Information Systems Auditing - Planning 2 Flashcards
True/False
Generation of an activity log is a control by itself.
FALSE
Generation of an activity log is NOT a control by itself.
It is the review of such a log that makes the activity a control (i.e., generation plus review equals control).
WHAT is a BENEFIT of conducting a control self-assessment (CSA) over a traditional audit?
THE detection of risk sooner
WHY? - (1) CSAs require employees to assess the control stature of their own function;
(2) they help to increase the understanding of business risk and internal controls
(3) CSAs are conducted more frequently than audits, which helps identify risk in a more timely manner
WHAT audit technique would best assist an IS auditor in evaluating an organization’s manual review process?
A Walkthrough
WHY? - Because this procedure usually includes a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls
WHAT would an IS auditor most likely review to ensure a bank’s financial risk is properly addressed?
Their Fraud Monitoring Controls
e.g., wire transfer procedures include segregation-of-duties controls, which help prevent internal fraud by not allowing one person to initiate, approve and send a wire
WHAT is a PRIMARY benefit of continuous auditing?
That fraud can be detected more quickly
i.e. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence
What is a primary objective of the audit initiation meeting with an IS audit client?
To discuss the scope of the audit
i.e. the primary objective of the initiation meeting with the client is to define the scope of the audit
WHAT is the primary purpose of the IS audit charter?
To outline the responsibility and authority of the IS audit function
i.e. The charter document grants authority to the audit function on behalf of the board of directors and organization stakeholders
WHAT is most important for an IS auditor to understand when auditing an e-commerce environment?
The nature and criticality of the business process supported by the application
i.e. It is important for the IS auditor to understand the nature and criticality of the business process supported by the e-commerce application to identify specific controls to review
WHAT should the IS auditor do first when performing a risk analysis?
Identify the organization’s information assets
i.e. The first step of the risk assessment process is to identify the systems and processes that support the business objectives
WHY? - Because risk to those processes impacts the achievement of business goals
What audit technique would best help an IS auditor to effectively detect transposition and transcription errors?
Check digit
i.e. this is a numeric value that has been calculated mathematically and is added to data to ensure that original data have not been altered or that an incorrect
WHAT is the main purpose of an annual IS audit plan?
To allocate resources for audits
WHY? - Because IS audit assignments need to be accomplished with limited time and human resources
WHAT is the primary objective of a risk-based audit?
THAT material areas are addressed first
WHY? - Because material risk is audited according to the risk ranking; this enables the audit team to concentrate on high-risk areas first
What is a major concern for an IS auditor reviewing application controls?
To evaluate the impact of any exposures discovered
WHY? - Because an application controls review involves the evaluation of the application’s automated controls and an assessment of any exposures resulting from control weaknesses
How would an IS audit team evaluate the potential impact of financial losses that could result from a risk?
By applying a qualitative approach
i.e. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach
True or False.
The output of a risk management process is an input for making a business plan.
FALSE.
The output of a risk management process is an input for making a security policy decision
i.e. The risk management process is about making specific, security-related decisions, such as the level of acceptable risk