Auditing: Benford's Law and Auditor Independence

Questions and Answers

What is the primary risk mitigation focus when verifying the existence of robust patch management processes in an IaaS environment?

• Data encryption
• Data center outages
• System vulnerabilities (correct)
• Physical security

Who is typically responsible for encrypting sensitive data before uploading it to the cloud?

• Managed service provider
• Client (correct)
• Third-party auditor
• Cloud provider

What information must be documented in the audit documentation for each engagement according to AS 1215?

• Auditor independence and staff training (correct)
• Vendor invoices
• Employee salaries
• Cloud service agreement details

What type of cloud service model would you choose to rent virtual machines that include CPUs, RAM, storage, and networking?

IaaS (A)

Who is responsible for the physical security of data centers where cloud services are hosted?

Cloud provider (A)

What does the Y-axis represent on a Benford distribution graph?

The percentage of numbers starting with a specific leading digit (A)

What type of report would an auditor issue when evaluating the design and implementation of controls over financial reporting?

SOC 1 Type II (D)

What does a significant deviation from the expected Benford distribution in a set of vendor invoices suggest?

Further investigation is warranted to understand the cause of the deviation (D)

What is the most suitable list for analysis with Benford's Law?

List of employee salaries within a department (D)

What type of report would an auditor request from a third-party service provider when auditing the financial reports of a company that outsources its payroll?

SOC 1 Type II (A)

What is the typical shape of a graph representing the distribution of leading digits in accordance with Benford's Law?

A downward sloping curve (B)

Who is primarily responsible for the configuration and maintenance of the database that stores customer data in a SaaS application?

The cloud provider (C)