Ch 2 Flashcards

(97 cards)

1
Q

Name some soft skills

A
Honest 
Ethical
Attention to detail
Professionalism
Listening 
Leadership
2
Q

Name some hard skills

A
Technical competence
Knowledge needed to accomplish work
Writing
Thinking
Project Mgmt
Critical Thinking
3
Q

Honest

A

soft

4
Q

Ethical

A

soft

5
Q

Attention to detail

A

soft

6
Q

Verbal and written skill

A

Hard

7
Q

Analytic skill

A

Hard

8
Q

Interpersonal skill

A

Soft

9
Q

Professional and willingness to take lead

A

Soft

10
Q

Project management and Organizational skill

A

Hard

11
Q

Critical Thinking

A

Hard

12
Q

Professional Ethics describe

A

principles and values that govern acceptable behavior

13
Q

What does client mean

A

Leadership of the area you are auditing

14
Q

CISA auditors must be

A

Honest and Transparent

15
Q

Define Standards

A

Mandatory actions, explicit rules or controls designed to support and conform to policy through hardware, software or behavior

16
Q

What makes policy more meaningful and effective

A

Standards

17
Q

Standards should always point to

A

Policy

18
Q

Procedures are

A

Written steps to execute policy

19
Q

Which one is more detailed Policy or Procedures?

A

Procedures

20
Q

What is an outline for a statement of conduct

A

Guideline

21
Q

Are guidelines mandatory to follow

A

No

22
Q

Do guidelines provide general guidance

A

Yes

23
Q

Are guidelines requirements that need to be met, or are they recommended?

A

Recommended

24
Q

What's a baseline?

A

specific rules that are accepted across the industry as providing the most effective approach to a specific implementation

25
Name some regulatory standards
HIPAA
SOX
Basel III
PCI
FISMA
COSO
SCADA
FACTA
26
HIPAA
Healthcare
27
SOX
Financial
28
Basel III
Risk Mgmt Banking
29
PCI
Credit Cards
30
FISMA
US Govt Security Standards
31
COSO
Financial Fraud Reporting
32
SCADA
Security for Automated Systems
33
FACTA
Reduce Fraud and ID Theft
34
Is regulatory guidance early, on time, or late
Late
35
Most cyber laws are written before or after a major breach
After
36
Name some industry guidance organizations
COBIT ISO NIST FIPS
37
Name the types of audits
Financial Integrated Operational
38
What is a financial audit
Audit of financial statements and processes. Usually doesn't include the IT auditor
39
Integrated Audit
Includes a financial and technical audit
40
What are the key risk types
Inherent Control Detection
41
Define Detection Risk
Misstatements or material errors have occurred and were not detected
42
What is an inherent risk
Naturally occurring risk because of the nature of business before controls are applied
43
Describe a control risk
Risk that internal controls will not prevent a material error
44
How does ISACA define material
Item of significance that has a real impact on the organization
45
Given the nature of driving, would no speed limits be an inherent risk
Yes
46
What type of risk is it if your driver airbag does not deploy?
It is a control risk
47
What type of risk is an audit
Detection risk
48
Is an audit a type of detection risk?
Yes
49
What is a risk that is (Inherent Risk - Controls)
Residual risk
50
What is left up to the professional opinion of the auditor
Quantitative analysis and qualitative judgement
51
What is quantitative analysis?
Conclusion based on a series of measurements
52
What is a qualitative judgement
Judgment based on a broad understanding of business and asks the question what might go wrong
53
What is risk management?
Identifying, assessing, mitigating and monitoring risks
54
What is the risk management process
Implement a risk mgmt program
ID assets
ID threats
Perform risk analysis
Disposition risk
Monitor
55
Is Risk mgmt a part of corporate governance
Yes
56
Who supports and funds risk mgmt
Senior Leadership
57
The risk mgmt leader should have good Project mgmt skills
Yes
58
What are the risk courses of action
Avoid Reduce Accept Transfer
59
Is monitoring risk important
Yes
60
Why are controls used
To comply with internal policies, regulatory expectations and reduce risk
61
What is risk tolerance
Right controls to reduce risk to an acceptable level
62
Audited systems must meet which requirement
Regulatory and legal requirements
63
Do controls typically start with high-level policy and apply to all areas of the company?
Yes
64
Name the two categories of procedures
General Control Procedures | IS Control Procedures
65
Controls are what
Preventative, Detective, Corrective
66
Name a preventative control
Access Control List
67
Name a detective control
IDS | Security Log
68
Name a corrective control
IPS | Backup Power Supply
69
What type of control stops a threat immediately
Preventative
70
What type of control identifies a threat after the fact?
Detective
71
What type of control tries to remediate the risk of a threat after the fact?
Corrective
72
Who has a fiduciary responsibility of special trust and confidence with the client
The auditor
73
What is the purpose of an IS audit
To evaluate controls against predetermined control objectives
74
Audit Methodology
Documented approach for performing an audit in a consistent and repeatable manner
75
How does an audit methodology meet the audit objectives
By defining the following: Statement of Work, Statement of Scope, Statement of Audit Objectives
76
Name the steps of the audit process
Audit subjects
Audit objective
Audit scope
Pre-audit planning
Data gathering
Evaluation of test results
Communication with management
Preparation of audit report
77
In chain of custody, an auditor must be able to...
Account for who had access to the data
Ensure that access to the data is controlled
Show that the information was protected from tampering
78
What is evidence handling
Handling of any information obtained during the audit
79
Audit evidence should be
Sufficient
Usable
Reliable
Relevant
Effective
80
Give examples of work papers
Findings Activities Tests
81
Work papers should be properly dated, labeled, detailed, clear and self-contained
Yes
82
What provides confidentiality for Work Papers
Encryption
83
What provides availability for work papers
Backups
84
What provides authorized access for work papers
Access control lists
85
What should be considered for electronic work papers
Encryption Access lists Backups Audit trails and controls
86
Software audit tools used for statistical sampling and data analysis
Computer assisted audit tools
87
Sampling produces...
Generalized results for the population as a whole
88
What are some sampling methods
Statistical Non Statistical Variable Attribute
89
What are the parts of attribute sampling?
Frequency estimating Stop and Go Discovery
90
What are a few ways to ensure compliance
Sampling or Monitoring
91
Continuous monitoring is good for which types of processes
Processes that capture, manipulate, store and disseminate data
92
What are the six preconditions that should be present before an org can adopt continuous auditing
System must have acceptable characteristics
System must be reliable, have existing controls and collect data on the systems
System must have a highly automated secondary control system
Auditor must be proficient in the technology
Audit process must offer a reliable method for obtaining the audit procedure results
Verifiable controls of the audit reporting process must exist
93
QA strives to improve two key attributes
Quality and adherence
94
Best way to avoid surprises
Communicate Communicate Communicate
95
Name the four opinions that an auditor can have
Unqualified Qualified Adverse Disclaimer
96
Opinions can be applied to what
Entire report or single finding
97
What are the three types of audit ratings
Unrated Satisfactory Unsatisfactory