CISA Concepts Flashcards Preview

CISA Stuff > CISA Concepts > Flashcards

Flashcards in CISA Concepts Deck (92):
1

What is the definition of audit?

Auditing is a detailed and specific evaluation of a process, procedure, organization, job function, or system, in which results are gathered and reported.

2

What is the purpose of ethics?

To mandate the professional and personal conduct of auditors

3

According to the ISACA Code of Ethics is an auditor allowed to share the results of an audit with other personnel?

The auditor must maintain confidentiality of the audit unless required by legal authority

4

Should the IS audit plan be integrated into the overall audit plan for the organization?

The IS Audit function must fulfill all organizational audit objectives.

5

An IS Auditor is best advised to follow the standards provided by ISACA for conducting an planning IS Audits

ISACA audit standards are recommendations for planning IS audits.

6

ISACA Audit standard S2 Independence refers to what?

An Auditor should be independent of the area being audited

7

Standard S4 Professional Competence, requires the auditor to have the skills to conduct the audit?

appropriate continuing professional education

8

The basis for an audit plan should be what?

Risk

9

Audit findings and conclusions are supported by what?

Evidence

10

When an auditor uses the assistance of outside experts, what obligations does the auditor have to review the work of the experts?

The auditor must apply additional test procedures if the work of outside experts is not adequate

11

When an auditor is planning an information system audit and suspects a potential control weakness, what are they obligated to do?

The auditor must consider the materiality of the weakness and plan the audit accordingly.

12

What role does risk assessment have in audit planning?

Risk assessment is used to determine the priorities for audit and allocation of audit resources.

13

What steps should an auditor take when a material irregularity is discovered?

The auditor should communicate the irregularity to management in a timely manner

14

What is the risk to an audit if unusual relationships exist between staff members in the area being audited?

The auditor may be provided inaccurate evidence

15

True or False? Supervision of the information systems audit staff should not be necessary if the staff is adequately trained and experienced

TRUE

16

Once an audit is completed and submitted does the auditor have any further responsibility?

Yes, the auditor should follow up to ensure that management addressed any audit issues in a timely manner

17

IT governance means:

The IT function aligns with business mission, values and objectives

18

Relationships with third parties may:

Require the organization to comply with the security standards of the third party

19

True or False? The organization does not have to worry about the impact of third party relationships on the security program

FALSE

20

The role of an Information Systems Security Steering Committee is to:

Provide feedback from all areas of the organization

21

The most effective tool a security department has is:

A security awareness program

22

The role of Audit in relation to Information Security is:

The validate the effectiveness of the security program against established metrics

23

Who should be responsible for development of a risk management strategy?

The Security Manager

24

The security requirements of each member of the organization should be documented in:

Their job descriptions

25

What could be the greatest challenge to implementing a new security strategy?

Obtaining buy-in from employees

26

Which forms of wireless media operate only when there are no obstacles in the transmission path?

Spread spectrum

27

What best defines electrical noise?

Extraneous signals introduced onto network media.

28

An audit log is an example of a:

Detective control

29

A compensating control is used:

When normal controls are not sufficient to mitigate the trick

30

A disgruntled former employee is a:

Threat

31

A bug or software flaw is a:

Vulnerability

32

Encryption is an example of a:

Countermeasure

33

The examination of risk factors would be an example of:

Risk analysis

34

True/False: The only real risk mitigation technique is based on effective implementation of technical controls.

FALSE

35

Should a risk assessment consider controls that are planned but not yet implemented?

Yes, because it would not be appropriate to recommend implementing controls that are already planned

36

What is the purpose of a control?

Controls are used to resolve vulnerabilities

37

What is the definition of risk assessment?

The evaluation of the level of risk to an information system.

38

What is residual risk?

The level of risk that remains after the implementation of controls

39

What is the primary focus of risk assessment?

Regulatory requirements

40

What is audit detection risk?

The risk that the tests used during an audit did not discover an error

41

What is inherent risk?

A risk associated with pre-existing errors in the control environment

42

What is the first phase of the risk analysis process?

Critical asset identification

43

What are the components of risk analysis?

Threat, vulnerability and impact

44

What is the relationship between risk assessment and audit?

Risk assessment is used to identify high-risk areas to be audited

45

The intent of a control is to:

Reduce the likelihood or impact of the threat

46

If the materiality is minimal then:

It may be ignored

47

The determination of materiality is:

Based on the judgment of the auditor

48

An example of a preventative control is:

B) A security policy

49

An example of a detective control is:

Review of audit logs

50

A corrective control is designed to:

Restore systems to normal

51

An example of a corrective control is:

A business continuity plan

52

An organization implements a procedure to control changes to the configuration of an information system. This would be an example of a(n):

Administrative Control

53

Administrative controls are used to:

Monitor compliance with policy

54

Internal controls may be:

either manual or automated

55

The development of an IS Audit strategy will include:

Identification of controls to be evaluated

56

Once the audit strategy is developed, the auditor will:

Communicate the strategy to management.

57

What control classification would an auditor use to monitor an organization's internal corporate network in order to report any unauthorized access attempts?

Detective

58

The audit charter is an important document. What is included in the audit charter?

The scope of the audit function

59

Developing an audit plan requires the determination of required personnel resources and?

Arranging for access to the audit area

60

The audit plan must be designed to ensure compliance with laws and regulations, this will require the knowledge of the regulations and?

A review to ensure management were aware of regulations when developing policies and procedures

61

The audit plan will be based on:

The stated objectives of the audit

62

The purpose of audit objectives is to establish whether internal controls are minimizing risk and?

functioning properly

63

A operational audit is designed to test?

The effectiveness of the organization's internal control environment

64

What is the purpose of a specialized audit?

A specialized audit tests the services provided by an external organization

65

What is a primary consideration when performing a forensic audit?

Maintaining proper evidence handling and management techniques

66

What is the purpose of audit planning?

Audit planning provides a clear overview of the audit before the audit commences

67

What is the most critical step in audit planning?

Focus on high risk areas

68

How do laws and regulations affect an audit plan?

The audit plan must be designed to test for compliance with laws and regulations

69

What is the responsibility of the auditor in relation to fraud

The auditor must always be watchful for fraud while performing an audit

70

Who should be able to see an audit methodology document?

The audit methodology document is used to communicate with all audit team members

71

When an auditor finds a minor violation of policy or procedures, what should their course of action be?

Include the violation in the audit report

72

When an auditor finds a problem that is outside the scope of the audit plan, what should be done?

Consult with audit management about adjusting the scope of the problem

73

An auditor has found a problem and notified management. The problem was immediately fixed. Should the problem be included in the audit report?

Yes, all material findings should be in the report, but noted as fixed.

74

True or False? An audit that finds no serious issues may not require the preparation of an audit report

FALSE

75

All data gathered during an audit is considered?

audit evidence

76

Common methods of gathering information during an audit include:

Interviewing

77

When using observation as an audit data gathering method, what is an important concern?

Do not disrupt business operations

78

What is a characteristic of a divisional organization structure?

Teams operate as separate units within the parent organization

79

What is the advantage of using CAATS to support an audit

CAATS provide an effective way to collect and analyze data from different electronic systems

80

When data is gathered to determine whether users are following policies, this is an example of?

Compliance audit

81

An audit that validates individual transactions to test the effectiveness of a procedure is a?

Substantive audit

82

What type of audit evidence is considered more reliable?

Obtained from independent parties

83

An auditor checks 100 transactions to see if they were handled correctly. What type of audit is this

Compliance audit

84

An audit that checks that all transactions over $5000 require approval by a supervisor is what type of audit?

Substantive audit

85

An auditor needs to select a certain number of transactions for examination. What method may be used for this?

Statistical sampling

86

What is the definition of sampling?

Selecting a subset of a larger group of items that will represent the entire group

87

Which type of sampling depends on auditor judgement?

Non-statistical sampling

88

When, during the SDLC, is a test plan developed?

During the design phase

89

What is the purpose of testing?

To uncover any bugs or flaws in the system

90

Change management and problem management are parts of a:

Configuration management process

91

What form of systems migration will have the least impact on business operations

Parallel

92

What task must be done to enable a data migration from an old system to a new one?

Ensure that the data is converted to a format acceptable for the new system