An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that:
fraud can be detected more quickly.

An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:
> The existing DRP was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
> The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting attention.
> The DRP has never been updated, tested or circulated to key management and staff, although interviews show that each would know what action to take for its area if a disruptive incident occurred.
The IS auditor's report should recommend that:
a manager coordinates the creation of a new or revised plan within a defined time limit.

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
Report the use of the unauthorized software and the need to prevent recurrence.

An IS auditor discovers a potential material finding. The BEST course of action is to:
perform additional testing.

An IS auditor finds a small number of user access requests that were not authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:
perform an additional analysis.

An IS auditor finds that a disaster recovery plan for critical business functions does not cover all systems. Which of the following is the MOST appropriate course of action for the IS auditor?
Alert management and evaluate the impact of not covering all systems.

An IS auditor finds that the answers received during an interview with a payroll clerk do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:
expand the scope to include substantive testing.

An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings?
Standard report with configuration values retrieved from the system by the IS auditor

An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of:
substantive testing.

An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to determine:
that the control is operating as designed.

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:
lower confidence coefficient, resulting in a smaller sample size.

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?
Walk-through

An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of:
compliance testing.

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?
Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.

An IS auditor is testing employee access to a large financial system, and the IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?
A list of accounts with access levels generated by the system

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?
A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer

An IS auditor notes daily reconciliation of visitor access card inventory is not aligned with the organization's procedures. Which of the following is the auditor's BEST course of action?
Report the lack of daily reconciliations.

An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed, and the backup restarts cannot be confirmed. What should the IS auditor do?
Expand the sample of logs reviewed.

An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when:
the probability of error must be objectively quantified.

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs?
Reliability

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?
Trend/variance detection tools

An IS auditor wants to determine the effectiveness of managing user access to a server room. Which of the following is the BEST evidence of effectiveness?
Observation of a logged event

An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions?
Attribute

An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:
communicate the possibility of conflict of interest to audit management prior to starting the assignment.

The MAIN advantage of an IS auditor directly extracting data from a general ledger system is:
greater assurance of data validity

The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:
document the finding and explain the risk of using shared IDs.

The PRIMARY advantage of a continuous audit approach is that it:
allows the IS auditor to review and follow up on audit issues in a timely manner.

The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:
gain agreement on the findings.

A substantive test to verify that tape library inventory records are accurate is:
conducting a physical count of the tape inventory.

The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
Generalized audit software

What is the BEST course of action for an IS auditor to take when an outsourced monitoring process for remote access is inadequate and management disagrees because management stated that intrusion detection system (IDS) and firewall controls are in place?
Document the identified finding in the audit report.

What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:
accurately capture data from the organization's systems without causing excessive performance problems.

When preparing an audit report the IS auditor should ensure that the results are supported by:
sufficient and appropriate audit evidence.

When selecting audit procedures, an IS auditor should use professional judgment to ensure that:
sufficient evidence will be collected.

When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling would not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?
Develop an alternate testing procedure.

Which audit technique provides the BEST evidence of the segregation of duties in an IT department?
Observation and interviews

Which of the following audit techniques would BEST help an IS auditor in determining whether there have been unauthorized program changes since the last authorized program update?
Automated code comparison

Which of the following BEST describes the objective of an IS auditor discussing the audit findings with the auditee?
Confirm the findings and propose a course of corrective action.

Which of the following BEST ensures the effectiveness of controls related to interest calculation for an accounting system?
Re-performance

Which of the following forms of evidence would an IS auditor consider the MOST reliable?
The results of a test performed by an external IS auditor

Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems?
To collect evidence while transactions are processed

Which of the following is MOST effective for monitoring transactions exceeding predetermined thresholds?
Generalized audit software

Which of the following is MOST important to ensure before communicating the audit findings to top management during the closing meeting?
Findings are clearly tracked back to evidence.

Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?
Purpose, objective and scope of the audit

Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?
Project management

Which of the following sampling methods is MOST useful when testing for compliance?
Attribute sampling

Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users?
Stratified random sampling

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?
Attribute sampling

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
Computer-assisted audit techniques

Which of the following should be the FIRST action of an IS auditor during a dispute with a department manager over audit findings?
Revalidate the supporting evidence for the finding.

Which of the following will MOST successfully identify overlapping key controls in business application systems?
Replacing manual monitoring with an automated auditing solution

Which of the following would be MOST useful for an IS auditor for accessing and analyzing digital data to collect relevant audit evidence from diverse software environments?
Computer-assisted auditing techniques

Which of the following would impair the independence of a quality assurance team?
Correcting coding errors during the testing process

Which of the following would normally be the MOST reliable evidence for an IS auditor?
A confirmation letter received from a third party verifying an account balance

Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank?
Observation

While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should:
Report the issue to IT management

Which of the following is the most critical step to perform when planning an IS audit?
Explanation: In planning an audit, the most critical step is identifying the areas of high risk.

How do you close audit findings?
The closing meeting of an audit should include the following items:
- Introductions and recording the attendees.
- Thanking the attendees for their time and cooperation.
- Reminder of the purpose and scope of the audit, as well as the scoring or rating criteria used.
- Review and discussion of the preliminary audit findings.