Section: The process of Auditing Information System

Section: Protection of Information Assets
Explanation:
Management should ensure that all information assets (data and systems) have an appointed owner who
makes decisions about classification and access rights. System owners typically delegate day-to-day
custodianship to the systems delivery/operations group and security responsibilities to a security
administrator. Owners, however, remain accountable for the maintenance of appropriate security
measures.

Section: Protection of Information Assets
Explanation:
Audit logs are critical to the investigation of the event; however, if not enabled, misuse of the logon ID of the technical lead and the guest account could not be established. The logon ID of the technical lead should have been deleted as soon as the employee left the organization but, without audit logs, misuse of the ID is difficult to prove. Spyware installed on the system is a concern but could have been installed by any user and, again, without the presence of logs, discovering who installed the spyware is difficult. A Trojan installed on the system is a concern, but it can be done by any user as it is accessible to the whole group and, without the presence of logs, investigation would be difficult.

Section: Protection of Information Assets

Section: Protection of Information Assets
Explanation:
A communications handler transmits and receives electronic documents between trading partners and/or
wide area networks (WANs).

Section: Protection of Information Assets
Explanation:
The primary purpose of audit trails is to establish accountability and responsibility for processed
transactions.

The primary concern is to establish a workable disaster recovery plan, which reflects current processing volumes to protect the organization from any disruptive incident. Censuring the deputy CEO will not achieve this and is generally not within the scope of an IS auditor to recommend. Establishing a board to review the plan, which is two years out of date, may achieve an updated plan, but is not likely to be a speedy operation, and issuing the existing plan would be folly without first ensuring that it is workable. The best way to achieve a disaster recovery plan in a short time is to make an experienced manager responsible for coordinating the knowledge of other managers into a single, formal document within a defined time limit.

Trend/variance detection tools look for anomalies in user or system behavior, for example, determining whether the numbers for prenumbered documents are sequential or increasing. CASE tools are used to assist software development. Embedded (audit) data collection software is used for sampling and to provide production statistics. Heuristic scanning tools can be used to scan for viruses to indicate possible infected code.

Section: The process of Auditing Information System
Explanation:
The risk that material errors or misstatements that have occurred will not be detected by an IS auditor.
Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.
An auditor must apply audit procedures to detect material misstatements in the financial statements whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit such as the use of sampling for the selection of transactions. Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.
For your exam you should know below information about audit risk:
Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue unqualified report due to the auditor’s failure to detect material misstatement either due to error or fraud. This risk is composed of inherent risk (IR), control risk (CR) and detection risk (DR), and can be calculated thus:
AR = IR x CR x DR
Inherent Risk
Auditors must determine risks when working with clients. One type of risk to be aware of is inherent risk.
While assessing this level of risk, you ignore whether the client has internal controls in place (such as a secondary review of financial statements) in order to help mitigate the inherent risk. You consider the strength of the internal controls when assessing the client’s control risk. Your job when assessing inherent risk is to evaluate how susceptible the financial statement assertions are to material misstatement given the nature of the client’s business. A few key factors can increase inherent risk.
Environment and external factors: Here are some examples of environment and external factors that can lead to high inherent risk:
Rapid change: A business whose inventory becomes obsolete quickly experiences high inherent risk.
Expiring patents: Any business in the pharmaceutical industry also has inherently risky environment and external factors. Drug patents eventually expire, which means the company faces competition from other manufacturers marketing the same drug under a generic label.
State of the economy: The general level of economic growth is another external factor affecting all businesses.
Availability of financing: Another external factor is interest rates and the associated availability of financing.
If your client is having problems meeting its short-term cash payments, available loans with low interest rates may mean the difference between your client staying in business or having to close its doors.
Prior-period misstatements: If a company has made mistakes in prior years that weren’t material (meaning they weren’t significant enough to have to change), those errors still exist in the financial statements. You have to aggregate prior-period misstatements with current year misstatements to see if you need to ask the client to adjust the account for the total misstatement.
You may think an understatement in one year compensates for an overstatement in another year. In auditing, this assumption isn’t true. Say you work a cash register and one night the register comes up $20 short. The next week, you somehow came up $20 over my draw count. The $20 differences are added together to represent the total amount of your mistakes which is $40 and not zero. Zero would indicate no mistakes at all had occurred.
Susceptibility to theft or fraud: If a certain asset is susceptible to theft or fraud, the account or balance level may be considered inherently risky. For example, if a client has a lot of customers who pay in cash, the balance sheet cash account is going to have risk associated with theft or fraud because of the fact that cash is more easily diverted than customer checks or credit card payments.
Looking at industry statistics relating to inventory theft, you may also decide to consider the inventory account as inherently risky. Small inventory items can further increase the risk of this account valuation being incorrect because those items are easier to conceal (and therefore easier to steal).
Control Risk
Control risk has been defined under International Standards of Auditing (ISAs) as following:
The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.
In simple words control risk is the probability that a material misstatement exists in an assertion because that misstatement was not either prevented from entering entity’s financial information or it was not detected and corrected by the internal control system of the entity.
It is the responsibility of the management and those charged with governance to implement internal control system and maintain it appropriately which includes managing control risk.
There can be many reasons for control risk to arise and why it cannot be eliminated absolutely. But some of them are as follows:
Cost-benefit constraints
Circumvention of controls
Inappropriate design of controls
Inappropriate application of controls
Lack of control environment and accountability
Novel situations
Outdated controls
Inappropriate segregation of duties
Detection Risk
Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.
An auditor must apply audit procedures to detect material misstatements in the financial statements whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit such as the use of sampling for the selection of transactions.
Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.
The following answers are incorrect:
Inherent Risk – It is the risk level or exposure of a process or entity to be audited without taking into account the control that management has implemented.
Control Risk – The risk that material error exist that would not be prevented or detected on timely basis by the system of internal controls.
Overall audit risk – The probability that information or financial report may contain material errors and that the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to limit the audit risk in the area under security so the overall audit risk is at sufficiently low level at the completion of the examination.
Reference:
CISA review manual 2014 page number 50
http://en.wikipedia.org/wiki/Audit_risk
http://www.dummies.com/how-to/content/how-to-assess-inherent-risk-in-an-audit.html
http://pakaccountants.com/what-is-control-risk/
http://accounting-simplified.com/audit/risk-assessment/audit-risk.html

Explanation/Reference:
Explanation:
To trace the topology of the network, a graphical interface would be essential. It is not necessary that each network be on the internet and connected to a help desk, while the ability to export to a spreadsheet is not an essential element.

A definition of key performance indicators is required before implementing an IT balanced scorecard. Choices A, C and D are objectives.

Explanation/Reference:
Explanation:
The major benefit of implementing a security program is management’s assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks.
Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit. The cost of IT security may or may not be reduced.