2010 CISA Exam Key Points Summary

C1

1. CSA (control self-assessment)
   - The success of control self-assessment (CSA) highly depends on:
     A. having line managers assume a portion of the responsibility for control monitoring.
     B. assigning staff managers the responsibility for building, but not monitoring, controls.
     C. the implementation of a stringent control policy and rule-driven controls.
     D. the implementation of supervision and the monitoring of controls of assigned duties.
     Explanation: The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a control self-assessment (CSA) program depends on the degree to which line managers assume responsibility for controls. Choices B, C and D are characteristics of a traditional audit approach, not a CSA approach.
   - When CSA programs are established, IS auditors become internal control professionals and assessment facilitators. IS auditors are the facilitators and the client (management and staff) is the participant in the CSA process. During a CSA workshop, instead of the IS auditor performing detailed audit procedures, they should lead and guide the clients in assessing their environment. Manager, partner and stakeholder should not be roles of the IS auditor. These roles are more appropriate for the client.
   - The objectives of CSA programs include education for line management in control responsibility and monitoring, and concentration by all on areas of high risk. The objectives of CSA programs include the enhancement of audit responsibilities, not the replacement of audit responsibilities.

2. Data flow diagram: no hierarchy, no generation.
   - Data flow diagrams are used by IS auditors to:
     A. order data hierarchically.
     B. highlight high-level data definitions.
     C. graphically summarize data paths and storage.
     D. portray step-by-step details of data generation.
     Explanation: Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

3. Audit charter
   - Must be approved by the highest level of management (approval by the audit committee is also better).
   - Typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and delegation of authority to the audit department. It is rarely changed and does not contain the audit plan or audit process, which is usually part of annual audit planning, nor does it describe a code of professional conduct, since such conduct is set by the profession and not by management.

4. The auditor is responsible to senior management and the audit committee.

5. Substantive test
   - Determines the integrity of the actual processing, which provides evidence of the validity of the final outcome.
   - Examples: recalculation, confirmation, verification of outcomes from other information sources or observation, variable sampling.
   - Which of the following is a substantive test?
     A. Checking a list of exception reports
     B. Ensuring approval for parameter changes
     C. Using a statistical sample to inventory the tape library
     D. Reviewing password history reports
     Explanation: A substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of exception reports, reviewing authorization for changing parameters and reviewing password history reports are all compliance tests.

6. Compliance test: determines if controls are being applied in a manner that is consistent with management policies and procedures.
   - Attribute sampling:
     - The primary sampling method used for compliance testing, to confirm whether the quality exists.
     - Used to estimate the rate of occurrence of a specific quality (attribute) in a population.

7. Attribute sampling refers to 3 different types:
   - Attribute sampling (fixed sample-size attribute sampling / frequency-estimating sampling):
     - Estimates the rate of occurrence of a specific quality in a population.
     - Example: approval signature on a computer access request form.
   - Stop-or-go sampling:
     - May be stopped once it is already foreseeable that the same occurrence rate will be found.
     - Allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
   - Discovery sampling:
     - Used when the expected occurrence rate is extremely low.
     - Often used to detect fraud.

8. Variable sampling:
   - Dollar or mean estimation sampling (estimates the monetary value or another unit of measure, such as weight).
   - Stratified/unstratified mean per unit.
   - Difference estimation.
   - Estimates the average or the total value of a population based on a sample.
   - A statistical model used to project a quantitative characteristic, such as a monetary amount.

9. ITF (integrated test facility):
   - Uses the same programs to compare processing using independently calculated data.
   - An integrated test facility creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.

10. Statistical sampling:
   - An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling when:
     A. the probability of error must be objectively quantified.
     B. the auditor wishes to avoid sampling risk.
     C. generalized audit software is unavailable.
     D. the tolerable error rate cannot be determined.
     Explanation: Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Choice B is incorrect because sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples. Choice C is incorrect because statistical sampling does not require the use of generalized audit software. Choice D is incorrect because the tolerable error rate must be predetermined for both judgment and statistical sampling.

11. Generalized audit software: features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. The IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll and, thereby, determine if there were overpayments and to whom they were made. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period.

12. Risk-based audit approach
   - Process:
     - Gather information about the business and industry to evaluate the inherent risks.
     - Complete an assessment of the internal control structure.
     - Test the internal controls.
     - Based on the test results, substantive tests are carried out and assessed.
   - An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work.
   - The IS auditor is not only relying on risk, but on internal and operational controls as well as knowledge of the company and the business.
   - It is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.
   - It is important for an IS auditor to identify and evaluate the existing controls and security once the potential threats and possible impacts are identified. Upon completion of an audit an IS auditor should describe and discuss with management the threats and potential impacts on the assets.

13. Detection risk:
   - Directly affected by the auditor's selection of audit procedures and techniques.
   - The IS auditor uses an inadequate test procedure and concludes that material errors do not exist, when in fact they do.

14. Control risk: a material error exists which will not be prevented or detected on a timely basis by the system of internal controls.

15. Forensic software: the primary objective is to preserve electronic evidence to meet the rules of evidence. Time and cost savings and efficiency and effectiveness are legitimate concerns and differentiate good from poor forensic software packages. The ability to search for intellectual property rights violations is an example of a use of forensic software.

16. Audit hook: the audit hook technique involves embedding code in application systems for the examination of selected transactions. This helps the IS auditor to act before an error or an irregularity gets out of hand.

17. Embedded audit module: involves embedding specially written software in the organization's host application system so that application systems are monitored on a selective basis.

18. An integrated test facility is used when it is not practical to use test data, and snapshots are used when an audit trail is required.

19. Network operating system user features:
   - Online availability of network documentation.
   - User access to various resources of network hosts.
   - User authorization to access particular resources.
   - Use of the network and host computers without special user actions or commands.

20. Network operating system functions:
   - Support of terminal access to remote hosts.
   - Handling file transfer between hosts and inter-user communications.
   - Performance management, audit and control.

21. Which of the following would be the BEST population to take a sample from when testing program changes?
   A. Test library listings
   B. Source program listings
   C. Program change requests
   D. Production library listings
   Explanation: The best source from which to draw any sample or test of system information is the automated system. The production libraries represent executables that are approved and authorized to process organizational data. Source program listings would be time intensive. Program change requests are the documents used to initiate change; there is no guarantee that the request has been completed for all changes. Test library listings do not represent the approved and authorized executables.

22. Continuous audit approach
   - Requires an IS auditor to collect evidence on system reliability while processing is taking place.
   - Can improve system security when used in time-sharing environments that process a large number of transactions.
   - Depends on the complexity of an organization's computer systems.

23. Snapshots
   - Audit trail.
   - A method of using special programming options to permit the printout of the path through a computer program taken to process a specific transaction.
   - A procedure for tagging and extending transactions and master records that are used by an IS auditor for tests.

24. Audit trail:
   - Primary: establishing the accountability and responsibility of processed transactions by tracing transactions through the system.
   - Secondary: provide useful information to auditors who may wish to track.

25. System control audit review file: the utilization of hardware and/or software to review and test the functioning of a computer system.

26. The primary reason for conducting IS audits is to determine whether a system safeguards assets and maintains data integrity.

27. Why have e-mail systems become a useful source of evidence for litigation? Multiple cycles of backup files remain available. Backup files containing documents that supposedly have been deleted could be recovered from these files. Access controls may help establish accountability for the issuance of a particular document, but this does not provide evidence of the e-mail.

28. An IS auditor performing a review of an application's controls would evaluate the:
   A. efficiency of the application in meeting the business processes.
   B. impact of any exposures discovered.
   C. business processes served by the application.
   D. application's optimization.
   Explanation: An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses. The other choices may be objectives of an application audit but are not part of an audit restricted to a review of controls.

29. Domain integrity testing is aimed at verifying that the data conform to definitions, i.e., the data items are all in the correct domains. The major objective of this exercise is to verify that the edit and validation routines are working satisfactorily.

30. Relational integrity tests are performed at the record level and usually involve calculating and verifying various calculated fields, such as control totals.

31. Referential integrity tests involve ensuring that all references to a primary key from another file actually exist in their original file (PK/FK).

32. Parity check: a bit added to each character prior to transmission. The parity bit is a function of the bits making up the character. The recipient performs the same function on the received character and compares the result to the transmitted parity bit. If it is different, an error is assumed.

C2

1. IS auditor
   - Primary responsibility is to assure that the company's assets are being safeguarded.
   - Is best positioned to provide leading-practice recommendations to senior management to help improve the quality and effectiveness of IT governance.
   - Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.

2. IT security policy
   - Aligned with business strategy.
   - Extends/sustains the organization's strategy and objectives (or is derived from them).
   - Assimilation of the framework and intent of a written security policy by all appropriate parties is critical to the successful implementation and maintenance of the security policy. Management support and commitment is no doubt important, but for successful implementation and maintenance of the security policy, educating the users on the importance of security is paramount.
   - Top-down approach: begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments. Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies.
   - Bottom-up approach: ensures that the policies will not be in conflict with overall corporate policy and ensures consistency across the organization.
   - Accountability for the corporate security policy cannot be transferred to external parties.
   - Responsibility:
     - Top management or the board of directors: the design of an information systems security policy.
     - The IS department: the execution of the policy, having no authority in framing the policy.
     - The security committee: also functions within the broad security policy framed by the board of directors.
     - The security administrator: implementing, monitoring and enforcing the security rules that management has established and authorized.

3. Best practice for information security governance provides 4 basic outcomes:
   - Strategic alignment: security requirements driven by enterprise requirements.
   - Value delivery: provides a standard set of security practices, such as baseline security following best practices or institutionalized and commoditized solutions.
   - Risk management: provides an understanding of risk exposure.
   - Performance measurement: the objective is to optimize performance, measure and manage products/services, assure accountability, and make budget decisions.

4. IT governance is primarily the responsibility of the board of directors / the executives and shareholders. The chief executive officer is instrumental in implementing IT governance per the directions of the board of directors.

5. IS steering committee
   - Keeps detailed steering committee minutes to document the decisions and activities of the IS steering committee, and the board of directors should be informed about those decisions on a timely basis.
   - Monitors and facilitates deployment of IT resources for specific projects in support of business plans.
   - Serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, the status of IS plans and budgets.

6. IS management
   - Monitoring vendor-controlled change control and testing.
   - Ensuring a separation of duties within the information processing environment (responsibility).

7. Security administrator
   - Responsibility: ensure that IS security policies and procedures have been executed properly.

8. IT balanced scorecard
   - Financial evaluation (traditional)
   - Customer satisfaction
   - Internal (operational) process
   - Ability to innovate / innovation capability
   - A definition of key performance indicators is required before implementing an IT balanced scorecard.

9. Involvement of senior management is MOST important in the development of:
   A. strategic plans.
   B. IS policies.
   C. IS procedures.
   D. standards and guidelines.
   Explanation: Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. IS policies, procedures, standards and guidelines are all structured to support the overall strategic plan.

10. Required vacations/holidays of a week or more duration, in which someone other than the regular employee performs the job function, are often mandatory for sensitive positions. This reduces the opportunity to com
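The three data integrity tests in C1 items 29 to 31 (domain, relational, referential), worked as an added example that is not part of the original notes. It assumes a constructed two-file data set (customers and orders) loaded into an in-memory SQLite database; the planted exceptions are invented for illustration.

```python
import sqlite3

# Constructed sample data (not from the CISA notes): an orders file that
# references a customers file, with one orphan FK, one out-of-domain
# status value and one wrong calculated field planted for the tests to catch.
CUSTOMERS = [(1, "Alice"), (2, "Bob")]
ORDERS = [
    # order_id, customer_id, status, qty, unit_price, line_total
    (100, 1, "SHIPPED", 2, 10.00, 20.00),
    (101, 2, "OPEN",    1, 15.00, 15.00),
    (102, 3, "SHIPPED", 1, 12.00, 12.00),   # customer 3 does not exist (referential)
    (103, 1, "LOST",    1,  9.00,  9.00),   # status outside the defined domain
    (104, 2, "OPEN",    3,  5.00, 20.00),   # line_total != qty * unit_price (relational)
]
VALID_STATUS = {"OPEN", "SHIPPED", "CLOSED"}   # the data definition for status

def load() -> sqlite3.Connection:
    """Build an in-memory copy of the two files under test."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("CREATE TABLE orders(order_id INTEGER PRIMARY KEY, customer_id INTEGER,"
                " status TEXT, qty INTEGER, unit_price REAL, line_total REAL)")
    con.executemany("INSERT INTO customers VALUES (?,?)", CUSTOMERS)
    con.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?)", ORDERS)
    return con

def domain_exceptions(con) -> list[int]:
    """Domain integrity: every status must be one of the defined values."""
    marks = ",".join("?" * len(VALID_STATUS))
    rows = con.execute(f"SELECT order_id FROM orders WHERE status NOT IN ({marks})",
                       tuple(VALID_STATUS))
    return [r[0] for r in rows]

def relational_exceptions(con) -> list[int]:
    """Relational integrity: recompute the calculated field on each record."""
    rows = con.execute("SELECT order_id FROM orders "
                       "WHERE abs(line_total - qty * unit_price) > 0.005")
    return [r[0] for r in rows]

def referential_exceptions(con) -> list[int]:
    """Referential integrity: every FK must resolve to an existing PK."""
    rows = con.execute("SELECT o.order_id FROM orders o "
                       "LEFT JOIN customers c ON c.id = o.customer_id "
                       "WHERE c.id IS NULL")
    return [r[0] for r in rows]

def control_total(con) -> float:
    """Recomputed control total, to be agreed to the total the file reports."""
    return round(con.execute("SELECT SUM(qty * unit_price) FROM orders").fetchone()[0], 2)

if __name__ == "__main__":
    db = load()
    print("domain:", domain_exceptions(db))            # [103]
    print("relational:", relational_exceptions(db))    # [104]
    print("referential:", referential_exceptions(db))  # [102]
    print("control total:", control_total(db))         # 71.0
```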
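The parity check in C1 item 32, as an added example (not from the original notes): even parity over a 7-bit character, with the receiver-side comparison and a constructed transmission error. It also shows the caveat the notes do not state, that an even number of flipped bits leaves the parity unchanged and goes undetected.

```python
def parity_bit(char7: int) -> int:
    """Even parity: the bit that makes the total count of 1 bits even."""
    return bin(char7 & 0x7F).count("1") % 2

def encode(char7: int) -> int:
    """Sender: append the parity bit as bit 7 of a 7-bit character."""
    return (char7 & 0x7F) | (parity_bit(char7) << 7)

def check(received: int) -> bool:
    """Receiver: recompute parity over bits 0-6 and compare with bit 7."""
    return parity_bit(received) == (received >> 7) & 1

def flip(byte: int, *bits: int) -> int:
    """Constructed transmission error: invert the given bit positions."""
    for b in bits:
        byte ^= 1 << b
    return byte

if __name__ == "__main__":
    sent = encode(ord("A"))          # 0x41 has two 1 bits, so parity 0
    print(check(sent))               # True: clean transmission
    print(check(flip(sent, 3)))      # False: single-bit error detected
    print(check(flip(sent, 3, 5)))   # True: two flipped bits cancel, not detected
```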