
Question 1

Senior management has requested that an IS auditor assist the departmental management in
the implementation of necessary controls. The IS auditor should:

Your Answer: inform management of his/her inability to conduct future audits.

Explanation: Correct! An IS auditor can perform nonaudit assignments if his or her expertise can be
of use to management; however, by performing the nonaudit assignment, the IS auditor cannot
conduct the future audits of the areas because his or her independence may be compromised. The
independence of the IS auditor will not be impaired when recommending controls to the auditee after
the audit. In this situation, the IS auditor should inform management of the impairment of
independence in conducting further audits in the auditee’s area.

Question 2

The PRIMARY purpose of an audit charter is to:

Your Answer: describe the authority and responsibilities of the audit department.

Explanation: Correct! Standard S1 - Audit Charter states "The purpose, responsibility, authority and
accountability of the information systems audit function or information audit assignments should be
appropriately documented in an audit charter or engagement letter." The audit charter typically sets out
the role and responsibility of the internal audit department. It should state management's objectives for
and delegation of authority to the audit department.

Question 3

An IS auditor performing a review of an application's controls finds a weakness in system
software that could materially impact the application. The IS auditor should:

Your Answer: review the system software controls as relevant and recommend a detailed system
software review.

Explanation: Correct! Where the applications are dependent on system software then the
effectiveness of those controls should be considered. If they are not within the existing scope, then an
appropriate option would be to review the system software as relevant to the review and recommend a
detailed system software review for which additional resources may be recommended. See audit
Guideline G14, Application Systems Review Planning Considerations.

Question 4

The use of statistical sampling procedures helps minimize:

Your Answer: detection risk.

Explanation: Correct! Detection risk is the risk that an IS auditor's substantive procedures will not
detect an error which could be material, individually or in combination with other errors. Using
statistical sampling, an IS auditor can quantify how closely the sample should represent the population
and can quantify the probability of error.

Question 5

Which of the following sampling methods is MOST useful when testing for compliance?

Your Answer: Attribute sampling

Explanation: Correct! Attribute sampling is the primary sampling method used for compliance testing.
Attribute sampling is a method that is used to estimate the rate of occurrence of a specific quality
(attribute) in a population and is used in compliance testing to confirm whether the quality exists. In
compliance testing of controls, attribute sampling is typically used where the sampling unit is an event
or transaction (e.g., a control such as an authorization on an invoice). For substantive testing, variable
or estimation sampling is frequently used where the sampling unit is often monetary.

Question 6

Which of the following is a substantive test?

Your Answer: Using a statistical sample to inventory the tape library

Explanation: Correct! A substantive test confirms the integrity of actual processing. A substantive test
would determine if the tape library records are stated correctly. A substantive test substantiates the
integrity of actual processes. The test outlined would substantiate that the control objective has been
achieved.

Question 7

The extent to which data will be collected during an IS audit should be based on the:

Your Answer: purpose and scope of the audit being performed.

Explanation: Correct! During the course of an audit, an IS auditor should obtain sufficient, reliable
and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be
supported by appropriate analysis and interpretation of this evidence. The extent to which data will be
collected during an IS audit should be related directly to the scope and purpose of the audit. An audit
with a narrow purpose and scope would result in less data collection than an audit with a wider
purpose and scope.

Question 8

Which of the following is the BEST audit technique to identify payroll overpayments through
program error for the previous year?

Your Answer: Generalized Audit Software

Explanation: Correct! Generalized audit software features include mathematical computations,
stratifications, statistical analysis, sequence checking, duplicate checking and recomputation. The IS
auditor, using generalized audit software, could design appropriate tests to recompute the payroll and,
thereby, determine whether calculation errors resulting in overpayments were made and to whom they
were made.

Question 9

The IS department of an organization wants to ensure that the computer files used in the
information-processing facility are adequately backed up to allow for proper recovery. This is
a(n):

Your Answer: control objective.

Explanation: Correct! A control objective is a statement of the desired result or purpose to be
achieved by implementing control procedures in a particular process. IS control objectives specify the
minimum set of controls to ensure efficiency and effectiveness in the operations and functions within
an organization.

Question 10

An IS auditor performing a review of management controls relating to application controls
would evaluate the:

Your Answer: impact of any exposures discovered.

Explanation: Correct! Management bases their response to audit findings on the level of risk that the
business is exposed to from identified weaknesses. Therefore, a key element of any audit is an
assessment of any exposures resulting from the control weaknesses found.

Question 11

In a risk-based audit approach, in addition to risk, an IS auditor would be influenced by:

Your Answer: the existence of internal and operational controls.

Explanation: Correct! The existence of internal and operational controls will have a bearing on the IS
auditor's approach to the audit. In a risk-based audit approach, the IS auditor is not only relying on risk,
but also on internal and operational controls, as well as knowledge of the company and business. This
type of risk assessment decision can help relate the cost-benefit analysis of a control to the known
risk, allowing practical choices.

Question 12

In a risk-based audit approach, an IS auditor should FIRST complete a(n):

Your Answer: inherent risk assessment.

Explanation: Correct! Inherent risk is the susceptibility of an audit area to error which could be
material, individually or in combination with other errors, assuming that there were no related internal
controls. The first step in a risk-based audit approach is to gather information about the business and
industry to evaluate the inherent risks. This is normally undertaken first as part of audit planning.

Question 13

The risk of an IS auditor using an inadequate test procedure and concluding that material
errors do not exist when, in fact, they do is an example of:

Your Answer: detection risk.

Explanation: Correct! Detection risk is the risk that an IS auditor’s substantive procedures will not
detect an error which could be material, individually or in combination with other errors. For example,
the detection risk associated with identifying breaches of security in an application system is ordinarily
high because logs for the whole period of the audit are not available at the time of the audit. The
detection risk associated with identification of lack of disaster recovery plans is ordinarily low since
existence is easily verified.

Question 14

In planning an audit, the MOST critical step is the identification of the:

Your Answer: areas of high risk.

Explanation: Correct! When designing an audit plan, an IS auditor should perform a risk assessment
to provide reasonable assurance that all material items (i.e., high-risk areas) will be adequately
covered during the audit.

Question 15

To ensure that audit resources deliver the best value to the organization, the FIRST step would
be to:

Your Answer: develop the audit plan on the basis of a detailed risk assessment.

Explanation: Correct! When designing an audit plan, an IS auditor should perform a risk assessment
to provide reasonable assurance that all material items (i.e., high-risk areas) will be adequately
covered during the audit. Monitoring the time and audit programs, as well as providing adequate
training, will improve the IS audit staff productivity (efficiency and performance), but what delivers
value to the organization are the resources and efforts being dedicated to and focused on the higher-
risk areas.

Question 16

During the planning stage of an IS audit, the PRIMARY goal of the IS auditor is to:

Your Answer: address audit objectives.

Explanation: Correct! ISACA auditing standards require that an IS auditor plan the audit work to
address the audit objectives. The IS auditor should plan the information systems audit coverage to
address the audit objectives and comply with applicable laws and professional auditing standards.

Question 17

When communicating audit results, IS auditors should remember that, ultimately, they are
responsible to:

Your Answer: senior management and/or the audit committee.

Explanation: Correct! An IS auditor is ultimately responsible to senior management and the audit
committee of the board of directors. Where the IS auditor finds significant deficiencies in the control
environment, the IS auditor should communicate these deficiencies to the audit committee or
responsible authority and disclose in the report that significant deficiencies have been communicated.

Question 18

Corrective action has been taken by an auditee immediately after the identification of a
reportable finding. The auditor should:

Your Answer: include the finding in the final report, because the IS auditor is responsible for an
accurate report of all findings.

Explanation: Correct! An IS auditor’s report should describe all material or significant weaknesses
and the effect on the achievement of the objectives of the control criteria. If an action is taken after the
audit started but before it ended, the audit report should still identify the finding because the weakness
would have impacted the area being audited for the period of the audit.

Question 19

Which of the following is an objective of a control self-assessment (CSA) program?

Your Answer: Concentration on areas of high risk

Explanation: Correct! A control self-assessment (CSA) is a technique that adds value by increasing
an operating unit’s involvement in designing and maintaining control and risk systems, as well as
identifying risk exposures and determining corrective action. The process should be risk based and
focus on areas of high risk.

Question 20

A PRIMARY benefit derived from an organization employing control self-assessment (CSA)
techniques is that it:

Your Answer: can identify high-risk areas that might need a detailed review later.

Explanation: Correct! CSA is predicated on the review of high-risk areas that need either immediate
attention or a more thorough review at a later date.

Question 21

Which of the following is the PRIMARY advantage of using computer forensic software for
investigations?

Your Answer: The preservation of the chain of custody for electronic evidence

Explanation: Correct! The primary objective of forensic software is to preserve electronic evidence to
meet the rules of evidence. During the conduct of a computer investigation, it is critical that
confidentiality is maintained and integrity is established for data and information gathered and made
available to appropriate authorities only. Activity relating to the seizure, access, storage or transfer of
digital evidence must be fully documented, preserved and available for review.
