CISA Reference: CISA Exam Practice Questions (1)
1. The extent to which data will be collected during an IS audit should be determined, based on the:
A. availability of critical and required information.
B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant evidence.
D. purpose and scope of the audit being done.
The correct answer is:
D. purpose and scope of the audit being done.
Explanation:
The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence.
2. An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.
The correct answer is:
A. implemented a specific control during the development of the application system.
Explanation:
Independence may be impaired if the IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair the IS auditor's independence. Choice D is incorrect because the IS auditor's independence is not impaired by providing advice on known best practices.
3. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware:
A. of the point at which controls are exercised as data flows through the system.
B. that only preventive and detective controls are relevant.
C. that corrective controls can only be regarded as compensating.
D. that classification allows an IS auditor to determine which controls are missing.
The correct answer is:
A. of the point at which controls are exercised as data flows through the system.
Explanation:
An IS auditor should focus on when controls are exercised as data flows through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect since corrective controls remove or reduce the effects of errors or irregularities and are exclusively regarded as compensating controls. Choice D is incorrect and irrelevant since the existence and function of controls is important, not the classification.
4. The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large number of transactions.
D. does not depend on the complexity of an organization's computer systems.
The correct answer is:
C. can improve system security when used in time-sharing environments that process a large number of transactions.
Explanation:
The use of continuous auditing techniques can actually improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques does depend on the complexity of an organization's computer systems.
5. An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written the password, allocated by the system administrator, inside his/her desk drawer. The IS auditor should conclude that the:
A. manager's assistant perpetrated the fraud.
B. perpetrator cannot be established beyond doubt.
C. fraud must have been perpetrated by the manager.
D. system administrator perpetrated the fraud.
The correct answer is:
B. perpetrator cannot be established beyond doubt.
Explanation:
The password control weakness means that any of the other three options could be true. Password security would normally identify the perpetrator; in this case, it does not establish guilt beyond doubt.
6. The corporate office of a company having branches worldwide developed a control self-assessment (CSA) program for all its offices. Which of the following is the MOST important requirement for a successful CSA?
A. Skills of the workshop facilitator
B. Simplicity of the questionnaire
C. Support from the audit department
D. Involvement of line managers
The correct answer is:
D. Involvement of line managers
Explanation:
Key to the success of a control self-assessment program is the support and involvement of the management and staff responsible for the process being assessed. All other options are essential for CSA to be successful; however, in the absence of active involvement from those responsible, the other choices will not result in a successful CSA.
7. Detection risk refers to:
A. concluding that material errors do not exist, when in fact they do.
B. controls that fail to detect an error.
C. controls that detect high-risk errors.
D. detecting an error but failing to report it.
The correct answer is:
A. concluding that material errors do not exist, when in fact they do.
Explanation:
Detection risk refers to the risk that an IS auditor may use an inadequate test procedure and conclude that no material error exists when in fact errors do exist.
8. Which audit technique provides the BEST evidence of the segregation of duties in an IS department?
A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights
The correct answer is:
C. Observation and interviews
Explanation:
By observing the IS staff performing their tasks, the IS auditor can identify whether they are performing any noncompatible operations, and by interviewing the IS staff the auditor can get an overview of the tasks performed. Based on the observations and interviews, the auditor can evaluate the segregation of duties. Management may not be aware of the detailed functions of each employee in the IS department; therefore, discussion with management would provide only limited information regarding segregation of duties. An organization chart would not provide details of the functions of the employees, and testing of user rights would provide information about the rights they have within the IS systems but would not provide complete information about the functions they perform.
9. During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:
A. test data to validate data input.
B. test data to determine system sort capabilities.
C. generalized audit software to search for address field duplications.
D. generalized audit software to search for account field duplications.
The correct answer is:
C. generalized audit software to search for address field duplications.
Explanation:
Since the name is not the same (due to name variations), one method to detect duplications would be to compare other common fields, such as addresses. Subsequent review to determine common customer names at these addresses could then be conducted. Searching for duplicate account numbers would not likely find duplications since customers would most likely have different account numbers for each variation. Test data would not be useful to detect the extent of any data characteristic, but simply to determine how the data were processed.
10. During an implementation review of a multiuser distributed application, the IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used, and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
A. record the observations separately with the impact of each of them marked against each respective finding.
B. advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones.
C. record the observations and the risk arising from the collective weaknesses.
D. apprise the departmental heads concerned with each observation and properly document it in the report.
The correct answer is:
C. record the observations and the risk arising from the collective weaknesses.
Explanation:
The weaknesses individually are minor; however, together they have the potential to substantially weaken the overall control structure. Choices A and D reflect a failure on the part of the IS auditor to recognize the combined effect of the control weaknesses. Advising the local manager without reporting the facts and observations would conceal the findings from other stakeholders.
11. Which of the following would be the BEST population to take a sample from when testing program changes?
A. Test library listings
B. Source program listings
C. Program change requests
D. Production library listings
The correct answer is:
D. Production library listings
Explanation:
The best source from which to draw any sample or test of system information is the automated system. The production libraries represent executables that are approved and authorized to process organizational data. Source program listings would be time-intensive. Program change requests are the documents used to initiate change; there is no guarantee that a request has been completed for all changes. Test library listings do not represent the approved and authorized executables.
12. Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
The correct answer is:
B. A compliance test of program library controls
Explanation:
A compliance test determines if controls are operating as designed and are being applied in a manner that complies with management policies and procedures. For example, if the IS auditor is concerned whether program library controls are working properly, the IS auditor might select a sample of programs to determine if the source and object versions are the same. In other words, the broad objective of any compliance test is to provide auditors with reasonable assurance that a particular control on which the auditor plans to rely is operating as the auditor perceived it in the preliminary evaluation.
13. An integrated test facility is considered a useful audit tool because it:
A. is a cost-efficient approach to auditing application controls.
B. enables the financial and IS auditors to integrate their audit tests.
C. compares processing output with independently calculated data.
D. provides the IS auditor with a tool to analyze a large range of information.
The correct answer is:
C. compares processing output with independently calculated data.
Explanation:
An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. This involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy.