CISA Concepts Flashcards

1
Q

What is the definition of audit?

A

Auditing is a detailed and specific evaluation of a process, procedure, organization, job function, or system, in which results are gathered and reported.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the purpose of ethics?

A

To mandate the professional and personal conduct of auditors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

According to the ISACA Code of Ethics is an auditor allowed to share the results of an audit with other personnel?

A

The auditor must maintain confidentiality of the audit unless required by legal authority

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Should the IS audit plan be integrated into the overall audit plan for the organization?

A

The IS Audit function must fulfill all organizational audit objectives.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

An IS Auditor is best advised to follow the standards provided by ISACA for conducting an planning IS Audits

A

ISACA audit standards are recommendations for planning IS audits.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

ISACA Audit standard S2 Independence refers to what?

A

An Auditor should be independent of the area being audited

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Standard S4 Professional Competence, requires the auditor to have the skills to conduct the audit?

A

appropriate continuing professional education

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

The basis for an audit plan should be what?

A

Risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Audit findings and conclusions are supported by what?

A

Evidence

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

When an auditor uses the assistance of outside experts, what obligations does the auditor have to review the work of the experts?

A

The auditor must apply additional test procedures if the work of outside experts is not adequate

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

When an auditor is planning an information system audit and suspects a potential control weakness, what are they obligated to do?

A

The auditor must consider the materiality of the weakness and plan the audit accordingly.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What role does risk assessment have in audit planning?

A

Risk assessment is used to determine the priorities for audit and allocation of audit resources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What steps should an auditor take when a material irregularity is discovered?

A

The auditor should communicate the irregularity to management in a timely manner

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is the risk to an audit if unusual relationships exist between staff members in the area being audited?

A

The auditor may be provided inaccurate evidence

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

True or False? Supervision of the information systems audit staff should not be necessary if the staff is adequately trained and experienced

A

TRUE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Once an audit is completed and submitted does the auditor have any further responsibility?

A

Yes, the auditor should follow up to ensure that management addressed any audit issues in a timely manner

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

IT governance means:

A

The IT function aligns with business mission, values and objectives

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Relationships with third parties may:

A

Require the organization to comply with the security standards of the third party

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

True or False? The organization does not have to worry about the impact of third party relationships on the security program

A

FALSE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

The role of an Information Systems Security Steering Committee is to:

A

Provide feedback from all areas of the organization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

The most effective tool a security department has is:

A

A security awareness program

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

The role of Audit in relation to Information Security is:

A

The validate the effectiveness of the security program against established metrics

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Who should be responsible for development of a risk management strategy?

A

The Security Manager

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

The security requirements of each member of the organization should be documented in:

A

Their job descriptions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What could be the greatest challenge to implementing a new security strategy?
Obtaining buy-in from employees
26
Which forms of wireless media operate only when there are no obstacles in the transmission path?
Spread spectrum
27
What best defines electrical noise?
Extraneous signals introduced onto network media.
28
An audit log is an example of a:
Detective control
29
A compensating control is used:
When normal controls are not sufficient to mitigate the trick
30
A disgruntled former employee is a:
Threat
31
A bug or software flaw is a:
Vulnerability
32
Encryption is an example of a:
Countermeasure
33
The examination of risk factors would be an example of:
Risk analysis
34
True/False: The only real risk mitigation technique is based on effective implementation of technical controls.
FALSE
35
Should a risk assessment consider controls that are planned but not yet implemented?
Yes, because it would not be appropriate to recommend implementing controls that are already planned
36
What is the purpose of a control?
Controls are used to resolve vulnerabilities
37
What is the definition of risk assessment?
The evaluation of the level of risk to an information system.
38
What is residual risk?
The level of risk that remains after the implementation of controls
39
What is the primary focus of risk assessment?
Regulatory requirements
40
What is audit detection risk?
The risk that the tests used during an audit did not discover an error
41
What is inherent risk?
A risk associated with pre-existing errors in the control environment
42
What is the first phase of the risk analysis process?
Critical asset identification
43
What are the components of risk analysis?
Threat, vulnerability and impact
44
What is the relationship between risk assessment and audit?
Risk assessment is used to identify high-risk areas to be audited
45
The intent of a control is to:
Reduce the likelihood or impact of the threat
46
If the materiality is minimal then:
It may be ignored
47
The determination of materiality is:
Based on the judgment of the auditor
48
An example of a preventative control is:
B) A security policy
49
An example of a detective control is:
Review of audit logs
50
A corrective control is designed to:
Restore systems to normal
51
An example of a corrective control is:
A business continuity plan
52
An organization implements a procedure to control changes to the configuration of an information system. This would be an example of a(n):
Administrative Control
53
Administrative controls are used to:
Monitor compliance with policy
54
Internal controls may be:
either manual or automated
55
The development of an IS Audit strategy will include:
Identification of controls to be evaluated
56
Once the audit strategy is developed, the auditor will:
Communicate the strategy to management.
57
What control classification would an auditor use to monitor an organization's internal corporate network in order to report any unauthorized access attempts?
Detective
58
The audit charter is an important document. What is included in the audit charter?
The scope of the audit function
59
Developing an audit plan requires the determination of required personnel resources and?
Arranging for access to the audit area
60
The audit plan must be designed to ensure compliance with laws and regulations, this will require the knowledge of the regulations and?
A review to ensure management were aware of regulations when developing policies and procedures
61
The audit plan will be based on:
The stated objectives of the audit
62
The purpose of audit objectives is to establish whether internal controls are minimizing risk and?
functioning properly
63
A operational audit is designed to test?
The effectiveness of the organization's internal control environment
64
What is the purpose of a specialized audit?
A specialized audit tests the services provided by an external organization
65
What is a primary consideration when performing a forensic audit?
Maintaining proper evidence handling and management techniques
66
What is the purpose of audit planning?
Audit planning provides a clear overview of the audit before the audit commences
67
What is the most critical step in audit planning?
Focus on high risk areas
68
How do laws and regulations affect an audit plan?
The audit plan must be designed to test for compliance with laws and regulations
69
What is the responsibility of the auditor in relation to fraud
The auditor must always be watchful for fraud while performing an audit
70
Who should be able to see an audit methodology document?
The audit methodology document is used to communicate with all audit team members
71
When an auditor finds a minor violation of policy or procedures, what should their course of action be?
Include the violation in the audit report
72
When an auditor finds a problem that is outside the scope of the audit plan, what should be done?
Consult with audit management about adjusting the scope of the problem
73
An auditor has found a problem and notified management. The problem was immediately fixed. Should the problem be included in the audit report?
Yes, all material findings should be in the report, but noted as fixed.
74
True or False? An audit that finds no serious issues may not require the preparation of an audit report
FALSE
75
All data gathered during an audit is considered?
audit evidence
76
Common methods of gathering information during an audit include:
Interviewing
77
When using observation as an audit data gathering method, what is an important concern?
Do not disrupt business operations
78
What is a characteristic of a divisional organization structure?
Teams operate as separate units within the parent organization
79
What is the advantage of using CAATS to support an audit
CAATS provide an effective way to collect and analyze data from different electronic systems
80
When data is gathered to determine whether users are following policies, this is an example of?
Compliance audit
81
An audit that validates individual transactions to test the effectiveness of a procedure is a?
Substantive audit
82
What type of audit evidence is considered more reliable?
Obtained from independent parties
83
An auditor checks 100 transactions to see if they were handled correctly. What type of audit is this
Compliance audit
84
An audit that checks that all transactions over $5000 require approval by a supervisor is what type of audit?
Substantive audit
85
An auditor needs to select a certain number of transactions for examination. What method may be used for this?
Statistical sampling
86
What is the definition of sampling?
Selecting a subset of a larger group of items that will represent the entire group
87
Which type of sampling depends on auditor judgement?
Non-statistical sampling
88
When, during the SDLC, is a test plan developed?
During the design phase
89
What is the purpose of testing?
To uncover any bugs or flaws in the system
90
Change management and problem management are parts of a:
Configuration management process
91
What form of systems migration will have the least impact on business operations
Parallel
92
What task must be done to enable a data migration from an old system to a new one?
Ensure that the data is converted to a format acceptable for the new system