A |
Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions.
|
B |
The electronic data interchange trading partner agreements minimize exposure to legal issues but do not resolve the problem of unauthorized transactions.
|
C |
Change control procedures do not resolve the issue of unauthorized transactions.
|
D |
Physical control is important and may provide protection from unauthorized people accessing the system but does not provide protection from unauthorized transactions by authorized users.
|
A |
A review of source code is not an effective method of ensuring that the calculation is being computed correctly.
|
B |
Creating program logic may lead to errors, and monthly totals are not accurate enough to ensure correct computations.
|
C |
Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation.
|
D |
Flowcharting and analysis of source code are not effective methods to address the accuracy of individual tax calculations.
|
A |
An independent test that is performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party, because the letter is the result of an analysis of the process and may not be based on authoritative audit techniques. An audit should consist of a combination of inspection, observation and inquiry by an IS auditor as determined by risk. This provides a standard methodology and reasonable assurance that the controls and test results are accurate.
|
B |
An independent test performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party, because a letter is subjective and may not have been generated as a part of an authoritative audit or conform to audit standards.
|
C |
An internally generated computer accounting report is audit evidence, but is not as reliable as the results of a test performed by an external IS auditor.
|
D |
An oral statement from the auditee is audit evidence but not as reliable as the results of a test that is performed by an external IS auditor.
|
A |
An electronic data interchange system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.
|
B |
Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers.
|
C |
Encrypting sensitive messages is an appropriate step but does not prove authenticity of messages received.
|
D |
Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the organization's orders, not the authenticity of its customers' orders.
|
A |
Procedures are processes that an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment that is appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising during an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate, and the IS auditor's past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide information on how to meet the standards when performing IS audit work.
|
B |
Professional judgment ensures that audit resources and costs are used wisely, but this is not the primary objective of the auditor when selecting audit procedures.
|
C |
Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit, and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the audit. Audit procedures and use of professional judgment cannot ensure that all deficiencies/weaknesses will be identified and corrected.
|
D |
The correction of deficiencies is the responsibility of management and is not a part of the audit procedure selection process.
|
A |
IS auditor independence dictates that the additional information provided by the auditee is taken into consideration. Normally, an IS auditor does not automatically retract or revise the finding.
|
B |
The finding remains valid and the management response is documented; however, the audit may indicate a need to review the validity of the management response.
|
C |
The IS auditor may include the management response in the report, but that will not affect the requirement to report the finding.
|
D |
The finding remains valid and the management response is documented; however, the audit may indicate a need to review the validity of the management response.
|
A |
Rating the audit findings provides guidance to management for allocating resources to the high-risk items first.
|
B |
The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action.
|
C |
Management approval of the corrective action plan is not required. Management can elect to implement another corrective action plan to address the risk.
|
D |
Implementation of corrective actions should be done after the factual accuracy of findings is established, but the work of implementing corrective action is not typically assigned to the IS auditor, because this impairs the auditor's independence.
|
A |
Manual recalculations are used to verify that the processing is correct but do not map data.
|
B |
Acting as an audit trail for electronic data interchange transactions, functional acknowledgments are one of the main controls used in data mapping.
|
C |
Key verification is used for encryption and protection of data but not for data mapping.
|
D |
One-for-one checking validates that transactions are accurate and complete but does not map data.
|
A |
Understanding whether appropriate controls that are required to mitigate risk are in place is a resultant effect of an audit.
|
B |
A gap analysis is normally done to compare the actual state to an expected or desirable state.
|
C |
While developing a risk-based audit strategy, it is critical that the risk and vulnerabilities are understood. They determine the areas to be audited and the extent of coverage.
|
D |
Audit risk is an inherent aspect of auditing, directly related to the audit process and not relevant to the risk analysis of the environment to be audited.
|
A |
The audit report should contain all relevant findings and the response from management even if the finding has been resolved. This would mean that subsequent audits may test for the continued resolution of the control.
|
B |
The audit report should contain the finding so that it is documented and the removal of the control subsequent to the audit would be noticed.
|
C |
The audit report should contain the finding and resolution, and this can be mentioned in the final meeting. The audit report should list all relevant findings and the response from management.
|
D |
Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.
|
A |
Unstratified mean per unit is used in variable sampling.
|
B |
Variable sampling is the method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values.
|
C |
Attribute sampling is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.
|
D |
Stratified mean per unit is used in variable sampling.
|
A |
Determining whether the movement of tapes is authorized is a compliance test.
|
B |
A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy and validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test.
|
C |
Determining whether bar code readers are installed is a compliance test.
|
D |
Checking whether receipts and issues of tapes are accurately recorded is a compliance test.
|
A |
Because management is not objective and may not understand the risk and control environment, and they are only providing evidence that the application is working correctly (not the controls), their assurance is not an acceptable level of trust for audit evidence.
|
B |
Data collected from the Internet is not always trustworthy or independently validated.
|
C |
Evidence obtained from independent third parties is almost always considered to be more reliable than assurance provided by local management.
|
D |
Ratio analysis can identify trends and deviations from a baseline but is not reliable evidence.
|
A |
Authenticity cannot be established by a checksum alone and needs other controls.
|
B |
Nonrepudiation can be ensured by using digital signatures.
|
C |
Authorization cannot be established by a checksum alone and needs other controls.
|
D |
A checksum that is calculated on an amount field and included in the electronic data interchange communication can be used to identify unauthorized modifications.
|
A |
One area to be reviewed may be the efficiency and optimization of the application, but this is not the area being reviewed in this audit.
|
B |
An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses.
|
C |
The IS auditor is reviewing the effectiveness of the controls, not the suitability of the application to meet business needs.
|
D |
The other choices may be objectives of an application audit but are not part of an audit restricted to a review of the application controls.
|
A |
Statistical sampling can use generalized audit software, but it is not required.
|
B |
The tolerable error rate must be predetermined for both judgment and statistical sampling.
|
C |
Sampling risk is the risk of a sample not being representative of the population. This risk exists for judgment and statistical samples.
|
D |
Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient).
|
A |
Management's confirmation of effectiveness of the control suffers from lack of independence; management might be biased toward the effectiveness of the controls put in place.
|
B |
A sample of a system-generated report with evidence that the reviewer followed up on the exception represents the best possible evidence of the effective operation of the control, because there is documented evidence that the reviewer reviewed the exception report and took actions based on the exception report.
|
C |
Reviewer sign-off does not demonstrate the effectiveness of the control if the reviewer does not note follow-up actions for the exceptions identified.
|
D |
A walk-through highlights how a control is designed to work, but it seldom highlights the effectiveness of the control, or exceptions or constraints in the process.
|
A |
The best way to confirm data accuracy, when input is provided by the organization and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports.
|
B |
Recalculating gross payroll manually only verifies whether the processing is correct and not the data accuracy of inputs.
|
C |
Comparing checks to input forms is not feasible because checks contain the processed information and input forms contain the input data.
|
D |
Reconciling checks with output reports only confirms that checks were issued as stated on output reports.
|
A |
Professional competence is not relevant to the requirement of independence.
|
B |
Technical competence is not relevant to the requirement of independence.
|
C |
Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement.
|
D |
When an IS auditor recommends a specific vendor, the auditor's professional independence is compromised.
|
A |
Monitoring audits and initiating cost controls does not ensure the effective use of audit resources.
|
B |
Although monitoring the time and audit programs, and adequate training improve the IS audit staff's productivity (efficiency and performance), ensuring that the resources and efforts being dedicated to audit are focused on higher-risk areas delivers value to the organization.
|
C |
Monitoring the audits and the time spent on audits is not effective if the wrong areas are being audited. It is most important to develop a risk-based audit plan to ensure effective use of audit resources.
|
D |
The IS auditor may have specialties, or the audit team may rely on outside experts to conduct very specialized audits. It is not necessary for each IS auditor to be trained on all new technology.
|
A |
Stop-or-go is a sampling method that helps limit the size of a sample and allows the test to be stopped at the earliest possible moment.
|
B |
Probability-proportional-to-size sampling is typically associated with cluster sampling when there are groups within a sample. The question does not indicate that an IS auditor is searching for a threshold of fraud.
|
C |
Classical variable sampling is associated with dollar amounts and has a sample based on a representative sample of the population but is not focused on fraud.
|
D |
Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred. Therefore, it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.
|
A |
The IS auditor does not collect evidence in the planning stage of an audit.
|
B |
Specifying appropriate tests is not the primary goal of audit planning.
|
C |
Effective use of audit resources is a goal of audit planning, not minimizing audit resources.
|
D |
ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in the other options are all undertaken to address audit objectives and, thus, are secondary.
|
A |
Vouching is usually performed during the funds transfer, not during the reconciliation effort.
|
B |
Correction entries should be reviewed during a reconciliation; however, they are normally done by an individual other than the person entrusted to do reconciliations and are not as important as tracing.
|
C |
In online processing, authorizations are normally done automatically by the system, not during the reconciliation.
|
D |
Tracing is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In electronic funds transfer transactions, the direction on tracing may start from the customer-printed copy of the receipt, proceed to checking the system audit trails and logs, and end with checking the master file records for daily transactions.
|
A |
Deletion or manipulation of transactions prior to, or after, establishment of application controls is an example of risk. Logging detects any alteration to the data, and the impact is not as great as that of unauthorized transactions.
|
B |
Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data.
|
C |
Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, lack of transaction authorization is the greatest risk.
|
D |
Loss or duplication of electronic data interchange transmissions is an example of risk, but because all transactions should be logged, the impact is not as great as that of unauthorized transactions.
|
A |
Based on the observations and interviews, the IS auditor can evaluate the segregation of duties. By observing the IT staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations. By interviewing the IT staff, the auditor can get an overview of the tasks performed.
|
B |
Management may not be aware of the detailed functions of each employee in the IT department and whether the controls are being followed. Therefore, discussion with the management provides only limited information regarding segregation of duties.
|
C |
Testing of user rights provides information about the rights users have within the IS systems but does not provide complete information about the functions they perform. Observation is a better option because user rights can be changed between audits.
|
D |
An organization chart does not provide details of the functions of the employees or whether the controls are working correctly.
|
A |
Conclusions drawn by an IS auditor should be adequately supported by evidence, and any compensating controls or corrections that are pointed out by a department manager should be taken into consideration. Therefore, the first step is to revalidate the evidence for the finding. If, after revalidating and retesting, there are unsettled disagreements, those issues should be included in the report.
|
B |
Before putting a disputed finding or management response in the audit report, the IS auditor should take care to review the evidence that is used in the finding to ensure audit accuracy.
|
C |
Retesting the control normally occurs after the evidence has been revalidated.
|
D |
Although there are cases where a third party may be needed to perform specialized audit procedures, an IS auditor should first revalidate the supporting evidence to determine whether there is a need to engage a third party.
|
A |
Evidence that is obtained directly from the source by an IS auditor is more reliable than information that is provided by a system administrator or a business owner, because the IS auditor does not have a vested interest in the outcome of the audit.
|
B |
Evidence that is not system-generated information can be modified before it is presented to an IS auditor. Therefore, it may not be as reliable as evidence that is obtained by the IS auditor. For example, a system administrator can change the settings or modify the graphic image before taking a screenshot.
|
C |
The annual review provided by a business owner may not reflect current information.
|
D |
The rules may be modified by the administrator prior to taking the screenshot; therefore, this is not the best evidence.
|
A |
Corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls.
|
B |
Corrective controls may also be relevant because they allow an error or problem to be corrected.
|
C |
The existence and function of controls are important but not the classification.
|
D |
An IS auditor should focus on when controls are exercised as data flow through a computer system.
|
A |
Suspending the audit is an inappropriate action, because it provides no current knowledge of the adequacy of the existing controls.
|
B |
Placing greater reliance on previous audits is an inappropriate action, because it provides no current knowledge of the adequacy of the existing controls.
|
C |
If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests.
|
D |
Based solely on the interview with the payroll clerk, the IS auditor will not be able to collect evidence to conclude on the adequacy of existing controls.
|
A |
If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures because the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee lessens effective communications and sets up an adversarial relationship, but an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.
|
B |
The audit report contains the finding from the IS auditor and the response from management. It is the responsibility of management to accept risk or mitigate it appropriately. The role of the auditor is to inform management clearly and thoroughly so that the best decision can be made.
|
C |
Management is always responsible and liable for risk. The role of the IS auditor is to inform management of the findings and associated risk discovered in an audit.
|
D |
The IS auditor must be professional, competent and independent. They must not just accept an explanation or argument from management, unless the process used to generate the finding was flawed.
|