Chapter 1 Self Assessment Flashcards

1
Q

Which of the following outlines the overall authority to perform an IS audit?

A. The audit scope with goals and objectives
B. A request from management to perform an audit
C. The approved audit charter
D. The approved audit schedule

A

C. The approved audit charter

The approved audit charter outlines the auditor’s responsibility, authority and accountability.

2
Q

In performing a risk-based audit, which risk assessment is completed FIRST by an IS auditor?

A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment

A

C. Inherent risk assessment

3
Q

Which of the following would an IS auditor MOST likely focus on when developing a risk-based audit program?

A. Business processes
B. Administrative controls
C. Environmental controls
D. Business strategies

A

A. Business processes

4
Q

Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?

A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

A

C. Inherent risk

The risk level or exposure without taking into account the actions that management has taken or might take is inherent risk.

5
Q

An IS auditor performing a review of an application’s controls finds a weakness in system software that could materially impact the application. In this situation, an IS auditor should:

A. Disregard these control weaknesses because a system software review is beyond the scope of this review.
B. Conduct a detailed system software review and report the control weaknesses.
C. Include in the report a statement that the audit was limited to a review of the application’s controls.
D. Review the system software controls as relevant and recommend a detailed system software review.

A

D. Review the system software controls as relevant and recommend a detailed system software review.

The appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software review for which additional resources may be recommended.

6
Q

Which of the following is the MOST important reason why an audit planning process should be reviewed at periodic intervals?

A. To plan for deployment of available audit resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit charter
D. To identify the applicable IS audit standards

A

B. To consider changes to the risk environment

Short- and long-term issues that drive audit planning can be heavily impacted by changes to the risk environment, technologies and business processes of the enterprise.

7
Q

Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?

A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams

A

B. Facilitated workshops

Facilitated workshops work well within business units.

8
Q

Which of the following would an IS auditor perform FIRST when planning an IS audit?

A. Define audit deliverables.
B. Finalize the audit scope and audit objectives.
C. Gain an understanding of the business’s objectives and purpose.
D. Develop the audit approach or audit strategy.

A

C. Gain an understanding of the business’s objectives and purpose.

9
Q

The approach an IS auditor should use to plan IS audit coverage should be based on:

A. risk.
B. materiality.
C. fraud monitoring.
D. sufficiency of audit evidence.

A

A. risk.

10
Q

An organization performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is an example of a:

A. preventive control.
B. management control.
C. corrective control.
D. detective control.

A

C. corrective control.

11
Q

While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?

A. Business processes
B. Administrative controls
C. Operational controls
D. Business strategies

A

A. Business processes

A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risk impacts the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.

12
Q

In performing a risk-based audit, which risk assessment is completed INITIALLY by the IS auditor?

A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment

A

C. Inherent risk assessment

Inherent risk exists independently of an audit and can occur because of the nature of the business. To successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit, the IS auditor needs to understand the business process, and by understanding the business process, the IS auditor better understands the inherent risk.

13
Q

The FIRST step in planning an audit is to:

A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business’ objectives.
D. develop the audit approach or audit strategy.

A

C. gain an understanding of the business’ objectives.

The first step in audit planning is to gain an understanding of the business’s mission, objectives and purpose, which in turn identifies the relevant policies, standards, guidelines, procedures and organization structure.

14
Q

The approach an IS auditor should use to plan IS audit coverage should be based on:

A. risk.
B. materiality.
C. professional skepticism.
D. sufficiency of audit evidence.

A

A. risk.

ISACA IS Audit and Assurance Standard 1202, Planning, establishes standards and provides guidance on planning an audit. It requires a risk-based approach.

15
Q

A company performs a daily backup of critical data and software files, and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:

A. preventive control.
B. management control.
C. corrective control.
D. detective control.

A

C. corrective control.

A corrective control helps to correct or minimize the impact of a problem. Backup tapes can be used for restoring the files in case of damage of files, thereby reducing the impact of a disruption.

16
Q

Which of the following best describes integrated auditing?

A. Integrated auditing places internal control in the hands of management and reduces the time between the audit and the time of reporting.
B. Integrated auditing combines the operational audit function, the financial audit function, and the IS audit function.
C. Integrated auditing combines the operational audit function and the IS audit function.
D. Integrated auditing combines the financial audit function and the IS audit function.

A

B. Integrated auditing combines the operational audit function, the financial audit function, and the IS audit function.

17
Q

Which type of sampling would best be used to uncover fraud or other attempts to bypass regulations?

A. Attribute sampling
B. Frequency estimating sampling
C. Stop-and-go sampling
D. Discovery sampling

A

D. Discovery sampling

18
Q

Which of the following best describes this statement: This risk can be caused by the failure of internal controls and can result in a material error.

A. Audit risk
B. Inherent risk
C. Detection risk
D. Control risk

A

D. Control risk

19
Q

Which of the following is not one of the best techniques for gathering evidence during an audit?

A. Attend board meetings
B. Examine and review actual procedures and processes
C. Verify employee security awareness training and knowledge
D. Examine actual reporting relationships to verify segregation of duties

A

A. Attend board meetings

20
Q

Which of the following is not an advantage of the control self-assessment (CSA)?

A. CSA helps provide early detection of risks.
B. CSA is an audit function replacement.
C. CSA reduces control costs.
D. CSA provides increased levels of assurance.

A

B. CSA is an audit function replacement.

21
Q

Which of the following is the best example of a detective control?

A. Intrusion-prevention systems
B. User registration process
C. Variance reports
D. Access-control software

A

C. Variance reports

22
Q

Which of the following is the best example of a general control procedure?

A. Internal accounting controls used to safeguard financial records
B. Business continuity and disaster-recovery procedures that provide reasonable assurance that the organization is secure against disasters
C. Procedures that provide reasonable assurance for the control of access to data and programs
D. Procedures providing reasonable assurance that have been developed to control and manage data-processing operations

A

A. Internal accounting controls used to safeguard financial records

23
Q

Which of the following describes a significant level of risk that the organization is unwilling to accept?

A. Detection risk
B. Material risk
C. Business risk
D. Irregularities

A

B. Material risk

24
Q

Which of the following is the most accurate description of a substantive test in which the data represents fake entities such as products, items, or departments?

A. Parallel tests
B. Integrated test facility
C. Embedded audit module
D. Test data

A

B. Integrated test facility

25
Q

You need to review an organization’s balance sheet for material transactions. Which of the following would be the best sampling technique?

A. Attribute sampling
B. Frequency estimating sampling
C. Stop-and-go sampling
D. Variable sampling

A

D. Variable sampling