Review 3 Flashcards
Which ISACA guideline would an auditor use to help prepare the final report for an audit?
A) 2401, Reporting
B) 1402, Follow-up Activities
C) 2402, Follow-up Activities
D) 1401, Reporting
Answer: A) 2401, Reporting
2401 describes how an IS auditor should comply with ISACA auditing standards on the development of audit findings, audit opinion, and audit report.
Which organizational role is typically involved with the design of applications, including changes in the application’s original design?
A) Software developer/programmer
B) System architect
C) System Analyst
D) Software tester
Answer: C) System Analyst
System analysts are typically involved with the design of applications, including changes in an application’s original design; the other positions are involved with other phases and processes of the system development life cycle.
An auditor has delivered an audit report to an auditee. The auditee disagrees with one of the findings in the report. The best response for the auditor is to:
A) Include auditee management comments in the audit report.
B) Permit the auditee to describe its disagreement with the audit results.
C) Refund fee paid by the auditee organization
D) Report the auditee to regulators
Answer: B) Permit the auditee to describe its disagreement with the audit results.
The best first step in dealing with an auditee’s disagreement is to listen to the substance of the disagreement. It is possible that the auditor has not fully understood the system or process that was audited.
An auditor is auditing a retail store chain and needs to select individual stores to audit. There are newer stores with newer technology and older stores with older technology. Which sampling technique is best suited for this audit?
A) Statistical sampling
B) Judgmental sampling
C) Attribute sampling
D) Discovery sampling
Answer: B) Judgmental sampling
Judgmental sampling enables the auditor to deliberately select some stores with older technology and some with newer technology.
All of the following are often included as contract provisions when outsourcing a product or process EXCEPT:
A) Ownership of intellectual property
B) Profit margin
C) Dispute resolution
D) Service level agreement
Answer: B) Profit margin
Ownership of intellectual property, dispute resolution, and service level agreements should all be included as contract provisions when outsourcing products or processes to another organization.
What is a cutover test?
It is the most intrusive type of disaster recovery test, and it involves the most planning and resources.
A company performing due diligence on a cloud-based service provider has requested an audit report. The service provider provided an audit report for its data center hosting provider. How should the company proceed?
A) Thank the service provider for providing the audit report
B) Examine the audit report for significant deficiencies and material weaknesses.
C) Request an audit report for the service provider’s own operations.
D) File the report in its due diligence recordkeeping.
Answer: C) Request an audit report for the service provider’s own operations.
The company needs the service provider’s own audit report, because that report covers the service provider’s systems and processes rather than only those of its hosting provider.
The purpose for an auditor to follow up with management well after the completion of the audit is to:
A) Remind management of audit exceptions
B) Show interest and concern for the organization’s health
C) Remind management of its need to remediate all audit findings
D) Increase the chances of performing additional audits in the future
Answer: B) Show interest and concern for the organization’s health
The purpose of post-audit follow-up is to give the auditor an opportunity to show interest and concern for the organization’s well-being.
The purpose of the audit is to point out opportunities for improvement; follow-up communication helps to improve the auditor-auditee partnership.
All of the following are considered legal forms of intellectual property EXCEPT:
A) Source code
B) Design
C) Processes
D) Protocol standards
Answer: D) Protocol standards
Protocol standards are open, well-known standards used throughout the IT industry, and usually are not specific to an organization.
Source code, designs, and processes are generally developed by the organization and protected as intellectual property.
What would an auditor examining a business process want to examine?
The process charter, architecture, process and procedure documents, and business records.
Which two factors figure significantly in the risk analysis process when evaluating different risk mitigation solutions?
Exposure factor (EF) and annualized rate of occurrence (ARO)
Threats and impacts (EF); and likelihood of occurrence (ARO).
What is the first phase of a risk analysis?
Evaluating business processes.
The type of control used to determine the accuracy and integrity of transactions that flow through processes and information systems is called:
A) Compliance testing
B) Validation testing
C) Substantive testing
D) Controls testing
Answer: C) Substantive testing
COMPLIANCE testing is used to determine whether control procedures have been properly designed and implemented, and whether they are operating properly.
VALIDATION testing is used to determine if a mitigating control adequately addresses an identified vulnerability.
CONTROLS testing is an incorrect term in this context.
What sampling technique is used when an auditor is trying to find at least one exception in a population?
Discovery sampling.
What is a data flow diagram (DFD)?
It illustrates the flow of information between IT components in business terms.