tut qns Flashcards
Even though generalized retrieval software already existed before audit software was developed, why do auditors prefer to develop their own software packages?
It increases auditor independence by reducing the reliance on the auditee
It provides an easy-to-use, all-in-one package that combines data retrieval and audit functions for auditors
Why has the disappearance of paper-based audit trails motivated the implementation and use of concurrent auditing techniques?
The disappearance of paper-based audit trails means that the systems themselves now collect the audit trail data
Concurrent auditing will allow auditors to collect independent data, separate from the electronic audit trail collected by the systems
Concurrent auditing collects the required data as transactions are processed, which increases the speed and effectiveness of data collection
What are two reasons why people respond to questions in an interview?
They are compelled to do so because of their job responsibility
They think that it might improve their working conditions
What is considered a successful interview? List two prerequisite factors to achieve a successful interview.
An interview is considered successful when the interviewees feel that the interview helps them to attain their goals, not to hinder them
Two factors:
Motivation for auditees to respond positively to the questions raised by the auditor
The auditor's display of empathy with auditees, to promote a spirit of trust and respect
How can auditors use the measurements taken from performance measurement tools to help improve the efficiency of a system?
For operational systems, measurements provide data for diagnosis of problems and their rectification
Data can be used to estimate values of parameters in the simulation of future computer systems
In your own words, explain the importance of audit evidence in an audit.
It supports the auditor's conclusions during the audit process and provides the basis for confidence that management is following the right procedures with respect to the controls in place.
With respect to control risk, how can audit evidence help?
Control risk is the risk that a control fails to prevent or detect an error
Audit evidence collected about the functioning of the control can be used to estimate the probability that the control fails
For confirmation and inspection-of-records types of evidence, it is generally assumed that data from independent systems are more trustworthy. Explain why this is so.
The reliability of a record depends on its source; a record obtained independently is more reliable than one that could have been prepared or altered by the auditee.
Furthermore, evidence from an independent system can be used to corroborate the evidence obtained from the auditee
You are required to audit a system which relies on a control that is largely manual. The system is heavily relied upon by the organisation and the control is the only one present to ensure data integrity. Prescribe a suitable sampling for this and explain your reasons. (Hint: You do not need to indicate an exact size; a relative term like large, medium or small sample sizes will do.)
A large sample size. The control is relied on heavily and is manual, so the probability of human error is non-zero; a large sample is needed to gain sufficient assurance that the control is functioning as expected.
If the result of the test is negative, an alternative, more reliable control should be explored
Why are humans considered a more dangerous threat-source than nature?
Humans have the motivation to carry out a threat as well as the ability to acquire and use resources.
Natural threat-sources, on the other hand, are not autonomous agents: they have no motivation, and their set of threat actions is fixed and known beforehand.
In risk management, it is required to compile a comprehensive list of threats. Outline a suitable way that this can be done.
Two steps: threat-source identification, then identification of motivation and threat actions.
Identify the potential threat-sources and compile a threat statement listing the threat-sources applicable to the IT system being evaluated.
Once the threat-sources are identified, identify the motivation and the threat actions that emanate from each source
Should development of policies be a bottom-up or top-down process? Explain.
It should be a top-down process
Policies are meant to reflect the enterprise’s beliefs, goals and objectives
These elements originate from the management, not the staff
Furthermore, for policies to be effective, there should be consequences (such as sanctions or rewards) that give people an incentive to adhere to them.
In developing information security policies, how should responsibilities and compliance be handled? Explain.
Responsibilities: spell out the roles played by management and staff, and who is responsible for day-to-day administration of the policy
Compliance
Who is responsible for ensuring compliance
What happens when the policy is violated
Give management leeway in resolving issues on a case by case basis
Other than the information security policy, what other two types of policies are there? Briefly describe them.
Topic-specific policy
Focuses on a particular issue or area at a time
Application-specific policy
Focuses on a particular system or application
Should policies be modified after being created? Give some examples of when policies need to be modified.
Policies should be modified, but not too often
They should be modified when:
The company's goals or structure change
The policy becomes obsolete for various reasons, including technological advancements
The company's IT systems have undergone a major overhaul