Information Technology Governance and Auditing vol 1

Information Technology Governance and Auditing

Which of these choices is the best answer regarding who is primarily responsible for providing internal controls to detect, correct, and prevent irregularities or illegal acts?

Select one:

a. Legal, aka general council

b. Information technology

c. Human resources

d. Board of directors

When observing the testing of recovery in a dual-site, operational recovery plan configurations, what should an IS auditor expect to see?

Select one:

a. A procedure that sheds some testing, reporting, and lesser essential functions allowing for the concentration of the surviving site on the critical business processing to be performed

b. Two identical sets of processing equipment set up for hot fail over from one site to the other with no impact on the users

c. Additional equipment being quickly turned on and added to the configuration at the surviving site to accommodate full processing with minimal disruption

d. Business continues as it normally would with no downtime or disruption

Which of the following best describes how a CISA should treat guidance from the IS audit standards?

Select one:

a. IS audit standards are to be treated as guidelines for building binding audit work when applicable.

b. IS audit standards are necessary only when regulatory or legal requirements dictate that they must be applied.

c. IS audit standards are mandatory requirements, unless justification exists for deviating from the standards.

d. A CISA should provide input to the audit process when defendable audit work is required.

In order to meet the requirements of audit, evidence sampling must be

Select one:

a. A random selection of the population in which every item has an equal chance of being selected

b. Within two standard deviations of the mean for the entire population of the data

c. Of a 95 percent or higher confidence level, based on repeated pulls of similar sample sizes

d. Sufficient, reliable, relevant, and useful, and supported by the appropriate analysis

When an audit finding is considered material, it means that

Select one:

a. It is important to the audit in terms of the audit objectives and findings related to them.

b. It has actual substance in terms of hard assets.

c. In terms of all possible risk and management risk tolerance, this finding is significant.

d. Management cares about this kind of finding so it needs to be reported regardless of the risk.

When identifying the potential for irregularities, the auditor should consider

Select one:

a. What kind of firewall is installed at the Internet

b. How much money is devoted to the payroll

c. Whether the best practices are deployed in the IS environment

d. If a vacation policy exists that requires fixed periods of vacation to be mandatory

The most important aspect of a recovery plan in the initial hours of a recovery process will be that

Select one:

a. People have been trained what to do and where to meet to gather and begin recovery without the documented plan

b. Testing results have been included to show current recoverability

c. Call lists and rosters are included for contacting the recovery teams

d. A disaster is declared by management and the EOC is activated as a control center

When planning an IS audit, which of the following factors is least likely to be relevant to the scope of the engagement?

Select one:

a. The complexity of the technology used by the business in performing the business functions

b. The type of business, management, culture, and risk tolerance

c. The concerns of management for ensuring that controls are sufficient and working properly

d. The amount of controls currently in place

What is the principal issue surrounding the use of CAAT software?

Select one:

a. The capability of the software vendor

b. Inability of automated tools to consider the human characteristics of the environment

c. Documentary evidence is more effective

d. The possible cost, complexity, and security of output 

The primary reason for reviewing audit work is to

Select one:

a. Ensure that all of the work is completed and checked by a supervisor.

b. Ensure that all of the audits are consistent in style and technique.

c. Ensure that the conclusions, testing, and results were performed with due professional care.

d. Ensure that the findings are sufficient to warrant the final report rating.

Which of the following management methods provides the most control rather than discretionary flexibility?

Select one:

a. In-house

b. Distributed

c. Centralized

d. Outsourced

Some things to consider when determining what reportable findings should be are

Select one:

a. How many findings there are and how long the report would be if all findings were included

b. The materiality of the findings in relevance to the audit objectives and management's tolerance for risk

c. Whether the test samples were sufficient to support the conclusions

d. How the recommendations will affect the process and future audit work 

 In a risk-based audit approach, an IS auditor must consider the inherent risk and

Select one:

a. Residual risk being higher than the insurance coverage purchased

b. The balance of the loss potential and the cost to implement controls

c. How to eliminate the risk through an application of controls

d. Whether the risk is material, regardless of management's tolerance for risk 

To be effective for disaster recovery, back up copies of computer information should be

Select one:

a. A series of incremental back ups labeled and stored properly in the media library

b. Moved off-site as quickly as possible

c. Labeled and cataloged, corresponding to the recovery plans and sent to the location specified in the plan

d. Stored on-site in the production environment in a fireproof and watertight containet  

Some audit managements choose to use the element of surprise to

Select one:

a. Ensure that staffing is sufficient to manage an audit and daily processing simultaneously

b. Ensure that policies and procedures coincide with the actual practices in place

c. Ensure that supervision is appropriate during surprise inspections

d. Scare the auditees and to see if there are procedures that can be used as a back up 

The declaration of a disaster that invokes a recovery plan process should be

Select one:

a. A decision of the business senior management after considering all alternatives, risks, and costs

b. Only done after a repair and restore has been tried and has failed

c. Made by the IS organizational manager as soon as the need is identified

d. Documented as a process requiring formal approval and an audit trail to provide evidence of the decision  An IS auditor determines that external consulting was used to create a recovery plan. 

Which of the following actions would be most appropriate for the IS auditor to take?

Select one:

a. Review the resultant plan and ensure that the business and IS staff were involved in inputting to the final product.

b. Review the methodology used by the firm and assess its appropriateness for the engaged organization.

c. Review the costs and contract deliverables for the consulting engagement and assess the adequacy of the contract.

d. Ensure that the decisions made by the consultant seemed reasonable for the given business and organizational structure.  

Which of the following is not a method to identify risks?

Select one:

a. Identify the vulnerabilities and effort to correct based on the industry's best practices.

b. Identify the risks, then determine the likelihood of occurrence and cost of a loss.

c. Seek managements risk tolerance and determine what threats exist that exceed that tolerance.

d. Identify the threats, their associated vulnerabilities, and the cost of losses.   

When reviewing the information recovery procedures, an IS auditor would be least concerned with finding procedures that

Select one:

a. Lay down the last complete back up and then all of the subsequent incremental back ups that are available

b. Use hard copy transaction records to return the transactions processing history to the time of disaster from the last available back up

c. Recover all available information from the available back up tapes and move forward with the available information

d. Use the best information available and reconcile the inventories to understand the transactions that may have been lost during the disaster or disruption  

When reviewing the recovery testing reports to management, an IS auditor will be most concerned if the following is not part of the report:

Select one:

a. A comprehensive list of all of the problems and the resultant assigned action items

b. A list of planned goals or milestones with an analysis of the ones that were achieved and those that were not successfully tested

c. An assessment of the time it takes to recover compared to the management expectations for recovery and a gap analysis of the potential impact that any shortfall may have on management's risk or loss expectations

d. A description of the process used to test the recovery, depicting the assumptions made about the recovery situation that was being tested   

Which statement best describes the difference between a detective control and a corrective control?

Select one:

a. One control is used to keep errors from resulting in loss, and the other is used to warn of danger.

b. Neither control stops errors from occurring. One control type is applied sooner than the other.

c. One is used as a reasonableness check, and the other is used to make management aware that an error has occurred.

d. One control is used to identify that an error has occurred and the other fixes the problems before a loss occurs.  

What part of the audited businesses background is least likely to be relevant when assessing risk and planning an IS audit?

Select one:

a. The management structure and culture and their relative depth and knowledge of the business processes

b. A mature technology set in place to perform the business processing functions

c. The company's reputation for customer satisfaction and the amount of booked business in the processing queue

d. The type of business and the appropriate model of transaction processing typically used in this type of business   

Which of the following is not considered an irregularity or illegal act?

Select one:

a. Omitting the effects of fraudulent transactions

b. Misuse of assets

c. Recording transactions that did not happen

d. None of the above  

 What is the correct formula for annual loss expectancy?

Select one:

a. Direct and indirect loss cost estimates times the number of times the loss may occur in a year

b. Indirect and direct potential loss cost times the number of times it might possibly occur

c. The overall value of the risk exposure times the probability for all assets divided by the number of years the asset is held

d. Total actual direct losses divided by the number of years it has been experienced   

The primary objective of performing a root cause analysis is to

Select one:

a. Ensure that you are not trying to address symptoms rather than the real problem that needs to be solved.

b. Determine the costs and benefits of the proposed recommendations.

c. Perform an analysis that justifies the recommendations.

d. Ask why three times.  

When reviewing the rationale for recovery options and decisions, which of the following best describes the correct approach for determining the appropriate direction for recovery planning?

Select one:

a. Looking at all options for the worst case disaster scenario and picking the solution that is cheapest while still meeting the needs of the business

b. Planning for a recovery scenario that will not be costly to implement a solution for while still meeting the requirement for a recovery plan

c. Determining the most likely disaster situation and picking the solution that most closely represents the existing processing configuration

d. Determining the downtime associated with each recovery option and deciding on the one that will recover the business most quickly   

The most important aspect of drawing conclusions in an audit report is to

Select one:

a. Obtain the goals of the audit objectives and to form an opinion on the sufficiency of the control environment.

b. Determine why the client is at risk at the end of each step.

c. Identify control weakness based on test work performed.

d. Prove your initial assumptions were correct.  

Which of the following application attributes are not relevant when determining the priority order for recovery?

Select one:

a. The dependency of the critical applications on the output of this particular application

b. The need for critical applications to be recovered in order to supply input to this application

c. The importance of this application to the business processing needs

d. How much downtime is acceptable to the users of this the application

you can look at the Information Technology Governance and Auditing vol 2 for the nex quis