CISA" Official Review Manua l 2gth Edition I Chapter 1

Chapter 1

Information System Auditing Process

Overview
Domain I Exam Content Outline ... ........ ......... .................. ....................................... .... ........................ ..... 24
Learning Objectives/Task Statements........................................................................... .............................24
Suggested Resources for Further Study ............................................................................ .............. ........... 24
Self-Assessment Questions ................ ................................................ ............................. .......... ................. 24
Chapter I Answer Key ...... ................................................ ...................... ......................................... .. .... ... 28

Part A: Planning
I.I IS Audit Standards, Guidelines, Functions and Codes of Ethics .......................... ....................... .......31
1.2 Ty pes of Audits, Assessments and Rev iews ................................ ...................... ..... ............... .. ......... ..34
1.3 Risk-Based Audit Planning ........ ........ ............. ....... ..................... .... ..... ....... ............. .......................... 38
1.4 Types of Controls and Considerations ............. ... ....................................... ......... .... ..... ..................... .. 43

Part B: Execution
1.5 Audit Project Management.. .......... .... ................. ......... ....... .. ........... .............. ............ .. ............ .... ....... 53
1.6 Audit Testing and Sampling Methodology ........................... ............... ...... .......... ............................... 60
1.7 Audit Evidence Collection Techniques ......................... ................... .................................................. 63
1.8 Audit Data Analytics ................................... ... ................................................................... ..... ............ 66
1.9 Reporting and Communication Techniques ............................................... ......................... .... ..... .......73
1.1 0 Quality Assurance and Improvement of the Audit Process ...... ............. ................................ ........... 77

Case Study
Case Study ............................... ........................................................... ......... .. ........ ..... ............................. .. 79
Chapter 1 Answer Key .......................................................... ..... .................................. .......................... ... 82

©ISACA. All Rights Reserved. I 23

 CISA° Official Review Manual 2gth Edition I Chapter 1
Overview
The information systems (IS) auditing process
encompasses the standards, principles, methods,
guidelines, practices and techniques that an IS auditor
uses to plan and execute audits of information systems
supporting critical business processes.
An IS auditor must have a thorough understanding
of this auditing process and of IS processes, business
processes and controls designed to achieve organizational
objectives.
This domain represents 18 percent of the CISA exam
(approximately 27 questions).
Domain 1 Exam Content Outline
Part A: Planning
1. IS Audit Standards, Guidelines, Function and Codes
of Ethics
2. Types of Audits, Assessments and Reviews
3. Risk-based Audit Planning
4. Types of Controls
Part B: Execution
1. Audit Project Management
2. Audit Testing and Sampling Methodology
3. Audit Evidence Collection Teclmiques
4. Audit Data Analytics (including audit algorithms)
5. Rep01ting and Communication Techniques
6. Quality Assurance and Improvement of Audit Process
Learning Objectives/Task Statements
Within this domain, the IS auditor should be able to:
• Plan an audit to determine whether information
systems are protected, controlled and provide value
to the organization.
• Conduct audits in accordance with IS audit standards
and a risk based IS audit strategy.
• Apply project management methodologies to the audit
process.
• Communicate and collect feedback on audit
progress, findings , results and recommendations with
stakeholders.
• Conduct post-audit follow up to evaluate whether
identified risk has been sufficiently addressed.
• Utilize data analytics tools to enhance audit processes.
• Evaluate the role and/or impact of automatization
and/or decision-making systems for an organization.
24 I ©ISACA. All Rights Reserved.
• Evaluate audit processes as patt of quality assurance
and improvement programs.
• Evaluate the organization's enterprise risk
management (ERM) program.
• Evaluate the readiness of information systems for
implementation and migration into production.
• Evaluate potential opportunities and risks associated
with emerging technologies, regulations and industry
practices.
Suggested Resources for Further Study
ISACA Audit Programs and
Tools, https ://www. isaca. orglresources/insights-and-
expertise/ audit-programs-and-tools
ISACA Frameworks, Standards and
Models, https ://www.isaca.org/resources/frameworks-
standards-and-models
ISACA, IT Audit Framework (!TAFT)· A
Professional Practices Framework for IT Audit,
4th Edition, https ://store. isaca.orgls/store#/store/browse/
detail/a2S4w000004Ko91 EAC
ISACA IT Audit, https://www.isaca.org/resourceslit-
audit
ISACA White Papers, https:llwww.isaca.org/resources/
insights-and-expertise/white-papers
Self-Assessment Questions
CISA self-assessment questions supp01t the content in
this manual and provide an understanding of the type and
structure of questions that typically appear on the exam.
Often a question will require the candidate to choose
the MOST likely or BEST answer among the options
provided. Please note that these questions are not actual
or retired exam items. Please see section About This
Manual for more guidance regarding practice questions.
1. Which of the following outlines the overall authority
to perform an information systems (IS) audit?
A. The audit scope with goals and objectives
B. A request from management to perform an audit
C. The approved audit charter
D. The approved audit schedule

2. Which of the following is the key benefit of a control
self-assessment (CSA)?
A. Management ownership of the internal controls
supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment
results are an input to external audit work.
C. Fraud detection is improved because internal
business staff are engaged in testing controls.
D. Internal auditors can use the results of the
assessment to shift to a consultative approach.
3. Which of the following would an information systems
(IS) auditor MOST likely focus on when developing
a risk-based audit program?
A. Business processes
B. Administrative controls
C. Environmental controls
D. Business strategies
4. Which of the following types of audit risk assumes
an absence of compensating controls in the area being
reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
5. An information systems (IS) auditor performing a
review of an application's controls finds a weakness
in system software that could materially impact the
application. In this situation, an IS auditor should:
A. disregard these control weaknesses because a
system software review is beyond the scope of this
review.
B. conduct a detailed system software review and
report the control weaknesses.
C. include a statement in the report that the audit was
limited to a review of the application's controls.
D. review the relevant system software controls and
recommend a detailed system software review.
CISN Official Review Manual 2sth Edition I Chapter 1
6. Which of the following is the MOST important
reason for reviewing an audit planning process at
periodic intervals?
A. To plan for deployment of available audit
resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit
charter
D. To identify the applicable IS audit standards
7. Which of the following is a KEY benefit of a control
self-assessment (CSA)?
A. Management ownership of the internal controls
suppotting business objectives is reinforced.
B. Audit expenses are reduced when the assessment
results are an input to external audit work.
C. Fraud detection is improved because internal
business staff are engaged in testing controls.
D. Internal auditors can use the results of the
assessment to shift to a consultative approach .
8. Which of the following is the MOST critical step
when planning an information systems (IS) audit?
A. Review of prior audit findings
B. Executive management's approval of the audit
plan
C. Review of information security policies and
procedures
D . Performance of a risk assessment
9. The approach an information systems (IS) auditor
should use to plan IS audit coverage should be based
on:
A. risk.
B. materiality.
C. fraud monitoring.
D. sufficiency of audit evidence.
©ISACA. Al l Rights Reserved. I 25
 CISA° Official Review Manual 23th Edition I Chapter 1

10. An organization performs a daily backup of critical

data and software files and stores backup media at an
offsite location. The backup media are used to restore
the files in case of a disruption. This is an example of
a:

A. preventive control.
B. management control.
C. corrective control.
D. detective control.

Answers on page 28

26 I ©ISACA. All Rights Reserved.

 CISA" Official Review Manual 2gth Edition I Chapter 1

Page intentionally left blank

©ISACA. Al l Rights Reserved I 27

 CI SN Official Review Manual 23th Edition I Chapter 1
Chapter 1 Answer Key
Self-Assessment Questions
1. A. The audit scope is specific to a single audit and
does not grant authority to perform an audit.
B. A request from management to perform an audit is
not sufficient because it relates to a specific audit.
C. The approved audit charter outlines
the auditor's responsibility, authority and
accountability.
D . The approved audit schedule does not grant
authority to perform an audit.
2. A. The objective of control self-assessment (CSA)
is to have business managers become more
aware of the importance of internal control
and their responsibility in terms of corporate
governance.
B. Reducing audit expenses is not a key benefit of
CSA.
C. Improved fraud detection is impo1tant but not
as impo1tant as control ownership. It is not a
principal objective of CSA.
D . CSA may give more insights to internal auditors,
allowing them to take a more consultative role;
however, this is an additional benefit, not the key
benefit.
3. A. A risk-based audit approach focuses on
understanding the nature of the business and
being able to identify and categorize risk.
Business risk impacts the long-term viability
of a specific business. Thus, an information
systems (IS) auditor using a risk-based audit
approach must be able to understand business
processes.
B. Administrative controls, while an imp01tant subset
of controls, are not the primary focus needed to
understand the business processes within the scope
of an audit.
C. Like administrative controls, environmental
controls are an important control subset; however,
they do not address high-level overarching
business processes under review.
D. Business strategies are the drivers for business
processes; however, in this case, an IS auditor is
focusing on the business processes that were put in
place to enable the organization to implement its
strategies.
28 I ©ISACA. All Rig hts Reserved.
4. A. Control risk is the risk that a material error exists
that will not be prevented or detected in a timely
manner by the system of internal controls.
B. Detection risk is the risk that a material
misstatement with a management assertion will
not be detected by an audit and assurance
professional 's substantive tests. It consists of two
components: sampling risk and non-sampling risk.
C. Inherent risk is the risk level or exposure
assessed without considering the actions that
management has taken or might take.
D. Sampling risk is the risk that incorrect
assumptions are made about the characteristics of
a population from which a sample is taken. Non-
sampling risk is detection risk that is unrelated to
sampling; it can be due to a variety of reasons,
including human error.
5. A. An information systems (IS) auditor is not
expected to ignore control weaknesses just
because they are outside the scope of a current
review.
B. The conduct of a detailed systems software review
may hamper the audit's schedule, and an IS
auditor may not be technically competent to do
such a review at the time of the audit.
C. If there are control weaknesses that have
been discovered by an IS auditor, they should
be disclosed. By issuing a disclaimer, this
responsibility would be waived.
D. The appropriate option would be to review
the relevant systems software and recommend
a detailed systems software review for which
additional resources may be recommended.
6. A. Deployment of available audit resources is
determined by the audit assignments, which are
influenced by the planning process.
B. Short- and long-term issues that drive audit
planning can be heavily impacted by changes to
the risk environment, technologies and business
processes of the enterprise.
C. The audit charter reflects the mandate of top
management to the audit function and resides at
a more abstract level.
D. Applicability of information systems (IS) audit
standards, guidelines and procedures is universal
to any audit engagement and is not influenced by
short- and long-term issues.
 CISA° Official Review Manual 23th Edition I Chapter 1

7. A. The objective of control self-assessment (CSA) play a part in audit planning but only as it pertains
is to have business managers become more to organizational risk.
aware of the importance of internal control D. Sufficiency of audit evidence pertains to the
and their responsibility in terms of corporate evaluation of the sufficiency of evidence obtained
governance. to suppott conclusions and achieve specific
B. Reducing audit expenses is not a key benefit of engagement objectives.
CSA.
C. Improved fraud detection is important but not 10.A. Preventive controls are those that avert problems
as important as control ownership. It is not a before they arise. Backup media cannot be used to
principal objective of CSA. prevent damage to files and, therefore, cannot be
D . CSA may give more insights to internal auditors, classified as preventive controls.
allowing them to take a more consultative role; B. Management controls modify processing systems
however, this is an additional benefit, not the key to minimize repeat occurrences of the problem.
benefit. Backup media do not modify processing systems
and, therefore, do not fit the definition of
8. A. The findings of a previous audit are of interest management controls.
to the auditor, but they are not the most critical C. A corrective control helps to correct or
step. The most critical step involves finding the minimize the impact of a problem. Backup
current issues or high-risk areas, not reviewing the media can be used for restoring the files in
resolution of older issues. A review of historical case of damage to the files, thereby reducing
audit findings could indicate that management is the impact of a disruption.
not resolving the risk items identifi ed or that the D. Detective controls help to detect and report
recommendations were ineffective. problems as they occm. Backup media do not aid
B. Executive management is not required to approve in detecting errors.
the audit plan. It is typically approved by the audit
committee or board of directors. Management
could recommend areas to audit.
C. Reviewing information security policies and
procedures is normally conducted during
fieldwork, not planning.
D. Of all the steps listed, performing a risk
assessment is the most critical. Risk assessment
is required by ISACA IS Audit and Assurance
Standard 1201 (Risk Assessment in Planning),
statement 1201.2: "IT audit and assurance
practitioners shall identify and assess risk
relevant to the area under review when
planning individual engagements." In addition
to the standards requirement, if a risk
assessment is not performed, then high-risk
areas of the auditee systems or operations may
not be identified for evaluation.

9. A. Audit planning requires a risk-based approach.

B. Materiality pertains to potential weaknesses or
absences of controls while planning a specific
engagement, and whether such weaknesses or
absences of controls could result in a significant
deficiency or a material weakness.
C. Fraud monitoring pertains to the identification of
fraud-related transactions and patterns and may

©ISACA. All Rights Reserved. I 29

 CISA" Official Review Manual 23th Edition

Page intentionally left blank

30 I ©ISACA. All Rights Reserved.


Part A: Planning
Audits are conducted for a variety of reasons. An audit
can help an organization ensure effective operations,
affirm its compliance with various regulations and
confirm that the business is functioning well and is
prepared to meet potential challenges. An audit can
also help to gain assurance on the level of protection
available for information assets. Most significantly, an
audit can assure stakeholders of the financial, operational
and ethical well-being of the organization. IS audits
support all those outcomes, with a special focus on
the information and related systems upon which most
businesses and public institutions depend for competitive
advantage.
IS audit is the formal examination and/or testing of
information systems to determine whether:
• Information systems are in compliance with
applicable laws, regulations, contracts and/or industry
guidelines.
• Information systems and related processes comply
with governance criteria and related and relevant
policies and procedures.
• Confidentiality, integrity and availability ofIS data
meet appropriate levels based on measmable metrics.
• IS operations are being accomplished efficiently and
effectiveness targets are being met.
During the audit process, an IS auditor reviews the
control framework, gathers evidence, evaluates the
strengths and weaknesses of internal controls based
on the evidence and prepares an audit repott that
presents findings and recommendations for remediation
to stakeholders in an objective manner.
In general terms, the typical audit process consists of
three major phases (figu re 1.1):
• Planning
• Fieldwork/documentation
• Reporting/follow-up
Figure 1.1- Typical Audit Process Phases
Reporting/
Follow-up
Source: ISACA, information Systems Auditing: Tools and
Techniques- Creating Audit Programs, USA, 2016
These main phases can be further broken down into
subphases; for example, the reporting phase can be
broken down into report writing and issuance, issue
follow-up and audit closing. The organization and
CISN Official Review Manual 23th Edition I Chapter 1
naming conventions of these phases can be customized
as long as the procedures and outcomes comply with
applicable audit standards such as an IT Assurance
Framework (ITAF).
Note
Information systems are defined as the combination
of strategic, managerial and operational activities and
related processes involved in gathering, processing,
storing, distributing and using information and
its related technologies. Information systems are
distinct from information technology (IT) in that an
information system has an IT component that interacts
with the people and process components. IT is defined
as the hardware, software, communication and other
facilities used to input, store, process, transmit and
output data in whatever form. The terms "IS" and "IT"
will be used according to these definitions throughout
this manual.
1.1 IS Audit Standards, Guidelines,
Functions and Codes of Ethics
The credibility of any IS audit activity is largely
determined by its adherence to commonly accepted
standards. The fundamental elements of IS audit are
defined and provided within ISACA's IS audit and
assurance standards and guidelines. ISACA's code of
professional ethics guides the professional and personal
conduct of ISA CA members and certification holders.
1.1.1 ISACA IS Audit and Assurance
Standards
ISA CA IS Audit and Assurance Standards define
mandatory requirements for IS auditing and reporting and
inform a variety of audiences of critical information, such
as:
• For IS auditors, the minimum level of acceptable
performance required to meet the professional
responsibilities set out in the ISACA Code of
Professional Ethics
• For management and other interested parties, the
profession's expectations concerning the work of
practitioners
• For holders of the CISA designation, their
professional performance requirements
The framework for the ISACA IS Audit and Assurance
Standards provides for multiple levels of documents:
• Standards define mandatory requirements for IS audit
and assurance and reporting.
©ISACA. All Rights Reserved. I 31
 CISA° Official Review Manual 2gth Edition I Chapter 1
• Guidelines provide guidance in applying IS audit
and assurance standards. The IS auditor should
consider guidelines in determining how to achieve
implementation of standards, use professional
judgment in their application and be prepared to
justify any departures.
• Tools and techniques provide examples of processes
an IS auditor might follow in an audit engagement.
The tools and techniques documents provide
information on how to meet standards when
completing IS auditing work, but they do not set
requirements.
ISACA IS Audit and Assurance Standards are divided
into general, performance and rep01ting categories:
• General-Provide the guiding principles under which
the IS assurance profession operates. They apply to
the conduct of all assignments and deal with an IS
auditor's ethics, independence, objectivity, due care,
knowledge, competency and skill.
• Performance-Deal with the conduct of the
assignment, such as planning and supervision;
scoping; risk and materiality; resource mobilization;
supervision and assignment management; audit and
assurance evidence and the exercising of professional
judgment and due care
• Reporting-Address the types of reports, means of
communication and the information communicated
1.1.2 ISACA IS Audit and Assurance
Guidelines
ISACA IS Audit and Assurance Guidelines provide
guidance and information on how to comply with the
ISACA IS Audit and Assurance Standards. An IS auditor
should:
• Consider the guidelines in detennining how to
implement ISACA Audit and Assurance Standards
• Use professional judgment in applying them to
specific audits
• Be able to justify any depatture from the ISACA
Audit and Assurance Standards
Note
The CISA candidate is not expected to know specific
ISACA standard and guidance numbering or memorize
any specific ISACA IS audit and assurance standard
or guideline. However, the exam will test a CISA
candidate's ability to apply these standards and
guidelines within the audit process.
1 ISA CA, "Code of Professional Ethics," https:llwww.isaca.org/credenlialing/code-of-professional-ethics
32 I ©ISACA. All Rights Reserved .
1.1.3 ISACA Code of Professional Ethics
ISACA's Code of Professional Ethics guides the
professional and personal conduct of ISA CA members
and certification holders.
ISACA members and certification holders shall:
1. Support the implementation of, and encourage
compliance with, appropriate standards and
procedures for the effective governance and
management of enterprise information systems and
technology, including audit, control, security and risk
management.
2. Perform their duties with objectivity, due diligence
and professional care, in accordance with professional
standards.
3. Serve in the interest of stakeholders in a lawful
manner, while maintaining high standards of conduct
and character, and not discrediting their profession or
the Association.
4. Maintain the privacy and confidentiality of
information obtained in the course of their activities
unless disclosure is required by legal authority. Such
information shall not be used for personal benefit or
released to inappropriate parties.
5. Maintain competency in their respective fields and
agree to undertake only those activities they can
reasonably expect to complete with the necessary
skills, knowledge and competence.
6. Inform appropriate parties of the results of work
performed, including the disclosure of all significant
facts known to them that, if not disclosed, may distort
the repo1ting of the results.
7. Suppo1t the professional education of stakeholders in
enhancing their understanding of the governance and
management of enterprise information systems and
technology, including audit, control, security and risk
management.
Note
A CISA candidate is not expected to memorize the
ISA CA Code of Professional Ethics. 1 The exam will
test a candidate's understanding and application of the
code.

1.1.4 ITAF TM
ITAF is a comprehensive and best practice-setting
reference model that:
• Establishes standards that address IS auditor roles and
responsibilities; knowledge and skills; and diligence,
conduct and rep01ting requirements
• Defines terms and concepts specific to IS assurance
• Provides guidance and tools and techniques on the
planning, design, conduct and reporting ofIS audit
and assurance assignments
Note
A CISA candidate will not be tested on the
organization or arrangement of the ITAF framework.
However, the application of audit and assurance
standards is tested.
1.1.5 IS Internal Audit Function
The role of the IS internal audit function should be
established by an audit charter approved by the board
of directors and the audit committee (or by senior
management if these entities do not exist). Professionals
should have a clear mandate to perform the IS audit
function, which may be expressed in the audit charter.
Audit Charter
IS audit can be a part of internal audit, or function as an
independent group or be integrated within a financial and
operational audit to provide IT-related control assurance
to the financial or management auditors. Therefore, the
audit charter may include IS audit as an audit supp01t
function. Additionally, the audit chatter should include
the IS audit function's role with consulting-related
services that it may perform.
The charter should clearly state management's
responsibility and objectives for, and delegation of
authority to, the IS audit function. The highest level
of management and the audit committee, if one exists,
should approve the chatter. Once established, the chatter
should be changed only ifthe change is thoroughly
justified.
The responsibility, authority and accountability of the IS
audit function should be appropriately documented in an
audit charter or engagement letter. An audit chatter is
an overarching document that covers the entire scope of
audit activities in an entity while an engagement letter
is more focused on a patticular audit exercise to be
initiated in an organization with a specific objective in
mind. If IS audit services at·e provided by an external
CISA° Official Review Manual 281h Edition I Chapter 1
firm, the scope and objectives of the services should be
documented in a formal contract or statement of work
between the contracting organization and the service
provider. In either case, the internal audit function should
be independent and report to an audit committee, if one
exists, or to the highest management level, such as the
board of directors.
Note
For additional guidance, see standard 1001 Audit
Chatter and guideline 2001 Audit Charter.
Management of the IS Audit Function
The IS audit function should be managed and led in
a manner that ensures that the diverse tasks performed
by the audit team will fulfill audit function objectives,
while preserving audit independence and competence.
Fmthermore, managing the IS audit function should
ensure value-added contributions to senior management
in the efficient management of IT and achievement of
business objectives.
Note
For additional guidance, see standards 1002
Organizational Independence, I 003 Auditor
Objectivity, I 004 Reasonable Expectation and 1005
Due Professional Care. Also see the related guidelines:
2002, 2003, 2004 and 2005.
IS Audit Resource Management
IS technology is constantly changing. Therefore, it is
important that IS auditors maintain their competency
through updates of existing skills and obtain training
directed toward new audit techniques and technological
areas. An IS auditor must have the technical skills and
knowledge necessary to perform audit work. Further, an
IS auditor must maintain technical competence through
appropriate continuing professional education. Skills and
knowledge should be taken into consideration when
planning audits and assigning staff to specific audit
assignments.
Preferably, a detailed staff training plan should be drawn
up for the year based on the organization's direction
in terms of technology and related risk that needs to
be addressed. The plan should be reviewed periodically
to ensure that training efforts and results are aligned
with the direction the audit organization is taking.
Additionally, IS audit management should provide the
necessary IT resources to properly perform IS audits of a
©ISACA All Rights Reserved. I 33
 CISA6 Official Review Manual 23th Edition I Chapter 1
highly specialized nature (e.g., tools, methodology, work
programs).
Note
For additional guidance, see standard 1006 Proficiency
and guideline 2006 Proficiency.
Using the Services of Other Auditors and Experts
Due to the scarcity of IS auditors and the need for
IT security specialists and other subject matter experts
to conduct audits of highly specialized areas, the
audit depa1tment or auditors entrusted with providing
assurance may require the services of other auditors
or experts. Outsourcing oflS assurance and security
services is increasingly becoming a common practice.
Note
The IS auditor should be familiar with ISACA
Audit and Assurance Standard 1204 Performance and
Supervision and the IS Audit and Assurance Guideline
2206 Using the Work of Other Experts, which focus on
the rights of access to the work of other experts.
External experts could include expe1ts in technologies
such as networking, systems integration and digital
forensics, or subject matter expe1ts who specialize in a
paiticular industry or area such as banking, securities
trading, insurance, privacy or the law.
When there is a proposal to outsource a pa1t or all of IS
audit services to other auditors and experts or external
service providers, the IS auditor should consider:
• Restrictions on outsourcing of audit/security services
provided by laws and regulations
• Audit chatter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and
experts
• Professional competence, qualifications and
experience
• Scope and approach of work to be outsourced
• Supervisory and audit management controls
• Method and modalities of communication of results
of audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards
Based on the nature of assignment, the IS auditor may
also need to consider:
• Testimonials/references and background checks
34 I ©ISACA. All Rights Reserved.
• Access to systems, premises and records
• Confidentiality restrictions to protect customer-related
information
• Use of computer-assisted auditing techniques
(CAATs) and other tools to be used by the external
audit service provider
• Standards and methodologies for performance of
work and documentation
• Nondisclosure agreements
The IS auditor or entity outsourcing the auditing services
should monitor the relationship to ensure objectivity and
independence throughout its duration. It is important to
understand that although a part or the whole of the audit
work may be delegated to an external service provider,
the related professional liability is not necessarily
delegated. Therefore, it is the responsibility of the IS
auditor or entity employing the services of external
service providers to:
• Clearly communicate the audit objectives, scope and
methodology through a formal engagement Jetter
• Establish a monitoring process for regular review of
the work of the external service provider with regard
to planning, supervision, review and documentation.
For example, the work papers of other IS auditors
or experts should be reviewed to confirm the work
was appropriately planned, supervised, documented
and reviewed and to consider the appropriateness and
sufficiency of the audit evidence provided. Likewise,
the repo1ts of other IS auditors or experts should be
reviewed to confirm the scope specified in the audit
charter, terms of reference or letter of engagement has
been observed, the repmts were performed within the
defined auditable period, any significant assumptions
used by other IS auditors or expetts have been
identified and the findings and conclusions repmted
have management approval.
• Assess the usefulness and appropriateness of such
external providers' reports and assess the impact of
significant findings on the overall audit objectives
1.2 Types of Audits, Assessments and
Reviews
An IS auditor should understand the various types of
audits, assessments and reviews that can be performed
along with the basic associated audit procedures, which
may be carried out by internal or external groups.
An audit includes formal inspection and verification
to check whether standards or guidelines are being
followed, records are accurate, or efficiency and
effectiveness targets are met. Formal audits provide a

higher level of assurance than broader assessments and
reviews. In general, assessments and reviews may be
perceived with less negative stigma than audits and
may focus on opportunities for reducing the costs of
poor quality, employee perceptions on quality aspects,
proposals to senior management on policy, goals, etc.
Some examples of audits, assessment and reviews
include:
• IS audit-An IS audit is designed to collect
and evaluate evidence to determine whether an
information system and related resources are
adequately safeguarded and protected; maintain data
and system integrity and availability; provide relevant
and reliable information; achieve organizational goals
effectively; consume resources efficiently; and have,
in effect, internal controls that provide reasonable
assurance not only that business, operational and
control objectives will be met but also that undesired
events will be prevented or detected and corrected in
a timely manner.
• Compliance audit-A compliance audit includes
tests of controls to demonstrate adherence to specific
regulations or industry-specific standards or practices.
These audits often overlap other types of audits but
may focus on patticular systems or data.
• Financial audit-A financial audit assesses the
accuracy of financial repmting. A financial audit will
often involve detailed, substantive testing, although IS
auditors are increasingly placing more emphasis on a
risk- and control-based audit approach. A financial
audit relates to financial information integrity and
reliability.
• Operational audit-An operational audit is designed
to evaluate the internal control structure in a given
process or area. IS audits of application controls or
logical security systems are examples of operational
audits.
• Integrated audit-There are different types of
integrated audits, but typically an integrated audit
combines financial and operational audit steps and
may or may not include the use of an IS auditor.
An integrated audit is performed to assess the overall
objectives within an organization, related to financial
information and to safeguarding assets, maximizing
efficiency and ensuring compliance. An integrated
audit can be performed by external or internal
auditors and includes compliance tests of internal
controls and substantive audit steps. See section 1:10
Quality Assurance and Improvement of the Audit
Process for more information.
CISN Official Review Manual z gth Edition I Chapter 1
• Administrative audit-An administrative audit is
designed to assess issues related to the efficiency of
operational productivity within an organization.
• Specialized audit-Many different types of
specialized audits are conducted. Within the category
of IS audit, specialized reviews may examine areas
such as fraud or services performed by third parties.
• Third-party service audit-A third-patty service
audit addresses the audit of outsourced
financial and business processes to third-party
service providers that may operate in different
jurisdictions. A third-party service audit issues an
opinion on a service organization's description of
controls through a service auditor's report, which
then can be used by the IS auditor of the entity that
engages the service organization.
• Fraud audit-A fraud audit is a specialized
audit designed to discover fraudulent activity.
Auditors often use specific tools and data analysis
techniques to discover fraud schemes and business
irregularities.
• Forensic audit-A forensic audit is a specialized
audit to discover, disclose and follow up on fraud
and crime. The primary purpose of such an audit
is the development of evidence for review by law
enforcement and judicial authorities.
• Computer forensic audit- A computer forensic
audit is an investigation that includes the analysis of
electronic computing devices with the intent to gather
and preserve evidence. An IS auditor possessing the
necessary skills can assist an information security
manager or forensic specialist in performing forensic
investigations and can conduct an audit of the system
to ensure compliance with the evidence collection
procedures for forensic investigation.
• Functional audit-A functional audit provides
an independent evaluation of software products,
verifying that its configuration items' actual
functionality and performance are consistent with the
requirement specifications. Specifically, a functional
audit is conducted either prior to softwai·e delivery or
after implementation.
• Readiness assessment-A readiness assessment is
a review of an organization's current state of
compliance or adherence to documented standards.
Readiness assessments generally focus on control
design as opposed to operating effectiveness and
result in actionable items for an organization to
remediate prior to a formal audit.
©ISACA. All Rights Reserved. I 35
 CISA° Official Review Manual 2gth Edition I Chapter 1
1.2.1 Control Self-Assessment
Control self-assessment (CSA) is an assessment of
controls made by the staff and management of the unit
or units involved. It is a management technique that
assures stakeholders, customers and other patties that the
internal control system of the organization is reliable.
It also ensures that employees are aware of the risk to
the business and conduct periodic, proactive reviews of
controls. It is a methodology used to review key business
objectives; to assess risk involved in achieving the
business objectives; and to ensure that internal controls
are designed to manage business risk through a formal,
documented and collaborative process.
An IS auditor acts in the role of facilitator to help
business process owners define and assess appropriate
controls and to help them understand the need for
controls, based on risk to the business processes. The
process owners and the personnel who run the processes
use their knowledge and understanding of the business
function to evaluate the performance of controls against
the established control objectives, while considering the
risk appetite of the organization. Process owners are in an
ideal position to define the appropriate controls because
they are knowledgeable about the process objectives.
A CSA program can be implemented through methods
such as questionnaires and surveys, facilitated workshops
and informal peer reviews. For small business
units within organizations, a CSA program can be
implemented through facilitated workshops in which
functional management and IS auditors come together
and deliberate how best to evolve a control structure for
the business unit. In a workshop, the role of a facilitator
is to support the decision-making process. The facilitator
creates a supportive environment to help participants
explore their own experiences and those of others;
identify control strengths and weaknesses; and share
their knowledge, ideas and concerns. If appropriate, the
facilitator may also offer their own expertise in addition
to facilitating the exchange of ideas and experience.
Objectives of CSA
The primary objective of a CSA program is to leverage
the internal audit function by shifting some of the
control monitoring responsibilities to the functional
areas. It is not intended to replace audit's responsibilities
but to enhance them. Auditees such as line managers
are responsible for controls in their environment; the
managers should be responsible for monitoring the
controls. CSA programs must educate management about
36 I ©ISACA. All Rights Reserved.
control design and monitoring, pa1ticularly concentrating
on areas of high risk.
When employing a CSA program, measures of
success for each phase (planning, implementation and
monitoring) should be developed to determine the value
derived from CSA and its future use. One critical
success factor (CSF) is a meeting with the business unit
representatives (including appropriate and relevant staff
and management) to identify the business unit's primary
objective and to determine the reliability of the internal
control system. Actions that increase the likelihood of
achieving the primary objective should be identified.
Benefits of CSA
Some of the benefits of CSA include:
• Early detection of risk
• More effective and improved internal controls
• Creation of cohesive teams through employee
involvement
• Development of a sense of control ownership among
employees and process owners and reduction of their
resistance to control improvement initiatives
• Increased employee awareness of organizational
objectives
• Increased employee knowledge of risk and internal
controls
• Increased communication between operational and
top management
• Increased motivation for employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
• Necessaiy assurance given to top management
about the adequacy of internal controls relative to
regulations and laws
Disadvantages of CSA
CSA contains some disadvantages, including:
• It could be mistaken as an audit function replacement.
• It may be regarded as an additional workload (e.g.,
one more rep01t to be submitted to management).
• Failure to act on improvement suggestions could
damage employee morale.
• Lack of audit knowledge may limit effectiveness in
the detection of weak controls.
The IS Auditor's Role in CSA
When CSA programs are established, auditors become
internal control professionals and assessment facilitators.
Their value in these roles is evident when management
takes ownership and responsibility for internal
 CISA" Official Review Manual 23th Edition I Chapter 1

control systems under its authority through process
improvements in control structures, including an active
monitoring component.
To be effective in this facilitative and innovative role,
the IS auditor must understand the business process
being assessed. It is important to remember that in
the CSA process, IS auditors arn the facilitators and
the management client is the participant. For example,
during a CSA workshop, instead of performing detailed
audit procedures, the IS auditor will lead and guide the
auditees in assessing their environment by providing
insight into the objectives of controls based on risk
assessment. The managers, with a focus on improving the
productivity of the process, might suggest replacement
of preventive controls. In this case, the IS auditor is
better positioned to explain the risk associated with such
changes.
To provide higher-quality audits and make use of internal
and/or external audits or subject matter expertise, an
integrated audit approach is used to perform risk-based
assessments of internal controls over an operation,
process or entity.
The integrated audit process typically involves:
• Identification of risk faced by the organization for the
area being audited
• Identification of relevant key controls
• Review and understanding of the design of key
controls
• Testing IT system support for key controls
• Testing operational effectiveness of management
controls
• A combined report or opinion on control risk, design
and weaknesses
An integrated audit demands a focus on business risk
and a drive for creative control solutions. It is a team
effort of audit and assurance professionals with different
skill sets. Using this approach permits a single audit of
an entity with one comprehensive report. An additional
benefit is that this approach assists in staff development
and retention by providing variety and the ability to see
how all the elements (functional and IT) mesh to form
the complete picture. See figure 1.2 for an integrated
auditing approach.
Figure 1.2- An Integrated Audit

1.2.2 Integrated Auditing

The dependence of business processes on IT requires
that all auditors develop an understanding ofIT control
structures. In addition, IS auditors must develop an
understanding of the business control structures. This
type of integrated auditing can be defined as the process
whereby appropriate audit disciplines are combined to
assess key internal controls over an operation, process
or entity with a focus on risk. A risk assessment aims
to understand and identify risk arising from the entity
and its environment, including relevant internal controls.
At this stage, the role of an IS auditor is typically IS Audit
to understand and identify risk under topical areas
such as information management, IT infrastructure, IT
governance and IT operations. Other audit and assurance
specialists will seek to understand the organizational
environment, business risk and business controls. A key
element of the integrated approach is a discussion among The integrated audit concept has radically changed
the whole audit team of emerging risk, with consideration the way audits are accepted and valued by different
of impact and likelihood. stakeholders. For example:
• Employees or process owners better understand the
Detailed audit work focuses on the relevant controls in
objectives of an audit because they can see the
place to manage risk. IT systems frequently provide a
linkage between controls and audit procedures.
first line of preventive and detective controls, and the
• Top management better understands the linkage
integrated audit approach depends on a sound assessment
between increased control effectiveness and
of their efficiency and effectiveness.
corresponding improvements in the allocation and
utilization of IT resources.

©ISACA All Rights Reserved. I 37

 CISA° Official Review Manual 28th Edition I Chapter 1
• Shareholders better understand the linkage between
the push for a greater degree of corporate governance
and its impact on the generation of financial
statements that can be relied on.
All these developments have contributed to the growing
popularity of integrated audits.
1.3 Risk-Based Audit Planning
Audit planning is conducted at the beginning of the audit
process to establish the overall audit strategy and detail
the specific procedures to be carried out to implement
the strategy and complete the audit. It includes both
short- and long-term planning. Short-term planning
considers audit issues that will be covered during
the year, whereas long-term planning considers risk-
related issues regarding changes in the organization's IT
strategic direction that will affect the organization's IT
environment.
All of the relevant processes that represent the blueprint
of the enterprise's business should be included in the
audit universe. The audit universe ideally lists all the
processes that may be considered for audit. Each process
may undergo a qualitative or quantitative risk assessment
ca11'ied out by evaluating the risk in the context of
defined, relevant risk factors. The risk factors are those
that influence the frequency and/or business impact
ofrisk scenarios. For example, for a retail business,
reputation can be a critical risk factor. The evaluation of
risk should ideally be based on inputs from the business
process owners. Evaluation of the risk factors should be
based on objective criteria, although subjectivity cannot
be completely avoided. For example, with respect to the
reputation factor, the criteria (based on which inputs can
be solicited from the business) may be rated as:
• High-A process issue may result in reputational
damage that will take the organization more than six
months to recover.
• Medium- A process issue may result in reputational
damage that will take the organization less than six
months but more than three months to recover.
• Low-A process issue may result in reputational
damage that will take the organization less than three
months to recover.
In this example, the defined time frame represents the
objective aspect of the criteria, and the subjective aspect
of the criteria can be found in the business process
owners ' determination of the time frame-whether it is
more than six months or less than three months. After the
risk is evaluated for each relevant factor, a criterion may
38 I © ISACA. All Rights Reserved .
be defined to determine the overall risk for each of the
processes.
The audit plan can then be constructed to include all
of the processes that are rated "high," which would
represent the ideal annual audit plan. However, in
practice, often the available resources are not sufficient
to execute the entire ideal plan. This analysis will help
the audit function demonstrate the gap in resourcing and
give top management a good idea of the amount ofrisk
that it is accepting if it does not add to or augment the
existing audit resomces.
Analysis of short- and long-term issues should occur at
least annually. This frequency is necessary to consider
new control issues, enhanced evaluation techniques,
and changes in the risk environment, technologies and
business processes. The results of this analysis should
be reviewed by senior audit management and approved
by the audit committee, if available, or alternatively by
the board of directors, and communicated to relevant
levels of management. The annual planning should be
updated if any key aspects of the risk environment have
changed (e.g., acquisitions, new regulatory issues, market
conditions).
Note
For additional guidance, see standards 1007 Assertions
and 1008 Criteria and related guidelines 2007 and
2008.
1.3.1 Individual Audit Assignments
In addition to overall annual planning, each individual
audit assignment must be adequately planned. An
IS auditor should understand that other considerations
-such as the results of periodic risk assessments,
changes in the application of technology and evolving
privacy issues and regulatory requirements-may impact
the overall approach to the audit. An IS auditor
should take into consideration system implementation/
upgrade deadlines, cmTent and future technologies,
requirements from business process owners and IS
resource limitations.
When planning an audit, an IS auditor must understand
the overall environment under review. This should
include gaining a general understanding of the various
business practices and functions relating to the audit
subject, as well as the types of information systems
and technology supporting the activity. For example,
an IS auditor should be familiar with the regulatory
environment in which the business operates.

To perfmm audit planning, an IS auditor should perform
the steps indicated in figure 1.3.
Note
For additional guidance, see standard 1201 Risk
Assessment in Planning and guideline 2201 Risk
Assessment in Planning.
Figure 1.3---Steps to Pe1form Audit Planning
• Gain an understanding of the organization's mission,
objectives, purpose and processes, which include
information and processing requirements such as
availability, integrity, security and business technology
and information confidentiality.
• Gain an understanding of the organization's governance
structure and practices related to the audit objectives.
• Understand changes in the business environment of the
auditee.
• Review prior work papers.
• Identify stated contents such as policies, standards
and required guidelines, procedures and organization
structure.
• Perform a risk ana lysis to help in designing the aud it
plan.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to the audit.
• Address engagement logistics.
• Identify opportunities for continuous audit or audit
automation using computer-assisted audit too ls
(CAATs).
1.3.2 Effect of Laws and Regulations on
IS Audit Planning
Each organization, regardless of its size or the industry
within which it operates, will need to comply with
a number of governmental and external requirements
related to IS practices and controls and the manner in
which data is used, stored and secured. Additionally,
industry regulations can impact the way data is
processed, transmitted and stored (e.g., stock exchange,
central banks, etc.). Special attention should be given to
compliance issues in industries that are closely regulated.
Because of the dependency on information systems
and related technology, several countries are making
efforts to add legal regulations concerning IS audit and
CI SA° Official Review Manual zgth Edition I Chapter 1
assurance. The content of these legal regulations pertains
to:
• Establishment of regulatory requirements
• Responsibilities assigned to corresponding entities
• Financial, operational and IS audit functions
Management at all levels should be aware of the external
requirements relevant to the goals and plans of the
organization and to the responsibilities and activities of
the information services department/function/activity.
There are two major areas of concern:
1. Legal requirements (i.e., laws, regulations and
contractual agreements) applicable to audit or IS audit
2. Legal requirements placed on the auditee regarding its
systems, data management, reporting, etc.
These areas impact the audit scope and audit objectives,
which are important to internal and external audit
and assurance professionals. Legal issues related to
ergonomic regulations may also impact the organization's
business operations.
An IS auditor would perform the following steps to
determine an organization's level of compliance with
external requirements :
• Identify government or other relevant external
requirements dealing with:
• Electronic data, personal data, copyrights,
ecommerce, e-signatures, etc.
• IS practices and controls
• The manner in which computers, programs and
data are stored
• The organization or the activities of information
technology services
• IS audits
• Document applicable laws and regulations.
• Assess whether the management of the organization
and the IT function have considered the relevant
external requit'ements in maldng plans and in setting
policies, standards and procedures and business
application features.
• Review internal IT department/function/activity
documents that address adherence to laws applicable
to the industry.
• Determine adherence to established procedures that
address external requirements.
• Determine ifthere are procedures in place to ensure
that contracts or agreements with external IT services
providers reflect any legal requirements related to
responsibilities.
©ISACA. All Rights Reserved. I 39
 CISA' Official Review Manual 23th Ed ition I Chapter 1

Note some resulting weaknesses. In a risk-based audit

approach, IS auditors do not rely solely on risk
A CISA candidate will not be asked about any specific assessment; they also rely on internal and operational
laws or regulations but may be questioned about controls and knowledge of the organization or the
how one would audit for compliance with laws and business. This type of risk assessment decision-making
regulations. can help relate the cost-benefit analysis of the control
to the known risk, allowing the organization to make
Risk-based audit planning is the deployment of audit practical choices.
resources to areas within an organization that represent
Business risk includes concerns about the probable
the greatest risk. It requires an understanding of the
effects of an uncertain event on achieving established
organization and its environment, specifically:
business objectives. The nature of business risk may
• External and internal factors affecting the
be financial, regulatory or operational. Risk may also
organization
be derived from specific technologies. For example, an
• The organization's selection and application of
airline company is subject to extensive safety regulations
policies and procedures
and economic changes, both of which impact the
• The organization's objectives and strategies
continuing operations of the company. In this context, the
• Measurement and review of the organization's
availability ofIT services and their reliability are critical.
performance
Risk also includes measures an organization is willing to
As part of obtaining this understanding, an IS auditor take to achieve or advance its objectives even though the
must also gain an understanding of the key components results may be unproven or uncertain.
of the organization's:
By understanding the nature of the business, an IS
• Strategy management
auditor can identify and categorize types of risk and can
• Business products and services
better determine the appropriate risk model or approach
• Corporate governance process
in conducting the audit. The risk model assessment can
• Transaction types, transaction pa1tners and transaction
be as simple as creating weights for the types of risk
flows within information systems
associated with the business and identifying the risk in
Effective risk-based auditing uses risk assessment to an equation. On the other hand, risk assessment can be a
drive the audit plan and minimize the audit risk during scheme in which risk is given elaborate weights based on
the execution of an audit. the nature of the business or the significance of the risk.
A simplistic overview of a risk-based audit approach is
A risk-based audit approach is used to assess risk and to
shown in figure 1.4.
assist an IS auditor in making the decision to perform
either compliance testing or substantive testing. It is Note
important to stress that the risk-based audit approach
efficiently assists an IS auditor in determining the nature For further guidance, see standard 1204 Materiality.
and extent of testing.
Within this concept, inherent risk, control risk or
detection risk should not be of major concern, despite

40 I ©ISACA. All Rights Reserved.


Figure 1.4- Risk-Based Audit Approach
Conclude the Audit.
• Create recommendations
1.3.3 Audit Risk and Materiality
Audit risk can be defined as the risk that information
collected may contain a material error that may go
undetected during the audit. An IS auditor should also
consider, if applicable, other factors relevant to the
organization: customer data; privacy; availability of
provided services; and corporate and public image, as in
the case of public organizations or foundations.
Audit risk is influenced by:
• Inherent r isk- As it relates to audit risk, inherent
risk is the risk level or exposure of the process/
entity to be audited without regard to the controls
management has implemented. Inherent risk exists
independent of an audit and can occur because of the
nature of the business.
CISA° Official Review Manual 23th Edition I Chapter 1
· Write audit report
• Control risk- This is the risk of a material error
that would not be prevented or detected on a timely
basis by the system of internal controls. For example,
the control risk associated with manual reviews
of computer logs can be high because activities
requiring investigation are often overlooked due
to the volume of logged information. The control
risk associated with computerized data validation
procedures is ordinarily low ifthe processes are
consistently applied.
• Detection risk- This is the risk that material errors
or misstatements will not be detected by an IS auditor.
• Overall audit risk- This is the risk that the auditor
may not detect a material error in information or
financial rep01ts. An objective in formulating the
audit approach is to limit the audit risk in the
area under scrutiny so the overall audit risk is at
©ISACA Al l Rights Reserved. I 41
 CISA' Official Review Manual 2gth Edition I Chapter 1
a sufficiently low level at the completion of the
examination.
An internal control weakness or set of combined internal
control weaknesses may leave an organization highly
susceptible to the occurrence of a threat (e.g., financial
loss, business interruption, loss of customer trust,
economic sanction). An IS auditor should be concerned
with assessing the materiality of the items in question
through a risk-based audit approach to evaluating internal
controls.
Materiality refers to the importance of a piece of
information with regard to its impact or effect on the
functioning of the entity being audited. Materiality is
the expression of the relative significance or importance
of a pmticular matter in the context of the enterprise
as a whole. There is an inverse relationship between
materiality and the level of audit risk acceptable to the
IS auditor (i.e., the higher the materiality level, the lower
the acceptability of the audit risk and vice versa).
An IS auditor should have a good understanding of audit
risk when planning an audit. An audit sample may not
reflect every potential e1TOr in a population. However, by
using proper statistical sampling procedures or a strong
quality control process, the probability of detection risk
can be reduced to an acceptable level.
Similarly, when evaluating internal controls, an IS
auditor should realize that a given system may not detect
a minor error. However, that specific error, combined
with others, could become material to the overall system.
Note
A CISA candidate should understand audit risk and
not confuse it with statistical sampling risk, which is
the risk that incorrect assumptions m·e made about the
characteristics of a population from which a sample is
selected.
1.3.4 Risk Assessment
An IS auditor should understand how the organization
being audited approaches risk assessment. Risk
assessments should identify, quantify and prioritize
risk against criteria for risk acceptance and objectives
relevant to the organization. The results should guide and
determine the appropriate management action, priorities
for managing information security risk and priorities for
implementing controls selected to protect against risk.
Risk assessments should be performed by management
periodically to address changes in the environment,
42 I ©ISACA. All Rights Reserved.
security requirements and the risk landscape (e.g., in
the assets, threats, vulnerabilities and impacts) and
whenever significant changes occur. It is important to
note that IT management is responsible for conducting
risk assessments. If expertise is not present within the
organization, the IS auditor may assist in risk assessment
efforts. However, management is ultimately responsible
for the risk assessment process. The IS auditor may
perform a separate risk assessment to supplement the
needs ofrisk-based audit planning.
Refer to section 2.5 Enterprise Risk Management for
additional details on risk assessments.
1.3.5 IS Audit Risk Assessment
Techniques
When determining which functional areas should be
audited, an IS auditor may face a large variety of audit
subjects. Each of these subjects may incur different types
of risk. An IS auditor should evaluate risk candidates to
determine the high-risk areas that should be audited.
There are many risk assessment methodologies available
to an IS auditor, ranging from simple classifications
based on the auditor's judgment of high, medium and
low, to complex scientific calculations that provide
numeric risk ratings.
One such risk assessment approach is a scoring system
that is useful in prioritizing audits based on an evaluation
of risk factors . The system considers variables such as
technical complexity, level of control procedures in place
and level of financial loss. These variables may or may
not be weighted. The risk values are then compared to
each other, and audits are scheduled accordingly.
Another form of risk assessment is subjective, in which
an independent decision is based on business knowledge,
executive management directives, historical perspectives,
business goals and environmental factors. A combination
of techniques can be used. Risk assessment methods may
change and develop over time to best serve the needs of
the organization. An IS auditor should consider the level
of complexity and detail appropriate for the organization
being audited.
IS auditors should leverage the results of management
risk assessments to supplement their own risk assessment
procedures. A degree of professional skepticism should
be leveraged when reviewing or leveraging management
assessments of risk due to potential independence
impairment.

Using risk assessment to determine areas to be audited:
• Enables audit management to effectively allocate
limited audit resources
• Ensures that relevant information has been obtained
from all levels of management, including boards of
directors, IS auditors and functional area managers.
Generally, this information assists management in
effectively discharging its responsibilities and ensures
that the audit activities are directed to high-risk areas,
which will add value for management.
• Establishes a basis for effectively managing the audit
depattment
• Provides a summary of how the individual audit
subject is related to the overall organization as well
as to the business plans
1.3.6 Risk Analysis
Risk analysis, a subset of risk assessment, is used during
audit planning to help identify risk and vulnerabilities
so an IS auditor can determine the controls needed to
mitigate risk. Risk assessment procedures provide a basis
for the identification and assessment of risk of material
vulnerabilities; however, they do not provide sufficient
appropriate audit evidence to support the audit opinion.
In evaluating IT-related business processes applied by
an organization, it is important to understand the
relationship between risk and control. IS auditors must
be able to identify and differentiate risk types and
the controls used to mitigate risk. They should have
knowledge of common business risk areas, related
technology risk and relevant controls. They should also
be able to evaluate the risk assessment and management
processes and techniques used by business managers,
and to make assessments of risk to help focus and plan
audit work. In addition to understanding business risk
and control, IS auditors must understand that risk exists
within the audit process.
1.4 Types of Controls and Considerations
Every organization has controls in place. An effective
control is one that prevents, detects and/or contains
an incident and enables recovery from a risk event.
Organizations design, develop, implement and monitor
information systems through policies, procedures,
practices and organizational structures to address vatfous
types of risk.
Controls ai·e normally composed of policies, procedures,
practices and organizational structures that are
implemented to reduce risk to the organization. Internal
controls are developed to provide reasonable assurance to
CISA° Official Review Manual zgth Edition I Chapter 1
management that the organization's business objectives
will be achieved, and that risk events will be prevented
or detected and corrected. Internal control activities and
supporting processes may be manual or automated.
1.4.1 Internal Controls
Internal controls operate at all levels within an
organization to mitigate risk exposures that potentially
could prevent it from achieving its business objectives.
The board of directors and senior management are
responsible for establishing the appropriate culture to
facilitate an effective and efficient internal control system
and for continuously monitoring the effectiveness of the
internal control system, although each individual within
an organization must take patt in this process.
There are two key aspects that controls should address:
1. What should be achieved
2. What should be avoided
Internal controls or control activities help ensure that
management directives are catTied out. They help
ensure that necessai·y actions are taken to address risk
and to achieve the enterprise's business objectives.
Control activities occur throughout the enterprise, at
all levels and in all functions , such as granting
approvals and authorizations, implementing verifications
and reconciliations, reviewing operating performance,
securing assets and ensuring separation of duties.
1.4.2 Control Objectives and Control
Measures
A control objective is defined as an objective of one
or more operational areas or roles, which is designed to
contribute to the fulfillment of the company's strategic
goals. That is, the control objective is explicitly related to
the company's overall strategy.
Control objectives are statements of the desired result
or purpose to be achieved by implementing control
activities (procedures). For example, control objectives
may relate to:
• Effectiveness and efficiency of operations
• Reliability of financial repo1ting
• Compliance with applicable laws and regulations
• Safeguai·ding information assets
Control objectives apply to all controls, whether they
are manual, automated or both (e.g., review of system
logs). Control objectives in an IS environment do not
differ from those in a manual environment; however,
the way the controls are implemented may be different.
©ISACA. All Rights Reserved. I 43
 CISA° Official Review Manual 23th Edition I Chapter 1
Thus, control objectives need to be addressed relevant to
specific IS-related processes.
A control measure is defined as an activity contributing
to the fulfillment of a control objective. Both the control
objective and control measure serve the decomposition of
the strategic-level goals into such lower-level goals and
activities that can be assigned as tasks to the staff. This
assignment can take the form of a role specified in a job
description.
IS Control Objectives
IS control objectives include a complete set ofhigh-
level requirements to be considered by management for
effective control of each IT process area. IS control
objectives are:
• Statements of the desired result or purpose to
be achieved by implementing controls around IS
processes
• Policies, procedures, practices and organizational
structures
• Requirements designed to provide reasonable
assurance that business objectives will be achieved
and undesired events will be prevented or detected
and cotTected
Organizational management needs to make choices
relative to control objectives by:
• Selecting those that are applicable
• Deciding on those that will be implemented
• Choosing how to implement them (i.e., frequency,
span, automation, etc.)
• Accepting the risk of not implementing others that
may apply
Specific IS control objectives include:
• Safeguarding information assets, including ensuring
that information on automated systems is up to date
and secme from improper access
• Ensuring that system development life cycle (SDLC)
processes are established, in place and operating
effectively to provide reasonable assurance that
development of business, financial and/or industrial
software systems and applications is repeatable,
reliable and aligned to business objectives
• Ensuring integrity of general operating system (OS)
environments, including network management and
operations
• Ensuring integrity of sensitive and critical application
system environments, including accounting/financial
44 I ©ISACA. All Rights Reserved.
and management information (information objectives)
and customer data, through:
• Authorization of the input-Each transaction is
authorized and entered only once.
• Validation of the input-Each input is validated
and will not have a negative impact on the
processing of transactions.
• Accuracy and completeness of transaction
processing- All transactions are recorded
accurately and entered into the system for the
proper period.
• Reliability of overall information processing
activities-All programmatic actions taken by the
system during processing are sound.
• Accuracy, completeness and security of the
output-Outputs can be relied upon and
countermeasures are implemented to enable
security of information assets generated.
• Database confidentiality, integrity and
availability-The underlying systems of record
have general IS security controls.
• Ensuring appropriate identification and authentication
of users of IS resources (end users and infrastructure
support)
• Ensuring the efficiency and effectiveness of
operations (operational objectives)
• Complying with users' requirements, organizational
policies and procedures and applicable laws and
regulations (compliance objectives)
• Ensuring availability ofIT services by developing
efficient business continuity plans (BCPs) and
disaster recovery plans (DRPs) that include backup
and recovery processes
• Enhancing protection of data and systems by
developing an incident response plan
• Ensuring integrity and reliability of systems
by implementing effective change management
procedures
• Ensuring that outsourced IS processes and services
have clearly defined service level agreements (SLAs)
and contract terms and conditions designed to protect
the organization's assets and meet business goals and
objectives
General Control Methods
General control methods apply to all areas of an
organization as seen in figure 1.5.

Figure 1.5- General Control Methods
- ~-..imm
- -
1..-:1 1:.1• ti&'-'
Managerial Controls related to the oversight, reporting,
(administrative) procedures and operations of a process
Technical Also known as logical controls, controls that are
provided through the use of technology, equipment
or devices. A technica l control requires proper
managerial (administrative) controls to operate
correctly.
Physical Controls that are installed to physically restrict
access to a facility or hardware. Physical controls
require maintenance, monitoring and the ability to
address and react to an alert.
Often operational and administrative controls that
concern day-to-day operations, functions and activities
are included within managerial controls. Technical
controls and physical controls, respectively, relate to the
use of technology and the use of physical equipment or
devices to regulate access.
An enterprise should maintain a proper balance of control
types in order to meet its specific needs and help achieve
its business objectives. For example, the implementation
of a technical control, such as a firewall, requires train ing
for the staff who manage or operate it, correct procedures
for its configuration, assignment of responsibilities for
its monitoring and schedules for regular testing. If these
coinciding controls are not in place, stakeholders may
develop a false sense of security, resulting in unidentified
vulnerabilities, an ineffective use of resources and greater
risk than anticipated or intended.
IS-Specific Controls
Each general control method can be translated into an
IS-specific control. A well-designed information system
should have controls built in for all its sensitive or
critical functions. For example, there should be a general
procedure to ensure that adequate safeguards over access
to assets and facilities can be translated into an IS-related
set of control procedures, covering access safeguards
over computer programs, data and equipment.
Examples ofIS-specific control procedures include:
• Strategy and direction of the IT function
• General organization and management of the IT
function
• Access to IT resources, including data and programs
CISA° Official Review Manual 23th Edition I Chapter 1
-
·~~r.11111)[:.ll
• Policies and procedures
• Accounting controls (e.g., ba lancing)
• Employee training and development
• Compliance reporting
• Firewall ru lesets
• Network or host-based intrusion detection
systems (IDSs)
• Passwords
• Antimalware so lutions
• Physical access badges and locks
• Closed-circuit TV (CCTV)
• Systems development methodologies and change
control
• Operations procedures
• Systems programming and technical support
functions
• Quality assurance (QA) procedures
• Physical access controls
• BCP/DRP
• Networks and communication technology (e.g., local
area networks, wide area networks, wireless)
• Database administration
• Protective and detective mechanisms against internal
and external attacks
Note
A CISA candidate should understand concepts
regarding IS controls and how to apply them in
planning an audit.
Business Process Applications and Controls
In an integrated application environment, controls are
embedded and designed into the business application
that supports the processes. Business process control
assurance involves evaluating controls at the process
and activity levels, which may be a combination
of management, programmed and manual controls.
In addition to evaluating general controls that affect
the processes, an IS auditor should evaluate business
process owner-specific controls-such as proper security
and separation of duties (SoD), periodic reviews, and
approvals of access and application controls within the
business process.
©ISACA. All Rights Reserved. I 45
 CISA' Official Review Manual 28th Edition I Chapter 1

To effectively audit business application systems, an
IS auditor must obtain a clear understanding of the
application system under review. Numerous financial and
operational functions are computerized for the purpose
of improving efficiency and increasing the reliability of
information. These applications range from traditional
(including general ledger, accounts payable and payroll)
to industry-specific (such as bank loans, trade clearing
and material requirements planning). Given their unique
characteristics, computerized application systems add
complexity to audit efforts. These characteristics may
include limited audit trails, instantaneous updating and
information overload.
Figure 1.6 describes sample risk and controls for
common business applications in an enterprise.

Figure 1.6-Business Application Controls

1:,. ......,,
- . ....ww.;;;.1.,
1$"71.1
ii ~~M~- 1lli1lill i: .
- __ _..,.
- - _
- ...
- - -
1 11 ~ • . _. l'! lJ.:\ •• t ;nat ll L~I

-
Ecommerce Ecommerce is the buying and selling of goods Due to their exposure to the Internet,
on line. ecommerce applications are subject to a
high risk of Structured Query Language (SQL)
injection attacks. IS-specific controls such as
secure coding training for developers, system
development life cycle (SDLC) code reviews
and form input validity checks could be used
to mitigate applicable risk.

Electronic data EDI replaced the traditional paper document
interchange (EDI) exchange, such as medical claims and records,
purchase orders, invoices or material release
schedules .
Transmitted data Is at risk of being
intercepted and potentially manipulated
or compromised. Appropriate encryption
controls should be used to ensure the
confidentiality and integrity of transmitted
data.

Email Email services are used by an enterprise to
communicate electronically with internal or
external parties.
Email provides an avenue for attackers
to manipulate end users through social
engineering. Spam filtering, hyperlink
verification and phishing training for email
users can decrease the likelihood of phishing-
related social engineering attacks.

Industrial control systems ICS is a general term that encompasses
(ICSs) several types of control systems, including
supervisory control and data acquisition
(SCADA) systems, distributed control systems
(DCSs) and other control system configurations
such as programmable logic controllers (PLCs),
which are often found in industrial sectors and
critical infrastructures.
Systems like SCADA are highly sensitive and
if compromised can have a direct Impact
on human life. Organizations should consider
adding perimeter security controls, such
as network segmentation and multifactor
authentication, to get into and administer
high-risk SCADA environments.

Artificial intelligence (Al)
and expert systems
Expert systems are an area of Al and perform
a specific function or are prevalent in certain
industries. An expert system allows the user to
specify certain basic assumptions or formulas
and then uses those assumptions or formulas
to analyze arbitrary events.
Al systems rely on learned data and
associated decision trees that can be
inherently biased. An IS auditor should ensure
that the proper level of expertise was used
in developing the basic assumptions and
formulas.

46 I © ISACA. All Rights Reserved.

 CISA" Official Review Manual 28th Edition I Chapter 1

Note 1.4.3 Control Classifications

A CISA candidate should be familiar with
different types of business application systems and
architectures, processes, risk and related controls
and IS audit implications and practices. The IS
auditor should consult industry- or technology-specific
guidance and apply applicable IS-specific controls
as necessary. For example, when reviewing an
ecommerce application, an IS auditor might consider
applicable guidance from authoritative sources such
as the Open Web Application Security Project
(OWASP). 2 Where specific skillsets are not present
within an IS audit department, external experts should
be brought in to perfonn applicable reviews.
Controls are implemented to provide reasonable
assurance to management that the organization's business
objectives will be achieved, and risk events will
be prevented or detected and corrected. Elements of
controls that should be considered when evaluating
control strength are classified as preventive, detective or
corrective in nature.
Figure 1.7 describes control categories.

Figure 1. 7- Control Categories

-
1 -: ii" :ie111
- -
.l:.lt , , . ,

-
• _.i._....... ; - ,

Preventive Inhibit or impede attempts to violate security policy and practices. Encryption, user authentication and
vau lt-construction doors are examples of preventive controls.

Deterrent Provide guidance or warnings that may dissuade intentional or unintentional attempts at compromise.
Warning banners on login screens, acceptable use policies, security cameras and rewards for the arrest
of hackers are examples of deterrent contro ls.

Detective Provide warnings of violations or attempted violations of security policy and practices without inhibiting
or impeding the questionable actions. Audit trails, intrusion detection systems (IDSs) and checksums are
examples of detective controls.

Corrective Remediate errors, omissions, unauthorized uses and intrusions when detected . Data backups, error
correction and automated fa il over are examples of corrective controls.

Compensating Offset a deficiency or weakness in the control structure of the enterprise, often because the baseline
contro ls cannot meet a stated requirement due to legitimate technica l or business constraints . Placing
unsecured systems on isolated network segments with strong perimeter security and adding th ird-party
cha ll enge-response mechanisms to devices that do not support individual login accounts are examples of
compensating controls that, wh il e not directly address ing vulnerabi lities, make it harder to exploit them.

Source: ISACA, CRJSC Official Review Manual 7'" Edition Revised, USA, 2023

Preventive controls are generally stronger at mitigating
risk because they prevent threat events from occurring.
For example, if a malicious threat actor attempts to
log into a system that is accessible from the Internet
with a compromised password, multifactor authentication
requirements could prevent the threat actor from
successfully accessing the system.
By contrast, a detective control does not stop
unauthorized uses or entries from occurring, but it
indicates that a threat event took place or is in progress.
If a threat event occurs, a corrective control helps an
enterprise recover from the effects of an attack. For
example, if unauthorized access has been gained to a
specific enterprise computer, a procedure is initiated to
protect the rest of the network.
Organizations must implement a variety of control types
based on applicable risk and cost-benefit analysis. In
summary, detective and preventive controls are used to
reduce the likelihood of a threat event (the probability
of something happening), while corrective controls are
intended to mitigate the consequences (figu re 1.8).

2 Open Web Application Security Project, https://owasp.org/aboutl

©ISACA All Rights Reserved I 47

 CISA" Official Review Manual 28th Edition I Chapter 1

Figure 1.8- Control Purpose

Reduce Likelihood Mitigate Consequences

Infrastructure Backup and

monitoring recovery

Capacity
BC or IT DR plan
management

Special clauses in
Service desk
vendor contracts

Spare UPS or power

processing site generator

Risk management

Configuration
management

Source: ISACA, Fundamentals of Information Systems Audit and Assurance (Facilitator Guide), USA, 2018

An adequate mix of controls with different classifications

is important not only to reduce the likelihood of
threat events occurring but also to identify and
mitigate consequences. Different types of controls can
complement one another to help ensure that each is
working effectively and addressing unique threat events
as outlined in figure 1.9.
Note
A CISA candidate should understand the purpose
of and differences between preventive, detective and
corrective controls and be able to recognize examples
of each.

48 I ©ISACA. All Rights Reserved.

 CISA° Official Review Manual zgth Edition I Chapter 1

Figure 1.9-lnteraction of Control Types and Threat Events

Compensating
Threat
Control

Deterrent Corrective
Control Control

Detective
Vulnerability
Control

Preventive
Impact
..___c_o_nt_ro_I___ Reduces Decreases

Source: Adapted from ISACA, CRJSCW Review Manual, 7111 Edition Rev ised, USA, 2023

1.4.4 Control Relationship to Risk

Figure 1. 10- Control Relationship to Risk
There is a direct relationship between risk and control
that demonstrates that risk is addressed through control
and control is justified by the risk it addresses.
Figure 1.10 shows this relationship.
The IS auditor should have a solid understanding of
the applicable risk to controls being eval uated. This not
only informs the overall audit procedures that will be
used but also helps determine overall materiality of any
control weaknesses that may be identified during the
performance of an IS audit.
When evaluating controls, the IS auditor should ensure Source: ISACA, JT Risk Fundamentals Study Guide, USA, 2020
that management's identified controls are mapped back
to applicable risk. It is management's responsibility to If controls implemented do not mitigate risk to an
ensure controls are documented and implemented per its acceptable level (per the organization's risk tolerance),
assessment of risk. additional controls should be implemented. If appropriate
or required countermeasures cannot be implemented
based on system or business restrictions, compensating
controls may be considered. However, any compensating
control must achieve the same result the underperforming

©ISACA. All Rig hts Reserved. I 49

 CISA° Official Review Manual 23th Edition I Chapter 1
control was designed to achieve. Placing unsecured
systems on isolated network segments with strong
perimeter security and adding third-party challenge-
response mechanisms to devices that do not supp01t
individual login accounts are examples of compensating
controls. Although the examples in the following sections
are IT-specific, it is possible for non-IT compensating
controls to exist.
1.4.5 Prescriptive Controls and
Frameworks
In some instances, authoritative sources provide a
prescriptive set of controls or control objectives for
an organization to implement and assess. Prescriptive
control sets or control frameworks attempt to provide
a standard set of controls an organization should
implement to mitigate applicable risk to the organization
as a whole or to a specific business process.
Examples of sets of prescriptive controls or control
objectives include:
• Center for Internet Security (CIS) 18 Critical
Security Controls 3-A prescriptive, prioritized and
simplified set of best practices that organizations can
use to strengthen their cybersecurity postures
• OWASP Software Assurance Maturity Model
(SAMM) 4-An open framework to help
organizations formulate and implement strategies for
software security that are tailored to the specific risk
they face
• Service Organization Controls (SOC) reports 5-
A framework developed by the American Institute
of Ce1tified Public Accountants (AICPA) meant to
be used by organizations to process data related to
services they provide
• Payment Card Industry (PCI) Data Security
Standard (DSS) 6-A set of requirements that must
be met by organizations that store, process, transmit
or in any way affect the security of credit card data
• Cloud Security Alliance (CSA) Cloud Controls
Matrix (CCM)7-A cybersecurity control framework
for cloud computing encompassing various key
practices to ensure cloud security across different
cloud models and designed to provide fundamental
security principles to guide cloud vendors and assist
Center for Internet Security, "The 18 CIS Critical Security Controls," https:llwww.cisecurity.org/con trols/cis-controls-list
OWASP Project, "OWASP SAMM," https://owasp.orglwww-project-samm/
5 American Institute of Certified Public Accountants, "SOC 2®- SOC for Service Organizations: Trust Services Criteria," https://us.aicpa.orgl
interestareaslfrc/assuranceadvisoryserviceslaicpasoc2report
6 Payment Card Industry Security Standards Council, "PC! DSS: v4.0," https://docs-prv.pcisecuritystandards.org/PCJ%20DSS/Standard!PCJ-DSS-
v4_0.pdf
7 Cloud Security Alliance, "Cloud Controls Matrix," https://cloudsecurityalliance.org/researchlcloud-controls-matrix/
50 I ©ISACA. All Rights Reserved.
prospective cloud customers in assessing the overall
security risk of a cloud provider
Organizations leveraging prescriptive control
frameworks must identify applicable countermeasures
in place to meet outlined control objectives. In some
instances, prescriptive controls may not be applicable to
an organization based on unique business practices. For
example, if an organization accepting credit cards does
not store credit card data as a part of its business process,
then controls applicable to the protection of stored
credit card information are likely not applicable. Where
prescriptive controls do not apply to an organization, the
organization should ensure the reasons and validation on
non-applicability are formally documented.
1.4.6 Evaluation of the Control
Environment
The control environment should be reviewed in
accordance with the risk-based audit plan. Although IS
audit will execute its risk-based audit plan, it is impo1tant
to note that IS management should also evaluate the
effectiveness of the control environment.
Management Control Monitoring
Management may perform its own monitoring of control
effectiveness within a given audit cycle. This process
helps to identify control deviations prior to a potentially
less frequent audit and allows management to take
corrective action.
Control monitoring ensures that:
• Control requirements are being met.
• Standards are being followed.
• Employees are complying with enterprise policies,
practices and procedures.
Management can use the results of its own control
monitoring effo1ts to continuously improve the
organization's security program. An IS auditor may
leverage these results as reassurance that controls were
effectively working over a period of time. When
 CISA° Official Review Manual 28th Edition I Chapter 1

reviewing management's control monitoring processes,

an IS auditor should ensure the following:
• Identified control exceptions are remediated and
lessons learned are considered for security program
enhancement.
• Metrics are established for critical processes or
control monitoring and are based on management's
risk assessment.
• Metrics identify specific, quantifiable outputs for
reporting.
• Independence considerations are made regarding
potential completeness and accuracy concerns.
• Reporting establishes expected thresholds for control
effectiveness and tracks success over time.

Independent Evaluation of the Control

Environment
Once the applicable risk and controls are understood,
the IS auditor can perform an evaluation of the control
environment. An IS auditor reviews evidence gathered
during the audit to determine ifthe operations reviewed
are well controlled and effective. This is an area that
requires judgment and experience. An IS auditor also
assesses the strengths and weaknesses of the controls
evaluated and determines if they are effective in meeting
the control objectives established as part of the audit
planning process.

©ISACA All Rights Reserved. I 51

 CISA6 Official Review Manual 23th Edition

Page intentionally left blank

52 I ©ISACA. All Rights Reserved.


Part B: Execution
Once an audit is planned and the scope and objectives
are defined, the IS auditor is ready to execute the audit.
The following sections provide guidance for executing an
audit.
1.5 Audit Project Management
Several steps are required to perform an audit. Adequate
planning is a necessary first step in performing an
effective IS audit. To efficiently use IS audit resources,
audit organizations must assess the overall risk for
the general and application areas and related services
being audited, and then develop an audit program that
consists of objectives and audit procedures to satisfy
the audit objectives. The audit process requires an IS
auditor to gather evidence, evaluate the strengths and
wealmesses of controls based on the evidence gathered
through audit tests, and prepare an audit report that
presents those issues (i.e., areas of control weaknesses
with recommendations for remediation) to management
in an objective manner.
Audit management must ensure the availability of
adequate audit resources and a schedule for performing
the audit procedures and, in the case of an internal IS
audit, for conducting follow-up reviews on the status of
corrective actions taken by management. The process of
auditing includes defining the audit scope, formulating
audit objectives, identifying audit criteria, performing
audit procedures, reviewing and evaluating evidence,
forming audit conclusions and opinions, and repo1ting to
management after discussion with key process owners.
Project management techniques for audit projects
include:
• P lan the audit engagement-Plan the audit,
considering project-specific risk.
• Build the audit plan-Chart the necessary audit
tasks across a timeline, optimizing resource use.
Make realistic estimates of the time requirements
for each task with proper consideration given to the
availability of the auditee.
• Execute the plan- Execute audit tasks against the
plan.
• Monitor p roject activity-Report actual progress
against planned audit steps to ensure challenges are
managed proactively and the scope is completed
within time and budget.
CI SA" Official Review Manual 23th Edition I Chapter 1
1.5.1 Audit Objectives
Audit objectives refer to the specific goals that must
be accomplished by the audit. In contrast, a control
objective refers to how an internal control should
function. An audit generally incorporates several audit
objectives.
Audit objectives often focus on confirming that internal
controls exist to minimize business risk and function
as expected. These audit objectives include ensuring
compliance with legal and regulatory requirements and
ensuring the confidentiality, integrity, reliability and
availability of information and IT resources. Audit
management may give an IS auditor a general control
objective to review and evaluate when performing an
audit.
A key element in planning an IS audit is to translate basic
and wide-ranging audit objectives into specific IS audit
objectives. For example, in a financial/operational audit,
a control objective could be to ensure that transactions
are properly posted to the general ledger accounts.
However, in an IS audit, the objective could be extended
to ensure that editing features are in place to detect errors
in the coding of transactions that may impact account-
posting activities.
An IS auditor must understand how general audit
objectives can be translated into specific IS control
objectives. Determining an audit's objectives is a critical
step in planning an IS audit.
One of the primary purposes of an IS audit is to
identify control objectives and the related controls that
address the objective. For example, an IS auditor's
initial review of an information system should identify
key controls. It should then be determined whether
to test those controls for compliance. An IS auditor
should identify both key general and application controls
after developing an understanding and documenting the
business processes and the applications/functions that
support those processes and general support systems.
Based on that understanding, an IS auditor should
identify the key control points.
Alternatively, an IS auditor may assist in assessing
the integrity of financial reporting data, refened to as
substantive testing, through CAATs.
1.5.2 Audit Phases
Each phase in the execution of an audit can be divided
into key steps to plan, define, perform and report the
results, as shown in figure 1.11.
©ISACA. All Rights Reserved. I 53
 CISA" Official Review Manual 28th Edition I Chapter 1

Figure 1.11- Typical Audit Process Steps by Phase

Planning Phase

Fieldwork and Documentation Phase

. ..
- .
~-··
zrc .
Reporting Phase

Gather report
Draft report. Issue report.
requirements.

Source: ISACA, Information Systems Auditing: Tools and Techniques- Creating Audit Programs, USA, 2016

Planning
Planning steps can be fmther broken down into more
specific activities, as shown in figure 1.12.

Figure 1.12-Audit Process Activities for the Planning Phase

' .
17ur. u -.....,~·L!J ii:~~-i;. •1"ii..•l.ll
-
1. Determine audit subject. Identify the area to be audited (e.g., business function, system, physical location).

2. Define audit objective. Identify the purpose of the audit. For example, an objective might be to determine
whether program source code changes occur in a well-defined and controlled
environment.

3. Set audit scope. Identify the specific systems, function or unit of the organization to be included in the
review. In the case of the program changes example, the scope statement might limit
the review to a single application, system or a limited period of time. This step is very
important because the information systems (IS) auditor will need to understand the IT
environment and its components to identify the resources that will be required to conduct
a comprehensive evaluation. A clear scope will help the IS auditor define a set of testing
points that are relevant to the audit and to further determine the technical skills and
resources necessary to evaluate different technologies and their components.

54 I ©ISACA. All Rights Reserved.


Figure 1.12- Audit Process Activities for the Planning Phase (cont.)
,,, ........., ... •l
4. Perform preaudit planning.
5. Determine aud it procedures
and steps for data gatherin g.
Source: ISACA, Information Systems Auditing: Tools and Techniques- Creating Audit Programs, USA, 2016
Fieldwork/ Documentation
Fieldwork/doc umentation steps can be further broken
down into more specific activities, as shown in
figure 1.13.
CISA° Official Review Manual 23th Edition I Chapter 1
ii:~-i.-i;i IJ-;-llil.I
-
Conduct a risk assessment, which is critica l in setting the final scope of a risk-based
audit. For other types of audits (e.g., compliance), conducting a risk assessment is a
good practice because the resu lts can help the IS audit team justify the engagement and
further refine the scope and prep lanning focus.
• Interview the auditee to inquire about activities or areas of concern that should be
included in the scope of the engagement.
• Identify regu latory comp liance requirements .
• Once the subject, objective and scope are defined, the audit team can identify the
resources needed to perform the audit. Some of the necessary resources to be
defined:
• Technica l skills and resources
• Budget and effort to complete the engagement
• Locations or faci lities to be audited
• Roles and responsibilities among the audit team
• Time frame for the various stages of the audit
• Sources of information for test or review, such as functional flowcharts, policies,
standards, procedures and prior audit work papers
• Points of contact for administrative and logistics arrangements
• A communication plan that identifies whom to inform, when, how often and for
what purposes
At this stage of the audit process, the aud it team shou ld have enough information to
identify and select the audit app roach or strategy and start developing the aud it program.
Some of the specific activities in this step are:
• Identify and obtain departmental policies, stand ards and guidelin es for review.
• Identify any regulatory comp liance requirem ents .
• Identify a list of individual s to interview.
• Identify methods and too ls to perform the evaluation .
• Develop audit tools and methodology to test and verify controls .
• Develop test scripts .
• Identify criteria for evaluating the test.
• Define a method ology to eva luate whether the test and its resu lts are accurate (and
repeatab le if necessary) .
©ISACA Al l Rights Reserved. I 55
 CISA° Official Review Manual 23th Edition I Chapter 1

Figure 1.13- Audit Process Activities for the Fieldwork/Documentation Phase

i':.. rrffi~,-. L!J It " '~M~I

-
- 1111

1. Acquire data. Establish a process to acquire audit-related data. An advance request list can be used to
identify key evidence or interviews/observations that need to be gathered or performed
during an audit. The IS auditor should establish a process to collect evidence in a secure
manner (e.g., through fileshare). A governance, risk and compliance (GRC) tool may help
facilitate audit data collection for more advanced audit functions.

2. Test controls. Use testing techniques (e.g., interviews, observations, inspections, etc.) to evaluate
controls applicable to the acquired data. In some instances, sampling may be required to
review a subset of an overall population. For example, an IS auditor may select a sample
of servers and perform an observation to confirm that antimalware solutions are installed
per policy.

3. Discover and validate Identify potential issues throughout the audit process. Issues are deviations
issues. from expected audit outcomes (e.g., policy requirements) and are the basis for
recommendations the auditor will provide for management action.

4. Document results . Document the results within the audit program and work papers per document audit
standards for the IS auditor's organization.

Reporting/Follow Up
Reporting/follow-up phase steps can be broken down into
specific activities, as shown in figure 1.14.

Figure 1.14- Audit Process Activities/or the Reporting/Follow-Up Phase

ii"•_l._"1 ... ::-. --.111

1. Gather report requirements. Reporting requirements are identified prior to drafting an audit report. These
requirements may be derived from internal audit standards for the organization or
through external reporting requirements.
2. Draft report. A draft report is created and reviewed by information systems (IS) audit leadership
prior to review by the auditee. The report includes the overall results of the audit and
potential findings and recommendations for management. Prior to issuing a final report,
the auditee should review and respond to recommendations identifying planned actions
for any recommended remediations.
3. Issue report. Once a report is finalized, it is issued. The final report is retained per internal or external
retention requirements. Audit reports are presented to the oversight function of the
organization (e.g., audit committee).
4. Follow up. A process is established to follow up on management's remediation progress for Issues
identified during an IS audit.

1.5.3 Audit Programs
An audit program is a step-by-step set of audit
procedures and instructions that should be performed to
complete an audit. It is based on the scope and objective
of the pa1ticular assignment.
The main purposes of developing an audit program are:
• Formal documentation of audit procedures and
sequential steps
• Creation of procedures that are repeatable and easy
to use by internal or external audit and assurance
professionals who need to perform similar audits
• Documentation of the type of testing that will be used
(compliance and/or substantive)
• Meeting generally accepted audit standards that relate
to the planning phase in the audit process
An IS auditor often evaluates IT functions and
systems from different perspectives, such as security
(confidentiality, integrity and availability), quality

56 I ©ISACA. All Rights Reserved.


(effectiveness, efficiency), fiduciary (compliance,
reliability), service and capacity. The audit work program
is the audit strategy and plan-it identifies scope, audit
objectives and audit procedures to obtain sufficient,
relevant and reliable evidence to draw and support audit
conclusions and opinions.
General audit procedures are the basic steps in the
performance of an audit and usually include:
• Obtaining and recording an understanding of the audit
area/subject
• Creating a risk assessment and general audit plan and
schedule
• Performing detailed audit planning that includes the
necessary audit steps and a breakdown of the work
planned across an anticipated timeline
• Conducting a preliminary review of the audit area/
subject
• Evaluating the audit area/subject
• Verifying and evaluating the .appropriateness of
controls designed to meet control objectives
• Conducting compliance testing (tests of the
implementation of controls and their consistent
application)
• Conducting substantive testing (confirming the
accuracy of information)
• Reporting (communicating results)
• Following up in cases that rely on an internal audit
function
Minimum Skills to Develop an Audit Program
The development of meaningful audit and assurance
programs depends on the auditor's ability to customize
procedures according to the nature of the subject under
review and the specific risk that must be addressed in
the audit area/organization. Skills that can assist an IS
auditor in creating an audit program include:
• Sufficient understanding of the nature of the
enterprise and its industry to identify and categorize
types of risk and threat
• Good understanding of the IT space and its
components and sufficient knowledge of the
technologies that affect them
• Understanding of the relationship between business
risk and IT risk
• Basic knowledge of risk assessment practices
• Understanding of testing procedures for evaluating
IS controls and identifying the best method of
evaluation, such as:
• The use of generalized audit software (GAS) to
survey the contents of data files (e.g., system logs,
user access list)
CISA° Official Review Manual 2gth Edition I Chapter 1
• The use of specialized software to assess the
contents of operating systems, databases and
application parameter files
• Flowcharting techniques for documenting business
processes and automated controls
• The use of audit logs and reports to evaluate
parameters
• Review of documentation
• Inquiry and observations
• Walk-throughs
• Reperformance of controls
Note
For additional guidance, see standard 1204
Performance and Supervision and guideline 2204
Performance and Supervision.
1.5.4 Audit Work Papers
All audit plans, programs, activities, tests, findings
and incidents should be properly documented in work
papers. The format and media of work papers can vary,
depending on the specific needs of the department. IS
auditors should particularly consider how to maintain the
integrity and protection of audit test evidence in order
to preserve its value as substantiation in support of audit
results.
Work papers can be considered the bridge or interface
between the audit objectives and the final repo1t.
Work papers should provide a seamless transition-with
traceability and support for the work performed- from
objectives to report and from report to objectives. In this
context, the audit repo1t can be viewed as a particular
work paper.
IS auditors should ensure that the same security-related
requirements they may be assessing are considered for
the audit work papers they collect. IS audit reports and
related work papers can contain sensitive information
that could be leveraged by malicious actors. A retention
and destruction process should be established based on
legal requirements for each audit type.
1.5.5 Fraud, Irregularities and Illegal Acts
Management is primarily responsible for establishing,
implementing and maintaining an internal control
system that enables the deterrence and/or timely
detection of fraud. Internal controls may fail due to
exploitation of vulnerabilities, management-perpetrated
control wealmesses or collusion among people.
©ISACA All Rights Reserved. I 57
 CISA' Official Review Manual 23th Edition I Chapter 1
The presence of internal controls does not altogether
eliminate fraud . IS auditors should observe and exercise
due professional care in all aspects of their work and be
alert to opportunities that may allow fraud to materialize.
They should be aware of the possibilities and means
of perpetrating fraud, especially through exploitation of
vulnerabilities and overriding controls in the IT-enabled
enviromnent. They should have knowledge of fraud and
fraud indicators and be alert to the possibility of fraud
and errors while performing an audit.
During the course of regular assurance work, an IS
auditor may come across instances or indicators of fraud.
After careful evaluation, an IS auditor may communicate
the need for a detailed investigation to appropriate
authorities. In the case of an IS auditor identifying a
major fraud or ifthe risk associated with the detection is
high, audit management should consider communicating
the issue to the audit committee in a timely manner.
Regarding fraud prevention, an IS auditor should be
aware of potential legal requirements concerning the
implementation of specific fraud detection procedures
and the reporting of fraud to appropriate authorities.
Note
For additional guidance, see standard 1207 Irregularity
and Illegal Acts and guideline 2207 Irregularity and
Illegal Acts.
1.5.6 Agile Auditing
A goal for any IS audit function is to provide faster
and more efficient ways to conduct an IS audit to
demonstrate the value provided to stakeholders. One
method to achieve this is leveraging Agile concepts.
Agile Auditing Overview
The term "agile" usually refers to software
development and emphasizes individuals and interactions
over processes and tools, working software over
comprehensive documentation, customer collaboration
over contract negotiation and responding to change over
following a plan.8 Traditional IS audit, on the other hand,
has used strict standards and frameworks, resulting in
rather rigid audit engagement constraints that, essentially,
represented projects. IT projects have similarly inflexible
models. However, they have evolved from the formal
Waterfall model to less formal, but very often more
efficient, models that are usually collectively known as
"Agile."
8 "Manifesto for Agile Software Development," http://agilemanifesto.org/
58 I ©ISACA. All Rights Reserved.
In Agile models, design and specification documentation
are kept to the bare minimum required, and a major part
of documentation is created at the operations and support
levels (e.g., user manuals), which occur much later in the
system life cycle. In the context of an IS audit, this would
result in blurring or altogether abolishing the temporal
separation between planning and fieldwork phases. Agile
audits, thus, address major bottlenecks in many audits.
For example, necessary data- such as lists of system
users from the system itself or an authorization database
or file-can be requested and prepared by the auditees
while the auditors are still trying to finalize remaining
audit program steps. In addition, auditors can analyze
data already collected while waiting for the audit team
to schedule planning phase meetings with other auditees
or the team members. Elimination of the requirement
for strict temporal separation between planning and
fieldwork makes audit more efficient. Tasks run in
parallel (i.e., planning may be going on as the auditees
collect requested data, or fieldwork may be occurring
while meetings to address remaining planning issues are
taking place).
Benefits of Agile Auditing
Agile methodologies benefit audit departments through
production of rapid audit results, avoidance of siloed
audit and customer teams, communications in near real
time and effective collaboration with auditees. Agile also
ensures that IT audit engagements are more successful
through:
• Reduced end-to-end planning-Instead of audit
engagements being planned over several months,
Agile reduces the planning process to weeks or even
days due to condensed sprint cycles and a small-scale,
iterative approach.
• Streamlined audit engagements-Combining the
planning, fieldwork and reporting phases into a
single cohesive engagement avoids the execution of
disparate audit phases with long lead times.
• Direct customer collaboration-Involving
customers in the Agile scrum (i.e., daily standup
meeting) at the beginning of the audit engagement
sprint gives them a seat at the table. This
involvement further facilitates their input in guiding
the engagement to both valid and highly beneficial
audit outcomes for all parties.
• Flexible audit scope-As new information is
provided to or discovered by auditors, Agile
facilitates real-time audit scope adjustments. Auditors
should continue to obtain audit management approval

as potential scope adjustments are identified and be
prepared to adjust testing focus as new information is
discovered or provided by audit customers.
• Real-time assurance--Direct customer collaboration
means customers are informed of audit findings or
control weaknesses as they are discovered by auditors
versus receiving a draft audit rep01t toward the end
of an audit engagement. Auditors should provide
audit customers with updates on potential findings or
control weaknesses as testing uncovers them.
• Frequent audit plan updates-The increased
velocity of engagements produced by Agile IT audits
provides an opportunity to revisit the audit bacldog
and annual plan and make revisions more frequently.
Figure 1.15- Complementary Relationship ofAgile Audit Techniques and ITAF
!!!:!..~""'~l;lft - · ··~.!...
-- --- - - --
1 1:.JllilT·"lll•J:"'lir..-,T..
General Standard 1002-0rganizational Independence
The IT audit and assurance function sha ll be free from
conflicts of interest and undue influence in all matters
related to audit and assurance engagements.
General Standard 1003- Auditor Objectivity
IT audit and assurance practitioners shall be objective in all
matters related to audit and assurance engagements.
General Standard 1005-Due Professional Care
Auditors will exercise due diligence and professional care.
They will maintain high standards of conduct and character,
and they will refrain from engaging in acts that may discredit
themselves or the profession . Privacy and confidentiality
of information obtained during the course of the aud itor's
duties should be maintained.
General Standard 1006-Proficiency
IT audit and assurance practitioners, collectively with others
assisting with the audit and assurance engagement, sha ll
possess the professional competence to perform the work
required .
Reporting Standard 1402.3-Follow-Up Activities and
Acceptance of Risk
Where it is determined that the risk related to a finding
has been accepted and is greater than the enterpris e's ri sk
appetite, this risk acceptance shou ld be discussed with
senior management.
CISA° Official Review Manual 2gth Edition I Chapter 1
Unlike audit plans that are reviewed annually, Agile
audit plans are reviewed every quarter (or more
frequently in some instances) due to the Agile
iterative approach to conducting an audit engagement.
Agile Auditing Compared to Established
Assurance Standards
Figure 1.15 shows how Agile complements general,
performance and reporting standards and guidelines
found in the ISACA ITAF standard. The comparison
in figure 1.15 shows how Agi le audit techniques
complement adherence to the standard.
llTtl•ll ~.;;- .
-
--. -
-
t ll ;J 1:.... ~-·
- -- ttE
• Agile encourages more direct levels of communication
and involvement with audit customers, which reflects
auditors' organizational independence.
• The collaborative approach used in Agile (and facilitated
by organizational independence) allows audit to leverage
subject matter expertise to allow expedient agreement
on aud it findings and minimize remediation timelines.
• While differing from the traditional approach to aud it,
Agile does not comprom ise auditor objectivity, which
may be impaired if conflicts of interest arise.
• Agile aud it f unctions retain their professional skepticism
and abi lity to make final decisions throughout the aud it
engagement.
• The aud it backlog is prioritized more often under Agile,
which cons iders the required resources, estab li shment
of proper audit scope, proper audit objectives and
adequate levels of diligence and discretion .
• With Agile, audit management retains its right to
conclude on key matters of each aud it engagement.
• Daily standup scrum meetings and two-week sprint
cycles greatly enhance development of audit staff at the
junior and senior levels.
• Increased collaboration with audit customers allows
audit staff to learn the business more completely.
• The collaborative and frequent communication
processes leveraged by Agile seek to ensure full
disclosure to executive management of any accepted
risk taken by audit customers.
©ISACA. Al l Rights Reserved. I 59
 CISA° Official Review Manual zgth Edition I Chapter 1
Figure 1.15---Complementmy Relationship ofAgile Audit Techniques and ITAF (cont.)
General Guideline 2001.2.6-Performance of Quality
Assurance (QA)
Accountability of the audit and assurance function includes
but is not limited to the QA Process (e.g., interviews,
customer satisfaction surveys, assignment performance
surveys) that establishes an understanding of the auditees'
needs and expectations relevant to the audit function.
Source: ISACA, Destination: Agile Auditing, USA, 2021
1.6 Audit Testing and Sampling
Methodology
Valid conclusions can be reached using audit sampling.
When using (;)ither statistical or nonstatistical sampling
methods, IS auditors should design and select an audit
sample, perform audit procedures and evaluate sample
results to obtain sufficient and appropriate evidence
to form a conclusion. When using sampling methods
to draw a conclusion about the entire population,
professionals should use statistical sampling.
An IS auditor should consider the purpose of the sample:
• Compliance testing/test of controls-An audit
procedure designed to evaluate the operating
effectiveness of controls in preventing, or detecting
and c01Tecting, material weaknesses
• Substantive testing/test of details-An audit
procedure designed to detect material weaknesses at
the asse1tion level
1.6.1 Compliance Versus Substantive
Testing
Compliance testing is evidence gathering for the purpose
of testing an organization's compliance with control
procedures. This differs from substantive testing, in
which evidence is gathered to evaluate the integrity of
individual transactions, data or other information.
A compliance test determines whether controls are being
applied in a manner that complies with management
policies and procedures. For example, if an IS auditor
is concerned about whether production program library
controls are working properly, the IS auditor might select
a sample of programs to determine whether the source
and object versions are the same. The broad objective of
any compliance test is to provide reasonable assurance
of a particular control as perceived in the preliminary
evaluation.
60 I © ISACA. All Rights Reserved.
• The Agile sprint retrospective is a tool the audit team
uses to analyze how the last sprint delivered with regard
to individuals, interactions among customers and the
audit team, executed processes, audit tools and the
definition of "done."
It is important that an IS auditor understands the
specific objective of a compliance test and of the control
being tested. Compliance tests can be used to test the
existence and effectiveness of a defined process, which
may include a trail of documentary and/or automated
evidence (e.g., to provide assurance that only authorized
modifications are made to production programs).
A substantive test substantiates the integrity of actual
processing. It provides evidence of the validity and
integrity of the balances in the financial statements
and the transactions that suppott those balances. An IS
auditor could use substantive tests to check for monetary
errors directly affecting financial statement balances or
other relevant data of the organization. Additionally, an
IS auditor might develop a substantive test to evaluate
the completeness and accuracy of report data. To perform
this test, the IS auditor might use a statistical sample,
which will allow the IS auditor to develop a conclusion
regarding the accuracy of all the data.
A direct correlation exists between the level of internal
controls and the amount of substantive testing required.
If the results of testing controls (compliance tests)
reveal the presence of adequate internal controls, then
minimizing the substantive procedures could be justified.
Conversely, ifthe control testing reveals weaknesses in
controls that may raise doubts about the completeness,
accuracy or validity of the accounts, substantive testing
can alleviate those doubts.
Examples of compliance testing of controls where
sampling could be considered include user access rights,
program change control procedures, documentation
procedures, program documentation, follow-up of
exceptions, review of logs and software license audits.
Examples of substantive tests where sampling could be
considered include performance of a complex calculation
(e.g., interest) on a sample of accounts or a sample of
transactions to vouch for suppotting documentation.

An IS auditor could decide during the preliminary
assessment of the controls to include some substantive
testing if the results of the preliminary evaluation
indicate that implemented controls are not reliable or do
not exist.
Figure 1.16 shows the relationship between compliance
and substantive tests and describes the two categories of
substantive tests.
Figure 1.16-Understand the Control Environment and Flow a/Transactions
Review the system to identify controls.
Test compliance to determine whether controls are functioning .
Test balances and transactions.
1.6.2 Sampling
Sampling is performed when time and cost
considerations preclude a total verification of all
transactions or events in a predefined population. The
population consists of the entire group of items that need
to be examined. The subset of population members used
to perform testing is called a sample. Sampling is used
to infer characteristics about a population based on the
characteristics of a sample.
The two general approaches to audit sampling are
statistical and nonstatistical :
• Statistical sampling-An objective method of
determining the sample size and selection criteria
• Statistical sampling uses the mathematical laws
of probability to: (1) calculate the sampling size,
(2) select the sample items and (3) evaluate the
sample results and make inferences.
• With statistical sampling, an IS auditor
quantitatively decides how closely the sample
should represent the population (assessing sample
CI SA° Official Review Manual 281h Edition I Chapter 1
Note
A CISA candidate should be knowledgeable about
when to perform compliance tests or substantive tests.
Perform analytic review procedures.
precision) and the number of times in 100 that
the sample should represent the population (the
reliability or confidence level). This assessment is
represented as a percentage. The results of a valid
statistical sample are mathematically quantifiable.
• Nonstatistical sampling (often referred to as
judgmental sampling}--Uses audit judgment to
determine the method of sampling, the number of
items that will be examined from a population
(sample size) and which items to select (sample
selection)
• These decisions are based on subjective judgment
as to which items/transactions are the most
material and most risky.
The IS auditor should be familiar with the statistical
sampling concepts described in figure 1.17.
When using either statistical or nonstatistical sampling
methods, an IS auditor should design and select an
audit sample, perform audit procedures and evaluate
sample results to obtain sufficient, reliable, relevant
©ISACA Al l Rights Reserved. I 61
 CISA' Official Review Manual 281h Edition I Chapter 1

and useful audit evidence. These methods of sampling
require an IS auditor to use judgment when defining
the population characteristics and, thus, are subject to
the risk that incorrect conclusions could be drawn from
the sample (sampling risk). However, statistical sampling
permits an IS auditor to quantify the probability of
error (confidence coefficient). To be a statistical sample,
each item in the population should have an equal
opportunity or probability of being selected. Within these
two general approaches to audit sampling, there are two
primary methods of sampling used- attribute sampling
and variable sampling. Attribute sampling, generally
applied in compliance testing, deals with the presence
or absence of the attribute and provides conclusions that
are expressed in rates of incidence.

Figure 1.17-Statistical Sampling Terminology

_.....
II ~..uuUUt ll l

Confidence coefficient
(confidence level or reliability
factor)
A percentage expression (90 percent, 95 percent, 99 percent, etc.) of the probability that
the characteristics of the sample are a true representation of the population. Generally,
a 95 percent confidence coefficient is considered a high degree of assurance. If an
information systems (IS) auditor knows internal controls are strong, the confidence
coefficient may be lowered. The greater the confidence coefficient, the larger the sample
size.

Level of risk Equal to one minus the confidence coefficient. For example, if the confidence coefficient
is 95 percent, the level of risk is five percent (100 percent minus 95 percent).

Precision Set by an IS auditor, the acceptable range difference between the sample and the actual
population. For attribute sampling, this figure is stated as a percentage. For variable
sampling, this figure is stated as a monetary amount or a number. The higher the
precision amount, the smaller the sample size and the greater the risk of fairly large
total error amounts going undetected. The smaller the precision amount, the greater the
sample size. A very low precision level may lead to an unnecessarily large sample size.

Expected error rate An estimate stated as a percentage of the errors that may exist. The greater the
expected error rate, the greater the sample size. This figure is applied to attribute
sampling formulas but not to variable sampling formulas .
Sample mean The sum of all sample values divided by the size of the sample. The sample mean
measures the average value of the sample.
Sample standard deviation The variance of the sample values from the mean of the sample. Sample standard
deviation represents the spread or dispersion of the sample values.

Tolerable error rate
Describes the maximum misstatement or number of errors that can exist without an
account being materially misstated. Tolerable rate is used for the planned upper limit
of the precision range for compliance testing. The term is expressed as a percentage.
"Precision range" and "precision" have the same meaning when used in substantive
testing.

Population standard deviation A mathematical concept that measures the relationship to the normal distribution. The
greater the standard deviation, the larger the sample size. This figure is applied to
variable sampling formulas but not to attribute sampling formulas.

Attribute sampling refers to three different, but related,
types of proportional sampling:
• Attribute sampling (fixed sample-size attribute
sampling or frequency-estimating sampling)--A
sampling model used to estimate the rate (percent)
of occurrence of a specific quality (attribute) in a
population. Attribute sampling answers the question,
"How many?"
• An example of an attribute that might be tested
is approval signatures on computer access request
forms.
• Stop-or-go sampling-A sampling model that helps
prevent excessive sampling of an attribute by
allowing an audit test to be stopped at the earliest
possible moment. Stop-or-go sampling is used when

62 I ©ISACA. All Rights Reserved.


an IS auditor believes that relatively few errors will
be found in a population.
• Discovery sampling-A sampling model most often
used when the objective of the audit is to seek
out (discover) fraud, circumvention ofregulations
or other irregularities. For example, if the sample
is found to be error free, it is assumed that no
fraud/irregularity exists; however, if a single error is
found, the entire sample is believed to be fraudulent/
irregular.
Variable sampling (dollar estimation or mean estimation
sampling) is a technique used to estimate the monetary
value or some other unit of measure (such as weight)
of a population from a sample portion. An example
of variable sampling is a review of an organization's
balance sheet for material transactions and an application
review of the program that produced the balance sheet.
Variable sampling refers to three types of quantitative
sampling models:
• Stratified mean per unit-A statistical model in
which the population is divided into groups and
Figure 1.18-Steps in the Selection of a Sample for an Audit Test
Determine Define Determine
the the the
objective population method
Sampling Risk
Sampling risk arises from the possibility that an
IS auditor's conclusion may be different from the
conclusion that would be reached ifthe entire population
were subjected to the same audit procedure. There are
two types of sampling risk:
• The risk of incorrect acceptance--A material
weakness is assessed as unlikely when, in fact, the
population is materially misstated.
• The risk of incorrect rejection- A material
weakness is assessed as likely when, in fact, the
population is not materially misstated.
CI SA• Official Review Manual zgth Edition I Chapter 1
samples are drawn from the various groups; used
to produce a smaller overall sample size relative to
unstratified mean per unit
• Unstratified mean per unit- A statistical model in
which a sample mean is calculated and projected as
an estimated total
• Difference estimation- A statistical model used to
estimate the total difference between audited values
and book (unaudited) values based on differences
obtained from sample observations
Variable sampling, generally applied in substantive
testing, deals with population characteristics that vary,
such as monetary values and weights (or any other
measurement), and provides conclusions related to
deviations from the norm.
Key steps in the construction and selection of a sample
for an audit test are shown in figure 1.18.
Note
A CISA candidate is not expected to be a sampling
expert. However, a CISA candidate should have a
foundational understanding of the general principles of
sampling and how to design a sample that is reliable.
A CISA candidate should also be familiar with the
different types of sampling terms and techniques and
know when it is appropriate to use each technique.
1.7 Audit Evidence Collection Techniques
Evidence is any information used by an IS auditor
to determine whether the entity or data being audited
follows the established criteria or objectives and supp01is
audit conclusions. It is a requirement that conclusions
be based on sufficient, relevant and competent evidence.
© ISACA All Rights Reserved. I 63
 CISA° Official Review Manual 2sth Edition I Chapter 1

When planning the IS audit, the type of audit evidence
to be gathered, its use as audit evidence to meet audit
objectives and its varying levels of reliability should be
considered.
Audit evidence may include:
• An IS auditor's observations (presented to
management)
• Notes taken from interviews
• Results of independent and qualified third-paity
assessors
• Material extracted from correspondence and internal
documentation or contracts with external partners
• The results of audit test procedures
While all evidence will assist an IS auditor in
developing audit conclusions, some types of evidence
are more reliable than others. The rules of evidence and
sufficiency and the competency of evidence must be
considered as required by audit standards.
Determinants for evaluating the reliability of audit
evidence include:
• Independence of the provider of the evidence
-Evidence obtained from outside sources is
more reliable than evidence from within the
organization. This is why confirmation letters are
used for verification of accounts receivable balances.
Additionally, signed contracts or agreements with
external parties can be considered reliable if the
original documents are made available for review.
• Qualifications of the individual providing the
information/evidence-Whether the providers of the
information/evidence ai·e inside or outside of the
organization, an IS auditor should always consider
the qualifications and functional responsibilities of
the persons providing the information. This can also
be true of an IS auditor. If an IS auditor does not
have a good understanding of the technical area under
review, the information gathered from testing that
area may not be reliable, especially ifthe IS auditor
does not fully understand the test.
• Objectivity of the evidence-Objective evidence is
more reliable than evidence that requires considerable
judgment or interpretation. An IS auditor's review of
media inventory is direct, objective evidence. An IS
auditor's analysis of the efficiency of an application,
based on discussions with certain personnel, may not
be objective audit evidence.
• Timing of the evidence-An IS auditor should
consider the time during which information exists
or is available in determining the nature, timing
and extent of compliance testing and, if applicable,
substantive testing. For example, audit evidence
processed by dynamic systems, such as spreadsheets,
may not be retrievable after a specified period of time
if changes to the files are not controlled or the files
are not backed up.
An IS auditor gathers a variety of evidence during an
audit. Some evidence may be relevant to the objectives
of the audit, while other evidence may be considered
peripheral. An IS auditor should focus on the overall
objectives of the review and not the nature of the
evidence gathered.
The quality and quantity of evidence must be assessed.
These two characteristics are referred to by the
International Federation of Accountants (IFAC) as
appropriate (quality) and sufficient (quantity). Evidence
is competent when it is both reliable and relevant.
Audit judgment is used to determine when sufficiency is
achieved in the same manner that it is used to determine
the appropriateness of evidence.
An understanding of the rules of evidence is important
for IS auditors because they may encounter a variety of
evidence types.
Note
A CISA candidate, given an audit scenario, should be
able to determine which evidence-gathering technique
would be best in a given situation.
Techniques for gathering evidence include:
• Reviewing IS organization structures-An
organizational structure that provides adequate SoD
is a key general control in an IS environment. An
IS auditor should understand general organizational
controls and be able to evaluate those controls in
the organization under audit. Where there is a strong
emphasis on cooperative distributed processing or on
end-user computing, IT functions may be organized
somewhat differently from the classic IS organization,
which consists of separate systems and operations
functions . An IS auditor should be able to review
organizational structures and assess the level of
control they provide.
• Reviewing IS policies and procedures-An IS
auditor should review whether appropriate policies
and procedures are in place, determine whether
personnel understand the implemented policies and
procedures and ensure that policies and procedures
are being followed . An IS auditor should verify
that management assumes full responsibility for
formulating, developing, documenting, promulgating
and controlling policies covering general aims

64 I ©ISACA. All Rights Reserved.


and directives. Periodic reviews of policies and
procedures for appropriateness should be carried out.
• Reviewing IS standards-An IS auditor should first
understand the existing standards in place within the
organization.
• Reviewing IS documentation-A first step in
reviewing the documentation for an information
system is to understand the existing documentation
in place within the organization. This documentation
could be a hard copy or a copy stored electronically.
If the latter, controls to preserve the document
integrity should be evaluated by an IS auditor. An
IS auditor should look for a minimum level of IS
documentation. Documentation may include:
• Systems development initiating documents (e.g.,
feasibility studies)
• Documentation provided by external application
suppliers
• SLAs with external IT providers
• Functional requirements and design specifications
• Tests plans and reports
• Program and operations documents
• Program change logs and histories
• User manuals
• Operations manuals
• Security-related documents (e.g., security plans,
risk assessments)
• BCPs
• QA reports
• Repmts on security metrics
• Interviewing appropriate personnel- See section
1. 7 .1 Interviewing and Observing Personnel in
Performance of Their Duties.
• Observing processes and employee performance--
The observation of processes is a key audit technique
for many types of review. An IS auditor should be
unobtrusive while making observations and should
document everything in sufficient detail to be able
to present it, if required, as audit evidence. In some
situations, the release of the audit report may not be
timely enough to use observations as evidence, which
may necessitate the issuance of an interim report to
management of the area being audited. An IS auditor
may wish to consider whether documentary evidence
would be useful as evidence (e.g., photograph of a
server room with doors fully opened).
• Reperformance--The reperformance process is a
key audit technique that generally provides better
evidence than the other techniques and is, therefore,
used when a combination of inquiry, observation and
examination of evidence does not provide sufficient
assurance that a control is operating effectively. This
Cl SA° Official Review Manual 29th Edition I Chapter 1
technique involves the actual performance of the
control under assessment in real time.
• Walk-th roughs-The walk-through is an audit
technique to confirm the understanding of controls.
A walkthrough can help ensure the control owner
and IS auditor clearly understand the controls to be
assessed and assist in the identification of evidence to
be collected to validate control effectiveness.
Whi le these evidence-gathering techniques are part of an
audit, an audit is not limited to review work. It includes
examination, which incorporates the testing of controls
and audit evidence and, therefore, includes the results of
audit tests.
An IS auditor should recognize that with systems
development techniques, such as computer-aided
software engineering (CASE) or prototyping, traditional
systems documentation will not be required or will be
provided in an automated form. However, an IS auditor
should look for documentation standards and practices
within the IS organization.
An IS auditor should be able to review documentation
for a given system and determine whether it follows the
organization's documentation standards. In addition, an
IS auditor should understand the current approaches to
developing systems-such as object orientation, CASE
tools or prototyping-and how the documentation is
constructed. An IS auditor should recognize other
components of IS documentation, such as database
specifications, file layouts or self-documented program
listings.
1.7.1 Interviewing and Observing
Personnel in Performance of Their Duties
Interviewing techniques are an important skill for an
IS auditor. Interviews should be organized in advance
with objectives clearly communicated, follow a fixed
outline and be documented by interview notes. Using an
interview form or checklist prepared by an IS auditor is a
good approach.
Remember that the purpose of such an interview is to
gather audit evidence using techniques, such as inquiry,
observation, inspection, confirmation, performance and
monitoring. Personnel interviews are discoveries by
nature and should never be accusatory; the interviewer
should help people feel comfortable, encouraging them to
share information, ideas, concerns and knowledge. An IS
auditor should verify the accuracy of the notes with the
interviewee.
© lSACA All Rights Reserved. I 65
 CISA6 Official Review Manual 23th Edition I Chapter 1
Observing personnel in the performance of their duties
assists an IS auditor in identifying:
• Actual functions-Observation can be an adequate
test to ensure that the individual who is assigned
and authorized to perform a particular function is the
person who is actually doing the job. It allows an IS
auditor an opportunity to witness how policies and
procedures are understood and practiced. Depending
on the specific situation, the results of this type of test
should be compared with the respective logical access
rights.
• Actual processes/procedures-Performing a walk-
through of the process/procedure allows an IS
auditor to obtain evidence of compliance and observe
deviations, if any. This type of observation can prove
useful for physical controls.
• Security awareness-Security awareness should be
observed to verify an individual's understanding and
practice of good preventive and detective security
measures to safeguard the enterprise's assets and
data. This type of information can be supported with
an examination of previous and planned security
training.
• Reporting relationships-Rep01ting relationships
should be observed to ensure that assigned
responsibilities and adequate SoD are being practiced.
Often, the results of this type of test should be
compared with the respective logical access rights.
• Observation drawbacks-The observer may
interfere with the observed environment. Personnel,
upon noticing that they are being observed, may
change their usual behavior. Interviewing information
processing personnel and management should provide
adequate assurance that the staff has the required
technical skills to perform the job. This is an
important factor that contributes to an effective and
efficient operation.
1.8 Audit Data Analytics
Data analytics is an imp01tant tool for an IS auditor.
Through the use of technology, an IS auditor can select
and analyze full data sets to continuously audit or
monitor key organizational data for abnormalities or
variances that can be used to identify and evaluate
organizational risk and achieve compliance with control
and regulatory requirements.
An IS auditor can use data analytics to:
• Determine the operational effectiveness of the current
control environment
• Determine the effectiveness of antifraud procedures
and controls
66 I ©ISACA. All Rights Reserved.
• Identify business process errors
• Identify business process improvements and
inefficiencies in the control environment
• Identify exceptions or unusual business rules
• Identify fraud
• Identify areas where poor data quality exists
• Conduct a risk assessment at the planning phase of an
audit
The process used to collect and analyze data includes:
• Setting the scope (e.g., determining audit/review
objectives; defining data needs, sources and
reliability)
• Identifying and obtaining the data (e.g., requesting
data from responsible sources, testing a sample of
data, extracting the data for use)
• Validating the data (e.g., determining ifthe data is
sufficient and reliable to perform audit tests) by:
• Validating balances independent of the data set
extracted
• Reconciling detailed data to rep01t control totals
• Validating numeric, character and date fields
• Verifying the time period of the data set (i.e.,
determining that it meets scope and purpose)
• Verifying that all necessary fields identified in the
scope are actually included in the acquired data set
• Executing the tests (e.g., running scripts and
performing other analytical tests)
• Documenting the results (e.g., recording the testing
purpose, data sources and conclusions reached)
• Reviewing the results (e.g., ensuring that the testing
procedures have been adequately performed and
reviewed by a qualified person)
• Retaining the results (e.g., maintaining important test
elements), such as:
• Program files
• Scripts
• Macros/automated command tests
• Data files
Data analytics can be effective for an IS auditor in both
the planning and fieldwork phases of an audit.
Analytics can be used to:
• Combine logical access files with human resources
employee master files for authorized users
• Combine file library settings with data from the
change management systems and dates of file changes
that can be matched to dates of authorized events
• Match ingress with egress records to identify
tailgating in physical security logs
• Review table or system configuration settings
• Review system logs for unauthorized access or
unusual activities

• Test system conversion
• Test logical access SoD (e.g., analysis of Active
Directory data combined with job descriptions)
1.a.1 Computer-Assisted Audit
Techniques
CAATs are important tools that an IS auditor uses
to gather and analyze data during an IS audit or
review. When systems have different hardware and
software environments, data structures, record formats or
processing functions, it is almost impossible for an IS
auditor to collect ce1tain evidence without using such a
software tool.
CAATs also enable an IS auditor to gather information
independently. They provide a means to gain access and
analyze data for a predetermined audit objective and to
report the audit findings with emphasis on the reliability
of the records produced and maintained in the system.
The reliability of the source of the information used
provides reassurance on findings generated.
CAATs include many types of tools and techniques
such as GAS, utility software, debugging and scanning
software, test data, application software tracing and
mapping and expe1t systems.
GAS refers to standard software that can directly read
and access data from various database platforms, flat-file
systems and American Standard Code for Information
Interchange (ASCII) formats. GAS provides an IS
auditor with an independent means to gain access to data
for analysis and the ability to use high-level, problem-
solving software to invoke functions to be performed on
data files. Features include mathematical computations,
stratification, statistical analysis, sequence checking,
duplicate checking and recomputations. Functions
commonly supp01ted by GAS include:
• File access-Enables the reading of different record
formats and file structures
• File reorganization-Enables indexing, so1ting,
merging and linking with another file
• Data selection-Enables global filtration conditions
and selection criteria
• Statistical functions-Enables sampling,
stratification and frequency analysis
• Arithmetical functions-Enables arithmetic
operators and functions
Utility software is a subset of software- such as
report generators of the database management system
(DBMS)-that provides evidence about system control
effectiveness. Test data involves an IS auditor using
a sample set of data to assess whether logic errors
CI SN Official Review Manual 28 1h Edition I Chapter 1
exist in a program and whether the program meets its
objectives. The review of an application system will
provide information about internal controls built into the
system. The audit-expert system will provide direction
and valuable information to all levels of auditors while
carrying out the audit because the query-based system
is built on the knowledge base of senior auditors or
managers.
Utility software tools and techniques can be used in
performing various audit procedures such as:
• Tests of the details of transactions and balances
• Analytical review procedures
• Compliance tests ofIS general controls
• Compliance tests of IS application controls
• Network and OS vulnerability assessments
• Penetration testing
• Application security testing and source code security
scans
An IS auditor should have a thorough understanding
of CAATs and know where and when to apply them.
For example, an IS auditor should review the results of
engagement procedures to determine whether there are
indications that irregularities or illegal acts may have
occurred. Using CAATs could aid significantly in the
effective and efficient detection of irregularities or illegal
acts.
An IS auditor should weigh the costs and benefits of
using CAATs before going through the effort, time and
expense of purchasing or developing them. Issues to
consider include:
• Ease of use for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies
• Effo1t required to bring the source data into the
CAATs for analysis
• Ensuring the integrity of imp01ted data by
safeguarding its authenticity
• Recording the time stamp of data downloaded at
critical processing points to sustain the credibility of
the review
• Obtaining permission to install the software on the
auditee servers
• Reliability of the software
• Confidentiality of the data being processed
When developing CAATs, the following are examples of
documentation to be retained:
• Online rep01ts detailing high-risk issues for review
©ISACA. All Rights Reserved. I 67
 CISA" Official Review Manual 2sth Edition I Chapter 1
• Commented program listings
• Flowcharts
• Sample reports
• Record and file layouts
• Field definitions
• Operating instructions
• Description of applicable source documents
CAATs documentation should be referenced to the audit
program and clearly identify the audit procedures and
objectives being served. When requesting access to
production data for use with CAATs, an IS auditor should
request read-only access. Any data manipulation by an
IS auditor should be applied to copies of production files
in a controlled environment to ensure that production
data is not exposed to unauthorized updating. Most
CAATs allow for production data to be downloaded from
production systems to a standalone platform and then
analyzed from the standalone platform, thereby insulating
the production systems from any adverse impact.
CAATs as a Continuous Online Audit Approach
An important advantage of CAATs is the ability to
improve audit efficiency through continuous online
auditing techniques. To this end, an IS auditor must
develop audit techniques that are appropriate for use with
advanced information systems.
In addition, the IS auditor must be involved in the
creation of advanced systems at the early stages
of development and implementation and must make
greater use of automated tools that are suitable for the
organization's automated environment. This takes the
form of the continuous audit approach.
1.a.2 Continuous Auditing and Monitoring
Continuous auditing is an approach used by IS auditors
to monitor system reliability on a continuous basis and
gather selective audit evidence through the computer.
A distinctive characteristic of continuous auditing is
the short time lapse between the facts to be audited,
the collection of evidence and audit reporting. To
properly understand the implications and requirements
of continuous auditing, a distinction is made between
continuous auditing and continuous monitoring:
• Continuous auditing-Enables an IS auditor to
perform tests and assessments in a real-time or
near-real-time environment. Continuous auditing is
designed to enable an IS auditor to report results on
the subject matter being audited within a much sh01ter
time frame than under a traditional audit approach.
68 I ©ISACA. All Rights Reserved.
• Continuous monitoring-Enables an organization to
observe the performance of one or many processes,
systems or types of data. For example, real-time
antivirus or intrusion detection systems may operate
in a continuous monitoring fashion.
Continuous auditing should be independent of continuous
control or monitoring activities. When both continuous
monitoring and auditing take place, continuous assurance
can be established. In practice, continuous auditing
is the precursor to management adopting continuous
monitoring as a process on a day-to-day basis. Often,
the audit function will hand over the techniques used
in continuous auditing to the business, which will then
run the continuous monitoring. This collaboration has led
to increased appreciation among process owners of the
value that the audit function brings to the organization,
leading to greater confidence and trust between the
business and the audit function . Nevertheless, the lack
of independence and objectivity inherent in continuous
monitoring should not be overlooked, and continuous
monitoring should never be considered as a substitute for
the audit function .
Continuous auditing efforts often incorporate new
IT developments; increased processing capabilities of
current hardware, software, standards and AI tools;
and attempts to collect and analyze data at the
moment of the transaction. Data must be gathered
from different applications working within different
environments, transactions must be screened, the
transaction environment has to be analyzed to detect
trends and exceptions, and atypical patterns (i.e., a
transaction with significantly higher or lower value than
typical for a given business pattner) must be exposed. If
all this must happen in real time, perhaps even before
final sign-off of a transaction, it is mandatory to adopt
and combine various top-level IT techniques. The IT
environment is a natural enabler for the application of
continuous auditing because of the intrinsic automated
nature of its underlying processes.
Continuous auditing aims to provide a more secure
platform to avoid fraud and a real-time process aimed
at ensuring a high level of financial control. Continuous
auditing and monitoring tools are often built into many
enterprise resource planning packages and most OS
and network security packages. These environments,
if appropriately configured and populated with rules,
parameters and formulas, can output exception lists on
request while operating against actual data. Therefore,
they represent an instance of continuous auditing. The
difficulty, but significant added value, ofusing these
features is that they postulate a definition of what would

be a "dangerous" or exception condition. For example,
whether a set of granted IS access permissions is to
be deemed risk-free will depend on having well-defined
SoD. On the other hand, it may be much harder to decide
if a given sequence of steps taken to modify and maintain
a database record points to a potential risk.
It is imp01iant to validate the source of the data used for
continuous auditing and note the possibility of manual
changes.
1.8.3 Continuous Auditing Techniques
Continuous auditing techniques are important IS audit
tools, particularly when they are used in time-sharing
environments that process a large number of transactions
but leave a scarce paper trail. By permitting an IS auditor
to evaluate operating controls on a continuous basis
without disrupting the organization's usual operations,
continuous auditing techniques improve the security
of a system. When a system is misused by someone
withdrawing money from an inoperative account, a
continuous auditing technique will repoti this withdrawal
in a timely fashion to an IS auditor. Thus, the time
lag between the misuse of the system and the detection
of that misuse is reduced. The realization that failures,
improper manipulation and lack of controls will be
detected on a timely basis by the use of continuous
auditing procedures gives an IS auditor and management
greater confidence in a system's reliability.
There are five types of automated evaluation techniques
applicable to continuous auditing:
1. Systems control audit review file and embedded
audit modules (SCARF/EAM}-The use of this
technique involves embedding specially written audit
software in the organization's host application system
so the application systems are monitored on a
selective basis.
2. Snapshots- This technique involves taking what
might be termed "pictures" of the processing path that
Figure 1.19- Continuous Auditing Tools- Use Cases
Complexity Very high Medium
Useful when: Regu lar An audit trail is
processing cannot required .
be interrupted.
The use of each of the continuous auditing techniques
has advantages and disadvantages. Their selection and
CISA° Official Review Manual 28 1h Edition I Chapter 1
a transaction follows, from the input to the output
stage. With the use of this technique, transactions
are tagged by applying identifiers to input data and
recording selected information about what occurs for
an IS auditor's subsequent review.
3. Audit hooks- This technique involves embedding
hooks (e.g., logging and monitoring triggers) in
application systems to function as red flags and
induce IS security and auditors to act before an error
or irregularity gets out of hand.
4. Integrated test facility (ITF)-With this technique,
dummy entities are set up and included in an
auditee's production files. An IS auditor can make
the system either process live transactions or test
transactions during regular processing runs and have
the transactions update the records of the dummy
entity. The operator enters the test transactions
simultaneously with the live transactions that are
entered for processing. An auditor then compares
the output with the data that has been independently
calculated to verify the correctness of the computer-
processed data.
5. Continuous and inter mittent simulation (CIS)-
During a process run of a transaction, the computer
system simulates the instruction execution of the
application. As each transaction is entered, the
simulator decides whether the transaction meets
certain predetermined criteria and, if so, audits
the transaction. If not, the simulator waits until it
encounters the next transaction that meets the criteria.
In figure 1.19, the relative use cases of the various
continuous auditing tools are presented.
Low High Medium
On ly select It is not beneficia l Transactions
transactions or to use test data. meeting certa in
processes need to criteria need to be
be examined. examined.
implementation depend, to a large extent, on the
complexity of an organization's computer systems and
©ISACA. All Rights Reserved. I 69
 CISA6 Official Review Manual 23th Edition I Chapter 1

applications and an IS auditor's ability to understand time, inefficiencies of the audit process, overhead due
and evaluate the system with and without the use of to work segmentation, multiple quality or supervisory
continuous auditing techniques. In addition, an IS auditor reviews or discussions concerning the validity of
must recognize that continuous auditing techniques are findings.
not a cure for all control problems and that the use of
Full top management suppo1t, dedication and extensive
these techniques provides only limited assurance that the
experience and technical knowledge are all necessary to
information processing systems examined are operating
accomplish continuous auditing, while minimizing the
as they were intended to function.
impact on the underlying audited business processes.
Techniques that are used to operate in a continuous The auditing layers and settings may also need continual
auditing environment must work at all data levels- adjustment and updating.
single input, transaction and databases-and include:
Besides difficulty and cost, continuous auditing has an
• Transaction logging
inherent disadvantage in that internal control expe1ts and
• Query tools
auditors might be hesitant to trust an automated tool in
• Statistics and data analysis
lieu of their personal judgment and evaluation. Also,
• DBMSs
mechanisms have to be put in place to eliminate false
• Data warehouses, data marts, data mining
negatives and false positives in the reports generated
• Intelligent agents
by such audits so that the report generated continues to
• EAM
inspire stakeholders' confidence in its accuracy.
• Neural network technologies
• Standards such as Extensible Business Reporting
1.8.4 Artificial Intelligence in IS Audit
Language (XBRL)
A1tificial intelligence (AI) is increasingly being used
Intelligent software agents may be used to automate
in many business functions. Detecting fraudulent
the evaluation processes and allow for flexibility
transactions, performing data quality checks, screening
and dynamic analysis capabilities. The configuration
for negative news and data processing have all
and application of intelligent agents (bots) allow for
been successfully automated via Al/machine learning
continuous monitoring of systems settings and the
(ML) techniques. Implementing AI or ML for large
delivery of alert messages when ce1tain thresholds are
multinational corporate banks leads to big savings in
exceeded or certain conditions are met.
manual overhead and reconciliation efforts.
Full continuous auditing processes have to be carefully
~S auditors may benefit from using Al/ML techniques to
built into applications and work in layers. The auditing
mcrease overall audit efficiency or decrease audit risk.
tools must operate in parallel with normal processing-
Efficiency can be gained through automating tedious
capturing real-time data, extracting standardized profiles
manual processes like audit work paper markups or data
or descriptors and passing the result to the auditing
manipulation. Audit risk may be decreased through the
layers.
ability to increase audit sample sizes or provide auditors
Continuous auditing has an intrinsic edge over point-in- with more time and information to analyze audit results
time or periodic auditing because it captures internal for fmther testing and follow up.
control problems as they occur, preventing negative
Figure 1.20 outlines specific tasks and automation
effects. Implementation can also reduce possible or
opportunities for Al/ML in IS audit.
intrinsic audit inefficiencies such as delays, planning

70 I ©ISACA. All Rights Reserved .

 CISA" Official Review Manual 28th Edition I Chapter 1

Figure 1.20-The Role of RPA and AI Within the Audit Life Cycle

0
<{}
Audit Setup
Cv
Auditing Fieldwork

Tasks: Tasks: Tasks: Tasks:

1. Preselect audit
candidates
2. Plan for audit
3. Identify risk and
dependencies
of associated
business functions
1. Communication audit 1. Evaluate as-is 1. Prepare audit report
scope working process 2. Review issues
2. Document key risk 2. Identify issues and 3. Audit debrief
and co ntrols observations
4. Update risk profi le of
3. Understa nd the 3. Compare with business unit/team
process landscape designed processes
and co ntrols

Automation Scope: Automation Scope: Automation Scope: Automation Scope:

1. Ready view of similar
audits of com parable
business functions and
aud it type
2. Risk-based audit
assessment reports
3. Continuous controls
monitoring regard ing
business processes
4. Auto generation of
checklists
AUTOMATION VIA:
NLP. predictive analysis
and RPA
1. Automate analysis and
summary of wordy and
document-heavy
policies, standa rd
operating procedures
(SOPs) and others in
the audit scope
2. Prepopulate and share
fin dings based on initial
analysis of SOPs and
other available
documents
3. Keyword-based analys is
4. Rule engine to
extrapolate outcome
analys is
1. Automate audit tasks 1. Automate text-based
2. Modeling of data audit report
2. Data visualization of
3. Data sample testi ng
key issues and risk
automation
3. Inte lligent reporting
4. Aggregating and
of audit-based
interpreti ng data via
ru le engine quantificat ion of
issues
5. Fraudulent data
detection
AUTOMATION VIA:
NLP. natura l language
AUTOMATION VIA:
generation, predictive
NLP. natural language ana lysis and RPA
generation, predictive
analysis and RPA

AUTOMATION VIA:
NLP. predictive analysis
and RPA

Source: Menon, S.; "How Can AI Drive Audits?," ISA CA Journal, vol. 4, 30 June 2021 , https://www.isaca.org/resources/isaca-journal/
issues/2021 /volume-4/how-can-ai-drive-audits

Audit Algorithms Algorithms as a concept are often associated with

mathematics or computer science, which can make them
It is important for practitioners, specifically IS auditors,
seem intimidating and difficult to understand. However,
to understand what algorithms are and why they matter,
algorithms are simply ways to solve a specific problem.
that smart algorithms are not new, and that humans have
For example, babies cry when they need nourishment,
a decisive role in algorithm design and metrics. It is the
pain management or attention. An algorithm can be as
auditor's job to ask questions using the correct tools,
simple as "If hungry, then cry." 9 Algorithms are used
interpret results and remember that errors are possible
to solve everyday problems-from cooking to driving to
even with the most advanced algorithms.
troubleshooting to diagnosing a medical condition.

9 Alexiou, S. ; "Algorithms and the Auditor," ISACA Journal, vol. 6, 23 November 202 1, https://111111111.isaca.org/resourcesl isaca-:Journa/lissues/202/I
volume-6/algorithms-and-the-auditor

© ISACA. All Rights Reserved. I 71

 CISA° Official Review Manual 23th Edition I Chapter 1

Algorithms can be simple or complex, and not all
algorithms are effective. Some are more suited to
solving a problem than others. The feasibility of using
technological advancements, such as AI, is dependent on
finding an efficient algorithm that makes computations
fast. 10 An example is homomorphic encryption, which
enables the manipulation of encrypted data without the
need to convert it to cleartext first. 11
Audits can be considered similarly. For example, audits
include checking a current state (as is) versus the desired
state (as should be). These checks direct an algorithm
to:I2
• Obtain the "as is" and "as should be" versions.
• Perform whatever operations are needed to enable a
comparison.
• Perfo1m the comparison.
• Assess the results and their significance.
A complete algorithm involves a detailed prescription of
all the general tasks and how to perform each subtask. 13
Regardless of the complexity, an algorithm is just one
way to tackle a problem, and it is important to review and
adapt algorithms as changes and needs dictate.
Figure 1.21 further expands on specific applications and
use cases for Al/ML techniques in IS audit.

Figure 1. 21---Suggested AI/ML Techniques for Use in Auditing

ltll8r- - -
llf:.feil 1!';111l:':-:.--. - ~
-
I l ll f 11 : -

Document classification Application of classification models (e.g., decision • Understanding standard

trees, Bayesian classifiers, nearest neighbors) to assign operating procedures, policies
documents or text segments to a specific topic or label and other deliverables reviewed
during auditing
• Making inferences from
previous similar audit reports
Text summarization The process of combining frequently used words, • Generating audit observations
phrases and topics to generate a natural language and inferences
summary of a text or a document set • Auto-generating audit checklists
Topic analysis Analysis performed across documents, groups of • Analyzing data
documents or document texts to identify unique topics
that link documents or sections of documents
• Building keyword rule engine for
audits
Search and retrieval The process of searching a database or repository of • Making similar audit report
processed information to retrieve documents that align inferences
with the topics or themes entered in the search criteria
Statistical analysis A basic statistical analysis technique that evaluates • Aggregating data
term, phrase or topic trends • Interpreting data
Sentiment analysis The ability to extract and analyze text or groups of text in • Identifying key issues and risk
documents to understand author sentiments • Making intelligent inferences
and preparing audit reports

Source: Menon, S.; "How Can AI Drive Audits?," JSACA Journal, vol. 4, 30 June 2021, https:/lwww.isaca.org/resources/isaca-journal/
issues/2021 lvolume-4/how-can-ai-drive-audits

Interpretation of Al/ML Results
Al/ML results should always be interpreted at some
point by a person. IS auditors must ensure that testing is
designed to answer the question of whether a tool being
used is able to answer the question that the auditor is
asking. Specific factors to consider include: 14
• Data inputs must be validated as part of the Al/ML
assisted audit process upon implementation and
periodically. The use of the Al/ML tool will be

IO Ibid.
11 Armknecht, F.; C. Boyd; C. Carr et al.; "A Guide to Fully Homomorphic Encryption," 2015, https://eprint. iac 1: org/201511I92.pdf
12 Op cit Alexiou
13 Ibid.
14 Ibid.

72 I ©ISACA. All Rights Reserved.


useless if the data being ingested or analyzed is not
complete and accurate. When possible, the IS auditor
should ensure raw system data may be obtained for
analysis and checking of AI/ML tool conclusions.
• The statistical significance of results should be
understood by the IS auditor and results should be
representative of the entire audit universe.
• Supp01t for actual conclusions must be based
on information. Failure to understand that results
include assumptions and caveats can create problems,
especially if the need for proof is substituted by
computer output. For example, there have been
instances of suspects being wrongly identified by
facial recognition algorithms run on blurry images. 15
Al/ML Audit Risk and Considerations
AI/ML techniques are an evolution of CAATs, and the
same considerations should be made to ensure they
are performing as expected. Specific to AI/ML, the IS
auditor should consider:
• Inadequate testing of AI outcomes can produce
questionable results or audit outcomes. IS auditors
should ensure adequate testing is performed and
substantiated by human-led testing. AI/ML programs
are often proprietary. Documentation, if available at
all, is typically not detailed enough to explain exactly
what the algorithm is doing. Even if it is, it may be
complex and hard for a nonexpert to understand.
• Training data fed to algorithms, paiticularly ML
algorithms, should be correct and adequate. Such data
should be able to cover both usual and unusual cases.
In some rare cases, poor training results in algorithms
producing incorrect results.
• The tendency to trust the machine's answer is
strong, but justified only ifthe correctness has been
exhaustively tested and the machine actually answers
the appropriate questions.
• Using Al tools built by humans introduces the ethics
and bias of human judgment and stereotyping.
1.9 Reporting and Communication
Techniques
Effective and cleat· communication can significantly
improve the quality of audits and optimize their results.
Audit findings should be repo1ted and communicated to
stakeholders, with appropriate buy-in from the auditees,
for the audit process to be successful. An IS auditor
should also consider the motivations and perspectives
of the recipients of the audit report so their concerns
15
Hill, K.; "Wrongfully Accused by an Algorithm," The New York Times, 24 June 2020, https://111111111.nytimes.com/2020/06/24/technology/facial-
recognition-arrest.html
CISA" Official Review Manual 29th Edition I Chapter 1
may be properly addressed. Communication skills (both
written and verbal) determine the effectiveness of the
audit reporting process. Communication and negotiation
skills ai·e required throughout the audit. Successful
resolution of audit findings with auditees is essential
so that auditees will adopt the recommendations in the
report and initiate prompt corrective action. To achieve
this goal, an IS auditor should be skilled in the use of
techniques such as facilitation, negotiation and conflict
resolution. An IS auditor should also understand the
concept of materiality (i.e., the relative importance of
audit findings based on business impact) when reporting
audit results.
1. 9.1 Communicating Audit Results
The exit interview, conducted at the end of the
audit, provides an IS auditor with the opportunity to
discuss findings and recommendations with the auditee
management. During the exit interview, an IS auditor
should:
• Ensure that the facts presented in the report are
correct and material
• Ensure that the recommendations are realistic and
cost-effective and, if not, seek alternatives through
negotiation with auditee management
• Recommend implementation dates for agreed-on
recommendations
IS auditors should be aware that, ultimately, they
are responsible to senior management and the audit
committee, and they should feel free to communicate
issues or concerns to them. An attempt to deny access
by levels lower than senior management would limit the
independence of the audit function.
Before communicating the results of an audit to senior
management, an IS auditor should discuss the findings
with the auditee management to gain agreement on
the findings and develop an agreed-upon course of
corrective action. In cases of disagreement, an IS
auditor should elaborate on the significance of the
findings, risk and effects of not correcting the control
weakness. Sometimes the auditee management may
request assistance from an IS auditor in implementing
the recommended control enhancements. An IS auditor
should communicate the difference between an IS
auditor's role and that of a consultant and consider how
assisting the auditee may adversely affect an IS auditor's
independence.
©ISACA All Rights Reserved. I 73
 CISA6 Official Review Manual 2sth Edition I Chapter 1
After an agreement has been reached with auditee
management, IS audit management should brief senior
auditee management. A summary of audit activities
should be presented periodically to the audit committee.
Audit committees typically are composed of individuals
who do not work directly for the organization and, thus,
provide an IS audit and assurance professional with an
independent route to report sensitive findings.
1. 9.2 Audit Report Objectives
The six objectives of audit reporting are to:
1. Formally present the audit results to the auditee (and
the audit client, if different from the auditee)
2. Serve as formal closure of the audit engagement
3. Provide statements of assurance and, if needed,
identification of areas requiring corrective action and
related recommendations
4. Serve as a valued reference for any patty researching
the auditee or audit topic
5. Serve as the basis for a follow-up audit if audit
findings were presented
6. Promote audit credibility, which depends on the report
being well developed and well written
The IS audit-specific repotting objectives are developed
based on repo1t requirements from auditee management
and other users of the rep01t and in compliance with
IS audit and assurance standm·ds and audit organization
protocols. The auditee or other stakeholders, such
as oversight organizations, are identified during audit
planning. An IS auditor develops the audit scope and
objectives by considering those requirements and other
elements of audit planning-such as the assessments of
risk, materiality and appropriateness of stated controls-
together with regulatory and IT governance requirements.
The audit report formally presents the purpose and the
results of the audit in line with those requirements. Every
audit report should provide unbiased, well-supported
responses to the audit's objectives. For example, if
the audit objective is to determine whether adequate
controls are in effect to provide reasonable assurance
that only authorized physical access can be gained to
the data center, then the report should state an IS
auditor 's conclusion or opinion as to the adequacy of
the controls to achieve that objective. If controls need to
be implemented or strengthened to achieve the objective,
then the report should provide a recommendation to meet
that need.
74 I ©ISACA. All Rights Reserved .
1. 9.3 Audit Report Structure and
Contents
Audit rep01ts are the end product of the IS audit
work. The exact format of an audit report will vary by
organization; however, an IS auditor should understand
the basic components of an audit report and how it
communicates audit findings to management.
Note
The CISA candidate should become familiar with
the ISACA IS Audit and Assurance Standards 1401
Reporting and 1402 Follow-up Activities.
Audit reports usually include:
• An introduction to the repott, stating audit objectives,
limitations to the audit and scope, the period of audit
coverage, an overview of the nature and extent of
audit procedures conducted and processes examined
during the audit, and a statement regarding the IS
audit methodology and guidelines
• Audit findings , presented in separate sections and
often grouped in sections by materiality and/or
intended recipient
• An overall conclusion and opinion regarding the
adequacy of controls and procedures examined during
the audit, and the actual potential risk identified as a
consequence of detected deficiencies
• Reservations or qualifications with respect to the
audit
• An IS auditor may state that the controls or
procedures examined were found to be adequate or
inadequate. The balance of the audit report should
support that conclusion, and the overall evidence
gathered during the audit should provide an even
greater level of support for the audit conclusions.
• Detailed audit findings and recommendations
• An IS auditor may include specific findings in
an audit report, based on the materiality of the
findings and the intended recipient of the audit
report. For example, an audit repo1t directed to the
audit committee of the board of directors may not
include findings that are impo1tant only to local
management and have little control significance to
the overall organization. The decision regarding
what to include in various levels of audit reports
depends on the guidance provided by upper
management.

• A variety of findings , some of which may be material
while others are minor in natw-e
• An IS auditor may choose to present minor
findings to management in an alternate format,
such as by memorandum.
An IS auditor should make the final decision about what
to include or exclude from the audit repmt. Generally, an
IS auditor should be concerned with providing a balanced
report, describing not only negative issues in terms of
findings but positive constructive comments regarding
improved processes and controls or effective controls
already in place. Overall, an IS auditor should exercise
independence in the repmting process.
Auditee management evaluates the findings, stating
corrective actions to be taken and timing for
implementing the anticipated corrective actions.
Management may not be able to implement all
audit recommendations immediately. For example,
an IS auditor may recommend changes to an
information system that is undergoing other changes
or enhancements. An IS auditor should not necessarily
expect that the other changes will be suspended until
the audit recommendations are implemented. All may be
implemented at once.
An IS auditor should discuss the recommendations and
any planned implementation dates whjle in the process
of releasing the audit report. Various constraints- such
as staff limitations, budgets or other projects- may
limit immediate implementation. Management should
develop a firm program for taking corrective actions.
It is important to obtain a commitment from auditee
management on the implementation date for the action
plan (implementing the solution can take a long time) and
how it will be performed because the corrective action
may bring risk that might be avoided if identified while
discussing and finalizing the audit report. If appropriate,
an IS auditor may want to report to senior management
on the progress of implementing recommendations.
The report should include all sigruficant audit findings .
When a finding requires explanation, an IS auditor
should describe the finding, its cause and risk. When
appropriate, an IS auditor should provide the explanation
in a separate document and refer to it in the report. For
example, this approach may be appropriate for highly
confidential matters. An IS auditor should also identify
the orgaruzational, professional and governmental criteria
applied. The report should be issued in a timely
manner to encourage prompt corrective action. When
appropriate, an IS auditor should promptly communicate
significant findings to the appropriate persons prior to the
CI SA° Official Review Manual 2gth Ed ition I Chapter 1
issuance of the report. However, prior communication of
significant findings should not alter the intent or content
of the report.
1. 9.4 Audit Documentation
Audit documentation is the written record that provides
the suppmt for the representations in the auditor's report.
It should:
• Demonstrate that the engagement complied with the
standards
• Suppmt the basis for the auditor's conclusions
Audit documentation should include, at a minimum:
• Planning and preparation of the audit scope and
objectives
• Description and/or walk-throughs on the scoped audit
area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
• Audit documentation relation with document
identification and dates
It is also recommended that documentation include:
• A copy of the repo11 issued as a result of the audit
work
• Evidence of audit supervisory review
Documents should include audit information that is
required by laws and regulations, contractual stipulations
and professional standards. Audit documentation is the
necessary evidence supporting the conclusions reached
and should be clear, complete, easily retrievable and
sufficiently comprehensible. Audit documentation is
generally the prope11y of the auditee and should be
accessible only to authorized personnel under specific or
general permission. When access to audit documentation
is requested by external parties, an IS auditor should
obtain appropriate prior approval of senior management
and legal counsel before providing it to those external
parties.
Policies should be developed regarding custody, retention
requirements and release of audit documentation. The
documentation format and media are optional, but due
diligence and good practices require that work papers
be dated, initialed, page-numbered, relevant, complete,
clear, self-contained and properly labeled, filed and kept
in custody. Work papers may be automated. An IS
auditor should consider how to maintain integrity and
protection of audit test evidence to preserve its proof
value in suppo11 of audit results.
©ISACA. All Rights Reserved. I 75
 CISA' Official Revi ew Manual 23th Edition I Chapter 1
An IS auditor should be able to prepare adequate work
papers, narratives, questionnaires and understandable
system flowcha1ts. Audit documentation or work papers
can be considered the bridge or interface between
the audit objectives and the final report. They should
provide a seamless transition-with traceability and
accountability-from objectives to report and from report
to objectives. The audit report, in this context, can be
viewed as a set of particular work papers.
The quest for integrating work papers in the auditor's
environment has resulted in all major audit and project
management packages, CAATs and expert systems
offering a complete array of automated documentation
and import-export features.
Audit documentation should suppmt the audit findings
and conclusions/opinions. Time of evidence can be
crucial to supporting audit findings and conclusions. An
IS auditor should take care to ensure that the evidence
gathered and documented will be able to support audit
findings and conclusions.
The concept of materiality is a key issue when deciding
which findings to bring forward in an audit repmt. Key
to determining the materiality of audit findings is the
assessment of what would be significant to different
levels of management. Assessment requires judging the
potential effect of a finding if corrective action is not
taken. For example:
• A weakness in information security physical access
controls at a remote distributed computer site may
be significant to management at the site but would
not necessarily be material to upper management at
headquaiters. However, there may be other matters
at the remote site that would be material to upper
management.
• A review of access deprovisioning might discover
that a terminated user's access was notremoved after
the user's termination date but show that it was caught
during management's review of security access, at
which time the terminated user 's access was removed.
This type of discovery would not likely be brought
to the attention of upper management but would be
documented and discussed with auditee management.
1.9.5 Follow-Up Activities
Auditing is an ongoing process. An IS auditor is not
effective if audits are performed and reports issued,
but no follow-up is conducted to determine whether
management has taken appropriate corrective actions. IS
auditors should have a follow-up program to dete1mine
if agreed-on corrective actions have been implemented.
76 I ©ISACA. Al l Rights Reserved.
Although IS auditors who work for external audit firms
may not necessarily follow this process, they may
achieve these tasks if they are agreed to by the auditee.
The timing of the follow-up will depend on the criticality
of the findings and is subject to an IS auditor's judgment.
The results of the follow-up should be communicated
to appropriate levels of management. The level of an
IS auditor's follow-up review will depend on several
factors. In some instances, an IS auditor may merely need
to inquire as to the current status. In other instances, an
IS auditor who works in an internal audit function may
have to perform ce1tain audit steps to determine whether
the corrective actions agreed on by management have
been implemented.
1.9.6 Types of IS Audit Reports
The IS audit repo1t is driven mainly by the type of audit
engagement and the reporting requirements from IS audit
and assurance standards. While most IS audits result in
a single IS audit repmt, in some situations, more than
one report can be applicable. For example, in addition to
a repmt for a general audience, a separate confidential
security report containing detailed technical information
may need to be created to ensure that security risk is not
disclosed to unintended parties.
The organization and specific content of the report
also depend on the scope and objectives of the audit
engagement and the degree to which IT processes and
systems are examined or require explanation. The format
and protocols for audit report presentation can depend
on any requirements and expectations set fo1th between
the audit organization and the auditee. Requirements for
audit report contents or format may be requested by
the audit client who may or may not be from the same
organization as the auditee.
Although review, examination and agreed-upon
procedure engagements have similar repo1ting
requirements, each type of engagement stipulates
different reporting requirements and limitations. The
primary distinctions among reviews, examinations and
agreed-upon procedures stem from the audit objectives,
the nature and extent of audit work and the level of
assurance to be provided. While all three types of audits
include review work, performing audit tests is far more
prevalent in audits or examinations that require stronger
evidence for formulation of an opinion. Agreed-upon
procedures may also include testing, but because of
other limitations, an audit opinion may not be expressed.
Although audit scope may be the same for reviews

and examinations, scope is likely to be more narrowly
defined for agreed-upon procedure audits.
o
1.1 Quality Assurance and Improvement is an important element to ensure that an IS audit
of the Audit Process
IS audit plays an important role in improving the quality
and control of information systems in an organization.
As a critical element to the organization's continued
improvement, it is important that the audit process itself
improves continuously.
1.10.1 Audit Committee Oversight
If present, the audit committee is responsible for
oversight of the IS audit function and interaction with
the chief audit executive. If an audit committee does
not exist, a designated group or individual assumes
the responsibilities of oversight of the audit function.
An oversight function and continuous performance
monitoring of t_he audit function (including IS audit)
should be established and reviewed through periodic
reporting.
1.10.2 Audit Quality Assurance
The quality of individual audits is the responsibility
of audit leadership and the assigned project leads.
These individuals are responsible for ensuring that
documented audit procedures are followed. Documented
audit procedures may come in a variety of forms (audit
manuals, wikis, sampling guidance, etc.) but should be
clearly identified and known to all applicable members of
the IS audit function .
IS audit leadership is responsible for the review of audit
work papers and final deliverables (e.g., audit reports). A
formal review process (detail review, engagement quality
review, QA, etc.) should be established for all audit types
based on risk and guidance from authoritative sources.
1.10.3 Audit Team Training and
Development
A formal development plan should be established for
all members of the IS audit function. This plan should
include applicable training programs and certifications
by role within the IS audit function. IS audit leadership
should ensure that a budget is created and supports the
needs of training and development for IS audit team
members.
CI SN Official Review Manual 23th Edition I Ch apter 1
1.10.4 Monitoring
Monitoring for compliance with applicable requirements
function maintains continuation of the audit process
within an organization. Examples of monitoring related
initiatives include:
• Audit QA-The results of audit QA procedures
should be periodically reviewed and summarized to
identify trends and lessons learned. Actionable items
identified dming audit QA should be remediated and
tracked in a formal manner.
• Independence monitoring-A process should be
established to allow IS auditors to self-repott potential
impairments of independence. This process can be
integrated into the greater audit function within the
organization. Leadership and IS auditors themselves
should periodically check to ensure that their
independence has not been impaired and report any
changes th.rough. the established reporting process.
• Certification and accreditations-Ownership of
applicable certification or accreditation held by an
IS audit function should be assigned to appropriate
members oflS audit leadership. These individuals
should ensure that compliance with certification
or accreditation bodies applicable to the IS audit
function is maintained.
• Continued professional education-Leadership
should ensure that a process is in place to
monitor the IS auditor 's compliance with continued
professional education or training requirements.
These requirements may be established by an internal
development plan or through external certifying
bodies.
© ISACA. All Rights Reserved. I 77
 CISA' Official Review Manual 23th Edition

Page intentionally left blank

78 I ©ISACA All Rights Reserved.


Case Study
Betatronics is a mid-sized manufacturer of electronic
goods with headquarters in the United States and
factories in Latin America. An IS auditor within the
enterprise has been asked to perform preliminary work
that will assess the organization's readiness for a
review to measme compliance with new US regulatory
requirements.
The requirements are designed to ensure that
management is taking an active role in setting up and
maintaining a well-controlled environment and to assess
management's review and testing of the general IT
controls. Areas to be assessed include:
• Logical and physical security
• Change management
• Production control and network management
• IT governance
• End-user computing
The IS auditor has been given six months to perform
preliminary work. In previous years, repeated problems
were identified in the areas of logical security and change
management. Logical security deficiencies included
the sharing of administrator accounts and failure to
enforce adequate controls over passwords. Change
management deficiencies included improper segregation
of incompatible duties and failure to document all
changes. Additionally, the process for deploying OS
updates to servers was found to be only partially
effective.
The chief information officer (CIO) requested direct
reports to develop narratives and process flows
describing major activities for which IT was responsible.
Those tasks were completed, approved by the various
process owners and the CIO, and then forwarded to the
IS auditor for examination. Following the completion
of the preliminary audit work, Betatronics decides to
plan audits for the next two years. After accepting the
appointment, the IS auditor notes that:
• The entity has an audit chatter that details the scope
and responsibilities of the IS audit function and
specifies the audit committee as the overseeing body
for audit activity.
• The entity is subject to regulatory compliance
requirements that require its management to certify
the effectiveness of the internal control system as it
relates to financial reporting.
• The entity has been recording consistent growth over
the last two years at double the industry average.
• The entity has seen increased employee turnover.
CISA° Official Review Manual 2gth Edition I Chapter 1
1. What should the IS auditor do FIRST?
A. Perform a survey audit of logical access controls.
B. Revise the audit plan to focus on risk-based
auditing.
C. Perform an IT risk assessment.
D. Begin testing controls that the IS auditor feels are
most critical.
2. When auditing the logical secmity, the IS auditor is
MOST concerned when observing:
A. the system administrator account is known by
everybody.
B. the passwords are not enforced to change
frequently.
C. the network administrator is given excessive
permissions.
D. the IT department does not have a written policy
on privilege management.
3. When testing program change management in this
case, how should the sample be selected?
A. Change management documents should be
selected at random and examined for
appropriateness.
B. Changes to production code should be
sampled and traced to appropriate authorizing
documentation.
C. Change management documents should be
selected based on system criticality and examined
for appropriateness.
D. Changes to production code should be sampled
and traced back to system-produced Jogs
indicating the date and time of the change.
4. List three general IT controls the IS auditor would use
for substantive testing when planning audits for the
next two years.
5. The FIRST priority of the IS auditor in year one
should be to study the:
A. Previous IS audit reports in order to plan the audit
schedule
B. Audit charter in order to plan the audit schedule
C. Impact of the increased employee turnover
D. Impact of the implementation of a new enterprise
resource plan on the IT environment
©ISACA. All Rights Reserved. I 79
 CISN Official Review Manual 23th Edition I Chapter 1

6. How should the IS auditor evaluate backup and batch

processing within computer operations?

A. Rely on the service auditor's repmt of the service

provider
B. Study the contract between the entity and the
service provider
C. Compare the service delivery repmt to the SLA
D. Plan and carry out an independent review of
computer operations

7. During the day-to-day work, the IS auditor advises

there is a risk that log review may not result in timely
detection of errors. This is an example of which of the
following?

A. Inherent risk
B. Residual risk
C. Control risk
D. Material risk

8. The IS auditor advised the CIO and team to

improve the general IT control environment, and
adapting COBIT was proposed for that purpose. What
recommendations should the IS auditor make when
considering this framework?

Answers on page 82

80 I ©ISACA. All Rights Reserved .

 ClSN Official Review Manual 23th Ed ition I Chapter 1

Page intentionally left blank

© lSACA. All Rights Reserved I 81

 CISA" Official Review Manual 281h Edition I Chapter 1
Chapter 1 Answer Key
Case Study
1. A. Performing a survey audit of logical access
controls would occur after an IT risk assessment.
B . Revising the audit plan to focus on risk-based
auditing would occur after an IT risk assessment.
C. An IT risk assessment should be performed
first to ascertain which areas present the
greatest risk and which controls mitigate that
risk. Although narratives and process flows
have been created, the organization has not yet
assessed which controls are critical.
D. Testing controls that the IS auditor feels are most
critical would occur after an IT risk assessment.
2. A. The system administrator account being known
by everybody is most dangerous. In that case,
any user could perform any action in the
system, including accessing files and making
permission and parameter adjustments.
B . Infrequent password changing would present a
concern but would not be as serious as everyone
knowing the system administrator account.
C. The network administrator being given excessive
permissions would present a concern, but it would
not be as serious as everyone knowing the system
administrator account.
D. The absence of a privilege management policy
would be a concern, but it would not be as serious
as everyone knowing the system administrator
account.
3. A. When a sample is chosen from a set of control
documents, there is no way to ensure that every
change is accompanied by appropriate control
documentation.
B. When testing a control, it is advisable to
trace from the item being controlled to
the relevant control documentation. When
a sample is chosen from a set of control
documents, there is no way to ensure that
every change is accompanied by appropriate
control documentation. Accordingly, changes to
production code provide the most appropriate
basis for selecting a sample.
C. When a sample is chosen from a set of control
documents, there is no way to ensure that eve1y
change is accompanied by appropriate control
documentation.
82 I ©ISACA. All Rights Reserved.
D. When testing a control, it is advisable to trace
from the item being controlled to the relevant
control documentation.
4. Some possible answers include:
• The IS auditor can check which account was
recently used for executing a particular system
administrator task.
• The IS auditor can check if there was a change
record for any selected system changes (e.g.,
server reboot and patching).
• The IS auditor can check the transactions to see if
they separated the incompatible duties.
5. A. Previous IS audit repmts will be revisited to save
redundant work and to use as references when
doing the IS audit work.
B. The audit charter defines the purpose,
authority and responsibility of the IS audit
activities. It also sets the foundation for
upcoming activities.
C. Impact of employee turnover would be
addressed when negotiating follow-up activities
for respective areas ifthere is any gap to close.
D. Impact of the implementation of a new ERP
would be addressed when negotiating the follow-
up activities for respective areas if there is any gap
to close.
6. A. The service auditor 's report cannot ensure the
discove1y of control inefficiencies.
B. Review of the contract cannot ensure the
discovery of control inefficiencies.
C. Comparing the service delive1y repo1t and
the service level agreement cannot ensure the
discovery of control inefficiencies.
D. IS audit should conduct an independent review
of the backup and batch processing. All other
choices cannot ensure the discovery of control
inefficiencies in the process.
7. A. This is not an example of inherent risk. Inherent
risk is the risk level or exposure without
considering the actions that management has taken
or might take (e.g., implementing controls).
B. This is not an example of residual risk. Residual
risk is the remaining risk after management has
implemented a risk response.
C. Control risk exists when a risk cannot be
prevented or detected on a timely basis by the
system of IS controls, which is described in this
instance.

D. This is not an example of material risk. Material
risk is any risk large enough to threaten the overall
success of the business in a material way.
8. Possible answer: The COBIT framework can be
leveraged and adapted. Each process can be
CISA° Official Revi ew Manual 2sth Edition I Chapter 1
classified as fully addressed, partially addressed and
not applicable by comparing the standard COBIT
framework to the organization's reality. Further
frameworks, standards and practices can be included
in each respective process, as COBIT guidance
suggests.
©ISACA. All Rights Reserved. I 83