Domain 1- Risk Management Flashcards

1
Q

Audit Plan

A

Detailed Risk Assessment

2
Q

continuous audit approach

A

Continuous audit allows audit and response to audit issues in a timely manner because audit findings are gathered in near real time. Responsibility for enforcement and monitoring of controls is primarily the responsibility of management.

3
Q

risk-based audit strategy

A

In developing a risk-based audit strategy, it is critical that the risk and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.

4
Q

IS audit charter

A

ole of the IS audit function.

5
Q

emerging risk

A

The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.

6
Q

computer-assisted audit techniques (CAATs)

A

Using software tools such as computer-assisted audit techniques (CAATs) to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results.

7
Q

Risk Analysis Process

A
  1. Identify threats
  2. Potential impacts, including assets and systems
  3. Existing controls

8
Q

Control self-assessment (CSA)

A

Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review at a later date.

9
Q

Project management

A

Audits often involve resource management, deliverables, scheduling and deadlines similar to project management good practices.

10
Q

validity check

A

A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used.

11
Q

complying with privacy requirements

A

To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.

12
Q

source code comparison

A

When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify the changes.

13
Q

Trend/variance detection tools

A

Trend/variance detection tools look for anomalies in user or system behavior, such as invoices with increasing invoice numbers.

14
Q

Heuristic scanning tools

A

Heuristic scanning tools are a type of virus scanning used to indicate possible infected traffic.

15
Q

lower confidence coefficient

A

will enable the use of a smaller sample size.

16
Q

risk-based audit approach

A

In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. In order to plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix.

17
Q

Integrated test facility (ITF)

A

An integrated test facility (ITF) is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls.

18
Q

sampling

A

A. Stop-or-go is a sampling method that helps limit the size of a sample and allows the test to be stopped at the earliest possible moment.

B. Classical variable sampling is associated with dollar amounts and has a sample based on a representative sample of the population but is not focused on fraud.

C. Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.

D. Probability-proportional-to-size sampling is typically associated with cluster sampling when there are groups within a sample. The question does not indicate that an IS auditor is searching for a threshold of fraud.

19
Q

Applicable statutory requirements

A

A. The effect of applicable statutory requirements must be factored in while planning an IS audit—the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutory requirements.

20
Q

Types of testing

A

A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

B. Compliance testing is evidence gathering for the purpose of testing an enterprise’s compliance with control procedures. This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data or other information.

C. Analytical testing evaluates the relationship of two sets of data and discerns inconsistencies in the relationship.

D. Control testing is the same as compliance testing.

21
Q

statistical sampling and not judgmental (nonstatistical) sampling, when:

A

Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient).

22
Q

Generalized audit software

A

Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.

23
Q

corrective control

A

identifies an issue and then corrects it.

24
Q

risk-based audit plan

A

Developing a risk-based audit plan must start with the identification of key business processes, which will determine and identify the risk that needs to be addressed.

25
Q

Professional standards from ISACA, The Institute of Internal Auditors (IIA) and the International Federation of Accountants (IFAC)

A

require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.

26
Q

observations and interviews

A

By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IT staff, the auditor can get an overview of the tasks performed.

27
Q

Vulnerability

A

lack of adequate control.