CISA
Domain 1
100
When performance issues are discovered during an assessment of the organization's network, the MOST efficient way for the IS auditor to proceed is to examine the: A. antivirus controls that have been put in place. B. protocols used on the network. C. network topology. D. configuration of network devices.
C. -> By reviewing the network topology, the IS auditor can quickly gain a high-level perspective of potential points of failure or bottlenecks. The IS auditor will be directed to specific areas of the network which may require more detailed analysis. The other choices require more time to assess and are secondary to understanding the overall architecture of the network.
100
An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of: A. variable sampling. B. substantive sampling. C. compliance testing. D. stop-or-go sampling.
C. -> Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values such as dollar values. Substantive testing substantiates the integrity of actual processing such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
100
The decisions and actions of an IS auditor are MOST likely to affect which of the following risks? A. Inherent B. Detection C. Control D. Business
B. -> Detection risks are directly affected by the IS auditor's selection of audit procedures and techniques. Inherent risks are not usually affected by an IS auditor. Control risks can be mitigated by the actions of the company's management. Business risks are not usually affected by an IS auditor.
100
Which of the following would normally be the MOST reliable evidence for an IS auditor? A. A confirmation letter received from a third party verifying an account balance. B. Assurance from line management that an application is working as designed. C. Trend data obtained from World Wide Web (Internet) sources. D. Ratio analysis developed by the IS auditor from reports supplied by line management.
A. -> Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable.
100
When using an integrated test facility (ITF), an IS auditor should ensure that: A. production data are used for testing. B. test data are isolated from production data. C. a test data generator is used. D. master files are updated with the test data.
B. -> An ITF creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. While this ensures that periodic testing does not require a separate test process, there is a need to isolate test data from production data. An IS auditor is not required to use production data or a test data generator. Production master files should not be updated with test data.
200
What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit? A. It detects risk sooner. B. It replaces the audit function. C. It reduces audit workload. D. It reduces audit resources.
A. It detects risk sooner. Explanation - page 53 (A1-109)
200
In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on? A. A size check B. A hash total C. A validity check D. A field check
C. A validity check Explanation - page 45 (A1-93)
200
The PRIMARY purpose of the IS audit charter is to: A. establish the organizational structure of the audit department. B. illustrate the reporting responsibilities of the IS audit function. C. detail the audit processes and procedures performed by the IS audit department. D. outline the responsibility and authority of the IS audit function.
D. outline the responsibility and authority of the IS audit function. Explanation - page 61 (A1-124)
200
Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit? A. Contingency planning B. IS management resource allocation C. Project management D. Knowledge of internal controls
C. Project management Explanation - page 53 (A1-108)
200
Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? A. Transaction logs B. Before and after image reporting C. Table lookups D. Tracing and tagging
C. Table lookups Explanation - page 70 (A1-143)
300
Which of the following does a lack of adequate controls represent? A. An impact B. A vulnerability C. An asset D. A threat
B. A vulnerability Explanation - page 56 (A1-115)
300
During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next? A. Recommend designing the change management process. B. Gain more assurance on the findings through root cause analysis. C. Recommend that program migration be stopped until the change process is documented. D. Document the finding and present it to management.
B. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.
300
During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do? A. Recommend compensating controls. B. Review the code created by the developer. C. Analyze the quality assurance dashboards. D. Report the identified condition.
D. Report the identified condition. Explanation - page 57 (A1-117)
300
An IS auditor performing an audit of the risk assessment process should FIRST confirm that: A. reasonable threats to the information assets are identified. B. technical and organizational vulnerabilities have been analyzed. C. assets have been identified and ranked. D. the effects of potential security breaches have been evaluated.
C. assets have been identified and ranked. Explanation - page 66 (A1-135)
300
Which of the following represents an example of a preventive control with respect to IT personnel? A. Review of visitor logs for the data center B. A log server that tracks logon IP addresses of users C. Implementation of a badge entry system for the IT facility D. An accounting system check that tracks employee telephone calls
C. Implementation of a badge entry system for the IT facility Explanation - page 67 (A1-136)
400
Data flow diagrams are used by IS auditors to: A. order data hierarchically. B. highlight high-level data definitions. C. graphically summarize data paths and storage. D. portray step-by-step details of data generation.
C. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.
400
An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions? A. Attribute B. Variable C. Stop-or-go D. Judgement
A. Attribute Explanation - page 51 (A1-105)
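Attribute sampling, as used in the purchase-order question above and in the earlier test of whether the 10 most recent accounts were authorized, treats each sampled item as a yes/no (control applied or not) and lets the auditor bound the population's deviation rate at a stated confidence level. The following is an added example, not part of the original quiz or of any ISACA material: it computes the exact binomial (one-sided) upper deviation limit for an observed sample, and the minimum sample size needed for a chosen expected and tolerable deviation rate. The purchase-order sample it evaluates is constructed for the example.

```python
import math


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): probability of seeing at most k
    deviations in a sample of n when the true population deviation rate is p."""
    return sum(math.comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n: int, deviations: int, confidence: float = 0.95) -> float:
    """One-sided upper bound on the population deviation rate: the smallest rate p
    at which observing `deviations` or fewer in n items has probability <= 1 - confidence.
    Found by bisection on the exact binomial CDF (no normal approximation)."""
    risk = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > 1e-7:
        mid = (lo + hi) / 2.0
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid  # rate still plausible at this risk level; push higher
        else:
            hi = mid  # rate already implausible; bound is at or below mid
    return hi


def min_sample_size(expected_rate: float, tolerable_rate: float,
                    confidence: float = 0.95, max_n: int = 5000) -> int:
    """Smallest sample size for which, if the sample shows the expected number of
    deviations, the upper limit stays within the tolerable rate. Reproduces the
    familiar attribute-sampling size tables (e.g. 59 for 0% expected / 5% tolerable)."""
    for n in range(1, max_n + 1):
        expected_deviations = math.ceil(expected_rate * n)
        if upper_deviation_limit(n, expected_deviations, confidence) <= tolerable_rate:
            return n
    raise ValueError("no sample size up to max_n satisfies the parameters")


def evaluate_sample(approved_flags: list, tolerable_rate: float,
                    confidence: float = 0.95) -> dict:
    """Evaluate an attribute sample. Each flag is True if the purchase order carried
    a valid approval, False if it did not (a deviation)."""
    n = len(approved_flags)
    deviations = sum(1 for ok in approved_flags if not ok)
    upper = upper_deviation_limit(n, deviations, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "sample_rate": deviations / n,
        "upper_limit": upper,
        # The control is relied upon only if the upper limit is within tolerance.
        "control_effective": upper <= tolerable_rate,
    }


# Constructed sample (hypothetical data): 60 purchase orders pulled from the
# population, of which one lacked the required approval.
CONSTRUCTED_PO_SAMPLE = [True] * 59 + [False]


def run_example() -> dict:
    """Plan a sample (1% expected, 5% tolerable, 95% confidence) and evaluate the
    constructed sample against a 5% tolerable deviation rate."""
    planned_n = min_sample_size(expected_rate=0.01, tolerable_rate=0.05)
    result = evaluate_sample(CONSTRUCTED_PO_SAMPLE, tolerable_rate=0.05)
    result["planned_sample_size"] = planned_n
    return result


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With one unapproved order in a sample of 60, the point estimate is 1.7% but the 95% upper limit is about 7.7%, above a 5% tolerable rate, so the auditor cannot conclude the approval control is operating effectively and would extend testing or report the weakness; that is the distinction between the observed rate and the rate the sample actually supports.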
400
During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should: A. ask the auditee to sign a release form accepting full legal responsibility. B. elaborate on the significance of the finding and the risks of not correcting it. C. report the disagreement to the audit committee for resolution. D. accept the auditee's position because they are the process owners.
B. elaborate on the significance of the finding and the risks of not correcting it. Explanation - page 23 (A1-48)
400
Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds? A. Generalized audit software (GAS) B. Integrated test facility C. Regression tests D. Snapshots
A. Generalized audit software (GAS) Explanation - page 69 (A1-140)
400
When auditing a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that it does not cover all of the systems. Which of the following is the MOST appropriate action for the IS auditor? A. Alert management and evaluate the impact of not covering all systems. B. Cancel the audit. C. Complete the audit of the systems covered by existing DRP. D. Postpone the audit until the systems are added to the DRP.
A. Alert management and evaluate the impact of not covering all systems. Explanation - page 68 (A1-139)
500
Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review
B. Compliance testing Explanation - page 36 (A1-75)
500
The PRIMARY purpose of an IT forensic audit is: A. to participate in investigations related to corporate fraud. B. the systematic collection and analysis of evidence after a system irregularity. C. to assess the correctness of an organization's financial statements. D. to preserve evidence of criminal activity.
B. the systematic collection and analysis of evidence after a system irregularity. Explanation - page 38 (A1-79)
500
Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan? A. Prioritize the identified risk. B. Define the audit universe. C. Identify the critical controls. D. Determine the testing approach.
B. Define the audit universe. Explanation - page 47 (A1-96)
500
An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt? A. Process narrative B. Inquiry C. Reperformance D. Walk-through
D. Walk-through Explanation - page 49 (A1-101)
500
An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: A. most valuable information assets. B. IS audit resources to be deployed. C. auditee personnel to be interviewed. D. control objectives and activities.
D. control objectives and activities. Explanation - page 48 (A1-98)