CISA Lecture Domain 1 PDF
5 Tasks Statements:
1.1 Develop and implement a risk‐based IT audit strategy in
compliance with IT audit standards to ensure that key areas are
included.
1.2 Plan specific audits to determine whether information
systems are protected, controlled and provide value to the
organization.
1.3 Conduct audits in accordance with IS audit standards,
guidelines and best practices to meet planned audit objectives.
1.4 Communicate emerging issues, potential risks, and audit
results to key stakeholders.
1.5 Advise on the implementation of risk management and control
practices within the organization, while maintaining independence.
6/23/2014
Audit planning
Short‐term planning
Long‐term planning
Things to consider
New control issues
Changing technologies
Changing business processes
Enhanced evaluation techniques
Individual audit planning
Understanding of overall environment
Business practices and functions
Information systems and technology
Regulatory requirements
Establishment
Organization
Responsibilities
Correlation to financial, operational and IT
audit functions
As of 16 August 2010
Standards (16)
Guidelines 41 (G19 is cancelled)
Procedures (11) / Audit and Assurance Tools & Techniques
IS Auditing Standards: 16
G31 Privacy
G32 Business Continuity Plan (BCP) Review From IT Perspective
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G36 Biometric Controls
G37 Configuration Management Process
G38 Access Controls
G39 IT Organization
G40 Review of Security Management Practices
G41 Return on Security Investment (ROSI)
G42 Continuous Assurance
[Risk assessment matrix slide; the vertical label reads "Sensitivity Assessment Training"]
Quadrant I (High Risk)     - Suggested Action(s): Mitigate, Transfer
Quadrant II (Medium Risk)  - Suggested Action(s): Accept, Mitigate
Quadrant III (Medium Risk) - Suggested Action(s): Accept, Mitigate, Transfer
Quadrant IV (Low Risk)     - Suggested Action(s): Accept
Preventive controls
Detective controls
Corrective controls
IS Control Procedures
Financial audits
Operational audits
Integrated audits
Administrative audits
Information systems audits
Specialized audits
Forensic audits
The IS auditor should understand the various types of audits that can be performed, internally
or externally, and the audit procedures associated with each:
Operational audits: An operational audit is designed to evaluate the internal control structure
in a given process or area. IS audits of application controls or logical security systems are
examples of operational audits.
Integrated audits: An integrated audit combines financial and operational audit steps. It is also
performed to assess the overall objectives within an organization, related to financial
information and assets' safeguarding, efficiency and compliance. An integrated audit can be
performed by external or internal auditors and would include compliance tests of internal
controls and substantive audit steps.
IS auditor’s perspectives
Security (confidentiality, integrity and availability)
Quality (effectiveness, efficiency)
Fiduciary (compliance, reliability)
Service and Capacity
1. Audit subject
Identify the area to be audited
2. Audit objective
Identify the purpose of the audit
3. Audit scope
Identify the specific systems, function or
unit of the organization
4. Pre-audit planning
Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents
Management’s responsibility
Benefits of a well‐designed internal
control system
Deterring frauds at the first instance
Detecting frauds in a timely manner
Fraud detection and disclosure
Auditor’s role in fraud prevention and
detection
Inherent risk
Control risk
Detection risk
Sampling risks
Nonsampling risks
Inherent risk: Inherent risk is the risk that an error exists in the
absence of any compensating controls, an error which could become
significant when combined with other errors.
Control risk: Control risk is the risk that a material error exists that
will not be prevented or detected in a timely manner by the system of
internal controls.
Sampling risks: These are the risks that an auditor will falsely accept
or erroneously reject an audit sample (evidence).
Nonsampling risks: These are the risks that an auditor will fail to
detect a condition because of not applying the appropriate procedure
or using procedures inconsistent with the audit objective (detection
fault).
Business risks: These are risks that are inherent in the business or
industry itself. They may be regulatory, contractual, or financial.
Operational risks: These are the risks that a process or procedure will
not perform correctly.
Residual risks: These are the risks that remain after all mitigation
efforts are performed.
Compliance test
Determines whether controls are in compliance with
management policies and procedures
Substantive test
Tests the integrity of actual processing
A procedure used during accounting audits to check for errors
in balance sheets and other financial documentation. A
substantive test might involve checking a random sample of
transactions for errors, comparing account balances to find
discrepancies, or analysis and review of procedures used to
execute and record transactions.
Auditors gather evidence about these assertions by
undertaking substantive procedures, which may include:
Actual functions
Actual processes/procedures
Security awareness
Reporting relationships
Attribute Sampling
Variable sampling
Confidence coefficient
Level of risk
Precision
Expected error rate
Sample mean
Sample standard deviation
Tolerable error rate
Population standard deviation
Sample mean: The sum of all sample values, divided by the size of the
sample. The sample mean measures the average value of the sample.
Development of CAATs
Documentation retention
Access to production data
Data manipulation
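Added example, not from the lecture: a small Python CAAT over a constructed transaction log that ties together the compliance test and substantive test slides, the attribute and variable sampling slides (deviation rate against a tolerable error rate, sample mean and standard deviation), and the CAAT slide's access to production data. The records, approval threshold, reported ledger total and tolerable error rate are all assumed values.

```python
"""Added example, not from the lecture: a small CAAT over a constructed
transaction log, exercising a compliance test and a substantive test."""
import statistics
from collections import Counter

# Constructed sample transaction log (assumed values, not real data).
TRANSACTIONS = [
    {"id": "T1", "amount": 1200.00, "initiator": "alice", "approver": "bob"},
    {"id": "T2", "amount": 15000.00, "initiator": "carol", "approver": "carol"},
    {"id": "T3", "amount": 500.00, "initiator": "dave", "approver": ""},
    {"id": "T4", "amount": 9800.00, "initiator": "erin", "approver": ""},
    {"id": "T5", "amount": 1200.00, "initiator": "alice", "approver": "bob"},
]
APPROVAL_THRESHOLD = 5000.00      # assumed policy: larger amounts need a second approver
REPORTED_LEDGER_TOTAL = 27200.00  # constructed total as reported by management
TOLERABLE_ERROR_RATE = 0.05       # assumed tolerable deviation rate for the control

def compliance_test(txns, threshold=APPROVAL_THRESHOLD):
    """Compliance test: is the approval control operating as policy prescribes?
    A deviation is a large transaction with no approver or a self-approval."""
    return [t["id"] for t in txns
            if t["amount"] > threshold
            and (not t["approver"] or t["approver"] == t["initiator"])]

def attribute_sampling_conclusion(deviations, sample_size, tolerable=TOLERABLE_ERROR_RATE):
    """Attribute sampling: compare the observed deviation rate with the tolerable rate."""
    rate = deviations / sample_size
    return rate, ("control can be relied upon" if rate <= tolerable
                  else "control cannot be relied upon")

def substantive_test(txns, reported_total):
    """Substantive test: does the recorded data itself hold up? Recompute the
    ledger total and flag duplicate postings (same amount, initiator, approver)."""
    recomputed = round(sum(t["amount"] for t in txns), 2)
    key = lambda t: (t["amount"], t["initiator"], t["approver"])
    counts = Counter(key(t) for t in txns)
    duplicates = [t["id"] for t in txns if counts[key(t)] > 1]
    return {"recomputed_total": recomputed,
            "difference": round(recomputed - reported_total, 2),
            "duplicates": duplicates}

def sample_statistics(txns):
    """Variable sampling inputs: sample mean and sample standard deviation of amounts."""
    amounts = [t["amount"] for t in txns]
    return statistics.mean(amounts), statistics.stdev(amounts)
```

On the constructed log, T2 (self-approved) and T4 (unapproved) fail the compliance test, a 40% deviation rate well above the 5% tolerable rate, while the substantive test recomputes a total 500.00 higher than the reported figure and flags T1/T5 as duplicate postings.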
Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses
Exit interview
Correct facts
Realistic recommendations
Implementation dates for agreed
recommendations
Presentation techniques
Executive summary
Visual presentation
A management technique
A methodology
In practice, a series of tools
Implementation of CSA
Facilitated workshops
Hybrid approach
Benefits of CSA
Early detection of risk
More effective and improved internal controls
Highly motivated employees
Improved audit rating process
Assurance to top management and stakeholders
Disadvantages of CSA
It may be regarded as an additional workload
Failure to act on improvement suggestions could
damage employee morale.
New Topics:
Automated Work Papers
Integrated Auditing
Continuous Auditing
Risk analysis
Audit programs
Results
Test evidences
Conclusions
Reports and other complementary
information
Integrated Auditing
Continuous Monitoring
Management‐driven
Based on automated procedures to meet
fiduciary responsibilities
Continuous Auditing
Audit‐driven
Done using automated audit procedures
Transaction logging
Query tools
Statistics and data analysis (CAAT)
Database management systems (DBMS)
Data warehouses, data marts, data mining.
Artificial intelligence (AI)
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business
Reporting Language
Advantages
Disadvantages
Difficulty in implementation
High cost
Elimination of auditors’ personal judgment and
evaluation
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies
A. preventive control.
B. management control.
C. corrective control.
D. detective control.