Which of the following is the best factor for determining the required data during audit planning phase?

The internal audit department wrote some scripts that are used for continuous auditing of some information systems. The IT department asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Does sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?
A. Sharing the scripts is not permitted because it gives IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all programs and software that run on IS systems regardless of audit independence.
C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.

C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the scripts.

Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?
A. Complexity of the organization's operation
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. Auditor's familiarity with the organization

C. Purpose, objective and scope of the audit

An IS auditor is developing an audit plan for an environment that includes new systems. The organization's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
A. Audit the new systems as requested by management.
B. Audit systems not included in last year's scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year's scope and the new systems.

C. Determine the highest-risk systems and plan accordingly.

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?
A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.

A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls

D. Compensating controls

Which of the following is the key benefit of a control self-assessment?
A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved because internal business staff are engaged in testing controls.
D. Internal auditors can shift to a consultative approach by using the results of the assessment.

A. Management ownership of the internal controls supporting business objectives is reinforced.

What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:
A. interface with various types of enterprise resource planning software and databases.
B. accurately capture data from the organization's system without causing excessive performance problems.
C. introduce audit hooks into the organization's financial systems to support continuous auditing.
D. be customizable and support inclusion of custom programming to aid in investigative analysis.

B. accurately capture data from the organization's system without causing excessive performance problems.

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and:
A. length of service, because this will help ensure technical competence.
B. age, because training in audit techniques may be impractical.
C. IT knowledge, because this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IT relationships.

D. ability, as an IS auditor, to be independent of existing IT relationships.

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?
A. Use of computer-assisted audit techniques
B. Quarterly risk assessments
C. Sampling of transaction logs
D. Continuous auditing

D. Continuous auditing

An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of:
A. variable sampling
B. substantive testing
C. compliance testing
D. stop-or-go sampling

C. compliance testing

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?
A. Inherent
B. Detection
C. Control
D. Business

B. Detection

Which of the following is the MOST critical step when planning an IS audit?
A. Review findings from prior audits
B. Executive management's approval of the audit plan
C. Review information security policies and procedures
D. Perform a risk assessment

D. Perform a risk assessment

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step?
A. Understanding services and their allocation to business processes by reviewing the service repository documentation
B. Sampling the use of service security standards as represented by the Security Assertions Markup Language
C. Reviewing the service level agreements established for all system providers
D. Auditing the core service and its dependencies on other systems

A. Understanding services and their allocation to business processes by reviewing the service repository documentation

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A. Delete all copies of the unauthorized software.
B. Recommend an automated process to monitor for compliance with software licensing.
C. Report the use of the unauthorized software and the need to prevent recurrence.
D. Warn the end users about the risk of using illegal software.

C. Report the use of the unauthorized software and the need to prevent recurrence.

An audit charter should:
A. be dynamic and change to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.

D. outline the overall authority, scope and responsibilities of the audit function.

An IS auditor finds a small number of user access requests that were not authorized by managers through normal predefined workflow steps and escalation rules. The IS auditor should:
A. perform an additional analysis.
B. report the problem to the audit committee.
C. conduct a security risk assessment.
D. recommend that the owner of the identity management system fix the workflow issues.

A. perform an additional analysis.

Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean-per-unit sampling
D. Difference estimation sampling

A. Attribute sampling

When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling does not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?
A. Develop an alternative testing procedure.
B. Report the finding to management.
C. Perform a walkthrough of the change management process.
D. Create additional sample data to test additional changes.

A. Develop an alternative testing procedure.

Which of the following situations could impair the independence of an IS auditor? The IS auditor:
A. implemented specific functionality during the development of an application.
B. designed an embedded audit module for auditing an application.
C. participated as a member of an application project team and did not have operational responsibilities.
D. provided consulting advice concerning application good practices.

A. implemented specific functionality during the development of an application.

The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. allows the IS auditor to review and follow up on audit issues in a timely manner.
C. places the responsibility for enforcement and monitoring of control on the security department instead of audit.
D. simplifies the extraction and correlation of data from multiple and complex systems.

B. allows the IS auditor to review and follow up on audit issues in a timely manner.

Which of the following would impair the independence of a quality assurance team?
A. Ensuring compliance with development methods.
B. Checking the test assumptions.
C. Correcting coding errors during the testing process.
D. Checking the code to ensure proper documentation.

C. Correcting coding errors during the testing process.

In planning an IS audit, the MOST critical step is the identification of the:
A. areas of significant risk
B. skill sets of the audit staff
C. test steps in audit
D. time allotted for the audit.

A. areas of significant risk

The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:
A. control design testing.
B. substantive testing.
C. inspection of relevant documentation.
D. perform tests on risk prevention.

B. substantive testing.

The extent to which data will be collected during an IS audit should be determined based on the:
A. Availability of critical and required information.
B. Auditor's familiarity with the circumstances.
C. Auditee's ability to find relevant evidence.
D. Purpose and scope of the audit being done.

D. Purpose and scope of the audit being done.

While planning an IS audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.

A. reasonable assurance that the audit will cover material items.

What are the factors to be considered during audit planning?

Audit plan: the planned nature, timing, and extent of the risk assessment procedures; the planned nature, timing, and extent of tests of controls and substantive procedures; and other planned audit procedures required to be performed so that the engagement complies with PCAOB standards.

What are the 4 phases of an audit process?

Although every audit process is unique, the audit process is similar for most engagements and normally consists of four stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report and Follow-up Review.

Which is the best method of gathering data for audit?

Either statistical or nonstatistical sampling methods can be used to collect audit evidence and to control risk. Specific data-gathering tools and techniques include interviews, questionnaires, checklists, focus groups, observations, unobtrusive measures, and anecdotal records (see Exhibit 3.1).

What is the planning stage of an audit?

Audit planning is the development of the overall strategy for the audit. The nature, extent, and timing of audit planning vary with the size and complexity of the organization, the auditors' experience with the organization, and their knowledge of its businesses. The activities are to: Conduct a preliminary fact-finding.