Chapter 1 - Information System Auditing Process, Part A: Planning

Question 1

IS audit is the formal examination and/or testing of information systems to determine whether:

Answer 1

In compliance; IS data & information have appropriate levels of CIA; IS operations are accomplished efficiently & effectively

Question 2

Typical audit process consists of three major phases:

Answer 2

Planning, Fieldwork/Documentation, Reporting/Follow-Up

Question 3

The framework for the ISACA IS Audit & Assurance Standards provides of multiple levels of doucments:

Answer 3

Standards; Guidelines, Tools & Techniques

Question 4

Define mandatory requirements for IS audit & assurance & reporting

Answer 4

Standards

Question 5

Provide guidance in applying IS audit and assurance standards

Answer 5

Guidelines

Question 6

Provide examples of processes an IS auditor might follow in an audit engagement

Answer 6

Tools & techniques

Question 7

ISACA IS Audit & Assurance Standards - three categories

Answer 7

General, Performance, Reporting

Question 8

Provide the guiding principles under which the IS assurance profession operates

Answer 8

General

Question 9

Deal with the conduct of the assignment

Answer 9

Performance

Question 10

Address the types of reports, means of communication and information communicated

Answer 10

Reporting

Question 11

An interrelated set of cross-functional activities or events in the delivery of a specific product or service to a customer.

Answer 11

Business Process

Question 12

Controlled by policies, procedures, practices, and organizational structures designed to provide reasonable assurance hta ta business process will achieve its objectives.

Answer 12

Business Process

Question 13

The individual responsible for identifying process requirements, approving process design, and managing process performance

Answer 13

Business Process Owner

Question 14

The role of the IS internal audit function should be established by an ___

Answer 14

Audit charter (approved by board of directors & audit committee)

Question 15

Should clearly state management’s responsibility and objectives for, and delegation of authority, to the IS audit function

Answer 15

Audit Charter

Question 16

Conducted at the beginning of the audit process to establish the overall audit strategy & detail the specific procedures to be carried out to implement the strategy & complete the audit

Answer 16

Audit Planning

Question 17

Ideally lists all of the processes that may be considered for audit; all of the relevant processes that represent the blueprint of the enterprise’s business

Answer 17

Audit Universe

Question 18

Based on which inputs can be solicited from the business

Answer 18

Reputation Factor

Question 19

Answer 19

Steps to Perform Audit Planning

Question 20

The content of legal regulations pertains to:

Answer 20

Establishment of Regulatory Requirements; Responsibilities assigned to Corresponding Entities; Financial, operational, and IS audit functions

Question 21

Legal requirements placed on audit or IS audit

Answer 21

Audit scope & audit objectives

Question 22

Legal requirements placed on the auditee & its systems, data management, reporting

Answer 22

Internal & External audit & assurance profesionals

Question 23

Buying & selling goods online

Answer 23

Ecommerce

Question 24

Business conducted between orgs

Answer 24

Business to Business (B to B)

Question 25

Business conducted between an org & its customers

Answer 25

Business to Consumer

Question 26

Business conducted between customers, primarily using a third-party platform

Answer 26

Consumer to Consumer

Question 27

Business conducted between a consumer & business

Answer 27

Consumer to Business

Question 28

Business conducted between an org & a public administration

Answer 28

Business to Government

Question 29

Business conducted between a consumer & public administration or government

Answer 29

Consumer to government

Question 30

Software transferred between systems & executed on a local system using cross-platform code without explicit installation by the recipient computer

Answer 30

Mobile code

Question 31

XML associated standards:

Answer 31

Extensible Stylesheet Language (XSL), XML Query (XQuery), XML encryption

Question 32

Ecommerce Risk elements:

Answer 32

Confidentiality, Integrity, Availability, Authentication & Nonrepudiation, Power shift to consumers

Question 33

Requires communication software, translation software, and access to standards

Answer 33

Electronic Data Interchange (EDI)

Question 34

Moves data from one point to another, flags the start and end of an EDI transmission, and determines how acknowledgements are transmitted and reconciled

Answer 34

Communications software

Question 35

Helps build a map and shows how the data fields from the application correspond to elements of an EDI standard

Answer 35

Translation Software

Question 36

Uses map to convert data back and forth between the application and EDI formats

Answer 36

EDI systems/access to standards

Question 37

In reviewing EDI, the audit should be aware of two approaches related to EDI:

Answer 37

Traditional proprietary version, the development of EDI

Question 38

Traditional EDI functions:

Answer 38

Communications handler, EDI interface, Application system

Question 39

Biggest risk to EDI

Answer 39

Transaction authorization

Question 40

EDI audits may involve:

Answer 40

Audit monitors, expert systems

Question 41

Devices installed at EDI workstations to capture transaction as they are received

Answer 41

Audit monitors

Question 42

Without the context of using computer system for internal control checks, consideration be given to having audit monitors evaluate the transactions received

Answer 42

Expert systems

Question 43

Two principal components of Email

Answer 43

Mail servers, clients

Question 44

Enable the capture of data at the time and place that sales transactions occur

Answer 44

Point of sale (POS) systems

Question 45

Effective risk management controls for ebanking:

Answer 45

Board & management oversight; security controls; legal & reputational risk management

Question 46

The electronic transfer of funds between a buyer, seller, and their respective financial institutions

Answer 46

EFT

Question 47

Specialized form of a POS terminal that is designed for the unattended use by a customer of a financial institution

Answer 47

ATM

Question 48

An integral element of the financial services industry & enables providers to emerge within & across countries

Answer 48

Electronic Finance (efinance)

Question 49

Phone technology that allows a computer to detect voice and touch tones using a normal phone call

Answer 49

Integrated Voice Response (IVR)

Question 50

Purchase account functions:

Answer 50

Accounts payable processing, goods received processing, order processing

Question 51

Contains specific information or fact patterns associated with particular subject mater and the rules for interpreting these facts

Answer 51

Knowledge Base (KB)

Question 52

KB can be expressed in several ways:

Answer 52

Decision trees, rules, semantic nets,

Question 53

Use of questionnaires to lead the user through a series of choices, until a conclusion is reached

Answer 53

Decision Trees

Question 54

Expression of declarative knowledge through the use of if-then relationships

Answer 54

Rules

Question 55

Use of a graph in which nodes represent or conceptual objects and the arcs describe the relationship between nodes

Answer 55

Semantic nets

Question 56

Inclusion of knowledge from an expert into the system without the traditional mediation of a software engineer

Answer 56

Knowledge interface

Question 57

Collection of data from nonhuman sources through an expert system

Answer 57

Data interface

Question 58

Linking the business processes between the related entities such as the buyer and the seller

Answer 58

Supply Chain Management (SCM)

Question 59

Prevents, detects, and/or contains an incident and enables recovery from a risk event

Answer 59

Effective Control

Question 60

An objective of one or more operational area(s) or role(s) to be achieved in order to contribute to the fulfillment of strategic goal(s) of the company

Answer 60

Control Objective

Question 61

___ Controls apply to all areas of an organization

Answer 61

General controls

Question 62

Each general control can be translated into an ___ specific control

Answer 62

IS

Question 63

Deployment of audit resources to areas within an organization that represent the greatest risk

Answer 63

Risk-based audit planning

Question 64

The risk that information collected may contain a material error that may go undetected during the course of the audit

Answer 64

Audit risk

Question 65

Audit risk is influenced by:

Answer 65

Inherent risk, Control Risk, Detection Risk, Overall Audit Risk

Question 66

A subset of risk assessment and is used during audit planning to help identity risk and vulnerabilities so an IS auditor can determine the controls needed to mitigate risk

Answer 66

Risk analysis

Question 67

Types of audits and assessments:

Answer 67

IS, Compliance, Financial, Operational, Integrated, Administrative, Specialized (Third Party, Fraud, Forensic), Computer forensic, Functional