Review 1 Flashcards

1
Q

Which sampling technique is used when an IS auditor is trying to find at least one exception in a population?

A) Variable sampling
B) Stop-or-go sampling
C) Discovery sampling
D) Statistical sampling

A

Answer: C) Discovery sampling

Discovery sampling is a technique used when an IS auditor is trying to find at least one exception in a population. When an IS auditor is examining a population where even a single exception would represent a high-risk situation (such as embezzlement or fraud), the auditor will recommend a more intensive investigation to determine whether additional exceptions exist.

2
Q

Responsibilities of the CISO

A

Compliance management, which is verified through the use of internal and external audits.

3
Q

COBIT is composed of how many IT processes?

A) 11
B) 37
C) 5
D) 32

A

Answer: B) 37

The COBIT framework contains 37 key IT processes, along with the means for any individual organization to determine how much (and what kind of) control is appropriate for each organization, based upon its business objectives and how IT supports them.

4
Q

An auditor is auditing a purchase order and needs to select individual purchases to audit. There are a small number of high-value purchase orders. Which sampling technique is best suited for this audit?

A) Stratified sampling
B) Statistical sampling
C) Variable sampling
D) Discovery sampling

A

Answer: A) Stratified sampling

The stratified sampling technique permits auditors to select samples with very low or high values or any other rarity, whereas the other techniques are not likely to provide the needed samples.

5
Q

Video surveillance is an example of which type of control?

A) Preventive only
B) Preventive and deterrent
C) Detective only
D) Detective and deterrent

A

Answer: D) Detective and deterrent

Video surveillance is both a detective control (because it can record unwanted activity) and a deterrent control (because its presence may deter unwanted activity).

6
Q

The period from the onset of an outage until the resumption of service is known as the:

A) Recovery time objective (RTO)
B) Recovery Response Objective (RRO)
C) Recovery point objective (RPO)
D) Time to recovery (TTR)

A

Answer: A) Recovery time objective (RTO)

RTO is a key target that is the period from the onset of an outage until the resumption of service, usually measured in hours or days.

RPO is the period for which recent data will be lost.
The recovery response time and the time to recovery are invalid choices.

7
Q

Which perspective of the standard IT balanced scorecard reports key indicators concerning the perception of IT department effectiveness and values as seen from other (non-IT) corporate executives?

A) Business contribution
B) Operational excellence
C) Innovation
D) User

A

Answer: A) Business contribution

In the business contribution perspective, key indicators concern the perception of IT department effectiveness and values as seen from other (non-IT) corporate executives.

8
Q

IT Standards

A

Official, management-approved statements that define the technologies, protocols, suppliers, and methods that are used by an IT organization. Standards help drive consistency into the IT organization.

9
Q

Purpose of pre-audit

A

To permit an audit client to prepare for an upcoming initial audit.

A pre-audit is generally performed on an audit client that has NOT BEEN AUDITED BEFORE, as a means of helping it prepare for an upcoming audit. No sample evidence is provided by auditors.

10
Q

An auditor is evaluating a business process and has found that personnel perform tasks consistently, but was told that there are no written procedure documents. What opinion should the auditor write for this process?

A) No exception: The process is effective
B) Major exception: Lack of procedure document
C) Minor exception: Lack of procedure document
D) Minor exception: the process is not effective

A

Answer: C) Minor exception: Lack of procedure document

11
Q

An audit manager has directed an auditor to falsify a client’s audit report. What is the auditor’s best response?

A) Report the matter to executive management
B) Notify law enforcement
C) Notify the audit Client
D) Resign his or her position

A

Answer: A) Report the matter to executive management

Notify the executive in his or her chain of command.

12
Q

What is an audit program?

A

The plan for conducting audits over a certain period; it involves planning resources, scope, objectives, and procedures.

13
Q

Which of the following most accurately describes characteristics of qualitative risk assessments?

A) A quantitative risk assessment is considerably more difficult and time consuming to perform than a quantitative risk assessment.
B) A Quantitative risk assessment rates risks as high-medium-low
C) A quantitative risk assessment will verify which risk reduction measures are the ones that will make the most difference from a purely financial standpoint.
D) A quantitative risk analysis rates risks in actual probabilities and costs

A

Answer: D) A quantitative risk analysis rates risks in actual probabilities and costs

A quantitative risk assessment is the most difficult to perform, due to the requirement for accurate numerical data, such as costs, time, depreciation, and so on. Quantitative risk assessment deals with actual probabilities and costs, whereas qualitative risk assessments indicate ratings such as high, medium, and low.

14
Q

The definition of single loss expectancy (SLE) is:

A) The exposure factor for a single loss
B) The probability of a single loss
C) Financial Loss from a single event
D) Financial loss from events in a single year.

A

Answer: C) Financial Loss from a single event

Exposure factor (EF) is a percentage of an asset's value, after salvage.
The financial loss from events in a single year is known as annual loss expectancy (ALE).