Domain 1: The Process of Auditing Information Systems - PART 1 A

Question 1

An appropriate control for ensuring the AUTHENTICITY of orders received in an electronic data interchange system application is to:

Answer 1

VERIFY the identity of senders and determine if orders correspond to contract terms.

Question 2

As part of audit planning, an IS auditor is designing various data validation tests to effectively detect transposition and transcription errors. Which of the following will BEST help in detecting these errors?

Answer 2

Check digit

Question 3

An AUDIT CHARTER should (3):

Answer 3

OUTLINE the overall (1) authority, (2) scope and (3) responsibilities of the audit FUNCTION.

Question 4

A centralized antivirus system DETERMINES whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:

Answer 4

CORRECTIVE control.

Question 5

A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following CONTROLS should be implemented in the EDI interface to provide for efficient data mapping?

Answer 5

Functional ACKNOWLEDGEMENTS

Question 6

Due to unexpected resource constraints of the IS audit team, the AUDIT PLAN, as originally approved, cannot be completed. Assuming the situation is communicated in the audit report, which course of action is MOST acceptable?

Answer 6

FOCUS on auditing high-RISK areas.

Question 7

During a compliance audit of a small bank, the IS auditor notes that BOTH the IT and accounting FUNCTIONS are being performed by the same user of the financial system. Which of the following reviews conducted by the user’s supervisor would represent the BEST compensating control?

Answer 7

Examine computer LOG files that show INDIVIDUAL transactions.

Question 8

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:

Answer 8

Elaborate on the significance of the finding and the risk of not correcting it.

Question 9

During a risk analysis, an IS auditor identifies threats and potential impacts. Next, the IS auditor should:

Answer 9

Identify and evaluate the existing controls.

Question 10

During a security audit of IT processes, an IS auditor FOUND that documented security procedures did NOT EXIST. The IS auditor should:

Answer 10

IDENTIFY and EVALUATE existing practices.

Question 11

During the PLANNING stage of an IS audit, the PRIMARY goal of an IS auditor is to:

Answer 11

Address audit OBJECTIVES

Question 12

The EXTENT to which data will be collected during an IS audit should be determined based on the:

Answer 12

PURPOSE and scope of the audit being done.

Question 13

An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:

Answer 13

DISCLOSE the issue to the client.

Question 14

An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and RECOMMENDING a SPECIFIC vendor product to address this vulnerability. The IS auditor has failed to exercise:

Answer 14

Professional INDEPENDENCE.

Question 15

The FINAL decision to include a material finding in an audit REPORT should be made by the:

Answer 15

IS auditor

Question 16

A financial institution with multiple branch offices has an AUTOMATED control that requires the branch manager to APROVE transactions more than a certain amount. What type of audit control is this?

Answer 16

Preventive

Question 17

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing EMERGING risk?

Answer 17

CONTINUOUS auditing

Question 18

In a small organization, the FUNCTION of release manager and application programmer are performed by the SAME employee. What is the BEST compensating CONTROL in this scenario?

Answer 18

VERIFY that only approved program changes are implemented

Question 19

In PLANNING an IS audit, the MOST critical STEP is:

Answer 19

The IDENTIFICATION of the areas of SIGNIFICANT risk.

Question 20

The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?

Answer 20

Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.

Question 21

An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?

Answer 21

Development of a risk assessment

Question 22

An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:

Answer 22

Evaluate the impact of the undocumented devices on the audit scope.

Question 23

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:

Answer 23

Control objectives and activities.

Question 24

An IS auditor is developing an audit plan for an environment that includes new systems. The organization’s management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

Answer 24

Determine the highest-risk systems and plan accordingly.

Question 25

An IS auditor is reviewing a project risk assessment and notices that the overall residual risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of unauthorized users the project may affect?

Answer 25

Inherent risk

Question 26

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step?

Answer 26

Understanding services and their allocation to business processes by reviewing the service repository documentation.

Question 27

An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank’s financial risk is properly addressed, the IS auditor will most likely review which of the following?

Answer 27

Wire transfer procedures

Question 28

An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is:

Answer 28

Not an adequate control.

Question 29

An IS auditor performing an audit of the risk assessment process should FIRST confirm that:

Answer 29

Assets have been identified and ranked

Question 30

An IS auditor performing a review of application controls would evaluate the:

Answer 30

Impact of any exposures discovered.

Question 31

An IS auditor reviewing the process of log monitoring wants to evaluate the organization’s manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?

Answer 31

Walk-through

Question 32

An IS auditor should ensure that review of online electronic funds transfer reconciliation procedures should include:

Answer 32

Tracing.

Question 33

An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:

Answer 33

Authentication techniques for sending and receiving messages.

Question 34

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual’s experience and:

Answer 34

Ability, as an IS auditor, to be independent of existing IT relationships.

Question 35

The MAIN purpose of the annual IS audit plan is to:

Answer 35

Allocate resources for audits.

Question 36

The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:

Answer 36

Substantive testing.

Question 37

The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:

Answer 37

Provide a basis for drawing reasonable conclusions.

Question 38

An organization’s IS AUDIT CHARTER should specify the:

Answer 38

ROLE of the IS audit FUNCTION

Question 39

An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks and reports for distribution. To BEST ensure payroll data accuracy:

Answer 39

Payroll reports should be COMPARED to input forms.

Question 40

A PRIMARY benefit derived for an organization employing control self- assessment (CSA) techniques is that it:

Answer 40

Can IDENTIFY high-RISK areas that might need a detailed review later.

Question 41

The PRIMARY objective of the audit INITIATION meeting with an IS audit client is to:

Answer 41

discuss the SCOPE of the audit.

Question 42

The PRIMARY purpose of an IT FORENSIC audit is:

Answer 42

the systematic COLLECTION and analysis of EVIDENCE after a system irregularity.

Question 43

The PRIMARY purpose of the IS audit charter is to:

Answer 43

outline the RESPONSIBILITY and AUTHORITY of the IS audit function.

Question 44

The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to:

Answer 44

UNDERSTAND the business PROCESS.

Question 45

The PURPOSE of a CHECKSUM on an amount field in an electronic data interchange communication of financial transactions is to ensure:

Answer 45

INTEGRITY.

Question 46

The success of control self-assessment (CSA) DEPENDS highly on:

Answer 46

line managers assuming a portion of the responsibility for control monitoring.

Question 47

A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern?

Answer 47

The work may be construed as a self-audit.

Question 48

To ensure that audit resources deliver the best value to the organization, the FIRST step in an audit project is to:

Answer 48

develop the audit PLAN on the basis of a detailed RISK assessment.

Question 49

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?

Answer 49

It detects risk sooner.

Question 50

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

Answer 50

vulnerabilities and threats are identified.

Question 51

When developing a risk management program, what is the FIRST activity to be performed?

Answer 51

Inventory of assets

Question 52

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?

Answer 52

The point at which controls are exercised as data flow through the system

Question 53

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:

Answer 53

improper transaction authorization.

Question 54

When performing a risk analysis, the IS auditor should FIRST:

Answer 54

IDENTIFY the organization’s information ASSETS.

Question 55

Which of the following choices would be the BEST source of information when developing a risk-based audit plan?

Answer 55

Senior management identify key business processes.

Question 56

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

Answer 56

Compensating controls

Question 57

Which of the following does a lack of adequate controls represent?

Answer 57

A vulnerability

Question 58

Which of the following is an attribute of the control self- assessment approach?

Answer 58

Broad stakeholder involvement

Question 59

Which of the following is evaluated as a preventive control by an IS auditor performing an audit?

Answer 59

Table lookups

Question 60

Which of the following is in the BEST position to approve changes to the audit charter?

Answer 60

Audit committee

Question 61

Which of the following is MOST important for an IS auditor to understand when auditing an e- commerce environment?

Answer 61

The nature and criticality of the business process supported by the application

Question 62

Which of the following is MOST important to ensure that effective application controls are maintained?

Answer 62

Control self- assessment

Question 63

Which of the following is MOST likely be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation?

Answer 63

Designing the cybersecurity controls

Question 64

Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?

Answer 64

Understand the business, its operating model and key processes.

Question 65

Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?

Answer 65

Define the audit universe.

Question 66

Which of the following is the key benefit of a control self- assessment?

Answer 66

Management ownership of the internal controls supporting business objectives is reinforced.

Question 67

Which of the following is the MAIN reason to perform a risk assessment in the planning phase of an IS audit?

Answer 67

To provide reasonable assurance material items will be addressed

Question 68

Which of the following is the MOST critical step when planning an IS audit?

Answer 68

Perform a risk assessment.

Question 69

Which of the following is the PRIMARY purpose of a risk-based audit?

Answer 69

Material areas are addressed first.

Question 70

Which of the following is the PRIMARY requirement for reporting IS audit results? The report is:

Answer 70

Backed by sufficient and appropriate audit evidence.

Question 71

Which of the following represents an example of a preventive control with respect to IT personnel?

Answer 71

Implementation of a badge entry system for the IT facility

Question 72

Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment?

Answer 72

Lack of transaction authorizations

Question 73

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?

Answer 73

Participating in the design of the risk management framework

Question 74

Which of the following situations could impair the independence of an IS auditor? The IS auditor:

Answer 74

Implemented specific functionality during the development of an application

Question 75

Which of the following would be expected to approve the audit charter?

Answer 75

Audit committee

Question 76

Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program?

Answer 76

Important business risk may be overlooked

Question 77

While performing an audit of an accounting application’s internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:

Answer 77

Continue to test the accounting application controls and include the deficiency in the final report.

Question 78

While planning an IS audit, an assessment of risk should be made to provide:

Answer 78

Reasonable assurance that the audit will cover material items.

Question 79

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:

Answer 79

Confidentiality of the work papers.

Question 80

Why does an audit manager review the staff’s audit papers, even when the IS auditors have many years of experience?

Answer 80

Professional standards