CISA Certified Information Systems Auditor - Questions + Answers Part 1

Posted: Tue Feb 22, 2022 6:19 am
by answerhappygod
A1-1 The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?
A. Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence.
C. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.
C is the correct answer.
Justification:
A. The ability of IT to continuously monitor and address any issues on IT systems would not affect the ability of IS audit to perform a comprehensive audit.
B. Sharing the scripts may be required by policy for the sake of quality assurance and configuration management, but that would not impair the ability to audit.
C. IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts themselves, but they can still audit the systems.
D. An audit of an IS system would encompass more than just the controls covered in the scripts.


A1-2 Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?
A. Complexity of the organization’s operation
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. Auditor’s familiarity with the organization
C is the correct answer.
Justification:
A. The complexity of the organization’s operation is a factor in the planning of an audit, but does not directly affect the determination of how much data to collect. Extent of data collection is subject to the intensity, scope and purpose of the audit.
B. Prior findings and issues are factors in the planning of an audit, but do not directly affect the determination of how much data to collect. Data must be collected outside of areas of previous findings.
C. The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection such as sample size or means of data collection.
D. An auditor’s familiarity with the organization is a factor in the planning of an audit, but does not directly affect the determination of how much data to collect. The audit must be based on sufficient evidence of the monitoring of controls and not unduly influenced by the auditor’s familiarity with the organization.


A1-3 An IS auditor is developing an audit plan for an environment that includes new systems. The company’s management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
A. Audit the new systems as requested by management.
B. Audit systems not included in last year’s scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year’s scope and the new systems.
C is the correct answer.
Justification:
A. Auditing the new system does not reflect a risk-based approach. Even though the system could contain sensitive data and may present risk of data loss or disclosure to the organization, without a risk assessment, the decision to solely audit the newly implemented system is not a risk-based decision.
B. Auditing systems not included in the previous year’s scope does not reflect a risk-based approach. In addition, management may know about problems with the new system and may be intentionally trying to steer the audit away from that vulnerable area. Although at first the new system may seem to be the most risky area, an assessment must be conducted rather than relying on the judgment of the IS auditor or IT manager.
C. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: “The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.”
D. The creation of the audit plan should be performed in cooperation with management and based on risk. The IS auditor should not arbitrarily decide on what needs to be audited.


A1-4 An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?
A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.
A is the correct answer.
Justification:
A. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management could then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.
B. It is not acceptable for the IS auditor to ignore areas of potential weakness because conclusive evidence could not be obtained within the agreed-on audit time frame. ISACA IS Audit and Assurance Standards would be violated if these areas were omitted from the audit report.
C. Extending the time frame for the audit and delaying the go-live date is unlikely to be acceptable in this scenario where the system involved is business-critical. In any case, a delay to the go-live date must be the decision of business management, not the IS auditor. In this scenario, the IS auditor should present business management with all available information by the agreed-on date.
D. Failure to obtain sufficient evidence in one part of an audit engagement does not justify cancelling or postponing the audit; this would violate the audit guideline concerning due professional care.

A1-5 An IS auditor is verifying IT policies and found that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?
A. Ignore the absence of management approval because employees follow the policies.
B. Recommend immediate management approval of the policies.
C. Emphasize the importance of approval to management.
D. Report the absence of documented approval.
D is the correct answer.
Justification:
A. Absence of management approval is an important (material) finding and while it is not currently an issue with relation to compliance because the employees are following the policy without approval, it may be a problem at a later time and should be resolved.
B. While the IS auditor would likely recommend that the policies should be approved as soon as possible, and may also remind management of the critical nature of this issue, the first step would be to report this issue to the relevant stakeholders.
C. The first step is to report the finding and provide recommendations later.
D. The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee were terminated as a result of violating a company policy and it was discovered that the policies had not been approved, the company could be faced with an expensive lawsuit.

A1-6 An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should:
A. recommend that this separate project be completed as soon as possible.
B. report this issue as a finding in the audit report.
C. recommend the adoption of the Zachman framework.
D. re-scope the audit to include the separate project as part of the current audit.
B is the correct answer.
Justification:
A. The IS auditor would not ordinarily provide input on the timing of projects, but rather provide an assessment of the current environment. The most critical issue in this scenario is that the enterprise architecture (EA) is undergoing change, so the IS auditor should be most concerned with reporting this issue.
B. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding.
C. The company is free to choose any EA framework, and the IS auditor should not recommend a specific framework.
D. Changing the scope of an audit to include the secondary project is not required, although a follow-up audit may be desired.

A1-7 What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:
A. interface with various types of enterprise resource planning (ERP) software and databases.
B. accurately capture data from the organization’s systems without causing excessive performance problems.
C. introduce audit hooks into the company’s financial systems to support continuous auditing.
D. be customizable and support inclusion of custom programming to aid in investigative analysis.
B is the correct answer.
Justification:
A. The product must interface with the types of systems used by the organization and provide meaningful data for analysis.
B. While all of the choices above are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool will work effectively on the systems of the organization being audited.
C. The tool should probably work on more than just financial systems and will not necessarily require implementation of audit hooks.
D. The tool should be flexible but not necessarily customizable. It should have built-in analysis software tools.


A1-8 A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual’s experience and:
A. length of service, because this will help ensure technical competence.
B. age, because training in audit techniques may be impractical.
C. IT knowledge, because this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IT relationships.
D is the correct answer.
Justification:
A. Length of service will not ensure technical competency.
B. Evaluating an individual’s qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world.
C. The fact that the employee has worked in IT for many years may not, in itself, ensure credibility. The IS audit department’s needs should be defined, and any candidate should be evaluated against those requirements.
D. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.


A1-9 For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?
A. Use of computer-assisted audit techniques (CAATs)
B. Quarterly risk assessments
C. Sampling of transaction logs
D. Continuous auditing
D is the correct answer.
Justification:
A. Using software tools such as computer-assisted audit techniques (CAATs) to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results.
B. Quarterly risk assessment may be a good technique but not as responsive as continuous auditing.
C. The sampling of transaction logs is a valid audit technique; however, risk may exist that is not captured in the transaction log, and there may be a potential time lag in the analysis.
D. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.


A1-10 An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.
C is the correct answer.
Justification:
A. Variable sampling is used to estimate numerical values such as dollar values.
B. Substantive testing substantiates the integrity of actual processing such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized.
C. Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.
D. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.


A1-11 The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?
A. Inherent
B. Detection
C. Control
D. Business
B is the correct answer.
Justification:
A. Inherent risk is the risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error. Inherent risk is not usually affected by an IS auditor.
B. Detection risk is directly affected by the IS auditor’s selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.
C. Control risk is the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Control risk can be mitigated by the actions of the company’s management.
D. Business risk is a probable situation with uncertain frequency and magnitude of loss (or gain). Business risk is usually not directly affected by an IS auditor.

A1-12 Which of the following is the MOST critical step when planning an IS audit?
A. Review findings from prior audits.
B. Executive management’s approval of the audit plan.
C. Review information security policies and procedures.
D. Perform a risk assessment.
D is the correct answer.
Justification:
A. The findings of a previous audit are of interest to the auditor, but they are not the most critical step. The most critical step involves finding the current issues or high-risk areas, not reviewing the resolution of older issues. A review of historical audit findings could indicate that management is not resolving the items or the recommendation was ineffective.
B. Executive management is not required to approve the audit plan. It is typically approved by the audit committee or board of directors. Management could recommend areas to audit.
C. Reviewing information security policies and procedures would normally be conducted during fieldwork, not planning.
D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.2: “IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.” In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation.


A1-13 An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture (SOA). What is the INITIAL step?
A. Understanding services and their allocation to business processes by reviewing the service repository documentation.
B. Sampling the use of service security standards as represented by the Security Assertion Markup Language (SAML).
C. Reviewing the service level agreements (SLAs) established for all system providers.
D. Auditing the core service and its dependencies on other systems.
A is the correct answer.
Justification:
A. A service-oriented architecture (SOA) relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services.
B. Sampling the use of service security standards as represented by the Security Assertion Markup Language (SAML) is an essential follow-up step to understanding services and their allocation to business, but is not the initial step.
C. Reviewing the service level agreements (SLAs) is an essential follow-up step to understanding services and their allocation to business, but is not the initial step.
D. Auditing the core service and its dependencies with others would most likely be a part of the audit, but the IS auditor must first gain an understanding of the business processes and how the systems support those processes.

A1-14 An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A. Delete all copies of the unauthorized software.
B. Recommend an automated process to monitor for compliance with software licensing.
C. Report the use of the unauthorized software and the need to prevent recurrence.
D. Warn the end users about the risk of using illegal software.
C is the correct answer.
Justification:
A. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing the unauthorized software.
B. This would detect compliance with software licensing. However, an automated solution might not be the best option in all cases.
C. The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and management of the risk and the need to eliminate the risk. For example, software piracy can result in exposure and severe fines.
D. Auditors must report material findings to management for action. Informing the users of risk is not the primary responsibility of the IS auditor.


A1-15 An audit charter should:
A. be dynamic and change to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
D is the correct answer.
Justification:
A. The audit charter should not be subject to changes in technology and should not significantly change over time. The charter should be approved at the highest level of management.
B. An audit charter will state the authority and reporting requirements for the audit but not the details of maintenance of internal controls.
C. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.
D. An audit charter should state management’s objectives for and delegation of authority to IS auditors.


A1-16 An IS auditor finds a small number of user access requests that had not been authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:
A. perform an additional analysis.
B. report the problem to the audit committee.
C. conduct a security risk assessment.
D. recommend that the owner of the identity management (IDM) system fix the workflow issues.
A is the correct answer.
Justification:
A. The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and what factors caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, by a problem with the workflow of the automated system or a combination of the two.
B. The IS auditor does not yet have enough information to report the problem.
C. Changing the scope of the IS audit or conducting a security risk assessment would require more detailed information about the processes and violations being reviewed.
D. The IS auditor must first determine the root cause and impact of the findings and does not have enough information to recommend fixing the workflow issues.


A1-17 Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit sampling
D. Difference estimation sampling
A is the correct answer.
Justification:
A. Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain pre-defined dollar amount for proper approvals.
B. Variable sampling is based on the calculation of a mean from a sample extracted from the entire population and using that to estimate the characteristics of the entire population. For example, a sample of 10 items shows an average price of US $10 per item. For the entire population of 1,000 items, the total value would be estimated to be US $10,000. This is not a good way to measure compliance with a process.
C. Stratified mean sampling attempts to ensure that the entire population is represented in the sample. This is not an effective way to measure compliance.
D. Difference estimation sampling examines measure deviations and extraordinary items and is not a good way to measure compliance.


A1-18 When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling would not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?
A. Develop an alternate testing procedure.
B. Report the finding to management.
C. Perform a walk-through of the change management process.
D. Create additional sample data to test additional changes.
A is the correct answer.
Justification:
A. If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure.
B. There is not enough evidence to report the finding as a deficiency.
C. A walk-through should not be initiated until an analysis is performed to confirm that this could provide the required assurance.
D. It would not be appropriate for an IS auditor to create sample data for the purpose of the audit.


A1-19 Which of the following situations could impair the independence of an IS auditor? The IS auditor:
A. implemented specific functionality during the development of an application.
B. designed an embedded audit module for auditing an application.
C. participated as a member of an application project team and did not have operational responsibilities.
D. provided consulting advice concerning application good practices.
A is the correct answer.
Justification:
A. Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system.
B. Designing an embedded audit module does not impair an IS auditor’s independence.
C. An IS auditor should not audit work that they have done, but just participating as a member of the application system project team does not impair an IS auditor’s independence.
D. An IS auditor’s independence is not impaired by providing advice on known good practices.


A1-20 The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. allows the IS auditor to review and follow up on audit issues in a timely manner.
C. places the responsibility for enforcement and monitoring of controls on the security department instead of audit.
D. simplifies the extraction and correlation of data from multiple and complex systems.
B is the correct answer.
Justification:
A. The continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place.
B. Continuous audit allows audit and response to audit issues in a timely manner because audit findings are gathered in near real time.
C. Responsibility for enforcement and monitoring of controls is primarily the responsibility of management.
D. The use of continuous audit is not based on the complexity or number of systems being monitored.


A1-21 An IS auditor is evaluating management’s risk assessment of information systems. The IS auditor should FIRST review:
A. the controls in place.
B. the effectiveness of the controls.
C. the mechanism for monitoring the risk.
D. the threats/vulnerabilities affecting the assets.
D is the correct answer.
Justification:
A. The controls are irrelevant until the IS auditor knows the threats and risk that the controls are intended to address.
B. The effectiveness of the controls must be measured in relation to the risk (based on assets, threats and vulnerabilities) that the controls are intended to address.
C. The first step must be to determine the risk that is being managed before reviewing the mechanism of monitoring risk.
D. One of the key factors to be considered while assessing the information systems risk is the value of the systems (the assets) and the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls.


A1-22 In planning an IS audit, the MOST critical step is the identification of the:
A. areas of significant risk.
B. skill sets of the audit staff.
C. test steps in the audit.
D. time allotted for the audit.
A is the correct answer.
Justification:
A. When designing a risk-based audit plan, it is important to identify the areas of highest risk to determine the areas to be audited.
B. The skill sets of the audit staff should have been considered before deciding and selecting the audit. Where the skills are inadequate, the organization should consider utilizing external resources.
C. Test steps for the audit are not as critical during the audit planning process as identifying the areas of risk that should be audited.
D. The time allotted for an audit is determined during the planning process based on the areas to be audited, and is primarily based on the requirement for conducting an appropriate audit.


A1-23 The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:
A. control design testing.
B. substantive testing.
C. inspection of relevant documentation.
D. perform tests on risk prevention.
B is the correct answer.
Justification:
A. Testing of control design assesses whether the control is structured to meet a specific control objective. It does not help determine whether the control is operating effectively.
B. Among other methods, such as document review or walk-through, tests of controls are the most effective procedure to assess whether controls accurately support operational effectiveness.
C. Control documents may not always describe the actual process in an accurate manner. Therefore, auditors relying on document review have limited assurance that the control is operating as intended.
D. Performing tests on risk prevention is considered compliance testing. This type of testing is used to determine whether policies are adhered to.


A1-24 The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information.
B. auditor’s familiarity with the circumstances.
C. auditee’s ability to find relevant evidence.
D. purpose and scope of the audit being done.
D is the correct answer.
Justification:
A. The extent to which data will be collected during an IS audit should be based on the scope, purpose and requirements of the audit and not be constrained by the ease of obtaining the information or by the IS auditor’s familiarity with the area being audited.
B. An IS auditor must be objective and thorough and not subject to audit risk through preconceived expected results based on familiarity with the area being audited.
C. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee’s ability to find relevant evidence. Where evidence is not readily available, the auditor must ensure that other forms of audit are considered to ensure compliance in the area subject to audit.
D. The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope or just a high-level review would most likely require less data collection than an audit with a wider purpose and scope.

A1-25 While planning an IS audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.
A is the correct answer.
Justification:
A. ISACA IS Audit and Assurance Guideline 2202 (Risk Assessment and Audit Planning) states that the applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work. It should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit engagements.
B. Definite assurance that material items will be covered during the audit work is an impractical proposition.
C. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as primarily it is material items that need to be covered, not all items.
D. Sufficient assurance that all items will be covered is not as important as ensuring that the audit will cover all material items.


A1-26 The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:
A. inform the audit committee of the potential issue.
B. review audit logs for the IDs in question.
C. document the finding and explain the risk of using shared IDs.
D. request that the IDs be removed from the system.
C is the correct answer.
Justification:
A. It is not appropriate for an IS auditor to report findings to the audit committee before conducting a more detailed review and presenting them to management for a response.
B. Review of audit logs would not be useful because shared IDs do not provide for individual accountability.
C. An IS auditor’s role is to detect and document findings and control deficiencies. Part of the audit report is to explain the reasoning behind the findings. The use of shared IDs is not recommended because it does not allow for accountability of transactions. An IS auditor would defer to management to decide how to respond to the findings presented.
D. It is not the role of an IS auditor to request the removal of IDs from the system.

A1-27 An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to determine:
A. that the control is operating efficiently.
B. that the control is operating as designed.
C. the integrity of data controls.
D. the reasonableness of financial reporting controls.
B is the correct answer.
Justification:
A. It is important that controls operate efficiently, but in this case the intent is to ensure that the controls support management policies and procedures. Therefore, the important issue is whether the controls are operating correctly and thereby meeting the control objective.
B. Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the objective of a compliance test is important. IS auditors want reasonable assurance that the controls they are relying on are effective. An effective control is one that meets management expectations and objectives.
C. Substantive tests, not compliance tests, are associated with data integrity.
D. Determining the reasonableness of financial reporting controls is a very narrow answer in that it is limited to financial reporting. It meets the objective of determining whether the controls are reasonable, but does not ensure that the control is working correctly and thereby supporting management expectations and objectives.


A1-28 The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
A. Generate sample test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module
B is the correct answer.
Justification:
A. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations.
B. Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.
C. An integrated test facility would help identify a problem as it occurs but would not detect errors for a previous period.
D. An embedded audit module can enable the IS auditor to evaluate a process and gather audit evidence, but it would not detect errors for a previous period.


A1-29 During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should:
A. create the procedures document based on the practices.
B. issue an opinion of the current state and end the audit.
C. conduct compliance testing on available data.
D. identify and evaluate existing practices.
D is the correct answer.
Justification:
A. IS auditors should not prepare documentation because the process may not be compliant with management objectives and doing so could jeopardize their independence.
B. Ending the audit and issuing an opinion will not address identification of potential risk. The auditor should evaluate the practices in place. The recommendation could still be for the organization to develop written procedures. Terminating the audit may prevent achieving one of the basic audit objectives, identification of potential risk.
C. Because there are no documented procedures, there is no basis against which to test compliance.
D. One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management with recommendations to document the current controls or enforce the documented procedures.


A1-30 In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
A. ensure the risk assessment is aligned to management’s risk assessment process.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.
D is the correct answer.
Justification:
A. An audit risk assessment is conducted for different purposes than management’s risk assessment process.
B. It would be impossible to determine impact without first having identified the assets affected; therefore, this must already have been completed.
C. Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets as well as recommendations for addressing the risk. However, this cannot be done until the controls have been identified and the likelihood of the threat has been calculated.
D. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

A1-31 Which of the following would normally be the MOST reliable evidence for an IS auditor?
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analysis developed by the IS auditor from reports supplied by line management
A is the correct answer.
Justification:
A. Evidence obtained from independent third parties is almost always considered to be more reliable than assurance provided by local management.
B. Because management is not objective and may not understand the risk and control environment, and they are only providing evidence that the application is working correctly (not the controls), their assurance would not be an acceptable level of trust for audit evidence.
C. Data collected from the Internet is not necessarily trustworthy or independently validated.
D. Ratio analysis can identify trends and deviations from a baseline but is not reliable evidence.


A1-32 When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls are regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing
A is the correct answer.
Justification:
A. An IS auditor should focus on when controls are exercised as data flow through a computer system.
B. Corrective controls may also be relevant because they allow an error or problem to be corrected.
C. Corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls.
D. The existence and function of controls is important but not the classification.


A1-33 Which audit technique provides the BEST evidence of the segregation of duties in an IT department?
A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights
C is the correct answer.
Justification:
A. Management may not be aware of the detailed functions of each employee in the IT department, and they may not be aware whether the controls are being followed. Therefore, discussion with the management would provide only limited information regarding segregation of duties.
B. An organization chart would not provide details of the functions of the employees or whether the controls are working correctly.
C. Based on the observations and interviews, the IS auditor can evaluate the segregation of duties. By observing the IT staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IT staff, the auditor can get an overview of the tasks performed.
D. Testing of user rights would provide information about the rights they have within the IS systems, but would not provide complete information about the functions they perform. Observation would be a better option because user rights can be changed between audits.


A1-34 After reviewing the disaster recovery planning (DRP) process of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting?
A. Obtaining management approval of the corrective action plan
B. Confirming factual accuracy of the findings
C. Assisting management in the implementation of corrective actions
D. Prioritizing the resolution of the items
B is the correct answer.
Justification:
A. Management approval of the corrective action plan is not required. Management could elect to implement another corrective action plan to address the risk.
B. The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action.
C. Implementation of corrective actions should be done after the factual accuracy of findings has been established, but the work of implementing corrective action is not typically assigned to the IS auditor because this would impair the auditor’s independence.
D. Rating the audit findings would provide guidance to management for allocating resources to the high-risk items first.


A1-35 An IS auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of an IS auditor while evaluating the transaction should be to:
A. maintain impartiality while evaluating the transaction.
B. ensure that the independence of an IS auditor is maintained.
C. assure that the integrity of the evidence is maintained.
D. assess all relevant evidence for the transaction.
C is the correct answer.
Justification:
A. Although it is important for an IS auditor to be impartial, in this case it is more critical that the evidence be preserved.
B. Although it is important for an IS auditor to maintain independence, in this case it is more critical that the evidence be preserved.
C. The IS auditor has been requested to perform an investigation to capture evidence which may be used for legal purposes, and therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law.
D. While it is also important to assess all relevant evidence, it is more important to maintain the chain of custody, which ensures the integrity of evidence.


A1-36 An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings?
A. System configuration values imported to a spreadsheet by the system administrator
B. Standard report with configuration values retrieved from the system by the IS auditor
C. Dated screenshot of the system configuration settings made available by the system administrator
D. Annual review of approved system configuration values by the business owner
B is the correct answer.
Justification:
A. Evidence provided that is not system-generated information could be modified before it is presented to an IS auditor, and therefore it may not be as reliable as evidence obtained by the IS auditor. For example, a system administrator could change the settings or modify the graphic image before taking a screenshot.
B. Evidence obtained directly from the source by an IS auditor is more reliable than information provided by a system administrator or a business owner because the IS auditor does not have a vested interest in the outcome of the audit.
C. The rules may be modified by the administrator prior to taking the screenshot; therefore, this is not the best evidence.
D. The annual review provided by a business owner may not reflect current information.


A1-37 Data flow diagrams are used by IS auditors to:
A. identify key controls.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.
C is the correct answer.
Justification:
A. Identifying key controls is not the focus of data flow diagrams. The focus is as the name states—flow of data.
B. A data dictionary may be used to document data definitions, but the data flow diagram is used to document how data move through a process.
C. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data.
D. The purpose of a data flow diagram is to track the movement of data through a process and is not primarily to document or indicate how data are generated.


A1-38 Which of the following forms of evidence would an IS auditor consider the MOST reliable?
A. An oral statement from the auditee
B. The results of a test performed by an external IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source
B is the correct answer.
Justification:
A. An oral statement from the auditee is audit evidence but not as reliable as the results of a test performed by an external IS auditor.
B. An independent test performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party because the letter is the result of an analysis of the process and may not be based on authoritative audit techniques. An audit should consist of a combination of inspection, observation and inquiry by an IS auditor as determined by risk. This provides a standard methodology and “reasonable” assurance that the controls and test results are accurate.
C. An internally generated computer accounting report is audit evidence, but not as reliable as the results of a test performed by an external IS auditor.
D. An independent test performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party because a letter is subjective and may not have been generated as a part of an authoritative audit or conform to audit standards.


A1-39 An IS auditor reviews an organizational chart PRIMARILY for:
A. understanding of the complexity of the organizational structure.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the network connected to different employees.
C is the correct answer.
Justification:
A. Understanding the complexity of the organizational structure would not be the primary reason to review an organizational chart because the chart will not necessarily depict the complexity.
B. The organizational chart is a key tool for an auditor to understand roles and responsibilities and reporting lines but is not used for examining communications channels.
C. An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions.
D. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.


A1-40 An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?
A. Walk-through with the reviewer of the operation of the control
B. System-generated exception reports for the review period with the reviewer’s sign-off
C. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer
D. Management’s confirmation of the effectiveness of the control for the review period
C is the correct answer.
Justification:
A. A walk-through will highlight how a control is designed to work, but it seldom highlights the effectiveness of the control or exceptions or constraints in the process.
B. Reviewer sign-off does not necessarily demonstrate the effectiveness of the control if the reviewer does not note follow-up actions for the exceptions identified.
C. A sample of a system-generated report with evidence that the reviewer followed up on the exception represents the best possible evidence of the effective operation of the control because there is documented evidence that the reviewer has reviewed and taken actions based on the exception report.
D. Management’s confirmation of effectiveness of the control suffers from lack of independence: management might be biased toward the effectiveness of the controls put in place.


A1-41 Which of the following is an advantage of an integrated test facility (ITF)?
A. It uses actual master files or dummies, and the IS auditor does not have to review the source of the transaction.
B. Periodic testing does not require separate test processes.
C. It validates application systems and ensures the correct operation of the system.
D. The need to prepare test data is eliminated.
B is the correct answer.
Justification:
A. The integrated test facility (ITF) tests a test transaction as if it were a real transaction and validates that transaction processing is being done correctly. It is not related to reviewing the source of a transaction.
B. An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be isolated from production data.
C. An ITF does validate the correct operation of a transaction in an application, but it does not ensure that a system is being operated correctly.
D. The ITF is based on the integration of test data into the normal process flow, so test data is still required.


A1-42 Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?
A. Variable sampling
B. Stratified mean per unit
C. Attribute sampling
D. Unstratified mean per unit
C is the correct answer.
Justification:
A. Variable sampling is the method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values.
B. Stratified mean per unit is used in variable sampling.
C. Attribute sampling is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.
D. Unstratified mean per unit is used in variable sampling.