Chapter 1 - Risk Assessment Flashcards

1
Q

What are the five learning objectives of Chapter 1?

Hints
Types - RA involved BE apply IT in relationship FR
Environment - understand BE and BP, esp IT risks to AIS and FR
Model - understand and apply ARM as defined by RBS - IR, CR, RMM
Walk - Understanding and evaluation of controls
Report - draft RA report

A
  1. To understand the types of risk assessments involved in a business entity and how they apply to IT and its relationship to financial reporting
  2. To understand the business environment and business processes, especially the risk IT itself brings to accounting information systems and financial reporting
  3. To understand and apply the audit risk model as defined in the risk based standards - Inherent Risk; Control Risk and Risk of Material Misstatement
  4. To enhance one’s understanding and evaluation of controls using walk-throughs
  5. To understand the most effective process of drafting a risk assessment report

2
Q

What is a risk assessment?
What is the definition of risk assessment?

Hints:

  • initial what? - of what? - that may impact what?
  • MM or what? Vul… -Vul of what? - Based on what?
A

The initial evaluation of risks that may affect the possibility of a material misstatement or the vulnerability of an organization’s assets based on initial assumptions, research and uncertainties.

Dimension 1, CITP BOK

3
Q

Is a risk based audit more effective than other approaches? Why or why not?

A

Yes. In recent years, all types of audits have become risk-based in their approaches. Standards by various professional organizations reflect this modern view that a risk-based audit is more effective than other approaches.

4
Q

What is the nick-name for the group of standards from a professional organization that gives guidance on the risk based approach to auditing?

A

The nickname is “Risk Based Standards”. The AICPA issued this group of risk based standards in 2006, effective 2007.

5
Q

Why are SAS 104 through SAS 111 important?

Hints:
How many standards?
Rigorously do what? 
RMM where?
Understand what is done by who?
What audit do they affect?
Whose role and responsibility is described?
Who is impacted in business and industry?
A

These eight new standards (2007) require both the auditor and the entity to rigorously assess the risks of material misstatement of the financial statements and understand what the entity is doing to mitigate them.

  • Key standards
  • Affect the financial statement audit
  • Describe the role and responsibility of the IT auditor in the financial statement audit
  • Affect management and auditors in business and industry

6
Q

How do the eight standards, SAS 104 - SAS 111, impact CITPs?

A

These are the Statements on Auditing Standards (SAS) (AICPA, Professional Standards). These are referred to as the “risks standards”. Consideration of IT in financial audits and RMM (public accounting); and IT risks, automated controls, and IT General Controls (ITGC) in business and industry.

7
Q

What is SAS 99?

A

SAS No. 99, Consideration of Fraud in a Financial Statement Audit (AU sec. 316). It requires consideration of fraud risks, anti-fraud controls, and fraud auditing in financial audits (public accounting), and anti-fraud programs (business and industry). This is one of the professional standards that impacts CITPs. It is a Statement on Auditing Standards (SAS) (AICPA, Professional Standards).

8
Q

What is the “Fraud standard”?

A

SAS No. 99. SAS 99 requires consideration of fraud risks; anti-fraud controls; and fraud auditing in financial audits (public accounting); and anti-fraud programs (B&I)

9
Q

What are the “risks standards”?

A

SAS No. 104 - 111 - requires consideration of IT in financial audits and RMM (public accounting); and IT risks, automated controls, and IT General Controls (ITGC) in business and industry (B&I)

10
Q

What are the relevant models for risk?

A

Relevant models for risk include

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • Control Objectives for Information and related Technology (COBIT), Information Systems Audit and Control Association
  • Prevent, Detect, Correct (P-D-C) model

11
Q

In the risk based approach to auditing, what risks are concerns to the IT auditor?

A

The risks that are concerns to the IT auditor include areas of:

  • Data Integrity
  • Data / Systems / IT Security
  • IT Operational effectiveness and
  • Systemized processes and controls

12
Q

What does the CITP BOK focus on?

A

This dimension of the CITP BOK focuses on the roles and responsibilities of the CITP in both public accounting and business and industry, and on applying the risk based approach to identify, evaluate and mitigate relevant IT risks.

13
Q

What is the Risk Based Approach (RBA)? What does it do?

A

The Risk Based Approach (RBA) is key to the current financial audit and to most other assurance services. This approach:

  • Expands the role of the IT auditor in the financial statement audit, because the auditor must assess the risks associated with IT and with the controls embedded in IT.
  • Requires the IT auditor to identify the key, relevant elements of systems and technology to ensure that IT-related risks are appropriately considered.

VIV - FIX THIS CARD - SOMETHING’S NOT QUITE RIGHT

Page 1-4

14
Q

What are the three primary areas of risk assessments for CITPs?

A

1) Enterprise Risk Assessments, page 1-11
2) Financial Statement Risk Assessment, page 1-12
3) IT Risk Assessment, page 1-15

15
Q

What are the two perspectives of CITPs for risk assessments?

A

The risk assessment process is constrained by the perspective and goal of the particular activity, whether it is external (for example, financial audits) or internal (for example, operational audits).
Externally - the risk assessment scopes risks that are in the IT space, have a relatively high risk of material misstatement, and are associated with financial reporting processes, data, or reports.
Internally - the goals differ and are not constrained by external criteria. Internal CITPs will probably include some risks that external CITPs exclude.

16
Q

How much should the external CITP put IT risks into the scope of an engagement?

A

The CITP should be careful: not all IT risks end up in the scope of the engagement. Examples of IT risks that stay out of the scope of the audit:
- Significant IT risks that carry no risk of material misstatement
- Significant IT risks that a compensating (or downstream) control mitigates
The CITP should take care to ensure all relevant IT risks are in scope, but IT risks that do not lead to a risk of material misstatement should be excluded from the scope of the engagement.

17
Q

What are the two ways of ranking risks?

Explain the two ways of ranking risks.

A

You can rank risks by using a scatter plot or by using a scorecard. A scatter plot is a graph with four quadrants, with significance on the vertical axis and likelihood on the horizontal axis. A scorecard is a simple ranking: a listing of risks from high to low, based on the auditor’s judgment.

18
Q

Are scatter plots more useful in risk management than simple ranking?

A

Yes, scatter plots are more useful because they are generally considered easier to understand. They are more visual and provide a more efficient and effective application of risk assessment by ranking risks into groupings or similar ratings (quadrants).
Because scatter plots draw attention to the risks that need to be addressed in some order or precedence, they are easier to apply than a simple ranking.

19
Q

What are the six steps of the risk assessment life cycle?

A

The six steps of the risk assessment life cycle are:

 1) Recognize
 2) Rate
 3) Rank
 4) Respond  
 5) Report  and
 6) Review

20
Q

In the risk assessment life cycle, describe Step 1 - Recognize.

A

The first step in a risk assessment is to use a formal, structured, effective process where the objective is to identify, as much as possible, the relevant, material risks that could potentially adversely affect the entity.

21
Q

In the risk assessment life cycle, describe Step 2 - Rate.

A

The second step in a risk assessment process is to assess the level of risk for each individual risk identified. This process usually begins with a rating of the significance of the impact of the risk identified. That significance could be as simple as high, medium, or low impact. It can also be much more sophisticated, for example a significance rating factor based on a percentage scale from 0 to 100. Some risks may be assessed low enough to be ignored.

22
Q

In the risk assessment life cycle, describe Step 3 - Rank.

A

After Step 2, where risks are rated (based on significance and likelihood), the next step is to organize the risks in order of priority.

23
Q

In the risk assessment life cycle, describe Step 4 - Respond.

A

In this step, management develops appropriate responses to the higher risks. Management should formally develop mitigating controls, actions, or plans to sufficiently mitigate all of the risks to an acceptable level. Some risks will already be at an acceptable level, and will therefore not need to be mitigated further.

24
Q

In the risk assessment life cycle, describe Step 5 - Report.

A

After management has identified, assessed, ranked, and provided mitigating actions, that information needs to be documented. Management should create a report or document that provides a formal and structured conclusion to the risk assessment process to this point.

25
Q

In the risk assessment life cycle, describe Step 6 - Review.

A

“Review” is the process of monitoring the risks, individually and in groups, and monitoring the effectiveness of risk mitigation. This is critical in keeping risks at an acceptable level.

26
Q

In the risk assessment process, in Step 2 - Rate, what is another common phase in this step other than to rate significance?

A

Another common phase in this step is to rate the likelihood that the risk will come to fruition and not be prevented. A simple approach is high, medium, or low probability, or it could be more granular as 0.00 to 1.00 or a percentage.

27
Q

In Step 3 - Ranking - of the risk assessment process, how are risk scores obtained? What do we do with them after we have them?

A

To obtain a risk score, multiply the significance factor by the likelihood factor. The risk scores can then be ordered to rank the risks in a scorecard manner: a scorecard is a simple list of the risks ordered by their risk scores. Instead of using a scorecard, the risk scores can be plotted on a traditional scatter plot.

28
Q

When is a scatter plot used?

Describe a scatter plot.

A

A scatter plot can be used in Step 3 - Rank - of the risk assessment process. A scatter plot is a graph with four quadrants. Significance is plotted on the vertical (Y) axis and likelihood on the horizontal (X) axis. The graph is then divided into four quadrants, as follows:
1 - Quadrant 4 (high significance, high likelihood) - High Risk
2 - Quadrants 2 and 3 (high on one axis, low on the other) - Medium Risk
3 - Quadrant 1 (low significance, low likelihood) - Low Risk
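
The Rate and Rank steps described in cards 17, 21, 26, 27 and 28, as an added example in Python that is not part of the CITP BOK or of this card set. It assumes both factors are rated 1 to 5, that a rating of 3 or more counts as "high" on an axis, that scores below 4 are the ones "low enough to be ignored", and that Quadrant 2 is high significance / low likelihood (Quadrant 3 the reverse); the page fixes none of those, and the sample risk register is constructed for illustration.

```python
from dataclasses import dataclass

SCALE_MAX = 5     # assumption: both factors rated 1..5 (the page also allows H/M/L or 0-100)
MIDPOINT = 3      # assumption: a rating of 3 or more counts as "high" on that axis
IGNORE_BELOW = 4  # assumption: scores under 4 are "low enough to be ignored" (card 21)


@dataclass(frozen=True)
class Risk:
    name: str
    significance: int  # impact if the risk materialises
    likelihood: int    # chance it materialises and is not prevented (card 26)

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so a typo cannot skew the ranking.
        for attr in ("significance", "likelihood"):
            value = getattr(self, attr)
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{attr} must be 1..{SCALE_MAX}, got {value}")

    def score(self) -> int:
        """Card 27: risk score = significance factor x likelihood factor."""
        return self.significance * self.likelihood


def quadrant(risk: Risk) -> int:
    """Card 28 quadrants: 4 = high/high, 1 = low/low, 2 and 3 = mixed.
    Assumption: Q2 = high significance / low likelihood, Q3 = the reverse."""
    high_sig = risk.significance >= MIDPOINT
    high_lik = risk.likelihood >= MIDPOINT
    if high_sig and high_lik:
        return 4
    if high_sig:
        return 2
    if high_lik:
        return 3
    return 1


def rating(risk: Risk) -> str:
    """Card 28: Q4 high, Q2/Q3 medium, Q1 low."""
    return {4: "High", 2: "Medium", 3: "Medium", 1: "Low"}[quadrant(risk)]


def scorecard(risks):
    """Step 3 as a scorecard: a flat list ordered high to low by risk score.
    Ties break on significance, then name, so the order is deterministic."""
    return sorted(risks, key=lambda r: (-r.score(), -r.significance, r.name))


def scatter_plot(risks):
    """Step 3 as a scatter plot: names grouped by quadrant, each group ordered by score."""
    groups = {4: [], 2: [], 3: [], 1: []}
    for r in scorecard(risks):
        groups[quadrant(r)].append(r.name)
    return groups


def needs_response(risks):
    """Input to Step 4 - Respond: everything not rated low enough to ignore, highest first."""
    return [r for r in scorecard(risks) if r.score() >= IGNORE_BELOW]


# Constructed sample register (illustrative values, not taken from the page).
SAMPLE = [
    Risk("In-house developed revenue application", 4, 4),
    Risk("DBA with unrestricted production access and no SoD", 5, 3),
    Risk("EUC spreadsheet used to prepare journal entries", 2, 5),
    Risk("Automated middleware transfer into the GL", 4, 2),
    Risk("COTS payroll package from an established vendor", 2, 1),
]

if __name__ == "__main__":
    for r in scorecard(SAMPLE):
        print(f"{r.score():>3}  Q{quadrant(r)} {rating(r):<6} {r.name}")
    print("Respond to:", [r.name for r in needs_response(SAMPLE)])
```

scorecard() is the simple ranking and scatter_plot() the quadrant grouping; both read the same scores, which is the point of card 27: the plot is a presentation of the scorecard, not a different assessment. Whatever thresholds management picks should be written into the risk assessment report (Step 5) so the ranking can be reproduced at the next review.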

29
Q

What does management need to do when performing risk assessments?

A

Management needs to do a formal ranking of risks, and use a structured process to get to that ranking. Management also needs to document the process (for example rationale, approach, method used) and results.

30
Q

In Step 6 - Review - of the Risk Assessment process, what activity is critical in keeping risks at an acceptable level?

A

Any risk assessment, especially as it relates to IT, needs to be reviewed regularly. Monitoring the risks, individually and in groups, and monitoring the risk mitigation effectiveness is critical in keeping risk at an acceptable level.

New risks emerge, while old risks can increase or decrease. Controls or other mitigations can lose effectiveness, and alternative mitigations can become more efficient or effective than the ones in existence. Because of these factors, a regular review is important to an effective risk assessment and risk management program. The CITP should not only see that management performs periodic risk assessments, but also should see that management has implemented a formal and structured approach to monitoring and responding to risks appropriately.

By monitoring, management could return to Step 4 - Respond; or revisit the other steps of the risk assessment process before responding. This is the life cycle approach to risk assessment - it is a continual process that ends and begins again in a cyclical process.

31
Q

Give the COSO definition of ERM

A

The COSO ERM begins by defining ERM as:

“… a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

32
Q

What are the three dimensions of the COSO ERM model?

Which are of interest to the CITP?

A

The three dimensions are:
- Risk components (8)
- Risk management objectives (4)
- Entity / unit components (proprietary to the entity)
All of these are of interest to CITPs in business and industry. The external CITP (IT auditor) finds ERM useful to review and evaluate a client’s risk management system and results, for purposes of the engagement objectives.

33
Q

What are the Risk-based audit phases?

In which phase will the CITP need to gather evidence about IT-related inherent risk in order to make a reasonable assessment of the RMM for a client?

A
  • Risk assessment phase
  • Audit planning phase
  • Further audit procedures
During the risk assessment phase of a financial audit, the CITP gathers evidence about IT-related inherent risk in order to make a reasonable assessment of the RMM.

34
Q

Are further audit procedures (FAP) linked to specific risks?

A

Yes. The RBA standards require further audit procedures to be developed from a financial statement risk assessment, where the FAP are linked to specific risks.
Not only are they linked to specific risks, but also the level of the substantive procedure (or other FAP) should be appropriate for that level of risk. That is, for high risk RMM, the FAP needs to be one of the more powerful ones; for example, re-performance.

35
Q

When should the risk assessment phase occur for a financial statement audit?

A

The risk assessment phase typically should occur in the last quarter of the fiscal year under audit, and possibly in some other quarter during the fiscal year. For controls to be considered effective in audits of publicly traded companies, those controls must be operationally effective throughout the fiscal year.

36
Q

What are the two perspectives that a financial statement risk assessment can be viewed?

A

Financial statement risk assessment can be viewed by two primary perspectives.

1) The financial reporting process that leads to the financial reports; and
2) The financial statements themselves.

37
Q

What are the relevant components of a process flowchart? Why are flowcharts important?

A
Relevant components:  
- Systems
- Data sources
- Relevant processes
- Controls, and
- Workflows
Flowcharts are important because often, tracking entire processes using flowcharts becomes critical for the CITP to be able to identify potential IT-related risks associated with the data that will end up in the financial statements, and risks associated with automated business processes and IT-embedded controls.
38
Q

What are the (process) components of an IT risk assessment?

A

Process: Applications
Process: Data storage (Integrity, security and reliability)
Process: Communications
Process: Data transfers

39
Q

Describe the bulls-eye approach to a data focused risk assessment

A

Data is at the center of the bulls-eye. Moving outward are applications, then the operating system, then the network.

40
Q

In reviewing Applications, which type of systems / applications have the most risk?

A

Customized software developed by the entity has the most risk. Vendor customized software has the next level of risk. Commercial off-the-shelf software (COTS), from reliable vendors, has the least risk.

41
Q

Why is customized software developed by the entity the most risky type of application?

A

There is a relatively high IR for applications developed in-house because of the nature of programming. It is very difficult to develop an application, even when tested, and put into operations without any bugs or glitches (Murphy’s IT law). The probability of something being wrong once an application is developed and implemented is almost 100 percent.

42
Q

Why are COTS applications less risky?

A

Generally speaking, the application situation with the least risk is a COTS package AND the vendor is reliable. The assumption is that a vendor with a large set of customers where the application has been in existence for some years is relatively reliable; more reliable than home-grown applications.

43
Q

Why does data storage have a high inherent risk?

A

The nature of the modern database is to be enterprise-wide in scope; that is, a single database holds an enormous portion of the data the enterprise has captured. If an unauthorized person gets access to the entity’s database, that person has access to a large portion of the entity’s data.

Database risk is why a database administrator (DBA) has such a high inherent risk. IR associated with a DBA is why there should be strict and broad mitigating controls, such as proper SoD for the DBA. The DBA might be able to circumvent strong network and application controls.

44
Q

How important is data to the CITP?

A

It can be argued that financial statement data is the hub of all IT risks associated with financial statement audits. It can be argued, from the perspective of the external CITP, that it is all about the data.

This is partially mitigated because in reality, the data is generally under the control of applications. That is, data is accessed, changed and reported from applications - very few people have direct access to the data.

45
Q

Why do we call applications “front doors”? Why is this important?

A

Generally, access to data is obtained via the application that houses the data (known as the “front door”). Access to an application allows a user access to the data it houses. This fact is why it is so important to identify the key, relevant systems for accounting applications and financial statement reporting in order to assess this type of IT risk.

46
Q

Why do we call operating systems “back doors”? Why is this important?

A

Data is accessed through applications; applications and data are housed in operating systems (the third ring of the data-focused risk assessment bulls-eye). Operating systems control who can obtain access to the applications.

Unfortunately, the data can be accessed directly through the operating system as well (known as the “back door”). Administrators of the O/S need this level of access to keep the system working properly.

This is important because unauthorized access to the O/S also presents a high IR of access to data.

47
Q

Why is the “communications” aspect of the IT risk assessment important?

A

Sometimes relevant data is communicated across networked lines or systems. This situation usually carries a relatively high IR because of the susceptibility of intrusions or unauthorized interceptions.

48
Q

Why is the “Data Transfers” aspect of the IT risk assessment important?

A

A special type of communications is data transfers. Any time data is transferred from one system to another, that process has high IR. Manual, semi-automated, and automated transfers; all have high IR.

Manual transfers have the highest risk because of the nature of manually rekeying data.

49
Q

What is end user computing (EUC)?

A

EUC occurs when
- the employee is using a tool that is customizable,
- the employee makes raw data entries,
- the employee builds calculations or processes, or
- some combination of all of these.
Excel worksheets are an example of EUC.

50
Q

Why is EUC considered to be high risk?

A

EUC is considered to be relatively high in IR because of the employee dependent circumstances. Usually, EUC involves employees who have an insufficient knowledge, ability, and expertise related to IT and controls, and who lack proper SoD. SoD is missing because the employee develops the tool; runs the tool; and has virtually sole custody of the tool.

51
Q

Describe semi-automated transfers and their level of risk.

A

When data is exported into some kind of file (ASCII or CSV) and then manually imported into Excel or a similar tool. This type of transfer has a little less IR than manual key entry because it does not involve the manual rekeying of data. Since the receiving system is EUC, there is still relatively high IR, especially related to fraud, because it is fairly easy for the end user to manipulate the data in the spreadsheet offline from the primary accounting information system (AIS).

52
Q

Describe an automated transfer and its level of risk.

A

An automated transfer is when the entity or a third party has written middleware to transfer data from one computerized system to another. While this type of transfer is generally considered relatively high IR as a process, it has the lowest risk of the three data transfer processes (manual, semi-automated and automated) because data is transferred without human intervention and because the receiving system is an automated system (not Excel or an Access database).

53
Q

Describe security risk assessments (audits). Are all of the risks relevant in a security audit relevant for a financial statement audit?

A

Security audits are a special case of risk assessment. Some of what a security audit covers is relevant to a financial audit, some is not, and some depends on the circumstances. For example, logical access plays a key role in assessing IT risk for a financial statement audit, and it is also a key risk in a security risk assessment.

For a financial audit, some of the risks in a security audit would not be relevant. For example, if an intruder gained access at the network level only to be frustrated by strong access controls at the application level, the perimeter controls could be seen as irrelevant for a financial statement audit. However, perimeter weaknesses are critically important in security risk assessments.

54
Q

What are the elements of the business environment that relate directly to the role and responsibilities of the CITP?

A

For the business environment:

  • Computer operations
  • IT general controls
  • IT policies and procedures
These are all elements of the business environment, and all examples of areas in which the CITP can make contributions or would examine when performing risk assessments.
55
Q

What are the elements of business processes that relate directly to the role and responsibilities of the CITP?

A

In order for a CITP to properly evaluate IT controls, he must have an understanding of the entity’s business processes. For example, automated controls are embedded in automated business processes.

?? I don’t follow this discussion, page 1-21 of the book.

56
Q

Issues related to the executive management function need to be considered in the framework of what?

A

Issues need to be considered in the framework of the primary functions of management: plan, organize, direct and control. In these functions, one can identify areas of risk and opportunities from controls. The CITP should be familiar with the IT risk implications and considerations of these functions.

57
Q

Name and describe the four key aspects of executive management’s single, composite strategic plan.

A

Executive management’s single, composite strategic plan has the following four components:

 1) The strategic plan - executive management should provide general guidance for the primary roles and responsibilities of IT in the organization.
 2) Risk assessment, including plans to mitigate identified risks - executive management should do an IT risk assessment in order to effectively mitigate risks that can potentially adversely affect the business, its operations, its ability to compete effectively, and its ability to reach its strategic goals and objectives.
 3) Plans for an operational budget and a capital budget for the IT function.
 4) A plan for how to assess the value of the IT portfolio, of individual projects, or of IT as a strategic resource. The capital budget should be aligned with a valuation (for example, ROI) to mitigate the risk of IT inefficiencies.
58
Q

In executive management’s strategic plan, what primary roles and responsibilities of the IT organization should be described?

A
  • Vision or purpose statement regarding the overall role of IT for the entity;
  • Provide general direction for future developments and changes in IT
  • Formal mechanism for making sure IT meets strategic objectives and is valued by some objective measure (for example, ROI)
  • Other long-term issues should also be provided for in the plan
59
Q

“Organize” A major responsibility of executive management related to IT is to ensure the entity acquires the necessary resources to accomplish its goals and objectives. Describe some of the resources.

A
  • Infrastructure
  • Hardware
  • Software
  • Qualified IT personnel
  • Finances
  • Facilities
60
Q

Why is the organization chart important?

A

Another aspect of organizational structural planning is the organization chart. This chart and structure is vital to risk because management could fail to properly segregate incompatible IT functions and thereby increase risk in all associated IT, systems, business processes, and automated control.

61
Q

Name a few reasons why application development should be segregated from application maintenance.

A

1) “Second set of eyes” - a deterrent to malicious code because the independent, second person has a chance of detecting bad code
2) Documentation - given that a different person is going to maintain the application, there is a good likelihood that adequate documentation of the original application exists
3) SoD - segregation of duties is valuable in identifying coding errors that might go unnoticed by the original programmer and end users. The maintenance programmer has some probability of spotting erroneous code while maintaining it.

62
Q

Why is software program development separate from operations?

A

The programmer is in the position of knowing or creating ways around the controls. If a programmer were also a user, the programmer could deliberately create errors or commit fraud.

63
Q

What are the two methods of setting an IT capital budget?

What are some risks regarding how management chooses to spend money (capital outlays for IT)?

A

There are two approaches for IT capital outlays: a formal, structured process for developing a capital budget, or presenting business cases to the BoD on an ad hoc basis for approval. The choice of method matters because the structured process reduces risk, while the ad hoc process increases the following risks:

1) IT projects will fail to be delivered on time, within budget and be fully functional;
2) IT projects will fail to meet the strategies of the entity;
3) The IT function will not develop the most effective technologies and systems and
4) The entity will spend more money than necessary.

64
Q

In the executive management functions of plan, organize, direct and control, describe the “direct” function and why is it important.

A

The purpose of management’s direction function is to ensure compliance with objectives, policies, procedures and business processes. Much direction revolves around management’s ability to motivate employees. Regarding IT, communication by management is the most significant part of direction. Communication around the following areas is important:

1) Policies and procedures
2) How IT personnel can receive more training; expertise or knowledge;
3) Expectations - such as job descriptions; and
4) The formal processes related to the IT function

65
Q

In the executive management functions of plan, organize, direct and control, describe the “control” function and why is it important.

A

The controlling function’s purpose is to determine whether actual procedures, processes, and practices of the IT function comply with management’s planned activities. Controlling is probably the most relevant of the functions to CITPs as it naturally includes all types of controls, including any intended to mitigate risks.

66
Q

In the executive management functions of plan, organize, direct and control, name some key IT-related outcomes of the planning function.

A
  • Strategic Plan (role and responsibilities of the IT function)
  • Risk Assessment (IT)
  • Budgeting Plans (IT)
  • How to Value IT
  • Policies and Procedures (IT)
67
Q

In the executive management functions of plan, organize, direct and control, name some key IT-related outcomes of the organizing function.

A
  • Acquire resources to support the IT function
  • Dynamic IT portfolio
  • IT function structure (centralize vs. decentralize)
  • IT organization (IT SoD)
  • Operational budget (IT)
  • Capital budget
68
Q

In the executive management functions of plan, organize, direct and control, name some key IT-related outcomes of the directing function.

A
  • Communicating to IT personnel P&P
  • Communicating to IT personnel expectations
  • Communicating to IT personnel advancement opportunities
  • Communicating to the remainder of the entity the role and responsibilities of the IT function
  • Managing the IT function efficiently and effectively, especially addressing risks
69
Q

In the executive management functions of plan, organize, direct and control, name some key IT-related outcomes of the controlling function.

A
  • IT projects and costs by IT Governance (or surrogate)
  • Computer operations
  • Quality of systems and technologies
  • Quality of training of users
  • Data integrity, security and reliability
  • Systems and technologies security
  • Adequacy of automated controls in applications

70
Q

Why does complexity usually equate with risk?

A

The more complex an entity (or business process, or economic transaction), the greater the inherent risk (IR). Complexity of the entity thus has an indirect impact on the risk assessment, through its effect on IR.

  • The more complex the business processes are, the more risk there is in performing those processes.
  • The more complex the transactions are, the more risk there is that those transactions will not be recorded, valued, and processed properly.
  • The more complex the entity’s IT is, the more risk there is in everything.

71
Q

What is the audit risk model for financial reporting?

A

The AICPA has adopted the following audit risk model as an aid in determining the level of acceptable audit risk:

AR = IR x CR x DR

Audit risk (AR) is a function of three primary risks: inherent risk (IR), control risk (CR) and detection risk (DR). Because the auditor sets the acceptable AR and assesses IR and CR, the model is in practice rearranged to give the detection risk the auditor can accept: DR = AR / (IR x CR). The higher the assessed IR and CR, the lower the acceptable DR, and the more persuasive the further audit procedures must be.

72
Q

Describe the taxonomy for ITGCs

A

One taxonomy for ITGCs is the IT control environment, change management, logical access controls, data backups and recovery, and third party IT suppliers.

73
Q

Describe IT control environment risks

A

The IT control environment includes elements such as IT strategy; IT governance; project management; managing the IT function, and related topics. The goal is to minimize the risks associated with the IT function in general.

74
Q

Describe Change Management risks

A

Change management involves the processes, structure, and policies and procedures (P&P) related to all changes in IT, including all software and hardware changes, with the intent of controlling the risk associated with changes to IT.

75
Q

Describe Logical Access risks

A

Logical access controls involve properly restricting access to applications and data in order to reduce risks associated with unauthorized or improper access.

76
Q

Describe Data Backup and Recovery risks

A

Data backup and recovery involves the risks associated with traumatic IT events.

77
Q

Describe Third Party IT suppliers risks

A

Third-party IT supplier risk is the risk associated with outsourcing key or significant IT functionality to vendors, together with the risk that the vendors’ own controls are inadequate.

78
Q

Why do the PCAOB and AICPA suggest a test of one might be sufficient under the right circumstances?

A

An automated control executes the same way every time. To confirm that the IT performs the control on each and every instance in the same manner, the CITP can test one transaction through the process for validity. Generally speaking, because an automated control is more reliable than an equally well designed manual control, it is acceptable to test one transaction in an automated process to verify that the process works as intended. This reliance assumes that the relevant ITGCs, particularly change management and logical access, are operating effectively; if the program could have been altered without authorization, a single test no longer proves that the control executed consistently throughout the period.

79
Q

Describe the RMM Process framework

A

The RMM process framework has the following steps: IR; type of risk; risk level; controls; CR assessed; which together give the RMM.
IR - Identify the account balances, classes of transactions or disclosures that have a RMM
Type of risk - Error or fraud
Risk level - Whether the risk relates to a relevant assertion regarding the IR or to the financial statements as a whole
Controls - Identify the controls that could mitigate the IRs identified
CR assessed - To what degree are these controls effective in reducing the RMM
RMM - Combine the IR and CR to determine the level of risk for each specific RMM

80
Q

What is a walk-through?

What is the auditor’s primary objective when performing a walk-through?

A

A walk-through is the act of tracing a transaction through organizational records, procedures, and business processes. The auditor’s primary objective when performing a walk-through is to develop an understanding of transaction flow, that is, how transactions are:

  • Initiated
  • Authorized
  • Recorded
  • Processed and
  • Reported

81
Q

Why are walk-throughs important?

A

A walk-through is a non-technical approach to learning how a particular process or transaction works. Walk-throughs help the CITP determine what controls are being used and how effectively they may be operating. AS 5 states that walk-throughs are the procedure of choice when attempting to understand key processes and controls. At the points at which important processing procedures occur, the auditor questions the employee about their understanding of what is required by the entity’s prescribed procedures and controls.

82
Q

What type of steps are walk throughs? What is done?

A

A walkthrough by itself is a preliminary step in the overall testing process. Walkthrough procedures could include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls. Together, these tests allow the auditor to gain a sufficient understanding of the process and to be able to identify important points at which a necessary control is missing, operating ineffectively, or not designed properly.

83
Q

Are walkthroughs required?

A

Yes. Walkthroughs are required when certifying financial reporting controls under SOX 404.

84
Q

How does the auditor determine relevant business processes and controls to review?

A

Based on the concept of key controls, the IT auditor will choose the BPs and controls that are relevant. They become relevant if (1) they are associated with financial statement data or the financial reporting processes, (2) they are IT related or IT-dependent, and (3) they are related to the RMM.

85
Q

What does it mean to benchmark relevant automated controls?

A

The IT auditor will need to measure the “strength” (that is, reliance) of the key controls. In order to make a valid measure of the relevant automated control in place, the IT auditor needs a “ruler” or a benchmark. Usually, the benchmark is the designed purpose of the control. Another option is best practice, if an applicable one exists.

86
Q

What are the basic elements of the risk assessment report?

A

Once the IT risk assessment is completed, the CITP will need to generate a report documenting the inputs, processes, and results with evidence for the conclusions in the report. The report should have most, if not all of the following sections:

  • IT Control Environment
  • Risk Assessment
  • IT Governance
  • Budget
  • Best Practices
  • Change Management
  • DRP / Business Continuity
  • InfoSec - Information Security

87
Q

What does it mean to say that SAS 110 requires the auditor to “link” further audit procedures to identified risks?

A

SAS 110 requires auditors to “link” further audit procedures (FAPs) to identified risks by choosing the type of procedure that can provide the level of assurance required for the level of risk. That is, a high risk requires a high-powered FAP. The types, from the least to the most assurance, are: inquiry, observation, inspection, and re-performance.

88
Q

Are flow-charts essential to walkthroughs?

A

No. Flowcharts are not essential to walkthroughs. The use of flowcharts may be beneficial in providing insights to the role of IT in financial processes and in identifying IT related inherent risk.

89
Q

How does AS5 impact CITPs?

A

The same way as the risk standards do, plus through internal control over financial reporting (ICFR), integrated audits, and SOX 404 requirements.