Purpose, responsibility, authority and accountability Approval

Professional independence Organizational independence

Domain 1 : Practice Questions (ISACA) Flashcards by Host Mom

Objective of Domain 1: The Process of Auditing Information Systems

Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.

How well did you know this?

Not at all

Perfectly

Domain 1 Learning Objectives:

Ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.

How well did you know this?

Not at all

Perfectly

What are the 5 tasks within this domain that a CISA must know how to perform?

T1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.

T1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.

T1.3 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.

T1. 4 Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.

T1.5 Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner.

How well did you know this?

Not at all

Perfectly

How many knowledge statements are within the process of auditing information systems domain?

How well did you know this?

Not at all

Perfectly

Organization of the IS Audit Function includes:

• Audit charter (or engagement letter)
– Stating management’s responsibility and objectives for, and delegation of authority to, the IS audit function
– Outlining the overall authority, scope and responsibilities of the audit function
• Approval of the audit charter
• Change in the audit charter

How well did you know this?

Not at all

Perfectly

IS Audit Resource Management

Limited number of IS auditors
Maintenance of their technical competence
Assignment of audit staff

How well did you know this?

Not at all

Perfectly

Audit Planning

Short-term planning
Individual Audit Planning
Long-term planning
Understanding of overall environment

How well did you know this?

Not at all

Perfectly

Things to consider in Audit Planning:

Business practices and functions
New control issues
Information systems and technology
Changing technologies
Changing business processes
Enhanced evaluation techniques

How well did you know this?

Not at all

Perfectly

Effect of Laws and Regulations on IS Audit Planning

Regulatory requirements generally describe the: • Establishment
• Organization
• Responsibilities
• Correlation of the regulation to financial, operational and IS audit functions

How well did you know this?

Not at all

Perfectly

Steps to determine compliance with external requirements:

Identify external requirements
Document pertinent laws and regulations
Assess whether management and the IS function have considered the relevant external requirements
Review internal IS department documents that address adherence to applicable laws
Determine adherence to established procedures

How well did you know this?

Not at all

Perfectly

ISACA Code of Professional Ethics

The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of ISACA and/or certification holders.

How well did you know this?

Not at all

Perfectly

Framework for the ISACA IS Auditing Standards:

Standards www.isaca.org/standards
Guidelines www.isaca.org/guidelines
Tools and Techniques

How well did you know this?

Not at all

Perfectly

Objectives of the ISACA IS Audit and Assurance Standards:

Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners
Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics

How well did you know this?

Not at all

Perfectly

ISACA IS Audit and Assurance Standards Framework

How well did you know this?

Not at all

Perfectly

S1 - Audit Charter

Purpose, responsibility, authority and accountability

* Approval

How well did you know this?

Not at all

Perfectly

S2 - Independence

Professional independence

* Organizational independence

The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well- controlled environment and, accordingly, will assess management’s review and testing of the general IT control environment.
Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation.
Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective.In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.

What should the IS auditor do FIRST?
A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.

A. Perform an IT risk assessment.

What should the IS auditor do FIRST?

A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.

A. Perform an IT risk assessment.

An IS auditor is planning to review the security of a financial application for a large company with several locations worldwide. The application system is made up of a web interface, a business logic layer and a database layer. The application is accessed locally through a LAN and remotely through the Internet via a virtual private network (VPN) connection.

The MOST appropriate type of CAATs tool the auditor should use to test security configuration settings for the entire application system is:

A. generalized audit software.
B. test data.
C. utility software.
D. expert system.

C. utility software.

Given that the application is accessed through the Internet, how should the auditor determine whether to perform a detailed review of the firewall rules and virtual private network (VPN) configuration settings?

A. Documented risk analysis
B. Availability of technical expertise
C. Approach used in previous audit
D. IS auditing guidelines and best practices

A. Documented risk analysis

During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:

A. review the authorization on a sample of transactions.
B. immediately report this finding to upper management.
C. request that auditee management review the appropriateness of access rights for all users.
D. use a generalized audit software to check the integrity of the database.

A. review the authorization on a sample of transactions.

An IS auditor has been appointed to carry out IS audits in an entity for a period of 2 years. After accepting the appointment, the IS auditor noted that:
– The entity has an audit charter that detailed, among other things, the scope and responsibilities of the IS audit function and specifies the audit committee as the overseeing body for audit activity.
– The entity is planning a major increase in IT investment, mainly on account of implementation of a new ERP application, integrating business processes across units dispersed geographically. The ERP implementation is expected to become operational within the next 90 days. The servers supporting the business applications are hosted offsite by a third-party service provider.
– The entity has a new incumbent as chief information security officer (CISO), who reports to the chief financial officer (CFO).
– The entity is subject to regulatory compliance requirements that require its management to certify the effectiveness of the internal control system as it relates to financial reporting. The entity has been recording growth at double the industry average consistently over the last two years. However, the entity has seen increased employee turnover as well.

The FIRST priority of the IS auditor in year 1 should be to study the:
A. previous IS audit reports and plan the audit schedule.
B. audit charter and plan the audit schedule.
C. impact of the new incumbent as CISO.
D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.

D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.

The FIRST priority of the IS auditor in year 1 should be to study the:

A. previous IS audit reports and plan the audit schedule.
B. audit charter and plan the audit schedule.
C. impact of the new incumbent as CISO.
D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.

D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.

How should the IS auditor evaluate backup and batch processing within computer operations?

A. Plan and carry out an independent review of computer operations.
B. Rely on the service auditor’s report of the service provider.
C. Study the contract between the entity and the service provider.
D. Compare the service delivery report to the service level agreement.

D. Compare the service delivery report to the service level agreement.

Which of the following establishes the overall authority to perform an IS audit? A. The audit scope, with goals and objectives B. A request from management to perform an audit C. The approved audit charter D. The approved audit schedule

C. The approved audit charter

In performing a risk-based audit, which risk assessment is completed initially by the IS auditor? A. Detection risk assessment B. Control risk assessment C. Inherent risk assessment D. Fraud risk assessment

C. Inherent risk assessment

While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus? A. Business processes B. Critical IT applications C. Operational controls D. Business strategies

A. Business processes

Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed? A. Control risk B. Detection risk C. Inherent risk D. Sampling risk

C. Inherent risk

An IS auditor performing a review of an application’s controls finds a weakness in system software that could materially impact the application. The IS auditor should: A. disregard these control weaknesses, as a system software review is beyond the scope of this review. B. conduct a detailed system software review and report the control weaknesses. C. include in the report a statement that the audit was limited to a review of the application’s controls. D. review the system software controls as relevant and recommend a detailed system software review.

D. review the system software controls as relevant and recommend a detailed system software review.

Which of the following is the MOST important reason why an audit planning process should be reviewed at periodic intervals? A. To plan for deployment of available audit resources B. To consider changes to the risk environment C. To provide inputs for documentation of the audit charter D. To identify the applicable IS audit standards

B. To consider changes to the risk environment

Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units? A. Informal peer reviews B. Facilitated workshops C. Process flow narratives D. Data flow diagrams

B. Facilitated workshops

The FIRST step in planning an audit is to: A. define audit deliverables. B. finalize the audit scope and audit objectives C. gain an understanding of the business’s objectives. D. develop the audit approach or audit strategy.

C. gain an understanding of the business’s objectives.

The approach an IS auditor should use to plan IS audit coverage should be based on: A. risk. B. materiality. C. professional skepticism. D. Sufficiency of audit evidence.

A. risk.

A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a: A. preventive control. B. management control. C. corrective control. D. detective control.

C. corrective control.

While planning an audit, an assessment of risk should be made to provide: A. reasonable assurance that the audit will cover material items. B. definite assurance that material items will be covered during the audit work. C. reasonable assurance that all items will be covered by the audit. D. sufficient assurance that all items will be covered during the audit work.

A. reasonable assurance that the audit will cover material items. The ISACA IS Auditing Guideline G15 on planning the IS audit states, “An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems.” Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

Which of the following sampling methods is MOST useful when testing for compliance? A. Attribute sampling B. Variable sampling C. Stratified mean per unit D. Difference estimation

A. Attribute sampling Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.

Which of the following is the MOST critical step to perform when planning an IS audit? A. Review findings from prior audits. B. Develop plans to conduct a physical security review of the data center facility. C. Review IS security policies and procedures. D. Perform a risk assessment.

D. Perform a risk assessment. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IT Audit and Assurance Standard S11 (Use of Risk Assessment in Audit Planning). In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation. Detection risk (the risk that a material error is not detected by the IS auditor) is increased for the IS auditor if a risk assessment is not conducted. The review of findings from prior audits is a necessary part of the engagement, but this step is not as critical as conducting a risk assessment. A physical security review of the data center facility is important, but not as critical as performing a risk assessment. Reviewing IS security policies and procedures would normally be conducted during fieldwork, not planning.

After reviewing the disaster recovery plan (DRP) of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting? A. Obtaining management approval of the corrective actions B. Confirming factual accuracy of the findings C. Assisting management in the implementation of corrective actions D. Clarifying the scope and limitations of the audit

B. Confirming factual accuracy of the findings The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on corrective action. Management approval of the corrective actions is not required since this is not the role of the auditor. Implementation of corrective actions should be done after the factual accuracy of findings has been established, but the work of implementing corrective action is not typically assigned to the IS auditor since this would impair the auditor’s independence. Clarifying the scope and limitations of the audit should be done during the entrance meeting, not during the exit meeting.