Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 130

  1. The extent to which data will be collected during an IS audit should be determined based on the:

    • availability of critical and required information.
    • auditor’s familiarity with the circumstances.
    • auditee’s ability to find relevant evidence.
    • purpose and scope of the audit being done.

    The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would result most likely in less data collection, than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor’s familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee’s ability to find relevant evidence.

  2. While planning an audit, an assessment of risk should be made to provide:

    • reasonable assurance that the audit will cover material items.
    • definite assurance that material items will be covered during the audit work.
    • reasonable assurance that all items will be covered by the audit.
    • sufficient assurance that all items will be covered during the audit work.
    The ISACA IS Auditing Guideline G15 on planning the IS audit states, ‘An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems.’ Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.
  3. An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:

    • the probability of error must be objectively quantified.
    • the auditor wishes to avoid sampling risk.
    • generalized audit software is unavailable.
    • the tolerable error rate cannot be determined.
    Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Choice B is incorrect because sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples. Choice C is incorrect because statistical sampling does not require the use of generalized audit software. Choice D is incorrect because the tolerable error rate must be predetermined for both judgment and statistical sampling.
  4. During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:

    • address audit objectives.
    • collect sufficient evidence.
    • specify appropriate tests.
    • minimize audit resources.
    ISACA auditing standards require that an IS auditor plan the audit work to address the audit objectives. Choice B is incorrect because the auditor does not collect evidence in the planning stage of an audit. Choices C and D are incorrect because they are not the primary goals of audit planning. The activities described in choices B, C and D are all undertaken to address audit objectives and are thus secondary to choice A.
  5. When selecting audit procedures, an IS auditor should use professional judgment to ensure that:

    • sufficient evidence will be collected.
    • all significant deficiencies identified will be corrected within a reasonable period.
    • all material weaknesses will be identified.
    • audit costs will be kept at a minimum level.
    Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate and the auditor’s past experience plays a key role in making a judgment. ISACA’s guidelines provide information on how to meet the standards when performing IS audit work. Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the audit.
  6. An IS auditor evaluating logical access controls should FIRST:

    • document the controls applied to the potential access paths to the system.
    • test controls over the access paths to determine if they are functional.
    • evaluate the security environment in relation to written policies and practices
    • obtain an understanding of the security risks to information processing.
    When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risks facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk assessment. Documentation and evaluation is the second step in assessing the adequacy, efficiency and effectiveness, thus identifying deficiencies or redundancy in controls. The third step is to test the access paths-to determine if the controls are functioning. Lastly, the lS auditor evaluates the security environment to assess its adequacy by reviewing the written policies, observing practices and comparing them to appropriate security best practices.
  7. The PRIMARY purpose of an IT forensic audit is:

    • to participate in investigations related to corporate fraud.
    • the systematic collection of evidence after a system irregularity.
    • to assess the correctness of an organization’s financial statements
    • to determine that there has been criminal activity.
    Choice B describes a forensic audit. The evidence collected could then be used in judicial proceedings. Forensic audits are not limited to corporate fraud. Assessing the correctness of an organization’s financial statements is not the purpose of a forensic audit. Drawing a conclusion to criminal activity would be part of a legal process and not the objective of a forensic audit.
  8. An IS auditor is performing an audit of a remotely managed server backup. The IS auditor reviews the logs for one day and finds one case where logging on a server has failed with the result that backup restarts cannot be confirmed. What should the auditor do?

    • Issue an audit finding
    • Seek an explanation from IS management
    • Review the classifications of data held on the server
    • Expand the sample of logs reviewed
    Audit standards require that an IS auditor gather sufficient and appropriate audit evidence. The auditor has found a potential problem and now needs to determine if this is an isolated incident or a systematic control failure. At this stage it is too preliminary to issue an audit finding and seeking an explanation from management is advisable, but it would be better to gather additional evidence to properly evaluate the seriousness of the situation. A backup failure, which has not been established at this point, will be serious if it involves critical data. However, the issue is not the importance of the data on the server, where a problem has been detected, but whether a systematic control failure that impacts other servers exists.
  9. In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential anomalies in user or system behavior. Which of the following tools are MOST suitable for performing that task?

    • CASE tools
    • Embedded data collection tools
    • Heuristic scanning tools
    • Trend/variance detection tools
    Trend/variance detection tools look for anomalies in user or system behavior, for example, determining whether the numbers for prenumbered documents are sequential or increasing. CASE tools are used to assist software development. Embedded (audit) data collection software is used for sampling and to provide production statistics. Heuristic scanning tools can be used to scan for viruses to indicate possible infected code.
  10. An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?

    • There are a number of external modems connected to the network.
    • Users can install software on their desktops.
    • Network monitoring is very limited.
    • Many user IDs have identical passwords.
    Exploitation of a known user ID and password requires minimal technical knowledge and exposes the network resources to exploitation. The technical barrier is low and the impact can be very high; therefore, the fact that many user IDs have identical passwords represents the greatest threat. External modems represent a security risk, but exploitation still depends on the use of a valid user account. While the impact of users installing software on their desktops can be high {for example, due to the installation of Trojans or key-logging programs), the likelihood is not high due to the level of technical knowledge required to successfully penetrate the network. Although network monitoring can be a useful detective control, it will only detect abuse of user accounts in special circumstances and is, therefore, not a first line of defense.
  11. Which of the following is the PRIMARY advantage of using computer forensic software for investigations?

    • The preservation of the chain of custody for electronic evidence
    • Time and cost savings
    • Efficiency and effectiveness
    • Ability to search for violations of intellectual property rights
    The primary objective of forensic software is to preserve electronic evidence to meet the rules of evidence. Choice B, time and cost savings, and choice C, efficiency and effectiveness, are legitimate concerns that differentiate good from poor forensic software packages. Choice D, the ability to search for intellectual property rights violations, is an example of a use of forensic software.
  12. An IS auditor has imported data from the client’s database. The next step-confirming whether the imported data are complete-is performed by:

    • matching control totals of the imported data to control totals of the original data.
    • sorting the data to confirm whether the data are in the same order as the original data.
    • reviewing the printout of the first 100 records of original data with the first 100 records of imported data.
    • filtering data for different categories and matching them to the original data.
    Matching control totals of the imported data with control totals of the original data is the next logical step, as this confirms the completeness of the imported datA. It is not possible to confirm completeness by sorting the imported data, because the original data may not be in sorted order. Further, sorting does not provide control totals for verifying completeness. Reviewing a printout of 100 records of original data with 100 records of imported data is a process of physical verification and confirms the accuracy of only these records. Filtering data for different categories and matching them to original data would still require that control totals be developed to confirm the completeness of the data.
  13. The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?

    • Test data
    • Generalized audit software
    • Integrated test facility
    • Embedded audit module
    Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining if there were overpayments and to whom they were made. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period.
  14. During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:

    • create the procedures document.
    • terminate the audit.
    • conduct compliance testing.
    • identify and evaluate existing practices.
    One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation, as doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.
  15. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:

    • identify and assess the risk assessment process used by management.
    • identify information assets and the underlying systems.
    • disclose the threats and impacts to management.
    • identify and evaluate the existing controls.
    It is important for an IS auditor to identify and evaluate the existing controls and security once the potential threats and possible impacts are identified. Upon completion of an audit an IS auditor should describe and discuss with management the threats and potential impacts on the assets.
  16. Which of the following should be of MOST concern to an IS auditor?

    • Lack of reporting of a successful attack on the network
    • Failure to notify police of an attempted intrusion
    • Lack of periodic examination of access rights
    • Lack of notification to the public of an intrusion
    Not reporting an intrusion is equivalent to an IS auditor hiding a malicious intrusion, which would be a professional mistake. Although notification to the police may be required and the lack of a periodic examination of access rights might be a concern, they do not represent as big a concern as the failure to report the attack. Reporting to the public is not a requirement and is dependent on the organization’s desire, or lack thereof, to make the intrusion known.
  17. Which of the following would normally be the MOST reliable evidence for an auditor?

    • A confirmation letter received from a third party verifying an account balance
    • Assurance from line management that an application is working as designed
    • Trend data obtained from World Wide Web (Internet) sources
    • Ratio analysts developed by the IS auditor from reports supplied by line management
    Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable.
  18. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?

    • The point at which controls are exercised as data flow through the system
    • Only preventive and detective controls are relevant
    • Corrective controls can only be regarded as compensating
    • Classification allows an IS auditor to determine which controls are missing
    An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect, since corrective controls remove or reduce the effects of errors or irregularities and are exclusively regarded as compensating controls. Choice D is incorrect and irrelevant since the existence and function of controls is important, not the classification.
  19. Which audit technique provides the BEST evidence of the segregation of duties in an IS department?

    • Discussion with management
    • Review of the organization chart
    • Observation and interviews
    • Testing of user access rights
    By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IS staff, the auditor can get an overview of the tasks performed. Based on the observations and interviews the auditor can evaluate the segregation of duties. Management may not be aware of the detailed functions of each employee in the IS department; therefore, discussion with the management would provide only limited information regarding segregation of duties. An organization chart would not provide details of the functions of the employees. Testing of user rights would provide information about the rights they have within the IS systems, but would not provide complete information about the functions they perform.
  20. During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:

    • test data to validate data input.
    • test data to determine system sort capabilities.
    • generalized audit software to search for address field duplications.
    • generalized audit software to search for account field duplications.
    Since the name is not the same {due to name variations), one method to detect duplications would be to compare other common fields, such as addresses. A subsequent review to determine common customer names at these addresses could then be conducted. Searching for duplicate account numbers would not likely find duplications, since customers would most likely have different account numbers for each variation. Test data would not be useful to detect the extent of any data characteristic, but simply to determine how the data were processed.