2019 Review A1-1 -? Flashcards
The internal audit department wrote some scripts that are used for continuous auditing of some information systems. The IT department asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Does sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?
A. Sharing the scripts is not permitted because it gives IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all programs and software that run on IS systems regardless of audit independence.
C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.
C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the scripts.
Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?
A. Complexity of the organization’s operation
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. Auditor’s familiarity with the organization
C. Purpose, objective and scope of the audit
An IS auditor is developing an audit plan for an environment that includes new systems. The organization’s management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
A. Audit the new systems as requested by management
B. Audit systems not included in last year’s scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year’s scope and the new systems.
C. Determine the highest-risk systems and plan accordingly.
An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?
A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.
A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
D. Compensating controls
Which of the following is the key benefit of a control self-assessment?
A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved because internal business staff are engaged in testing controls.
D. Internal auditors can shift to a consultative approach by using the results of the assessment.
A. Management ownership of the internal controls supporting business objectives is reinforced.
What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:
A. interface with various types of enterprise resource planning software and databases.
B. accurately capture data from the organization’s system without causing excessive performance problems.
C. introduce audit hooks into the organization’s financial systems to support continuous auditing.
D. be customizable and support inclusion of custom programming to aid in investigative analysis.
B. accurately capture data from the organization’s system without causing excessive performance problems.
A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual’s experience and:
A. length of service, because this will help ensure technical competence.
B. age, because training in audit techniques may be impractical.
C. IT knowledge, because this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IT relationships.
D. ability, as an IS auditor, to be independent of existing IT relationships.
For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?
A. Use of computer-assisted audit techniques
B. Quarterly risk assessments
C. Sampling of transaction logs
D. Continuous auditing
D. Continuous auditing
An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of:
A. variable sampling
B. substantive testing
C. compliance testing
D. stop-or-go sampling
C. compliance testing
The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?
A. Inherent
B. Detection
C. Control
D. Business
B. Detection
Which of the following is the MOST critical step when planning an IS audit?
A. Review findings from prior audits
B. Executive management’s approval of the audit plan
C. Review information security policies and procedures
D. Perform a risk assessment
D. Perform a risk assessment
An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step?
A. Understanding services and their allocation to business processes by reviewing the service repository documentation
B. Sampling the use of service security standards as represented by the Security Assertions Markup Language
C. Reviewing the service level agreements established for all system providers
D. Auditing the core service and its dependencies on other systems.
A. Understanding services and their allocation to business processes by reviewing the service repository documentation
An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A. Delete all copies of the unauthorized software.
B. Recommend an automated process to monitor for compliance with software licensing.
C. Report the use of the unauthorized software and the need to prevent recurrence.
D. Warn the end users about the risk of using illegal software.
C. Report the use of the unauthorized software and the need to prevent recurrence.
An audit charter should:
A. be dynamic and change to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
D. outline the overall authority, scope and responsibilities of the audit function.