Which of the following auditing techniques would be the most appropriate for a retail business with a large volume of transactions to address emerging risk proactively?

Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable?

A.
Test the adequacy of the control design.

B.
Test the operational effectiveness of controls.

Correct C.
Focus on auditing high-risk areas.

D.
Rely on management testing of controls.

You are correct, the answer is C.

A. Testing the adequacy of control design is not the best course of action because this does not ensure that controls operate effectively as designed.

B. Testing control operating effectiveness will not ensure that the audit plan is focused on areas of greatest risk.

C. Reducing the scope and focusing on auditing high-risk areas is the best course of action.

D. The reliance on management testing of controls will not provide an objective verification of the control environment.

An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:

A.
decline the assignment.

B.
inform management of the possible conflict of interest after completing the audit assignment.

C.
inform the BCP team of the possible conflict of interest prior to beginning the assignment.

Correct D.
communicate the possibility of conflict of interest to audit management prior to starting the assignment.

You are correct, the answer is D.

A. Declining the assignment could be acceptable only after obtaining management approval or after the conflict has been appropriately disclosed to management, audit management and other stakeholders.

B. Approval should be obtained prior to commencement and not after the completion of the assignment.

C. Informing the business continuity planning (BCP) team of the possible conflict of interest prior to starting the assignment is not the correct answer because the BCP team would not have the authority to decide on this issue.

D. A possible conflict of interest, likely to affect the IS auditor's independence, should be brought to the attention of management prior to starting the assignment.

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:

A.
include the statement from management in the audit report.

Correct B.
verify the software is in use through testing.

C.
include the item in the audit report.

D.
discuss the issue with senior management because it could have a negative impact on the organization.

You are correct, the answer is B.

A. The statement from management may be included in the audit report, but the auditor should independently validate the statements made by management to ensure completeness and accuracy.

B. When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report.

C. With respect to this matter, representations obtained from management cannot be independently verified.

D. If the organization is using software that is not licensed, the IS auditor, to maintain objectivity and independence, must include this in the report, but the IS auditor should verify that this is in fact the case before presenting it to senior management.

The PRIMARY advantage of a continuous audit approach is that it:

A.
does not require an IS auditor to collect evidence on system reliability while processing is taking place.

Correct B.
allows the IS auditor to review and follow up on audit issues in a timely manner.

C.
places the responsibility for enforcement and monitoring of controls on the security department instead of audit.

D.
simplifies the extraction and correlation of data from multiple and complex systems.

You are correct, the answer is B.

A. The continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place.

B. Continuous audit allows audit and response to audit issues in a timely manner because audit findings are gathered in near real time.

C. Responsibility for enforcement and monitoring of controls is primarily the responsibility of management.

D. The use of continuous audit is not based on the complexity or number of systems being monitored.

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:

A.
schedule the audits and monitor the time spent on each audit.

B.
train the IS audit staff on current technology used in the company.

Correct C.
develop the audit plan on the basis of a detailed risk assessment.

D.
monitor progress of audits and initiate cost control measures.

You are correct, the answer is C.

A. Monitoring the audits and the time spent on audits would not be effective if the wrong areas were being audited. It is most important to develop a risk-based audit plan to ensure effective use of audit resources.

B. The IS auditor may have specialties or the audit team may rely on outside experts to conduct very specialized audits. It is not necessary for each IS auditor to be trained on all new technology.

C. Monitoring the time and audit programs, as well as adequate training, will improve the IS audit staff's productivity (efficiency and performance), but what delivers value to the organization is ensuring that the resources and efforts being dedicated to audit are focused on higher-risk areas.

D. Monitoring audits and initiating cost controls will not necessarily ensure the effective use of audit resources.

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?

A.
Use of computer-assisted audit techniques (CAATs)

B.
Quarterly risk assessments

C.
Sampling of transaction logs

Correct D.
Continuous auditing

You are correct, the answer is D.

A. Using software tools such as computer-assisted audit techniques (CAATs) to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results.

B. Quarterly risk assessment may be a good technique but not as responsive as continuous auditing.

C. The sampling of transaction logs is a valid audit technique; however, risk may exist that is not captured in the transaction log, and there may be a potential time lag in the analysis.

D. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.

An organization's IS audit charter should specify the:

A.
plans for IS audit engagements.

B.
objectives and scope of IS audit engagements.

C.
detailed training plan for the IS audit staff.

Correct D.
role of the IS audit function.

You are correct, the answer is D.

A. Planning is the responsibility of audit management.

B. The objectives and scope of each IS audit should be agreed on in an engagement letter. The charter would specify the objectives and scope of the audit function but not of individual engagements.

C. A training plan, based on the audit plan, should be developed by audit management.

D. An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

A.
controls needed to mitigate risk are in place.

B.
vulnerabilities and threats are identified.

Incorrect C.
audit risk is considered.

D.
a gap analysis is appropriate.

You answered C. The correct answer is B.

A. Understanding whether appropriate controls required to mitigate risk are in place is a resultant effect of an audit.

B. In developing a risk-based audit strategy, it is critical that the risk and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.

C. Audit risk is an inherent aspect of auditing, is directly related to the audit process and is not relevant to the risk analysis of the environment to be audited.

D. A gap analysis would normally be done to compare the actual state to an expected or desirable state.

The final decision to include a material finding in an audit report should be made by the:

A.
audit committee.

B.
auditee's manager.

Correct C.
IS auditor.

D.
chief executive officer (CEO) of the organization.

You are correct, the answer is C.

A. The audit committee should not impair the independence, professionalism and objectivity of the IS auditor by influencing what is included in the audit report.

B. The IS auditor's manager may recommend what should or should not be included in an audit report, but the auditee's manager should not influence the content of the report.

C. The IS auditor should make the final decision about what to include or exclude from the audit report.

D. The chief executive officer (CEO) must not provide influence over the content of an audit report as that would be a breach of the independence of the audit function.

In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:

A.
ensure the risk assessment is aligned to management's risk assessment process.

B.
identify information assets and the underlying systems.

C.
disclose the threats and impacts to management.

Correct D.
identify and evaluate the existing controls.

You are correct, the answer is D.

A. An audit risk assessment is conducted for different purposes than management's risk assessment process.

B. It would be impossible to determine impact without first having identified the assets affected; therefore, this must already have been completed.

C. Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets as well as recommendations for addressing the risk. However, this cannot be done until the controls have been identified and the likelihood of the threat has been calculated.

D. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:

Incorrect A.
control design testing.

B.
substantive testing.

C.
inspection of relevant documentation.

D.
perform tests on risk prevention.

You answered A. The correct answer is B.

A. Testing of control design assesses whether the control is structured to meet a specific control objective. It does not help determine whether the control is operating effectively.

B. Among other methods, such as document review or walk-through, tests of controls are the most effective procedure to assess whether controls accurately support operational effectiveness.

C. Control documents may not always describe the actual process in an accurate manner. Therefore, auditors relying on document review have limited assurance that the control is operating as intended.

D. Performing tests on risk prevention is considered compliance testing. This type of testing is used to determine whether policies are adhered to.

Which of the following BEST describes the purpose of performing a risk assessment in the planning phase of an IS audit?

A.
To establish adequate staffing requirements to complete the IS audit

Correct B.
To provide reasonable assurance that all material items will be addressed

C.
To determine the skills required to perform the IS audit

D.
To develop the audit program and procedures to perform the IS audit

You are correct, the answer is B.

A. A risk assessment does not directly influence staffing requirements.

B. A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assurance is important as well.

C. A risk assessment does not identify the skills required to perform an IS audit.

D. A risk assessment is not used in the development of the audit program and procedures.

Which of the following is the MOST critical step when planning an IS audit?

A.
Review findings from prior audits.

B.
Executive management's approval of the audit plan.

Incorrect C.
Review IS security policies and procedures.

D.
Perform a risk assessment.

You answered C. The correct answer is D.

A. The findings of a previous audit are of interest to the auditor, but they are not the most critical step. The most critical step involves finding the current issues or high-risk areas, not reviewing the resolution of older issues. A review of historical audit findings could indicate that management is not resolving the items or the recommendation was ineffective.

B. Executive management is not required to approve the audit plan. It is typically approved by the audit committee or board of directors. Management could recommend areas to audit.

C. Reviewing information security policies and procedures would normally be conducted during fieldwork, not planning.

D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.2: "IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements." In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation.

An IS auditor is developing an audit plan for an environment that includes new systems. The company's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

A.
Audit the new systems as requested by management.

B.
Audit systems not included in last year's scope.

Correct C.
Determine the highest-risk systems and plan accordingly.

D.
Audit both the systems not in last year's scope and the new systems.

You are correct, the answer is C.

A. Auditing the new system does not reflect a risk-based approach. Even though the system could contain sensitive data and may present risk of data loss or disclosure to the organization, without a risk assessment, the decision to solely audit the newly implemented system is not a risk-based decision.

B. Auditing systems not included in the previous year's scope does not reflect a risk-based approach. In addition, management may know about problems with the new system and may be intentionally trying to steer the audit away from that vulnerable area. Although at first the new system may seem to be the most risky area, an assessment must be conducted rather than relying on the judgment of the IS auditor or IT manager.

C. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."

D. The creation of the audit plan should be performed in cooperation with management and based on risk. The IS auditor should not arbitrarily decide on what needs to be audited.

A PRIMARY benefit derived for an organization employing control self-assessment (CSA) techniques is that it:

Correct A.
can identify high-risk areas that might need a detailed review later.

B.
allows IS auditors to independently assess risk.

C.
can be used as a replacement for traditional audits.

D.
allows management to relinquish responsibility for control.

You are correct, the answer is A.

A. Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review at a later date.

B. CSA requires the involvement of IS auditors and line management. What occurs is that the internal audit function shifts some of the control monitoring responsibilities to the functional areas.

C. CSA is not a replacement for traditional audits. CSA is not intended to replace audit's responsibilities, but to enhance them.

D. CSA does not allow management to relinquish its responsibility for control.

What is the best factor for determining the required extent of data collection during the planning phase of an IS compliance audit?

Purpose, objective and scope of the audit. The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit.

Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?

Project management is correct.

Which of the following is the most critical step to perform when planning an IS audit?

Explanation: In planning an audit, the most critical step is identifying the areas of high risk.

Which of the following is MOST important to ensure that effective application controls are maintained?

Control self-assessment (CSA) is correct. CSA is the review of business objectives and internal controls in a formal and documented collaborative process.