Domain 1 - IS Audit Planning & Execution

Question 1

What is the steps in IS Audit Process?

Answer 1

1) Planning
2) Perform risk assessment
3) Prepare audit program
4) Perform preliminary controls review of audit area or subject to assess initial control risk & materiality
5) Evaluate the audit area or subject
6) Gather evidence
7) Perform compliance testing

Question 2

What is Detection Risk?

Answer 2

The risk that material errors or misstatements will not be detected by the auditor

Question 3

What is Control Risk?

Answer 3

The risk that material error exists that would not be prevented or detected on a timely basis by the system of internal controls

Question 4

What is Inherent Risk?

Answer 4

The risk that a material error could occur, assuming no related internal controls to prevent or detect the error

Question 5

What is Audit Risk?

Answer 5

The risk that:
1) information or financial reports may contain material errors; or
2) IS auditor may not detect an error that has occurred; or
3) It is also the level of risk an auditor is prepared to accept during an audit engagement

Question 6

Audit Program should include?

Answer 6

Scope, audit objectives, audit procedures, & administrative details such as planning & reporting

Question 7

Definition of Internal Controls

Answer 7

Internal controls are developed to provide reasonable assurance that a company’s business objectives will be achieved & undesired risk events will be prevented, detected & corrected.

Question 8

Definition of Control Objectives

Answer 8

Control Objectives specify minimum set of controls necessary to ensure efficiency & effectiveness. It determines how an internal control should function

Question 9

Definition of Control Procedures

Answer 9

Control Procedures are developed to provide reasonable assurance that specific objectives will be achieved

Question 10

Audit Charter should be approved by?

Answer 10

Audit Committee

Question 11

Primary purpose of IT Forensic Audit?

Answer 11

Systematic collection & analysis of evidence after a system irregularity. The evidence collected can then used in judicial proceedings.

Question 12

First step in IS audit planning phase

Answer 12

Development of risk assessment. This is to determine how an internal audit resources should be allocated to ensure all material items are addressed.

Question 13

What is the steps in Risk Management Process?

Answer 13

1) Identify Business Objectives (BO)
2) Identify Information Assets supporting the BO
3) Perform Risk Assessment - Threats, Vulnerability & Impact
4) Risk Mitigation - map risk items with controls in place

Question 14

What is attribute sampling?

Answer 14

Attribute sampling attempts to estimate the rate of occurrence of a specific quality (attribute) in a population & is used in compliance testing to confirm whether the quality exists. It is appropriate for testing true or false, correct or incorrect function questions.

Question 15

Benefit of Control Self-Assessment (CSA)?

Answer 15

1) reinforce management’s ownership of internal controls
2) ensures that internal controls continue to enforce business objectives

Question 16

What is Stratified Random Sampling?

Answer 16

Stratification is the process of dividing a population into subpopulations with similar characteristics explicitly defined, so that each sampling unit can belong to only 1 stratum. This ensures all sampling units in each subgroup have a known, nonzero chance of selection - in other words, gets picked for each subgroup!

It is most appropriate for testing automated invoice authorization.

Question 17

Difference between Corrective & Detective controls

Answer 17

Corrective controls are designed to correct errors, omissions & unauthorized uses & intrusions, when detected. This provides a mechanism to detect when malicious events have happened & correct the situation.

While Detective controls exist to detect & report when errors, omissions & unauthorized uses or entries occur.

Question 18

What is Functional Acknowledgement in EDI?

Answer 18

It is a type of message that contains information about status of received messages between 2 trading partners such as whether it was accepted, rejected or if there were any errors or exceptions.

It is one of the main controls used in data mapping. It act as an audit trail for EDI transactions.

Question 19

What is the greatest risk in EDI environment?

Answer 19

Lack of authorization is the greatest risk in EDI environment because the interaction between parties is electronic, there is no inherent authentication occurring.

Question 20

What is a Checksum?

Answer 20

It is also known as “hashes” & the way it identifies modification is through comparison of the original hash value & the received data’s hash value.

A checksum that is calculated on an amount field & included in EDI communication can be used to identify unauthorized modifications (INTEGRITY).

Question 21

What is Table Lookups?

Answer 21

It is a preventive controls; input data are checked against predefined tables, which prevent any undefined data to be entered

Question 22

What is Check Digit?

Answer 22

It is a numeric value that has been calculated mathematically & is added to data to ensure that original data have not been altered or that an incorrect but valid, match has occurred.

The check digit control is effective in detecting transposition & transcription errors.

Question 23

What is Walk-through Test?

Answer 23

Walk-through test usually include combination of inquiry, observation, inspection of relevant documentation & reperformance of controls.

It reviews the process from start to finish to gain thorough understanding of the overall process & identify potential control weaknesses.

Question 24

What is Regression Testing?

Answer 24

Regression tests are used to test new versions of software to ensure previous changes & functionality are not inadvertently overwritten or disabled by new changes.

Question 25

What is computer log files?

Answer 25

Computer logs record activities of individuals during their access to a computer system or data file & record any abnormal activities such as the modification or deletion of data.

Question 26

Primary benefit of Continuous Auditing

Answer 26

Enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.

Question 27

When should Audit Scope be determine?

Answer 27

Audit scope is established at the client audit initiation meeting