Review 3 Flashcards

1
Q

Which ISACA guideline would an auditor use to help prepare the final report for an audit?

A) 2401, Reporting
B) 1402, Follow-up Activities
C) 2402, Follow-up Activities
D) 1401, Reporting

A

Answer: A) 2401, Reporting

2401 describes how an IS auditor should comply with ISACA auditing standards on the development of audit findings, audit opinion, and audit report.

2
Q

Which organizational role is typically involved with the design of applications, including changes in the application’s original design?

A) Software developer/programmer
B) System architect
C) System Analyst
D) Software tester

A

Answer: C) System Analyst

System Analysts are typically involved with the design of applications, including changes in an application’s original design: the other positions are involved with other phases and processes associated with the system development life cycle.

3
Q

An auditor has delivered a report to an auditee. The auditee disagrees with one of the findings in the report. The best response for the auditor is to:

A) Include auditee management comments in the audit report.
B) Permit the auditee to describe its disagreement with the audit results.
C) Refund fee paid by the auditee organization
D) Report the auditee to regulators

A

Answer: B) Permit the auditee to describe its disagreement with the audit results.

The best first step dealing with an auditee’s disagreement is to listen to the substance of the disagreement. It is possible that the auditor has not fully understood the system or process that was audited.

4
Q

An auditor is auditing a retail store chain and needs to select individual stores to audit. There are newer stores with newer technology and older stores with older technology. Which sampling technique is best suited for this audit?

A) Statistical sampling
B) Judgmental sampling
C) Attribute sampling
D) Discovery sampling

A

Answer: B) Judgmental sampling

Judgment sampling enables the auditor to select some stores with older technology and some with new technology.

5
Q

All of the following are often included as contract provisions when outsourcing a product or process EXCEPT:

A) Ownership of intellectual property
B) Profit margin
C) Dispute resolution
D) Service level agreement

A

Answer: B) Profit margin

Ownership of intellectual property, dispute resolution, and service level agreements should all be included as contract provisions when outsourcing products or processes to another organization.

6
Q

What is the cutover test?

A

It’s the most intrusive type of disaster recovery test, as it involves the most planning and resources.

7
Q

A company performing due diligence on a cloud-based service provider has requested an audit report. The service provider provided an audit report for its data center hosting provider. How should the company proceed?

A) Thank the service provider for providing the audit report
B) Examine the audit report for significant deficiencies and material weaknesses.
C) Request an audit report for the service provider’s own operations.
D) File the report in its due diligence recordkeeping.

A

Answer: C) Request an audit report for the service provider’s own operations.

Because that report includes the service provider’s systems and processes.

8
Q

The purpose for an auditor to follow up with management well after the completion of the audit is to:

A) Remind management of audit exceptions
B) Show interest and concern for the organization’s health
C) Remind management of its need to remediate all audit findings
D) Increase the chances of performing additional audits in the future

A

Answer: B) Show interest and concern for the organization’s health

The purpose of post-audit follow-up is to give the auditor an opportunity to show interest and concern for the organization’s well-being.

The purpose of the audit is to point out opportunities for improvement; follow-up communication helps to improve the auditor-auditee partnership.

9
Q

All of the following are considered legal forms of intellectual property EXCEPT:

A) Source code
B) Design
C) Processes
D) Protocol standards.

A

Answer: D) Protocol standards

Protocol standards are open, well-known standards used throughout the IT industry, and usually are not specific to an organization.

Source Code, Design, and processes are generally developed by the organization and protected as intellectual property.

10
Q

What would an auditor examining a business process want to examine?

A

The process charter, architecture, process and procedure documents, and business records.

11
Q

Which two factors figure significantly in the risk analysis process in terms of evaluating different risk mitigation solutions?

A

Exposure factor (EF) and annualized rate of occurrence (ARO)

Threats and impacts (EF), and likelihood of occurrence (ARO).

12
Q

What is the first phase of a risk analysis?

A

Evaluating business process.

13
Q

The type of control used to determine the accuracy and integrity of transactions that flow through processes and information systems is called:

A) Compliance testing
B) Validation testing
C) Substantive testing
D) Controls testing

A

Answer: C) Substantive testing

COMPLIANCE testing is used to determine whether control procedures have been properly designed and implemented, and that they are operating properly.

VALIDATION testing is used to determine if a mitigating control adequately addresses an identified vulnerability.

CONTROLS testing is an incorrect term in this context.

14
Q

What sampling is used when an auditor is trying to find at least one exception in a population?

A

Discovery sampling.

15
Q

What is a data flow diagram (DFD)?

A

It illustrates the flow of information between IT components in business terms.

16
Q

Which segregation of duties control requires two or more persons to approve certain transactions?

A

Transaction authorization

17
Q

Which component of the Zachman framework is described as conceptual, logical, or physical, depending upon the functional model or context?

A

Data

18
Q

An auditor has insufficient local storage to collect evidence during an audit. What is the auditor’s best course of action?

A

Collect the evidence when the auditor has sufficient storage to collect the evidence.

19
Q

Which part of the audit report can be used as evidence for other organizations that an audit has taken place?

A

Cover letter.
It describes the audit, its scope and purpose, and findings. Often the cover letter is used as evidence to other organizations that the audit took place.

20
Q

What is the purpose of the ISACA IT Assurance Framework?

A

Define ethical behavior and required audit standards.

21
Q

Which ISACA auditing guideline provides additional details regarding types of evidence, how evidence can be represented, and selecting and gathering evidence?

A) 1204, Materiality
B) 2207, Irregularities and Illegal Acts
C) 1205, Evidence
D) 2205, Evidence

A

Answer: D) 2205, Evidence

The standards (100 series) do not provide this information at this level of detail, and the correct guideline is not 2207.