Question Chapter II
Download sample CISA exam Chapter II: IT Governance Organization
1. An IS auditor performing a review of the IS department discovers that formal project approval procedures do not exist. In the absence of these procedures, the IS manager has been arbitrarily approving projects that can be completed in a short duration and referring other, more complicated projects to higher levels of management for approval. The IS auditor should recommend as a FIRST course of action that:
A. users participate in the review and approval process.
B. formal approval procedures be adopted and documented.
C. projects be referred to appropriate levels of management for approval.
D. the IS manager's job description be changed to include approval authority.
Answer: B
Explanation:
It is imperative that formal, written approval procedures be established to set accountability. This is true of the IS manager and higher levels of management. Choices A, C and D would be subsequent recommendations once authority has been established.
2. Responsibility and reporting lines cannot always be established when auditing automated systems since:
A. diversified control makes ownership irrelevant.
B. staff traditionally changes jobs with greater frequency.
C. ownership is difficult to establish where resources are shared.
D. duties change frequently in the rapid development of technology.
Sample CISA exam chapter II: question and answer (part I)
1. Which of the following would be a compensating control to mitigate risks resulting from an inadequate segregation of duties?
A. Sequence check
B. Check digit
C. Source documentation retention
D. Batch control reconciliations
Answer: D
Batch control reconciliations are an example of compensating controls. Other examples of compensating controls are transaction logs, reasonableness tests, independent reviews and audit trails, such as console logs, library logs and job accounting data. Sequence checks and check digits are data validation edits, and source documentation retention is an example of a data file control.
2. An IS steering committee should: