A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
2. Which of the following criteria for selecting the applications to be audited is LEAST likely to be used?
A. Materiality of audit risk
B. Sensitivity of transactions
C. Technological complexity
D. Regulatory agency involvement
3. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Multiple cycles of backup files remain available
B. Access controls establish accountability for e-mail activity
C. Data classification regulates what information should be communicated via e-mail
D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available
Answer: A
4. While planning an audit, an assessment of risk should be made to provide:
A. Reasonable assurance that the audit will cover material items.
B. Definite assurance that material items will be covered during the audit work.
C. Reasonable assurance that all items will be covered by the audit.
D. Sufficient assurance that all items will be covered during the audit work.
Answer: A
5. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls can only be regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing
Answer: A
6. During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas—the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
A. Record the observations separately with the impact of each of them marked against each respective finding.
B. Advise the manager of probable risks without recording the observations since the control weaknesses are minor ones.
C. Record the observations and the risk arising from the collective weaknesses.
D. Apprise the departmental heads concerned with each observation and properly document it in the report.
Answer: C
7. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate.
8. The success of control self-assessment (CSA) depends highly on:
A. Having line managers assume a portion of the responsibility for control monitoring.
B. Assigning staff managers the responsibility for building, but not monitoring, controls.
C. The implementation of a stringent control policy and rule-driven controls.
D. The implementation of supervision and the monitoring of controls of assigned duties.
Answer: A
9. A long-term IS employee has asked to transfer to IS auditing. The individual has a strong technical background and broad managerial experience. According to ISACA’s General Standards for IS Auditing, consideration should be...