
CISA Certified Information Systems Auditor - Questions + Answers Part 3

Posted: Tue Feb 22, 2022 6:38 am
by answerhappygod
A1-84 An IS auditor is testing employee access to a large financial system, and the IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?
A. A spreadsheet provided by the system administrator
B. Human resources (HR) access documents signed by employees’ managers
C. A list of accounts with access levels generated by the system
D. Observations performed onsite in the presence of a system administrator
C is the correct answer.
Justification:
A. A spreadsheet supplied by the system administrator may not be complete or may be inaccurate. Documentary evidence should be collected to support the auditee’s spreadsheet.
B. The human resources (HR) access documents signed by managers are good evidence; however, they are not as objective as the system-generated access list because access could have changed or the documents could have been incorrect when they were signed.
C. The access list generated by the system is the most reliable because it is the most objective evidence to perform a comparison against the samples selected. The evidence is objective because it was generated by the system rather than by an individual.
D. The observations are good evidence to understand the internal control structure; however, observations are not efficient for a large number of users. Observations are not objective enough for substantive tests.


A1-85 During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by the user’s supervisor would represent the BEST compensating control?
A. Audit trails that show the date and time of the transaction
B. A daily report with the total numbers and dollar amounts of each transaction
C. User account administration
D. Computer log files that show individual transactions
D is the correct answer.
Justification:
A. An audit trail of only the date and time of the transaction would not be sufficient to compensate for the risk of multiple functions being performed by the same individual.
B. Review of the summary financial reports would not compensate for the segregation of duties issue.
C. Supervisor review of user account administration would be a good control; however, it may not detect inappropriate activities where a person fills multiple roles.
D. Computer logs will record the activities of individuals during their access to a computer system or data file and will record any abnormal activities, such as the modification or deletion of financial data.


A1-86 An IS auditor suspects an incident is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?
A. Request that the system be shut down to preserve evidence.
B. Report the incident to management.
C. Ask for immediate suspension of the suspect accounts.
D. Investigate the source and nature of the incident.
B is the correct answer.
Justification:
A. The IS auditor should follow the incident response process of the organization. The auditor is not authorized to shut the system down.
B. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor’s role to respond to incidents during an audit.
C. The IS auditor is not authorized to lead the investigation or to suspend user accounts. The auditor should report the incident to management.
D. Management is responsible to set up and follow an incident management plan; that is not the responsibility of the IS auditor.


A1-87 Which of the following BEST describes the objective of an IS auditor discussing the audit findings with the auditee?
A. Communicate results to the auditee.
B. Develop time lines for the implementation of suggested recommendations.
C. Confirm the findings, and propose a course of corrective action.
D. Identify compensating controls to the identified risk.
C is the correct answer.
Justification:
A. Based on this discussion, the IS auditor will finalize the report and present the report to relevant levels of senior management after the findings are confirmed. This discussion should, however, also address a timetable for remediation of the audit findings.
B. This discussion will, first of all, inform management of the findings of the audit, and based on these discussions, management may agree to develop an implementation plan for the suggested recommendations, along with the time lines.
C. Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the auditee. The goal of such a discussion is to confirm the accuracy of the findings and to propose or recommend a course of corrective action.
D. At the draft report stage, the IS auditor may recommend various controls to mitigate the risk, but the purpose of the meeting is to validate the findings of the audit with management.


A1-88 Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?
A. Participating in the design of the risk management framework
B. Advising on different implementation techniques
C. Facilitating risk awareness training
D. Performing a due diligence review of the risk management processes
A is the correct answer.
Justification:
A. Participating in the design of the risk management framework involves designing controls, which will compromise the independence of the IS auditor to audit the risk management process.
B. Advising on different implementation techniques will not compromise the IS auditor’s independence because the IS auditor will not be involved in the decision-making process.
C. Facilitating awareness training will not hamper the IS auditor’s independence because the auditor will not be involved in the decision-making process.
D. Due diligence reviews are a type of audit generally related to mergers and acquisitions.


A1-89 An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?
A. Advise on the adoption of application controls to the new database software.
B. Provide future estimates of the licensing expenses to the project team.
C. Recommend to the project manager how to improve the efficiency of the migration.
D. Review the acceptance test case documentation before the tests are carried out.
D is the correct answer.
Justification:
A. Independence could be compromised if the IS auditor advises on the adoption of specific application controls.
B. Independence could be compromised if the IS auditor were to audit the estimate of future expenses used to support a business case for management approval of the project.
C. Advising the project manager on how to increase the efficiency of the migration may compromise the IS auditor’s independence.
D. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.


A1-90 An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?
A. Computer-aided software engineering (CASE) tools
B. Embedded data collection tools
C. Trend/variance detection tools
D. Heuristic scanning tools
C is the correct answer.
Justification:
A. Computer-aided software engineering (CASE) tools are used to assist in software development.
B. Embedded (audit) data collection software, such as systems control audit review file (SCARF) or systems audit review file (SARF), is used to provide sampling and production statistics, but not to conduct an audit log analysis.
C. Trend/variance detection tools look for anomalies in user or system behavior, such as invoices with increasing invoice numbers.
D. Heuristic scanning tools are a type of virus scanning used to indicate possible infected traffic.


A1-91 While performing an audit of an accounting application’s internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:
A. continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions.
B. complete the audit and not report the control deficiency because it is not part of the audit scope.
C. continue to test the accounting application controls and include the deficiency in the final report.
D. cease all audit activity until the control deficiency is resolved.
C is the correct answer.
Justification:
A. The IS auditor should not assume that the IT manager will follow through on a verbal notification toward resolving the change management control deficiency, and it is inappropriate to offer consulting services on issues discovered during an audit.
B. While not technically within the audit scope, it is the responsibility of the IS auditor to report findings discovered during an audit that could have a material impact on the effectiveness of controls.
C. It is the responsibility of the IS auditor to report on findings that could have a material impact on the effectiveness of controls—whether or not they are within the scope of the audit.
D. It is not the role of the IS auditor to demand that IT work be completed before performing or completing an audit.


A1-92 Which of the following will MOST successfully identify overlapping key controls in business application systems?
A. Reviewing system functionalities that are attached to complex business processes
B. Submitting test transactions through an integrated test facility (ITF)
C. Replacing manual monitoring with an automated auditing solution
D. Testing controls to validate that they are effective
C is the correct answer.
Justification:
A. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure has been established from the beginning, finding any overlap in key controls will not be possible.
B. An integrated test facility (ITF) is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls.
C. As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts have the opportunity to discover unnecessary or overlapping key controls in existing systems.
D. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.


A1-93 In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on?
A. A size check
B. A hash total
C. A validity check
D. A field check
C is the correct answer.
Justification:
A. A size check is useful because passwords should have a minimum length, but it is not as strong a control as a validity check.
B. Passwords are not typically entered in a batch mode, so a hash total would not be effective. More important, a system should not accept incorrect values of a password, so a hash total as a control will not indicate any weak passwords, errors or omissions.
C. A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used—for example, not using a dictionary word, including non-alphabetical characters, etc. An effective password must have several different types of characters: alphabetical, numeric and special.
D. The implementation of a field check would not be as effective as a validity check that verifies that all password criteria have been met.


A1-94 Sharing risk is a key factor in which of the following methods of managing risk?
A. Transferring risk
B. Tolerating risk
C. Terminating risk
D. Treating risk
A is the correct answer.
Justification:
A. Transferring risk (e.g., by taking an insurance policy) is a way to share risk.
B. Tolerating risk means that the risk is accepted, but not shared.
C. Terminating risk would not involve sharing the risk because the organization has chosen to terminate the process associated with the risk.
D. There are several ways of treating or controlling the risk, which may involve reducing or sharing the risk, but this is not as precise an answer as transferring the risk.


A1-95 A PRIMARY benefit derived for an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
A is the correct answer.
Justification:
A. Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review at a later date.
B. CSA requires the involvement of IS auditors and line management. What occurs is that the internal audit function shifts some of the control monitoring responsibilities to the functional areas.
C. CSA is not a replacement for traditional audits. CSA is not intended to replace audit’s responsibilities, but to enhance them.
D. CSA does not allow management to relinquish its responsibility for control.


A1-96 Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?
A. Prioritize the identified risk.
B. Define the audit universe.
C. Identify the critical controls.
D. Determine the testing approach.
B is the correct answer.
Justification:
A. Once the audit universe is defined, the IS auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe.
B. In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. In order to plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix.
C. The controls that help in mitigating high-risk areas are generally critical controls and their effectiveness provides assurance on mitigation of risk. However, this cannot be done unless the types of risk are ranked.
D. The testing approach is based on the risk ranking.


A1-97 A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:
A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define the loss amount exactly.
C is the correct answer.
Justification:
A. Amortization is used in a profit and loss statement, not in computing potential losses.
B. A return on investment (ROI) is computed when there is predictable savings or revenues that can be compared to the investment needed to realize the revenues.
C. The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).
D. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change and, at the end of the day, the result will be a not well-supported evaluation.


A1-98 An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:
A. most valuable information assets.
B. IS audit resources to be deployed.
C. auditee personnel to be interviewed.
D. control objectives and activities.
D is the correct answer.
Justification:
A. All assets need to be identified, not just information assets. To determine the key information assets to be audited, the IS auditor should first determine which control objectives and key control activities should be validated. Only information assets that are related to the control objectives and key control activities are relevant for scoping the audit.
B. Only after determining which controls and related relevant information assets are to be validated can the IS auditor decide on the key IS audit resources (with the relevant skill sets) that should be deployed for the audit.
C. Only after determining the key control activities to be validated can the IS auditor identify the relevant process personnel who should be interviewed.
D. Once the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit.


A1-99 The effect of which of the following should have priority in planning the scope and objectives of an IS audit?
A. Applicable statutory requirements
B. Applicable corporate standards
C. Applicable industry good practices
D. Organizational policies and procedures
A is the correct answer.
Justification:
A. The effect of applicable statutory requirements must be factored in while planning an IS audit—the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutory requirements.
B. Statutory requirements always take priority over corporate standards.
C. Industry good practices help plan an audit; however, good practices are not mandatory and can be deviated from to meet organization objectives.
D. Organizational policies and procedures are important, but statutory requirements always take priority. Organizational policies must be in alignment with statutory requirements.

A1-100 An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:
A. remove the IS auditor from the engagement.
B. cancel the engagement.
C. disclose the issue to the client.
D. take steps to restore the IS auditor’s independence.
C is the correct answer.
Justification:
A. It is not necessary to withdraw the IS auditor unless there is a statutory limitation, as exists in certain countries.
B. Canceling the engagement is not required if properly disclosed and accepted.
C. In circumstances in which the IS auditor’s independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor’s independence should be disclosed to the appropriate management and in the report.
D. This is not a feasible solution. The independence of the IS auditor cannot be restored while continuing to conduct the audit.


A1-101 An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?
A. Process narrative
B. Inquiry
C. Reperformance
D. Walk-through
D is the correct answer.
Justification:
A. Process narratives may not be current or complete and may not reflect the actual process in operation.
B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidence.
C. Reperformance is used to evaluate the operating effectiveness of the control rather than the design of the control.
D. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control as it actually exists.


A1-102 Which of the following BEST describes the purpose of performing a risk assessment in the planning phase of an IS audit?
A. To establish adequate staffing requirements to complete the IS audit
B. To provide reasonable assurance that all material items will be addressed
C. To determine the skills required to perform the IS audit
D. To develop the audit program and procedures to perform the IS audit
B is the correct answer.
Justification:
A. A risk assessment does not directly influence staffing requirements.
B. A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assurance is important as well.
C. A risk assessment does not identify the skills required to perform an IS audit.
D. A risk assessment is not used in the development of the audit program and procedures.


A1-103 Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as:
A. substantive testing.
B. compliance testing.
C. qualitative analysis.
D. judgment sampling.
A is the correct answer.
Justification:
A. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base document. In this case, comparison is made between accounts payable data and the vendor invoices.
B. Compliance testing involves testing the controls designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.
C. Qualitative analysis is typically related to risk analysis and should not be used in this scenario.
D. Judgment sampling is a sample that is selected subjectively or not at random, or in which the sampling results are not evaluated mathematically. This audit probably does not require sampling because all activity in the month will be audited.


A1-104 General ledger (GL) data are required for an audit. Instead of asking IT to extract the data, the IS auditor is granted direct access to the data. What is the MAIN advantage of this approach?
A. Reduction of IT person-hours to support the audit
B. Reduction of the likelihood of errors in the extraction process
C. Greater flexibility for the audit department
D. Greater assurance of data validity
D is the correct answer.
Justification:
A. While the burden on IT staff to support the audit may decrease if the IS auditor directly extracts the data, this advantage is not as significant as the increased data validity.
B. The risk of errors would increase because IS auditors generally have a wider, but less detailed, technical knowledge of the internal data structure and database technicalities.
C. There may be more flexibility for the IS auditor to adjust the data extracts to meet various audit requirements; however, this is not the main advantage.
D. If the IS auditor executes the data extraction, there is greater assurance that the extraction criteria will not interfere with the required completeness and therefore all required data will be collected. Asking IT to extract the data may expose the risk of filtering out exceptions that should be seen by the auditor. Also, if the IS auditor collects the data, all internal references correlating the various data tables/elements will be understood, and this knowledge may reveal vital elements to the completeness and correctness of the overall audit activity.


A1-105 An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions?
A. Attribute
B. Variable
C. Stop-or-go
D. Judgment
A is the correct answer.
Justification:
A. Attribute sampling is used to test compliance of transactions to controls—in this instance, the existence of appropriate approval.
B. Variable sampling is used in substantive testing situations and deals with population characteristics that vary, such as monetary values and weights.
C. Stop-or-go sampling is used when the expected occurrence rate is extremely low.
D. Judgment sampling is not relevant here. It refers to a subjective approach of determining sample size and selection criteria of elements of the sample.


A1-106 An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs?
A. Usefulness
B. Reliability
C. Relevance
D. Adequacy
B is the correct answer.
Justification:
A. Usefulness of audit evidence pulled by computer-assisted audit techniques (CAATs) is determined by the audit objective, and the use of CAATs does not have as direct an impact on usefulness as it has on reliability.
B. Because the data are directly collected by the IS auditor, the audit findings can be reported with an emphasis on the reliability of the records that are produced and maintained in the system. The reliability of the source of information used provides reassurance on the findings generated.
C. Relevance of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct an impact on relevance as it has on reliability.
D. Adequacy of audit evidence pulled by CAATs is determined by the processes and personnel who author the data, and the use of CAATs does not have any impact on competence.


A1-107 An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
A. Development of an audit program
B. Review of the audit charter
C. Identification of key information owners
D. Development of a risk assessment
D is the correct answer.
Justification:
A. The results of the risk assessment are used for the input for the audit program.
B. The audit charter is prepared when the audit department is established or as updates are needed. Creation of the audit charter is not related to the audit planning phase because it is part of the internal audit governance structure that provides independence for the function.
C. A risk assessment must be performed prior to identifying key information owners. Key information owners are generally not directly involved during the planning process of an audit.
D. A risk assessment should be performed to determine how internal audit resources should be allocated in order to ensure that all material items will be addressed.


A1-108 Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of internal controls
C is the correct answer.
Justification:
A. Contingency planning is often associated with the organization’s operations. IS auditors should have knowledge of contingency planning techniques, but this is not essential regarding constraints on the conduct of the audit.
B. IS managers are responsible for resource management of their departments. IS auditors do not manage IS resources.
C. Audits often involve resource management, deliverables, scheduling and deadlines similar to project management good practices.
D. Knowledge of internal controls is fundamental to IS auditors. Professional competence is an auditing standard. A lack of understanding of the control environment would be a constraint on the effectiveness of the audit, but is not the most important skill needed by the IS auditor.


A1-109 What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?
A. It detects risk sooner.
B. It replaces the audit function.
C. It reduces audit workload.
D. It reduces audit resources.
A is the correct answer.
Justification:
A. Control self-assessments (CSAs) require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner.
B. CSAs do not replace the audit function; an audit must still be performed to ensure that controls are present.
C. CSAs may not reduce the audit function’s workload and are not a major difference between the two approaches.
D. CSAs do not affect the need for audit resources. While the results of the CSA may serve as a reference point for the audit process, they do not affect the scope or depth of audit work that needs to be performed.


A1-110 An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may affect?
A. Control risk
B. Compliance risk
C. Inherent risk
D. Residual risk
C is the correct answer.
Justification:
A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested and would not be due to the number of users or business areas affected.
B. Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations, and may not be impacted by the number of users and business areas affected.
C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without taking into account the actions that management has taken or might take.
D. Residual risk is the remaining risk after management has implemented a risk response, and is not based on the number of user or business areas affected.


A1-111 An IS auditor discovers a potential material finding. The BEST course of action is to:
A. report the potential finding to business management.
B. discuss the potential finding with the audit committee.
C. increase the scope of the audit.
D. perform additional testing.
D is the correct answer.
Justification:
A. The item should be confirmed through additional testing before it is reported to management.
B. The item should be confirmed through additional testing before it is discussed with the audit committee.
C. Additional testing to confirm the potential finding should be within the scope of the engagement.
D. The IS auditor should perform additional testing to ensure that it is a finding. An auditor can lose credibility if it is later discovered that the finding was not justified.


A1-112 Which of the following is in the BEST position to approve changes to the audit charter?
A. Board of directors
B. Audit committee
C. Executive management
D. Director of internal audit
B is the correct answer.
Justification:
A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval.
B. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee.
C. Executive management is not required to approve the audit charter. The audit committee is in the best position to approve the charter.
D. While the director of internal audit may draft the charter and make changes, the audit committee should have the final approval of the charter.


A1-113 An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
A. Inspection
B. Inquiry
C. Walk-through
D. Reperformance
C is the correct answer.
Justification:
A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses.
B. Inquiry provides only general information on how the control is executed. It does not necessarily enable the IS auditor to determine whether the control performer has an in-depth understanding of the control.
C. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.
D. Reperformance of the control is carried out by the IS auditor and does not provide assurance of the competency of the auditee.


A1-114 An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of:
A. substantive testing.
B. compliance testing.
C. analytical testing.
D. control testing.
A is the correct answer.
Justification:
A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.
B. Compliance testing is evidence gathering for the purpose of testing an enterprise’s compliance with control procedures. This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data or other information.
C. Analytical testing evaluates the relationship of two sets of data and discerns inconsistencies in the relationship.
D. Control testing is the same as compliance testing.


A1-115 Which of the following does a lack of adequate controls represent?
A. An impact
B. A vulnerability
C. An asset
D. A threat
B is the correct answer.
Justification:
A. Impact is the measure of the consequence (including financial loss, reputational damage, loss of customer confidence) that a threat event may have.
B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers, employee error, environmental threat or equipment failure. This could result in a loss of sensitive information, financial loss, legal penalties or other losses.
C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances and reputation.
D. A threat is a potential cause of an unwanted incident.


A1-116 An IS auditor notes that daily reconciliation of visitor access card inventory is not carried out as mandated. During testing, the IS auditor did not find that access cards were missing. In this context, the IS auditor should:
A. not report the lack of reconciliation because no discrepancies were discovered.
B. recommend regular physical inventory counts be performed in lieu of daily reconciliation.
C. report the lack of daily reconciliation as an exception.
D. recommend the implementation of a more robust access system.
C is the correct answer.
Justification:
A. Absence of discrepancy in physical count only confirms absence of any impact but cannot be a reason to overlook failure of operation of the control. The issue should be reported because the control was not followed.
B. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report when the current process is deficient.
C. The IS auditor should report the lack of daily reconciliation as an exception because a physical inventory count gives assurance only at a point in time and the practice is not in compliance with management’s mandated activity.
D. While the IS auditor may in some cases recommend a more robust solution, the primary goal is to observe and report when the current process is deficient.


A1-117 During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do?
A. Recommend compensating controls.
B. Review the code created by the developer.
C. Analyze the quality assurance dashboards.
D. Report the identified condition.
D is the correct answer.
Justification:
A. While compensating controls may be a good idea, the primary response in this case should be to report the condition.
B. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response should be to report the condition.
C. Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties, but does not address the underlying risk. The primary response should be to report the condition.
D. The software quality assurance role should be independent and separate from development and development activities. The same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor should report this condition when identified.


A1-118 An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank’s financial risk is properly addressed, the IS auditor will most likely review which of the following?
A. Privileged access to the wire transfer system
B. Wire transfer procedures
C. Fraud monitoring controls
D. Employee background checks
B is the correct answer.
Justification:
A. Privileged access, such as administrator access, is necessary to manage user account privileges and should not be granted to end users. The wire transfer procedures are a better control to review to ensure that there is segregation of duties of the end users to help prevent fraud.
B. Wire transfer procedures include segregation of duties controls. This helps prevent internal fraud by not allowing one person to initiate, approve and send a wire. Therefore, the IS auditor should review the procedures as they relate to the wire system.
C. Fraud monitoring is a detective control and does not prevent financial loss. Segregation of duties is a preventive control.
D. While controls related to background checks are important, the controls related to segregation of duties as found in the wire transfer procedures are more critical.


A1-119 An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:
A. lower confidence coefficient, resulting in a smaller sample size.
B. higher confidence coefficient, resulting in a smaller sample size.
C. higher confidence coefficient, resulting in a larger sample size.
D. lower confidence coefficient, resulting in a larger sample size.
A is the correct answer.
Justification:
A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size.
B. A higher confidence coefficient will result in the use of a larger sample size.
C. A higher confidence coefficient need not be adopted in this situation because internal controls are strong.
D. A lower confidence coefficient will result in the use of a smaller sample size.


A1-120 Why does an audit manager review the staff’s audit papers, even when the IS auditors have many years of experience?
A. Internal quality requirements
B. The audit guidelines
C. The audit methodology
D. Professional standards
D is the correct answer.
Justification:
A. Internal quality requirements may exist but are superseded by the requirement of supervision to comply with professional standards.
B. Audit guidelines exist to provide guidance on how to achieve compliance with professional standards. For example, they may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve compliance with professional standards.
C. An audit methodology is a well-configured process/procedure to achieve audit objectives. While an audit methodology is a meaningful tool, supervision is generally driven by compliance with professional standards.
D. Professional standards from ISACA, The Institute of Internal Auditors (IIA) and the International Federation of Accountants (IFAC) require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.


A1-121 Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank?
A. Analysis of transaction logs
B. Re-performance
C. Observation
D. Interviewing personnel
C is the correct answer.
Justification:
A. Analysis of transaction logs would help to show that dual control is in place but does not necessarily guarantee that this process is being followed consistently. Therefore, observation would be the better test technique.
B. While re-performance could provide assurance that dual control was in effect, re-performing wire transfers at a bank would not be an option for an IS auditor.
C. Dual control requires that two people carry out an operation. The observation technique would help to ascertain whether two individuals do indeed get involved in execution of the operation and an element of oversight exists. It would also be obvious if one individual is masquerading and filling in the role of the second person.
D. Interviewing personnel would be useful to determine the level of awareness and understanding of the personnel carrying out the operations. However, it would not provide direct evidence confirming the existence of dual control because the information provided may not accurately reflect the process being performed.


A1-122 In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional:
A. stop-or-go sampling.
B. substantive testing.
C. compliance testing.
D. discovery sampling.
B is the correct answer.
Justification:
A. Stop-or-go sampling is used when an IS auditor believes few errors will be found in the population, and thus would not be the best type of testing to perform in this case.
B. Because both the inherent and control risk are high in this case, additional testing would be required. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.
C. Compliance testing is evidence gathering for the purpose of testing an enterprise’s compliance with control procedures. While performing compliance testing is important, performing additional substantive testing would be more appropriate in this case.
D. Discovery sampling is a form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population, typically used to test for fraud or other irregularities. In this case, additional substantive testing would be the better option.


A1-123 The PRIMARY objective of the audit initiation meeting with an IS audit client is to:
A. discuss the scope of the audit.
B. identify resource requirements of the audit.
C. select the methodology of the audit.
D. review requested evidence provided by the audit client.
A is the correct answer.
Justification:
A. The primary objective of the initiation meeting with an audit client is to help define the scope of the audit.
B. Determining the resource requirements of the IS audit is typically done by IS audit management during the early planning phase of the project rather than at the initiation meeting.
C. Selecting the methodology of the audit is not normally an objective of the initiation meeting.
D. For most audits, the audit evidence would be provided during the course of the engagement, and would not normally be reviewed at the initiation meeting.


A1-124 The PRIMARY purpose of the IS audit charter is to:
A. establish the organizational structure of the audit department.
B. illustrate the reporting responsibilities of the IS audit function.
C. detail the audit processes and procedures performed by the IS audit department.
D. outline the responsibility and authority of the IS audit function.
D is the correct answer.
Justification:
A. The IS audit charter does not set forth the organizational structure of the IS audit department. The charter serves as a directive to create the IS audit function.
B. The IS audit charter does not dictate the reporting requirements of the IS audit department. The charter sets forth the purpose, responsibility, authority and accountability of the information systems audit function.
C. IS audit processes and procedures are not detailed within the IS audit charter. Procedures are part of the IS audit plan and processes are determined by audit management.
D. The primary purpose of the IS audit charter is to set forth the purpose, responsibility, authority and accountability of the IS audit function. The charter document grants authority to the audit function on behalf of the board of directors and company stakeholders.


A1-125 Which of the following choices is MOST important for an IS auditor to understand when auditing an e-commerce environment?
A. The technology architecture of the e-commerce environment
B. The policies, procedure and practices that form the internal control environment
C. The nature and criticality of the business process supported by the application
D. Continuous monitoring of control measures for system availability and reliability
C is the correct answer.
Justification:
A. Understanding the technology architecture of the e-commerce environment is important; however, it is vital that the nature and criticality of the business process supported by the e-commerce application are well understood.
B. While the policies, procedure and practices that form the internal control environment need to be in alignment with the e-commerce environment, this is not the most important element that the IS auditor needs to understand.
C. The e-commerce application enables the execution of business transactions. Therefore, it is important to understand the nature and criticality of the business process supported by the e-commerce application to identify specific controls to review.
D. The availability of the e-commerce environment is important, but this is only one of the aspects to be considered with respect to business processes that are supported by the e-commerce application.


A1-126 During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department?
A. Discuss it with the IT managers.
B. Review the job descriptions of the IT functions.
C. Research past IS audit reports.
D. Evaluate the organizational structure.
A is the correct answer.
Justification:
A. Discussing the implementation of segregation of duties with the IT managers is the best way to determine how responsibilities are assigned within the department.
B. Job descriptions may not be the best source of information because they could be outdated or what is documented in the job descriptions may be different from what is actually performed.
C. Past IS audit reports are not the best source of information because they may not accurately describe how IT responsibilities are assigned.
D. Evaluating the organizational structure may give a limited view on the allocation of IT responsibilities. The responsibilities also may have changed over time.


A1-127 A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions above a certain amount. What type of audit control is this?
A. Detective
B. Preventive
C. Corrective
D. Directive
B is the correct answer.
Justification:
A. Detective controls identify events after they have happened. In this case, the action of the branch manager would prevent an event from occurring.
B. Having a manager approve transactions above a certain amount is considered a preventive control.
C. A corrective control serves to remedy problems discovered by detective controls. In this case, the action of the branch manager is a preventive control.
D. A directive control is a manual control that typically consists of a policy or procedure that specifies what actions are to be performed. In this case, there is an automated control that prevents an event from occurring.


A1-128 During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to:
A. include a review of the database controls in the scope.
B. document for future review.
C. work with database administrators to correct the issue.
D. report the weaknesses as observed.
D is the correct answer.
Justification:
A. Executing audits and reviews outside the scope is not advisable. In this case, the weakness identified is considered to be a minor issue, and it is sufficient to report the issue and address it at a later time.
B. In this case, the weakness identified is considered to be a minor issue. The IS auditor should formally report the weaknesses as an observation rather than documenting it to address during a future audit.
C. It is not appropriate for the IS auditor to work with database administrators to correct the issue.
D. Any weakness noticed should be reported, even if it is outside the scope of the current audit. Weaknesses identified during the course of an application software review need to be reported to management.


A1-129 A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:
A. directive control.
B. corrective control.
C. compensating control.
D. detective control.
B is the correct answer.
Justification:
A. Directive controls, such as IT policies and procedures, would not apply in this case because this is an automated control.
B. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions, when they are detected. This provides a mechanism to detect when malicious events have happened and correct the situation.
C. A compensating control is used where other controls are not sufficient to protect the system. In this case, the corrective control in place will effectively protect the system from access via an unpatched device.
D. Detective controls exist to detect and report when errors, omissions and unauthorized uses or entries occur.


A1-130 Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable?
A. Test the adequacy of the control design.
B. Test the operational effectiveness of controls.
C. Focus on auditing high-risk areas.
D. Rely on management testing of controls.
C is the correct answer.
Justification:
A. Testing the adequacy of control design is not the best course of action because this does not ensure that controls operate effectively as designed.
B. Testing control operating effectiveness will not ensure that the audit plan is focused on areas of greatest risk.
C. Reducing the scope and focusing on auditing high-risk areas is the best course of action.
D. The reliance on management testing of controls will not provide an objective verification of the control environment.


A1-131 Which of the following choices BEST ensures the effectiveness of controls related to interest calculation inside an accounting system?
A. Re-performance
B. Process walk-through
C. Observation
D. Documentation review
A is the correct answer.
Justification:
A. To ensure the effectiveness of controls, it is most effective to conduct re-performance. When the same result is obtained after the performance by an independent person, this provides the strongest assurance.
B. Process walk-through may help the auditor to understand the controls better; however, it may not be as useful as conducting re-performance for a sample of transactions.
C. Observation is a valid audit method to verify that operators are using the system appropriately; however, conducting re-performance is a better method.
D. Documentation review may be of some value for understanding the control environment; however, conducting re-performance is a better method.