1. What is an audit universe and what does it include? List and describe each component you would include in an audit universe.
2. What is Control Objectives for Information and Related Technology (COBIT) and why is it valuable to management and IT auditors?
3. Why are risk assessments significant to the audit function? How does risk help inform an audit?
4. As the IT audit senior of the engagement, you are presenting to the IT manager and partner (as part of the planning meeting) the results of the risk assessment performed in Exhibit 3.3. Based on such results (look at Exhibit 3.3, under the “Risk Rating” and “Action Priority” columns), it seems clear that the audit should focus on Financial Application #2 (FA2). Nevertheless, the IT manager and partner, based on previous relevant experience, believe that the audit should be performed on Financial Application #1 (FA1). The planning meeting is over, and you still feel doubtful on the decision just made. Your task: Answer the questions below showing why the audit should focus on FA#2. In other words, think of additional information not necessarily documented in the risk assessment shown in Exhibit 3.3 related to:
a. Any additional vulnerabilities or weaknesses that may currently be in place affecting FA2
b. Any additional threat-sources that can trigger the vulnerabilities or weaknesses you just identified for FA2
c. Any additional risks or situations involving exposure to loss for the financial information in FA2
d. Any additional controls or procedures that should be implemented to mitigate the risks just identified
5. You are an external IT auditor asked to perform a review of the following: The Financial Transactions Application (FTA) is causing a problem with the General Ledger Application (GLA) due to the timing of the transfer of transactions. Data was transferred late by FTA causing end-of-the-month reports to be inaccurately stated. Managers met to review prior month’s activity reports and noticed a shortfall of $50,000 in some accounts. Prepare an audit plan to conduct procedures to address this type of situation.