CISA – Certified Information Systems Auditor Study Guide

By: Hemang Doshi

Overview of this book

Are you looking to prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor? The CISA - Certified Information Systems Auditor Study Guide is here to help you get started with CISA exam prep. This book covers all five CISA domains in detail to help you pass the exam. You'll start by getting up and running with the practical aspects of an information systems audit. The book then shows you how to govern and manage IT, before getting you up to speed with acquiring information systems. As you progress, you'll gain knowledge of information systems operations and understand how to maintain business resilience, which will help you tackle various real-world business problems. Finally, you'll be able to assist your organization in effectively protecting and controlling information systems with IT audit standards. By the end of this CISA book, you'll not only have covered the essential concepts and techniques you need to know to pass the CISA certification exam but also have the ability to apply them in the real world.
Table of Contents (19 chapters)

Section 1: Information System Auditing Process
Section 2: Governance and Management of IT
Section 3: Information Systems Acquisition, Development, and Implementation
Section 4: Information System Operations and Business Resilience
Section 5: Protection of Information Assets

Assessments

In this section, you will find the answers to the assessment questions.

Content of the audit charter

  1. Answer: A. Higher management
    Explanation: Ideally, top management should approve the audit charter. The approved audit charter is the basis on which the chief audit officer carries out audit processes. The IS department and the IT steering committee should not be involved in the preparation of the audit charter.
  2. Answer: D. Outline the overall authority, scope, and responsibilities of the audit function.
    Explanation: The overall scope, authority, and responsibility of the audit function are outlined in the audit charter. The charter should not be frequently modified. The audit charter will not cover procedural aspects such as the audit calendar and resource allocation. Business continuity arrangements should ideally be incorporated in the BCP document and should not form part of the audit charter.
  3. Answer: D. To prescribe the authority and responsibilities of the audit department
    Explanation: The main purpose of the audit charter is to define the auditor's roles and responsibilities. The audit charter should empower auditors to perform their work. Procedural aspects such as audit procedure, resource allocation, and ethical standards should not be a part of the audit charter.
  1. Answer: B. The audit charter
    Explanation: The audit charter includes the overall scope, responsibility, and authority of the audit department. Audit planning is included in the audit calendar. The risk assessment and treatment plan should contain details of identified risks and their mitigating controls. The compendium of audit observations contains a summary of critical audit observations for top management.
  2. Answer: C. To understand the authority and responsibility of individuals
    Explanation: An organization chart is used to derive details about the authority and responsibility of relevant functions in the organization. It will help to understand whether proper segregation of duties exists.
  1. Answer: A. The audit charter
    Explanation: The overall scope, authority, and responsibility of the audit department is outlined in the audit charter. Primarily, the actions of the audit team will be influenced and guided by this charter.
  2. Answer: C. Security policy decisions
    Explanation: On the basis of the outcome of the risk management process, the organization determines the security requirements. Other choices are not directly impacted by the results of the risk management process.
  3. Answer: B. The audit function's reporting structure
    Explanation: The overall scope, authority, and responsibility of the audit department is outlined in the audit charter. It should also document the reporting matrix of the audit function. Generally, the head of the audit reports to an audit committee.
  4. Answer: A. The approved audit charter
    Explanation: The overall scope, authority, and responsibility of the internal audit department is outlined in the audit charter. The audit charter should be approved by top management/members of the board. The other options are not correct.
  5. Answer: C. The internal audit function
    Explanation: The overall scope, authority, and responsibility of the internal audit department is outlined in the audit charter. The authority, scope, and responsibilities of the external audit are governed by the engagement letter.
  6. Answer: C. The approved audit charter
    Explanation: An internal audit charter is an official document that comprises the internal audit department's objectives, authority, responsibilities, and delegation of authority.
  1. Answer: B. The audit function must be independent of the business function and should have direct access to the board audit committee.
    Explanation: The audit function should be independent of influence and bias. Having direct and immediate access to the audit committee can enable auditors to raise major irregularities and concerns without any influence from business functions.
  2. Answer: D. To provide a clear mandate in terms of authority and responsibilities for performing the audit function
    Explanation: The charter's main purpose is to define the auditor's roles and responsibilities. The audit charter empowers the audit function to carry out their work. The other options are not relevant to this purpose.

Audit planning

  1. Answer: B. To identify high-risk processes in the organization
    Explanation: The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas.
  2. Answer: D. The optimal use of audit resources for high-risk processes
    Explanation: The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas. Risk-based audit planning is designed to ensure that enough audit resources are spent on the risk-prone areas.
  3. Answer: B. The evaluation of threats and vulnerabilities applicable to the data center
    Explanation: Getting information and an understanding of the processes being audited and evaluating the risks and various threats will help auditors to concentrate on high-risk areas, thereby making the audit more effective and relevant.
  4. Answer: A. To identify high-risk processes
    Explanation: The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas. Risk-based audit planning is designed to ensure that enough audit resources are spent on the risk-prone areas.

Business process applications and controls

  1. Answer: C. No contract has been entered into with the trading partner
    Explanation: Legal liability cannot be enforced in the absence of an agreement between trading partners, so there is uncertainty about who is liable when a transaction is disputed. This will be the area of most concern. A dedicated communication channel is considered a good control for EDI transactions.
  2. Answer: A. Ensuring the integrity and confidentiality of transactions
    Explanation: Encryption is a technical control through which plaintext is converted into encrypted (non-readable) text. Encryption processes are implemented to ensure the integrity and confidentiality of transactions. In practice, encryption alone provides confidentiality; integrity is assured by the message authentication code or digital signature that secure EDI implementations apply alongside it.
  3. Answer: B. Building a segment count total into transaction set trailer
    Explanation: Building a segment count total ensures the completeness of inbound transactions in an EDI environment. The trailer of each transaction set carries the number of segments the sender included, so the receiver can recount the segments it actually received and reject any set where the totals differ, which catches truncated or tampered transmissions.
  1. Answer: B. Key verification
    Explanation: In key verification, the same field is entered twice and a machine compares the two entries for verification and validation. A reasonableness check ensures the logical reasoning of an input transaction. The control total is a system-based control that ensures that all relevant data is captured. A sequence check ensures the continuity of serial numbers. Completeness controls ensure that input is present for all required fields.
  2. Answer: D. Non-repudiation
    Explanation: Non-repudiation is a control that ensures that the sender cannot deny a transaction. It ensures that a transaction is enforceable.
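The segment-count control from the EDI questions above, as an added example that is not part of the study guide: a receiver-side completeness check over an ANSI X12 transaction set. The ST header and SE trailer layout (SE01 is the segment count including ST and SE themselves, ST02 and SE02 are the matching control numbers) is standard X12; the two purchase-order samples are constructed for this example and do not come from any real trading partner.

```python
# Added example: receiver-side completeness check for an X12 transaction set,
# implementing the "segment count total in the transaction set trailer"
# control. The sample data below is constructed for illustration only.

SEGMENT_TERMINATOR = "~"
ELEMENT_SEPARATOR = "*"

# Constructed sample: a complete 850 (purchase order) transaction set.
# SE01 = 6 matches the six segments actually present (ST, BEG, N1, PO1, CTT, SE).
GOOD_TRANSACTION_SET = (
    "ST*850*0001~"
    "BEG*00*SA*PO12345**20240101~"
    "N1*ST*Example Warehouse~"
    "PO1*1*10*EA*9.99**VP*ABC-123~"
    "CTT*1~"
    "SE*6*0001~"
)

# Constructed sample: the PO1 line item was lost in transit, so only five
# segments arrive while the trailer still claims six.
TRUNCATED_TRANSACTION_SET = (
    "ST*850*0001~"
    "BEG*00*SA*PO12345**20240101~"
    "N1*ST*Example Warehouse~"
    "CTT*1~"
    "SE*6*0001~"
)


def split_segments(raw: str) -> list[list[str]]:
    """Split a raw transaction set into segments, each a list of elements."""
    segments = [s for s in raw.split(SEGMENT_TERMINATOR) if s]
    return [segment.split(ELEMENT_SEPARATOR) for segment in segments]


def verify_segment_count(raw: str) -> tuple[bool, str]:
    """Apply the segment-count completeness control.

    Returns (ok, reason). ok is True only when the set starts with ST,
    ends with SE, the ST02/SE02 control numbers agree, and SE01 equals
    the number of segments actually received (ST and SE included).
    """
    segments = split_segments(raw)
    if not segments or segments[0][0] != "ST":
        return False, "missing ST header"
    if segments[-1][0] != "SE":
        return False, "missing SE trailer"
    st, se = segments[0], segments[-1]
    if len(st) < 3 or len(se) < 3:
        return False, "malformed ST or SE segment"
    try:
        declared = int(se[1])
    except ValueError:
        return False, f"SE01 is not numeric: {se[1]!r}"
    if st[2] != se[2]:
        return False, f"control number mismatch: ST02={st[2]} SE02={se[2]}"
    received = len(segments)
    if declared != received:
        return False, f"segment count mismatch: SE01={declared}, received={received}"
    return True, "ok"


if __name__ == "__main__":
    for label, data in (("complete", GOOD_TRANSACTION_SET),
                        ("truncated", TRUNCATED_TRANSACTION_SET)):
        ok, reason = verify_segment_count(data)
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

A rejected set should be logged and returned to the trading partner through the agreed functional acknowledgement rather than silently dropped, so the control is both detective (the mismatch is reported) and preventive (the incomplete order never reaches the application).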

Types of controls

  1. Answer: A. Preventive controls
    Explanation: Preventive controls are designed to stop a threat event before it occurs and thus avoid its potential impact. Detective controls are implemented to detect threat events once they have occurred, so that the impact of the event can be limited by a timely response. Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to its routine operations. Compensating controls are alternate measures that are employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.
  1. Answer: B. Detective controls
    Explanation: Detective controls are implemented to detect threat events once they have occurred, so that the impact of the event can be limited by a timely response. Preventive controls stop a threat event before it occurs, corrective controls minimize its impact and restore routine operations, and compensating controls are alternate measures used where a primary control is weak.
  2. Answer: A. Preventive controls
    Explanation: Segregation of duties is an attempt to prevent fraud or irregularities by segregating duties such that no single employee can commit fraud or other irregularities.
  1. Answer: A. Preventive controls
    Explanation: Well-designed documents are an attempt to prevent errors by implementing efficient and effective operational procedures in the organization.
  2. Answer: C. Corrective controls
    Explanation: Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring the routine operations of the business.
  3. Answer: A. Preventive controls
    Explanation: Employing only qualified personnel is an attempt to prevent errors or other irregularities.
  4. Answer: C. Corrective controls
    Explanation: The check subroutine corrects the error. It modifies the processing system and minimizes the likelihood of future occurrences of the problem.
  5. Answer: D. Deterrent controls
    Explanation: A deterrent control is anything intended to discourage a potential attacker from attacking, typically by signalling that the attempt will be detected or punished.
  6. Answer: B. Detective controls
    Explanation: Detective controls detect and report the occurrence of an error, omission, or malicious act.
  1. Answer: B. Detective controls
    Explanation: Detective controls detect and report the prevalence of an error, omission, or malicious act.
  1. Answer: C. Corrective controls
    Explanation: Corrective controls are designed to minimize the impact of a threat event once it has occurred and help restore the routine operations of a business.
  2. Answer: C. Corrective controls
    Explanation: Corrective controls are designed to minimize the impact of a threat event once it has occurred and help restore the routine operations of a business. They provide a remedy to problems discovered by detective controls.
  3. Answer: D. Compensating controls
    Explanation: Compensating controls are an alternate measure that is employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for weaknesses in other areas.
  4. Answer: A. Preventive controls
    Explanation: Preventive controls stop problems before they arise. They prevent omissions, errors, or malicious acts from occurring.
  1. Answer: A. Preventive controls
    Explanation: Access control aims to prevent access by unauthorized persons. It prevents omissions, errors, or malicious acts from occurring.
  2. Answer: C. Control risk
    Explanation: Control risk is a term that signifies the possibility that a control will fail to prevent or detect unwanted actions.
  3. Answer: D. Detective controls are used to determine whether an error has occurred and corrective controls fix problems before losses occur.
    Explanation: Detective controls are designed to detect or indicate that an error has occurred. Examples of detective controls include audits, hash totals, echo controls, and so on. Corrective controls are designed to correct a risk or deficiency to prevent losses. Examples of corrective controls include business continuity planning, backup procedures, and more.
  4. Answer: A. Give the auditor an overview of control testing.
    Explanation: On the basis of control objectives, an auditor can plan control testing to evaluate the effectiveness and efficiency of implemented controls.

Risk-based audit planning

  1. Answer: C. Identifying vulnerabilities
    Explanation: The identification of vulnerabilities is an important aspect of conducting a risk assessment. If a vulnerability is not appropriately recognized, the controls selected and the audit planning based on them may not be effective.
  2. Answer: B. Identifying high-risk processes of the organization
    Explanation: The identification of high-risk processes is the first and most critical step in risk-based audit planning. Audit planning should be done in accordance with high-risk areas.
  3. Answer: B. Ensuring that critical vulnerabilities and threats have been recognized
    Explanation: The identification of vulnerabilities and threats is critical in developing a risk-based audit strategy. This will help in the determination of the processes to be considered in the scope of audit. The audit team can concentrate on high-risk areas.
  4. Answer: D. Identifying and analyzing current controls
    Explanation: Once the threats and vulnerabilities are identified, the auditor should evaluate existing controls to draw a conclusion about residual risk.
  1. Answer: D. Focusing on high-risk areas
    Explanation: The main advantage of a risk-focused audit is that the auditor can focus on areas of high risk. This will help to plan an audit in such a way that means the audit team can concentrate on the high-risk processes.
  2. Answer: A. The criticality of IT assets
    Explanation: Protecting an asset will involve costs. It is important to understand the criticality of assets when designing appropriate levels of protection.
  3. Answer: B. Detection
    Explanation: Detection risk refers to the risk that the auditor's procedures fail to detect a material error or control weakness that exists. Inherent risk refers to risk that exists before applying any controls. Control risk refers to the risk that internal controls fail to prevent or detect an error. Business risks are not impacted by an inadequate audit procedure.
  4. Answer: C. Detection risk
    Explanation: Detection risk refers to the risk that the auditor's procedures fail to detect a material error or control weakness that exists.
  5. Answer: A. The product of probability and impact
    Explanation: Risk is the product of probability and impact. Option A considers both probability and impact. Option B considers only the probability of occurrence. Option C considers only the quantum of the impact. Option D is not applicable to the structured and scientific process of risk assessment.
  1. Answer: D. Reviewing the threats and vulnerabilities applicable to the data center
    Explanation: The identification of vulnerabilities and threats is the first step in a risk assessment process. Once the threats and vulnerabilities are identified, the auditor should evaluate existing controls and their effectiveness to draw a conclusion about the residual risk. Continuous risk monitoring is implemented during the risk monitoring function.
  2. Answer: B. Evaluating the threats and vulnerabilities applicable to the data center
    Explanation: Out of the given options, the first step in evaluating the security controls of a data center is evaluating the threats to and vulnerabilities of the data center. Options A and D are followed once the vulnerabilities and threats are identified. Option C is not considered as a part of a security analysis.
  3. Answer: C. Information assets are subject to suitable levels of protection
    Explanation: Data classification helps in determining the appropriate level of protection for information assets. Having a specific level of information security is important when protecting data and other IT assets.
  1. Answer: A. Analyzing the inherent risk assessment
    Explanation: The inherent risk assessment is the assessment of risk at a gross level without considering the impact of controls. The first step in a risk-focused audit is to obtain relevant details about the industry and organization to consider the inherent risk level.
  2. Answer: A. Determining high-risk processes
    Explanation: In risk-based planning, it is very important to determine high-risk areas. This will help to determine the areas to be audited.
  3. Answer: A. Subject-oriented
    Explanation: To determine risk, you need to calculate probability and impact. Probability is based on estimates and estimates are always subjective. Risk assessment is based on perception.
  4. Answer: C. Implementing relevant controls
    Explanation: The risk management process includes the assessment of risk and, on the basis of the outcome, the design of appropriate controls. The objective of risk assessment is to address the recognized risks by implementing appropriate controls.
  5. Answer: B. Senior business management
    Explanation: Top business management have the final authority and also the responsibility for the smooth operation of the organization. They should not further delegate their responsibility for risk management. The other options should help authorities in determining the risk appetite of the organization.
  1. Answer: A. Finding threats/vulnerabilities associated with current IT assets
    Explanation: The biggest factor in evaluating IT risk is finding and evaluating threats and vulnerabilities associated with IT assets. The other options, though very important factors for the risk assessment process, are not more important than option A.
  2. Answer: C. Identifying threats and their likelihood of occurrence
    Explanation: Once the critical assets are identified, the next step is to determine vulnerabilities and then to look at threats and their probability of occurrence.
  3. Answer: D. Vulnerability
    Explanation: A lack of security measures indicates a weakness or vulnerability. A vulnerability can be in the form of a lack of up-to-date anti-virus, weak software coding, poor access control, and more. It must be noted that vulnerabilities can be controlled by the organization.
  1. Answer: C. The identification of assets
    Explanation: The identification of critical assets is the first step in the development of a risk assessment process.
  2. Answer: B. Are created on the basis of risk analysis
    Explanation: In the bottom-up approach, risks related to processes are identified and considered. The approach starts by considering the process-level requirements and operational-level risk. The other options are the benefits of the top-down approach. In the top-down approach, policies are consistent across the organization and there is no conflict with overall corporate policy.
  3. Answer: A. Implementing controls
    Explanation: Risks are managed and reduced by incorporating proper security and relevant controls. Through insurance, risk is transferred. Auditing and certification help in providing assurance, while SLAs help in risk allocation.
  4. Answer: A. Addresses the risk
    Explanation: The most important factor for implementing controls is to ensure that the controls address the risk.
  5. Answer: A. Inherent risk
    Explanation: Gross risk or risk before controls is known as inherent risk.
  6. Answer: B. Control risk
    Explanation: Control risk refers to the risk that the internal control system of the organization will not be able to prevent, detect, or correct an error or irregularity.
  7. Answer: C. All relevant risks must be documented and analyzed.
    Explanation: It is most important that identified risks are properly documented. After proper documentation, other factors should be considered.
  1. Answer: C. Perform a risk assessment first and then concentrate control tests on high-risk areas
    Explanation: On the basis of risk assessment, the audit team should devote more testing resources to high-risk areas.
  2. Answer: A. The adoption of mature technology by the organization
    Explanation: Technology adoption may not have a huge impact while planning an audit as compared to other options. All the options are important, but the technology's maturity alone has the least influence on an organization's risk assessment.

Types of audit and assessment

  1. Answer: C. IS audit
    Explanation: An IS audit is designed to evaluate an information system and any related resources to determine the adequacy of the internal controls that protect the availability, integrity, and confidentiality of the system's IT assets.
  2. Answer: B. Compliance audit
    Explanation: A compliance audit includes specific tests of controls to determine adherence to specific regulatory or legal requirements.
  3. Answer: C. Integrated audit
    Explanation: An integrated audit combines financial and operational audit steps to assess the overall objectives of an organization, covering the safeguarding of assets, efficiency, and compliance.
  4. Answer: A. Functional audit
    Explanation: A functional audit provides an independent evaluation of software products. The audit comes either prior to software delivery or after implementation.
  5. Answer: D. Computer forensic audit
    Explanation: This is an investigation that includes the analysis of electronic devices. An IS auditor can support an IS manager or forensic specialist when conducting forensic analysis and auditing to ensure adherence to policy and procedure.
  6. Answer: D. Operational audit
    Explanation: An operational audit is designed to evaluate the internal control structure of a given process or area, together with other aspects related to the effectiveness, efficiency, and productivity of an enterprise.