DOMAIN 1 - Information System Auditing Process Flashcards

1
Q

The internal audit department wrote some scripts that are used for continuous auditing of some information systems. The IT department asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Does sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?

A. Sharing the scripts is not permitted because it gives IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.

B. Sharing the scripts is required because IT must have the ability to review all programs and software that run on IS systems regardless of audit independence.

C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the scripts.

D. Sharing the scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.

A

C. IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts, but they can still audit the systems.

2
Q

Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?

A. Complexity of the organization’s operation.

B. Findings and issues noted from the prior year.

C. Purpose, objective and scope of the audit.

D. Auditor’s familiarity with the organization.

A

C. The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection, such as sample size or means of data collection.

3
Q

An IS auditor is developing an audit plan for an environment that includes new systems. The organization’s management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

A. Audit the new systems as requested by management.

B. Audit systems not included in last year’s scope.

C. Determine the highest-risk systems and plan accordingly.

D. Audit both the systems not in last year’s scope and the new systems.

A

C. The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: “The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.”

4
Q

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?

A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.

B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.

C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.

D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.

A

A. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management can then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.

5
Q

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

A. Overlapping controls

B. Boundary controls

C. Access controls

D. Compensating controls

A

D. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.

6
Q

Which of the following is the key benefit of a control self-assessment?

A. Management ownership of the internal controls supporting business objectives is reinforced.

B. Audit expenses are reduced when the assessment results are an input to external audit work.

C. Fraud detection is improved because internal business staff are engaged in testing controls.

D. Internal auditors can shift to a consultative approach by using the results of the assessment.

A

A. The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance.

7
Q

What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:

A. interface with various types of enterprise resource planning software and databases.

B. accurately capture data from the organization’s systems without causing excessive performance problems.

C. introduce audit hooks into the organization’s financial systems to support continuous auditing.

D. be customizable and support inclusion of custom programming to aid in investigative analysis.

A

B. Although all the requirements that are listed as answer choices are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool works effectively on the systems of the organization being audited.

8
Q

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual’s experience and:

A. length of service, because this will help ensure technical competence.

B. age, because training in audit techniques may be impractical.

C. IT knowledge, because this will bring enhanced credibility to the audit function.

D. ability, as an IS auditor, to be independent of existing IT relationships.

A

D. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.

9
Q

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?

A. Use of computer-assisted audit techniques

B. Quarterly risk assessments

C. Sampling of transaction logs

D. Continuous auditing

A

D. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.

10
Q

An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of:

A. Variable sampling

B. Substantive testing

C. Compliance testing

D. Stop-or-go sampling

A

C. Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.

11
Q

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?

A. Inherent.

B. Detection.

C. Control.

D. Business.

A

B. Detection risk is directly affected by the IS auditor’s selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.

12
Q

Which of the following is the MOST critical step when planning an IS audit?

A. Review findings from prior audits.

B. Executive management’s approval of the audit plan.

C. Review information security policies and procedures.

D. Perform a risk assessment.

A

D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.2: “IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.” In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified or evaluated.

13
Q

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step?

A. Understanding services and their allocation to business processes by reviewing the service repository documentation.

B. Sampling the use of service security standards as represented by the Security Assertion Markup Language (SAML).

C. Reviewing the service level agreements established for all system providers.

D. Auditing the core service and its dependencies on other systems.

A

A. A service-oriented architecture relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services.

14
Q

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?

A. Delete all copies of the unauthorized software.

B. Recommend an automated process to monitor for compliance with software licensing.

C. Report the use of the unauthorized software and the need to prevent recurrence.

D. Warn the end users about the risk of using illegal software.

A

C. The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and management of the risk and the need to eliminate the risk. For example, software piracy can result in exposure and severe fines.

15
Q

An audit charter should:

A. be dynamic and change to coincide with the changing nature of technology and the audit profession.

B. clearly state audit objectives for, and the delegation of, authority to maintenance and review of internal controls.

C. document the audit procedures designed to achieve the planned audit objectives.

D. outline the overall authority, scope and responsibilities of the audit function.

A

D. An audit charter should state management’s objectives for and delegation of authority to IS auditors.

16
Q

An IS auditor finds a small number of user access requests that were not authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:

A. perform an additional analysis

B. report the problem to the audit committee

C. conduct a security risk assessment

D. recommend that the owner of the identity management system fix the workflow issues.

A

A. The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and the factors that caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, a problem with the workflow of the automated system or a combination of the two.
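
Worked example for cards 10 and 16 (added here; it is not part of the original deck): a compliance test that checks whether each recently added account has a manager's approval recorded through the workflow, and then sorts the exceptions by likely cause, which is the additional analysis card 16 calls for before any recommendation is made. The record layouts, user names, dates and the manager list are constructed for the example, not taken from any real identity management system.

```python
"""Compliance test over recently added accounts: was each one authorized
through the predefined workflow, and if not, why?  Added example; the
account and approval records, the manager list and the field names are
constructed, not taken from any real identity management system."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    user_id: str
    created: date
    created_by: str            # who provisioned it (service account vs. an admin by hand)


@dataclass(frozen=True)
class Approval:
    user_id: str
    approver: str
    approved_on: date
    via_workflow: bool         # True if the approval was recorded by the IdM workflow


MANAGERS = {"m.okafor", "l.berg"}           # authorized approvers per policy (constructed)
PERIOD_START = date(2024, 3, 1)             # review period for "recently added" (constructed)

ACCOUNTS = [
    Account("u1001", date(2024, 3, 4), "svc_idm"),
    Account("u1002", date(2024, 3, 5), "svc_idm"),
    Account("u1003", date(2024, 3, 6), "admin.jdoe"),   # created by hand, no approval on file
    Account("u1004", date(2024, 3, 7), "svc_idm"),
    Account("u0900", date(2024, 1, 15), "svc_idm"),     # outside the review period
]
APPROVALS = [
    Approval("u1001", "m.okafor", date(2024, 3, 3), True),
    Approval("u1002", "t.singh", date(2024, 3, 4), True),    # approver is not a manager
    Approval("u1004", "l.berg", date(2024, 3, 8), False),    # e-mail approval after the fact, outside the workflow
]


def classify(accounts, approvals, managers, period_start):
    """Map each in-scope account to one of:
    ok, no_approval, outside_workflow, approver_not_manager, approved_after_creation."""
    by_user = {a.user_id: a for a in approvals}
    statuses = {}
    for acct in accounts:
        if acct.created < period_start:
            continue                                  # not a recently added account
        appr = by_user.get(acct.user_id)
        if appr is None:
            statuses[acct.user_id] = "no_approval"
        elif not appr.via_workflow:
            statuses[acct.user_id] = "outside_workflow"
        elif appr.approver not in managers:
            statuses[acct.user_id] = "approver_not_manager"
        elif appr.approved_on > acct.created:
            statuses[acct.user_id] = "approved_after_creation"
        else:
            statuses[acct.user_id] = "ok"
    return statuses


def deviation_rate(statuses):
    """Share of tested accounts that failed the authorization attribute."""
    return 0.0 if not statuses else sum(s != "ok" for s in statuses.values()) / len(statuses)


def likely_cause(statuses):
    """Split exceptions into two buckets: the workflow recorded an approval but its
    rules did not enforce policy (a system problem), or the workflow was never
    used at all (a procedure-not-followed problem)."""
    rule_failure = {"approver_not_manager", "approved_after_creation"}
    bypassed = {"no_approval", "outside_workflow"}
    return {"workflow_rule_failure": sum(s in rule_failure for s in statuses.values()),
            "workflow_bypassed": sum(s in bypassed for s in statuses.values())}


def run_example():
    return classify(ACCOUNTS, APPROVALS, MANAGERS, PERIOD_START)


if __name__ == "__main__":
    statuses = run_example()
    for uid, status in sorted(statuses.items()):
        print(uid, status)
    print(f"deviation rate: {deviation_rate(statuses):.0%}", likely_cause(statuses))
```

The two buckets are what separates "managers not following procedures" from "a problem with the workflow of the automated system": an approval recorded by a non-manager inside the workflow points at the workflow's rules, while an account with no workflow record at all points at someone provisioning around it.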

17
Q

Which of the following sampling methods is MOST useful when testing for compliance?

A. Attribute sampling

B. Variable sampling

C. Stratified mean-per-unit sampling

D. Difference estimation sampling

A

A. Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain predefined dollar amount for proper approvals.

18
Q

When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling does not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?

A. Develop an alternate testing procedure

B. Report the finding to management

C. Perform a walkthrough of the change management process

D. Create additional sample data to test additional changes.

A

A. If a sample-size objective cannot be met with the given data, the IS auditor cannot provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure.

19
Q

Which of the following situations could impair the independence of an IS auditor? The IS auditor:

A. implemented specific functionality during the development of an application.

B. designed an embedded audit module for auditing an application.

C. participated as a member of an application project team and did not have operational responsibilities.

D. provided consulting advice concerning application good practices.

A

A. Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system.

20
Q

The PRIMARY advantage of a continuous audit approach is that it:

A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.

B. allows the IS auditor to review and follow up on audit issues in a timely manner.

C. places the responsibility for enforcement and monitoring of controls on the security department instead of audit.

D. simplifies the extraction and correlation of data from multiple and complex systems.

A

B. Continuous audit allows audit and response to audit issues in a timely manner because audit findings are gathered in near real time.

21
Q

Which of the following would impair the independence of a quality assurance team?

A. Ensuring compliance with development methods

B. Checking the test assumptions

C. Correcting coding errors during the testing process

D. Checking the code to ensure proper documentation

A

C. Correction of code should not be a responsibility of the quality assurance team, because it would not ensure segregation of duties and would impair the team’s independence.

22
Q

In planning an IS audit, the MOST critical step is the identification of the:

A. areas of significant risk

B. skill sets of the audit staff

C. test steps in the audit

D. time allotted for the audit

A

A. When designing a risk-based audit plan, it is important to identify the areas of highest risk to determine the areas to be audited.

23
Q

The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:

A. control design testing.

B. substantive testing.

C. inspection of relevant documentation.

D. perform tests on risk prevention.

A

B. Among other methods, such as document review or walkthrough, tests of controls are the most effective procedures to assess whether controls accurately support operational effectiveness.

24
Q

The extent to which data will be collected during an IS audit should be determined based on the:

A. Availability of critical and required information.

B. Auditor’s familiarity with the circumstances.

C. Auditee’s ability to find relevant evidence.

D. Purpose and scope of the audit being done.

A

D. The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope, or just a high-level review, will most likely require less data collection than an audit with a wider purpose and scope.

25
Q

While planning an IS audit, an assessment of risk should be made to provide:

A. reasonable assurance that the audit will cover material items.

B. definite assurance that material items will be covered during the audit work.

C. reasonable assurance that all items will be covered by the audit.

D. sufficient assurance that all items will be covered during the audit work.

A

A. ISACA IS Audit and Assurance Guideline 2202 (Risk Assessment and Audit Planning) states that the applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work. The risk assessment should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit engagements.

26
Q

The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:

A. inform the audit committee of the potential issue.

B. review audit logs for the IDs in question.

C. document the finding and explain the risk of using shared IDs.

D. request that the IDs be removed from the system.

A

C. An IS auditor’s role is to detect and document findings and control deficiencies. Part of the audit report is to explain the reasoning behind the findings. The use of shared IDs is not recommended because it does not allow for accountability of transactions. An IS auditor defers to management to decide how to respond to the findings presented.

27
Q

An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to determine:

A. that the control is operating efficiently

B. that the control is operating as designed

C. the integrity of data controls

D. the reasonableness of financial reporting controls

A

B. Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the objective of a compliance test is important. IS auditors want reasonable assurance that the controls they are relying on are effective. An effective control is one that meets management expectations and objectives.

28
Q

The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?

A. Generate sample test data

B. Generalized audit software

C. Integrated test facility

D. Embedded audit module

A

B. Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and re-computations. An IS auditor, using generalized audit software, can design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.
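
Worked example for card 28 (added here; it is not part of the original deck): the recomputation, duplicate-checking and stratification tests the explanation lists, written out in Python over a constructed payroll register. The overtime rule (time and a half above 40 hours), the employee IDs and every amount are assumptions made for the example; a real engagement would take the pay rules from the payroll policy and the register from the payroll system.

```python
"""Recompute payroll and flag overpayments, the kind of test an auditor builds
in generalized audit software.  Added example; the pay rule and all data
are constructed."""
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def expected_gross(hours, rate, overtime_threshold=Decimal("40"), overtime_multiplier=Decimal("1.5")):
    """Gross pay with time-and-a-half above the threshold (assumed pay rule)."""
    regular = min(hours, overtime_threshold)
    overtime = max(hours - overtime_threshold, Decimal("0"))
    gross = regular * rate + overtime * rate * overtime_multiplier
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


# Constructed payroll register: (pay_period, employee_id, hours, hourly_rate, amount_paid)
REGISTER = [
    ("2023-P01", "E100", Decimal("40"), Decimal("25.00"), Decimal("1000.00")),
    ("2023-P01", "E101", Decimal("45"), Decimal("20.00"), Decimal("950.00")),   # 40*20 + 5*30 = 950, correct
    ("2023-P01", "E102", Decimal("38"), Decimal("30.00"), Decimal("1240.00")),  # expected 1140, overpaid 100
    ("2023-P02", "E100", Decimal("40"), Decimal("25.00"), Decimal("1000.00")),
    ("2023-P02", "E100", Decimal("40"), Decimal("25.00"), Decimal("1000.00")),  # duplicate line: paid twice
    ("2023-P02", "E103", Decimal("50"), Decimal("18.00"), Decimal("990.00")),   # 720 + 270 = 990, correct
]


def find_overpayments(register, tolerance=CENT):
    """Recompute each line; return (period, employee, paid, expected, excess) where paid exceeds expected."""
    out = []
    for period, emp, hours, rate, paid in register:
        expected = expected_gross(hours, rate)
        if paid - expected > tolerance:
            out.append((period, emp, paid, expected, paid - expected))
    return out


def find_duplicates(register):
    """Return {(period, employee): count} for employees paid more than once in a period."""
    counts = Counter((period, emp) for period, emp, *_ in register)
    return {key: n for key, n in counts.items() if n > 1}


def stratify(register, bands=(Decimal("500"), Decimal("1000"))):
    """Count paid lines per amount band; used to decide where to focus substantive tests."""
    labels = {}
    for *_, paid in register:
        band = next((f"<= {b}" for b in bands if paid <= b), f"> {bands[-1]}")
        labels[band] = labels.get(band, 0) + 1
    return labels


if __name__ == "__main__":
    for row in find_overpayments(REGISTER):
        print("overpayment:", row)
    print("duplicates:", find_duplicates(REGISTER))
    print("strata:", stratify(REGISTER))
```

Decimal is used rather than float so that recomputed amounts match the register to the cent; a float recomputation can differ from the payroll system's own rounding and produce false exceptions.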

29
Q

During a security audit of IT processes, an IS auditor finds that documented security procedures do not exist. The IS auditor should:

A. Create the procedures document based on the practices.

B. Issue an opinion of the current state and end the audit.

C. Conduct compliance testing on available data

D. Identify and evaluate existing practices

A

D. One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach is to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management, with recommendations to document the current controls or enforce the documented procedures.

30
Q

During a risk analysis, an IS auditor identifies threats and potential impacts. Next, the IS auditor should:

A. Ensure the risk assessment is aligned to management’s risk assessment process

B. Identify information assets and the underlying systems

C. Disclose the threats and impacts to management

D. Identify and evaluate the existing controls

A

D. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

31
Q

Which of the following would normally be the MOST reliable evidence for an IS auditor?

A. A confirmation letter received from a third party verifying an account balance

B. Assurance from line management that an application is working as designed

C. Trend data obtained from Internet sources

D. Ratio analysis developed by the IS auditor from reports supplied by line management

A

A. Evidence obtained from independent third parties is almost always considered to be more reliable than assurance provided by local management.

32
Q

When evaluating the collective effect of preventive, detective, and corrective controls within a process an IS auditor should be aware of which of the following?

A. The point at which controls are exercised as data flow through the system.

B. Only preventive and detective controls are relevant.

C. Corrective controls are regarded as compensating.

D. Classification allows an IS auditor to determine the controls that are missing.

A

A. An IS auditor should focus on when controls are exercised as data flow through a computer system.

33
Q

Which audit technique provides the BEST evidence of the segregation of duties in an IT department?

A. Discussion with management

B. Review of the organization chart

C. Observation and interviews

D. Testing of user access rights

A

C. Based on the observations and interviews, the IS auditor can evaluate the segregation of duties. By observing the IT staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations. By interviewing the IT staff, the auditor can get an overview of the tasks performed.

34
Q

After reviewing the disaster recovery planning process of an organization, an IS auditor requests a meeting with organization management to discuss the findings. Which of the following BEST describes the main goal of this meeting?

A. Obtain management approval of the corrective action plan.

B. Confirm factual accuracy of the findings.

C. Assist management in the implementation of corrective actions.

D. Prioritize the resolution of the items.

A

B. The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action.

35
Q

An IS auditor should ensure that review of online electronic funds transfer reconciliation procedures include:

A. Vouching

B. Authorizations

C. Corrections

D. Tracing

A

D. Tracing is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In an electronic funds transfer transaction, the direction of tracing may start from the customer-printed copy of the receipt, proceed to checking the system audit trails and logs, and end with checking the master file records for daily transactions.

36
Q

An IS auditor is carrying out a system configuration review. Which of the following is the BEST evidence in support of the current system configuration settings?

A. System configuration values that are imported to a spreadsheet by the system administrator

B. Standard report with configuration values that are retrieved from the system by the IS auditor

C. Dated screenshot of the system configuration settings that are made available by the system administrator

D. Annual review of approved system configuration values by the business owner.

A

B. Evidence that is obtained directly from the source by an IS auditor is more reliable than information that is provided by a system administrator or a business owner, because the IS auditor does not have a vested interest in the outcome of the audit.

37
Q

The purpose of a checksum on an amount field in an electronic data interchange communication of financial transactions is to ensure:

A. Integrity

B. Authenticity

C. Authorization

D. Nonrepudiation

A

A. A checksum that is calculated on an amount field and included in the electronic data interchange communication can be used to identify unauthorized modifications.

38
Q

Which of the following forms of evidence would an IS auditor consider the MOST reliable?

A. An oral statement from the auditee

B. The results of a test that is performed by an external IS auditor

C. An internally generated computer accounting report

D. A confirmation letter that is received from an outside source

A

B. An independent test that is performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party, because the letter is the result of an analysis of the process and may not be based on authoritative audit techniques. An audit should consist of a combination of inspection, observation and inquiry by an IS auditor as determined by risk. This provides a standard methodology and reasonable assurance that the controls and test results are accurate.

39
Q

An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:

A. EDI trading partner agreements

B. Physical controls for terminals

C. Authentication techniques for sending and receiving messages

D. Program change control procedures

A

C. Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions.
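
Worked example for cards 37 and 39 (added here; it is not part of the original deck): a CRC-32 checksum over the EDI amount field catches an accidental or careless change, but anyone who can alter the field can also recompute an unkeyed checksum, so the same record is shown carrying a keyed HMAC instead, which is the kind of message authentication card 39 points to. The record layout, the field names and the shared key are constructed for the example and do not correspond to any EDI standard's segment format.

```python
"""Why a checksum on an EDI amount field gives integrity against accidental
change but not authenticity against a deliberate one.  Added example; the
record layout, keys and values are constructed."""
import hashlib
import hmac
import zlib


def checksum(amount_field: str) -> str:
    """CRC-32 over the amount field, hex-encoded (a typical unkeyed checksum)."""
    return f"{zlib.crc32(amount_field.encode()):08x}"


def parse(record: str) -> dict:
    return dict(part.split("=", 1) for part in record.split(";"))


def build_record(amount: str) -> str:
    return f"AMT={amount};CHK={checksum(amount)}"


def verify_record(record: str) -> bool:
    fields = parse(record)
    return hmac.compare_digest(checksum(fields["AMT"]), fields["CHK"])


def build_record_hmac(amount: str, key: bytes) -> str:
    tag = hmac.new(key, amount.encode(), hashlib.sha256).hexdigest()
    return f"AMT={amount};MAC={tag}"


def verify_record_hmac(record: str, key: bytes) -> bool:
    fields = parse(record)
    expected = hmac.new(key, fields["AMT"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields["MAC"])


def tamper(record: str, new_amount: str, recompute: bool) -> str:
    """Simulate an intermediary changing the amount; optionally recompute the (unkeyed) checksum.
    The MAC cannot be recomputed because the intermediary does not hold the key."""
    fields = parse(record)
    fields["AMT"] = new_amount
    if recompute and "CHK" in fields:
        fields["CHK"] = checksum(new_amount)
    return ";".join(f"{k}={v}" for k, v in fields.items())


KEY = b"constructed-shared-secret"   # in practice: from the trading-partner agreement / key management


def demo():
    rec = build_record("1500.00")
    naive = tamper(rec, "9500.00", recompute=False)      # sloppy change: checksum no longer matches
    clever = tamper(rec, "9500.00", recompute=True)      # attacker recomputes: checksum still matches
    rec_mac = build_record_hmac("1500.00", KEY)
    forged = tamper(rec_mac, "9500.00", recompute=True)  # amount changed, MAC left as-is
    return {
        "original_ok": verify_record(rec),
        "naive_tamper_detected": not verify_record(naive),
        "recomputed_tamper_detected": not verify_record(clever),
        "mac_original_ok": verify_record_hmac(rec_mac, KEY),
        "mac_forgery_detected": not verify_record_hmac(forged, KEY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30} {ok}")
```

The `recomputed_tamper_detected` result is the one to notice: it comes back False, so a checksum alone supports card 37's "integrity" answer only against accidental or unskilled modification. Detecting a deliberate change needs a key the sender has and the intermediary does not (the HMAC here), and attributing the message to a particular partner needs a signature.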

40
Q

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?

A. Walk-through with the reviewer of the operation of the control

B. System-generated exception reports for the review period with the reviewer’s sign-off

C. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer

D. Management’s confirmation of the effectiveness of the control for the review period

A

C. A sample of a system-generated report with evidence that the reviewer followed up on the exceptions represents the best possible evidence of the effective operation of the control, because there is documented evidence that the reviewer reviewed the exception report and took actions based on it.

41
Q

A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?

A. Key verification

B. One-for-one checking

C. Manual recalculations

D. Functional acknowledgements

A

D. Acting as an audit trail for electronic data interchange transactions, functional acknowledgements are one of the main controls used in data mapping.

42
Q

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?

A. Variable sampling

B. Stratified mean per unit

C. Attribute sampling

D. Unstratified mean per unit

A

C. Attribute sampling is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.

43
Q

The BEST method of confirming the accuracy of a system tax calculation is by:

A. review and analysis of the source code of the calculation programs

B. recreating program logic using generalized audit software to calculate monthly totals

C. preparing simulated transactions for processing and comparing the results to predetermined results

D. automatic flowcharting and analysis of the source code of the calculation programs

A

C. Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation.

44
Q

An IS auditor performing a review of application controls would evaluate the:

A. efficiency of the application in meeting the business processes

B. impact of any exposures discovered

C. business processes served by the application

D. application’s optimization

A

B. An application control review involves the evaluation of the application’s automated controls and an assessment of any exposures resulting from the control weakness.

45
Q

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The IS auditor should:

A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings

B. not include the findings in the final report because management resolved the item

C. not include the findings in the final report because corrective action can be verified by the IS auditor during the audit.

D. include the finding in the closing meeting for discussion purposes only

A

A. Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.

46
Q

The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods will BEST assist the IS auditors?

A. Stop-or-go

B. Classical variable

C. Discovery

D. Probability-proportional-to-size

A

C. Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred. Therefore, it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.

47
Q

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

A. Controls needed to mitigate risk are in place

B. Vulnerabilities and threats are identified

C. Audit risk is considered

D. A gap analysis is appropriate

A

B. While developing a risk-based audit strategy, it is critical that the risk and vulnerabilities are understood. They determine the areas to be audited and the extent of coverage.

48
Q

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:

A. Ask the auditee to sign a release form accepting full legal responsibility

B. Elaborate on the significance of the finding and the risk of not correcting it

C. Report the disagreement to the audit committee for resolution

D. Accept the auditee’s position because they are process owners.

A

B. If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures because the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee lessens effective communications and sets up an adversarial relationship, but an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.

49
Q

To ensure that audit resources deliver the best value to the organization, the FIRST step in an audit project is to:

A. Schedule the audits and monitor the time spent on each audit

B. Train the IS audit staff on current technology used in the organization

C. Develop the audit plan based on detailed risk assessment

D. Monitor progress of audits and initiate cost control measures

A

C. Although monitoring time and audit programs and providing adequate training improve the IS audit staff’s productivity (efficiency and performance), it is ensuring that the resources and efforts dedicated to audit are focused on higher-risk areas that delivers value to the organization.

50
Q

Which of the following should be the FIRST action of an IS auditor during a dispute with a department manager over audit findings?

A. Retest the control to validate the finding

B. Engage a third party to validate the finding

C. Include the finding in the report with the department manager’s comments

D. Revalidate the supporting evidence for the finding

A

D. Conclusions drawn by an IS auditor should be adequately supported by evidence, and any compensating controls or corrections that are pointed out by a department manager should be taken into consideration. Therefore, the first step is to revalidate the evidence for the finding. If, after revalidating and retesting, there are unsettled disagreements, those issues should be included in the report.

51
Q

An IS auditor should use statistical sampling, and not judgement (nonstatistical) sampling, when:

A. The probability of error must be objectively quantified.

B. The auditor wants to avoid sampling risk.

C. Generalized audit software is unavailable.

D. The tolerable error cannot be determined.

A

A. Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient).

52
Q

What is the BEST action for an IS auditor to take when an outsourced monitoring process for remote access is inadequate and management disagrees because intrusion detection system (IDS) and firewall controls are in place?

A. Revise the finding in the audit report per management’s feedback

B. Retract the finding because the IDS controls are in place

C. Retract the finding because the firewall rules are monitored

D. Document the identified finding in the audit report

A

D. IS auditor independence dictates that the additional information provided by the auditee is taken into consideration. Normally, an IS auditor does not automatically retract or revise the finding.

53
Q

An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes and terminations) are completed and delivered to the bank, which prepares the checks and reports for distribution. To BEST ensure payroll data accuracy:

A. Payroll reports should be compared to input forms.

B. Gross payroll should be recalculated manually.

C. Checks should be compared to input forms.

D. Checks should be reconciled with output reports.

A

A. The best way to confirm data accuracy, when input is provided by the organization and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports.

54
Q

Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment?

A. Lack of transaction authorizations

B. Loss or duplication of EDI transmissions

C. Transmission delay

D. Deletion or manipulation of transactions prior to, or after, establishment of application controls.

A

A. Because the interaction between parties is electronic, lack of transaction authorization is the greatest risk.

55
Q

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:

A. Address audit objectives

B. Collect sufficient evidence

C. Specify appropriate tests

D. Minimize audit resources

A

A. ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in the other options are all undertaken to address audit objectives and, thus, are secondary.

56
Q

When selecting audit procedures, an IS auditor should use professional judgment to ensure that:

A. Sufficient evidence will be collected

B. Significant deficiencies will be corrected within a reasonable period

C. All material weaknesses will be identified

D. Audit costs will be kept at a minimum level

A

A. Procedures are processes that an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment that is appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising during an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate, and the IS auditor’s past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA’s guidelines provide information on how to meet the standards when performing IS audit work.

57
Q

A substantive test to verify that tape library inventory records are accurate is:

A. Determining whether bar code readers are installed

B. Determining whether the movement of tapes is authorized

C. Conducting a physical count of the tape inventory

D. Checking whether receipts and issues of tapes are accurately recorded

A

C. A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy and validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test.

58
Q

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system is to:

A. Acknowledgment of electronic orders with a confirmation message

B. Perform reasonableness checks on quantities ordered before filling orders

C. Verify the identity of senders and determine if orders correspond to contract terms

D. Encrypt electronic orders

A

C. An electronic data interchange system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.

59
Q

An IS auditor finds that the answers received during an interview with a payroll clerk do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:

A. conclude that the controls are inadequate

B. expand the scope to include substantive testing

C. place greater reliance on previous audits

D. suspend the audit

A

B. If the answers provided to an IS auditor’s questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests.

60
Q

An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommending a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:

A. Professional independence

B. Organizational independence

C. Technical competence

D. Professional competence

A

A. When an IS auditor recommends a specific vendor, the auditor’s professional independence is compromised.

61
Q

The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to:

A. Understand the business process

B. Comply with auditing standards

C. Identify control weakness

D. Develop the risk assessment

A

A. Understanding the business process is the first step an IS auditor needs to perform.

62
Q

In the process of evaluating program change controls, an IS auditor uses source code comparison software to:

A. Examine source program changes without information from IS personnel

B. Detect a source program change made between acquiring a copy of the source and the comparison run

C. Confirm that the control copy is the current version of the production program

D. Ensure that all changes made in the current source copy are tested.

A

A. When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison identifies the changes.

63
Q

The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:

A. Confirm that the auditors did not overlook any important issues

B. Gain agreement on the findings

C. Receive feedback on the adequacy of the audit procedures

D. Test the structure of the final presentation

A

B. The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings and responses from management.

64
Q

Which of the following audit techniques BEST helps an IS auditor in determining whether there have been authorized program changes since the last authorized program update?

A. Test data run

B. Code review

C. Automated code comparison

D. Review of code migration procedures

A

C. An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure.

65
Q

When preparing an audit report, the IS auditor should ensure that the results are supported by:

A. Statements from IS management

B. Work papers of other auditors

C. An organizational control self-assessment

D. Sufficient and appropriate audit evidence

A

D. ISACA’s IS Audit and Assurance Standard on reporting requires that the IS auditor has sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be based on evidence that is collected during the review even though the IS auditor may have access to the work papers of other auditors. The results of an organizational control self-assessment can supplement the audit findings.

66
Q

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:

A. Effectiveness of the QA function because it should interact between project management and user management

B. Efficiency of the QA function because it should interact with the project implementation team

C. Effectiveness of the project manager because the project manager should interact with the QA function

D. Efficiency of the project manager because the QA function needs to communicate with the project implementation team

A

A. To be effective, the quality assurance (QA) function should be independent of project management. If it is not, project management may put pressure on the QA function to approve an inadequate product.

67
Q

The final decision to include a material finding in an audit report should be made by the:

A. audit committee

B. auditee’s manager

C. IS auditor

D. chief executive officer

A

C. The IS auditor should make the final decision about what to include or exclude from the audit report.

68
Q

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:

A. Audit trail of the versioning of the work papers

B. Approval of the audit phases

C. Access rights to the work papers

D. Confidentiality of the work papers

A

D. Encryption provides confidentiality for the electronic work papers.

69
Q

The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:

A. Comply with regulatory requirements

B. Provide a basis for drawing reasonable conclusions

C. Ensure complete audit coverage

D. Perform the audit according to the defined scope

A

B. The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them.

70
Q

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:

A. Expand activities to determine whether an investigation is warranted

B. Report the matter to the audit committee

C. Report the possibility of fraud to management

D. Consult with the external legal counsel to determine the course of action to be taken

A

A. An IS auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

71
Q

An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is:

A. An effective preventive control

B. A valid detective control

C. Not an adequate control

D. A corrective control

A

C. Generation of an activity log is not a control by itself. It is the review of such a log that makes the activity a control (i.e., generation plus review equals control).

72
Q

An organization’s IS audit charter should specify the:

A. plans for IS audit engagements.

B. objectives and scope of IS audit engagements.

C. detailed training plan for the IS audit staff.

D. role of the IS audit function.

A

D. An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.

73
Q

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?

A. Attribute sampling

B. Computer-assisted audit techniques

C. Compliance testing

D. Integrated test facility

A

B. Computer-assisted audit techniques (CAATs) enable the IS auditor to review the entire invoice file to look for those items that meet the selection criteria.

74
Q

When developing a risk management program, what is the FIRST activity to be performed?

A. Threat assessment

B. Classification of data

C. Inventory of assets

D. Criticality analysis

A

C. Identification of the assets to be protected is the first step in the development of a risk management program.

75
Q

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:

A. Excessive transaction turnaround time.

B. Application interface failure.

C. Improper transaction authorization.

D. Nonvalidated batch totals.

A

C. Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Because the interaction with the parties is electronic, there is no inherent authentication. Improper authentication poses a serious risk of financial loss.

76
Q

Which of the following would be MOST useful for an IS auditor for accessing and analyzing digital data to collect relevant audit evidence from diverse software environments?

A. Structured Query Language

B. Application software reports

C. Data analytics controls

D. Computer-assisted auditing techniques

A

D. CAATs are tools used for accessing data in an electronic form from diverse software environments, record formats, etc. CAATs serve as useful tools for collecting and evaluating audit evidence according to audit objectives and can create efficiencies for collecting this evidence.

77
Q

Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users?

A. Variable sampling

B. Judgmental sampling

C. Stratified random sampling

D. Systematic sampling

A

C. Stratification is the process of dividing a population into subpopulations with similar characteristics explicitly defined, so that each sampling unit can belong to only one stratum. This method of sampling ensures that all sampling units in each subgroup have a known, nonzero chance of selection. It is the most appropriate in this case.

78
Q

An IS auditor who was involved in designing an organization’s business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:

A. decline the assignment.

B. inform management of the possible conflict of interest after completing the audit assignment.

C. inform the BCP team of the possible conflict of interest prior to beginning the assignment.

D. communicate the possibility of conflict of interest to audit management prior to starting the assignment.

A

D. A possible conflict of interest, likely to affect the IS auditor’s independence, should be brought to the attention of management prior to starting the assignment.

79
Q

The PRIMARY purpose of an IT forensic audit is:

A. To participate in investigations related to corporate fraud.

B. The systematic collection and analysis of evidence after a system irregularity.

C. To assess the correctness of an organization’s financial statements.

D. To preserve evidence of criminal activity.

A

B. The systematic collection and analysis of evidence after a system irregularity best describes a forensic audit. The evidence collected can then be analyzed and used in judicial proceedings.

80
Q

An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed, and the backup restarts cannot be confirmed. What should the IS auditor do?

A. Issue an audit finding.

B. Seek an explanation from IS management.

C. Review the classifications of data held on the server.

D. Expand the sample of logs reviewed.

A

D. IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure.

81
Q

In a small organization, the functions of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?

A. Hiring additional staff to provide segregation of duties

B. Preventing the release manager from making program modifications

C. Logging of changes to development libraries

D. Verifying that only approved program changes are implemented

A

D. Compensating controls are used to mitigate risk when proper controls are not feasible or practical. In a small organization, it may not be feasible to hire new staff, which is why a compensating control may be necessary. Verifying program changes has roughly the same effect as intended by full segregation of duties.

82
Q

Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?

A. Identify all IT systems and controls that are relevant to audit objectives.

B. List all controls from the audit program to select ones matching with audit objectives.

C. Review the results of a risk self-assessment.

D. Understand the business, its operating model and key processes.

A

D. Risk-based auditing must be based on the understanding of the business, operating model and environment. This is the first step in an IT risk assessment for a risk-based audit.

83
Q

An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:

A. expand the scope of the IS audit to include the devices that are not on the network diagram.

B. evaluate the impact of the undocumented devices on the audit scope.

C. note a control deficiency because the network diagram has not been approved.

D. plan follow-up audits of the undocumented devices.

A

B. In a risk-based approach to an IS audit, the scope is determined by the impact that the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated, for example, the network layer and cross connections.

84
Q

An IS auditor is testing employee access to a large financial system, and the IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?

A. A spreadsheet provided by the system administrator

B. Human resources access documents signed by employees’ managers

C. A list of accounts with access levels generated by the system

D. Observations performed onsite in the presence of a system administrator

A

C. The access list generated by the system is the most reliable, because it is the most objective evidence to perform a comparison against the samples selected. The evidence is objective, because it was generated by the system rather than by an individual.

85
Q

During a compliance audit of a small bank, the IS auditor notes that the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews that are conducted by the user’s supervisor represents the BEST compensating control?

A. Audit trails that show the date and time of the transaction

B. A daily report with the total numbers and dollar amounts of each transaction

C. User account administration

D. Computer log files that show individual transactions

A

D. Computer logs record the activities of individuals during their access to a computer system or data file and record any abnormal activities, such as the modification or deletion of financial data.

86
Q

A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern?

A. The work may be construed as a self-audit.

B. Audit points may largely shift to technical aspects.

C. The employee may not have sufficient control assessment skills.

D. The employee’s knowledge of business risk may be limited.

A

A. Because the employee had been a developer, it is recommended that the audit coverage should exclude the systems developed by this employee to avoid any conflicts of interest.

87
Q

Which of the following BEST describes the objective of an IS auditor discussing the audit findings with the auditee?

A. Communicate results to the auditee.

B. Develop time lines for the implementation of suggested recommendations.

C. Confirm the findings and propose a course of corrective action.

D. Identify compensating controls to the identified risk.

A

C. Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the auditee. The goal of this discussion is to confirm the accuracy of the findings and to propose or recommend a course of corrective action.

88
Q

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?

A. Participating in the design of the risk management framework

B. Advising on different implementation techniques

C. Facilitating risk awareness training

D. Performing a due diligence review of the risk management processes

A

A. Participating in the design of the risk management framework involves designing controls, which compromises the independence of the IS auditor to audit the risk management process.

89
Q

Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program?

A. Key stakeholders are incorrectly identified.

B. Control costs will exceed planned budget.

C. Important business risk may be overlooked.

D. Previously audited areas may be inadvertently included.

A

C. Without an audit scope, the appropriate risk assessment has not been performed, and therefore, the auditor might not audit those areas of highest risk for the organization.

90
Q

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?

A. Computer-aided software engineering tools

B. Embedded data collection tools

C. Trend/variance detection tools

D. Heuristic scanning tools

A

C. Trend/variance detection tools look for anomalies in user or system behavior, such as invoices with increasing invoice numbers.

91
Q

While performing an audit of an accounting application’s internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:

A. Continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions.

B. Complete the audit and not report the control deficiency because it is not part of the audit scope.

C. Continue to test the accounting application controls and include the deficiency in the final report.

D. Cease all audit activity until the control deficiency is resolved.

A

C. It is the responsibility of the IS auditor to report on findings that can have a material impact on the effectiveness of controls whether or not they are within the scope of the audit.

92
Q

Which of the following will MOST successfully identify overlapping key controls in business application systems?

A. Reviewing system functionalities that are attached to complex business processes

B. Submitting test transactions through an integrated test facility

C. Replacing manual monitoring with an automated auditing solution

D. Testing controls to validate that they are effective

A

C. As part of the effort to realize continuous audit management, there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts can discover unnecessary or overlapping key controls in existing systems.

93
Q

When performing a risk analysis, the IS auditor should FIRST:

A. Review the data classification program.

B. Identify the organization’s information assets.

C. Identify the inherent risk of the system.

D. Perform a cost-benefit analysis for controls.

A

B. The first step of the risk assessment process is to identify the systems and processes that support the business objectives, because risk to those processes impacts the achievement of business goals.

94
Q

After identifying the findings, the IS auditor should FIRST:

A. Gain agreement on the findings.

B. Determine mitigation measures for the findings.

C. Inform senior management of the findings.

D. Obtain remediation deadlines to close the findings.

A

A. If findings are not agreed upon and confirmed by both parties, then there may be an issue during sign-off on the final audit report or while discussing findings with management. When agreement is obtained with the auditee, it implies the finding is understood and a clear plan of action can be determined.

95
Q

A PRIMARY benefit derived for an organization employing control self-assessment techniques is that it:

A. Can identify high-risk areas that might need a detailed review later.

B. Allows IS auditors to independently assess risk.

C. Can be used as a replacement for traditional audits.

D. Allows management to relinquish responsibility for control.

A

A. Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review later.

96
Q

Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?

A. Prioritize the identified risk.

B. Define the audit universe.

C. Identify the critical controls.

D. Determine the testing approach.

A

B. In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. To plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix.

97
Q

Which of the following is MOST likely to be considered a conflict of interest for an IS auditor who is
reviewing a cybersecurity implementation?

A. Delivering cybersecurity awareness training

B. Designing the cybersecurity controls

C. Advising on the cybersecurity framework

D. Conducting the vulnerability assessment

A

B. If an auditor designs the controls, a conflict of interest arises in the neutrality of the auditor to address deficiencies during an audit. This is in violation of the ISACA Code of Ethics.

98
Q

An IS auditor identified a business process to be audited. The IS auditor should NEXT identify the:

A. Most valuable information assets.

B. IS audit resources to be deployed.

C. Auditee personnel to be interviewed.

D. Control objectives and activities.

A

D. After the business process is identified, the IS auditor should first identify the control objectives
and activities associated with the business process that should be validated in the audit.

99
Q

The effect of which of the following should have priority in planning the scope and objectives of an IS audit?

A. Applicable statutory requirements

B. Applicable corporate standards

C. Applicable industry good practices

D. Organizational policies and procedures

A

A. The effect of applicable statutory requirements must be factored in while planning an IS
audit—the IS auditor has no options regarding statutory requirements because there can be no
limitation of scope relating to statutory requirements.

100
Q

An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In
such a circumstance, IS audit management should:

A. Remove the IS auditor from the engagement.

B. Cancel the engagement.

C. Disclose the issue to the client.

D. Take steps to restore the IS auditor’s independence.

A

C. In circumstances in which the IS auditor’s independence is impaired and the IS auditor
continues to be associated with the audit, the facts surrounding the issue of the IS auditor’s
independence should be disclosed to the appropriate management and in the report.

101
Q

An IS auditor is planning to evaluate the control design effectiveness that is related to an automated billing
process. Which of the following is the MOST effective approach for the auditor to adopt?

A. Interview

B. Inquiry

C. Reperformance

D. Walk-through

A

D. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to
business process controls. This is the most effective basis for evaluation of the design of the
control, because it actually exists.

102
Q

Which of the following is the MAIN reason to perform a risk assessment in the planning phase of an IS audit?

A. To ensure management’s concerns are addressed

B. To provide reasonable assurance material items will be addressed

C. To ensure the audit team will perform audits within budget

D. To develop audit program and procedures needed to perform the audit

A

B. A risk assessment helps to focus the audit procedures on the highest risk areas included in the
scope of the audit. The concept of reasonable assurance is also important.

103
Q

Which of the following is MOST important to ensure before communicating the audit findings to top
management during the closing meeting?

A. Risk statement includes an explanation of a business impact.

B. Findings are clearly tracked back to evidence.

C. Recommendations address root causes of findings.

D. Remediation plans are provided by responsible parties.

A

B. Without adequate evidence, the findings hold no ground; therefore, this must be verified before
communicating the findings.

104
Q

The MAIN advantage of an IS auditor directly extracting data from a general ledger system is:

A. Reduction of human resources needed to support the audit

B. Reduction in the time to have access to the information

C. Greater flexibility for the audit department

D. Greater assurance of data validity

A

D. If the IS auditor executes the data extraction, there is greater assurance that the extraction
criteria will not interfere with the required completeness, and, therefore, all required data will
be collected. Asking IT to extract the data may expose the risk of filtering out exceptions that
should be seen by the auditor. Also, if the IS auditor collects the data, all internal references
correlating the various data tables/elements will be understood, and this knowledge may reveal
vital elements to the completeness and correctness of the overall audit activity.

105
Q

An IS auditor wants to determine the number of purchase orders that are not appropriately approved. Which
of the following sampling techniques should an IS auditor use to make such a conclusion?

A. Attribute

B. Variable

C. Stop-or-go

D. Judgment

A

A. Attribute sampling is used to test compliance of transactions to controls; in this instance, the
existence of appropriate approval.

106
Q

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the
following attributes of evidence is MOST affected by using CAATs?

A. Usefulness

B. Reliability

C. Relevance

D. Adequacy

A

B. Because the data are directly collected by the IS auditor, the audit findings can be reported with
an emphasis on the reliability of the records that are produced and maintained in the system.
The reliability of the source of information used provides reassurance on the generated findings.

107
Q

An internal IS audit function is planning a general IS audit. Which of the following activities takes place
during the FIRST step of the planning phase?

A. Development of an audit program

B. Define the audit scope

C. Identification of key information owners

D. Development of a risk assessment

A

D. A risk assessment should be performed to determine how internal audit resources should be
allocated to ensure that all material items will be addressed.

108
Q

Which of the following is the MOST important skill that an IS auditor should develop to understand the
constraints of conducting an audit?

A. Managing audit staff

B. Allocating resources

C. Project management

D. Attention to detail

A

C. Audits often involve resource management, deliverables, scheduling and deadlines that are
similar to project management good practices.

109
Q

What is the MAJOR benefit of conducting a control self-assessment over a traditional audit?

A. It detects risk sooner.

B. It replaces the internal audit function.

C. It reduces the audit workload.

D. It reduces audit resource requirements.

A

A. Control self-assessments (CSAs) require employees to assess the control stature of their own
function. CSAs help to increase the understanding of business risk and internal controls.
Because they are conducted more frequently than audits, CSAs help to identify risk in a timelier manner.

110
Q

An IS auditor is reviewing a project risk assessment and notices that the overall residual risk level is high
due to confidentiality requirements. Which of the following types of risk is normally high due to the number
of unauthorized users the project may affect?

A. Control risk

B. Compliance risk

C. Inherent risk

D. Residual risk

A

C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without considering the actions that
management has taken or might take.

111
Q

An IS auditor discovers a potential material finding. The BEST course of action is to:

A. report the potential finding to business management.

B. discuss the potential finding with the audit committee.

C. increase the scope of the audit.

D. perform additional testing.

A

D. The IS auditor should perform additional testing to ensure that it is a finding. An auditor can
quickly lose credibility if it is later discovered the finding was not justified or accurate.

112
Q

Which of the following is in the BEST position to approve changes to the audit charter?

A. Board of directors

B. Audit committee

C. Executive management

D. Director of internal audit

A

B. The audit committee is a subgroup of the board of directors. The audit department should
report to the audit committee and the audit charter should be approved by the committee.

113
Q

An IS auditor reviewing the process of log monitoring wants to evaluate the organization’s manual review
process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this
purpose?

A. Inspection

B. Inquiry

C. Walk-through

D. Reperformance

A

C. Walk-through procedures usually include a combination of inquiry, observation, inspection
of relevant documentation and reperformance of controls. A walk-through of the manual log
review process follows the manual log review process from start to finish to gain a thorough
understanding of the overall process and identify potential control weaknesses.

114
Q

An IS auditor is comparing equipment in production with inventory records. This type of testing is an
example of:

A. substantive testing.

B. compliance testing.

C. analytical testing.

D. control testing.

A

A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of
activities or transactions during the audit period.

115
Q

Which of the following does a lack of adequate controls represent?

A. An impact

B. A vulnerability

C. An asset

D. A threat

A

B. The lack of adequate controls represents a vulnerability, exposing sensitive information and
data to the risk of malicious damage, attack or unauthorized access by hackers, employee error,
environmental threat or equipment failure. This could result in a loss of sensitive information,
financial loss, legal penalties or other losses.

116
Q

An IS auditor notes daily reconciliation of visitor access card inventory is not aligned with the
organization’s procedures. Which of the following is the auditor’s BEST course of action?

A. Do not report the lack of reconciliation.

B. Recommend regular physical inventory counts.

C. Report the lack of daily reconciliations.

D. Recommend the implementation of a more secure access system.

A

C. The IS auditor should report the lack of daily reconciliation as an exception, because a physical
inventory count gives assurance only at a point in time and the practice is not in compliance
with management’s mandated activity.

117
Q

During an audit, the IS auditor notes the application developer also performs quality assurance testing on
another application. Which of the following is the MOST important course of action for the auditor?

A. Recommend compensating controls.

B. Review the code created by the developer.

C. Analyze the quality assurance dashboards.

D. Report the identified condition.

A

D. The software quality assurance role should be independent and separate from developers and
development activities. The same person should not hold both roles because this would cause a
segregation of duties concern. The IS auditor should report this condition when identified.

118
Q

An IS auditor is reviewing risk and controls of a bank’s wire transfer system. To ensure that the bank’s
financial risk is properly addressed, the IS auditor will most likely review which of the following?

A. Privileged access to the wire transfer system

B. Wire transfer procedures

C. Fraud monitoring controls

D. Employee background checks

A

B. Wire transfer procedures include segregation of duties controls. This helps prevent internal
fraud by not allowing one person to initiate, approve and send a wire. Therefore, the IS auditor
should review the procedures as they relate to the wire system.

119
Q

An IS auditor is determining the appropriate sample size for testing the existence of program change
approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:

A. lower confidence coefficient, resulting in a smaller sample size.

B. higher confidence coefficient, resulting in a smaller sample size.

C. higher confidence coefficient, resulting in a larger sample size.

D. lower confidence coefficient, resulting in a larger sample size.

A

A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size.

120
Q

Why does an audit manager review the staff’s audit papers, even when the IS auditors have many years of
experience?

A. Internal quality requirements

B. The audit guidelines

C. The audit methodology

D. Professional standards

A

D. Professional standards from ISACA, The Institute of Internal Auditors and the International
Federation of Accountants require supervision of audit staff to accomplish audit objectives and
comply with competence, professional proficiency and documentation requirements, and more.

121
Q

Which technique will BEST test for the existence of dual control when auditing the wire transfer systems
of a bank?

A. Analysis of transaction logs

B. Reperformance

C. Observation

D. Interviewing personnel

A

C. Dual control requires that two people carry out an operation. The observation technique helps
to ascertain whether two individuals do get involved in execution of the operation and an
element of oversight exists. It is obvious if one individual is masquerading and filling in the role of the second person.

122
Q

In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor
would MOST likely compensate for this scenario by performing additional:

A. Stop-or-go sampling.

B. Substantive testing.

C. Compliance testing.

D. Discovery sampling.

A

B. Because both the inherent and control risk are high in this case, additional testing is required.
Substantive testing obtains audit evidence on the completeness, accuracy or existence of
activities or transactions during the audit period.

123
Q

The PRIMARY objective of the audit initiation meeting with an IS audit client is to:

A. Discuss the scope of the audit.

B. Identify resource requirements of the audit.

C. Select the methodology of the audit.

D. Collect audit evidence.

A

A. The primary objective of the initiation meeting with an audit client is to help define the scope of the audit.

124
Q

The PRIMARY purpose of the IS audit charter is to:

A. Establish the organizational structure of the audit department.

B. Illustrate the reporting responsibilities of the IS audit function.

C. Detail the resource requirements needed for the audit function.

D. Outline the responsibility and authority of the IS audit function.

A

D. The primary purpose of the IS audit charter is to set forth the purpose, responsibility, authority
and accountability of the IS audit function. The charter document grants authority to the audit
function on behalf of the board of directors and organization stakeholders.

125
Q

Which of the following is MOST important for an IS auditor to understand when auditing an ecommerce
environment?

A. The technology architecture of the ecommerce environment

B. The policies, procedures and practices forming the control environment

C. The nature and criticality of the business processes supported by the application

D. Continuous monitoring of control measures for system availability and reliability.

A

C. The ecommerce application enables the execution of business transactions. Therefore, it is
important to understand the nature and criticality of the business process supported by the
ecommerce application to identify specific controls to review.

126
Q

During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of
segregation of duties within an IT department?

A. Discuss with the IT managers.

B. Review the IT job descriptions.

C. Research past IT audit reports.

D. Evaluate the organizational structure.

A

A. Discussing the implementation of segregation of duties with the IT managers is the best way to
determine how responsibilities are assigned within the department.

127
Q

A financial institution with multiple branch offices has an automated control that requires the branch
manager to approve transactions more than a certain amount. What type of audit control is this?

A. Detective

B. Preventive

C. Corrective

D. Directive

A

B. Having a manager approve transactions more than a certain amount is considered a
preventive control.

128
Q

During an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to:

A. Include a review of the database controls in the scope.

B. Document for future review.

C. Work with database administrators to correct the issue.

D. Report the weaknesses as observed.

A

D. Any weakness noticed should be reported, even if it is outside the scope of the current audit. Weaknesses identified during an application software review need to be reported to
management.

129
Q

A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:

A. directive control.

B. corrective control.

C. compensating control.

D. detective control.

A

B. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions, when they are detected. This provides a mechanism to detect when malicious events
have happened and correct the situation.

130
Q

Due to unexpected resource constraints of the IS audit team, the audit plan, as originally approved, cannot be completed. Assuming the situation is communicated in the audit report, which course of action is MOST acceptable?

A. Test the adequacy of the control design.

B. Test the operational effectiveness of controls.

C. Focus on auditing high-risk areas.

D. Rely on management testing of controls.

A

C. Reducing the scope and focusing on auditing high-risk areas is the best course of action.

131
Q

Which of the following BEST ensures the effectiveness of controls related to interest calculation for an
accounting system?

A. Reperformance

B. Process walk-through

C. Observation

D. Documentation review

A

A. To ensure the effectiveness of controls, it is most effective to conduct reperformance. When
the same result is obtained after the performance by an independent person, this provides the strongest assurance.

132
Q

Which of the following choices would be the BEST source of information when developing a risk-based
audit plan?

A. Process owners identify key controls.

B. System custodians identify vulnerabilities.

C. Peer auditors understand previous audit results.

D. Senior management identify key business processes.

A

D. Developing a risk-based audit plan must start with the identification of key business processes, which determine and identify the risk that needs to be addressed.

133
Q

While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should:

A. Report the issue to IT management.

B. Discuss the issue with the service provider.

C. Perform a risk assessment.

D. Perform an access review.

A

A. During an audit, if there are material issues that are of concern, they need to be reported to management in the audit report.

134
Q

Which of the following is the PRIMARY requirement for reporting IS audit results? The report is:

A. Prepared according to a predefined and standard template.

B. Backed by sufficient and appropriate audit evidence.

C. Comprehensive in coverage of enterprise processes.

D. Reviewed and approved by audit management.

A

B. ISACA IS audit standards require that reports should be backed by sufficient and appropriate
audit evidence so that they demonstrate the application of the minimum standard of performance, and the findings and recommendations can be validated, if required.

135
Q

An IS auditor performing an audit of the risk assessment process should FIRST confirm that:

A. Reasonable threats to the information assets are identified.

B. Technical and organizational vulnerabilities have been analyzed.

C. Assets have been identified and ranked.

D. The effects of potential security breaches have been evaluated.

A

C. Identification and ranking of information assets (e.g., data criticality, sensitivity, locations of
assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset.

136
Q

Which of the following represents an example of a preventive control with respect to IT personnel?

A. A security guard stationed at the server room door

B. An intrusion detection system

C. Implementation of a badge entry system for the IT facility

D. A fire suppression system in the server room

A

C. Preventive controls are used to reduce the probability of an adverse event. A badge entry system prevents unauthorized entry to the facility.

137
Q

Which of the following is an attribute of the control self-assessment approach?

A. Broad stakeholder involvement

B. Auditors are the primary control analysts

C. Limited employee participation

D. Policy driven

A

A. The control self-assessment (CSA) approach emphasizes management of and accountability
for developing and monitoring the controls of an organization’s business processes. The
attributes of CSA include empowered employees, continuous improvement, extensive employee
participation and training, all of which are representations of broad stakeholder involvement.

138
Q

An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing
organization discovered the following:
* The existing DRP was compiled two years earlier by a systems analyst in the organization’s IT department
using transaction flow projections from the operations department.
* The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it
is still awaiting attention.
* The DRP has never been updated, tested or circulated to key management and staff, although interviews
show that each would know what action to take for its area if a disruptive incident occurred.
The IS auditor’s report should recommend that:

A. The deputy chief executive officer (CEO) is censured for failure to approve the plan.

B. A board of senior managers is set up to review the existing plan.

C. The existing plan is approved and circulated to all key management and staff.

D. A manager coordinates the creation of a new or revised plan within a defined time limit.

A

D. The primary concern is to establish a workable DRP that reflects current processing volumes to
protect the organization from any disruptive incident.

139
Q

An IS auditor finds that a disaster recovery plan (DRP) for critical business functions does not cover all systems. Which of the following is the MOST appropriate course of action for the IS auditor?

A. Alert management and evaluate the impact of not covering all systems.

B. Cancel the audit.

C. Complete the audit of the systems covered by the existing DRP.

D. Postpone the audit until the systems are added to the DRP.

A

A. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). An IS auditor should continue the audit and include an evaluation of the
impact of not including all systems in the DRP.

140
Q

Which of the following is MOST effective for monitoring transactions exceeding predetermined thresholds?

A. Generalized audit software

B. An integrated test facility

C. Regression tests

D. Transaction snapshots

A

A. Generalized audit software (GAS) is a data analytic tool that can be used to filter large amounts
of data.

141
Q

Which of the following is MOST important to ensure that effective application controls are maintained?

A. Exception reporting

B. Manager oversight

C. Control self-assessment

D. Peer reviews

A

C. CSA is the review of business objectives and internal controls in a formal and documented
collaborative process. It includes testing the design of automated application controls.

142
Q

The success of a control self-assessment depends highly on:

A. Line managers assuming a portion of the responsibility for control monitoring

B. Assigning staff managers the responsibility for building controls

C. The implementation of a stringent control policy and rule-driven controls

D. The implementation of supervision and monitoring of controls of assigned duties

A

A. The primary objective of a control self-assessment (CSA) program is to leverage the internal
audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers
assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.

143
Q

Which of the following is evaluated as a preventive control by an IS auditor performing an audit?

A. Transaction logs

B. Before and after image reporting

C. Table lookups

D. Tracing and tagging

A

C. Table lookups are preventive controls; input data are checked against predefined tables, which
prevents any undefined data from being entered.

144
Q

Which of the following is a PRIMARY objective of embedding an audit module while developing online
application systems?

A. To collect evidence while transactions are processed

B. To reduce requirements for periodic internal audits

C. To identify and report fraudulent transactions

D. To increase efficiency of the audit function

A

A. Embedding a module for continuous auditing within an application processing a large number of transactions provides timely collection of audit evidence during processing and is the primary objective. The continuous auditing approach allows the IS auditor to monitor system reliability
on a continuous basis and to gather selective audit evidence through the computer.

145
Q

An IS audit department considers implementing continuous auditing techniques for a multinational retail enterprise
that requires high availability of its key systems. A PRIMARY benefit of continuous auditing is that:

A. Effective preventive controls are enforced.

B. System integrity is ensured.

C. Errors can be corrected in a timely fashion.

D. Fraud can be detected more quickly.

A

D. Continuous auditing techniques assist the auditing function in reducing the use of auditing
resources through continuous collection of evidence. This approach assists the IS auditors in
identifying fraud in a timely fashion and allows the auditors to focus on relevant data.

146
Q

An IS auditor wants to determine the effectiveness of managing user access to a server room. Which of the
following is the BEST evidence of effectiveness?

A. Observation of a logged event

B. Review of the procedure manual

C. Interview with management

D. Interview with security personnel

A

A. Observation of the process to reset an employee’s security access to the server room and the
subsequent logging of this event provide the best evidence of the adequacy of the physical
security control.

147
Q

As part of audit planning, an IS auditor is designing various data validation tests to effectively detect
transposition and transcription errors. Which of the following will BEST help in detecting these errors?

A. Range check

B. Validity check

C. Duplicate check

D. Check digit

A

D. A check digit is a numeric value that has been calculated mathematically and is added to data to ensure that original data have not been altered or that an incorrect, but valid, match has
occurred. The check digit control is effective in detecting transposition and transcription errors.

148
Q

The MAIN purpose of the annual IS audit plan is to:

A. Allocate resources for audits.

B. Reduce the impact of audit risk.

C. Develop a training plan for auditors.

D. Minimize the audit costs.

A

A. Because IS audit assignments need to be accomplished with limited time and human resources, audits are scheduled and prioritized as determined by IS audit management.

149
Q

Which of the following would be expected to approve the audit charter?

A. Chief financial officer

B. Chief executive officer

C. Audit steering committee

D. Audit committee

A

D. One of the primary functions of the audit committee is to create and approve the audit charter.

150
Q

Which of the following is the PRIMARY purpose of a risk-based audit?

A. High-impact areas are addressed first.

B. Audit resources are allocated efficiently.

C. Material areas are addressed first.

D. Management concerns are prioritized.

A

C. Material risk is audited according to the risk ranking, thus enabling the audit team to
concentrate on high-risk areas first.

151
Q

An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT
auditor to take?

A. Discuss the finding with the IT auditor’s manager.

B. Retest the control to confirm the finding.

C. Elevate the risk associated with the control.

D. Discuss the finding with the auditee’s manager.

A

A. Discussing the disagreement with the auditor’s manager is the best course of action because
other actions can weaken relationships between the auditee and auditor.