ICAI DISA 3.0 MOdule 1 Quiz

Explanation: Once the business process to be audited is identified, the next step is to identify the control objectives and activities associated with the business processes. The next step is to identify the audit resources. The audit universe is to be determined prior to the finalization of the audit scope.

Explanation: The identification of vulnerabilities and threats is the first step in a risk assessment process. Once the threats and vulnerabilities are identified, the auditor should evaluate existing controls and their effectiveness to draw a conclusion about the residual risk. Continuous risk monitoring is implemented during the risk monitoring function.

Explanation: In the ITF technique, a test transaction is entered. The processing results of the test transaction are compared with the expected results to determine the accuracy of the processing. If the processed results match the expected results, then it determines that processing is happening correctly.

Data may be entered directly into the computer system without supporting documents. In some on-line transaction systems written evidence of data entry authorization (for example, approval for order entry) may be replaced by other procedures, such as authorization controls contained in computer programs (for example, credit limit approval). Hence; the answer in Option C is the correct one.

Explanation: Service-level architecture relies on the principle of multiple clients. The first step of the assignment is to understand how the services are allocated to different business units. Once this is done, the auditor will have a sufficient idea about the risk environment on the basis of which further audit procedures can be developed.

Explanation: The best course of action is to reduce the audit scope and to focus on high-risk areas. The other options do not concentrate on areas where more audit focus is required.

Explanation: A review of the exception report along with a follow-up action represents the best possible evidence. It determines that the control process is in place and also follow-up actions are taken for exceptions.

Explanation: A deterrent control is anything intended to warn a potential attacker not to attack.

Explanation: Access control aims to prevent access by unauthorized persons. It prevents omissions, errors, or malicious acts from occurring.

Explanation: The snapshots technique captures snaps or pictures of the transaction as it is processed at different stages in the system. Details are captured both before the execution and after the execution of the transaction. The correctness of the transaction is verified by validating the before-processing and after processing snaps of the transactions. Snapshot is useful when an audit trail is required.

Explanation: If the sample size is insufficient, the auditor should develop an alternative test procedure to evaluate the change management process.

Represents what auditor’s verifies but not that what he/she implements. Rest is part of definition and purpose of application controls.

Explanation: Once the critical assets are identified, the next step is to determine vulnerabilities and then to look at threats and their probability of occurrence.

Explanation: Well-designed documents are an attempt to prevent errors by implementing efficient and effective operational procedures in the organization.

Explanation: To design a risk-based audit plan, identification of the key business process is very important to determine the area of audit focus. Once the key business process is identified, the other options can be evaluated for further information.

Explanation: A remediation action plan should be in line with the criticality of the audit findings.

Explanation: The goal of such a discussion is to confirm the relevance and accuracy of the audit observation and to discuss a course of correct.

Explanation: The IS auditor should take into account the management view; however, they should independently evaluate the risk related to the audit findings. Normally, an IS auditor would not automatically delete or revise the findings.

Explanation: It is advisable to report the finding even if corrective action is taken by the auditee. For any action taken on the basis of audit observation, the audit report should identify the finding and describe the corrective action taken.

A holistic approach to deterrence and prevention of fraud would require strengthening of governance and management framework. The answers in options B to D address the issue in bits and pieces and; hence; are not the right answers. Answer at Option A alone is correct.

Responsibility for IT systems should lie with the top management with appropriate delegation to lower levels. This would not only ensure that the highly vulnerable IT systems are properly controlled at the highest levels in the company but also ensure that appropriate IT policies are framed; keeping in mind organizational objectives and goals. The perspective of an accountant; whether junior or senior; would be rather limited to his area of operations and responsibility; it may lack the breadth of vision which would be essential at the top management level as also the interfaces between various functions in the business. In any professional organization; no positive bias can be allowed for the dominance of so-called ‘family retainers’ however trustworthy they may be. The operations have to be system driven & not personality driven. Hence; theanswer in Option A is correct.

Explanation: The check subroutine corrects the error. It modifies the processing system and minimizes the likelihood of future occurrences of the problem.

User controls are not properly defined. User controls need to be defined based on NEED TO DO and NEED TO DO basis. The above is reflection of a greater problem of improper assessment of user profiles created in the system.

Explanation: The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas. Risk-based audit planning is designed to ensure that enough audit resources are spent on the risk-prone areas.

Maximum mileage can be gained from e-commerce by converting those business activities which are paperbased; time consuming & inconvenient for customers as indicated in Option A. This will help us reduce paperwork; accelerate delivery & make it convenient for customers to operate from the comfort of their homes as also at any other place of their convenience. Hence; the other options are wrong.

Snapshot is the right answer as in this technique; IS auditor can create evidence through IMAGE capturing. A snapshot tool is most useful when an audit trail is required. ITF can be used to incorporate test transactions into a normal production run of a system. CIS is useful when transactions meeting certain criteria need to be examined. Audit hooks are useful when only select transactions or processes need to be examined.