我的CISA38天学习笔记(20080614考试)

voca

原帖由 appppa 于 2008-5-25 14:06 发表



关于substantive testing 和compliance testing
comliance testing是用来测试控制是否真正存在,通常通过看一个样本来判断控制是否存在
manual原话substantive tesing substatiates the integrity of actual processing，我的理解：是实质性测试时通过测试的方法来量化控制的有效性，可以是通过使用CAATS来reperform calculation或者use a statistical sample 。

The risk that the IS auditor's substantive procedures will not detect an error that could be material is.
A. Inherent risk
B. Control risk
C. Detection risk
D. Material risk

所以这题。。。。很明显是C。。。实质性过程未能发现的可能重大的错误的风险是detection risk
排除法的话A...固有风险，与实质性测试无关
          B...控制风险，不能被内控系统及时发现的可能重大的错误的风险，与IS审计员的实质性测试无关
          C...detection risk,由于测试方法的问题而产生的风险----就是这个了
          D...


RISK的其他的分类，我暂时还不知。 voca老大路过的时候回答一下，哈哈。。

俺不是老大，只是运气好，过了而已。

说的其它分类就是substantive testing 和compliance testing 啊，
2种分类可以互相引用的， 记得有个题目就是这样处理的

appppa

做题的一点点心得:
1. 不要凭经验,不要理所当然,不要看了一个选项就写答案,而是要选the BEST one,要好好地看四个选项，然后选出最好的一个。
2.IS auditor 不是内审，也不是外审，而是IS审计员，也就是说可以是外审也可以是内审。。。

[ 本帖最后由 appppa 于 2008-6-1 10:59 编辑 ]

appppa

不得不觉得自己E文真的很菜，连着两道都被ISACA耍

109、An IS auditor should be concerned when a telecommunication analyst:
A、monitors systems performance and tracks problems resulting from program changes.
B、reviews network load requirements in terms of current and future transaction volumes.
C、assesses the impact of the network load on terminal response times and network data transfer rates.
D、recommends network balancing procedures and improvements.

NOTE: The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact of network load or terminal response times and network data transfer rates (choice C), and recommending network balancing procedures and improvements (choice D). Monitoring systems performance and tracking problems as a result of program changes (choice A) would put the analyst in a self-monitoring role.

The correct answer is A.

An IS auditor should be concerned when a telecommunication analyst。。。


165. Assumptions while planning an IS project involve a high degree of risk because they are:
A. based on known constraints.
B. based on objective past data.
C. a result of a lack of information.
D. often made by unqualified people.

Assumptions are made when adequate information is not available. When an IS project manager makes an assumption, there is a high degree of risk because the lack of proper information can cause unexpected loss to an IS project. Assumptions are not based on "known" constraints. When constraints are known in advance, a project manager can plan according to those constraints rather than assuming the constraints will not affect the project. Having objective data about past IS projects will not lead to making assumptions, but rather helps the IS project manager in planning the project. Hence, if objective past data are available and the project manager makes use of them, the risk to the project is less. Regardless of whether they are made by qualified people or unqualified people, assumptions are risky.
The correct answer is C.
Assumptions while planning an IS project involve a high degree of risk because they are:

唉。。。

[ 本帖最后由 appppa 于 2008-6-4 22:59 编辑 ]

appppa

12. Which of the following online auditing techniques is most effective for the early detection of errors or irregularities?
A. Embedded audit module
B. Integrated test facility
C. Snapshots
D. Audit hooks
The correct answer is: D. Audit hooks

Explanation:
The audit hook technique involves embedding code in application systems for the examination of selected transactions. This helps the IS auditor to act before an error or an irregularity gets out of hand. An embedded audit module involves embedding specially written software in the organization's host application system so that application systems are monitored on a selective basis. An integrated test facility is used when it is not practical to use test data, and snapshots are used when an audit trail is required.

Additional information:
For me，B&C很快可以排除，因为相对embedded technique来说比较晚发现。
Embedded audit modules：A screening process that is incorporated into the regular production programs. The module selects items during the regular production runs that fulfill certain criteria established by the IS auditor and usually outputs or copies these items to a file or report.
Audit hooks：This technique involves embedding hooks in application systems to function as red flags and to induce IS auditors to act before an error or irregularity gets out of hand.
EAM和audit hook都是embedded in system,关键的区别，for EAM, the application system was monitored on a selective basis, 而audit hook可以在错误发生前告之IS审计员以便采取行动，所以可以early detection。

外婆家的桥

●█〓██▄▄▄▄▄▄ ●●●●●●●●回帖就是最好的支持!顶上去^&^>>>>>>>>>>>>>>>
▄▅██████▅▄▃▂
██████████████
◥⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲◤

外婆家的桥

偶也看不懂啊...............汗

saivia

不错，学习了。

Ryan-liumin

very good

Ryan-liumin

不过还真没看明白多少的

fishandgrass

请问一下，楼主报的是中文还是英文呢？
有什么好建议？