Digital Accounting and Assurance Board

The Institute of Chartered Accountants of India ISA 3.0

(Set up by an Act of Parliament)

Module - 1

Information Systems Audit Process

1
Learning Objective
• Fundamental Concepts of IS Audit
• Information Systems Audit in Phases
• Tools and techniques used in IS Audit
• Application Controls Review
• Audit of Specialized Systems
• IT Enabled services & Fraud detection

2
 Chapter 1
Concepts of IS Audit

3
Principles of Audit – SA200
• Integrity, objectivity and independence
• Skill and Competence
• Work performed by others
• Documentation
• Accounting system and internal control
• Audit conclusions and reporting
Concepts of IS Audit
• Definition of IS Audit
• Audit in computerized environment
 Audit around the computer
 Audit with the computer
 Audit through the computer
IT Risk
• Concept of IT Risk
• Risk Management
• Risk-based Auditing
• Risk Universe
• Audit Universe
Audit Risk
• Inherent Risk
• Control Risk
• Detection Risk
Internal Controls
• Concept of controls
 Preventive Controls
 Detective Controls
 Corrective Controls
• IT General Controls
• Application Controls
Infrastructure and Organization
• Organization of IS Audit Functions
• Internal and external Audit Control Framework
• Quality Control and peer review
• Standards on audit performance
IT Audit Framework (ITAF)
• Reasonable expectation
• Due professional Care
• Proficiency
• Assertions
• Criteria
Practice Questions

11
Q. 1. The primary purpose and existence of an audit
charter is to:
A. Document the audit process used by the
enterprise
B. Formally document the audit department’s plan
of action.
C. Document a code of professional conduct for the
auditor.
D. Describe the authority and responsibilities of the
audit department/

Correct answer is D
It is like the constitution for the IS Audit function as it
mandates the authority, scope and responsibility of IS Audit
in the organization.
12
Q. 2. Which of the following control classifications
identify the cause of a problem and minimize the impact
of threat
A. Administrative Controls
B. Detective Controls
C. Preventive Controls
D. Corrective Controls

Correct answer is D
Corrective Controls classifications identify the cause of a
problem and minimize the impact of threat. The Goal of
these controls is to identify the root cause of an issue
whenever possible and eliminate the potential for that
occurring again. The other controls are useful but perform
other functions instead.

13
Q.3 Which of the following is NOT generally
considered a category of Audit Risk?
A. Detection Risk
B. Scoping Risk
C. Inherent Risk
D. Control Risk

Correct answer is B
Scoping risk is not generally considered as category of audit
risk. The other risk categories are also possible types of
risk; however they are not the one that question demand.

14
Q.4 Which of the following are most commonly used to
mitigate risks discovered by organizations?
A. Controls
B. Personnel
C. Resources
D. Threats

Correct answer is A
Controls are most commonly used to mitigate risks
discovered by organizations. This is what organizations
implement as a result of the risks an organization discovers.
Resources and personnel are often expended to implement
controls.

15
Q .5 Which of the following is not a type of internal
controls
A. Detective
B. Corrective
C. Preventive
D. Administrative

Answer: D
Administrative is not a type of internal controls. Detective is
designed to detect errors or irregularities that may have
occurred. Corrective is designed to correct errors or
irregularities that have been detected. Preventive is
designed to keep errors or irregularities from occurring.

16
Q.6 What means the rate at which opinion of the IS Auditor
would change if he selects a larger sample size?
A. Audit Risk
B. Materiality
C. Risk Based Audit
D. Controls

Answer: A
Audit risk means the rate at which opinion of the IS Auditor
would change if he selects a larger sample size. Audit risk can be
high, moderate or low depending on the sample size selected by
the IS Auditor. A risk based audit approach is usually adapted to
develop and improve the continuous audit process. Materiality
means importance of information to the users. It is totally the
matter of the professional judgment of the IS Auditor to decide
whether the information is material or immaterial.

17
Q.7. Which of the following cannot be classified as
Audit Risk?
A. Inherent Risk
B. Detection Risk
C. Controllable Risk
D. Administrative Risk

Answer: D
Inherent risk means overall risk of management which is on
account of entity’s business operations as a whole.
Controllable risk is the risk present in the internal control
system and the enterprise can control this risk completely
and eliminate it form the system. Detection risk is the risk
of the IS Auditor when he is not able to detect the inherent
risk or the controllable risk.
18
Q.8. After you enter a purchase order in an on-line system,
you get the message, “The request could not be processed
due to lack of funds in your budget”. This is an example of
error?
A. Detection
B. Correction
C. Prevention
D. Recovery

Answer: C
To stop or prevent a wrong entry is a function of error
prevention . Rest all options work after an error. Prevention
works before an occurring of error.

19
Q .9. When developing a risk-based audit strategy, an IS
auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate

Answer: B
In developing a risk-based audit strategy, it is critical that the risks
and vulnerabilities be understood. This will determine the areas to
be audited and the extent of coverage. Understanding whether
appropriate controls required to mitigate risks are in place is a
resultant effect of an audit. Audit risks are inherent aspects of
auditing, are directly related to the audit process and are not
relevant to the risk analysis of the environment to be audited. Gap
analysis would normally be done to compare the actual state to an
expected or desirable state. 20
Q .10 . Reviewing management's long-term strategic plans
helps the IS auditor:
A. Gains an understanding of an organization's goals and
objectives.
B. Tests the enterprise's internal controls.
C. Assess the organization's reliance on information systems.
D. Determine the number of audit resources needed.

Answer: A
Strategic planning sets corporate or departmental objectives into
motion. Strategic planning is time- and project-oriented, but
must also address and help determine priorities to meet
business needs. Reviewing long-term strategic plans would not
achieve the objectives expressed by the other choices. 21
 Chapter 2
IS Audit in Phases

22
 Co n du ct i n g a n I S A u d i t

Plan Execute
Understanding
Report
the environment Sampling,Testing Audit report and
and Setting up of & recommendations
objectives Documentation

Risk assessment
& control Audit Follow up
identification Evidence review
Audit Charter
• The audit charter is like the constitution for the IS audit
function.
• The audit charter should clearly address the four aspects
of purpose, responsibility, authority and accountability.
Audit Engagement Letter
• Scope
• Objectives
• Independence
• Risk assessment
• Specific Auditee requirements
• Deliverables
Communicate with Auditee
• Describing the service, its scope, its availability and
timeliness of delivery
• Providing cost estimates or budgets if they are available
• Describing problems and possible resolutions for them
• Providing adequate and readily accessible
facilities for effective communication
• Determining the relationship between the service offered
and the needs of the Auditee
Audit Scope
• Determine range of activities
• Covering matters of significance
• Fulfilling audit objectives
• Issues with high visibility or of current concerns
• Areas of significant degree of changes
• Past non-compliance issues
• Covering past frauds or material errors
Audit Planning - Steps
• Gain an understanding
• Understand changes in environment
• Review prior work papers
• Policy, procedures, standards & guidelines
• Perform Risk Analysis
• Set audit scope & objectives
• Develop audit approach & strategy
• Assign resources
• Address engagement logistics
 Objectives o f IS Controls

Reliability
Fiduciary
Compliance
Efficiency
Objectives of Quality
IS Controls Effectiveness
Confidentiality
Security Integrity
Availability
Understanding Auditee Environment
• Business of the entity
• Organizational structure
• IT infrastructure
• Regulations, Standards, Policy, Procedures,
Guidelines and Practices
Regulations and Standards
• IT Act 2000 (as amended in 2008)
• Sarbanes Oxley Act, 2002
• PCAOB
• LODR
• ISO/IEC 27000 Family
• Regulator’s guidelines
Frameworks and Best Practices

ITAF (3rd edition)

• General Standards
• Performance Standards
• Reporting Standards

COBIT-2019
• Governance system principle
• Governance Framework principle
• Components of Governance System
• Core Governance & Management objectives
Risk Assessment
• Reviewing IT principles, policies and frameworks
• Reviewing Processes, including risk-function-specific
details and activities
• Reviewing organizational structures
• Observing culture, ethics and behavior, factors of the
employees
• Risk-specific information types for enabling risk
governance and management within the enterprise
• With regard to services, infrastructure and
applications, review service capabilities required to
provide
• risk and related functions to an enterprise
• For the people, skills and competencies enabler,
review the skills and competencies specific for risk.
Risk Management
• Collect Data
• Analyze Risk

Risk assessment procedures

• Inquiries
• Analytical procedures
• Observation and inspection
Use of Risk assessment in Audit Planning
 IT General Controls

• Operating System • System Development

Control Controls
• Organizational Controls • BCP Controls
o Segregation of duties • System Maintenance
o Job Description Controls
• Management Controls • Computer Centre
• Financial Controls Security Controls
• Data Management • Internet & Intranet
Controls Controls
• Data Processing Controls • Personal Computer
• Physical Access Controls Controls
• Logical access Controls • Audit Trail Controls
IT Application Controls
• Boundary controls
• Input Controls
• Processing Controls
• Data File Controls
• Output Controls
• Existence Controls
Risk Control Matrix (RCM)
• Details of the Risk
• Risk No. , Risk in depth
• Control No. and control objectives
• Controls implemented
• Control owner
• Process owner
• Testing plan and results
• Risk Ranking
• Used as an audit notebook
Audit Sampling

Statistical sampling
• Random sampling
• Systematic sampling

Non-statistical sampling
• Haphazard sampling
• Judgmental sampling

Business Intelligence
Purpose of Data Analysis – Using CAAT Tools
Compliance Testing
• Evidence gathering techniques
• For Compliance with Control Procedures
• Whether controls applied according to policies and
procedures
• Whether Controls are operating?
• Test the existence and effectiveness of internal
controls

Substantive Testing
• Evidence gathered to evaluate the integrity
• Ensure completeness, accuracy and validity of data
• Testing monetary errors etc.
 Design and Operational effectiveness

Design effectiveness Operational effectiveness

• Working design of • Actual performance of
controls controls
• Documented control is • Effectiveness and
effective efficiency
• By reviewing policies, • Control is working as
procedures designed
• Brainstorm
Audit Evidence
• Independence of the provider
• Qualification of the provider
• Objectivity of evidence
• Timing of evidence
• Types of evidences
o Physical examination

o Confirmation

o Documentation

o Analytical procedures

o Inquiries

o Recalculations

o Performance

o Observations
Audit Documentation
• Planning and preparation of the audit scope and
objectives
• Description and/or walkthroughs on the scoped audit
areas
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other IS Auditors and experts
• Audit findings, conclusions and recommendations
• Audit documentation relation with document
identification and dates
• A copy of the report issued as a result of the audit
work.
• Evidence of audit supervisory review
Audit Process
• Test working papers
• Organization of audit working papers
• Documents preservation
• Using work of another auditors
• Using another expert
• Evaluating strength & weaknesses
• Judging the materiality of findings
Risk Ranking
• Typically measured in terms of impact and likelihood
of occurrence
• Quantitative and qualitative analysis
• Use ordinal, internal or ratio scale
• Can not be one size fits for all
• Meaningful evaluation and prioritization
• May use colour coding – Red, orange, green
Audit report
• Executive summary
• Visual presentation
• Report structure- should contain objectives,
limitations, scope, period of audit and coverage, audit
procedure, methodology
• Audit findings/ observation in explicit term
• Related risk and impact
• Auditor’s recommendations/ opinion
• Overall conclusion
Practice Questions

46
1.Which of the following forms of evidence would be
considered to be the most reliable when assisting an IS
Auditor develop audit conclusion?
A. A confirmation letter received from a third party for the
verification of an account balance.
B. Assurance via a control self-assessment received from the
management that an application is working as designed.
C. Trend data obtained from World Wide Web (Internet)
sources.
D. Ratio analysis developed by an IS Auditor from reports
supplied by line management

Correct answer is A
Correct answer is: A. The IS Auditor requires documented
evidence to be submitted during audit procedures. Control self-
assessment though is a good control but it cannot work as an 47

evidence. Trend and ratio analysis can be used to justify some

conclusion but cannot be considered as a conclusive evidence
Q.2. During the review of the controls over the process of
defining IT service levels an IS Auditor would most likely
interview the
A. Systems programmer
B. Legal Staff
C. Business Unit Manager
D. Programmer

Correct answer is C
Business unit manager is the owner of that business unit and he is
the right authority to provide the required information in this
context. First point of interview should be with the person related
to business not the programmer or legal staff
48
Q.3. Which of the following procedures would an IS
Auditor not perform during pre-audit planning to gain an
understanding of the overall environment under review
A. Tour Key organization activities
B. Interview key members of management to understand
business risks
C. Perform compliance tests to determine if regulatory
requirements are met
D. Review prior audit reports

Correct answer is C.
During pre-audit planning there is no question of doing any
compliance test. Compliance test starts during the process of
audit. All other options are the process of collecting information
during pre-audit process
49
Q.4. The first step the IS Audit M a n a g e r should take
when preparing the annual IS audit plan is to:
A. Meet with the audit committee members to discuss the IS
audit plan for the upcoming year
B. Ensure that the IS audit staff is competent in areas that are
likely to appear on the plan and provide training as
necessary.
C. Perform a risk ranking of the current and proposed
application systems to prioritize the IS audits to be
conducted.
D. Begin with the prior year's IS audit plan and carry over any IS
audits that had not been accomplished.

50
Correct answer is C
Because IS audit services should be expended only if the risk
warrants it. Answers a, b, and d occur after c has been completed.
Answer "b" is NOT correct because the IS Audit Manager does not
know what areas are to appear on the IS audit plan until a risk
analysis is completed and discussions are held with the audit
committee members. Answer "a" is NOT correct because the IS Audit
Manager would not meet with the audit committee until a risk
analysis of areas of exposure has been completed. Answer "d" is
NOT correct because a risk analysis would be the first step before
any IS audit services are expended.

51
Q. 5. The pur pose of compliance tests is to provide
reasonable assurance that:
A. Controls are working as prescribed.
B. Documentation is accurate and current.
C. The duties of users and data processing personnel are
segregated.
D. Exposures are defined and quantified.

Correct answer is A
The compliance tests determine whether prescribed controls are
working. Answer "b" is NOT the best choice. Current and
accurate documentation may be a good procedure but it is only
one type of control procedure, therefore, answer a is a better
choice as more control procedures are evaluated. Answer "c" is
NOT the best choice because segregation of duties is only one
type of control procedure, therefore, answer a is a better choice 52

as more control procedures are evaluated. Answer "d" is NOT

the correct choice. Exposures are defined and quantified to
determine audit scope. Compliance tests provide reasonable
Q.6. IS Auditors are most likely to perform tests of internal
controls if, after their evaluation of such controls, they
conclude that:
A. A substantive approach to the audit are cost-effective
B. The control environment is poor.
C. Inherent risk is low.
D. Control risks are within the acceptable limits.

Correct answer is B
Correct answer is: B. IS auditor will most probably perform the
test of internal control when control environment is poor. When
inherent risks are low and control risks are within acceptable limit,
likelihood of testing internal controls get reduced. Concluding the
cost-effectiveness of substantive approach is not the outcome of
testing internal controls. 130
Q.7. Which of the following is the least important
factor in determining the need for an IS Auditor to
be involved in a new system development project?
A. The cost of the system
B. The value of the system to the organization.
C. The potential benefits of the system.
D. The number of lines of code to be written.

Correct answer is D
The size financial of the system is the least important of the
factors listed. All other factors have specific implications and an
IS Auditor can be used to help mitigate the risk to the
corporation with the development of a new system.
54
Q. 8.Each of the f o l l ow i n g is a general control
concern EXCEPT:
A. Organization of the IS Department.
B. Documentation procedures within the IS Department.
C. Balancing of daily control totals.
D. Physical access controls and security measures.

Correct answer is C
Balancing of daily control totals relates to specific applications
and is not considered an overall general control concern. Answer
"b" is NOT the best answer since documentation procedures
within the IS Department is an important general control concern.
Answer "a" is NOT the best answer since organization of the IS
Department is an important general control concern. Answer "d" 55
is NOT the best answer since physical access controls and
security measures are important general control concerns.
Q.9. Which of the following types of audits requires the
highest degree of technical expertise?
A. Systems software audits
B. General controls reviews
C. Microcomputer application audits
D. Mainframe application audits
Correct answer is A
The IS Auditor needs specialized education in hardware and
operating systems software. Answers b, c, and d can be performed
when an IS Auditor has a basic level of technical knowledge and
usually requires no special training.

56
Q.10. A manufacturing company has implemented a new
client/server system enterprise resource planning (ERP)
system. Local branches transmit customer orders to a central
manufacturing facility. Which of the following controls would
BEST ensure that the orders are accurately entered and the
corresponding products produced?
A. Verifying production to customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to
production
Correct answer is A.
Verification will ensure that production orders match customer
orders. Logging can be used to detect inaccuracies, but does not in
itself guarantee accurate processing. Hash totals will ensure
accurate order transmission, but not accurate processing centrally.
Production supervisory approval is a time consuming manual
 Chapter 3
IS Audit Tools and Techniques

58
Need for CAAT
• Evidence collection
• Analysis and interpretation
• Evidence verification
• Tools and techniques
Functional Capabilities
• File Access
• File Reorganization
• Data Selection
• Statistical function
• Arithmetical functions
How to Use CAATs
• Set the objectives
• Determine the content and accessibility
• Define the transaction types
• Define the procedures
• Define the output requirements
• Identify audit and IT personnel to be involved
Uses of CAATs
• Exception identification
• Control analysis
• Error identification
• Statistical sampling
• Fraud detection
• Existence check
• Consistency of data
• Duplicates
• Obsolescence
• Overdues
Types of CAATs
• Generalized Audit Software (ACL, IDEA etc.)
• Specialized audit Software
• Utility Software
Continuous Auditing Approach
• Snapshot
• Integrated Test Facility (ITF)
• System activity File Generation
• Embedded Audit Module (EAM)
• Continuous and intermittent Simulation (CIS)
• Audit Hook
• System Control Audit Review File (SCARF)
Practice Questions

65
Q.1. What is one of the key tests which can be ideally carried out using
Computer Assisted Audit Tools (CAATs)?
A. Identification of exceptional transactions based upon set criteria
B. Projections on future trends for specific parameters
C. Carrying out employees’ reference checks
D. Carry out employee appraisals Key

Correct answer is A
One of the many key tests that can be carried out by CAATs is
identification of exceptional transactions based upon set criteria. The IS
auditor can set the criteria based upon the sort of transactions which are
not expected to occur on the basis of the controls which presumably have
been incorporated in the organization’s systems. CAATs are more in the
nature of audit tools & would not be ideal for the other purposes listed in
Options B to D above. Hence, answer at Option A alone is correct.

66
Q.2. Find out the best process carried out using Computer
Assisted Audit Tools (CAATs)?
A. Carry out employee appraisals of Information Systems
Assurances Services
B. Identify potential areas of fraud
C. Projections on future trends for specific parameters
D. Carrying out employees’ reference checks Key

Correct answer is B
One of the many key tests that can be carried out by CAATs is
identification of potential areas of fraud. The IS auditor can set the
criteria based upon the sort of transactions which are not expected
to occur on the basis of presumably have been incorporated in the
organization’s systems. CAATs are more in the nature of audit
tools & would not be ideal for the other purposes listed in Options 67
A, C and D above.
Q.3. What can be ideally carried out using Computer Assisted
Audit Tools (CAATs)?
A. Carry out employee appraisals
B. Projections on future trends for specific parameters
C. Identify data which is inconsistent or erroneous
D. Carrying out employees’ reference checks Key.

Answer: C
One of the many key tests that can be carried out by CAATs is
identification of data which is inconsistent or erroneous. The IS
auditor can set the criteria based upon the sort of data which are not
expected to occur on the basis of the controls which presumably have
been incorporated in the organization’s systems. CAATs are more in
the nature of audit tools & would not be ideal for the other purposes
listed in Options A, B and D above. Hence, option C is correct.
68
Q.4. What is one of the key tests which can be ideally carried
out using Computer Assisted Audit Tools?
A. Carry out employee appraisals
B. Projections on future trends for specific parameters
C. Carrying out employees’ reference checks Key
D. Perform various types of statistical analysis

Correct answer is D
One of the many key tests that can be carried out by CAATs is the
carrying out of various types of statistical analysis which could
throw up areas of inconsistencies, defaults, etc. CAATs are more
in the nature of audit tools & would not be ideal for the other
purposes listed in Options A to C above. Hence, option D is
correct.
69
Q.5. What is one of the key tests which can be ideally carried out
using Computer Assisted Audit Tools (CAATs)?
A. Establishing whether the set controls are working as
prescribed
B. Carry out employee appraisals
C. Projections on future trends for specific parameters
D. Estimation of competitor activity Key.

Correct answer is A
One of the many key tests that can be carried out by CAATs is
establishing whether the set controls are working as intended.
CAATs are more in the nature of audit tools & would not be ideal for
the other purposes listed in Options B to D above. Hence, answer at
Option A alone is correct.

70
Q.6. What is one of the key tests which can be ideally carried
out using Computer Assisted Audit Tools (CAATs)?
A. Carry out market surveys for a new product launch
B. Establishing relationship between two or more areas &
identify duplicate transactions
C. Projections on future trends for specific parameters
D. Estimation of competitor activity Key
Correct answer is B
One of the many key tests that can be carried out by CAATs is
establishing relationship between two or more areas & identify
duplicate transactions. CAATs are more in the nature of audit tools
& would not be ideal for the other purposes listed in Options A, C
and D above. Hence, option B alone is correct.

71
Q.7. Which is one of the most effective tools and techniques to
combat fraud?
A. Computer Assisted Audit Techniques (CAAT)
B. Threats of severe punishment
C. Validation by the I.T. dept. of the police
D. Use of authenticated hard copies Key

Correct answer is A
CAAT is one of the tools useful for carrying out the detection of
suspicious transactions as a pre-emptive or post fraud activity.
Hence, answer at Option A is correct.

72
Q.8. An IS Auditor, concerned that application controls are not
adequate to prevent duplicate payment of invoices, decided to
review the data processing files for possible duplicate
payments. Which of the following techniques/tools would be
useful to the IS Auditor?
A. An integrated test facility.
B. Statistical sampling.
C. Generalized audit software.
D. The Audit Review File.
Correct answer is C
Generalized Audit software is mainly used to find duplicate data.
Options A and D are on line application audit tools and statistical
sampling may not be able to find duplicates..

73
Q.9. Many automated tools are designed for testing and
evaluating computer systems. Which one of the following such
tools impact the systems performance with a greater load and
stress on the system?
A. Test data generators
B. Statistical software packages
C. Test drivers
D. Network traffic analyzers
Correct answer is B
Statistical software packages use all data resources impacting the
processing time and response time. Network traffic analyzers also
use the system resources but not putting stress on production data.
Test data generator is not resource intensive and test drivers are
for specific use without impacting much resources.

74
Q.10. The most appropriate type of CAAT tool the auditor
should use to test security configuration settings for the entire
application systems of any organization is:
A. Generalized Audit Software
B. Test Data
C. Utility Software
D. Expert System

Correct answer is C
Statistical software packages use all data resources impacting the
processing time and response time. Network traffic analyzers also
use the system resources but not putting stress on production data.
Test data generator is not resource intensive and test drivers are
for specific use without impacting much resources. Correct answer
is C 75
 Chapter 4
Application Controls Review of Business
Applications

76
Business Application: Selection Parameters
• Business goal
• Nature of business
• Geographical spread
• Volume of transactions
• Regulatory structure
Types of Business Applications
• Accounting applications
• Banking applications
• ERP applications
• Payroll application
• Airlines reservation applications
• Other business applications
Application Controls Objectives
• Source Data Preparation and Authorisation
• Source Data Collection and Entry
• Accuracy, Completeness and Authenticity Checks
• Processing Integrity and Validity
• Output Review, Reconciliation and Error Handling
• Transaction Authentication and Integrity
Practice Questions

80
Q.1. Application controls shall include all except
A. Application controls are a subset of internal controls.
B. The purpose is to collect timely, accurate and reliable
information.
C. It is part of the of IS Auditor’s responsibility to implement
the same.
D. It is part of business application software.

Correct answer is C
Represents what auditor’s verifies but not that what he/she
implements. Rest is part of definition and purpose of application
controls.

81
Q.2. As per Income Tax Act, 1961 and banking norms, all fixed
deposit holders of bank need to submit their PAN or form 60/61(a
form as per Income Tax Act/Rules). Bank in its account opening
form, has not updated the need for form 60/61 in case PAN is not
there. This defines which control lapse as per COBIT.
A. Source Data Preparation and Authorisation:
B. Source Data Collection and Entry
C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity
Correct answer is A
A is the correct answer as the source data capture is not proper. Ensure
that source documents are prepared by authorised and qualified
personnel following established procedures, taking into account
adequate segregation of duties regarding the origination and approval
of these documents. Errors and omissions can be minimised through
good input form design.
82
Q.3. In a public sector bank while updating master data for
advances given, the bank employee does not update
“INSURANCE DATA”. This includes details of Insurance Policy,
Amount Insured, Expiry Date of Insurance and other related
information. This defines which control lapse as per COBIT.
A. Source Data Preparation and Authorisation:
B. Source Data Collection and Entry
C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity

Correct answer is C
This ensures that transactions are accurate, complete and valid.
Validate data that were input, and edit or send back for correction as
close to the point of origination as possible.

83
Q.4. An IS Auditor observed that users are occasionally
granted the authority to change system data. The elevated
system access is not consistent with company policy yet is
required for smooth functioning of business operations.
Which of the following controls would the IS Auditor
most likely recommend for long term resolution.
A. Redesign the controls related to data authentication
B. Implement additional segregation of duties controls
C. Review policy to see if a formal exception process is
required
D. Implement additional logging controls.
Correct answer is C
Policy is not a static document. When an exception is a
regular requirement, the best control is to modify the policy
accordingly. 84
Q.5. An IS Auditor, processes a dummy transaction to check
whether the system is allowing cash payments in excess of
Rs.20,000/-. This check by auditor represents which of the
following evidence collection technique?
A. Inquiry and confirmation
B. Re-calculation
C. Inspection
D. Re-performance

Correct answer is D
IS Auditor may process test data on application controls to see
how it responds.

85
Q.6. An IS Auditor is performing a post implementation review
of an organisation’s system and identified output errors within
an accounting application. The IS Auditor determined that
this was caused by input errors. Which of the following
controls should the IS Auditor recommend to management?
A. Recalculations
B. Limit Checks
C. Run-to-run total
D. Reconciliation
Correct answer is D
For finding the anomaly between input and output, reconciliation
is the best option. Re-calculation and run-to-run total will provide
the same result as earlier and limit check is a data validation
control.

86
Q.7. RBI instructed banks to stop cash retraction in all ATMs
across India from April 1, 013. This was result of few ATM
frauds detected. This action by RBI can be best classified as:
A. Creation
B. Rectification
C. Repair
D. None of above

Correct answer is B
A, is not an answer as action by RBI is based on fraud detection.
Repair is done to rectify an error which has occurred in a working
system.

87
Q.8. A central antivirus system determines whether each
personal computer has the latest signature files and
installs the latest signature file before allowing a PC to
connect to the network. This is an example of a:
A. Directive control
B. Corrective Control
C. Compensating Control
D. Detective Control
Correct answer is D
After detecting the deficiency in the situation hence it is a
detective control.

88
Q.9. Company’s billing system does not allow billing to those
dealers who have not paid advance amount against proforma
invoice. This check is best called as:
A. Limit Check
B. Dependency Check
C. Range Check
D. Duplicate Check

Correct answer is B
Dependency check is one where value of one field is related to
that of another.

89
Q.10. While posting message on FACEBOOK, if user posts the
same message again, FACEBOOK gives a warning. The
warning indicates which control.
A. Limit Check
B. Dependency Check
C. Range Check
D. Duplicate Check

Correct answer is D
D is the answer as this is a duplicate check.

90
 Chapter 5
Application Controls Review of
Specialized Systems

91
Application Controls Review
• Inquiry and confirmation
• Reperformance
• Recalculation
• Computation
• Analytical procedures
• Inspection
• Observations
• Other generally accepted methods
Artificial Intelligence
• Simulating human work
• Thinking and reasoning
• Solving simple and complex problems
• Calculations
• Cognitive Science
• Robotics
• Natural Language
Data Warehouse
• Central repository
• Clean, consistent, integrated & meaningful
information
• Extracted from multiple sources
• On-line query processing
• Subject oriented
• Support decision making, and
• Data Mart, Data Mining
IS Auditors Role
• Credibility of the source data
• Accuracy of the source data
• Complexity of the source data structure
• Accuracy of extraction and transformation process
• Access control rules
• Network capacity for speedy access
Decision Support System
• Interactive information support
• Analytical model
• Used by mainly middle management
• Queries not answered by TPS
IS Auditor’s Role
• Credibility of the source data
• Accuracy of the source data
• Accuracy of extraction and transformation process
• Accuracy and correctness of the output generated
• Access control rules
Electronic Fund Transfer
• NEFT, RTGS, IMPS
• Authorisation of payment.
• Validation of receivers details, for correctness and
completeness.
• Verifying the payment made.
• Getting acknowledgement from the receiver, or
alternatively from bank about the payment made.
• Checking whether the obligation against which
the payment was made has been fulfilled.
E-Commerce
• Information sharing, payment, service fulfilment &
support
• Authorisation
• Authentication
• Confirmation
• Payment gateway security

Point of Sales System

• Capture data at the time of transaction
• EDC, scanner, bar-code reader for data capture
• Payment and settlement
IS Auditor’s Role
• Batch control
• Exceptional logs
• Misuse of data in capture machine
• Accuracy and completeness
• On-line updation
• Compliance on regulator’s guidelines
Automated Teller Machine
• Unattended use for banking services
• Cash deposit, withdrawal, cheque book, other services
• Authorized access
• Exception reports
• On-site and off-site
• White-label, brown-label ATM
• Controls on ATM cards, PIN, green PIN
• ATM switches
• Cloning of cards
Practice Questions

10
2
1. Which of the following business purposes can be met by
implementing Data warehouse in an organisation?
A. Business continuity can be ensured in case of disaster.
B. Data in the data ware house can work as a backup
C. The data in the warehouse can be used for meeting
regulatory requirements.
D. Business decisions can be taken and future policies can
be framed based on actual transactional data.

Correct answer is D
Purpose of Data warehouse is to take business decisions and
frame future policies based on the analysis of transactional data.
It cannot act as an alternative to backup. Purpose of the data
ware house is not for business continuity nor is it for regulatory
requirements.
103
2. Which of the following is a characteristic of a decision
support system (DSS)?
A. DSS is aimed at solving highly structured problem.
B. DSS combines the use of models with non-traditional data
access and retrieval functions.
C. DSS emphasizes flexibility in decision making approach
of users.
D. DSS supports only structured decision-making tasks.

Correct answer is B.
It goes with the purpose and definition of decision support system.

104
3. Which of the following audit tools is MOST useful to an IS
auditor when an audit trail is required?
A. Integrated test facility (ITF)
B. Continuous and intermittent simulation (CIS)
C. Audit hooks
D. Snapshots

Correct answer is D.
Snapshot is the right answer as in this technique, IS auditor can
create evidence through IMAGE capturing. A snapshot tool is
most useful when an audit trail is required. ITF can be used to
incorporate test transactions into a normal production run of a
system. CIS is useful when transactions meeting certain criteria
need to be examined. Audit hooks are useful when only select
transactions or processes need to be examined.
105
4. A retail company recently installed data warehousing client
software in multiple, geographically diverse sites. Due to time
zone differences between the sites, updates to the warehouse
are not synchronized. This will affect which of the following
most?
A. Data availability
B. Data completeness
C. Data redundancy
D. Data accuracy

Correct answer is B.
Correct answer is B. One of the major bottlenecks in data ware
house is time synchronisation as the data of different time zones is
merged in data ware house. It ultimately results in in-complete
data for decision making purposes.
106
5. The cashier of a company has rights to create bank master
in TALLY. This error is a reflection of poor definition for
which type of control:
A. User Controls
B. Application Control
C. Input Control
D. Output Control

Correct answer is A.
User controls are not properly defined. User controls need to be
defined based on NEED TO KNOW and NEED TO DO basis. The
above is reflection of a greater problem of improper assessment of
user profiles created in the system

107
6. An employees has left the company. The first thing to do is to:
A. Hire a replacement employee.
B. Disable his/her access rights.
C. Ask the employee to clear all dues/advances.
D. Escort employee out of company premises

Correct answer is B.
The first thing to do as soon as an employee leaves the company is
to disable his/her access rights in system. This needs to be done to
prevent frauds being committed. Other answers may be valid but
are not the first thing to do.

108
7. As part of auditing Information Security of a multinational
bank, an auditor wants to assess the security of information in
ATM facilities. Under which privacy policy should he look for
details pertaining to security guards and CCTV surveillance of
ATM’s?
A. Physical Access and Security Policy
B. Acceptable use of Information Assets Policy
C. Asset Management Policy
D. Business Continuity Management Policy Key.

109
Correct answer is A.
Physical security describes security measures that are designed to
restrict unauthorized access to facilities, equipment and resources,
and to protect personnel and property from damage or harm (such as
espionage, theft, or terrorist attacks). Physical security involves the
use of multiple layers of interdependent systems which include
CCTV surveillance, security guards, Biometric access, RFID cards,
access cards protective barriers, locks, access control protocols, and
many other techniques. B is incorrect - An acceptable use policy
(AUP), also known as an Acceptable Usage policy or Fair Use
policy, is a set of rules applied by the owner or manager of a
network, website or large computer system that restrict the ways in
which the network, website or system may be used. C is incorrect –
This policy defines the requirements for Information Asset’s
protection. It includes assets like servers, desktops, handhelds,
software, network devices etc. Besides, it covers all assets used by
an organization- owned or leased. D is incorrect – This policy
defines the requirements to ensure continuity of business critical 110
8. Neural Networks and Fuzzy Logics are classified under
which category of Artificial intelligence?
A. Cognitive Science
B. Robotics
C. Natural Sciences
D. Virtual Reality

111
Correct answer is A.
Cognitive Science. This is an area based on research in disciplines
such as biology, neurology, psychology, mathematics and allied
disciplines. It focuses on how human brain works and how
humans think and learn. Applications of AI in the cognitive
science are Expert Systems, Learning Systems, Neural Networks,
Intelligent Agents and Fuzzy Logic. B, C and D are incorrect. B.
Robotics: This technology produces robot machines with
computer intelligence and human-like physical capabilities. This
area includes applications that give robots visual perception,
capabilities to feel by touch, dexterity and locomotion. C. Natural
Languages: Being able to 'converse' with computers in human
languages is the goal of research in this area. Interactive voice
response and natural programming languages, closer to human
conversation, are some of the applications. D. Virtual reality is
another important application that can be classified under natural
interfaces. 112
9. In an inter school competition on Artificial Intelligence, four
children develop software which performs the following
different functions respectively. Which of them is a correct
example of the use of basic Artificial Intelligence?
A. Predictive & self-learning word-processing software
B. A calculation software which arrives at the arithmetic total
of figures keyed in
C. A password system which allows access based upon keying
in of the correct password
D. A software which rejects invalid dates like 32nd March
2019.

113
Correct answer is A.
The word-processing software pops up suggested words based
upon the first few words keyed in by the user. Also, when the user
keys in a new word which is not available in its repertoire, it adds
it to its collection & reflects it as an option the next time similar
letters are initiated. In effect, the software is able to observe &
record patterns and improves through ‘learning’. The other
answers in Options B to D involve the basic computing functions
of a computer which are based on a ‘go / no-go’ logic which does
not involve pattern recognition or further learning. Hence, the
correct answer is only as in Option A which displays
characteristics of artificial intelligence.

114
10. Which are the business activities which are strong contenders
for conversion to e-commerce?
A. Those that are paper-based, time consuming & inconvenient
for customers
B. Those relating to software development
C. Those relating to the ‘electronic’ aspects of commerce
D. Those that are not paper-based, speedy & convenient for
customers.

Correct answer is A.
Maximum mileage can be gained from e-commerce by converting
those business activities which are paper-based, time consuming &
inconvenient for customers as indicated in Option A. This will help us
reduce paperwork, accelerate delivery & make it convenient for
customers to operate from the comfort of their homes as also at any
other place of their convenience. Hence, the other options are wrong. 115
 Chapter 6
IT Enabled Services

116
Classification of Audits
• Systems and applications
• Information processing facilities
• System development
• Management of IT and enterprise architecture
• Client/Server, Telecommunications, Intranets and
Extranets
• Compliance audits
• Operational audits
Types of Audits
• Financial audits
• Integrated audits
• Administrative audits
• Specialized Audits
• Information Systems Audit
• Forensic Audits
• Control Self-assessment
• Internal audit/ Compliance review
IT Enabled Services
• Drafting of IT security policies
• Procedures and processes
• Selection of appropriate application
• Design of business workflow
• Perform risk assessment
• Ensuring segregation of duties
• Ensuring right & adequate access control
Frauds
• Fraud detection process using IT
• Due professional Care
• Alert for possible opportunities
• Means of perpetrating frauds
• Exploiting the vulnerabilities
• Overriding controls
• Knowledge of fraud indicator
• Potential legal requirements
• Report to appropriate authority
Cyber Fraud Investigation
• Collecting and analyzing documentation
• Conducting interviews
• Data mining & digital forensics
• Identifying significant risk areas
• Assessing likelihood and impact
• Determine where, how and by whom committed
• Assessing sufficiency of existing controls
Cyber Fraud Risk Assessment
• Theft of critical assets
• Identity theft
• Information theft
• Copyright infringement etc.
Cyber Forensic – Digital Forensics
• Identify
• Preserve
• Analyze
• Present
Fraud investigation Tools and Techniques
• Stratification
• Classification
• Summarization
• Outliers
• Benford Laws
• Trend Analysis
• Gap Test
• Duplicate Test
• Relation
• Compare
Practice Questions

12
5
Q.1. Which of the following factors should not be
considered in establishing the priority of audits
included in an annual audit plan?
A. Prior audit findings
B. The time period since the last audit
C. Auditee procedural changes
D. Use of audit software

Correct answer is D
Use of audit software merely refers to a technique that can
be used in performing an audit. It has no relevance to the
development of the annual audit plan.
Q.2. Which of the following is LEAST likely to be
included in a review to assess the risk of fraud in
application systems?
A. Volume of transactions
B. Likelihood of error
C. Value of transactions
D. Extent of existing controls

Correct answer is B
An error is the least likely element to contribute to the potential
for fraud. Answer A and C are incorrect since volume times value
of transactions gives an indication of the maximum potential loss
through fraud. Answer D is incorrect since gross risk less
existing control gives net risk.
Q.3. A n IS auditor discovers evidence of fraud perpetrated
with a manager's user id. The manager had written the
password, allocated by the system administrator, inside
his/her desk drawer. The IS auditor should conclude that
the:
A. Manager’s assistant perpetrated the fraud.
B. Perpetrator cannot be established beyond doubt.
C. Fraud must have been perpetrated by the manager.
D. System administrator perpetrated the fraud.

Correct answer is B
The password control weaknesses means that any of the other three
options could be true. Password security would normally identify
the perpetrator. In this case, it does not establish guilt beyond doubt.
Q.4. Which of the following situations w o u l d increase
the likelihood of fraud?
A. Application programmers are implementing changes to
production programs.
B. Application programmers are implementing changes to test
programs.
C. Operations support staff are implementing changes to
batch schedules.
D. Database administrators are implementing changes to data
structures.
Correct answer is A
Production programs are used for processing an enterprise's data. It is
imperative that controls on changes to production programs are
stringent. Lack of control in this area could result in application
programs being modified to manipulate the data. Application
programmers are required to implement changes to test
programs.These are used only in development and do not directly
impact the live processing of data. The implementation of changes to
batch schedules by operations support staff will affect the scheduling
of the batches only; it does not impact the live data. Database
administrators are required to implement changes to data
structures.This is required for reorganization of the database to allow
for additions, modifications or deletions of fields or tables in the
database.
Q. 5. Neural n e t w o r k s are effective in detecting
fraud, because they can:
A. Discover new trends since they are inherently linear.
B. Solve problems where large and general sets of training data are
not obtainable.
C. Attack problems that require consideration of a large number of
input variables.
D. Make assumptions about the shape of any curve relating variables
to the output.

Correct answer is C
Neural networks can be used to attack problems that require
consideration of numerous input variables. They are capable of
capturing relationships and patterns often missed by other
statistical methods, and they will not discover new trends. Neural
networks are inherently nonlinear and make no assumption about
the shape of any curve relating variables to the output. Neural
networks will not work well at solving problems for which
sufficiently large and general sets of training data are not
obtainable.
Q.6. The FIRST step in m a n a g i n g the risk of a cyber-
attack is to:
A. Assess the vulnerability impact.
B. Evaluate the likelihood of threats.
C. Identify critical information assets.
D. Estimate potential damage.

Correct answer is C
The first step in managing risk is the identification and
classification of critical information resources (assets). Once
the assets have been identified, the process moves onto the
identification of threats, vulnerabilities and calculation of
potential damages.
Q.7. Which of the following refers to imaging of original
media in presence of an independent third party?
A. Identify
B. Preserve
C. Analyze
D. Present

Correct answer is B
Preserve refers to practice of retrieving identified information
and preserving it as evidence. The practice generally includes
the imaging of original media in presence of an independent
third party.
Q.8. As a measure of IT General controls, an organization
decides to separate those who can input data from those that can
reconcile or approve data. Is this a good move? Why?
A. Yes, it is a good move; it can help prevent unauthorised data
entry.
B. No, it is not a good move; the person who inputs the data is the
best person to approve the data too.
C. Yes, it is a good move; inputting data & reconciling data
requires different skills.
D. No, it is not a good move; data entry errors would be
compounded.

Correct answer is A
Segregation of duties is an important control tool whereby,
conflicting roles in particular, are segregated and handled by
different individuals. It reduces the risk of fraud since one person
cannot independently commit any fraud but would need to collude
with the second. Also, since the output of one individual may
Q.9. A holistic approach to deterrence & prevention of
fraud would be:
A. Strengthening of Governance and Management
framework
B. Focussing on integrity of new recruits
C. Establishing severe punishment for fraud
D. Compensating employees adequately to minimize
temptation

Correct answer is A
A holistic approach to deterrence and prevention of fraud would
require strengthening of governance and management
framework. The answers in options B to D address the issue in
bits and pieces and, hence, are not the right answers. Answer at
Option A alone is correct.
Q.10. After initial investigation, IS auditor has reasons to
believe that there is possibility of fraud, the IS auditor has to:
A. Expand activities to determine whether an investigation is
warranted.
B. Report the matter to the audit committee.
C. Report the possibility of fraud to top management and ask
how they would like to proceed.
D. Consult with external legal counsel to determine the course
of action to be taken.

Correct answer is A
An IS auditor’s responsibility for detecting fraud includes
evaluating fraud indicators and deciding whether any additional
action is necessary or whether an additional investigation should
be recommended. The IS auditor should notify the appropriate
authorities within the organization only if it has determined that the
indicators of fraud are sufficient to recommend an investigation.
Normally, the IS auditor does not have authority to consult with
? Questions

13
7
Thank You

13
8