1.1a: Risk Assessment Quiz (Doshi)

Question 1

The MOST important step in a risk analysis is to identify (from available choices):

A. competitors.
B. controls.
C. vulnerabilities.
D. liabilities.

Answer 1

C. vulnerabilities

If vulnerabilities are not properly identified, controls and audit planning may not be relevant. Vulnerabilities are a key element in the conduct of a risk analysis

Question 2

In a risk-based audit planning, an IS auditor’s FIRST step is to identify:

A. responsibilities of stakeholders.
B. high-risk areas within the organization.
C. cost center.
D. profit center.

Answer 2

B. high-risk areas within the organization.

The first and most critical step in the process is to identify high-risk areas within the organization. Once high-risk areas have been identified, audit planning to be done accordingly.

Question 3

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

A. segregation of duties to mitigate risks is in place.
B. all the relevant vulnerabilities and threats are identified.
C. regularity compliance is adhered to.
D. business is profitable.

Answer 3

B. all the relevant vulnerabilities and threats are identified.

In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.

Question 4

IS Auditor identified certain threats and vulnerabilities in a business process. NEXT, an IS auditor should:

A. identify stakeholder for that business process.
B. identifies information assets and the underlying systems.
C. discloses the threats and impacts to management.
D. identifies and evaluates the existing controls.

Answer 4

D. identifies and evaluates the existing controls.

Before reaching to any conclusion, IS Auditor should evaluate existing controls and its effectiveness. Upon completion of an audit an IS auditor should describe and discuss with management the threats and potential impacts on the assets.

Question 5

Major advantage of risk-based approach for audit planning is:

A. Audit planning can be communicated to client in advance.
B. Audit activity can be completed within allotted budget.
C. Use of latest technology for audit activities.
D. Appropriate utilization of resources for high risk areas.

Answer 5

D. Appropriate utilization of resources for high risk areas.

The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.

Question 6

While determining the appropriate level of protection for an information asset an IS auditor should primarily focus on:

A. Criticality of information asset.
B. Cost of information asset.
C. Owner of information asset.
D. Result of vulnerability assessment.

Answer 6

A. Criticality of information asset.

The appropriate level of protection for an asset is determined based on the criticality of the assets. Other factors are not that relevant as compared to sensitivity of information asset to business.

Question 7

The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?

A. Inherent
B. Detection
C. Control
D. Business

Answer 7

B. Detection

Detection risks are directly affected by the auditor’s selection of audit procedures and techniques. Inherent risks usually are not affected by the IS auditor. Control risks are controlled by the actions of the company’s management. Business risks are not affected by the IS auditor.

Question 8

The risk of an IS auditor certifying existence of proper system and procedures without using an inadequate test procedure is an example of:

A. inherent risk.
B. control risk.
C. detection risk.
D. audit risk.

Answer 8

C. detection risk.

This is an example of detection risk. Detection risk is the risk that the auditors fail to detect a material misstatement in the financial statements

Question 9

Overall business risk for a particular threat can be expressed as:

A. a product of the probability and impact.
B. probability of occurrence.
C. magnitude of impact.
D. assumption of the risk assessment team.

Answer 9

A. a product of the probability and impact.

Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset.
Choice B provides only the likelihood of occurrence. Similarly, choice C considers only the magnitude of the damage and not the possibility
of a threat exploiting vulnerability.
Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.

Question 10

An IS auditor is evaluating management’s risk assessment of information systems. The IS auditor should FIRST review:

A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the risks related to the assets.
D. the threats/vulnerabilities affecting the assets.

Answer 10

D. the threats/vulnerabilities affecting the assets.

One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risks related to assets should
be put in place during the risk monitoring function that follows the risk assessment phase.

Question 11

An IS Auditor is reviewing data center security review. Which of the following steps would an IS auditor normally perform FIRST:

A. Evaluate physical access control.
B. Determine the vulnerabilities/threats to the data center site.
C. Review screening process for hiring security staff
D.Evaluate logical access control.

Answer 11

B. Determine the risks/threats to the data center site.

During planning, the IS auditor should get an overview of the functions being audited and evaluate the audit and business risks.
Choices A and D are part of the audit fieldwork process that occurs subsequent to this planning and preparation.
Choice C is not part of a security review.

Question 12

Risk assessment approach is more suitable when determining the appropriate level of protection for an information asset because it ensures:

A. all information assets are protected.
B. a basic level of protection is applied regardless of asset value.
C. appropriate levels of protection are applied to information assets.
D. only most sensitive information assets are protected.

Answer 12

C. appropriate levels of protection are applied to information assets.

On the basis of risk assessment, assets are classified according to its criticality. Then appropriate level of security is provided to data as per classification

Question 13

In a risk-based audit approach, an IS auditor should FIRST complete a(n):

A. inherent risk assessment.
B. control risk assessment.
C. test of control assessment.
D. substantive test assessment.

Answer 13

A. inherent risk assessment.

The first step in a risk-based audit approach is to gather information about the business and industry to evaluate the inherent risks. After completing the assessment of the inherent risks, the next step is to complete an assessment of the internal control structure. The
controls are then tested and, on the basis of the test results, substantive tests are carried out and assessed.

Question 14

In planning an audit, the MOST critical step is the identification of the:

A. areas of high risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit.

Answer 14

A. areas of high risk.

When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding and selecting the audit. Test steps for the audit are not as critical as identifying the areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are
primarily selected based on the identification of risks.

Question 15

Risk assessment process is:

A. subjective.
B. objective.
C. mathematical.
D. statistical.

Answer 15

A. subjective.

Risk assessment is based on perception of risk officer. There is no defined mathematical or statistical formula for risk assessment. All risk assessment methodologies rely on subjective judgments at some point in the process (e.g., for assigning weightings to the various
parameters).

Question 16

The result of risk management process is used for:

A. forecasting profit
B. post implementation review.
C. designing controls
D. user acceptance testing.

Answer 16

C. designing controls

The ultimate objective of risk management process is to ensure identified risks are managed by designing various controls. The risk management process is about making specific, security-related decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management process

Question 17

Managing the risk up to acceptable level is the responsibility of:

A. risk management team.
B. senior business management.
C. the chief information officer.
D. the chief security officer.

Answer 17

B. senior business management.

Senior management cannot delegate their accountability for management of risk. They have the ultimate or final responsibility for the effective and efficient operation of the organization.
ChoicesA, C and D should act as advisers to senior management in determining an acceptable risk level.

Question 18

Evaluation of IT risks can be done by:

A. finding threats/vulnerabilities associated with current IT assets.
B. Trend analysis on the basis of past year losses.
C. industry benchmark.
D. reviewing IT control weaknesses identified in audit reports.

Answer 18

A. finding threats/vulnerabilities associated with current IT assets.

To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.
Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselves not sufficient.

Question 19

An IS auditor is reviewing payroll application. He identified some vulnerability in the system. What would be the next task?

A. Report the vulnerabilities to the management immediately.
B. Examine application development process.
C. Identify threats and likelihood of occurrence.
D. Recommend for new application.

Answer 19

C. Identify threats and likelihood of occurrence.

The IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence.

Question 20

Absence of proper security measures represents a(n):

A. threat.
B. asset.
C. impact.
D. vulnerability.

Answer 20

D. vulnerability.

Vulnerability is a weakness or gap in our protection efforts. Vulnerability can be in form of weak
coding, missing anti-virus, weak access control and other related factors. Vulnerabilities can be
controlled by us. A threat is what we’re trying to protect against. Our enemy could be Earthquake, Fire, Hackers,
Malware, System Failure, Criminals and many other unknown forces. Threats are not in our control.
Lack of adequate security functionality in this context is vulnerability.

Question 21

IS Auditor is developing a risk management program, the FIRST activity to be performed is a(n):

A. vulnerability assessment.
B. evaluation of control.
C. identification of assets.
D. gap analysis.

Answer 21

C. identification of assets

Identification of the assets to be protected is the first step in the development of a risk management program. CISA aspirants should know following steps of risk assessment.

• First step is to identify the assets.
• Second step is to identify relevant risk (vulnerability/threat)
• Third step is to do impact analysis
• Fourth step is to prioritize the risk on the basis of impact
• Fifth step is to evaluate controls.
• Sixth step is to apply appropriate controls

Question 22

Benefit of development of organizational policies by bottom-up approach is that they:

A. covers whole organization.
B. is derived as a result of a risk assessment.
C. will be in line with overall corporate policy.
D. ensures consistency across the organization.

Answer 22

B. is derived as a result of a risk assessment.

A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments. Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies. Choices A, C and D are advantages of a top-down approach for developing organizational policies. This approach ensures that the policies will not be in conflict with overall corporate policy and ensure consistency
across the organization.

Question 23

Risk can be mitigated by:

A. Implementing controls
B. Insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)

Answer 23

A. Implementing (Security and) control practices

Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, and contracts and SLAs are mechanisms of risk allocation

Question 24

MOST important factor while evaluating controls is to ensure that the controls:

A. addresses the risk
B. does not reduce productivity.
C. is less costly than risk.
D. is automotive.

Answer 24

A. addresses the risk

Though all of the above factors are important, it is essential that control should be able to address the risk. When designing controls, it is necessary to consider all the above aspects. In an ideal situation, controls that address all these aspects would be the best controls.

Question 25

The susceptibility of a business or process to make an error that is material in nature, assuming there were no internal controls.

A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk

Answer 25

A. Inherent risk

Inherent risk means the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls).

Question 26

The risk that the controls put in place will not prevent, correct, or detect errors on a timely basis.

A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk

Answer 26

B. Control risk

Control risk means the risk that a misstatement could occur but may not be detected and corrected or prevented by entity’s internal control mechanism.

Question 27

Which of the following factors an IS auditor should primarily consider when determining the acceptable level of risk:

A. Risk acceptance is the responsibility of senior management.
B. All risks do not need to be eliminated for a business to be profitable.
C. Risks must be identified and documented in order to perform proper analysis on them.
D. Line management should be involved in the risk analysis because management sees risks daily that others would not recognize.

Answer 27

C. Risks must be identified and documented in order to perform proper analysis on them.

Though all factors are relevant, primarily consideration should be documentation of identified risk. In order to manage and control a risk, it first must be recognized as a risk. Only after documentation, other factors to be considered

Question 28

Most important step in a risk analysis is to identify:

A) critical assets
B) controls
C) Vulnerabilities
D) Liabilities

Answer 28

A) critical assets

Question 29

IS Auditor is developing a risk management program, the FIRST activity to be performed is a(n):

A) vulnerability assessment
B) evaluation of control
C) identification of assets.
D) gap analysis

Answer 29

C) identification of assets.