1. The extent to which data will be collected during an IS audit should be determined based on the: A.

availability of critical and required information. B. auditors familiarity with the circumstances. C. auditees ability to find relevant evidence. D. purpose and scope of the audit being done. 2. Which of the following ensures a senders authenticity and an e-mails confidentiality? A. Encrypting the hash of the message with the senders private key and thereafter encrypting the hash of the message with the receivers public key B. The sender digitally signing the message and thereafter encrypting the hash of the message with the senders private key C. Encrypting the hash of the message with the senders private key and thereafter encrypting the message with the receivers public key D. Encrypting the message with the senders private key and encrypting the message hash with the receivers public key 3. Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption? A. Computation speed B. Ability to support digital signatures C. Simpler key distribution D. Greater strength for a given key length 4. Which of the following controls would provide the GREATEST assurance of database integrity? A. Audit log procedures B. Table link/reference checks C. Query/table access time checks D. Rollback and rollforward database features 5. A benefit of open system architecture is that it: A. facilitates interoperability. B. facilitates the integration of proprietary components. C. will be a basis for volume discounts from equipment vendors. D. allows for the achievement of more economies of scale for equipment. Jawaban 1. ANSWER: D NOTE: The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would result most likely in less data collection, than an audit with a wider purpose and scope. The scope of an IS

audit should not be constrained by the ease of obtaining the information or by the auditors familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditees ability to find relevant evidence. 2. ANSWER: C NOTE: To ensure authenticity and confidentiality, a message must be encrypted twice: first with the senders private key, and then with the receivers public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the message with the senders private key enables anyone to decrypt it. 3. ANSWER: A NOTE: The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digital signatures and are used for public key encryption and distribution. However, a stronger key per se does not necessarily guarantee better performance, but rather the actual algorithm employed. 4. ANSWER: B NOTE: Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Audit log procedures enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the databases contents. Querying/monitoring table access time checks helps designers improve database performance, but not integrity. Rollback and rollforward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database. 5. ANSWER: A NOTE: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers systems cannot or will not interface with existing systems.

Contoh soal ujian cisa Area 1 ( Audit process) Dalam ujian CISA itu soalnya terbagi menjadi bebapa area seperti telah di singgung pada posting sebelummnya. Kali ini saya ingin berbagi mengenai beberapa contoh soal ujian CISA. Soal di bawah ini adalah contoh soal untuk area 1 mengenai Information System Audit Process. 1.An IS auditor is reviewing access to an application to determine whether the 10 most recent new user forms were correctly authorized. This is an example of A. variable sampling. B. substantive testing. C. compliance testing. D. stop-or-go sampling. 2. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks? A. Inherent B. Detection C. Control D. Business 3. Overall business risk for a particular threat can be expressed as: A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability. B. the magnitude of the impact should a threat source successfully exploit the vulnerability. C. the likelihood of a given threat source exploiting a given vulnerability. D. the collective judgment of the risk assessment team. 4. Which of the following is a substantive test? A. Checking a list of exception reports B. Ensuring approval for parameter changes C. Using a statistical sample to inventory the tape library D. Reviewing password history reports 5.Which of the following is a benefit of a risk-based approach to audit planning? Audit: A. scheduling may be performed months in advance. B. budgets are more likely to be met by the IS audit staff. C. staff will be exposed to a variety of technologies. D. resources are allocated to the areas of highest concern. Kunci Jawaban dan penjelasannya: 1.C Penjelasan : Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values such as dollar values. Substantive testing substantiates the integrity of actual processing such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests

indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-orgo sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed. 2.B Penjelasannya: Detection risks are directly affected by the auditors selection of audit procedures and techniques. Inherent risks are not usually affected by an IS auditor. Control risks are controlled by the actions of the companys management. Business risks are not affected by an IS auditor. 3.A Penjelasan : Choice A takes into consideration the likelihood and magnitude of the impact, and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process 4.C. Penjelasan : A substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of exception reports, reviewing authorization for changing parameters and reviewing password history reports are compliance tests. 5.D Penjelasan : The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.