CISA 2009 Answers

IS AUDIT PROCESS 1.1
Q1 (C) compliance testing.
Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

IS AUDIT PROCESS 1.1
Q2 (B) Detection
Detection risks are directly affected by the auditor's selection of audit procedures and techniques. Inherent risks are not usually affected by an IS auditor. Control risks are controlled by the actions of the company's management. Business risks are not affected by an IS auditor.

IS AUDIT PROCESS 1.1
Q3 (A) a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.

IS AUDIT PROCESS 1.1
Q4 (C) Using a statistical sample to inventory the tape library
A substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of exception reports, reviewing authorization for changing parameters and reviewing password history reports are all compliance tests.
IS AUDIT PROCESS 1.1
Q5 (D) resources are allocated to the areas of highest concern.
The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.

IS AUDIT PROCESS 1.1
Q6 (D) outline the overall authority, scope and responsibilities of the audit function.
An audit charter should state management's objectives for and delegation of authority to IS audit. This charter should not significantly change over time and should be approved at the highest level of management. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.

IS AUDIT PROCESS 1.1
Q7 (C) appropriate levels of protection are applied to information assets.
Full risk assessment determines the level of protection most appropriate to a given level of risk, while the baseline approach merely applies a standard set of protection regardless of risk. There is a cost advantage in not overprotecting information. However, an even bigger advantage is making sure that no information assets are over- or underprotected. The risk assessment approach will ensure an appropriate level of protection is applied, commensurate with the level of risk and asset value and, therefore, considering asset value. The baseline approach does not allow more resources to be directed toward the assets at greater risk, rather than equally directing resources to all assets.

IS AUDIT PROCESS 1.1
Q8 (A) Attribute sampling
Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.
IS AUDIT PROCESS 1.1
Q9 (A) Multiple cycles of backup files remain available.
Backup files containing documents that supposedly have been deleted could be recovered from these files. Access controls may help establish accountability for the issuance of a particular document, but this does not provide evidence of the email. Data classification standards may be in place with regards to what should be communicated via email, but the creation of the policy does not provide the information required for litigation purposes.

IS AUDIT PROCESS 1.1
Q10 (A) implemented a specific control during the development of the application system.
Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair an IS auditor's independence. Choice D is incorrect because an IS auditor's independence is not impaired by providing advice on known best practices.

IS AUDIT PROCESS 1.1
Q11 (C) can improve system security when used in time-sharing environments that process a large number of transactions.
The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization's computer systems.

IS AUDIT PROCESS 1.1
Q12 (B) establish accountability and responsibility for processed transactions.
Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system. The objective of enabling software to provide audit trails is not to improve system efficiency, since it often involves additional processing which may in fact reduce response time for users. Enabling audit trails involves storage and thus occupies disk space. Choice D is also a valid reason; however, it is not the primary reason.
IS AUDIT PROCESS 1.1
Q13 (B) vulnerabilities and threats are identified.
In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. A gap analysis would normally be done to compare the actual state to an expected or desirable state.

IS AUDIT PROCESS 1.1
Q14 (C) develop the audit plan on the basis of a detailed risk assessment.
Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff's productivity (efficiency and performance), but that which delivers value to the organization are the resources and efforts being dedicated to, and focused on, the higher risk areas.

IS AUDIT PROCESS 1.1
Q15 (D) role of the IS audit function.
An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope, and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee. Short-term and long-term planning is the responsibility of audit management. The objectives and scope of each IS audit should be agreed to in an engagement letter. A training plan, based on the audit plan, should be developed by audit management.

IS AUDIT PROCESS 1.2
Q16 (D) the threats/vulnerabilities affecting the assets.
One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risks related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.
IS AUDIT PROCESS 1.2
Q17 (A) areas of high risk.
When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. The skill sets of the audit staff should have been considered before deciding and selecting the audit. Test steps for the audit are not as critical as identifying the areas of risk, and the time allotted for an audit is determined by the areas to be audited, which are primarily selected based on the identification of risks.

IS AUDIT PROCESS 1.2
Q18 (D) purpose and scope of the audit being done.
The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence.

IS AUDIT PROCESS 1.2
Q19 (A) reasonable assurance that the audit will cover material items.
The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

IS AUDIT PROCESS 1.2
Q20 (A) the probability of error must be objectively quantified.
Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Choice B is incorrect because sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples. Choice C is incorrect because statistical sampling does not require the use of generalized audit software. Choice D is incorrect because the tolerable error rate must be predetermined for both judgment and statistical sampling.
IS AUDIT PROCESS 1.2
Q21 (A) address audit objectives.
ISACA auditing standards require that an IS auditor plan the audit work to address the audit objectives. Choice B is incorrect because the auditor does not collect evidence in the planning stage of an audit. Choices C and D are incorrect because they are not the primary goals of audit planning. The activities described in choices B, C and D are all undertaken to address audit objectives and are thus secondary to choice A.

IS AUDIT PROCESS 1.2
Q22 (A) sufficient evidence will be collected.
Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate and the auditor's past experience plays a key role in making a judgment. ISACA's guidelines provide information on how to meet the standards when performing IS audit work. Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the audit.

IS AUDIT PROCESS 1.2
Q23 (D) obtain an understanding of the security risks to information processing.
When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risks facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk assessment. Documentation and evaluation is the second step in assessing the adequacy, efficiency and effectiveness, thus identifying deficiencies or redundancy in controls. The third step is to test the access paths to determine if the controls are functioning. Lastly, the IS auditor evaluates the security environment to assess its adequacy by reviewing the written policies, observing practices and comparing them to appropriate security best practices.

IS AUDIT PROCESS 1.2
Q24 (B) the systematic collection of evidence after a system irregularity.
Choice B describes a forensic audit. The evidence collected could then be used in judicial proceedings. Forensic audits are not limited to corporate fraud. Assessing the correctness of an organization's financial statements is not the purpose of a forensic audit. Drawing a conclusion as to criminal activity would be part of a legal process and not the objective of a forensic audit.
IS AUDIT PROCESS 1.2
Q25 (D) Expand the sample of logs reviewed
Audit standards require that an IS auditor gather sufficient and appropriate audit evidence. The auditor has found a potential problem and now needs to determine if this is an isolated incident or a systematic control failure. At this stage it is too preliminary to issue an audit finding, and seeking an explanation from management is advisable, but it would be better to gather additional evidence to properly evaluate the seriousness of the situation. A backup failure, which has not been established at this point, will be serious if it involves critical data. However, the issue is not the importance of the data on the server where a problem has been detected, but whether a systematic control failure that impacts other servers exists.

IS AUDIT PROCESS 1.3
Q26 (D) Trend/variance detection tools
Trend/variance detection tools look for anomalies in user or system behavior, for example, determining whether the numbers for prenumbered documents are sequential or increasing. CASE tools are used to assist software development. Embedded (audit) data collection software is used for sampling and to provide production statistics. Heuristic scanning tools can be used to scan for viruses to indicate possible infected code.

IS AUDIT PROCESS 1.3
Q27 (D) Many user IDs have identical passwords.
Exploitation of a known user ID and password requires minimal technical knowledge and exposes the network resources to exploitation. The technical barrier is low and the impact can be very high; therefore, the fact that many user IDs have identical passwords represents the greatest threat. External modems represent a security risk, but exploitation still depends on the use of a valid user account. While the impact of users installing software on their desktops can be high (for example, due to the installation of Trojans or keylogging programs), the likelihood is not high due to the level of technical knowledge required to successfully penetrate the network. Although network monitoring can be a useful detective control, it will only detect abuse of user accounts in special circumstances and is, therefore, not a first line of defense.

IS AUDIT PROCESS 1.3
Q28 (A) The preservation of the chain of custody for electronic evidence
The primary objective of forensic software is to preserve electronic evidence to meet the rules of evidence. Choice B, time and cost savings, and choice C, efficiency and effectiveness, are legitimate concerns that differentiate good from poor forensic software packages. Choice D, the ability to search for intellectual property rights violations, is an example of a use of forensic software.
IS AUDIT PROCESS 1.3
Q29 (A) matching control totals of the imported data to control totals of the original data.
Matching control totals of the imported data with control totals of the original data is the next logical step, as this confirms the completeness of the imported data. It is not possible to confirm completeness by sorting the imported data, because the original data may not be in sorted order. Further, sorting does not provide control totals for verifying completeness. Reviewing a printout of 100 records of original data with 100 records of imported data is a process of physical verification and confirms the accuracy of only these records. Filtering data for different categories and matching them to original data would still require that control totals be developed to confirm the completeness of the data.
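The checks behind Q26 (are prenumbered documents sequential?) and Q29 (do the control totals of the import match the original?) as an added worked example in Python. This is not part of the answer key: the record set, the field names doc_no and amount, and the two faulty imports are constructed for illustration. One import has lost its last record; the other has one record replaced by a different document of the same amount, which is exactly the case a record count and an amount total both miss and a hash total catches.

```python
"""Completeness checks on a data extract before it is analyzed.

Added example, not part of the CISA answer key. The records below are
constructed for illustration and the field names (doc_no, amount) are assumed;
in practice one set comes from the source system and the other from the
imported working file.
"""
from __future__ import annotations

from collections import Counter
from decimal import Decimal
from typing import Iterable


def control_totals(records: Iterable[dict], amount_field: str, key_field: str) -> dict:
    """Record count, amount total and hash total over the key field.

    A hash total is the sum of a numeric field with no business meaning
    (here the document number). It exists only so that a dropped, extra or
    substituted record changes a total even when count and amount still agree.
    """
    count = 0
    amount = Decimal("0")
    hash_total = 0
    for rec in records:
        count += 1
        amount += Decimal(str(rec[amount_field]))
        hash_total += int(rec[key_field])
    return {"count": count, "amount": amount, "hash_total": hash_total}


def compare_totals(original: dict, imported: dict) -> list[str]:
    """Names of the control totals that disagree; an empty list means the
    import is complete with respect to these totals."""
    return [name for name in original if original[name] != imported[name]]


def sequence_check(numbers: Iterable[int]) -> dict:
    """Gap and duplicate check on prenumbered documents, the kind of
    trend/variance test described under Q26."""
    counts = Counter(numbers)
    if not counts:
        return {"missing": [], "duplicates": []}
    low, high = min(counts), max(counts)
    return {
        "missing": [n for n in range(low, high + 1) if n not in counts],
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
    }


# Constructed sample data: the source extract, an import that lost the last
# record, and an import where one record was replaced by another of equal value.
ORIGINAL = [
    {"doc_no": 1001, "amount": "250.00"},
    {"doc_no": 1002, "amount": "75.50"},
    {"doc_no": 1003, "amount": "120.00"},
    {"doc_no": 1004, "amount": "120.00"},
    {"doc_no": 1006, "amount": "40.25"},
]
IMPORT_TRUNCATED = ORIGINAL[:-1]
IMPORT_SUBSTITUTED = ORIGINAL[:3] + [{"doc_no": 1008, "amount": "120.00"}] + ORIGINAL[4:]


def run_checks(original: list[dict], imported: list[dict]) -> dict:
    """Run both checks on an import and return the findings."""
    mismatches = compare_totals(
        control_totals(original, "amount", "doc_no"),
        control_totals(imported, "amount", "doc_no"),
    )
    return {
        "mismatched_totals": mismatches,
        "sequence": sequence_check(r["doc_no"] for r in imported),
    }


if __name__ == "__main__":
    for label, data in [("truncated", IMPORT_TRUNCATED), ("substituted", IMPORT_SUBSTITUTED)]:
        print(label, run_checks(ORIGINAL, data))
```

The sequence check on its own cannot distinguish a document that was never issued from one lost in the import (1005 is missing from the original extract too), which is why it complements rather than replaces the control totals.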
IS AUDIT PROCESS 1.3
Q30 (B) Generalized audit software
Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining if there were overpayments and to whom they were made. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period.

IS AUDIT PROCESS 1.3
Q31 (D) identify and evaluate existing practices.
One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation, as doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.

IS AUDIT PROCESS 1.3
Q32 (D) identify and evaluate the existing controls.
It is important for an IS auditor to identify and evaluate the existing controls and security once the potential threats and possible impacts are identified. Upon completion of an audit an IS auditor should describe and discuss with management the threats and potential impacts on the assets.
IS AUDIT PROCESS 1.3
Q33 (A) Lack of reporting of a successful attack on the network
Not reporting an intrusion is equivalent to an IS auditor hiding a malicious intrusion, which would be a professional mistake. Although notification to the police may be required and the lack of a periodic examination of access rights might be a concern, they do not represent as big a concern as the failure to report the attack. Reporting to the public is not a requirement and is dependent on the organization's desire, or lack thereof, to make the intrusion known.

IS AUDIT PROCESS 1.3
Q34 (A) A confirmation letter received from a third party verifying an account balance
Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable.

IS AUDIT PROCESS 1.3
Q35 (A) The point at which controls are exercised as data flow through the system
An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect, since corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls. Choice D is incorrect and irrelevant since the existence and function of controls is important, not the classification.

IS AUDIT PROCESS 1.3
Q36 (C) Observation and interviews
By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IS staff, the auditor can get an overview of the tasks performed. Based on the observations and interviews the auditor can evaluate the segregation of duties. Management may not be aware of the detailed functions of each employee in the IS department; therefore, discussion with management would provide only limited information regarding segregation of duties. An organization chart would not provide details of the functions of the employees. Testing of user rights would provide information about the rights they have within the IS systems, but would not provide complete information about the functions they perform.
IS AUDIT PROCESS 1.3
Q37 (C) generalized audit software to search for address field duplications.
Since the name is not the same (due to name variations), one method to detect duplications would be to compare other common fields, such as addresses. A subsequent review to determine common customer names at these addresses could then be conducted. Searching for duplicate account numbers would not likely find duplications, since customers would most likely have different account numbers for each variation. Test data would not be useful to detect the extent of any data characteristic, but simply to determine how the data were processed.

IS AUDIT PROCESS 1.3
Q38 (D) Production library listings
The best source from which to draw any sample or test of system information is the automated system. The production libraries represent executables that are approved and authorized to process organizational data. Source program listings would be time intensive. Program change requests are the documents used to initiate change; there is no guarantee that the request has been completed for all changes. Test library listings do not represent the approved and authorized executables.

IS AUDIT PROCESS 1.3
Q39 (C) compares processing output with independently calculated data.
An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. This involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy.

IS AUDIT PROCESS 1.3
Q40 (C) graphically summarize data paths and storage.
Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

IS AUDIT PROCESS 1.3
Q41 (D) A confirmation letter received from an outside source
Evidence obtained from outside sources is usually more reliable than that obtained from within the organization. Confirmation letters received from outside parties, such as those used to verify accounts receivable balances, are usually highly reliable. Testing performed by an auditor may not be reliable if the auditor did not have a good understanding of the technical area under review.
IS AUDIT PROCESS 1.3
Q42 (C) understanding the responsibilities and authority of individuals.
An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.

IS AUDIT PROCESS 1.3
Q43 (A) Availability of online network documentation
Network operating system user features include online availability of network documentation. Other features would be user access to various resources of network hosts, user authorization to access particular resources, and the network and host computers used without special user actions or commands. Choices B, C and D are examples of network operating system functions.

IS AUDIT PROCESS 1.3
Q44 (B) interview programmers about the procedures currently being followed.
Asking programmers about the procedures currently being followed is useful in determining whether access to program documentation is restricted to authorized persons. Evaluating the record retention plans for off-premises storage tests the recovery procedures, not the access control over program documentation. Testing utilization records or data files will not address access security over program documentation.

IS AUDIT PROCESS 1.3
Q45 (B) Periodic testing does not require separate test processes.
An integrated test facility creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.

IS AUDIT PROCESS 1.3
Q46 (C) Examine some of the test cases to confirm the results.
An IS auditor should next examine cases where incorrect calculations occurred and confirm the results. After the calculations have been confirmed, further tests can be conducted and reviewed. Report preparation, findings and recommendations would not be made until all results are confirmed.
IS AUDIT PROCESS 1.3
Q47 (C) preparing simulated transactions for processing and comparing the results to predetermined results.
Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for proving accuracy of a tax calculation. Detailed visual review, flowcharting and analysis of source code are not effective methods, and monthly totals would not address the accuracy of individual tax calculations.

IS AUDIT PROCESS 1.3
Q48 (B) impact of any exposures discovered.
An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses. The other choices may be objectives of an application audit but are not part of an audit restricted to a review of controls.

IS AUDIT PROCESS 1.3
Q49 (A) Testing whether inappropriate personnel can change application parameters
To determine purchase order validity, testing access controls will provide the best evidence. Choices B and C are based on after-the-fact approaches, while choice D does not serve the purpose because what is in the system documentation may not be the same as what is happening.

IS AUDIT PROCESS 1.3
Q50 (D) Audit hooks
The audit hook technique involves embedding code in application systems for the examination of selected transactions. This helps an IS auditor to act before an error or an irregularity gets out of hand. An embedded audit module involves embedding specially written software in the organization's host application system so that application systems are monitored on a selective basis. An integrated test facility is used when it is not practical to use test data, and snapshots are used when an audit trail is required.

IS AUDIT PROCESS 1.3
Q51 (A) topology diagrams.
The first step in assessing network monitoring controls should be the review of the adequacy of network documentation, specifically topology diagrams. If this information is not up to date, then monitoring processes and the ability to diagnose problems will not be effective.
IS AUDIT PROCESS 1.3
Q52 (C) Inform appropriate personnel immediately.
The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response. Choice A should be taken after choice C. This will enable an IS auditor to examine the actual workability and effectiveness of the response system. An IS auditor should not make changes to the system being audited, and ensuring the deletion of the virus is a management responsibility.

IS AUDIT PROCESS 1.3
Q53 (C) conducting a physical count of the tape inventory.
A substantive test includes gathering evidence to evaluate the integrity of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test. Choices A, B and D are compliance tests.

IS AUDIT PROCESS 1.3
Q54 (C) preservation.
Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when conducting an investigation. Failure to properly preserve the evidence could jeopardize the acceptance of the evidence in legal proceedings. Analysis, evaluation and disclosure are important but not of primary concern in a forensic investigation.

IS AUDIT PROCESS 1.3
Q55 (B) expand the scope to include substantive testing.
If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests. There is no evidence that whatever controls might exist are either inadequate or adequate. Placing greater reliance on previous audits or suspending the audit are inappropriate actions as they provide no current knowledge of the adequacy of the existing controls.

IS AUDIT PROCESS 1.3
Q56 (A) professional independence
When an IS auditor recommends a specific vendor, they compromise professional independence. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical and professional competence is not relevant to the requirement of independence.
IS AUDIT PROCESS 1.3
Q57 (A) understand the business process.
Understanding the business process is the first step an IS auditor needs to perform. Standards do not require an IS auditor to perform a process walk-through. Identifying control weaknesses is not the primary reason for the walk-through and typically occurs at a later stage in the audit, while planning for substantive testing is performed at a later stage in the audit.

IS AUDIT PROCESS 1.3
Q58 (A) examine source program changes without information from IS personnel.
An IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify changes. Choice B is incorrect, because the changes made since the acquisition of the copy are not included in the copy of the software. Choice C is incorrect, as an IS auditor will have to gain this assurance separately. Choice D is incorrect, because any changes made between the time the control copy was acquired and the source code comparison is made will not be detected.

IS AUDIT PROCESS 1.3
Q59 (B) gain agreement on the findings.
The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings. The other choices, though related to the formal closure of an audit, are of secondary importance.

IS AUDIT PROCESS 1.3
Q60 (C) Automated code comparison
An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about unexercised portions of a program. Code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. A code review can be used as a means of code comparison but it is inefficient. The review of code migration procedures would not detect program changes.
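An added example, not from the answer key, of the source code comparison in Q58 and the automated code comparison in Q60: a control copy of the program taken at an earlier date is hashed and then diffed line by line against the current production source, so the auditor obtains the list of changes without relying on IS personnel. The two program texts and the withholding function in them are constructed; the inserted lines stand in for any change that would have to be traced back to an approved change request.

```python
"""Automated code comparison of a control copy against the production source.

Added example, not from the CISA answer key. The two program texts are
constructed for illustration; the function they contain and the change shown
are assumed, and the hashes are computed here, not taken from any real system.
"""
from __future__ import annotations

import difflib
import hashlib


def fingerprint(source: str) -> str:
    """SHA-256 of the source text: a cheap first test for 'identical or not'
    that can also be recorded in the workpapers when the control copy is taken."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_sources(control_copy: str, production: str) -> dict:
    """Compare two versions of the same program line by line.

    Returns whether they are identical and, if not, exactly which lines were
    added to or removed from the control copy, so every difference can be
    matched against the change management records.
    """
    identical = fingerprint(control_copy) == fingerprint(production)
    added, removed = [], []
    if not identical:
        # ndiff marks each line "  " (unchanged), "+ " (only in production),
        # "- " (only in the control copy) or "? " (intra-line hint, ignored).
        for line in difflib.ndiff(control_copy.splitlines(), production.splitlines()):
            tag, content = line[:2], line[2:]
            if tag == "+ ":
                added.append(content)
            elif tag == "- ":
                removed.append(content)
    return {"identical": identical, "added": added, "removed": removed}


# Constructed sample: the control copy the auditor took earlier, and the
# production source today, which carries two lines nobody has a change
# request for.
CONTROL_COPY = """\
def withholding(gross, emp_id):
    rate = 0.15
    return round(gross * rate, 2)
"""

PRODUCTION_COPY = """\
def withholding(gross, emp_id):
    rate = 0.15
    if emp_id == "E007":
        rate = 0.0
    return round(gross * rate, 2)
"""


if __name__ == "__main__":
    result = compare_sources(CONTROL_COPY, PRODUCTION_COPY)
    print("control copy :", fingerprint(CONTROL_COPY))
    print("production   :", fingerprint(PRODUCTION_COPY))
    print("identical    :", result["identical"])
    for line in result["added"]:
        print("+", line)
    for line in result["removed"]:
        print("-", line)
```

Only changes made after the control copy was taken are visible, which is the limitation the explanation of choice D above refers to; the hash recorded with the control copy is what lets the auditor show later that the copy itself was not altered in the meantime.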
IS AUDIT PROCESS 1.3
Q61 (B) identify whether such software is, indeed, being used by the organization.
When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not licensed, the auditor, to maintain objectivity and independence, must include this in the report.

IS AUDIT PROCESS 1.3
Q62 (D) confidentiality of the workpapers.
Encryption provides confidentiality for the electronic workpapers. Audit trails, audit phase approvals and access to the workpapers do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.

IS AUDIT PROCESS 1.3
Q63 (B) provide a basis for drawing reasonable conclusions.
The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them. Complying with regulatory requirements, ensuring coverage and the execution of audit are all relevant to an audit but are not the reason why sufficient and relevant evidence is required.

IS AUDIT PROCESS 1.3
Q64 (A) expand activities to determine whether an investigation is warranted.
An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if the IS auditor has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.

IS AUDIT PROCESS 1.3
Q65 (B) Generalized audit software (GAS)
Generalized audit software (GAS) would enable the auditor to review the entire invoice file to look for those items that meet the selection criteria. Attribute sampling would aid in identifying records meeting specific conditions, but would not compare one record to another to identify duplicates. To detect duplicate invoice records the IS auditor should check all of the items that meet the criteria and not just a sample of the items. Test data are used to verify program processing, but will not identify duplicate records. An integrated test facility (ITF) allows the IS auditor to test transactions through the production system, but would not compare records to identify duplicates.
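Added example of the two GAS duplicate searches, Q37 (one customer held under several name variants, found through the address field) and Q65 (duplicate invoices checked over the whole file rather than a sample), written in Python rather than a GAS package. It is not part of the answer key; the customer and invoice records, their field names and the abbreviation table are constructed. The address search deliberately returns leads, not conclusions: the second group it finds is two different people at one address, which is what the follow-up name review in Q37 is for.

```python
"""Full-population duplicate searches of the kind scripted in generalized
audit software (GAS). Added example, not from the CISA answer key; the
customer and invoice records are constructed and the field names assumed.
Serves Q37 (one customer under several name variants, detected through the
address) and Q65 (duplicate invoice payments).
"""
from __future__ import annotations

import re
from collections import defaultdict
from decimal import Decimal

# Common address words collapsed to one spelling before comparison (constructed).
ABBREVIATIONS = {
    "street": "st", "road": "rd", "avenue": "ave", "boulevard": "blvd",
    "suite": "ste", "apartment": "apt", "north": "n", "south": "s",
    "east": "e", "west": "w",
}


def normalize_address(address: str) -> str:
    """Lowercase, drop punctuation, abbreviate, collapse whitespace."""
    words = re.sub(r"[^\w\s]", " ", address.lower()).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)


def duplicate_addresses(customers: list[dict]) -> dict[str, list[dict]]:
    """Group customer records by normalized address; keep groups of two or more.
    A hit is a lead for the follow-up name review, not proof of duplication."""
    groups: dict[str, list[dict]] = defaultdict(list)
    for c in customers:
        groups[normalize_address(c["address"])].append(c)
    return {addr: recs for addr, recs in groups.items() if len(recs) > 1}


def normalize_invoice_no(inv_no: str) -> str:
    """'INV-00123' and 'inv123' are the same number once case, punctuation
    and leading zeros in the numeric part are ignored."""
    cleaned = re.sub(r"[^A-Za-z0-9]", "", inv_no).upper()
    return re.sub(r"^([A-Z]*)0+(\d)", r"\1\2", cleaned)


def duplicate_invoices(invoices: list[dict]) -> dict[str, list[list[dict]]]:
    """Two tiers: the same vendor invoice number entered twice (hard match),
    and the same vendor, amount and date under different numbers (candidates
    for review)."""
    by_number: dict[tuple, list[dict]] = defaultdict(list)
    by_vendor_amount_date: dict[tuple, list[dict]] = defaultdict(list)
    for inv in invoices:
        by_number[(inv["vendor"], normalize_invoice_no(inv["inv_no"]))].append(inv)
        key = (inv["vendor"], Decimal(inv["amount"]), inv["date"])
        by_vendor_amount_date[key].append(inv)
    return {
        "same_invoice_number": [g for g in by_number.values() if len(g) > 1],
        "same_vendor_amount_date": [g for g in by_vendor_amount_date.values() if len(g) > 1],
    }


# Constructed sample data.
CUSTOMERS = [
    {"acct": "C100", "name": "Robert Smith", "address": "12 Main Street, Suite 4"},
    {"acct": "C245", "name": "Bob Smith", "address": "12 main st. ste 4"},
    {"acct": "C310", "name": "R. Smith", "address": "12 MAIN ST STE 4"},
    {"acct": "C400", "name": "Alice Jones", "address": "7 Oak Road"},
    {"acct": "C512", "name": "Carlos Ruiz", "address": "7 oak rd"},  # same address, different person
]

INVOICES = [
    {"vendor": "V01", "inv_no": "INV-00123", "amount": "1500.00", "date": "2009-03-02"},
    {"vendor": "V01", "inv_no": "inv123", "amount": "1500.00", "date": "2009-03-09"},
    {"vendor": "V02", "inv_no": "A-77", "amount": "320.00", "date": "2009-03-02"},
    {"vendor": "V02", "inv_no": "A-78", "amount": "320.00", "date": "2009-03-02"},
    {"vendor": "V03", "inv_no": "9001", "amount": "99.00", "date": "2009-03-05"},
]


if __name__ == "__main__":
    for addr, recs in duplicate_addresses(CUSTOMERS).items():
        print(addr, "->", [(r["acct"], r["name"]) for r in recs])
    for tier, groups in duplicate_invoices(INVOICES).items():
        for g in groups:
            print(tier, "->", [(i["vendor"], i["inv_no"], i["amount"]) for i in g])
```

Both searches run over every record, which is the point of Q65: a sample can estimate how often duplicates occur but cannot say which invoices were paid twice.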
IS AUDIT PROCESS 1.3
Q66 (C) Building a program to identify conflicts in authorization
Since the objective is to identify violations in segregation of duties, it is necessary to define the logic that will identify conflicts in authorization. A program could be developed to identify these conflicts. A report of security rights in the enterprise resource planning (ERP) system would be voluminous and time consuming to review; therefore, this technique is not as effective as building a program. As complexities increase, it becomes more difficult to verify the effectiveness of the systems, and complexity is not, in itself, a link to segregation of duties. It is good practice to review recent access rights violation cases; however, it may require a significant amount of time to truly identify which violations actually resulted from an inappropriate segregation of duties.
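Added example of the program Q66 calls for: the conflict logic is written down once as pairs of business functions that must not be held by the same person, and then run over the whole rights extract instead of reading a voluminous report by eye. It is not part of the answer key; the role definitions, the conflict pairs and the user-to-role rows are constructed, and a real run would load all three from the ERP system's security tables. Because a user normally gets a function through a role, each finding also names the roles that together create the conflict, which is what the remediation has to change.

```python
"""Segregation-of-duties conflict detection run over an access rights extract.

Added example, not from the CISA answer key. The role definitions, the
conflict pairs and the user-to-role assignments are constructed; a real run
would load them from the ERP system's security tables.
"""
from __future__ import annotations

from collections import defaultdict

# Which business functions each role grants (constructed).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_SUPERVISOR": {"approve_payment"},
    "TREASURY": {"release_payment"},
    "REPORT_VIEWER": {"view_reports"},
}

# Pairs of functions that one person must not hold together (constructed).
CONFLICTING_PAIRS = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
    ("approve_payment", "release_payment"),
]

# The rights report as (user, role) rows (constructed).
USER_ROLES = [
    ("jsmith", "AP_CLERK"),
    ("jsmith", "AP_SUPERVISOR"),
    ("mlee", "AP_SUPERVISOR"),
    ("mlee", "REPORT_VIEWER"),
    ("rkhan", "TREASURY"),
    ("rkhan", "AP_SUPERVISOR"),
    ("tpark", "AP_CLERK"),
]


def effective_functions(user_roles, role_functions) -> dict[str, dict[str, set[str]]]:
    """Map user -> function -> set of roles that grant it, so every conflict
    can be traced back to the role assignments that cause it."""
    result: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for user, role in user_roles:
        for func in role_functions.get(role, ()):
            result[user][func].add(role)
    return result


def find_sod_conflicts(user_roles, role_functions, conflicting_pairs) -> list[dict]:
    """Every (user, function pair) where the user holds both sides of a conflict,
    with the roles responsible. Users are reported in sorted order."""
    granted = effective_functions(user_roles, role_functions)
    findings = []
    for user in sorted(granted):
        funcs = granted[user]
        for a, b in conflicting_pairs:
            if a in funcs and b in funcs:
                findings.append({
                    "user": user,
                    "conflict": (a, b),
                    "via_roles": sorted(funcs[a] | funcs[b]),
                })
    return findings


if __name__ == "__main__":
    for f in find_sod_conflicts(USER_ROLES, ROLE_FUNCTIONS, CONFLICTING_PAIRS):
        print(f["user"], f["conflict"], "via", ", ".join(f["via_roles"]))
```

A user who holds only one side of a pair (tpark can create vendors and enter invoices but cannot approve) produces no finding; the check is on combinations, not on individual powerful rights.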
IS AUDIT PROCESS 1.3
Q67 (B) Compliance testing
Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. It is unlikely that the system log analysis would provide information about the modification of programs. Forensic analysis is a specialized technique for criminal investigation. An analytical review assesses the general control environment of an organization.
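Q67 describes compliance testing as checking that the change management control operated as designed for each production change, by following the documentary trail. The following added example (not part of the CISA answer key) turns that into a test over a constructed deployment log and change-ticket register. The control attributes tested are assumptions: every production deployment must cite an approved ticket, the approval must predate the deployment, and the approver must not be the implementer.

```python
"""Compliance test of a change management control over production program changes.

Added example, not part of the CISA answer key. The control attributes and both
data sets are constructed assumptions."""
from datetime import datetime

# Constructed change ticket register (what the change process says was approved).
TICKETS = {
    "CHG-101": {"approved_by": "cab.lead", "approved_at": "2009-03-01T10:00"},
    "CHG-102": {"approved_by": "j.smith",  "approved_at": "2009-03-05T09:00"},
    "CHG-103": {"approved_by": "cab.lead", "approved_at": "2009-03-12T16:00"},
}

# Constructed production deployment log (what actually changed in production).
DEPLOYMENTS = [
    {"program": "payroll.exe",  "deployed_by": "j.smith", "deployed_at": "2009-03-02T08:00", "ticket": "CHG-101"},
    {"program": "ap_post.exe",  "deployed_by": "j.smith", "deployed_at": "2009-03-05T11:00", "ticket": "CHG-102"},
    {"program": "gl_close.exe", "deployed_by": "a.jones", "deployed_at": "2009-03-10T17:30", "ticket": "CHG-103"},
    {"program": "hotfix.dll",   "deployed_by": "a.jones", "deployed_at": "2009-03-11T02:15", "ticket": None},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def check_change(dep, tickets=TICKETS):
    """Apply each control attribute to one deployment; return its list of exceptions."""
    ticket = tickets.get(dep["ticket"]) if dep["ticket"] else None
    if ticket is None:
        # No documentary trail at all: the other attributes cannot be tested.
        return ["no approved change ticket"]
    problems = []
    if _ts(ticket["approved_at"]) > _ts(dep["deployed_at"]):
        problems.append("deployed before approval")
    if ticket["approved_by"] == dep["deployed_by"]:
        problems.append("implementer approved own change")
    return problems


def compliance_test(deployments=DEPLOYMENTS, tickets=TICKETS):
    """Test every deployment in the population; return (exceptions, exception_rate)."""
    exceptions = {}
    for dep in deployments:
        problems = check_change(dep, tickets)
        if problems:
            exceptions[dep["program"]] = problems
    return exceptions, len(exceptions) / len(deployments)


if __name__ == "__main__":
    exc, rate = compliance_test()
    for program, problems in exc.items():
        print(f"{program}: {'; '.join(problems)}")
    print(f"exception rate: {rate:.0%}")   # 75%
```

The test says nothing about what the programs do; it says whether the control was followed. A high exception rate here is what tells the auditor the control cannot be relied on, which then drives how much substantive testing of the programs themselves is needed.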
IS AUDIT PROCESS 1.3
Q68 (B) Gain more assurance on the findings through root cause analysis.
A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.
IS AUDIT PROCESS 1.3
Q69 (C) Rebooting the system
Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. The other choices are appropriate actions for preserving evidence.
IS AUDIT PROCESS 1.3
Q70 (D) communicate the possibility of conflict of interest to management prior to starting the assignment.
Communicating the possibility of a conflict of interest to management prior to starting the assignment is the correct answer. A possible conflict of interest, likely to affect the auditor's independence, should be brought to the attention of management prior to starting the assignment. Declining the assignment is not the correct answer because the assignment could be accepted after obtaining management approval. Informing management of the possible conflict of interest after completion of the audit assignment is not correct because approval should be obtained prior to commencement and not after the completion of the assignment. Informing the business continuity planning (BCP) team of the possible conflict of interest prior to starting the assignment is not the correct answer since the BCP team would not have the authority to decide on this issue.
IS AUDIT PROCESS 1.4
Q71 (C) Report the use of the unauthorized software and the need to prevent recurrence to auditee management.
The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in inherent exposure and can result in severe fines. An IS auditor must convince the user and user management of the risk and the need to eliminate the risk. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing or deleting the unauthorized software.
IS AUDIT PROCESS 1.4
Q72 (A) include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.
Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.
IS AUDIT PROCESS 1.4
Q73 (C) record the observations and the risk arising from the collective weaknesses.
Individually the weaknesses are minor; however, together they have the potential to substantially weaken the overall control structure. Choices A and D reflect a failure on the part of an IS auditor to recognize the combined effect of the control weaknesses. Advising the local manager without reporting the facts and observations would conceal the findings from other stakeholders.
IS AUDIT PROCESS 1.4
Q74 (B) elaborate on the significance of the finding and the risks of not correcting it.
If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.
IS AUDIT PROCESS 1.4
Q75 (D) sufficient and appropriate audit evidence.
ISACA's standard on reporting requires the IS auditor have sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be based on evidence collected during the course of the review even though the auditor may have access to the work papers of other auditors. The results of an organizational control self-assessment (CSA) could supplement the audit findings. Choices A, B and C might be referenced during an audit but, of themselves, would not be considered a sufficient basis for issuing a report.
IS AUDIT PROCESS 1.4
Q76 (C) IS auditor.
The IS auditor should make the final decision about what to include or exclude from the audit report. The other choices would limit the independence of the auditor.
IS AUDIT PROCESS 1.5
Q77 (A) can identify high-risk areas that might need a detailed review later.
CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect, because CSA requires the involvement of auditors and line management. What occurs is that the internal audit function shifts some of the control monitoring responsibilities to the functional areas. Choice C is incorrect because CSA is not a replacement for traditional audits. CSA is not intended to replace audit's responsibilities, but to enhance them. Choice D is incorrect, because CSA does not allow management to relinquish its responsibility for control.
IS AUDIT PROCESS 1.5
Q78 (A) having line managers assume a portion of the responsibility for control monitoring.
The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a control self-assessment (CSA) program depends on the degree to which line managers assume responsibility for controls. Choices B, C and D are characteristics of a traditional audit approach, not a CSA approach.
IS AUDIT PROCESS 1.5
Q79 (A) Broad stakeholder involvement
The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad stakeholder involvement. Choices B, C and D are attributes of a traditional audit approach.
IS AUDIT PROCESS 1.5
Q80 (A) Management ownership of the internal controls supporting business objectives is reinforced.
The objective of control self-assessment is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. Reducing audit expenses is not a key benefit of control self-assessment (CSA). Improved fraud detection is important, but not as important as ownership, and is not a principal objective of CSA. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.
