Information Systems Auditing - Planning 2 Flashcards

1
Q

True/False

Generation of an activity log is a control by itself.

A

FALSE

Generation of an activity log is NOT a control by itself.

It is the review of such a log that makes the activity a control (i.e., generation plus review equals control)

2
Q

WHAT is a BENEFIT of conducting a control self-assessment (CSA) over a traditional audit?

A

THE detection of risk sooner

WHY? -
(1) CSAs require employees to assess the control stature of their own function;
(2) they help to increase the understanding of business risk and internal controls;
(3) CSAs are conducted more frequently than audits, which helps to identify risk in a timelier manner

3
Q

WHAT audit technique would best assist an IS auditor in evaluating an organization’s manual review process?

A

A Walkthrough

WHY? - Because this procedure usually includes a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls

4
Q

WHAT would an IS auditor most likely review to ensure a bank’s financial risk is properly addressed?

A

Their Fraud Monitoring Controls

i.e. wire transfer procedures, for example, include segregation of duties controls, which help prevent internal fraud by not allowing one person to initiate, approve and send a wire

5
Q

WHAT is a PRIMARY benefit of continuous auditing?

A

That fraud can be detected more quickly

i.e. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence

6
Q

What is a primary objective of the audit initiation meeting with an IS audit client?

A

To discuss the scope of the audit

i.e. the primary objective of the initiation meeting with the client is to define the scope of the audit

7
Q

WHAT is the primary purpose of the IS audit charter?

A

To outline the responsibility and authority of the IS audit function

i.e. The charter document grants authority to the audit function on behalf of the board of directors and organization stakeholders

8
Q

WHAT is most important for an IS auditor to understand when auditing an e-commerce environment?

A

The nature and criticality of the business process supported by the application

i.e. It is important for the IS auditor to understand the nature and criticality of the business process supported by the e-commerce application to identify specific controls to review

9
Q

WHAT should the IS auditor do first when performing a risk analysis?

A

Identify the organization’s information assets

i.e. The first step of the risk assessment process is to identify the systems and processes that support the business objectives

WHY? - Because risk to those processes impacts the achievement of business goals

10
Q

What audit technique would best help an IS auditor to effectively detect transposition and transcription errors?

A

Check digit

i.e. this is a numeric value that has been calculated mathematically and is added to data to ensure that original data have not been altered or that an incorrect

11
Q

WHAT is the main purpose of an annual IS audit plan?

A

To allocate resources for audits

WHY? - Because IS audit assignments need to be accomplished with limited time and human resources

12
Q

WHAT is the primary objective of a risk-based audit?

A

THAT Material areas are addressed first

WHY? - Because material risk is audited according to the risk ranking; this enables the audit team to concentrate on high-risk areas first

13
Q

What is a major concern for an IS Auditor reviewing application controls?

A

To evaluate the impact of any exposures discovered

WHY? - Because an application controls review involves the evaluation of the application’s automated controls and an assessment of any exposures resulting from the control weaknesses

14
Q

How would an IS audit team evaluate the potential impact of financial losses that could result from a risk?

A

By applying a qualitative approach

i.e. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach

15
Q

True or False.

The output of a risk management process is an input for making a business plan.

A

FALSE.

The output of a risk management process is an input for making a security policy decision

i.e. The risk management process is about making specific, security-related decisions, such as the level of acceptable risk

16
Q

WHICH member of an organization is responsible for the approval of an information security policy?

A

The Board of directors

Note: This is usually the responsibility of top management or the board of directors

17
Q

WHAT area would benefit most from the involvement of senior management?

A

The development of strategic plans

i.e. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives

18
Q

During what phase in system development would user acceptance test plans be prepared?

A

Requirements definition

i.e. the project team will be working with the users to define their precise objectives and functional needs