CISA Certified Information Systems Auditor - Questions + Answers Part 2

Post by answerhappygod »

A1-43 The BEST method of confirming the accuracy of a system tax calculation is by:
A. review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate monthly totals.
C. preparing simulated transactions for processing and comparing the results to predetermined results.
D. automatic flowcharting and analysis of the source code of the calculation programs.
C is the correct answer.
Justification:
A. A review of source code is not an effective method of ensuring that the calculation is being computed correctly.
B. Recreating program logic may lead to errors, and monthly totals are not accurate enough to ensure correct computations.
C. Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation.
D. Flowcharting and analysis of source code are not effective methods to address the accuracy of individual tax calculations.


A1-44 An IS auditor performing a review of application controls would evaluate the:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D. application’s optimization.
B is the correct answer.
Justification:
A. The IS auditor is reviewing the effectiveness of the controls, not the suitability of the application to meet business needs.
B. An application control review involves the evaluation of the application’s automated controls and an assessment of any exposures resulting from the control weaknesses.
C. The other choices may be objectives of an application audit but are not part of an audit restricted to a review of the application controls.
D. One area to be reviewed may be the efficiency and optimization of the application, but this is not the area being reviewed in this audit.


A1-45 Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The IS auditor should:
A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.
B. not include the finding in the final report because management resolved the item.
C. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit.
D. include the finding in the closing meeting for discussion purposes only.
A is the correct answer.
Justification:
A. Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.
B. The audit report should contain all relevant findings and the response from management even if the finding has been resolved. This would mean that subsequent audits may test for the continued resolution of the control.
C. The audit report should contain the finding so that it is documented and the removal of the control subsequent to the audit would be noticed.
D. The audit report should contain the finding and resolution, and this can be mentioned in the final meeting. The audit report should list all relevant findings and the response from management.


A1-46 The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?
A. Stop-or-go
B. Classical variable
C. Discovery
D. Probability-proportional-to-size
C is the correct answer.
Justification:
A. Stop-or-go is a sampling method that helps limit the size of a sample and allows the test to be stopped at the earliest possible moment.
B. Classical variable sampling is associated with dollar amounts and has a sample based on a representative sample of the population but is not focused on fraud.
C. Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.
D. Probability-proportional-to-size sampling is typically associated with cluster sampling when there are groups within a sample. The question does not indicate that an IS auditor is searching for a threshold of fraud.


A1-47 When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risk are in place.
B. vulnerabilities and threats are identified.
C. audit risk is considered.
D. a gap analysis is appropriate.
B is the correct answer.
Justification:
A. Understanding whether appropriate controls required to mitigate risk are in place is a resultant effect of an audit.
B. In developing a risk-based audit strategy, it is critical that the risk and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.
C. Audit risk is an inherent aspect of auditing, is directly related to the audit process and is not relevant to the risk analysis of the environment to be audited.
D. A gap analysis would normally be done to compare the actual state to an expected or desirable state.


A1-48 During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of the finding and the risk of not correcting it.
C. report the disagreement to the audit committee for resolution.
D. accept the auditee’s position because they are the process owners.
B is the correct answer.
Justification:
A. Management is always responsible and liable for risk, but the role of the IS auditor is to inform management of the findings and associated risk discovered in an audit.
B. If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures because the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.
C. The audit report will contain the finding from the IS auditor and the response from management. It is the responsibility of management to accept risk or mitigate it appropriately. The role of the auditor is to inform management clearly and thoroughly so that the best decision can be made.
D. The IS auditor must be professional, competent and independent. They must not just accept an explanation or argument from management unless the process used to generate the finding was flawed.


A1-49 To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.
C is the correct answer.
Justification:
A. Monitoring the audits and the time spent on audits would not be effective if the wrong areas were being audited. It is most important to develop a risk-based audit plan to ensure effective use of audit resources.
B. The IS auditor may have specialties or the audit team may rely on outside experts to conduct very specialized audits. It is not necessary for each IS auditor to be trained on all new technology.
C. Monitoring the time and audit programs, as well as adequate training, will improve the IS audit staff’s productivity (efficiency and performance), but that which delivers value to the organization is ensuring that the resources and efforts being dedicated to audit are focused on higher-risk areas.
D. Monitoring audits and initiating cost controls will not necessarily ensure the effective use of audit resources.


A1-50 Which of the following should be the FIRST action of an IS auditor during a dispute with a department manager over audit findings?
A. Retest the control to validate the finding.
B. Engage a third party to validate the finding.
C. Include the finding in the report with the department manager’s comments.
D. Revalidate the supporting evidence for the finding.
D is the correct answer.
Justification:
A. Retesting the control would normally occur after the evidence has been revalidated.
B. While there are cases where a third party may be needed to perform specialized audit procedures, an IS auditor should first revalidate the supporting evidence to determine whether there is a need to engage a third party.
C. Before putting a disputed finding or management response in the audit report, the IS auditor should take care to review the evidence used in the finding to ensure audit accuracy.
D. Conclusions drawn by an IS auditor should be adequately supported by evidence, and any compensating controls or corrections pointed out by a department manager should be taken into consideration. Therefore, the first step would be to revalidate the evidence for the finding. If, after revalidating and retesting, there are unsettled disagreements, those issues should be included in the report.


A1-51 An IS auditor should use statistical sampling, and not judgment (nonstatistical) sampling, when:
A. the probability of error must be objectively quantified.
B. the auditor wants to avoid sampling risk.
C. generalized audit software is unavailable.
D. the tolerable error rate cannot be determined.
A is the correct answer.
Justification:
A. Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient).
B. Sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples.
C. Statistical sampling can use generalized audit software, but it is not required.
D. The tolerable error rate must be predetermined for both judgment and statistical sampling.


A1-52 What is the BEST course of action for an IS auditor to take when an outsourced monitoring process for remote access is inadequate and management disagrees because management stated that intrusion detection system (IDS) and firewall controls are in place?
A. Revise the finding in the audit report per management’s feedback.
B. Retract the finding because the IDS controls are in place.
C. Retract the finding because the firewall rules are monitored.
D. Document the identified finding in the audit report.
D is the correct answer.
Justification:
A. The IS auditor may include the management response in the report, but that will not affect the requirement to report the finding.
B. The finding remains valid and the management response will be documented; however, the audit may indicate a need to review the validity of the management response.
C. The finding remains valid and the management response will be documented; however, the audit may indicate a need to review the validity of the management response.
D. IS auditor independence would dictate that the additional information provided by the auditee will be taken into consideration. Normally, an IS auditor would not automatically retract or revise the finding.


A1-53 To ensure that an organization is complying with privacy requirements, an IS auditor should FIRST review:
A. the IT infrastructure.
B. organizational policies, standards and procedures.
C. legal and regulatory requirements.
D. adherence to organizational policies, standards and procedures.
C is the correct answer.
Justification:
A. To comply with requirements, the IS auditor must first know what the requirements are. They can vary from one jurisdiction to another. The IT infrastructure is related to the implementation of the requirements.
B. The policies of the organization are subject to the legal requirements and should be checked for compliance after the legal requirements are reviewed.
C. To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.
D. Checking for compliance is only done after the IS auditor is assured that the policies, standards and procedures are aligned with the legal requirements.


A1-54 While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor’s next step?
A. Observe the response mechanism.
B. Clear the virus from the network.
C. Inform appropriate personnel immediately.
D. Ensure deletion of the virus.
C is the correct answer.
Justification:
A. Observing the response mechanism should be done after informing appropriate personnel. This will enable an IS auditor to examine the actual workability and effectiveness of the response system.
B. The IS auditor is neither authorized nor capable in most cases of removing the virus from the network.
C. The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response.
D. An IS auditor should not make changes to the system being audited; ensuring the deletion of the virus is a management responsibility.


A1-55 During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
A. address audit objectives.
B. collect sufficient evidence.
C. specify appropriate tests.
D. minimize audit resources.
A is the correct answer.
Justification:
A. ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in choices B, C and D are all undertaken to address audit objectives and, thus, are secondary to choice A.
B. The IS auditor does not collect evidence in the planning stage of an audit.
C. Specifying appropriate tests is not the primary goal of audit planning.
D. Effective use of audit resources is a goal of audit planning, not minimizing audit resources.


A1-56 When selecting audit procedures, an IS auditor should use professional judgment to ensure that:
A. sufficient evidence will be collected.
B. significant deficiencies will be corrected within a reasonable period.
C. all material weaknesses will be identified.
D. audit costs will be kept at a minimum level.
A is the correct answer.
Justification:
A. Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate and the IS auditor’s past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA’s guidelines provide information on how to meet the standards when performing IS audit work.
B. The correction of deficiencies is the responsibility of management and is not a part of the audit procedure selection process.
C. Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the audit. Audit procedures and use of professional judgment cannot ensure that all deficiencies/weaknesses will be identified and corrected.
D. Professional judgment will ensure that audit resources and costs are used wisely, but this is not the primary objective of the auditor when selecting audit procedures.


A1-57 A substantive test to verify that tape library inventory records are accurate is:
A. determining whether bar code readers are installed.
B. determining whether the movement of tapes is authorized.
C. conducting a physical count of the tape inventory.
D. checking whether receipts and issues of tapes are accurately recorded.
C is the correct answer.
Justification:
A. Determining whether bar code readers are installed is a compliance test.
B. Determining whether the movement of tapes is authorized is a compliance test.
C. A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy or validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test.
D. Checking whether receipts and issues of tapes are accurately recorded is a compliance test.


A1-58 When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with:
A. analysis.
B. evaluation.
C. preservation.
D. disclosure.
C is the correct answer.
Justification:
A. Analysis is important but not the primary concern related to evidence in a forensic investigation.
B. Evaluation is important but not the primary concern related to evidence in a forensic investigation.
C. Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when conducting an investigation. Failure to properly preserve the evidence could jeopardize the admissibility of the evidence in legal proceedings.
D. Disclosure is important but not of primary concern to the IS auditor in a forensic investigation.


A1-59 An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:
A. conclude that the controls are inadequate.
B. expand the scope to include substantive testing.
C. place greater reliance on previous audits.
D. suspend the audit.
B is the correct answer.
Justification:
A. Based solely on the interview with the payroll clerk, the IS auditor will not be able to collect evidence to conclude on the adequacy of existing controls.
B. If the answers provided to an IS auditor’s questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests.
C. Placing greater reliance on previous audits is an inappropriate action because it provides no current knowledge of the adequacy of the existing controls.
D. Suspending the audit is an inappropriate action because it provides no current knowledge of the adequacy of the existing controls.


A1-60 An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:
A. professional independence.
B. organizational independence.
C. technical competence.
D. professional competence.
A is the correct answer.
Justification:
A. When an IS auditor recommends a specific vendor, that compromises the auditor’s professional independence.
B. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement.
C. Technical competence is not relevant to the requirement of independence.
D. Professional competence is not relevant to the requirement of independence.


A1-61 The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to:
A. understand the business process.
B. comply with auditing standards.
C. identify control weakness.
D. develop the risk assessment.
A is the correct answer.
Justification:
A. Understanding the business process is the first step an IS auditor needs to perform.
B. ISACA IS Audit and Assurance Standards encourage adoption of the audit procedures/processes required to assist the IS auditor in performing IS audits more effectively. However, standards do not require an IS auditor to perform a process walk-through at the commencement of an audit engagement.
C. Identifying control weaknesses is not the primary reason for the walk-through and typically occurs at a later stage in the audit.
D. The main reason is to understand the business process. The risk assessment would be developed after the business process is understood.


A1-62 In the process of evaluating program change controls, an IS auditor would use source code comparison software to:
A. examine source program changes without information from IS personnel.
B. detect a source program change made between acquiring a copy of the source and the comparison run.
C. confirm that the control copy is the current version of the production program.
D. ensure that all changes made in the current source copy are tested.
A is the correct answer.
Justification:
A. When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify the changes.
B. The changes detected by the source code comparison are between two versions of the software. This will not detect changes made since the acquisition of the copy of the software.
C. This is a function of library management, not source code comparison. An IS auditor will have to gain this assurance separately.
D. Source code comparison will detect all changes between an original and a changed program; however, it will not ensure that the changes have been adequately tested.


A1-63 The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:
A. confirm that the auditors did not overlook any important issues.
B. gain agreement on the findings.
C. receive feedback on the adequacy of the audit procedures.
D. test the structure of the final presentation.
B is the correct answer.
Justification:
A. The closing meeting will identify any misunderstandings or errors in the audit but will not identify any important issues overlooked in the audit.
B. The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings and responses from management.
C. The closing meeting may obtain comments from management on the conduct of the audit but is not intended to be a formal review of the adequacy of the audit procedures.
D. The structure of an audit report and the presentation follows accepted standards and practices. The closing meeting may indicate errors in the audit or presentation but is not intended to test the structure of the presentation.


A1-64 Which of the following audit techniques would BEST help an IS auditor in determining whether there have been unauthorized program changes since the last authorized program update?
A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures
C is the correct answer.
Justification:
A. Test data runs permit the auditor to verify the processing of preselected transactions but provide no evidence about unauthorized changes or unexercised portions of a program.
B. Code review is the process of reading program source code listings to determine whether the code follows coding standards or contains potential errors or inefficient statements. A code review can be used as a means of code comparison, but it is inefficient and unlikely to detect any changes in the code, especially in a large program.
C. An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure.
D. The review of code migration procedures would not detect unauthorized program changes.


A1-65 When preparing an audit report the IS auditor should ensure that the results are supported by:
A. statements from IS management.
B. work papers of other auditors.
C. an organizational control self-assessment.
D. sufficient and appropriate audit evidence.
D is the correct answer.
Justification:
A. Statements from IS management may be included in the audit analysis but, of themselves, would not be considered a sufficient basis for issuing a report.
B. Work papers from other auditors may be used to substantiate and validate a finding but should not be used without the additional evidence of the work papers from the IS auditor preparing the report.
C. The results of a control self-assessment may assist the IS auditor in determining risk and compliance but on its own is not enough to support the audit report.
D. ISACA’s IS Audit and Assurance Standard on reporting requires that the IS auditor have sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be based on evidence collected during the course of the review even though the IS auditor may have access to the work papers of other auditors. The results of an organizational control self-assessment (CSA) could supplement the audit findings.


A1-66 Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:
A. include the statement from management in the audit report.
B. verify the software is in use through testing.
C. include the item in the audit report.
D. discuss the issue with senior management because it could have a negative impact on the organization.
B is the correct answer.
Justification:
A. The statement from management may be included in the audit report, but the auditor should independently validate the statements made by management to ensure completeness and accuracy.
B. When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report.
C. With respect to this matter, representations obtained from management cannot be independently verified.
D. If the organization is using software that is not licensed, the IS auditor, to maintain objectivity and independence, must include this in the report, but the IS auditor should verify that this is in fact the case before presenting it to senior management.


A1-67 The final decision to include a material finding in an audit report should be made by the:
A. audit committee.
B. auditee’s manager.
C. IS auditor.
D. chief executive officer (CEO) of the organization.
C is the correct answer.
Justification:
A. The audit committee should not impair the independence, professionalism and objectivity of the IS auditor by influencing what is included in the audit report.
B. The IS auditor’s manager may recommend what should or should not be included in an audit report, but the auditee’s manager should not influence the content of the report.
C. The IS auditor should make the final decision about what to include or exclude from the audit report.
D. The chief executive officer (CEO) must not provide influence over the content of an audit report as that would be a breach of the independence of the audit function.


A1-68 While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to the work papers.
D. confidentiality of the work papers.
D is the correct answer.
Justification:
A. Audit trails do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.
B. Audit phase approvals do not, of themselves, affect the confidentiality of the work papers, but are part of the reason for requiring encryption.
C. Access to the work papers should be limited by need to know; however, a lack of encryption would breach the confidentiality of the work papers, not the access rights to the papers.
D. Encryption provides confidentiality for the electronic work papers.


A1-69 The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:
A. comply with regulatory requirements.
B. provide a basis for drawing reasonable conclusions.
C. ensure complete audit coverage.
D. perform the audit according to the defined scope.
B is the correct answer.
Justification:
A. Complying with regulatory requirements is relevant to an audit but is not the most important reason why sufficient and relevant evidence is required.
B. The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them.
C. Ensuring coverage is relevant to conducting an IS audit but is not the most important reason why sufficient and relevant evidence is required. The reason for obtaining evidence is to ensure that the audit conclusions are factual and accurate.
D. The execution of an audit to meet its defined scope is relevant to an audit but is not the reason why sufficient and relevant evidence is required.


A1-70 After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C. report the possibility of fraud to management.
D. consult with external legal counsel to determine the course of action to be taken.
A is the correct answer.
Justification:
A. An IS auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.
B. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation.
C. The IS auditor should report the possibility of fraud to top management only after there is sufficient evidence to launch an investigation. This may be affected by whether management may be involved in the fraud.
D. Normally, the IS auditor does not have authority to consult with external legal counsel.


A1-71 An IS auditor evaluating logical access controls should FIRST:
A. document the controls applied to the potential access paths to the system.
B. test controls over the access paths to determine if they are functional.
C. evaluate the security environment in relation to written policies and practices.
D. obtain an understanding of the security risk to information processing.
D is the correct answer.
Justification:
A. Documentation and evaluation of the controls is the second step in assessing the adequacy, efficiency and effectiveness of the controls and is based on the risk to the system that necessitates the controls.
B. The third step is to test the access paths, to determine if the controls are functioning.
C. It is only after the risk is determined and the controls documented that the IS auditor can evaluate the security environment to assess its adequacy through review of the written policies, observation of practices and comparison of them to appropriate security good practices.
D. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, making inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk.


A1-72 An organization’s IS audit charter should specify the:
A. plans for IS audit engagements.
B. objectives and scope of IS audit engagements.
C. detailed training plan for the IS audit staff.
D. role of the IS audit function.
D is the correct answer.
Justification:
A. Planning is the responsibility of audit management.
B. The objectives and scope of each IS audit should be agreed on in an engagement letter. The charter would specify the objectives and scope of the audit function but not of individual engagements.
C. A training plan, based on the audit plan, should be developed by audit management.
D. An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.


A1-73 Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
A. Attribute sampling
B. Computer-assisted audit techniques (CAATs)
C. Compliance testing
D. Integrated test facility (ITF)
B is the correct answer.
Justification:
A. Attribute sampling would aid in identifying records meeting specific conditions, but would not compare one record to another to identify duplicates. To detect duplicate invoice records, the IS auditor should check all of the items that meet the criteria and not just a sample of the items.
B. Computer-assisted audit techniques (CAATs) would enable the IS auditor to review the entire invoice file to look for those items that meet the selection criteria.
C. Compliance testing determines whether control procedures are adhered to; using CAATs is the better option because it would most likely be more efficient to search for duplicates.
D. An integrated test facility (ITF) allows the IS auditor to test transactions through the production system, but would not compare records to identify duplicates.


A1-74 When developing a risk management program, what is the FIRST activity to be performed?
A. Threat assessment
B. Classification of data
C. Inventory of assets
D. Criticality analysis
C is the correct answer.
Justification:
A. The assets need to be identified first. A listing of the threats that can affect the assets is a later step in the process.
B. Data classification is required for defining access controls and in criticality analysis, but the assets (including data) need to be identified before doing classification.
C. Identification of the assets to be protected is the first step in the development of a risk management program.
D. Criticality analysis is a later step in the process after the assets have been identified.


A1-75 Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review
B is the correct answer.
Justification:
A. System log analysis would identify changes and activity on a system but would not identify whether the change was authorized unless conducted as a part of a compliance test.
B. Determining that only authorized modifications are made to production programs would require that the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently.
C. Forensic analysis is a specialized technique for criminal investigation.
D. An analytical review assesses the general control environment of an organization.


A1-76 During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?
A. Recommend redesigning the change management process.
B. Gain more assurance on the findings through root cause analysis.
C. Recommend that program migration be stopped until the change process is documented.
D. Document the finding and present it to management.
B is the correct answer.
Justification:
A. While it may be necessary to redesign the change management process, this cannot be done until a root cause analysis is conducted to determine why the current process is not being followed.
B. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.
C. A business relies on being able to make changes when necessary, and security patches must often be deployed promptly. It would not be feasible to halt all changes until a new process is developed.
D. The results of the audit, including the findings of noncompliance, will be delivered to management once a root cause analysis of the issue has been completed.


A1-77 During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
A. Dumping the memory content to a file
B. Generating disk images of the compromised system
C. Rebooting the system
D. Removing the system from the network
C is the correct answer.
Justification:
A. Copying the memory contents is a normal forensics procedure where possible. Done carefully, it will not corrupt the evidence.
B. Proper forensics procedures require creating two copies of the images of the system for analysis. Hash values ensure that the copies are accurate.
C. Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory.
D. When investigating a system, it is recommended to disconnect it from the network to minimize external infection or access.


A1-78 An IS auditor who was involved in designing an organization’s business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:
A. decline the assignment.
B. inform management of the possible conflict of interest after completing the audit assignment.
C. inform the BCP team of the possible conflict of interest prior to beginning the assignment.
D. communicate the possibility of conflict of interest to audit management prior to starting the assignment.
D is the correct answer.
Justification:
A. Declining the assignment could be acceptable only after obtaining management approval or after the conflict is appropriately disclosed to management, audit management and other stakeholders.
B. Approval should be obtained prior to commencement and not after the completion of the assignment.
C. Informing the business continuity planning (BCP) team of the possible conflict of interest prior to starting the assignment is not the correct answer because the BCP team would not have the authority to decide on this issue.
D. A possible conflict of interest, likely to affect the IS auditor’s independence, should be brought to the attention of management prior to starting the assignment.


A1-79 The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud.
B. the systematic collection and analysis of evidence after a system irregularity.
C. to assess the correctness of an organization’s financial statements.
D. to preserve evidence of criminal activity.
B is the correct answer.
Justification:
A. Forensic audits are not limited to corporate fraud.
B. The systematic collection and analysis of evidence after a system irregularity best describes a forensic audit. The evidence collected could then be analyzed and used in judicial proceedings.
C. Assessing the correctness of an organization’s financial statements is not the primary purpose of most forensic audits.
D. Forensics is the investigation of evidence related to a crime or misbehavior. Preserving evidence is the forensic process, but not the primary purpose.


A1-80 An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed and the backup restarts cannot be confirmed. What should the IS auditor do?
A. Issue an audit finding.
B. Seek an explanation from IS management.
C. Review the classifications of data held on the server.
D. Expand the sample of logs reviewed.
D is the correct answer.
Justification:
A. At this stage it is too preliminary to issue an audit finding. Seeking an explanation from management is advisable, but it would be better to gather additional evidence to properly evaluate the seriousness of the situation.
B. Without gathering more information on the incident and the frequency of the incident, it would be difficult to obtain a meaningful explanation from management.
C. A backup failure, which has not been established at this point, will be serious if it involves critical data. However, the issue is not the importance of the data on the server, where a problem has been detected, but whether a systematic control failure that impacts other servers exists.
D. IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure.


A1-81 When using an integrated test facility (ITF), an IS auditor should ensure that:
A. production data are used for testing.
B. test data are isolated from production data.
C. a test data generator is used.
D. master files are updated with the test data.
B is the correct answer.
Justification:
A. While using an integrated test facility (ITF) ensures that periodic testing does not require a separate test process, there is a need to isolate test data from production data.
B. An ITF creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. The test data must be kept separate from production data.
C. An IS auditor is not required to use production data or a test data generator.
D. Production master files should not be updated with test data.


A1-82 An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?
A. There are a growing number of emergency changes.
B. There were instances when some jobs were not completed on time.
C. There were instances when some jobs were overridden by computer operators.
D. Evidence shows that only scheduled jobs were run.
C is the correct answer.
Justification:
A. Emergency changes are acceptable as long as they are properly documented as part of the process.
B. Instances of jobs not being completed on time are a potential issue and should be investigated, but they are not the greatest concern.
C. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical.
D. The audit should find that all scheduled jobs were run and that any exceptions were documented. This would not be a violation.


A1-83 An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:
A. expand the scope of the IS audit to include the devices that are not on the network diagram.
B. evaluate the impact of the undocumented devices on the audit scope.
C. note a control deficiency because the network diagram has not been approved.
D. plan follow-up audits of the undocumented devices.
B is the correct answer.
Justification:
A. It is important that the IS auditor does not immediately assume that everything on the network diagram provides information about the risk affecting a network/system. There is a process in place for documenting and updating the network diagram.
B. In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated, for example, the network layer, cross connections, etc.
C. In this case, there is simply a mismatch in timing between the completion of the approval process and when the IS audit began. There is no control deficiency to be reported.
D. Planning for follow-up audits of the undocumented devices is contingent on the risk that the undocumented devices have on the ability of the entity to meet the audit scope.