CISA Questions (1-100) Exam Questions And Answers

October 23, 2024 | 66 pages | 2024/2025 | Seller: DocLaura

A. The ability of IT to continuously monitor and address any issues on IT systems would not
affect the ability of IS audit to perform a comprehensive audit.

B. Sharing the scripts may be required by policy for the sake of quality assurance and
configuration management, but that would not impair the ability to audit.

CORRECT C. IS audit can still review all aspects of the systems. They may not be able to
review the effectiveness of the scripts themselves, but they can still audit the systems.

D. An audit of an IS system would encompass more than just the controls covered in the scripts.

- ANS The internal audit department has written some scripts that are used for continuous
auditing of some information systems. The IT department has asked for copies of the scripts so
that they can use them for setting up a continuous monitoring process on key systems. Would
sharing these scripts with IT affect the ability of the IS auditors to independently and objectively
audit the IT function?

Select an answer:
A.
Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and
avoid an accurate, comprehensive audit.

B.
Sharing the scripts is required because IT must have the ability to review all programs and
software that runs on IS systems regardless of audit independence.

C.
Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in
areas not covered in the scripts.

D.
Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the
scripts would not be permitted to audit any IS systems where the scripts are being used for
monitoring.

A. The audit charter should not be subject to changes in technology and should not significantly
change over time. The charter should be approved at the highest level of management.

B. An audit charter will state the authority and reporting requirements for the audit but not the
details of maintenance of internal controls.

C. An audit charter would not be at a detailed level and, therefore, would not include specific
audit objectives or procedures.

CORRECT D. An audit charter should state management's objectives for and delegation of
authority to IS auditors.

- ANS An audit charter should:

A.
be dynamic and change to coincide with the changing nature of technology and the audit
profession.

B.
clearly state audit objectives for, and the delegation of, authority to the maintenance and review
of internal controls.

C.
document the audit procedures designed to achieve the planned audit objectives.

D.
outline the overall authority, scope and responsibilities of the audit function.

A. The continuous audit approach often does require an IS auditor to collect evidence on
system reliability while processing is taking place.

CORRECT B. Continuous audit allows audit and response to audit issues in a timely manner
because audit findings are gathered in near real time.

C. Responsibility for enforcement and monitoring of controls is primarily the responsibility of
management.

D. The use of continuous audit is not based on the complexity or number of systems being
monitored.

- ANS The PRIMARY advantage of a continuous audit approach is that it:

Select an answer:
A.
does not require an IS auditor to collect evidence on system reliability while processing is taking
place.

B.
allows the IS auditor to review and follow up on audit issues in a timely manner.

C.
places the responsibility for enforcement and monitoring of controls on the security department
instead of audit.

D.
simplifies the extraction and correlation of data from multiple and complex systems.

CORRECT A. Control self-assessment (CSA) is predicated on the review of high-risk areas that
either need immediate attention or may require a more thorough review at a later date.

B. CSA requires the involvement of IS auditors and line management. What occurs is that the
internal audit function shifts some of the control monitoring responsibilities to the functional
areas.

C. CSA is not a replacement for traditional audits. CSA is not intended to replace audit's
responsibilities, but to enhance them.

D. CSA does not allow management to relinquish its responsibility for control.

- ANS A PRIMARY benefit derived for an organization employing control self-assessment (CSA)
techniques is that it:

Select an answer:
A.
can identify high-risk areas that might need a detailed review later.

B.
allows IS auditors to independently assess risk.

C.
can be used as a replacement for traditional audits.

D.
allows management to relinquish responsibility for control.

A. Understanding whether appropriate controls required to mitigate risk are in place is a
resultant effect of an audit.

CORRECT B. In developing a risk-based audit strategy, it is critical that the risk and
vulnerabilities be understood. This will determine the areas to be audited and the extent of
coverage.

C. Audit risk is an inherent aspect of auditing, is directly related to the audit process and is not
relevant to the risk analysis of the environment to be audited.

D. A gap analysis would normally be done to compare the actual state to an expected or
desirable state.

- ANS When developing a risk-based audit strategy, an IS auditor should
conduct a risk assessment to ensure that:

Select an answer:
A.
controls needed to mitigate risk are in place.

B.
vulnerabilities and threats are identified.

C.
audit risk is considered.

D.
a gap analysis is appropriate.

A. Monitoring the audits and the time spent on audits would not be effective if the wrong areas
were being audited. It is most important to develop a risk-based audit plan to ensure effective
use of audit resources.

B. The IS auditor may have specialties or the audit team may rely on outside experts to conduct
very specialized audits. It is not necessary for each IS auditor to be trained on all new
technology.

CORRECT C. Monitoring the time and audit programs, as well as adequate training, will
improve the IS audit staff's productivity (efficiency and performance), but that which delivers
value to the organization is ensuring that the resources and efforts being dedicated to audit are
focused on higher-risk areas.

D. Monitoring audits and initiating cost controls will not necessarily ensure the effective use of
audit resources.

- ANS To ensure that audit resources deliver the best value to the
organization, the FIRST step would be to:
