DM1: Planning Audits Flashcards

1
Q

prevents, detects, and/or contains an incident, or enables recovery from a risk event

A

Effective Control

2
Q

Policies, procedures, practices, and organizational structures implemented to reduce risk

A

Controls

3
Q

Who is responsible for establishing controls?

A

Senior Management

4
Q

What are the two key aspects of a control?

A

1) what should be achieved
2) what should be avoided

5
Q

type of control that detects problems before they arise; monitors operations and inputs; predicts potential problems

A

Preventative control

6
Q

type of control that detects and reports occurrences of errors or events

A

Detective Control

7
Q

type of control that minimizes the impact of threats; remedies problems discovered; identifies the cause of the problem; modifies processes

A

Corrective Control

8
Q

activity that contributes to the mitigation of potential risks and the fulfillment of control objectives

A

Control measures

9
Q

statements of the desired result or purpose to be achieved by implementing control activities

A

Control objectives

10
Q

3 ways to evaluate control environments

A

Reviewing evidence of well-controlled/effective operations, assessing the strengths/weaknesses of controls, and determining whether controls meet their control objectives

11
Q

strong controls that support weak controls; the original controls may be cost-prohibitive or not feasible

A

Compensating control

12
Q

two controls that address the same risk where each would be strong enough on its own; provides redundancy in case one fails

A

Overlapping controls

13
Q

policies and procedures that focus on effective functioning of all areas across an organization

A

General controls

14
Q

risk that a material error exists that would not be prevented or detected by system or internal controls

A

Control risk

15
Q

risk that material errors that have occurred will not be detected by an IS auditor

A

Detection risk

16
Q

risk that incorrect assumptions are made about the characteristics of a population from the sample selected

A

Statistical sampling risk

17
Q

Why should risk assessments be performed at regular intervals?

A

To address changes in environment, security requirements, and risk situations.

18
Q

What should be considered when developing an IS audit plan?

A

1) coverage of all areas within the scope of IS audit
2) reliability and suitability of the risk assessment results provided by management
3) processes by management to review and report possible risks
4) coverage of risk in related activities relevant to those under review

19
Q

risk treatment where one knowingly and objectively takes no action, provided the risk clearly satisfies the organization's policy and criteria for risk acceptance

A

Risk acceptance

20
Q

risk treatment that avoids risk by not allowing actions that would cause a risk to occur

A

Risk avoidance

21
Q

risk treatment when appropriate controls to reduce a risk are applied

A

Risk mitigation

22
Q

risk treatment where some of the associated risk is transferred to other parties (not in its entirety)

A

Risk sharing

23
Q

used to prioritize audits based on the evaluation of risk factors; scored values are then compared and audits with the highest scores are prioritized

A

Scoring system (Risk Assessment)

24
Q

Type of risk assessment where decisions are made based on business knowledge, executive management directives, historical events, goals, and environmental factors

A

Subjective risk assessment

25
Q

6 steps of IT Risk Management Process

A

1) Identify business objectives
2) Identify information assets supporting objectives
3) Perform risk assessment
4) Select risk treatments
5) Implement controls
6) Perform risk monitoring