CISA Certified Information Systems Auditor – Question2568

The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:

A. comply with regulatory requirements.
B. provide a basis for drawing reasonable conclusions.
C. ensure complete audit coverage.
D. perform the audit according to the defined scope.

Correct Answer: B

Explanation:
The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them.
Complying with regulatory requirements, ensuring coverage and executing the audit are all relevant to an audit, but they are not the reason why sufficient and relevant evidence is required.

CISA Certified Information Systems Auditor – Question2567

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:

A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to the work papers.
D. confidentiality of the work papers.

Correct Answer: D

Explanation:
Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.

CISA Certified Information Systems Auditor – Question2566

Though management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should:

A. include the statement of management in the audit report.
B. identify whether such software is, indeed, being used by the organization.
C. reconfirm with management the usage of the software.
D. discuss the issue with senior management since reporting this could have a negative impact on the organization.

Correct Answer: B

Explanation:
When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not licensed, the auditor, to maintain objectivity and independence, must include this in the report.

CISA Certified Information Systems Auditor – Question2565

Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?

A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures

Correct Answer: C

Explanation:
An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about unexercised portions of a program. Code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. A code review can be used as a means of code comparison but it is inefficient. The review of code migration procedures would not detect program changes.

CISA Certified Information Systems Auditor – Question2564

The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:

A. confirm that the auditors did not overlook any important issues.
B. gain agreement on the findings.
C. receive feedback on the adequacy of the audit procedures.
D. test the structure of the final presentation.

Correct Answer: B

Explanation:
The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings. The other choices, though related to the formal closure of an audit, are of secondary importance.

CISA Certified Information Systems Auditor – Question2563

In the process of evaluating program change controls, an IS auditor would use source code comparison software to:

A. examine source program changes without information from IS personnel.
B. detect a source program change made between acquiring a copy of the source and the comparison run.
C. confirm that the control copy is the current version of the production program.
D. ensure that all changes made in the current source copy are detected.

Correct Answer: A

Explanation:
An IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify changes. Choice B is incorrect, because the changes made since the acquisition of the copy are not included in the copy of the software. Choice C is incorrect, as an IS auditor will have to gain this assurance separately.
Choice D is incorrect, because any changes made between the time the control copy was acquired and the source code comparison is made will not be detected.

CISA Certified Information Systems Auditor – Question2562

The PRIMARY reason an IS auditor performs a functional walkthrough during the preliminary phase of an audit assignment is to:

A. understand the business process.
B. comply with auditing standards.
C. identify control weakness.
D. plan substantive testing.

Correct Answer: A

Explanation:
Understanding the business process is the first step an IS auditor needs to perform. Standards do not require an IS auditor to perform a process walkthrough. Identifying control weaknesses is not the primary reason for the walkthrough and typically occurs at a later stage in the audit, while planning for substantive testing is performed at a later stage in the audit.

CISA Certified Information Systems Auditor – Question2561

An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:

A. professional independence.
B. organizational independence.
C. technical competence.
D. professional competence.

Correct Answer: A

Explanation:
When an IS auditor recommends a specific vendor, they compromise professional independence. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical and professional competence is not relevant to the requirement of independence.

CISA Certified Information Systems Auditor – Question2560

An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:

A. conclude that the controls are inadequate.
B. expand the scope to include substantive testing.
C. place greater reliance on previous audits.
D. suspend the audit.

Correct Answer: B

Explanation:
If the answers provided to an IS auditor’s questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests. There is no evidence that whatever controls might exist are either inadequate or adequate. Placing greater reliance on previous audits or suspending the audit are inappropriate actions as they provide no current knowledge of the adequacy of the existing controls.

CISA Certified Information Systems Auditor – Question2559

When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with:

A. analysis.
B. evaluation.
C. preservation.
D. disclosure.

Correct Answer: C

Explanation:
Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when conducting an investigation. Failure to properly preserve the evidence could jeopardize the acceptance of the evidence in legal proceedings. Analysis, evaluation and disclosure are important but not of primary concern in a forensic investigation.