CISA Concepts Flashcards
What is the definition of audit?
Auditing is a detailed and specific evaluation of a process, procedure, organization, job function, or system, in which results are gathered and reported.
What is the purpose of ethics?
To mandate the professional and personal conduct of auditors
According to the ISACA Code of Ethics is an auditor allowed to share the results of an audit with other personnel?
The auditor must maintain confidentiality of the audit unless required by legal authority
Should the IS audit plan be integrated into the overall audit plan for the organization?
The IS Audit function must fulfill all organizational audit objectives.
An IS Auditor is best advised to follow the standards provided by ISACA for conducting an planning IS Audits
ISACA audit standards are recommendations for planning IS audits.
ISACA Audit standard S2 Independence refers to what?
An Auditor should be independent of the area being audited
Standard S4 Professional Competence, requires the auditor to have the skills to conduct the audit?
appropriate continuing professional education
The basis for an audit plan should be what?
Risk
Audit findings and conclusions are supported by what?
Evidence
When an auditor uses the assistance of outside experts, what obligations does the auditor have to review the work of the experts?
The auditor must apply additional test procedures if the work of outside experts is not adequate
When an auditor is planning an information system audit and suspects a potential control weakness, what are they obligated to do?
The auditor must consider the materiality of the weakness and plan the audit accordingly.
What role does risk assessment have in audit planning?
Risk assessment is used to determine the priorities for audit and allocation of audit resources.
What steps should an auditor take when a material irregularity is discovered?
The auditor should communicate the irregularity to management in a timely manner
What is the risk to an audit if unusual relationships exist between staff members in the area being audited?
The auditor may be provided inaccurate evidence
True or False? Supervision of the information systems audit staff should not be necessary if the staff is adequately trained and experienced
TRUE
Once an audit is completed and submitted does the auditor have any further responsibility?
Yes, the auditor should follow up to ensure that management addressed any audit issues in a timely manner
IT governance means:
The IT function aligns with business mission, values and objectives
Relationships with third parties may:
Require the organization to comply with the security standards of the third party
True or False? The organization does not have to worry about the impact of third party relationships on the security program
FALSE
The role of an Information Systems Security Steering Committee is to:
Provide feedback from all areas of the organization
The most effective tool a security department has is:
A security awareness program
The role of Audit in relation to Information Security is:
The validate the effectiveness of the security program against established metrics
Who should be responsible for development of a risk management strategy?
The Security Manager
The security requirements of each member of the organization should be documented in:
Their job descriptions
What could be the greatest challenge to implementing a new security strategy?
Obtaining buy-in from employees
Which forms of wireless media operate only when there are no obstacles in the transmission path?
Spread spectrum
What best defines electrical noise?
Extraneous signals introduced onto network media.
An audit log is an example of a:
Detective control
A compensating control is used:
When normal controls are not sufficient to mitigate the trick
A disgruntled former employee is a:
Threat
A bug or software flaw is a:
Vulnerability
Encryption is an example of a:
Countermeasure
The examination of risk factors would be an example of:
Risk analysis
True/False: The only real risk mitigation technique is based on effective implementation of technical controls.
FALSE
Should a risk assessment consider controls that are planned but not yet implemented?
Yes, because it would not be appropriate to recommend implementing controls that are already planned
What is the purpose of a control?
Controls are used to resolve vulnerabilities
What is the definition of risk assessment?
The evaluation of the level of risk to an information system.
What is residual risk?
The level of risk that remains after the implementation of controls
What is the primary focus of risk assessment?
Regulatory requirements
What is audit detection risk?
The risk that the tests used during an audit did not discover an error
What is inherent risk?
A risk associated with pre-existing errors in the control environment
What is the first phase of the risk analysis process?
Critical asset identification
What are the components of risk analysis?
Threat, vulnerability and impact
What is the relationship between risk assessment and audit?
Risk assessment is used to identify high-risk areas to be audited
The intent of a control is to:
Reduce the likelihood or impact of the threat
If the materiality is minimal then:
It may be ignored
The determination of materiality is:
Based on the judgment of the auditor
An example of a preventative control is:
B) A security policy
An example of a detective control is:
Review of audit logs
A corrective control is designed to:
Restore systems to normal
An example of a corrective control is:
A business continuity plan
An organization implements a procedure to control changes to the configuration of an information system. This would be an example of a(n):
Administrative Control
Administrative controls are used to:
Monitor compliance with policy
Internal controls may be:
either manual or automated
The development of an IS Audit strategy will include:
Identification of controls to be evaluated
Once the audit strategy is developed, the auditor will:
Communicate the strategy to management.
What control classification would an auditor use to monitor an organization’s internal corporate network in order to report any unauthorized access attempts?
Detective
The audit charter is an important document. What is included in the audit charter?
The scope of the audit function
Developing an audit plan requires the determination of required personnel resources and?
Arranging for access to the audit area
The audit plan must be designed to ensure compliance with laws and regulations, this will require the knowledge of the regulations and?
A review to ensure management were aware of regulations when developing policies and procedures
The audit plan will be based on:
The stated objectives of the audit
The purpose of audit objectives is to establish whether internal controls are minimizing risk and?
functioning properly
A operational audit is designed to test?
The effectiveness of the organization’s internal control environment
What is the purpose of a specialized audit?
A specialized audit tests the services provided by an external organization
What is a primary consideration when performing a forensic audit?
Maintaining proper evidence handling and management techniques
What is the purpose of audit planning?
Audit planning provides a clear overview of the audit before the audit commences
What is the most critical step in audit planning?
Focus on high risk areas
How do laws and regulations affect an audit plan?
The audit plan must be designed to test for compliance with laws and regulations
What is the responsibility of the auditor in relation to fraud
The auditor must always be watchful for fraud while performing an audit
Who should be able to see an audit methodology document?
The audit methodology document is used to communicate with all audit team members
When an auditor finds a minor violation of policy or procedures, what should their course of action be?
Include the violation in the audit report
When an auditor finds a problem that is outside the scope of the audit plan, what should be done?
Consult with audit management about adjusting the scope of the problem
An auditor has found a problem and notified management. The problem was immediately fixed. Should the problem be included in the audit report?
Yes, all material findings should be in the report, but noted as fixed.
True or False? An audit that finds no serious issues may not require the preparation of an audit report
FALSE
All data gathered during an audit is considered?
audit evidence
Common methods of gathering information during an audit include:
Interviewing
When using observation as an audit data gathering method, what is an important concern?
Do not disrupt business operations
What is a characteristic of a divisional organization structure?
Teams operate as separate units within the parent organization
What is the advantage of using CAATS to support an audit
CAATS provide an effective way to collect and analyze data from different electronic systems
When data is gathered to determine whether users are following policies, this is an example of?
Compliance audit
An audit that validates individual transactions to test the effectiveness of a procedure is a?
Substantive audit
What type of audit evidence is considered more reliable?
Obtained from independent parties
An auditor checks 100 transactions to see if they were handled correctly. What type of audit is this
Compliance audit
An audit that checks that all transactions over $5000 require approval by a supervisor is what type of audit?
Substantive audit
An auditor needs to select a certain number of transactions for examination. What method may be used for this?
Statistical sampling
What is the definition of sampling?
Selecting a subset of a larger group of items that will represent the entire group
Which type of sampling depends on auditor judgement?
Non-statistical sampling
When, during the SDLC, is a test plan developed?
During the design phase
What is the purpose of testing?
To uncover any bugs or flaws in the system
Change management and problem management are parts of a:
Configuration management process
What form of systems migration will have the least impact on business operations
Parallel
What task must be done to enable a data migration from an old system to a new one?
Ensure that the data is converted to a format acceptable for the new system
