Chapter 3 Review Questions

1. Which of the following is false concerning a control self-assessment (CSA)?

A. Empowers the user to take ownership and accountability
B. Eliminates the need for a traditional audit
C. May be used to identify high-risk areas for later review
D. Will not have the level of independence provided by an external auditor
2. Who has responsibility for setting the scope of the audit?
A. Auditor
B. Client
C. Audit manager
D. Auditee
3. During audit planning, several documents are produced in support of the project.
Which of these is used to identify the person responsible for specific tasks in
order to gain funding and ensure quality?
A. Skills matrix
B. Procurement matrix
C. Task matrix
D. Activities matrix
4. Which of the following would be a concern of the auditor that should be
explained in the audit report along with the findings?
A. Detailed list of audit objectives
B. The need by the current auditor to communicate with the prior auditor
C. Communicating results directly to the chairperson of the audit committee
D. Undue restrictions placed by management on evidence use or audit procedures
5. The auditor is permitted to deviate from professional audit standards when they
feel it is necessary; which of the following is true regarding such deviation?
A. Standards are designed for discretionary use.
B. Deviation is almost unheard of and would require significant justification.
C. Deviation depends on the authority granted in the audit charter.
D. The unique characteristics of the client will require auditor flexibility.
6. Auditors base their report on findings, evidence, and the results of testing. It’s
more of a score than an opinion. Which of the following types of evidence
sampling refeTrecthoneta24.ir 100 percent sample?
A. Attribute
B. Stop-and-go
C. Cell
D. Discovery
7. Which of the following types of risk are of the most interest to an IS auditor?
A. Control, detection, noncompliance, risk of strike
 B. Inherent, noninherent, control, lack of control
C. Sampling, control, detection, inherent
D. Unknown, quantifiable, cumulative
8. The two types of tests are referred to as _____________ and _____________
using________________sampling methods.
A. Substantive tests, compliance tests, variable and attribute
B. Compliance tests, substantive tests, variable and discovery
C. Predictive tests, compliance tests, stop-and-go and difference estimation
D. Integrity tests, compliance tests, stratified mean and unstratified mean
9. Which of these types of computer-assisted audit tools (CAATs) is designed to
process dummy transactions during the processing of genuine transactions?
A. Continuous and intermittent simulation
B. Embedded program audit hooks
C. Embedded audit module
D. Online event monitor
1. Which of the following conditions is false in regard to using the work of other
people during your audit?
A. Ensure independence of the provider.
B. Accept the work based on job position.
C. Use agreed-upon scope and approach.
D. Provide supervision and review.
11. Which type of audit may be used for regulatory licensing or external reporting?
A. Qualified audit
B. Independent assessment
C. Control self-assessment
D. Traditional audit
2. Audits are intended to be conducted in accordance with which of the following
ideals?
A. Specific directives from management concerning evidence and procedure
B. Reporting and communication
C. Assessment of the organizational controls
D. Adherence to standards, guidelines, and best practices
3. Which of the following is not a type of quantitative sampling model?
A. Difference estimation
B. Stratified mean per unit
C. Unstratified mean per unit
D. Qualitative estimation per unit
4. What is the principal issue concerning the use of CAAT?
A. The capability of the software vendor.
B. Possible cost, complexity, and the security of output.
 C. Inability of automated tools to consider the human characteristics
of the environment.
D. Documentary evidence is more effective.
5. What is the purpose of the audit charter?
A. To engage external auditors
B. To grant responsibility, authority, and accountability
C. To authorize the creation of the audit committee
D. To provide detailed planning of the audit
6. Which of the following describes the relationship between compliance testing
and substantive testing?
A. Compliance testing checks for the presence of controls; substantive testing
checks the integrity of internal contents.
B. Substantive testing tests for presence; compliance testing tests actual contents.
C. The tests are identical in nature; the difference is whether the audit
subject is under the Sarbanes–Oxley Act.
D. Compliance testing tests individual account balances; substantive testing
checks
for written corporate policies.
7. What is the purpose of continuous auditing?
A. To assist managers with automated testing
B. To govern, control, and manage the organization
C. To challenge and review assurances
D. To provide daily coordination of all audit activities
8. Which term best describes the difference between the audit sample and the
total population?
A. Precision
B. Tolerable error rate
C. Level of risk
D. Analytic delta
9. What is the biggest issue with the decision to transfer risk to an
outsourced contractor?
A. There is potential for uncontrollable increase in operating cost over time.
B. Outsourcing shifts the entire risk to the contractor.
C. The company still retains liability for whatever happens.
D. Outsourcing shields the company from intrinsic risks.
1. Which is not a purpose of risk analysis?
A. Support risk-based audit decisions
B. Assist the auditor in determining audit objectives
C. Assist the auditor in identifying risks and threats
D. Ensure absolute safety during the audit
2. Which is the best document to help define the relationship of the independent
auditor and provide evidence of the agreed-upon terms and conditions?
A. Audit charter
B. Annual audit plan
C. Engagement letter
D. Auditor’s report
3. ISACA refers to testing for strong controls. What is the best description of a
strong control?
A. Effective implementation of multiple controls targeting the same objective
B. Preventive control that stops the problem from ever occurring
C. Using at least one control in each of the three categories of detective,
corrective, and preventive
D. Implementing comprehensive pervasive controls inside of an ERP application
4. Failing to prevent or detect a material error would represent which type of risk?
A. Overall audit risk
B. Detection risk
C. Inherent risk
D. Control risk
5. What is the best data collection technique the auditor can use if the resources
are available?
A. Surveys that create a broad sample
B. Review of existing documentation
C. Auditor observation
D. Interviews
6. An IS auditor is performing a review of an application and finds something that
might be illegal. The IS auditor should do which of the following?
A. Disregard or ignore the finding because this is beyond the scope of this review
B. Conduct a detailed investigation to aid the authorities in catching the culprit
C. Immediately notify the auditee of the finding
D. Seek legal advice before finishing the audit