Chapter 1 (Domain 1)

Question 1

Executive Misconduct

Answer 1

Misconduct in the executive suite usually reflects a fundamental compliance gap in corporate management. The gap commonly manifests itself as a group of executives in power.

Question 2

FCPA

Answer 2

Foreign Corrupt Practices Act (FCPA)

Question 3

COSO

Answer 3

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Question 4

SOX

Answer 4

US Sarbanes-Oxley Act (SOX)

For NYSE publicly traded corporations, similar to the US government’s own internal controls in the Office of Management and Budget Circular A-123

Question 5

PCI

Answer 5

Payment Card Industry (PCI)

Question 6

What are the two basic components of Regulatory Objective?

Answer 6

1. Evidence of operational integrity
2. Evidence of internal controls to protect valuable assets.

Question 7

What is an asset?

Answer 7

defined as anything of value, including trademarks, patents, secret recipes, durable goods, data files, competent personnel, and clients. Although people are not listed as corporate assets, the loss of key individuals is a genuine business threat.

Question 8

What is a threat?

Answer 8

a negative actor that creates an event that would cause a loss if it occurred.

Question 9

What is a vulnerability?

Answer 9

The access path used by a threat

Question 10

What is your job as an IS auditor?

Answer 10

To verify that assets, threats, and vulnerabilities are properly identified and managed to reduce risk.

Question 11

What are the three data types?

Answer 11

1. Data, 2. Metadate, 3. Authentication Data

Question 12

RMS

Answer 12

Records Management System (RMS)

Question 13

What are the four (4) documents organizations typically have in place?

Answer 13

1. Policy
2. Standard
3. Guidelines
4. Procedures

Question 14

What is a Policy?

Answer 14

(Goals)

A policy is a chief executive mandate to identify a topic of concern containing particular risks to avoid or prevent.

Question 15

What is a Standard?

Answer 15

(Definition of Requirement)

These are mid-level documents containing measurement control points to ensure uniform implementation in support of a policy.

Question 16

What are Guidelines?

Answer 16

(General Instructions)

Provides vague direction of “do this, not that” to provide very limited advice pertaining to how organizational objectives might be obtained. The purpose is to provide information that would aid in making decisions about intended goals (should do), beneficial alternatives (could do), and actions that would not create problems (won’t hurt).

Question 17

What are Procedures?

Answer 17

(How-to Instructions for Success)

These are “cookbook” recipes providing a workflow of specific tasks necessary to achieve minimum compliance to a standard. Details are written in step-by-step format from the very beginning to the end.

Question 18

What is a Fiduciary Relationship?

Answer 18

Is simply one in which you are acting for the benefit of another person and placing the responsibilities to be fair and honest ahead of your own interests.

Question 19

Who is the Auditor?

Answer 19

The auditor is the competent person performing the audit.

Question 20

Who is the Auditee?

Answer 20

The organization and people being audited are collectively called the auditee.

Question 21

Who is the Client?

Answer 21

The client is the person or organization with the authority to request the audit. A client may be the audit committee, external customer, internal audit department, or regulatory group. If the client is internal to the auditee, that client assumes the auditee role.

Question 22

COBIT

Answer 22

Control Objectives for Information and Related Technology (COBIT)

Question 23

What are the two classes of standards?

Answer 23

1. Parent Class with Broad Application across a Variety of Industries - Examples include the ISO 27001 information security management standard, NIST 800-53 controls, and NIST 800-26 (Security Self-Assessment Guide for Information Technology Systems). Older versions of ISO standards frequently bear lower ID numbers.
2. Industry Specific with a Limited Scope - Examples include FFIEC regulations and portions of the HIPAA security rules, which may incorporate only select portions of the parent class standards. More and more industries worldwide are adopting ISO standards as the preferred baseline with specific designated tailoring of attributes to fit the industry.

Question 24

What are the two basic categories of audit testing?

Answer 24

1. Compliance test - Initially audits will verify that items necessary for compliance exist
2. Substantive test - Then items are selected to undergo additional testing to check inside for the substance and integrity of a claim

Question 25

Least Privilege

Answer 25

Refers to providing only the minimum information necessary to complete a required task.

Question 26

What is a risk based approach?

Answer 26

Refers to focusing upon the most important highest risk areas first.

Question 27

What to external auditors do?

Answer 27

Are paid to be independent reviewers for an organization.

Question 28

What do internal auditors do?

Answer 28

Can add enormous value to an organization by providing ongoing efforts that help prepare the organization for an external audit.

Question 29

Auditor’s opinion

Answer 29

A good auditor will use sufficient evidence to formulate their auditor’s opinion, which is really a numeric scoring based on evidence test results. No opinion can be formed when you lack evidence of acceptable quantity, relevance, and reliability.