What is the PRIMARY requirement that a data mining and auditing software tool should meet

The internal audit department wrote some scripts that are used for continuous auditing of some information systems. The IT department asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Does sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?

A. Sharing the scripts is not permitted because it gives IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all programs and software that run on IS systems regardless of audit independence.
C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.

C. Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the scripts.

Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?

A. Complexity of the organization's operation
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. Auditor's familiarity with the organization

C. Purpose, objective and scope of the audit

An IS auditor is developing an audit plan for an environment that includes new systems. The organization's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

A. Audit the new systems as requested by management
B. Audit systems not included in last years's scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year's scope and the new systems.

C. Determine the highest-risk systems and plan accordingly.

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?

A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive
C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.

A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.

Which of the following is the key benefit of a control self-assessment?

A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved because internal business staff are engaged in testing controls.
D. Internal auditors can shift to a consultative approach by using the results of the assessment.

A. Management ownership of the internal controls supporting business objectives is reinforced.

What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:

A. interface with various types of enterprise resource planning software and databases
B. accurately capture data from the organization's system without causing excessive performance problems.
C. introduce audit hooks into the organization's financial systems to support continuous auditing.
D. be customizable and support inclusion of custom programming to aid in investigative analysis.

B. accurately capture data from the organization's system without causing excessive performance problems.

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and:

A. length of service, because this will help ensure technical competence
B. age, because training in audit techniques may be impractical.
C. IT knowledge, because this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IT relationships.

D. ability, as an IS auditor, to be independent of existing IT relationships.

Which of the following is the MOST critical step when planning an IS audit?

A. Review findings from prior audits
B. Executive management's approval of the audit plan
C. Review information security policies and procedures
D. Perform a risk assessment

D. Perform a risk assessment

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture. What is the INITIAL step?

A. Understanding services and their allocation to business processes by reviewing the service repository documentation
B. Sampling the use of service security standards as represented by the Security Assertions Markup Language
C. Reviewing the service level agreements established for all system providers
D. Auditing the core service and its dependencies on other systems.

A. Understanding services and their allocation to business processes by reviewing the service repository documentation

An IS auditor conducting s review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?

A. Delete all copies of the unauthorized software.
B. Recommend an automated process to monitor for compliance with software licensing.
C. Report the use of the unauthorized software and the need to prevent recurrence.
D. Warn the end users about the risk of using illegal software.

C. Report the use of the unauthorized software and the need to prevent recurrence.

An audit charter should:

A. be dynamic and change to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.

D. outline the overall authority, scope and responsibilities of the audit function.

An IS auditor finds a small number of user access requests that were not authorized by managers through normal predefined workflow steps and escalation rules, The IS auditor should:

A. perform an additional analysis.
B. report the problem to the audit committee.
C. conduct a security risk assessment.
D. recommend that the owner of the identity management system fix the workflow issues.

A. perform an additional analysis.

When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling does not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?

A. Develop an alternative testing procedure.
B. Report the finding to management.
C. Perform a walkthrough of the change management process.
D. Create additional sample data to test additional changes.

A. Develop an alternative testing procedure.

Which of the following situations could impair the independence of an IS auditor? The IS auditor:

A. implemented specific functionality during the development of an application.
B. designed an embedded audit module for auditing an application.
C. participated as a member of an application project team and did not have operational responsibilities.
D. provided consulting advise concerning application good practices.

A. implemented specific functionality during the development of an application.

The PRIMARY advantage of a continuous audit approach is that it:

A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. allows the IS auditor to review and follow up on audit issues in a timely manner.
C. places the responsibility for enforcement and monitoring of control on the security department instead of audit.
D. simplifies the extraction and correlation of data from multiple and complex systems.

B. allows the IS auditor to review and follow up on audit issues in a timely manner.

Which of the following would impair the independence of a quality assurance team?

A. Ensuring compliance with development methods
B. Checking the test assumptions
C. Correcting coding errors during the testing process.
D. Checking the code to ensure proper documentation.

C. Correcting coding errors during the testing process.

In planning an IS audit, the MOST critical step is the identification of the:

A. areas of significant risk
B. skill sets of the audit staff
C. test steps in audit
D. time allotted for the audit.

A. areas of significant risk

The extent to which data will be collected during an IS audit should be determined based on the:

A. Availability of critical and required information.
B. Auditor's familiarity with the circumstances.
C. Auditee's ability to find relevant evidence.
D. Purpose and scope of the audit being done.

D. Purpose and scope of the audit being done.

While planning an IS audit, an assessment of risk should be made to provide:

A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.

A. reasonable assurance that the audit will cover material items.