DM1: Planning Audits

Question 1

prevents, detects, and/or contains an incidents or enables recovery from risk event

Answer 1

Effective Control

Question 2

Policies, procedures, practices, and organizational structures implemented to reduce risk

Answer 2

Controls

Question 3

Who is responsible for establishing controls?

Answer 3

Senior Management

Question 4

What are the two key aspects of a control?

Answer 4

1) what should be achieved 2) what should be avoided

Question 5

type of control that detects problems before the arise; monitor operation and inputs; predicts potential problems

Answer 5

Preventative control

Question 6

type of control that detects and report occurrences of errors or events

Answer 6

Detective Control

Question 7

type of control that minimizes impact of threats; remedy problems discovered; identify cause of problem; modify processes

Answer 7

Corrective Control

Question 8

activity that contributes to mitigation of potential risks and the fulfillment of control objectives

Answer 8

Control measures

Question 9

statements of the desired result or purpose to be achieved by implementing control activities

Answer 9

Control objectives

Question 10

3 ways to evaluate control environments

Answer 10

Reviewing evidence of well controlled/effective operations, assessing strengths/weaknesses of controls, and determine if controls meet control objectives

Question 11

strong controls that support weak controls; original controls may be cost-prohibitive or not feasible

Answer 11

Compensating control

Question 12

two controls that address the same risk where both would be strong enough on its own; provides redundancy in case one fails

Answer 12

Overlapping controls

Question 13

policies and procedures that focus on effective functioning of all areas across an organization

Answer 13

General controls

Question 14

risk that a material error exists that would not be prevented or detected by system or internal controls

Answer 14

Control risk

Question 15

risk that material errors that have occurred that will not be detected by an IS auditor

Answer 15

Detection risk

Question 16

risk that incorrect assumptions are made about the characteristics of a population from the sample selected

Answer 16

Statistical sampling risk

Question 17

Why should risk assessments be performed in regular intervals?

Answer 17

To address changes in environment, security requirements, and risk situations.

Question 18

What should be considered when developing an IS audit plan?

Answer 18

1) coverage of all areas within the scope of IS audit
2) reliability and suitability of risk assessment results from management
3) processes by management to review and report possible risks
4) coverage of risk in related activities relevant to those under review

Question 19

risk treatment where knowingly and objectively not taking action, provided the risk clearly satisfies the organizations policy and criteria for risk acceptance

Answer 19

Risk acceptance

Question 20

risk treatment that avoids risk by not allowing actions that would cause a risk to occur

Answer 20

Risk avoidance

Question 21

risk treatment when appropriate controls to reduce a risk are applied

Answer 21

Risk mitigation

Question 22

risk treatment where some associated risk are transferred to other parties (not in entirety)

Answer 22

Risk sharing

Question 23

used to prioritize audits based on the evaluation of risk factors. scored values are then compared and audits are prioritized based on those with highest scores

Answer 23

Scoring system (Risk Assessment)

Question 24

Type of risk assessment where Decisions are made based on business knowledge, executive management directives, historical events, goals, and environmental factors

Answer 24

Subjective risk assessment

Question 25

6 steps of IT Risk Management Process

Answer 25

1) Identify business objectives
2) Identify information assets supporting objectives
3) Perform risk assessment
4) Select risk treatments
5) implement controls
6) Perform risk monitoring