Title of test:
CISA 1

Description:
CISA Review Manual 2010 Questions

Author:
Baker Abdallah

Creation Date:
16/10/2010

Category:
Computers

Number of questions: 20
Content:
Which of the following BEST describes the early stages of an IS audit?
- Observing key organizational facilities
- Assessing the IS environment
- Understanding the business process and environment applicable to the review
- Reviewing prior IS audit reports.

In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
- Detection risk assessment
- Control risk assessment
- Inherent risk assessment
- Fraud risk assessment.

While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
- Business processes
- Critical IT applications
- Operational controls
- Business strategies.

Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
- Control risk
- Detection risk
- Inherent risk
- Sampling risk.

An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
- disregard these control weaknesses since a system software review is beyond the scope of this review.
- conduct a detailed system software review and report the control weaknesses.
- include in the report a statement that the audit was limited to a review of the application's controls.
- review the system software controls as relevant and recommend a detailed system software review.

The PRIMARY use of generalized audit software (GAS) is to:
- test controls embedded in programs.
- test unauthorized access to data.
- extract data of relevance to the audit.
- reduce the need for transaction vouching.

Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
- Informal peer reviews
- Facilitated workshops
- Process flow narratives
- Data flow diagrams.

The FIRST step in planning an audit is to:
- define audit deliverables.
- finalize the audit scope and audit objectives.
- gain an understanding of the business' objectives.
- develop the audit approach or audit strategy.

The approach an IS auditor should use to plan IS audit coverage should be based on:
- risk.
- materiality.
- professional skepticism.
- sufficiency of audit evidence.

A company performs a daily backup of critical data and software files, and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
- preventive control.
- management control.
- corrective control.
- detective control.

IT governance ensures that an organization aligns its IT strategy with:
- Enterprise objectives.
- IT objectives.
- Audit objectives.
- Control objectives.

Which of the following would be included in an IS strategic plan?
- Specifications for planned hardware purchases
- Analysis of future business objectives
- Target dates for development projects
- Annual budgetary targets for the IS department.

Which of the following BEST describes an IT department's strategic planning process?
- The IT department will have either short-range or long-range plans depending on the organization's broader plans and objectives.
- The IT department's strategic plan must be time- and project-oriented, but not so detailed as to address and help determine priorities to meet business needs.
- Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
- Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.

The MOST important responsibility of a data security officer in an organization is:
- Recommending and monitoring data security policies.
- Promoting security awareness within the organization.
- Establishing procedures for IT security policies.
- Administering physical and logical access controls.

Which of the following is MOST likely to be performed by the security administrator?
- Approving the security policy
- Testing application software
- Ensuring data integrity
- Maintaining access rules.

An IS auditor should ensure that IT governance performance measures:
- Evaluate the activities of IT oversight committees.
- Provide strategic IT drivers.
- Adhere to regulatory reporting standards and definitions.
- Evaluate the IT department.

Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?
- Security administration and change management
- Computer operations and system development
- System development and change management
- System development and systems maintenance.

Which of the following is the MOST critical control over database administration?
- Approval of DBA activities
- Segregation of duties
- Review of access logs and activities
- Review of the use of database tools.

When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
- Origination
- Authorization
- Recording
- Correction.

In a small organization where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend?
- Automated logging of changes to development libraries
- Additional staff to provide segregation of duties
- Procedures that verify that only approved program changes are implemented
- Access controls to prevent the operator from making program modifications.