Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 129

  1. Processing controls ensure that data is accurate and complete, and is processed only through which of the following?

    • Documented routines
    • Authorized routines
    • Accepted routines
    • Approved routines

    Processing controls ensure that data is accurate and complete, and is processed only through authorized routines.

  2. What is a data validation edit control that matches input data to an occurrence rate? Choose the BEST answer.

    • Accuracy check
    • Completeness check
    • Reasonableness check
    • Redundancy check
    A reasonableness check is a data validation edit control that matches input data to an occurrence rate.
  3. Database snapshots can provide an excellent audit trail for an IS auditor. True or false?

    • True
    • False
    Database snapshots can provide an excellent audit trail for an IS auditor.
  4. An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered?

    • Substantive
    • Compliance
    • Integrated
    • Continuous audit
    Using a statistical sample to inventory the tape library is an example of a substantive test.
  5. An IS auditor is reviewing access to an application to determine whether the 10 most recent “new user” forms were correctly authorized. This is an example of:

    • variable sampling.
    • substantive testing.
    • compliance testing.
    • stop-or-go sampling.
    Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing; such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
  6. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?

    • Inherent
    • Detection
    • Control
    • Business
    Detection risks are directly affected by the auditor’s selection of audit procedures and techniques. Inherent risks are not usually affected by an IS auditor. Control risks are controlled by the actions of the company’s management. Business risks are not affected by an IS auditor.
  7. Overall business risk for a particular threat can be expressed as:

    • a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
    • the magnitude of the impact should a threat source successfully exploit the vulnerability.
    • the likelihood of a given threat source exploiting a given vulnerability.
    • the collective judgment of the risk assessment team.
    Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.
  8. Which of the following is a substantive test?

    • Checking a list of exception reports
    • Ensuring approval for parameter changes
    • Using a statistical sample to inventory the tape library
    • Reviewing password history reports
    A substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of exception reports, reviewing authorization for changing parameters and reviewing password history reports are all compliance tests.
  9. Which of the following is a benefit of a risk-based approach to audit planning? Audit:

    • scheduling may be performed months in advance.
    • budgets are more likely to be met by the IS audit staff.
    • staff will be exposed to a variety of technologies.
    • resources are allocated to the areas of highest concern
    The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.
  10. An audit charter should:

    • be dynamic and change often to coincide with the changing nature of technology and the audit profession.
    • clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
    • document the audit procedures designed to achieve the planned audit objectives.
    • outline the overall authority, scope and responsibilities of the audit function.
    An audit charter should state management’s objectives for and delegation of authority to IS audit. This charter should not significantly change over time and should be approved at the highest level of management. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.
  11. The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:

    • information assets are overprotected.
    • a basic level of protection is applied regardless of asset value.
    • appropriate levels of protection are applied to information assets.
    • an equal proportion of resources are devoted to protecting all information assets.
    Full risk assessment determines the level of protection most appropriate to a given level of risk, while the baseline approach merely applies a standard set of protection regardless of risk. There is a cost advantage in not overprotecting information. However, an even bigger advantage is making sure that no information assets are over- or under protected. The risk assessment approach will ensure an appropriate level of protection is applied, commensurate with the level of risk and asset value and, therefore, considering asset value. The baseline approach does not allow more resources to be directed toward the assets at greater risk, rather than equally directing resources to all assets.
  12. Which of the following sampling methods is MOST useful when testing for compliance?

    • Attribute sampling
    • Variable sampling
    • Stratified mean per unit
    • Difference estimation
    Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.
  13. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?

    • Multiple cycles of backup files remain available.
    • Access controls establish accountability for e-mail activity.
    • Data classification regulates what information should be communicated via e-mail.
    • Within the enterprise, a clear policy for using e-mail ensures that evidence is available.
    Backup files containing documents that supposedly have been deleted could be recovered from these files. Access controls may help establish accountability for the issuance of a particular document, but this does not provide evidence of the e-mail. Data classification standards may be in place with regards to what should be communicated via e-mail, but the creation of the policy does not provide the information required for litigation purposes.
  14. An IS auditor is assigned to perform a post implementation review of an application system. Which pf the following situations may have impaired the independence of the IS auditor? The IS auditor:

    • implemented a specific control during the development of the application system.
    • designed an embedded audit module exclusively for auditing the application system.
    • participated as a member of the application system project team, but did not have operational responsibilities.
    • provided consulting advice concerning application system best practices.
    Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair an IS auditor’s independence. Choice D is incorrect because an IS auditor’s independence is not impaired by providing advice on known best practices.
  15. The PRIMARY advantage of a continuous audit approach is that it:

    • does not require an IS auditor to collect evidence on system reliability while processing is taking place.
    • requires the IS auditor to review and follow up immediately on all information collected.
    • can improve system security when used in time-sharing environments that process a large number of transactions.
    • does not depend on the complexity of an organization’s computer systems.
    The use of continuous auditing techniques can improve system security when used in time- sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization’s computer systems.
  16. When developing a risk-based audit strategy, an IS auditor conduct a risk assessment to ensure that:

    • controls needed to mitigate risks are in place.
    • vulnerabilities and threats are identified.
    • audit risks are considered.
    • a gap analysis is appropriate.
    In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.
    Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. A gap analysis would normally be done to compare the actual state to an expected or desirable state.
  17. To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:

    • schedule the audits and monitor the time spent on each audit.
    • train the IS audit staff on current technology used in the company.
    • develop the audit plan on the basis of a detailed risk assessment.
    • monitor progress of audits and initiate cost control measures.
    Monitoring the time (choice A) and audit programs {choice D), as well as adequate training (choice B), will improve the IS audit staff’s productivity (efficiency and performance), but that which delivers value to the organization are the resources and efforts being dedicated to, and focused on, the higher-risk areas.
  18. An organization’s IS audit charter should specify the:

    • short- and long-term plans for IS audit engagements
    • objectives and scope of IS audit engagements.
    • detailed training plan for the IS audit staff.
    • role of the IS audit function.
    An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope, and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee. Short- term and long-term planning is the responsibility of audit management. The objectives and scope of each IS audit should be agreed to in an engagement letter. A training plan, based on the audit plan, should be developed by audit management.
  19. An IS auditor is evaluating management’s risk assessment of information systems. The IS auditor should FIRST review:

    • the controls already in place.
    • the effectiveness of the controls in place.
    • the mechanism for monitoring the risks related to the assets.
    • the threats/vulnerabilities affecting the assets.
    One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase A mechanism to continuously monitor the risks related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.
  20. In planning an audit, the MOST critical step is the identification of the:

    • areas of high risk.
    • skill sets of the audit staff.
    • test steps in the audit.
    • time allotted for the audit.
    When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding and selecting the audit. Test steps for the audit are not as critical as identifying the areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are primarily selected based on the identification of risks.