24 Cards in this Set
Audit Charter
Overarching document that covers the entire scope of audit activities in an entity
The Audit Charter Standard (S1) requires what be documented?
Requires the Responsibility, Authority and Accountability of the IS audit function to be documented in the audit charter or engagement letter
Difference between audit charter and engagement letter?
1.2.1

The Audit Charter is overarching, while the engagement letter is more focused on a particular audit exercise and is initiated with a specific scope in mind
Short term audit planning focus?
1.2.2

Takes into account audit issues that will be covered during the year
Long term audit planning focus?
1.2.2

Takes into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment.
What is preferably drawn up to ensure that resource training needs are aligned to the direction that the audit organization is taking?
1.2.2

Annual Detailed Staff Training Plan
Two major concerns related to the effect of laws and regulations on IS Audit Planning?
1.2.4

Legal requirements placed on the audit, and legal requirements placed on the auditee and its systems, data management and reporting, which affect audit scope and objectives.
Steps an IS Auditor would perform to determine an organization's level of compliance with external requirements?
1.2.4

1. Identify external requirements
2. Document applicable laws
3. Assess whether management and the IS function have considered external requirements.
4. Review internal docs that address adherence to laws
5. Determine adherence to procedures that address requirements
What is the most important FUNCTION of ISACA?
1.3.2

Providing information (common body of knowledge) to support knowledge requirements
What are the objectives of the ISACA IT audit and assurance standards?
1.3.2

To inform:
1. IS auditors of the minimum level of performance needed to meet the requirements of the Code of Professional Ethics
2. Management and others of the profession's expectations
3. Certification holders of the consequences of failure to comply with the standards
What is the Framework of ISACA's IT audit and assurance standards?
1.3.2

- STANDARDS - mandatory requirements
- GUIDELINES - guidance on how to apply standards.
- PROCEDURES - provide examples of processes to meet the standards
What are the ISACA IT auditing standards?
1.3.2

CIE CPPR FIG RM EE CE

1 Charter; 2 Independence; 3 Ethics

4 Competence; 5 Planning; 6 Performance; 7 Reporting

8 Followup; 9 Irregular/Illegal; 10 Governance

11 Risk Assessment; 12 Materiality

13 Experts; 14 Evidence

15 Controls; 16 e-commerce
According to the Information Technology Assurance Framework (ITAF) General Standards, IT audit subject matter should be evaluated against suitable and appropriate criteria. What are the characteristics of suitable criteria?
1.3.6

1. Objectivity - free from bias
2. Measurability - permit consistent measurement when applied by different professionals
3. Understandability - not subject to significantly different interpretations.
4. Completeness- sufficient
5. Relevance - contribute to findings and conclusions that meet objectives
In analyzing the business risks arising from the use of IT, it is important for the IS auditor to have a clear understanding of:
1.4

1. The purpose and nature of the business, the environment in which the business operates and related business risks.

2. The dependence on technology and related dependencies that process and deliver business information

3. The business risks of using IT and how they impact business goals/objectives

4. Overview of the business processes and the impact of IT and related risks on business process objectives
What is ISACA's Risk IT and what does it enable users to do?
1.4

A framework dedicated to helping enterprises manage IT-related risks.

Does this by enabling users to:
1. Integrate the management of IT risk into the overall enterprise risk management of the organization

2. Make well-informed decisions about the extent of risk, the risk appetite and the risk tolerance of the enterprise.

3. Understand how to respond to risk
What is the Risk Assessment Process?
1.4

BO/RA/RM/RT

1. Identify Business Objectives (BO)

2. Identify Information Assets Supporting the BOs

3. Perform Risk Assessment (RA): Threat>Vulnerability>Probability>Impact

4. Perform Risk Mitigation (RM)
Map risks with controls in place

5. Perform Risk Treatment (RT)
Treat significant risks not mitigated by existing controls
Functions and Examples of Preventive Controls
1.4

Functions of:
-Detect problems before they arise
-Monitor both operation and inputs
-Attempt to predict potential problems before they occur and make adjustments
-Prevent an error, omission or malicious act from occurring

Examples
-Employ qualified people
-Segregate duties
-Control access to facilities
-Use well-designed documents (to prevent errors)
-Establish suitable procedures for authorization of transactions
-Complete programmed edit checks
-Use access control software that allows only authorized personnel to access sensitive files
-Use encryption software to prevent unauthorized disclosure
Functions and Examples of Detective Controls
1.4

Functions of:
-Use controls that detect and report the occurrence of an error, omission or malicious act

Examples:
-Hash totals
-Checkpoints in production jobs
-Echo controls in telecommunications
-Error messages over tape labels
-Duplicate checking of calculations
-Periodic performance reporting with variances
-Past-due account reports
-Internal audit functions
-Review of activity logs to detect unauthorized access attempts.
Functions and Examples of Corrective Controls
1.4

Functions:
-Minimize the impact of a threat
-Remedy problems discovered by detective controls
-Identify the cause of a problem
-Correct errors arising from a problem
-Modify the processing systems to minimize future occurrences of the problem

Examples:
-Contingency planning
-Backup procedures
-Rerun procedures
What is the purpose of COBIT and what are the four domains of the framework?
1.5.3

Works to support IT governance and management by providing a framework to ensure:
-IT is aligned with the business
-IT enables the business and maximizes benefits
-IT resources are used responsibly
-IT risks are managed appropriately

Domains:
1. Plan and Organize
2. Acquire and Implement
3. Deliver and support
4. Monitor and evaluate
What is Val IT?
1.5.3

Framework that applies practices to unambiguously measure, monitor and optimize the realization of business value from investment in IT.

Provides practices for 3 processes:
1. Value governance
2. Portfolio management
3. Investment management
What are the individual categories of overall audit risk?
1.6.6

Audit Risk - risk that information may contain a material error that may go undetected.

Made up of:
1. Inherent risk - susceptibility to material misstatement in the absence of related controls (cash has more inherent risk than coal)

2. Control risk - risk that a material error will not be prevented or detected by the internal controls

3. Detection risk - risk that the IS auditor uses an inadequate test procedure and concludes that material errors do not exist when they do.
What are 8 techniques for gathering evidence?
1.6.11

1. Reviewing IS org structures
2. Reviewing IS policies and procedures
3. Reviewing IS Standards
4. Reviewing IS documentation
5. Interviewing personnel
6. Observing processes and employee performance
7. Reperformance
8. Walkthroughs
What are the determinants for evaluating the reliability of audit evidence?
1.6.11

1. Independence of the provider of the evidence
2. Qualifications of the individual providing the evidence
3. Objectivity of the evidence
4. Timing of the evidence (when it exists or becomes available)