CISA Concepts Flashcards by Host Mom

What is the definition of audit?

Auditing is a detailed and speciﬁc evaluation of a process, procedure, organization, job function, or system, in which results are gathered and reported.

How well did you know this?

Not at all

Perfectly

What is the purpose of ethics?

To mandate the professional and personal conduct of auditors

How well did you know this?

Not at all

Perfectly

According to the ISACA Code of Ethics is an auditor allowed to share the results of an audit with other personnel?

The auditor must maintain confidentiality of the audit unless required by legal authority

How well did you know this?

Not at all

Perfectly

Should the IS audit plan be integrated into the overall audit plan for the organization?

The IS Audit function must fulfill all organizational audit objectives.

How well did you know this?

Not at all

Perfectly

An IS Auditor is best advised to follow the standards provided by ISACA for conducting an planning IS Audits

ISACA audit standards are recommendations for planning IS audits.

How well did you know this?

Not at all

Perfectly

ISACA Audit standard S2 Independence refers to what?

An Auditor should be independent of the area being audited

How well did you know this?

Not at all

Perfectly

Standard S4 Professional Competence, requires the auditor to have the skills to conduct the audit?

appropriate continuing professional education

How well did you know this?

Not at all

Perfectly

The basis for an audit plan should be what?

Risk

How well did you know this?

Not at all

Perfectly

Audit findings and conclusions are supported by what?

Evidence

How well did you know this?

Not at all

Perfectly

When an auditor uses the assistance of outside experts, what obligations does the auditor have to review the work of the experts?

The auditor must apply additional test procedures if the work of outside experts is not adequate

How well did you know this?

Not at all

Perfectly

When an auditor is planning an information system audit and suspects a potential control weakness, what are they obligated to do?

The auditor must consider the materiality of the weakness and plan the audit accordingly.

How well did you know this?

Not at all

Perfectly

What role does risk assessment have in audit planning?

Risk assessment is used to determine the priorities for audit and allocation of audit resources.

How well did you know this?

Not at all

Perfectly

What steps should an auditor take when a material irregularity is discovered?

The auditor should communicate the irregularity to management in a timely manner

How well did you know this?

Not at all

Perfectly

What is the risk to an audit if unusual relationships exist between staff members in the area being audited?

The auditor may be provided inaccurate evidence

How well did you know this?

Not at all

Perfectly

True or False? Supervision of the information systems audit staff should not be necessary if the staff is adequately trained and experienced

TRUE

How well did you know this?

Not at all

Perfectly

Once an audit is completed and submitted does the auditor have any further responsibility?

Yes, the auditor should follow up to ensure that management addressed any audit issues in a timely manner

How well did you know this?

Not at all

Perfectly

IT governance means:

The IT function aligns with business mission, values and objectives

How well did you know this?

Not at all

Perfectly

Relationships with third parties may:

Require the organization to comply with the security standards of the third party

How well did you know this?

Not at all

Perfectly

True or False? The organization does not have to worry about the impact of third party relationships on the security program

FALSE

How well did you know this?

Not at all

Perfectly

The role of an Information Systems Security Steering Committee is to:

Provide feedback from all areas of the organization

How well did you know this?

Not at all

Perfectly

The most effective tool a security department has is:

A security awareness program

How well did you know this?

Not at all

Perfectly

The role of Audit in relation to Information Security is:

The validate the effectiveness of the security program against established metrics

How well did you know this?

Not at all

Perfectly

Who should be responsible for development of a risk management strategy?

The Security Manager

How well did you know this?

Not at all

Perfectly

The security requirements of each member of the organization should be documented in:

Their job descriptions

How well did you know this?

Not at all

Perfectly

What could be the greatest challenge to implementing a new security strategy?

Obtaining buy-in from employees

Which forms of wireless media operate only when there are no obstacles in the transmission path?

Spread spectrum

What best defines electrical noise?

Extraneous signals introduced onto network media.

An audit log is an example of a:

Detective control

A compensating control is used:

When normal controls are not sufficient to mitigate the trick

A disgruntled former employee is a:

Threat

A bug or software flaw is a:

Vulnerability

Encryption is an example of a:

Countermeasure

The examination of risk factors would be an example of:

Risk analysis

True/False: The only real risk mitigation technique is based on effective implementation of technical controls.

FALSE

Should a risk assessment consider controls that are planned but not yet implemented?

Yes, because it would not be appropriate to recommend implementing controls that are already planned

What is the purpose of a control?

Controls are used to resolve vulnerabilities

What is the definition of risk assessment?

The evaluation of the level of risk to an information system.

What is residual risk?

The level of risk that remains after the implementation of controls

What is the primary focus of risk assessment?

Regulatory requirements

What is audit detection risk?

The risk that the tests used during an audit did not discover an error

What is inherent risk?

A risk associated with pre-existing errors in the control environment

What is the first phase of the risk analysis process?

Critical asset identification

What are the components of risk analysis?

Threat, vulnerability and impact

What is the relationship between risk assessment and audit?

Risk assessment is used to identify high-risk areas to be audited

The intent of a control is to:

Reduce the likelihood or impact of the threat

If the materiality is minimal then:

It may be ignored

The determination of materiality is:

Based on the judgment of the auditor

An example of a preventative control is:

B) A security policy

An example of a detective control is:

Review of audit logs

A corrective control is designed to:

Restore systems to normal

An example of a corrective control is:

A business continuity plan

An organization implements a procedure to control changes to the configuration of an information system. This would be an example of a(n):

Administrative Control

Administrative controls are used to:

Monitor compliance with policy

Internal controls may be:

either manual or automated

The development of an IS Audit strategy will include:

Identification of controls to be evaluated

Once the audit strategy is developed, the auditor will:

Communicate the strategy to management.

What control classiﬁcation would an auditor use to monitor an organization's internal corporate network in order to report any unauthorized access attempts?

Detective

The audit charter is an important document. What is included in the audit charter?

The scope of the audit function

Developing an audit plan requires the determination of required personnel resources and?

Arranging for access to the audit area

The audit plan must be designed to ensure compliance with laws and regulations, this will require the knowledge of the regulations and?

A review to ensure management were aware of regulations when developing policies and procedures

The audit plan will be based on:

The stated objectives of the audit

The purpose of audit objectives is to establish whether internal controls are minimizing risk and?

functioning properly

A operational audit is designed to test?

The effectiveness of the organization's internal control environment

What is the purpose of a specialized audit?

A specialized audit tests the services provided by an external organization

What is a primary consideration when performing a forensic audit?

Maintaining proper evidence handling and management techniques

What is the purpose of audit planning?

Audit planning provides a clear overview of the audit before the audit commences

What is the most critical step in audit planning?

Focus on high risk areas

How do laws and regulations affect an audit plan?

The audit plan must be designed to test for compliance with laws and regulations

What is the responsibility of the auditor in relation to fraud

The auditor must always be watchful for fraud while performing an audit

Who should be able to see an audit methodology document?

The audit methodology document is used to communicate with all audit team members

When an auditor finds a minor violation of policy or procedures, what should their course of action be?

Include the violation in the audit report

When an auditor finds a problem that is outside the scope of the audit plan, what should be done?

Consult with audit management about adjusting the scope of the problem

An auditor has found a problem and notified management. The problem was immediately fixed. Should the problem be included in the audit report?

Yes, all material findings should be in the report, but noted as fixed.

True or False? An audit that finds no serious issues may not require the preparation of an audit report

FALSE

All data gathered during an audit is considered?

audit evidence

Common methods of gathering information during an audit include:

Interviewing

When using observation as an audit data gathering method, what is an important concern?

Do not disrupt business operations

What is a characteristic of a divisional organization structure?

Teams operate as separate units within the parent organization

What is the advantage of using CAATS to support an audit

CAATS provide an effective way to collect and analyze data from different electronic systems

When data is gathered to determine whether users are following policies, this is an example of?

Compliance audit

An audit that validates individual transactions to test the effectiveness of a procedure is a?

Substantive audit

What type of audit evidence is considered more reliable?

Obtained from independent parties

An auditor checks 100 transactions to see if they were handled correctly. What type of audit is this

Compliance audit

An audit that checks that all transactions over $5000 require approval by a supervisor is what type of audit?

Substantive audit

An auditor needs to select a certain number of transactions for examination. What method may be used for this?

Statistical sampling

What is the definition of sampling?

Selecting a subset of a larger group of items that will represent the entire group

Which type of sampling depends on auditor judgement?

Non-statistical sampling

When, during the SDLC, is a test plan developed?

During the design phase

What is the purpose of testing?

To uncover any bugs or flaws in the system

Change management and problem management are parts of a:

Configuration management process

What form of systems migration will have the least impact on business operations

Parallel

What task must be done to enable a data migration from an old system to a new one?

Ensure that the data is converted to a format acceptable for the new system