7/28/2019 Information Technology Audit 23-12 Day1
1/83
What is Audit?
Audit - an evaluation of an organization, system, process, project or product.
http://en.wikipedia.org/wiki/Audit
Audit Mission
Provide independent, objective assurance and consulting services designed to add value and improve the organization's operations.
What is Information Technology?
Information technology (IT) is the use of computers and telecommunications equipment to store, retrieve, transmit and manipulate data.
What is an Information System?
An information system (IS) is any combination of information technology and people's activities that support operations, management and decision making.
In a very broad sense, the term information system is frequently used to refer to the interaction between people, processes, data and technology.
http://en.wikipedia.org/wiki/Information_technology
What is IT / IS Audit?
An information technology audit, or information systems audit:
An examination of the management controls within an information technology infrastructure/systems.
The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.
These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".
http://en.wikipedia.org/wiki/Financial_audit
http://en.wikipedia.org/wiki/Internal_audit
Role of External, Internal and IS Auditors
The scope of the external audit is usually confined to a financial and compliance audit to satisfy the statutory requirement, which requires examination of the accounts and providing an opinion as to whether the financial statements produced provide a true and fair picture.
The scope of an internal audit covers the total conduct of business. The objectives for internal auditors are set by board/management.
IS Auditor is an independent advisor that addresses the control environment of the computer information systems and how they are used. IS Auditors review different aspects of the systems, such as evaluating system input, processing and output controls, data and physical security, contingency planning and system administration, etc.
Code of Professional Ethics
ISACA (Information Systems Audit and Control Association) sets forth this Code of Professional Ethics to guide the professional and personal conduct.
Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting the profession or the Association.
Important Terms
Independence: Refers to the independence of the internal auditor or of the external auditor from parties that may have a financial interest in the business being audited.
Objectivity: Judgment based on observable phenomena and uninfluenced by emotions or personal prejudices.
Due Diligence: Reasonable steps taken by a person in order to satisfy a requirement.
Professional Care: Applying the care and skill expected of a reasonably prudent and competent auditor.
http://en.wikipedia.org/wiki/Independence
http://en.wikipedia.org/wiki/Internal_auditor
http://en.wikipedia.org/wiki/External_auditor
Code of Professional Ethics
Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
Inform appropriate parties of the results of work performed; revealing all significant facts known to them.
Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
Corporate Governance
Corporate governance is "the system by which companies are directed and controlled".
It involves regulatory and market mechanisms, and the roles and relationships between a company's management, its board, its shareholders, and the goals for which the corporation is governed.
IT Governance
Information technology governance is a subset discipline of corporate governance focused on information technology (IT) systems and their performance and risk management.
http://en.wikipedia.org/wiki/Corporate_governance
http://en.wikipedia.org/wiki/Information_technology
http://en.wikipedia.org/wiki/Performance_management
http://en.wikipedia.org/wiki/Risk_management
1. IT Function
2. IT layers
Auditor and IT
Audit Universe
Business Processes and IT Controls
IT Audit Process
Five Tasks:
1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.
Process Knowledge Statements
Ten Knowledge Statements:
1. Knowledge of IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
2. Knowledge of IS auditing practices and techniques
3. Knowledge of techniques to gather information and preserve evidence
4. Knowledge of the evidence life cycle
5. Knowledge of control objectives and controls related to IS
Process Knowledge Statements
Ten Knowledge Statements (Contd):
6. Knowledge of risk assessment in an audit context
7. Knowledge of audit planning and management techniques
8. Knowledge of reporting and communication techniques
9. Knowledge of control self-assessment (CSA)
10. Knowledge of continuous audit techniques
Organization of IS Audit Function
Audit charter (or engagement letter)
Stating management's responsibility and objectives for, and delegation of authority to, the IS audit function
Outlining the overall authority, scope and responsibilities of the audit function
Approval of the audit charter
Change in the audit charter
IS Audit Resource Management
Limited number of IS auditors
Maintenance of their technical competence
Assignment of audit staff
Audit Planning
Audit planning
  Short-term planning (a year)
  Long-term planning
  Things to consider
    New control issues
    Changing technologies
    Changing business processes
    Enhanced evaluation techniques
Individual audit planning
  Understanding of overall environment
    Business practices and functions
    Information systems and technology
Audit Planning
Audit Planning Steps
1. Gain an understanding of the business's mission, objectives, purpose and processes.
2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure)
3. Evaluate risk assessment and privacy impact analysis
4. Perform a risk analysis.
5. Conduct an internal control review.
6. Set the audit scope and audit objectives.
7. Develop the audit approach or audit strategy.
8. Assign personnel resources to audit and address engagement logistics.
Effect of Laws and Regulations
Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to computer system practices and controls.
Establishment of the regulatory requirements
Organization of the regulatory requirements
Responsibilities assigned to the corresponding entities
Correlation to financial, operational and IT audit functions
Effect of Laws and Regulations
Steps to determine compliance with external requirements:
Identify external requirements
Document pertinent laws and regulations
Assess whether management and the IS function have considered the relevant external requirements
Review internal IS department documents that address adherence to applicable laws
Determine adherence to established procedures
ISACA Auditing Standards and Guidelines
Framework for the IS Auditing Standards
Standards
Guidelines
Procedures
ISACA IS Auditing Standards and Guidelines
IS Auditing Standards
1. Audit charter
2. Independence
3. Ethics and Standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning
ISACA IS Auditing Standards and Guidelines
9. Irregularities and Illegal Acts (Contd)
Obtain written representations from management
Have knowledge of any allegations of irregularities or illegal acts
Communicate material irregularities/illegal acts
Consider appropriate action in case of inability to continue performing the audit
Document irregularity/illegal act related communications, planning, results, evaluations and conclusions
IT Risk Assessment Quadrants
[Figure: Example Risk Level Assignment. Axes: Sensitivity Rating and Vulnerability Assessment Rating, each running from 0% to 100% with a division at 50%.]
Quadrant I (High Risk). Suggested Action(s): Mitigate
Quadrant II (Medium Risk). Suggested Action(s): Accept, Mitigate, Transfer
Quadrant III (Medium Risk). Suggested Action(s): Accept, Mitigate, Transfer
Quadrant IV (Low Risk). Suggested Action(s): Accept
ISACA IS Auditing Standards and Guidelines
ISACA Auditing Procedures
Procedures developed by the ISACA Standards Board provide examples.
The IS auditor should apply their own professional judgment to the specific circumstances.
Internal Control
Internal Controls
Policies, procedures, practices and organizational structures implemented to reduce risks
Internal Control
Components of Internal Control System
Internal accounting controls
Operational controls
Administrative controls
Internal Control
Internal Control Objectives
Safeguarding of information technology assets
Compliance to corporate policies or legal requirements
Authorization/input
Accuracy and completeness of processing of transactions
Output
Reliability of process
Backup/recovery
Efficiency and economy of operations
Classification of Internal Controls
Preventive controls
Detective controls
Corrective controls
Internal Control
Internal Control
IS Control Objectives
Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes.
Internal Control
IS Control Objectives (contd)
Safeguarding assets
Assuring the integrity of general operating system environments
Assuring the integrity of sensitive and critical application system environments through:
  Authorization of the input
  Accuracy and completeness of processing of transactions
  Reliability of overall information processing activities
  Accuracy, completeness and security of the output
  Database integrity
Internal Control
IS Control Objectives (Contd)
Ensuring the efficiency and effectiveness of operations
Complying with requirements, policies and procedures, and applicable laws
Developing business continuity and disaster recovery plans
Developing an incident response plan
Day 1 Recap
Audit Mission
Planning
Roles of Internal, external and IS Auditor
Code of Professional Ethics
IS Audit Standards and Guidelines
IT Audit Universe
Risk Analysis
IS Control Objectives (Contd)
COBIT
A framework with 34 high-level control objectives
  Planning and organization
  Acquisition and implementation
  Delivery and support
  Monitoring and evaluation
Use of 36 major IT related standards and regulations
Internal Control
What sort of framework is COBIT?
An IT audit and control framework?
  COBIT (1996) and COBIT 2nd Edition (1998)
  Focus on Control Objectives
An IT management framework?
  COBIT 3rd Edition (2000)
  Management Guidelines added
An IT governance framework?
  COBIT 4.0 (2005) and COBIT 4.1 (2007)
  Governance and compliance processes added
  Assurance processes removed
BUT what is the difference between governance and management?
Governance and Management
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
Governance and Management Defined (cont.)
The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes:
The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM)
Internal Control
General Control Procedures
apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
Internal Control
General Control Procedures (Contd)
Internal accounting controls directed at accounting operations
Operational controls concerned with the day-to-day operations
Administrative controls concerned with operational efficiency and adherence to management policies
Organizational logical security policies and procedures
Overall policies for the design and use of documents and records
Procedures and features to ensure authorized access to assets
Physical security policies for all data centers
Internal Control
IS Control Procedures
Strategy and direction
General organization and management
Access to data and programs
Systems development methodologies and change control
Data processing operations
Systems programming and technical support functions
Data processing quality assurance procedures
Physical access controls
Business continuity/disaster recovery planning
Networks and communications
Database administration
Definition of Auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
Performing an IS Audit
Definition of IS Auditing
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Performing an IS Audit
Performing an IS Audit
Classification of audits:
Financial audits
Operational audits
Integrated audits
Administrative audits
Information systems audits
Specialized audits
Forensic audits
Audit Programs
Based on the scope and the objective of the particular assignment
IS auditor's perspectives
Security (confidentiality, integrity and availability)
Quality (effectiveness, efficiency)
Fiduciary (compliance, reliability)
Service and Capacity
Performing an IS Audit
General audit procedures
Understanding of the audit area/subject
Risk assessment and general audit plan
Detailed audit planning
Preliminary review of audit area/subject
Evaluating audit area/subject
Compliance testing
Substantive testing
Reporting (communicating results)
Follow-up
Performing an IS Audit
Procedures for testing & evaluating IS controls
Use of generalized audit software to survey the contents of data files
Use of specialized software to assess the contents of operating system parameter files
Flow-charting techniques for documenting automated applications and business process
Use of audit reports available in operation systems
Documentation review
Observation
Walkthroughs
Reperformance of controls
Performing an IS Audit
Performing an IS Audit
Audit Methodology
A set of documented audit procedures designed to achieve planned audit objectives
Composed of
  Statement of scope
  Statement of audit objectives
  Statement of work programs
Set up and approved by the audit management
Communicated to all audit staff
Typical audit phases
1. Audit subject
Identify the area to be audited
2. Audit objective
Identify the purpose of the audit
3. Audit scope
Identify the specific systems, function or unit of the organization
Performing an IS Audit
Performing an IS Audit
Typical audit phases (Contd)
4. Pre-audit planning
Identify technical skills and resources needed
Identify the sources of information for test or review
Identify locations or facilities to be audited
Typical audit phases (Contd)
5. Audit procedures and steps for data gathering
Identify and select the audit approach
Identify a list of individuals to interview
Identify and obtain departmental policies, standards and guidelines
Develop audit tools and methodology
Performing an IS Audit
Typical audit phases (Contd)
6. Procedures for evaluating test/review result
7. Procedures for communication with management
8. Audit report preparation
  Identify follow-up review procedures
  Identify procedures to evaluate/test operational efficiency and effectiveness
  Identify procedures to test controls
  Review and evaluate the soundness of documents, policies and procedures.
Performing an IS Audit
Performing an IS Audit
Workpapers (WPs)
What is documented in WPs?
Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents
Performing an IS Audit
Workpapers (Contd)
Do not have to be on paper
Must be
Dated
Initialized
Page-numbered
Relevant
Complete
Clear
Self-contained and properly labeled
Filed and kept in custody
Performing an IS Audit
Fraud Detection
Management's responsibility
Benefits of a well-designed internal control system
  Deterring frauds at the first instance
  Detecting frauds in a timely manner
Fraud detection and disclosure
Auditor's role in fraud prevention and detection
Performing an IS Audit
Audit Risk
Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit.
A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing.
Performing an IS Audit
Audit Risks
Inherent risk
Control risk
Detection risk
Overall audit risk
Performing an IS Audit
Risk-based Approach Overview
Gather Information and Plan
Obtain Understanding of Internal Control
Perform Compliance Tests
Perform Substantive Tests
Conclude the Audit
Performing an IS Audit
Materiality
An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited
Performing an IS Audit
Risk Assessment Techniques
Enables management to effectively allocate limited audit resources
Ensures that relevant information has been obtained
Establishes a basis for effectively managing the audit team
Provides a summary of how the individual audit subject is related to the overall organization and to business plans
Performing an IS Audit
Audit Objectives - Specific goals of the audit
Compliance with legal & regulatory requirements
Confidentiality
Integrity
Reliability
Availability
Performing an IS Audit
Compliance vs. Substantive Testing
Compliance test
  determines whether controls are in compliance with management policies and procedures
Substantive test
  tests the integrity of actual processing
Correlation between the level of internal controls and substantive testing required
Relationship between compliance and substantive tests
Performing an IS Audit
Evidence
It is a requirement that the auditor's conclusions must be based on sufficient, competent evidence.
Independence of the provider of the evidence
Qualification of the individual providing the information or evidence
Objectivity of the evidence
Timing of evidence
Performing an IS Audit
Techniques for gathering evidence:
Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee performance
Performing an IS Audit
Interviewing and Observing Personnel
Actual functions
Actual processes/procedures
Security awareness
Reporting relationships
Performing an IS Audit
Sampling
General approaches to audit sampling:
Statistical sampling
Non-statistical sampling
Methods of sampling used by auditors:
Attribute sampling
Variable sampling
Performing an IS Audit
Sampling (Contd)
Attribute sampling
  Stop-or-go sampling
  Discovery sampling
Variable sampling
  Stratified mean per unit
  Unstratified mean per unit
  Difference estimation
Statistical sampling terms:
Confidence coefficient
Level of risk
Precision
Expected error rate (not for variable sampling)
Sample mean
Sample standard deviation
Tolerable error rate
Population standard deviation (not for attribute sampling)
Performing an IS Audit
Performing an IS Audit
Key steps in choosing a sample
Determine the objectives of the test
Define the population to be sampled
Determine the sampling method, such as attribute versus variable sampling.
Calculate the sample size
Select the sample
Evaluating the sample from an audit perspective.
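The sample-choosing steps above, carried through for attribute sampling in a compliance test. This is an added example, not part of the original slides. The normal-approximation sample-size formula, the exact binomial upper limit, the rates used and the constructed population of change records (every 97th lacks an approval) are assumptions chosen for illustration.

```python
"""Attribute sampling for a compliance test: size, select, evaluate."""
import math
import random
from statistics import NormalDist


def attribute_sample_size(population, confidence, expected_error_rate, precision):
    """Sample size from the normal approximation, with finite population correction."""
    z = NormalDist().inv_cdf(0.5 + confidence / 2)  # z for the confidence coefficient
    n0 = z ** 2 * expected_error_rate * (1 - expected_error_rate) / precision ** 2
    n = n0 / (1 + (n0 - 1) / population)
    return min(population, math.ceil(n))


def select_sample(item_ids, size, seed):
    """Simple random selection without replacement; record the seed in the workpapers."""
    return sorted(random.Random(seed).sample(list(item_ids), size))


def upper_error_limit(sample_size, deviations, confidence):
    """Exact one-sided binomial upper limit on the population error rate."""
    alpha = 1 - confidence

    def prob_at_most(p):
        # P(X <= deviations) when the true error rate is p
        return sum(math.comb(sample_size, i) * p ** i * (1 - p) ** (sample_size - i)
                   for i in range(deviations + 1))

    lo, hi = deviations / sample_size, 1.0
    for _ in range(60):  # bisection: prob_at_most() decreases as p grows
        mid = (lo + hi) / 2
        if prob_at_most(mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_sample(sample_size, deviations, confidence, tolerable_error_rate):
    """Compare the upper limit with the tolerable error rate."""
    limit = upper_error_limit(sample_size, deviations, confidence)
    return {
        "sample_size": sample_size,
        "deviations": deviations,
        "observed_rate": deviations / sample_size,
        "upper_limit": limit,
        # False means the control cannot be relied on at this confidence level,
        # which points to more substantive testing.
        "within_tolerance": limit <= tolerable_error_rate,
    }


def run_compliance_test(seed=2019):
    # Constructed population: 5000 change records; True means an approval is on file.
    population = {ticket: ticket % 97 != 0 for ticket in range(1, 5001)}
    size = attribute_sample_size(len(population), confidence=0.95,
                                 expected_error_rate=0.02, precision=0.02)
    sample = select_sample(population, size, seed)
    deviations = sum(1 for ticket in sample if not population[ticket])
    return evaluate_sample(size, deviations, confidence=0.95, tolerable_error_rate=0.05)


if __name__ == "__main__":
    print(run_compliance_test())
```

The attribute tested here is "an approval is on file"; each sampled record without one counts as a deviation.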
Quiz # 1
1. Four types of Risk Treatment Strategies are
1.
2.
3.
4.
Quiz # 1
2. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks:
A. Inherent Risk
B. Detection Risk
C. Control Risk
D. Business Risk
Quiz # 1
3. An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should present the MOST concern to the IS auditor:
A. The owner of the system was not present at the time of the evidence retrieval.
B. The system was powered off by an investigator.
C. There are no documented logs of the transportation of evidence.
D. The contents of the random access memory (RAM) were not backed up.
Quiz # 1
4. Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
A. Attribute sampling
B. Generalized audit software (GAS)
C. Test data
D. Integrated test facility (ITF)
Quiz # 1
6) An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:
A. expand the scope of the IS audit to include the devices that are not on the network diagram.
B. evaluate the impact of the undocumented devices on the audit scope.
C. note a control deficiency because the network diagram has not been updated.
D. plan follow-up audits of the undocumented devices