When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?
A . The point at which controls are exercised as data flow through the system
B . Only preventive and detective controls are relevant
C . Corrective controls can only be regarded as compensating
D . Classification allows an IS auditor to determine which controls are missing
Answer: A
Explanation:
An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect, since corrective controls remove or reduce the effects of errors or irregularities and are exclusively regarded as compensating controls. Choice D is incorrect and irrelevant since the existence and function of controls is important, not the classification.
Leave a Reply