ISACA QAE - Weird Terms Referenced (Not in ISACA Glossary) Flashcards
“One-for-One Checking”
This validates that transactions are accurate and complete.
“Review of application controls”
“Review of application controls” means the auditor is “reviewing the effectiveness of controls” (not the suitability of the application to meet business needs).
The purpose of this is to evaluate any exposures resulting from control weaknesses identified from the review.
“Gap Analysis”
Compares actual state to an expected or desirable state.
Mainly done at the beginning of a product/service implementation project to assess what is currently in place against the set of requirements that will be used for the implementation. It helps you assess where the current process still falls short of those requirements (ISO 9001).
Gap Analysis is usually done through a questionnaire/document review/similar tool.
Different from Internal Audit.
“Professional Independence” vs. “Organizational Independence”
“Organizational Independence” is considered at the time of accepting the engagement and has no relevance to the content of an audit report.
“Professional Independence” is the independence of the individual auditor (i.e. when an IS auditor recommends a specific vendor, the auditor’s professional independence is compromised).
Relationship between “Quality Assurance (QA)” function and “Project Management” function
To be effective, the quality assurance (QA) function should be independent of Project Management. If it is not, Project Management may put pressure on the QA function to approve an inadequate product.
The QA team does not release a product for implementation, as prepared by Project Management, until it meets QA requirements.
The Project Manager responds to issues raised by the QA team.
“Due Diligence Reviews”
Due diligence reviews are a type of audit generally related to mergers and acquisitions.
“Before and after image reporting”
This makes it possible to trace the impact that transactions have on computer records.
This is a DETECTIVE control.
“Directive Controls”
Examples: IT Policies and Procedures
(1) “Embedded Data Collection Tools”
(2) “Trend/Variance Detection Tools”
(3) “Heuristic Scanning Tools”
(1) Embedded Data Collection Tools: Embedded (audit) data collection software, such as systems control audit review file or systems audit review file, is used to provide sampling and production statistics.
(2) Trend/Variance Detection Tools: They look for anomalies in user or system behavior, such as invoices with increasing invoice numbers.
(3) Heuristic Scanning Tools: These are a type of virus scanning used to indicate possibly infected traffic. (“Heuristic” means enabling you to discover/learn something for yourself.)