When developing a risk management program, what is the first activity to be performed?

Inventory of assets.

Identification of the assets to be protected is the first step in developing a risk management program.

The primary purpose of an IT forensic audit is:

The systematic collection and analysis of evidence after a system irregularity.

Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is most acceptable:

Test the adequacy of the control design
Test the operational effectiveness of the control
Focus on auditing high risk areas
Relying on management testing of controls.

Focus on auditing high-risk areas. When the approved plan cannot be completed and the shortfall is disclosed in the report, reducing the scope and concentrating the remaining effort on high-risk areas is the best course of action.

While planning an IS audit, an assessment of risk should be made to provide:

Reasonable assurance that the audit will cover material items.

ISACA IS Audit and Assurance Guideline 2202 (Risk Assessment in Planning) states that the applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work. It should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit engagements.

Which of the following best describes the purpose of performing a risk assessment in the planning phase of an IS audit:

Establish adequate staffing requirements to complete the IS audit
To provide reasonable assurance that all material items will be addressed
To determine the skills required to perform the IS audit
To develop the audit program and procedures

To provide reasonable assurance that all material items will be addressed.

A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit.

A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions above a certain amount. What type of audit control is this?

Preventive. The approval requirement stops an out-of-limit transaction from being processed until an authorized person has accepted it, rather than detecting it after the fact.

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the best evidence of the effectiveness of the control?

1- Walkthrough with the reviewer of the operation of the control
2- System generated exception report for the review period with the reviewers sign off
3- A sample system generated exceptions report for the review period, with follow-up action items noted by the reviewer
4- Management's confirmation of the effectiveness of the control for the review period.

A sample system generated exceptions report for the review period, with follow-up action items noted by the reviewer.

A sample of a system generated report with evidence that the reviewer followed up on the exception represents the best possible evidence of the effective operation of the control because there is documented evidence that the reviewer has reviewed and taken actions based on the exception report.

Which of the following is the most important skill an IS auditor should develop to understand the constraints of conducting an audit:

1 - Contingency Planning
2 - IS Management resource allocation
3 - Project Management
4 - Knowledge of internal controls

Project Management

The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of IS auditors to independently and objectively audit the IT function?

No. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.

IS Audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts themselves, but they can still audit the systems.

When selecting audit procedures, an IS auditor should use professional judgment to ensure that:

Sufficient evidence will be collected.

Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstance. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate, and the IS auditor's past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide information on how to meet the standards when performing IS audit work.

During the planning stage of an IS audit, the primary goal of an IS auditor is to:

Address audit objectives.

ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives.

An IS auditor verifying policies finds that some of them have not been approved by management (as required by policy), but employees strictly follow them. What should the IS auditor do first?

A) Ignore the absence of management approval because employees follow the policies
B) Recommend immediate management approval of the policies
C) Emphasize the importance of approval to management
D) Report the absence of documented approval.

D) Report the absence of documented approval.

The IS auditor must report the findings. Unapproved policies may present a potential risk to the organization, even if they are being followed, because the lack of approval may technically prevent management from enforcing the policies in some cases and may present legal issues.

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?

A) There are a growing number of emergency changes.
B) There were instances when some jobs were not completed on time.
C) There were instances when some jobs were overridden by computer operators.
D) Evidence shows that only scheduled jobs were run.

C) There were instances when some jobs were overridden by computer operators.

The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs.
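The comparison the question describes, as an added example (not code from the original page): the approved schedule, the run-log entries and the field names (job, start, end, initiator, status) are constructed assumptions. Each log entry is matched to the schedule and classified as unscheduled, operator-overridden, late or not run, and the findings are ranked the way the answer above ranks them.

```python
"""Reconcile a batch job run log against the approved job schedule.

Added example; not code from the original page. The schedule, the run log
entries and the field names are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed approved schedule: job name -> (scheduled start, completion window in minutes)
SCHEDULE = {
    "GL_POST":  ("2024-03-04 22:00", 30),
    "AR_AGING": ("2024-03-04 23:00", 30),
    "PAYROLL":  ("2024-03-04 23:30", 60),
}

# Constructed run log. initiator is "SCHED" for the scheduler, "OPER:<id>" for an operator.
RUN_LOG = [
    {"job": "GL_POST",  "start": "2024-03-04 22:01", "end": "2024-03-04 22:14", "initiator": "SCHED",     "status": "OK"},
    {"job": "AR_AGING", "start": "2024-03-04 23:02", "end": "2024-03-05 00:10", "initiator": "SCHED",     "status": "OK"},
    {"job": "PAYROLL",  "start": "2024-03-04 23:31", "end": "2024-03-04 23:32", "initiator": "SCHED",     "status": "CANCELLED"},
    {"job": "PAYROLL",  "start": "2024-03-05 01:15", "end": "2024-03-05 02:00", "initiator": "OPER:jdoe", "status": "OK"},
    {"job": "FIX_BAL",  "start": "2024-03-05 01:50", "end": "2024-03-05 01:52", "initiator": "OPER:jdoe", "status": "OK"},
]


def reconcile(schedule, run_log):
    """Return the exceptions an auditor would raise from comparing the log to the schedule."""
    findings = {"unscheduled": [], "overridden": [], "late": [], "not_run": []}
    completed = set()
    for entry in run_log:
        job = entry["job"]
        end = datetime.strptime(entry["end"], FMT)
        if job not in schedule:
            # A job ran that is not on the approved schedule at all
            findings["unscheduled"].append((job, entry["initiator"]))
            continue
        planned_start, window = schedule[job]
        deadline = datetime.strptime(planned_start, FMT) + timedelta(minutes=window)
        # Operator intervention: a manual start or a scheduled run that did not complete normally
        if entry["initiator"] != "SCHED" or entry["status"] != "OK":
            findings["overridden"].append((job, entry["initiator"], entry["status"]))
        if entry["status"] == "OK":
            completed.add(job)
            if end > deadline:
                findings["late"].append((job, entry["end"]))
    findings["not_run"] = sorted(set(schedule) - completed)
    return findings


def greatest_concern(findings):
    """Rank as in the question: operator overrides outrank late jobs, because an
    override can change data or programs without going through change control."""
    for category in ("overridden", "unscheduled", "not_run", "late"):
        if findings[category]:
            return category
    return None


if __name__ == "__main__":
    result = reconcile(SCHEDULE, RUN_LOG)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("greatest concern:", greatest_concern(result))
```

In the constructed log the payroll job was cancelled by the scheduler run and re-run manually by an operator, and an unscheduled "FIX_BAL" job was run by the same operator between the two; those two operator actions are the findings to pursue first, ahead of the late completions.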

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?

A) Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
B) Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
C) Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
D) Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.

A) Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.

If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management can then determine whether any of the potential weaknesses identified are significant enough to delay the go-live date for the system.

Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank?

A) Analysis of transaction logs
B) Re-performance
C) Observation
D) Interviewing personnel

C) Observation

Dual control requires that two people carry out an operation. The observation technique would help to ascertain whether two individuals do indeed get involved in execution of the operation and whether an element of oversight exists. It would be obvious if one individual were masquerading and filling in the role of the second person.

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?

A) Delete all copies of the unauthorized software
B) Recommend an audit process to monitor for compliance with software licensing
C) Report the use of the unauthorized software and the need to prevent recurrence.
D) Warn the end users about the risk of using illegal software.

C) Report the use of the unauthorized software and the need to prevent recurrence.

The use of unauthorized or illegal software should be prohibited by the organization. An IS auditor must convince the users and management of the risk and of the need to eliminate it.

When preparing an audit report, the IS auditor should ensure that the results are supported by:

Sufficient and appropriate audit evidence.

Which of the following best describes the objective of an IS auditor discussing the audit findings with the auditee?

A) Communicate results to the auditee
B) Develop timelines for the implementation of suggested recommendations

...

What is the best factor for determining the required extent of data collection during the planning phase of an IS compliance audit?

Purpose, Objective, and Scope of the audit.

The extent to which data will be collected during an IS audit is related directly to the purpose, objective, and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection, such as the sample size or the means of data collection.

What is the best course of action for an IS auditor to take when an outsourced monitoring process for remote access is inadequate and management disagrees, because management states that intrusion detection systems and firewall controls are in place?

Document the identified finding in the audit report.

IS auditor independence would dictate that the additional information provided by the auditee will be taken into consideration. Normally, an IS auditor would not automatically retract or revise the finding.

An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. What is this an example of?

Compliance testing

Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.

The primary purpose of the IS audit charter is to:

Outline the responsibility and authority of the IS audit function.

An IS audit charter sets forth the purpose, responsibility, authority, and accountability of the IS audit function. The charter document grants authority to the audit function on behalf of the board of directors and company stakeholders.

The decisions and actions of an IS auditor are most likely to affect which of the following types of risk:

1) Inherent
2) Detection
3) Control
4) Business

Detection

Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.

Data flow diagrams are used by IS auditors to:

Graphically summarize data paths and storage.

They trace data from their origination to destination, highlighting the paths and storage of data.

The most important reason for an IS auditor to obtain sufficient and appropriate evidence is to:

Provide a basis for drawing reasonable conclusions.

The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses, but also documenting and validating them.

During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department?

A. Discuss it with the IT managers.

B. Review the job descriptions of the IT functions.

C. Research past IS audit reports.

D. Evaluate the organizational structure.

Discuss it with the IT managers.

Discussing the implementation of segregation of duties with the IT managers is the best way to determine how responsibilities are assigned within the department.

Which of the following choices would be the BEST source of information when developing a risk-based audit plan?

A. Process owners identify key controls.

B. System custodians identify vulnerabilities.

C. Peer auditors understand previous audit results.

D. Senior management identify key business processes.

Senior management identify key business processes.

Developing a risk-based audit plan must start with the identification of key business processes, which will determine and identify the risk that needs to be addressed.

An organization's IS audit charter should specify the:

Role of the IS audit function.

An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should

A. expand activities to determine whether an investigation is warranted.

B. report the matter to the audit committee.

C. report the possibility of fraud to management.

D. consult with external legal counsel to determine the course of action to be taken.

Expand activities to determine whether an investigation is warranted.

An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed and the backup restarts cannot be confirmed. What should the IS auditor do?

Expand the sample of logs reviewed.

IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to:

examine source program changes without information from IS personnel.

When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify the changes.
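What a source code comparison gives the auditor, as an added example (not code from the original page): an approved baseline copy of a program is compared with the copy found in production without relying on IS personnel, and every function that differs is mapped to an approved change record. The two source snippets, the change ID `CHG-2024-017` and the function names are constructed for illustration.

```python
"""Source code comparison for program change control.

Added example, not from the original page. Functions are fingerprinted from
their re-serialised AST so that whitespace and comment-only edits do not show
as changes, while any logic edit does. All inputs below are constructed.
"""
import ast
import difflib
import hashlib

BASELINE_SRC = '''
def calc_discount(amount, customer):
    if customer.tier == "gold":
        return amount * 0.10
    return 0

def post_invoice(inv):
    ledger.append(inv)
    return inv.id
'''

PRODUCTION_SRC = '''
def calc_discount(amount, customer):
    if customer.tier == "gold":
        return amount * 0.10
    if customer.id == 4711:
        return amount * 0.50
    return 0

def post_invoice(inv):
    # CHG-2024-017: write an audit trail entry on posting
    audit_log(inv.id)
    ledger.append(inv)
    return inv.id
'''

# Constructed change records: change ID -> functions the change was approved to touch
APPROVED_CHANGES = {"CHG-2024-017": {"post_invoice"}}


def function_fingerprints(src):
    """Hash each function's canonical (unparsed) form, keyed by function name."""
    fingerprints = {}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            canonical = ast.unparse(node).encode()
            fingerprints[node.name] = hashlib.sha256(canonical).hexdigest()
    return fingerprints


def compare_sources(baseline, production, approved_changes):
    """List changed, added and removed functions, and those not covered by any approved change."""
    base = function_fingerprints(baseline)
    prod = function_fingerprints(production)
    approved = set().union(*approved_changes.values()) if approved_changes else set()
    changed = sorted(n for n in base if n in prod and base[n] != prod[n])
    added = sorted(set(prod) - set(base))
    removed = sorted(set(base) - set(prod))
    # Any difference without an approved change record is an audit exception
    unapproved = sorted(n for n in changed + added + removed if n not in approved)
    return {"changed": changed, "added": added, "removed": removed, "unapproved": unapproved}


def line_diff(baseline, production):
    """Human-readable unified diff for the work papers."""
    return "".join(difflib.unified_diff(
        baseline.splitlines(keepends=True), production.splitlines(keepends=True),
        fromfile="baseline", tofile="production"))


if __name__ == "__main__":
    print(line_diff(BASELINE_SRC, PRODUCTION_SRC))
    print(compare_sources(BASELINE_SRC, PRODUCTION_SRC, APPROVED_CHANGES))
```

In the constructed case `post_invoice` changed under an approved record, but `calc_discount` acquired a hard-coded discount for one customer with no record at all; that is the item the comparison surfaces without anyone in IS having to volunteer it.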

After reviewing the disaster recovery planning (DRP) process of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting?

A. Obtaining management approval of the corrective action plan

B. Confirming factual accuracy of the findings

C. Assisting management in the implementation of corrective actions

D. Prioritizing the resolution of the items

Confirming factual accuracy of the findings

The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action.

Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds?

A. Generalized audit software (GAS)

B. Integrated test facility

C. Regression tests

D. Snapshots

Generalized audit software (GAS)

Generalized audit software (GAS) is a data analytic tool that can be used to filter large amounts of data.

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:

Confidentiality of the work papers.

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:

apply a qualitative approach.

The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

Vulnerabilities and threats are identified.

In developing a risk-based audit strategy, it is critical that the risk and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:

A. most valuable information assets.

B. IS audit resources to be deployed.

C. auditee personnel to be interviewed.

D. control objectives and activities.

control objectives and activities.

Once the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit.

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?

A. Dumping the memory content to a file

B. Generating disk images of the compromised system

C. Rebooting the system

D. Removing the system from the network

Rebooting the system

Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory.

Sharing risk is a key factor in which of the following methods of managing risk?

A. Transferring risk

B. Tolerating risk

C. Terminating risk

D. Treating risk

Transferring risk

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit?

A. Transaction logs

B. Before and after image reporting

C. Table lookups

D. Tracing and tagging

Table lookups

Table lookups are preventive controls; input data are checked against predefined tables, which prevents any undefined data from being entered.

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?

A. Attribute sampling

B. Computer-assisted audit techniques (CAATs)

C. Compliance testing

D. Integrated test facility (ITF)

Computer-assisted audit techniques (CAATs)

CAATs allow an IS auditor to review the entire invoice file and look for the items that meet the selection criteria, rather than relying on a sample.
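A CAAT for the duplicate-invoice test, as an added example (not code from the original page). The CSV content, column names and vendor and invoice identifiers are constructed. Two tests run over the whole file: invoices whose number matches after normalisation (case, punctuation, leading zeros), and invoices with the same vendor and amount dated within a few days of each other but carrying different numbers, which catches a re-keyed duplicate that an exact match would miss.

```python
"""Duplicate invoice detection over a full invoice master file (a CAAT).

Added example, not from the original page. The CSV text, its columns and the
identifiers are constructed for illustration.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

INVOICE_FILE = """invoice_id,vendor_id,invoice_no,invoice_date,amount
1,V100,INV-00123,2024-01-10,1500.00
2,V100,inv 123,2024-01-11,1500.00
3,V200,7781,2024-01-12,320.50
4,V200,7781,2024-01-12,320.50
5,V300,A-55,2024-01-15,99.99
6,V100,INV-00124,2024-01-16,1500.00
"""


def normalize_invoice_no(raw):
    """Uppercase, drop punctuation and spaces, strip leading zeros from each digit run."""
    compact = re.sub(r"[^0-9A-Za-z]", "", raw).upper()
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)


def find_duplicates(csv_text, window_days=7):
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Test 1: same vendor and same normalised invoice number
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["vendor_id"], normalize_invoice_no(r["invoice_no"]))].append(r["invoice_id"])
    same_number = [ids for ids in by_key.values() if len(ids) > 1]

    # Test 2: same vendor and amount, a different number, dated within window_days
    same_amount = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            if a["vendor_id"] != b["vendor_id"]:
                continue
            if Decimal(a["amount"]) != Decimal(b["amount"]):
                continue
            if normalize_invoice_no(a["invoice_no"]) == normalize_invoice_no(b["invoice_no"]):
                continue  # already reported by test 1
            days = abs((date.fromisoformat(a["invoice_date"])
                        - date.fromisoformat(b["invoice_date"])).days)
            if days <= window_days:
                same_amount.append((a["invoice_id"], b["invoice_id"]))
    return {"same_number": same_number, "same_amount_near_date": same_amount}


if __name__ == "__main__":
    print(find_duplicates(INVOICE_FILE))
```

Amounts are compared as `Decimal` rather than as strings or floats so that `1500.00` and `1500.0` compare equal and no rounding creeps into the matching; the second test is a lead to follow up, not proof of a duplicate, since the same vendor can legitimately invoice the same amount twice.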

The final decision to include a material finding in an audit report should be made by whom?

The IS auditor.

An external IS auditor issues an audit report pointing out the lack of firewall protection at the perimeter network gateway and recommends a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:

Professional independence.

While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should:

A. report the issue to IT management.

B. discuss the issue with the service provider.

C. perform a risk assessment.

D. perform an access review.

report the issue to IT management.

During the course of an audit, if there are material issues that are of concern, they need to be reported immediately.

An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor most likely employ to fulfill this purpose?

A. Inspection

B. Inquiry

C. Walk-through

D. Re-performance

Walk-through

Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and re-performance of controls. A walk-through of the manual log review process follows that process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.

Which of the following situations could impair the independence of an IS auditor? The IS auditor:

A.
implemented specific functionality during the development of an application.

B.
designed an embedded audit module for auditing an application.

C.
participated as a member of an application project team and did not have operational responsibilities.

D.
provided consulting advice concerning application good practices.

Implemented specific functionality during the development of an application.

Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system.

During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by the user's supervisor would represent the BEST compensating control?

A.
Audit trails that show the date and time of the transaction

B.
A daily report with the total numbers and dollar amounts of each transaction

C.
User account administration

D.
Computer log files that show individual transactions

Computer log files that show individual transactions

Computer logs will record the activities of individuals during their access to a computer system or data file and will record any abnormal activities, such as the modification or deletion of financial data.

An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:

A.
remove the IS auditor from the engagement.

B.
cancel the engagement.

C.
disclose the issue to the client.

D.
take steps to restore the IS auditor's independence.

disclose the issue to the client.

In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report.

The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?

A. Stop-or-go
B. Classical variable
C. Discovery
D. Probability-proportional-to-size

Discovery.

Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.
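The arithmetic behind a discovery sample, as an added example (not from the original page). Discovery sampling asks how many items must be examined to have a chosen confidence of seeing at least one occurrence if the true rate of the event (here, a fraudulent return) is at least a critical rate. The large-population formula is n = ln(1 - C) / ln(1 - p); for a small population the exact hypergeometric probability is used instead. The population size, critical rate and confidence level below are constructed values.

```python
"""Discovery sampling sizes for a fraud-oriented test.

Added example, not from the original page. The parameter values are constructed.
"""
import math


def confidence_infinite(n, rate):
    """P(at least one occurrence in n items) when the population is large
    relative to the sample (sampling with replacement approximation)."""
    return 1.0 - (1.0 - rate) ** n


def sample_size_infinite(confidence, rate):
    """Smallest n with 1 - (1 - rate)^n >= confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - rate))


def confidence_finite(n, population, occurrences):
    """Exact version for sampling without replacement from `population` items of
    which `occurrences` are deviations: 1 - C(N-K, n) / C(N, n)."""
    p_none = math.comb(population - occurrences, n) / math.comb(population, n)
    return 1.0 - p_none


def sample_size_finite(confidence, population, occurrences):
    """Smallest n whose exact detection probability reaches the confidence level."""
    for n in range(1, population + 1):
        if confidence_finite(n, population, occurrences) >= confidence:
            return n
    return population


if __name__ == "__main__":
    # Constructed scenario: 1,000 sales returns in the period, the auditor wants
    # 95% confidence of finding at least one item if 1% or more are fraudulent.
    print("large-population size:", sample_size_infinite(0.95, 0.01))
    print("exact size for N=1000:", sample_size_finite(0.95, 1000, 10))
```

If the sample is examined and no occurrence is found, the auditor can state with the chosen confidence that the rate is below the critical rate; if one is found, the question has been answered and the item is followed up rather than extrapolated.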

An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:

A.
decline the assignment.

B.
inform management of the possible conflict of interest after completing the audit assignment.

C.
inform the BCP team of the possible conflict of interest prior to beginning the assignment.

D.
communicate the possibility of conflict of interest to audit management prior to starting the assignment.

communicate the possibility of conflict of interest to audit management prior to starting the assignment.

A possible conflict of interest, likely to affect the IS auditor's independence, should be brought to the attention of management prior to starting the assignment.

The PRIMARY objective of the audit initiation meeting with an IS audit client is to:

A.
discuss the scope of the audit.

B.
identify resource requirements of the audit.

C.
select the methodology of the audit.

D.
review requested evidence provided by the audit client.

discuss the scope of the audit.

The primary objective of the initiation meeting with an audit client is to help define the scope of the audit.

An IS auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of an IS auditor while evaluating the transaction should be to:

A.
maintain impartiality while evaluating the transaction.

B.
ensure that the independence of an IS auditor is maintained.

C.
assure that the integrity of the evidence is maintained.

D.
assess all relevant evidence for the transaction.

assure that the integrity of the evidence is maintained

The IS auditor has been requested to perform an investigation to capture evidence which may be used for legal purposes, and therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law.
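One way to make evidence integrity demonstrable, as an added example (not code from the original page): the acquired image is hashed at collection time, every custody transfer records the hash again, and the file is verified against the acquisition hash before use, so any alteration after acquisition is detected and can be tied to a custodian. This complements the earlier point that the image must be taken before the system is rebooted. The evidence bytes, custodian names and file name are constructed; the image is written to a temporary directory only for the demonstration.

```python
"""Preserving the integrity of electronic evidence with a hashed chain of custody.

Added example, not from the original page. All names and data are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large images are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(path, custodian, description):
    """Open a chain-of-custody record at acquisition time."""
    return [{
        "event": "acquired",
        "description": description,
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "custodian": custodian,
        "time": datetime.now(timezone.utc).isoformat(),
    }]


def transfer(chain, path, from_custodian, to_custodian):
    """Record a hand-over; the hash is recomputed so a tamper is tied to a custodian."""
    chain.append({
        "event": "transferred",
        "from": from_custodian,
        "to": to_custodian,
        "sha256": sha256_file(path),
        "time": datetime.now(timezone.utc).isoformat(),
    })
    return chain


def verify(chain, path):
    """True only if the file still matches the acquisition hash and every custody
    event recorded that same hash (no undocumented alteration anywhere)."""
    original = chain[0]["sha256"]
    return sha256_file(path) == original and all(e["sha256"] == original for e in chain)


def demo():
    """Constructed walk-through: an intact image verifies, an altered one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"INVOICE 4711 ... 50000.00" + b"\x00" * 4096)
        chain = acquire(image, "auditor-a", "disk image of server X, taken before any reboot")
        transfer(chain, image, "auditor-a", "forensics-lab")
        intact = verify(chain, image)
        # Simulate an undocumented alteration after the hand-over: change 4711 to 4712
        with open(image, "r+b") as f:
            f.seek(4096 + 8)
            f.write(b"4712")
        return intact, verify(chain, image), json.dumps(chain, indent=2)


if __name__ == "__main__":
    before, after, log = demo()
    print("verified before alteration:", before)
    print("verified after alteration:", after)
    print(log)
```

The custody log is what an opposing party will ask for; keep it, and the hashes, separate from the evidence store so a change to one cannot be hidden by a change to the other.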

The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:

A.
confirm that the auditors did not overlook any important issues.

B.
gain agreement on the findings.

C.
receive feedback on the adequacy of the audit procedures.

D.
test the structure of the final presentation.

gain agreement on the findings.

The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings and responses from management.

While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:

A.
continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions.

B.
complete the audit and not report the control deficiency because it is not part of the audit scope.

C.
continue to test the accounting application controls and include the deficiency in the final report.

D.
cease all audit activity until the control deficiency is resolved.

Continue to test the accounting application controls and include the deficiency in the final report.

It is the responsibility of the IS auditor to report on findings that could have a material impact on the effectiveness of controls—whether or not they are within the scope of the audit.

A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it:

A.
can identify high-risk areas that might need a detailed review later.

B.
allows IS auditors to independently assess risk.

C.
can be used as a replacement for traditional audits.

D.
allows management to relinquish responsibility for control.

It can identify high risk areas that might need a detailed review later.

Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review at a later date.

An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to determine:

A.
that the control is operating efficiently.

B.
that the control is operating as designed.

C.
the integrity of data controls.

D.
the reasonableness of financial reporting controls.

that the control is operating as designed.

Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the objective of a compliance test is important. IS auditors want reasonable assurance that the controls they are relying on are effective. An effective control is one that meets management expectations and objectives.

When using an integrated test facility (ITF), an IS auditor should ensure that:

A.
production data are used for testing.

B.
test data are isolated from production data.

C.
a test data generator is used.

D.
master files are updated with the test data.

test data are isolated from production data.

An ITF creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. The test data must be kept separate from production data.

The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:

A.
inform the audit committee of the potential issue.

B.
review audit logs for the IDs in question.

C.
document the finding and explain the risk of using shared IDs.

D.
request that the IDs be removed from the system.

document the finding and explain the risk of using shared IDs.

An IS auditor's role is to detect and document findings and control deficiencies. Part of the audit report is to explain the reasoning behind the findings. The use of shared IDs is not recommended because it does not allow for accountability of transactions. An IS auditor would defer to management to decide how to respond to the findings presented.

The BEST method of confirming the accuracy of a system tax calculation is by:

A.
review and analysis of the source code of the calculation programs.

B.
recreating program logic using generalized audit software to calculate monthly totals.

C.
preparing simulated transactions for processing and comparing the results to predetermined results.

D.
automatic flowcharting and analysis of the source code of the calculation programs.

Preparing simulated transactions for processing and comparing the results to predetermined results.

Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation.

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture (SOA). What is the initial step?

...

When auditing a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that it does not cover all of the systems. Which of the following is the MOST appropriate action for the IS auditor?

A.
Alert management and evaluate the impact of not covering all systems.

B.
Cancel the audit.

C.
Complete the audit of the systems covered by the existing disaster recovery plan (DRP).

D.
Postpone the audit until the systems are added to the DRP.

Alert management and evaluate the impact of not covering all systems.

An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP.

The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?

A.
Generate sample test data

B.
Generalized audit software

C.
Integrated test facility

D.
Embedded audit module

Generalized audit software

Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and:

A.
length of service, because this will help ensure technical competence.

B.
age, because training in audit techniques may be impractical.

C.
IT knowledge, because this will bring enhanced credibility to the audit function.

D.
ability, as an IS auditor, to be independent of existing IT relationships.

ability, as an IS auditor, to be independent of existing IT relationships.

Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:

A.
include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.

B.
not include the finding in the final report because management resolved the item.

C.
not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit.

D.
include the finding in the closing meeting for discussion purposes only.

include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.

Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.

An IS auditor performing an audit of the newly installed Voice-over Internet Protocol (VoIP) system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern?

A.
The local area network (LAN) switches are not connected to uninterruptible power supply (UPS) units.

B.
Network cabling is disorganized and not properly labeled.

C.
The telephones are using the same cable used for LAN connections.

D.
The wiring closet also contains power lines and breaker panels.

The local area network (LAN) switches are not connected to uninterruptible power supply (UPS) units.

Voice-over Internet Protocol (VoIP) telephone systems use standard network cabling and typically each telephone gets power over the network cable (power over Ethernet [POE]) from the wiring closet where the network switch is installed. If the local area network (LAN) switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls.

In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:

A.
ensure the risk assessment is aligned to management's risk assessment process.

B.
identify information assets and the underlying systems.

C.
disclose the threats and impacts to management.

D.
identify and evaluate the existing controls.

identify and evaluate the existing controls.

It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

An IS auditor suspects an incident is occurring while an audit is being performed on a financial system. What should the IS auditor do first?

A. Request that the system be shut down to preserve evidence.
B. Report the incident to management.
C. Ask for the immediate suspension of suspect accounts.
D. Investigate the source and nature of the incident.

Report the incident to management

Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit.

An organization's IS audit charter should specify the:

Role of the IS audit function.

An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope, and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.

An IS auditor performing an audit of the risk assessment process should FIRST confirm that:

A.
reasonable threats to the information assets are identified.

B.
technical and organizational vulnerabilities have been analyzed.

C.
assets have been identified and ranked.

D.
the effects of potential security breaches have been evaluated.

Assets have been identified and ranked.

Identification and ranking of information assets (e.g., data criticality, sensitivity, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset.

An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:

A.
expand the scope of the IS audit to include the devices that are not on the network diagram.

B.
evaluate the impact of the undocumented devices on the audit scope.

C.
note a control deficiency because the network diagram has not been approved.

D.
plan follow-up audits of the undocumented devices.

evaluate the impact of the undocumented devices on the audit scope.

In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated—for example, the network layer, cross connections, etc.

To ensure that an organization is complying with privacy requirements, an IS auditor should FIRST review:

A. the IT infrastructure
B. organizational policies, standards, and procedures
C. legal and regulatory requirements
D. adherence to organizational policies, standards, and procedures

legal and regulatory requirements.

To ensure that the organization is complying with privacy requirements, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards, and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards, and procedures.

Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as:

A.
substantive testing.

B.
compliance testing.

C.
qualitative analysis.

D.
judgment sampling.

substantive testing.

Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base document. In this case, comparison is made between accounts payable data and the vendor invoices.

Which of the following is an attribute of the control self-assessment (CSA) approach?

A.
Broad stakeholder involvement

B.
Auditors are the primary control analysts

C.
Limited employee participation

D.
Policy driven

Broad stakeholder involvement

The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training—all of which are representations of broad stakeholder involvement.

An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of:

A.
substantive testing.

B.
compliance testing.

C.
analytical testing.

D.
control testing.

Substantive testing

Substantive testing obtains audit evidence on the completeness, accuracy, or existence of activities or transactions during the audit period.

Which of the following does a lack of adequate controls represent?

A.
An impact

B.
A vulnerability

C.
An asset

D.
A threat

A vulnerability

The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers, employee error, environmental threat or equipment failure. This could result in a loss of sensitive information, financial loss, legal penalties or other losses.

During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do?

A.
Recommend compensating controls.

B.
Review the code created by the developer.

C.
Analyze the quality assurance dashboards.

D.
Report the identified condition.

Report the identified condition.

The software quality assurance role should be independent of and separate from the development function and its activities. The same person should not hold both roles because this would create a segregation of duties concern. The IS auditor should report this condition when identified.

During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to:

A.
include a review of the database controls in the scope.

B.
document for future review.

C.
work with database administrators to correct the issue.

D.
report the weaknesses as observed.

report the weaknesses as observed.

Any weakness noticed should be reported, even if it is outside the scope of the current audit. Weaknesses identified during the course of an application software review need to be reported to management.

Which of the following would normally be the MOST reliable evidence for an IS auditor?

A.
A confirmation letter received from a third party verifying an account balance

B.
Assurance from line management that an application is working as designed

C.
Trend data obtained from World Wide Web (Internet) sources

D.
Ratio analysis developed by the IS auditor from reports supplied by line management

A confirmation letter received from a third party verifying an account balance.

Evidence obtained from independent third parties is almost always considered to be more reliable than assurance provided by local management.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?

A.
System log analysis

B.
Compliance testing

C.
Forensic analysis

D.
Analytical review

Compliance testing.

Determining that only authorized modifications are made to production programs would require the change management process to be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently.

An audit charter should:

A.
be dynamic and change to coincide with the changing nature of technology and the audit profession.

B.
clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.

C.
document the audit procedures designed to achieve the planned audit objectives.

D.
outline the overall authority, scope and responsibilities of the audit function.

outline the overall authority, scope and responsibilities of the audit function.

An IS auditor is developing an audit plan for an environment that includes new systems. The company's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

A.
Audit the new systems as requested by management.

B.
Audit systems not included in last year's scope.

C.
Determine the highest-risk systems and plan accordingly.

D.
Audit both the systems not in last year's scope and the new systems.

Determine the highest-risk systems and plan accordingly.

The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."

An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions?

A.
Attribute

B.
Variable

C.
Stop-or-go

D.
Judgment

Attribute

Attribute sampling is used to test compliance of transactions to controls—in this instance, the existence of appropriate approval.

An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:

A.
conclude that the controls are inadequate.

B.
expand the scope to include substantive testing.

C.
place greater reliance on previous audits.

D.
suspend the audit.

expand the scope to include substantive testing.

If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests.

An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings?

A.
System configuration values imported to a spreadsheet by the system administrator

B.
Standard report with configuration values retrieved from the system by the IS auditor

C.
Dated screenshot of the system configuration settings made available by the system administrator

D.
Annual review of approved system configuration values by the business owner

Standard report with configuration values retrieved from the system by the IS auditor

Evidence obtained directly from the source by an IS auditor is more reliable than information provided by a system administrator or a business owner because the IS auditor does not have a vested interest in the outcome of the audit.

The PRIMARY purpose of an IT forensic audit is:

A.
to participate in investigations related to corporate fraud.

B.
the systematic collection and analysis of evidence after a system irregularity.

C.
to assess the correctness of an organization's financial statements.

D.
to preserve evidence of criminal activity.

...

Which of the following is the most critical step to perform when planning an IS audit?

Explanation: In planning an audit, the most critical step is identifying the areas of high risk.

What are the factors affecting audit planning?

The planned nature, timing, and extent of the risk assessment procedures; the planned nature, timing, and extent of tests of controls and substantive procedures; and other planned audit procedures required to be performed so that the engagement complies with PCAOB standards.

Which of the following is the main reason to perform a risk assessment in the planning phase of an IS audit?

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that: vulnerabilities and threats are identified. An internal IS audit function is planning a general IS audit.

When developing a risk

It is most important to develop a risk-based audit plan to ensure effective use of audit resources.