Tuesday, April 2, 2019
CISA Questionnaire: The IS Audit Process (Information Technology Essay)
Explanation: This is an example of compliance testing, as it determines whether controls are functioning as per the policy. It would include inspecting new user account creation forms and matching them against the procedure to check that the process is being followed. Variable sampling is used to obtain numerical values. Substantive sampling tests the integrity of a process, such as credit/debit values and balances on financial statements. Stop-or-go sampling prevents excessive sampling of an attribute. The stop-or-go statistical sampling technique is used where it is believed or perceived that comparatively few errors will be found, so there is no point in over-sampling an attribute.

Q. Use of statistical sampling for tape library inventory is an example of the ____ type of sampling technique.
A. Variable
B. Substantive
C. Compliance
D. Stop or go
Ans. B
Explanation: This is an example of substantive sampling, which confirms the integrity of a process. This test will determine whether tape library records are stated in a correct manner.

Q. What is the major benefit of a risk based audit planning approach?
A. Planning schedule in advance over months
B. Staff exposure to varied technologies
C. Resource allocation to areas of top concern
D. Budget requirements are met by audit staff
Ans. C
Explanation: The objective of the risk based audit approach is to focus on areas where risk is high. Various scheduling methods are used to prepare audit schedules, and scheduling does not come under the risk based approach. It also does not relate to budget requirements met by staff or to the number of audits performed in a given year.

Q. Examples of substantive sampling technique include
A. Review of password history reports
B. Approval of parameter changes
C. Tape library inventory
D. Verifying list of exception reports
Ans. C
Explanation: Tape library inventory is an example of substantive sampling as it confirms the integrity of a process associated with determining whether tape records are stated in a correct manner. All others are examples of compliance sampling as they determine whether the process in use is in line with the established policies and procedures.

Q. The characteristic of an audit charter is
A. It is dynamic in nature and keeps changing frequently as the technology changes
B. It gives the objectives of audit, maintenance and review of internal records by delegated authority
C. Detailed audit procedures
D. Overall scope, ownership and responsibility of the audit function
Ans. D
Explanation: The audit charter states management objectives, scope, ownership and delegation of responsibility of the audit function. It should not change frequently and is ratified by higher management. Also it does not contain detailed audit procedures.

Q. The auditor's actions and decisions affect the ___ type of risk in a major manner.
A. Inherent
B. Detection
C. Control
D. Business
Ans. B
Explanation: Auditor selections and decisions during the audit process have a direct impact on detection risk, for example when a sufficient number of samples is not taken into consideration. Company actions manage the control risks, and business and inherent risks are also not impacted by the auditor.

Q. A particular threat to overall business risk can be articulated in terms of
A. Likelihood and magnitude of impact, where the threat successfully exploits a vulnerability
B. Magnitude of impact, where the source of threat successfully exploits a vulnerability
C. Probability of a given source of threat exploiting a vulnerability
D. Risk assessment team group decision
Ans. A
Explanation: Option A addresses both likelihood and magnitude of impact and measures risk to an asset in the best manner. Option B doesn't consider the magnitude of possible damage to an asset. Option C doesn't consider the possibility of damage due to a source threat exploiting a vulnerability, and option D is an arbitrary method of determining risk and is not a scientific risk management approach.

Q. The risk management approach over the baseline approach in information security management gives a major advantage in terms of
A. Over-protection of information assets
B. Base level protection to all assets irrespective of asset value
C. Adequate protection applied to all information assets
D. Equal level of protection for all information assets
Ans. C
Explanation: The baseline approach applies a standard set of protection to all information assets, whereas the risk management based approach determines the level of protection to be applied depending on a given level of risk. This saves the costs incurred on over-protection of an information asset. In the baseline approach an equal level of protection is applied to all information assets irrespective of asset value, so as a result some assets could be under-protected and some could be over-protected.

Q. Which testing method is most effective when doing compliance testing?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
Ans. A
Explanation: Option A is correct in this scenario. The attribute sampling model estimates the rate of occurrence of a specific quality in a population to confirm whether the quality is present in compliance testing. The other means of sampling are used in substantive testing, where detailed and quantity testing is done.

Q. Why is email considered a useful source of evidence in litigation in the IS audit process?
A. Wide use of email systems in enterprises as a medium of communication
B. Access control mechanisms to establish email communication accountability
C. Backup and archiving of information passing through email systems
D. Data classification guidelines dictating information flow via email systems
Ans. C
Explanation: Option C is most appropriate, as archived/backed up email files may contain documents which have been deleted and could be recovered. Access controls only establish accountability but don't give evidence of the email. Data classification standardizes what is to be communicated by email but doesn't provide the information needed for the litigation process.

Q. A post-implementation review of an application is scheduled by the IS auditor. What could be the possible situation which can hamper the independent assessment of the IS auditor?
A. Involved in the development of the specific application and implemented specific functionality / controls
B. Integrated an embedded audit module in the application for auditing purposes
C. Was part of the application system project team but not involved at operational level
D. Gave advice on considering best practices while the system was in the development stage
Ans. A
Explanation: Choice A is most appropriate in this scenario because the auditor's independence is affected in case he was involved actively during the development, acquisition and implementation of the new application. Choices B and C don't hamper auditor independence. Choice D is not correct as auditor independence is not hampered by giving advice on best practices.

Q. What is the benefit of a continuous audit approach?
A. Collection of evidence is not required on system reliability during the processing stage
B. Review and follow up on all information collected
C. Improvement in overall security in a time sharing environment where a large number of transactions is processed
D. No dependency on the complexity of the organization's systems
Ans. C
Explanation: Choice C is most appropriate w.r.t. the major benefit of the continuous audit process, as overall security is improved in time sharing environments where a large number of transactions is processed but leaves an insufficient paper trail. Choice A is not correct as the auditor needs to collect evidence while processing is on. Choice B is also not correct in this case as the auditor does review and follow up on errors and material deficiencies. Choice D is also unreliable as the complexity of the organization's systems determines the use of the continuous audit process technique.

Q. The objective of enabling an audit trail is
A. Better response time for users
B. Institute accountability for processed transactions
C. Improving operational efficiency of systems
D. Better tracking of transactions to give useful information to auditors
Ans. B
Explanation: Choice B is most appropriate in this scenario as accountability and responsibility can be established for processed transactions and tracing can be done end to end. Enabling an audit trail doesn't improve user experience, as it might involve additional processing which may degrade user response time. Choice D could also be considered valid but it is not the main reason for enabling audit trails.

Q. In a risk based audit strategy, risk assessment is done by the IS auditor to ensure
A. Risk mitigation controls are in place
B. Threats and vulnerabilities are identified
C. Risks related to the audit are taken into consideration
D. Gap analysis is done as per the need
Ans. B
Explanation: Choice B is most appropriate in this scenario. Identification of threats and vulnerabilities is crucial in determining the scope of the audit. The effect of an audit would be to develop controls to mitigate risks. Audit risks are not relevant to risk analysis of the environment. Gap analysis compares the actual state to the expected or desired state; a gap could be the result of a risk not being properly addressed or being missed out.

Q. In order to achieve the best value to the organization in terms of audit resources we should
A. Do audit scheduling and measure the time spent on audits
B. Train audit staff on the latest audit technologies
C. Chalk out a precise plan based on risk assessment
D. Monitor progress of audits and have cost control measures in place
Ans. C
Explanation: Choice C is most appropriate in this scenario. This will add value to the organization in terms of dedicating resources to higher risk areas. Choices A, B and D will improve staff productivity only.

Q. An IS audit charter includes
A. Plan for IS audit engagements
B. Scope and objective of audit engagement
C. Training plan for audit staff
D. IS audit function role
Ans. D
Explanation: Choice D is applicable in this scenario. Choice A is the responsibility of audit management. Scope and objective are agreed in the engagement letter, and training of staff is again the responsibility of audit management based on the audit plan.

Q. In the evaluation of the risk assessment of an information system, the IS auditor will first review
A. Controls in place
B. Effectiveness of implemented controls
C. Monitoring mechanism for risks related to assets
D. Threats/vulnerabilities impacting assets
Ans. D
Explanation: Risks associated with using assets need to be assessed first, so option D is most appropriate in this scenario. Control effectiveness is part of the risk mitigation stage, and risk monitoring is part of the risk monitoring function after the risk assessment phase.

Q. During audit planning, the most critical step is
A. High risk areas identification
B. Skill set identification of the audit team
C. Identification of test steps in the audit
D. Identification of time allotted to the audit
Ans. A
Explanation: Choice A is appropriate in this scenario. The identification of high risk areas is the most critical step as that will determine the areas to be focused on during the audit. Skill set is determined before the audit begins. Test steps and time for the audit are determined on the basis of the areas to be audited.

Q. How much information is to be collected during the audit process will be determined on the basis of
A. Ease of obtaining the information records
B. Familiarity with the environment to be audited
C. Ease of obtaining the evidence
D. Scope and purpose of the audit
Ans. D
Explanation: Scope and purpose will determine the amount of sample information to be collected during the audit. All other choices are irrelevant in this scenario as the audit process is not hampered by ease of obtaining records or evidence or by familiarity with the environment.

Q. During audit planning, assessment of risk should provide
A. An assurance that the audit will cover material items
B. Material items would definitely be covered during the audit work
C. Reasonable assurance that all items will be covered by the audit work
D. Assurance to management that all items will be covered during the audit work
Ans. A
Explanation: Choice A. ISACA audit guideline G15 clearly states that an assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. The definite assurance clause in choice B is impractical; option C is also not correct as it states all items.

Q. Statistical sampling should be used by the IS auditor, and not judgmental sampling, in the scenario of
A. Quantification of error probability
B. Avoidance of sampling risk by the auditor
C. General use audit software is available
D. Unable to determine the tolerable error rate
Ans. A
Explanation: With an expected error rate and confidence level, the objective method of sampling is statistical in nature as it helps the auditor to determine the size of the sample and determine error probability or likelihood. Choice B is not correct because sampling risk is the risk of the sample. Choice C is also incorrect as statistical sampling doesn't need general software. Choice D is also incorrect because the tolerable error rate is predetermined in both statistical and judgmental sampling.

Q. The primary goal of an auditor during the IS audit planning stage is
A. Address audit objectives
B. Sufficient evidence collection
C. Identify appropriate tests
D. Use less audit resources
Ans. A
Explanation: As per ISACA guidelines the auditor's plan must address audit objectives. Choice B is not correct because evidence is not collected at the planning stage. Choices C and D are also incorrect because they are not initial goals of the audit plan.

Q. During audit procedure selection, the auditor will have to use professional judgment to ascertain
A. Sufficient evidence collection
B. Identification of significant deficiencies and their correction in a reasonable time period
C. Material weakness identified
D. Maintain minimum level of audit costs
Ans. A
Explanation: Professional judgment during the course of an audit process involves subjective and qualitative evaluation of conditions. It is based more on the past experience of the auditor, and the auditor's past experience plays a key role in this. Identification of material weaknesses is the result of experience and planning thoroughness, and it does not deal with the monetary aspects of the audit as stated in choice D.

Q. While evaluating logical access controls an auditor first
A. Documents the controls applied to all possible access paths to the system
B. Tests the controls on access paths to determine they are functional
C. Evaluates the security environment w.r.t. the policies and procedures laid down
D. Obtains an understanding of the security risks to information processing facilities
Ans. D
Explanation: Choice D is most appropriate in this scenario. The first step is to gather the security risks to information processing facilities by studying documentation, making inquiries and doing a risk assessment. Documentation and evaluation is the next step. The third step is to test access paths to ensure control functionality. The last is the auditor's evaluation of the security environment.

Q. The objective of a forensic audit is to
A. Participate in investigations related to corporate fraud
B. Collect evidence on a systematic basis after a system irregularity
C. Assess the correctness of the organization's financial statements
D. Determine if there was any criminal activity
Ans. B
Explanation: Choice B is correct as evidence collection is used for the judicial process. Forensic audits are not only for corporate frauds. Determining the correctness of financial statements is not the purpose of a forensic audit. Criminal activity could be part of the legal process but it is not the objective of a forensic audit.

Q. An auditor is reviewing a backup log report of a remote host backup. One of the entries in the backup log indicates failure to log in to the remote host for backup, and there is no entry in the log which confirms that the backup was restarted. What should the IS auditor do?
A. Issue an audit finding
B. Require an explanation from IS management
C. Issue a non-compliance
D. Increase the sample of logs to be reviewed
Ans. D
Explanation: Choice D is appropriate in this case. Before issuing an audit finding, seeking an explanation, or issuing a non-compliance, the auditor needs to gather additional evidence to correctly evaluate the situation.

Q. For the purpose of auditing the audit trail of critical servers, the auditor wants to use a _______ tool to determine potential irregularity in the user or system.
A. CASE tools
B. Embedded data collection tool
C. Heuristic scanning tool
D. Trend/variance detection tools
Ans. D
Explanation: Trend/variance detection tools are used for determining potential irregularity in the user or system. CASE tools are used in software development, an embedded data collection tool is used for sample collection, and a heuristic scanning tool is used to detect virus infections.

Q. What could be the cause of greatest concern for an auditor while evaluating a corporate network for possible penetration from employees?
A. Number of external modems connected to the network
B. Users have the right to install software on their desktops
C. Limited network monitoring or no monitoring at all
D. User ids with identical passwords
Ans. D
Explanation: Choice D is most appropriate in this scenario; it is the greatest threat. In choice A the threat is there but depends on the use of a valid user id. In choice B the likelihood is not high due to the technical knowledge needed for penetration. Network monitoring is a means for detection.

Q. What is the major benefit of using computer forensic software in investigations?
A. Preservation of electronic evidence
B. Saving time and costs
C. More efficient and effective
D. Effective search for violation of intellectual property rights
Ans. A
Explanation: The main purpose of forensic software is to preserve the chain of electronic evidence for investigation purposes. Choices B and C are criteria for identifying good or poor forensic software. Choice D is an example of using forensic software.

Q. Data is imported from a client database by the auditor; the next step is to confirm the imported data is complete. What step needs to be followed to confirm this?
A. Match control totals of imported data with the original data
B. Sort data to confirm data is in the same order as the original data
C. Review the first 100 records of imported data against the first 100 records of original data
D. Category-wise filtering of data and matching them to the original data
Ans. A
Explanation: The logical step in this scenario would be option A. This will confirm the completeness of the process. Sorting may not be applicable in this scenario because the original data may not be in sorted order. Reviewing partial data does not suffice either. Filtering data would also need control totals to be established to ensure completeness of data.

Q. An audit is to be conducted to identify payroll overpayments in the last year. Which audit technique would be most appropriate in this scenario?
A. Test data
B. Use of general audit software
C. Integrated test facility
D. Embedded audit module
Ans. B
Explanation: General audit software includes mathematical calculations, stratification, statistical analysis, sequence and duplicate checks and re-computations, so the auditor can use appropriate tests to re-compute payroll data. Test data would not detect the anomalies and overpayments. Integrated test facility and embedded audit modules cannot detect previous errors.

Q. During an audit process, the auditor finds out that security procedures are not documented. What should he do?
A. Auditor creates the procedure document
B. Stop the audit
C. Do compliance testing
D. Evaluate and identify existing practices being followed
Ans. D
Explanation: The purpose of an audit is to identify risks, so the most appropriate approach would be to identify and evaluate the current practices being followed. Auditors don't create documentation, compliance testing cannot be done as no document exists, and stopping the audit will jeopardize the objective of the audit, i.e. risk identification.

Q. Threats and their potential impacts are identified during the course of the risk analysis stage. What should be the next most appropriate step?
A. Identification and assessment of management's risk assessment approach
B. Identification of all information assets and systems
C. Disclosure of threats and impacts to management
D. Identification and evaluation of existing controls
Ans. D
Explanation: The next step, once the threats and impacts are identified, is choice D. They are then shared with management.

Q. Out of the following, which one is the most significant concern for an auditor?
A. Non-reporting of a network attack
B. Failure to notify police of an attempted intrusion
C. Periodic review of access rights not present
D. No notification of intrusion to the public
Ans. A
Explanation: Failure to report a network attack is a major cause of concern. Reporting to the public is the organization's choice, and notification to police is also a matter of choice. Periodic review of access rights could be a cause of concern but not as prominent as option A.

Q. Which is the most reliable evidence for an auditor out of the following?
A. Letter from a 3rd party on compliance
B. Line management assurance that the application is performing as per design
C. Information obtained from the www
D. Reports supplied by organization management to the auditor
Ans. A
Explanation: The most reliable evidence is the one given by an external party. Choices B, C and D are not considered reliable.

Q. While evaluating a process on the basis of preventive, detective and corrective controls, an IS auditor should know
A. The point at which controls are used as data flows through the system
B. Preventive and detective controls are the only relevant ones
C. Only corrective controls are relevant
D. Classification is required to determine which controls are negligent
Ans. A
Explanation: Choice A is most appropriate. Choices B and C are incorrect as all controls are important. Choice D is also not correct because the functioning of controls is important and not their classification.

Q. The best evidence of segregation of duties is identified by using the ____ audit technique.
A. Discussions with management
B. Organization chart review
C. Interviews and observations
D. User access rights testing
Ans. C
Explanation: Based on choice C an auditor can evaluate the segregation of duties. Management may not be aware of detailed functioning, the organization chart only depicts the hierarchy of reporting, and testing will only tell user rights but will not give any details on the functions being performed by users.

Q. While reviewing a customer master file, the auditor discovers that many customer names appear in duplicate, with variation in customer first names. How will the auditor determine the amount of duplication in this scenario?
A. Testing data to validate input
B. Testing data to check sorting capabilities
C. Use general audit software to detect address field duplications
D. Use general audit software to detect account field duplications
Ans. C
Explanation: As the names are not the same, some other field must be used to determine duplication, such as the address field. Test data will not help in this case, and searching on account number may not yield the desired result because customers could have different account numbers for each entry.

Q. While testing for program changes, what is the best population to choose a sample from?
A. Test library listings
B. Listing of source programs
C. Change request programs
D. Listing of production library
Ans. D
Explanation: The best source to draw a sample from or test the system is the automated system. Choice B would be time consuming. Program change requests are the initial documents to initiate changes; test libraries don't present approved and authorized executables.

Q. An integrated test facility is an efficient tool for audit
A. Audit of application controls in a cost effective manner
B. Integrating audit tests for financial and IS auditors
C. Comparison of processing output with independently calculated data
D. Instrument to analyze a large range of information
Ans. C
Explanation: It is a useful audit tool because it uses a similar program to compare processing with independently calculated data. This involves setting up dummy entities and processing test/production data.

Q. IS auditors use data flow diagrams to
A. Order data hierarchically
B. Highlight high level data definitions
C. Summarize data paths and storage in a graphical manner
D. Portray step by step details of data generation
Ans. C
Explanation: Data flow diagrams are used to chart the flow of data and storage. They don't order data in a hierarchical manner. Data flow does not necessarily match the hierarchy or order of data generation.

Q. Review of the organization chart is done by the auditor to
A. Understand workflows
B. Identify all communication channels
C. Understand the responsibility and authority of individuals
D. Obtain a network diagram connected to different employees
Ans. C
Explanation: The organization chart always depicts the responsibility and authority of individuals in an organization. This is required to understand the segregation of functions.

Q. While performing an audit of a network operating system, an auditor should review which of the following user features?
A. Network documentation availability online
B. Support for terminal access to remote systems
C. File transfer handling between users and hosts
D. Audit, control and performance management
Ans. A
Explanation: Network operating system user features include online availability of network documentation. Choices B, C and D are examples of network OS functions.

Q. In order to ascertain that access to program documentation is restricted to authorized users only, an auditor should check
A. Evaluation of the retention plan for off-site storage
B. Procedures being followed by programmers
C. Comparison of utilization records to the operational schedule
D. Review of data access records
Ans. B
Explanation: Interviewing programmers to understand the procedures being followed is the best way to ascertain that access to program documentation is only with authorized personnel. Off-site storage, utilization records and review of data access records will not address the security of program documentation.

Q. The auditor is evaluating an application which computes payments. During the audit it is revealed that 50% of calculations do not match the set total. What should be the next step the auditor needs to follow as part of audit practice?
A. Do further tests on calculations having errors
B. Identify the variables that generated inaccurate test results
C. Test some more test cases to confirm the anomaly
D. Document results, findings, conclusions and recommendations
Ans. C
Explanation: The auditor needs to examine some more test cases where incorrect calculations happened and then confirm the final outcome. Once calculations are complete, further tests can be performed, and the report is to be made only after confirmation and not before that.

Q. In order to prove the correctness of the system's tax calculation, the best practice to be followed is
A. In-depth review and analysis of source code
B. Using general audit software to repeat the program logic for monthly totals calculation
C. Simulate transactions and compare results for equality
D. In-depth analysis and flow chart preparation of the source code
Ans. C
Explanation: The best way to prove the correctness of tax calculation is simulation of transactions. Detailed review, flow charting and analysis of source code will not be effective, and monthly totals will not confirm the correctness of tax calculations at the individual level.

Q. In an application control review, the auditor must analyze
A. Application efficiency in meeting business processes
B. Impact of exposures
C. Business processes performed by the application
D. Optimization of the application
Ans. B
Explanation: Application control review requires analysis of the application's automated controls and analysis of exposures due to control weaknesses. The other options could be objectives of an audit but are not specifically meant to analyze application controls.

Q. What is the most accurate evidence to prove that purchase orders are legitimate while auditing an inventory application?
A. Application parameters cannot be modified by unauthorized personnel
B. Purchase order tracing
C. Comparison of receiving reports to purchase order details
D. Application documentation review
Ans. A
Explanation: Access control testing is the best way to determine the legitimacy of purchase orders and is the best evidence. Choices B and C are part of further actions, and choice D will not serve the purpose as the documented application process and the actual process could vary.

Q. Irregularities at an early stage can best be detected by using the ______ online auditing technique.
A. Embedded audit module
B. Integrated test facility
C. Snapshots
D. Audit hooks
Ans. D
Explanation: The audit hooks technique also involves embedding code in applications to allow early detection of irregularity. Embedded audit module is used for monitoring application systems on select