For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing EMERGING risk?
CONTINUOUS auditing

In a small organization, the FUNCTIONS of release manager and application programmer are performed by the SAME employee. What is the BEST compensating CONTROL in this scenario?
VERIFY that only approved program changes are implemented

In PLANNING an IS audit, the MOST critical STEP is:
The IDENTIFICATION of the areas of SIGNIFICANT risk.

The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?
Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.

An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
Development of a risk assessment

An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:
Evaluate the impact of the undocumented devices on the audit scope.

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:
Control objectives and activities.

An IS auditor is developing an audit plan for an environment that includes new systems. The organization's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
Determine the highest-risk systems and plan accordingly.

An IS auditor is reviewing a project risk assessment and notices that the overall residual risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of unauthorized users the project may affect?
Inherent risk

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step?
Understanding services and their allocation to business processes by reviewing the service repository documentation.

An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following?
Wire transfer procedures

An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is:
Not an adequate control.

An IS auditor performing an audit of the risk assessment process should FIRST confirm that:
Assets have been identified and ranked

An IS auditor performing a review of application controls would evaluate the:
Impact of any exposures discovered.

An IS auditor reviewing the process of log monitoring wants to evaluate the organization's manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
Walk-through

An IS auditor should ensure that review of online electronic funds transfer reconciliation procedures should include:
Tracing.

An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:
Authentication techniques for sending and receiving messages.

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and:
Ability, as an IS auditor, to be independent of existing IT relationships.

The MAIN purpose of the annual IS audit plan is to:
Allocate resources for audits.

The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:
Substantive testing.

The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:
Provide a basis for drawing reasonable conclusions.

An organization's IS AUDIT CHARTER should specify the:
ROLE of the IS audit FUNCTION

An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks and reports for distribution. To BEST ensure payroll data accuracy:
Payroll reports should be COMPARED to input forms.

A PRIMARY benefit derived for an organization employing control self-assessment (CSA) techniques is that it:
Can IDENTIFY high-RISK areas that might need a detailed review later.

The PRIMARY objective of the audit INITIATION meeting with an IS audit client is to:
discuss the SCOPE of the audit.

The PRIMARY purpose of an IT FORENSIC audit is:
the systematic COLLECTION and analysis of EVIDENCE after a system irregularity.

The PRIMARY purpose of the IS audit charter is to:
outline the RESPONSIBILITY and AUTHORITY of the IS audit function.

The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to:
UNDERSTAND the business PROCESS.

The PURPOSE of a CHECKSUM on an amount field in an electronic data interchange communication of financial transactions is to ensure:
INTEGRITY.

The success of control self-assessment (CSA) DEPENDS highly on:
line managers assuming a portion of the responsibility for control monitoring.

A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern?
The work may be construed as a self-audit.

To ensure that audit resources deliver the best value to the organization, the FIRST step in an audit project is to:
develop the audit PLAN on the basis of a detailed RISK assessment.

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?
It detects risk sooner.

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
vulnerabilities and threats are identified.

When developing a risk management program, what is the FIRST activity to be performed?
Inventory of assets

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?
The point at which controls are exercised as data flow through the system

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:
improper transaction authorization.

When performing a risk analysis, the IS auditor should FIRST:
IDENTIFY the organization's information ASSETS.

Which of the following choices would be the BEST source of information when developing a risk-based audit plan?
Senior management identify key business processes.

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
Compensating controls

Which of the following does a lack of adequate controls represent?
A vulnerability

Which of the following is an attribute of the control self-assessment approach?
Broad stakeholder involvement

Which of the following is evaluated as a preventive control by an IS auditor performing an audit?
Table lookups

Which of the following is in the BEST position to approve changes to the audit charter?
Audit committee

Which of the following is MOST important for an IS auditor to understand when auditing an e-commerce environment?
The nature and criticality of the business process supported by the application

Which of the following is MOST important to ensure that effective application controls are maintained?
Control self-assessment

Which of the following is MOST likely to be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation?
Designing the cybersecurity controls

Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?
Understand the business, its operating model and key processes.

Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?
Define the audit universe.

Which of the following is the key benefit of a control self-assessment?
Management ownership of the internal controls supporting business objectives is reinforced.

Which of the following is the MAIN reason to perform a risk assessment in the planning phase of an IS audit?
To provide reasonable assurance material items will be addressed

Which of the following is the MOST critical step when planning an IS audit?
Perform a risk assessment.

Which of the following is the PRIMARY purpose of a risk-based audit?
Material areas are addressed first.

Which of the following is the PRIMARY requirement for reporting IS audit results? The report is:
Backed by sufficient and appropriate audit evidence.

Which of the following represents an example of a preventive control with respect to IT personnel?
Implementation of a badge entry system for the IT facility

Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment?
Lack of transaction authorizations

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?
Participating in the design of the risk management framework

Which of the following situations could impair the independence of an IS auditor? The IS auditor:
Implemented specific functionality during the development of an application

Which of the following would be expected to approve the audit charter?
Audit committee

Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program?
Important business risk may be overlooked

While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:
Continue to test the accounting application controls and include the deficiency in the final report.

While planning an IS audit, an assessment of risk should be made to provide:
Reasonable assurance that the audit will cover material items.

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
Confidentiality of the work papers.

Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience?
Professional standards

Which of the following is the most important skill an IS auditor should develop?
Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit? Project management is correct.

Which aspects should the auditor's understanding of the entity and its environment cover?
Internal Control
The auditor's understanding of the entity and its environment consists of an understanding of the following aspects: (a) Industry, regulatory, and other external factors, including the applicable financial reporting framework.

What are the factors the auditor must evaluate to understand IT?
Yes, an auditor must understand each component of the client's financial reporting controls. This includes the control environment, risk assessment process, information system, control activities that relate to the audit, and the client's monitoring of the controls.

Which of the following auditing techniques would be the most appropriate for a retail business with a large volume of transactions to address emerging risk proactively?
For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk? Continuous auditing.