ISACA ITAF (Performance Standards/Guidelines) Flashcards

1
Q

Standards: Risk Assessment in Planning (1201)

A
1) The IT audit and assurance function shall use an appropriate risk assessment approach (i.e., data-driven with both quantitative and qualitative factors) and supporting methodology to develop the overall IT audit plan and determine priorities for the effective allocation of IT audit resources.
2) IT audit and assurance practitioners shall identify and assess risk relevant to the area under review when planning individual engagements.
3) IT audit and assurance practitioners shall consider subject matter risk, audit risk and related exposure to the enterprise when planning audit engagements.
2
Q

Guidelines: Risk Assessment in Planning (1201) - What is the goal of risk assessment?

A

The goal of risk assessment is to identify the parts of an activity that should receive more audit focus and to reduce the risk of reaching an incorrect conclusion.

AT MINIMUM, the risk assessment should include an analysis of risk related to:

(1) System availability
(2) Data integrity
(3) Business information confidentiality

3
Q

Guidelines: Risk Assessment in Planning (1201) - What are the outcomes of performing a risk assessment?

A
  • Auditors develop an IT audit schedule (the framework for IT audit activities) as a result of the risk assessment.
  • Risk assessments are used to quantify and justify the amount of IT audit resources needed to complete the IT audit plan and to meet the requirements for the audit engagement.
  • Used to inform the auditor’s decisions in what areas/business functions should be audited, the amount of time/resources to be allocated to the audit, and the nature/timing/extent of audit procedures.
  • May also help identify which areas/items of interest may warrant Continuous Monitoring by management and Continuous Auditing by practitioners.
  • Helps auditors develop an audit plan that considers both non-IT and IT audit and assurance requirements/activities, as well as addresses the responsibilities set by the audit charter.
4
Q

Guidelines: Risk Assessment in Planning (1201) - What must an auditor consider when selecting the most appropriate risk assessment methodology?

A

To determine the most appropriate risk assessment methodology, practitioners should consider:

 Type of information required to be collected. Some systems use financial effects as the only measure, which is not always appropriate for IT audit engagements.

 Cost of software or other licenses required to use the methodology

 Extent to which the information required is already available

 Amount of additional information required to be collected before reliable output can be obtained, and the cost of collecting the information (including the required time investment in the collection exercise)

 Opinions of other users of the methodology, and their views of how well it has assisted them in improving the efficiency and/or effectiveness of their audits

 Willingness of those charged with governance of the IT audit area to accept the methodology as the means of determining the type and level of audit work carried out

5
Q

Guidelines: Risk Assessment in Planning (1201) -

Auditors should recognize that the ____ the materiality threshold is, the ____ precise the audit expectations will be, and the ____ the audit risk.

A

Auditors should recognize that the lower the materiality threshold is, the more precise the audit expectations will be, and the greater the audit risk.

6
Q

Guidelines: Risk Assessment in Planning (1201) - To gain additional assurance in instances of high audit risk/low materiality threshold, what must an auditor do?

A

To gain additional assurance in instances of high audit risk or lower materiality threshold, practitioners should compensate either by (1) extending the scope or nature of the IT audit tests or by (2) increasing or extending the substantive testing.

7
Q

Guidelines: Risk Assessment in Planning (1201) - Auditors should assess the Control Risk as high unless what is present?

A

Auditors should assess the control risk as high unless relevant internal controls are:

(1) identified
(2) validated via testing (i.e. comparison of performance to design) and proved to be operating effectively

8
Q

Guidelines: Risk Assessment in Planning (1201) - Pervasive IT Controls vs. Detailed IT Controls vs. General Controls

A

(1) Pervasive IT Controls: A subset of general controls; they are the general controls that focus on the management and monitoring of the IT environment and therefore affect all IT-related activities. They affect the reliability of both Application Controls (controls built into the business process systems) and Detailed IT Controls.

Weak Pervasive IT Controls should alert auditors to a high risk that controls designed to operate at a detailed level may be ineffective.

(2) Detailed IT Controls: Comprised of Application Controls plus the General Controls not included in Pervasive IT Controls. These are controls over the acquisition, implementation, delivery, and support of IS systems and services, and they relate to the governance and management of information and technology.

(3) General Computer Controls ("General Controls"): Controls other than Application Controls that relate to the environment within which computer-based application systems are developed, maintained, and operated, and which are therefore applicable to ALL applications.

The objectives of General Controls are to (1) ensure the proper development and implementation of applications, (2) ensure the integrity of program and data files, and (3) ensure the integrity of computer operations.

Examples: implementation of an IS strategy, an IS security policy, organization of IS staff to separate conflicting duties, and planning for disaster prevention and recovery (DRP).

9
Q

Guidelines: Risk Assessment in Planning (1201) - In determining the level of substantive testing required, what should auditors consider?

A

In determining the level of substantive testing required, practitioners should consider:

 Assessment of inherent risk

 Conclusions on control risk following compliance testing

(The higher the assessment of inherent and control risk, the more audit evidence auditors normally should obtain from the performance of substantive audit procedures.)

10
Q

Standards: Audit Scheduling (1202)

A
1) The IT audit and assurance function shall establish an overall strategic plan resulting in short-term and long-term audit schedules. Short-term planning consists of audits to be performed within the year, while long-term planning is comprised of audits based on risk-related matters within the enterprise’s information and technology (I&T) environment that may be performed in the future.
2) Both short-term and long-term audit schedules should be agreed upon with those charged with governance and oversight (e.g., audit committee) and communicated within the enterprise.
3) The IT audit and assurance function shall modify its short-term and/or long-term audit schedules to be responsive to organizational needs (i.e., unexpected events or unplanned initiatives). Any audit displaced to accommodate an audit of an unexpected event or unplanned initiative should be reassigned to a future period.
11
Q

Standards: Audit Planning (1203)

A

1203.1) IT audit and assurance practitioners shall plan each IT audit and assurance engagement to address the nature, timing and extent of audit procedures to be performed. The plan should include:

 Areas to be audited
 Objectives
 Scope
 Resources (e.g., staff, tools and budget) and schedule dates
 Timeline and deliverables
 Compliance with applicable laws/regulations and professional auditing standards
 Use of a risk-based approach for engagements that are not related to legal or regulatory compliance
 Engagement-specific issues
 Documentation and reporting requirements
 Use of relevant technology and data analysis techniques
 Consideration of the cost of the engagement relative to the potential benefits
 Communication and escalation protocols for situations that may arise during the performance of an IT audit engagement (e.g., scope limitations or unavailability of key personnel)

During fieldwork, it may become necessary to modify audit procedures created during planning as the engagement progresses.

1203.2) IT audit and assurance practitioners shall develop and document an IT audit and assurance engagement program (AUDIT PROGRAM) that describes the step-by-step procedures and instructions to be used to complete the audit.

12
Q

Guidelines: Audit Planning (1203)

Auditor assessment of materiality.

A

During the planning process, practitioners should establish levels of planning materiality such that the audit work will be sufficient to meet the audit objectives and will use audit resources efficiently.

For example, in the review of an existing system, practitioners should evaluate materiality of the various components of the system in planning the audit engagement for the work to be performed. Both qualitative and quantitative aspects should be considered in determining materiality.

Definition - Materiality: An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole.

Risk assessments help provide reasonable assurance that all material items will be adequately covered during the engagement. Audit strategies, materiality levels, and resource requirements can then be developed.

13
Q

Guidelines: Performance and Supervision (1204)

Communication of Findings to Auditee

A

After documenting work performed and identifying findings, the next step is performed:

Confirming findings and following up on corrective actions: Practitioners should confirm their findings with the auditee. Should the auditee perform corrective actions on the findings before the end of the audit engagement, practitioners should include the actions taken in the documentation (and conclusion) but also mention the original findings.

Referred to as “Clearing the findings”

Only then are conclusions drawn and the reporting process is initiated.

14
Q

Guidelines: Performance and Supervision (1204)

What factors are used to assess evidence “reliability”?

A

Practitioners should consider reliability of audit evidence (i.e., (1) independence of the provider of the evidence, (2) qualifications of the provider of the information, (3) objectivity of the evidence, and (4) timing of the evidence).

15
Q

Guidelines: Performance and Supervision (1204)

What should the auditor do when deviations from expectations are identified during testing?

A

If deviations from expectations are identified, practitioners should ask management about the reasons for the differences.

If management’s explanations are adequate, based on practitioners’ professional judgment, practitioners should modify their expectations and reanalyze the evidence and information.

Significant deviations the auditee does not adequately explain should result in audit findings and be communicated to executive management or those charged with governance and oversight of the audit function.

Depending on the circumstances, practitioners may recommend appropriate actions to take (sometimes referred to as “quality improvement program”).

16
Q

Guidelines: Performance and Supervision (1204)

Who controls the audit engagement “work papers”?

Who approves access to “work papers” (other than to the auditors who performed the work)?

A

IT audit and assurance management controls the audit engagement work papers and provides access to authorized personnel.

Access requests to audit engagement work papers by external auditors should be approved by executive management and those charged with governance.

Access requests by external parties, other than external auditors, should be approved by executive management and those charged with governance and oversight of the audit function, with the advice of legal counsel.

17
Q

Guidelines: Evidence (1205)

What are types of evidence that an auditor should consider?

A

The various types of evidence that practitioners should consider using include:

 Observed processes and existence of physical items (observations of activities, property, and IT functions)

 Documentary evidence (Policies, procedures, data extractions, transaction records, program listings, external confirmation from 3rd parties, etc.)

 Representations (written/oral statements by management about controls/plans for a new system implementation, etc.)

 Analysis (Comparisons, simulations, calculations, and reasoning) Examples include: Benchmarking IT performance against other enterprises/past periods, Comparison of error rates between applications/transactions/users, Re-performance of processes/controls.

18
Q

Guidelines: Evidence (1205)

Procedures used by the auditor to gather evidence (and essentially evaluate/test the evidence)?

A

Evidence can either be gathered through manual audit procedures, computer-assisted audit techniques (CAATs), or a combination of both.

Procedures include:

(1) Inquiry/confirmation (written and oral inquiries)
(2) Observation
(3) Inspection
(4) Analytical Procedures (examining possible relationships between the data or between the data and other relevant information - i.e. examining fluctuations, trends, and inconsistent relationships)
(5) Recalculation/computation (either manually or through use of CAATs)
(6) Reperformance (INDEPENDENT reperformance of procedures/controls)
(7) Other generally accepted methods - i.e. engaging in social engineering, acting as a mystery guest, conducting ethical intrusion testing

19
Q

Guidelines: Evidence (1205)

Considerations for the provider of evidence?

A

When gathering evidence, practitioners should consider the independence and qualifications of the entity providing the evidence.

For example, corroborative audit evidence from an independent third party can be more reliable than audit evidence obtained from the enterprise being audited.

Physical audit evidence is generally more reliable than the representations of an individual.

20
Q

Guidelines: Evidence (1205)

How is the reliability of evidence ranked by the procedure used to obtain it, in order from least reliable to most reliable?

A

In general, the reliability of evidence is ranked from low to high based on the procedures used to obtain the evidence, as follows:

 Inquiry and confirmation
 Observation
 Inspection
 Analytical procedures
 Recalculation or computation
 Re-performance
21
Q

Guidelines: Evidence (1205)

When is evidence reliability generally greater (i.e. format of evidence, source, etc.)?

A

Evidence reliability is generally greater when it is:

 In written form, rather than obtained from oral representations
 Obtained directly by the practitioners rather than indirectly by the entity being audited
 Obtained from independent sources
 Certified by an independent party
 Maintained by an independent party

22
Q

Guidelines: Evidence (1205)

The SEC requires financial auditors to retain certain records for what period of time?

A

For enterprises subject to U.S. Securities and Exchange Commission (SEC) requirements, financial auditors must retain certain records for a period of seven years from conclusion of the audit or review.

23
Q

Guidelines: Irregularities and Illegal Acts (1207)

ISACA definition of “Fraud”?

What are examples of fraud and the difference between fraudulent and nonfraudulent irregularities?

A

Fraud: any act involving the use of deception to obtain illegal advantage

Examples include:

  • misappropriation or misuse of company resources/funds/assets
  • intentionally reporting inaccurate financial results
  • making or altering documents or computer files with the intent to defraud
  • pursuit of a benefit or advantage in violation of company policy
  • authorizing or receiving compensation for goods not received or services not performed
  • authorizing or receiving compensation for hours not worked
  • destruction or disappearance of records/funds/assets
  • any similar or related irregularity

Important: There is a difference between fraudulent and nonfraudulent irregularities:

  • Fraudulent irregularities: Deliberate circumvention of controls with the intent to conceal the perpetration of fraud; unauthorized use of assets/services; abetting or helping to conceal these types of activities.
  • Nonfraudulent irregularities: Gross negligence (lack of, or disregard for, the obligation to exercise due care/diligence); unintentional illegal acts
24
Q

Guidelines: Irregularities and Illegal Acts (1207)

What does “Misappropriation” mean in terms of illegal acts?

A

Misappropriation: Dishonestly or unfairly taking something (especially money) for one’s own use.

When employees or third parties associated with a business abuse their power and authority and steal from the company through fraudulent activities, this is known as misappropriation of assets.

Misappropriation of assets by employees is also referred to as insider fraud.

Important Terms:
- “Skimming” - the misappropriation of cash before it is recorded in the financial records (an “off-book” scheme)
- “Defalcation” (i.e. embezzlement) - the misappropriation of funds by a person entrusted with them

25
Q

Guidelines: Irregularities and Illegal Acts (1207)

Reporting of potential irregularities/illegal acts detected by the auditor.

A

Practitioners should inform management and those charged with governance if they have identified situations in which there is a higher level of risk for a potential irregularity or illegal act, even if none is detected.

Irregularity/illegal acts detected should be communicated to management at a higher level than the level at which the irregularities and illegal acts are suspected to have occurred.

Irregularity/illegal acts should ALSO be reported to those charged with governance (Board of Directors, Trustees, Audit Committee, etc.) - if not clearly significant in terms of financial effect/indications of control weakness, reporting at this level may not be required.

If auditors suspect that all levels of management are involved, then findings should be confidentially reported directly to those charged with enterprise governance. Local laws may prohibit reporting to parties other than the prescribed legal authority.

IMPORTANT: Auditors should avoid alerting any person who may be involved in the irregularity/illegal act to REDUCE THE POTENTIAL FOR THOSE INDIVIDUALS TO DESTROY/SUPPRESS EVIDENCE.

The External Auditors should also be informed if an irregularity/illegal act is detected.

26
Q

Guidelines: Irregularities and Illegal Acts (1207)

Benefit of using CAATs?

A

Practitioners should review the results of engagement procedures for indications that irregularities or illegal acts may have occurred.

Using computer-assisted audit techniques (CAATs) could aid significantly in the effective and efficient detection of irregularities or illegal acts.

27
Q

Guidelines: Irregularities and Illegal Acts (1207)

What are some indicators of fraud?

A

Practitioners should demonstrate an attitude of professional skepticism. Indicators (sometimes called fraud indicators or “red flags”) that persons may be committing irregularities or illegal acts include:

 Overrides of controls by management (circumventing controls)
 Irregular or poorly explained management behavior
 Consistent overperformance, compared to set targets
 Problems with, or delays in, receiving requested information or evidence
 Transactions not following the normal approval cycles
 Increase in activity of a certain customer
 Increase in complaints from customers
 Deviating access controls for some applications or users

Practitioners should pay close attention if they notice any of these indicators.
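
Several of the red flags above (transactions outside the normal approval cycle, a sudden increase in activity for one customer or vendor, and access rights that deviate from a role's baseline) are exactly the patterns a CAAT (card 26) can screen for across a whole population rather than a sample. The following is an added example, not part of the ISACA guideline or of this flashcard set: a small Python script run over a constructed set of accounts-payable transactions and user-access records. The field names, the two-approver limit, the spike factor and every record are assumptions for illustration only.

```python
"""Added example: a minimal computer-assisted audit technique (CAAT) that
screens constructed accounts-payable data for three of the fraud red flags
listed in card 27. Field names, thresholds and all records are assumptions."""
from collections import defaultdict
from statistics import mean

# Constructed sample transactions (not real data). Each record names who
# requested the payment and who approved it, so approval-cycle rules can be
# checked mechanically.
TRANSACTIONS = [
    {"id": "T1", "vendor": "ACME", "amount": 900.0, "requester": "alice", "approvers": ["bob"], "period": "2024-01"},
    {"id": "T2", "vendor": "ACME", "amount": 950.0, "requester": "alice", "approvers": ["bob"], "period": "2024-02"},
    {"id": "T3", "vendor": "ACME", "amount": 880.0, "requester": "alice", "approvers": ["bob"], "period": "2024-03"},
    {"id": "T4", "vendor": "ACME", "amount": 4900.0, "requester": "alice", "approvers": ["bob", "erin"], "period": "2024-04"},
    {"id": "T5", "vendor": "GLOBEX", "amount": 1200.0, "requester": "carol", "approvers": ["carol"], "period": "2024-04"},
    {"id": "T6", "vendor": "GLOBEX", "amount": 300.0, "requester": "carol", "approvers": [], "period": "2024-04"},
    {"id": "T7", "vendor": "INITECH", "amount": 700.0, "requester": "dave", "approvers": ["bob"], "period": "2024-04"},
    {"id": "T8", "vendor": "GLOBEX", "amount": 600.0, "requester": "dave", "approvers": ["bob"], "period": "2024-02"},
    {"id": "T9", "vendor": "GLOBEX", "amount": 650.0, "requester": "dave", "approvers": ["bob"], "period": "2024-03"},
]

APPROVAL_LIMIT = 1000.0  # assumed policy: amounts above this need two approvers
SPIKE_FACTOR = 3.0       # assumed: a period total > 3x the mean of prior periods is a spike

# Assumed role baselines and the rights actually provisioned to each user.
ROLE_BASELINE = {
    "ap_clerk": {"ap_read", "ap_enter"},
    "ap_manager": {"ap_read", "ap_enter", "ap_approve"},
}
USER_ACCESS = {
    "alice": ("ap_clerk", {"ap_read", "ap_enter"}),
    "bob": ("ap_manager", {"ap_read", "ap_enter", "ap_approve"}),
    "carol": ("ap_clerk", {"ap_read", "ap_enter", "ap_approve"}),
    "dave": ("ap_clerk", {"ap_read", "ap_enter", "vendor_master_edit"}),
}


def approval_exceptions(transactions, limit):
    """Red flag: transactions not following the normal approval cycle.
    Returns {transaction id: [reasons]} for every record that breaks a rule."""
    findings = defaultdict(list)
    for t in transactions:
        approvers = t["approvers"]
        if not approvers:
            findings[t["id"]].append("no approver")
            continue
        if t["requester"] in approvers:
            findings[t["id"]].append("self-approved")
        if t["amount"] > limit and len(approvers) < 2:
            findings[t["id"]].append("single approval above limit")
    return dict(findings)


def vendor_activity_spikes(transactions, factor=SPIKE_FACTOR):
    """Red flag: sudden increase in activity for one vendor/customer.
    Flags a period whose total exceeds factor x the mean of all earlier
    periods. At least two earlier periods are required so that a single
    baseline month cannot trigger a finding on its own."""
    totals = defaultdict(lambda: defaultdict(float))
    for t in transactions:
        totals[t["vendor"]][t["period"]] += t["amount"]
    spikes = []
    for vendor in sorted(totals):
        periods = sorted(totals[vendor])
        for i in range(2, len(periods)):
            baseline = mean(totals[vendor][p] for p in periods[:i])
            current = totals[vendor][periods[i]]
            if current > factor * baseline:
                spikes.append((vendor, periods[i], current))
    return spikes


def access_deviations(user_access, role_baseline):
    """Red flag: access rights that deviate from the user's role baseline.
    Returns {user: [extra rights]} for users holding rights their role lacks."""
    deviations = {}
    for user, (role, rights) in sorted(user_access.items()):
        extra = sorted(rights - role_baseline[role])
        if extra:
            deviations[user] = extra
    return deviations


def run_caat():
    """Run all three screens and return the findings for the work papers."""
    return {
        "approval_exceptions": approval_exceptions(TRANSACTIONS, APPROVAL_LIMIT),
        "vendor_activity_spikes": vendor_activity_spikes(TRANSACTIONS),
        "access_deviations": access_deviations(USER_ACCESS, ROLE_BASELINE),
    }


if __name__ == "__main__":
    for screen, result in run_caat().items():
        print(screen, result)
```

Note how the three screens corroborate each other on the constructed data: carol holds an approval right outside her role baseline, and the same carol self-approves a payment above the two-approver limit. The spike screen, by contrast, flags the large ACME payment even though it was correctly dual-approved, which is why every CAAT hit is a lead for inquiry and inspection rather than a finding in itself.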

28
Q

Guidelines: Irregularities and Illegal Acts (1207)

What should an auditor do when they become aware of a possible irregularity/illegal act?

A

If practitioners become aware of information concerning a possible irregularity or illegal act, they should consider taking the following steps after seeking legal advice (e.g., from legal counsel):

 Obtain an understanding of the nature of the act
 Understand the circumstances in which the act occurred
 Gather evidence of the act (e.g., letters, system records, computer files, security logs, and customer or vendor information)
 Identify all persons involved in committing the act
 Obtain sufficient supportive information to evaluate the effect of the act
 Perform limited additional procedures to determine the effect of the act and whether additional acts exist
 Document and preserve all evidence and work performed

After the auditor has consulted with audit management, next steps are determined - such as reporting the act to enterprise management, passing further action to internal fraud investigators, and/or reporting to law enforcement or regulators.

When an irregularity involves a member of management, auditors should reconsider the reliability of management’s representations.