
B. Extracted reports from applications
C. Risk and control testing tools
D. CAATs
Reliability (The use of CAAT ensures the reliability of audit evidence as data is
directly collected, processed, and analyzed by the IS auditor. The source of
information is considered reliable. The use of CAAT does not directly impact
the other options.)
The use of a CAAT tool will impact which of the following attributes of
evidence?
A. Appropriateness
B. Sufficiency
C. Reliability
D. Relevance
More reliability of data (CAAT provides assurance about the reliability of the
data. This is a major advantage over all the other options.)
The prime advantage of an audit team directly extracting data from a general
ledger system is:
A. No dependency on an auditee
B. Quicker access to information
C. More flexibility in the audit process
D. More reliability of data
Reperformance (In reperformance, a transaction is processed again, and results
are compared to validate the transaction. This gives the strongest evidence
among all the other options. When the same result is obtained after performance
by an independent person, it provides assurance about the accuracy of the
system logic.)
The best evidence to determine the accuracy of system logic for transaction
processing is:
A. Reperformance
B. Interview
C. Observation
D. Review of documentation
assure that the integrity of the evidence is maintained. (The IS auditor has been
requested to perform an investigation to capture evidence that may be used for
legal purposes; therefore, maintaining the integrity of the evidence should be the
foremost goal. Improperly handled computer evidence is subject to being ruled
inadmissible in a court of law. A is wrong because although it is important for
an IS auditor to be impartial, in this case, it is more critical that the evidence be
preserved. B is wrong because although it is important for an IS auditor to
maintain independence, in this case, it is more critical that the evidence be
preserved. D is wrong because while assessing all relevant evidence is
important, it is more important to maintain the chain of custody, which ensures
the integrity of evidence.)
An IS auditor has been asked by management to review a potentially fraudulent
transaction. The PRIMARY focus of an IS auditor while evaluating the
transaction should be to:
A. maintain impartiality while evaluating the transaction.
B. ensure that the independence of an IS auditor is maintained.
C. assure that the integrity of the evidence is maintained.
D. assess all relevant evidence for the transaction.
a manager coordinates the creation of a new or revised plan within a defined
time limit. (The primary concern is establishing a workable DRP that reflects
current processing volumes to protect the organization from disruptive
incidents. A is wrong because censuring the deputy CEO will not improve the
current situation and is generally outside the scope of an auditor to recommend.
B is wrong because establishing a board to review the DRP may achieve an
updated DRP but is not likely to be a speedy operation; issuing the existing DRP
would be imprudent without first ensuring it is workable. C is wrong because
the current DRP may be unacceptable or ineffective, and recommending the
approval of the DRP may be unwise. The best way to develop a DRP quickly is
to make an experienced manager responsible for coordinating the knowledge of
other managers into a formal document within a defined time limit.)
An IS auditor conducting a review of disaster recovery planning (DRP) at a
financial processing organization discovered the following:
- The existing DRP was compiled two years earlier by a systems analyst in the
organization's IT department using transaction flow projections from the
operations department.
- The DRP was presented to the deputy chief executive officer (CEO) for
approval and formal issue, but it is still awaiting attention.
- The DRP has never been updated, tested or circulated to key management and
staff, although interviews show that each would know what action to take for its
area if a disruptive incident occurred.
The IS auditor's report should recommend that:

A. the deputy chief executive officer (CEO) be censured for failure to approve
the plan.
B. a board of senior managers is set up to review the existing plan.
C. the existing plan is approved and circulated to all key management and staff.
D. a manager coordinates the creation of a new or revised plan within a defined
time limit.
Determining the analytics targets and range (The first step will be determining
the objectives and the scope of analytics, followed by Option C, Option B, and
Option A.)
Which of the following steps will be taken first to carry out data analytics?
A. A review of the results/conclusion by a qualified person
B. Determining the data's adequacy and accuracy
C. The requirement to capture and collect data
D. Determining the analytics targets and range
Greater assurance of data validity (If the auditor executes the data extraction,
there is greater assurance that the extraction criteria will not interfere with the
required completeness, and required data will be collected. Asking IT to extract
data may expose the risk of filtering out exceptions for the auditor. If the auditor
collects the data, all internal references correlating the various elements will be
understood, which may reveal vital elements to the completeness and
correctness of the overall audit activity. A is wrong because the burden on IT
staff to support the audit may decrease if the auditor extracts the dates. B is
wrong because if the risk of errors increases, auditors generally have a wider but
less technical knowledge of the internal data structure and database. C is wrong
because there may be more flexibility for the auditor to adjust the date
extractions to meet various audit requirements.)
General ledger (GL) data are required for an audit. Instead of asking IT to
extract the data, the IS auditor is granted direct access to the data. What is the
MAIN advantage of this approach?
A. Reduction of IT person-hours to support the audit
B. Reduction of the likelihood of errors in the extraction process
C. Greater flexibility for the audit department
D. Greater assurance of data validity
sufficient and appropriate audit evidence. (The auditor should have sufficient
and appropriate evidence to support the reported results. Statements from IS
management provide a basis for obtaining concurrence on matters that can't be
verified with empirical evidence. The report should be based on evidence
collected during the review, even though the IS auditor may have access to the
work papers of other auditors. The results of an organizational CSA can
supplement the audit findings. A is wrong because this could be included in the
audit analysis but must be considered a sufficient basis for issuing a report. B is
wrong because it may be used to substantiate and validate a finding but should
be used with additional work papers from the auditor who is preparing the
report. C is wrong because the results of a CSA may assist the auditor in
determining risk and compliance, but more is needed to support the report.)
When preparing an audit report the IS auditor should ensure that the results are
supported by:
A. statements from IS management.
B. work papers of other auditors.
C. an organizational control self-assessment.
D. sufficient and appropriate audit evidence.
It provides reliability for the source of information and thus reassurance on the
audit findings (The most important aspect will be the reliability of the
information. The other aspects are important but not as important as Option C.)
The prime benefit of the usage of CAAT is:
A. It is very useful in the case of a complex environment or processes
B. It ensures the independence of auditors while capturing the relevant data
C. It provides reliability for the source of information and thus reassurance on
the audit findings
D. It is a cost-effective method for audit activities
Purpose, objective, and scope of the audit (The extent of data collection during
an IS audit is directly related to the audit's purpose, objective, and scope. An
audit with a narrow purpose and limited objective and scope will likely result in
less data collection. Statistical analysis may also determine the extent of data
collection, such as sample size or means of data collection. The other options
are factors in audit planning but they don't determine how much data to collect.
The audit must be based on sufficient evidence of monitoring controls and not
unduly influenced by the auditor's familiarity with the organization.)
Which of the following is the BEST factor for determining the required extent
of data collection during the planning phase of an IS compliance audit?
A. Complexity of the organization's operation
B. Findings and issues noted from the prior year
C. Purpose, objective, and scope of the audit
D. Auditor's familiarity with the organization
Observation and interviews (Based on observations and interviews, the auditor
can evaluate the segregation of duties. By observing the IT staff performing
their tasks, an auditor can identify whether they perform any incompatible
operations. The auditor can get an overview of tasks performed by interviewing
the IT staff. A is wrong because management may need to be made aware of the
detailed functions of each employee in the IT department and whether the
controls are being followed. Therefore, discussion with management provides
limited information regarding segregation of duties. B is wrong because an
organization chart needs to provide details of the functions of employees or
whether controls are working correctly. D is wrong because this provides
information about rights users have within IS systems but needs to provide
complete information about their functions.)
Which audit technique provides the BEST evidence of the segregation of duties
in an IT department?
A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights
To ensure the integrity of imported data by safeguarding its authenticity,
integrity, and confidentiality (The most important aspect will be to ensure the
data's authenticity, integrity, and confidentiality. The others are important
aspects but not as important as Option A.)
Which of the following is a prime consideration when using CAAT?
A. To ensure the integrity of imported data by safeguarding its authenticity,
integrity, and confidentiality
B. To obtain approval for installing the CAAT software on the auditee servers
C. To provide access to CAAT to trained and experienced auditors only
D. To only use a licensed version of CAAT
Periodic testing does not require separate test processes. (An ITF creates a
fictitious entity in the database to process test transactions simultaneously with
live input. Its advantage is that periodic testing does not require separate test
processes. Careful planning is necessary, and test data must be isolated from
production data. A is wrong because the integrated test facility (ITF) tests a test
transaction as if it were a real transaction, validating that transaction processing
is being done correctly. It is not related to reviewing the source of a transaction.
C is wrong because an ITF validates the correct operation of a transaction in an
application but does not ensure that a system is being operated correctly. D is
wrong because the ITF is based on integrating test data into the normal process
flow, so test data is still required.)
Which of the following is an advantage of an integrated test facility (ITF)?
A. It uses actual master files or dummies, and the IS auditor does not have to
review the source of the transaction.
B. Periodic testing does not require separate test processes.
C. It validates application systems and ensures the correct operation of the
system.
D. The need to prepare test data is eliminated.
examine source program changes without information from IS personnel.
(When an IS auditor uses a source code comparison to examine source program
changes without information from IS personnel, the IS auditor has an objective,
independent, and relatively complete assurance of program changes because the
source code comparison identifies the changes. B is wrong because the changes
detected by the source code comparison are between two software versions.
This does not detect changes made since the acquisition of the copy of the
software. C is wrong because confirmation that the current production program
is the same as the control copy could be made by evaluating program change
controls. D is wrong because source code comparison detects all changes
between an original and a changed program; however, the comparison will not
ensure that the changes have been adequately tested.)
In the process of evaluating program change controls, an IS auditor would use
source code comparison software to:
A. examine source program changes without information from IS personnel.
B. detect a source program change made between acquiring a copy of the source
and the comparison run.
C. identify and validate any differences between the control copy and the
production program.
D. ensure that all changes made in the current source copy are tested.
Use of CAATs to perform substantive testing (Substantive testing using CAATs
will be the best way to ensure that calculations are performed correctly by the
system.)
The best way to determine the proper functioning of the system calculation is:
A. To verify the existence of the segregation of duties
B. Use of CAATs to perform substantive testing
C. To interview the process owner
D. To obtain post-change approval from management
Document the identified finding in the audit report. (IS auditor independence
would dictate that the additional information the auditee provides will be
considered. Normally, an IS auditor would not automatically. A is wrong
because the IS auditor may include the management response in the report, but
that will not affect the requirement to report the finding. B and C are wrong
because the finding remains valid, and the management response will be
documented; however, the audit may indicate a need to review the validity of
the management response.)
What is the BEST course of action for an IS auditor to take when an outsourced
monitoring process for remote access is inadequate and management disagrees
because management stated that intrusion detection system (IDS) and firewall
controls are in place?
A. Revise the finding in the audit report per management's feedback.
B. Retract the finding because the IDS controls are in place.
C. Retract the finding because the firewall rules are monitored.
D. Document the identified finding in the audit report.
Computer-assisted audit techniques (These enable the IS auditor to review the
entire invoice file to look for those items that meet the selection criteria. A is
wrong because this aids in identifying records meeting specific conditions but
does not compare one record to another to identify duplicates. To detect
duplicate invoice records, the IS auditor should check all items that meet the
criteria, not just a sample. C is wrong because this determines whether controls
procedures are adhered to. Using CAATs is the better option because searching
for duplicates is most likely more efficient. D is wrong because this allows the
IS auditor to test transactions through the production system but does not
compare records to identify duplicates.)
Which of the following should an IS auditor use to detect duplicate invoice
records within an invoice master file?
B. Computer-assisted audit techniques
C. Compliance testing
D. Integrated test facility
Snapshots (The snapshots technique captures snaps or pictures of the transaction
as it is processed at different stages in the system. Details are captured both
before and after the execution of the transaction. The correctness of the
transaction is verified by validating the before-processing and after-processing
snaps of the transactions. Snapshot is useful when an audit trail is required.)
The best audit method when an audit trail is required is:
A. SCARF
B. CIS
C. Audit hooks
D. Snapshots
test data are isolated from production data. (An ITF creates a fictitious file in
the database, allowing for test transactions to be processed simultaneously with
live data. The test data must be kept separate from production data. A is wrong
because while using an integrated test facility (ITF) ensures that periodic testing
does not require a separate test process, there is a need to isolate test data from
production data. C is wrong because an IS auditor is not required to use
production data or a test data generator. D is wrong because production master
files should not be updated with test data.)
When using an integrated test facility (ITF), an IS auditor should ensure that:
A. production data are used for testing.
B. test data are isolated from production data.
C. a test data generator is used.
D. master files are updated with the test data.
Confirming factual accuracy of the findings. (The goal of the meeting is to
confirm the factual accuracy of the audit findings and present an opportunity for
management to agree on or respond to recommendations for corrective action. A
is wrong because management approval of the corrective action plan is not
required. Management can elect to implement another corrective action plan to
address the risk. C is wrong because implementing corrective actions should be
done after the factual accuracy of findings is established. However,
implementing corrective action is not typically assigned to the IS auditor
because this impairs the auditor's independence. D is wrong because rating the
audit findings first guides management in allocating resources to high-risk
items.)
After reviewing the disaster recovery planning process of an organization, an IS
auditor requests a meeting with organization management to discuss the
findings. Which of the following BEST describes the main goal of this meeting?
A. Obtaining management approval of the corrective action plan.
B. Confirming factual accuracy of the findings.
C. Assisting management in the implementation of corrective actions.
D. Prioritizing the resolution of the items.
Setting up a separate test environment/test process is not required (A fictitious
entity is created in the live environment. There is no need to create separate test
processes as a live environment is used.)
An important feature of ITF is:
A. Testing is done on live data
B. Setting up a separate test environment/test process is not required
C. As a continuous audit tool, ITF reviews the continuous operation of the
system
D. ITF does not require test data
document the finding and explain the risk of using shared IDs. (An IS auditor's
role is to detect and document findings and control deficiencies. Part of the
audit report is to explain the reasoning behind the findings. The use of shared
IDs is not recommended because it does not allow for accountability of
transactions. An IS auditor would defer to management to decide how to
respond to the findings presented. A is wrong because it is inappropriate for an
IS auditor to report findings to the audit committee before conducting a more
detailed review and presenting them to management for a response. B is wrong
because a review of audit logs would not be useful because shared IDs do not
provide for individual accountability. D is wrong because it is not the role of an
IS auditor to request the removal of IDs from the system.)
The MOST appropriate action for an IS auditor to take when shared user
accounts are discovered is to:
A. inform the audit committee of the potential issue.
B. review audit logs for the IDs in question.
C. document the finding and explain the risk of using shared IDs.
D. request that the IDs be removed from the system.
Determine whether compensating controls are in place.
An IS auditor is reviewing system access and discovers an excessive number of
users with privileged access. The IS auditor discusses the situation with the
system administrator, who states that some personnel in other departments need
privileged access and management has approved the access. Which of the
following would be the BEST course of action for the IS auditor?
A. Determine whether compensating controls are in place.
B. Document the issue in the audit report.
C. Recommend an update to the procedures.
D. Discuss the issue with senior management.
Confirm the findings and propose a course of corrective action. (Before
communicating the results of an audit to senior management, the auditor should
discuss the findings with the auditee. The goal of this discussion is to confirm
the accuracy of the findings and to propose or recommend a course of corrective
action. A is wrong because the IS auditor will finalize and present the report to
relevant senior management levels after confirming the findings. This
discussion should also address a timetable for remediation of audit findings. B
is wrong because this discussion informs management of the audit findings, and
management may agree to develop an implementation plan for the suggested
recommendations, along with the timelines. D is wrong because, at the draft
report stage, the auditor may recommend various controls for risk mitigation.
However, the meeting aims to validate the audit findings with management.)
Which of the following BEST describes the objective of an IS auditor
discussing the audit findings with the auditee?
A. Communicate results to the auditee.
B. Develop time lines for the implementation of suggested recommendations.
C. Confirm the findings and propose a course of corrective action.
D. Identify compensating controls to the identified risk.
The verification of system processing (In the ITF technique, a test transaction is
entered. The processing results of the test transaction are compared with the
expected results to determine the accuracy of the processing. If the processed
results match the expected results, it determines that processing is happening
correctly.)
ITF is best used for:
A. The verification of system processing
B. The verification of system integration
C. The generation of test data
D. The continuous auditing of system data
Publish a report based on the available information, highlighting the potential
security weaknesses and the requirement for follow-up audit testing. (If the
auditor can't gain sufficient assurance for a critical system within the agreed-on
time frame, it should be highlighted in the audit report, and schedule follow-up
testing. Management could then determine if any weaknesses were identified to
delay the date. B is wrong because it is unacceptable for the auditor to ignore
weakness when conclusive evidence couldn't be obtained within the time frame.
C is wrong because management should decide to extend the time frame, and
delaying the date is unacceptable since the system is business-critical. The
auditor should present management with all available information. D is wrong
because failure to obtain sufficient evidence in one part of an engagement
doesn't justify postponing and would violate due professional care.)
An IS auditor is reviewing security controls for a critical web-based system
prior to implementation. The results of the penetration test are inconclusive, and
the results will not be finalized prior to implementation. Which of the following
is the BEST option for the IS auditor?
A. Publish a report based on the available information, highlighting the
potential security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing
was inconclusive.
C. Request a delay of the implementation date until additional security testing
can be completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to
implementation and recommend that the audit be postponed.
that the control is operating as designed. (Compliance tests can be used to test
the existence and effectiveness of a defined process. Auditors want reasonable
assurance that the controls they rely on are effective. An effective control meets
management expectations and objectives. A is wrong because controls must
operate efficiently and support management policies and procedures. Therefore,
the critical issue is whether the controls operate correctly and meet the control
objective. C is wrong because substantive tests are associated with data
integrity. D is wrong because determining the reasonableness of financial
reporting controls is a very narrow answer in that it is limited to financial
reporting. It meets the objective of determining whether the controls are
reasonable but does not ensure that the control works correctly, thereby
supporting management expectations and objectives.)
An IS auditor is conducting a compliance test to determine whether controls
support management policies and procedures. The test will assist the IS auditor
to determine:
A. that the control is operating efficiently.
B. that the control is operating as designed.
C. the integrity of data controls.
D. the reasonableness of financial reporting controls.
Audit hooks (In the audit hook technique, a code is embedded into the
application systems to review the selected transactions. The audit team can act
as soon as possible before an error or an irregularity comes out of hand. They
have low complexity in the criteria design and are also very useful for
identifying fraud or an error early.)
The best continuous auditing technique for the early detection of errors or
irregularities is:
A. SCARF
B. ITF
C. CIS
D. Audit hooks
perform an additional analysis. (The auditor needs to perform substantive
testing and additional analysis to determine why the approval and workflow
processes are not working as intended. Before making any recommendation, the
auditor should understand the problem's scope and what factors caused this
incident. The auditor should identify whether the issue was caused by managers
not following procedures, a problem with the workflow of the automated
system, or a combination of the two. B is wrong because the auditor still needs
more information to report the problem. C is wrong because changing the scope
of the IS audit or conducting a security risk assessment would require more
detailed information about the processes and violations being reviewed. D is
wrong because the auditor must first determine the root cause and impact of the
findings and needs more information to recommend fixing the workflow
issues.)
An IS auditor finds a small number of user access requests that had not been
authorized by managers through the normal predefined workflow steps and
escalation rules. The IS auditor should:
A. perform an additional analysis.
B. report the problem to the audit committee.
C. conduct a security risk assessment.
D. recommend that the owner of the identity management (IDM) system fix the
workflow issues.
communicate the possibility of conflict of interest to audit management prior to
starting the assignment. (A possible conflict of interest, likely to affect the IS
auditor's independence, should be brought to the attention of management prior
to starting the assignment. A is wrong because declining the assignment could
be acceptable only after obtaining management approval or it is appropriately
disclosed to management, audit management, and other stakeholders. B is
wrong because approval should be obtained before commencement and not after
the completion of the assignment. C is wrong because informing the BCP team
of the possible conflict of interest before starting the assignment is not the
correct answer because the BCP team has no authority to decide on this issue.)
An IS auditor who was involved in designing an organization's business
continuity plan (BCP) has been assigned to audit the plan. The IS auditor
should:
A. decline the assignment.
B. inform management of the possible conflict of interest after completing the
audit assignment.
C. inform the BCP team of the possible conflict of interest prior to beginning
the assignment.
D. communicate the possibility of conflict of interest to audit management prior
to starting the assignment.
CIS (CIS is useful for identifying transactions per predefined criteria in a
complex environment. CIS replicates or simulates the processing of the
application system. In this technique, the simulator identifies transactions as per
the predefined parameters. Identified transactions are then audited for
correctness. CIS decides whether errors exist between the results and the
application system's results. If any discrepancies are noted, they are written to
the exception log file. Audit hooks cannot concentrate on detailed criteria as
they are low complexity and focus only on specific conditions when identifying
transactions for review. ITF validates system processing by entering test data
into the system.)
The best auditing tool to capture transactions as per the predefined criteria is:
A. Embedded Audit Modules (EAMs)
B. CIS
C. SCARF
D. Audit hooks
The results of the test transaction are compared with the predetermined results
to validate the system processing (In the ITF technique, a test transaction is
entered. The processing results of the test transaction are compared with the
expected results to determine the accuracy of the processing. If the processed
results match the expected results, it determines that the processing is happening
correctly.)
An important feature of ITF is:
A. An ongoing review of the actual transactions
B. The generation of test data
C. The results of the test transaction are compared with the predetermined
results to validate the system processing
D. Analyzing a large range of information
Generalized audit software (The IS auditor could design suitable tests to
identify excess inventory using generalized audit software. The test information
would not be relevant here as the data must be audited. ITF and EAM cannot
identify errors for a previous period.)
The best technique to identify excess inventory for the previous year is:
A. Analyzing the test data
B. Generalized audit software
C. CIS
D. ITF
Walk-through (Walk-throughs involve a combination of inquiry and inspection
of evidence with respect to business process controls. This is the most effective
basis for evaluation of the design of the control as it exists. A is wrong because
process narratives may not be current or complete and may not reflect the actual
process in operation. B is wrong because inquiry can be used to understand the
controls in a process only if it is accompanied by verification of evidence. C is
wrong because reperformance is used to evaluate the control's operating
effectiveness rather than the control's design.)
An IS auditor is planning to evaluate the control design effectiveness related to
an automated billing process. Which of the following is the MOST effective
approach for the auditor to adopt?
A. Process narrative
B. Inquiry
C. Reperformance
D. Walk-through
A list of accounts with access levels generated by the system (The access list
generated by the system is the most reliable because it is the most objective
evidence to perform a comparison against the selected samples. The evidence is
objective because it was generated by the system rather than an individual. A is
wrong because the spreadsheet may need to be completed or inaccurate.
Documentary evidence should be collected to support the auditee's spreadsheet.
B is wrong because the human resources access documents signed by managers
are good evidence; however, they are not as objective as the system-generated
access list because access may have changed, or the documents may have been
wrong when they were signed. D is wrong because observations are good
evidence to understand the internal control structure; however, observations are
inefficient for many users and not objective enough for substantive tests.)
An IS auditor is testing employee access to a large financial system, and the IS
auditor selected a sample from the current employee list provided by the
auditee. Which of the following evidence is the MOST reliable to support the
testing?
A. A spreadsheet provided by the system administrator
B. Human resources access documents signed by employees' managers
C. A list of accounts with access levels generated by the system
D. Observations performed onsite in the presence of a system administrator
Report the observation and risk in the final report (It is advisable to report the
finding even if the auditee takes corrective action. For any action taken based on
audit observation, the audit report should identify the finding and describe the
corrective action taken.)
Which of the following should an IS auditor do when an auditee has taken
immediate corrective action of audit findings?
A. Exclude the finding from the final report without verifying the corrective
action
B. Report the observation and risk in the final report
C. Verify the correction and if appropriately closed, it should be excluded from
the report
D. A call of the inclusion/exclusion should be taken after a discussion of the
finding with auditee management
Trend/variance detection tools (Trend/variance detection tools look for
anomalies in user or system behavior, such as invoices with increasing invoice
numbers. A is wrong because computer-aided software engineering (CASE)
tools assist in software development. B is wrong because embedded (audit) data
collection software, such as systems control audit review file (SCARF) or
systems audit review file (SARF), is used to provide sampling and production
statistics but not to conduct an audit log analysis. D is wrong because heuristic
scanning tools are virus scanning used to indicate possible infected traffic.)
An IS auditor wants to analyze audit trails on critical servers to discover
potential anomalies in user or system behavior. Which of the following is the
MOST suitable for performing that task?
A. Computer-aided software engineering (CASE) tools
B. Embedded data collection tools
C. Trend/variance detection tools
D. Heuristic scanning tools
perform additional testing. (The IS auditor should perform additional testing to
ensure that it is a finding. An auditor can lose credibility if it is later discovered
that the finding was unjustified. A is wrong because the item should be
confirmed through additional testing before it is reported to management. B is
wrong because the item should be confirmed through additional testing before it
is discussed with the audit committee. C is wrong because additional testing to
confirm the potential finding should be within the scope of the engagement.)
An IS auditor discovers a potential material finding. The BEST course of action
is to:
A. report the potential finding to business management.
B. discuss the potential finding with the audit committee.
C. increase the scope of the audit.
D. perform additional testing.
Replacing manual monitoring with an automated auditing solution (For
systematic implementation, all key controls must be aligned so analysts can
discover overlapping key controls in existing systems. A is wrong because
highly complex business processes may have more key controls than business
areas with less complexity; however, unnecessary controls in complex areas are
sometimes possible. If a well-thought-out key control structure had been
established, overlapping key controls would be impossible. B is wrong because
an ITF is an audit technique that tests the accuracy of the application system
processes. It may find control flaws, but it would be difficult to find overlapping
key controls. D is wrong because if an auditor tests controls to validate their
effectiveness, they can identify overlapping controls; however, implementing an
automated auditing solution would better identify them.)
Which of the following will MOST successfully identify overlapping key
controls in business application systems?
A. Reviewing system functionalities that are attached to complex business
processes
B. Submitting test transactions through an integrated test facility
C. Replacing manual monitoring with an automated auditing solution
D. Testing controls to validate that they are effective
To inform audit management and suggest retesting the controls (The audit team
should inform the management and suggest retesting the critical controls.)
The best course of action for an audit team if they find prior audit reports
without work papers is:
A. To postpone the audit until work papers are available
B. To continue the audit while relying on previous audit reports
C. For the controls for the highest risk area to be retested
D. To inform audit management and suggest retesting the controls
Applicable statutory requirements (The effect of applicable statutory
requirements must be factored in while planning an IS audit—the IS auditor has
no options in this respect because there can be no scope limitation concerning
statutory requirements. B is wrong because statutory requirements always take
priority over corporate standards. C is wrong because industry good practices
help plan an audit; however, good practices are not mandatory and can be
deviated from to meet organization objectives. D is wrong because
organizational policies and procedures are important, but statutory requirements
always take priority. Organizational policies must be in alignment with statutory
requirements.)
The effect of which of the following should have priority in planning the scope
and objectives of an IS audit?
A. Applicable statutory requirements
B. Applicable corporate standards
C. Applicable industry good practices
D. Organizational policies and procedures
Generalized audit software (This is a data analytic tool that can filter large
amounts of data. B is wrong because integrated test facilities test the processing
of the data and cannot be used to monitor real-time transactions. C is wrong
because these are used to test new software versions to ensure that previous
changes and functionality are not inadvertently overwritten or disabled by the
new changes. D is wrong because gathering information through snapshots
alone is not sufficient. GAS will assist with an analysis of the data.)
Which of the following is MOST effective for monitoring transactions
exceeding predetermined thresholds?
A. Generalized audit software
B. An integrated test facility
C. Regression tests
D. Transaction snapshots
Discussing audit observations (The major purpose of the closure meeting is to
discuss gaps, conclusions, and recommendations. This communication helps to
address misunderstandings or the misinterpretation of facts.)
An auditor should hold the closure meeting with the objective of:
A. Discussing audit observations
B. Correcting deficiencies
C. Assessing the audit staff performance
D. Presenting the final audit report
Attribute (Attribute sampling is used to test compliance of transactions to
controls—in this instance, the existence of appropriate approval. B is wrong
because variable sampling is used in substantive testing situations and deals
with varying population characteristics, such as monetary values and weights. C
is wrong because stop-or-go sampling is used when the expected occurrence
rate is extremely low. D is wrong because judgment sampling is not relevant
here. It refers to a subjective approach to determining sample size and selection
criteria of sample elements.)
An IS auditor wants to determine the number of purchase orders not
appropriately approved. Which of the following sampling techniques should an
IS auditor use to draw such conclusions?
A. Attribute
B. Variable
C. Stop-or-go
D. Judgment
accurately capture data from the organization's systems without causing
excessive performance problems. (Although all the requirements listed as
answer choices are desirable in a software tool evaluated for auditing and data
mining purposes, the most critical requirement is that the tool works effectively
on the systems of the organization being audited. A is wrong because the
product must interface with the organization's systems and provide meaningful
data for analysis. C is wrong because the tool should probably work on more
than just financial systems and does not necessarily require the implementation
of audit hooks. D is wrong because the tool should be flexible but not
necessarily customizable. It should have built-in analysis software tools.)
What is the PRIMARY requirement that a data mining and auditing software
tool should meet? The software tool should:
A. interface with various types of enterprise resource planning software and
databases.
B. accurately capture data from the organization’s systems without causing
excessive performance problems.
C. introduce audit hooks into the company's financial systems to support
continuous auditing.
D. be customizable and support inclusion of custom programming to aid in
investigative analysis.
Senior management and/or the audit committee (The audit team is finally
responsible for the communication of audit results to the audit committee of the
board and senior management. It is the board of directors who should report to
legal authorities.)
An IS auditor is responsible for the communication of audit results to:
A. Legal authorities
B. Senior management and/or the audit committee
C. The manager of the audited entity
D. The compliance manager
Discovery (Discovery sampling is used when an IS auditor is trying to
determine whether a type of event has occurred; therefore, it is suited to assess
the risk of fraud and identify whether a single occurrence has occurred. A is
wrong because stop-or-go is a sampling method that helps limit the size of a
sample and allows the test to be stopped at the earliest possible moment. B is
wrong because classical variable sampling is associated with dollar amounts and
has a sample based on a representative sample of the population but is not
focused on fraud. D is wrong because probability-proportional-to-size sampling
is typically associated with cluster sampling when there are groups within a
sample. The question does not indicate that an IS auditor is searching for a fraud
threshold.)
The internal IS audit team is auditing controls over sales returns and is
concerned about fraud. Which of the following sampling methods would BEST
assist the IS auditors?
A. Stop-or-go
B. Classical variable
C. Discovery
D. Probability-proportional-to-size
Attribute sampling (This is the method used for compliance testing. In this
scenario, the operation of a control is being evaluated. Therefore, the attribute of
whether each purchase order was correctly authorized would be used to
determine compliance with the control. A is wrong because this is the method
used for substantive testing, which involves testing transactions for quantitative
aspects such as monetary values. B and D are wrong because they are used in
variable sampling.)
Which of the following sampling methods would be the MOST effective to
determine whether purchase orders issued to vendors have been authorized as
per the authorization matrix?
A. Variable sampling
B. Stratified mean per unit
C. Attribute sampling
D. Unstratified mean per unit
Ensuring that there have been no misunderstandings or misinterpretations of
facts (Closing meeting helps to enhance the understanding between the auditor
and the auditee regarding what was presented, discussed, and agreed upon.
Choice A is incorrect because the auditee can implement controls after a period.
The auditee will be given time to respond formally. Choices B and C are also
not the objectives of the audit closure meeting.)
An auditor should hold the closure meeting with the objective of:
A. Allowing auditees to implement recommendations as soon as possible
B. Enabling auditors to explain complicated findings before a written report is
issued
C. Allowing auditors to gain confidence in management
D. Ensuring that there have been no misunderstandings or misinterpretations of
facts
A validity check (A validity check would be the most useful for verifying
passwords because it would verify that the required format has been used—for
example, not using a dictionary word, including non-alphabetical characters,
etc. An effective password must have several alphabetical, numeric, and special
characters. A is wrong because a size check is valid. After all, passwords should
have a minimum length, but it is not as strong of a control as validity. B is
wrong because passwords are not typically entered in batch mode, so a hash
total would not be effective. More importantly, a system should not accept
incorrect password values, so a hash total as a control will not indicate any
weak passwords, errors, or omissions. D is wrong because implementing a field
check would be less effective than a validity check verifying that all password
criteria have been met.)
In evaluating programmed controls over password management, which of the
following is the IS auditor MOST likely to rely on?
A. A size check
B. A hash total
C. A validity check
D. A field check
report the weaknesses as observed. (Any weakness noticed should be reported,
even if it is outside the scope of the current audit. Weaknesses identified during
an application software review need to be reported to management. A is wrong
because executing audits and reviews outside the scope is not advisable. In this
case, the weakness identified is considered to be a minor issue, and it is
sufficient to report the issue and address it at a later time. B is wrong because in
this case, the weakness identified is considered to be a minor issue. The IS
auditor should formally report the weaknesses as an observation rather than
documenting it to address during a future audit. C is wrong because it is not
appropriate for the IS auditor to work with database administrators to correct the
issue.)
During the course of an application software review, an IS auditor identified
minor weaknesses in a relevant database environment that is out of scope for the
audit. The BEST option is to:
A. include a review of the database controls in the scope.
B. document for future review.
C. work with database administrators to correct the issue.
D. report the weaknesses as observed.
Revalidate the supporting evidence for the audit evidence (It is advisable to
revalidate the supporting evidence first to ensure that the auditor has sufficient
objective evidence to support the conclusion drawn. Also, the auditor should
consider compensating controls, if any. If, even after revalidating, some
disagreement persists, then it should be included in the report.)
Which of the following should be the first action in the case of non-agreement
by the department manager over the audit findings?
A. Once again test controls to validate the audit finding
B. Ask a third party to confirm the audit observation
C. Report the findings with the auditee comments
D. Revalidate the supporting evidence for the audit evidence
identify and evaluate the existing controls. (It is important for an IS auditor to
identify and evaluate the existence and effectiveness of existing and planned
controls so that the risk level can be calculated after the potential threats and
possible impacts are identified. A is wrong because an audit risk assessment is
conducted for purposes different from management's risk assessment process. B
is wrong because it would be impossible to determine impact without
identifying the assets affected; therefore, this must already have been
completed. C is wrong because, upon completion of a risk assessment, an IS
auditor should describe and discuss with management the threats and potential
impacts on the assets and recommendations for addressing the risk. However,
this cannot be done until the controls have been identified and the likelihood of
the threat has been calculated.)
In the course of performing a risk analysis, an IS auditor has identified threats
and potential impacts. Next, the IS auditor should:
A. ensure the risk assessment is aligned to management's risk assessment
process.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.
Project management (Audits often involve resource management, deliverables,
scheduling, and deadlines, similar to project management good practices. A is
wrong because this is not the only aspect of conducting an audit. B is wrong
because these resources, including time and personnel, are needed for overall
project management skills. D is wrong because this is needed, but it is not a
constraint of conducting audits.)
Which of the following is the MOST important skill that an IS auditor should
develop to understand the constraints of conducting an audit?
A. Managing audit staff
B. Allocating resources
C. Project management
D. Attention to detail
Gain agreement on the findings (The goal of such a discussion is to confirm the
relevance and accuracy of the audit observation and to discuss a course of
correction.)
The main reason for meeting with auditees before formally releasing the audit
report is to:
A. Ensure all the important issues are covered
B. Gain agreement on the findings
C. Obtain feedback on the audit procedures
D. Finalize the structure of the final audit report
evaluate the impact of the undocumented devices on the audit scope. (In a risk-
based approach to an IS audit, the scope is determined by the devices' impact on
the audit. Undocumented devices may be excluded from the current audit
engagement if they do not impact the scope. The information on a network
diagram can vary depending on what is being illustrated. A is wrong because the
auditor can't immediately assume everything on the network diagram provides
information about the risk affecting a network/system. There is a process in
place for documenting and updating the network diagram. C is wrong because
there is simply a mismatch in timing between the completion of approval
process and when the IS audit began and no control deficiency to be reported. D
is wrong because planning follow-up audits of undocumented devices is
contingent on the risk that undocumented devices have on the entity to meet the
audit scope.)
An IS auditor discovers that devices connected to the network have not been
included in a network diagram that had been used to develop the scope of the
audit. The chief information officer (CIO) explains that the diagram is being
updated and awaiting final approval. The IS auditor should FIRST:
A. expand the scope of the IS audit to include the devices that are not on the
network diagram.
B. evaluate the impact of the undocumented devices on the audit scope.
C. note a control deficiency because the network diagram has not been
approved.
D. plan follow-up audits of the undocumented devices.
To collect evidence while transactions are processed (Embedding a module for
continuous auditing within an application processing a large number of
transactions provides a timely collection of audit evidence during processing.
The continuous auditing approach allows the auditor to monitor system
reliability continuously and gather selective audit evidence through the
computer. B is wrong because an embedded audit module enhances internal
audit effectiveness by ensuring timely availability of required evidence. It may
not reduce the requirements for periodic internal audits, but it will increase
efficiency. C is wrong because an audit module collects data on transactions that
may help identify fraudulent transactions, but it doesn't identify fraudulent
transactions inherently. D is wrong because increased efficiency may be a
benefit of an embedded audit module, but it is not the primary objective.)
Which of the following is a PRIMARY objective of embedding an audit module
while developing online application systems?
A. To collect evidence while transactions are processed
B. To reduce requirements for periodic internal audits
C. To identify and report fraudulent transactions
D. To increase efficiency of the audit function
Determine the impact of the non-inclusion of a critical system in the DRP (The
audit should be continued as per the original plan. The IS auditor should
evaluate the impact of not covering all the systems in the DRP. Also, they
should inform management about the omissions.)
Which of the following should an IS auditor do when they find that a critical
Disaster Recovery Plan (DRP) does not cover all of the systems?
A. Determine the impact of the non-inclusion of a critical system in the DRP
B. Postpone the audit
C. Continue an audit of the existing DRP
D. Call for an explanation from management for not covering all the systems
An enterprise is developing a strategy to upgrade to a newer version of its
database software. Which of the following tasks can an IS auditor perform
without compromising the objectivity of the IS audit function?
A. Advise on the adoption of application controls to the new database software.
B. Provide future estimates of the licensing expenses to the project team.
C. Recommend to the project manager how to improve the efficiency of the
migration.
D. Review the acceptance test case documentation before the tests are carried
out.
Review the acceptance test case documentation before the tests are carried
out. (Reviewing the test cases will facilitate the objective of a successful
migration and ensure that proper testing is conducted. An IS auditor can
advise as to the completeness of the test cases. A is wrong because
independence could be compromised if the IS auditor advises on adopting
specific application controls. B is wrong because independence could be
compromised if the IS auditor were to audit the estimate of future expenses
used to support a business case for project management approval. C is
wrong because advising the project manager on increasing the migration's
efficiency may compromise the IS auditor's independence.)
An IS auditor is determining the appropriate sample size for testing the
existence of program change approvals. Previous audits did not indicate any
exceptions, and management has confirmed that no exceptions have been
reported for the review period. In this context, the IS auditor can adopt a:
A. lower confidence coefficient, resulting in a smaller sample size.
B. higher confidence coefficient, resulting in a smaller sample size.
C. higher confidence coefficient, resulting in a larger sample size.
D. lower confidence coefficient, resulting in a larger sample size.
lower confidence coefficient, resulting in a smaller sample size. (When

internal controls are strong, a lower confidence coefficient can be adopted,
enabling a smaller sample size. B is wrong because a higher confidence
coefficient will result in the use of a larger sample size. C is wrong because
internal controls are strong and a higher confidence coefficient need not be
adopted in this situation. D is wrong because a lower confidence coefficient
will result in the use of a smaller sample size.)
The main reason for meeting with auditees before formally releasing the audit
report is to:
A. Seek management approval for the corrective action plan.
B. Validate the accuracy of the audit findings.
C. Assist in the management of the correction of the audit findings.
D. Prioritize the resolution of the audit findings.
Validate the accuracy of the audit findings. (The goal of such a discussion is
to confirm the relevance of the audit observation and to discuss the course
of correction.)
Although management has stated otherwise, an IS auditor has reasons to believe
that the organization is using software that is not licensed. In this situation, the
IS auditor should FIRST:
A. include the statement from management in the audit report.
B. verify the software is in use through testing.
C. include the item in the audit report.
D. discuss the issue with senior management because it could have a negative
impact on the organization.
verify the software is in use through testing. (When there is an indication
that an organization might be using unlicensed software, the IS auditor
should obtain sufficient evidence before including it in the report. A is
wrong because the statement from management may be included in the
audit report. Still, the auditor should independently validate the statements
made by management to ensure completeness and accuracy. C is wrong
because representations obtained from management cannot be
independently verified. D is wrong because if the organization is using
software that is not licensed, the IS auditor, to maintain objectivity and
independence, must include this in the report. Still, the IS auditor should
verify that this is, in fact, the case before presenting it to senior
management.)
Which technique would BEST test for the existence of dual control when
auditing the wire transfer systems of a bank?
A. Analysis of transaction logs
B. Re-performance
C. Observation
D. Interviewing personnel
Observation (Dual control requires that two people carry out an operation.
Observation helps decide whether two individuals get involved in executing
the operation and an element of oversight exists. It is obvious if one
individual is masquerading and filling in the second person's role. A is
wrong because this would help show that dual control is in place but only
sometimes guarantees that this process is followed consistently. B is wrong
because although re-performance could assure that dual control was in
effect, re-performing wire transfers at a bank would not be an option for an
IS auditor. D is wrong because this is useful to determine the awareness
level and understanding of the personnel carrying out the operations.
However, it does not provide direct evidence confirming the existence of
dual control because the information provided may not accurately reflect
the process being performed.)
Which of the following should an IS auditor do when they observe minor
weaknesses in the database that are beyond the scope of the audit?
A. Include that database in the scope
B. Note down the weakness for future review
C. Work with database administrators to correct the weakness
D. Report the weakness in the audit report
Report the weakness in the audit report (Even if the weakness is beyond the
scope of the audit, it should be reported to management. Extending the
audit scope to cover the full database is not advisable. The IS auditor
should report the weaknesses as an observation rather than documenting it
for a future audit. It is not suitable for the IS auditor to work with database
administrators to correct the issue.)
Comparing data from an accounts payable application with invoices received
from vendors in the month of December is BEST described as:
A. substantive testing.
B. compliance testing.
C. qualitative analysis.
D. judgment sampling.
substantive testing. (Substantive testing involves obtaining audit evidence
on data's completeness, accuracy, or existence at the individual transaction
level. This can be achieved by comparing the data in the application to the
base document. In this case, the comparison between accounts payable data
and vendor invoices is made. B is wrong because compliance testing
involves testing the controls designed to obtain audit evidence on the
controls' effectiveness and their operation during the audit period. C is
wrong because qualitative analysis is typically related to risk analysis and
should not be used in this scenario. D is wrong because judgment sampling
is a sample selected subjectively or not at random or in which the sampling
results are not evaluated mathematically. This audit probably does not
require sampling because all activity in the month will be audited.)
The MAIN advantage of an IS auditor directly extracting data from a general
ledger systems is:
A. reduction of human resources needed to support the audit.
B. reduction in the time to have access to the information.
C. greater flexibility for the audit department
D. greater assurance of data validity
greater assurance of data validity (If the auditor executes the data
extraction, there is greater assurance that extraction criteria will not
interfere with the required completeness, and all required data will be
collected. Asking IT to extract the data may expose the risk of filtering out
exceptions the auditor should see. If the auditor collects the data, all
internal references correlating various elements will be understood, and
this knowledge may reveal vital elements to completeness and correctness
of overall audit activity. A is wrong because the burden on human resources
to support the audit may decrease if the auditor directly extracts. B is
wrong because this will not necessarily reduce the time to access the
information, and time must be scheduled for training and granting access.
C is wrong because there may be more flexibility for the auditor to adjust
data extractions to meet audit requirements.)
Which of the following should an IS auditor do when they observe major
weaknesses in the change management application supporting the finance
application?
A. Continue a review of the finance application and report deficiency of the
change management application to the IT manager
B. Complete a review of the finance application and ignore the deficiency as it
is not part of the audit scope
C. Formally report the deficiency in the audit report
D. Cease audit activity until the deficiency is corrected
Formally report the deficiency in the audit report (It is the responsibility of
the audit team to report on findings that could significantly impact the
effectiveness of controls—whether they are within the scope of the audit or
not.)
An IS auditor uses computer-assisted audit techniques (CAATs) to collect and

analyze data. Which of the following attributes of evidence is MOST affected
by the use of CAATs?
A. Usefulness
B. Reliability
C. Relevance
D. Adequacy
Reliability (Because the IS auditor directly collects the data, the audit
findings can be reported emphasizing the reliability of the records
produced and maintained in the system. The reliability of the source of
information used provides reassurance on the findings generated. A is
wrong because the audit objective determines the usefulness of audit
evidence pulled by computer-assisted audit techniques (CAATs), and the
use of CAATs does not have as direct of an impact on usefulness as
reliability does. C is wrong because the audit objective determines the
relevance of audit evidence pulled by CAATs, and the use of CAATs does
not directly impact relevance or reliability. D is wrong because the
adequacy of audit evidence pulled by CAATs is determined by the processes
and personnel who author the data, and the use of CAATs does not have
any impact on competence.)
Which of the following BEST ensures the effectiveness of controls related to
interest calculation for an accounting system?
A. Re-performance
B. Process walk-through
C. Observation
D. Documentation review
Re-performance (To ensure the effectiveness of controls, it is most effective
to conduct re-performance. When the same result is obtained after the
performance by an independent person, this provides the strongest
assurance. B is wrong because this may help the auditor understand the
controls better; however, it may not be as useful as conducting re-
performance for a sample of transactions. C is wrong because this is a valid
audit method to verify that operators are using the system appropriately;
however, conducting re-performance is a better method. D is wrong
because this may be of some value for understanding the control
environment; however, conducting re-performance is a better method.)
The prime objective of an audit team discussing the audit findings with the
auditee is:
A. Briefing about audit results
B. Finalizing timelines for corrective actions
C. Confirming audit findings and proposing a course of corrective action
D. Identifying compensating controls for the audit findings
Confirming audit findings and proposing a course of corrective action (The
goal of such a discussion is to confirm the relevance of the audit
observation and to discuss a course of correction.)
During the collection of forensic evidence, which of the following actions
would MOST likely result in the destruction or corruption of evidence on a
compromised system?
A. Dumping the memory content to a file
B. Generating disk images of the compromised system
C. Rebooting the system
D. Removing the system from the network
Rebooting the system (Rebooting the system may result in a change in the
system state and the loss of files and important evidence stored in memory.
A is wrong because copying the memory contents is a normal forensics
procedure where possible. Done carefully, it will not corrupt the evidence.
B is wrong because proper forensics procedures require creating two copies
of the images of the system for analysis. Hash values ensure that the copies
are accurate. D is wrong because when investigating a system, it is
recommended to disconnect it from the network to minimize external
infection or access.)
An IS auditor notes daily reconciliation of visitor access card inventory is not
aligned with the organization’s procedures. Which of the following is the
auditor’s BEST course of action?
A. Do not report the lack of reconciliation.
B. Recommend regular physical inventory counts.
C. Report the lack of daily reconciliations.
D. Recommend the implementation of a more secure access system.
Report the lack of daily reconciliations. (The IS auditor should report the
lack of daily reconciliation as an exception because a physical inventory
count gives assurance only at a point in time, and the practice does not
comply with management's mandated activity. A is wrong because the
absence of discrepancy in physical count only confirms the absence of any
impact but cannot be a reason to overlook the failure of operation of the
control. The issue should be reported because the control was not followed.
B is wrong because while the IS auditor may sometimes recommend a
change in procedures, the primary goal is to observe and report when the
current process is deficient. D is wrong because while the IS auditor may
sometimes recommend a more secure solution, the primary goal is to
observe and report when the current process is deficient.)
An IS auditor is reviewing a critical application that has not yet been
implemented. Certain evidence is not yet available. The auditor should:
A. Issue the audit report based on the available information, highlighting the
potential security weaknesses and the requirement for follow-up audit testing
B. Issue the audit report, ignoring the areas where evidence is not available
C. Request for a delay of the implementation date until evidence is available
D. Cease the audit due to lack of evidence
Issue the audit report based on the available information, highlighting the
potential security weaknesses and the requirement for follow-up audit
testing (The lack of evidence should be highlighted in the audit report, and
follow-up testing should be scheduled later.)
An IS auditor reviews an organizational chart PRIMARILY for:
A. an understanding of the complexity of the organizational structure.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the network connected to different employees.
understanding the responsibilities and authority of individuals. (An
organizational chart provides information about the responsibilities and
authority of individuals in the organization. This helps an IS auditor to
know if there is a proper segregation of functions. A is wrong because
understanding the complexity of the organizational structure would not be
the primary reason to review an organizational chart because the chart will
not necessarily depict the complexity. B is wrong because the organizational
chart is a key tool for an auditor to understand roles, responsibilities, and
reporting lines but is not used to examine communications channels. D is
wrong because the network diagram will provide information about the
usage of various communication channels and will indicate the connection
of users to the network.)
An auditee disagrees with an audit finding. Which of the following is
the BEST course of action for the IT auditor to take?
A. Discuss the finding with the IT auditor's manager.
B. Retest the control to confirm the finding.
C. Elevate the risk associated with the control.
D. Discuss the finding with the auditee's manager.
Discuss the finding with the IT auditor's manager. (Discussing the
disagreement with the auditor's manager is the best course of action
because other actions can weaken relationships with the auditee and
auditor. B is wrong because this may unnecessarily expend human and time
resources. The audit manager should determine if controls need to be
retested. C is wrong because elevating the risk will not address the
disagreement. D is wrong because it is usually best to consult the audit
manager prior to escalating the issue the auditee's manager. This could
prove to be an adversarial action.)
An IS auditor has observed inadequate controls of remote access for a critical
application. The auditor should:
A. Revise the finding, considering the management views
B. Withdraw the finding because the IDS controls are in place
C. Withdraw the finding because firewall rules are monitored
D. Document the audit findings in the audit report
Document the audit findings in the audit report (The IS auditor should
take into account the management view; however, they should
independently evaluate the risk related to the audit findings. Normally, an
IS auditor would not automatically delete or revise the findings.)
While auditing a third-party IT service provider, an IS auditor discovered that

access reviews were not being performed as required by the contract. The IS
auditor should:
A. report the issue to IT management.
B. discuss the issue with the service provider.
C. perform a risk assessment.
D. perform an access review.
report the issue to IT management. (During an audit, if material issues are
of concern, they need to be reported to management in the audit report. B
is wrong because the IS auditor may discuss the issue with the service
provider; however, the appropriate response is to report the issue to IT
management because they are ultimately responsible. C is wrong because
this issue can serve as input for a future risk assessment, but the issue of
noncompliance should be reported to management regardless of whether
the IS auditor believes there is a significant risk. D is wrong because the IS
auditor could perform an access review as part of the audit to determine if
there are errors, but not on behalf of the third-party IT service provider. It
is more important to report the issue in the audit report to management.)
Which of the following would be MOST useful for an IS auditor for accessing
and analyzing digital data to collect relevant audit evidence from diverse
software environments?
A. Structured Query Language
B. Application software reports
C. Data analytics controls
D. Computer-assisted auditing techniques
Computer-assisted auditing techniques (Computer-assisted auditing
techniques (CAATs) are tools used for accessing data in an electronic form
from diverse software environments, record formats, etc. CAATs are useful
tools for collecting and evaluating audit evidence according to audit
objectives and can create efficiencies for collecting this evidence. A is wrong
because this provides auditors options to query specific database tables
according to audit objectives. However, skills are required to query specific
databases, and a user must be able to understand the record structure to
access the data. B is wrong because reports from application software may
be useful, but they are not as beneficial as CAATs. C is wrong because these
might be a good technique to use for control testing, but they are not as
comprehensive as CAATs.)
The audit team should ensure that the audit findings are supported by:
A. A response from auditee management
B. A risk assessment document of the organization
C. Audit evidence
D. The work papers of other auditors
Audit evidence (The audit team should have sufficient and appropriate
audit evidence to support the audit findings.)
In a risk-based IS audit, where both inherent and control risk have been assessed
as high, an IS auditor would MOST likely compensate for this scenario by
performing additional:
A. stop-or-go sampling.
C. compliance testing.
D. discovery sampling.
substantive testing. (Because the inherent and control risks are high in this
case, additional testing is required. Substantive testing obtains audit
evidence on the completeness, accuracy, or existence of activities or
transactions during the audit period. A is wrong because this is used when
an IS auditor believes few errors will be found in the population, and, thus,
is not the best type of testing to perform in this case. C is wrong because
this is evidence gathering to test an enterprise's compliance with control
procedures. Although compliance testing is important, additional
substantive testing is more appropriate. D is wrong because this form of
attribute sampling determines a specified probability of finding at least one
example of an occurrence (attribute) in a population, typically used to test
for fraud or other irregularities. In this case, additional substantive testing
is the better option.)
Which of the following should an IS auditor do if an auditee does not agree with
the audit findings?
A. Take a statement from the auditee accepting full legal responsibility
B. Explain the impact of the findings and the risk of not correcting it
C. Inform the audit committee of the disagreement for resolution
D. Exclude the finding, considering the auditee's view
Explain the impact of the findings and the risk of not correcting it (It is
important for an audit team to make management aware about the risk
and possible impact of the findings.)
An IS auditor is comparing equipment in production with inventory records.
This type of testing is an example of:
A. substantive testing.
B. compliance testing.
C. analytical testing.
D. control testing.
substantive testing. (This obtains audit evidence on the completeness,
accuracy, or existence of activities or transactions during the audit period.
B is wrong because this is evidence gathering to test an enterprise's
compliance with control procedures. This differs from substantive testing,
in which evidence is gathered to evaluate the integrity of individual
transactions, data, or other information. C is wrong because this evaluates
the relationship between two sets of data and discerns inconsistencies in the
relationship. D is wrong because this is the same as compliance testing.)
The BEST way for an IS auditor to follow up on the closure activities is to:
A. Provide management with a remediation timeline and verify adherence
B. Conduct a review of the controls after the projected remediation date
C. Continue to audit the failed controls according to the audit schedule
D. Review the progress of remediation regularly
Conduct a review of the controls after the projected remediation date. (A
confirmatory audit should be conducted per the timelines management
agreed on for corrective action. It is not advisable to dictate the timelines
for remediation action. Also, a review of progress at frequent intervals may
not be feasible. It will not make sense to continue auditing a failed control
before remediation action.)
Which of the following sampling methods is the MOST appropriate for testing
automated invoice authorization controls to ensure that exceptions are not made
for specific users?
A. Variable sampling
B. Judgmental sampling
C. Stratified random sampling
D. Systematic sampling
Stratified random sampling (Stratification divides a population into
subpopulations with explicitly defined similar characteristics so each
sampling unit can belong to only one stratum. This sampling method
ensures that all sampling units in each subgroup have a known, nonzero
chance of selection. A is wrong because this is used for substantive testing to
determine the monetary or volumetric impact of characteristics of a
population. B is wrong because, in judgmental sampling, professionals
place a bias on the sample. It should be noted that it is not statistically
based, and results should be unrestricted over the population because the
sample is unlikely to be representative of the population. D is wrong
because this involves selecting sampling units using a fixed interval between
selections, with the first interval having a random start.)
To review the adequacy of management's remediation action plan, the most
important factor is:
A. The approval of the remediation action by senior management
B. The man-days required for future audit work
C. Potential cost savings
D. The criticality of the audit findings
The criticality of the audit findings (A remediation action plan should align
with the audit findings' criticality.)
The BEST way to schedule a follow-up for audit findings is to:
A. Schedule a follow-up audit based on closure due dates
B. Schedule a follow-up audit only during the next audit cycle
C. Schedule a follow-up audit on a surprise basis to determine whether
remediation is in progress
D. Schedule a follow-up audit when findings escalate to incidents
Schedule a follow-up audit based on closure due dates (It is always advised
to schedule a follow-up audit based on closure due dates.)
Which of the following is the main objective of conducting follow-up audits?

A. To validate the correctness of the reported findings
B. To validate the remediation action
C. To validate the risk assessment
D. To gather evidence for management reporting
To validate the remediation action (The main objective of a follow-up audit
is to ensure and validate the corrective action.)
Which of the following is MOST important to ensure before communicating the
audit findings to top management during the closing meeting?
A. Risk statement includes an explanation of a business impact.
B. Findings are clearly tracked back to evidence.
C. Recommendations address root causes of findings.
D. Remediation plans are provided by responsible parties.
Findings are clearly tracked back to evidence. (Without adequate evidence,
the findings hold no ground; therefore, this must be verified before
communicating the findings. A is wrong because it is important to have a
well-elaborated risk statement; however, it might not be relevant if the
findings are not accurate. C is wrong because it is important to address the
root causes of findings, and it may be not included in the report. However,
it might not be relevant if the findings are not accurate. D is wrong because,
in some cases, top management might expect to see remediation plans
during the debriefing of the findings; however, the accuracy of findings
should be proved first.)
During an audit, the IS auditor notes the application developer also performs
quality assurance testing on another application. Which of the following is
the MOST important course of action for the auditor?
A. Recommend compensating controls.
B. Review the code created by the developer.
C. Analyze the quality assurance dashboards.
D. Report the identified condition.
Report the identified condition. (The software quality assurance role
should be independent and separate from development and development
activities. The same person shouldn't hold both roles because this would
cause concern about segregation of duties. The auditor should report this
condition when identified. A is wrong because although compensating
controls may be a good idea, the primary response should be to report the
condition because the risk associated with this should be reported to the
users of the audit report. B is wrong because evaluating the code created by
the application developer is not the appropriate response in this case. The
auditor may evaluate a sample of changes to determine whether the
developer tested their code. C is wrong because analyzing the quality
assurance dashboards can help evaluate the actual impact of the lack of
segregation of duties but does not address the underlying risk.)
An IS auditor wants to determine the effectiveness of managing user access to a
server room. Which of the following is the BEST evidence of effectiveness?
A. Observation of a logged event
B. Review of the procedure manual
C. Interview with management
D. Interview with security personnel
Observation of a logged event (Observation of the process to reset an
employee's security access to the server room and the subsequent logging of
this event provide the best evidence of the adequacy of the physical security
control. B is wrong because although reviewing the procedure manual can
help gain an overall understanding of a process, it is not evidence of the
effectiveness of the execution of a control. C is wrong because although
interviewing management can help gain an overall understanding of a
process, it is not evidence of the effectiveness of the execution of a control.
D is wrong because although interviewing security personnel can help gain
an overall understanding of a process, it is not evidence of the effectiveness
of the execution of a control.)
An IS auditor is evaluating control of self-assessment program in an
organization. What is the MAIN objective for implementing control self-
assessment (CSA) program?
A. To replace audit responsibilities
B. To enhance employee's capabilities
C. To comply with regulatory requirements
D. To concentrate on high risk areas
To concentrate on high risk areas
An IS Auditor has been asked by the management to support its CSA program.
The role of an IS auditor in a control self-assessment should be that of:
A. Program in charge
B. Program manager
C. Program partner
D. Program facilitator
Program facilitator
For successful control self-assessment, it is essential to:
A. Design stringent control policy
B. Have auditors take responsibility for control monitoring
C. Have line managers take responsibility for control monitoring
D. Implement stringent control policy
Have line managers take responsibility for control monitoring
An IS monitor has been asked to participate in the implementation of control
self-assessment program. The auditor should participate primarily as a:
A. Team leader
B. The auditor should not participate as it would create conflict of interest
C. Facilitator
D. Project controller
Facilitator
An IS auditor has been asked to facilitate a control self-assessment program.
Which of the following is an objective of a CAS program?
A. Replacement of audit responsibilities
B. Enhancement of audit responsibilities
C. To evaluate risk management program
D. To provide audit training
Enhancement of audit responsibilities
Which of the following is the BEST time to perform a control self-assessment

involving all concerned parties?
A. Post issuance of audit report
B. During preliminary survey
C. During compliance test
D. Preparation of the audit report
During preliminary survey
A PRIMARY advantage of control self-assessment (CSA) techniques is that:
A. It ascertains high-risk areas that might need a detailed review
B. Risk can be assessed independently by IS auditors
C. It replaces audit activities
D. It allows management to delegate responsibility and control
It ascertains high-risk areas that might need a detailed review
IS auditor is facilitating a CSA program. Which of the following is the MOST
important requirement for a successful CSA?
A. Ability of auditor to act as a workshop facilitator
B. Simplicity of the CSA program
C. Frequency of CSA program
D. Involvement of line managers
Involvement of line managers
An organization has implemented a CSA program. What is the advantage of
CSA over traditional audit?
A. Early identification of risk
B. Reduction in audit workload
C. Increase in cost of control
D. Reduction in audit resources
Early identification of risk
The prime objective of implementing the CSA structure is:
A. To replace audit responsibilities
B. To enhance employees' capacity
C. Compliance with regulatory requirements
D. Concentration on critical processes and high-risk areas
Concentration on critical processes and high-risk areas (The objective of
CSA is to involve functional staff to monitor the high-risk processes. CSA
aims to educate line management in the area of control responsibility and
monitoring. The replacement of audit functions is not the objective of
CSA.)
An IS auditor's role in implementing a CSA should be:
A. They're in charge.
B. They're a sponsor.
C. They're a reviewer.
D. They're a facilitator.
They're a facilitator. (An IS auditor is expected to facilitate the CSA
program. The IS auditor should play the role of guide and mentor during a
CSA workshop. Line managers should be trained for assessing underlying
risks and implementing new controls. The other options are not the role of
the IS auditor. Client staff should assume these roles.)
The most important factor for the successful implementation of a CSA program
is:
A. To document a robust control policy
B. To make auditors responsible for control monitoring
C. To make line managers take charge of control monitoring
D. To implement a robust control policy
To make line managers take charge of control monitoring (The involvement
of line management in control monitoring is one of the success factors for
an effective CSA program. The success of CSA depends on the level of
involvement of the line managers in control monitoring.)
When implementing a CSA program, an IS auditor should participate primarily
as a:
A. Program controller
B. The auditor should not participate as it would create a potential conflict of
interest.
C. Program facilitator
D. Program leader
Program facilitator (An IS auditor is expected to facilitate the CSA
program. The IS auditor should play the role of guide and mentor during a
CSA workshop. Line managers should be trained for assessing underlying
risks and implementing new controls. The other options are not the role of
the IS auditor. Client staff should assume these roles.)
Which of the following is the CSA program's objective?
A. To replace audit responsibility
B. To enhance audit responsibility
C. To evaluate the risk management program
D. To determine the audit scope
To enhance audit responsibility (The following are some of the important
objectives of the CSA program: To focus on critical areas and processes for
enhancing the auditor's responsibility through the involvement of line
management in monitoring the control effectiveness. The other choices are
methods for CSA to achieve the objectives)
The best period to conduct a CSA program involving all the concerned parties
is:
A. After the issuance of the audit report
B. During the preliminary survey
C. After compliance testing
D. After the completion of the risk assessment
During the preliminary survey (The objective of CSA is to involve line
management in assessing and monitoring the business risks and
effectiveness of controls. Line management is required to understand the
underlying risk of the business process and identify the relevant controls.
The preliminary survey stage is the best time to conduct CSA. The other
options may not be effective for conducting CSA.)
The primary purpose of a CSA structure is:
A. To substitute for the audit responsibilities
B. To substitute for the risk management program
C. To comply with regulatory requirements
D. To enhance the audit responsibilities
To enhance the audit responsibilities (The following are some of the
important objectives of the CSA program: To focus on critical areas and
processes for enhancing the auditor's responsibility by involving line
management in monitoring the control effectiveness.)
A PRIMARY advantage of the CSA program is that:
A. It identifies high-risk areas that may need to be reviewed in detail later
B. IS auditors can independently assess the risks
C. It replaces risk management activities
D. It enables management to delegate responsibility for control
It identifies high-risk areas that may need to be reviewed in detail later
(CSA assists in identifying high-risk areas that need to be reviewed and
monitored. The risks need to be evaluated jointly with business staff. CSA
enhances the audit responsibilities, and accountability for controls remains
with management.)
The MOST significant element for a successful CSA is:
A. The capability of a workshop facilitator
B. The documentation of the CSA program
C. The design of the CSA program
D. The involvement of line managers
The involvement of line managers (One of the benefits of CSA is the
involvement of functional staff in risk and control assessment. This helps in
the early identification of the risk. Line management is required to
understand the underlying risk of the business process and identify the
relevant controls. The involvement of the line manager ensures that high-
risk items are identified and addressed at the earliest opportunity. This
process will help in the early identification of risks.)
The main purpose of a CSA structure is:
A. To concentrate on critical processes and areas of high risk
B. To arrange a training workshop
C. To reduce the cost of control
D. To replace the audit activities
To concentrate on critical processes and areas of high risk (The following
are some of the important objectives of the CSA program: To focus on
critical areas and processes For the enhancement of the auditor's
responsibility through the involvement of line management in monitoring
the control effectiveness)
A PRIMARY advantage of the CSA program is that it:
A. Helps in the early detection of risks
B. Helps in reducing audit activities
C. Helps to reduce the cost of control
D. Helps to reduce audit resources
Helps in the early detection of risks (One of the benefits of CSA is the
involvement of functional staff in risk and control assessment. This helps in
the early identification of the risk. Line management is required to
understand the underlying risk of the business process and identify the
relevant controls. The involvement of the line manager ensures that high-
risk items are identified and addressed at the earliest opportunity. This
process will help in the early identification of risks.)
The goal of IT risk analysis is to:
A. enable the alignment of IT risk management with enterprise risk
management (ERM).
B. enable the prioritization of risk responses.
C. satisfy legal and regulatory compliance requirements.
D. identify known threats and vulnerabilities to information assets.
enable the prioritization of risk responses. (Risk analysis is a process by
which the likelihood and magnitude of IT risk scenarios are estimated. Risk
analysis is conducted to ensure that the high-risk information assets are
managed before addressing low-risk assets. Risk prioritization helps
maximize ROI for risk responses. A is wrong because aligning IT risk
management with ERM is important to ensure the cost-effectiveness of risk
management. C is wrong because risk analysis evaluates risk based on
likelihood and impact and includes financial, environmental, regulatory,
and other risks. D is wrong because risk analysis occurs after risk
identification and evaluation. Risk identification determines known threats
and vulnerabilities. Risk evaluation assesses risks and creates valid risk
scenarios. Risk analysis quantifies risk along with likelihood and impact to
facilitate risk response prioritization.)
An IS auditor found that the enterprise architecture (EA) recently adopted by an
organization has an adequate current-state representation. However, the
organization has started a separate project to develop a future-state
representation. The IS auditor should:
A. recommend that this separate project be completed as soon as possible.
B. report this issue as a finding in the audit report.
C. recommend the adoption of the Zachmann framework.
D. re-scope the audit to include the separate project as part of the current audit.
report this issue as a finding in the audit report. (It is critical for the EA to
include the future state because the gap between the current state and the
future state will determine IT strategic and tactical plans. If the EA does
not have a future-state representation, it is incomplete, and this issue
should be reported as a finding. A is wrong because the IS auditor would
not ordinarily provide input on the timing of projects but rather provide an
assessment of the current environment. The most critical issue in this
scenario is that the EA is changing, so the IS auditor should be most
concerned with reporting this issue. C is wrong because the company can
choose any EA framework, and the IS auditor should not recommend a
specific framework. D is wrong because changing the scope of an audit to
include the secondary project is optional, although a follow-up audit may
be desired.)
An IS auditor who is auditing an application determines that, due to resource
constraints, one user holds roles as both a developer and a release coordinator.
Which of the following options would the IS auditor MOST likely recommend?
A. Revoke the user's developer access.
B. Revoke the user's release coordinator access.
C. Management review of user activities
D. Periodic audit of user activities
Management review of user activities (If an individual requires roles with
conflicting segregation of duties, the best control is to monitor that
individual's access to the production environment. Although this is not the
preferred method of resolving segregation of duties conflicts, it is the best-
compensating control given the current business circumstances. A is wrong
because revoking access would prevent the developer from performing
assigned duties. The segregation of duties cannot be eliminated; secondary
controls in management review can be applied. B is wrong because
revoking access would prevent the release coordinator from performing
assigned duties. The segregation of duties cannot be eliminated; secondary
controls in management review can be applied. D is wrong because periodic
independent reviews, such as an audit, while useful, would not serve as
adequate control in this situation.)
An IS auditor is evaluating the controls around provisioning visitor access cards
to the organization's IT facility. The IS auditor notes that daily reconciliation of
visitor card inventory is not carried out as mandated. However, an inventory
count carried out by the IS auditor reveals no missing access cards. In this
context, the IS auditor should:
A. disregard the lack of reconciliation because no discrepancies were
discovered
B. recommend regular physical inventory counts be performed in lieu of daily
reconciliation.
C. report the lack of daily reconciliation as an exception.
D. recommend the implementation of a biometric access system.
report the lack of daily reconciliation as an exception.
Although management has stated otherwise, an IS auditor has reasons to believe
that the organization is using software that is not licensed. In this situation, the
IS auditor should:
A. include the statement of management in the audit report.
B. identify whether such software is, indeed, being used by the organization.
C. reconfirm with management the usage of the software.
D. discuss the issue with senior management because reporting this could have
a negative impact on the organization.
identify whether such software is, indeed, being used by the organization.
(When there is an indication that an organization might be using
unlicensed software, the IS auditor should obtain sufficient evidence before
including it in the report. A is wrong because the statement from
management may be included in the audit report. However, the auditor
should independently validate the statements made by management to
ensure completeness and accuracy. B is wrong because when there is an
indication that an organization might be using unlicensed software, the IS
auditor should obtain sufficient evidence before including it in the report. D
is wrong because if the organization is using non-licensed software, the IS
auditor must include this in the report to maintain objectivity and
independence. However, the IS auditor should verify that this is, in fact, the
case before presenting it to senior management.)

CISA Chapter 1 Practice

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CISA Chapter 1 Practice

Uploaded by

Copyright:

Available Formats

CISA Chapter 1 Practice

Which of the following is the first step in risk-based audit planning?

if the auditor detects the transaction authorization control objective cannot be

The IS auditor's report should recommend that:

lower confidence coefficient, resulting in a smaller sample size. (When

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and

While auditing a third-party IT service provider, an IS auditor discovered that

Which of the following is the main objective of conducting follow-up audits?

Which of the following is the BEST time to perform a control self-assessment

You might also like