Domain 1 LearnZapp

Question 1

Which are more formal - audits or assessments?

Answer 1

Audits

Question 2

<blank> is the person setting the scope for the audit, and the <blank> performs the work.
</blank></blank>

Answer 2

Client, auditor

Question 3

Who signs and enforces the policy?

Answer 3

highest level of management

Question 4

<blank> is required for an external audit
</blank>

Answer 4

Auditor independence

Question 5

<blank> are mandatory controls designed to support a policy. <blank> is discretionary.
</blank></blank>

Answer 5

Standards, guidelines

Question 6

Best description of an ongoing audit program for regulatory compliance

Answer 6

An audit is a series of unique projects of short duration that add up to cover all the steps necessary for annual compliance.

Question 7

Purpose of ISACA’s professional ethics statement

Answer 7

to clearly specify acceptable and unacceptable behavior

Question 8

Auditor’s final opinion to be based on…

Answer 8

results of evidence and testing

Question 9

Common types of audits

Answer 9

integrated, operational, compliance, administrative

Question 10

Difference between policy and procedure

Answer 10

Policy is a high-level document signed by a person of authority, and compliance is mandatory. A procedure defines the mandatory steps to attain compliance.

Question 11

Purpose of standard terms or regulation

Answer 11

to ensure honest and unbiased communication

Question 12

In business organization, who will be held by the governance for failures of internal controls?

Answer 12

president, vp and other corporate officers

Question 13

Who specifies controls?

Answer 13

Data owner

Question 14

What is fiduciary responsibility?

Answer 14

Act for the benefit of another person and place the responsibilities to be fair and honest ahead of your own interest

Question 15

How does an auditor derive a final opinion?

Answer 15

evidence gathered and auditor’s observations

Question 16

How should an auditor assist in the remediation of problems found during the audit?

Answer 16

Auditor should never take ownership of problems found. Auditors are encouraged to provide general advice to the auditee, including an explanation of what to look for during the audit.

Question 17

The <blank> type of audit checks attributes against the design specifications</blank>

Answer 17

product

Question 18

Why is it necessary to protect audit documentation and work papers?

Answer 18

Audit documentation and work papers may reveal confidential information that should not be lost or disclosed

Question 19

Difference between ‘should’ and ‘shall.’

Answer 19

Should indicates actions that are discretionary according to need, whereas shall means the action is mandatory regardless of financial impact.

Question 20

Audit may uncover irregularities and illegal acts that require disclosure.

Answer 20

False

Question 21

What is not true regarding audit committee?

Answer 21

Executives inside the organization oversee the audit committee and are responsible for keeping the committee busy working on compliance programs.

Question 22

What is called having the right people look at the issue, make an intelligent decision and take appropriate action?

Answer 22

Governance

Question 23

What is the difference between threat and vulnerability?

Answer 23

Vulnerabilities are a path that can be taken by a threat, resulting in a loss

Question 24

What is false concerning a control self-assessment?

Answer 24

Eliminates the need for a traditional audit

Question 25

Who has the responsibility for setting scope of the audit?

Answer 25

client

Question 26

Documentation used to identify the person responsible for specific tasks

Answer 26

skills matrix

Question 27

What is a concern of the auditor that should be explained in the audit report along with the findings?

Answer 27

undue restrictions placed by management on evidence use or audit procedures

Question 28

Auditor permitted to deviate from professional audit standards when they feel it necessary…

Answer 28

Deviation is almost unheard of and would require significant justification

Question 29

Which type of evidence sampling refer to a 100% sample?

Answer 29

discovery

Question 30

Types of risk are of most interest to IS auditor…

Answer 30

sampling, control, detection, inherent

Question 31

What type of CAAT is designed to process dummy transactions during the process of genuine transactions?

Answer 31

embedded audit module

Question 32

What are two types of tests?

Answer 32

substantive and compliance using variable and attribute sampling methods

Question 33

What is false in regard to using the work of other people during your audit?

Answer 33

Accept the work based on job position

Question 34

What is another name for an audit used for regulatory licensing or external report?

Answer 34

traditional audit

Question 35

Audits are intended to be conducted in accordance with?

Answer 35

Adherence to standards, guidelines and best practices

Question 36

What is not a quantitative sampling method?

Answer 36

Qualitative estimation per unit

Question 37

What is the principle issue concerning use of CAAT?

Answer 37

possible cost, complexity and security of output

Question 38

What is the purpose of an audit charter?

Answer 38

grant responsibility, authority and accountability

Question 39

What is the difference between compliance and substantive testing?

Answer 39

Compliance testing covers checks for the presence of controls; substantive tests check the integrity of internal controls

Question 40

What is the purpose of continuous auditing?

Answer 40

Assist managers with automated tests

Question 41

What is the difference between audit sample and total population?

Answer 41

precision

Question 42

What is the biggest issue with the decision to transfer risk to an outsourced contractor?

Answer 42

Company still retains liability for whatever happens

Question 43

What is NOT a purpose of risk analysis?

Answer 43

ensure absolute safety during the audit

Question 44

What is the best document to help define the relationship of the independent auditor and provide evidence of the agreed-upon terms and conditions?

Answer 44

engagement letter

Question 45

ISACA refers to testing strong control. What is the best description of a strong control?

Answer 45

effective implementation of multiple controls targeting the same objective

Question 46

What type of risk fails to prevent or detect a material error?

Answer 46

detection risk

Question 47

What is the best data collection technique the auditor can use if the resources are available?

Answer 47

interviews

Question 48

An IS auditor is performing a review of an application and finds something that might be illegal. What should the IS auditor do?

Answer 48

seek legal advice before finishing the audit

Question 49

Who is responsible for providing internal controls to detect, correct, and prevent irregularities and illegal acts?

Answer 49

Board of Directors

Question 50

What is the purpose of an audit committee?

Answer 50

to challenge and review assurances

Question 51

What is a concern that the auditor should explain in the audit report along with their findings?

Answer 51

undue restrictions placed by management on evidence use or audit procedure

Question 52

During performance of an audit, a reportable finding is identified with auditee. The auditee immediately fixed the problem upon identification. What is true as a result of interaction?

Answer 52

Auditor lists the finding as it existed

Question 53

What is the primary benefit of using risk-based approach to audit planning?

Answer 53

allocates resources to the areas of highest concern

Question 54

What is the best choice to ensure that internal control objectives are met?

Answer 54

suitable systems for tracking and reporting incidents are used

Question 55

What is true concern reporting by internal auditors?

Answer 55

The corresponding value of the audit report is low

Question 56

Auditor is permitted to deviate from professional audit standards when they feel it is necessary because…

Answer 56

deviating from standards is almost unheard of and would require significant justification

Question 57

What is the best definition of auditing?

Answer 57

Review of past history using evidence to tell the story

Question 58

What is a sampling method is used when likelihood of finding evidence is low

Answer 58

discovery - known as 100% sample

Question 59

What is the hierarchy of controls from highest to lowest?

Answer 59

general, pervasive, detailed, application

Question 60

What is not one of the 3 major control types?

Answer 60

deterrent (major: detective, preventive, corrective)

Question 61

After presenting the report at the conclusion of an audit, the lead auditor discovers the omission of a procedure. What should the auditor do next?

Answer 61

cancel the report if audit alternates cannot compensate for the deficiency

Question 62

What does the function of the auditor provide?

Answer 62

second set of eyes, which are external to the subject under review

Question 63

What is the best way for an auditor to prove their competence to perform an audit?

Answer 63

citing each point in a regulation with an audit objective and specific test

Question 64

What is true concerning the auditor’s qualified opinion?

Answer 64

auditor has reservations about the findings

Question 65

What is the best example of implementing a detective control via administrative methods?

Answer 65

auditing of system configuration and log files

Question 66

A nonstatistical audit sample, known as judgmental sample, is defined as?

Answer 66

haphazard

Question 67

What is the primary purpose of an audit charter?

Answer 67

Assign the auditor responsibility, authority and accountability

Question 68

What audit tool incorporates dummy transactions into the normal processing on a system?

Answer 68

integrated test facility - aka embedded audit module

Question 69

Internal controls are developed to provide <blank> assurance that a company's business objectives will be achieved and undesired risk events will be <blank></blank></blank>

Answer 69

reasonable; prevented, detected and corrected

Question 70

What is a fundamental limitation of internal controls?

Answer 70

Management may exempt themselves from controls

Question 71

A systems audit is responsible for performing tests that <blank> material weaknesses of internal controls.</blank>

Answer 71

detect

Question 72

Reliability of an application’s audit trail may be questionable if ….

Answer 72

users can amend audit trail records when correcting system errors

Question 73

An IS auditor would perform a <blank> test of program library controls to determine if the source and object versions are the same.</blank>

Answer 73

compliance

Question 74

Risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when in fact they do is an example of <blank> risk.</blank>

Answer 74

detection

Question 75

If an IS auditor discovers a Trojan horse that was produced by a known virus and exploits a vulnerability of an OS, the auditor should ….

Answer 75

ensure that the malicious code is remove before doing anything else

Question 76

Prior audit results lack supporting work papers and proper documentation; what should the IS auditor do?

Answer 76

Inform audit management and propose retesting the controls

Question 77

What is the primary objective of a logical access control review?

Answer 77

ensure that access is granted per organization’s authorities

Question 78

Risk of shared user accounts is that user responsibility ….

Answer 78

cannot be established

Question 79

IS auditor observes some data entry operators leave their computers in the midst of data entry without logging off, the auditor should ….

Answer 79

recommend implementing a screensaver password to prevent unauthorized access

Question 80

If an IS auditor discovers evidence of fraud perpetrated with a user’s user id that has been shared, then the auditor knows ….

Answer 80

the perpetrator cannot be established beyond doubt

Question 81

IS auditor discovers a design weakness in an application’s access controls, what should they do?

Answer 81

further investigate the impact of the vulnerability prior to recommending compensating actions to management

Question 82

Most effective control for reducing the exposure to the risk of unauthorized access of data transmitted to and from remote sites?

Answer 82

encryption

Question 83

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure….

Answer 83

vulnerabilities and threats are identified

Question 84

To ensure audit resources deliver the best value to the organization, the first step would be to ….

Answer 84

develop the audit plan on the basis of a detailed risk assessment

Question 85

Best factor for determining the extent of data collection during the planning phase of an IS compliance audit?

Answer 85

purpose, objective and scope of an audit

Question 86

Decisions and actions of an IS auditor are most like to affect <blank> risk.</blank>

Answer 86

detection

Question 87

Initial step in auditing access controls in a client/server environment…

Answer 87

Identify network access points

Question 88

<blank> most directly addresses the issue of security policy awareness.
</blank>

Answer 88

employee training

Question 89

IS auditor performing telecom access control review should be concerned primarily with ….

Answer 89

authentication and authorization of the user prior to granting access to system resources

Question 90

The <blank> auditing method features a <blank> level of complexity. This can be used by the auditor to effectively audit a system running in production.</blank></blank>

Answer 90

snapshot, low

Question 91

<blank> provides the basis for security policy decisions.
</blank>

Answer 91

Risk management

Question 92

Once a security policy has been designed and approved, what is the most important step?

Answer 92

distribute the policy to users

Question 93

IT control objectives are useful to IS auditors because they provide the bases for understanding ….

Answer 93

the desired result or purpose of implementing specific control procedures

Question 94

During a controls audit, what would be the most important document to the auditor?

Answer 94

Facility blueprint showing access paths

Question 95

Risk related to the ability to perform an audit and gather meaningful evidence…

Answer 95

detection risk

Question 96

Sampling method most useful in compliance audit…

Answer 96

attribute

Question 97

Which stage are interviewees identified?

Answer 97

pre-audit planning

Question 98

Condition is likely to represent a control failure and therefore be a concern to the auditor.

Answer 98

Policy without an underlying standard of monitoring and enforcement

Question 99

IS control objectives (protect a system from a loss) include all of the following except…

Answer 99

identifying individual threats to a system

Question 100

When could the auditor safely agree to deviate from the published audit standards?

Answer 100

never

Question 101

A <blank> is used to ensure that batch data is completely and accurately transferred between 2 systems.</blank>

Answer 101

control total

Question 102

When auditing the conversion of an accounting system, an IS auditor should verify the existence of …..

Answer 102

control total bit

Question 103

What is the primary issue regarding auditor independence?

Answer 103

Independent auditors must not work on the target of the audit

Question 104

An IS auditor’s primary concern when application developers wish to use a copy of yesterday’s production transaction file for volume tests is that ….

Answer 104

unauthorized access to sensitive data may result

Question 105

Key steps in selection of a sample of an audit test include all of the following except….

Answer 105

substantive testing

Question 106

What is true concerning discovery of potentially illegal activity?

Answer 106

Evidence surrounding discovery should be disclosed to the next-higher level of management

Question 107

What is a sample method used in compliance testing?

Answer 107

attribute sampling

Question 108

<blank> should be the IS auditor's primary concern when they are conducting a review of an application system after users have completed acceptance testing
</blank>

Answer 108

determining if there are unresolved issues

Question 109

What is NOT an acceptable method of risk management?

Answer 109

intentionally skipping the disclosure of a threat

Question 110

How does an auditor develop a professional opinion?

Answer 110

gathering of evidence and corresponding test results

Question 111

disabling normalization controls in the DB management system can result in <blank> redundancy of data</blank>

Answer 111

an unnecessary increase in

Question 112

Reverse engineering will likely involve …..

Answer 112

violation of license agreements

Question 113

What is the primary purpose of SLA?

Answer 113

define, agreed on, record, and manage the required levels of service

Question 114

During a systems audit, the configuration parameters are reviewed by the auditor. What is the auditor’s primary concern?

Answer 114

Settings meet the minimum requirements for proper security

Question 115

What is designed primarily to minimize the impact after an event occurs?

Answer 115

corrective

Question 116

What can help an IS auditor determine compliance with an organization’s change control procedures?

Answer 116

Identifying changes that have occurred and verifying approvals

Question 117

If an IS auditor reviewing a DB application discovers that the current configuration does not match the originally designed structure, the auditor should then….

Answer 117

determine if the modifications were properly approved

Question 118

What is the primary objective of a control self-assessment?

Answer 118

To empower worker to assess the active controls

Question 119

Utilizing audit software to compare the object code of two programs is an audit technique used to test program <blank>.</blank>

Answer 119

changes

Question 120

Quality is defined as <blank>. With good <blank>, you can expect quality to be present. With poor or missing <blank> it is unlikely that quality could occur.</blank></blank></blank>

Answer 120

adherence to specifications, specifications, specifications

Question 121

An auditor can best evaluate program change controls by using <blank> to independently examine source program changes.</blank>

Answer 121

source code comparison software

Question 122

What is the biggest concern withe regards to controls?

Answer 122

authorization

Question 123

During the review of a biometrics system operation, the IS auditor should first review the stage of <blank>.</blank>

Answer 123

enrollment

Question 124

What is the quantifiable method similar to demographics and used to separate the total population into unique groups into unique groups of similar attributes?

Answer 124

stratified mean per unit

Question 125

specifying a minimum password length and complexity are control <blank> that help accomplish a control <blank>.</blank></blank>

Answer 125

procedures, objective

Question 126

approach not acceptable for gathering information for a risk analysis…

Answer 126

sending an email explaining the basics of risk analysis and asking for their cooperation and suggestions

Question 127

True statement concerning materiality

Answer 127

Information that would change the outcome of the audit is material

Question 128

what is the best demonstration of the auditor independence requirement?

Answer 128

audit and advise without fixing or designing the solution

Question 129

what is the most common issue with audit logs?

Answer 129

Logs are not sufficiently reviewed and analyzed

Question 130

What is the type of audit that evaluates both financial records and the internal control structure in a given process or area?

Answer 130

integrated audit

Question 131

What is the primary advantage of a continuous audit approach?

Answer 131

can improve system security when used in time-sharing environments that process a large number of transactions

Question 132

What is the most appropriate audit technique for a retail business with a large volume of transactions to address emerging risk?

Answer 132

continuous auditing

Question 133

What is the first step performed prior to creating a risk ranking for the annual internal IS audit plan?

Answer 133

define the audit universe

Question 134

What is the best reason to meet with an auditee prior to closing an audit or review is …..

Answer 134

to confirm agreement on the findings

Question 135

What is the primary response to resolving suspicions of unlicensed software usage?

Answer 135

determine if the software is actually being used by the organization

Question 136

<blank> makes the final decision to include a material finding in an audit report.
</blank>

Answer 136

information systems auditor

Question 137

Failure to protect sensitive electronic work papers represents a risk of a breach of <blank></blank>

Answer 137

confidentiality

Question 138

<blank> should specify the role of the audit function
</blank>

Answer 138

audit charter

Question 139

<blank> is used to determine if unauthorized changes were made to production programs
</blank>

Answer 139

compliance testing

Question 140

What risk is defined as the possibility of the existence of a material error that could not be prevented or detected?

Answer 140

control

Question 141

If negative audit findings are not remediated by the target date specified in response to an audit report, an auditor would then ….

Answer 141

evaluate the residual risk from unresolved issues

Question 142

What should an auditor do if systems tests do not provide conclusive results?

Answer 142

complete the report and provide testing results achieved, but emphasize the need to perform further testing to ensure accuracy of the findings

Question 143

What is a natural risk that always exist?

Answer 143

inherent

Question 144

Auditing IT operational capability, what provides the best evidence of whether adequate recovery and restart procedures exist?

Answer 144

review operations documentation

Question 145

What is most important when protecting digital evidence?

Answer 145

transportation of evidence is carefully documented and logged

Question 146

Without adequate planning and preparation, what is the MOST critical risk in changing from a traditional audit approach to a facilitated control self-assessment?

Answer 146

Failure to identify critical risk issues

Question 147

A systems auditor should review <blank> to evaluate planning and investment in IT assets.</blank>

Answer 147

IT balanced scorecard

Question 148

An auditor should place more emphasis on an organization’s <blank> when reviewing its IT project portfolio.</blank>

Answer 148

business plan

Question 149

A formal IT risk management methodology should consider <blank> within its scope</blank>

Answer 149

entire IT environment

Question 150

Following the evidence rule, what could the auditor use to best determine that a given policy is actually being used?

Answer 150

enforcement emails

Question 151

An SLA between an organization and a vendor should always include <blank></blank>

Answer 151

provisions for independent audit reports or the right to full audit access

Question 152

Which control classification attempts to minimize the impact of a threat?

Answer 152

corrective

Question 153

Which sampling method should be used when there is almost no margin of error or the risk of failure is very high?

Answer 153

discovery

Question 154

What is most likely encountered in a SaaS environment?

Answer 154

performance issues due to the internet delivery method

Question 155

Compensating controls are primarily intended to compensate for what issue?

Answer 155

separation

Question 156

<blank> provides the greatest redundancy and least risk of business interruption when a new system is deployed
</blank>

Answer 156

running a new system in parallel with the old system

Question 157

When reviewing any newly implemented business process, an IS auditor is most concerned with determining ….

Answer 157

if controls are in place to protect assets and informational resources