11 Cards in this Set

  • Front
  • Back

What are the 5 Domains?

1. The Process of Auditing Information Systems



2. Governance and Management of IT



3. Information Systems Acquisition, Development, and Implementation



4. Information Systems Operations, Maintenance, and Support



5. Protection of Information Assets

Domain 1


AS1-1 When planning an IS audit, the auditor should FIRST:


A. identify the business process to be audited.


B. perform a risk assessment.


C. determine the objective of the audit.


D. identify needed audit resources.

A. The business process to be audited cannot be identified until the audit objective has been determined.



B. The risk-based approach requires the IS auditor to first understand the entity and its environment in order to identify risk. The risk assessment cannot be performed until the audit objective is determined.



C. [Correct] The IS auditor should develop an audit plan that takes into consideration the objectives of the auditee relevant to the audit area and its technology infrastructure.



D. Audit resources needed for the audit can only be determined after the scope of the audit has been set.

AS1-2 What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?


A. It detects risk sooner.


B. It replaces the audit function.


C. It reduces audit workload.


D. It reduces audit resources.

A. [Correct] CSAs require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner.



B. CSAs do not replace the audit function; an audit must still be performed to ensure that controls are present.



C. CSAs may not reduce the audit function’s workload, and workload reduction is not a major difference between the two approaches.



D. CSAs do not affect the need for audit resources. While the results of the CSA may serve as a reference point for the audit process, they do not affect the scope or depth of audit work that needs to be performed.

AS1-3 An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may affect?



A. Control risk


B. Compliance risk


C. Inherent risk


D. Residual risk

A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not be due to the number of users or business areas affected.



B. Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations, and may not be impacted by the number of users and business areas affected.



C. [CORRECT] Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without taking into account the actions that management has taken or might take.



D. Residual risk is the remaining risk after management has implemented a risk response, and is not based on the number of users or business areas affected.

The risk that a misstatement could occur but may not be detected and corrected or prevented by the entity's internal control mechanism

Control Risk



Example: control risk assessment may be higher in an entity where separation of duties is not well defined.

The risk of legal sanctions, material financial loss, or loss to reputation the organization may suffer as a result of its failure to comply with laws, its own regulations, code of conduct, and standards of best/good practice.

Compliance Risk

_______ risks exist independently of an audit and can occur because of the nature of the business.



________ risks are the risk level or exposure without taking into account the actions that management has taken or might take.



Risk that a material error could occur assuming that there are no related internal controls to prevent or detect the error.



Inherent Risk

An error that should be considered significant to any party concerned with the item in question

Material error

AS1-4 An IS auditor discovers a potential material finding. The BEST course of action is to:


A. report the potential finding to business management.


B. discuss the potential finding with the audit committee.


C. increase the scope of the audit.


D. perform additional testing.

A. The item should be confirmed through additional testing before it is reported to management.



B. The item should be confirmed through additional testing before it is discussed with the audit committee.



C. Additional testing to confirm the potential finding should be within the scope of the engagement.



D. [CORRECT] The IS auditor should perform additional testing to ensure that it is a finding. An auditor can lose credibility if it is later discovered that the finding was not justified.

AS1-5 Which of the following is in the BEST position to approve changes to the audit charter?



A. Board of directors


B. Audit committee


C. Executive management


D. Director of internal audit

A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval.



B. [CORRECT] The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee.



C. Executive management is not required to approve the audit charter. The audit committee is in the best position to approve the charter.



D. While the director of internal audit may draft the charter and make changes, the audit committee should have the final approval of the charter.

IS auditors should be aware that ultimately they are responsible to _______ and the _____________ of the board of directors. IS auditors should feel free to communicate issues or concerns to such management.

Senior Mgmt; audit committee



*An audit committee is an operating committee of the board of directors charged with oversight of financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee members.