Understanding Business Standards and Procedures

Questions and Answers

What is the role of auditors in implementing policies, standards, guidelines, and procedures for information systems?

To support the implementation of appropriate policies, standards, guidelines, and procedures.

What is the difference between a standard and a guideline?

A standard is a mandatory requirement, while a guideline is intended to provide advice on how to achieve organizational objectives.

What is the primary purpose of a procedure according to Tonkin Effy?

To maintain the highest possible control over the outcome.

What is the significance of considering human factors in procedure evaluation?

It is essential to consider human factors to ensure that procedures are effective and efficient in achieving desired outcomes.

What is the primary focus of personal standards in everyday life?

A person's own internal standards govern everyday life, helping to achieve personal goals and objectives.

What is the purpose of 'best practices' in procedure development?

To provide suggested information to help users develop their own procedures.

What is the first step in performing an IS audit and what tasks must be completed during this step?

The first step is adequate planning, and the tasks that must be completed include listing all processes that may be considered for the audit, evaluating each process by performing a qualitative or quantitative risk assessment, defining the overall risk of each process, and prioritizing and constructing an audit plan.

What is the purpose of short-term and long-term planning in audit planning?

Short-term planning involves all audit issues that will be covered during the year, while long-term planning takes into account all risk-related issues that might be affected by the organization's IT strategic direction.

What triggers individual audits, aside from the yearly analysis of short-term and long-term issues?

Individual audits may be conducted based on new control issues, changes in risk environment, technologies, and business processes.

What is the purpose of performing a qualitative or quantitative risk assessment during audit planning?

The purpose is to evaluate each process and define the overall risk of each process, based on objective criteria.

What is the outcome of the audit planning process?

The outcome is an audit plan that includes all processes that are rated 'high', representing the ideal annual audit plan.

What is essential for an IS auditor to have during the audit planning process?

An understanding of the overall environment under review.

What type of audit evaluates the management of a system, including its configuration, team members' activities, and control environment?

System audit

What is the primary objective of a compliance audit in relation to standards and regulations?

Verify implementation of and adherence to a standard or regulation

What type of audit focuses on evaluating the effectiveness and efficiency of operational practices in service and process environments?

Operational audit

What is the purpose of a product audit, and what does it check against?

To check the attributes against the design specification.

What type of audit combines both financial and operational controls audits?

Integrated audit

What is the primary focus of a financial audit?

Verify financial records, transactions, and account balances