Exam

Hemang Doshi CISA Study Guide Key Aspects Questions & Answers 100% Correct!!

Pages: 20
Grade: A+
Uploaded on: 19-11-2024
Written in: 2024/2025

Who should approve the audit charter of an organization? - ANSWER: Senior
Management

What should the content of an audit charter be? - ANSWER: The scope, authority,
and responsibilities of the audit function

What is the prime reason for review of an organization chart? - ANSWER: To
understand the authority and responsibility of individuals

The actions of an IS auditor are primarily influenced by - ANSWER: Audit Charter

Which document provides the overall authority for an auditor to perform an audit? -
ANSWER: Audit charter

What is the objective of encryption? - ANSWER: To ensure the integrity and
confidentiality of transactions.

How are inbound transactions controlled in an EDI environment? - ANSWER: Inbound
transactions are controlled via logs of the receipt of inbound transactions, the use of
segment count totals, and the use of check digits to detect transposition and
transcription errors.

What is the objective of key verification control? - ANSWER: Key verification is a
method where data is entered a second time and compared with the initial data entry
to ensure that the data entered is correct. This is generally used in EFT transactions,
where another employee re-enters the same data to perform this check before any
money is transferred.

What is the primary reason for the audit function directly reporting to the audit
committee? - ANSWER: The audit function must be independent of the business
function and should have direct access to the audit committee of the board

What is the major risk of EDI transactions? - ANSWER: The absence of agreement (in
the absence of a trading partner agreement, there could be uncertainty related to
specific legal liability)

What is the objective of non-repudiation? - ANSWER: Non-repudiation ensures that a
transaction is enforceable and that the claimed sender cannot later deny generating
and sending the message.

What is the most important component of the artificial intelligence/expert system
area? - ANSWER: Knowledge base (The knowledge base contains specific
information or fact patterns associated with a particular subject matter and the rules
for interpreting these facts; therefore, strict access control should be implemented
and monitored to ensure the integrity of the decision rules)

Segregation of duties is an example of which type of control? - ANSWER: Preventive
control

Controls that enable a risk or deficiency to be corrected before a loss occurs are
known as what? - ANSWER: Corrective control

Controls that directly mitigate a risk or lack of controls directly acting upon a risk are
known as what? - ANSWER: Compensating control

The most important step in a risk assessment is to identify - ANSWER: Threats and
vulnerabilities

In risk-based audit planning, an IS auditor's first step is to identify what? -
ANSWER: High risk areas

Once threats and vulnerabilities are identified, what should be the next step? -
ANSWER: Identify and evaluate existing controls

What is the advantage of risk-based audit planning? - ANSWER: Resources can be
utilized for high risk areas

What does the level of protection of information assets depend on? -
ANSWER: Criticality of assets

What is risk that is influenced by the actions of an auditor known as? -
ANSWER: Detection risk

What is audit risk? - ANSWER: Audit risk is the sum total of inherent risk, control risk,
and detection risk

What is risk the product of? - ANSWER: Probability and impact

What are the results of risk management processes used for? - ANSWER: Designing
the control

Whose responsibility is the management of risk to an acceptable level? -
ANSWER: Senior management

What is the absence of proper security measures known as? - ANSWER: Vulnerability

What is the advantage of the bottom-up approach for the development of
organizational policies? - ANSWER: It ensures consistency across the organization.

What is risk before controls are applied known as? - ANSWER: Inherent risk/gross
risk (after the implementation of controls, it is known as residual risk/net risk).

What does the information systems audit provide? - ANSWER: Reasonable
assurance about coverage of material items.

What is the first step of an audit project? - ANSWER: To develop an audit plan.

What is the primary reason for a functional walkthrough? - ANSWER: To understand
the business process.

What is the major concern in the absence of established audit objectives? -
ANSWER: Not able to determine key business risks.

What is the primary objective for performing risk assessment prior to the audit? -
ANSWER: Allocate audit resources to areas of high risks.

What is the step of the audit planning phase? - ANSWER: Conducting risk
assessments to determine the area of high risk.

Which sampling technique should be used when the probability of error must be
objectively quantified? - ANSWER: Statistical sampling.

How can sampling risk be mitigated? - ANSWER: Statistical sampling.

Which sampling method is most useful when testing for compliance? -
ANSWER: Attribute sampling.

In the case of a strong internal control, could the confidence coefficient/sample size
be increased or lowered? - ANSWER: The confidence coefficient/sampling size may
be lowered.

Which sampling method would best assist auditors when there are concerns of fraud?
- ANSWER: Discovery sampling.

How can you differentiate between compliance testing and substantive testing? -
ANSWER: The objective of compliance testing is to test the presence of controls,
whereas the objective of substantive testing is to test individual transactions. Let's
take the example of asset inventory:

Verifying whether a control exists for the inward/outward movement of assets is
compliance testing.

Verifying the count of physical assets and comparing it with records is substantive
testing.

Give an example of compliance testing. - ANSWER: To verify the configuration of a
router for controls.

To verify the change management process to ensure controls are effective.

Review of system access rights.