






The use of an integrated test facility (ITF) in IS auditing and the various audit techniques that an IS auditor can employ. It covers topics such as ensuring the segregation of duties, monitoring unauthorized modifications to production programs, determining appropriate sample sizes for testing program change approvals, the importance of supervision and review of audit work, the use of substantive testing and compliance testing, the application of discovery sampling, the evaluation of application controls, and the advantages of continuous auditing. The document also touches on the use of computer-assisted audit techniques (CAATs) like generalized audit software (GAS) and the importance of understanding security risks and developing a risk-based audit plan. Overall, this document provides valuable insights into the key considerations and best practices for IS auditors in ensuring the integrity and security of information systems.
Typology: Exams







substantive test Correct Answer-A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy or validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test.

When using an integrated test facility (ITF), an IS auditor should ensure that: Correct Answer-An ITF creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. The test data must be kept separate from production data.

Which audit technique provides the BEST evidence of the segregation of duties in an IT department? Correct Answer-C. Based on the observations and interviews, the IT auditor can evaluate the segregation of duties. By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IT staff, the auditor can get an overview of the tasks performed.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? Correct Answer-B. Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently.

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control? Correct Answer-C. A sample of a system-generated report with evidence that the reviewer followed up on the exception represents the best possible evidence of the effective operation of the control because there is documented evidence that the reviewer has reviewed and taken actions based on the exception report.

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a: Correct Answer-A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size.

The PRIMARY purpose for meeting with auditees prior to formally closing a review is to: Correct Answer-B. The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings and responses from management.

Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank? Correct Answer-C. Dual control requires that two people carry out an operation. The observation technique would help to ascertain whether two individuals do indeed get involved in execution of the operation and an element of oversight exists. It would also be obvious if one individual is masquerading and filling in the role of the second person.

Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience? Correct Answer-D. Professional standards from ISACA, The Institute of Internal Auditors (IIA) and the International Federation of Accountants (IFAC) require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.

An IS auditor notes that daily reconciliation of visitor access card inventory is not carried out as mandated. During testing, the IS auditor did not find that access cards were missing. In this context, the IS auditor should: Correct Answer-C. The IS auditor should report the lack of daily reconciliation as an exception because a physical inventory count gives assurance only at a point in time and the practice is not in compliance with management's mandated activity.

An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should: Correct Answer-C. In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function? Correct Answer-D. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to: Correct Answer-A. When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify the changes.

Which of the following choices is MOST important for an IS auditor to understand when auditing an e-commerce environment? Correct Answer-C. The e-commerce application enables the execution of business transactions. Therefore, it is important to understand the nature and criticality of the business process supported by the e-commerce application to identify specific controls to review.

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a: Correct Answer-A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size.

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk? Correct Answer-D. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture (SOA). What is the INITIAL step? Correct Answer-A. A service-oriented architecture (SOA) relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services.

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor? Correct Answer-A. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management could then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.

Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds? Correct Answer-A. Generalized audit software (GAS) is a data analytic tool that can be used to filter large amounts of data.

Integrated Test Facility (ITF) Correct Answer-B. The integrated test facility tests the processing of the data and cannot be used to monitor real-time transactions.

reports on malicious activity originating from the Internet as well as the internal network, thus allowing the administrator to take action.

Which of the following acts as a decoy to detect active Internet attacks? Correct Answer-A. Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from intruder's actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks.

An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions? Correct Answer-A. Attribute sampling is used to test compliance of transactions to controls—in this instance, the existence of appropriate approval.

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix? Correct Answer-C. Attribute sampling is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.

A PRIMARY benefit derived for an organization employing control self-assessment (CSA) techniques is that it: Correct Answer-A. Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review at a later date.

The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors? Correct Answer-C. Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.

During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should: Correct Answer-D. One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management with recommendations to document the current controls or enforce the documented procedures.

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit? Correct Answer-A. Control self-assessments (CSAs) require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner.

Which of the following is in the BEST position to approve changes to the audit charter? Correct Answer-B. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee.

While planning an IS audit, an assessment of risk should be made to provide: Correct Answer-reasonable assurance that the audit will cover material items.

Which of the following will MOST successfully identify overlapping key controls in business application systems? Correct Answer-Replacing manual monitoring with an automated auditing solution

integrated test facility Correct Answer-B. The integrated test facility tests the processing of the data and cannot be used to monitor real-time transactions.

An IS auditor evaluating logical access controls should FIRST: Correct Answer-D. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk.

Which of the following choices would be the BEST source of information when developing a risk-based audit plan? Correct Answer-Which of the following choices would be the BEST source of information when developing a risk-based audit plan?

Which of the following is an advantage of an integrated test facility (ITF)? Correct Answer-B. An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be isolated from production data.

Which of the following will MOST successfully identify overlapping key controls in business application systems? Correct Answer-Replacing manual monitoring with an automated auditing solution

Computer assisted audit technique (CAAT) Correct Answer-any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities

variable sampling Correct Answer-method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values

attribute sampling Correct Answer-method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.

integrated test facility Correct Answer-testing methodology where test data are processed in production systems. The data usually represent a set of fictitious entities such as departments, customers and products. Output reports are verified to confirm the correctness of the processing.

When developing a risk management program, what is the FIRST activity to be performed? Correct Answer-C. Identification of the assets to be protected is the first step in the development of a risk management program.