IT Auditor Objectivity Threats

Questions and Answers

What are management assertions?

• Declarations about the compliance with applicable regulations
• Statements made by senior management to ensure IT resources
• Specific attributes of the subject matter made by management (correct)
• Formal declarations made by the board of directors

Which of the following is NOT a common management assertion?

• Efficiency (correct)
• Confidentiality
• Compliance
• Integrity

Who is responsible for making management assertions?

• IT auditors
• Board of directors
• Senior management (correct)
• Enterprise strategies

What do management assertions usually contain?

A list of specific attributes about the subject matter (D)

What is the threat to objectivity when an IT auditor will not appropriately evaluate the results of previous judgments or services performed?

Self-review (D)

Which threat to objectivity occurs when an IT auditor promotes an auditee’s position to the point that professional objectivity is compromised?

Advocacy (D)

What is the condition that causes a weakness or diminished ability to execute audit objectives?

Impairment (A)

Which threat to objectivity involves long or close relationship with the auditee, causing the IT auditor to be too sympathetic to the interests of the auditee?

Familiarity (A)

In which situation should an IT auditor make an appropriate disclosure of the impairment to objectivity or independence?

When an impairment is identified during the audit (B)

Under what condition should an IT auditor not perform nonaudit services or roles in areas where a current or future audit is planned and would likely be performed by the same IT auditor?

When engaging an alternative internal or external resource (A)

What supports objectivity by ensuring that the IT auditor has autonomy and is not subject to conflicts of interest and undue influence exerted by the enterprise being audited?

Organizational Independence (B)

What is the crime of using dishonest methods to take something valuable from a person or enterprise?

Fraud (C)

What does an IT auditor need to do if they determine that objectivity is threatened during an audit?

Eliminate or reduce any impairment to an acceptable level or decline or terminate the audit. (C)

What should be included in the audit report if an IT auditor cannot decline or terminate the audit due to objectivity threats?

An appropriate disclosure of the impairment to objectivity or independence. (D)

When should an IT auditor's involvement in nonaudit services be approved by the chief audit executive and those formally charged with governance and oversight of the audit function?

When engaging an alternative internal or external resource is not feasible. (D)

What does an IT auditor consider throughout the execution of an IT audit?

Accuracy, integrity, and availability (C)

What is the purpose of reviewing management assertions for an IT audit?

To ascertain their sufficiency, validity, and relevance (A)

What should an IT auditor do if they feel that management will not be able to fulfill its responsibility to provide required information for the subject matter?

Inform IT audit management and those charged with governance of the audit function of the identified issue (C)

What is a code of professional ethics used to define and guide in the IT audit profession?

Individual and organizational behavior of employees (D)

What should the scope of an IT audit permit at a minimum?

Conclusion to be drawn on the subject matter (A)

What should be recorded to ensure compliance according to the text?

Only required fields (D)

What is an important aspect an IT auditor should have a reasonable expectation of while conducting an IT audit?

Completion in accordance with appropriate professional standards (B)

What does an IT auditor ensure about information, evidence, and other data required for an audit?

They exist and are accessible (C)

What should an IT auditor do if management assertions developed are inconsistent with good practice?

Inform IT audit management of the inconsistency (A)

What should amounts, dates, and other data related to recorded activities be according to the text?

Recorded appropriately (D)

What is an important consideration before beginning an audit according to the text?

Sufficient understanding of management's responsibilities (C)

What are some of the assertions considered by an IT auditor throughout an IT audit according to the text?

Sufficiency and validity (D)

What does ISACA require of its members and certification holders?

To maintain high standards of conduct and character (A)

What is meant by 'due professional care' for an IT auditor?

Exercising diligence under specific circumstances (C)

How should an IT auditor approach matters requiring professional judgment?

With skepticism, diligence, integrity, and care (B)

What should an IT auditor do to maintain professional competency?

Obtain training directed toward new audit techniques and technologies (A)

What should an IT auditor consider when planning audits?

Competence and conflicts of interest (B)

Why is it important for IT auditors to maintain their competencies?

To comply with developments in professional standards (A)

What should an IT auditor do with information obtained in the course of carrying out duties?

Maintain privacy and confidentiality (D)

What is one of the audit concepts addressed in the Code of Professional Ethics?

Objectivity (B)

What does due professional care require an IT auditor to consider?

Incompetence and conflicts of interest (B)

What should an IT auditor do to achieve audit objectives?

Demonstrate sufficient understanding and competency (C)

What is meant by 'objectivity' in the context of IT auditing?

The ability to exercise judgment with impartiality (A)

What are the three key elements in Cressey's fraud triangle?

Opportunity, motivation, rationalization (D)

Which element of the fraud triangle refers to the perceived financial or other need of the fraudster?

Rationalization (A)

What does rationalization refer to in the context of the fraud triangle?

The way the fraudster internally justifies the crime (C)

What is created by abuse of position and authority, poor internal controls, and poor management oversight?

Opportunity (A)

Which element of the fraud triangle does an IT auditor have the most control over?

Opportunity (C)

What is responsible for establishing, implementing, and maintaining an internal control system that leads to the deterrence and/or timely detection of fraud?

Management (A)

When considering IT assets, what can limit opportunities to commit fraud?

Logical access and segregation of duties (A)

What should management do if an act is alleged, suspected, or detected?

Participate in the investigation process (A)

What is an irregularity according to the text?

A violation of established management policy or regulatory requirement (D)

What is important for enterprises to have in place to identify irregularities and illegal acts quickly?

Awareness, prevention and detection mechanisms (C)

What can directly impact an enterprise's finances and reputation?

Irregularities and illegal acts (B)

Who is responsible for disclosing to an IT auditor any irregularities or illegal acts?

Management (C)

What is the term for the suppression or omission of the effects of transactions from records or documents?

Fraudulent financial reporting (B)

Which of the following is an example of an act that involves noncompliance with laws and regulations?

Unauthorized disclosure of data subject to privacy laws (D)

What is an IT auditor responsible for in relation to irregularities or illegal acts?

Assessing the risk of irregularities or illegal acts (A)

During an IT audit, what may be an indication of persons committing irregularities or illegal acts?

Increase in complaints from customers (B)

What should an IT auditor do after discovering instances or indicators of fraud during regular assurance work?

Communicate the need for a detailed investigation to appropriate authorities (A)

Which action should an IT auditor take if a major fraud is identified?

Communicate it in a timely manner to the audit committee (A)

In relation to an identified act, what should an IT auditor do after receiving direction from informed parties?

Determine subsequent actions such as reporting to enterprise management or internal fraud investigators (D)

What does 'skimming' refer to in the context of irregularities and fraud?

Misappropriation of cash before it is recorded in financial records (C)

What is the role of an IT auditor when performing an audit?

Assessing the risk of irregularities or illegal acts (D)

What should an IT auditor do if they discover instances or indicators of fraud during regular assurance work?

Communicate the need for a detailed investigation to appropriate authorities (C)

What should an IT auditor do after receiving direction from informed parties about an identified act?

Perform limited additional procedures to determine the effect of the act and whether additional acts took place (D)

What actions should an IT auditor take if a major fraud is identified?

Communicate it in a timely manner to the audit committee for appropriate action (B)