Domain 1 (CISA Review Questions, Answers & Explanations Manual, 12th Edition | Print | English) Questions & Answers (GRADED A+)
A1-1 The internal audit department wrote some scripts that are used for continuous
auditing of some information systems. The IT department asked for copies of the
scripts so that they can use them for setting up a continuous monitoring process on
key systems. Does sharing these scripts with IT affect the ability of the IS auditors to
independently and objectively audit the IT function?
A. Sharing the scripts is not permitted because it gives IT the ability to pre-audit
systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all
programs and software that run on IS systems regardless of audit independence.
C. Sharing the scripts is permissible if IT recognizes that audits may still be
conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audit. - ANSWER: C is the correct answer.
Justification:
A. The ability of IT to continuously monitor and address any issues on IT systems
does not affect the ability of IS audit to perform a comprehensive audit.
B. Sharing the scripts may be required by policy for quality assurance and
configuration management, but that does not impair the ability to audit.
C. IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts, but they can still audit the systems.
D. An audit of an IS system encompasses more than just the controls covered in the scripts.
A1-2 Which of the following is the BEST factor for determining the required extent of
data collection during the planning phase of an IS compliance audit?
A. Complexity of the organization's operation
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. Auditor's familiarity with the organization - ANSWER: C is the correct answer.
Justification:
A. The complexity of the organization's operation is a factor in the planning of an audit but does not directly affect the determination of how much data to collect. The extent of data collection is subject to the intensity, scope and purpose of the audit.
B. Prior findings and issues are factors in the planning of an audit but do not directly affect the determination of how much data to collect. Data must also be collected outside of areas of previous findings.
C. The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection, such as sample size or means of data collection.
D. An auditor's familiarity with the organization is a factor in the planning of an audit but does not directly affect the determination of how much data to collect. The audit must be based on sufficient evidence of the monitoring of controls and not unduly influenced by the auditor's familiarity with the organization.
A1-4 An IS auditor is reviewing security controls for a critical web-based system prior
to implementation. The results of the penetration test are inconclusive, and the
results will not be finalized prior to implementation. Which of the following is the
BEST option for the IS auditor?
A. Publish a report based on the available information, highlighting the potential
security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing was
inconclusive.
C. Request a delay of the implementation date until additional security testing can be
completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to implementation
and recommend that the audit be postponed. - ANSWER: A is the correct answer.
Justification:
A. If the IS auditor cannot gain sufficient assurance for a critical system within the
agreed-on time frame, this fact should be highlighted in the audit report and follow-up
testing should be scheduled for a later date. Management can then determine
whether any of the potential weaknesses identified were significant enough to delay
the go-live date for the system.
B. It is not acceptable for the IS auditor to ignore areas of potential weakness because conclusive evidence could not be obtained within the agreed-on audit time frame. ISACA IS Audit and Assurance Standards are violated if these areas are omitted from the audit report.
C. Extending the time frame for the audit and delaying the go-live date is unlikely to
be acceptable in this scenario where the system involved is business-critical. In any
case, a delay to the go-live date must be the decision of business management, not
the IS auditor. In this scenario, the IS auditor should present business management
with all available information by the agreed-on date.
D. Failure to obtain sufficient evidence in one part of an audit engagement does not
justify cancelling or postponing the audit; this violates the audit guideline concerning
due professional care.
A1-5 Which of the following controls would an IS auditor look for in an environment
where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls - ANSWER: D is the correct answer.
Justification:
A. Overlapping controls are two controls addressing the same control objective or exposure. Because primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls.
B. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls.
C. Access controls for resources are based on individuals and not on roles. Where there is a lack of segregation of duties, the IS auditor expects to find that a person has higher levels of access than are ideal. The IS auditor wants to find compensating controls to address this risk.
D. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.
A1-3 An IS auditor is developing an audit plan for an environment that includes new
systems. The organization's management wants the IS auditor to focus on recently
implemented systems. How should the IS auditor respond?
A. Audit the new systems as requested by management.
B. Audit systems not included in last year's scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year's scope and the new systems. - ANSWER: C is the correct answer.
Justification:
A. Auditing the new system does not reflect a risk-based approach. Although the
system can contain sensitive data and may present risk of data loss or disclosure to
the organization, without a risk assessment, the decision to solely audit the newly
implemented system is not a risk-based decision.
B. Auditing systems not included in the previous year's scope does not reflect a risk-
based approach.
In addition, management may know about problems with the new system and may
be intentionally trying to steer the audit away from that vulnerable area. Although, at
first, the new system may seem to be the riskiest area, an assessment must be
conducted rather than relying on the judgment of the IS auditor or IT manager.
C. The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."
D. The creation of the audit plan should be performed in cooperation with management and based on risk. The IS auditor should not arbitrarily decide on what needs to be audited.
A1-6 Which of the following is the key benefit of a control self-assessment?
A. Management ownership of the internal controls supporting business objectives is
reinforced.
B. Audit expenses are reduced when the assessment results are an input to external
audit work.
C. Fraud detection is improved because internal business staff are engaged in
testing controls.
D. Internal auditors can shift to a consultative approach by using the results of the
assessment. - ANSWER: A is the correct answer.
Justification:
A. The objective of control self-assessment (CSA) is to have business management
become more aware of the importance of internal control and their responsibility in
terms of corporate governance.
B. Reducing audit expenses is not a key benefit of CSA.
C. Improved fraud detection is important but not as important as control ownership. It
is not a principal objective of CSA.
D. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.
A1-7 What is the PRIMARY requirement that a data mining and auditing software tool
should meet? The software tool should:
A. interface with various types of enterprise resource planning software and
databases.
B. accurately capture data from the organization's systems without causing
excessive performance problems.
C. introduce audit hooks into the organization's financial systems to support
continuous auditing.
D. be customizable and support inclusion of custom programming to aid in
investigative analysis. - ANSWER: B is the correct answer.
Justification:
A. The product must interface with the types of systems used by the organization
and provide meaningful data for analysis.
B. Although all the requirements that are listed as answer choices are desirable in a
software tool evaluated for auditing and data mining purposes, the most critical
requirement is that the tool works effectively on the systems of the organization
being audited.
C. The tool should probably work on more than just financial systems and does not necessarily require implementation of audit hooks.
D. The tool should be flexible but not necessarily customizable. It should have built-
in analysis software tools.
A1-8 A long-term IT employee with a strong technical background and broad
managerial experience has applied for a vacant position in the IS audit department.
Determining whether to hire this individual for this position should be PRIMARILY
based on the individual's experience and:
A. length of service, because this will help ensure technical competence.
B. age, because training in audit techniques may be impractical.
C. IT knowledge, because this will bring enhanced credibility to the audit function.