Tuesday, June 4, 2019

Cisa Questionnaire The Is Audit Process Information Technology Essay

Compliance sampling checks whether controls are operating as the policy requires. For example, an auditor takes a sample of new-user creation forms and matches each one against the approval procedure to confirm that the procedure is being followed. Variable sampling is used to estimate a numerical value. Substantive sampling tests the integrity of a process, such as credit/debit values or balances on financial statements. Stop-or-go sampling prevents excessive sampling of an attribute: it is used where relatively few errors are expected, so there is no point in over-sampling.

Q. Use of a statistical sample for a tape library inventory is an example of which sampling technique?
A. Variable
B. Substantive
C. Compliance
D. Stop-or-go
Ans. B
Explanation: This is substantive sampling, which confirms the integrity of a process. The test determines whether the tape library records are stated correctly.

Q. What is the major benefit of a risk-based audit planning approach?
A. Audit schedules can be planned months in advance
B. Staff are exposed to varied technologies
C. Resources are allocated to the areas of greatest concern
D. Budget requirements are met by the audit staff
Ans. C
Explanation: The objective of a risk-based approach is to focus on the areas where risk is highest. Scheduling methods are used to prepare audit schedules and are not part of the risk-based approach. Nor does the approach relate to meeting budget requirements or to the number of audits performed in a given year.

Q. Which of the following is an example of substantive sampling?
A. Review of password history reports
B. Approvals for configuration parameter changes
C. Tape library inventory
D. Validation of a list of exception reports
Ans. C
Explanation: A tape library inventory is substantive sampling because it confirms the integrity of a process by determining whether the tape records are stated correctly. The other choices are compliance sampling: they determine whether the process in practice is in line with the established policies and procedures.

Q. Which of the following is a characteristic of an audit charter?
A. It is dynamic and changes frequently as technology changes
B. It contains the objectives of the audit and the maintenance and review of internal records by delegated authority
C. It contains detailed audit procedures
D. It states the overall scope, ownership and responsibility of the audit function
Ans. D
Explanation: The audit charter states management's objectives for the audit function and its scope, ownership and delegation of responsibility. It is approved by senior management and should not change frequently. It does not contain detailed audit procedures.

Q. The auditor's actions and decisions most directly affect which type of risk?
A. Inherent
B. Detection
C. Control
D. Business
Ans. B
Explanation: The auditor's choices during the audit (for example, taking too few samples) have a direct impact on detection risk. Control risk is managed by the company's own actions, and inherent and business risk are not affected by the auditor.

Q. A particular threat to overall business risk can be expressed in terms of:
A. The likelihood and magnitude of the impact, should a threat source successfully exploit a vulnerability
B. The magnitude of the impact, should a threat source successfully exploit a vulnerability
C. The probability of a given threat source exploiting a vulnerability
D. The collective judgment of the risk assessment team
Ans. A
Explanation: Choice A addresses both likelihood and magnitude of impact and so measures the risk to an asset best. Choice B does not consider the magnitude of the possible damage to the asset. Choice C does not consider the possibility of damage resulting from a threat source exploiting a vulnerability. Choice D is an arbitrary way of determining risk, not a scientific risk management approach.

Q. The major advantage of a risk management approach over a baseline approach in information security management is:
A. Over-protection of information assets
B. A base level of protection for all assets irrespective of asset value
C. Adequate protection applied to all information assets
D. An equal level of protection for all information assets
Ans. C
Explanation: The baseline approach applies a standard set of protections to all information assets, whereas the risk management approach sets the level of protection according to the level of risk. This avoids the cost of over-protecting an asset. Under the baseline approach every asset gets the same protection regardless of value, so some assets end up under-protected and others over-protected.

Q. Which testing method is most effective for compliance testing?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
Ans. A
Explanation: Attribute sampling estimates the rate of occurrence of a specific quality in a population, which is what compliance testing needs to confirm whether that quality (a control) is present. The other sampling methods are used in substantive testing, where details and quantities are tested.

Q. Why is email considered a useful source of evidence in litigation?
A. Email systems are widely used in enterprises as a communication medium
B. Access control mechanisms establish accountability for email communication
C. Information flowing through the email system is backed up and archived
D. Data classification guidelines dictate what information may flow via email
Ans. C
Explanation: Archived or backed-up email files may contain messages that have been deleted and can be recovered. Access controls establish accountability but do not provide the email itself as evidence. Data classification standardizes what may be communicated by email but does not provide the information needed for litigation.

Q. An IS auditor is scheduled to perform a post-implementation review of an application. Which situation would impair the auditor's independence?
A. The auditor was involved in the development of the application and implemented specific functionality or controls
B. The auditor integrated an embedded audit module into the application for auditing purposes
C. The auditor was a member of the application project team but not in an operational role
D. The auditor gave advice on best practices while the system was being developed
Ans. A
Explanation: Independence is impaired when the auditor was actively involved in the development, acquisition and implementation of the application. Choices B and C do not impair independence, and advice on recognized best practices (choice D) does not either.

Q. What is the benefit of a continuous audit approach?
A. Evidence on system reliability need not be collected during processing
B. All information collected is reviewed and followed up
C. Overall security is improved in a time-sharing environment where a large number of transactions is processed
D. There is no dependency on the complexity of the organization's systems
Ans. C
Explanation: The major benefit of continuous auditing is improved overall security in time-sharing environments that process large volumes of transactions while leaving an insufficient paper trail. Choice A is incorrect because the auditor collects evidence while processing is running. Choice B is incorrect because the auditor reviews and follows up on errors and material deficiencies, not on everything collected. Choice D is incorrect because the complexity of the organization's systems determines whether continuous auditing is used.

Q. The objective of enabling an audit trail is:
A. Better response time for users
B. Establishing accountability for processed transactions
C. Improving the operational efficiency of systems
D. Better tracking of transactions to give useful information to auditors
Ans. B
Explanation: With an audit trail, accountability and responsibility for processed transactions can be established and transactions can be traced end to end. Audit trails do not improve the user experience; the additional processing may in fact degrade response time. Choice D is valid but is not the main reason for enabling audit trails.

Q. In a risk-based audit strategy, the IS auditor performs a risk assessment to ensure that:
A. Risk mitigation controls are in place
B. Threats and vulnerabilities are identified
C. Risks related to the audit are taken into consideration
D. A gap analysis is done as needed
Ans. B
Explanation: Identifying threats and vulnerabilities is crucial to determining the scope of the audit. Developing controls to mitigate risk is an outcome of the audit, not the purpose of the assessment. Audit risk is not relevant to the risk analysis of the environment. A gap analysis compares the developed state with the expected or desired state; a gap may result from a risk that was missed or not addressed correctly.

Q. To deliver the best value to the organization from its audit resources, the audit function should:
A. Schedule audits and measure the time spent on them
B. Train audit staff on the latest audit technologies
C. Draw up a detailed plan based on a risk assessment
D. Monitor audit progress and keep cost control measures in place
Ans. C
Explanation: A risk-based plan delivers value by dedicating resources to the higher-risk areas. Choices A, B and D only improve staff productivity.

Q. An IS audit charter includes:
A. The plan for IS audit engagements
B. The scope and objective of an audit engagement
C. The training plan for audit staff
D. The role of the IS audit function
Ans. D
Explanation: Planning engagements is the responsibility of audit management. The scope and objectives of a particular engagement are agreed in the engagement letter, and staff training is again the responsibility of audit management, based on the audit plan.

Q. When evaluating the risk assessment of an information system, the IS auditor first reviews:
A. The controls in place
B. The effectiveness of the implemented controls
C. The monitoring mechanism for risks related to the assets
D. The threats and vulnerabilities impacting the assets
Ans. D
Explanation: The risks associated with the assets in use must be evaluated first. Control effectiveness belongs to the risk mitigation stage, and risk monitoring is part of the risk monitoring function that follows the assessment phase.

Q. During audit planning, the most critical step is:
A. Identification of high-risk areas
B. Identification of the audit team's skill set
C. Identification of the test steps in the audit
D. Identification of the time allotted to the audit
Ans. A
Explanation: Identifying the high-risk areas is the most critical step because it determines where the audit will focus. The skill set is determined before the audit begins, and test steps and time are determined on the basis of the areas to be audited.

Q. The amount of information to be collected during an audit is determined by:
A. The ease of obtaining the information records
B. Familiarity with the environment being audited
C. The ease of obtaining the evidence
D. The scope and purpose of the audit
Ans. D
Explanation: The scope and purpose of the audit determine how much sample information must be collected. The other choices are irrelevant; the audit process is not governed by how easy records or evidence are to obtain or by familiarity with the environment.

Q. During audit planning, the assessment of risk should provide:
A. Reasonable assurance that material items will be covered by the audit work
B. Definite assurance that material items will be covered by the audit work
C. Reasonable assurance that all items will be covered by the audit work
D. Sufficient assurance that all items will be covered by the audit work
Ans. A
Explanation: ISACA audit guideline G15 states that an assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. The definite assurance in choice B is impractical, and choices C and D are incorrect because they refer to all items.

Q. The IS auditor should use statistical sampling rather than judgmental sampling when:
A. The probability of error must be objectively quantified
B. The auditor wishes to avoid sampling risk
C. Generalized audit software is available
D. The tolerable error rate cannot be determined
Ans. A
Explanation: Given an expected error rate and a confidence level, statistical sampling is the objective method: it lets the auditor determine the sample size and quantify the probability of error. Choice B is incorrect because sampling risk, the risk that the sample is not representative of the population, exists with either method. Choice C is incorrect because statistical sampling does not require generalized audit software. Choice D is incorrect because the tolerable error rate is predetermined in both statistical and judgmental sampling.

Q. The primary goal of the auditor during the IS audit planning stage is to:
A. Address the audit objectives
B. Collect sufficient evidence
C. Specify appropriate tests
D. Use fewer audit resources
Ans. A
Explanation: Per ISACA guidelines, the audit plan must address the audit objectives. Choice B is incorrect because evidence is not collected at the planning stage. Choices C and D are not the initial goals of the audit plan.

Q. When selecting audit procedures, the auditor must use professional judgment to ensure:
A. Sufficient evidence is collected
B. Substantive deficiencies are identified and corrected within a reasonable period
C. Material weaknesses are identified
D. Audit costs are kept to a minimum
Ans. A
Explanation: Professional judgment during an audit involves subjective and qualitative evaluation of conditions and draws on the auditor's past experience. Identifying material weaknesses is a result of that experience and of thorough planning, and professional judgment does not deal with the financial aspects of the audit stated in choice D.

Q. When evaluating logical access controls, the auditor first:
A. Documents the controls applied to all possible access paths to the system
B. Tests the controls over the access paths to determine whether they are functional
C. Evaluates the security environment against the policies and procedures laid down
D. Obtains an understanding of the security risks to information processing facilities
Ans. D
Explanation: The first step is to understand the security risks to the information processing facilities by studying documentation, making inquiries and performing a risk assessment. Documenting and evaluating the controls is the next step, followed by testing the access paths to confirm that the controls function. The last step is the auditor's evaluation of the security environment.

Q. The objective of a forensic audit is to:
A. Participate in investigations of corporate fraud
B. Collect evidence on a systematic basis after a system irregularity
C. Assess the correctness of the organization's financial statements
D. Determine whether there was any criminal activity
Ans. B
Explanation: A forensic audit systematically collects evidence for use in legal proceedings; it is not limited to corporate fraud. Determining the correctness of financial statements is not its purpose, and although criminal activity may become part of the legal process, it is not the objective of the forensic audit.

Q. An auditor is reviewing the backup log of a remote server. One entry shows a failed login to the remote server during backup, and there is no entry confirming that the backup was restarted. What should the IS auditor do?
A. Issue an audit finding
B. Require an explanation from IS management
C. Issue a non-compliance
D. Increase the sample of logs reviewed
Ans. D
Explanation: Before issuing a finding, seeking an explanation or issuing a non-compliance, the auditor needs to gather additional evidence to evaluate the situation properly.

Q. To audit the audit trail of critical servers, the auditor wants to use _______ to determine potential irregularities in user or system behaviour.
A. CASE tools
B. Embedded data collection tools
C. Heuristic scanning tools
D. Trend/variance detection tools
Ans. D
Explanation: Trend/variance detection tools identify potential irregularities in user or system behaviour. CASE tools are used in software development, embedded data collection tools collect samples, and heuristic scanning tools detect virus infections.

Q. While evaluating a corporate network for possible penetration by employees, which of the following is of greatest concern to the auditor?
A. The number of external modems connected to the network
B. Users have the right to install software on their desktops
C. Limited or no network monitoring
D. User IDs with identical passwords
Ans. D
Explanation: Identical passwords are the greatest threat. The modems in choice A are a threat, but exploiting them still requires a valid user ID. The likelihood in choice B is low because of the technical knowledge needed for penetration. Network monitoring is a means of detection.

Q. What is the major benefit of using computer forensic software in investigations?
A. Preservation of electronic evidence
B. Saving time and costs
C. Greater efficiency and effectiveness
D. Efficient searching for violations of intellectual property rights
Ans. A
Explanation: The main purpose of forensic software is to preserve the chain of electronic evidence for the investigation. Choices B and C are criteria for distinguishing good from poor forensic software, and choice D is merely one use of it.

Q. The auditor has imported data from the client's database. Which step confirms that the imported data is complete?
A. Match the control totals of the imported data with those of the original data
B. Sort the data to confirm it is in the same order as the original data
C. Compare the first 100 imported records with the first 100 original records
D. Filter the data by category and match it to the original data
Ans. A
Explanation: Matching control totals confirms the completeness of the import. Sorting may not apply because the original data need not be in sorted order. Reviewing part of the data does not establish completeness either, and filtering by category would still require control totals to be established.

Q. An audit is to be conducted to identify payroll overpayments in the last year. Which audit technique is most appropriate?
A. Test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module
Ans. B
Explanation: Generalized audit software provides mathematical calculations, stratification, statistical analysis, sequence and duplicate checks and re-computation, so the auditor can re-compute the payroll data. Test data would not detect the anomalies and overpayments, and an integrated test facility or embedded audit module cannot detect errors that have already occurred.

Q. During an audit, the auditor finds that the security procedures are not documented. What should the auditor do?
A. Create the procedure documentation
B. Stop the audit
C. Perform compliance testing
D. Identify and evaluate the existing practices being followed
Ans. D
Explanation: The purpose of the audit is to identify risks, so the most appropriate approach is to identify and evaluate the current practices. Auditors do not create documentation, compliance testing cannot be done without a documented standard, and stopping the audit would defeat its objective of identifying risks.

Q. Threats and their potential impacts have been identified during the risk analysis stage. What is the next most appropriate step?
A. Identify and assess management's risk assessment approach
B. Identify all information assets and systems
C. Disclose the threats and impacts to management
D. Identify and evaluate the existing controls
Ans. D
Explanation: Once the threats and their impacts are identified, the next step is to identify and evaluate the controls already in place, because the residual risk depends on them. Only after that are the results shared with management.

Q. Which of the following is of most significant concern to an auditor?
A. A network attack was not reported
B. An attempted intrusion was not reported to the police
C. There is no periodic review of access rights
D. An intrusion was not disclosed to the public
Ans. A
Explanation: Failure to report a network attack is the major concern. Disclosure to the public and notification of the police are matters for the organization to decide. The lack of periodic review of access rights is a concern, but not as serious as choice A.

Q. Which of the following is the most reliable evidence for an auditor?
A. A letter from a third party on compliance
B. Line management's assurance that the application performs as designed
C. Information obtained from the web
D. Reports supplied by the organization's management to the auditor
Ans. A
Explanation: The most reliable evidence is that provided by an external party. Choices B, C and D are not considered reliable.

Q. When evaluating a process in terms of preventive, detective and corrective controls, the IS auditor should understand:
A. The point at which controls are applied as data flows through the system
B. That only preventive and detective controls are relevant
C. That only corrective controls are relevant
D. That classification is required to determine which controls are missing
Ans. A
Explanation: Choices B and C are incorrect because all three types of control are important. Choice D is incorrect because it is the functioning of the controls, not their classification, that matters.

Q. The best evidence of segregation of duties is obtained using which audit technique?
A. Discussions with management
B. Review of the organization chart
C. Interviews and observation
D. Testing of user access rights
Ans. C
Explanation: Interviews and observation let the auditor evaluate the actual segregation of duties. Management may not be aware of detailed functioning, the organization chart only depicts reporting hierarchy, and testing access rights only shows what users can do, not the functions they actually perform.

Q. While reviewing a customer master file, the auditor discovers that many customers appear more than once, with variations in the customer's first name. How should the auditor determine the extent of the duplication?
A. Test data to validate input
B. Test data to check sorting capabilities
C. Use generalized audit software to detect duplicates in the address field
D. Use generalized audit software to detect duplicates in the account field
Ans. C
Explanation: Because the names are not identical, another field such as the address must be used to detect duplication. Test data will not help here, and searching on the account number may not yield the desired result because each duplicate entry could have a different account number.

Q. When testing program changes, what is the best population from which to draw the sample?
A. Test library listings
B. Source program listings
C. Program change requests
D. Production library listings
Ans. D
Explanation: The best source from which to draw the sample is the automated system. Source program listings (choice B) would be time consuming to work from, program change requests are the initial documents that request changes, and test libraries do not contain approved and authorized executables.

Q. An integrated test facility is an efficient audit tool because it:
A. Audits application controls in a cost-effective manner
B. Integrates the audit tests of financial and IS auditors
C. Compares processing output with independently calculated data
D. Analyzes a large range of information
Ans. C
Explanation: An ITF uses the same programs to compare processing with independently calculated data. This involves setting up dummy entities and processing test data alongside production data.

Q. IS auditors use data flow diagrams to:
A. Order data hierarchically
B. Highlight high-level data definitions
C. Summarize data paths and storage graphically
D. Portray step-by-step details of data generation
Ans. C
Explanation: Data flow diagrams chart the flow and storage of data. They do not order data hierarchically, and the flow of data does not necessarily match the hierarchy or the order in which data is generated.

Q. The auditor reviews the organization chart to:
A. Understand workflows
B. Identify all communication channels
C. Understand the responsibility and authority of individuals
D. See the network diagram connected to the different employees
Ans. C
Explanation: The organization chart depicts the responsibility and authority of individuals in the organization, which is required to understand the segregation of functions.

Q. While auditing a network operating system, which of the following user features should the auditor review?
A. Online availability of network documentation
B. Support for terminal access to remote systems
C. Handling of file transfers between users and hosts
D. Audit, control and performance management
Ans. A
Explanation: Online availability of network documentation is a user feature of a network operating system. Choices B, C and D are examples of network operating system functions.

Q. To ensure that access to program documentation is restricted to authorized users, the auditor should:
A. Evaluate the retention plan for off-site storage
B. Interview programmers about the procedures being followed
C. Compare utilization records to the operational schedule
D. Review data access records
Ans. B
Explanation: Interviewing programmers about the procedures they follow is the best way to confirm that only authorized personnel have access to program documentation. Off-site storage plans, utilization records and data access records do not address the security of program documentation.

Q. The auditor is evaluating a modification to an application that computes payments. Testing shows that 50% of the calculations do not match the predetermined totals. What should the auditor do next?
A. Design further tests of the calculations that are in error
B. Identify the variables that may have caused the test results to be inaccurate
C. Examine some more test cases to confirm the anomaly
D. Document the results, findings, conclusions and recommendations
Ans. C
Explanation: The auditor should examine some more of the cases where the calculations were incorrect and confirm the final outcome. Further tests can be performed once that confirmation is complete, and the report is prepared only after confirmation, not before.

Q. The best way to prove the correctness of a system's tax calculation is:
A. In-depth review and analysis of the source code
B. Using generalized audit software to recreate the program logic that calculates monthly totals
C. Simulating transactions and comparing the results
D. In-depth analysis and flowcharting of the source code
Ans. C
Explanation: Simulating transactions is the best way to prove that the tax calculation is correct. Detailed review, flowcharting and analysis of the source code are not effective, and monthly totals do not confirm the correctness of the calculation at the level of individual transactions.

Q. In an application control review, the auditor must analyze:
A. The application's efficiency in meeting business processes
B. The impact of exposures
C. The business processes performed by the application
D. The optimization of the application
Ans. B
Explanation: An application control review requires analysis of the application's automated controls and of the exposures that result from control weaknesses. The other options could be objectives of an audit but are not specific to application controls.

Q. While auditing an inventory application, what is the best evidence that purchase orders are legitimate?
A. Testing whether unauthorized personnel can modify application parameters
B. Tracing purchase orders to a listing
C. Comparing receiving reports to purchase order details
D. Reviewing the application documentation
Ans. A
Explanation: Testing access controls is the best way to determine the legitimacy of purchase orders and is the best evidence. Choices B and C are further procedures, and choice D does not serve the purpose because the documented process and the actual process may differ.

Q. Irregularities can best be detected at an early stage by using which online auditing technique?
A. Embedded audit module
B. Integrated test facility
C. Snapshots
D. Audit hooks
Ans. D
Explanation: The audit hook technique embeds code in applications to allow early detection of irregularities. Embedded audit modules are used for monitoring application systems on select
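As an added illustration, not part of the original essay, the following Python script implements the generalized-audit-software tests that three of the questions above rely on: reconciling control totals (record count, value total and hash total) to confirm an imported extract is complete, detecting duplicate customers on the address field when the name field varies, and re-computing payroll to find overpayments. The customer and payroll extracts and the client's reported control totals are constructed sample data, and all function names are assumptions of this example.

```python
# Added example (not the essay's own code): generalized-audit-software style tests
# over constructed sample extracts.
import csv
import io
import re
from collections import defaultdict
from decimal import Decimal

# Constructed customer master extract "imported from the client database" (not real data).
CUSTOMER_EXTRACT = """cust_id,name,address,balance
1001,John Smith,12 High St.,150.00
1002,J. Smith,12 HIGH STREET,20.00
1003,Ann Jones,5 Park Lane,75.50
1004,Ann Jones,5 Park Lane,75.50
1005,Bob Lee,9 Mill Rd,0.00
"""

# Control totals the client's system reported for that extract (constructed to match).
CLIENT_CONTROL_TOTALS = {
    "record_count": 5,
    "balance_total": Decimal("321.00"),
    # Hash total: arithmetic sum of cust_id, meaningless as a value but sensitive to dropped rows.
    "id_hash_total": 5015,
}

# Constructed payroll extract for the overpayment re-computation (not real data).
PAYROLL_EXTRACT = """emp_id,hours,rate,gross_paid
E01,160,25.00,4000.00
E02,160,30.00,4800.00
E03,150,20.00,3300.00
E04,100,18.50,1850.00
"""

ADDRESS_ABBREVIATIONS = {"st": "street", "rd": "road", "ln": "lane", "ave": "avenue"}


def parse_extract(text):
    """Parse a CSV extract into a list of row dicts (all values kept as strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def compute_control_totals(rows):
    """Record count, value total and hash total of the imported customer rows."""
    return {
        "record_count": len(rows),
        "balance_total": sum((Decimal(r["balance"]) for r in rows), Decimal("0")),
        "id_hash_total": sum(int(r["cust_id"]) for r in rows),
    }


def reconcile(computed, reported):
    """Return (field, reported, computed) for every control total that does not agree."""
    return [
        (field, reported[field], computed[field])
        for field in ("record_count", "balance_total", "id_hash_total")
        if computed[field] != reported[field]
    ]


def normalize_address(address):
    """Case-fold, drop punctuation and expand common abbreviations so variants compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return " ".join(ADDRESS_ABBREVIATIONS.get(w, w) for w in words)


def find_duplicates_by_address(rows):
    """Group customers on the normalized address; names vary, so the name field cannot be used."""
    groups = defaultdict(list)
    for r in rows:
        groups[normalize_address(r["address"])].append(int(r["cust_id"]))
    return {addr: sorted(ids) for addr, ids in groups.items() if len(ids) > 1}


def find_overpayments(rows):
    """Re-compute gross pay as hours * rate and report employees paid more than that."""
    found = []
    for r in rows:
        expected = Decimal(r["hours"]) * Decimal(r["rate"])
        paid = Decimal(r["gross_paid"])
        if paid > expected:
            found.append((r["emp_id"], paid - expected))
    return found


if __name__ == "__main__":
    rows = parse_extract(CUSTOMER_EXTRACT)
    print("full import:", reconcile(compute_control_totals(rows), CLIENT_CONTROL_TOTALS))
    # An import that silently lost the last (zero-balance) row still matches the balance
    # total; only the record count and hash total reveal it, which is why all three are checked.
    print("truncated import:", reconcile(compute_control_totals(rows[:-1]), CLIENT_CONTROL_TOTALS))
    print("duplicates by address:", find_duplicates_by_address(rows))
    print("overpayments:", find_overpayments(parse_extract(PAYROLL_EXTRACT)))
```

The truncated-import case in the script is the reason a single value total is not enough: a dropped zero-value row leaves the balance total intact, and only the record count and hash total expose it.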
