Midterm IT Audit and Control

Question 1

What is an external (financial) audit?

Answer 1

Independent attestation performed by an expert who expresses an opinion regarding financial statements.

Question 2

What is the key concept underlying external audits?

Answer 2

Independence

Question 3

What role do advisory services play in audits?

Answer 3

To improve clients’ operational effectiveness and efficiency.

Question 4

Define internal auditing.

Answer 4

An independent appraisal function to examine and evaluate activities within an organization.

Question 5

What types of audits do internal auditors perform?

Answer 5

• Financial audits
• Operational audits
• Compliance audits
• Fraud audits

Question 6

How does the independence of auditors differ between external and internal auditors?

Answer 6

External auditors represent outsiders while internal auditors represent the organization’s interests.

Question 7

What is the objective of fraud audits?

Answer 7

To investigate anomalies and gather evidence of fraud that may lead to criminal convictions.

Question 8

According to SOX, to whom must external auditors report?

Answer 8

The audit committee.

Question 9

List the three classes of auditing standards.

Answer 9

• General Qualification
• Field work
• Reporting

Question 10

What is the first step in conducting an IT audit?

Answer 10

Audit planning, which includes the analysis of audit risk.

Question 11

What is the objective of tests of controls in an audit?

Answer 11

To determine if adequate controls are in place and functioning.

Question 12

What is the purpose of Computer-Assisted-Audit Tools and Techniques (CAATTs)?

Answer 12

To extract files for audit purposes.

Question 13

What must managers certify regarding internal controls?

Answer 13

Organization’s internal controls quarterly and annually.

Question 14

What are the four broad objectives of an internal control system?

Answer 14

• Safeguard assets of the firm
• Ensure accuracy and reliability of accounting records
• Promote efficiency in the firm’s operations
• Measure compliance with management’s prescribed policies

Question 15

What are preventive controls designed to do?

Answer 15

Reduce frequency of undesirable events occurring.

Question 16

What are detective controls?

Answer 16

Devices, techniques, and procedures to identify and expose undesirable events that eluded preventive controls.

Question 17

What is the purpose of corrective controls?

Answer 17

To fix the identified problem.

Question 18

What does the COSO Internal Control Framework categorize?

Answer 18

IT & Physical controls.

Question 19

What is transaction authorization in internal controls?

Answer 19

Ensuring all processed transactions are valid.

Question 20

What is the purpose of segregation of duties?

Answer 20

To ensure no single individual has sole control over an entire process.

Question 21

What do accounting records provide in the auditing process?

Answer 21

An audit trail and information needed for day-to-day operations.

Question 22

What do application controls ensure?

Answer 22

Validity, completeness, and accuracy of financial transactions.

Question 23

What are general controls in IT auditing?

Answer 23

• IT governance
• IT infrastructure
• Security and access to operating systems
• Application acquisition and development
• Program change procedures

Question 24

Define vulnerability in the context of risk management.

Answer 24

A weakness or gap in the protection efforts.

Question 25

What is a threat?

Answer 25

Anything that has the potential to cause serious harm to a computer system.

Question 26

What does risk refer to in risk management?

Answer 26

The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability.

Question 27

List the components of risk management.

Answer 27

* Frame risk * Assess risk * Respond to risk * Monitor risk

Question 28

What is the purpose of the risk framing component?

Answer 28

To produce a risk management strategy addressing risk assessment, response, and monitoring.

Question 29

What factors must organizations identify for establishing a realistic risk frame?

Answer 29

* Risk assumptions * Risk constraints * Risk tolerance * Priorities and trade-offs

Question 30

What does risk assessment aim to identify?

Answer 30

* Threats to organizations * Vulnerabilities * Harm to organizations * Likelihood of harm occurring

Question 31

What are the steps involved in responding to risk?

Answer 31

* Developing alternative courses of action * Evaluating alternatives * Determining appropriate actions * Implementing risk responses

Question 32

What does the risk monitoring component address?

Answer 32

How organizations monitor risk over time.

Question 33

What is the goal of governance in risk management?

Answer 33

Providing strategic direction and ensuring that organizational risks are managed appropriately.

Question 34

What is the role of the Risk Executive?

Answer 34

Serves as the common risk management resource for all people in the organization.

Question 35

What is the purpose of enterprise architecture?

Answer 35

To manage information technology assets to support mission/business processes.

Question 36

What is trustworthiness in the context of risk management?

Answer 36

An attribute that provides confidence in the qualifications and reliability of an entity.

Question 37

What factors affect the degree of trust among entities?

Answer 37

* Missions and goals * Criticality of activities * Risk tolerance * Historical relationships

Question 38

What are the two factors affecting the trustworthiness of information systems?

Answer 38

* Security functionality * Security assurance

Question 39

How does organizational culture influence risk management?

Answer 39

It influences behaviors and actions of leaders and members regarding risk.

Question 40

What concepts relate to risk management?

Answer 40

* Governance * Risk Tolerance * Trust * Culture * Investment Strategy