This document outlines the program for Domain 1 of the CISA review course offered by the Suriname College of Accountancy. Domain 1 covers "The Process of Auditing Information Systems" and will be delivered over 8 days. The program details the daily topics to be covered, including the ISACA standards and guidelines for IS auditing, audit planning, risk analysis, internal controls, performing IS audits, and using audit techniques like continuous auditing. Successful completion of all 5 domains and the exam will provide candidates with the CISA certification.
CISA Domain 1 - IS Auditing (day 1)
1. Suriname College of Accountancy
CISA DOMAIN 1:
THE PROCESS OF AUDITING INFORMATION SYSTEMS
1
Cyril Soeri MA RA CISA CIS LI
Gregory Tai-Apin CISA CIS LI COBIT Foundation
Day 1
2. Suriname College of Accountancy
CISA Program
2
The CISA program consists of the following five domains:
1. The Process of Auditing Information Systems (3 – 26 Feb 2015);
2. Governance and Management of IT (17 March – 9 Apr 2015);
3. Information Systems Acquisition, Development and Implementation
(28 Apr – 21 May 2015);
4. Information Systems Operations, Maintenance and Support
(11 Jun – 2 Jul 2015);
5. Protection of Information Systems (21 Jul – 13 Aug 2015).
September 2015: expected early registration date for CISA exam
Exam training sessions: 5 Oct – 9 Oct (daily sessions)
CISA Exam in December 2015
3. Suriname College of Accountancy
Program of Domain 1 (1a)
3
DAY 1 The Process of Auditing Information Systems
The universe of an IT auditor
The ISACA route
Management of the IS Audit Function
Organization of the IS audit function
Audit Planning
4. Suriname College of Accountancy
Program of Domain 1 (1b)
4
DAY 1 (Cont’d): The Process of Auditing Information Systems
ISACA IT audit and Assurance Standards and Guidelines
ISACA Code of Professional Ethics
ISACA IT Audit and Assurance Standards Framework
Auditing Standards
ISACA IT Audit and Assurance Guidelines
ISACA IT Audit and Assurance Tools and Techniques
Information Technology Assurance Framework (ITAF)
5. Suriname College of Accountancy
Program of Domain 1 (2)
5
DAY 2 The Process of Auditing Information Systems (cont’d)
Risk Analysis
Internal Controls
Internal Control Objectives
IS Control Objectives
COBIT
General Controls
IS Controls
6. Suriname College of Accountancy
Program of Domain 1 (3)
6
DAY 3 The Process of Auditing Information Systems (cont’d)
Performing an IS Audit (1):
Classification of Audits
Audit Programs
Audit Methodology
Fraud Detection
7. Suriname College of Accountancy
Program of Domain 1 (4)
7
Day 4 The Process of Auditing Information Systems (cont’d)
Performing an IS Audit (2):
Risk-based Auditing
Audit Risk and Materiality
Assessing & Treating Risks
Risk Assessment Techniques
8. Suriname College of Accountancy
Program of Domain 1 (5)
8
Day 5 The Process of Auditing Information Systems (cont’d)
Performing an IS Audit (3):
Audit Objectives
Compliance versus Substantive Testing
Audit Evidence
Interviewing and Observing Personnel in Performance of their Duties
Sampling
9. Suriname College of Accountancy
Program of Domain 1 (6)
9
DAY 7 The Process of Auditing Information Systems (cont’d)
Performing an IS Audit (5):
Using Services of Other Auditors and Experts
Computer-Assisted Audit Techniques
Evaluation of Strengths and Weaknesses
Communicating Audit Results
Management Implementation of Recommendations
Audit Documentation
10. Suriname College of Accountancy
Program of Domain 1 (7)
10
DAY 8 The Process of Auditing Information Systems (cont’d)
Control Self-assessment (CSA)
Objectives
Benefits
Disadvantages
Auditor Role in CSA
Technology drivers for CSA
Traditional vs. CSA approach
11. Suriname College of Accountancy
Program of Domain 1 (8)
11
DAY 8 The Process of Auditing Information Systems (cont’d)
The evolving IS Audit Process
Integrated audit
Continuous auditing
Exam training
CISA’s road ahead
Closing session
12. Suriname College of Accountancy
OVERVIEW
CISA Domain 1: The process of IS Auditing
12
13. Suriname College of Accountancy
Learning objectives
13
There are five tasks within the domain covering the process of auditing information
systems:
1. Develop and implement a risk-based IT audit strategy in compliance with IT
audit standards to ensure that key areas are included.
2. Plan specific audits to determine whether information systems are protected,
controlled and provide value to the organization.
3. Conduct audits in accordance with IT audit standards to achieve planned audit
objectives.
4. Report audit findings and make recommendations to key stakeholders to
communicate results and effect change when necessary.
5. Conduct follow-ups or prepare status reports to ensure that appropriate actions
have been taken by management in a timely manner.
14. Suriname College of Accountancy
MANAGEMENT OF THE IS AUDIT FUNCTION
CISA Domain 1: The process of IS Auditing
14
15. Suriname College of Accountancy
Organization of the IS Audit function
15
Internal IS Audit services:
Audit charter approved by senior management;
External IS Audit services:
Formal contract or statement of work
16. Suriname College of Accountancy
Exam training
16
A1-15 (Q) Audit charter
An audit charter should:
A. be dynamic and change often to coincide with the changing nature
of technology and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to
the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned
audit objectives.
D. outline the overall authority, scope and responsibilities of the audit
function.
17. Suriname College of Accountancy
Exam training
17
A1-15 (A)
D is the correct answer.
Justification:
A. The audit charter should not be subject to changes in technology and should not
significantly change over time. The charter should be approved at the highest level of
management.
B. An audit charter will state the authority and reporting requirements for the audit, but
not the details of maintenance of internal controls.
C. An audit charter would not be at a detailed level and, therefore, would not include
specific audit objectives or procedures.
D. An audit charter should state management's objectives for and delegation of
authority to IS auditors.
18. Suriname College of Accountancy
Exam training
18
A1-72 (Q) IS audit charter
An organization's IS audit charter should specify the:
A. short- and long-term plans for IS audit engagements.
B. objectives and scope of IS audit engagements.
C. detailed training plan for the IS audit staff.
D. role of the IS audit function.
19. Suriname College of Accountancy
Exam training
19
A1-72 (A)
D is the correct answer.
Justification:
A. Short-term and long-term planning is the responsibility of audit
management.
B. The objectives and scope of each IS audit should be agreed on in an
engagement letter. The charter would specify the objectives and scope of
the audit function but not of individual engagements.
C. A training plan, based on the audit plan, should be developed by audit
management.
D. An IS audit charter establishes the role of the information systems
audit function. The charter should describe the overall authority, scope
and responsibilities of the audit function. It should be approved by the
highest level of management and, if available, by the audit committee.
20. Suriname College of Accountancy
IS Audit Resource Management
20
Professional competence through continuing
professional education (CPE);
Necessary IT resources to properly perform IS
audits of a highly specialized nature (e.g., tools,
methodology, work programs).
21. Suriname College of Accountancy
Audit planning (1)
21
Annual planning:
Short term – audit issues to be covered;
Long term – changes in IT strategic direction;
Individual Audit assignments – considerations:
the results of periodic risk assessments,
changes in the application of technology,
evolving privacy issues and regulatory requirements,
system implementation/upgrade deadlines,
current and future technologies,
requirements from business process owners,
IS resource limitations.
22. Suriname College of Accountancy
Audit planning (2)
22
To perform audit planning, the IS auditor should perform the following steps:
1. Gain an understanding of the business's mission, objectives, purpose and
processes, which include information and processing requirements such
as availability, integrity, security and business technology, and
information confidentiality.
2. Identify stated contents such as policies, standards and required
guidelines, procedures and organization structure.
3. Perform a risk analysis to help in designing the audit plan.
4. Set the audit scope and audit objectives.
5. Develop the audit approach or audit strategy.
6. Assign personnel resources to the audit.
7. Address engagement logistics.
23. Suriname College of Accountancy
Effect of laws and regulation on IS Audit planning (1)
23
IS legal regulations typically cover:
Establishment of the regulatory requirements
Organization of the regulatory requirements
Responsibilities assigned to the corresponding entities
Correlation to financial, operational and IT audit functions
There are two major areas of concern:
legal requirements placed on audit or IS audit;
legal requirements placed on the auditee and its systems, data
management, reporting, etc.
24. Suriname College of Accountancy
Effect of laws and regulation on IS Audit planning (2)
24
The following are steps an IS auditor would perform to determine an
organization's level of compliance with external requirements (to be
continued):
Identify those government or other relevant external requirements
dealing with:
Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
Computer system practices and controls
The manner in which computers, programs and data are stored
The organization or the activities of information technology services
IS audits
25. Suriname College of Accountancy
Effect of laws and regulation on IS Audit planning (3)
25
Steps to determine an organization's level of compliance (cont’d):
Document applicable laws and regulations;
Assess whether the management of the organization and the IS function have
considered the relevant external requirements in making plans and in setting
policies, standards and procedures, as well as business application features;
Review internal IS department/function/activity documents that address
adherence to laws applicable to the industry;
Determine adherence to established procedures that address these requirements;
Determine if there are procedures in place to ensure contracts or agreements with
external IT services providers reflect any legal requirements related to
responsibilities;
26. Suriname College of Accountancy
Exam training
26
A1-99 (Q) Planning
The effect of which of the following should have priority in
planning the scope and objectives of an IS audit:
A. Applicable statutory requirements
B. Applicable corporate standards
C. Applicable industry best practices
D. Organizational policies and procedures
27. Suriname College of Accountancy
Exam training
27
A1-99 (A)
A is the correct answer.
Justification:
A. The effect of applicable statutory requirements must be factored in while
planning an IS audit; the IS auditor has no options in this respect because there
can be no limitation of scope in respect to statutory requirements.
B. Statutory requirements always take priority over corporate standards.
C. Industry best practices help plan an audit; however, best practices are not
mandatory and can be deviated from to meet organization objectives.
D. Organizational policies and procedures are important, but statutory requirements
always take priority. Organizational policies must be in alignment with statutory
requirements.
28. Suriname College of Accountancy
Exam training
28
A1-101 (Q) Planning
An IS auditor is planning to evaluate the control design effectiveness
related to an automated billing process. Which of the following is the
MOST effective approach for the auditor to adopt?
A. Process narrative
B. Inquiry
C. Reperformance
D. Walk-through
29. Suriname College of Accountancy
Exam training
29
A1-101 (A)
D is the correct answer.
Justification:
A. Process narratives may not be current or complete and may not reflect the actual
process in operation.
B. Inquiry can be used to understand the controls in a process only if it is
accompanied by verification of evidence.
C. Reperformance is used to evaluate the operating effectiveness of the control
rather than the design of the control.
D. Walk-throughs involve a combination of inquiry and inspection of evidence
with respect to business process controls. This is the most effective basis for
evaluation of the design of the control as it actually exists.
30. Suriname College of Accountancy
Exam training
30
A1-3 (Q) Audit plan
An IS auditor is developing an audit plan for a repeat client. The IS auditor
reviews the prior-year audit plan and finds that the previous plan was
designed to review the company's network and email systems, which were
newly implemented last year, but the plan did not include reviewing the e-commerce
web server. The company IT manager indicates that this year the
organization prefers to focus the audit on a newly-implemented enterprise
resource planning (ERP) application. How should the IS auditor respond?
A. Audit the new ERP application as requested by the IT manager.
B. Audit the e-commerce server because it was not audited last year.
C. Determine the highest-risk systems and plan the audit based on the results.
D. Audit both the e-commerce server and the ERP application.
31. Suriname College of Accountancy
Exam training
31
A1-3 (A)
C is the correct answer.
Justification:
A. Auditing the new enterprise resource planning (ERP) application does not reflect a risk-based approach.
Although ERP systems typically contain sensitive data and may present risk of data loss or disclosure to the
organization, without a risk assessment, the decision to solely audit the ERP system is not a risk-based
decision.
B. Auditing the e-commerce server because it was not audited last year does not reflect a risk-based
approach. In addition, the IT manager may know about problems with the e-commerce server and may be
intentionally trying to steer the audit away from that vulnerable area. Although at first glance e-commerce
may seem to be the most risky area, an assessment must be conducted rather than relying on the judgment
of the IS auditor or IT manager.
C. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas
of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement
1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and
supporting methodology to develop the overall IS audit plan and determine priorities for the effective
allocation of IS audit resources."
D. The creation of the audit plan should be performed in cooperation with management and based on risk.
The IS auditor should not arbitrarily decide on what needs to be audited.
32. Suriname College of Accountancy
ISACA IT AUDIT AND ASSURANCE
STANDARDS AND GUIDELINES
CISA Domain 1: The process of IS Auditing
32
33. Suriname College of Accountancy
ISACA Code of Professional Ethics (1)
33
Members and ISACA certification holders shall (to be cont’d):
1. Support the implementation of, and encourage compliance
with appropriate standards, procedures and controls for
information systems.
2. Perform their duties with objectivity, due diligence and
professional care, in accordance with professional standards
and best practices.
3. Serve in the interest of stakeholders in a lawful and honest
manner, while maintaining high standards of conduct and
character, and not engage in acts discreditable to the
profession.
34. Suriname College of Accountancy
ISACA Code of Professional Ethics (2)
34
Members and ISACA certification holders shall (cont’d):
4. Maintain the privacy and confidentiality of information obtained in the
course of their duties unless disclosure is required by legal authority.
Such information shall not be used for personal benefit or released to
inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake
only those activities that they can reasonably expect to complete with
professional competence.
6. Inform appropriate parties of the results of work performed, revealing
all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their
understanding of IS security and control.
35. Suriname College of Accountancy
ISACA IT Audit and Assurance Standards Framework
35
The framework for the ISACA IT audit and assurance standards provides
for multiple levels as follows:
Standards define mandatory requirements for IT audit and assurance
and reporting.
Guidelines provide guidance in applying IT audit and assurance
standards. The IS auditor should consider them in determining how to
achieve implementation of the above standards, use professional
judgment in their application and be prepared to justify any difference.
Tools & Techniques: Procedures provide examples of processes an IS
auditor might follow in an audit engagement. The procedure documents
provide information on how to meet the standards when completing IS
auditing work, but do not set requirements.
37. Suriname College of Accountancy
ISACA IT Audit and Assurance Guidelines
37
G1 Using the Work of Other Auditors
G2 Audit Evidence Requirement
G3 Use of Computer-Assisted Audit Techniques (CAATs)
G4 Outsourcing of IS Activities to Other Organizations
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems
G7 Due Professional Care
G8 Audit Documentation
G9 Audit Considerations for Irregularities
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organizational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G14 Application Systems Review
G16 Effect of Third Parties on Organization's IT Controls
G17 Effect of Non-audit Role on IS Auditor's Independence
G18 IT Governance
G19 Irregularities and Illegal Acts
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems Review
G22 Business-to-consumer (B2C) E-commerce Review
G23 System Development Life Cycle (SDLC) Review
G24 Internet Banking
G25 Review of Virtual Private Networks
G26 Business Process Reengineering (BPR) Project Reviews
G27 Mobile Computing
G28 Computer Forensics
G29 Post-implementation Review
G30 Competence
G31 Privacy
G32 Business Continuity Plan Review From IT Perspective
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G36 Biometric Controls
G37 Configuration Management
G38 Access Control
G39 IT Organizations
G40 Review of Security Management Practices
G41 Return on Security Investment (ROSI)
G42 Continuous Assurance
38. Suriname College of Accountancy
ISACA IT Audit and Assurance Tools and Techniques
38
P1 IS Risk Assessment
P2 Digital Signatures
P3 Intrusion Detection
P4 Viruses and Other Malicious Code
P5 Control Risk Self-assessment
P6 Firewalls
P7 Irregularities and Illegal Acts
P8 Security Assessment—Penetration Testing and Vulnerability Analysis
P9 Evaluation of Management Controls Over Encryption Methodologies
P10 Business Application Change Control
P11 Electronic Funds Transfer (EFT)
39. Suriname College of Accountancy
Information Technology Assurance Framework (ITAF) (1)
39
General Standards—The guiding principles under which the IT assurance
profession operates.
Performance Standards—Deal with the conduct of the assignment.
Reporting Standards—Address the types of reports, means of
communication and the information communicated.
Guidelines—Provide the IT audit and assurance professional with
information and direction about an audit or assurance area.
Tools and Techniques—Provide specific information on various
methodologies, tools and templates.
40. Suriname College of Accountancy
Exam training
40
A1-37 (Q) Data flow diagrams
Data flow diagrams are used by IS auditors to:
A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.
41. Suriname College of Accountancy
Exam training
41
A1-37 (A)
C is the correct answer.
Justification:
A. Data flow diagrams do not order data in a hierarchy.
B. A data dictionary may be used to document data definitions, but the data flow
diagram is used to document how data move through a process.
C. Data flow diagrams are used as aids to graph or chart data flow and storage.
They trace data from their origination to destination, highlighting the paths and
storage of data.
D. The purpose of a data flow diagram is to track the movement of data through a
process and is not primarily to document or indicate how data are generated.
42. Suriname College of Accountancy
Exam training
42
A1-39 (Q) Organizational chart
An IS auditor reviews an organizational chart PRIMARILY for:
A. an understanding of workflows.
B. investigating various communication channels.
C. understanding the responsibilities and authority of
individuals.
D. investigating the network connected to different employees.
43. Suriname College of Accountancy
Exam training
43
A1-39 (A)
C is the correct answer.
Justification:
A. A workflow diagram would provide information about the roles of different
employees. This is not the purpose of an organizational chart.
B. The organizational chart is a key tool for an auditor to understand roles and
responsibilities and reporting lines, but is not used for examining communications
channels.
C. An organizational chart provides information about the responsibilities and
authority of individuals in the organization. This helps an IS auditor to know if
there is a proper segregation of functions.
D. A network diagram will provide information about the usage of various
communication channels and will indicate the connection of users to the network.
44. Suriname College of Accountancy
Exam training
44
A1-88 (Q) Independence
Which of the following responsibilities would MOST likely compromise
the independence of an IS auditor when reviewing the risk
management process?
A. Participating in the design of the risk management framework
B. Advising on different implementation techniques
C. Facilitating risk awareness training
D. Performing a due diligence review of the risk management
processes
45. Suriname College of Accountancy
Exam training
45
A1-88 (A)
A is the correct answer.
Justification:
A. Participating in the design of the risk management framework involves
designing controls, which will compromise the independence of the IS auditor to
audit the risk management process.
B. Advising on different implementation techniques will not compromise the IS
auditor's independence because the IS auditor will not be involved in the
decision-making process.
C. Facilitating awareness training will not hamper the IS auditor's independence
because the auditor will not be involved in the decision-making process.
D. Due diligence reviews are a type of audit generally related to mergers and
acquisitions.
46. Suriname College of Accountancy
CYRIL.SOERI@TAH.SR / GREGORY.TAI-APIN@BNETS.SR
MOB: 719 00 47 / 89 29 293
SURINAME COLLEGE OF ACCOUNTANCY
FLUSTRAAT 35
PARAMARIBO, SURINAME
TEL +597 - 531 330 / 531 350
FAX +597 - 531 340
WEBSITE: SURINAMECOLLEGEOFACCOUNTANCY.COM
46
Q&A