Information Systems Audit Flashcards

Domain 1 - The process of the Auditing Information Systems

1
Q

The ISACA Code of Professional Ethics 1

A

Members and ISACA certification holders shall:

  1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
2
Q

The ISACA Code of Professional Ethics 2

A

Members and ISACA certification holders shall:

  1. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3
Q

The ISACA Code of Professional Ethics 3

A

Members and ISACA certification holders shall:

  1. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4
Q

The ISACA Code of Professional Ethics 4

A

Members and ISACA certification holders shall:

  1. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5
Q

The ISACA Code of Professional Ethics 5

A

Members and ISACA certification holders shall:

  1. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6
Q

The ISACA Code of Professional Ethics 6

A

Members and ISACA certification holders shall:

  1. Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7
Q

The ISACA Code of Professional Ethics 7

A

Members and ISACA certification holders shall:

  1. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
8
Q

Standards

A

Mandatory actions, explicit rules, or controls that are designed to support and conform to a policy. A standard should make a policy more meaningful and effective by including accepted specifications for hardware, software, or behavior. Standards should always point to the policy to which they relate.

Standards articulate what must be followed, and they are typically technology platform agnostic.

9
Q

Procedures

A

Written steps to execute policies through specific, prescribed actions; this is the how in relation to a policy. Procedures tend to be more detailed than policies. They identify the method and state, in a series of steps, exactly how to accomplish an intended task, achieve a desired business or functional outcome, and execute a policy.

A procedure usually is a series of steps to achieve a specific outcome—for example, the particular steps in a company that you have to take to obtain a logon account for a new employee.

If the document is purely procedural steps with a focus on a specific outcome (such as a deliverable), you can treat it as a procedure.

10
Q

Guidelines

A

An outline for a statement of conduct. This is an additional (optional) document in support of policies, standards, and procedures and provides general guidance on what to do in particular circumstances. Guidelines are not requirements to be met but are strongly recommended.

In comparison, a guideline is more of a use case for a standard. A guideline explains how to comply with a standard. Guidelines are optional, intended to give organizations examples of successful implementation of ISACA standards.

11
Q

Baselines

A

Platform-specific rules that are accepted across the industry as providing the most effective approach to a specific implementation.

A baseline applies a set of accepted rules to a specific platform—for example, setting a workstation’s Windows 10 platform to time out after 15 minutes.

For the ISACA exam, remember that if a document is platform specific to implement a specific rule, you can treat it as a baseline.

12
Q

Industry Norm

A

Emerges from the combination of industry guidance documents and regulatory guidance.

13
Q

Benefits of Effectively Adopting Industry Guidance

A
  1. Demonstrating to customers compliance with industry best practices
  2. Demonstrating the ability to adopt lessons learned across the globe
  3. Ensuring that organizations’ products and services meet quality and environmental stewardship expectations
  4. Proving through audits that an organization’s systems operate according to accepted norms, as defined by industry standards
  5. Ensuring that products and services are produced with acceptable consistency
  6. Reacting quickly to emerging events related to technology defects and breaches
14
Q

Important U.S. Industry Guidance

A

COBIT
ISO
NIST
FIPS

15
Q

COBIT

A

Control Objectives for Information and Related Technologies (COBIT) was first published in 1996 as one of the first definitive guides for IS auditors. COBIT has evolved into a globally accepted framework, providing an end-to-end business view of the governance of enterprise IT. COBIT 5 is the latest version and is considered a framework that embodies global thought guidance for information systems audit, assurance, and control functions.

16
Q

ISO

A

International Organization for Standardization (ISO): Since 1987 the ISO has created a series of international standards that define and structure a company’s management systems. These standards are rigorous, and obtaining certification is not easy. While they cover multiple industries, they often are referred to in manufacturing. The standards cover design, manufacturing, production, purchasing, quality control, packaging, handling, storage, shipping, and customer service.

17
Q

NIST

A

National Institute of Standards and Technology (NIST) standards: NIST, a unit of the U.S. Commerce Department, issues a number of technology-related standards. Most notably, in 2014 the U.S. government issued a NIST Cybersecurity Framework. Initially this framework only applied to U.S. government systems, but today the NIST Cybersecurity Framework has been widely adopted by banking and other industries.

18
Q

FIPS

A

Federal Information Processing Standards (FIPS): FIPS is a set of U.S. government standards that describe document processing, encryption algorithms, and related information technology standards for use in nonmilitary U.S. government agencies. Government vendors and contractors who work for government agencies must comply with FIPS.

19
Q

Auditing Compliance with Regulatory Standards Steps

A
  1. Based on the industry and jurisdiction locale in which the organization operates, keep an inventory of laws, rules, and regulations that the organization must adhere to.
  2. Review the specific laws and regulations with which the organization must be compliant.
  3. Determine whether the organization’s policies and procedures and controls reflect these laws and regulations.
  4. Determine whether identified standards and procedures adhere to regulatory requirements.
  5. Determine whether the employees are adhering to specified standards and procedures or whether discrepancies exist.
20
Q

Compliance Tests

A

Used to verify conformity.

What does it mean to verify conformity? It means that the audit verifies that the proper controls are in place to ensure compliance with a specific standard. The compliance test, in essence, makes sure the control exists.

21
Q

Substantive Tests

A

Used to verify the integrity of claims.

What does the integrity of claims mean? It means the controls are actually working. So compliance tests ensure that controls are in place, and substantive tests ensure that controls are working.

22
Q

Basic Types of Audits

A

Financial Audit
Integrated Audit
Operational Audit

23
Q

Financial Audit

A

A financial audit is an audit of financial statements and processes. An IS auditor is typically not involved in a purely financial audit.

24
Q

Integrated Audit

A

When a financial audit’s scope includes the underlying technology, such as application and network infrastructure, the IS auditor joins the assessment. This type of audit, which covers both non-technology (such as financial) controls and technology controls, is referred to as an integrated audit. One of the major advantages of an integrated audit is that the business is audited only once rather than twice (for example, once for financials and once for technology).

25
Q

Operational Audit

A

An operational audit assesses how well the business operations are managed. This includes reviewing the organization’s policies, key processes, controls, and operating environment. An example of an operations IS audit is an assessment of data center operations.

26
Q

Audit Program

A

The collection of an organization’s individual audits, taken together.

Each audit program has a specific objective, scope, and predetermined methodology.

27
Q

Compliance Audit

A

A comprehensive review of an organization’s adherence to regulatory guidelines.