Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 02

  1. Which of the following audit risks is the risk that material errors or misstatements that have occurred will not be detected by an IS auditor?

    • Inherent Risk
    • Control Risk
    • Detection Risk
    • Overall Audit Risk

    Explanation:

    Detection risk is the risk that material errors or misstatements that have occurred will not be detected by an IS auditor; in financial terms, it is the risk that the auditors fail to detect a material misstatement in the financial statements. An auditor must apply audit procedures to detect material misstatements in the financial statements, whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit, such as the use of sampling for the selection of transactions. Auditors can reduce detection risk by increasing the number of sampled transactions for detailed testing.

    For your exam you should know the following information about audit risk:

    Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue an unqualified report due to the auditor’s failure to detect a material misstatement, whether due to error or fraud. This risk is composed of inherent risk (IR), control risk (CR) and detection risk (DR), and can be calculated thus:

    AR = IR × CR × DR

    Inherent Risk
    Auditors must determine risks when working with clients. One type of risk to be aware of is inherent risk. While assessing this level of risk, you ignore whether the client has internal controls in place (such as a secondary review of financial statements) in order to help mitigate the inherent risk. You consider the strength of the internal controls when assessing the client’s control risk. Your job when assessing inherent risk is to evaluate how susceptible the financial statement assertions are to material misstatement given the nature of the client’s business. A few key factors can increase inherent risk.

    Environment and external factors: Here are some examples of environment and external factors that can lead to high inherent risk:

    Rapid change: A business whose inventory becomes obsolete quickly experiences high inherent risk.
    Expiring patents: Any business in the pharmaceutical industry also has inherently risky environment and external factors. Drug patents eventually expire, which means the company faces competition from other manufacturers marketing the same drug under a generic label.
    State of the economy: The general level of economic growth is another external factor affecting all businesses.
    Availability of financing: Another external factor is interest rates and the associated availability of financing. If your client is having problems meeting its short-term cash payments, available loans with low interest rates may mean the difference between your client staying in business or having to close its doors.
    Prior-period misstatements: If a company has made mistakes in prior years that weren’t material (meaning they weren’t significant enough to have to change), those errors still exist in the financial statements. You have to aggregate prior-period misstatements with current year misstatements to see if you need to ask the client to adjust the account for the total misstatement.

    You may think an understatement in one year compensates for an overstatement in another year. In auditing, this assumption isn’t true. Say you work a cash register and one night the register comes up $20 short. The next week, you somehow come up $20 over your drawer count. The $20 differences are added together to represent the total amount of your mistakes, which is $40 and not zero. Zero would indicate that no mistakes at all had occurred.

    Susceptibility to theft or fraud: If a certain asset is susceptible to theft or fraud, the account or balance level may be considered inherently risky. For example, if a client has a lot of customers who pay in cash, the balance sheet cash account is going to have risk associated with theft or fraud because of the fact that cash is more easily diverted than customer checks or credit card payments.

    Looking at industry statistics relating to inventory theft, you may also decide to consider the inventory account as inherently risky. Small inventory items can further increase the risk of this account valuation being incorrect because those items are easier to conceal (and therefore easier to steal).

    Control Risk

    Control risk has been defined under the International Standards on Auditing (ISAs) as follows:

    The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.

    In simple words, control risk is the probability that a material misstatement exists in an assertion because that misstatement was either not prevented from entering the entity’s financial information or not detected and corrected by the entity’s internal control system.

    It is the responsibility of management and those charged with governance to implement an internal control system and maintain it appropriately, which includes managing control risk.

    There are many reasons why control risk arises and cannot be eliminated entirely. Some of them are as follows:

    Cost-benefit constraints
    Circumvention of controls
    Inappropriate design of controls
    Inappropriate application of controls
    Lack of control environment and accountability
    Novel situations
    Outdated controls
    Inappropriate segregation of duties

    Detection Risk
    Detection risk is the risk that the auditors fail to detect a material misstatement in the financial statements.
    An auditor must apply audit procedures to detect material misstatements in the financial statements, whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit, such as the use of sampling for the selection of transactions.
    Auditors can reduce detection risk by increasing the number of sampled transactions for detailed testing.

    The following answers are incorrect:

    Inherent Risk – The risk level or exposure of a process or entity to be audited without taking into account the controls that management has implemented.

    Control Risk – The risk that material errors exist that would not be prevented or detected on a timely basis by the system of internal controls.

    Overall audit risk – The probability that information or a financial report may contain material errors and that the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so that the overall audit risk is at a sufficiently low level at the completion of the examination.

    Reference:

    CISA review manual 2014 page number 50
    http://en.wikipedia.org/wiki/Audit_risk
    http://www.dummies.com/how-to/content/how-to-assess-inherent-risk-in-an-audit.html
    http://pakaccountants.com/what-is-control-risk/
    http://accounting-simplified.com/audit/risk-assessment/audit-risk.html

  2. Which of the following statements INCORRECTLY describes the Control self-assessment (CSA) approach?

    • CSA is policy or rule driven
    • CSA Empowered/accountable employees
    • CSA focuses on continuous improvement/learning curve
    • In CSA, staff at all levels, in all functions, are the primary control analysts.

    Explanation:

    The word INCORRECTLY is the keyword used in the question. You need to find the option that incorrectly describes control self-assessment. Being policy or rule driven is an attribute of the traditional approach; CSA is characterized by continuous improvement and a learning curve, as the attribute comparison below shows.

    For your exam you should know the information below about control self-assessment:

    Control self-assessment is an assessment of controls made by the staff and management of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal controls of the organization are reliable.

    Benefits of CSA

    Early detection of risk
    More efficient and improved internal controls
    Creation of cohesive teams through employee involvement
    Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives
    Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
    Highly motivated employees
    Improved audit training process
    Reduction in control cost
    Assurance provided to stakeholders and customers

    Traditional and CSA attributes

    Traditional (historical)                 CSA
    Assigns duties / supervises staff        Empowered / accountable employees
    Policy / rule driven                     Continuous improvement / learning curve
    Limited employee participation           Extensive employee participation and training
    Narrow stakeholder focus                 Broad stakeholder focus
    Auditors and other specialists           Staff at all levels, in all functions, are the primary control analysts

    The following answers are incorrect:

    The other options correctly describe CSA.

    Reference:
    CISA review manual 2014 page number 61, 62 and 63

  3. Which of the following statements INCORRECTLY describes the traditional audit approach in comparison to the Control self-assessment approach?

    • In the traditional approach, staff at all levels, in all functions, are the primary control analysts.
    • Traditional approach assigns duties/supervises staff
    • Traditional approach is a policy driven approach
    • Traditional approach requires limited employee participation.

    Explanation:

    The keyword INCORRECTLY is used in the question. You need to find the option that incorrectly describes the traditional approach. Having staff at all levels act as the primary control analysts is a CSA attribute; in the traditional approach, auditors and other specialists are the primary control analysts.

    For your exam you should know the information below about control self-assessment and traditional approach:

    The traditional approach can be summarized as any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors and, to a lesser extent, to the controller’s department and outside consultants.

    Control self-assessment is an assessment of controls made by the staff and management of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal controls of the organization are reliable.

    Benefits of CSA

    Early detection of risk
    More efficient and improved internal controls
    Creation of cohesive teams through employee involvement
    Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives
    Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
    Highly motivated employees
    Improved audit training process
    Reduction in control cost
    Assurance provided to stakeholders and customers

    Traditional and CSA attributes

    Traditional (historical)                 CSA
    Assigns duties / supervises staff        Empowered / accountable employees
    Policy / rule driven                     Continuous improvement / learning curve
    Limited employee participation           Extensive employee participation and training
    Narrow stakeholder focus                 Broad stakeholder focus
    Auditors and other specialists           Staff at all levels, in all functions, are the primary control analysts

    The following answers are incorrect:

    The other options correctly describe the traditional approach.

    Reference:
    CISA review manual 2014 page number 61, 62 and 63

  4. Which of the following is the most important benefit of control self-assessment (CSA)?

    • CSA is policy/rule driven
    • In CSA approach, risk is identified sooner
    • CSA requires limited employee participation
    • In CSA, resources are being used in an effective manner.

    Explanation:

    Control self-assessment is an assessment of controls made by the staff and management of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal controls of the organization are reliable. The CSA approach requires extensive employee participation and training, which helps employees understand the business risks; that in turn ensures risks are detected in a timely manner.

    For your exam you should know the information below about control self-assessment:

    Benefits of CSA
    Early detection of risk
    More efficient and improved internal controls
    Creation of cohesive teams through employee involvement
    Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives
    Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
    Highly motivated employees
    Improved audit training process
    Reduction in control cost
    Assurance provided to stakeholders and customers

    Traditional and CSA attributes

    Traditional (historical)                 CSA
    Assigns duties / supervises staff        Empowered / accountable employees
    Policy / rule driven                     Continuous improvement / learning curve
    Limited employee participation           Extensive employee participation and training
    Narrow stakeholder focus                 Broad stakeholder focus
    Auditors and other specialists           Staff at all levels, in all functions, are the primary control analysts

    The following answers are incorrect:

    The other options do not correctly describe CSA.

    Reference:
    CISA review manual 2014 page number 61, 62 and 63

  5. Which of the following testing procedures is used by the auditor during an accounting audit to check for errors in the balance sheet and other financial documentation?

    • Compliance testing
    • Sanity testing
    • Recovery testing
    • Substantive testing

    Explanation:

    Substantive testing is a procedure used during accounting audits to check for errors in balance sheets and other financial documentation. A substantive test might involve checking a random sample of transactions for errors, comparing account balances to find discrepancies, or analysis and review of the procedures used to execute and record transactions.

    Substantive testing is the stage of an audit when the auditor gathers evidence as to the extent of misstatements in the client’s accounting records or other information. This evidence is referred to as substantive evidence and is an important factor in determining the auditor’s opinion on the financial statements as a whole. The audit procedures used to gather this evidence are referred to as substantive procedures, or substantive tests.
    Substantive procedures (or substantive tests) are those activities performed by the auditor during the substantive testing stage of the audit that gather evidence as to the completeness, validity and/or accuracy of account balances and underlying classes of transactions.

    Account balances and underlying classes of transaction must not contain any material misstatements. They must be materially complete, valid and accurate. Auditors gather evidence about these assertions by undertaking substantive procedures, which may include:

    Physically examining inventory on the balance date as evidence that the inventory shown in the accounting records actually exists (validity assertion);
    Arranging for suppliers to confirm in writing the details of the amount owing at the balance date as evidence that accounts payable is complete (completeness assertion); and
    Making inquiries of management about the collectability of customers’ accounts as evidence that trade debtors is accurate as to its valuation.

    Evidence that an account balance or class of transaction is not complete, valid or accurate is evidence of a substantive misstatement.

    The following answers are incorrect:

    Compliance testing – Compliance testing is basically an audit of a system carried out against a known criterion.
    Sanity testing – Testing to determine if a new software version is performing well enough to accept it for a major testing effort. If the application crashes on initial use, the system is not stable enough for further testing, and the build or application is sent back to be fixed.
    Recovery testing – Testing how well a system recovers from crashes, hardware failures, or other catastrophic problems.

    Reference:
    CISA review manual 2014 page number 52 and 53
    http://www.businessdictionary.com/definition/compliance-test.html

  6. Which of the following testing procedures is used by an auditor to check whether a firm is following the rules and regulations applicable to an activity or practice?

    • Compliance testing
    • Sanity testing
    • Recovery testing
    • Substantive testing

    Explanation:

    Compliance testing is an audit undertaken to confirm whether a firm is following the rules and regulations (prescribed by its internal authority or control system) applicable to an activity or practice.

    Compliance testing is basically an audit of a system carried out against a known criterion. A compliance test may come in many different forms depending on the request received, but it can basically be broken down into several different types:

    Operating Systems and Applications: A verification that an operating system and/or applications are configured appropriately to the company’s needs and lockdown requirements, thus providing adequate and robust controls to ensure that the confidentiality, integrity and availability of the system will not be affected in its normal day-to-day operation.
    Systems in development: A verification that the intended system under development meets the configuration and lockdown standards requested by the customer.
    Management of IT and Enterprise Architecture: A verification that an IT management infrastructure encompassing all aspects of system support is in place. This is to ensure that effective change control, audit, business continuity and security procedures etc. have been formulated, documented and put in place.
    Interconnection Policy: A verification that adequate security and business continuity controls governing connections to other systems, be they telecommunications, intranets, extranets, the Internet etc., have been put in place, have been fully documented and correspond to the stated customer requirements.

    The following answers are incorrect:

    Substantive testing – A procedure used during accounting audits to check for errors in balance sheets and other financial documentation. A substantive test might involve checking a random sample of transactions for errors, comparing account balances to find discrepancies, or analysis and review of the procedures used to execute and record transactions.

    Sanity testing – Testing to determine if a new software version is performing well enough to accept it for a major testing effort. If the application crashes on initial use, the system is not stable enough for further testing, and the build or application is sent back to be fixed.

    Recovery testing – Testing how well a system recovers from crashes, hardware failures, or other catastrophic problems.

    Reference:

    CISA review manual 2014 page number 52 and 53
    http://www.wikijob.co.uk/wiki/substantive-testing

  7. What are the different types of Audits?

    • Compliance, financial, operational, forensic and integrated
    • Compliance, financial, operational, G9 and integrated
    • Compliance, financial, SA1, forensic and integrated
    • Compliance, financial, operational, forensic and capability

    Explanation:

    Compliance, financial, operational, forensic and integrated are different types of audit.

    For your exam you should know the information below:

    What is an audit?
    An audit, in general terms, is a process of evaluating an individual’s or organization’s accounts. This is usually done by an independent auditing body. Thus, an audit involves a competent and independent person obtaining evidence and evaluating it objectively with regard to a given entity, which is the subject of the audit, in order to establish conformance to a given set of standards. An audit can be of a person, organization, system, enterprise, project or product.

    Compliance Audit
    A compliance audit is a comprehensive review of an organization’s adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security policies, user access controls and risk management procedures over the course of a compliance audit. Compliance audits include specific tests of controls to demonstrate adherence to a specific regulatory or industry standard. These audits often overlap traditional audits, but may focus on a particular system or data.

    What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data. For instance, SOX requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure. Health care providers that store or transmit e-health records, like personal health information, are subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often generated by data from event log management software.

    Financial Audit
    A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to expressing an audit opinion. The audit opinion is intended to provide reasonable assurance, but not absolute assurance, that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to provide an objective, independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thus increasing user confidence in the financial statements, reducing investor risk and consequently reducing the cost of capital of the preparer of the financial statements.

    Operational Audit
    An operational audit is a systematic review of the effectiveness, efficiency and economy of operations. It is a future-oriented, systematic and independent evaluation of organizational activities. In an operational audit, financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. An operational audit is a more comprehensive form of internal audit.

    The Institute of Internal Auditors (IIA) defines an operational audit as a systematic process of evaluating an organization’s effectiveness, efficiency and economy of operations under management’s control and reporting to appropriate persons the results of the evaluation along with recommendations for improvement.

    Objectives
    To appraise the effectiveness and efficiency of a division, activity, or operation of the entity in meeting organizational goals.
    To understand the responsibilities and risks faced by an organization.
    To identify, with management participation, opportunities for improving control.
    To provide senior management of the organization with a detailed understanding of the Operations.

    Integrated Audits
    An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess overall objectives within an organization related to financial information and asset safeguarding, efficiency and compliance. It can be performed by external or internal auditors and includes compliance tests of internal controls and substantive audit steps.

    IS Audit
    An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization’s goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

    The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization’s information. Specifically, information technology audits are used to evaluate the organization’s ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to answer the following:

    Will the organization’s computer systems be available for the business at all times when required? (known as availability)
    Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)
    Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)

    In this way, the audit hopes to assess the risk to the company’s valuable asset (its information) and establish methods of minimizing those risks.

    Forensic Audit
    A forensic audit is the activity that consists of gathering, verifying, processing, analyzing and reporting on data in order to obtain facts and/or evidence – in a predefined context – in the area of legal/financial disputes and/or irregularities (including fraud), and giving preventative advice.

    The purpose of a forensic audit is to use accounting procedures to collect evidence for the prosecution or investigation of financial crimes such as theft or fraud. Forensic audits may be conducted to determine if wrongdoing occurred, or to gather materials for the case against an alleged criminal.

    The following answers are incorrect:
    Compliance, financial, operational, forensic and integrated are different types of audits. G9, SA1 and capability are not the audit types.

    Reference:

    CISA Review Manual 2014 Page number 47
    http://searchcompliance.techtarget.com/definition/compliance-audit
    http://en.wikipedia.org/wiki/Financial_audit
    http://en.wikipedia.org/wiki/Operational_auditing
    http://en.wikipedia.org/wiki/Information_technology_audit
    http://www.investorwords.com/16445/forensic_audit.html

  8. Statistical sampling is NOT based on which of the following audit sample techniques?

    • Haphazard Sampling
    • Random Sampling
    • Cell Sampling
    • Fixed interval sampling

    Explanation:

    The NOT keyword is used in the question. You need to find the option that is NOT an example of statistical sampling. Statistical sampling is NOT based on haphazard sampling.

    For your exam you should know the information below:

    Audit samples are selected for the purpose of collecting representative evidence to be subjected to either compliance testing or substantive testing. The auditor should consider a selection technique that will provide the most relevant evidence, supported by appropriate analytical procedures.
    Two basic types of audit samples can be designed by the auditor to fulfill their requirements:
    statistical and nonstatistical. The accompanying figure (not reproduced here) shows the various audit samples, as well as their testing methods. Care is given to the selection process in order to avoid drawing the wrong conclusion from the wrong sample. This is referred to as sampling risk. Let’s look at each of these samples more closely.

    Statistical Sampling
    Statistical sampling uses mathematical techniques that result in an outcome that is mathematically quantifiable. Statistical samples are usually presented as a percentage. The purpose of statistical sampling is to gain an objective representation. Samples are selected by an objective mathematical process. The auditor should be aware that if the client has strong internal controls, the sample sizes may be smaller because the odds of fraud or failure will be lower.
    Examples of statistical sampling include the following:

    Random sampling – Samples are selected at random.
    Cell sampling – Random selection is performed at predefined intervals.
    Fixed interval sampling – The sample existing at every n-th interval increment is selected for testing.

    Nonstatistical Sampling
    Nonstatistical sampling is based on the auditor’s judgment (also referred to as judgmental sampling). The auditor determines the sample size, the method of generating the sample, and the number of items to be analyzed. The results of judgmental sampling are unlikely to represent the actual population. This is a subjective process usually based on elements of risk or materiality. An example of nonstatistical sampling is haphazard sampling, in which the samples are randomly drawn for testing.
    After the samples are selected, the next step is to perform compliance tests or substantive testing.

    Conducting Audit Testing
    As stated earlier, the basic test methods used will be either compliance testing or substantive testing. Appropriate audit samples will have to be generated for the test.

    Compliance Testing
    Compliance testing tests for the presence or absence of something. Compliance testing includes verifying that policies and procedures have been put in place, and checking that user access rights, program change control procedures, and system audit logs have been activated. An example of a compliance test is comparing the list of persons with physical access to the data center against the HR list of current employees.

    Compliance testing is based on one of the following types of audit samples:

    Attribute sampling – Generally popular in compliance testing. The objective is to determine whether an attribute is present or absent in the subject sample. The result is specified by the rate of occurrence—for example, the presence of 1 in 100 units would be 1 percent.
    Stop-and-go sampling – Used when few errors are expected. Stop-and-go allows the test to occur without excessive effort in sampling and provides the opportunity to stop testing at the earliest possible opportunity. It is a simple form of testing to reinforce any claim that errors are unlikely in the sample population.
    Discovery sampling – A 100 percent sampling used to detect fraud or when the likelihood of evidence existing is low. Forensics is an excellent example of discovery sampling. This is an attempt to discover evidence.
    Precision, or expected error rate – The precision rate indicates the acceptable margin of error between audit samples and the total quantity of the subject population. This is usually expressed as a percentage, such as 5 percent. To obtain a very low error rate, it is necessary to use a very large sample in testing. Auditors are justified in using a smaller sample size when the total population is expected to be error-free. A larger sample is required when errors are expected to be present in the population. The larger sample can yield a higher average. When errors are expected, the auditor must examine more data to determine whether the actual errors are within a tolerable error rate (the maximum errors you would accept).
    Error levels may be determined by reviewing the findings of a prior audit and by considering changes in the organization’s procedures. Use the risk-based audit strategy to determine whether your samples and tests are telling the truth about the auditee.

    Substantive Testing
    Substantive testing seeks to verify the content and integrity of evidence. Substantive tests may include complex calculations to verify account balances, perform physical inventory counts, or execute sample transactions to verify the accuracy of supporting documentation. Substantive tests use audit samples selected by dollar value or to project (forecast or estimate) a total for groups with related characteristics.

    Substantive testing is based on one of the following types of audit samples:

    Variable sampling: Used to designate dollar values or weights (effectiveness) of an entire subject population by prorating from a smaller sample. Consider the challenge of counting large volumes of currency by its weight. Variable sampling could be used to count currency by multiplying the physical weight of one unit by the total weight of the combined sample, and then multiplying by the face value printed on the bill or coin. A demonstration is a single $50 bill weighing 1.0 gram, with the entire sample of $50 bills weighing 61 grams altogether. The combined sample weight would indicate a total quantity of 61 bills for an estimated dollar value of $3,050. This is a common technique for forecasting the quantity and value of inventory based on particular characteristics.
    Unstratified mean estimation: Used in an attempt to project an estimated total for the whole subject population.
    Stratified mean estimation: Used to calculate an average by group, similar to demographics, whereby the entire population is divided (stratified) into smaller groups based on similar characteristics. Examples are teenagers from the ages of 13 to 19, people from the ages of 20 to 29, people from the ages of 30 to 39, and those who are male or female, smokers or nonsmokers, and so on.
    Difference estimation: Used to determine the difference between audited and unaudited claims of value.
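    As an added worked example (not from the original page or the CISA manuals), the three substantive-sampling projections described above, computed over a constructed inventory sample. The item values, strata, population counts and book totals are assumed for illustration only; the point is to see how far an unstratified projection drifts from the stratified one on a population with a few high-value items.

    ```python
    """Substantive-sampling estimators: unstratified mean, stratified mean, difference.

    Added example, not from the CISA manuals or the original page.
    All figures below are constructed for illustration.
    """
    from statistics import mean

    # Constructed audit sample: (stratum, book value, audited value) per inventory item
    SAMPLE = [
        ("high", 1200.0, 1150.0),
        ("high", 980.0, 980.0),
        ("high", 1500.0, 1420.0),
        ("low", 40.0, 40.0),
        ("low", 55.0, 50.0),
        ("low", 35.0, 35.0),
        ("low", 60.0, 60.0),
    ]
    # Constructed population: item count and recorded (book) total per stratum
    POPULATION = {
        "high": {"n": 30, "book_total": 36000.0},
        "low": {"n": 400, "book_total": 19000.0},
    }


    def unstratified_mean_estimate(sample, population_size):
        """Project the population total from the average audited value of all sampled items."""
        return mean([audited for _, _, audited in sample]) * population_size


    def stratified_mean_estimate(sample, population):
        """Average each stratum separately, scale by that stratum's item count, then sum."""
        total = 0.0
        for stratum, info in population.items():
            audited = [a for s, _, a in sample if s == stratum]
            total += mean(audited) * info["n"]
        return total


    def difference_estimate(sample, population):
        """Project the average (audited - book) difference onto the population and adjust the book total."""
        n_pop = sum(i["n"] for i in population.values())
        book_total = sum(i["book_total"] for i in population.values())
        avg_diff = mean([a - b for _, b, a in sample])
        return book_total + avg_diff * n_pop


    def projected_misstatement(estimate, population):
        """Book total minus the projected total; compare this against the tolerable error."""
        return sum(i["book_total"] for i in population.values()) - estimate
    ```

    With these figures the unstratified projection is several times the book total because the seven-item average is dominated by the three high-value items, while the stratified projection lands within $1,000 of it.
    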

    The following answers are incorrect:

    The other options, random sampling, cell sampling and fixed interval sampling, are examples of statistical sampling rather than compliance testing samples.

    Reference:

    CISA Review Manual 2014, pages 55 to 56
    CISA Certified Information Systems Auditor Study Guide, Second Edition, pages 98 to 101

  9. An organization performs nightly backups but does not have a formal policy. An IS auditor should FIRST:

    • evaluate current backup procedures
    • escalate to senior management
    • document a policy for the organization
    • recommend automated backup
  10. An IS auditor reviewing an organization’s data privacy controls observes that privacy notices do not clearly state how the organization uses customer data for its processing operations. Which of the following data protection principles MUST be implemented to address this gap?

    • Maintenance of data integrity
    • Access to collected data
    • Retention of consent documentation
    • Purpose for data collection
  11. An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

    • phishing
    • structured query language (SQL) injection
    • denial of service (DoS)
    • buffer overflow
  12. In a follow-up audit, an IS auditor notes that management has addressed the original findings in a different way than originally agreed upon. The auditor should FIRST:

    • mark the recommendation as satisfied and close the finding
    • verify if management’s action mitigates the identified risk
    • re-perform the audit to assess the changed control environment
    • escalate the deviation to the audit committee
  13. An organization is considering outsourcing the processing of customer insurance claims. An IS auditor notes that customer data will be sent offshore for processing. Which of the following would be the BEST way to address the risk of exposing customer data?

    • Require background checks on all service provider personnel involved in the processing of data.
    • Recommend the use of a service provider within the same country as the organization.
    • Consider whether the service provider has the ability to meet service level agreements (SLAs).
    • Assess whether the service provider meets the organization’s data protection policies.
  14. An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined the user list was not system-generated. Which of the following should be the GREATEST concern?

    • Source of the user list reviewed
    • Availability of the user list reviewed
    • Confidentiality of the user list reviewed
    • Completeness of the user list reviewed
  15. Which of the following should an IS auditor determine FIRST when evaluating additional hardware required to support the acquisition of a new accounting system?

    • A training program has been developed to support the new accounting system.
    • The supplier has experience supporting accounting systems.
    • The hardware specified will be compliant with the current IT strategy.
    • The hardware will be installed in a secure and environmentally controlled area.
  16. A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?

    • Review a sample of PCRs for proper approval throughout the program change process.
    • Trace a sample of program changes from the log to completed PCR forms.
    • Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date.
    • Trace a sample of complete PCR forms to the log of all program changes.
  17. An IS auditor submitted audit reports and scheduled a follow-up audit engagement with a client. The client has requested to engage the services of the same auditor to develop enhanced controls. What is the GREATEST concern with this request?

    • It would require the approval of the audit manager.
    • It would be beyond the original audit scope.
    • It would be a possible conflict of interest.
    • It would require a change to the audit plan.
  18. An IS auditor is evaluating the completeness of privacy procedures involving personally identifiable information (PII). Which of the following is MOST important for the auditor to verify is included in the procedures?

    • Regulatory requirements for protecting PII
    • The organization’s definition of PII
    • Encryption requirements for transmitting PII externally
    • A description of how PII is masked within key systems
  19. The risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?

    • Control
    • Prevention
    • Inherent
    • Detection
  20. An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?

    • Improve the change management process
    • Perform a configuration review
    • Establish security metrics
    • Perform a penetration test