CISA

Card Set Information

Author:
Anonymous
ID:
306708
Filename:
CISA
Updated:
2015-09-01 20:50:01
Tags:
CISA JOSH
Description:
CISA Review

The flashcards below were created by user Anonymous on FreezingBlue Flashcards.


  1. First step in Audit Planning?
    Gain an understanding of the business's mission, objectives, purpose and processes
  2. Steps to perform audit planning
    • 1. Gain an understanding of the business
    • 2. Understand changes to the business, review prior work, identify content/policies/procedures of the business
    • 3. Perform a risk analysis
    • 4. Set the scope and objectives of the audit
    • 5. Develop the audit approach/strategy
    • 6. Assign resources and logistics
  3. Risk assessment process for Audit risk analysis
    • BO/Assets/RA/RM/RT
    • 1. Identify business objectives
    • 2. Identify information assets supporting BOs
    • 3. Perform risk assessment (RA)
    • 4. Perform risk mitigation 
    • 5. Perform risk treatment
    • 6. Risk reevaluation, start at 1
  4. Within the risk assessment process for Audit risk analysis, what does performing a risk assessment (RA) entail?
    Identify threats, vulnerabilities, probabilities, and impacts
  5. Within the risk assessment process for Audit risk analysis, what does risk mitigation (RM) entail?
    Map risks with controls in place
  6. Within the risk assessment process for Audit risk analysis, what does risk treatment (RT) entail?
    Treat significant risks not mitigated by existing controls
  7. Audit Phases
    • 1. Audit subject - identify the area to be audited
    • 2. Audit objective - identify the purpose of the audit
    • 3. Audit scope - identify the specific systems, functions or units to be examined
    • 4. Preaudit planning
    • 5. Audit procedures and steps for data gathering
    • 6. Procedures for evaluating the test or review results
    • 7. Procedures for communication with management
    • 8. Audit report preparation
  8. Risk based Audit approach overview
    • 1. Gather info and plan
    • 2. Obtain understanding of Internal Ctrl
    • 3. Perform compliance tests
    • 4. Perform substantive tests
    • 5. Conclude the audit
  9. Inherent risk
    Risk level without taking controls into account; it exists independently of an audit
  10. Control risk
    Risk that a material error would not be prevented or detected on a timely basis by the system of internal controls
  11. Detection risk
    Risk that material errors/misstatements will not be detected by the IS auditor
  12. Overall Audit Risk
    • Probability that information or financial reports may contain material errors.
    • AR = IR * DR * CR
  13. Sampling risk
    Risk that the auditor will draw the wrong conclusion from the sample
  14. Two types of Statistical Sampling
    Attribute and variable
  15. Types of attribute sampling
    • Attribute sampling/fixed sample size/frequency-estimating
    • stop-or-go
    • Discovery
  16. Stop-or-go Sampling
    Helps prevent excessive sampling by allowing an audit test to be stopped at the earliest possible moment. Used when it is believed that there are few errors in the population
  17. Discovery sampling
    Used when the expected occurrence rate is extremely low. Used when the objective is to seek out fraud
  18. Types of Variable sampling
    • Stratified mean per unit
    • Unstratified mean per unit
    • Difference estimation
  19. Relationship between the confidence coefficient and sample size
    The greater the confidence coefficient (e.g. 95% rather than 90%), the greater the sample size
  20. Level of risk as it relates to sampling
    Equal to one minus the confidence coefficient, 1.00 - .95 = .05 for example
  21. Precision as it relates to sampling
    • Acceptable range difference between the sample and the actual population
    • % for attribute
    • $ for variable
  22. Relation between precision and sample size
    The larger the precision amount (i.e. the wider the acceptable range between the sample and the population), the smaller the sample size, and the greater the risk that a fairly large total error goes undetected
  23. Expected error rate and its relation to sample size
    • Estimate, stated as a %, of the errors that may exist in the population
    • Greater the expected error rate the greater the sample size
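As an added worked example that is not part of the original card set, the standard normal-approximation formula for an attribute sample size, n = z² · p(1 − p) / E², ties cards 19 to 23 together in runnable form. The formula itself and the finite-population correction are standard statistics, not something the cards state; the confidence, precision and expected error rate values below are constructed inputs chosen to show each relationship (confidence up → sample up, precision amount up → sample down, expected error rate up → sample up).

```python
import math
from statistics import NormalDist
from typing import Optional


def risk_level(confidence: float) -> float:
    """Sampling risk is the complement of the confidence coefficient (card 20):
    1.00 - 0.95 = 0.05."""
    return 1.0 - confidence


def z_for_confidence(confidence: float) -> float:
    """Two-sided standard-normal critical value for the given confidence,
    e.g. about 1.96 for 95%. The risk (alpha) is split across both tails."""
    alpha = risk_level(confidence)
    return NormalDist().inv_cdf(1.0 - alpha / 2.0)


def attribute_sample_size(confidence: float, precision: float,
                          expected_error_rate: float,
                          population: Optional[int] = None) -> int:
    """Attribute sample size from the normal approximation to the binomial
    (standard formula, assumed here; it is not stated on the cards):

        n = z^2 * p * (1 - p) / E^2

    precision (E) and expected_error_rate (p) are fractions, as on an
    attribute test (percentages, not dollar amounts). If the population size
    is known, the finite-population correction n / (1 + (n - 1) / N) is
    applied; it only ever lowers the sample size. The result is rounded up,
    because a fraction of an item cannot be examined.
    """
    for name, value in (("confidence", confidence), ("precision", precision),
                        ("expected_error_rate", expected_error_rate)):
        if not 0.0 < value < 1.0:
            raise ValueError(f"{name} must be a fraction strictly between 0 and 1")
    z = z_for_confidence(confidence)
    p = expected_error_rate
    n = (z ** 2) * p * (1.0 - p) / (precision ** 2)
    if population is not None:
        n = n / (1.0 + (n - 1.0) / population)
    return math.ceil(n)


if __name__ == "__main__":
    # Constructed scenario: 95% confidence, 5% precision, 5% expected error rate.
    print("baseline (95%, 5%, 5%):", attribute_sample_size(0.95, 0.05, 0.05))
    print("lower confidence (90%) -> smaller sample:",
          attribute_sample_size(0.90, 0.05, 0.05))
    print("larger precision amount (10%) -> smaller sample:",
          attribute_sample_size(0.95, 0.10, 0.05))
    print("higher expected error rate (10%) -> larger sample:",
          attribute_sample_size(0.95, 0.05, 0.10))
    print("population of 500 -> finite-population correction:",
          attribute_sample_size(0.95, 0.05, 0.05, population=500))
```

The expected error rate matters most near 50%, where p(1 − p) peaks; that is why a population believed to be nearly error-free (the stop-or-go and discovery cases above) can be tested with a small sample.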
  24. Generalized Audit Software (GAS)
    Standard software that has the capability to directly read and access data from various DB platforms, flat-files, and ASCII formats
  25. Utility software
    Provides evidence to auditors about system control effectiveness
  26. Test data
    Auditors use a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives
  27. Integrated Test Facility (ITF)
    • CAAT that creates a fictitious entity in the database to process test transactions simultaneously with live input
    • Periodic testing does not require a separate test process
  28. Application software tracing and mapping (CAAT)
    Provides information about the internal controls built into the system
  29. Expert Systems (CAAT)
    • Give direction and valuable information to all levels of auditors involved in the audit
    • Query-based system built on the knowledge of senior auditors or managers
  30. Elements of the IT Balanced Scorecard
    • Future Orientation
    • Operational Excellence
    • User Orientation
    • Business Contribution
  31. Basic outcomes of effective security governance
    • Strategic alignment
    • Risk management
    • Value Delivery
  32. Enterprise Architecture
    • Documenting an organization's IT assets in a structured manner to facilitate understanding, management, and planning for IT investments
    • Involves both a current and optimized future state representation/map
  33. COBIT 5 Risk Management Process
    • Collect Data
    • Analyze Risk
    • Maintain a risk profile
    • Articulate Risk
    • Define a risk mgmt action portfolio 
    • Respond to risk
  34. Duties that should be segregated in general
    • Custody of the assets
    • Authorization
    • Recording Transactions
  35. What is a systems analyst?
    Specialist who designs systems based on the needs of the users. Usually involved in the initial phases of the SDLC
  36. Steps for the risk assessment within a BCP
    • Identify the human resources, data, infrastructure and other resources that support the business
    • Identify a list of potential vulnerabilities
    • Identify the estimated probability of occurrence of the identified threats
    • Identify the efficiency and effectiveness of the current risk mitigation controls
  37. BCP Life Cycle
    • Risk assessment and analysis
    • BIA
    • BC Strategy Development
    • BC Plan development and strategy execution
    • BC Awareness training and testing
    • BCP Monitoring, maintenance and update
    • Project planning (BCP policy) - the start of the cycle, which then repeats
  38. Business Impact Analysis steps
    • ID Priority Critical business processes
    • ID Organizational risks
    • ID Threats to critical business processes
  39. Relationship between downtime costs and recovery time?
    Downtime costs increase with time
  40. Relationship between recovery costs and recovery time
    Recovery costs decrease with time
  41. BCP - Preparedness Test
    A localized version of a full test, wherein actual resources are expended in the simulation of a system crash
  42. Risk management practices from an IT governance perspective
    • Collect Data
    • Analyze risk
    • Maintain a risk profile
    • Articulate risk
    • Define a risk mgmt action portfolio
    • Respond to risk
  43. What does Function Point Analysis measure?
    Measures the size of a system based on the number and complexity of its inputs, outputs, files, interfaces and queries
  44. What is Time Box Management?
    Project management technique for defining and deploying software deliverables in a short, fixed time period with predetermined resources
  45. What is Earned Value Analysis
    • A technique for determining whether actual spending is in line with plan spending for a project.
    • Compares budget to date, actual spending to date, est to complete and est at completion
  46. Risk management process executed repeatedly during a project
    • Identify risk
    • Assess and evaluate risk
    • Manage risk
    • Monitor
    • Evaluate the risk management process
  47. Verification and Validation (V-Model)
    • User Requirements - Acceptance Testing
    • Functional Requirements - System Testing
    • Architectural Design - Integration Testing
    • Detailed Design - Unit Testing
    • Code
    • UFAD - ASIU
  48. Traditional SDLC/Waterfall method
    • 1. Feasibility Study
    • 2. Requirements Definition
    • 3. Software Selection & Acquisition (Purchase)
    • 4. Design (In-House)
    • 5. Development (in-house)
    • 6. Configuration (Purchase)
    • 7. Final Testing and implementation 
    • 8. Post-implementation
    • Frank Roger SAD DC TIP
  49. Iterative Approach for software development
    Business requirements are developed and tested in iterations until the entire app is designed, built and tested.
  50. Regarding software development, what are cohesion and coupling?
    • Cohesion - each software item performs a single dedicated function (high cohesion is desirable)
    • Coupling - the degree of dependence between software items; low coupling means each item retains independence from other comparable items (low coupling is desirable)
  51. Difference between QAT and UAT
    • Quality Assurance Testing - focuses on technical aspects of the app
    • User Acceptance Testing - focuses on the functional aspects
  52. What occurs after completion of acceptance testing?
    Certification and accreditation
  53. White box testing
    • Testing method in which the internal structure/design is known to the tester.
    • Assess the effectiveness of software program logic
  54. Black box testing
    Testing components of a system's functional operating effectiveness w/o regards to the specific internal program structure
  55. Regression testing
    Rerunning a portion of a test scenario to ensure that changes have not introduced new errors
  56. What are the three functions within each trading partner's system for a Traditional EDI?
    • Communications handler
    • EDI interface
    • Application system
  57. Audit monitors
    Devices installed at EDI workstations to capture transactions as they are received
  58. Expert Systems
    Based upon judgmental rules, the system can determine the audit significance of transactions
  59. For auditing EDI what must an IS auditor evaluate?
    Ensure that all inbound transactions are received and translated accurately, passed to an application, and processed only once
  60. In the context of BI, an enterprise data flow diagram architecture consists of:
    • Presentation/desktop layer
    • Data mart layer - subset of warehouse
    • Data preparation layer - prep for load to data marts
    • Data warehouse layer
    • Data Staging and quality layer
    • Data access layer - connects source and stores
    • Data source layer 
    • Metadata repository layer
    • Warehouse Management Layer
    • Application messaging layer (transport)
    • Internet/intranet layer
  61. What is a decision support system?
    An interactive system that provides the user with easy access to decision models and data from a wide range of sources in order to support semi-structured decision making tasks
  62. Where does a Decision Support System get its data to make decisions?
    From business intelligence tools
  63. What are the characteristics of a DSS?
    • Aims at solving less structured (semi-structured), under-specified problems
    • Combines the use of models or analytical techniques with traditional data access and retrieval functions
    • Emphasizes flexibility and adaptability to accommodate changes in the environment
  64. What does the scrum development technique aim to move?
    Move the planning and directing tasks from the project manager to the team
  65. What kind of development is scrum?
    Agile development
  66. What is Rapid Application Development (RAD)?
    • Methodology that enables organizations to develop strategically important systems quickly while reducing development costs and maintaining quality
    • Imposes rigid limits on development time frames and reuses existing components
  67. Simple Object Access Protocol (SOAP)
    XML-based protocol for exchanging structured messages with web services; used to define and invoke APIs
  68. Project Phases of Physical Architecture Analysis
    • Review of existing architecture
    • Vendor selection (runs in parallel)
    • Analysis and Design
    • Draft functional requirements
    • Functional requirements
    • Define final functional requirements
    • Proof of concept
  69. Project Phases of Planning the Implementation Infrastructure
    • Requirements analysis goes in parallel
    • Procurement phase
    • Delivery time
    • Installation plan
    • Installation test plan
  70. Within the phases of planning the implementation of infrastructure, procurement phase steps
    • Develop vendor criteria
    • Develop vendor long list
    • Develop vendor short list
    • Select preferred vendors
    • Define partnership
  71. Within the phases of planning the implementation of infrastructure, delivery time steps
    • Develop delivery plan
    • Review plan
  72. Within the phases of planning the implementation of infrastructure, installation plan steps
    • Develop installation plan
    • Review
  73. Within the phases of planning the implementation of infrastructure, installation test plan steps
    • Develop
    • Review
  74. What is ISO 9126?
    An international standard to assess the quality of software
  75. What is ISO/IEC 15504?
    Provides guidance on process improvement, benchmarking and assessment. Can be leveraged to create enterprise best practices
  76. Capability Maturity Model Integration, Characteristics of the Maturity Levels
    • Level 1 - Initial - Processes are unpredictable, poorly controlled and reactive
    • Level 2 - Managed - Process is characterized for projects, reactive
    • Level 3 - Defined - Process characterized for the org and is proactive
    • Level 4 - Quantitatively Managed - Process is measured and controlled 
    • Level 5 - Optimizing - Focus is on process improvement
  77. ISO/IEC 15504 - Capability levels rating scale
    • Level 0 - Incomplete process
    • Level 1 - Performed process-achieves its purpose
    • Level 2 - Managed process
    • Level 3 - Established process-implemented using a defined process that is capable of achieving its process outcomes
    • Level 4 - Predictable process
    • Level 5 - Optimizing process
  78. Parity checking
    Error detection technique: a parity bit is added to the data to indicate whether the count of 1 bits is odd or even. If the parity recomputed after transmission disagrees with the parity bit, an error occurred. Only errors that flip an odd number of bits are caught; an even number of flipped bits cancels out, so for arbitrary corruption the chance of detection is roughly 50%
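An added worked example, not from the original cards, of the parity check described above. It computes an even parity bit over a constructed message, shows a single-bit error being caught and a double-bit error slipping through, and enumerates every error pattern on one byte to show where the roughly 50 percent figure comes from. The message bytes and the flipped bit positions are constructed for the demonstration.

```python
def ones_count(data: bytes) -> int:
    """Number of 1 bits in the data."""
    return sum(bin(b).count("1") for b in data)


def parity_bit(data: bytes, even: bool = True) -> int:
    """Parity bit the sender appends. Even parity picks the bit so that the
    total number of 1 bits (data plus parity bit) is even; odd parity makes
    the total odd."""
    bit = ones_count(data) % 2          # 0 if the data already has an even count
    return bit if even else bit ^ 1


def parity_ok(data: bytes, received_bit: int, even: bool = True) -> bool:
    """Receiver-side check: recompute parity over the received data and
    compare it with the parity bit that arrived with it."""
    return parity_bit(data, even) == received_bit


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate transmission corruption by flipping the given bit positions
    (bit 0 is the least significant bit of byte 0, bit 8 is the LSB of byte 1)."""
    buf = bytearray(data)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def error_pattern_coverage(nbits: int = 8):
    """Enumerate every non-zero error pattern on an nbits-wide word and count
    how many a single parity bit detects (odd number of flipped bits) versus
    misses (even number). Returns (detected, missed)."""
    detected = missed = 0
    for pattern in range(1, 1 << nbits):
        if bin(pattern).count("1") % 2:
            detected += 1
        else:
            missed += 1
    return detected, missed


if __name__ == "__main__":
    message = b"AUDIT"                  # constructed sample payload: 14 one-bits
    sent_bit = parity_bit(message)
    print("parity bit sent:", sent_bit)

    one_flip = flip_bits(message, [0])
    print("single-bit error detected:", not parity_ok(one_flip, sent_bit))

    two_flips = flip_bits(message, [0, 9])
    print("double-bit error detected:", not parity_ok(two_flips, sent_bit))

    detected, missed = error_pattern_coverage(8)
    total = detected + missed
    print(f"of {total} possible error patterns on one byte, "
          f"{detected} are caught ({detected / total:.1%})")
```

Because every even-weight error pattern is invisible to a parity bit, parity is only an integrity check against random single-bit noise; it offers nothing against a deliberate modification, which can always be made with an even number of bit flips.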
  79. Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
    Embedding specially written audit software in the organization's host application system so the application systems are monitored on a selective basis
  80. Audit hooks
    Embedding hooks in application systems to function as red flags and to induce IS auditors to act before an error or irregularity gets out of hand
  81. Integrated test facility (ITF)
    dummy entities are set up and included in an auditee's production files
  82. Online auditing technique: Snapshot
    • Records flow of designated transactions through logic paths within programs
    • Verifies program logic
  83. Online auditing technique: Mapping
    Identifies specific program logic that has not been tested, and analyzes programs during execution to indicate whether program statements have been executed
  84. Online auditing technique: Tracing and tagging
    • Tracing shows the trail of instructions executed during an application
    • Tagging involves placing an indicator on selected transactions at input and using tracing to track them
  85. What is a transaction journal/log
    A manual or automated log of all updates to data files and databases
  86. What are functional acknowledgements? (EDI)
    Standard EDI transactions that tell the trading partner that their electronic documents were received. Audit trail
  87. DSS Risks
    • Nonexistent or unwilling users
    • Multiple users or implementer
    • Disappearing users, implementer or maintainers
    • Inability to specify purpose or usage patterns in advance
    • Inability to predict and cushion impact on all parties
    • Lack or loss of support
    • Lack of experience with similar systems
    • Technical problems and cost-effectiveness issues
  88. EDI Controls
    • Key verification - data is keyed in a second time by a separate individual and compared with the original keystrokes to catch keying errors (a data integrity control, not a cryptographic key control)
    • One-for-one checking - validates transactions are accurate and complete
    • Manual recalculations - verify that the processing is correct
    • Functional acknowledgements - audit trail, data mapping
  89. Project Management Triangle
    The relationship between resources (cost), time and scope/quality: changing one side forces a change in at least one of the others, because the area of the triangle does not change
