Review 1 Flashcards

1
Q

Which sampling technique is used when an IS auditor is trying to find at least one exception in a population?

A) Variable sampling
B) Stop-or-go sampling
C) Discovery sampling
D) Statistical sampling

A

Answer: C ) Discovery sampling

Discovery sampling is a technique used when an IS auditor is trying to find at least one exception in a population. When an IS auditor is examining a population where even a single exception would represent a high-risk situation (such as embezzlement or fraud), the auditor will recommend a more intensive investigation to determine whether additional exceptions exist.

2
Q

Responsibilities of the CISO

A

Compliance management, which is verified through the use of internal and external audits.

3
Q

COBIT is composed of how many IT processes?

A) 11
B) 37
C) 5
D) 32

A

Answer: B ) 37

The COBIT framework contains 37 key IT processes, along with the means for any individual organization to determine how much (and what kind of) control is appropriate for it, based upon its business objectives and how IT supports them.

4
Q

An auditor is auditing a purchase order and needs to select individual purchases to audit. There are a small number of high-value purchase orders. Which sampling technique is best suited for this audit?

A) Stratified sampling
B) Statistical sampling
C) Variable sampling
D) Discovery sampling

A

Answer: A) stratified sampling

The stratified sampling technique permits auditors to select samples with very low or high values or any other rarity, whereas the other techniques are not likely to provide the needed samples.

5
Q

Video surveillance is an example of which type of control?

A) Preventive only
B) Preventive and deterrent
C) Detective only
D) Detective and deterrent

A

Answer: D) Detective and Deterrent

Video surveillance is both a detective control (because it can record unwanted activity) and a deterrent control (because its presence may deter unwanted activity).

6
Q

The period from the onset of an outage until the resumption of service is known as the:

A) Recovery time objective (RTO)
B) Recovery Response Objective (RRO)
C) Recovery point objective (RPO)
D) Time to recovery (TTR)

A

Answer: A) Recovery time objective (RTO)

RTO is a key target that is the period from the onset of an outage until the resumption of service, usually measured in hours or days.

RPO is the period for which recent data will be lost.
The recovery response objective and the time to recovery are invalid choices.

7
Q

Which perspective of the standard IT balanced scorecard reports key indicators concerning the perception of IT department effectiveness and values as seen from other (non-IT) corporate executives?

A) Business contribution
B) Operational excellence
C) Innovation
D) User

A

Answer: A) Business contribution

In the business contribution perspective, the key indicators are the perception of IT department effectiveness and value as seen from other (non-IT) corporate executives.

8
Q

IT Standards

A

Official, management-approved statements that define the technologies, protocols, suppliers, and methods that are used by an IT organization. Standards help drive consistency into the IT organization.

9
Q

Purpose of pre-audit

A

To permit an audit client to prepare for an upcoming initial audit.

A pre-audit is generally performed on an audit client that has NOT BEEN AUDITED BEFORE, as a means of helping it prepare for an upcoming audit.
No sample evidence is provided by the auditors.

10
Q

An auditor is evaluating a business process and has found that personnel perform tasks consistently, but was told that there are no written procedure documents. What opinion should the auditor write for this process?

A) No exception: The process is effective
B) Major exception: Lack of procedure document
C) Minor exception: Lack of procedure document
D) Minor exception: the process is not effective

A

Answer: C) Minor exception: Lack of procedure document

11
Q

An audit manager has directed an auditor to falsify a client’s audit report. What is the auditor’s best response?

A) Report the matter to executive management
B) Notify law enforcement
C) Notify the audit Client
D) Resign his or her position

A

Answer: A) Report the matter to executive management

Notify the executive in his or her chain of command.

12
Q

What is an audit program?

A

The plan for conducting audits over a certain period; it involves planning resources, scope, objectives, and procedures.

13
Q

Which of the following most accurately describes the characteristics of qualitative risk assessments?

A) A quantitative risk assessment is considerably more difficult and time consuming to perform than a quantitative risk assessment.
B) A Quantitative risk assessment rates risks as high-medium-low
C) A quantitative risk assessment will verify which risk reduction measures are the ones that will make the most difference from a purely financial standpoint.
D) A quantitative risk analysis rates risks in actual probabilities and costs

A

Answer: D) A quantitative risk analysis rates risks in actual probabilities and costs

A quantitative risk assessment is the most difficult to perform, due to the requirement for accurate numerical data, such as costs, time, depreciation, and so on. Quantitative risk assessment deals with actual probabilities and costs, whereas qualitative risk assessment rates risks as high, medium, and low.

14
Q

The definition of single loss expectancy (SLE) is:

A) The exposure factor for a single loss
B) The probability of a single loss
C) Financial Loss from a single event
D) Financial loss from events in a single year

A

Answer: C) Financial Loss from a single event

Exposure factor (EF) is a percentage of an asset's value, after salvage.
The financial loss from events in a single year is known as annual loss expectancy (ALE).
15
Q

If an organization chooses to implement a control self-assessment program, the auditor should participate primarily as a:

A) Monitor
B) Facilitator
C) Project leader
D) The auditor should not participate in the organization’s CSA program because doing so would create a potential conflict of interest.

A

B) Facilitator

Answer: B. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.

16
Q

Which of the following elements must be present to properly log activities and achieve accountability for actions performed by a user?

A) Identification and authorization only
B) Authentication and authorization only
C) Identification and authentication only
D) Authorization only

A

C) Identification and authentication only

Answer: C. If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.

17
Q

When initially planning a risk-based audit, which of the following steps is MOST critical?

A) Evaluating the organization’s entire environment as a whole
B) Establishing an audit methodology based on accepted frameworks, such as COBIT or COSO
C) Documenting procedures to ensure that the auditor achieves the planned audit objectives
D) The identification of the areas of high risk for controls failure

A

D) The identification of the areas of high risk for controls failure

Answer: D. In planning an audit, the MOST critical step is identifying areas of high risk.

18
Q

What is the PRIMARY purpose of audit trails?

A) To better evaluate and correct audit risk resulting from potential errors the auditor might have committed by failing to detect controls failure
B) To establish a chronological chain of events for audit work performed
C) To establish accountability and responsibility for processed transactions
D) To compensate for a lack of proper segregation of duties

A

C) To establish accountability and responsibility for processed transactions

Answer: C. Although secure audit trails and other logging are used as a compensatory control for a lack of proper segregation of duties, the primary purpose of audit trails is to establish accountability and responsibility for processed transactions.

19
Q

Which of the following is the MOST appropriate type of risk to be associated with authorized program exits (trap doors)?

A. Inherent
B. Audit
C. Detection
D. Business

A

A. Inherent

Answer: A. Inherent risk is associated with authorized program exits (trap doors).

20
Q

When performing an audit of an organization’s systems, the auditor’s first step should
be to:

A) Develop a strategic audit plan
B) Gain an understanding of the focus of the business of the organization
C) Perform an initial risk assessment to provide the foundation for a risk-based audit
D) Determine and define audit scope and materiality

A

B) Gain an understanding of the focus of the business of the organization

Answer: B. The IS auditor’s first step is to understand the business focus of the organization. Until the auditor has a good understanding of the organization’s business goals, objectives, and operations, the auditor will not be able to competently complete any of the other tasks listed.

21
Q

Which of the following risks results when the auditor uses an insufficient test procedure, resulting in the auditor’s ill-informed conclusion that material errors do not exist, when, in fact, they do?

A) Business risk
B) Detection risk
C) Audit risk
D) Inherent risk

A

B) Detection risk

Answer: B. Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.

22
Q

Which of the following is considered the MOST significant advantage of implementing a continuous auditing approach?

A) It can improve system security when used in time-sharing environments that process a large number of transactions.
B) It can provide more actionable audit results because of the increased input from management and staff.
C) It can identify high-risk areas that might need a detailed review later.
D) It can significantly reduce the amount of resources necessary for performing the audit because time constraints are more relaxed.

A

A) It can improve system security when used in time-sharing environments that process a large number of transactions.

Answer: A. The PRIMARY advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.

23
Q

When an IS auditor finds evidence of minor weaknesses in controls, such as use of weak passwords, or poor monitoring of reports, which of the following courses of action is MOST appropriate for the auditor?

A) Take corrective action by informing affected users and management of the controls vulnerabilities
B) Realize that such minor weaknesses of controls are usually not material to the audit
C) Immediately report such weaknesses to IT management
D) Take no corrective action whatsoever, and simply record the observations and associated risk arising from the collective weaknesses into the audit report

A

D) Take no corrective action whatsoever, and simply record the observations and associated risk arising from the collective weaknesses into the audit report

Answer: D. While preparing the audit report, the IS auditor should record the observations and the risk arising from the collective weaknesses.

24
Q

Which of the following is considered to present the GREATEST challenge to using test data for validating processing?

A) Potential corruption of actual live data
B) Creation of test data that covers all possible valid and invalid conditions
C) Test results being compared to expected results from live processing
D) Data isolation issues associated with high-speed transaction processing

A

B) Creation of test data that covers all possible valid and invalid conditions

Answer: B. Creating test data that covers all possible valid and invalid conditions is often the greatest challenge in using test data.

25
Q

Quantitative risk analysis steps and calculations in the proper sequential order:

A
  1. Determine the asset value (AV).
  2. Identify threats to the asset.
  3. Identify the exposure factor for each asset in relation to the threat.
  4. Calculate the single loss expectancy.
  5. Determine the annual rate of occurrence.
  6. Calculate the annualized loss expectancy for each asset.