ISA 3.0 ICAI module 1

ICAI DISA 3.0 QUESTION BANK : MODULE 1 :- STUDY MATERIAL BASED

1. While planning an audit, M/s InfoTech Solutions should have FIRST identified:

A. Areas of high risk.
B. Skill sets of the audit staff.
C. Test steps in the audit.
D. Time allotted for the audit.

Explanation: (a) When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. (b) Skill sets of audit staff is an important consideration. However, unless risks are identified it will not be known how and where to utilize the skills. (c) Compliance tests and substantive tests can be effectively carried out only once the auditor is aware of the areas of high risk. (d) Allotment of time is important but is not the first and primary step like identification of high-risk areas.

2. M/s InfoTech Solutions has decided to skip the Risk Assessment Process. What is the primary risk involved here?

A. Resources may not be allocated to the areas of highest concern.
B. Budgets are more likely to be met by the IS audit staff.
C. May not be able to complete the assignment as per timelines defined in the SLA.
D. Senior Auditor may not take responsibility for Audit Observations.

Explanation: The primary risk involved here is that critical risks are not identified and may remain unnoticed. The other areas are not of that level of concern.

3. Reviewing management's long-term strategic plans helps the IS auditor:

A. Gain an understanding of an organization's goals and objectives.
B. Test the enterprise's internal controls.
C. Assess the organization's reliance on information systems.
D. Determine the number of audit resources needed.

Explanation: Strategic planning sets corporate or departmental objectives into motion. It is time and project-oriented, but must also address and help determine priorities to meet business needs. Reviewing long-term strategic plans will not achieve the objectives in the other choices.

4. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

A. Controls needed to mitigate risks are in place.
B. Vulnerabilities and threats are identified.
C. Audit risks are considered.
D. Gap analysis is appropriate.

Explanation: In developing a risk-based audit strategy, risks and vulnerabilities are to be understood. This determines areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. Gap analysis would normally be done to compare the actual state to an expected or desirable state.

5. After you enter a purchase order in an on-line system, you get the message, “The request could not be processed due to lack of funds in your budget”. This is an example of error:

A. Detection
B. Correction
C. Prevention
D. Recovery

Explanation: To stop or prevent a wrong entry is a function of error prevention. All other options work after an error. Prevention works before the occurrence of an error.

6. Which of the following cannot be classified as Audit Risk?

A. Inherent Risk
B. Detection Risk
C. Controllable Risk
D. Administrative Risk

Explanation: Inherent risk means overall risk of management which is on account of the entity’s business operations as a whole. Controllable risk is the risk present in the internal control system and the enterprise can control this risk completely and eliminate it from the system. Detection risk is the risk of the IS Auditor when he is not able to detect the inherent risk or the controllable risk.

7. Which term means the rate at which the opinion of the IS Auditor would change if he selects a larger sample size?

A. Audit Risk
B. Materiality
C. Risk Based Audit
D. Controls

Explanation: Audit risk means the rate at which the opinion of the IS Auditor would change if he selects a larger sample size. Audit risk can be high, moderate or low depending on the sample size selected by the IS Auditor. A risk-based audit approach is usually adapted to develop and improve the continuous audit process. Materiality means importance of information to the users. It is totally a matter of the professional judgment of the IS Auditor to decide whether the information is material or immaterial.

8. The rate of change in technology increases the importance of:

A. Outsourcing the IS function
B. Implementing and enforcing good processes
C. Hiring personnel willing to make a career within the organisation
D. Meeting user requirements

Explanation: The rate of change of technology increases the importance of implementing and enforcing good practices.

9. Which of the following are most commonly used to mitigate risks discovered by organizations?

A. Controls
B. Personnel
C. Resources
D. Threats

Explanation: Controls are most commonly used to mitigate risks discovered by organizations. This is what organizations implement as a result of the risks an organization discovers. Resources and personnel are often expended to implement controls.

10. To conduct a system audit, the IS auditor should:

A. Be technically at par with the client’s technical staff.
B. Be able to understand the system that is being audited.
C. Possess knowledge in the area of current technology.
D. Only possess a knowledge of auditing.

Explanation: To conduct an IS Audit, the primary requirement is that the IS Auditor should be able to understand the system and technology being audited. He is not required to be the expert in all subjects. There is no comparison of his knowledge with that of the auditee’s staff. He should have the knowledge of audit along with the technology in the related subject of audit.

11. Which of the following control classifications identify the cause of a problem and minimize the impact of threat?

A. Administrative Controls
B. Detective Controls
C. Preventive Controls
D. Corrective Controls

Explanation: The Corrective Controls classification identifies the cause of a problem and minimizes the impact of threat. The goal of these controls is to identify the root cause of an issue whenever possible and eliminate the potential for that occurring again. The other controls are useful but perform other functions instead.

12. The primary purpose and existence of an audit charter is to:

A. Document the audit process used by the enterprise.
B. Formally document the audit department’s plan of action.
C. Document a code of professional conduct for the auditor.
D. Describe the authority and responsibilities of the audit department.

Explanation: An audit charter describes the authority and responsibility of the audit department. These are established by the senior management.

13. The decisions and actions of the Senior Auditor of M/s InfoTech Solutions are MOST likely to affect which of the following risks?

A. Detection
B. Inherent
C. Control
D. Business

Explanation: (a) Detection risks are directly affected by the auditor's selection of audit procedures and techniques. (b) Inherent risks usually are not affected by the IS auditor. (c) Control risks are controlled by the actions of the company's management. (d) Business risks are not affected by the IS auditor.

14. What should an IS Auditor do FIRST when he observes that two users are constantly trying to access some external sources?

A. Inform the management and expand the sample to get further evidence.
B. Issue an Audit Finding.
C. Seek explanations from Management.
D. Ask for clarification from the Firewall Vendor.

Explanation: IS Audit and Assurance Standards suggest that an IS Auditor should gather sufficient and appropriate audit evidence on which his opinion is based. Here the IS Auditor needs to determine whether this is an isolated incident or a systematic failure. It would be a good practice to keep management informed about the incident.

15. An IS Auditor found one security loophole in the System. However, when the IT Management got to know about it, they immediately corrected it. The IS Auditor should:

A. Report the same in his Audit Report if the finding is material.
B. Not include it in the Audit Report as the same is corrected.
C. Not include it in the Audit Report but discuss the same in the Exit Interview for recommendation.
D. Not include it in the Audit Report and send a letter of appreciation to IT Management.

Explanation: As per the IS Audit and Assurance Standards, any finding, whether subsequently corrected or not, should be included in the IS Audit Report if it is material.

16. An IS Auditor rightly found one weakness in the Firewall implementation and he recommended the name of a sister concern to address the weakness. The IS Auditor has failed to maintain:

A. Professional Independence
B. Professional Competence
C. Organizational Independence
D. Personal Competence

Explanation: Professional Independence carries the highest weight in the Assurance Services field. If, due to any action of the IS Auditor, his capacity to carry out the audit independently is hindered, then the same amounts to failure to maintain Professional Independence.

17. Which of the following forms of evidence would be considered the most reliable when assisting an IS Auditor in developing an audit conclusion?

A. A confirmation letter received from a third party for the verification of an account balance.
B. Assurance via a control self-assessment received from the management that an application is working as designed.
C. Trend data obtained from World Wide Web (Internet) sources.
D. Ratio analysis developed by an IS Auditor from reports supplied by line management.

Explanation: The IS Auditor requires documented evidence to be submitted during audit procedures. Control self-assessment, though a good control, cannot work as evidence. Trend and ratio analysis can be used to justify some conclusion but cannot be considered conclusive evidence, whereas a confirmation letter is.

18. During a review of the controls over the process of defining IT service levels, an IS auditor would most likely interview the:

A. Systems programmer
B. Legal staff
C. Business Unit Manager
D. Programmer

Explanation: The business unit manager is the owner of that business unit and he is the right authority to provide the required information in this context. The first point of interview should be with the person related to the business, not the programmer or legal staff.

19. Which of the following procedures would an IS Auditor not perform during pre-audit planning to gain an understanding of the overall environment under review?

A. Tour key organisation activities.
B. Interview key members of management to understand business risks.
C. Perform compliance tests to determine if regulatory requirements are met.
D. Review prior audit reports.

Explanation: During pre-audit planning there is no question of doing any compliance test. Compliance testing starts during the process of audit. All other options are part of the process of collecting information during the pre-audit process.

20. The purpose of compliance tests is to provide reasonable assurance that:

A. Controls are working as prescribed.
B. Documentation is accurate and current.
C. The duties of users and data processing personnel are segregated.
D. Exposures are defined and quantified.

Explanation: The compliance tests determine whether prescribed controls are working as intended. Answer "B" is NOT the best choice. Current and accurate documentation may be a good procedure but it is only one type of control procedure; therefore, answer "A" is a better choice as more control procedures are evaluated. Answer "C" is NOT the best choice because segregation of duties is only one type of control procedure; therefore, answer "A" is a better choice as more control procedures are evaluated. Answer "D" is NOT the correct choice. Exposures are defined and quantified to determine audit scope. Compliance tests provide reasonable assurance that controls are working as prescribed.

21. IS Auditors are most likely to perform tests of internal controls if, after their evaluation of such controls, they conclude that:

A. A substantive approach to the audit is cost-effective.
B. The control environment is poor.
C. Inherent risk is low.
D. Control risks are within the acceptable limits.

Explanation: The IS auditor will most probably perform the test of internal control when the control environment is poor. When inherent risks are low and control risks are within acceptable limits, the likelihood of testing internal controls gets reduced. Concluding the cost effectiveness of a substantive approach is not the outcome of testing internal controls.

22. Which of the following is the least important factor in determining the need for an IS Auditor to be involved in a new system development project?

A. The cost of the system.
B. The value of the system to the organization.
C. The potential benefits of the system.
D. The number of lines of code to be written.

Explanation: The size of the system is the least important of the factors listed. All other factors have specific financial implications and an IS Auditor can be used to help mitigate the risk to the corporation with the development of a new system.

23. Each of the following is a general control concern EXCEPT:

A. Organization of the IS Department.
B. Documentation procedures within the IS Department.
C. Balancing of daily control totals.
D. Physical access controls and security measures.

Explanation: Balancing of daily control totals relates to specific applications and is not considered an overall general control concern. Answer "B" is NOT the correct answer since documentation procedures within the IS Department are an important general control concern. Answer "A" is NOT the correct answer since organization of the IS Department is an important general control concern. Answer "D" is NOT the correct answer since physical access controls and security measures are important general control concerns.

24. Which of the following types of audits requires the highest degree of data processing expertise?

A. Systems software audits
B. General controls reviews
C. Microcomputer application audits
D. Mainframe application audits

Explanation: The IS Auditor needs a specialized type of education in hardware and operating system software. Options B, C and D can be performed when an IS auditor has a basic level of data processing technical knowledge and usually require no special training.

25. A manufacturing company has implemented a new client/server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following controls would BEST ensure that the orders are accurately entered and the corresponding products produced?

A. Verifying production to customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to production

Explanation: Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time-consuming manual process that does not guarantee proper control.
26 / 65 26. An IS Auditor observed that users are occasionally granted the authority to change system data. The elevated system access is not consistent with company policy yet is required for smooth functioning of business operations. Which of the following controls would the IS Auditor most likely recommend for long term resolution? Redesign the controls related to data authentication Implement additional segregation of duties controls Review policy to see if a formal exception process is required Implement additional logging controls Question explanation: C. is the correct answer. Policy is not a static document. When an exception is a regular requirement, the best control is to modify the policy accordingly. 27 / 65 27. In a public sector bank while updating master data for advances given, the bank employee does not update “INSURANCE DATA”. This includes details of Insurance Policy, Amount Insured, Expiry Date of Insurance and other related information. This defines which control lapse as per COBIT. Source Data Preparation and Authorisation Source Data Collection and Entry Accuracy, Completeness and Authenticity Checks Processing Integrity and Validity Question explanation: C. This ensures that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible. 28 / 65 28. As per Income Tax Act, 1961 and banking norms, all fixed deposit holders of banks need to submit their PAN or form 60/61(a form as per Income Tax Act/Rules). A bank in its account opening form, has not updated the need for form 60/61 in case PAN is not there. This defines which control lapse as per COBIT. Source Data Preparation and Authorisation Source Data Collection and Entry Accuracy, Completeness and Authenticity Checks Processing Integrity and Validity Question explanation: A. is the correct answer as the source data capture is not proper. 
Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimised through good input form design. 29 / 65 29. Application controls shall include all except Application controls are a subset of internal controls. The purpose is to collect timely, accurate and reliable information. It is part of the IS Auditor’s responsibility to implement the same. It is part of business application software. Question explanation: C. It represents what auditor verifies but not that what he/she implements. Rest is part of the definition and purpose of application controls. 30 / 65 30. The most appropriate type of CAAT tool the auditor should use to test security configuration settings for the entire application systems of any organization is: Generalised Audit Software Test Data Utility Software Expert System Question explanation: When testing the security of the entire application system including operating system, database and application security, the auditor will most likely use a utility software that assists in reviewing the configuration settings. In contrast, the Auditor may use GAS to perform a substantive testing of data and configuration files of the application. Test data are normally used to check the integrity of the data and expert systems are used to inquire on specific topics. Hence correct answer is C. 31 / 65 31. Many automated tools are designed for testing and evaluating computer systems. Which one of the following such tools impact the systems performance with a greater load and stress on the system? Test data generators Statistical software packages Test drivers Network traffic analyzers Question explanation: Statistical software packages use all data resources impacting the processing time and response time. 
Network traffic analyzers also use the system resources but not putting stress on production data. Test data generator is not resource intensive and test drivers are for specific use without impacting much resources. Correct answer is B. 32 / 65 32. An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to review the data processing files for possible duplicate payments. Which of the following techniques/tools would be useful to the IS Auditor? An integrated test facility. Statistical sampling. Generalized audit software. The Audit Review File. Question explanation : Generalised Audit software is mainly used to find duplicate data. Options A and D are on line application audit tools and statistical sampling may not be able to find duplicates. Correct answer is C. 33 / 65 33. Which is one of the most effective tools and techniques to combat fraud? Computer Assisted Audit Techniques (CAAT) Threats of severe punishment Validation by the I.T. dept. of the police Use of authenticated hard copies Key Question explanation: CAAT is one of the tools useful for carrying out the detection of suspicious transactions as a pre-emptive or post fraud activity. Hence, answer at Option A is correct. 34 / 65 34. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)? Establishing relationship between two or more areas & identify duplicate transactions Carry out market surveys for a new product launch Projections on future trends for specific parameters Estimation of competitor activity Key Question explanation: One of the many key tests that can be carried out by CAATs is establishing relationship between two or more areas & identify duplicate transactions. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct. 35 / 65 35. 
What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)? Establishing whether the set controls are working as prescribed Carry out employee appraisals Projections on future trends for specific parameters Estimation of competitor activity Key. Question explanation: One of the many key tests that can be carried out by CAATs is establishing whether the set controls are working as intended. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct. 36 / 65 36. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)? Perform various types of statistical analysis Carry out employee appraisals Projections on future trends for specific parameters Carrying out employees’ reference checks Key Question explanation: One of the many key tests that can be carried out by CAATs is the carrying out of various types of statistical analysis which could throw up areas of inconsistencies, defaults, etc. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct. 37 / 65 37. What can be ideally carried out using Computer Assisted Audit Tools (CAATs)? Identify data which is inconsistent or erroneous Carry out employee appraisals Projections on future trends for specific parameters Carrying out employees’ reference checks Key. Question explanation: One of the many key tests that can be carried out by CAATs is identification of data which is inconsistent or erroneous. The IS auditor can set the criteria based upon the sort of data which are not expected to occur on the basis of the controls which presumably have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. 
Hence, answer at Option A alone is correct. 38 / 65 38. Find out the best process carried out using Computer Assisted Audit Tools (CAATs)? Identify potential areas of fraud Carry out employee appraisals of Information Systems Assurances Services Projections on future trends for specific parameters Carrying out employees’ reference checks Key Question explanation: One of the many key tests that can be carried out by CAATs is identification of potential areas of fraud. The IS auditor can set the criteria based upon the sort of transactions which are not expected to occur on the basis of presumably have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Correct answer is A. 39 / 65 39. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)? Identification of exceptional transactions based upon set criteria Projections on future trends for specific parameters Carrying out employees’ reference checks Carry out employee appraisals Key Question explanation : One of the many key tests that can be carried out by CAATs is identification of exceptional transactions based upon set criteria. The IS auditor can set the criteria based upon the sort of transactions which are not expected to occur on the basis of the controls which presumably have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct. 40 / 65 40. After initial investigation, IS auditor has reasons to believe that there is possibility of fraud, the IS auditor has to: Expand activities to determine whether an investigation is warranted. Report the matter to the audit committee. Report the possibility of fraud to top management and ask how they would like to proceed. 
Consult with external legal counsel to determine the course of action to be taken. Question explanation: A. An IS auditor’s responsibility for detecting fraud includes evaluating fraud indicators and deciding whether any additional action is necessary or whether an additional investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel. 41 / 65 41. A holistic approach to deterrence & prevention of fraud would be: Strengthening of Governance and Management framework Focussing on integrity of new recruits Establishing severe punishment for fraud Compensating employees adequately to minimize temptation Question explanation : A. A holistic approach to deterrence and prevention of fraud would require strengthening of governance and management framework. The answers in options B to D address the issue in bits and pieces and, hence, are not the right answers. Answer at Option A alone is correct. 42 / 65 42. As a measure of IT General controls, an organization decides to separate those who can input data from those that can reconcile or approve data. Is this a good move? Why? Yes, it is a good move; it can help prevent unauthorised data entry. No, it is not a good move; the person who inputs the data is the best person to approve the data too. Yes, it is a good move; inputting data & reconciling data requires different skills. No, it is not a good move; data entry errors would be compounded. Question explanation: A. Segregation of duties is an important control tool whereby, conflicting roles in particular, are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with the second. 
Also, since the output of one individual may become the input for another, an independent accuracy check of one person’s work by another person becomes a built-in reality. Hence, the answer in Option A is correct. 43 / 65 43. Which of the following refers to imaging of original media in presence of an independent third party? Identify Preserve Analyze Present Question explanation: B. Preserve refers to practice of retrieving identified information and preserving it as evidence. This practice generally includes the imaging of original media in presence of an independent third party. 44 / 65 44. The FIRST step in managing the risk of a cyber-attack is to: Assess the vulnerability impact. Evaluate the likelihood of threats. Identify critical information assets. Estimate potential damage. Question explanation: C. The first step in managing risk is the identification and classification of critical information resources (assets). Once the assets have been identified, the process moves onto the identification of threats, vulnerabilities and calculation of potential damages. 45 / 65 45. Neural networks are effective in detecting fraud, because they can: Discover new trends since they are inherently linear. Solve problems where large and general sets of training data are not obtainable. Attack problems that require consideration of a large number of input variables. Make assumptions about shape of any curve relating variables of output Question explanation: C. Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, and they will not discover new trends. Neural networks are inherently nonlinear and make no assumption about the shape of any curve relating variables to the output. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable. 46 / 65 46. 
Which of the following situations would increase the likelihood of fraud? Application programmers are implementing changes to production programs. Application programmers are implementing changes to test programs. Operations support staff are implementing changes to batch schedules. Database administrators are implementing changes to data structures. Question explanation: A. Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of controls in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data. Database administrators are required to implement changes to database structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database. 47 / 65 47. An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written the password, inside his/her desk drawer. The IS auditor should conclude that the: Manager’s assistant perpetrated the fraud. Perpetrator cannot be established beyond doubt. Fraud must have been perpetrated by the manager. System administrator perpetrated the fraud. Question explanation: B. The password control weaknesses mean that any of the other three options could be true. Password security would normally identify the perpetrator. In this case, it does not establish guilt beyond doubt. 48 / 65 48. Which of the following is LEAST likely to be included in a review to assess the risk of fraud in application systems? 
Volume of transactions Likelihood of error Value of transactions Extent of existing controls Question explanation: B. An error is the least likely element to contribute to the potential for fraud. Answer A and C are incorrect since volume and value of transactions give an indication of the maximum potential loss through fraud. Answer D is incorrect since gross risk less existing controls give net risk. 49 / 65 49. Which of the following factors should not be considered in establishing the priority of audits included in an annual audit plan? Prior audit findings The time period since the last audit Auditee procedural changes Use of audit software Question explanation: D. Use of audit software merely refers to a technique that can be used in performing an audit. It has no relevance to the development of the annual audit plan. 50 / 65 50. Which are the business activities which are strong contenders for conversion to ecommerce? Those that are paper-based, time consuming & inconvenient for customers Those relating to software development Those relating to the ‘electronic’ aspects of commerce Those that are not paper-based, speedy & convenient for customers. Question explanation: Correct answer is A. Maximum mileage can be gained from e-commerce by converting those business activities which are paper-based, time consuming & inconvenient for customers as indicated in Option A. This will help us reduce paperwork, accelerate delivery & make it convenient for customers to operate from the comfort of their homes as also at any other place of their convenience. Hence, the other options are wrong. 51 / 65 51. In an inter school competition on Artificial Intelligence, four children develop software which performs the following different functions respectively. Which of them is a correct example of the use of basic Artificial Intelligence? 
Predictive & self-learning word-processing software
A calculation software which arrives at the arithmetic total of figures keyed in
A password system which allows access based upon keying in of the correct password
A software which rejects invalid dates like 32nd March 2019.
Question explanation: Correct answer is A. The word-processing software pops up suggested words based upon the first few words keyed in by the user. Also, when the user keys in a new word which is not available in its repertoire, it adds it to its collection & reflects it as an option the next time similar letters are initiated. In effect, the software is able to observe & record patterns and improves through ‘learning’. The other answers in Options B to D involve the basic computing functions of a computer which are based on a ‘go / no-go’ logic which does not involve pattern recognition or further learning. Hence, the correct answer is only as in Option A which displays characteristics of artificial intelligence.

52. Neural Networks and Fuzzy Logic are classified under which category of Artificial intelligence?
Cognitive Science
Robotics
Natural Sciences
Virtual Reality
Question explanation: Correct answer is A. Cognitive Science. This is an area based on research in disciplines such as biology, neurology, psychology, mathematics and allied disciplines. It focuses on how the human brain works and how humans think and learn. Applications of AI in cognitive science are Expert Systems, Learning Systems, Neural Networks, Intelligent Agents and Fuzzy Logic. B, C and D are incorrect. B. Robotics: This technology produces robot machines with computer intelligence and human-like physical capabilities. This area includes applications that give robots visual perception, capabilities to feel by touch, dexterity and locomotion. C. Natural Languages: Being able to 'converse' with computers in human languages is the goal of research in this area.
Interactive voice response and natural programming languages, closer to human conversation, are some of the applications. D. Virtual reality is another important application that can be classified under natural interfaces.

53. As part of auditing Information Security of a multinational bank, an auditor wants to assess the security of information in ATM facilities. Under which privacy policy should he look for details pertaining to security guards and CCTV surveillance of ATMs?
Physical Access and Security Policy
Acceptable use of Information Assets Policy
Asset Management Policy
Business Continuity Management Policy
Question explanation: Correct answer is A. Physical security describes security measures that are designed to restrict unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physical security involves the use of multiple layers of interdependent systems which include CCTV surveillance, security guards, biometric access, RFID cards, access cards, protective barriers, locks, access control protocols, and many other techniques. B is incorrect – An acceptable use policy (AUP), also known as an Acceptable Usage policy or Fair Use policy, is a set of rules applied by the owner or manager of a network, website or large computer system that restrict the ways in which the network, website or system may be used. C is incorrect – This policy defines the requirements for the protection of Information Assets. It includes assets like servers, desktops, handhelds, software, network devices etc. Besides, it covers all assets used by an organization, owned or leased. D is incorrect – This policy defines the requirements to ensure continuity of business-critical operations. It is designed to minimize the impact of an unforeseen event (or disaster) and to facilitate return of business to normal levels.

54. An employee has left the company.
The first thing to do is to:
Hire a replacement employee.
Disable his/her access rights.
Ask the employee to clear all dues/advances.
Escort employee out of company premises
Question explanation: Correct answer is B. The first thing to do as soon as an employee leaves the company is to disable his/her access rights in the system. This needs to be done to prevent frauds being committed. Other answers may be valid but are not the first thing to do.

55. The cashier of a company has rights to create bank master in TALLY. This error is a reflection of poor definition for which type of control:
User Controls
Application Control
Input Control
Output Control
Question explanation: Correct answer is A. User controls are not properly defined. User controls need to be defined based on NEED TO DO and NEED TO DO basis. The above is a reflection of a greater problem of improper assessment of user profiles created in the system.

56. A retail company recently installed data warehousing client software in multiple, geographically diverse sites. Due to time zone differences between the sites, updates to the warehouse are not synchronized. This will affect which of the following most?
Data availability
Data completeness
Data redundancy
Data accuracy
Question explanation: Correct answer is B. One of the major bottlenecks in a data warehouse is time synchronisation, as the data of different time zones is merged in the data warehouse. It ultimately results in incomplete data for decision making purposes.

57. Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?
Integrated test facility (ITF)
Continuous and intermittent simulation (CIS)
Audit hooks
Snapshots
Question explanation: Correct answer is D. Snapshot is the right answer as in this technique, IS auditor can create evidence through IMAGE capturing. A snapshot tool is most useful when an audit trail is required.
ITF can be used to incorporate test transactions into a normal production run of a system. CIS is useful when transactions meeting certain criteria need to be examined. Audit hooks are useful when only select transactions or processes need to be examined.

58. Which of the following is a characteristic of a decision support system (DSS)?
DSS is aimed at solving highly structured problems.
DSS combines the use of models with non-traditional data access and retrieval functions.
DSS emphasizes flexibility in decision making approach of users.
DSS supports only structured decision-making tasks.
Question explanation: Correct answer is B. It goes with the purpose and definition of decision support system.

59. Which of the following business purposes can be met by implementing Data warehouse in an organisation?
Business continuity can be ensured in case of disaster.
Data in the data warehouse can work as a backup.
The data in the warehouse can be used for meeting regulatory requirements.
Business decisions can be taken and future policies can be framed based on actual transactional data.
Question explanation: Correct answer is D. Purpose of Data warehouse is to take business decisions and frame future policies based on the analysis of transactional data. It cannot act as an alternative to backup. Purpose of the data warehouse is not for business continuity nor is it for regulatory requirements.

60. While posting a message on FACEBOOK, if the user posts the same message again, FACEBOOK gives a warning. The warning indicates which control?
Limit Check
Dependency Check
Range Check
Duplicate Check
Question explanation: D is the answer as this is a duplicate check.

61. A company’s billing system does not allow billing to those dealers who have not paid advance amount against proforma invoice. This check is best called:
Limit Check
Dependency Check
Range Check
Duplicate Check
Question explanation: B.
Dependency check is one where value of one field is related to that of another.

62. A central antivirus system determines whether each personal computer has the latest signature files and installs the latest signature file before allowing a PC to connect to the network. This is an example of a:
Directive control
Corrective Control
Compensating Control
Detective Control
Question explanation: B is the correct answer. After detecting the deficiency, it is correcting the situation; hence it is a corrective control.

63. RBI instructed banks to stop cash retraction in all ATMs across India from April 1, 2013. This was the result of a few ATM frauds detected. This action by RBI can be best classified as:
Creation
Rectification
Repair
None of above
Question explanation: B is the right answer. A is not an answer as the action by RBI is based on fraud detection. Repair is done to rectify an error which has occurred in a working system.

64. An IS Auditor is performing a post implementation review of an organisation’s system and identified output errors within an accounting application. The IS Auditor determined that this was caused by input errors. Which of the following controls should the IS Auditor recommend to management?
Recalculations
Limit Checks
Run-to-run total
Reconciliation
Question explanation: D is correct. For finding the anomaly between input and output, reconciliation is the best option. Re-calculation and run-to-run total will provide the same result as earlier and limit check is a data validation control.

65. An IS Auditor processes a dummy transaction to check whether the system is allowing cash payments in excess of Rs.20,000/-. This check by the auditor represents which of the following evidence collection techniques?
Inquiry and confirmation
Re-calculation
Inspection
Re-performance
Question explanation: D is the correct answer. The IS Auditor may process test data on application controls to see how it responds.