DM1: Planning Audits Flashcards
prevents, detects, and/or contains an incident or enables recovery from a risk event
Effective Control
Policies, procedures, practices, and organizational structures implemented to reduce risk
Controls
Who is responsible for establishing controls?
Senior Management
What are the two key aspects of a control?
1) what should be achieved 2) what should be avoided
type of control that detects problems before they arise; monitors operations and inputs; predicts potential problems
Preventative control
type of control that detects and reports occurrences of errors or events
Detective Control
type of control that minimizes the impact of threats; remedies problems discovered; identifies the cause of a problem; modifies processes
Corrective Control
activity that contributes to mitigation of potential risks and the fulfillment of control objectives
Control measures
statements of the desired result or purpose to be achieved by implementing control activities
Control objectives
3 ways to evaluate control environments
Reviewing evidence of well-controlled/effective operations, assessing strengths/weaknesses of controls, and determining whether controls meet control objectives
strong controls that support weak controls; original controls may be cost-prohibitive or not feasible
Compensating control
two controls that address the same risk where each would be strong enough on its own; provides redundancy in case one fails
Overlapping controls
policies and procedures that focus on effective functioning of all areas across an organization
General controls
risk that a material error exists that would not be prevented or detected by system or internal controls
Control risk
risk that material errors that have occurred will not be detected by an IS auditor
Detection risk
risk that incorrect assumptions are made about the characteristics of a population from the sample selected
Statistical sampling risk
Why should risk assessments be performed at regular intervals?
To address changes in environment, security requirements, and risk situations.
What should be considered when developing an IS audit plan?
1) coverage of all areas within the scope of IS audit
2) reliability and suitability of risk assessment results from management
3) processes by management to review and report possible risks
4) coverage of risk in related activities relevant to those under review
risk treatment of knowingly and objectively not taking action, provided the risk clearly satisfies the organization's policy and criteria for risk acceptance
Risk acceptance
risk treatment that avoids risk by not allowing actions that would cause a risk to occur
Risk avoidance
risk treatment when appropriate controls to reduce a risk are applied
Risk mitigation
risk treatment where some of the associated risk is transferred to other parties (not in its entirety)
Risk sharing
used to prioritize audits based on the evaluation of risk factors. Scored values are then compared and audits are prioritized based on those with the highest scores
Scoring system (Risk Assessment)
Type of risk assessment where decisions are made based on business knowledge, executive management directives, historical events, goals, and environmental factors
Subjective risk assessment
6 steps of IT Risk Management Process
1) Identify business objectives
2) Identify information assets supporting objectives
3) Perform risk assessment
4) Select risk treatments
5) Implement controls
6) Perform risk monitoring