CISA Exam 318 Questions with Verified Answers,100% CORRECT

Pages: 61 | Grade: A+ | Uploaded on: 15-03-2024 | Written in: 2023/2024

5 tasks within the domain covering the process of auditing information systems - CORRECT ANSWER
1. Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included
2. Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization
3. Conduct audits in accordance with IT audit standards to achieve planned audit objectives
4. Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary
5. Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner

10 knowledge statements within the domain covering the process of auditing information systems - CORRECT ANSWER
Knowledge of...
1. ISACA IT audit and assurance standards, guidelines, and tools and techniques; code of professional ethics; and other applicable standards
2. Risk assessment concepts, tools and techniques in an audit context
3. Control objectives and controls related to information systems
4. Audit planning and audit project management techniques, including follow-up
5. Fundamental business processes (purchasing, payroll, accounts payable, accounts receivable) including relevant IT
6. Applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
7. Evidence collection techniques (observation, inquiry, inspection)
8. Different sampling methodologies
9. Reporting and communication techniques (facilitation, negotiation, conflict resolution)
10. Audit quality assurance systems and frameworks

Knowledge Statement 1: Knowledge of the ISACA IT audit and assurance standards, guidelines, and tools and techniques; code of professional ethics; and other applicable standards. What are the key concepts and explanation? - CORRECT ANSWER
Key concepts: code of professional ethics and IS audit and assurance standards, guidelines, and tools and techniques.
Explanation: these standards and rules are issued to provide a framework of minimum and essential references regarding how an IS auditor should perform work and act in a professional manner.

Knowledge Statement 2: Knowledge of risk assessment concepts, tools and techniques in an audit context. What are the key concepts and explanation? - CORRECT ANSWER
Key concepts: impact of risk assessment on IS auditing, understanding risk analysis concepts within an auditing context, applying risk analysis techniques during audit planning.
Explanation: overall, the audit plan should be based on business risks related to the use of IT, and the IS auditor should be aware of the need to focus on this risk. The auditor should be able to put into practice the risk techniques needed to identify and prioritize business risks within the audit scope. The IS auditor must take steps to minimize associated elements such as sampling risk, detection risk and materiality of findings.

Knowledge Statement 3: Knowledge of control objectives and controls related to information systems. What are the key concepts and explanation? - CORRECT ANSWER
Key concepts: proper audit planning techniques, understanding control objectives.
Explanation: understanding control objectives and identifying the key controls that help achieve a properly controlled environment are essential for the effectiveness and efficiency of the IS audit process.

Knowledge Statement 4: Knowledge of audit planning and audit project management techniques, including follow-up. What are the key concepts and explanation? - CORRECT ANSWER
Key concepts: application of audit planning techniques, and impact of the IS environment on IS auditing practices and techniques.
Explanation: audit planning requires a similar level of preplanning to ensure an appropriate and efficient use of audit resources. Auditors need to understand planning and management techniques to properly manage the audit and avoid an inefficient utilization of resources.

Knowledge Statement 5: Knowledge of fundamental business processes (purchasing, payroll, accounts payable, accounts receivable) including relevant IT. What are the key concepts and explanation? - CORRECT ANSWER
Key concepts: understanding risk analysis concepts within an auditing context, understanding control objectives.
Explanation: one must understand the external and internal factors affecting the entity, and the entity's selection and application of policies and procedures. One must also obtain an understanding of key components such as the entity's strategic management, business model and corporate governance processes, and the kinds of transactions the entity engages in and with whom it transacts.

Knowledge Statement 6: Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits. What are the key concepts and explanation? - CORRECT ANSWER
Key concepts: factors to consider in collection, protection and chain of custody of audit evidence in an IS audit; special considerations in audit documentation for evidence.
Explanation: laws and regulations often determine the scope, frequency and types of audits, and how reporting requirements are affected.

Knowledge Statement 7: Knowledge of evidence collection techniques (observation, inquiry, inspection) used to gather, protect and preserve audit evidence. What are the key concepts and explanation? - CORRECT ANSWER
Key concepts: application and relative value of computer-assisted audit techniques, techniques for obtaining evidence, computer-assisted audit techniques, factors to consider in collection, protection and chain of custody of audit evidence in an IS audit, special considerations in audit documentation for evidence, continuous auditing techniques.
Explanation: findings must be supported by objective evidence. Care should be taken with any evidence that is preserved as a hard copy. Retention policies for electronic evidence should be sufficient to preserve evidence that supports the findings. Conclusions should be supported by reliable and relevant evidence. Evidence collected follows a life cycle that includes collection, analysis, preservation and destruction of evidence. Audit evidence should include information regarding the date of creation and the original source. Continuous auditing is measured by an automated reporting process that enables management to be aware of emerging risks or control weaknesses without the need for a regular audit.

Knowledge Statement 8: Knowledge of different sampling methodologies. What are the key concepts and explanation? - CORRECT ANSWER
Key concepts: relative use of compliance and substantive testing; basic approaches to sampling and their relation to testing approaches.
Explanation: compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. This differs from substantive testing, in which evidence is gathered to evaluate the integrity of individual transactions, data or other information. There is a correlation between the level of internal controls and the amount of substantive testing required. Sampling is performed when time and cost considerations preclude a total verification of all transactions or events in a predefined population.

Knowledge Statement 9: Knowledge of reporting and communication techniques (facilitation, negotiation, conflict resolution, audit report structure). What are the key concepts and explanation? - CORRECT ANSWER
Key concepts: understanding reporting standards, applying various communication techniques to the reporting of audit results, applying communication techniques to facilitation roles in control self-assessments.
Explanation: communication and negotiation skills are required throughout the audit activity. Successful resolution of audit findings with auditees is essential so that auditees will adopt the recommendations in the report and initiate prompt corrective action.

Knowledge Statement 10: Knowledge of audit quality assurance systems and frameworks. What are the key concepts and explanation? - CORRECT ANSWER
Key concepts: impact of the IS environment on IS auditing practices and techniques, points of relevance while using the services of other auditors and experts, audit quality evaluation, advantages and disadvantages of CSA, the role of the auditor in CSA, relevance of different technology drivers for CSA in the current business environment, relevance of different approaches to CSA in a given context, applying communication techniques to facilitation roles in control self-assessments, audit quality evaluation.
Explanation: IS is a branch of IS auditing. Auditing standards are the minimum parameters that should be taken. CSA (control self-assessment) is a process in which an IS auditor can act in the role of facilitator to the business process owners to help them define and assess appropriate controls. Results must be interpreted with a certain level of skepticism because process owners are not always objective when assessing their own activities.

What is the overall authority to perform an IS audit? - CORRECT ANSWER The approved audit charter.

What is the approved audit charter? - CORRECT ANSWER The approved audit charter outlines the auditor's responsibility, authority and accountability, the objectives for, and the delegation of authority to, the IS audit function. This document should outline the overall authority, scope and responsibilities of the audit function.

In performing a risk-based audit, what is the risk assessment that is completed initially by the IS auditor? - CORRECT ANSWER Inherent risk. It exists independently of an audit and can occur because of the nature of the business. To perform the audit the IS auditor needs to understand the business process, and by understanding the business process, the IS auditor better understands the inherent risks.

While developing a risk-based audit program, what would an IS auditor most likely focus on? a. business processes b. critical IT applications c. operational controls d. business strategies - CORRECT ANSWER Business processes. A risk-based audit approach focuses on understanding the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. An IS auditor using a risk-based audit approach must be able to understand business processes.

What type of audit risk assumes an absence of compensating controls in the area being reviewed? a. control risk b. detection risk c. inherent risk d. sampling risk - CORRECT ANSWER Inherent risk. The risk level or exposure without taking into account the actions that management has taken or might take is inherent risk.

What is control risk? - CORRECT ANSWER Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls.

What is detection risk? - CORRECT ANSWER Detection risk is the risk that a material misstatement with a management assertion will not be detected by the auditor's substantive tests.

What is sampling risk? - CORRECT ANSWER Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.

What are substantive tests? - CORRECT ANSWER Substantive tests are made up of two components: sampling risk and non-sampling risk. Non-sampling risk is the detection risk not related to sampling; it can be due to a variety of reasons, including, but not limited to, human error. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.

What is non-sampling risk? - CORRECT ANSWER Non-sampling risk is the detection risk not related to sampling; it can be due to a variety of reasons, including, but not limited to, human error.

An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should: - CORRECT ANSWER Review the system software controls as relevant and recommend a detailed system software review. The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of the current review. Further, conducting a detailed system software review may hamper the audit schedule, and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses that have been discovered by the IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. The appropriate option would be to review the system software as relevant to the review and recommend a detailed system software review, for which additional resources may be recommended.

Which is the most important reason why an audit planning process should be reviewed at periodic intervals? a. to plan for deployment of available audit resources b. to consider changes to the risk environment c. to provide inputs for documentation of the audit charter d. to identify the applicable IS audit standards - CORRECT ANSWER To consider changes to the risk environment. Short-term and long-term issues that drive audit planning can be impacted by changes in the risk environment, technologies and business processes of the enterprise. Planning for deployment of available audit resources is determined by the audit assignments planned, which is influenced by the planning process.

Applicability of IS audit standards, guidelines and procedures is universal to any audit engagement and is _________ by short-term and long-term issues. - CORRECT ANSWER Not influenced by short-term and long-term issues.

The _____ reflects the mandate of top management to the audit function and resides at a ______ level. - CORRECT ANSWER The audit charter reflects the mandate of top management to the audit function and resides at a more abstract level.

Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units? a. informal peer reviews b. facilitated workshops c. process flow narratives d. data flow diagrams - CORRECT ANSWER Facilitated workshops; they work well within business units. Process flow narratives and data flow diagrams would not be as effective since they would not necessarily identify and assess all control issues. Informal peer reviews similarly would be less effective for the same reason.

What is the first step in planning an audit? - CORRECT ANSWER Gain an understanding of the business's mission, objectives and purpose, which in turn identifies the relevant policies, standards, guidelines, procedures and organizational structure.

3 steps that are dependent upon having a thorough understanding of the business's objectives and purpose - CORRECT ANSWER
1. Define the audit deliverables
2. Finalize the audit scope and audit objectives
3. Develop the audit approach or audit strategy

The approach an IS auditor should use to plan IS audit coverage should be based on... - CORRECT ANSWER Risk. Planning establishes standards and provides guidance on planning an audit. It requires a risk-based approach.

Backup tapes are used to restore files in case of disruption. This is a ____ control. - CORRECT ANSWER Corrective. A corrective control helps to correct or minimize the impact of a problem.

What is a preventive control? - CORRECT ANSWER Preventive controls are those that avert problems before they arise.

What is a management control? - CORRECT ANSWER A management control modifies processing systems to minimize a repeat occurrence of the problem. For example, backup tapes don't modify processing systems and so do not fit the definition of a management control.

What is a detective control? - CORRECT ANSWER Detective controls help to detect and report problems as they occur. Backup tapes do not aid in detecting errors, so they are not a detective control.

IS audit can function in 3 different roles - CORRECT ANSWER
1. Be a part of an internal audit
2. Function as an independent group
3. Be integrated within a financial and operational audit to provide IT-related control assurance to the financial or management auditors

Difference between the audit charter and an engagement letter? - CORRECT ANSWER The audit charter is an overarching document that covers the entire scope of audit activities in an entity, while an engagement letter is more focused on a particular audit exercise that is to be initiated in an organization with a specific objective in mind.

Short-term vs. long-term planning - CORRECT ANSWER Short-term planning takes into account audit issues that will be covered during the year. Long-term planning relates to audit plans that will take into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment.

What is an audit universe? - CORRECT ANSWER A list of all the processes that may be considered for audit. The processes may be subject to qualitative or quantitative risk assessment by evaluating the risk against defined, relevant risk factors.

What are risk factors and how are they evaluated? - CORRECT ANSWER Risk factors are factors that influence the frequency and/or business impact of risk scenarios. The evaluation of risks should ideally be based on inputs from the business process owners and should be based on objective criteria.

What is the difference between objective criteria and subjective criteria? - CORRECT ANSWER Objective is a statement that is completely unbiased. It is not touched by the speaker's previous experiences or tastes. It is verifiable by looking up facts or performing mathematical calculations. Subjective is a statement that has been colored by the character of the speaker or writer. It often has a basis in reality, but reflects the perspective through which the speaker views reality. It cannot be verified using concrete facts and figures.

What should one look into when analyzing short-term and long-term issues (4 things), and how often should issues be assessed? - CORRECT ANSWER Annually, you should at least look into...
1. New control issues
2. Changes in the risk environment
3. Technologies and business processes
4. Enhanced evaluation techniques
During annual planning, the plan should be updated if any key aspects of the risk environment have changed (acquisitions, new regulatory issues, market conditions).

The IS auditor must have an understanding of the overall environment under review. That includes: 1. 2. - CORRECT ANSWER
1. Business practices and functions relating to the audit subject
2. Types of information systems and technology supporting the activity

The IS auditor should develop an audit plan that takes into consideration what 2 things? - CORRECT ANSWER
1. The objectives of the auditee relevant to the audit area and its technology infrastructure
2. The area under review and its relationship to the organization (strategically, financially and/or operationally)

Governmental and external requirements related to computer system practices and controls and to the manner in which 1. computers, programs and data are ________ as well as 2. the way data is ___________ - CORRECT ANSWER
1. stored and used
2. processed, transmitted and stored

Areas that would impact audit scope and audit objectives? - CORRECT ANSWER
1. Legal requirements (laws, regulatory and contractual agreements) placed on audit or IS audit
2. Legal requirements placed on the auditee and its systems, data management, reporting, etc. (this is most important to internal and external auditors)

What does the Sarbanes-Oxley Act of 2002 require companies to do? - CORRECT ANSWER The Sarbanes-Oxley Act of 2002 requires an evaluation of an organization's internal controls and provides for new corporate governance rules, regulations and standards for specified public companies, including SEC (Securities and Exchange Commission) registrants. It requires organizations to select and implement a suitable internal control framework; COSO is the most commonly adopted framework by public companies seeking to comply.

What are the Basel Accords (I, II and III) and what will companies see improvement in? - CORRECT ANSWER The Basel Accords regulate the minimum amount of capital for financial organizations based on the level of risk they face. They recommend conditional and capital requirements that manage risk exposure. These conditions will result in improvement in: credit.

What conditions does the Basel Committee on Banking Supervision show improvement in if you follow their conditions and requirements? - CORRECT ANSWER Improvement in: credit risk, operational risk, market risk.

How would one audit for compliance with laws and regulations? (5 things) 1. Identify... 2. Document... 3. Assess... 4. Review... 5. Determine... - CORRECT ANSWER
1. Identify those government or other relevant external requirements dealing with: electronic data, personal data, copyrights, e-commerce, e-signatures, computer system practices and controls, the way computers, programs and data are stored, organization or activities of IT services, IT audits
2. Document applicable laws and regulations
3. Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and setting policies, standards and procedures, as well as business application features
4. Review internal IS department/function/activity documents that address adherence to established procedures that address these requirements
5. Determine if there are procedures in place to ensure contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities

What are the 3 groups into which IS auditing standards are broken? - CORRECT ANSWER
1. General
2. Performance
3. Reporting

What is comprised in the "General" group of IS auditing standards? 1. A 2. O 3. P 4. R 5. D 6. P 7. A 8. C - CORRECT ANSWER
1. Audit charter
2. Organizational independence
3. Professional independence
4. Reasonable expectation
5. Due professional care
6. Proficiency
7. Assertions
8. Criteria

What is comprised in the audit charter? 1. 2. - CORRECT ANSWER The audit charter will indicate the purpose, responsibility, authority and accountability of the audit function. The IS audit and assurance function shall have the audit charter agreed upon and approved at an appropriate level within the enterprise.

What is organizational independence and how does it apply to the IS audit and assurance function? - CORRECT ANSWER The IS audit and assurance function shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement.

What is professional independence for the IS audit and assurance professional? - CORRECT ANSWER The professional shall be independent and objective in both attitude and appearance in all matters related to audit and assurance engagements.

How does reasonable expectation apply to an IS audit professional? 1. 2. 3. - CORRECT ANSWER
1. The professional shall have reasonable expectation that the engagement can be completed in compliance with standards and other professional or industry standards or regulations and result in a professional opinion or conclusion
2. The professional shall have reasonable expectation that the scope of the engagement enables conclusion on the subject matter and addresses any restrictions
3. The professional shall have reasonable expectation that management understands its obligations and responsibilities with respect to the provision of appropriate, relevant and timely information required to perform the engagement

What is due professional care? - CORRECT ANSWER Observing applicable professional audit standards in planning, performing and reporting on the results of engagements.

Proficiency: The IS audit and assurance professional, collectively with others assisting with the assignment, shall possess... 1. 2. 3. - CORRECT ANSWER
1. Adequate skills and proficiency in conducting IS audit and assurance engagements and be professionally competent to perform the work required
2. Adequate knowledge of the subject matter
3. Maintain professional competence through appropriate continuing professional education and training

The IS audit and assurance professional shall review the _____ against which the subject matter will be assessed to ________ are capable of being audited and that the assertions are sufficient, valid and relevant. - CORRECT ANSWER The IS audit and assurance professional shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.

The IS audit and assurance professional shall... 1. Select criteria... 2. Consider the source... - CORRECT ANSWER
1. Select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measurable, understandable, widely recognized, authoritative and understood by, or available to, all readers and users of the IS audit or assurance report
2. Consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser-known criteria

What is comprised in the "Performance" group of IS auditing standards? 1. 2. 3. 4. 5. 6. 7. - CORRECT ANSWER
1. Engagement planning
2. Risk assessment in planning
3. Performance and supervision
4. Materiality
5. Evidence
6. Using the work of other experts
7. Irregularity and illegal acts

"Engagement planning" is used to address: 1. 2. 3. 4. 5. - CORRECT ANSWER
1. Objective(s), scope, timeline and deliverables
2. Compliance with applicable laws and professional auditing standards
3. Use of a risk-based approach, where appropriate
4. Engagement-specific issues
5. Documentation and reporting requirements

The engagement project plan should describe the: 1. ____, _____, ______ 2. Timing and _____ - CORRECT ANSWER
1. Nature, objectives, timeline and resource requirements
2. Timing and extent of audit procedures to complete the engagement

Risk assessment in planning: The IS audit and assurance function shall use... 1. Appropriate... 2. Identify... 3. Consider... - CORRECT ANSWER
1. An appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources
2. Identify and assess risk relevant to the area under review when planning individual engagements
3. Consider subject matter risk, audit risk and related exposure to the enterprise

Performance and supervision: The IS audit and assurance professional shall... 1. Conduct... 2. Provide... 3. Accept... 4. Obtain... - CORRECT ANSWER
1. Conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule
2. Provide supervision of the staff to accomplish the objectives and meet applicable standards
3. Accept tasks that are within their knowledge and skills or for which they have reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision
4. Obtain sufficient and appropriate evidence to achieve the audit objectives. Findings and conclusions shall be supported by analysis and interpretation of the evidence

Materiality: The IS audit and assurance professional shall consider 1. 2. 3. - CORRECT ANSWER
1. Potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result
2. Materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures
3. The cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or material weakness

The IS audit professional should disclose what 3 things in the report regarding materiality? 1. 2. 3. - CORRECT ANSWER
1. Absence of controls or ineffective controls
2. Significance of the control deficiency
3. Probability of these weaknesses resulting in a significant deficiency or material weakness

Evidence that professionals shall obtain... 1. Evidence to draw ______ 2. Evidence obtained should support conclusions and ____ - CORRECT ANSWER
1. Evidence to draw reasonable conclusions on which to base the engagement results
2. Evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives

When using the work of other experts, the audit and assurance professional shall... 1. Assess and approve... 2. Review and evaluate... 3. Determine if others' work... 4. Determine if the work will... 5. Apply additional... 6. Provide... - CORRECT ANSWER
1. Assess and approve other experts' professional qualifications, competencies, relevant experience, independence and quality control processes prior to the engagement
2. Review and evaluate the work of the experts as part of the engagement, and document the conclusion on the extent of use and reliance on their work
3. Determine if the work of others, who are not a part of the engagement team, is complete and conclude on the current engagement objectives, and clearly document the conclusion
4. Determine if the work will be relied on and incorporated directly or referred to separately in the report
5. Apply additional test procedures to gain sufficient and appropriate evidence in circumstances where the work of others does not provide sufficient and appropriate evidence
6. Provide an appropriate audit opinion or conclusion and include any scope limitation where required evidence is not obtained through additional test procedures

For "irregularity and illegal acts", the IS audit and assurance professional shall... 1. 2. 3. - CORRECT ANSWER
1. Consider the risk of irregularities and illegal acts during the engagement
2. Maintain an attitude of professional skepticism during the engagement
3. Document and communicate any material irregularities or illegal acts to the appropriate party in a timely manner

"Reporting": the IS audit and assurance professional shall provide a report to communicate the following: 1. 2. 3. 4. 5. Any findings should be supported by sufficient and appropriate evidence. - CORRECT ANSWER
1. Identification of the enterprise, the intended recipients and any restrictions on content and circulation
2. The scope, engagement objectives, period of coverage, and nature, timing and extent of the work performed
3. Findings, conclusions and recommendations
4. Qualifications or limitations in scope with respect to the engagement
5. Signature, date and distribution according to the terms of the audit charter or engagement letter

The follow-up activities that an audit and assurance professional shall... - CORRECT ANSWER Monitor information to conclude whether management has planned/taken appropriate, timely action to address reported audit findings and recommendations.

The audit and assurance guideline for an audit charter is to assist the IS auditor in preparing an audit charter to define the ____, ______ and ______ of the IS audit function. The IS auditor should consider it in determining how to achieve _____ of the above standard, use _________ in its application and be prepared to justify any departure. - CORRECT ANSWER Define the responsibility, authority and accountability. Determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.

The audit and assurance guideline on considerations for irregularities and illegal acts is to provide guidance to IS auditors to deal with ______ or ______ they may come across during the performance of audit assignments. This guideline elaborates on ____ and _____ by IS auditors for _______ and illegal acts. The IS auditor should consider it in determining how to achieve implementation of the previously identified standards, use professional judgment in its application and be prepared to justify any departure. - CORRECT ANSWER Irregular or illegal activities; requirements and considerations; irregularities.

The audit and assurance guideline on the "effect of a non-audit role on the IS audit and assurance professional's independence" is to enable the IS auditor to: 1. Establish... 2. Consider... 3. Determine... - CORRECT ANSWER
1. Establish when the required independence may be, or may appear to be, impaired
2. Consider potential alternative approaches to the audit process when the required independence is, or may appear to be, impaired
3. Determine the disclosure requirements

The audit and assurance guideline on "follow-up activities" provides direction to auditors to _________ in following up on ______ and audit comments made in reports. - CORRECT ANSWER Engage; recommendations.

Standards: Guidelines: Tools and techniques: - CORRECT ANSWER Standards are defined and are to be followed by the IS auditor. Guidelines provide assistance on how the auditor can implement standards. Tools and techniques are not intended to provide exhaustive guidance to the auditor when performing an audit; they are example steps the auditor may follow in specific audit assignments to implement the standards.

The Information Technology Assurance Framework (ITAF) is made up of 5 parts: 1. 2. 3. 4. 5. - CORRECT ANSWER
1. General standards
2. Performance standards
3. Reporting standards
4. Guidelines
5. Tools and techniques

"General standards" of the ITAF framework are... - CORRECT ANSWER The principles under which IS audit and assurance professionals operate. They apply to the conduct of all assignments and deal with ethics, independence, objectivity and due care as well as knowledge, competency and skill.

"Performance standards" of the ITAF framework are... - CORRECT ANSWER The conduct of the specific assignment: planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, evidence, and the exercising of professional judgment and due care.

"Reporting standards" of the ITAF framework... - CORRECT ANSWER Address the types of reports, means of communication and the information communicated.

"Guidelines" of the ITAF framework: guidelines help clarify what... - CORRECT ANSWER Information and direction for the audit area. Guidelines also help clarify the relationship between enterprise activities and initiatives and those undertaken by IT.

"Guidelines" of the ITAF focus on ____, ______, ____ and _____, and related material to assist in planning, executing, assessing, testing and reporting on IT processes, controls and related audit initiatives. - CORRECT ANSWER Guidelines focus on approaches, methodologies, tools and techniques, and related material to assist in planning, executing, assessing, testing and reporting on IT processes, controls and related audit initiatives.

"Tools and techniques" of the ITAF framework... They are directly linked to... - CORRECT ANSWER Provide specific information on methodologies, tools and templates, and provide direction in their application and use to operationalize the information provided in the guidance. Tools and techniques are directly linked to specific guidelines (e.g. the ISACA publication on SAP, which supports the guideline on enterprise resource planning (ERP) systems).

The general standard of "Independence and objectivity" means the professional must conduct the assignment with... - CORRECT ANSWER An impartial and unbiased frame of mind in addressing the issues and reaching conclusions. The professional must appear independent at all times.

The general standard of "Reasonable expectation" means that... - CORRECT ANSWER The assurance assignment can be completed in accordance with the IS assurance standards and result in a professional opinion.

The general standard of "Management's acknowledgement" means that... - CORRECT ANSWER Management understands its obligations and responsibility with respect to the provision of information that may be required in performing the assignment, and its responsibility to ensure the cooperation of personnel during the audit or assurance activity.

The general standard of "Training and proficiency" means... - CORRECT ANSWER Professionals should have the right skills and proficiency in conducting IS audit and assurance assignments to enable the professionals to perform the work required.

The general standard of "Knowledge of the subject matter" means... - CORRECT ANSWER The professional should have adequate knowledge of the subject matter.

The general standard of "Due professional care" means...
- CORRECT ANSWER exercising due care in planning, performing and reporting on the results of the assignment The General Standard of "Suitable Criteria" means.. - CORRECT ANSWER subject matter should be evaluated to criteria of: 1. Objectivity - free of bias 2. Measurability - consistent measurement 3. Understandability - communicated clearly and not subject to different interpretations 4. Completeness - complete so all criteria that could affect the audit conclusions about the subject matter are identified and used in conduct of the assignment 5. Relevance - criteria should be relevant to the subject matter and contribute to findings and conclusions that meet the objectives of the IS assurance assignment The Performance Standard of "Planning and Supervision" should address 1. Objective... 2. Criteria.. 3. Level of.. 4. Nature... 5. Possible... 6. Availability 7. Preliminary 8. Resource 9. Nature 10. Conditions 11. Anticipation 12. Nature - CORRECT ANSWER 1. Objective of the assignment 2. Criteria to be used in the assignment 3. Level of assurance required 4. Nature of the subject matter 5. Possible sources of information and evidence 6. Availability of resources 7. Preliminary consultations on risks 8. Resource and expertise requirements 9. Natures, extent and timing of various 10. Conditions that may require extension of modification 11. anticipation of time requirements 12. Nature of the The Performance Standard of "obtaining sufficient evidence" should... - CORRECT ANSWER provide a reasonable basis for the conclusions drawn and expressed in the audit report, should be obtained through inspection, observation, enquiry, confirmation, re-performance analysis and discussion, and the source of the evidence is considered when assessing the audit procedure The Performance Standard of "assignment performance" is... 
- CORRECT ANSWER scheduled with staff that are using their knowledge or skills, must address the objectives and mandate the audit The Performance Standard of "representation" would include matters that include: 1. 2. 3. 4. 5. 6. 7. 8. 9. - CORRECT ANSWER 1. statement acknowledging responsibility for subject matter and assertions 2. statement by acknowledging responsibility for the criteria 3. statement acknowledging the criteria are appropriate for the purposes 4. list of assertions about the subject matter based on the criteria selection 5. statement that all known matters contradict assertions that have been disclosed 6. statement that all communications from regulators affecting the subject matter or the assertions have been disclosed 7. statement that professionals have been provided access to all relevant information and recons to the subject matter 8. list of events that have occurred in subsequent to the date of the audit report 9. other matters that the IS audit and assurance professional may deem relevant or appropriate Risk Analysis is part of audit planning and helps... - CORRECT ANSWER identify risks and vulnerabilities so the IS auditor can determine the controls needed to mitigate those risks In order to ID risks types and the controls used to mitigate the risks, IS auditors need to know: 1. 2. 3. - CORRECT ANSWER 1. Knowledge of common business risks, 2. Related technology risks and relevant controls 3. must be able evaluate the risk assessment and management techniques used by business managers Business risk may negatively impact the assess, processes or objectives of a specific business or organization. IS auditors focus on... 1. High... 2. Availability or integrity of.... 3. Underlying... - CORRECT ANSWER 1. High risk issues associated with confidentiality, 2. Availability or integrity of sensitive/critical information, 3. 
Underlying information systems and processes that generate, store, and manipulate such information An IS auditor should have a clear understand of what 4 concepts when analyzing business risks.. - CORRECT ANSWER 1. purpose and nature of the business and the environment it operates in 2. dependence of technology to process and deliver information 3. risk of using IT and how it impacts the achievement of the business goals and objectives 4. overview of business processes and the impact of IT and risks on the business process objectives Definition of risk used within the information security business world.. - CORRECT ANSWER The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization IT risk is business risk associated with the... ____, ____, ____, ____, _____, and _____ of IT within an enterprise. - CORRECT ANSWER use, ownership, operations, involvement, influence and adoption IT risk consists of IT related events that could potentially impact the business. The risk IT framework explains risk and enables users to: 1. 2. 3. - CORRECT ANSWER 1. integrate the management of IT irks into the overall enterprise risk management of the organization 2. make well-informed decisions about the extent of the risk and the risk tolerance of the enterprise 3. understand how to respond to the risk What's the summary of the risk assessment process: 1. 2. 3. 4. 5. 6. - CORRECT ANSWER 1. Identify Business Objectives (BO) 2. Identify Information Assets Supporting the BOs 3. Perform Risk Assessment (RA) (Threat - Vulnerability - Probability - Impact) 4. Perform Risk Mitigation (RM) (Maps risks with controls in place) 5. Perform Risk Treatment (RT) (Treat Significant risks not mitigated by existing controls) 6. Perform Periodic Risk Reevaluation What steps are involved in performing the risk assessment (step 3 in the overall process)... - CORRECT ANSWER 1. Identify the vulnerabilities and threats 2. 
determine the probability of occurrence 3. determine the impact and safeguards that would mitigate the impact to a level that is acceptable to management Risk Mitigation phase should.. ____, ____, or ____ the risk. - CORRECT ANSWER prevent, detect, or transfer the risk 3 things management considers when assessing the countermeasures to mitigates risks to an acceptable level to management 1. Cost 2. Appetite 3. Preferred risk-reduction methods - CORRECT ANSWER 1. Cost of the control vs. the benefit of minimizing the risk 2. Management's appetite for risk (level of risk the management is prepared to accept) 3. preferred risk - reduction method (terminate the risk, minimize probability of occurrence, minimizing impact, transfer the risk via insurance) Final Phase related to monitoring performance levels of the risks being managed encompasses 3 processes: 1. Risk ____ 2. Risk _____ 3. Risk _____ - CORRECT ANSWER 1. Risk Assessment 2. Risk Mitigation 3. Risk Reevaluation The risk assessment should be an _____ process in an organization that endeavors to continually identify and evaluate risks as they arise and evolve - CORRECT ANSWER on-going process Internal controls are made of up ____, ____, ___, ____ and _____ which are implemented to reduce risks to the organization - CORRECT ANSWER polices, procedures, practices and organizational structures 3 types of internal controls: - CORRECT ANSWER 1. Preventive 2. Detective 3. Corrective 2 aspects controls should address: - CORRECT ANSWER 1. What should be achieved 2. what should be avoided Preventive Control: 1. 2. 3. 4. - CORRECT ANSWER 1. Detects problems before they arise 2. Monitor both operation and imputs 3. Attempt to predict potentional problems before they occur and make adjustments 4. Prevent an error, omission or malicious act from occurring Detective Control: 1. - CORRECT ANSWER 1. used to detect and report the occurrence of an error, omission or malicious act Corrective Control: 1. 2. 3. 4. 5. 
- CORRECT ANSWER 1. Minimize the impact of the threat 2. Remedy problems discovered by detective controls 3. Identify the cause of a problem 4. Correct errors arising from a problem 5. Modify the processing system(s) to minimize future occurrence of the problem IS Control Objectives are: 1. Statements 2. Comprised 3. Designed - CORRECT ANSWER 1. Statements of the result or purpose by implementing controls around the IS processes 2. Comprised of polices, procedures, practices and organizational structures 3. Designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected Management will need to make choices relative to the control objectives by: 1. 2. 3. 4. - CORRECT ANSWER 1. Selecting those that are applicable 2. Deciding on those that will be implemented 3. Choosing how to implement them (frequency, span, automation) 4. Accepting the risk of not implement those that may apply COBIT's principles provide framework to asset in the governance and management of the enterprise IT - CORRECT ANSWER 1. Meeting Stakeholders Needs 2. Covering the enterprise end to end 3. applying a single integrated framework 4. Enabling holistic approach 5. Separating governance from management Meeting stakeholders need: 1. 2. - CORRECT ANSWER 1. There's a balance between the realization of benefits and the optimization of the risk and use of resources 2. can be customized through the goals, to manageable, specific IT goals and mapping those goals to processes and practices Covering the enterprise end to end: 1. 2. - CORRECT ANSWER 1. doesn't focus on the "IT function" only but information and related technologies as assets that need to be dealt with 2. it includes everything and everyone, internally and externally, and everything relevant to the governance and management of enterprise information and related to IT Applying a single, integrated framework: 1. - CORRECT ANSWER 1. 
aligns with other relevant standards and frameworks at a high level and can serve as a overarching framework for governance and management of the enterprise IT Enabling a holistic approach: 1. 2. a. b. c. d. e. f. g. - CORRECT ANSWER 1. COBIT has enablers that support the implementation of comprehensive governance and management 2. enablers are things that help achieve the objectives, things like... a. principles, polices and frameworks b. processes c. organizational structures d. culture, ethics and behavior e. information f. services, infrastructure and applications g. people, skills and competencies Separating Governance from Management 1. Definition of Governance 2. Definition of Management - CORRECT ANSWER Governance: ensures stakeholders needs and options are balanced and agreed on objectives to be achieved; settings direction through prioritization and decision making; and monitoring performance and compliance against agreed on direction and objectives Management: plans, builds, runs, and monitors activities in alignment with direction set by the governance body to achieve the enterprise objectives General Controls include: 1. 2. 3. 4. 5. 6. 7. - CORRECT ANSWER 1. Internal Accounting Controls 2. Operational Controls 3. Administrative Controls 4.Organizational policies and procedures 5. Polices on use of documents and records 6. Procedures and practices to access to and use of assets and facilities 7. Physical and logical security policies for facilities, data centers and IT resources 7 Steps in Performing and IS Audit 1. 2. 3. 4. 5. 6. 7. - CORRECT ANSWER 1. Defining the scope 2. formulating audit objectives 3. identifying audit criteria 4. Performing procedures 5. Reviewing and evaluating evidence 6. Forming audit conclusions and opinions 7. 
Reporting to management Compliance Audit - CORRECT ANSWER specific tests of controls to demonstrate adherence to specific regulatory or industry standards Financial Audit - CORRECT ANSWER this audit is used to assess the accuracy of financial reporting. It will involve detailed, substantive testing Operational Audits - CORRECT ANSWER are designed to evaluate the internal controls structure in a given process or area Integrated Audit - CORRECT ANSWER a. Combines financial and operational audit steps. b. it's performed to assess the overall objectives within an organization, Administrative audit - CORRECT ANSWER It's in order to assess issues related to the efficiency of operational productivity within an organization IS audit - CORRECT ANSWER this process collects and evaluates evidence to determine whether the IS and resources protect the assets, maintain data and integrity. to ensure they have internal controls that provide reasonable assurance that business, operational and control objecties will be met and that undesired events will be prevented, detected and correcting Specialized Audits - CORRECT ANSWER reviews and examine aeras such as services performed by 1. reviews that look at 3rd parties. 2. SSAE 16 - it defines the standards used by a service auditor to assess the internal controls of a service organization 3. the SSAE 16 allows independent auditor's to issue an opinion on the service organization's controls through the SSAE 16 Forensic Audits - CORRECT ANSWER is the auditing specialized in discovering, disclosing and following up on fraud and crimes - forensic professional has been used to investigate corporate fraud and cyber crime What's an Audit Program: - CORRECT ANSWER Audit Program is a step by step set of procedures and instructions that should be performed to complete an audit. 
It's the strategy and plan that identifies the scope, objectives, and procedures to obtain sufficient, relevant evidence to draw and support audit conclusions and opinions Audit Methodology - CORRECT ANSWER is a set of documented audit procedures designed to achieve planned audit objectives. It's components are the statement of scope, statement of audit objectives and a statement of audit programs The presence of internal control does not altogether ____ fraud - CORRECT ANSWER Eliminate fraud What 2 processes drive an effective risk-based audit - CORRECT ANSWER 1. risk assessment that drives the audit schedule 2. risk assessment that minimizes the audit risk during the execution of an audit ________ will help auditors identify and categorize the types of risks that will better detmerine the risk model or approach in auditing the audit - CORRECT ANSWER understanding the nature of the business A risk assessment can be 1. 2. - CORRECT ANSWER a scheme where risks have been given elaborate weight based on the nature of the business OR 2. a scheme where risks have been given weight based on the significance of the risk Inherent risk - - CORRECT ANSWER it is the risk level or exposure of the process/entity to be audited without taking into account the controls that management has implemented inherent risks exist indpened of an audit and can occur because of the nature of the business Control Risk - CORRECT ANSWER Risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls Detection Risk - CORRECT ANSWER risk that material errors or misstatements that have occurred will not be detected by the IS auditor Overall Audit Risk - CORRECT ANSWER probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred 5 Steps in a Risk-based Audit Approach 1. 2. 3. 4. 5. - CORRECT ANSWER 1. Gather information and plan 2. 
Obtain understanding of internal control 3. Perform Compliance Tests 4. Perform Substantive Tests 5. Conclude the audit Things you should consider for Step 1 of the Risk-based audit approach: gathering information and plan - CORRECT ANSWER 1. knowledge of business and industry 2. Prior year's audit results 3. Recent financial information 4. regulatory statutes 5. Inhere risk assessments Things you should consider for Step 2 of the Risk-based audit approach: obtaining and understanding of internal controls - CORRECT ANSWER 1. Control environment 2. Control procedures 3. Detection Risk Assessment 4. Control Risk Assessment 5. Equate Total Risk Things you should consider for Step 3 of the Risk - based audit approach: Perform compliance Tests: - CORRECT ANSWER 1. Identify key controls to be tested 2. Perform tests on reliability, risk prevention and adherence to organization policies and procedures Things you should consider for Step 4 of the Risk-Based audit approach: Perform Substantive Tests: - CORRECT ANSWER 1. Analystical Procedures 2. Detailed tests of account balance 3. Other substantive audit procedures Things you should consider for Step 5 of the Risk-Based Audit Approach: Conclude on the audit: - CORRECT ANSWER 1. Create Recommendations 2. Write Audit Report Risk Assessment should... _____, _____, and ____ against criteria for risk acceptance and objectives relevant to the organization - CORRECT ANSWER identify, quantify, and prioritize Risk Mitigation - CORRECT ANSWER applying appropriate controls to reduce the risks Risk Acceptance - CORRECT ANSWER knowingling and objectively not taking action, providing the risk clearly satisfies the organiation's policy and criteria for risk acceptance Risk Avoidance - CORRECT ANSWER Avoiding risks by not allowing actions that would cause the risks to occur Risk transfer/sharing - CORRECT ANSWER transferring the associated risks to other parties. i.e. 
insurers or suppliers Audit Objectives - CORRECT ANSWER are the specific goals that must be accomplished by the audit. They often focus on substantiating that internal control exist to minimize business risk and they function as expected The IS auditor must have an understand of how general audit objectives can be translated into specific IS control objectives; The basic purpose of any IS audit is to identify control objectives and the ________ that address the objective - CORRECT ANSWER The basic purpose of an IS audit is to identify control objectives and related controls that address the objective Compliance Testing is for the purpose of - CORRECT ANSWER purpose of testing an organiations compliance with control procedures (with management policies and procedures) What's the objective of compliance testing: - CORRECT ANSWER to provide IS auditors with reasonable assurance that the particular control on which the IS auditor plans to rely is operating as the IS auditor perceived in the preliminary evaluation Substantive testing is for the purpose of - CORRECT ANSWER which evidence is gathered to evaluate the integrity of individuals transactions, data, or other information What's the objective of substantive testings - CORRECT ANSWER tests the integrity of actual processing and provides evidence of the validity and integrity of the balances in the financial statements, and the transactions that support these balances If the compliance test reveal that that there are not issues with the internal controls, then the IS audit can ________ the substantive procedures - CORRECT ANSWER minimizing the substantive procedures If the compliance test reveals that there are issues with the internal controls, then the IS auditor can, substantive testing can - CORRECT ANSWER alleviate those doubt Remove doubts 4 tings to evaluate the reliability of audit evidence: 1. 2. 3. 4. - CORRECT ANSWER 1. 
Independence of the provider of the evidence - information obtained from outside sources are more reliable than from within the organization 2. Qualifications of the individual providing the information/evidence 3. Objectivity of the evidence 4. Timing of our evidence The following techniques are used for gathering evidence: - CORRECT ANSWER 1. Reviewing IS organization structures, IS policies and procedures, IS standards, IS documentation, Interviewing appropriate personnel, observing processes and employee performance, reperformance, walkthroughs Statistical Sampling - CORRECT ANSWER objective method of determining the sample sale and selection criteria. Uses math to calculate the sampling size, select the sample items, and evaluate the sample results and make the inference Non-statistical Sampling - CORRECT ANSWER (judgmental sampling) - uses auditor judgments to determine the method of sampling, the number of items that will be examined from the population (sample size) and the items to select (sample selection) Attribute Sampling (Fixed Sample Size Attribute Sampling or Frequency - Estimating sampling) - CORRECT ANSWER used to estimate the rate (percent) of occurrence of a specific quality (attribute) in a population an example of attribute that might be tested is approval signatures on computer access request forms Stop-or-go Sampling - CORRECT ANSWER helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment should be used when the auditor believes there will be a few errors that will be found in a population Discovering Sampling - CORRECT ANSWER sampling model that can be used when the expected occurrence rate is extremely low most often used when the objective of the audit is to seek out (discover) fraud, circumvention of regulations or other irregularities Variable Sampling - known as dollar estimation or mean estimation sampling - CORRECT ANSWER Is a technique used to estimate the monetoary 
value or some other unit of measure of a population from a sample portion Variable Sampling has 3 different types of quantitative sampling models: - CORRECT ANSWER 1. Stratified mean per unit 2. Un-stratified mean per unit 3. difference estimation Statified mean per unit - CORRECT ANSWER model in which the population is divided into groups and samples are drawn from the various groups is used to produce a smaller overall sample size relative to unstratified mean per unit Unstratified mean per unit - CORRECT ANSWER A statistical model in which a sample mean is calculated and projected as an estimated total Difference Estimation - CORRECT ANSWER A statistical model used to estimate the total difference between audited values and book (unaudited) values based on differences obtained from sample observations Exit Interview should discuss findings and recommendations with management. The audit should do what 3 things: - CORRECT ANSWER 1. ensure that the facts presented in the report are correct 2. ensure that the recommendations are realistic and cost-effective, and if not, seek alternatives through negotiation with auditee management 3. Recommend implementation dates for agreed on recommendations Executive Summary - CORRECT ANSWER Easy to read, concise report that presents findings to management in an understandable manner. They should be presented from a business perspective The Audit Report Structure Should Include: - CORRECT ANSWER 1. Introduction to the report, objectives, scope, processes examined during the audit 2. include the audit findings in separate sections (grouped together in sections by materiality and or intended recipient 3. The IS auditors reservations or qualifications with respect to the audit 4. Detailed audit findings and recommendations 5. Variety of findings, some of which may be quite material while others are minor in nature Audit Documentation should include, at a minimum: 1. Planning.... 2. Descriptions 3. Audit.. 4. Audit.. 5. Use 6. 
Audit 7. Audit - CORRECT ANSWER 1. Planning and preparation of the audit scope and objectives 2. Description and or walkthrough on the scoped audit area 3. Audit program 4. Audit Steps performed and audit evidence gathered 5. Use of services of other auditors and experts 6. Audit Findings, conclusions, and recommendations 7. Audit documentation relation with document identification and dates 7 Steps in the Control Self Assessment (CSA) - CORRECT ANSWER 0. Identify 1. Identify and Assess Risks 2. Identify and Assess Controls 3. Develop Questionnaire 4. Collect and Analyze Questionnaire 5. Awareness Training 6. Action and Reporting Benefits of the CSA - CORRECT ANSWER 1. Early Detection of Risks 2. More effective and improved internal controls 3. Developing a sense of ownership of the controls and reducing their resistance to control improvement initiatives 4. Increased employee awareness of organiationl obejctibes, and knowledge of risk and internal controls 5. Increased communication between operational and top management 6. Highly motivated employees 7. Improved audit raiting process 8. Reduction in Control COst 9. Assurance provided to stakeholders and customers Disadvantages of CSA - CORRECT ANSWER 1. Could be mistaken as an audit function replacement 2. may be regarded as an additional workload (one more report to be submitted to management 3. Failure to act on improvement suggestions could damage employee morale 4. Lack of motivation may limit effectiveness in the detection of weak controls Attributes to an Traditional Audit Approach - CORRECT ANSWER 1. Assigns Duties/Supervises Staff 2. Policy/Rule-Driven 3. Limited Employee Participation 4. Narrow Stakeholder Focus 5. Auditors and other specialists Attributes to the CSA Audit Approach - CORRECT ANSWER 1. Empowered/Accountable Employees 2. Continuous Improvement/Learning Curve 3. Extensive Employee Participation and Training 4. Broad Stakeholder Focus 5. 
Staff at all levels, in all functions, are the primary control analysts Integrated Auditing - CORRECT ANSWER Process where audit disciplines are combined to assess key internal controls cover an operation, process or entity. -Focuses on risk When asked to do preliminary work to review if the company is compliant with new regulatory requirements, and the areas to be accessed are logical security, CM, etc, etc. There was many deviations and deficiencies in previous years, the CIO created process flows and narrative to help descript the IT processes to the auditor.. what is the first step in the review process? - CORRECT ANSWER 1. Perform a IT risk assessment. After this assessment is done, it will show which areas are the greatest risk and what control mitigate those risks. The company needs to assess which controls are critical and the process flow and narratives don't do that. When testing program change management, how should the sample be selected? a. Changes to management documents should be selected at random and then tested for appropriateness b. changes to production code should be sampled and tracked appropriate authorizing documentation c. change management documents should be selected based on system critically and examined for appropriateness d. changes to production code should be sampled and tracked back to the system - produced logs indicating that the date and time of change - CORRECT ANSWER B - Changes to production code provide the most appropriate basis for selecting a sample. These sampled changes should be traced to appropriate authoring documentation. The reason why other answers are wrong: 1. a sample chosen from a set of control documents, there is no way to ensure that every change was paired with appropriate control documentation. 2. Selecting from the population of change management documents will not reveal any changes that bypassed the normal approval and documentation process. 3. 
Comparing production code changes to system - produced logs will not provide evidence of proper approval of changes prior to their being migrated to production What is the most appropriate type of CAAT tool the auditor should use to test security configuration settings for the entire application system is: a. generalized audit software (GAS) b. test data c. utility software d. expert

Institution
CISA - Certified Information Systems Auditor
Course
CISA - Certified Information Systems Auditor