Ensurepass

 

QUESTION 251

Data flow diagrams are used by IS auditors to:

 

A. order data hierarchically.

B. highlight high-level data definitions.

C. graphically summarize data paths and storage.

D. portray step-by-step details of data generation.

 

Correct Answer: C

Explanation:

Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

 

 

QUESTION 252

Which of the following should be of MOST concern to an IS auditor?

 

A. Lack of reporting of a successful attack on the network

B. Failure to notify police of an attempted intrusion

C. Lack of periodic examination of access rights

D. Lack of notification to the public of an intrusion

 

Correct Answer: A

Explanation:

Not reporting an intrusion is equivalent to an IS auditor hiding a malicious intrusion, which would be a professional mistake. Although notification to the police may be required and the lack of a periodic examination of access rights might be a concern, they do not represent as big a concern as the failure to report the attack. Reporting to the public is not a requirement and is dependent on the organization’s desire, or lack thereof, to make the intrusion known.

 

 

QUESTION 253

Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?

 

A. Multiple cycles of backup files remain available.

B. Access controls establish accountability for e-mail activity.

C. Data classification regulates what information should be communicated via e-mail.

D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.

 

Correct Answer: A

Explanation:

Backup files containing documents that supposedly have been deleted could be recovered from these files. Access controls may help establish accountability for the issuance of a particular document, but this does not provide evidence of the e-mail. Data classification standards may be in place with regards to what should be communicated via e-mail, but the creation of the policy does not provide the information required for litigation purposes.

 

 

 

 

 

QUESTION 254

The PRIMARY advantage of a continuous audit approach is that it:

 

A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.

B. requires the IS auditor to review and follow up immediately on all information collected.

C. can improve system security when used in time-sharing environments that process a large number of transactions.

D. does not depend on the complexity of an organization’s computer systems.

 

Correct Answer: C

Explanation:

The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization’s computer systems.

 

 

QUESTION 255

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:

 

A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.

B. not include the finding in the final report, because the audit report should include only unresolved findings.

C. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit.

D. include the finding in the closing meeting for discussion purposes only.

 

Correct Answer: A

Explanation:

Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.

 

 

QUESTION 256

An IS auditor has imported data from the client’s database. The next step, confirming whether the imported data are complete, is performed by:

 

A. matching control totals of the imported data to control totals of the original data

B. sorting the data to confirm whether the data are in the same order as the original data

C. reviewing the printout of the first 100 records of original data with the first 100 records of imported data

D. filtering data for different categories and matching them to the original data

 

Correct Answer: A

Explanation:

Matching control totals of the imported data with control totals of the original data is the next logical step, as this confirms the completeness of the imported data. It is not possible to confirm completeness by sorting the imported data, because the original data may not be in sorted order. Further, sorting does not provide control totals for verifying completeness. Reviewing a printout of 100 records of original data with 100 records of imported data is a process of physical verification and confirms the accuracy of only these records. Filtering data for different categories and matching them to original data would still require that control totals be developed to confirm the completeness of the data.

 

 

QUESTION 257

The PRIMARY purpose of audit trails is to:

 

A. improve response time for users.

B. establish accountability and responsibility for processed transactions.

C. improve the operational efficiency of the system.

D. provide useful information to auditors who may wish to track transactions.

 

Correct Answer: B

Explanation:

Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system. The objective of enabling software to provide audit trails is not to improve system efficiency, since it often involves additional processing which may in fact reduce response time for users. Enabling audit trails involves storage and thus occupies disk space. Choice D is also a valid reason; however, it is not the primary reason.

 

 

QUESTION 258

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

 

A. controls needed to mitigate risks are in place.

B. vulnerabilities and threats are identified.

C. audit risks are considered.

D. a gap analysis is appropriate.

 

Correct Answer: B

Explanation:

In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. A gap analysis would normally be done to compare the actual state to an expected or desirable state.

 

 

QUESTION 259

A substantive test to verify that tape library inventory records are accurate is:

 

A. determining whether bar code readers are installed.

B. determining whether the movement of tapes is authorized.

C. conducting a physical count of the tape inventory.

D. checking if receipts and issues of tapes are accurately recorded.

 

Correct Answer: C

Explanation:

A substantive test includes gathering evidence to evaluate the integrity of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test. Choices A, B and D are compliance tests.

 

 

QUESTION 260

In an audit of an inventory application, which approach would provide the BEST evidence that purchase orders are valid?

 

A. Testing whether inappropriate personnel can change application parameters

B. Tracing purchase orders to a computer listing

C. Comparing receiving reports to purchase order details

D. Reviewing the application documentation

 

Correct Answer: A

Explanation:

To determine purchase order validity, testing access controls will provide the best evidence. Choices B and C are based on after-the-fact approaches, while choice D does not serve the purpose because what is in the system documentation may not be the same as what is happening.

 
