Chapter 1 Case Studies Flashcards
The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment, and accordingly, will assess management's review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation. Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying OS updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.
What should the IS auditor do FIRST?
A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.
A. Perform an IT risk assessment.
An IT risk assessment should be performed first to ascertain which areas present the greatest risk and what controls mitigate that risk. Although narratives and process flows have been created, the organization has not yet assessed which controls are critical. All other choices would be undertaken after performing the IT risk assessment.
When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
When testing a control, it is advisable to trace from the item being controlled to the relevant control documentation. When a sample is chosen from a set of control documents, there is no way to ensure that every change was accompanied by appropriate control documentation. Accordingly, changes to production code provide the most appropriate basis for selecting a sample. These sampled changes should then be traced to appropriate authorizing documentation. In contrast, selecting from the population of change management documents will not reveal any changes that bypassed the normal approval and documentation process. Similarly, comparing production code changes to system-produced logs will not provide evidence of proper approval of changes prior to their being migrated to production.
An IS auditor is planning to review the security of a financial application for a large company with several locations worldwide. The application system is made up of a web interface, a business logic layer and a database layer. The application is accessed locally through a LAN and remotely through the Internet via a virtual private network (VPN) connection.
The MOST appropriate type of CAATs tool the auditor should use to test security configuration settings for the entire application system is:
A. generalized audit software (GAS).
B. test data.
C. utility software.
D. expert system.
C. utility software.
When testing the security of the entire application system—including OSs, database and application security—the auditor will most likely use utility software that assists in reviewing the configuration settings. In contrast, the auditor might use GAS to perform substantive testing of data and configuration files of the application. Test data are normally used to check the integrity of the data, and expert systems are used to inquire on specific topics.
Given that the application is accessed through the Internet, how should the auditor determine whether to perform a detailed review of the firewall rules and VPN configuration settings?
A. Documented risk analysis
B. Availability of technical expertise
C. Approach used in previous audit
D. IS auditing guidelines and best practices
A. Documented risk analysis
In order to decide if the audit scope should include specific infrastructure components (in this case, the firewall rules and VPN configuration settings), the auditor should perform and document a risk analysis in order to determine which sections present the greatest risk and include these sections in the audit scope. The risk analysis may consider factors such as previous revisions to the system, related security incidents within the company or other companies of the same sector, resources available to do the review and others. Availability of technical expertise and the approach used in previous audits may be taken into consideration; however, these should be of secondary importance. IS auditing guidelines and best practices provide a guide to the auditor on how to comply with IS audit standards, but by themselves they would not be sufficient to make this decision.
During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:
A. review the authorization on a sample of transactions.
B. immediately report this finding to upper management.
C. request that auditee management review the appropriateness of access rights for all users.
D. use GAS to check the integrity of the database.
A. review the authorization on a sample of transactions.
The auditor should first review the authorization on a sample of transactions in order to determine and be able to report the impact and materiality of this issue. Whether the auditor would immediately report the issue or wait until the end of the audit to report this finding will depend on the impact and materiality of the issue, which would require reviewing a sample of transactions. The use of GAS to check the integrity of the database would not help the auditor assess the impact of this issue.
An IS auditor has been appointed to carry out IS audits in an entity for a period of two years. After accepting the appointment the IS auditor noted that:
• The entity has an audit charter that detailed, among other things, the scope and responsibilities of the IS audit function and specifies the audit committee as the overseeing body for audit activity.
• The entity is planning a major increase in IT investment, mainly on account of implementation of a new ERP application, integrating business processes across units dispersed geographically. The ERP implementation is expected to become operational within the next 90 days. The servers supporting the business applications are hosted offsite by a third-party service provider.
• The entity has a new incumbent as chief information security officer (CISO) who reports to the chief financial officer (CFO).
• The entity is subject to regulatory compliance requirements that require its management to certify the effectiveness of the internal control system as it relates to financial reporting. The entity has been recording consistent growth over the last two years at double the industry average. However, the entity has seen increased employee turnover as well.
The FIRST priority of the IS auditor in year one should be to study the:
A. previous IS audit reports and plan the audit schedule.
B. audit charter and plan the audit schedule.
C. impact of the new incumbent as CISO.
D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.
D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.
In terms of priority, because the implementation of the new ERP will have far-reaching consequences on the way IS controls are configured in the system, the IS auditor should study the impact of implementation of the ERP and plan the audit schedule accordingly. Preferably, the IS auditor should discuss the audit plan with the external auditor and the internal audit division of the entity to make the audit more effective and useful for the entity.
How should the IS auditor evaluate backup and batch processing within computer operations?
A. Plan and carry out an independent review of computer operations.
B. Rely on the service auditor's report of the service provider.
C. Study the contract between the entity and the service provider.
D. Compare the service delivery report to the service level agreement.
D. Compare the service delivery report to the service level agreement.
The service delivery report that captures the actual performance of the service provider against the contractually agreed-on levels provides the best and most objective basis for evaluation of the computer operations. The service auditor’s report is likely to be more useful from a controls evaluation perspective for the external auditor of the entity.