An IS auditor is performing a routine procedure to test for the possible existence of fraudulent transactions. Given there is no reason to suspect the existence of fraudulent transactions, which of the following data analytics techniques should be employed?
Correct Answer: C
Section: The process of Auditing Information System
Question 472
Which of the following would be the MOST efficient audit approach, given that a compliance-based approach was adopted in the previous year?
Correct Answer: D
Section: The process of Auditing Information System
Question 473
Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?
Correct Answer: D
Question 474
Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?
Correct Answer: B
This is because the business processes are the core activities and functions that enable the organization to achieve its objectives and create value for its stakeholders. The business processes are also the sources and drivers of various risks that may affect the organization's performance, compliance, and reputation. Therefore, the IS auditor should focus on understanding, assessing, and prioritizing the business processes that are most critical, complex, or vulnerable to the organization's success, and align the audit objectives, scope, and resources accordingly12. Critical business applications (A) are not the most important area of focus for an IS auditor when developing a risk-based audit strategy, but rather a specific aspect of the business processes that may require attention. Critical business applications are the software systems that support the execution and automation of the business processes, such as enterprise resource planning (ERP), customer relationship management (CRM), or accounting systems. Critical business applications may pose significant risks to the organization if they are not reliable, secure, or efficient. Therefore, the IS auditor should consider the criticality, functionality, and dependency of the business applications when planning the audit, but not as the primary focus12. Existing IT controls are not the most important area of focus for an IS auditor when developing a risk-based audit strategy, but rather an outcome or output of the risk assessment process. Existing IT controls are the policies, procedures, practices, and technologies that are implemented to manage and mitigate the IT-related risks that may affect the organization's business processes and objectives. Existing IT controls may vary in their design, effectiveness, and maturity. Therefore, the IS auditor should evaluate and test the existing IT controls as part of the audit execution and reporting process, but not as the main focus12. Recent audit results (D) are not the most important area of focus for an IS auditor when developing a risk-based audit strategy, but rather an input or source of information for the risk assessment process. Recent audit results are the findings, recommendations, and opinions of previous audits that may provide insights or feedback on the organization's business processes, risks, and controls. Recent audit results may also indicate any changes or trends in the organization's risk profile or environment. Therefore, the IS auditor should review and consider the recent audit results as part of the audit planning and scoping process, but not as the main focus12.
Question 475
Which of the following is the BEST security control to validate the integrity of data communicated between production databases and a big data analytics system?
Correct Answer: A
Explanation Hashing is a technique that transforms data into a fixed-length value, called a hash or a digest, that uniquely represents the original data. Hashing can be used to validate the integrity of data communicated between production databases and a big data analytics system by comparing the hash values of the data before and after the communication. If the hash values match, the data has not been altered; if they differ, the data has been tampered with or corrupted. Hashing is a better security control than encrypting, running and comparing the count function, or hosting a digital certificate for this purpose because: Encrypting in-scope data sets can protect the confidentiality of the data, but not necessarily the integrity. Encryption algorithms can be broken or bypassed by malicious actors, or encryption keys can be compromised or lost. Moreover, encryption adds overhead to the communication process and may affect the performance of the big data analytics system. Running and comparing the count function within the in-scope data sets can only verify the number of records or elements in the data sets, but not the content or quality of the data. The count function cannot detect any changes or errors in the data values, such as missing, duplicated, corrupted, or manipulated data. Hosting a digital certificate for in-scope data sets can provide authentication and non-repudiation for the data sources, but not integrity for the data itself. A digital certificate is a document that contains information about the identity and public key of an entity, such as a person, organization, or device. A digital certificate does not contain or verify the actual data that is communicated between production databases and a big data analytics system. References: Ensuring Data Integrity with Hash Codes Database Security: An Essential Guide Control methods of Database Security
