Audit Methodology

Download Standards for Information Systems Auditing

Standards for IS Auditing
S1 Audit Charter PDF 1 January 2005
S2 Independence PDF 1 January 2005
S3 Professional Ethics and Standards PDF 1 January 2005
S4 Professional Competence PDF 1 January 2005
S5 Planning PDF 1 January 2005
S6 Performance of Audit Work PDF 1 January 2005
S7 Reporting PDF 1 January 2005
S8 Follow-up Activities PDF 1 January 2005
S9 Irregularities and Illegal Acts PDF 1 September 2005
S10 IT Governance PDF 1 September 2005


Which of the following is the GREATEST challenge in using test data?

A. Ensuring the program version tested is the same as the production program
B. Creating test data that covers all possible valid and invalid conditions
C. Minimizing the impact of additional transactions on the application being tested
D. Processing the test data under an auditor's supervision

Answer: B

Explanation:


In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced by?

In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced by:
A. the availability of CAATs.
B. management's representation.
C. organizational structure and job responsibilities.
D. the existence of internal and operational controls.

Answer: D

Explanation:


Dataflow diagrams are used by IS auditors to?

A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.

Answer: C
Explanation:
Dataflow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.


The MAJOR advantage of the risk assessment approach over the baseline approach?

The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:
A. information assets are overprotected.
B. a basic level of protection is applied regardless of asset value.
C. appropriate levels of protection are applied to information assets.
D. an equal proportion of resources are devoted to protecting all information assets.

Answer: C
Explanation:


When communicating audit results, IS auditors should remember that?

When communicating audit results, IS auditors should remember that ultimately they are responsible to:
A. senior management and/or the audit committee.
B. the manager of the audited entity.
C. the IS audit director.
D. legal authorities.

Answer: A
Explanation:


The use of statistical sampling procedures helps minimize:

A. sampling risk.
B. detection risk.
C. inherent risk.
D. control risk.

Answer: B
Explanation:
Detection risk is the risk that the IS auditor uses an inadequate test procedure and concludes that material errors do not exist, when in fact they do. Using statistical sampling, an IS auditor can quantify how closely the sample should represent the population and quantify the probability of error.


Eight Types of Evidence

1. Best Evidence
Best evidence is the primary evidence used in a trial because it provides the most reliability. An example of something that would be categorized as best evidence is an original signed contract. Oral evidence is not considered best evidence because there is no firsthand reliable proof that supports its validity, and it therefore does not have as good a standing as legal documents. Oral evidence cannot be used to dispute a legal document, but it can be used to interpret the document.

2. Secondary Evidence
Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence. Oral evidence, such as a witness’s testimony, and copies of original documents are placed in the secondary evidence category.


Download Mapping of ITIL V3 With COBIT 4.1

This document contains the results of a detailed mapping of ITIL V3 with COBIT 4.1 as well as a classification of the standards discussed in this publication, per the content of the overview document COBIT Mapping: Overview of International IT Guidance, 2nd Edition.

- COBIT—Released as an IT process and control framework linking IT to business requirements, COBIT initially was used mainly by the assurance community in conjunction with business and IT process owners. With the addition of management guidelines in 2000, COBIT was used more frequently as a management framework, providing management tools, such as metrics and maturity models, to complement the control framework. With the release of COBIT 4.0 in 2005, it became a more complete IT governance framework. Incremental updates to COBIT 4.0 were made in 2007; they can be seen as a fine-tuning of the framework, not fundamental changes. The current version is COBIT 4.1.


The Control Self-Assessment Process

Although the traditional approach to auditing has proven itself, it does have some problems. Primarily, this has to do with the fact that responsibility for the audit is placed on the auditors. Managers and employees might feel that it is the auditor’s job to find and report problems. A control self-assessment (CSA) is an attempt to overcome the shortcomings of the traditional approach. According to ISACA,

CSAs can best be defined as a methodology designed to provide assurance to stakeholders, customers, and employees that internal controls have been designed to minimize risks.

CSAs are used to verify the reliability of internal controls. Unlike in traditional auditing, some of the control monitoring responsibilities are shifted to functional areas and the workers in Changes in the IS Audit Process

