Step 2

Uploaded by

Fares Salman

1- Before an IS auditor can begin an audit of infrastructure or application systems, the auditor must understand the environment.

2- Automated controls include validation and edit checks, programmed logic functions, and controls.

3- Manual controls are those that auditors or staff manually verify, such as the review of reconciliation reports and exception reports.

4- The purpose of both automated and manual controls is to verify the following:

. The validity of data processed is ensured.
. The accuracy of data processed is ensured.
. The data is stored so that controls maintain its security, preserving the accuracy, validity, confidentiality, and integrity of the data.
. Processed data is valid and meets expectations.

5- Auditors can perform control checks by doing the following:

. Discovering and identifying application components so that transaction flow can be analyzed.
. Determining the appropriate audit procedures to perform tests to evaluate strengths and weaknesses of the application.
. Analyzing test results.
. Validating the results and reporting on the application’s effectiveness and efficiency. The results should also be measured against good programming standards and compared against management’s objectives for the application.

Setting the Scope of the Review

The audit engagement letter should set out clearly the types of matters that will be reviewed during
the audit and the scope of such review.

- Before controls can be examined, an auditor must understand the business strategy and the business process.

- To understand business objectives and strategy, start with the company’s business plan. Next, review the long- and short-term goals. Finally, review the organization’s goals.

- After reviewing this background information, examine process flow charts. Next, review application controls, data integrity controls, and controls for business systems.

- When reviewing input controls, the auditor must ensure that all transactions have been entered correctly. Whatever controls are used, they should be capable of checking that input is valid. This becomes important because in many automated systems, the output of one system is the input of another. In such situations, data should be checked to verify the information from both the sending and receiving applications.

Types of authorization controls include these:

. Signatures on forms or documents approving a change.
. Password controls that are required to process a change.
. Client identification controls that allow only certain clients to authorize the change. As an example, the clerk at the local market cannot authorize a price override, yet the manager can by using their access login.

- A batch control is a second type of input control. Batch controls combine transactions into a group. This group then has a value assigned. The total for the group can be based on dollar amounts, total counts, total document numbers, or hash totals. This number should match the count in the receivables system.

- Total dollar amounts verify that each item totals up to the correct batched total amount.

- Total item counts verify that the total counts match.

- Total document numbers verify that the total number of documents in the batch equals the total number of documents processed. Documents could be invoices generated, orders, or any document count that is used to track accuracy.

- Hash totals are generated by choosing a selected number of fields in a series of transactions. These values are computed again later to see if the numbers match. An incorrect value indicates that something has been lost, entered incorrectly, or corrupted somehow.

- Hash Totals: The use of hash totals is similar to how cryptographic hashing algorithms such as MD5 or SHA1 are used to verify integrity.

- Batch Controls: Be aware that the CISA exam might ask questions about what is considered a valid batch control. Test candidates should understand each type and know that batch controls are used to detect loss, duplication, or corruption of data.
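
The four batch totals described above can be computed by the sending application and recomputed by the receiving one. The following is an added example, not part of the original notes; the record layout, the sample transactions, and the choice of account number as the hashed field are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed sample batch: (document_no, account_no, quantity, amount)
SENT = [
    ("INV-1001", 40017, 3, Decimal("125.50")),
    ("INV-1002", 40233, 1, Decimal("980.00")),
    ("INV-1003", 41990, 7, Decimal("42.25")),
]

def batch_totals(transactions):
    """Compute the four control totals for a batch of transactions."""
    return {
        "dollar_total": sum((t[3] for t in transactions), Decimal("0")),
        "item_count": sum(t[2] for t in transactions),
        "document_count": len(transactions),
        # Hash total: arithmetic sum of a field whose sum has no business
        # meaning (account numbers here). It is a plain sum, not a
        # cryptographic digest.
        "hash_total": sum(t[1] for t in transactions),
    }

def reconcile(header, received):
    """Return the names of control totals that differ from the batch header."""
    recomputed = batch_totals(received)
    return sorted(k for k in header if header[k] != recomputed[k])

# Header computed by the sending application and sent with the batch.
HEADER = batch_totals(SENT)

# Constructed failure cases as seen by the receiving application.
LOST = SENT[:2]                  # one transaction dropped
DUPLICATED = SENT + [SENT[0]]    # one transaction posted twice
CORRUPTED = [                    # account number digits transposed
    SENT[0],
    ("INV-1002", 40323, 1, Decimal("980.00")),
    SENT[2],
]

if __name__ == "__main__":
    cases = [("intact", SENT), ("lost", LOST),
             ("duplicated", DUPLICATED), ("corrupted", CORRUPTED)]
    for name, batch in cases:
        print(f"{name:10s} mismatched totals: {reconcile(HEADER, batch) or 'none'}")
```

In the corrupted case only the hash total differs, because the dollar amount, item count, and document count are unaffected by an error in the account number.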
