1. Which of the following is a benefit of a risk-based approach to audit planning? Audit:

A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.

The correct answer is:
D. resources are allocated to the areas of highest concern.


Explanation:
The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.

Area 1: The IS Audit Process (10%)

2. An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:

A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.

The correct answer is:
A. implemented a specific control during the development of the application system.


Explanation:
Independence may be impaired if the IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair the IS auditor’s independence. Choice D is incorrect because the IS auditor's independence is not impaired by providing advice on known best practices.

Area 1: The IS Audit Process (10%)

3. A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:

A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.

The correct answer is:
A. can identify high-risk areas that might need a detailed review later.



Explanation:
CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Answer B is incorrect, because CSA requires the involvement of auditors and line management. What occurs is that the internal audit function shifts some of the control monitoring responsibilities to the functional areas. Answer C is incorrect because CSA is not a replacement for traditional audits. CSA is not intended to replace audit’s responsibilities, but to enhance them. Answer D is incorrect, because CSA does not allow management to relinquish its responsibility for control.

Area 1: The IS Audit Process (10%)

4. IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential anomalies in user or system behavior. Which of the following tools is MOST suitable for performing that task?

A. CASE tools
B. Embedded data collection tools
C. Heuristic scanning tools
D. Trend/variance detection tools

The correct answer is:
D. Trend/variance detection tools



Explanation:
Trend/variance detection tools look for anomalies in user or system behavior, for example, determining whether the numbers for prenumbered documents are sequential or increasing. CASE tools are used to assist software development. Embedded (audit) data collection software is used for sampling and to provide production statistics. Heuristic scanning tools can be used to scan for viruses to indicate possible infected code.

Area 1: The IS Audit Process (10%)

5. A local area network (LAN) administrator normally would be restricted from:

A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.

The correct answer is:
C. having programming responsibilities.



Explanation:
A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator may also be responsible for security administration over the LAN.

Area 2: IT Governance (15%)