Test 1

Uploaded by Fares Salman

Which of the following implementation modes would provide the GREATEST amount of security for outbound data connecting to the internet?

A.
Transport mode with authentication header (AH) plus encapsulating security payload (ESP)

B.
Secure Sockets Layer (SSL) mode

C.
Tunnel mode with AH plus ESP

D.
Triple-DES encryption mode

Explanation:
Tunnel mode provides protection to the entire IP packet. To accomplish this, AH and ESP services can be nested. Transport mode provides primary protection for the higher layers of the protocol stack by extending protection to the data fields (payload) of an IP packet. SSL mode provides security to the higher communication layers (transport layer). Triple-DES encryption mode is an algorithm that provides confidentiality.

Use of asymmetric encryption in an internet e-commerce site, where there is one private key for the
hosting server and the public key is widely distributed to the customers, is MOST likely to provide
comfort to the:

A.
customer over the authenticity of the hosting organization.

B.
hosting organization over the authenticity of the customer.

C.
customer over the confidentiality of messages from the hosting organization.

D.
hosting organization over the confidentiality of messages passed to the customer.

Explanation:
Any false site will not be able to encrypt using the private key of the real site, so the customer
would not be able to decrypt the message using the public key. Many customers have access to
the same public key so the host cannot use this mechanism to ensure the authenticity of the
customer. The customer cannot be assured of the confidentiality of messages from the host as
many people have access to the public key and can decrypt the messages from the host. The
host cannot be assured of the confidentiality of messages sent out, as many people have access
to the public key and can decrypt it.

Which of the following encrypt/decrypt steps provides the GREATEST assurance of achieving confidentiality, message integrity and nonrepudiation by either sender or recipient?

A.
The recipient uses their private key to decrypt the secret key.

B.
The encrypted prehash code and the message are encrypted using a secret key.

C.
The encrypted prehash code is derived mathematically from the message to be sent.

D.
The recipient uses the sender’s public key, verified with a certificate authority, to decrypt the prehash code.

Explanation:
Most encrypted transactions use a combination of private keys, public keys, secret keys, hash
functions and digital certificates to achieve confidentiality, message integrity and
nonrepudiation by either sender or recipient. The recipient uses the sender’s public key to
decrypt the prehash code into a posthash code, which when equaling the prehash code, verifies
the identity of the sender and that the message has not been changed in route; this would
provide the greatest assurance. Each sender and recipient has a private key known only to
themselves and a public key, which can be known by anyone. Each encryption/decryption
process requires at least one public key and one private key, and both must be from the same
party. A single, secret key is used to encrypt the message, because secret key encryption
requires less processing power than using public and private keys. A digital certificate, signed
by a certificate authority, validates senders’ and recipients’ public keys.
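The combined flow this explanation describes (hash, sign the hash with the sender's private key, encrypt message and signature under a one-time secret key, wrap that key with the recipient's public key, then reverse it all and compare the recomputed hash), as an added Go example that is not part of the original document. It assumes SHA-256 digests, RSA-PSS signatures, RSA-OAEP key wrapping and AES-256-GCM for the secret-key step, none of which the page names, and it takes the public keys as already validated; the certificate-authority check of those keys is outside the block.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what reaches the recipient: the one-time secret key wrapped
// under the recipient's public key, a GCM nonce, and (signature || message)
// encrypted under that secret key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender side. The SHA-256 digest is the "prehash code"; signing
// it with the sender's private key gives the "encrypted prehash code". Message
// and signature are encrypted under a fresh secret key, which is wrapped with
// the recipient's public key (algorithm choices are this example's assumption).
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	prehash := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, prehash[:], nil)
	if err != nil {
		return nil, err
	}
	secret := make([]byte, 32) // one-time AES-256 key
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	gcm, err := newGCM(secret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Two-byte length prefix lets the recipient split signature from message.
	payload := append([]byte{byte(len(sig) >> 8), byte(len(sig))}, sig...)
	payload = append(payload, msg...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, secret, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open is the recipient side: unwrap the secret key with the recipient's
// private key, decrypt, recompute the digest (the "posthash code") and verify
// the signature with the sender's public key. An altered message or a forged
// sender fails here; that is the integrity and nonrepudiation check.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(secret)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err // ciphertext altered, or not the intended recipient
	}
	if len(payload) < 2 {
		return nil, errors.New("payload too short")
	}
	sigLen := int(payload[0])<<8 | int(payload[1])
	if len(payload) < 2+sigLen {
		return nil, errors.New("truncated signature")
	}
	sig, msg := payload[2:2+sigLen], payload[2+sigLen:]
	posthash := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, posthash[:], sig, nil); err != nil {
		return nil, fmt.Errorf("sender verification failed: %w", err)
	}
	return msg, nil
}
```

Generate two keys with rsa.GenerateKey, call Seal with the sender's private key and the recipient's public key, and Open with the recipient's private key and the sender's public key; Open returns an error if the ciphertext was changed in transit or the signature was not made by that sender.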

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with
the:

A.
maintenance of access logs of usage of various system resources.

B.
authorization and authentication of the user prior to granting access to system resources.

C.
adequate protection of stored data on servers by encryption or other means.

D.
accountability system and the ability to identify any terminal accessing system resources.

Explanation:
The authorization and authentication of users is the most significant aspect in a
telecommunications access control review, as it is a preventive control. Weak controls at this
level can affect all other aspects. The maintenance of access logs of usage of system resources
is a detective control. The adequate protection of data being transmitted to and from servers by
encryption or other means is a method of protecting information during transmission and is not
an access issue. The accountability system and the ability to identify any terminal accessing
system resources deal with controlling access through the identification of a terminal.

An IS auditor doing penetration testing during an audit of internet connections would:

A.
evaluate configurations.

B.
examine security settings.

C.
ensure virus-scanning software is in use.

D.
use tools and techniques available to a hacker.

Explanation:
Penetration testing is a technique used to mimic an experienced hacker attacking a live site by
using tools and techniques available to a hacker. The other choices are procedures that an IS
auditor would consider undertaking during an audit of Internet connections, but are not aspects
of penetration testing techniques.

A.
show if the message has been altered after transmission.

B.
define the encryption algorithm.

C.
confirm the identity of the originator.

D.
enable message transmission in a digital format.

Explanation:
The message digest is calculated and included in a digital signature to prove that the message
has not been altered. It should be the same value as a recalculation performed upon receipt. It
does not define the algorithm or enable the transmission in digital format and has no effect on
the identity of the user; it is there to ensure integrity rather than identity.

Which of the following concerns associated with the World Wide Web would be addressed by a
firewall?

A.
Unauthorized access from outside the organization

B.
Unauthorized access from within the organization

C.
A delay in Internet connectivity

D.
A delay in downloading using File Transfer Protocol (FTP)

Explanation:
Firewalls are meant to prevent outsiders from gaining access to an organization’s computer
systems through the internet gateway. They form a barrier with the outside world, but are not
intended to address access by internal users; they are more likely to cause delays than address
such concerns.

Which of the following is an example of a passive attack initiated through the Internet?

A.
Traffic analysis

B.
Masquerading

C.
Denial of service

D.
E-mail spoofing

Explanation:
Internet security threats/vulnerabilities are divided into passive and active
attacks. Examples of passive attacks include network analysis,
eavesdropping and traffic analysis. Active attacks include brute force
attacks, masquerading, packet replay, message modification, unauthorized
access through the Internet or web-based services, denial-of-service
attacks, dial-in penetration attacks, e-mail bombing and spamming, and e-
mail spoofing.
Which of the following would be the BEST overall control for an Internet business looking for
confidentiality, reliability and integrity of data?

A.
Secure Sockets Layer (SSL)

B.
Intrusion detection system (IDS)

C.
Public key infrastructure (PKI)

D.
Virtual private network (VPN)

Explanation:
PKI would be the best overall technology because cryptography provides for encryption, digital signatures and nonrepudiation controls for confidentiality and reliability. SSL can provide confidentiality. IDS is a detective control. A VPN would provide confidentiality and authentication (reliability).

During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department?

A. Discuss it with the IT managers.

B. Review the job descriptions of the IT functions.

C. Research past IS audit reports.

D. Evaluate the organizational structure.


The answer is A.

A. Discussing the implementation of segregation of duties with the IT managers is the best way to determine how responsibilities are assigned within the department.

B. Job descriptions may not be the best source of information because they
could be outdated or what is documented in the job descriptions may be
different from what is actually performed.

C. Past IS audit reports are not the best source of information because they
may not accurately describe how IT responsibilities are assigned.

D. Evaluating the organizational structure may give a limited view on the allocation of IT responsibilities. The responsibilities also may have changed over time.

Which of the following controls would provide the GREATEST assurance of database integrity?

A. Audit log procedures

B. Table link/reference checks

C. Query/table access time checks

D. Rollback and rollforward database features


The correct answer is B.

A. Audit log procedures enable recording of all events that have been
identified and help in tracing the events. However, they only point to the event
and do not ensure completeness or accuracy of the database contents.

B. Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity.

C. Querying/monitoring table access time checks helps designers improve database performance but not integrity.

D. Rollback and rollforward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.

Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?

A. Secure Sockets Layer (SSL)

B. Intrusion detection system (IDS)

C. Public key infrastructure (PKI)

D. Virtual private network (VPN)


The correct answer is A.

A. Secure Sockets Layer (SSL) is used for many e-commerce applications to set
up a secure channel for communications providing confidentiality through a
combination of public and symmetric key encryption and integrity through hash
message authentication code (HMAC).

B. An intrusion detection system (IDS) will log network activity but is not used for
protecting traffic over the Internet.

C. Public key infrastructure (PKI) is used in conjunction with SSL or for securing
communications such as e-commerce and email.

D. A virtual private network (VPN) is a generic term for a communications tunnel that can provide confidentiality, integrity and authentication (reliability). A VPN can operate at different levels of the Open Systems Interconnection (OSI) stack and may not always be used in conjunction with encryption. SSL can be called a type of VPN.

Which of the following has the MOST significant impact on the success of an application systems implementation?

A.
The prototyping application development methodology

B.
Compliance with applicable external requirements

C.
The overall organizational environment

D.
The software reengineering technique

The answer is C.

A. The prototyping application development technique reduces the time to deploy systems
primarily by using faster development tools that allow a user to see a high-level view of the
workings of the proposed system within a short period of time. The use of any one development
methodology will have a limited impact on the success of the project.

B. Compliance with applicable external requirements has an impact on the implementation success, but the impact is not as significant as the impact of the overall organizational environment.

C. The overall organizational environment has the most significant impact on the success of
applications systems implemented. This includes the alignment between IT and the business,
the maturity of the development processes and the use of change control and other project
management tools.

D. The software reengineering technique is a process of updating an existing system by extracting and reusing design and program components. This is used to support major changes in the way an organization operates. Its impact on the success of the application systems that are implemented is small compared with the impact of the overall organizational environment.

Which of the following is the BEST criterion for evaluating the adequacy of an organization's security awareness program?

A.
Senior management is aware of critical information assets and demonstrates an
adequate concern for their protection.

B.
Job descriptions contain clear statements of accountability for information
security.

C.
In accordance with the degree of risk and business impact, there is adequate
funding for security efforts.

D.
No actual incidents have occurred that have caused a loss or a public
embarrassment.

The correct answer is B.

A. Senior management's level of awareness and concern for information assets is a criterion for evaluating the importance that they attach to those assets and their protection, but it is not as meaningful as having job descriptions that require all staff to be responsible for information security.

B. The inclusion of security responsibilities in job descriptions is a key factor in demonstrating the maturity of the security program and helps ensure that staff and management are aware of their roles with respect to information security.

C. Funding is important, but having funding does not ensure that the security
program is effective or adequate.

D. The number of incidents that have occurred is a criterion for evaluating the
adequacy of the risk management program, but it is not a criterion for
evaluating a security program.

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:

A. increases in quality can be achieved, even if resource allocation is decreased.

B. increases in quality are only achieved if resource allocation is increased.

C. decreases in delivery time can be achieved, even if resource allocation is decreased.

D. decreases in delivery time can only be achieved if quality is decreased.


The correct answer is A.

A. The three primary dimensions of a project are determined by the deliverables, the
allocated resources and the delivery time. The area of the project management triangle,
comprised of these three dimensions, is fixed. Depending on the degree of freedom,
changes in one dimension might be compensated by changing either one or both
remaining dimensions. Thus, if resource allocation is decreased an increase in quality
can be achieved, if a delay in the delivery time of the project will be accepted. The area
of the triangle always remains constant.

B. Increases in quality can be achieved if resource allocation is increased or through increases in delivery time, not only through increases in resource allocation.

C. A decrease in both delivery time and resource allocation would mean that quality
would have to decrease.

D. A decrease in delivery time may also be addressed through an increase in resource allocation, even if the quality remains constant.

Which of the following BEST describes the role of a directory server in a public key
infrastructure (PKI)?

A. Encrypts the information transmitted over the network

B. Makes other users' certificates available to applications

C. Facilitates the implementation of a password policy

D. Stores certificate revocation lists (CRLs)


The correct answer is B.

A. Encrypting the information transmitted over the network is a role performed by a security server.

B. A directory server makes other users' certificates available to applications.

C. Facilitating the implementation of a password policy is not relevant to public key infrastructure (PKI).

D. Storing certificate revocation lists (CRLs) is a role performed by a security server.

The vice president of human resources has requested an IS audit to identify payroll overpayments for the
previous year. Which would be the BEST audit technique to use in this situation?

A. Generate sample test data

B. Generalized audit software

C. Integrated test facility

D. Embedded audit module

The correct answer is B.

A. Test data would test for the existence of controls that might prevent overpayments, but it would not
detect specific, previous miscalculations.

B. Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.

C. An integrated test facility would help identify a problem as it occurs but would not detect errors for a
previous period.

D. An embedded audit module can enable the IS auditor to evaluate a process and gather audit evidence,
but it would not detect errors for a previous period.

The MOST important difference between hashing and encryption is that hashing:

A. is irreversible.

B. output is the same length as the original message.

C. is concerned with integrity and security.

D. is the same at the sending and receiving end.

The correct answer is A.

A. Hashing works one way—by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption.

B. Hashing creates a fixed-length output that is usually smaller than the original message, and
encryption creates an output that is usually the same length as the original message.

C. Hashing is used to verify the integrity of the message and does not address security. The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest.

D. Encryption may use different keys or a reverse process at the sending and receiving ends to encrypt and decrypt.

An IS auditor discovers that devices connected to the network have not been included
in a network diagram that had been used to develop the scope of the audit. The chief
information officer (CIO) explains that the diagram is being updated and awaiting final
approval. The IS auditor should FIRST:

A.expand the scope of the IS audit to include the devices that are not on the network
diagram.

B.evaluate the impact of the undocumented devices on the audit scope.

C.note a control deficiency because the network diagram has not been approved.

D.plan follow-up audits of the undocumented devices.


The correct answer is B.

A. It is important that the IS auditor does not immediately assume that everything on the
network diagram provides information about the risk affecting a network/system. There is a
process in place for documenting and updating the network diagram.

B. In a risk-based approach to an IS audit, the scope is determined by the impact the devices
will have on the audit. If the undocumented devices do not impact the audit scope, then they
may be excluded from the current audit engagement. The information provided on a network
diagram can vary depending on what is being illustrated—for example, the network layer, cross
connections, etc.

C. In this case, there is simply a mismatch in timing between the completion of the approval
process and when the IS audit began. There is no control deficiency to be reported.

D. Planning for follow-up audits of the undocumented devices is contingent on the risk that the
undocumented devices have on the ability of the entity to meet the audit scope.

An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have legitimate business reasons for also accessing customer information. Which of the following represents the BEST control to ensure separation of the two networks?

A.Establish two physically separate networks.

B.Implement virtual local area network (VLAN) segmentation.

C.Install a dedicated router between the two networks.

D.Install a firewall between the networks.


The correct answer is D.

A. While having two physically separate networks would ensure the security of customer data, it
would make it impossible for authorized wireless users to access that data.
B. While a VLAN would provide separation of the two networks, it is possible, with sufficient
knowledge, for an attacker to gain access to one VLAN from the other.
C. A dedicated router between the two networks would separate them; however, this would be
less secure than a firewall.
D. In this case, a firewall could be used as a strong control to allow authorized users on the
wireless network to access the wired network.
1) Variable: is used to establish the reasonableness of dollar amounts.
2) Attribute: is used to determine the rate of occurrence for a specific qualitative
characteristic. If 10 of a sample of 50 transactions were not posted correctly, the error
(deviation) rate is 20%. Note: Attribute and variables sampling are plans, not selection
techniques (eg, random sampling, systematic sampling).

***** A known misstatement is a disagreement between the client and the auditor in a
circumstance where the auditor believes that the client's position results in a departure
from GAAP. This would be the case if there is a known inaccuracy in processing data as
that type of error affects the financial statements. The misapplication of accounting
principles and a classification that is different from that required from GAAP would also
represent departures. If the auditor disagrees with a client estimate, the auditor will not
necessarily conclude that the financial statements are misstated unless the amount
estimated by the client is outside of what the auditor considers an acceptable range.
How do you evaluate the results of control testing?
Auditors commonly use attribute sampling when performing tests of controls. This
sampling plan allows them to search for deviations from control
procedures. Before testing the control, auditors develop a tolerable deviation rate; this
rate is the percentage of time a control can be violated but still be considered effective.
After testing the sample, the sample deviation rate is added to the allowance for
sampling risk to calculate the upper precision limit (UPL). UPL is an estimate of the
maximum deviation rate that likely exists within the entire population. When
the UPL is above the tolerable rate, auditors conclude that the control is ineffective.
In this scenario, calculations are as follows: see picture
Because the UPL exceeds the tolerable rate, the control is considered ineffective and
requires auditors to increase (or keep at maximum) the level of control risk.
Things to remember: When evaluating results of an attribute sampling plan, auditors calculate the upper precision limit (UPL) by adding the sample deviation rate to the allowance for sampling risk. If the UPL exceeds the tolerable rate, the control is deemed ineffective, and control risk is increased or kept at maximum.
What are the steps in an attribute sampling plan?
What are some sampling risks in test of controls?

Sampling risk is the risk that the results of a sample do not represent the population and will lead the auditor to make a wrong conclusion. The two types of sampling risks relevant to tests of controls are assessing control risk (CR) too low or too high.
When evaluating the results of a sample during tests of controls, auditors compare the
deviation rate (DR) with the tolerable rate (TR) to determine the total number of
deviations in the population. If the DR is less than or equal to TR, the control is
considered effective. If DR exceeds TR, then the control is considered ineffective.
In this scenario, the sample DR is less than the TR; however, the DR in
the population exceeds TR. The sample led the auditor to conclude that the controls are
effective, when in fact they are not. Because the auditor believes the control is effective,
CR will be decreased, which will decrease risk of material misstatement and lead to
fewer substantive procedures performed.
Things to remember: The two types of sampling risks relevant to control testing are assessing control risk (CR) too low or too high. Assessing CR too low occurs when an auditor incorrectly concludes the control is more effective than it is, leading the auditor to decrease risk of material misstatement and perform fewer substantive procedures. The error occurs because the sample deviation rate (DR) is less than the tolerable rate, but the population DR exceeds it.

Stratification is the process of separating items in a population into smaller groups (strata) with similar characteristics. The grouping is useful for allocating specific portions of a sample to each group.
An auditor can separate a population of invoices into two strata: (1) Invoices between
$100 − $1,000, and (2) invoices under $100. Assume the aggregate recorded amounts
for Group 1 and Group 2 are $60,000 and $40,000, respectively. Auditors can allocate a
sample size of 20 by weighting the amount in each stratum to the total to give more
representation to larger amounts, as follows:
Things to remember: Stratification is the process of separating items in a population into smaller groups (ie, strata) with similar characteristics. It can be used to give larger amounts a greater representation when selecting items for a sample.

****** Nonsampling risk is the risk that an auditor will draw an incorrect conclusion from
an audit procedure due to a flaw in the procedure or the auditor's interpretation of the
results, which would include selecting an inappropriate audit procedure. Sampling risk is
the risk that there is a flaw with the sample, causing the auditor to draw the wrong
conclusion. This is often associated with a nonrepresentative sample, which would
cause the auditor to conclude that internal controls are more or less effective than they
actually are or concluding that a misstated balance is fairly stated or that a fairly stated
balance is misstated.

Would you use variable sampling rather than attribute sampling to find a misstatement within a record?

A misstatement within a record is also an attribute. In contrast, if the auditor were to estimate the total misstatement of the account balance, variables sampling would be used.
Note: Attribute and variables sampling are plans, not selection techniques
(eg, random sampling, systematic sampling).

What is the purpose of Probability Proportional to Size (PPS)?

Overstating assets or understating liabilities is generally done to improve an entity's financial position. Overstatements tend to be performed in large amounts and
understatements in smaller amounts. For example, overstating a $2,000 asset
transaction may be recorded as $20,000, whereas an understated liability for the same
amount could be recorded as $20.
Probability proportional to size (PPS) is a sample selection method in which items
are chosen based on their dollar value; therefore, larger (not smaller) values have a
greater chance of selection (Choice B). An advantage of this method is that it helps
to identify overstatement errors.
Things to remember: Probability proportional to size (PPS) is a sample selection method in which items are chosen based on their dollar value. Because larger values have a greater chance of selection, PPS is used to test for overstatements. In contrast, classical variables sampling treats individual items as a sampling unit, regardless of dollar amount, which is useful to test for understatements.
When would an auditor most likely use variables sampling?

The types of statistical sampling plans are variables and attribute sampling. Variables
sampling is used to reach conclusions regarding dollar amounts and to test the
reasonableness of account balances. Variables sampling is commonly used in tests of
details, such as when testing whether the accounts receivable balance is materially
misstated.

In contrast, attribute sampling is used to reach a conclusion about the rate of occurrence for a specific qualitative characteristic and is commonly used to test
controls. Auditors verifying that purchase orders are properly approved or confirming
that items were canceled correctly or that monthly reconciliations were performed are
verifying a characteristic or attribute of an item (Choices A, B, and D). The objective of
these specific procedures is to verify a trait (eg, proper signature indicating approval),
not to test balances in terms of dollar amount.

Things to remember: Variables sampling is used to reach conclusions regarding dollar amounts and to test the reasonableness of account balances. Attribute sampling is used
to reach a conclusion about the rate of occurrence for a specific qualitative
characteristic.
Under probability-proportional-to-size (PPS) sampling, how does the recorded amount of the error affect the sampling interval?

When using probability-proportional-to-size (PPS) sampling, the sampling interval has two purposes. It is used to:
1) select items from the population
2) estimate errors (ie, misstatements) in the population
To select items, the population is first organized. An item (eg, invoice) will be selected
each time the interval amount is reached (eg, one item picked for every $10,000 in the
population). Once all selections have been made, auditors will evaluate them. If no
errors are noted, auditors can conclude that the population is fairly stated.
Things to remember: Under probability-proportional-to-size (PPS) sampling, items are organized and then selected based on a sampling interval. If the recorded amount is less than the interval, the error is projected to the sampling interval. If the recorded amount is greater than the interval, the error is the actual misstatement.
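The three calculations these notes walk through (the attribute-sampling UPL test of a control, stratified allocation of a sample by dollar weight, and projection of a PPS misstatement), as an added Go example that is not part of the original notes. It assumes the allowance for sampling risk is supplied as an input (the notes' figure is not reproduced) and uses the standard tainting-percentage projection for items below the interval; zero and negative recorded amounts are rejected because, as the notes say, they need separate design consideration.

```go
package main

import (
	"errors"
	"math"
	"sort"
)

// AttributeResult holds the evaluation of one test of controls; rates are
// fractions (0.20 means 20%).
type AttributeResult struct {
	SampleDeviationRate float64
	UpperPrecisionLimit float64
	ControlEffective    bool
}

// EvaluateAttributeSample applies the rule from the notes: sample deviation
// rate = deviations / sample size, UPL = that rate + allowance for sampling
// risk, and the control is effective only when UPL does not exceed the
// tolerable rate. With 10 deviations in 50 the rate is 20%.
func EvaluateAttributeSample(sampleSize, deviations int, allowance, tolerable float64) (AttributeResult, error) {
	if sampleSize <= 0 || deviations < 0 || deviations > sampleSize {
		return AttributeResult{}, errors.New("invalid sample counts")
	}
	dr := float64(deviations) / float64(sampleSize)
	upl := dr + allowance
	return AttributeResult{SampleDeviationRate: dr, UpperPrecisionLimit: upl, ControlEffective: upl <= tolerable}, nil
}

// AllocateStratified splits sampleSize across strata in proportion to each
// stratum's recorded dollar total, so larger amounts get more representation
// ($60,000 and $40,000 strata with a sample of 20 give 12 and 8).
// Largest-remainder rounding keeps the allocations summing to sampleSize.
func AllocateStratified(sampleSize int, stratumTotals []float64) []int {
	n := len(stratumTotals)
	alloc := make([]int, n)
	var sum float64
	for _, t := range stratumTotals {
		sum += t
	}
	if sum <= 0 {
		return alloc
	}
	frac := make([]float64, n)
	assigned := 0
	for i, t := range stratumTotals {
		raw := float64(sampleSize) * t / sum
		alloc[i] = int(math.Floor(raw))
		frac[i] = raw - float64(alloc[i])
		assigned += alloc[i]
	}
	order := make([]int, n)
	for i := range order {
		order[i] = i
	}
	sort.SliceStable(order, func(a, b int) bool { return frac[order[a]] > frac[order[b]] })
	for k := 0; k < sampleSize-assigned; k++ {
		alloc[order[k%n]]++
	}
	return alloc
}

// ProjectPPSError projects one sampled misstatement as the notes describe:
// below the sampling interval the error is projected to the interval
// (tainting percentage x interval, the standard PPS method); at or above it,
// the actual misstatement is used. Zero and negative recorded amounts are
// rejected because they need separate design consideration.
func ProjectPPSError(recorded, audited, interval float64) (float64, error) {
	if recorded <= 0 || interval <= 0 {
		return 0, errors.New("recorded amount and interval must be positive")
	}
	misstatement := recorded - audited
	if recorded < interval {
		return misstatement / recorded * interval, nil
	}
	return misstatement, nil
}
```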

When performing tests of controls, auditors look for deviations from control procedures
(ie, instances when the required process is not followed). A high number (ie, rate)
of deviations from a prescribed control suggests the control is ineffective. Therefore,
the auditor will not rely on the control.
When a control is unreliable, auditors set the control risk high, suggesting that the
chance the control failed to detect a misstatement is also high. Therefore, the overall
risk of material misstatement is also increased.
Things to remember: When performing tests of controls, auditors look for deviations
from control procedures. A high number of deviations from a control suggests the
control is ineffective, implying that the chance that the control failed to detect a
misstatement is high. Therefore, the overall risk of material misstatement is also
increased.

No- Adjustments are proposed if an auditor determines there is a material
misstatement in an account balance. Misstatements are detected during
substantive procedures, not during tests of controls.
What are the inputs in determining sample size? (Hint: TEA)

Attribute sampling is a statistical sampling method that can be used to test
internal controls when a population is so large that it would be inefficient to
test every item. When determining sample size, auditors use attribute sample
size tables or computer software and input the tolerable error/deviation rate,
expected deviation rate, and allowance for sampling risk (TEA) to compute
the sample size.
Things to remember: The three inputs used to determine a sample size are
the tolerable rate, expected deviation rate, and allowance for sampling risk.
The size of the population is ordinarily not a factor when determining sample
size.
When using Probability Proportional to Size Sampling, can the auditor
begin sampling before the entire population is complete?

Yes-
There are two statistical approaches primarily used for substantive testing. These are
classical variables sampling (CVS) and probability-proportional-to-size
(PPS). CVS applies a normal distribution that requires the standard deviation (SD)
be calculated for the entire population. Therefore, it cannot be applied until the
complete population is available.
In contrast, PPS stratifies the population; items are selected proportional to dollar
values (ie, larger values have a greater chance of selection). An advantage is that
sampling can begin before the complete population is available because each piece of
the population can be stratified and sampled separately. A disadvantage of the method
is that zero and negative balances require special design consideration (eg, sampled
separately).

When would an auditor typically assess control risk as being too
high?
An auditor assesses control risk too high when a sample is not
representative and the proportion of exceptions in the sample is greater
than in the population. As a result, control risk based on the auditor's
sample will be higher, not lower than the true operating effectiveness of the
control activity. If the auditor believes a control activity relates to an
assertion when it does not, the auditor will assess control risk too low, not
too high. If the auditor believes that the control activity will reduce the
extent of substantive testing, it indicates that the auditor believes the
control can be relied upon, indicative of a low assessment of control risk,
not high.
What are the two types of sampling risk? (Hint: Alpha and Beta)
Sampling risk is the risk that a sample does not represent the population and may lead
the auditor to form an incorrect conclusion. There are two risk types, Type I and Type II,
associated with either control testing or substantive testing. In this scenario, risks refer
to substantive procedures because the auditor is testing for misstatements in account
balances, not effectiveness of controls. The risks related to substantive procedures are:
-Type I (incorrect rejection): The auditor incorrectly concludes that an account
balance is misstated when it is not.
-Type II (incorrect acceptance): The auditor incorrectly concludes that an account
balance is not misstated when it is.

How do effectiveness and efficiency affect setting control risk for sampling?

Sampling risk is the risk that a sample does not represent the population and
leads the auditor to form a wrong conclusion about that population. Generally, a
larger sample size results in less sampling risk and vice versa.
Internal controls affect the efficiency of an audit because reliable internal
controls allow auditors to perform fewer procedures (ie, control risk is set to an
appropriately low level). However, if auditors erroneously believe that the
controls are unreliable (ie, control risk is set too high), then unnecessary
substantive procedures will be added to the audit plan.
What is the impact on substantive testing sampling size if control risk is
lower?
Sample size would also be lower.
Control risk is the risk that a material misstatement will not be prevented or
detected and corrected. Thus, if control risk is assessed at a lower level than
previously, it means the auditor will be relying more on the controls and,
therefore, may allow detection risk—the risk that a material misstatement
will not be detected by the auditor—to rise, meaning the auditor can reduce
the sample size.
How do you calculate the sample deviation rate?

When testing controls, auditors look for deviations from control procedures
(ie, instances when established processes are not followed). The error rate (ie,
sample deviation rate) of a given sample is calculated by dividing the number
of deviations by the sample size.
A deviation occurs when items are improperly canceled. If auditors select
voided items, they can replace the items only after verifying that they were
properly voided in adherence with relevant control procedures. In this
scenario, the item that was properly voided and replaced does not constitute a
deviation. A lack of documentation is also considered a deviation from the
control because there is no evidence that the procedure took place. Therefore,
the error rate is 3% (ie, 3 deviations / 100 sampled vouchers).
Things to remember: When testing controls, auditors look for deviations
from control procedures. A deviation occurs when items are improperly
cancelled or lack proper documentation showing that control procedures
were followed. Items voided in adherence with control procedures are not
considered deviations.
Can you name examples of statistical and nonstatistical sampling
methods?
Auditors select items from a population using either statistical or nonstatistical sampling.
Statistical sampling uses the law of probability when selecting a sample size and allows
auditors to quantitatively evaluate sample results and measure sampling
risk. Attribute sampling is used to estimate how much of the population possesses
a specific characteristic. It is a type of statistical sampling commonly used in control
testing.
In contrast, any sampling method that does not allow the auditor to make a statistical
evaluation of the sampling results (eg, haphazard sampling) is considered a nonstatistical
sampling method. The sampling risk is unmeasurable because the results of the sample
cannot be quantitatively evaluated.
Things to remember: Statistical sampling uses the law of probability when selecting a
sample size, which allows auditors to quantitatively evaluate sample results and measure
sampling risk. In contrast, any sampling method that does not allow the auditor to make a
statistical evaluation of the sampling results is considered a nonstatistical sampling
method.

Population size has little to no effect on sample size.

There is an inverse relationship between sample size and the tolerable rate
of deviation, since the less concerned an auditor is about an error, indicated
by a high tolerable deviation rate, the less work the auditor will do to
determine if the rate is low enough. There is a direct relationship between
sample size and the degree of assurance desired since the more assurance
sought, the more work the auditor will do to achieve it. There is an inverse
relationship with the planned assessed level of control risk since the
lower the anticipated control risk, the more the auditor will plan to rely on the
control and the more work the auditor will do to make certain that control is
working effectively.

Things to remember: Under probability-proportional-to-size (PPS) sampling,
items are organized and selected based on a sampling interval. If the recorded
amount is less than the interval, the error is projected to the sampling
interval. If the recorded amount is greater than the interval, the error is the
actual misstatement.

***** Is materiality relevant to tests of controls?
No- Materiality is relevant to substantive testing.
Would an auditor's allowable risk of assessing control risk too high be a
consideration in planning an auditor's sample for test of controls?
No- If there is a high control risk, then the auditor wouldn't rely on internal
controls and instead increase substantive testing.

Therefore, for TOC planning considerations, the auditor would assess the
control risk as being too low.

Does detection risk affect the planning of a sample for a test of controls?
No- the level of detection risk is determined as a result of the auditor's
assessment of control risk; therefore, it wouldn't affect the planning.

What are some characteristics of statistical and non-statistical sampling?

How does the auditor treat voided items in a sampling population?


Auditors select items from a population using either statistical or nonstatistical
sampling. Statistical sampling uses the law of probability when selecting a
sample size and allows auditors to quantitatively evaluate sample results and
measure sampling risk. Attribute sampling is used to estimate how much of
the population possesses a specific characteristic. It is a type of statistical
sampling commonly used in control testing.
In contrast, any sampling method that does not allow the auditor to make a
statistical evaluation of the sampling results (eg, haphazard sampling) is
considered a nonstatistical sampling method. The sampling risk is unmeasurable
because the results of the sample cannot be quantitatively evaluated.
Slight nuance between variable and attribute sampling
An auditor examining inventory would most likely use variables
sampling rather than attribute sampling to?
Answer: Estimate whether the dollar amount of inventory is
reasonable.
Incorrect: A misstatement within a record is also an attribute. In
contrast, if the auditor were to estimate the total misstatement of the
account balance, variables sampling would be used.
Note: Attribute and variables sampling are plans, not selection
techniques (eg, random sampling, systematic sampling).
