A |
There is not enough evidence to report the finding as a deficiency.
|
B |
A walkthrough should not be initiated until an analysis is performed to confirm that this could provide the required assurance.
|
C |
If a sample-size objective cannot be met with the given data, the IS auditor cannot provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure.
|
D |
It is not appropriate for an IS auditor to create sample data for the purpose of the audit.
|
A |
The extent to which data will be collected during an IS audit should be based on the scope, purpose and requirements of the audit and not be constrained by the ease of obtaining the information or by the IS auditor's familiarity with the area being audited.
|
B |
Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence. If evidence is not readily available, the auditor must ensure that other forms of audit are considered to ensure compliance in the area that is subject to audit.
|
C |
The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope, or just a high-level review, will most likely require less data collection than an audit with a wider purpose and scope.
|
D |
An IS auditor must be objective and thorough and not subject to audit risk through preconceived expected results based on familiarity with the area being audited.
|
A |
An audit charter states the authority and reporting requirements for the audit but not the details of maintenance of internal controls.
|
B |
The audit charter should not be subject to changes in technology and should not significantly change over time. The charter should be approved at the highest level of management.
|
C |
An audit charter is not at a detailed level and, therefore, does not include specific audit objectives or procedures.
|
D |
An audit charter should state management's objectives for and delegation of authority to IS auditors.
|
A |
Checking the test assumptions is a valid quality assurance function.
|
B |
Correction of code should not be a responsibility of the quality assurance team, because it would not ensure segregation of duties and would impair the team's independence.
|
C |
Ensuring compliance with development methods is a valid quality assurance function.
|
D |
Checking the code to ensure proper documentation is a valid quality assurance function.
|
A |
The product must interface with the types of systems used by the organization and provide meaningful data for analysis.
|
B |
The tool should probably work on more than just financial systems and does not necessarily require implementation of audit hooks.
|
C |
Although all the requirements that are listed as answer choices are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool works effectively on the systems of the organization being audited.
|
D |
The tool should be flexible but not necessarily customizable. It should have built-in analysis software tools.
|
A |
Quarterly risk assessment may be a good technique but not as responsive as continuous auditing.
|
B |
Using software tools such as computer-assisted audit techniques to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results.
|
C |
The sampling of transaction logs is a valid audit technique; however, risk may exist that is not captured in the transaction log, and there may be a potential time lag in the analysis.
|
D |
The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.
|
A |
An auditor's familiarity with the organization is a factor in the planning of an audit but does not directly affect the determination of how much data to collect. The audit must be based on sufficient evidence of the monitoring of controls and not unduly influenced by the auditor's familiarity with the organization.
|
B |
Prior findings and issues are factors in the planning of an audit but do not directly affect the determination of how much data to collect. Data must be collected outside of areas of previous findings.
|
C |
The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection, such as sample size or means of data collection.
|
D |
The complexity of the organization's operation is a factor in the planning of an audit but does not directly affect the determination of how much data to collect. The extent of data collection is subject to the intensity, scope and purpose of the audit.
|
A |
Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets, and recommendations for addressing the risk. However, this action cannot be done until the controls are identified and the likelihood of the threat is calculated.
|
B |
It is impossible to determine impact without first identifying the assets affected; therefore, this must already have been completed.
|
C |
An audit risk assessment is conducted for purposes that are different from management's risk assessment process purposes.
|
D |
It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.
|
A |
An IS auditor's role is to detect and document findings and control deficiencies. Part of the audit report is to explain the reasoning behind the findings. The use of shared IDs is not recommended because it does not allow for accountability of transactions. An IS auditor defers to management to decide how to respond to the findings presented.
|
B |
It is not appropriate for an IS auditor to report findings to the audit committee before conducting a more detailed review and presenting them to management for a response.
|
C |
It is not the role of an IS auditor to request the removal of IDs from the system.
|
D |
Review of audit logs would not be useful because shared IDs do not provide for individual accountability.
|
A |
The time allotted for an audit is determined during the planning process based on the areas to be audited and is primarily based on the requirement for conducting an appropriate audit.
|
B |
Test steps for the audit are not as critical during the audit planning process as identifying the areas of risk that should be audited.
|
C |
The skill sets of the audit staff should have been considered before deciding and selecting the audit. Where the skills are inadequate, the organization should consider using external resources.
|
D |
When designing a risk-based audit plan, it is important to identify the areas of highest risk to determine the areas to be audited.
|
A |
Responsibility for enforcement and monitoring of controls is primarily the responsibility of management.
|
B |
The use of continuous audit is not based on the complexity or number of systems being monitored.
|
C |
Continuous audit allows audit and response to audit issues in a timely manner because audit findings are gathered in near real time.
|
D |
The continuous audit approach often requires an IS auditor to collect evidence on system reliability while processing is taking place.
|
A |
Inherent risk is the risk that a material error could occur, if there are no related internal controls to prevent or detect the error. Inherent risk is not usually affected by an IS auditor.
|
B |
Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.
|
C |
Business risk is a probable situation with uncertain frequency and magnitude of loss (or gain). Business risk is usually not directly affected by an IS auditor.
|
D |
Control risk is the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Control risk can be mitigated by the actions of the organization's management.
|
A |
Substantive tests, not compliance tests, are associated with data integrity.
|
B |
Determining the reasonableness of financial reporting controls is a very narrow answer in that it is limited to financial reporting. It meets the objective of determining whether the controls are reasonable but does not ensure that the control is working correctly and thereby supporting management expectations and objectives.
|
C |
Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the objective of a compliance test is important. IS auditors want reasonable assurance that the controls they are relying on are effective. An effective control is one that meets management expectations and objectives.
|
D |
It is important that controls operate efficiently, but in this case the intent is to ensure that the controls support management policies and procedures. Therefore, the important issue is whether the controls are operating correctly and thereby meeting the control objective.
|
A |
Ending the audit and issuing an opinion will not address identification of potential risk. The auditor should evaluate the practices in place. The recommendation may still be for the organization to develop written procedures. Terminating the audit may prevent achieving one of the basic audit objectives: identification of potential risk.
|
B |
One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach is to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management, with recommendations to document the current controls or enforce the documented procedures.
|
C |
Because there are no documented procedures, there is no basis against which to test compliance.
|
D |
IS auditors should not prepare documentation because the process may not be compliant with management objectives and doing so could jeopardize their independence.
|
A |
Auditing systems not included in the previous year's scope does not reflect a risk-based approach. In addition, management may know about problems with the new system and may be intentionally trying to steer the audit away from that vulnerable area. Although, at first, the new system may seem to be the riskiest area, an assessment must be conducted rather than relying on the judgment of the IS auditor or IT manager.
|
B |
The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."
|
C |
Auditing the new system does not reflect a risk-based approach. Although the system can contain sensitive data and may present risk of data loss or disclosure to the organization, without a risk assessment, the decision to solely audit the newly implemented system is not a risk-based decision.
|
D |
The creation of the audit plan should be performed in cooperation with management and based on risk. The IS auditor should not arbitrarily decide on what needs to be audited.
|
A |
Changing the scope of the IS audit or conducting a security risk assessment requires more detailed information about the processes and violations being reviewed.
|
B |
The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and the factors that caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, a problem with the workflow of the automated system or a combination of the two.
|
C |
The IS auditor must first determine the root cause and impact of the findings and does not have enough information to recommend fixing the workflow issues.
|
D |
The IS auditor does not yet have enough information to report the problem.
|
A |
An embedded audit module can enable the IS auditor to evaluate a process and gather audit evidence, but it does not detect errors for a previous period.
|
B |
An integrated test facility helps to identify a problem as it occurs but does not detect errors for a previous period.
|
C |
Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and re-computations. An IS auditor, using generalized audit software, can design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.
|
D |
Test data tests for the existence of controls that might prevent overpayments, but it does not detect specific, previous miscalculations.
|
A |
Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system.
|
B |
IS auditors should not audit work that they have done, but just participating as a member of the application system project team does not impair an IS auditor's independence.
|
C |
Designing an embedded audit module does not impair an IS auditor's independence.
|
D |
An IS auditor's independence is not impaired by providing advice on known good practices.
|
A |
Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain predefined dollar amount for proper approvals.
|
B |
Difference estimation sampling examines measured deviations and extraordinary items and is not a good way to measure compliance.
|
C |
Stratified mean sampling attempts to ensure that the entire population is represented in the sample. This is not an effective way to measure compliance.
|
D |
Variable sampling is based on the calculation of a mean from a sample extracted from the entire population and using that to estimate the characteristics of the entire population. For example, a sample of 10 items shows an average price of US $10 per item. For the entire population of 1,000 items, the total value is estimated to be US $10,000. This is not a good way to measure compliance with a process.
|
A |
Auditing the core service and its dependencies with others would most likely be a part of the audit, but the IS auditor must first gain an understanding of the business processes and how the systems support those processes.
|
B |
A service-oriented architecture relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services.
|
C |
Sampling the use of service security standards as represented by the Security Assertions Markup Language is an essential follow-up step to understanding services and their allocation to business but is not the initial step.
|
D |
Reviewing the service level agreements is an essential follow-up step to understanding services and their allocation to business but is not the initial step.
|
A |
The fact that the employee has worked in IT for many years may not ensure credibility. The IS audit department's needs should be defined, and any candidate should be evaluated against those requirements.
|
B |
Evaluating an individual's qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world.
|
C |
Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.
|
D |
Length of service does not ensure technical competency.
|
A |
Auditors must report material findings to management for action. Informing the users of risk is not the primary responsibility of the IS auditor.
|
B |
An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing the unauthorized software.
|
C |
This would detect compliance with software licensing. However, an automated solution might not be the best option in all cases.
|
D |
The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and management of the risk and the need to eliminate the risk. For example, software piracy can result in exposure and severe fines.
|
A |
Variable sampling is used to estimate numerical values such as dollar values.
|
B |
Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.
|
C |
Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
|
D |
Substantive testing substantiates the integrity of actual processing such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized.
|
A |
Reviewing information security policies and procedures is normally conducted during fieldwork, not planning.
|
B |
The findings of a previous audit are of interest to the auditor, but they are not the most critical step. The most critical step involves finding the current issues or high-risk areas, not reviewing the resolution of older issues. A review of historical audit findings could indicate that management is not resolving the items or the recommendation was ineffective.
|
C |
Executive management is not required to approve the audit plan. It is typically approved by the audit committee or board of directors. Management could recommend areas to audit.
|
D |
Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.2: "IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements." In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation.
|
A |
Among other methods, such as document review or walkthrough, tests of controls are the most effective procedures to assess whether controls accurately support operational effectiveness.
|
B |
Control documents may not always describe the actual process in an accurate manner. Therefore, auditors relying on document review have limited assurance that the control is operating as intended.
|
C |
Testing of control design assesses whether the control is structured to meet a specific control objective. It does not help determine whether the control is operating effectively.
|
D |
Performing tests on risk prevention is considered compliance testing. This type of testing is used to determine whether policies are adhered to.
|
A |
Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA.
|
B |
The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance.
|
C |
CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.
|
D |
Reducing audit expenses is not a key benefit of CSA.
|
A |
The ability of IT to continuously monitor and address any issues on IT systems does not affect the ability of IS audit to perform a comprehensive audit.
|
B |
An audit of an IS system encompasses more than just the controls covered in the scripts.
|
C |
Sharing the scripts may be required by policy for quality assurance and configuration management, but that does not impair the ability to audit.
|
D |
IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts, but they can still audit the systems.
|
A |
If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management can then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.
|
B |
It is not acceptable for the IS auditor to ignore areas of potential weakness because conclusive evidence could not be obtained within the agreed-on audit time frame. ISACA IS Audit and Assurance Standards are violated if these areas are omitted from the audit report.
|
C |
Extending the time frame for the audit and delaying the go-live date is unlikely to be acceptable in this scenario where the system involved is business-critical. In any case, a delay to the go-live date must be the decision of business management, not the IS auditor. In this scenario, the IS auditor should present business management with all available information by the agreed-on date.
|
D |
Failure to obtain sufficient evidence in one part of an audit engagement does not justify cancelling or postponing the audit; this violates the audit guideline concerning due professional care.
|
A |
Definite assurance that material items will be covered during the audit work is an impractical proposition.
|
B |
Sufficient assurance that all items will be covered is not as important as ensuring that the audit will cover all material items.
|
C |
ISACA IS Audit and Assurance Guideline 2202 (Risk Assessment and Audit Planning) states that the applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work. The risk assessment should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit engagements.
|
D |
Reasonable assurance that all items will be covered during the audit work is not the correct answer, because primarily material items need to be covered, not all items.
|
A |
Access controls for resources are based on individuals and not on roles. For a lack of segregation of duties, the IS auditor expects to find that a person has higher levels of access than are ideal. The IS auditor wants to find compensating controls to address this risk.
|
B |
Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls.
|
C |
Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.
|
D |
Overlapping controls are two controls addressing the same control objective or exposure. Because primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls.
|