In a risk-based audit approach, the IS auditor must consider the inherent risk as well as considering:
A. how to eliminate the risk through the application of controls.
B. the balance of loss potential vs. the cost to implement controls.
C. whether the risk is material, regardless of management’s tolerance for risk.
D. whether the residual risk is higher than the insurance coverage purchased.

Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation

Which of the following is the MOST critical step to perform when planning an IS audit?
A. Review findings from prior audits.
B. Develop plans to conduct a physical security review of the data center facility.
C. Review IS security policies and procedures.
D. Perform a risk assessment.

While planning an audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.

The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large number of transactions.
D. does not depend on the complexity of an organization’s computer systems.

After reviewing the disaster recovery plan (DRP) of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting?
A. Obtaining management approval of the corrective actions
B. Confirming factual accuracy of the findings
C. Assisting management in the implementation of corrective actions
D. Clarifying the scope and limitations of the audit

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate.

The success of control self-assessment (CSA) depends highly on:
A. having line managers assume a portion of the responsibility for control monitoring.
B. assigning staff managers the responsibility for building, but not monitoring, controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and the monitoring of controls of assigned duties.

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The IS auditor should:
A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.
B. not include the finding in the final report, because the audit report should include only unresolved findings.
C. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit.
D. include the finding in the closing meeting for discussion purposes only.

Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?
A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of the finding and the risks of not correcting it.
C. report the disagreement to the audit committee for resolution.
D. accept the auditee’s position since they are the process owners.

A substantive test to verify that tape library inventory records are accurate is:
A. determining whether bar code readers are installed.
B. determining whether the movement of tapes is authorized.
C. conducting a physical count of the tape inventory.
D. checking if receipts and issues of tapes are accurately recorded.

An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:
A. professional independence.
B. organizational independence.
C. technical competence.
D. professional competence.

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
A. Dumping the memory content to a file
B. Generating disk images of the compromised system
C. Rebooting the system
D. Removing the system from the network