Information System Auditing - Planning Flashcards

1
Q

What would be considered a “MOST” critical step in planning an Information Systems (IS) Audit?

A

Identification of the areas of significant risk

Note: It is important to identify the areas of highest risk (which will determine the areas to be audited)

2
Q

What should an IS Auditor do when they find that documented security procedures do NOT exist?

A

Identify and evaluate existing practices

Note: One main objective of an audit is to identify potential risk - the most proactive approach is to identify and evaluate existing security practices being followed

3
Q

What would be considered a “PRIMARY” motive in deciding whether or NOT to hire an IT employee for a long-term IS audit position?

A

An ability as an IS auditor to be independent of existing IT relationships

4
Q

What is the FIRST activity to be performed when developing a risk management program?

A

Completing an inventory of assets

i.e. identifying the assets to be protected is the first step in risk management program development

5
Q

WHAT is the purpose of a “checksum” on an amount field in an electronic data interchange (EDI) communication for a financial transaction?

A

Integrity

i.e. The “checksum” function can be used to identify unauthorized modifications

6
Q

What control should be implemented into an electronic data interchange (EDI) interface for efficient data mapping?

A

Functional Acknowledgement

WHY? - Because this acts as an audit trail for the EDI interface and is used as one of the main controls in data mapping

7
Q

What is the best way to ensure payroll data accuracy for a company that uses a bank for weekly payroll?

A

Comparing input forms to payroll reports

i.e. payroll reports should be compared to input forms

WHY? - Because this helps verify the data input (input forms) with the results of the payroll reports

This is the best way to confirm data accuracy when input is provided by the organization and output is generated by the bank

8
Q

What is a key dependent of control self-assessment (CSA)?

A

Line managers assuming a portion of the responsibility for control monitoring

WHY? - Because the primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers

9
Q

WHO should make the final decision to include a material finding in an audit report?

A

THE IS Auditor

WHY? - Because the IS Auditor should make all final decisions on what to include (or exclude) from the report

10
Q

What is the risk if the IS Auditor observes the electronic work papers were not encrypted?

A

Confidentiality of the work papers

Encryption provides confidentiality for the electronic work papers

11
Q

WHAT should the IS Auditor confirm “First” when performing an audit of the risk assessment process?

A

Assets have been identified and ranked.

i.e. Identifying and ranking of information assets (e.g. data criticality, sensitivity, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset.

12
Q

What should be specified in the IS audit charter?

A

THE role of the IS audit function

WHY? - Because the IS audit charter establishes the role of the information systems audit function - and describes the overall authority, scope and responsibilities of the audit function.

13
Q

WHAT would be considered a “Key Benefit” of a Control Self-Assessment (CSA)?

A

That management ownership of the internal controls supporting business objectives is reinforced

WHY? - Because the objective of CSA is to have business management become more aware of the importance of internal control and their responsibility

14
Q

What is a main concern of an IS auditor when reviewing the quality assurance (QA) function in an organization and who they report to?

A

The effectiveness of the QA function because it should interact between project and user management

WHY? - Because to be effective, the QA function should be independent of project management. If not, project management may put pressure on the QA function to approve an inadequate product

15
Q

What is an initial step when an IS auditor is reviewing a software application that has service-oriented architecture?

A

To gain an understanding of the services and their allocation to business processes - by reviewing the service repository documentation

i.e. it is essential for the IS auditor to comprehend the mapping of business processes to services before reviewing services in detail

16
Q

What would compromise the independence of an IS auditor when reviewing the risk management process?

A

Participating in the design of the risk management framework

WHY? - Because this involves designing controls which would compromise the independence of the IS auditor to audit the risk management process

17
Q

WHAT would be considered a “preventive” control by an IS auditor performing an audit?

A

Table lookups

WHY? - Because input data is checked against predefined tables, which prevents undefined data from being entered

18
Q

Which of the following audit techniques is most appropriate for addressing emerging risk (involving large volumes of transactions)?

A

Continuous auditing

WHY? - Because continuous auditing enables a real-time feed of information to management through automated reporting processes - helping management implement corrective action plans more quickly

19
Q

WHAT should an IS auditor do after identifying a business process to be audited?

A

Identify the control objectives and activities

i.e. the IS auditor should identify the control objectives and activities with the business process that should be validated in the audit

20
Q

What would be considered a FIRST step in the planning phase of an IS audit?

A

Development of a risk assessment

WHY? - Because the risk assessment performed will help determine how internal audit resources should be allocated to ensure that all material items will be addressed.