Review 1 Flashcards
Which sampling technique is used when an IS auditor is trying to find at least one exception in a population?
A) Variable sampling
B) Stop-or-go sampling
C) Discovery sampling
D) Statistical sampling
Answer: C) Discovery sampling
Discovery sampling is a technique used when an IS auditor is trying to find at least one exception in a population. When an IS auditor is examining a population where even a single exception would represent a high-risk situation (such as embezzlement or fraud), the auditor will recommend a more intensive investigation to determine whether additional exceptions exist.
Responsibilities of the CISO
Compliance management, which is verified through the use of internal and external audits.
COBIT is composed of how many IT processes?
A) 11
B) 37
C) 5
D) 32
Answer: B) 37
The COBIT framework contains 37 key IT processes, along with the means for any individual organization to determine how much (and what kind of) control is appropriate for that organization, based upon its business objectives and how IT supports them.
An auditor is auditing purchase orders and needs to select individual purchases to audit. There are a small number of high-value purchase orders. Which sampling technique is best suited for this audit?
A) Stratified sampling
B) Statistical sampling
C) Variable sampling
D) Discovery sampling
Answer: A) Stratified sampling
The stratified sampling technique permits auditors to select samples with very low or high values or any other rarity, whereas the other techniques are not likely to provide the needed samples.
Video surveillance is an example of which type of control?
A) Preventive only
B) Preventive and deterrent
C) Detective only
D) Detective and deterrent
Answer: D) Detective and deterrent
Video surveillance is both a detective control (because it can record unwanted activity) and a deterrent control (because its presence may deter unwanted activity).
The period from the onset of an outage until the resumption of service is known as the:
A) Recovery time objective (RTO)
B) Recovery Response Objective (RRO)
C) Recovery point objective (RPO)
D) Time to recovery (TTR)
Answer: A) Recovery time objective (RTO)
RTO is a key target that is the period from the onset of an outage until the resumption of service, usually measured in hours or days.
RPO is the period for which recent data will be lost.
"Recovery response objective" and "time to recovery" are invalid choices.
Which perspective of the standard IT balanced scorecard reports key indicators concerning the perception of IT department effectiveness and values as seen from other (non-IT) corporate executives?
A) Business contribution
B) Operational excellence
C) Innovation
D) User
Answer: A) Business contribution
In the business contribution perspective, key indicators are the perception of IT department effectiveness and values as seen from other (non-IT) corporate executives.
IT Standards
Official, management-approved statements that define the technologies, protocols, suppliers, and methods that are used by an IT organization. Standards help drive consistency into an IT organization.
Purpose of pre-audit
To permit an audit client to prepare for an upcoming initial audit.
A pre-audit is generally performed on an audit client that has NOT BEEN AUDITED BEFORE, as a means of helping it prepare for an upcoming audit.
No sample evidence is provided by auditors
An auditor is evaluating a business process and has found that personnel perform tasks consistently, but was told that there are no written procedure documents. What opinion should the auditor write for this process?
A) No exception: The process is effective
B) Major exception: Lack of procedure document
C) Minor exception: Lack of procedure document
D) Minor exception: the process is not effective
Answer: C) Minor exception: Lack of procedure document
An audit manager has directed an auditor to falsify a client's audit report. What is the auditor's best response?
A) Report the matter to executive management
B) Notify law enforcement
C) Notify the audit client
D) Resign his or her position
Answer: A) Report the matter to executive management
Notify the executive in his or her chain of command.
What is an audit program?
The plan for conducting audits over a certain period; it involves planning resources, scope, objectives, and procedures.
Which of the following most accurately describes the characteristics of qualitative risk assessments?
A) A quantitative risk assessment is considerably more difficult and time consuming to perform than a quantitative risk assessment.
B) A quantitative risk assessment rates risks as high-medium-low
C) A quantitative risk assessment will verify which risk reduction measures are the ones that will make the most difference from a purely financial standpoint.
D) A quantitative risk analysis rates risks in actual probabilities and costs
Answer: D) A quantitative risk analysis rates risks in actual probabilities and costs
A quantitative risk assessment is the most difficult to perform, due to the requirement for accurate numerical data, such as costs, time, depreciation, and so on. Quantitative risk assessment deals with actual probabilities and costs, whereas qualitative risk assessments indicate ratings such as high, medium, and low.
The definition of single loss expectancy (SLE) is:
A) The exposure factor for a single loss
B) The probability of a single loss
C) Financial loss from a single event
D) Financial loss from events in a single year
Answer: C) Financial loss from a single event
Exposure factor (EF) is a percentage of an asset's value, after salvage. The financial loss from events in a single year is known as annual loss expectancy (ALE).
If an organization chooses to implement a control self-assessment program, the auditor should participate primarily as a:
A) Monitor
B) Facilitator
C) Project leader
D) The auditor should not participate in the organization’s CSA program because doing so would create a potential conflict of interest.
Answer: B) Facilitator
The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.