An IS auditor is reviewing security controls for a critical web based system prior to implementation

The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them to set up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?

a) Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit

b) Sharing the scripts is required because IT must have the ability to review all programs and software that run on IS systems, regardless of audit independence

c) Sharing is permissible as long as IT recognizes that audits may still be conducted in areas not covered by the scripts

d) Sharing is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring

C

Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?

a) Complexity of the organization's operations

b) Findings and issues noted from the prior year

c) Purpose, objective and scope of the audit

d) Auditor's familiarity with the organization

C

An IS auditor is developing an audit plan for an environment that includes new systems. The company's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

a) Audit the new systems as requested by management

b) Audit systems not included in the prior year's scope

c) Determine the highest-risk systems and plan accordingly

d) Audit both the systems not in the prior year's scope and the new systems

C

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?

a) Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing

b) Publish a report omitting the areas where the evidence obtained from testing was inconclusive

c) Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained

d) Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed

A

An IS auditor is verifying IT policies and finds that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?

a) Ignore the absence of management approval because employees follow the policies

b) Recommend immediate management approval of the policies

c) Emphasize the importance of approval to management

d) Report the absence of documented approval

D

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should:

a) recommend that this separate project be completed as soon as possible

b) report this issue as a finding in the audit report

c) recommend the adoption of the Zachman framework

d) re-scope the audit to include the separate project as part of the current audit

B

What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:

a) interface with various types of enterprise resource planning (ERP) software and databases

b) accurately capture data from the organization's systems without causing excessive performance problems

c) introduce audit hooks into the company's financial systems to support continuous auditing

d) be customizable and support inclusion of custom programming to aid in investigative analysis

B

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and:

a) length of service, because this will help ensure technical competence

b) age, because training in audit techniques may be impractical

c) IT knowledge, because this will bring enhanced credibility to the audit function

d) ability, as an IS auditor, to be independent of existing IT relationships

D

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?

a) use of computer-assisted audit techniques (CAATs)

b) quarterly risk assessments

c) sampling of transaction logs

d) continuous auditing

D

An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of:

a) variable sampling

b) substantive testing

c) compliance testing

d) stop-or-go sampling

C

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?

a) inherent

b) detection

c) control

d) business

B

Which of the following is the MOST critical step when planning an IS audit?

a) review findings from prior audits

b) executive management's approval of the audit plan

c) review information security policies and procedures

d) perform a risk assessment

D

An audit charter should:

a) be dynamic and change to coincide with the changing nature of technology and the audit profession

b) clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls

c) document the audit procedures designed to achieve the planned audit objectives

d) outline the overall authority, scope and responsibilities of the audit function

D

An IS auditor finds a small number of user access requests that had not been authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:

a) perform an additional analysis

b) report the problem to the audit committee

c) conduct a security risk assessment

d) recommend that the owner of the identity management (IDM) system fix the workflow issues

A

Which of the following sampling methods is MOST useful when testing for compliance?

a) attribute sampling

b) variable sampling

c) stratified mean per unit sampling

d) difference estimation sampling

A

When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling would not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?

a) develop an alternate testing procedure

b) report the finding to management

c) perform a walkthrough of the change management process

d) create additional sample data to test additional changes

A

Which of the following situations could impair the independence of an IS auditor? The IS auditor:

a) implemented specific functionality during the development of an application

b) designed an embedded audit module for auditing an application

c) participated as a member of an application project team and did not have operational responsibilities

d) provided consulting advice concerning application good practices

A

The PRIMARY advantage of a continuous audit approach is that it:

a) does not require an IS auditor to collect evidence on system reliability while processing is taking place

b) allows the IS auditor to review and follow up on audit issues in a timely manner

c) places the responsibility for enforcement and monitoring of controls on the security department instead of audit

d) simplifies the extraction and correlation of data from multiple and complex systems

B

While planning an IS audit, an assessment of the risk should be made to provide:

a) reasonable assurance that the audit will cover material items

b) definite assurance that material items will be covered during the audit work

c) reasonable assurance that all items will be covered by the audit

d) sufficient assurance that all items will be covered during the audit work

A

The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:

a) inform the audit committee of the potential issue

b) review audit logs for the IDs in question

c) document the finding and explain the risk of using shared IDs

d) request that the IDs be removed from the system

C

An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to determine:

a) that the control is operating efficiently

b) that the control is operating as designed

c) the integrity of data controls

d) the reasonableness of financial reporting controls

B

The vice president of HR has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?

a) generate sample test data

b) generalized audit software

c) integrated test facility

d) embedded audit module

B