ACTUAL TEST QUESTIONS AND SOLUTIONS
COMPREHENSIVE REVIEW PACKAGE
●● An IS auditor discovers that devices connected to the network are not
included in a network diagram that had been used to develop the scope
of the audit. The chief information officer explains that the diagram is
being updated and awaiting final approval. The IS auditor should FIRST:
a. expand the scope of the IS audit to include the devices that are not on
the network diagram.
b. evaluate the impact of the undocumented devices on the audit scope.
c. note a control deficiency because the network diagram has not been
approved.
d. plan follow-up audits of the undocumented devices.
Answer: b. evaluate the impact of the undocumented devices on the
audit scope.
In a risk-based approach to an IS audit, the scope is determined by the
impact the devices will have on the audit. If the undocumented devices
do not impact the audit scope, then they may be excluded from the
current audit engagement. The information provided on a network
diagram can vary depending on what is being illustrated—for example,
the network layer, cross connections, etc.
,●● Which of the following is MOST important to ensure before
communicating the audit findings to top management during the closing
meeting?
a. Risk statement includes an explanation of a business impact.
b. Findings are clearly tracked back to evidence.
c. Recommendations address root causes of findings.
d. Remediation plans are provided by responsible parties.
Answer: b. Findings are clearly tracked back to evidence.
Without adequate evidence, the findings hold no ground; therefore, this
must be verified before communicating the findings.
●● The MAIN advantage of an IS auditor directly extracting data from a
general ledger systems is:
a. reduction of human resources needed to support the audit
b. reduction in the time to have access to the information
c. greater flexibility for the audit department
d. greater assurance of data validity
Answer: c. greater flexibility for the audit department
,If the IS auditor executes the data extraction, there is greater assurance
that the extraction criteria will not interfere with the required
completeness, and, therefore, all required data will be collected. Asking
IT to extract the data may expose the risk of filtering out exceptions that
should be seen by the auditor. Also, if the IS auditor collects the data, all
internal references correlating the various data tables/elements will be
understood, and this knowledge may reveal vital elements to the
completeness and correctness of the overall audit activity.
●● Which of the following situations could impair the independence of
an IS auditor? The IS auditor:
a. implemented specific functionality during the development of an
application.
b. designed an embedded audit module for auditing an application.
c. participated as a member of an application project team and did not
have operational responsibilities.
d. provided consulting advice concerning application good practices.
Answer: a. implemented specific functionality during the development
of an application.
Independence may be impaired if an IS auditor is, or has been, actively
involved in the development, acquisition and implementation of the
application system.
, ●● An IS auditor who was involved in designing an organization's
business continuity plan (BCP) has been assigned to audit the plan. The
IS auditor should:
a. decline the assignment.
b. inform management of the possible conflict of interest after
completing the audit assignment.
c. inform the BCP team of the possible conflict of interest prior to
beginning the assignment.
d. communicate the possibility of conflict of interest to audit
management prior to starting the assignment.
Answer: D. communicate the possibility of conflict of interest to audit
management prior to starting the assignment.
A possible conflict of interest, likely to affect the IS auditor's
independence, should be brought to the attention of management prior to
starting the assignment.
●● The vice president of human resources has requested an IS audit to
identify payroll overpayments for the previous year. Which would be the
BEST audit technique to use in this situation?
a. Generate sample test data
b. Generalized audit software
c. Integrated test facility