IT Audit Domain 1 - v3

Uploaded by rew

2021 IT Audit Workshop

Domain 1 - Information System Auditing Process


Contents

01 Overview

02 Planning
Introduction
IS Audit Standards, Guidelines, and Code of Ethics
Business Processes
Types of Controls
Risk-based Audit Planning
Types of Audits and Assessments

03 Execution
Audit Project Management
Sampling Methodology
Audit Evidence Collection Techniques
Data Analytics
Reporting and Communication Techniques
Quality Assurance and Improvement of Audit Process

04 Course Wrap-Up

Domain 1 2
Overview
Rules of the Road

To optimize your Virtual Classroom experience:
• Class participation – use the tools we have in the system
• Close all other applications except for the Virtual Classroom
• Let the facilitators know if the pace is too slow or too fast, or there is any other technical problem

To receive Learning Hours credit you must:
• Remain logged on for the full length of the session using your Deloitte ID
• Participate in activities

We promise to:
• Give you opportunities to grab a drink and have a break!
Overview
Domain 1 - Information System Auditing Process

The Information systems (IS) auditing process encompasses the standards, principles, methods, guidelines, practices and techniques that an IS auditor uses to plan, execute, assess and review business or information systems and related processes.

An IS auditor must have a thorough understanding of this auditing process as well as IS processes, business processes and controls designed to achieve organizational objectives and protect organization assets.
Overview
Domain 1 - Information System Auditing Process

Learning Objectives:
• Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization.
• Conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy.
• Communicate audit progress, findings, results and recommendations to stakeholders.
• Conduct audit follow-up to evaluate whether risk has been sufficiently addressed.
• Evaluate IT management and monitoring of controls.
• Utilize data analytics tools to streamline audit processes.
• Provide consulting services and guidance to the organization in order to improve the quality and control of information systems.
• Identify opportunities for process improvement in the organization’s IT policies and practices.
Overview
Warm up question 1

The approach an IS auditor should use to plan IS audit coverage should be based on:

A. Risk
B. Materiality
C. Fraud monitoring
D. Sufficiency of audit evidence

Ans: A
Overview
Warm up question 2

Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?

A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

Ans: C – Inherent risk is the risk level or exposure without considering the actions that management has taken or might take
Planning

Planning
Business Process

IS Audit is the formal examination and/or testing of information systems to determine whether:
• Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines
• Information systems and related processes comply with governance criteria and related and relevant policies and procedures
• IS data and information have the appropriate levels of confidentiality, integrity and availability
• IS operations are being accomplished efficiently and effectively
Planning
Business Process

An IS Auditor must understand and be able to evaluate the business processes of the organization
• A business process is an interrelated set of cross-functional activities that result in the delivery of a product or service
• It is controlled by policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business process will achieve its objectives
• A business process owner is the individual responsible for identifying process requirements, approving process design and managing process performance, and should be at an appropriately high level in the organization
Planning
IS Internal Audit Function

• The role of the IS internal audit function should be established by an audit charter approved by the board of directors and the audit committee
• IS audit can be part of internal audit, function as an independent group, or be integrated within financial or management audits
• The responsibilities, authority and accountability of the IS audit function should be appropriately documented in the audit charter or engagement letter
• The IS audit function should be led in a manner that ensures that the audit function's objectives are fulfilled
Planning
Steps to Perform Audit Planning

• Gain an understanding of the organization’s mission, objectives, purpose and processes, which include information and processing requirements
• Gain an understanding of the organization's governance structure
• Understand changes in the business environment
• Review prior work papers
• Identify stated contents such as policies, standards and required guidelines, procedures and organization structure
• Perform risk analysis
• Set audit scope and objectives
• Develop audit approach or audit strategy
• Assign personnel and address engagement objectives
Planning
Effect of Laws and Regulations

Two major areas of concern:
• Legal requirements placed on the audit
• Legal requirements placed on the auditee and its systems

The IS auditor should:
• Identify the relevant external requirements
• Document applicable laws and regulations
• Assess whether management and the IT function have considered the relevant external requirements
• Review internal IT department/function/activity documents that address the applicable laws
• Determine whether the established procedures address these requirements
• Determine if there are procedures to ensure contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities
Planning
Types of Controls

Two key aspects that controls should address:
• What should be achieved
• What should be avoided

Internal controls address business/operational objectives and should also address undesired events through prevention, detection and correction
Planning
Types of Controls

IS control objectives are:
• Statements of the desired result or purpose to be achieved by implementing controls around information system processes
• Comprised of policies, procedures, practices and organizational structure
• Designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, or detected and corrected

Organizational management needs to make choices by:
• Selecting those objectives that are applicable
• Deciding on those that will be implemented
• Choosing how to implement them
• Accepting the risk of not implementing those that might apply
Planning
Types of Controls

General controls
• Internal accounting controls, operational controls, administrative controls, etc.

IS-specific controls
• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to IT resources
• System development methodologies and change control
• Operational procedures
• System programming and technical support function
• Quality assurance
• Physical access controls
• BCP/DRP
• Network and communication technology
• Database administration
• Protective and detective mechanisms against attacks
Planning
Risk-based Audit Planning

• Inherent Risk – the risk level or exposure without considering controls
• Control Risk – the risk that a material error would not be prevented or detected on a timely basis by the system of internal controls
• Detection Risk – the risk that material errors or misstatements that have occurred will not be detected by an auditor
• Overall Audit Risk – the probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred

Audit Risk = Inherent Risk × Control Risk × Detection Risk
(Inherent Risk × Control Risk is the risk of material misstatement, ROMM)
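The model the slide's figure depicts, written out as an added derivation that is not part of the original deck, abbreviating the slide's four terms as AR, IR, CR and DR; the numbers at the end are constructed for illustration:

$$\text{AR} = \text{IR} \times \text{CR} \times \text{DR}, \qquad \text{ROMM} = \text{IR} \times \text{CR}$$

The auditor chooses the acceptable audit risk $\text{AR}$ and assesses $\text{IR}$ and $\text{CR}$ from planning work and compliance testing, so in practice the relation is solved for the detection risk the substantive procedures must achieve:

$$\text{DR} = \frac{\text{AR}}{\text{IR} \times \text{CR}}$$

With $\text{AR} = 0.05$, $\text{IR} = 0.8$ and $\text{CR} = 0.5$ this gives $\text{DR} = 0.05 / 0.40 = 0.125$. If compliance testing instead assesses the controls as weak, say $\text{CR} = 0.9$, then $\text{DR} = 0.05 / 0.72 \approx 0.069$: the auditor must accept a lower detection risk and therefore extend substantive testing, which is the dependency between compliance and substantive testing the deck draws in the Sampling Methodology section.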
Planning
Risk-based Audit Planning

• Risk assessments should identify, quantify and prioritize risk
• Risk assessments should be performed periodically
• The company should establish the criteria for determining whether risk can be managed within the risk appetite
• Possible risk response options:
  • Risk mitigation
  • Risk acceptance
  • Risk avoidance
  • Risk sharing (transfer)
Planning
Types of Audits and Assessments

• IS audit
• Compliance audit
• Financial audit
• Operational audit
• Integrated audit
• Administrative audit
• Specialized audit
  • Third-party service audit
  • Fraud audit
  • Forensic audit
• Computer forensic audit
• Functional audit
Planning
Question

An IS auditor is developing an audit plan for an environment that includes new systems. The organization’s management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

A. Audit the new systems as requested by management
B. Audit systems not included in last year’s scope
C. Determine the highest-risk systems and plan accordingly
D. Audit both the systems not in last year’s scope and the new systems

Ans: C
The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk.
ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1:
“The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.”
Execution

Execution
Audit Project Management

1. Plan the audit engagement – plan the audit, considering project-specific risk
2. Build the audit plan – chart out the necessary audit tasks across a timeline, optimizing resource use
3. Execute the plan – execute audit tasks
4. Monitor project activity – report actual progress against planned audit steps
Execution
Audit Project Management

An audit program is a step-by-step set of audit procedures and instructions that should be performed to complete an audit

The main purposes of developing an audit program:
• Formal documentation of audit procedures and sequential steps
• Creation of procedures that are repeatable and easy to use
• Documentation of the type of testing that will be used
• Meeting generally accepted audit standards that relate to the planning phase in the audit process
Execution
Audit Project Management

Planning Phase
1. Determine audit subject
2. Define audit objective
3. Set audit scope
4. Perform pre-audit planning
5. Determine procedures

Fieldwork and Documentation Phase
1. Acquire data
2. Test controls
3. Issue discovery and validation
4. Document results

Reporting Phase
1. Gather report requirements
2. Draft report
3. Issue report
4. Follow-up
Execution
Audit Work Papers

• All audit plans, programs, activities, tests, findings and incidents should be properly documented in the working papers
• Format and media can vary
• Auditors should consider how to maintain the integrity and protection of audit test evidence in order to preserve its value
Execution
Fraud

• Management is primarily responsible for establishing, implementing and maintaining an internal control system that leads to deterrence and/or timely detection of fraud.
• Internal controls may fail where such controls are circumvented by exploiting vulnerabilities or through management-perpetrated weaknesses in controls or collusion among people
• The presence of internal controls does not eliminate fraud
• IS auditors should be aware of the possibilities and means of perpetrating fraud, especially by exploiting the vulnerabilities and overriding controls
Execution
Sampling Methodology

An IS auditor should consider the purpose of the sample:
• Compliance testing/test of controls – an audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material weaknesses
• Substantive testing/test of details – an audit procedure designed to detect material weaknesses at the assertion level
Execution
Sampling Methodology

Compliance Testing
• To test an organization’s compliance with control procedures
• Determine whether controls are being applied in a manner that complies with management policies and procedures

Substantive Testing
• To evaluate the integrity of individual transactions, data or other information
• Provide evidence of the validity and integrity of the balances in the financial statements and the transactions that support these balances
• Test for monetary errors directly affecting financial statement balances or other relevant data

Direct correlation – if the results of compliance testing reveal the presence of adequate internal controls, minimizing the substantive procedures could be justified
Execution
Sampling Methodology

Two approaches: non-statistical sampling (judgement sampling) and statistical sampling

• Both require an IS auditor to use judgement when defining the population characteristics, and thus are subject to the risk that an incorrect conclusion could be drawn (sampling risk)
• Statistical sampling permits an IS auditor to quantify the probability of errors
Execution
Sampling Methodology

• Attribute sampling – generally applied in compliance testing, deals with the presence or absence of the attribute
  • Attribute sampling
  • Stop-or-go sampling
  • Discovery sampling
• Variable sampling – generally applied in substantive testing, deals with population characteristics that vary
  • Stratified mean per unit
  • Unstratified mean per unit
  • Difference estimation
Execution
Sampling Methodology

• Sampling risk – arises from the possibility that an IS auditor’s conclusion might be different from what would be reached IF the entire population were subject to the same audit procedure
• Risk of incorrect acceptance – a material weakness is assessed as unlikely when the population is materially misstated
• Risk of incorrect rejection – a material weakness is assessed as likely when the population is not materially misstated
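Attribute sampling for a compliance test, and the two sampling risks just defined, worked through in Python as an added example (not code from the deck). The population of change tickets, the approval attribute, the 95% confidence level and the 5% tolerable deviation rate are all constructed for the illustration. The block goes a little beyond the slide: it sizes the sample from the tolerable rate and the number of deviations the auditor expects to find, and then estimates the risk of incorrect acceptance and incorrect rejection by repeating the test against populations whose true deviation rate is known.

```python
"""Attribute sampling for a compliance test, plus a simulation of sampling risk.

Added example. Constructed inputs: a population of change tickets, each either
carrying the required approval (the attribute being tested) or not. The 95%
confidence level, 5% tolerable deviation rate and population size are
assumptions chosen for the illustration, not figures from the deck.
"""
import math
import random


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), summed directly."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n, deviations, confidence=0.95):
    """One-sided upper bound on the population deviation rate: the largest rate
    at which seeing `deviations` or fewer in n items is still at least
    (1 - confidence) likely. Found by bisection on the rate."""
    lo, hi = deviations / n, 1.0
    for _ in range(40):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


def sample_size(tolerable, expected_deviations=0, confidence=0.95):
    """Smallest sample whose upper deviation limit, if exactly
    `expected_deviations` turn up, still does not exceed the tolerable rate."""
    n = expected_deviations + 1
    while upper_deviation_limit(n, expected_deviations, confidence) > tolerable:
        n += 1
    return n


def make_population(size, true_deviation_rate, rng):
    """Constructed population: tickets without approval are the deviations."""
    bad = round(size * true_deviation_rate)
    tickets = [{"ticket": f"CHG-{i:05d}", "approved": i >= bad} for i in range(size)]
    rng.shuffle(tickets)
    return tickets


def assess_control(population, n, tolerable, confidence=0.95, rng=random):
    """Draw n tickets without replacement, count missing approvals and assess
    the control as effective only if the upper deviation limit is tolerable."""
    sample = rng.sample(population, n)
    deviations = sum(1 for t in sample if not t["approved"])
    limit = upper_deviation_limit(n, deviations, confidence)
    return {"deviations": deviations, "upper_limit": limit, "effective": limit <= tolerable}


def sampling_risk(size, true_rate, n, tolerable, trials=400, seed=7):
    """Repeat the test against a population whose deviation rate is known.
    If the population is materially misstated (true_rate > tolerable), the
    share of 'effective' verdicts is the risk of incorrect acceptance; if not,
    the share of 'not effective' verdicts is the risk of incorrect rejection."""
    rng = random.Random(seed)
    population = make_population(size, true_rate, rng)
    misstated = true_rate > tolerable
    wrong = sum(
        assess_control(population, n, tolerable, rng=rng)["effective"] == misstated
        for _ in range(trials)
    )
    return wrong / trials


if __name__ == "__main__":
    print("n for 5% tolerable, 0 expected deviations:", sample_size(0.05, 0))
    print("n for 5% tolerable, 1 expected deviation: ", sample_size(0.05, 1))
    print("incorrect acceptance, 10% true rate, n=59:", sampling_risk(2000, 0.10, 59, 0.05))
    print("incorrect rejection,   2% true rate, n=59:", sampling_risk(2000, 0.02, 59, 0.05))
```

Two things the run shows that the slide only names: a sample sized for zero expected deviations (59 tickets) keeps the risk of incorrect acceptance very low against a 10% deviation population, but rejects an acceptable 2% population most of the time, because a single exception pushes the upper limit above 5%. Sizing for the deviations the auditor expects to find (93 tickets for one expected deviation) is how the risk of incorrect rejection is managed.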
Execution
Question

Which of the following sampling methods is MOST useful when testing for compliance?

A. Attribute sampling
B. Variable sampling
C. Stratified mean-per-unit sampling
D. Difference estimation sampling

Ans: A
Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain predefined dollar amount for proper approvals.
Break time

Execution
Audit Evidence Collection Techniques

Audit evidence may include:
• Observation
• Notes taken from interviews
• Results of independent confirmation from different stakeholders
• Material extracted from communication and internal documentation or contracts
• Results of audit test procedures
Execution
Audit Evidence Collection Techniques

Determinants for evaluating the reliability of audit evidence may include:
• Independence of the provider of the evidence
• Qualifications of the individual providing the information / evidence
• Objectivity of the evidence
• Timing of the evidence

The quality and quantity of evidence must be assessed
• Competent (quality): when audit evidence is both valid and relevant
Execution
Audit Evidence Collection Techniques

The following are techniques for gathering evidence:
• Reviewing IS organization structures
• Reviewing IS policies and procedures
• Reviewing IS standards
• Reviewing IS documentation
• Interviewing appropriate personnel
• Observing processes and employee performance
• Reperformance
• Walkthroughs
Execution
Audit Evidence Collection Techniques

Interviewing and observing personnel in the performance of their duties
• Actual functions
• Actual process/procedures
• Security awareness
• Reporting relationships
• Observation drawbacks
Execution
Data Analytics

IS auditors can use data analytics for:
• Determination of the operational effectiveness of the current control environment
• Determination of the effectiveness of anti-fraud procedures and controls
• Identification of business process errors, improvements and inefficiencies
• Identification of exceptions or unusual business roles
• Identification of fraud
• Identification of areas where poor data quality exists
• Performance of risk assessment
• Validating the data
• Executing the tests and documenting the results
Execution
Data Analytics

Data analytics can be effective in both the planning and fieldwork phases (planning; fieldwork and documentation; reporting)

Can be used to accomplish the following:
• Combining logical access files with HR master files
• Combining file library settings with data from change management systems and dates of file changes -> check for authorization
• Reviewing table or system configuration settings
• Reviewing system logs for unauthorized access or unusual activities
• Testing system conversion
• Testing logical access SOD
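Three of the tests listed above (joining logical access files to the HR master, testing logical access SOD, and reviewing system logs for unusual activity) implemented in Python as an added example; this is not code from the deck. The HR extract, the access extract, the log lines, the role names and the SOD conflict rule are all constructed for the illustration, and a real engagement would take the rule set from the auditee's SOD matrix.

```python
"""Fieldwork data-analytics tests of the kind listed above, as an added example.

Constructed inputs (not real data): an HR master extract, a logical access
extract from a finance application, and a few authentication log lines. The
column names, role names and the SOD rule set are assumptions for the example.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

HR_MASTER = """employee_id,name,status,termination_date
E100,Ana Ruiz,active,
E101,Ben Ito,terminated,2021-03-15
E102,Cai Wen,active,
E103,Dee Roy,terminated,2021-01-31
"""

LOGICAL_ACCESS = """account,employee_id,roles,account_status
aruiz,E100,AP_INVOICE_ENTRY;AP_PAYMENT_RELEASE,enabled
bito,E101,AP_INVOICE_ENTRY,enabled
cwen,E102,GL_VIEW,enabled
droy,E103,GL_POST,disabled
svc_batch,,GL_POST,enabled
"""

AUTH_LOG = """2021-04-02T02:14:07Z bito LOGIN_SUCCESS src=10.0.8.14
2021-04-02T09:01:55Z aruiz LOGIN_SUCCESS src=10.0.2.7
2021-04-02T09:02:30Z cwen LOGIN_FAILURE src=10.0.2.9
2021-04-02T09:02:41Z cwen LOGIN_FAILURE src=10.0.2.9
2021-04-02T09:02:52Z cwen LOGIN_FAILURE src=10.0.2.9
2021-04-02T23:40:12Z svc_batch LOGIN_SUCCESS src=10.0.9.1
"""

# Assumed SOD rule: pairs of roles that one account must not hold together.
SOD_CONFLICTS = [frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"})]


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def terminated_with_enabled_access(hr_rows, access_rows):
    """Join the access file to the HR master on employee_id and flag enabled
    accounts of terminated staff, plus enabled accounts with no HR record
    (orphan or service accounts whose ownership must be confirmed)."""
    hr = {r["employee_id"]: r for r in hr_rows}
    findings = []
    for acct in access_rows:
        if acct["account_status"] != "enabled":
            continue
        emp = hr.get(acct["employee_id"])
        if emp is None:
            findings.append((acct["account"], "no HR record"))
        elif emp["status"] == "terminated":
            findings.append((acct["account"], f"terminated {emp['termination_date']}"))
    return findings


def sod_violations(access_rows):
    """Accounts whose role set contains a conflicting pair."""
    hits = []
    for acct in access_rows:
        roles = set(acct["roles"].split(";"))
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                hits.append((acct["account"], tuple(sorted(pair))))
    return hits


def unusual_log_activity(log_text, failure_threshold=3, business_hours=(7, 20)):
    """Flag successful logins outside business hours and accounts reaching the
    failure threshold; both are cues for follow-up, not conclusions."""
    failures = defaultdict(int)
    flags = []
    for line in log_text.strip().splitlines():
        timestamp, account, event, _src = line.split()
        hour = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").hour
        if event == "LOGIN_SUCCESS" and not business_hours[0] <= hour < business_hours[1]:
            flags.append((account, "off-hours login"))
        elif event == "LOGIN_FAILURE":
            failures[account] += 1
            if failures[account] == failure_threshold:
                flags.append((account, f"{failure_threshold} repeated failures"))
    return flags


def run_all():
    hr, access = load_csv(HR_MASTER), load_csv(LOGICAL_ACCESS)
    return {
        "terminated_or_orphan": terminated_with_enabled_access(hr, access),
        "sod": sod_violations(access),
        "log": unusual_log_activity(AUTH_LOG),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, findings)
```

Each finding is a lead for the auditor to validate with the process owner, which is the "issue discovery and validation" step of fieldwork: the enabled account of a terminated employee that also logged in at 02:14 is the kind of exception the slide's log review is meant to surface, while the service account with no HR record may be legitimate but needs a documented owner.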
Execution
Data Analytics

Computer-assisted audit techniques (“CAATs”):
• Important tools that an IS auditor uses to gather and analyze data
• Enable an IS auditor to gather information independently
• CAATs include many types of tools and techniques such as generalized audit software (GAS), utility software, debugging and scanning software, test data, application software tracing and mapping, and expert systems
• GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats
• GAS provides an IS auditor with an independent means to gain access to data for analysis and the ability to use high-level software to invoke functions to be performed on data files
• Common features: file access, file re-organization, data selection, statistical functions, arithmetical functions
Execution
Data Analytics

Computer-assisted audit techniques (“CAATs”):
• Utility software is a subset of software – such as the report generators of the database management system – that provides evidence about system control effectiveness
• Test data involve an IS auditor using a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives
• These tools and techniques can be used in:
  • Tests of details of transactions and balances
  • Analytical review procedures
  • Compliance tests of IS general controls
  • Compliance tests of IS application controls
  • Network and OS vulnerability assessments
  • Penetration testing
  • Application security testing and source code security scans
Execution
Data Analytics

Computer-assisted audit techniques (“CAATs”):
• Examples of documentation to retain:
  • Online reports detailing high-risk issues for review
  • Commented program listings
  • Flowcharts
  • Sample reports
  • Record and file layouts
  • Field definitions
  • Operating instructions
  • Description of applicable source documents
Execution
Continuous Auditing Techniques

• Important IS audit tools – particularly when they are used in time-sharing environments that process a large number of transactions
• E.g., when a system is misused by someone withdrawing money from an inoperative account -> report this withdrawal to the auditor in a timely manner
• 5 types of automated evaluation techniques applicable to continuous auditing:
  • System control audit review file and embedded audit modules (SCARF/EAM)
  • Snapshots
  • Audit hooks
  • Integrated test facility (ITF)
  • Continuous and intermittent simulation (CIS)
Execution
Reporting and communication techniques

Communicating audit results…
• Ensure that the facts presented are correct and material
• Ensure that the recommendations are realistic and cost-effective
• Recommend implementation dates for agreed-on recommendations
Execution
Reporting and communication techniques

6 audit report objectives
• Formally present the audit results
• Serve as formal closure of the audit engagement
• Provide statements of assurance and, if needed, identification of areas requiring corrective actions and related recommendations
• Serve as a valued reference for any party researching the auditee or audit topic
• Serve as the basis for a follow-up audit if audit findings were presented
• Promote audit credibility. This depends on the report being well developed and well written
Execution
Reporting and communication techniques

Audit report structure and contents
• Introduction – statement of objective, limitations, period, general statement, statement on audit methodology and guidelines
• Audit findings
• Overall conclusion and opinion
• Reservations or qualifications with respect to the audit
  • This may state that the controls or procedures were found to be adequate or inadequate. The balance of the audit report should support that conclusion, and the overall evidence gathered during the audit should provide an even greater level of support
• Detailed audit findings and recommendations
  • The IS auditor may choose to present minor findings in an alternate format, such as by memorandum
Execution
Reporting and communication techniques

Audit documentation should include, at a minimum…
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
• Audit documentation relation with document identification and dates

It is also recommended to include the below:
• A copy of the report issued
• Evidence of audit supervisory review
Execution
Reporting and communication techniques

Follow-up activities
• Audits would not be effective if they are performed and reports issued with no follow-up to determine whether management has taken appropriate corrective actions
• IS auditors should have a follow-up program to determine if agreed-on corrective actions have been implemented (might not be applicable for external audits)
Execution
Question

An IS auditor finds a small number of user access requests that were not authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:

A. Perform an additional analysis
B. Report the problem to the audit committee
C. Conduct a security risk assessment
D. Recommend that the owner of the identity management system fix the workflow issues

Ans: A
The IS auditor needs to perform additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and the factors that caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, a problem with the workflow of the automated system or a combination of the two.
Execution
Quality assurance and improvements of the audit process

The IS auditor plays an important role in improving the quality and control of information systems in an organization

Elements of quality control with respect to an audit engagement include the following:
• Leadership responsibilities for quality in audits
• Ethical requirements (including independence)
• Acceptance and continuance of client relationships and specific audit engagements
• Assignment of engagement teams
• Engagement performance
• Monitoring
Execution
Quality assurance and improvements of the audit process

Have you heard of CSA?

A. Yes
B. No
Execution
Quality assurance and improvements of the audit process

• Control self-assessment (CSA) – assessment of controls made by the staff and management
• Management technique to assure stakeholders, customers and other parties that the internal control system of the organization is reliable
• Ensures that employees are aware of the risk to the business and that they conduct periodic, proactive reviews of controls
• Methodology to review key business objectives, risks involved, and internal controls designed to manage business risk in a formal, documented and collaborative process
Execution
Quality assurance and improvements of the audit process

The role of the IS auditor in CSA
• Acts as a facilitator to the business process owners to help them define and assess appropriate controls, and helps the process owners understand the need for controls, based on the risk to the business processes
• The process owners who run the processes use their knowledge and understanding to evaluate the performance of controls against the objectives
• As process owners have a greater knowledge of the process objectives, they are in an ideal position to define the appropriate controls

CSA can be implemented in various ways, for example:
• Facilitated workshops allow functional management and the IS auditor to come together to explore their own experiences and those of others
Execution
Quality assurance and improvements of the audit process

Benefits of CSA
• Early detection of risk
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Development of a sense of ownership of the controls in the employees and process owners and reduction of their resistance to control improvement initiatives
• Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
• Increased communication between operational and top management
• Highly motivated employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
• Necessary assurance given to top management about the adequacy of internal controls as required by regulations and laws
Execution
Quality assurance and improvements of the audit process

Disadvantages of CSA
• It could be mistaken as an audit function replacement
• It may be regarded as an additional workload
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls
Execution
Quality assurance and improvements of the audit process

Integrated auditing
• IS auditors MUST develop an understanding of the IT control structure AND the business control structures
• Typically involves:
  • Identification of risk faced by the organization for the area being audited
  • Identification of relevant key controls
  • Review and understanding of the design of key controls
  • Testing that key controls are supported by the IT system
  • Testing that management controls operate effectively
  • A combined report or opinion on control risk, design and weaknesses
• An integrated audit demands a focus on business risk and a drive for creative control solutions

[Figure: integrated audit shown as the overlap of Operational Audit, Financial Audit and IS Audit]
Course Wrap-up

Course Wrap-up
Question 1

Which of the following outlines the overall authority to perform an IS audit?

A. The audit scope with goals and objectives
B. A request from management to perform an audit
C. The approved audit charter
D. The approved audit schedule

Ans: C
Course Wrap-up
Question 2

In performing a risk-based audit, which risk assessment is completed FIRST by an IS auditor?

A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment

Ans: C – Inherent risk exists independently of an audit and can occur because of the nature of the business. To successfully conduct an audit, it is important to be aware of the related business processes, and thus the inherent risk.
Question 3

Which of the following would an IS auditor MOST likely focus on when developing a risk-based audit program?

A. Business processes
B. Administrative controls
C. Environmental controls
D. Business strategies

Ans: A – A risk-based audit approach focuses on understanding the nature of the business and being able to identify and categorize risk.

Question 4

An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. In this situation, an IS auditor should:

A. Disregard these control weaknesses because a system software review is beyond the scope of this review
B. Conduct a detailed system software review and report the control weaknesses
C. Include in the report that the audit was limited to a review of the application's controls
D. Review the system software controls as relevant and recommend a detailed system software review

Ans: D

Question 5

Which of the following is the MOST important reason why an audit planning process should be reviewed at periodic intervals?

A. To plan for deployment of available audit resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit charter
D. To identify the applicable IS audit standards

Ans: B – Short- and long-term issues that drive audit planning can be heavily impacted by changes to the risk environment, technologies and business processes of the enterprise.

Question 6

Which of the following is MOST effective for implementing a control self-assessment within small business units?

A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagram

Ans: B – A, C and D are not correct, as informal peer reviews might not identify and assess all control issues.

Question 7

Which of the following would an IS auditor perform FIRST when planning an IS audit?

A. Define audit deliverables
B. Finalize the audit scope and audit objectives
C. Gain an understanding of the business's objectives and purpose
D. Develop the audit approach or audit strategy

Ans: C

Question 8

An organization performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is an example of a:

A. Preventive control
B. Management control
C. Corrective control
D. Detective control

Ans: C

Thank you

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also
referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third
parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see
www.deloitte.com/about to learn more.
Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their related entities, each of which are separate and
independent legal entities, provide services from more than 100 cities across the region, including Auckland, Bangkok, Beijing, Hanoi, Hong Kong, Jakarta, Kuala Lumpur, Manila, Melbourne,
Osaka, Seoul, Shanghai, Singapore, Sydney, Taipei and Tokyo.
The Deloitte brand entered the China market in 1917 with the opening of an office in Shanghai. Today, Deloitte China delivers a comprehensive range of audit & assurance, consulting, financial advisory, risk advisory and tax services to local, multinational and growth enterprise clients in China. Deloitte China has also made—and continues to make—substantial contributions to the development of China's accounting standards, taxation system and professional expertise. Deloitte China is a locally incorporated professional services organization, owned by its partners in China. To learn more about how Deloitte makes an Impact that Matters in China, please connect with our social media platforms at www2.deloitte.com\cn\en\social-media.
This communication and any attachment to it is for internal distribution among personnel of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms and their related
entities (collectively, the “Deloitte organization”). It may contain confidential information and is intended solely for the use of the individual or entity to whom it is addressed. If you are not the
intended recipient, please notify us immediately and then please delete this communication and all copies of it on your system. Please do not use this communication in any way.
None of DTTL, its member firms, related entities, employees or agents shall be responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on
this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.
© 2021. For information, contact Deloitte China.