Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 132

  1. In the process of evaluating program change controls, an IS auditor would use source code comparison software to:

    • examine source program changes without information from IS personnel.
    • detect a source program change made between acquiring a copy of the source and the comparison run.
    • confirm that the control copy is the current version of the production program.
    • ensure that all changes made in the current source copy are detected.

    An IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify changes. Choice B is incorrect, because the changes made since the acquisition of the copy are not included in the copy of the software. Choice C is incorrect, as an IS auditor will have to gain this assurance separately.
    Choice D is incorrect, because any changes made between the time the control copy was acquired and the source code comparison is made will not be detected.

  2. The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:

    • confirm that the auditors did not overlook any important issues.
    • gain agreement on the findings.
    • receive feedback on the adequacy of the audit procedures.
    • test the structure of the final presentation.
    The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings. The other choices, though related to the formal closure of an audit, are of secondary importance.
  3. Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?

    • Test data run
    • Code review
    • Automated code comparison
    • Review of code migration procedures
    An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about unexercised portions of a program. Code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. A code review can be used as a means of code comparison but it is inefficient. The review of code migration procedures would not detect program changes.
  4. Though management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should:

    • include the statement of management in the audit report.
    • identify whether such software is, indeed, being used by the organization.
    • reconfirm with management the usage of the software.
    • discuss the issue with senior management since reporting this could have a negative impact on the organization.
    When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not licensed, the auditor, to maintain objectivity and independence, must include this in the report.
  5. While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:

    • audit trail of the versioning of the work papers.
    • approval of the audit phases.
    • access rights to the work papers.
    • confidentiality of the work papers.
    Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.
  6. The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:

    • comply with regulatory requirements.
    • provide a basis for drawing reasonable conclusions.
    • ensure complete audit coverage.
    • perform the audit according to the defined scope.
    The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them.
    Complying with regulatory requirements, ensuring coverage and the execution of audit are all relevant to an audit but are not the reason why sufficient and relevant evidence is required.
  7. After initial investigation, an IS auditor has reasons to believe that fraud may be present.

    The IS auditor should:

    • expand activities to determine whether an investigation is warranted
    • report the matter to the audit committee.
    • report the possibility of fraud to top management and ask how they would like to be proceed.
    • consult with external legal counsel to determine the course of action to be taken.
    An IS auditor’s responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.
  8. Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?

    • Attribute sampling
    • Generalized audit software (GAS)
    • Test data
    • Integrated test facility (ITF)
    Generalized audit software (GAS) would enable the auditor to review the entire invoice file to look for those items that meet the selection criteria. Attribute sampling would aid in identifying records meeting specific conditions, but would not compare one record to another to identify duplicates. To detect duplicate invoice records, the IS auditor should check all of the items that meet the criteria and not just a sample of the items. Test data are used to verify program processing, but will not identify duplicate records. An integrated test facility (ITF) allows the IS auditor to test transactions through the production system, but would not compare records to identify duplicates.
  9. Which of the following would be the MOST effective audit technique for identifying segregation of duties violations in a new enterprise resource planning (ERP) implementation?

    • Reviewing a report of security rights in the system
    • Reviewing the complexities of authorization objects
    • Building a program to identify conflicts in authorization
    • Examining recent access rights violation cases
    Since the objective is to identify violations in segregation of duties, it is necessary to define the logic that will identify conflicts in authorization. A program could be developed to identify these conflicts. A report of security rights in the enterprise resource planning (ERP) system would be voluminous and time consuming to review; therefore, this technique is not as effective as building a program. As complexities increase, it becomes more difficult to verify the effectiveness of the systems and complexity is not, in itself, a link to segregation of duties. It is good practice to review recent access rights violation cases; however, it may require a significant amount of time to truly identify which violations actually resulted from an inappropriate segregation of duties.
  10. Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?

    • System log analysis
    • Compliance testing
    • Forensic analysis
    • Analytical review
    Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. It is unlikely that the system log analysis would provide information about the modification of programs. Forensic analysis is a specialized technique for criminal investigation. An analytical review assesses the general control environment of an organization.
  11. During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?

    • Recommend redesigning the change management process.
    • Gain more assurance on the findings through root cause analysis.
    • Recommend that program migration be stopped until the change process is documented.
    • Document the finding and present it to management.
    A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.
  12. During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?

    • Dumping the memory content to a file
    • Generating disk images of the compromised system
    • Rebooting the system
    • Removing the system from the network
    Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. The other choices are appropriate actions for preserving evidence.
  13. An IS auditor who was involved in designing an organization’s business continuity plan(BCP) has been assigned to audit the plan. The IS auditor should:

    • decline the assignment.
    • inform management of the possible conflict of interest after completing the audit assignment.
    • inform the business continuity planning (BCP) team of the possible conflict of interest prior to beginning the assignment.
    • communicate the possibility of conflict of interest to management prior to starting the assignment.
    Communicating the possibility of a conflict of interest to management prior to starting the assignment is the correct answer. A possible conflict of interest, likely to affect the auditor’s independence, should be brought to the attention of management prior to starting the assignment. Declining the assignment is not the correct answer because the assignment could be accepted after obtaining management approval. Informing management of the possible conflict of interest after completion of the audit assignment is not correct because approval should be obtained prior to commencement and not after the completion of the assignment. Informing the business continuity planning (BCP) team of the possible conflict of interest prior to starting of the assignment is not the correct answer since the BCP team would not have the authority to decide on this issue.
  14. An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?

    • Personally delete all copies of the unauthorized software.
    • Inform the auditee of the unauthorized software, and follow up to confirm deletion.
    • Report the use of the unauthorized software and the need to prevent recurrence to auditee management.
    • Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.
    The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in inherent exposure and can result in severe fines. An IS auditor must convince the user and user management of the risk and the need to eliminate the risk. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing or deleting the unauthorized software.
  15. Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:

    • include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.
    • not include the finding in the final report, because the audit report should include only unresolved findings.
    • not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit.
    • include the finding in the closing meeting for discussion purposes only.
    Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.
  16. During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas-the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:

    • record the observations separately with the impact of each of them marked against each respective finding.
    • advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones.
    • record the observations and the risk arising from the collective weaknesses.
    • apprise the departmental heads concerned with each observation and properly document it in the report.
    Individually the weaknesses are minor; however, together they have the potential to substantially weaken the overall control structure. Choices A and D reflect a failure on the part of an IS auditor to recognize the combined effect of the control weakness. Advising the local manager without reporting the facts and observations would conceal the findings from other stakeholders.
  17. During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:

    • ask the auditee to sign a release form accepting full legal responsibility.
    • elaborate on the significance of the finding and the risks of not correcting it.
    • report the disagreement to the audit committee for resolution.
    • accept the auditee’s position since they are the process owners.
    If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.
  18. When preparing an audit report, the IS auditor should ensure that the results are supported by:

    • statements from IS management.
    • workpapers of other auditors.
    • an organizational control self-assessment.
    • sufficient and appropriate audit evidence.
    ISACA’s standard on ‘reporting’ requires the IS auditor have sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be based on evidence collected during the course of the review even though the auditor may have access to the work papers of other auditors. The results of an organizational control self-assessment (CSA) could supplement the audit findings. Choices A, B and C might be referenced during an audit but, of themselves, would not be considered a sufficient basis for issuing a report.
  19. The final decision to include a material finding in an audit report should be made by the:

    • audit committee.
    • auditee’s manager.
    • IS auditor.
    • CEO of the organization
    The IS auditor should make the final decision about what to include or exclude from the audit report. The other choices would limit the independence of the auditor.
  20. The success of control self-assessment (CSA) highly depends on:

    • having line managers assume a portion of the responsibility for control monitoring.
    • assigning staff managers the responsibility for building, but not monitoring, controls.
    • the implementation of a stringent control policy and rule-driven controls.
    • the implementation of supervision and the monitoring of controls of assigned duties.
    The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a control self-assessment (CSA) program depends on the degree to which line managers assume responsibility for controls- Choices B, C and D are characteristics of a traditional audit approach, not a CSA approach.