1. | If an organization chooses to implement a control self-assessment program, the auditor should participate primarily as a: | A. | Monitor | | B. | Facilitator | | C. | Project leader | | D. | The auditor should not participate in the organization's CSA program because doing so would create a potential conflict of interest. |
|
A1: | Answer: B. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator. |
2. | Which of the following elements must be present to properly log activities and achieve accountability for actions performed by a user? | A. | Identification and authorization only | | B. | Authentication and authorization only | | C. | Identification and authentication only | | D. | Authorization only |
|
A2: | Answer: C. If proper identification and authentication are not performed during access control, no accountability can exist for any action performed. |
3. | When initially planning a risk-based audit, which of the following steps is MOST critical? | A. | Evaluating the organization's entire environment as a whole | | B. | Establishing an audit methodology based on accepted frameworks, such as COBIT or COSO | | C. | Documenting procedures to ensure that the auditor achieves the planned audit objectives | | D. | The identification of the areas of high risk for controls failure |
|
A3: | Answer: D. In planning an audit, the MOST critical step is identifying areas of high risk. |
4. | What is the PRIMARY purpose of audit trails? | A. | To better evaluate and correct audit risk resulting from potential errors the auditor might have committed by failing to detect controls failure | | B. | To establish a chronological chain of events for audit work performed | | C. | To establish accountability and responsibility for processed transactions | | D. | To compensate for a lack of proper segregation of duties |
|
A4: | Answer: C. Although secure audit trails and other logging are used as a compensatory control for a lack of proper segregation of duties, the primary purpose of audit trails is to establish accountability and responsibility for processed transactions. |
5. | Which of the following is the MOST appropriate type of risk to be associated with authorized program exits (trap doors)? | A. | Inherent | | B. | Audit | | C. | Detection | | D. | Business |
|
A5: | Answer: A. Inherent risk is associated with authorized program exits (trap doors). |
6. | When performing an audit of an organization's systems, the auditor's first step should be to: | A. | Develop a strategic audit plan | | B. | Gain an understanding of the focus of the business of the organization | | C. | Perform an initial risk assessment to provide the foundation for a risk-based audit | | D. | Determine and define audit scope and materiality |
|
A6: | Answer: B. The IS auditor's first step is to understand the business focus of the organization. Until the auditor has a good understanding of the organization's business goals, objectives, and operations, the auditor will not be able to competently complete any of the other tasks listed. |
7. | Which of the following risks results when the auditor uses an insufficient test procedure, resulting in the auditor's ill-informed conclusion that material errors do not exist, when, in fact, they do? | A. | Business risk | | B. | Detection risk | | C. | Audit risk | | D. | Inherent risk |
|
A7: | Answer: B. Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do. |
8. | Which of the following is considered the MOST significant advantage of implementing a continuous auditing approach? | A. | It can improve system security when used in time-sharing environments that process a large number of transactions. | | B. | It can provide more actionable audit results because of the increased input from management and staff. | | C. | It can identify high-risk areas that might need a detailed review later. | | D. | It can significantly reduce the amount of resources necessary for performing the audit because time constraints are more relaxed. |
|
A8: | Answer: A. The PRIMARY advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions. |
9. | When an IS auditor finds evidence of minor weaknesses in controls, such as use of weak passwords, or poor monitoring of reports, which of the following courses of action is MOST appropriate for the auditor? | A. | Take corrective action by informing affected users and management of the controls vulnerabilities | | B. | Realize that such minor weaknesses of controls are usually not material to the audit | | C. | Immediately report such weaknesses to IT management | | D. | Take no corrective action whatsoever, and simply record the observations and associated risk arising from the collective weaknesses into the audit report |
|
A9: | Answer: D. While preparing the audit report, the IS auditor should record the observations and the risk arising from the collective weaknesses. |
10. | Which of the following is considered to present the GREATEST challenge to using test data for validating processing? | A. | Potential corruption of actual live data | | B. | Creation of test data that covers all possible valid and invalid conditions | | C. | Test results being compared to expected results from live processing | | D. | Data isolation issues associated with high-speed transaction processing |
|
A10: | Answer: B. Creating test data that covers all possible valid and invalid conditions is often the greatest challenge in using test data. |