CISA Quiz

Prioritise the identified risk.

Define the audit universe.

Identify the critical controls.

Determine the testing approach.

Review findings from prior audits.

Executive management's approval of the audit plan.

Review IS security policies and procedures.

Perform Risk Assessment

Does not require an IS auditor to collect evidence on system reliability while processing is taking place

Requires the IS auditor to review and follow up immediately on all information collected

Can improve system security when used in time-sharing environments that process a large number of transactions

Does not depend on the complexity of an organizations computer systems.

Issue an Audit finding

Seek an explanation from IS management

Review the classification of data held on the server

Expand the sample of logs reviewed

Address Audit objectives

Collect sufficient evidence

Specify appropriate tests

Minimize audit resources

A Product of probability and magnitude of impact if threat successfully exploits the vulnerability

The magnitude of impact should a threat source successfully exploit the vulnerability

The likelihood of given threat source exploiting a given vulnerability

The collective judgement of the risk assessment team

Show compliance with standards

Show how results were deduced

Show management’s role

Show due care was exercised

Time frame for audit

Audit Scope

Purpose and Objective

Expectation and obligation of client and auditor

mark the recommendation as satisfied and close the finding

verify if management's action mitigates the identified risk

re-perform the audit to assess the changed control environment

escalate the deviation to the audit committee

Source of the user list reviewed

Availability of the user list reviewed

Confidentiality of the user list reviewed

Completeness of the user list reviewed