CISA Questionnaire: The IS Audit Process (Information Technology Essay)

This is a sampling example of compliance testing, as it states whether controls are functional as per the policy. It includes taking samples of new user account creation forms and matching them to ensure the process is being followed. Variable sampling is used to determine a numerical value. Substantive sampling tests the integrity of a process, such as credit/debit values or balances on financial statements. The stop-or-go sampling technique prohibits excessive sampling of an attribute.

The stop-or-go statistical sampling technique is used in a scenario where it is believed or perceived that relatively few errors will be exposed, so there is no point in over-sampling an attribute.

“Use of a statistical sample for tape library inventory” is an example of the ____ type of sampling technique.

A. Variable

B. Substantive

C. Compliance

D. Stop or go

Ans. B

Explanation

This is an example of substantive sampling, which confirms the integrity of a process. The test determines whether tape library records are stated correctly.

What is the major benefit of a risk-based audit planning approach?

A. Planning and scheduling in advance over months

B. Staff exposure to varied technologies

C. Resource allocation to areas of top concern

D. Budget requirements are met by audit staff

Ans. C

Explanation

The objective of a risk-based audit approach is to focus on areas where risk is high. Various scheduling methods are used to prepare audit schedules, but scheduling does not come under the risk-based approach. It also does not relate to budget requirements being met by staff or to the number of audits performed in a given year.

Examples of the substantive sampling technique include:

A. Review of password history reports

B. Approval for configuration parameter changes

C. Tape library inventory

D. Verifying a list of exception reports

Ans. C

Explanation

Tape library inventory is an example of substantive sampling, as it confirms the integrity of a process by determining whether tape records are stated correctly. All others are examples of compliance sampling, as they determine whether the process in practice is in line with the established policies and procedures.

A characteristic of an audit charter is:

A. It is dynamic in nature and keeps changing frequently as the technology changes

B. It contains the objectives of the audit and the maintenance and review of internal records by delegated authority

C. Detailed audit procedures

D. Overall scope, ownership and responsibility of the audit function

Ans. D

Explanation

An audit charter states management objectives, scope, ownership and delegation of responsibility of the audit function. It should not change frequently and is approved by higher management. It also does not contain detailed audit procedures.

The auditor's actions and decisions have a major impact on the ___ type of risk.

A. Inherent

B. Detection

C. Control

D. Business

Ans. B

Explanation

The auditor's selections and decisions during the audit process have a direct impact on detection risk, for example when an insufficient number of samples is taken into consideration. Company actions manage control risk, and business and inherent risks are also not impacted by the auditor.

A particular threat to overall business risk can be articulated in terms of:

A. Likelihood and magnitude of impact, where the threat successfully exploits a vulnerability

B. Magnitude of impact, where the source of the threat successfully exploits a vulnerability

C. Probability of a given source of threat exploiting a vulnerability

D. Risk assessment team group decision

Ans. A

Explanation

Choice A addresses both likelihood and magnitude of impact and so measures risk to an asset in the best manner. Choice B doesn't consider the magnitude of possible damage to an asset. Choice C doesn't consider the possibility of damage due to a threat source exploiting a vulnerability, and choice D is an arbitrary method of determining risk and is not a scientific risk management approach.

A risk management approach over a baseline approach in information security management gives a major advantage in terms of:

A. Overprotection of information assets

B. Base level protection to all assets irrespective of asset value

C. Adequate protection applied to all information assets

D. Equal level of protection for all information assets

Ans. C

Explanation

The baseline approach applies a standard set of protections to all information assets, whereas the risk management based approach determines the level of protection to be applied depending on a given level of risk. This saves the costs incurred on overprotection of an information asset. In the baseline approach an equal level of protection is applied to all information assets irrespective of asset value, so as a result some assets could be under-protected and some could be over-protected.

Which testing method is most effective when doing compliance testing?

A. Attribute sampling

B. Variable sampling

C. Stratified mean per unit

D. Difference estimation

Ans. A

Explanation

Choice A is appropriate in this scenario, as the attribute sampling model estimates the rate of occurrence of a specific quality in a population to confirm whether that quality is present in compliance testing. The other means of sampling are used in substantive testing, where details and quantities are tested.

Why is email considered a useful source of evidence in litigation in the IS audit process?

A. Wide use of email systems in enterprises as a medium of communication

B. Access control mechanisms to establish email communication accountability

C. Backup and archiving of information flowing through email systems

D. Data classification guidelines dictating information flow via email systems

Ans. C

Explanation

Option C is most appropriate, as archived or backed-up email files may contain documents which have been deleted and could be recovered. Access controls only establish accountability but don't give evidence of the email. Data classification standardizes what is to be communicated by email but doesn't provide the information needed for the litigation process.

A post-implementation review of an application is scheduled by an IS auditor. Which situation could hamper the independent assessment of the IS auditor?

A. Involved in the development of the specific application and implemented specific functionality / controls

B. Integrated an embedded audit module in the application for auditing purposes

C. Was a member of the application system project team but not involved at operational level

D. Gave advice on considering best practices while the system was in the development stage

Ans. A

Explanation

Choice A is most appropriate in this scenario because the auditor's independence is impaired if he was actively involved during the development, acquisition and implementation of the new application. Choices B and C don't hamper auditor independence. Choice D is not correct because auditor independence is not hampered by giving advice on best known practices.

What is the benefit of a continuous audit approach?

A. Collection of evidence on system reliability is not required during the processing stage

B. Review and follow-up on all information collected

C. Improvement in overall security in a time-sharing environment where a large number of transactions is processed

D. No dependency on the complexity of the organization's systems

Ans. C

Explanation

Choice C is most appropriate with respect to the major benefit of the continuous audit process: overall security is improved in time-sharing environments where a large number of transactions is processed but an insufficient paper trail is left. Choice A is not correct, as the auditor needs to collect evidence while processing is on. Choice B is also not correct in this case, as the auditor reviews and follows up on errors and material deficiencies. Choice D is also incorrect, as the complexity of the organization's systems determines the use of the continuous audit technique.

The objective of enabling an audit trail is:

A. Better response time for users

B. Instituting accountability for processed transactions

C. Improving operational efficiency of systems

D. Better tracking of transactions to give useful information to auditors

Ans. B

Explanation

Choice B is most appropriate in this scenario, as accountability and responsibility can be established for processed transactions and tracing can be done end to end. Enabling an audit trail doesn't improve the user experience; it might involve additional processing, which may impact user response time the other way. Choice D could also be considered valid, but it is not the main reason for enabling audit trails.

In a risk-based audit strategy, risk assessment is done by the IS auditor to ensure:

A. Risk mitigation controls are in place

B. Threats and vulnerabilities are identified

C. Risks related to the audit are taken into consideration

D. Gap analysis is done as per the need

Ans. B

Explanation

Choice B is most appropriate in this scenario. Identification of threats and vulnerabilities is crucial in determining the scope of the audit. An effect of an audit would be to develop controls to mitigate risks. Audit risks are not relevant to the risk analysis of the environment. Gap analysis compares the actual state to the expected or desired state; a gap could be the result of a risk not being correctly addressed or being missed out.

In order to achieve the best value to the organization in terms of audit resources, we should:

A. Do audit scheduling and measure the time spent on audits

B. Train audit staff on the latest audit technologies

C. Chalk out a detailed plan based on risk assessment

D. Monitor the progress of audits and have cost control measures in place

Ans. C

Explanation

Choice C is most appropriate in this scenario. This will deliver value to the organization in terms of dedicating resources to higher risk areas. Choices A, B and D will improve staff productivity only.

An IS audit charter includes:

A. Plan for IS audit engagements

B. Scope and objective of the audit engagement

C. Training plan for audit staff

D. Role of the IS audit function

Ans. D

Explanation

Choice D is applicable in this scenario. Choice A is the responsibility of audit management. Scope and objective are agreed in the engagement letter, and training of staff is again the responsibility of audit management based on the audit plan.

In the evaluation of the risk assessment of an information system, the IS auditor will first review:

A. Controls in place

B. Effectiveness of implemented controls

C. Monitoring mechanism for risks related to assets

D. Threats/vulnerabilities impacting assets

Ans. D

Explanation

Risks associated with using assets need to be evaluated first, so choice D is most appropriate in this scenario. Control effectiveness is part of the risk mitigation stage, and risk monitoring is part of the risk monitoring function after the risk assessment phase.

During audit planning, the most critical step is:

A. Identification of high risk areas

B. Identification of the skill set of the audit team

C. Identification of test steps in the audit

D. Identification of the time allotted to the audit

Ans. A

Explanation

Choice A is appropriate in this scenario. The identification of high risk areas is the most critical step, as that will determine the areas to be focused on during the audit. The skill set is determined before the audit begins. Test steps and time for the audit are determined on the basis of the areas to be audited.

How much data is to be collected during the audit process is determined on the basis of:

A. Ease of obtaining the information records

B. Familiarity with the environment to be audited

C. Ease of obtaining the evidence

D. Scope and purpose of the audit

Ans. D

Explanation

Scope and purpose determine the amount of sample data to be collected during the audit. All other choices are irrelevant in this scenario, as the audit process is not hampered by ease of obtaining records or evidence or by familiarity with the environment.

During audit planning, the assessment of risk should provide:

A. An assurance that the audit will cover material items

B. Material items will definitely be covered during the audit work

C. Reasonable assurance that all items will be covered by the audit work

D. Sufficient assurance that all items will be covered during the audit work

Ans. A

Explanation

Choice A. ISACA audit guideline G15 clearly states that “An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work”. The definite assurance clause in choice B is impractical; option C is also not correct, as it states all items.

Statistical sampling, and not judgmental sampling, should be used by the IS auditor in the scenario of:

A. Objective quantification of error probability

B. Avoidance of sampling risk by the auditor

C. General-use audit software being available

D. Being unable to determine the tolerable error rate

Ans. A

Explanation

Given an expected error rate and confidence level, the objective method of sampling is statistical in nature, as it helps the auditor determine the sample size and quantify the error probability or likelihood. Choice B is not correct because sampling risk is the risk of the sample. Choice C is also incorrect, as statistical sampling doesn't need general software. Choice D is also incorrect because the tolerable error rate is predetermined in both statistical and judgmental sampling.

The primary goal of an auditor during the IS audit planning stage is to:

A. Address audit objectives

B. Collect sufficient evidence

C. Specify appropriate tests

D. Use fewer audit resources

Ans. A

Explanation

As per ISACA guidelines, the audit plan must address audit objectives. Choice B is not correct because evidence is not collected at the planning stage. Choices C and D are also incorrect because they are not initial goals of the audit plan.

During audit procedure selection, the auditor will have to use professional judgment to ascertain:

A. Sufficient evidence collection

B. Identification of significant deficiencies and their correction in a reasonable time period

C. Material weaknesses identified

D. Maintenance of a minimal level of audit costs

Ans. A

Explanation

Professional judgment during the course of an audit involves subjective and qualitative evaluation of conditions. It is based on the auditor's past experience, which plays a key role here. Identification of material weaknesses is the result of experience and thoroughness of planning; professional judgment also does not deal with the financial aspects of the audit as stated in choice D.

While evaluating logical access controls, an auditor should first:

A. Document the controls applied to all possible access paths to the system

B. Test the controls on access paths to determine whether they are functional

C. Evaluate the security environment with respect to the policies and procedures laid down

D. Obtain an understanding of the security risks to information processing facilities

Ans. D

Explanation

Choice D is most appropriate in this scenario. The first step is to gather the security risks to information processing facilities by studying documentation, making inquiries and doing a risk assessment. Documentation and evaluation is the next step. The third step is to test access paths to ensure the controls function. The last is the auditor's evaluation of the security environment.

The objective of a forensic audit is to:

A. Participate in investigations related to corporate fraud

B. Collect evidence on a systematic basis after a system irregularity

C. Assess the correctness of the organization's financial statements

D. Determine whether there was any criminal activity

Ans. B

Explanation

Choice B is correct, as the evidence collected is used for the judicial process. Forensic audits are not only for corporate fraud. Determining the correctness of financial statements is not the purpose of a forensic audit. Criminal activity could be part of the legal process, but it is not the objective of a forensic audit.

An auditor is reviewing a backup log report of a remote server backup. One of the entries in the backup log indicates a failure to log in to the remote server for backup, and there is no entry in the log which confirms that the backup was restarted. What should the IS auditor do?

A. Issue an audit finding

B. Require an explanation from IS management

C. Issue a non-compliance

D. Increase the sample of logs to be reviewed

Ans. D

Explanation

Choice D is appropriate in this case. Before issuing an audit finding, seeking an explanation, or issuing a non-compliance, the auditor needs to gather additional evidence to properly evaluate the situation.

For the purpose of auditing the audit trail of critical servers, the auditor wants to use a _______ tool to determine potential irregularity in the user or system.

A. CASE tools

B. Embedded data collection tool

C. Heuristic scanning tool

D. Trend/variance detection tools

Ans. D

Explanation

Trend/variance detection tools are used for determining potential irregularity in the user or system. CASE tools are used in software development, an embedded data collection tool is used for sample collection, and a heuristic scanning tool is used to detect virus infections.

What could be the cause of greatest concern for an auditor while evaluating a corporate network for possible penetration by employees?

A. Number of external modems connected to the network

B. Users have the right to install software on their desktops

C. Limited network monitoring or no monitoring at all

D. User IDs with identical passwords

Ans. D

Explanation

Choice D is most appropriate in this scenario; it is the greatest threat. The threat in choice A exists but depends on the use of a valid user ID. In choice B the likelihood is not high, due to the technical knowledge needed for penetration. Network monitoring is a means of detection.

What is the major benefit of using computer forensic software in investigations?

A. Preservation of electronic evidence

B. Saving time and costs

C. More efficient and effective

D. Efficient search for violations of intellectual property rights

Ans. A

Explanation

The main purpose of forensic software is to preserve the chain of electronic evidence for investigation purposes. Choices B and C are concerns in identifying good or poor forensic software. Choice D is an example of using forensic software.

Data is imported from the client database by the auditor; the next step is to confirm that the imported data is complete. Which step needs to be followed to verify this?

A. Match the control total of the imported data with the original data

B. Sort the data to confirm it is in the same order as the original data

C. Review the first 100 records of imported data against the first 100 records of original data

D. Filter the data category-wise and match it to the original data

Ans. A

Explanation

The logical step in this scenario would be option A; this will confirm the completeness of the process. Sorting may not be applicable in this scenario because the original data may not be in sorted order. Reviewing partial data does not serve the purpose either. Filtering data would also need control totals to be established to ensure completeness of data.

An audit is to be conducted to identify payroll overpayments in the last year. Which audit technique would be most appropriate in this scenario?

A. Test data

B. Use of generalized audit software

C. Integrated test facility

D. Embedded audit module

Ans. B

Explanation

Generalized audit software includes mathematical calculations, stratification, statistical analysis, sequence and duplicate checks and re-computations, so the auditor can use appropriate tests to re-compute payroll data. Test data would not detect the anomalies and overpayments. An integrated test facility and embedded audit modules cannot detect previous errors.

During an audit process, the auditor finds out that security procedures are not documented. What should he do?

A. Create the procedure document

B. Stop the audit

C. Do compliance testing

D. Evaluate and identify existing practices being followed

Ans. D

Explanation

The purpose of an audit is to identify risks, so the most appropriate approach would be to identify and evaluate the current practices being followed. Auditors don't create documentation, compliance testing cannot be done as no document exists, and stopping the audit would jeopardize the objective of the audit, i.e. risk identification.

Threats and their potential impacts are identified during the course of the risk analysis stage. What should be the next most appropriate step?

A. Identification and assessment of management's risk assessment approach

B. Identification of all information assets and systems

C. Disclosure of threats and impacts to management

D. Identification and evaluation of existing controls

Ans. D

Explanation

The next step would be choice D. Once the threats and impacts are identified, the next step is to share them with management.

Out of the following, which one is the most significant concern for an auditor?

A. Non-reporting of a network attack

B. Failure to notify the police of an attempted intrusion

C. Periodic review of access rights not present

D. No notification of intrusion to the public

Ans. A

Explanation

Failure to report a network attack is a major cause of concern. Reporting to the public is the organization's choice, and notification to the police is also a matter of choice. Periodic examination of access rights could be a cause of concern but not as big as option A.

Which is the most dependable evidence for an auditor out of the following?

A. Letter from a third party on compliance

B. Line management assurance that the application is performing as per design

C. Information obtained from the World Wide Web

D. Reports supplied by organization management to the auditor

Ans. A

Explanation

The most reliable evidence is that given by an external party. Choices B, C and D are not considered reliable.

While evaluating a process on the basis of preventive, detective and corrective controls, an IS auditor should know:

A. The point at which controls are used as data flows through the system

B. Preventive and detective controls are the only relevant ones

C. Corrective controls are the only relevant ones

D. Classification is required to determine which controls are absent

Ans. A

Explanation

Choice A is most appropriate. Choices B and C are incorrect, as all controls are important. Choice D is also not correct, because the functioning of controls is important, not their classification.

The best evidence of segregation of duties is identified by using the ____ audit technique.

A. Discussions with management

B. Organization chart review

C. Interviews and observations

D. User access rights testing

Ans. C

Explanation

Based on choice C, an auditor can evaluate the segregation of duties. Management may not be aware of detailed functioning, an organization chart only depicts the reporting hierarchy, and testing will only tell user rights but will not give any details on the functions being performed by users.

While reviewing a customer master file, the auditor discovers that many customer names appear in duplicate, with variations in customer first names. How will the auditor determine the amount of duplication in this scenario?

A. Test data to validate input

B. Test data to check sorting capabilities

C. Use generalized audit software to detect address field duplications

D. Use generalized audit software to detect account field duplications

Ans. C

Explanation

As the names are not the same, some other field, such as the address field, must be used to determine duplication. Test data will not help in this case, and searching on account number may not yield the desired result because customers could have different account numbers for each entry.

While testing for program changes, what is the best population to choose a sample from?

A. Test library listings

B. Listing of source programs

C. Program change requests

D. Listing of the production library

Ans. D

Explanation

The best source to draw a sample from or test the system is the automated system. Choice B would be time consuming. Program change requests are the initial documents to initiate changes; test libraries don't present approved and authorized executables.

An integrated test facility is an efficient audit tool for:

A. Auditing application controls in a cost-effective manner

B. Integrating audit tests for financial and IS auditors

C. Comparing processing output with independently calculated data

D. Analyzing a large range of information

Ans. C

Explanation

It is a useful audit tool because it uses a similar program to compare processing with independently calculated data. This involves setting up dummy entities and processing test/production data.

IS auditors use data flow diagrams to:

A. Order data hierarchically

B. Highlight high level data definitions

C. Summarize data paths and storage graphically

D. Portray step-by-step details of data generation

Ans. C

Explanation

Data flow diagrams are used to chart the flow of data and storage. They don't order data hierarchically, and data flow does not necessarily match the hierarchy or order of data generation.

Review of the organization chart is done by the auditor to:

A. Understand workflows

B. Identify all communication channels

C. Understand the responsibility and authority of individuals

D. See the network diagram connecting different employees

Ans. C

Explanation

The organization chart always depicts the responsibility and authority of individuals in an organization. This is required to understand the segregation of functions.

While performing an audit of a network operating system, which user feature should the auditor review?

A. Online availability of network documentation

B. Support for terminal access to remote systems

C. File transfer handling between users and hosts

D. Audit, control and performance management

Ans. A

Explanation

Network operating system user features comprise online availability of network documentation. Choices B, C and D are examples of network OS functions.

In order to ascertain that access to program documentation is restricted to authorized users only, an auditor should check:

A. Evaluation of the retention plan for off-site storage

B. Procedures being followed by programmers

C. Comparison of utilization records to the operational schedule

D. Review of data access records

Ans. B

Explanation

Interviewing programmers to understand the procedures being followed is the best way to ascertain that access to program documentation is restricted to authorized personnel. Off-site storage, utilization records and review of data access records will not address the security of program documentation.

The auditor is evaluating an application which computes payments. During the audit it is revealed that 50% of the calculations do not match the set total. What should be the next step the auditor needs to follow as part of audit practice?

A. Do further tests on the calculations having errors

B. Identify the variables that generated inaccurate test results

C. Test some more cases to reconfirm the anomaly

D. Document results, findings, conclusions and recommendations

Ans. C

Explanation

The auditor needs to examine some more test cases where incorrect calculations happened and then confirm the final outcome. Once calculations are complete, further tests can be performed, and the report is to be made only after confirmation, not before.

In order to prove the correctness of the system's tax calculation, the best practice to be followed is:

A. In-depth review and analysis of the source code

B. Using generalized audit software to recreate the program logic for monthly totals calculation

C. Simulating transactions for results comparison

D. In-depth analysis and flow chart preparation of the source code

Ans. C

Explanation

The best way to prove the accuracy of tax calculation is simulation of transactions. Detailed review, flow charting and analysis of the source code will not be effective, and monthly totals will not confirm the correctness of tax calculations at the individual level.

In an application controls review, the auditor must analyze:

A. Application efficiency in meeting business processes

B. Impact of exposures

C. Business processes performed by the application

D. Optimization of the application

Ans. B

Explanation

An application controls review requires analysis of the application's automated controls and analysis of exposures due to control weaknesses. The other options could be objectives of an audit but are not specifically meant to analyze application controls.

What is the most accurate evidence to prove that purchase orders are legitimate while auditing an inventory application?

A. Application parameters can be modified by unauthorized personnel

B. Purchase order tracing

C. Comparison of receiving reports to purchase order details

D. Application documentation review

Ans. A

Explanation

Access control testing is the best way to determine purchase order legitimacy and is the best evidence. Choices B and C are part of further actions, and choice D will not serve the purpose, as the documented application process and the actual process could vary.

Irregularities at an early stage can best be detected by using the ______ online auditing technique.

A. Embedded audit module

B. Integrated test facility

C. Snapshots

D. Audit hooks

Ans. D

Explanation

The audit hooks technique involves embedding code in applications to enable early detection of irregularities. An embedded audit module is used for monitoring application systems on a selective basis. An integrated test facility is used when the use of test data is not practical, and snapshots are used in audit trails.

Assessment of network monitoring controls at the design level is done by initially reviewing:

A. Topology diagram

B. Bandwidth usage

C. Traffic analysis reports

D. Locations having bottlenecks

Ans. A

Explanation

Review of network monitoring controls involves, as the very first step, ensuring that network documentation is accurate. If these diagrams are incorrect, then monitoring processes and problem diagnosis will not be effective.

During an audit exercise, the auditor finds that there is a virus in the network. What should be the next step the auditor follows?

A. Evaluate the response mechanism

B. Remove the virus from the network

C. Inform the concerned personnel

D. Ensure virus deletion

Ans. C

Explanation

Choice C is most appropriate; the next choice would be A, which is required to analyze the responsiveness to the alert mechanism. The other choices are not applicable, as the auditor is not supposed to make any changes in the system.

In order to validate the accuracy of the tape library's inventory records, which substantive test needs to be performed by the auditor?

A. Ensure that bar code readers are installed

B. Tape movement is authorized

C. Physical count of tape inventory

D. Issue and receipt of tapes is recorded properly

Ans. C

Explanation

Choice C is most appropriate in this scenario. The other choices are examples of compliance tests.

During a forensic investigation, the primary concern of an auditor with regard to evidence should be:

A. Analysis

B. Evaluation

C. Preservation

D. Disclosure

Ans. C

Explanation

Preservation of evidence is the most important concern in a forensic investigation, as incomplete or improperly handled evidence would impact the legal process.

While interviewing a payroll clerk during a payroll process audit, the auditor finds that the responses don't clarify the job descriptions clearly and do not match the documented procedure. What should be the next step the auditor follows in this scenario?

A. Assume that controls are inadequate

B. Increase the scope and do substantive testing

C. Go by the outcome of previous audits

D. Defer the audit

Ans. B

Explanation

If the answers given in response to the auditor's questions about the payroll process and the documented procedure don't match, then the auditor should expand the scope and do substantive testing. There is no evidence to conclude that the controls that exist are not sufficient, and choices C and D don't confirm the capability of the current controls.

In an audit report, the auditor recommends a firewall product for the network perimeter gateway, stating the lack of firewall protection features to address a vulnerability. In this scenario the auditor has failed to exercise:

A. Professional independence

B. Organizational independence

C. Technical competence

D. Professional competence

Ans. A

Explanation

An auditor cannot recommend a specific vendor; by doing so he has compromised his professional independence.

During the initial phase of an audit, auditor performs a functional walkthrough in order to:

Understanding business processes

Compliance with auditing standards

Identification of controls weaknesses

Planning for substantive testing

Ans. A

Explanation

The initial step is to understand the business process. Auditing standards do not require a functional walkthrough, identifying control weaknesses is not its primary objective, and substantive testing is planned at a later stage of the audit.

What is the objective of the formal closure of a review with the auditees?

Confirmation that the auditors have not overlooked any important issues

Consensus on findings

Feedback on adequacy of audit procedures

Test the final presentation structure

Ans. B

Explanation

Choice B is most appropriate; the other choices are of secondary importance.

How will an auditor determine whether any unauthorized changes have been made to the application before the last authorized change?

Test data run

Review of Code

Automated Code comparison

Code migration procedure review

Ans. C

Explanation

Choice C is most appropriate. Test data only verifies certain transactions, code review is done to identify errors or inefficient statements, and reviewing the code migration procedure does not detect changes in the program.

During an audit, the auditor has concluded that software used in the organization is not licensed, while management states otherwise. What should the auditor do?

Include management statement in his report

Confirm whether such software is used by the organization

Reconfirm with management on the usage of the software

Discuss issue with senior management

Ans. B

Explanation

Sufficient evidence needs to be collected before a statement is put in the audit report, so further investigation is required in the current scenario.

A review of sensitive electronic documents revealed that they are not encrypted; this would compromise the:

Audit trail of documents versioning

Approval of audit phases

Access rights to documents

Confidentiality of documents

Ans. D

Explanation

Confidentiality is compromised in this scenario because the documents are sensitive in nature.

During an initial investigation, the auditor believes that fraud may be present. What should the auditor's next step be?

Expand the activities and determine whether investigation is necessary

Report to audit committee

Report to top management

Consult with external legal counsel and decide next course of action

Ans. A

Explanation

Choice A is most accurate in the current scenario. The auditor needs to evaluate the fraud indicators further and only then report them to the appropriate personnel. Auditors do not have the authority to consult external legal counsel.

What method should be used to detect duplicate invoice records in an invoice master file?

Attribute sampling

General audit software

Test data

Integrated test facility

Ans. B

Explanation

General audit software is used to review the invoice master file and identify the duplicates. Attribute sampling does not compare one record to another to identify duplicates. Test data is used to verify process functionality, and an integrated test facility is used to test transactions.

How will an auditor determine whether unauthorized changes have been made to a production program?

Analysis of system logs

Compliance testing

Forensic analysis

Analytical review

Ans. B

Explanation

Choice B is best suited to the scenario. Compliance testing will confirm that the change management process is applied consistently. System log analysis only addresses the modification of programs, forensic analysis is for criminal investigation, and analytical review is only for general control reviews.


During an audit of a change control procedure, the auditor finds that the change management process is poorly documented and that certain migration-related procedures have failed. What should the auditor's next step be?

Recommend redesigning the change management process

Perform a root cause analysis to gain more assurance

Recommend stopping the migration process until the change management process is properly documented

Document findings and give to management

Ans. B

Explanation

Choice B is best suited to the scenario. This will ensure that the change management process is applied consistently and that any deficiencies reported lie in this process and do not result from some other process.

An auditor who was involved in designing the BCP for an organization has been asked to audit the plan. What should the auditor do?

Don’t accept the assignment

Inform management of the possible conflict of interest after the assignment is completed

Inform the BCP team of the possible conflict before starting the assignment

Inform management of the possible conflict of interest

Ans. D

Explanation

Choice D is best suited to the scenario. Declining would not be suitable, since the assignment could be accepted with management's approval. Choice B does not fit because informing management makes no sense after the assignment has been completed. The BCP team has no authority to decide on this.

IT Governance (67 Questions)

The IT steering committee reviews information systems in order to ascertain:

Whether IT processes support business requirements

Adequacy of proposed system functionality

Existing software stability

Complexity of the installed technology

Ans. A

Explanation:

The IT steering committee has to ensure that the IS department works in line with the organization's mission and objectives, so choice A is most appropriate in this scenario. Assessing proposed functionality, the stability of existing software and the complexity of technology does not show that IT processes support organizational goals.

What is the impact of senior management's lack of commitment to strategic planning for IT?

Lack of investment in technology

Lack of system development methodology

Non alignment of technology with organization objectives

No control over technology contracts

Ans. C

Explanation:

Organizational goals should be supported by the IT strategy. The absence of an IT strategy reflects a lack of commitment from senior management, and that means IT is not aligned with the organization's strategy.

What is the function of the IS steering committee?

Monitoring of vendor-controlled change control and testing

Separation of duties in the IS department

Approval and monitoring of major projects, the IS plan and budget status

Liaison between end users and IS department

Ans. C

Explanation:

The IS steering committee acts as a general review body for major IS projects and is not involved in day-to-day activities. The committee's major role is the overall monitoring of major IS projects and the approval of budgets. Vendor-managed change control is an outsourcing-related activity, and liaison with end users is not a role of the steering committee.

The role of the IS steering committee is:

Member representation from different departments and staff levels

Ensuring that IS security policies and procedures are executed properly

Maintenance of meeting minutes and formal terms of reference

A vendor briefing on new technology trends in each meeting

Ans. C

Explanation:

Keeping detailed minutes of IS steering committee meetings is important, and all members of the board need to be informed of decisions on a timely basis. Choice A is not correct because the IS steering committee should have representation from senior management only. Choice B is not correct either, as that is the responsibility of the security administrator or CISO. Choice D is also not correct because vendor participation in meetings is required only when appropriate.

The role of senior management is important in the development of:

Strategic plan

IS policies

IS procedures

Standards and guidelines

Ans. A

Explanation:

The strategic plan ensures that the organization meets its goals and objectives, and senior management participates to ensure that the strategic plan sufficiently addresses the goals and objectives of the business. All other choices provide support for the strategic plan.

From an IT governance perspective, it is important to ensure that the IT plan is consistent with the organization's:

Business plan

Audit plan

Security plan

Investment plan

Ans. A

Explanation:

Choice A is most appropriate in this scenario because IT and the business should be aligned and move in one direction, which means the organization's business plan and IT plan are aligned. Audit and investment plans are not part of the IT plan, and the security plan is defined at the corporate level.

Who has the authority to establish the acceptable risk level?

Quality assurance management

Senior business management

Chief information officer

Chief security officer

Ans. B

Explanation:

Choice B is the most appropriate choice in the current scenario. Senior business management is responsible for setting the acceptable level of risk, as final responsibility lies with them. Choices A, C and D act as advisors to senior management in ascertaining the acceptability of the risk level.

The responsibility for IT governance primarily lies with:

Chief executive officer

Board of directors

IT steering committee

Audit committee

Ans. B

Explanation:

Choice B is the most appropriate choice in the current scenario. IT governance is the responsibility of shareholders and executives. The CEO is responsible for implementing IT governance as directed by the board of directors. The steering committee monitors and facilitates the deployment of resources for projects in support of business plans. The audit committee reports to the board of directors and monitors the implementation of the audit committee's recommendations.

Strategic alignment resulting from information security governance provides:

Security requirements driven by enterprise requirements

Baseline security as per best practices

Commoditized and institutionalized solutions

An understanding of risk exposure

Ans. A

Explanation:

Proper implementation of information security governance leads to four results: strategic alignment, value delivery, risk management and performance management. Strategic alignment yields security requirements that are driven by the requirements of the enterprise.

In order to improve strategic alignment, which of the following IT governance best practices should be followed?

Managing supplier and partner risks

Knowledge base on customers, products, markets and processes

Creation of a support structure for creating and sharing business information

Mediation between business and technology imperatives by top management

Ans. D

Explanation:

Mediation by top management between business and technology imperatives is the IT governance best practice for strategic alignment. Managing supplier and partner risks is a risk management practice. A knowledge base on customers, products, markets and processes is part of the value delivery best practices. A support infrastructure is likewise part of value delivery and risk management.

Establishing an effective IT governance process requires organizational structures and processes that ensure:

The organization's strategy and objectives extend the IT strategy

The business strategy is derived from the IT strategy

Overall governance and IT governance are kept separate

The IT strategy extends the organization's strategies and objectives

Ans. D

Explanation:

Choice D is most appropriate in this scenario. The IT strategy needs to be aligned with the business strategy, and the board and management need to provide the leadership, structures and processes that ensure IT sustains and extends the organization's objectives. Choice A is not correct because it is the IT strategy that extends the organization's strategy, not the reverse. IT governance and overall governance cannot be viewed in isolation from each other.

Successful implementation of IT governance requires:

IT scorecard implementation

Organizational strategies identification

Performing risk assessment

Creation of a formal security policy

Ans. B

Explanation:

Choice B is most appropriate in this scenario. Aligning IT and corporate governance requires identifying the organizational strategies. Without an organizational strategy, the other choices are irrelevant.

The objective of implementing an IT governance framework in an organization is:

IT and business alignment

Accountability

Realization of value from IT

Enhanced return on investment

Ans. A

Explanation:

The strategic alignment of IT and the business is the objective of IT governance, in order to improve the performance of IT and ensure regulatory compliance. All other options need to be integrated into business strategy and practice.

During a review of the IT project portfolio, the IS auditor's major consideration should be the:

IT budget

Current IT environment

Business plan

Investment plan

Ans. C

Explanation:

The most appropriate choice in this scenario is C. The projects that meet the business's strategic objectives get funded. Portfolio management is a holistic approach to the company's overall IT strategy, and the IT strategy should go hand in hand with the business strategy, so reviewing the business plan is crucial. Choices A, B and D are important but secondary in nature.

The objective of IT governance is:

Encourage optimal utilization of IT

Reduction in IT costs

Decentralization of IT resources across the organization

Centralized control on IT

Ans. A

Explanation:

Choice A is most appropriate in the current scenario. A reduction in IT costs is not always the best IT governance outcome. Decentralization of IT resources is not always desired; similarly, centralized control of IT may not always be the best option.

The lowest IT governance maturity level at which an IT balanced scorecard is present is:

Repeatable but intuitive

Defined

Managed and measurable

Optimized

Ans. B

Explanation:

Choice B is most appropriate because the IT balanced scorecard is used at the defined level.

Product profitability reports produced by finance and marketing give different results. Further investigation revealed that the definition of a product used by the two departments is different. What action should the auditor take in the current situation?

UAT of all reports should be done before releasing the system into production

Organization-wide data governance practices should be put in place

Report development should be done using standard tools

New report requirements should have management sign-off

Ans. B

Explanation:

Choice B is most appropriate in this scenario, as this option addresses the problem of inconsistency directly. Organization-wide data governance is needed to ensure efficient management of data assets, which may include putting standard definitions of data elements into practice. The other options are development standards but do not address the root cause of the problem.

The key element in job descriptions from a control perspective is:

Defining authority and giving instructions on how to do the job

Job descriptions are current, documented and available to the employee

Communicating job performance expectations related to specific jobs

Establishing accountability and responsibility for employee actions

Ans. D

Explanation:

Choice D is most appropriate in the current scenario. From a control perspective, accountability and responsibility need to be established, which helps in granting an employee system access in line with his job responsibilities. The other options are not directly linked to control: choice A is defined more from a procedural perspective, having access to job descriptions is not a control in itself, and communicating expectations could be a standard for performance management but does not constitute a control.

What is the best measure to ensure the integrity of new staff / employees?

Background screening
