1. An IS auditor is reviewing access to an application to determine
whether the 10 most recent "new user" forms were correctly authorized.
This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go
sampling. The correct
answer is:
C. compliance testing.
You did not answer the question.
Explanation:
Compliance testing determines whether controls are being applied in
compliance with policy. This includes tests to determine whether new
accounts were appropriately authorized. Variable sampling is used to
estimate numerical values, such as dollar values. Substantive testing
substantiates the integrity of actual processing, such as balances on
financial statements. The development of substantive tests is often
dependent on the outcome of compliance tests. If compliance tests indicate
that there are adequate internal controls, then substantive tests can be
minimized. Stop-or-go sampling allows a test to be stopped as early as
possible and is not appropriate for checking whether procedures have been
followed.
Area: 1
2. The decisions and actions of an IS auditor are MOST likely to affect
which of the following risks?
A. Inherent
B. Detection
C. Control
D. Business
The correct answer is:
B. Detection
You did not answer the question.
Explanation:
Detection risks are directly affected by the auditor's selection of audit
procedures and techniques. Inherent risks usually are not affected by the IS
auditor. Control risks are controlled by the actions of the company's
management. Business risks are not affected by the IS auditor.
, Area: 1
3. Senior management has requested that an IS auditor assist the departmental
management in the implementation of necessary controls. The IS auditor
should:
A. refuse the assignment since it is not the role of the IS auditor.
B. inform management of his/her inability to conduct future audits.
C. perform the assignment and future audits with due professional care.
D. obtain the approval of user management to perform the implementation
and follow-up.
The correct answer is:
B. inform management of his/her inability to conduct future audits.
You did not answer the question.
Explanation:
In this situation the IS auditor should inform management of the
impairment of independence in conducting further audits in the auditee area.
An IS auditor can perform nonaudit assignments where the IS auditor's
expertise
can be of use to management; however, by performing the nonaudit assignment,
the IS auditor cannot conduct the future audits of the auditee as his/her
independence may be compromised. However, the independence of the IS auditor
will not be impaired when suggesting/recommending controls to the auditee
after he audit.
Area: 1
4. Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a
threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully
exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment
team. The correct answer is:
A. a product of the probability and magnitude of the impact if a threat
successfully exploits a vulnerability.
You did not answer the question.
Explanation:
Choice A takes into consideration the likelihood and magnitude of the impact
and provides the best measure of the risk to an asset. Choice B provides
only the likelihood of a threat exploiting a vulnerability in the asset but
does not provide the magnitude of the possible damage to the asset.
Similarly, choice C considers only the magnitude of the damage and not
the possibility of a threat exploiting a vulnerability. Choice D defines the
, risk on an arbitrary basis and is not suitable for a scientific risk
management process.
Area: 1
5. Which of the following is a substantive test?
A. Checking a list of exception reports
B. Ensuring approval for parameter changes
C. Using a statistical sample to inventory the tape library
D. Reviewing password history
reports The correct answer is:
C. Using a statistical sample to inventory the tape library
You did not answer the question.
Explanation:
A substantive test confirms the integrity of actual processing. A
substantive test would determine if the tape library records are stated
correctly. A compliance test determines if controls are being applied in a
manner that is consistent with management policies and procedures. Checking
the authorization of exception reports, reviewing authorization for changing
parameters and reviewing password history reports are all compliance tests.
Area: 1
6. The use of statistical sampling procedures helps minimize:
A. sampling risk.
B. detection risk.
C. inherent risk.
D. control risk.
The correct answer is:
B. detection risk.
You did not answer the question.
Explanation:
Detection risk is the risk that the IS auditor uses an inadequate test
procedure and concludes that material errors do not exist, when in fact they
do. Using statistical sampling, an IS auditor can quantify how closely the
sample should represent the population and quantify the probability of
error. Sampling risk is the risk that incorrect assumptions will be made
about the characteristics of a population from which a sample is selected.
Assuming there are no related compensating controls, inherent risk is the
risk that an error exists, which could be material or significant when
combined with other errors found during the audit. Statistical sampling
will not minimize this. Control risk is the risk that a material error exists,
, which will not be prevented or detected on a timely basis by the system of
internal controls. This cannot be minimized using statistical sampling.
Area: 1
7. Which of the following is a benefit of a risk-based approach to
audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.
The correct answer is:
D. resources are allocated to the areas of highest concern.
You did not answer the question.
Explanation:
The risk-based approach is designed to ensure audit time is spent on the
areas of highest risk. The development of an audit schedule is not
addressed
by a risk-based approach. Audit schedules may be prepared months in advance
using various scheduling methods. A risk approach does not have a direct
correlation to the audit staff meeting time budgets on a particular audit,
nor does it necessarily mean a wider variety of audits will be performed in
a given year.
Area: 1
8. The PRIMARY objective of an IS audit function is to:
A. determine whether everyone uses IS resources according to their
job description.
B. determine whether information systems safeguard assets and maintain
data integrity.
C. examine books of accounts and relative documentary evidence for
the computerized system.
D. determine the ability of the organization to detect
fraud. The correct answer is:
B. determine whether information systems safeguard assets and maintain data
integrity.
You did not answer the question.
Explanation:
The primary reason for conducting IS audits is to determine whether a
system safeguards assets and maintains data integrity. Examining books of
accounts is one of the processes involved in IS audit, but it is not the primary
purpose. Detecting frauds could be a result of an IS audit but is not the
whether the 10 most recent "new user" forms were correctly authorized.
This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go
sampling. The correct
answer is:
C. compliance testing.
You did not answer the question.
Explanation:
Compliance testing determines whether controls are being applied in
compliance with policy. This includes tests to determine whether new
accounts were appropriately authorized. Variable sampling is used to
estimate numerical values, such as dollar values. Substantive testing
substantiates the integrity of actual processing, such as balances on
financial statements. The development of substantive tests is often
dependent on the outcome of compliance tests. If compliance tests indicate
that there are adequate internal controls, then substantive tests can be
minimized. Stop-or-go sampling allows a test to be stopped as early as
possible and is not appropriate for checking whether procedures have been
followed.
Area: 1
2. The decisions and actions of an IS auditor are MOST likely to affect
which of the following risks?
A. Inherent
B. Detection
C. Control
D. Business
The correct answer is:
B. Detection
You did not answer the question.
Explanation:
Detection risks are directly affected by the auditor's selection of audit
procedures and techniques. Inherent risks usually are not affected by the IS
auditor. Control risks are controlled by the actions of the company's
management. Business risks are not affected by the IS auditor.
, Area: 1
3. Senior management has requested that an IS auditor assist the departmental
management in the implementation of necessary controls. The IS auditor
should:
A. refuse the assignment since it is not the role of the IS auditor.
B. inform management of his/her inability to conduct future audits.
C. perform the assignment and future audits with due professional care.
D. obtain the approval of user management to perform the implementation
and follow-up.
The correct answer is:
B. inform management of his/her inability to conduct future audits.
You did not answer the question.
Explanation:
In this situation the IS auditor should inform management of the
impairment of independence in conducting further audits in the auditee area.
An IS auditor can perform nonaudit assignments where the IS auditor's
expertise
can be of use to management; however, by performing the nonaudit assignment,
the IS auditor cannot conduct the future audits of the auditee as his/her
independence may be compromised. However, the independence of the IS auditor
will not be impaired when suggesting/recommending controls to the auditee
after he audit.
Area: 1
4. Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a
threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully
exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment
team. The correct answer is:
A. a product of the probability and magnitude of the impact if a threat
successfully exploits a vulnerability.
You did not answer the question.
Explanation:
Choice A takes into consideration the likelihood and magnitude of the impact
and provides the best measure of the risk to an asset. Choice B provides
only the likelihood of a threat exploiting a vulnerability in the asset but
does not provide the magnitude of the possible damage to the asset.
Similarly, choice C considers only the magnitude of the damage and not
the possibility of a threat exploiting a vulnerability. Choice D defines the
, risk on an arbitrary basis and is not suitable for a scientific risk
management process.
Area: 1
5. Which of the following is a substantive test?
A. Checking a list of exception reports
B. Ensuring approval for parameter changes
C. Using a statistical sample to inventory the tape library
D. Reviewing password history
reports The correct answer is:
C. Using a statistical sample to inventory the tape library
You did not answer the question.
Explanation:
A substantive test confirms the integrity of actual processing. A
substantive test would determine if the tape library records are stated
correctly. A compliance test determines if controls are being applied in a
manner that is consistent with management policies and procedures. Checking
the authorization of exception reports, reviewing authorization for changing
parameters and reviewing password history reports are all compliance tests.
Area: 1
6. The use of statistical sampling procedures helps minimize:
A. sampling risk.
B. detection risk.
C. inherent risk.
D. control risk.
The correct answer is:
B. detection risk.
You did not answer the question.
Explanation:
Detection risk is the risk that the IS auditor uses an inadequate test
procedure and concludes that material errors do not exist, when in fact they
do. Using statistical sampling, an IS auditor can quantify how closely the
sample should represent the population and quantify the probability of
error. Sampling risk is the risk that incorrect assumptions will be made
about the characteristics of a population from which a sample is selected.
Assuming there are no related compensating controls, inherent risk is the
risk that an error exists, which could be material or significant when
combined with other errors found during the audit. Statistical sampling
will not minimize this. Control risk is the risk that a material error exists,
, which will not be prevented or detected on a timely basis by the system of
internal controls. This cannot be minimized using statistical sampling.
Area: 1
7. Which of the following is a benefit of a risk-based approach to
audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.
The correct answer is:
D. resources are allocated to the areas of highest concern.
You did not answer the question.
Explanation:
The risk-based approach is designed to ensure audit time is spent on the
areas of highest risk. The development of an audit schedule is not
addressed
by a risk-based approach. Audit schedules may be prepared months in advance
using various scheduling methods. A risk approach does not have a direct
correlation to the audit staff meeting time budgets on a particular audit,
nor does it necessarily mean a wider variety of audits will be performed in
a given year.
Area: 1
8. The PRIMARY objective of an IS audit function is to:
A. determine whether everyone uses IS resources according to their
job description.
B. determine whether information systems safeguard assets and maintain
data integrity.
C. examine books of accounts and relative documentary evidence for
the computerized system.
D. determine the ability of the organization to detect
fraud. The correct answer is:
B. determine whether information systems safeguard assets and maintain data
integrity.
You did not answer the question.
Explanation:
The primary reason for conducting IS audits is to determine whether a
system safeguards assets and maintains data integrity. Examining books of
accounts is one of the processes involved in IS audit, but it is not the primary
purpose. Detecting frauds could be a result of an IS audit but is not the
