FreeQAs
ISACA.CISA.v2024-12-27.q999 Dumps
Question 341

Which of the following is the BEST control to help prevent sensitive data leaving an organization via email?

Correct Answer: A

Question 342

Which of the following audit risks refers to the exposure of a process or entity to be audited without taking
into account the controls that management has implemented?

Correct Answer: A
Section: The process of Auditing Information System
Explanation:
Inherent risk is the risk level or exposure of a process or entity to be audited without taking into account
the controls that management has implemented. Inherent risk exists independently of any audit and arises
from the nature of the business itself.
For the exam you should know the following about audit risk:
Audit risk refers to the risk that an auditor issues an unqualified report because of a failure to detect a
material misstatement, whether due to error or fraud. This risk is composed of inherent risk (IR), control
risk (CR) and detection risk (DR), and is modelled as:
AR = IR × CR × DR
Inherent Risk
Auditors must determine risks when working with clients. One type of risk to be aware of is inherent risk.
While assessing this level of risk, you ignore whether the client has internal controls in place (such as a
secondary review of financial statements) that would help mitigate the inherent risk; the strength of the
internal controls is considered when assessing the client's control risk. Your job when assessing inherent
risk is to evaluate how susceptible the financial statement assertions are to material misstatement given
the nature of the client's business. A few key factors can increase inherent risk.
Environment and external factors: Here are some examples of environment and external factors that can
lead to high inherent risk:
Rapid change: A business whose inventory becomes obsolete quickly experiences high inherent risk.
Expiring patents: Any business in the pharmaceutical industry also has inherently risky environment and
external factors. Drug patents eventually expire, which means the company faces competition from other
manufacturers marketing the same drug under a generic label.
State of the economy: The general level of economic growth is another external factor affecting all
businesses.
Availability of financing: Another external factor is interest rates and the associated availability of financing.
If your client is having problems meeting its short-term cash payments, available loans with low interest
rates may mean the difference between your client staying in business or having to close its doors.
Prior-period misstatements: If a company made mistakes in prior years that weren't material (not significant
enough to require a correction), those errors still exist in the financial statements. You have to aggregate
prior-period misstatements with current-year misstatements to see whether you need to ask the client to
adjust the account for the total misstatement.
You may think an understatement in one year compensates for an overstatement in another year. In
auditing, this assumption isn't true. Say you work a cash register and one night the register comes up $20
short. The next week it comes up $20 over. The two $20 differences are added together to represent the
total amount of your mistakes, which is $40 and not zero. Zero would indicate that no mistakes at all had
occurred.
Susceptibility to theft or fraud: If a certain asset is susceptible to theft or fraud, the account or balance level
may be considered inherently risky. For example, if a client has a lot of customers who pay in cash, the
balance sheet cash account is going to have risk associated with theft or fraud because of the fact that
cash is more easily diverted than customer checks or credit card payments.
Looking at industry statistics relating to inventory theft, you may also decide to consider the inventory
account as inherently risky. Small inventory items can further increase the risk of this account valuation
being incorrect because those items are easier to conceal (and therefore easier to steal).
Control Risk
Control risk has been defined under the International Standards on Auditing (ISAs) as follows:
The risk that a misstatement that could occur in an assertion about a class of transaction, account balance
or disclosure and that could be material, either individually or when aggregated with other misstatements,
will not be prevented, or detected and corrected, on a timely basis by the entity's internal control.
In simple words, control risk is the probability that a material misstatement exists in an assertion because
the misstatement was neither prevented from entering the entity's financial information nor detected and
corrected by the entity's internal control system.
It is the responsibility of management and those charged with governance to implement an internal control
system and maintain it appropriately, which includes managing control risk.
There are many reasons why control risk arises and why it cannot be eliminated entirely. Some of them are:
Cost-benefit constraints
Circumvention of controls
Inappropriate design of controls
Inappropriate application of controls
Lack of control environment and accountability
Novel situations
Outdated controls
Inappropriate segregation of duties
Detection Risk
Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.
An auditor must apply audit procedures to detect material misstatements in the financial statements
whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a
material misstatement remaining undetected by the auditor. Some detection risk is always present due to
the inherent limitations of the audit such as the use of sampling for the selection of transactions.
Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed
testing.
The following answers are incorrect:
Control risk - The risk that a material error exists that would not be prevented or detected on a timely basis
by the system of internal controls.
Detection risk - The risk that material errors or misstatements that have occurred will not be detected by an
IS auditor.
Overall audit risk - The probability that information or a financial report may contain material errors and that
the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to
limit the audit risk in the area under scrutiny so that the overall audit risk is at a sufficiently low level at the
completion of the examination.
References:
CISA review manual 2014 page number 50
http://en.wikipedia.org/wiki/Audit_risk
http://www.dummies.com/how-to/content/how-to-assess-inherent-risk-in-an-audit.html
http://pakaccountants.com/what-is-control-risk/
http://accounting-simplified.com/audit/risk-assessment/audit-risk.html

Question 343

Which of the following services is a distributed database that translates host names to IP addresses and IP addresses to host names?

Correct Answer: A
Section: Information System Operations, Maintenance and Support
Explanation:
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates information from domain names with each of the assigned entities. Most prominently, it translates easily memorized domain names to the numerical IP addresses needed for locating computer services and devices worldwide, and reverse lookups (PTR records under in-addr.arpa and ip6.arpa) map IP addresses back to names. The Domain Name System is an essential component of the functionality of the Internet.
For the exam you should know the following general Internet terminology:
Network Access Point (NAP) - Internet service providers connect to the Internet through network access points. A NAP was a public network exchange facility where Internet service providers (ISPs) connected with one another in peering arrangements. The NAPs were a key component in the transition from the 1990s NSFNET era (when many networks were government sponsored and commercial traffic was prohibited) to the commercial Internet providers of today. They were often points of considerable Internet congestion.
Internet Service Provider (ISP) - An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. Internet service providers may be organized in various forms, such as commercial, community-owned, non-profit, or otherwise privately owned. Internet services typically provided by ISPs include Internet access, Internet transit, domain name registration, web hosting and co-location.
Telnet or Remote Terminal Control Protocol - A terminal emulation program for TCP/IP networks such as the Internet. The Telnet program runs on your computer and connects your PC to a server on the network.
You can then enter commands through the Telnet program and they will be executed as if you were entering them directly on the server console. This enables you to control the server and communicate with other servers on the network. To start a Telnet session, you must log in to a server by entering a valid username and password. Telnet was a common way to remotely control Web servers. Note that Telnet sends the entire session, including the username and password, in cleartext, so anyone who can observe the network path can capture the credentials; SSH is its secure replacement.
Internet Link - An Internet link is a connection between Internet users and the Internet service provider.
Secure Shell or Secure Socket Shell (SSH) - Secure Shell (SSH), sometimes known as Secure Socket Shell, is a command interface and protocol for securely getting access to a remote computer, originally developed for UNIX systems.
It is widely used by network administrators to control Web and other kinds of servers remotely. SSH originated as a suite of three utilities - slogin, ssh, and scp - that are secure versions of the earlier UNIX utilities rlogin, rsh, and rcp. All SSH traffic is encrypted: the server authenticates itself to the client with its host key, and the client authenticates with a password (sent only inside the encrypted channel) or with a public key.
Domain Name System (DNS) - The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates information from domain names with each of the assigned entities. Most prominently, it translates easily memorized domain names to the numerical IP addresses needed for locating computer services and devices worldwide. The Domain Name System is an essential component of the functionality of the Internet.
File Transfer Protocol (FTP) - The File Transfer Protocol or FTP is a client/server application that is used to move files from one system to another. The client connects to the FTP server, authenticates and is given the access that the server is configured to permit. FTP servers can also be configured to allow anonymous access by logging in with an email address but no password. Once connected, the client may move around between directories with the commands available.
Simple Mail Transfer Protocol (SMTP) - SMTP is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems, sendmail is the most widely used SMTP server for e-mail. A commercial package, Sendmail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support.
The following answers are incorrect:
SMTP - Simple Mail Transfer Protocol (SMTP) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail.
On Unix-based systems, sendmail is the most widely used SMTP server for e-mail. A commercial package, Sendmail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support.
FTP - The File Transfer Protocol or FTP is a client/server application that is used to move files from one system to another. The client connects to the FTP server, authenticates and is given the access that the server is configured to permit. FTP servers can also be configured to allow anonymous access by logging in with an email address but no password. Once connected, the client may move around between directories with the commands available.
SSH - Secure Shell (SSH), sometimes known as Secure Socket Shell, is a command interface and protocol for securely getting access to a remote computer, originally developed for UNIX systems. It is widely used by network administrators to control Web and other kinds of servers remotely. SSH originated as a suite of three utilities - slogin, ssh, and scp - that are secure versions of the earlier UNIX utilities rlogin, rsh, and rcp. All SSH traffic is encrypted: the server authenticates itself to the client with its host key, and the client authenticates with a password (sent only inside the encrypted channel) or with a public key.
Reference:
CISA review manual 2014 page number 273 and 274
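The forward and reverse translation the question describes, as an added example that is not part of the exam page or of any ISACA material: a Python script that builds the PTR owner names (under in-addr.arpa for IPv4 and ip6.arpa for IPv6) and then applies the forward-confirmed reverse DNS check that mail servers and log-analysis tools use so that a PTR record on its own is never trusted. The host names, addresses and zone data are constructed for the example, and `lookup` is an in-memory stub standing in for a real resolver.

```python
"""Forward and reverse DNS resolution with a forward-confirmed reverse DNS (FCrDNS) check.

Added example, not code from the exam page. The zone data below is constructed
and served from an in-memory stub so the script runs offline; in production
replace `lookup` with real resolver calls (e.g. dnspython's dns.resolver.resolve)
and keep the rest unchanged.
"""
import ipaddress
from typing import List, Optional, Tuple


def ptr_name(ip: str) -> str:
    """Return the owner name queried for the reverse (PTR) lookup of an IP address.

    IPv4: octets reversed under in-addr.arpa.   192.0.2.10   -> 10.2.0.192.in-addr.arpa.
    IPv6: 32 nibbles reversed under ip6.arpa.   2001:db8::10 -> 0.1.0.0.(...).8.b.d.0.1.0.0.2.ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")      # full 32-hex-digit form, no compression
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed zone data (assumption: illustrative names under example.com/example.net,
# documentation addresses from RFC 5737 and RFC 3849; none of these are real hosts).
FORWARD = {                                    # A / AAAA records
    "mail.example.com.": ["192.0.2.10", "2001:db8::10"],
    "web.example.com.": ["192.0.2.20"],
    "spoof.example.net.": ["192.0.2.99"],      # does NOT point back at 192.0.2.30
}
REVERSE = {                                    # PTR records
    ptr_name("192.0.2.10"): ["mail.example.com."],
    ptr_name("2001:db8::10"): ["mail.example.com."],
    ptr_name("192.0.2.20"): ["web.example.com."],
    ptr_name("192.0.2.30"): ["spoof.example.net."],   # PTR the forward zone does not confirm
}


def lookup(name: str, rtype: str) -> List[str]:
    """Stub resolver: answer A, AAAA or PTR queries from the tables above."""
    if not name.endswith("."):
        name += "."
    if rtype == "PTR":
        return list(REVERSE.get(name, []))
    if rtype in ("A", "AAAA"):
        version = 6 if rtype == "AAAA" else 4
        return [a for a in FORWARD.get(name, []) if ipaddress.ip_address(a).version == version]
    raise ValueError(f"unsupported record type {rtype}")


def forward_confirmed(ip: str) -> Tuple[Optional[str], str]:
    """Forward-confirmed reverse DNS.

    A PTR record is controlled by whoever holds the address block, so by itself it
    proves nothing about the host name. Accept a name only if its own A/AAAA records
    contain the address we started from. Returns (hostname or None, reason).
    """
    addr = ipaddress.ip_address(ip)
    ptrs = lookup(ptr_name(ip), "PTR")
    if not ptrs:
        return None, "no PTR record"
    rtype = "AAAA" if addr.version == 6 else "A"
    for host in ptrs:
        if any(ipaddress.ip_address(a) == addr for a in lookup(host, rtype)):
            return host, "forward-confirmed"
    return None, "PTR not confirmed by forward lookup: " + ", ".join(ptrs)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::10", "192.0.2.30", "192.0.2.50"):
        print(f"{ip:16} {ptr_name(ip)}")
        print(f"{'':16} -> {forward_confirmed(ip)}")
```

Running the script shows the two confirmed addresses resolving to mail.example.com., 192.0.2.30 rejected because spoof.example.net. points at a different address, and 192.0.2.50 rejected for having no PTR at all. Against a live resolver the same logic applies unchanged; only `lookup` is swapped out.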

Question 344

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

Correct Answer: D
The IS auditor's best course of action in this situation is to determine whether the alternative controls sufficiently mitigate the risk. Alternative controls are different from those originally discussed and agreed with the audit function, but they may still achieve the same objective of addressing the audit issue or reducing the risk to an acceptable level. The IS auditor should evaluate whether the alternative controls are appropriate, effective, and sustainable before closing the audit finding or escalating it to senior management. The other options are not appropriate for resolving this situation, as they do not consider whether the alternative controls are adequate or reasonable. Re-prioritizing the original issue as high risk and escalating to senior management is a drastic step that may undermine the relationship between the auditor and management, and it should be done only after exhausting other means of resolving the issue. Scheduling a follow-up audit in the next audit cycle is unnecessary, as follow-up activities should be performed as soon as possible after management has implemented corrective actions. Postponing follow-up activities and escalating the alternative controls to senior audit management is premature, as follow-up activities should be completed before reporting any findings or recommendations to senior audit management. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

Question 345

An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which
of the following is MOST important?

Correct Answer: C
Section: Protection of Information Assets
Explanation:
The data owner should be informed of the risks associated with a penetration test, what types of tests are
to be conducted and other relevant details, and should give approval before the test starts. The other
choices are not as important as the data owner's responsibility for the security of the data assets.
©2026 FreeQAs