Ch 2

Question 1

Name some soft skills

Answer 1

Honest 
Ethical
Attention to detail
Professionalism
Listening 
Leadership

Question 2

Name some hard skills

Answer 2

Technical competence
Knowledge needed to accomplish work
writing
Thinking
Project Mgmt
Critical Thinking

Question 3

Honest

Answer 3

soft

Question 4

Ethical

Answer 4

soft

Question 5

Attention to detail

Answer 5

soft

Question 6

Verbal and written skill

Answer 6

Hard

Question 7

Analytic skill

Answer 7

Hard

Question 8

Interpersonal skill

Answer 8

Soft

Question 9

Professional and willingness to take lead

Answer 9

Soft

Question 10

Project management and Organizational skill

Answer 10

Hard

Question 11

Critical Thinking

Answer 11

Hard

Question 12

Professional Ethics describe

Answer 12

principles and values that govern acceptable behaivor

Question 13

What does client mean

Answer 13

Leadership of the area you are auditing

Question 14

CISA auditors must be

Answer 14

Honest and Transparent

Question 15

Define Standards

Answer 15

Mandatory actions, Explicit Rules or Controls designed to support and conform to policy through hardware, software or behaivor

Question 16

What makes policy more meaningful and effective

Answer 16

Standards

Question 17

Standards should always point to

Answer 17

Policy

Question 18

Procedures are

Answer 18

Written steps to execute policy

Question 19

Which one is more detailed Policy or Procedures?

Answer 19

Procedures

Question 20

What is an outline for a statement of conduct

Answer 20

Guideline

Question 21

Are guidelines mandatory to follow

Answer 21

No

Question 22

Do guidelines provide general guidance

Answer 22

Yes

Question 23

Are guidelines Requirements that need to met or are they recommended

Answer 23

Recommended

Question 24

Whats a baseline

Answer 24

specific rules that are accepted across the industry as providing the most effective approach to a specific implementation

Question 25

Name some regulatory standards

Answer 25

HIPPA
SOX
Base III
PCI
FISMA
COSO
SCADA
FACTA

Question 26

HIPPA

Answer 26

Healthcare

Question 27

SOX

Answer 27

Financial

Question 28

Base III

Answer 28

Risk Mgmt Bankin

Question 29

PCI

Answer 29

Credit Cards

Question 30

FISMA

Answer 30

US Govt Security Standards

Question 31

COSO

Answer 31

Financial Fraud Reporting

Question 32

SCADA

Answer 32

Security for Automated Systems

Question 33

FACTA

Answer 33

Reduce Fraud and ID Theft

Question 34

Is regulatory guidance early, on time, or late

Answer 34

Late

Question 35

Most cyber laws are written before or after a major breach

Answer 35

After

Question 36

Name some industry guidance organizations

Answer 36

COBIT
ISO
NIST
FIPS

Question 37

Name the types of audits

Answer 37

Financial
Integrated
Operational

Question 38

What is a financial audit

Answer 38

Audit of financial statements and processes. Usually doesn’t include the IT auditor

Question 39

Integrated Audit

Answer 39

Includes a financial and technical audit

Question 40

What are the key risk types

Answer 40

Inherent
Control
Detection

Question 41

Define Detection Risk

Answer 41

Misstatements or material errors have occurred and were not detected

Question 42

What is an inherent risk

Answer 42

Naturally occurring risk because of the nature of business before controls are applied

Question 43

Describe a control risk

Answer 43

Risk that internal controls will not prevent a material error

Question 44

How does ISACA define material

Answer 44

Item of significance that has a real impact on the organization

Question 45

Given the nature of driving, would no speed limits be an inherent risk

Answer 45

Yes

Question 46

What type of risk is it if your dirver airbag does not deploy

Answer 46

It is a control risk

Question 47

What type of risk is an audit

Answer 47

Detection risk

Question 48

Is an audit a type of detection risk?

Answer 48

Yes

Question 49

What is a risk that is (Inherent Risk - Controls)

Answer 49

Residual risk

Question 50

What is left up to the professional opinion of the auditor

Answer 50

Quantitative analysis and qualitative judgement

Question 51

What is quantative analysis

Answer 51

Conclusion based on a series of measurements

Question 52

What is a qualitative judgement

Answer 52

Judgment based on a broad understanding of business and asks the question what might go wrong

Question 53

What is risk mangaement

Answer 53

Identifying, assessing, mitigating and montioring risks

Question 54

What is the risk management process

Answer 54

Implement a risk mgmt program
ID Assests
ID threats
Perform risk analysis
Disposition risk
Montior

Question 55

Is Risk mgmt a part of corporate governance

Answer 55

Yes

Question 56

Who supports and funds risk mgmt

Answer 56

Senior Leadership

Question 57

The risk mgmt leader should have good Project mgmt skills

Answer 57

Yes

Question 58

What are the risk courses of action

Answer 58

Avoid
Reduce
Accept
Transfer

Question 59

Is monitoring risk important

Answer 59

Yes

Question 60

Why are controls used

Answer 60

To comply with internal policies, regulatory expectations and reduce risk

Question 61

What is risk tolerance

Answer 61

Right controls to reduce risk to an acceptable level

Question 62

Audited systems must meet which requirement

Answer 62

Regalatory and legal requirements

Question 63

Do controls typically start with hihg-level policy and applies to all areas of the company

Answer 63

Yes

Question 64

Name the two categories of procedures

Answer 64

General Control Procedures

IS Control Procedures

Question 65

Controls are what

Answer 65

Preventative, Detective, Corrective

Question 66

Name a preventative control

Answer 66

Access Control List

Question 67

Name a detective control

Answer 67

IDS

Security Log

Question 68

Name a corrective control

Answer 68

IPS

Backup Power Supply

Question 69

What type of control stops a threat immediately

Answer 69

Preventative

Question 70

What tyoe of control identifies a threat after the fact

Answer 70

Detective

Question 71

What type of control tries to remediate the risk of a threat after the fact?

Answer 71

Corrective

Question 72

Who has a fiduciary responsibility of special trust and confidence with the client

Answer 72

The auditor

Question 73

What is the purpose of an IS audit

Answer 73

To evaluate controls against a predetermined control objectives

Question 74

Audit Methodology

Answer 74

Documented approach for performing an audit in a consistent and repeatable manner

Question 75

How does an audit methodology meet the audit objectives

Answer 75

By defingin the following:
Statement of Work
Statement of Scope
Statement of Audit Objectives

Question 76

Name the steps of the audit process

Answer 76

Audit Subjects
Audit Objective
Audit Scope
Pre Audit Planning 
Data Gathering
Evaluation of test results
Communication with management
Preparation of audit report

Question 77

In chain of custody, an auditor must be able to…

Answer 77

Account for who had access to the data
Ensure that access to the data is controlled
Show that the information was protected from tampering

Question 78

What is evidence handling

Answer 78

Handling of any information obtained during the audit

Question 79

Audit evidence should be

Answer 79

Sufficient 
Usable
Reliable
Relevant
Effective

Question 80

Give examples of work papers

Answer 80

Findings
Activities
Tests

Question 81

Work Papers should be properly dated, labled, detailed, clear alnd self contained

Answer 81

Yes

Question 82

What provides confidentiality for Work Papers

Answer 82

Encryption

Question 83

What provides availability for work papers

Answer 83

Backups

Question 84

What provides authorized access for work papers

Answer 84

Access control lists

Question 85

What should be considered for electronic work papers

Answer 85

Encryption
Access lists
Backups
Audit trails and controls

Question 86

Software audit tools used for statistical sampling and data analysis

Answer 86

Computer assisted audit tools

Question 87

Sampling produces…

Answer 87

Generalized results for the population as a whole

Question 88

What are some sampling methods

Answer 88

Statistical
Non Statistical
Variable
Attribute

Question 89

What are teh parts of attribute sampling

Answer 89

Frequency estimating
Stop and Go
Discovery

Question 90

What are a few ways to ensure compliance

Answer 90

Sampling or Monitoring

Question 91

Continuous monitoring is good for which types of processes

Answer 91

Processes that capture, manipulate, store and disseminate data

Question 92

What are the six preconditions that should be present before an org can adopt continuous auditing

Answer 92

System must have acceptable characteristics

System must be reliable, have existing controls and collect data on the systems

System must have a highly automated secondary control system

Auditor must be proficient in the technology

Audit Process must offer a reliable method for obtaining the audit procedure results

Verifiable controls of the audit reporting process must exist

Question 93

QA strives to improve two key attributes

Answer 93

Quality and adherence

Question 94

Best way to avoid surprises

Answer 94

Communicate Communicate Communicate

Question 95

Name the four opinions that an auditor can have

Answer 95

Unqualified

Qualified

Adverse

Disclaimer

Question 96

Opinions can be applied to what

Answer 96

Entire report or single finding

Question 97

What are the three types of audit ratings

Answer 97

Unrated
Satisfactory
Unsatisfactory