Which of the following is the main requirement in reporting the results of an IS audit? The report is

You are correct, the answer is B.

A. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations.

B. Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.

C. An integrated test facility would help identify a problem as it occurs, but would not detect errors for a previous period.

D. An embedded audit module can enable the IS auditor to evaluate a process and gather audit evidence, but it would not detect errors for a previous period.
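The recomputation and duplicate tests described for option B, as an added example that is not part of the original question set: the payroll rows, the overtime rule and the thresholds are constructed sample data, but the tests (recompute every row from its inputs, compare with what was paid, flag employees paid twice in a period) are the ones an IS auditor would script in generalized audit software.

```python
# Added example: recomputation and duplicate tests over a payroll register,
# in the style of generalized audit software. All data below is constructed.
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

# Constructed payroll register: one row per employee per pay period.
# gross_paid is what the system actually paid; hours and rate are the inputs.
PAYROLL = [
    {"emp": "E001", "period": "2023-07", "hours": Decimal("160"), "rate": Decimal("25.00"), "gross_paid": Decimal("4000.00")},
    {"emp": "E002", "period": "2023-07", "hours": Decimal("152"), "rate": Decimal("30.00"), "gross_paid": Decimal("4860.00")},  # overpaid
    {"emp": "E003", "period": "2023-07", "hours": Decimal("170"), "rate": Decimal("20.00"), "gross_paid": Decimal("3500.00")},
    {"emp": "E003", "period": "2023-07", "hours": Decimal("170"), "rate": Decimal("20.00"), "gross_paid": Decimal("3500.00")},  # duplicate row
    {"emp": "E004", "period": "2023-07", "hours": Decimal("0"),   "rate": Decimal("22.50"), "gross_paid": Decimal("900.00")},   # paid for no hours
]

OVERTIME_THRESHOLD = Decimal("160")   # constructed policy: hours above this are paid at 1.5x
OVERTIME_MULTIPLIER = Decimal("1.5")

def expected_gross(hours, rate):
    """Recompute gross pay from the inputs under the (constructed) pay rule."""
    regular = min(hours, OVERTIME_THRESHOLD)
    overtime = max(hours - OVERTIME_THRESHOLD, Decimal("0"))
    gross = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def find_overpayments(records):
    """Recompute every row and return those where gross_paid exceeds the recomputed amount."""
    findings = []
    for r in records:
        exp = expected_gross(r["hours"], r["rate"])
        if r["gross_paid"] > exp:
            findings.append({"emp": r["emp"], "period": r["period"],
                             "paid": r["gross_paid"], "expected": exp,
                             "overpaid_by": r["gross_paid"] - exp})
    return findings

def find_duplicates(records):
    """Duplicate check: the same employee paid more than once in one period."""
    counts = Counter((r["emp"], r["period"]) for r in records)
    return sorted(key for key, n in counts.items() if n > 1)

def total_overpaid(records):
    """Sum of all overpayments found by the recomputation test."""
    return sum((f["overpaid_by"] for f in find_overpayments(records)), Decimal("0"))

if __name__ == "__main__":
    for f in find_overpayments(PAYROLL):
        print(f"{f['emp']} {f['period']}: paid {f['paid']}, expected {f['expected']}, over by {f['overpaid_by']}")
    print("duplicate payments:", find_duplicates(PAYROLL))
    print("total overpaid:", total_overpaid(PAYROLL))
```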

You answered D. The correct answer is C.

A. The owner of the system may be present at the time of evidence retrieval, but this is not absolutely necessary. In some cases, the owner could be the subject of the investigation.

B. In most cases, it is required that the investigator power off the machine to create a forensic image of the hard drive, so this is not an issue. Prior to powering off the machine, the investigator would normally photograph what is on the screen of the computer and identify what documents are open and any other information that may be relevant. It is important that the investigator power off the machine rather than performing a shutdown procedure. Many operating systems perform a cleanup of temporary files during shutdown, which potentially would destroy valuable evidence.

C. It is very important that evidence be handled properly through a documented chain of custody and never modified improperly in a physical or, more important, logical manner. The goal of this process is to be able to testify truthfully in court that the technical investigator did not modify the data in any improper manner. If the investigator does not have sufficient documentation of the handling of manual or digital evidence, the defense will try to prevent the admission of evidence based on the fact that it may have been tampered with or modified. Note that legal requirements for digital evidence preservation could vary from country to country, so local laws should be taken into consideration.

D. Depending on the type of system being accessed, it may not be possible to capture an image of the contents of random access memory (RAM).

You are correct, the answer is D.

A. The findings of a previous audit are of interest to the auditor, but they are not the most critical step. The most critical step involves finding the current issues, not reviewing the resolution of older issues.

B. A physical security review of the data center facility is important, but is a very narrow scope and not as critical as performing a risk assessment.

C. Reviewing information security policies and procedures would normally be conducted during fieldwork, not planning.

D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard 1202 Risk Assessment in Planning, statement 1202.2: "IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements." In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation.

You are correct, the answer is C.

A. A size check is useful because passwords should have a minimum length, but it is not as strong a control as a validity check.

B. Passwords are not typically entered in a batch mode, so a hash total would not be effective. More important, a system should not accept incorrect values of a password, so a hash total as a control will not indicate any weak passwords, errors or omissions.

C. A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used—for example, not using a dictionary word, including non-alphabetical characters, etc. An effective password must have several different types of characters: alphabetical, numeric and special.

D. The implementation of a field check would not be as effective as a validity check that verifies that all password criteria have been met.
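The difference between a size check and a validity check, as an added example that is not part of the original question set: the minimum length, the character-class rules and the tiny word list are constructed placeholders for a real password policy and dictionary.

```python
# Added example: a size check versus a validity check on candidate passwords.
# The policy values and the word list are constructed for illustration.
import re

MIN_LENGTH = 12
# Constructed stand-in for a dictionary / common-password list.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}

def size_check(password):
    """Size check: verifies only that the minimum length is met."""
    return len(password) >= MIN_LENGTH

def validity_check(password):
    """Validity check: verify the required format.
    Returns the list of policy rules the password fails; an empty list means it is valid."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        failures.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    # Dictionary test: strip digits and punctuation and compare what is left
    # against the word list, so a dictionary word padded with "123!" is still caught.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY_WORDS:
        failures.append("based on a dictionary word")
    return failures

def is_valid(password):
    """True only when every rule of the validity check passes."""
    return not validity_check(password)

if __name__ == "__main__":
    for candidate in ["Welcome2023!!", "correcthorsebattery", "T7#kq!9Lm2@vz"]:
        print(candidate, "size:", size_check(candidate), "validity:", validity_check(candidate) or "ok")
```

The first two candidates pass the size check yet fail the validity check, which is the point of option C: length alone says nothing about whether the required format was used.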

You answered D. The correct answer is C.

A. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure has been established from the beginning, finding any overlap in key controls will not be possible.

B. An integrated test facility (ITF) is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls.

C. As part of the effort to realize continuous audit management (CAM), there is a case for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts have the opportunity to come across unnecessary or overlapping key controls in existing systems.

D. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.

You answered A. The correct answer is C.

A. Based on this discussion, the IS auditor will finalize the report and present the report to relevant levels of senior management. This discussion should, however, also address a timetable for remediation of the audit findings.

B. This discussion will, first of all, inform management of the findings of the audit and, based on these discussions, management may agree to develop an implementation plan for the suggested recommendations, along with the time lines.

C. Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the auditee. The goal of such a discussion is to confirm the accuracy of the findings and to propose or recommend a course of corrective action.

D. At the draft report stage, the IS auditor may recommend various controls to mitigate the risk, but the purpose of the meeting is to validate the findings of the audit with management.

What are the audit reporting requirements?

Basic elements:
The name of the company whose financial statements were audited;
A statement identifying each financial statement and any related schedule(s) that has been audited; ...
The date of, or period covered by, each financial statement and related schedule, if applicable, identified in the report.

Which of the following choices is MOST important for an IS auditor to understand when auditing an e-commerce environment?

The nature and criticality of the business process supported by the application.

What is the primary purpose of an IS audit report?

The goal of an auditor's report is to document reasonable assurance that a company's financial statements are free from error. Along with balance sheets, profit and loss statements, and directors' reports, auditors' reports make up part of a company's statutory accounts.

What is the most important part of an audit?

Evaluating internal controls. This is arguably the most important part of an audit and where many organizations can find a significant amount of value from having an audit conducted.