Quiz: The Audit Process
Read the review and answer the questions below.
Quick Review
An audit program defines the audit strategy and the plans that include scope, objectives, resources, and procedures used to evaluate controls and processes.
IS auditors need to stay current with technology through training courses, webinars, ISACA chapter training events, and industry conferences.
Several laws, regulations, and standards require internal or external audits to ensure that organizations achieve and maintain compliance.
The types of controls are physical, technical, and administrative.
The classes of controls are preventive, detective, deterrent, corrective, compensating, and recovery.
The categories of controls are automatic and manual.
The types of audits are operational audits, financial audits, integrated audits, IS audits, administrative audits, compliance audits, forensic audits, and service provider audits. Pre-audits can be performed to help an organization prepare for an upcoming audit. Internal audits and external audits refer to the relationship of auditor to auditee.
Compliance testing is used to determine whether control procedures are properly designed and are operating as intended. Substantive testing is used to verify the accuracy and integrity of transactions as they flow through a system.
Audit methodologies define an audit subject, audit objective, type of audit, audit scope, pre-audit planning, audit statement of work, audit procedures, communication plan, report preparation, wrap-up, and post-audit follow-up.
The types of evidence that the auditor will collect during an audit include observations, written notes, correspondence, process and procedure documentation, and business records.
During an audit, the auditor should obtain org charts, department charters, third-party contracts, policies and procedures, risk ledgers, incident logs, standards, and system documentation. The auditor should conduct several interviews with pre-written questions and carefully observe personnel to understand their discipline as well as organizational culture and maturity.
The types of sampling include statistical sampling, judgmental sampling, attribute sampling, variable sampling, stop-or-go sampling, discovery sampling, and stratified sampling. The IS auditor needs to understand the meaning of confidence coefficient, sampling risk, precision, expected error rate, sample mean, sample standard deviation, and tolerable error rate.
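The sampling terms listed above are easier to keep straight when you see them computed. The following is an added example, not material from the review or any published sampling table: it derives an attribute-sampling sample size and the achieved upper deviation rate directly from the binomial distribution, and computes the sample mean, sample standard deviation and precision for a variable-sampling estimate. Function names, the rounding rule for expected deviations, and the input values are assumptions made for illustration; expect small differences from printed tables that round differently.

```python
"""Attribute and variable sampling arithmetic, constructed as an added
example (not from the quiz page or any audit tool)."""
from math import ceil, comb, sqrt


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence, tolerable_rate, expected_rate, max_n=5000):
    """Smallest n such that, if the true deviation rate were as bad as the
    tolerable rate, observing no more than the expected number of deviations
    would have probability <= 1 - confidence. That residual probability is
    the sampling risk the auditor accepts. expected_rate = 0 is the
    discovery-sampling case (any single deviation fails the control)."""
    alpha = 1.0 - confidence
    for n in range(1, max_n + 1):
        allowed = ceil(n * expected_rate)  # assumption: round expected deviations up
        if binom_cdf(allowed, n, tolerable_rate) <= alpha:
            return n
    raise ValueError("no sample size found below max_n")


def upper_deviation_limit(n, deviations, confidence, tol=1e-7):
    """Achieved upper deviation rate: the largest population deviation rate
    still consistent with the sample at the given confidence. Bisection on
    p for binom_cdf(deviations, n, p) == 1 - confidence (cdf falls as p rises)."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid  # a rate this small is not yet ruled out
        else:
            hi = mid
    return hi


def control_is_reliable(n, deviations, confidence, tolerable_rate):
    """The control passes the test only if the achieved upper deviation
    rate does not exceed the tolerable error rate."""
    return upper_deviation_limit(n, deviations, confidence) <= tolerable_rate


def variable_sampling_estimate(sample_values, population_size, confidence_coefficient):
    """Mean-per-unit estimate of a population total and its precision.
    confidence_coefficient is the normal z value (1.96 for 95%)."""
    n = len(sample_values)
    mean = sum(sample_values) / n
    sd = sqrt(sum((x - mean) ** 2 for x in sample_values) / (n - 1))
    return {
        "sample_mean": mean,
        "sample_sd": sd,
        "estimate": population_size * mean,
        "precision": confidence_coefficient * population_size * sd / sqrt(n),
    }


if __name__ == "__main__":
    n = attribute_sample_size(0.95, 0.05, 0.0)
    print("sample size (95%, TER 5%, EPER 0%):", n)
    print("0 deviations -> upper limit", round(upper_deviation_limit(n, 0, 0.95), 4))
    print("1 deviation  -> upper limit", round(upper_deviation_limit(n, 1, 0.95), 4))
    print(variable_sampling_estimate([10, 20, 30], 100, 1.96))  # constructed values
```

Reading the output: with no expected deviations, 95% confidence and a 5% tolerable rate the plan needs 59 items, and a single deviation in those 59 pushes the upper limit to roughly 8%, well past the tolerable rate, so the auditor cannot rely on the control without extending the sample or treating the finding as a control failure.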
An audit report usually includes a cover letter, introduction, summary, audit description, list of systems examined, interviewees, evidence, explanation of sampling techniques, findings, and, optionally, recommendations.
The types of risks that are related to audits include control risk, detection risk, inherent risk, overall audit risk, and sampling risk.
Computer-assisted audit techniques (CAATs), generalized audit software, and continuous auditing bring both challenges and opportunities. They allow more frequent and more rapid reporting, which shortens the time between a control failure or exception occurring and its mitigation.
External auditors may be needed when the organization lacks the expertise or resources to conduct an audit internally. Some regulations and standards also require an external, independent audit regardless of internal capability.
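To make the compliance-versus-substantive distinction from the review concrete, and to show what a scheduled CAAT run in a continuous-auditing setup actually does, here is an added example that is not from the quiz page or any audit product. It runs a compliance test over a change log (is the approval control operating?) and a substantive test that reconciles application ledger entries against an independent bank statement (are the recorded transactions accurate?). The change log, ledger and bank extracts are constructed inline, and the column names, the matching rule, and the function names are assumptions for illustration.

```python
"""Minimal computer-assisted audit technique (CAAT), constructed as an
added example: one compliance test and one substantive test over
constructed records, producing the exception list that would feed an
audit report or a continuous-auditing dashboard."""
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed change-log extract (not real data).
CHANGE_LOG = """\
change_id,system,implemented_by,approved_by,approval_ref,implemented_on
CHG-1001,GL,alice,bob,CAB-2024-17,2024-03-04
CHG-1002,GL,carol,,,2024-03-05
CHG-1003,AP,dave,dave,CAB-2024-19,2024-03-06
CHG-1004,GL,erin,frank,CAB-2024-21,2024-03-08
"""

# Constructed ledger (auditee's own record) and bank statement (independent).
LEDGER = """\
txn_id,posted_on,amount
T-501,2024-03-04,1250.00
T-502,2024-03-05,-300.00
T-503,2024-03-06,980.50
T-504,2024-03-07,410.00
"""
BANK = """\
ref,booked_on,amount
B-9001,2024-03-04,1250.00
B-9002,2024-03-05,-300.00
B-9003,2024-03-06,890.50
"""


def load(text):
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def compliance_test_changes(rows):
    """Compliance test: does the change-approval control operate as
    designed? Every change needs a documented approval from someone other
    than the implementer. Returns (change_id, reason) exceptions."""
    exceptions = []
    for r in rows:
        if not r["approval_ref"] or not r["approved_by"]:
            exceptions.append((r["change_id"], "no documented approval"))
        elif r["approved_by"] == r["implemented_by"]:
            exceptions.append((r["change_id"], "self-approved"))
    return exceptions


def substantive_test_ledger(ledger, bank):
    """Substantive test: do recorded transactions agree with the independent
    bank statement? Matches on (date, amount); reports ledger entries with
    no bank counterpart and bank entries with no ledger counterpart."""
    bank_keys = {(b["booked_on"], Decimal(b["amount"])) for b in bank}
    ledger_keys = {(l["posted_on"], Decimal(l["amount"])) for l in ledger}
    unmatched_ledger = [l["txn_id"] for l in ledger
                        if (l["posted_on"], Decimal(l["amount"])) not in bank_keys]
    unmatched_bank = [b["ref"] for b in bank
                      if (b["booked_on"], Decimal(b["amount"])) not in ledger_keys]
    return unmatched_ledger, unmatched_bank


def run_continuous_audit():
    """One scheduled run. The returned summary is what a ticketing hook or
    dashboard would consume so exceptions surface soon after they occur."""
    change_exc = compliance_test_changes(load(CHANGE_LOG))
    unmatched_ledger, unmatched_bank = substantive_test_ledger(load(LEDGER), load(BANK))
    return {
        "run_date": date.today().isoformat(),
        "compliance_exceptions": change_exc,
        "unmatched_ledger": unmatched_ledger,
        "unmatched_bank": unmatched_bank,
        "control_failure": bool(change_exc or unmatched_ledger or unmatched_bank),
    }


if __name__ == "__main__":
    for key, value in run_continuous_audit().items():
        print(f"{key}: {value}")
```

On the constructed data the compliance test flags CHG-1002 (no approval recorded) and CHG-1003 (implementer approved their own change), while the substantive test flags T-503 (ledger 980.50 against bank 890.50, reported from both sides) and T-504 (no bank entry at all). Note that the compliance test says nothing about whether the transactions are correct, and the substantive test says nothing about whether the control operated; that is exactly why the review treats them as two different kinds of test.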
Questions
Create any text file, write your answers, save the file, and send it to me (attach it in the Zoom chat box or email it to me at omar@simpleinfosec.com).
1. An IS auditor is planning an audit project and needs to know which areas represent the highest risk. What is the best approach for identifying these risk areas?
A. Perform the audit; control failures will identify the areas of highest risk.
B. Perform the audit and then perform a risk assessment.
C. Perform a risk assessment first, and then concentrate control tests in high-risk areas identified in the risk assessment.
D. Increase sampling rates in high-risk areas.
2. An auditor has detected potential fraud while testing a control objective. What should the auditor do next?
A. Notify the audit committee.
B. Conduct a formal investigation.
C. Report the fraud to law enforcement.
D. Report the suspected fraud to management.
3. The possibility that a process or procedure will be unable to prevent or detect serious errors and wrongdoing is known as
A. Detection risk
B. Inherent risk
C. Sampling risk
D. Control risk
4. The categories of risk treatment are
A. Risk reduction, risk transfer, risk avoidance, and risk acceptance
B. Risk avoidance, risk transfer, and risk mitigation
C. Risk avoidance, risk reduction, risk transfer, risk mitigation, and risk acceptance
D. Risk avoidance, risk treatment, risk mitigation, and risk acceptance
5. An IS auditor needs to perform an audit of a financial system and needs to trace individual transactions through the system. What type of testing should the auditor perform?
A. Discovery testing
B. Statistical testing
C. Compliance testing
D. Substantive testing
6. An IS auditor is auditing the change management process for a financial application. The auditor has two primary pieces of evidence: change logs and a written analysis of the change logs performed by a business analyst. Which evidence is best and why?
A. The change log is best because it is subjective.
B. The written analysis is best because it interprets the change log.
C. The change log is best because it is objective and unbiased.
D. The written analysis is best because it is objective.
7. Under which circumstances should an auditor use subjective sampling?
A. When the population size is low
B. When the auditor believes that specific transactions represent higher risk than most others
C. When the risk of exceptions is low
D. When statistical sampling cannot be performed
8. An IS auditor has discovered a high-risk exception during control testing. What is the best course of action for the IS auditor to take?
A. Immediately perform mitigation.
B. Include the exception in the report and mark the test as a control failure.
C. Immediately inform the auditee of the situation.
D. Immediately inform the audit committee of the situation.
9. What is the appropriate role of an IS auditor in a control self-assessment?
A. The IS auditor should participate as a subject matter expert.
B. The IS auditor should act as facilitator.
C. The IS auditor should not be involved.
D. The IS auditor should design the control self-assessment.
10. Which of the following would not be useful evidence in an IS audit?
A. Personnel handbook
B. Organization mission statement and objectives
C. Organization chart
D. Organization history
11. An auditor has discovered that automated work papers were configured with read/write permissions for database administrators. What actions should the auditor take?
A. Simply continue to rely on the automated work papers.
B. Note an exception and continue to rely on these automated work papers.
C. Recommend that permissions on automated work papers be changed so that no personnel have write access and so that this data may be relied upon in the future.
D. Notify the board of directors or the audit committee.
12. During an audit, an auditor has discovered a process that is being performed consistently and effectively, but the process lacks procedure documentation. What action should the auditor take?
A. Document the process.
B. Find that the process is effective but recommend that it be documented.
C. Write the procedure document for the auditee and include it in audit evidence.
D. Find that the process is ineffective.
13. During audit planning, an auditor has discovered that a key business process in the auditee organization has been outsourced to an external service provider. Which option should the auditor consider?
A. Audit the external service provider or rely on an SSAE 16 audit report if one is available.
B. Audit the external service provider.
C. Determine that the business process is not effective.
D. Request that the external service provider submit its internal audit work papers.
14. Why should an auditor prefer bank statements over a department’s own business records that list bank transactions?
A. Bank statements can be provided in electronic format.
B. Bank statements contain data not found in internal records.
C. Bank statements are usually easier to obtain.
D. Bank statements are independent and objective.
15. Which of the following statements is true about ISACA audit standards and guidelines?
A. ISACA audit standards are mandatory, while ISACA audit guidelines are optional.
B. ISACA audit standards are optional, while ISACA audit guidelines are mandatory.
C. ISACA audit standards and guidelines are mandatory.
D. ISACA audit standards and guidelines are optional.