Which of the following sampling methods is most useful for compliance testing?

Terms in this set (56)

substantive test

A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy or validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test.

When using an integrated test facility (ITF), an IS auditor should ensure that:

An ITF creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. The test data must be kept separate from production data.

Which audit technique provides the BEST evidence of the segregation of duties in an IT department?

C. Based on the observations and interviews, the IT auditor can evaluate the segregation of duties. By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IT staff, the auditor can get an overview of the tasks performed.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?

B. Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently.

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?

C. A sample of a system-generated report with evidence that the reviewer followed up on the exception represents the best possible evidence of the effective operation of the control because there is documented evidence that the reviewer has reviewed and taken actions based on the exception report.

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:

A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size.

The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:

B. The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings and responses from management.

Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank?

C. Dual control requires that two people carry out an operation. The observation technique would help to ascertain whether two individuals do indeed get involved in execution of the operation and an element of oversight exists. It would also be obvious if one individual is masquerading and filling in the role of the second person.

Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience?

D. Professional standards from ISACA, The Institute of Internal Auditors (IIA) and the International Federation of Accountants (IFAC) require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.

An IS auditor notes that daily reconciliation of visitor access card inventory is not carried out as mandated. During testing, the IS auditor did not find that access cards were missing. In this context, the IS auditor should:

C. The IS auditor should report the lack of daily reconciliation as an exception because a physical inventory count gives assurance only at a point in time and the practice is not in compliance with management's mandated activity.

Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as:

A. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base document. In this case, comparison is made between accounts payable data and the vendor invoices.

Which of the following sampling methods is MOST useful when testing for compliance?

A. Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain pre-defined dollar amount for proper approvals.

The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?

C. Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.

An IS auditor is developing an audit plan for an environment that includes new systems. The company's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

C. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."

An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:

C. In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?

D. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to:

A. When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify the changes.

Which of the following choices is MOST important for an IS auditor to understand when auditing an e-commerce environment?

C. The e-commerce application enables the execution of business transactions. Therefore, it is important to understand the nature and criticality of the business process supported by the e-commerce application to identify specific controls to review.

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:

A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size.

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?

D. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.

An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture (SOA). What is the INITIAL step?

A. A service-oriented architecture (SOA) relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services.

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?

A. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management could then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.

Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds?

A. Generalized audit software (GAS) is a data analytic tool that can be used to filter large amounts of data.

Integrated Test Facility (ITF)

B. The integrated test facility tests the processing of the data and cannot be used to monitor real-time transactions.

During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by the user's supervisor would represent the BEST compensating control?

D. Computer logs will record the activities of individuals during their access to a computer system or data file and will record any abnormal activities, such as the modification or deletion of financial data.

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs?

B. Because the data are directly collected by the IS auditor, the audit findings can be reported with an emphasis on the reliability of the records that are produced and maintained in the system. The reliability of the source of information used provides reassurance on the findings generated.

Which of the following sampling methods is MOST useful when testing for compliance?

A. Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain pre-defined dollar amount for proper approvals.

An IS auditor performing a review of application controls would evaluate the:

B. An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses.

A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed?

C. Network-based IDSs detect attack attempts by monitoring network traffic. A public web server is typically placed on the protected network segment known as the demilitarized zone (DMZ). An IDS installed in the DMZ detects and reports on malicious activity originating from the Internet as well as the internal network, thus allowing the administrator to take action.

Which of the following acts as a decoy to detect active Internet attacks?

A. Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from an intruder's actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks.

An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions?

A. Attribute sampling is used to test compliance of transactions to controls—in this instance, the existence of appropriate approval.

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?

C. Attribute sampling is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.

A PRIMARY benefit derived for an organization employing control self-assessment (CSA) techniques is that it:

A. Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review at a later date.

The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?

C. Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.

During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should:

D. One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management with recommendations to document the current controls or enforce the documented procedures.

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?

A. Control self-assessments (CSAs) require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner.

Which of the following is in the BEST position to approve changes to the audit charter?

B. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee.

While planning an IS audit, an assessment of risk should be made to provide:

reasonable assurance that the audit will cover material items.

Which of the following will MOST successfully identify overlapping key controls in business application systems?

Replacing manual monitoring with an automated auditing solution

An IS auditor performing a review of application controls would evaluate the:

impact of any exposures discovered.

The PRIMARY advantage of a continuous audit approach is that it:

allows the IS auditor to review and follow up on audit issues in a timely manner.

The final decision to include a material finding in an audit report should be made by the:

IS auditor.

An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?

D. A risk assessment should be performed to determine how internal audit resources should be allocated in order to ensure that all material items will be addressed.

Which of the following is an advantage of an integrated test facility (ITF)?

Periodic testing does not require separate test processes.

The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?

B. Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.

Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds?

A. Generalized audit software (GAS) is a data analytic tool that can be used to filter large amounts of data.

integrated test facility

B. The integrated test facility tests the processing of the data and cannot be used to monitor real-time transactions.

An IS auditor evaluating logical access controls should FIRST:

D. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk.

Which of the following choices would be the BEST source of information when developing a risk-based audit plan?

Which of the following choices would be the BEST source of information when developing a risk-based audit plan?

Which of the following is an advantage of an integrated test facility (ITF)?

B. An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be isolated from production data.

Which of the following will MOST successfully identify overlapping key controls in business application systems?

Replacing manual monitoring with an automated auditing solution

Computer assisted audit technique (CAAT)

any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities

variable sampling

method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values

attribute sampling

method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.

integrated test facility

testing methodology where test data are processed in production systems. The data usually represent a set of fictitious entities such as departments, customers and products. Output reports are verified to confirm the correctness of the processing.

When developing a risk management program, what is the FIRST activity to be performed?

C. Identification of the assets to be protected is the first step in the development of a risk management program.

Which of the following sampling methods is most useful when testing for compliance?

Attribute sampling. Explanation: Attribute sampling is the primary sampling method used for compliance testing.

Which of the following sampling methods is most useful?

Probability sampling means that every member of the population has a chance of being selected. It is mainly used in quantitative research. If you want to produce results that are representative of the whole population, probability sampling techniques are the most valid choice.

What is compliance sampling?

Compliance Sampling means the activity of taking dust wipe samples after completion of mitigation or abatement activities, for the purpose of determining compliance with the Department's standard for lead dust levels or horizontal surfaces of less than 200 micrograms per square foot.

Which of the following sampling methods is most useful to auditors when performing test of control?

Auditors often utilize sampling methods when performing tests of controls. Which of the following sampling methods is most useful when testing controls? Unrestricted random sampling with replacement.