Which audit technique provides the BEST evidence of the segregation of duties in an IS department

Which audit technique provides the BEST evidence of the segregation of duties in an IT department?

A. Discussion with management

B. Review of the organization chart

C. Observation and interviews

D. Testing of user access rights

The correct answer is C.

A. Management may not be aware of the detailed functions of each employee in the IT department, and they may not be aware whether the controls are being followed. Therefore, discussion with the management would provide only limited information regarding segregation of duties.

B. An organization chart would not provide details of the functions of the employees or whether the controls are working correctly.

C. Based on the observations and interviews, the IT auditor can evaluate the segregation of duties. By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IT staff, the auditor can get an overview of the tasks performed.

D. Testing of user rights would provide information about the rights they have within the IS systems, but would not provide complete information about the functions they perform. Observation would be a better option because user rights can be changed between audits.

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit?

A. Transaction logs

B. Before and after image reporting

C. Table lookups

D. Tracing and tagging

The correct answer is C.

A. Transaction logs are a detective control and provide audit trails.

B. Before and after image reporting makes it possible to trace the impact that transactions have on computer records. This is a detective control.

C. Table lookups are preventive controls; input data are checked against predefined tables, which prevents any undefined data from being entered.

D. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself.

The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:

A. inform the audit committee of the potential issue.

B. review audit logs for the IDs in question.

C. document the finding and explain the risk of using shared IDs.

D. request that the IDs be removed from the system.

The correct answer is C.

A. It is not appropriate for an IS auditor to report findings to the audit committee before conducting a more detailed review and presenting them to management for a response.

B. Review of audit logs would not be useful because shared IDs do not provide for individual accountability.

C. An IS auditor's role is to detect and document findings and control deficiencies. Part of the audit report is to explain the reasoning behind the findings. The use of shared IDs is not recommended because it does not allow for accountability of transactions. An IS auditor would defer to management to decide how to respond to the findings presented.

D. It is not the role of an IS auditor to request the removal of IDs from the system.

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?

A. Contingency planning

B. IS management resource allocation

C. Project management

D. Knowledge of internal controls

The correct answer is C.

A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques, but this is not essential regarding constraints on the conduct of the audit.

B. IS managers are responsible for resource management of their departments. IS auditors do not manage IS resources.

C. Audits often involve resource management, deliverables, scheduling and deadlines similar to project management good practices.

D. Knowledge of internal controls is fundamental to IS auditors. Professional competence is an auditing standard. A lack of understanding of the control environment would be a constraint on the effectiveness of the audit, but is not the most important skill needed by the IS auditor.

Which of the following situations could impair the independence of an IS auditor? The IS auditor:

A. implemented specific functionality during the development of an application.

B. designed an embedded audit module for auditing an application.

C. participated as a member of an application project team and did not have operational responsibilities.

D. provided consulting advice concerning application good practices.

The correct answer is A.

A. Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system.

B. Designing an embedded audit module does not impair an IS auditor's independence.

C. An IS auditor should not audit work that they have done, but merely participating as a member of the application system project team does not impair an IS auditor's independence.

D. An IS auditor's independence is not impaired by providing advice on known good practices.

While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:

A. continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions.

B. complete the audit and not report the control deficiency because it is not part of the audit scope.

C. continue to test the accounting application controls and include the deficiency in the final report.

D. cease all audit activity until the control deficiency is resolved.

The correct answer is C.

A. The IS auditor should not assume that the IT manager will follow through on a verbal notification toward resolving the change management control deficiency, and it is inappropriate to offer consulting services on issues discovered during an audit.

B. While not technically within the audit scope, it is the responsibility of the IS auditor to report findings discovered during an audit that could have a material impact on the effectiveness of controls.

C. It is the responsibility of the IS auditor to report on findings that could have a material impact on the effectiveness of controls—whether or not they are within the scope of the audit.

D. It is not the role of the IS auditor to demand that IT work be completed before performing or completing an audit.

Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank?

A. Analysis of transaction logs

B. Re-performance

C. Observation

D. Interviewing personnel

The correct answer is C.

A. Analysis of transaction logs would help to show that dual control is in place but does not necessarily guarantee that this process is being followed consistently. Therefore, observation would be the better test technique.

B. While re-performance could provide assurance that dual control was in effect, re-performing wire transfers at a bank would not be an option for an IS auditor.

C. Dual control requires that two people carry out an operation. The observation technique would help to ascertain whether two individuals do indeed get involved in execution of the operation and an element of oversight exists. It would also be obvious if one individual is masquerading and filling in the role of the second person.

D. Interviewing personnel would be useful to determine the level of awareness and understanding of the personnel carrying out the operations. However, it would not provide direct evidence confirming the existence of dual control because the information provided may not accurately reflect the process being performed.

A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:

A. directive control.

B. corrective control.

C. compensating control.

D. detective control.

The correct answer is B.

A. Directive controls, such as IT policies and procedures, would not apply in this case because this is an automated control.

B. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions, when they are detected. This provides a mechanism to detect when malicious events have happened and correct the situation.

C. A compensating control is used where other controls are not sufficient to protect the system. In this case, the corrective control in place will effectively protect the system from access via an unpatched device.

D. Detective controls exist to detect and report when errors, omissions and unauthorized uses or entries occur.

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?

A. Process narrative

B. Inquiry

C. Reperformance

D. Walk-through

The correct answer is D.

A. Process narratives may not be current or complete and may not reflect the actual process in operation.

B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidence.

C. Reperformance is used to evaluate the operating effectiveness of the control rather than the design of the control.

D. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control as it actually exists.

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?

A. Inherent

B. Detection

C. Control

D. Business

The correct answer is B.

A. Inherent risk is the risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error. Inherent risk is not usually affected by an IS auditor.

B. Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.

C. Control risk is the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Control risk can be mitigated by the actions of the company's management.

D. Business risk is a probable situation with uncertain frequency and magnitude of loss (or gain). Business risk is usually not directly affected by an IS auditor.

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?

A. Dumping the memory content to a file

B. Generating disk images of the compromised system

C. Rebooting the system

D. Removing the system from the network

The correct answer is C.

A. Copying the memory contents is a normal forensics procedure where possible. Done carefully, it will not corrupt the evidence.

B. Proper forensics procedures require creating two copies of the images of the system for analysis. Hash values ensure that the copies are accurate.

C. Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory.

D. When investigating a system it is recommended to disconnect it from the network to minimize external infection or access.

In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on?

A. A size check

B. A hash total

C. A validity check

D. A field check

The correct answer is C.

A. A size check is useful because passwords should have a minimum length, but it is not as strong a control as a validity check.

B. Passwords are not typically entered in a batch mode, so a hash total would not be effective. More important, a system should not accept incorrect values of a password, so a hash total as a control will not indicate any weak passwords, errors or omissions.

C. A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used—for example, not using a dictionary word, including non-alphabetical characters, etc. An effective password must have several different types of characters: alphabetical, numeric and special.

D. The implementation of a field check would not be as effective as a validity check that verifies that all password criteria have been met.

A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions above a certain amount. What type of audit control is this?

A. Detective

B. Preventive

C. Corrective

D. Directive

The correct answer is B.

A. Detective controls identify events after they have happened. In this case, the action of the branch manager would prevent an event from occurring.

B. Having a manager approve transactions above a certain amount is considered a preventive control.

C. A corrective control serves to remedy problems discovered by detective controls. In this case, the action of the branch manager is a preventive control.

D. A directive control is a manual control that typically consists of a policy or procedure that specifies what actions are to be performed. In this case, there is an automated control that prevents an event from occurring.

An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?

A. Inspection

B. Inquiry

C. Walk-through

D. Reperformance

The correct answer is C.

A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses.

B. Inquiry provides only general information on how the control is executed. It does not necessarily enable the IS auditor to determine whether the control performer has an in-depth understanding of the control.

C. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.

D. Reperformance of the control is carried out by the IS auditor and does not provide assurance of the competency of the auditee.

The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?

A. Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.

B. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence.

C. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.

D. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.

The correct answer is C.

A. The ability of IT to continuously monitor and address any issues on IT systems would not affect the ability of IS audit to perform a comprehensive audit.

B. Sharing the scripts may be required by policy for the sake of quality assurance and configuration management, but that would not impair the ability to audit.

C. IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts themselves, but they can still audit the systems.

D. An audit of an IS system would encompass more than just the controls covered in the scripts.

Which of the following is in the BEST position to approve changes to the audit charter?

A. Board of directors

B. Audit committee

C. Executive management

D. Director of internal audit

The correct answer is B.

A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval.

B. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee.

C. Executive management is not required to approve the audit charter. The audit committee is in the best position to approve the charter.

D. While the director of internal audit may draft the charter and make changes, the audit committee should have the final approval of the charter.

An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that:

A. effective preventive controls are enforced.

B. system integrity is ensured.

C. errors can be corrected in a timely fashion.

D. fraud can be detected more quickly.

The correct answer is D.

A. Continuous monitoring is detective in nature and, therefore, does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occurred. In addition, continuous monitoring will benefit the internal audit function in reducing the use of auditing resources and in the timely reporting of errors or inconsistencies.

B. System integrity is typically associated with preventive controls such as input controls and quality assurance reviews. These controls do not typically benefit an internal auditing function implementing continuous monitoring. Continuous monitoring benefits the internal audit function because it reduces the use of auditing resources.

C. Continuous audit will detect errors but not correct them. Error identification and handling is the primary responsibility of management. While audit's responsibility also is to find errors, audit can only report errors, not fix them.

D. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence. This approach assists IS auditors in identifying fraud in a timely fashion and allows auditors to focus on relevant data.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?

A. Advise on the adoption of application controls to the new database software.

B. Provide future estimates of the licensing expenses to the project team.

C. Recommend to the project manager how to improve the efficiency of the migration.

D. Review the acceptance test case documentation before the tests are carried out.

The correct answer is D.

A. Independence could be compromised if the IS auditor advises on the adoption of specific application controls.

B. Independence could be compromised if the IS auditor were to audit the estimate of future expenses used to support a business case for management approval of the project.

C. Advising the project manager on how to increase the efficiency of the migration may compromise the IS auditor's independence.

D. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.

Which of the following forms of evidence would an IS auditor consider the most reliable?

Evidence obtained from outside sources is usually more reliable than that obtained from within the organization. Confirmation letters received from outside parties, such as those used to verify accounts receivable balances, are usually highly reliable.

Which of the following is the most critical step when planning an IS audit?

In planning an audit, the most critical step is identifying the areas of high risk.