CISA® Official Review Manual 28th Edition | Chapter 1

Chapter 1

Information System Auditing Process

Overview
Domain 1 Exam Content Outline ... 24
Learning Objectives/Task Statements ... 24
Suggested Resources for Further Study ... 24
Self-Assessment Questions ... 24
Chapter 1 Answer Key ... 28

Part A: Planning
1.1 IS Audit Standards, Guidelines, Functions and Codes of Ethics ... 31
1.2 Types of Audits, Assessments and Reviews ... 34
1.3 Risk-Based Audit Planning ... 38
1.4 Types of Controls and Considerations ... 43

Part B: Execution
1.5 Audit Project Management ... 53
1.6 Audit Testing and Sampling Methodology ... 60
1.7 Audit Evidence Collection Techniques ... 63
1.8 Audit Data Analytics ... 66
1.9 Reporting and Communication Techniques ... 73
1.10 Quality Assurance and Improvement of the Audit Process ... 77

Case Study
Case Study ... 79
Chapter 1 Answer Key ... 82

©ISACA. All Rights Reserved. | 23


Overview

The information systems (IS) auditing process encompasses the standards, principles, methods, guidelines, practices and techniques that an IS auditor uses to plan and execute audits of information systems supporting critical business processes.

An IS auditor must have a thorough understanding of this auditing process and of IS processes, business processes and controls designed to achieve organizational objectives.

This domain represents 18 percent of the CISA exam (approximately 27 questions).

Domain 1 Exam Content Outline

Part A: Planning
1. IS Audit Standards, Guidelines, Function and Codes of Ethics
2. Types of Audits, Assessments and Reviews
3. Risk-based Audit Planning
4. Types of Controls

Part B: Execution
1. Audit Project Management
2. Audit Testing and Sampling Methodology
3. Audit Evidence Collection Techniques
4. Audit Data Analytics (including audit algorithms)
5. Reporting and Communication Techniques
6. Quality Assurance and Improvement of Audit Process

Learning Objectives/Task Statements

Within this domain, the IS auditor should be able to:
• Plan an audit to determine whether information systems are protected, controlled and provide value to the organization.
• Conduct audits in accordance with IS audit standards and a risk-based IS audit strategy.
• Apply project management methodologies to the audit process.
• Communicate and collect feedback on audit progress, findings, results and recommendations with stakeholders.
• Conduct post-audit follow up to evaluate whether identified risk has been sufficiently addressed.
• Utilize data analytics tools to enhance audit processes.
• Evaluate the role and/or impact of automatization and/or decision-making systems for an organization.
• Evaluate audit processes as part of quality assurance and improvement programs.
• Evaluate the organization's enterprise risk management (ERM) program.
• Evaluate the readiness of information systems for implementation and migration into production.
• Evaluate potential opportunities and risks associated with emerging technologies, regulations and industry practices.

Suggested Resources for Further Study

ISACA Audit Programs and Tools, https://www.isaca.org/resources/insights-and-expertise/audit-programs-and-tools

ISACA Frameworks, Standards and Models, https://www.isaca.org/resources/frameworks-standards-and-models

ISACA, IT Audit Framework (ITAF™): A Professional Practices Framework for IT Audit, 4th Edition, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko91EAC

ISACA IT Audit, https://www.isaca.org/resources/it-audit

ISACA White Papers, https://www.isaca.org/resources/insights-and-expertise/white-papers

Self-Assessment Questions

CISA self-assessment questions support the content in this manual and provide an understanding of the type and structure of questions that typically appear on the exam. Often a question will require the candidate to choose the MOST likely or BEST answer among the options provided. Please note that these questions are not actual or retired exam items. Please see section About This Manual for more guidance regarding practice questions.

1. Which of the following outlines the overall authority to perform an information systems (IS) audit?

A. The audit scope with goals and objectives
B. A request from management to perform an audit
C. The approved audit charter
D. The approved audit schedule


2. Which of the following is the key benefit of a control self-assessment (CSA)?

A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved because internal business staff are engaged in testing controls.
D. Internal auditors can use the results of the assessment to shift to a consultative approach.

3. Which of the following would an information systems (IS) auditor MOST likely focus on when developing a risk-based audit program?

A. Business processes
B. Administrative controls
C. Environmental controls
D. Business strategies

4. Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?

A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

5. An information systems (IS) auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. In this situation, an IS auditor should:

A. disregard these control weaknesses because a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include a statement in the report that the audit was limited to a review of the application's controls.
D. review the relevant system software controls and recommend a detailed system software review.

6. Which of the following is the MOST important reason for reviewing an audit planning process at periodic intervals?

A. To plan for deployment of available audit resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit charter
D. To identify the applicable IS audit standards

7. Which of the following is a KEY benefit of a control self-assessment (CSA)?

A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved because internal business staff are engaged in testing controls.
D. Internal auditors can use the results of the assessment to shift to a consultative approach.

8. Which of the following is the MOST critical step when planning an information systems (IS) audit?

A. Review of prior audit findings
B. Executive management's approval of the audit plan
C. Review of information security policies and procedures
D. Performance of a risk assessment

9. The approach an information systems (IS) auditor should use to plan IS audit coverage should be based on:

A. risk.
B. materiality.
C. fraud monitoring.
D. sufficiency of audit evidence.


10. An organization performs a daily backup of critical data and software files and stores backup media at an offsite location. The backup media are used to restore the files in case of a disruption. This is an example of a:

A. preventive control.
B. management control.
C. corrective control.
D. detective control.

Answers on page 28


Chapter 1 Answer Key

Self-Assessment Questions

1. A. The audit scope is specific to a single audit and does not grant authority to perform an audit.
B. A request from management to perform an audit is not sufficient because it relates to a specific audit.
C. The approved audit charter outlines the auditor's responsibility, authority and accountability.
D. The approved audit schedule does not grant authority to perform an audit.

2. A. The objective of control self-assessment (CSA) is to have business managers become more aware of the importance of internal control and their responsibility in terms of corporate governance.
B. Reducing audit expenses is not a key benefit of CSA.
C. Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA.
D. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

3. A. A risk-based audit approach focuses on understanding the nature of the business and being able to identify and categorize risk. Business risk impacts the long-term viability of a specific business. Thus, an information systems (IS) auditor using a risk-based audit approach must be able to understand business processes.
B. Administrative controls, while an important subset of controls, are not the primary focus needed to understand the business processes within the scope of an audit.
C. Like administrative controls, environmental controls are an important control subset; however, they do not address high-level overarching business processes under review.
D. Business strategies are the drivers for business processes; however, in this case, an IS auditor is focusing on the business processes that were put in place to enable the organization to implement its strategies.

4. A. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls.
B. Detection risk is the risk that a material misstatement with a management assertion will not be detected by an audit and assurance professional's substantive tests. It consists of two components: sampling risk and non-sampling risk.
C. Inherent risk is the risk level or exposure assessed without considering the actions that management has taken or might take.
D. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken. Non-sampling risk is detection risk that is unrelated to sampling; it can be due to a variety of reasons, including human error.

5. A. An information systems (IS) auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review.
B. The conduct of a detailed systems software review may hamper the audit's schedule, and an IS auditor may not be technically competent to do such a review at the time of the audit.
C. If there are control weaknesses that have been discovered by an IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived.
D. The appropriate option would be to review the relevant systems software and recommend a detailed systems software review for which additional resources may be recommended.

6. A. Deployment of available audit resources is determined by the audit assignments, which are influenced by the planning process.
B. Short- and long-term issues that drive audit planning can be heavily impacted by changes to the risk environment, technologies and business processes of the enterprise.
C. The audit charter reflects the mandate of top management to the audit function and resides at a more abstract level.
D. Applicability of information systems (IS) audit standards, guidelines and procedures is universal to any audit engagement and is not influenced by short- and long-term issues.


7. A. The objective of control self-assessment (CSA) is to have business managers become more aware of the importance of internal control and their responsibility in terms of corporate governance.
B. Reducing audit expenses is not a key benefit of CSA.
C. Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA.
D. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

8. A. The findings of a previous audit are of interest to the auditor, but they are not the most critical step. The most critical step involves finding the current issues or high-risk areas, not reviewing the resolution of older issues. A review of historical audit findings could indicate that management is not resolving the risk items identified or that the recommendations were ineffective.
B. Executive management is not required to approve the audit plan. It is typically approved by the audit committee or board of directors. Management could recommend areas to audit.
C. Reviewing information security policies and procedures is normally conducted during fieldwork, not planning.
D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard 1201 (Risk Assessment in Planning), statement 1201.2: "IT audit and assurance practitioners shall identify and assess risk relevant to the area under review when planning individual engagements." In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation.

9. A. Audit planning requires a risk-based approach.
B. Materiality pertains to potential weaknesses or absences of controls while planning a specific engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
C. Fraud monitoring pertains to the identification of fraud-related transactions and patterns and may play a part in audit planning but only as it pertains to organizational risk.
D. Sufficiency of audit evidence pertains to the evaluation of the sufficiency of evidence obtained to support conclusions and achieve specific engagement objectives.

10. A. Preventive controls are those that avert problems before they arise. Backup media cannot be used to prevent damage to files and, therefore, cannot be classified as preventive controls.
B. Management controls modify processing systems to minimize repeat occurrences of the problem. Backup media do not modify processing systems and, therefore, do not fit the definition of management controls.
C. A corrective control helps to correct or minimize the impact of a problem. Backup media can be used for restoring the files in case of damage to the files, thereby reducing the impact of a disruption.
D. Detective controls help to detect and report problems as they occur. Backup media do not aid in detecting errors.


Part A: Planning

Audits are conducted for a variety of reasons. An audit can help an organization ensure effective operations, affirm its compliance with various regulations and confirm that the business is functioning well and is prepared to meet potential challenges. An audit can also help to gain assurance on the level of protection available for information assets. Most significantly, an audit can assure stakeholders of the financial, operational and ethical well-being of the organization. IS audits support all those outcomes, with a special focus on the information and related systems upon which most businesses and public institutions depend for competitive advantage.

IS audit is the formal examination and/or testing of information systems to determine whether:
• Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
• Information systems and related processes comply with governance criteria and related and relevant policies and procedures.
• Confidentiality, integrity and availability of IS data meet appropriate levels based on measurable metrics.
• IS operations are being accomplished efficiently and effectiveness targets are being met.

During the audit process, an IS auditor reviews the control framework, gathers evidence, evaluates the strengths and weaknesses of internal controls based on the evidence and prepares an audit report that presents findings and recommendations for remediation to stakeholders in an objective manner.

In general terms, the typical audit process consists of three major phases (figure 1.1):
• Planning
• Fieldwork/documentation
• Reporting/follow-up

Figure 1.1 - Typical Audit Process Phases
[Figure: a cycle of the three phases Planning, Fieldwork/Documentation and Reporting/Follow-up]
Source: ISACA, Information Systems Auditing: Tools and Techniques - Creating Audit Programs, USA, 2016

These main phases can be further broken down into subphases; for example, the reporting phase can be broken down into report writing and issuance, issue follow-up and audit closing. The organization and naming conventions of these phases can be customized as long as the procedures and outcomes comply with applicable audit standards such as an IT Assurance Framework (ITAF).

Note
Information systems are defined as the combination of strategic, managerial and operational activities and related processes involved in gathering, processing, storing, distributing and using information and its related technologies. Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the people and process components. IT is defined as the hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form. The terms "IS" and "IT" will be used according to these definitions throughout this manual.

1.1 IS Audit Standards, Guidelines, Functions and Codes of Ethics

The credibility of any IS audit activity is largely determined by its adherence to commonly accepted standards. The fundamental elements of IS audit are defined and provided within ISACA's IS audit and assurance standards and guidelines. ISACA's code of professional ethics guides the professional and personal conduct of ISACA members and certification holders.

1.1.1 ISACA IS Audit and Assurance Standards

ISACA IS Audit and Assurance Standards define mandatory requirements for IS auditing and reporting and inform a variety of audiences of critical information, such as:
• For IS auditors, the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• For management and other interested parties, the profession's expectations concerning the work of practitioners
• For holders of the CISA designation, their professional performance requirements

The framework for the ISACA IS Audit and Assurance Standards provides for multiple levels of documents:
• Standards define mandatory requirements for IS audit and assurance and reporting.


• Guidelines provide guidance in applying IS audit and assurance standards. The IS auditor should consider guidelines in determining how to achieve implementation of standards, use professional judgment in their application and be prepared to justify any departures.
• Tools and techniques provide examples of processes an IS auditor might follow in an audit engagement. The tools and techniques documents provide information on how to meet standards when completing IS auditing work, but they do not set requirements.

ISACA IS Audit and Assurance Standards are divided into general, performance and reporting categories:
• General - Provide the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with an IS auditor's ethics, independence, objectivity, due care, knowledge, competency and skill.
• Performance - Deal with the conduct of the assignment, such as planning and supervision; scoping; risk and materiality; resource mobilization; supervision and assignment management; audit and assurance evidence and the exercising of professional judgment and due care
• Reporting - Address the types of reports, means of communication and the information communicated

1.1.2 ISACA IS Audit and Assurance Guidelines

ISACA IS Audit and Assurance Guidelines provide guidance and information on how to comply with the ISACA IS Audit and Assurance Standards. An IS auditor should:
• Consider the guidelines in determining how to implement ISACA Audit and Assurance Standards
• Use professional judgment in applying them to specific audits
• Be able to justify any departure from the ISACA Audit and Assurance Standards

Note
The CISA candidate is not expected to know specific ISACA standard and guidance numbering or memorize any specific ISACA IS audit and assurance standard or guideline. However, the exam will test a CISA candidate's ability to apply these standards and guidelines within the audit process.

1.1.3 ISACA Code of Professional Ethics

ISACA's Code of Professional Ethics guides the professional and personal conduct of ISACA members and certification holders.

ISACA members and certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.

Note
A CISA candidate is not expected to memorize the ISACA Code of Professional Ethics.1 The exam will test a candidate's understanding and application of the code.

1 ISACA, "Code of Professional Ethics," https://www.isaca.org/credentialing/code-of-professional-ethics


1.1.4 ITAF™

ITAF is a comprehensive and best practice-setting reference model that:
• Establishes standards that address IS auditor roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements
• Defines terms and concepts specific to IS assurance
• Provides guidance and tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments

Note
A CISA candidate will not be tested on the organization or arrangement of the ITAF framework. However, the application of audit and assurance standards is tested.

1.1.5 IS Internal Audit Function

The role of the IS internal audit function should be established by an audit charter approved by the board of directors and the audit committee (or by senior management if these entities do not exist). Professionals should have a clear mandate to perform the IS audit function, which may be expressed in the audit charter.

Audit Charter

IS audit can be a part of internal audit, or function as an independent group or be integrated within a financial and operational audit to provide IT-related control assurance to the financial or management auditors. Therefore, the audit charter may include IS audit as an audit support function. Additionally, the audit charter should include the IS audit function's role with consulting-related services that it may perform.

The charter should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function. The highest level of management and the audit committee, if one exists, should approve the charter. Once established, the charter should be changed only if the change is thoroughly justified.

The responsibility, authority and accountability of the IS audit function should be appropriately documented in an audit charter or engagement letter. An audit charter is an overarching document that covers the entire scope of audit activities in an entity while an engagement letter is more focused on a particular audit exercise to be initiated in an organization with a specific objective in mind. If IS audit services are provided by an external firm, the scope and objectives of the services should be documented in a formal contract or statement of work between the contracting organization and the service provider. In either case, the internal audit function should be independent and report to an audit committee, if one exists, or to the highest management level, such as the board of directors.

Note
For additional guidance, see standard 1001 Audit Charter and guideline 2001 Audit Charter.

Management of the IS Audit Function

The IS audit function should be managed and led in a manner that ensures that the diverse tasks performed by the audit team will fulfill audit function objectives, while preserving audit independence and competence. Furthermore, managing the IS audit function should ensure value-added contributions to senior management in the efficient management of IT and achievement of business objectives.

Note
For additional guidance, see standards 1002 Organizational Independence, 1003 Auditor Objectivity, 1004 Reasonable Expectation and 1005 Due Professional Care. Also see the related guidelines: 2002, 2003, 2004 and 2005.

IS Audit Resource Management

IS technology is constantly changing. Therefore, it is important that IS auditors maintain their competency through updates of existing skills and obtain training directed toward new audit techniques and technological areas. An IS auditor must have the technical skills and knowledge necessary to perform audit work. Further, an IS auditor must maintain technical competence through appropriate continuing professional education. Skills and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.

Preferably, a detailed staff training plan should be drawn up for the year based on the organization's direction in terms of technology and related risk that needs to be addressed. The plan should be reviewed periodically to ensure that training efforts and results are aligned with the direction the audit organization is taking. Additionally, IS audit management should provide the necessary IT resources to properly perform IS audits of a highly specialized nature (e.g., tools, methodology, work programs).

Note
For additional guidance, see standard 1006 Proficiency and guideline 2006 Proficiency.

Using the Services of Other Auditors and Experts

Due to the scarcity of IS auditors and the need for IT security specialists and other subject matter experts to conduct audits of highly specialized areas, the audit department or auditors entrusted with providing assurance may require the services of other auditors or experts. Outsourcing of IS assurance and security services is increasingly becoming a common practice.

Note
The IS auditor should be familiar with ISACA Audit and Assurance Standard 1204 Performance and Supervision and the IS Audit and Assurance Guideline 2206 Using the Work of Other Experts, which focus on the rights of access to the work of other experts.

External experts could include experts in technologies such as networking, systems integration and digital forensics, or subject matter experts who specialize in a particular industry or area such as banking, securities trading, insurance, privacy or the law.

When there is a proposal to outsource a part or all of IS audit services to other auditors and experts or external service providers, the IS auditor should consider:
• Restrictions on outsourcing of audit/security services provided by laws and regulations
• Access to systems, premises and records
• Confidentiality restrictions to protect customer-related information
• Use of computer-assisted auditing techniques (CAATs) and other tools to be used by the external audit service provider
• Standards and methodologies for performance of work and documentation
• Nondisclosure agreements

The IS auditor or entity outsourcing the auditing services should monitor the relationship to ensure objectivity and independence throughout its duration. It is important to understand that although a part or the whole of the audit work may be delegated to an external service provider, the related professional liability is not necessarily delegated. Therefore, it is the responsibility of the IS auditor or entity employing the services of external service providers to:
• Clearly communicate the audit objectives, scope and methodology through a formal engagement letter
• Establish a monitoring process for regular review of the work of the external service provider with regard to planning, supervision, review and documentation. For example, the work papers of other IS auditors or experts should be reviewed to confirm the work was appropriately planned, supervised, documented and reviewed and to consider the appropriateness and sufficiency of the audit evidence provided. Likewise, the reports of other IS auditors or experts should be reviewed to confirm the scope specified in the audit charter, terms of reference or letter of engagement has been observed, the reports were performed within the defined auditable period, any significant assumptions used by other IS auditors or experts have been identified and the findings and conclusions reported
• Audit chatter or contractual stipulations have management approval.
• Impact on overall and specific IS audit objectives • Assess the usefulness and appropriateness of such
• Impact on IS audit risk and professional liability external providers' reports and assess the impact of
• Independence and objectivity of other auditors and significant findings on the overall audit objectives
experts
• Professional competence, qualifications and 1.2 Types of Audits, Assessments and
experience
Reviews
• Scope and approach of work to be outsourced
• Supervisory and audit management controls An IS auditor should understand the various types of
• Method and modalities of communication of results audits, assessments and reviews that can be performed
of audit work along with the basic associated audit procedures, which
• Compliance with legal and regulatory stipulations may be carried out by internal or external groups.
• Compliance with applicable professional standards
An audit includes formal inspection and verification
Based on the nature of assignment, the IS auditor may to check whether standards or guidelines are being
also need to consider: followed, records are accurate, or efficiency and
• Testimonials/references and background checks effectiveness targets are met. Formal audits provide a

34 I ©ISACA. All Rights Reserved.


CISN Official Review Manual z gth Edition I Chapter 1

higher level of assurance than broader assessments and • Administrative audit-An administrative audit is
reviews. In general, assessments and reviews may be designed to assess issues related to the efficiency of
perceived with less negative stigma than audits and operational productivity within an organization.
may focus on opportunities for reducing the costs of • Specialized audit-Many different types of
poor quality, employee perceptions on quality aspects, specialized audits are conducted. Within the category
proposals to senior management on policy, goals, etc. of IS audit, specialized reviews may examine areas
such as fraud or services performed by third parties.
Some examples of audits, assessment and reviews • Third-party service audit-A third-patty service
include: audit addresses the audit of outsourced
• IS audit-An IS audit is designed to collect financial and business processes to third-party
and evaluate evidence to determine whether an service providers that may operate in different
information system and related resources are jurisdictions. A third-party service audit issues an
adequately safeguarded and protected; maintain data opinion on a service organization's description of
and system integrity and availability; provide relevant controls through a service auditor's report, which
and reliable information; achieve organizational goals then can be used by the IS auditor of the entity that
effectively; consume resources efficiently; and have, engages the service organization.
in effect, internal controls that provide reasonable • Fraud audit-A fraud audit is a specialized
assurance not only that business, operational and audit designed to discover fraudulent activity.
control objectives will be met but also that undesired Auditors often use specific tools and data analysis
events will be prevented or detected and corrected in techniques to discover fraud schemes and business
a timely manner. irregularities.
• Compliance audit-A compliance audit includes • Forensic audit-A forensic audit is a specialized
tests of controls to demonstrate adherence to specific audit to discover, disclose and follow up on fraud
regulations or industry-specific standards or practices. and crime. The primary purpose of such an audit
These audits often overlap other types of audits but is the development of evidence for review by law
may focus on patticular systems or data. enforcement and judicial authorities.
• Financial audit-A financial audit assesses the • Computer forensic audit- A computer forensic
accuracy of financial repmting. A financial audit will audit is an investigation that includes the analysis of
often involve detailed, substantive testing, although IS electronic computing devices with the intent to gather
auditors are increasingly placing more emphasis on a and preserve evidence. An IS auditor possessing the
risk- and control-based audit approach. A financial necessary skills can assist an information security
audit relates to financial information integrity and manager or forensic specialist in performing forensic
reliability. investigations and can conduct an audit of the system
• Operational audit-An operational audit is designed to ensure compliance with the evidence collection
to evaluate the internal control structure in a given procedures for forensic investigation.
process or area. IS audits of application controls or • Functional audit-A functional audit provides
logical security systems are examples of operational an independent evaluation of software products,
audits. verifying that its configuration items' actual
• Integrated audit-There are different types of functionality and performance are consistent with the
integrated audits, but typically an integrated audit requirement specifications. Specifically, a functional
combines financial and operational audit steps and audit is conducted either prior to softwai·e delivery or
may or may not include the use of an IS auditor. after implementation.
An integrated audit is performed to assess the overall • Readiness assessment-A readiness assessment is
objectives within an organization, related to financial a review of an organization's current state of
information and to safeguarding assets, maximizing compliance or adherence to documented standards.
efficiency and ensuring compliance. An integrated Readiness assessments generally focus on control
audit can be performed by external or internal design as opposed to operating effectiveness and
auditors and includes compliance tests of internal result in actionable items for an organization to
controls and substantive audit steps. See section 1:10 remediate prior to a formal audit.
Quality Assurance and Improvement of the Audit
Process for more information.

©ISACA. All Rights Reserved. I 35


CISA° Official Review Manual 2gth Edition I Chapter 1

1.2.1 Control Self-Assessment control design and monitoring, pa1ticularly concentrating


on areas of high risk.
Control self-assessment (CSA) is an assessment of
controls made by the staff and management of the unit When employing a CSA program, measures of
or units involved. It is a management technique that success for each phase (planning, implementation and
assures stakeholders, customers and other patties that the monitoring) should be developed to determine the value
internal control system of the organization is reliable. derived from CSA and its future use. One critical
It also ensures that employees are aware of the risk to success factor (CSF) is a meeting with the business unit
the business and conduct periodic, proactive reviews of representatives (including appropriate and relevant staff
controls. It is a methodology used to review key business and management) to identify the business unit's primary
objectives; to assess risk involved in achieving the objective and to determine the reliability of the internal
business objectives; and to ensure that internal controls control system. Actions that increase the likelihood of
are designed to manage business risk through a formal, achieving the primary objective should be identified.
documented and collaborative process.
Benefits of CSA
An IS auditor acts in the role of facilitator to help
Some of the benefits of CSA include:
business process owners define and assess appropriate
• Early detection of risk
controls and to help them understand the need for
• More effective and improved internal controls
controls, based on risk to the business processes. The
• Creation of cohesive teams through employee
process owners and the personnel who run the processes
involvement
use their knowledge and understanding of the business
• Development of a sense of control ownership among
function to evaluate the performance of controls against
employees and process owners and reduction of their
the established control objectives, while considering the
resistance to control improvement initiatives
risk appetite of the organization. Process owners are in an
• Increased employee awareness of organizational
ideal position to define the appropriate controls because
objectives
they are knowledgeable about the process objectives.
• Increased employee knowledge of risk and internal
A CSA program can be implemented through methods controls
such as questionnaires and surveys, facilitated workshops • Increased communication between operational and
and informal peer reviews. For small business top management
units within organizations, a CSA program can be • Increased motivation for employees
implemented through facilitated workshops in which • Improved audit rating process
functional management and IS auditors come together • Reduction in control cost
and deliberate how best to evolve a control structure for • Assurance provided to stakeholders and customers
the business unit. In a workshop, the role of a facilitator • Necessaiy assurance given to top management
is to support the decision-making process. The facilitator about the adequacy of internal controls relative to
creates a supportive environment to help participants regulations and laws
explore their own experiences and those of others;
identify control strengths and weaknesses; and share Disadvantages of CSA
their knowledge, ideas and concerns. If appropriate, the CSA contains some disadvantages, including:
facilitator may also offer their own expertise in addition • It could be mistaken as an audit function replacement.
to facilitating the exchange of ideas and experience. • It may be regarded as an additional workload (e.g.,
one more rep01t to be submitted to management).
Objectives of CSA
• Failure to act on improvement suggestions could
The primary objective of a CSA program is to leverage damage employee morale.
the internal audit function by shifting some of the • Lack of audit knowledge may limit effectiveness in
control monitoring responsibilities to the functional the detection of weak controls.
areas. It is not intended to replace audit's responsibilities
but to enhance them. Auditees such as line managers The IS Auditor's Role in CSA
are responsible for controls in their environment; the When CSA programs are established, auditors become
managers should be responsible for monitoring the internal control professionals and assessment facilitators.
controls. CSA programs must educate management about Their value in these roles is evident when management
takes ownership and responsibility for internal

36 I ©ISACA. All Rights Reserved.


CISA" Official Review Manual 23th Edition I Chapter 1

control systems under its authority through process The integrated audit process typically involves:
improvements in control structures, including an active • Identification of risk faced by the organization for the
monitoring component. area being audited
• Identification of relevant key controls
To be effective in this facilitative and innovative role,
• Review and understanding of the design of key
the IS auditor must understand the business process
controls
being assessed. It is important to remember that in
• Testing IT system support for key controls
the CSA process, IS auditors arn the facilitators and
• Testing operational effectiveness of management
the management client is the participant. For example,
controls
during a CSA workshop, instead of performing detailed
• A combined report or opinion on control risk, design
audit procedures, the IS auditor will lead and guide the
and weaknesses
auditees in assessing their environment by providing
insight into the objectives of controls based on risk An integrated audit demands a focus on business risk
assessment. The managers, with a focus on improving the and a drive for creative control solutions. It is a team
productivity of the process, might suggest replacement effort of audit and assurance professionals with different
of preventive controls. In this case, the IS auditor is skill sets. Using this approach permits a single audit of
better positioned to explain the risk associated with such an entity with one comprehensive report. An additional
changes. benefit is that this approach assists in staff development
and retention by providing variety and the ability to see
To provide higher-quality audits and make use of internal
how all the elements (functional and IT) mesh to form
and/or external audits or subject matter expertise, an
the complete picture. See figure 1.2 for an integrated
integrated audit approach is used to perform risk-based
auditing approach.
assessments of internal controls over an operation,
process or entity. Figure 1.2- An Integrated Audit

1.2.2 Integrated Auditing


The dependence of business processes on IT requires
that all auditors develop an understanding ofIT control
structures. In addition, IS auditors must develop an
understanding of the business control structures. This
type of integrated auditing can be defined as the process
whereby appropriate audit disciplines are combined to
assess key internal controls over an operation, process
or entity with a focus on risk. A risk assessment aims
to understand and identify risk arising from the entity
and its environment, including relevant internal controls.
At this stage, the role of an IS auditor is typically IS Audit
to understand and identify risk under topical areas
such as information management, IT infrastructure, IT
governance and IT operations. Other audit and assurance
specialists will seek to understand the organizational
environment, business risk and business controls. A key
element of the integrated approach is a discussion among The integrated audit concept has radically changed
the whole audit team of emerging risk, with consideration the way audits are accepted and valued by different
of impact and likelihood. stakeholders. For example:
• Employees or process owners better understand the
Detailed audit work focuses on the relevant controls in
objectives of an audit because they can see the
place to manage risk. IT systems frequently provide a
linkage between controls and audit procedures.
first line of preventive and detective controls, and the
• Top management better understands the linkage
integrated audit approach depends on a sound assessment
between increased control effectiveness and
of their efficiency and effectiveness.
corresponding improvements in the allocation and
utilization of IT resources.

©ISACA All Rights Reserved. I 37


CISA° Official Review Manual 28th Edition I Chapter 1

• Shareholders better understand the linkage between be defined to determine the overall risk for each of the
the push for a greater degree of corporate governance processes.
and its impact on the generation of financial
The audit plan can then be constructed to include all
statements that can be relied on.
of the processes that are rated "high," which would
All these developments have contributed to the growing represent the ideal annual audit plan. However, in
popularity of integrated audits. practice, often the available resources are not sufficient
to execute the entire ideal plan. This analysis will help
1.3 Risk-Based Audit Planning the audit function demonstrate the gap in resourcing and
give top management a good idea of the amount ofrisk
Audit planning is conducted at the beginning of the audit that it is accepting if it does not add to or augment the
process to establish the overall audit strategy and detail existing audit resomces.
the specific procedures to be carried out to implement
the strategy and complete the audit. It includes both Analysis of short- and long-term issues should occur at
short- and long-term planning. Short-term planning least annually. This frequency is necessary to consider
considers audit issues that will be covered during new control issues, enhanced evaluation techniques,
the year, whereas long-term planning considers risk- and changes in the risk environment, technologies and
related issues regarding changes in the organization's IT business processes. The results of this analysis should
strategic direction that will affect the organization's IT be reviewed by senior audit management and approved
environment. by the audit committee, if available, or alternatively by
the board of directors, and communicated to relevant
All of the relevant processes that represent the blueprint levels of management. The annual planning should be
of the enterprise's business should be included in the updated if any key aspects of the risk environment have
audit universe. The audit universe ideally lists all the changed (e.g., acquisitions, new regulatory issues, market
processes that may be considered for audit. Each process conditions).
may undergo a qualitative or quantitative risk assessment
ca11'ied out by evaluating the risk in the context of Note
defined, relevant risk factors. The risk factors are those
that influence the frequency and/or business impact For additional guidance, see standards 1007 Assertions
ofrisk scenarios. For example, for a retail business, and 1008 Criteria and related guidelines 2007 and
reputation can be a critical risk factor. The evaluation of 2008.
risk should ideally be based on inputs from the business
process owners. Evaluation of the risk factors should be 1.3.1 Individual Audit Assignments
based on objective criteria, although subjectivity cannot
be completely avoided. For example, with respect to the In addition to overall annual planning, each individual
reputation factor, the criteria (based on which inputs can audit assignment must be adequately planned. An
be solicited from the business) may be rated as: IS auditor should understand that other considerations
• High-A process issue may result in reputational -such as the results of periodic risk assessments,
damage that will take the organization more than six changes in the application of technology and evolving
months to recover. privacy issues and regulatory requirements-may impact
• Medium- A process issue may result in reputational the overall approach to the audit. An IS auditor
damage that will take the organization less than six should take into consideration system implementation/
months but more than three months to recover. upgrade deadlines, cmTent and future technologies,
• Low-A process issue may result in reputational requirements from business process owners and IS
damage that will take the organization less than three resource limitations.
months to recover. When planning an audit, an IS auditor must understand
In this example, the defined time frame represents the the overall environment under review. This should
objective aspect of the criteria, and the subjective aspect include gaining a general understanding of the various
of the criteria can be found in the business process business practices and functions relating to the audit
owners ' determination of the time frame-whether it is subject, as well as the types of information systems
more than six months or less than three months. After the and technology supporting the activity. For example,
risk is evaluated for each relevant factor, a criterion may an IS auditor should be familiar with the regulatory
environment in which the business operates.

38 I © ISACA. All Rights Reserved .
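The audit-universe approach described in section 1.3 (rate each process on risk factors using criteria such as the reputation recovery time frames, derive an overall rating, take the "high" processes as the ideal annual plan and show the resourcing gap management accepts) together with the weighted scoring system of section 1.3.5, as one added Python example that is not from the manual or from ISACA. The factor names other than reputation, the weights, the overall-rating thresholds, the sample processes and the hour figures are constructed assumptions.

```python
"""Audit-universe risk scoring for annual audit planning (added example)."""
from dataclasses import dataclass

# Factor ratings on the manual's high/medium/low scale, mapped to 1..3.
LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3}

# Factors where a HIGHER level means LESS risk (strong controls in place);
# their scores are flipped so that 3 always means "more risk".
INVERSE_FACTORS = {"controls_in_place"}


def rate_reputation(months_to_recover: float) -> str:
    """Objective criterion from the manual's reputation example.

    More than six months to recover -> high; more than three but not more
    than six -> medium; otherwise low. (The manual leaves the exact boundary
    values open; putting them in the lower band is this example's assumption.)
    """
    if months_to_recover > 6:
        return "high"
    if months_to_recover > 3:
        return "medium"
    return "low"


@dataclass
class AuditSubject:
    """One process from the audit universe with its factor ratings."""
    name: str
    ratings: dict   # factor name -> "low" | "medium" | "high"
    hours: int      # constructed estimate of audit effort


def factor_score(factor: str, level: str) -> int:
    """1..3 score for one factor; inverse factors are flipped (4 - score)."""
    score = LEVEL_SCORE[level]
    return 4 - score if factor in INVERSE_FACTORS else score


def weighted_score(ratings: dict, weights: dict) -> float:
    """Weighted mean of the factor scores; a factor without a weight counts 1."""
    total_weight = sum(weights.get(f, 1.0) for f in ratings)
    return sum(factor_score(f, lvl) * weights.get(f, 1.0)
               for f, lvl in ratings.items()) / total_weight


def overall_rating(score: float) -> str:
    """Overall criterion per process (constructed thresholds)."""
    if score >= 2.5:
        return "high"
    if score >= 1.75:
        return "medium"
    return "low"


def build_annual_plan(subjects, weights, available_hours):
    """Rank the universe, take every 'high' process as the ideal plan and fit
    it into the available hours in descending risk order. 'High' processes
    that do not fit are the risk management accepts unless it augments the
    audit resources; their hours are the resourcing gap to report."""
    ranked = sorted(((weighted_score(s.ratings, weights), s) for s in subjects),
                    key=lambda pair: pair[0], reverse=True)
    ideal = [s for score, s in ranked if overall_rating(score) == "high"]
    planned, deferred, remaining = [], [], available_hours
    for s in ideal:
        if s.hours <= remaining:
            planned.append(s)
            remaining -= s.hours
        else:
            deferred.append(s)
    return {
        "ranking": [(s.name, round(score, 2), overall_rating(score))
                    for score, s in ranked],
        "ideal_plan": [s.name for s in ideal],
        "planned": [s.name for s in planned],
        "accepted_risk": [s.name for s in deferred],
        "resource_gap_hours": sum(s.hours for s in deferred),
    }


# Constructed weights: reputation and financial loss count double.
WEIGHTS = {"reputation": 2.0, "financial_loss": 2.0,
           "technical_complexity": 1.0, "controls_in_place": 1.0}


def sample_universe():
    """Constructed audit universe; reputation is rated from recovery months."""
    def subject(name, months, loss, complexity, controls, hours):
        return AuditSubject(name, {"reputation": rate_reputation(months),
                                   "financial_loss": loss,
                                   "technical_complexity": complexity,
                                   "controls_in_place": controls}, hours)
    return [
        subject("Online payment processing", 9, "high", "high", "medium", 400),
        subject("HR payroll", 4, "high", "low", "high", 200),
        subject("Customer data platform", 8, "medium", "high", "low", 300),
        subject("Intranet wiki", 1, "low", "low", "medium", 80),
        subject("Data center physical access", 7, "medium", "medium", "low", 150),
    ]


if __name__ == "__main__":
    plan = build_annual_plan(sample_universe(), WEIGHTS, available_hours=600)
    for row in plan["ranking"]:
        print(row)
    print("ideal plan:", plan["ideal_plan"])
    print("planned:", plan["planned"])
    print("accepted risk:", plan["accepted_risk"],
          "gap hours:", plan["resource_gap_hours"])
```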


CI SA° Official Review Manual zgth Edition I Chapter 1

To perfmm audit planning, an IS auditor should perform assurance. The content of these legal regulations pertains
the steps indicated in figure 1.3. to:
• Establishment of regulatory requirements
Note • Responsibilities assigned to corresponding entities
• Financial, operational and IS audit functions
For additional guidance, see standard 1201 Risk
Assessment in Planning and guideline 2201 Risk Management at all levels should be aware of the external
Assessment in Planning. requirements relevant to the goals and plans of the
organization and to the responsibilities and activities of
the information services department/function/activity.

Figure 1.3---Steps to Pe1form Audit Planning


There are two major areas of concern:
1. Legal requirements (i.e., laws, regulations and
contractual agreements) applicable to audit or IS audit
• Gain an understanding of the organization's mission,
2. Legal requirements placed on the auditee regarding its
objectives, purpose and processes, which include
information and processing requirements such as systems, data management, reporting, etc.
availability, integrity, security and business technology
These areas impact the audit scope and audit objectives,
and information confidentiality.
which are important to internal and external audit
• Gain an understanding of the organization's governance
structure and practices related to the audit objectives. and assurance professionals. Legal issues related to
• Understand changes in the business environment of the
ergonomic regulations may also impact the organization's
auditee. business operations.
• Review prior work papers. An IS auditor would perform the following steps to
• Identify stated contents such as policies, standards determine an organization's level of compliance with
and required guidelines, procedures and organization
external requirements :
structure.
• Identify government or other relevant external
• Perform a risk ana lysis to help in designing the aud it
plan. requirements dealing with:
• Electronic data, personal data, copyrights,
• Set the audit scope and audit objectives.
ecommerce, e-signatures, etc.
• Develop the audit approach or audit strategy.
• IS practices and controls
• Assign personnel resources to the audit.
• The manner in which computers, programs and
• Address engagement logistics.
data are stored
• Identify opportunities for continuous audit or audit
automation using computer-assisted audit too ls
• The organization or the activities of information
(CAATs). technology services
• IS audits
• Document applicable laws and regulations.
1.3.2 Effect of Laws and Regulations on • Assess whether the management of the organization
IS Audit Planning and the IT function have considered the relevant
external requit'ements in maldng plans and in setting
Each organization, regardless of its size or the industry policies, standards and procedures and business
within which it operates, will need to comply with application features.
a number of governmental and external requirements • Review internal IT department/function/activity
related to IS practices and controls and the manner in documents that address adherence to laws applicable
which data is used, stored and secured. Additionally, to the industry.
industry regulations can impact the way data is • Determine adherence to established procedures that
processed, transmitted and stored (e.g., stock exchange, address external requirements.
central banks, etc.). Special attention should be given to • Determine ifthere are procedures in place to ensure
compliance issues in industries that are closely regulated. that contracts or agreements with external IT services
providers reflect any legal requirements related to
Because of the dependency on information systems
responsibilities.
and related technology, several countries are making
efforts to add legal regulations concerning IS audit and

©ISACA. All Rights Reserved. I 39


CISA' Official Review Manual 23th Ed ition I Chapter 1

Note some resulting weaknesses. In a risk-based audit


approach, IS auditors do not rely solely on risk
A CISA candidate will not be asked about any specific assessment; they also rely on internal and operational
laws or regulations but may be questioned about controls and knowledge of the organization or the
how one would audit for compliance with laws and business. This type of risk assessment decision-making
regulations. can help relate the cost-benefit analysis of the control
to the known risk, allowing the organization to make
Risk-based audit planning is the deployment of audit practical choices.
resources to areas within an organization that represent
Business risk includes concerns about the probable
the greatest risk. It requires an understanding of the
effects of an uncertain event on achieving established
organization and its environment, specifically:
business objectives. The nature of business risk may
• External and internal factors affecting the
be financial, regulatory or operational. Risk may also
organization
be derived from specific technologies. For example, an
• The organization's selection and application of
airline company is subject to extensive safety regulations
policies and procedures
and economic changes, both of which impact the
• The organization's objectives and strategies
continuing operations of the company. In this context, the
• Measurement and review of the organization's
availability ofIT services and their reliability are critical.
performance
Risk also includes measures an organization is willing to
As part of obtaining this understanding, an IS auditor take to achieve or advance its objectives even though the
must also gain an understanding of the key components results may be unproven or uncertain.
of the organization's:
By understanding the nature of the business, an IS
• Strategy management
auditor can identify and categorize types of risk and can
• Business products and services
better determine the appropriate risk model or approach
• Corporate governance process
in conducting the audit. The risk model assessment can
• Transaction types, transaction pa1tners and transaction
be as simple as creating weights for the types of risk
flows within information systems
associated with the business and identifying the risk in
Effective risk-based auditing uses risk assessment to an equation. On the other hand, risk assessment can be a
drive the audit plan and minimize the audit risk during scheme in which risk is given elaborate weights based on
the execution of an audit. the nature of the business or the significance of the risk.
A simplistic overview of a risk-based audit approach is
A risk-based audit approach is used to assess risk and to
shown in figure 1.4.
assist an IS auditor in making the decision to perform
either compliance testing or substantive testing. It is Note
important to stress that the risk-based audit approach
efficiently assists an IS auditor in determining the nature For further guidance, see standard 1204 Materiality.
and extent of testing.
Within this concept, inherent risk, control risk or
detection risk should not be of major concern, despite

40 I ©ISACA. All Rights Reserved.


CISA° Official Review Manual 23th Edition I Chapter 1

Figure 1.4- Risk-Based Audit Approach

Conclude the Audit.


• Create recommendations · Write audit report

1.3.3 Audit Risk and Materiality • Control risk- This is the risk of a material error
that would not be prevented or detected on a timely
Audit risk can be defined as the risk that information basis by the system of internal controls. For example,
collected may contain a material error that may go the control risk associated with manual reviews
undetected during the audit. An IS auditor should also of computer logs can be high because activities
consider, if applicable, other factors relevant to the requiring investigation are often overlooked due
organization: customer data; privacy; availability of to the volume of logged information. The control
provided services; and corporate and public image, as in risk associated with computerized data validation
the case of public organizations or foundations. procedures is ordinarily low ifthe processes are
Audit risk is influenced by: consistently applied.
• Inherent r isk- As it relates to audit risk, inherent • Detection risk- This is the risk that material errors
risk is the risk level or exposure of the process/ or misstatements will not be detected by an IS auditor.
entity to be audited without regard to the controls • Overall audit risk- This is the risk that the auditor
management has implemented. Inherent risk exists may not detect a material error in information or
independent of an audit and can occur because of the financial rep01ts. An objective in formulating the
nature of the business. audit approach is to limit the audit risk in the
area under scrutiny so the overall audit risk is at

©ISACA Al l Rights Reserved. I 41


CISA' Official Review Manual 2gth Edition I Chapter 1

a sufficiently low level at the completion of the examination.

An internal control weakness or set of combined internal control weaknesses may leave an organization highly susceptible to the occurrence of a threat (e.g., financial loss, business interruption, loss of customer trust, economic sanction). An IS auditor should be concerned with assessing the materiality of the items in question through a risk-based audit approach to evaluating internal controls.

Materiality refers to the importance of a piece of information with regard to its impact or effect on the functioning of the entity being audited. Materiality is the expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole. There is an inverse relationship between materiality and the level of audit risk acceptable to the IS auditor (i.e., the higher the materiality level, the lower the acceptability of the audit risk and vice versa).

An IS auditor should have a good understanding of audit risk when planning an audit. An audit sample may not reflect every potential error in a population. However, by using proper statistical sampling procedures or a strong quality control process, the probability of detection risk can be reduced to an acceptable level.

Similarly, when evaluating internal controls, an IS auditor should realize that a given system may not detect a minor error. However, that specific error, combined with others, could become material to the overall system.

Note
A CISA candidate should understand audit risk and not confuse it with statistical sampling risk, which is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is selected.

1.3.4 Risk Assessment

An IS auditor should understand how the organization being audited approaches risk assessment. Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives relevant to the organization. The results should guide and determine the appropriate management action, priorities for managing information security risk and priorities for implementing controls selected to protect against risk.

Risk assessments should be performed by management periodically to address changes in the environment, security requirements and the risk landscape (e.g., in the assets, threats, vulnerabilities and impacts) and whenever significant changes occur. It is important to note that IT management is responsible for conducting risk assessments. If expertise is not present within the organization, the IS auditor may assist in risk assessment efforts. However, management is ultimately responsible for the risk assessment process. The IS auditor may perform a separate risk assessment to supplement the needs of risk-based audit planning.

Refer to section 2.5 Enterprise Risk Management for additional details on risk assessments.

1.3.5 IS Audit Risk Assessment Techniques

When determining which functional areas should be audited, an IS auditor may face a large variety of audit subjects. Each of these subjects may incur different types of risk. An IS auditor should evaluate risk candidates to determine the high-risk areas that should be audited.

There are many risk assessment methodologies available to an IS auditor, ranging from simple classifications based on the auditor's judgment of high, medium and low, to complex scientific calculations that provide numeric risk ratings.

One such risk assessment approach is a scoring system that is useful in prioritizing audits based on an evaluation of risk factors. The system considers variables such as technical complexity, level of control procedures in place and level of financial loss. These variables may or may not be weighted. The risk values are then compared to each other, and audits are scheduled accordingly.

Another form of risk assessment is subjective, in which an independent decision is based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors. A combination of techniques can be used. Risk assessment methods may change and develop over time to best serve the needs of the organization. An IS auditor should consider the level of complexity and detail appropriate for the organization being audited.

IS auditors should leverage the results of management risk assessments to supplement their own risk assessment procedures. A degree of professional skepticism should be leveraged when reviewing or leveraging management assessments of risk due to potential independence impairment.
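As an added illustration of the scoring system described in section 1.3.5 (this is not code from the manual), the following Python rates a constructed audit universe on technical complexity, level of control procedures in place and level of financial loss, then ranks the subjects with and without weights. The 1-to-5 rating scale, the inversion of the control-level factor (more control in place means less residual risk), the weights and the scheduling thresholds are all assumptions made for this example.

```python
"""Weighted risk scoring to prioritize an audit universe (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Risk factors named in the manual; rating scale 1 (low) .. 5 (high) is assumed.
FACTORS = ("technical_complexity", "control_level", "financial_loss")
# A HIGH level of control procedures means LOW residual risk, so that factor
# is inverted before scoring (assumption made for this example).
INVERTED = {"control_level"}
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class AuditSubject:
    name: str
    ratings: Dict[str, int]            # factor -> rating on the 1..5 scale
    score: float = field(default=0.0, init=False)


def normalize(factor: str, rating: int) -> float:
    """Map a 1..5 rating onto 0..1, inverting factors where 'high' is good."""
    if not SCALE_MIN <= rating <= SCALE_MAX:
        raise ValueError(f"{factor} rating {rating} outside {SCALE_MIN}..{SCALE_MAX}")
    x = (rating - SCALE_MIN) / (SCALE_MAX - SCALE_MIN)
    return 1.0 - x if factor in INVERTED else x


def risk_score(subject: AuditSubject, weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted average of the normalized factors on a 0..100 scale.

    weights=None gives every factor the same weight, i.e. the unweighted
    variant the manual mentions.
    """
    weights = weights or {f: 1.0 for f in FACTORS}
    total = sum(weights[f] for f in FACTORS)
    weighted = sum(weights[f] * normalize(f, subject.ratings[f]) for f in FACTORS)
    return round(100 * weighted / total, 1)


def prioritize(subjects: List[AuditSubject],
               weights: Optional[Dict[str, float]] = None) -> List[AuditSubject]:
    """Score every subject and return them ranked highest risk first."""
    for s in subjects:
        s.score = risk_score(s, weights)
    return sorted(subjects, key=lambda s: (-s.score, s.name))


def ranked_names(subjects: List[AuditSubject],
                 weights: Optional[Dict[str, float]] = None) -> List[str]:
    return [s.name for s in prioritize(subjects, weights)]


def audit_frequency(score: float) -> str:
    """Translate a score into a scheduling tier (thresholds are assumptions)."""
    if score >= 60:
        return "annual"
    if score >= 35:
        return "biennial"
    return "triennial"


# Constructed sample audit universe (not from the manual).
UNIVERSE = [
    AuditSubject("Payroll application",
                 {"technical_complexity": 2, "control_level": 4, "financial_loss": 5}),
    AuditSubject("Ecommerce platform",
                 {"technical_complexity": 5, "control_level": 2, "financial_loss": 4}),
    AuditSubject("Legacy middleware",
                 {"technical_complexity": 5, "control_level": 2, "financial_loss": 2}),
    AuditSubject("Internal wiki",
                 {"technical_complexity": 1, "control_level": 3, "financial_loss": 1}),
]

# Weights expressing management's emphasis on financial exposure (assumption).
WEIGHTS = {"technical_complexity": 1.0, "control_level": 1.5, "financial_loss": 2.5}

if __name__ == "__main__":
    print("Unweighted ranking:", ranked_names(UNIVERSE))
    print("Weighted ranking:")
    for s in prioritize(UNIVERSE, WEIGHTS):
        print(f"  {s.name:22} score={s.score:5.1f}  schedule={audit_frequency(s.score)}")
```

Note how the weighting moves "Payroll application" above "Legacy middleware": the unweighted scheme rewards complexity and weak controls alike, while the weighted one lets the financial-loss factor dominate.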


Using risk assessment to determine areas to be audited:
• Enables audit management to effectively allocate limited audit resources
• Ensures that relevant information has been obtained from all levels of management, including boards of directors, IS auditors and functional area managers. Generally, this information assists management in effectively discharging its responsibilities and ensures that the audit activities are directed to high-risk areas, which will add value for management.
• Establishes a basis for effectively managing the audit department
• Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans

1.3.6 Risk Analysis

Risk analysis, a subset of risk assessment, is used during audit planning to help identify risk and vulnerabilities so an IS auditor can determine the controls needed to mitigate risk. Risk assessment procedures provide a basis for the identification and assessment of risk of material vulnerabilities; however, they do not provide sufficient appropriate audit evidence to support the audit opinion.

In evaluating IT-related business processes applied by an organization, it is important to understand the relationship between risk and control. IS auditors must be able to identify and differentiate risk types and the controls used to mitigate risk. They should have knowledge of common business risk areas, related technology risk and relevant controls. They should also be able to evaluate the risk assessment and management processes and techniques used by business managers, and to make assessments of risk to help focus and plan audit work. In addition to understanding business risk and control, IS auditors must understand that risk exists within the audit process.

1.4 Types of Controls and Considerations

Every organization has controls in place. An effective control is one that prevents, detects and/or contains an incident and enables recovery from a risk event. Organizations design, develop, implement and monitor information systems through policies, procedures, practices and organizational structures to address various types of risk.

Controls are normally composed of policies, procedures, practices and organizational structures that are implemented to reduce risk to the organization. Internal controls are developed to provide reasonable assurance to management that the organization's business objectives will be achieved, and that risk events will be prevented or detected and corrected. Internal control activities and supporting processes may be manual or automated.

1.4.1 Internal Controls

Internal controls operate at all levels within an organization to mitigate risk exposures that potentially could prevent it from achieving its business objectives. The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system and for continuously monitoring the effectiveness of the internal control system, although each individual within an organization must take part in this process.

There are two key aspects that controls should address:
1. What should be achieved
2. What should be avoided

Internal controls or control activities help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risk and to achieve the enterprise's business objectives. Control activities occur throughout the enterprise, at all levels and in all functions, such as granting approvals and authorizations, implementing verifications and reconciliations, reviewing operating performance, securing assets and ensuring separation of duties.

1.4.2 Control Objectives and Control Measures

A control objective is defined as an objective of one or more operational areas or roles, which is designed to contribute to the fulfillment of the company's strategic goals. That is, the control objective is explicitly related to the company's overall strategy.

Control objectives are statements of the desired result or purpose to be achieved by implementing control activities (procedures). For example, control objectives may relate to:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Safeguarding information assets

Control objectives apply to all controls, whether they are manual, automated or both (e.g., review of system logs). Control objectives in an IS environment do not differ from those in a manual environment; however, the way the controls are implemented may be different.


Thus, control objectives need to be addressed relevant to specific IS-related processes.

A control measure is defined as an activity contributing to the fulfillment of a control objective. Both the control objective and control measure serve the decomposition of the strategic-level goals into such lower-level goals and activities that can be assigned as tasks to the staff. This assignment can take the form of a role specified in a job description.

IS Control Objectives

IS control objectives include a complete set of high-level requirements to be considered by management for effective control of each IT process area. IS control objectives are:
• Statements of the desired result or purpose to be achieved by implementing controls around IS processes
• Policies, procedures, practices and organizational structures
• Requirements designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Organizational management needs to make choices relative to control objectives by:
• Selecting those that are applicable
• Deciding on those that will be implemented
• Choosing how to implement them (i.e., frequency, span, automation, etc.)
• Accepting the risk of not implementing others that may apply

Specific IS control objectives include:
• Safeguarding information assets, including ensuring that information on automated systems is up to date and secure from improper access
• Ensuring that system development life cycle (SDLC) processes are established, in place and operating effectively to provide reasonable assurance that development of business, financial and/or industrial software systems and applications is repeatable, reliable and aligned to business objectives
• Ensuring integrity of general operating system (OS) environments, including network management and operations
• Ensuring integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives) and customer data, through:
  • Authorization of the input—Each transaction is authorized and entered only once.
  • Validation of the input—Each input is validated and will not have a negative impact on the processing of transactions.
  • Accuracy and completeness of transaction processing—All transactions are recorded accurately and entered into the system for the proper period.
  • Reliability of overall information processing activities—All programmatic actions taken by the system during processing are sound.
  • Accuracy, completeness and security of the output—Outputs can be relied upon and countermeasures are implemented to enable security of information assets generated.
  • Database confidentiality, integrity and availability—The underlying systems of record have general IS security controls.
• Ensuring appropriate identification and authentication of users of IS resources (end users and infrastructure support)
• Ensuring the efficiency and effectiveness of operations (operational objectives)
• Complying with users' requirements, organizational policies and procedures and applicable laws and regulations (compliance objectives)
• Ensuring availability of IT services by developing efficient business continuity plans (BCPs) and disaster recovery plans (DRPs) that include backup and recovery processes
• Enhancing protection of data and systems by developing an incident response plan
• Ensuring integrity and reliability of systems by implementing effective change management procedures
• Ensuring that outsourced IS processes and services have clearly defined service level agreements (SLAs) and contract terms and conditions designed to protect the organization's assets and meet business goals and objectives

General Control Methods

General control methods apply to all areas of an organization as seen in figure 1.5.


Figure 1.5—General Control Methods

Managerial—Controls related to the oversight, reporting, (administrative) procedures and operations of a process. Examples:
• Policies and procedures
• Accounting controls (e.g., balancing)
• Employee training and development
• Compliance reporting

Technical—Also known as logical controls, controls that are provided through the use of technology, equipment or devices. A technical control requires proper managerial (administrative) controls to operate correctly. Examples:
• Firewall rulesets
• Network or host-based intrusion detection systems (IDSs)
• Passwords
• Antimalware solutions

Physical—Controls that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance, monitoring and the ability to address and react to an alert. Examples:
• Physical access badges and locks
• Closed-circuit TV (CCTV)

Often operational and administrative controls that concern day-to-day operations, functions and activities are included within managerial controls. Technical controls and physical controls, respectively, relate to the use of technology and the use of physical equipment or devices to regulate access.

An enterprise should maintain a proper balance of control types in order to meet its specific needs and help achieve its business objectives. For example, the implementation of a technical control, such as a firewall, requires training for the staff who manage or operate it, correct procedures for its configuration, assignment of responsibilities for its monitoring and schedules for regular testing. If these coinciding controls are not in place, stakeholders may develop a false sense of security, resulting in unidentified vulnerabilities, an ineffective use of resources and greater risk than anticipated or intended.

IS-Specific Controls

Each general control method can be translated into an IS-specific control. A well-designed information system should have controls built in for all its sensitive or critical functions. For example, there should be a general procedure to ensure that adequate safeguards over access to assets and facilities can be translated into an IS-related set of control procedures, covering access safeguards over computer programs, data and equipment.

Examples of IS-specific control procedures include:
• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to IT resources, including data and programs
• Systems development methodologies and change control
• Operations procedures
• Systems programming and technical support functions
• Quality assurance (QA) procedures
• Physical access controls
• BCP/DRP
• Networks and communication technology (e.g., local area networks, wide area networks, wireless)
• Database administration
• Protective and detective mechanisms against internal and external attacks

Note
A CISA candidate should understand concepts regarding IS controls and how to apply them in planning an audit.

Business Process Applications and Controls

In an integrated application environment, controls are embedded and designed into the business application that supports the processes. Business process control assurance involves evaluating controls at the process and activity levels, which may be a combination of management, programmed and manual controls. In addition to evaluating general controls that affect the processes, an IS auditor should evaluate business process owner-specific controls—such as proper security and separation of duties (SoD), periodic reviews, and approvals of access and application controls within the business process.


To effectively audit business application systems, an IS auditor must obtain a clear understanding of the application system under review. Numerous financial and operational functions are computerized for the purpose of improving efficiency and increasing the reliability of information. These applications range from traditional (including general ledger, accounts payable and payroll) to industry-specific (such as bank loans, trade clearing and material requirements planning). Given their unique characteristics, computerized application systems add complexity to audit efforts. These characteristics may include limited audit trails, instantaneous updating and information overload.

Figure 1.6 describes sample risk and controls for common business applications in an enterprise.

Figure 1.6—Business Application Controls

Ecommerce
Description: Ecommerce is the buying and selling of goods online.
Risk and controls: Due to their exposure to the Internet, ecommerce applications are subject to a high risk of Structured Query Language (SQL) injection attacks. IS-specific controls such as secure coding training for developers, system development life cycle (SDLC) code reviews and form input validity checks could be used to mitigate applicable risk.

Electronic data interchange (EDI)
Description: EDI replaced the traditional paper document exchange, such as medical claims and records, purchase orders, invoices or material release schedules.
Risk and controls: Transmitted data is at risk of being intercepted and potentially manipulated or compromised. Appropriate encryption controls should be used to ensure the confidentiality and integrity of transmitted data.

Email
Description: Email services are used by an enterprise to communicate electronically with internal or external parties.
Risk and controls: Email provides an avenue for attackers to manipulate end users through social engineering. Spam filtering, hyperlink verification and phishing training for email users can decrease the likelihood of phishing-related social engineering attacks.

Industrial control systems (ICSs)
Description: ICS is a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs) and other control system configurations such as programmable logic controllers (PLCs), which are often found in industrial sectors and critical infrastructures.
Risk and controls: Systems like SCADA are highly sensitive and if compromised can have a direct impact on human life. Organizations should consider adding perimeter security controls, such as network segmentation and multifactor authentication, to get into and administer high-risk SCADA environments.

Artificial intelligence (AI) and expert systems
Description: Expert systems are an area of AI and perform a specific function or are prevalent in certain industries. An expert system allows the user to specify certain basic assumptions or formulas and then uses those assumptions or formulas to analyze arbitrary events.
Risk and controls: AI systems rely on learned data and associated decision trees that can be inherently biased. An IS auditor should ensure that the proper level of expertise was used in developing the basic assumptions and formulas.
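As an added example (not code from the manual), the following Python shows the two ecommerce controls named in figure 1.6 that an SDLC code review would look for: a form input validity check on the product code, and a parameterized query in place of string concatenation. The product table, the SKU format and both lookup functions are constructed for this example.

```python
"""Form input validity check and parameterized query for a product lookup
(added example illustrating the ecommerce controls in figure 1.6)."""
import re
import sqlite3
from typing import Dict, List, Tuple

Row = Tuple[str, str, int]


def build_catalogue() -> sqlite3.Connection:
    """Constructed in-memory product table standing in for the shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (code TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("SKU-1001", "USB security key", 4500), ("SKU-1002", "Cable lock", 1999)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, code: str) -> List[Row]:
    """'Before' version a code review should flag: the form value is spliced
    into the SQL text, so the database parser cannot tell data from query."""
    sql = f"SELECT code, name, price_cents FROM products WHERE code = '{code}'"
    return conn.execute(sql).fetchall()


# Control 1: form input validity check. Product codes are assumed to be
# 'SKU-' followed by four digits; anything else is rejected before it reaches
# the database (or an application log).
CODE_PATTERN = re.compile(r"SKU-\d{4}")


def validate_code(code: str) -> str:
    if not isinstance(code, str) or not CODE_PATTERN.fullmatch(code):
        raise ValueError("product code failed input validity check")
    return code


def lookup_safe(conn: sqlite3.Connection, code: str) -> List[Row]:
    """Hardened version: validated input, then bound as a parameter so the SQL
    text is fixed and the value can only ever be compared as data (control 2)."""
    code = validate_code(code)
    sql = "SELECT code, name, price_cents FROM products WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


def classify(conn: sqlite3.Connection, value: str) -> Dict[str, str]:
    """Run one form value through both paths and record what each one did,
    the way a reviewer would document the before/after behaviour."""
    result = {"value": value}
    try:
        result["unsafe"] = f"{len(lookup_unsafe(conn, value))} row(s)"
    except sqlite3.OperationalError:
        result["unsafe"] = "SQL error: input reached the query parser"
    try:
        result["safe"] = f"{len(lookup_safe(conn, value))} row(s)"
    except ValueError:
        result["safe"] = "rejected by input validity check"
    return result


if __name__ == "__main__":
    db = build_catalogue()
    # Constructed form values: a valid code, an unknown code and a value
    # containing a quote character as a user might mistype it.
    for sample in ("SKU-1001", "SKU-9999", "SKU-1001'"):
        print(classify(db, sample))
```

The stray quote makes the unsafe path fail inside the database engine, evidence that user input is being parsed as SQL, while the hardened path never lets the value past the validity check.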


Note
A CISA candidate should be familiar with different types of business application systems and architectures, processes, risk and related controls and IS audit implications and practices. The IS auditor should consult industry- or technology-specific guidance and apply applicable IS-specific controls as necessary. For example, when reviewing an ecommerce application, an IS auditor might consider applicable guidance from authoritative sources such as the Open Web Application Security Project (OWASP).² Where specific skillsets are not present within an IS audit department, external experts should be brought in to perform applicable reviews.

1.4.3 Control Classifications

Controls are implemented to provide reasonable assurance to management that the organization's business objectives will be achieved, and risk events will be prevented or detected and corrected. Elements of controls that should be considered when evaluating control strength are classified as preventive, detective or corrective in nature.

Figure 1.7 describes control categories.

Figure 1.7—Control Categories

Preventive—Inhibit or impede attempts to violate security policy and practices. Encryption, user authentication and vault-construction doors are examples of preventive controls.

Deterrent—Provide guidance or warnings that may dissuade intentional or unintentional attempts at compromise. Warning banners on login screens, acceptable use policies, security cameras and rewards for the arrest of hackers are examples of deterrent controls.

Detective—Provide warnings of violations or attempted violations of security policy and practices without inhibiting or impeding the questionable actions. Audit trails, intrusion detection systems (IDSs) and checksums are examples of detective controls.

Corrective—Remediate errors, omissions, unauthorized uses and intrusions when detected. Data backups, error correction and automated failover are examples of corrective controls.

Compensating—Offset a deficiency or weakness in the control structure of the enterprise, often because the baseline controls cannot meet a stated requirement due to legitimate technical or business constraints. Placing unsecured systems on isolated network segments with strong perimeter security and adding third-party challenge-response mechanisms to devices that do not support individual login accounts are examples of compensating controls that, while not directly addressing vulnerabilities, make it harder to exploit them.

Source: ISACA, CRISC Official Review Manual 7th Edition Revised, USA, 2023

Preventive controls are generally stronger at mitigating risk because they prevent threat events from occurring. For example, if a malicious threat actor attempts to log into a system that is accessible from the Internet with a compromised password, multifactor authentication requirements could prevent the threat actor from successfully accessing the system.

By contrast, a detective control does not stop unauthorized uses or entries from occurring, but it indicates that a threat event took place or is in progress. If a threat event occurs, a corrective control helps an enterprise recover from the effects of an attack. For example, if unauthorized access has been gained to a specific enterprise computer, a procedure is initiated to protect the rest of the network.

Organizations must implement a variety of control types based on applicable risk and cost-benefit analysis. In summary, detective and preventive controls are used to reduce the likelihood of a threat event (the probability of something happening), while corrective controls are intended to mitigate the consequences (figure 1.8).

² Open Web Application Security Project, https://owasp.org/about/


Figure 1.8—Control Purpose

Reduce Likelihood:
• Infrastructure monitoring
• Capacity management
• Service desk
• Spare processing site
• Risk management
• Configuration management

Mitigate Consequences:
• Backup and recovery
• BC or IT DR plan
• Special clauses in vendor contracts
• UPS or power generator

Source: ISACA, Fundamentals of Information Systems Audit and Assurance (Facilitator Guide), USA, 2018

An adequate mix of controls with different classifications is important not only to reduce the likelihood of threat events occurring but also to identify and mitigate consequences. Different types of controls can complement one another to help ensure that each is working effectively and addressing unique threat events as outlined in figure 1.9.

Note
A CISA candidate should understand the purpose of and differences between preventive, detective and corrective controls and be able to recognize examples of each.


Figure 1.9—Interaction of Control Types and Threat Events

[Diagram: compensating, deterrent, detective, preventive and corrective controls shown in relation to threat, vulnerability and impact, with the labels "Reduces" and "Decreases".]

Source: Adapted from ISACA, CRISC Review Manual, 7th Edition Revised, USA, 2023

1.4.4 Control Relationship to Risk

There is a direct relationship between risk and control that demonstrates that risk is addressed through control and control is justified by the risk it addresses. Figure 1.10 shows this relationship.

Figure 1.10—Control Relationship to Risk

[Diagram]

Source: ISACA, IT Risk Fundamentals Study Guide, USA, 2020

The IS auditor should have a solid understanding of the applicable risk to controls being evaluated. This not only informs the overall audit procedures that will be used but also helps determine overall materiality of any control weaknesses that may be identified during the performance of an IS audit.

When evaluating controls, the IS auditor should ensure that management's identified controls are mapped back to applicable risk. It is management's responsibility to ensure controls are documented and implemented per its assessment of risk.

If controls implemented do not mitigate risk to an acceptable level (per the organization's risk tolerance), additional controls should be implemented. If appropriate or required countermeasures cannot be implemented based on system or business restrictions, compensating controls may be considered. However, any compensating control must achieve the same result the underperforming


control was designed to achieve. Placing unsecured systems on isolated network segments with strong perimeter security and adding third-party challenge-response mechanisms to devices that do not support individual login accounts are examples of compensating controls. Although the examples in the following sections are IT-specific, it is possible for non-IT compensating controls to exist.

1.4.5 Prescriptive Controls and Frameworks

In some instances, authoritative sources provide a prescriptive set of controls or control objectives for an organization to implement and assess. Prescriptive control sets or control frameworks attempt to provide a standard set of controls an organization should implement to mitigate applicable risk to the organization as a whole or to a specific business process.

Examples of sets of prescriptive controls or control objectives include:
• Center for Internet Security (CIS) 18 Critical Security Controls³—A prescriptive, prioritized and simplified set of best practices that organizations can use to strengthen their cybersecurity postures
• OWASP Software Assurance Maturity Model (SAMM)⁴—An open framework to help organizations formulate and implement strategies for software security that are tailored to the specific risk they face
• Service Organization Controls (SOC) reports⁵—A framework developed by the American Institute of Certified Public Accountants (AICPA) meant to be used by organizations to process data related to services they provide
• Payment Card Industry (PCI) Data Security Standard (DSS)⁶—A set of requirements that must be met by organizations that store, process, transmit or in any way affect the security of credit card data
• Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)⁷—A cybersecurity control framework for cloud computing encompassing various key practices to ensure cloud security across different cloud models and designed to provide fundamental security principles to guide cloud vendors and assist prospective cloud customers in assessing the overall security risk of a cloud provider

Organizations leveraging prescriptive control frameworks must identify applicable countermeasures in place to meet outlined control objectives. In some instances, prescriptive controls may not be applicable to an organization based on unique business practices. For example, if an organization accepting credit cards does not store credit card data as a part of its business process, then controls applicable to the protection of stored credit card information are likely not applicable. Where prescriptive controls do not apply to an organization, the organization should ensure the reasons and validation on non-applicability are formally documented.

1.4.6 Evaluation of the Control Environment

The control environment should be reviewed in accordance with the risk-based audit plan. Although IS audit will execute its risk-based audit plan, it is important to note that IS management should also evaluate the effectiveness of the control environment.

Management Control Monitoring

Management may perform its own monitoring of control effectiveness within a given audit cycle. This process helps to identify control deviations prior to a potentially less frequent audit and allows management to take corrective action.

Control monitoring ensures that:
• Control requirements are being met.
• Standards are being followed.
• Employees are complying with enterprise policies, practices and procedures.

Management can use the results of its own control monitoring efforts to continuously improve the organization's security program. An IS auditor may leverage these results as reassurance that controls were effectively working over a period of time. When

³ Center for Internet Security, "The 18 CIS Critical Security Controls," https://www.cisecurity.org/controls/cis-controls-list
⁴ OWASP Project, "OWASP SAMM," https://owasp.org/www-project-samm/
⁵ American Institute of Certified Public Accountants, "SOC 2®—SOC for Service Organizations: Trust Services Criteria," https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report
⁶ Payment Card Industry Security Standards Council, "PCI DSS: v4.0," https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
⁷ Cloud Security Alliance, "Cloud Controls Matrix," https://cloudsecurityalliance.org/research/cloud-controls-matrix/


reviewing management's control monitoring processes, an IS auditor should ensure the following:
• Identified control exceptions are remediated and lessons learned are considered for security program enhancement.
• Metrics are established for critical processes or control monitoring and are based on management's risk assessment.
• Metrics identify specific, quantifiable outputs for reporting.
• Independence considerations are made regarding potential completeness and accuracy concerns.
• Reporting establishes expected thresholds for control effectiveness and tracks success over time.

Independent Evaluation of the Control Environment

Once the applicable risk and controls are understood, the IS auditor can perform an evaluation of the control environment. An IS auditor reviews evidence gathered during the audit to determine if the operations reviewed are well controlled and effective. This is an area that requires judgment and experience. An IS auditor also assesses the strengths and weaknesses of the controls evaluated and determines if they are effective in meeting the control objectives established as part of the audit planning process.


Part B: Execution

Once an audit is planned and the scope and objectives are defined, the IS auditor is ready to execute the audit. The following sections provide guidance for executing an audit.

1.5 Audit Project Management

Several steps are required to perform an audit. Adequate planning is a necessary first step in performing an effective IS audit. To efficiently use IS audit resources, audit organizations must assess the overall risk for the general and application areas and related services being audited, and then develop an audit program that consists of objectives and audit procedures to satisfy the audit objectives. The audit process requires an IS auditor to gather evidence, evaluate the strengths and weaknesses of controls based on the evidence gathered through audit tests, and prepare an audit report that presents those issues (i.e., areas of control weaknesses with recommendations for remediation) to management in an objective manner.

Audit management must ensure the availability of adequate audit resources and a schedule for performing the audit procedures and, in the case of an internal IS audit, for conducting follow-up reviews on the status of corrective actions taken by management. The process of auditing includes defining the audit scope, formulating audit objectives, identifying audit criteria, performing audit procedures, reviewing and evaluating evidence, forming audit conclusions and opinions, and reporting to management after discussion with key process owners.

Project management techniques for audit projects include:
• Plan the audit engagement-Plan the audit, considering project-specific risk.
• Build the audit plan-Chart the necessary audit tasks across a timeline, optimizing resource use. Make realistic estimates of the time requirements for each task with proper consideration given to the availability of the auditee.
• Execute the plan-Execute audit tasks against the plan.
• Monitor project activity-Report actual progress against planned audit steps to ensure challenges are managed proactively and the scope is completed within time and budget.

1.5.1 Audit Objectives

Audit objectives refer to the specific goals that must be accomplished by the audit. In contrast, a control objective refers to how an internal control should function. An audit generally incorporates several audit objectives.

Audit objectives often focus on confirming that internal controls exist to minimize business risk and function as expected. These audit objectives include ensuring compliance with legal and regulatory requirements and ensuring the confidentiality, integrity, reliability and availability of information and IT resources. Audit management may give an IS auditor a general control objective to review and evaluate when performing an audit.

A key element in planning an IS audit is to translate basic and wide-ranging audit objectives into specific IS audit objectives. For example, in a financial/operational audit, a control objective could be to ensure that transactions are properly posted to the general ledger accounts. However, in an IS audit, the objective could be extended to ensure that editing features are in place to detect errors in the coding of transactions that may impact account-posting activities.

An IS auditor must understand how general audit objectives can be translated into specific IS control objectives. Determining an audit's objectives is a critical step in planning an IS audit.

One of the primary purposes of an IS audit is to identify control objectives and the related controls that address the objective. For example, an IS auditor's initial review of an information system should identify key controls. It should then be determined whether to test those controls for compliance. An IS auditor should identify both key general and application controls after developing an understanding and documenting the business processes and the applications/functions that support those processes and general support systems. Based on that understanding, an IS auditor should identify the key control points.

Alternatively, an IS auditor may assist in assessing the integrity of financial reporting data, referred to as substantive testing, through CAATs.

1.5.2 Audit Phases

Each phase in the execution of an audit can be divided into key steps to plan, define, perform and report the results, as shown in figure 1.11.


Figure 1.11-Typical Audit Process Steps by Phase

[Figure: audit process steps laid out across three phases: Planning Phase, Fieldwork and Documentation Phase, and Reporting Phase. The Reporting Phase steps are: Gather report requirements. Draft report. Issue report.]

Source: ISACA, Information Systems Auditing: Tools and Techniques-Creating Audit Programs, USA, 2016

Planning
Planning steps can be further broken down into more specific activities, as shown in figure 1.12.

Figure 1.12-Audit Process Activities for the Planning Phase

1. Determine audit subject. Identify the area to be audited (e.g., business function, system, physical location).

2. Define audit objective. Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.

3. Set audit scope. Identify the specific systems, function or unit of the organization to be included in the review. In the case of the program changes example, the scope statement might limit the review to a single application, system or a limited period of time. This step is very important because the information systems (IS) auditor will need to understand the IT environment and its components to identify the resources that will be required to conduct a comprehensive evaluation. A clear scope will help the IS auditor define a set of testing points that are relevant to the audit and to further determine the technical skills and resources necessary to evaluate different technologies and their components.

4. Perform preaudit planning. Conduct a risk assessment, which is critical in setting the final scope of a risk-based audit. For other types of audits (e.g., compliance), conducting a risk assessment is a good practice because the results can help the IS audit team justify the engagement and further refine the scope and preplanning focus.
• Interview the auditee to inquire about activities or areas of concern that should be included in the scope of the engagement.
• Identify regulatory compliance requirements.
• Once the subject, objective and scope are defined, the audit team can identify the resources needed to perform the audit. Some of the necessary resources to be defined:
  • Technical skills and resources
  • Budget and effort to complete the engagement
  • Locations or facilities to be audited
  • Roles and responsibilities among the audit team
  • Time frame for the various stages of the audit
  • Sources of information for test or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers
  • Points of contact for administrative and logistics arrangements
  • A communication plan that identifies whom to inform, when, how often and for what purposes

5. Determine audit procedures and steps for data gathering. At this stage of the audit process, the audit team should have enough information to identify and select the audit approach or strategy and start developing the audit program. Some of the specific activities in this step are:
• Identify and obtain departmental policies, standards and guidelines for review.
• Identify any regulatory compliance requirements.
• Identify a list of individuals to interview.
• Identify methods and tools to perform the evaluation.
• Develop audit tools and methodology to test and verify controls.
• Develop test scripts.
• Identify criteria for evaluating the test.
• Define a methodology to evaluate whether the test and its results are accurate (and repeatable if necessary).

Source: ISACA, Information Systems Auditing: Tools and Techniques-Creating Audit Programs, USA, 2016

Fieldwork/Documentation
Fieldwork/documentation steps can be further broken down into more specific activities, as shown in figure 1.13.

Figure 1.13-Audit Process Activities for the Fieldwork/Documentation Phase

1. Acquire data. Establish a process to acquire audit-related data. An advance request list can be used to
identify key evidence or interviews/observations that need to be gathered or performed
during an audit. The IS auditor should establish a process to collect evidence in a secure
manner (e.g., through fileshare). A governance, risk and compliance (GRC) tool may help
facilitate audit data collection for more advanced audit functions.

2. Test controls. Use testing techniques (e.g., interviews, observations, inspections, etc.) to evaluate
controls applicable to the acquired data. In some instances, sampling may be required to
review a subset of an overall population. For example, an IS auditor may select a sample
of servers and perform an observation to confirm that antimalware solutions are installed
per policy.

3. Discover and validate issues. Identify potential issues throughout the audit process. Issues are deviations from expected audit outcomes (e.g., policy requirements) and are the basis for recommendations the auditor will provide for management action.

4. Document results. Document the results within the audit program and work papers per document audit standards for the IS auditor's organization.

Reporting/Follow Up
Reporting/follow-up phase steps can be broken down into specific activities, as shown in figure 1.14.

Figure 1.14-Audit Process Activities for the Reporting/Follow-Up Phase

1. Gather report requirements. Reporting requirements are identified prior to drafting an audit report. These requirements may be derived from internal audit standards for the organization or through external reporting requirements.

2. Draft report. A draft report is created and reviewed by information systems (IS) audit leadership prior to review by the auditee. The report includes the overall results of the audit and potential findings and recommendations for management. Prior to issuing a final report, the auditee should review and respond to recommendations identifying planned actions for any recommended remediations.

3. Issue report. Once a report is finalized, it is issued. The final report is retained per internal or external retention requirements. Audit reports are presented to the oversight function of the organization (e.g., audit committee).

4. Follow up. A process is established to follow up on management's remediation progress for issues identified during an IS audit.

1.5.3 Audit Programs

An audit program is a step-by-step set of audit procedures and instructions that should be performed to complete an audit. It is based on the scope and objective of the particular assignment.

The main purposes of developing an audit program are:
• Formal documentation of audit procedures and sequential steps
• Creation of procedures that are repeatable and easy to use by internal or external audit and assurance professionals who need to perform similar audits
• Documentation of the type of testing that will be used (compliance and/or substantive)
• Meeting generally accepted audit standards that relate to the planning phase in the audit process

An IS auditor often evaluates IT functions and systems from different perspectives, such as security (confidentiality, integrity and availability), quality (effectiveness, efficiency), fiduciary (compliance, reliability), service and capacity. The audit work program is the audit strategy and plan-it identifies scope, audit objectives and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions.

General audit procedures are the basic steps in the performance of an audit and usually include:
• Obtaining and recording an understanding of the audit area/subject
• Creating a risk assessment and general audit plan and schedule
• Performing detailed audit planning that includes the necessary audit steps and a breakdown of the work planned across an anticipated timeline
• Conducting a preliminary review of the audit area/subject
• Evaluating the audit area/subject
• Verifying and evaluating the appropriateness of controls designed to meet control objectives
• Conducting compliance testing (tests of the implementation of controls and their consistent application)
• Conducting substantive testing (confirming the accuracy of information)
• Reporting (communicating results)
• Following up in cases that rely on an internal audit function

Minimum Skills to Develop an Audit Program

The development of meaningful audit and assurance programs depends on the auditor's ability to customize procedures according to the nature of the subject under review and the specific risk that must be addressed in the audit area/organization. Skills that can assist an IS auditor in creating an audit program include:
• Sufficient understanding of the nature of the enterprise and its industry to identify and categorize types of risk and threat
• Good understanding of the IT space and its components and sufficient knowledge of the technologies that affect them
• Understanding of the relationship between business risk and IT risk
• Basic knowledge of risk assessment practices
• Understanding of testing procedures for evaluating IS controls and identifying the best method of evaluation, such as:
  • The use of generalized audit software (GAS) to survey the contents of data files (e.g., system logs, user access list)
  • The use of specialized software to assess the contents of operating systems, databases and application parameter files
  • Flowcharting techniques for documenting business processes and automated controls
  • The use of audit logs and reports to evaluate parameters
  • Review of documentation
  • Inquiry and observations
  • Walk-throughs
  • Reperformance of controls

Note
For additional guidance, see standard 1204 Performance and Supervision and guideline 2204 Performance and Supervision.

1.5.4 Audit Work Papers

All audit plans, programs, activities, tests, findings and incidents should be properly documented in work papers. The format and media of work papers can vary, depending on the specific needs of the department. IS auditors should particularly consider how to maintain the integrity and protection of audit test evidence in order to preserve its value as substantiation in support of audit results.

Work papers can be considered the bridge or interface between the audit objectives and the final report. Work papers should provide a seamless transition-with traceability and support for the work performed-from objectives to report and from report to objectives. In this context, the audit report can be viewed as a particular work paper.

IS auditors should ensure that the same security-related requirements they may be assessing are considered for the audit work papers they collect. IS audit reports and related work papers can contain sensitive information that could be leveraged by malicious actors. A retention and destruction process should be established based on legal requirements for each audit type.

1.5.5 Fraud, Irregularities and Illegal Acts

Management is primarily responsible for establishing, implementing and maintaining an internal control system that enables the deterrence and/or timely detection of fraud. Internal controls may fail due to exploitation of vulnerabilities, management-perpetrated control weaknesses or collusion among people.
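The integrity requirement for work papers in section 1.5.4 can be met with a simple control: a digest manifest taken when evidence is acquired (figure 1.13, step 1) and re-verified before the evidence is relied on in the report. The following Python script is an added illustration, not code from ISACA or this manual; the work-paper references, file contents and auditor name in it are constructed for the example.

```python
"""Integrity manifest for audit evidence (added example, not ISACA's code).

When evidence is collected, record a SHA-256 digest, the collector and the
time for every item. Before the evidence is used to support a finding,
verify the manifest: any item whose digest no longer matches, any item that
has disappeared and any item that was never recorded is flagged.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed evidence items keyed by their work-paper reference. In practice
# these are files held on a restricted fileshare or in a GRC tool.
EVIDENCE = {
    "WP-3.1 user_access_list.csv": (
        b"user,role,last_login\n"
        b"alice,admin,2024-01-15\n"
        b"bob,user,2024-01-14\n"
    ),
    "WP-3.2 change_tickets.csv": (
        b"ticket,program,approver\n"
        b"CHG-101,payroll,cfo\n"
    ),
}


def sha256_hex(data: bytes) -> str:
    """Digest used to fingerprint each evidence item."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict, collected_by: str) -> dict:
    """Record who collected the evidence, when, and the digest of each item."""
    return {
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": {ref: sha256_hex(data) for ref, data in evidence.items()},
    }


def verify_manifest(manifest: dict, evidence: dict) -> dict:
    """Return {work-paper ref: "ok" | "modified" | "missing" | "unexpected"}."""
    status = {}
    for ref, recorded_digest in manifest["items"].items():
        if ref not in evidence:
            status[ref] = "missing"
        elif sha256_hex(evidence[ref]) != recorded_digest:
            status[ref] = "modified"
        else:
            status[ref] = "ok"
    # Items present now but absent from the manifest were not part of the
    # controlled collection and must not be treated as evidence.
    for ref in evidence:
        if ref not in manifest["items"]:
            status[ref] = "unexpected"
    return status


def manifest_to_json(manifest: dict) -> str:
    """Serialised form to file with the work papers, in a location auditees cannot write to."""
    return json.dumps(manifest, indent=2, sort_keys=True)


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, "is-auditor-1")
    print(manifest_to_json(manifest))
    print(verify_manifest(manifest, EVIDENCE))
```

The manifest itself should be stored apart from the evidence (for example, signed or written to audit-only storage); a digest list that an auditee can rewrite provides no assurance.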

The presence of internal controls does not altogether eliminate fraud. IS auditors should observe and exercise due professional care in all aspects of their work and be alert to opportunities that may allow fraud to materialize. They should be aware of the possibilities and means of perpetrating fraud, especially through exploitation of vulnerabilities and overriding controls in the IT-enabled environment. They should have knowledge of fraud and fraud indicators and be alert to the possibility of fraud and errors while performing an audit.

During the course of regular assurance work, an IS auditor may come across instances or indicators of fraud. After careful evaluation, an IS auditor may communicate the need for a detailed investigation to appropriate authorities. In the case of an IS auditor identifying a major fraud or if the risk associated with the detection is high, audit management should consider communicating the issue to the audit committee in a timely manner.

Regarding fraud prevention, an IS auditor should be aware of potential legal requirements concerning the implementation of specific fraud detection procedures and the reporting of fraud to appropriate authorities.

Note
For additional guidance, see standard 1207 Irregularity and Illegal Acts and guideline 2207 Irregularity and Illegal Acts.

1.5.6 Agile Auditing

A goal for any IS audit function is to provide faster and more efficient ways to conduct an IS audit to demonstrate the value provided to stakeholders. One method to achieve this is leveraging Agile concepts.

Agile Auditing Overview

The term "agile" usually refers to software development and emphasizes individuals and interactions over processes and tools, working software over comprehensive documentation, customer collaboration over contract negotiation and responding to change over following a plan.8 Traditional IS audit, on the other hand, has used strict standards and frameworks, resulting in rather rigid audit engagement constraints that, essentially, represented projects. IT projects have similarly inflexible models. However, they have evolved from the formal Waterfall model to less formal, but very often more efficient, models that are usually collectively known as "Agile."

In Agile models, design and specification documentation are kept to the bare minimum required, and a major part of documentation is created at the operations and support levels (e.g., user manuals), which occur much later in the system life cycle. In the context of an IS audit, this would result in blurring or altogether abolishing the temporal separation between planning and fieldwork phases. Agile audits, thus, address major bottlenecks in many audits. For example, necessary data-such as lists of system users from the system itself or an authorization database or file-can be requested and prepared by the auditees while the auditors are still trying to finalize remaining audit program steps. In addition, auditors can analyze data already collected while waiting for the audit team to schedule planning phase meetings with other auditees or the team members. Elimination of the requirement for strict temporal separation between planning and fieldwork makes audit more efficient. Tasks run in parallel (i.e., planning may be going on as the auditees collect requested data, or fieldwork may be occurring while meetings to address remaining planning issues are taking place).

Benefits of Agile Auditing

Agile methodologies benefit audit departments through production of rapid audit results, avoidance of siloed audit and customer teams, communications in near real time and effective collaboration with auditees. Agile also ensures that IT audit engagements are more successful through:
• Reduced end-to-end planning-Instead of audit engagements being planned over several months, Agile reduces the planning process to weeks or even days due to condensed sprint cycles and a small-scale, iterative approach.
• Streamlined audit engagements-Combining the planning, fieldwork and reporting phases into a single cohesive engagement avoids the execution of disparate audit phases with long lead times.
• Direct customer collaboration-Involving customers in the Agile scrum (i.e., daily standup meeting) at the beginning of the audit engagement sprint gives them a seat at the table. This involvement further facilitates their input in guiding the engagement to both valid and highly beneficial audit outcomes for all parties.
• Flexible audit scope-As new information is provided to or discovered by auditors, Agile facilitates real-time audit scope adjustments. Auditors should continue to obtain audit management approval as potential scope adjustments are identified and be prepared to adjust testing focus as new information is discovered or provided by audit customers.
• Real-time assurance-Direct customer collaboration means customers are informed of audit findings or control weaknesses as they are discovered by auditors versus receiving a draft audit report toward the end of an audit engagement. Auditors should provide audit customers with updates on potential findings or control weaknesses as testing uncovers them.
• Frequent audit plan updates-The increased velocity of engagements produced by Agile IT audits provides an opportunity to revisit the audit backlog and annual plan and make revisions more frequently. Unlike audit plans that are reviewed annually, Agile audit plans are reviewed every quarter (or more frequently in some instances) due to the Agile iterative approach to conducting an audit engagement.

Agile Auditing Compared to Established Assurance Standards

Figure 1.15 shows how Agile complements general, performance and reporting standards and guidelines found in the ISACA ITAF standard. The comparison in figure 1.15 shows how Agile audit techniques complement adherence to the standard.

8 "Manifesto for Agile Software Development," http://agilemanifesto.org/

Figure 1.15-Complementary Relationship of Agile Audit Techniques and ITAF

General Standard 1002-Organizational Independence
The IT audit and assurance function shall be free from conflicts of interest and undue influence in all matters related to audit and assurance engagements.
• Agile encourages more direct levels of communication and involvement with audit customers, which reflects auditors' organizational independence.
• The collaborative approach used in Agile (and facilitated by organizational independence) allows audit to leverage subject matter expertise to allow expedient agreement on audit findings and minimize remediation timelines.

General Standard 1003-Auditor Objectivity
IT audit and assurance practitioners shall be objective in all matters related to audit and assurance engagements.
• While differing from the traditional approach to audit, Agile does not compromise auditor objectivity, which may be impaired if conflicts of interest arise.
• Agile audit functions retain their professional skepticism and ability to make final decisions throughout the audit engagement.

General Standard 1005-Due Professional Care
Auditors will exercise due diligence and professional care. They will maintain high standards of conduct and character, and they will refrain from engaging in acts that may discredit themselves or the profession. Privacy and confidentiality of information obtained during the course of the auditor's duties should be maintained.
• The audit backlog is prioritized more often under Agile, which considers the required resources, establishment of proper audit scope, proper audit objectives and adequate levels of diligence and discretion.
• With Agile, audit management retains its right to conclude on key matters of each audit engagement.

General Standard 1006-Proficiency
IT audit and assurance practitioners, collectively with others assisting with the audit and assurance engagement, shall possess the professional competence to perform the work required.
• Daily standup scrum meetings and two-week sprint cycles greatly enhance development of audit staff at the junior and senior levels.
• Increased collaboration with audit customers allows audit staff to learn the business more completely.

Reporting Standard 1402.3-Follow-Up Activities and Acceptance of Risk
Where it is determined that the risk related to a finding has been accepted and is greater than the enterprise's risk appetite, this risk acceptance should be discussed with senior management.
• The collaborative and frequent communication processes leveraged by Agile seek to ensure full disclosure to executive management of any accepted risk taken by audit customers.

General Guideline 2001.2.6-Performance of Quality Assurance (QA)
Accountability of the audit and assurance function includes but is not limited to the QA Process (e.g., interviews, customer satisfaction surveys, assignment performance surveys) that establishes an understanding of the auditees' needs and expectations relevant to the audit function.
• The Agile sprint retrospective is a tool the audit team uses to analyze how the last sprint delivered with regard to individuals, interactions among customers and the audit team, executed processes, audit tools and the definition of "done."

Source: ISACA, Destination: Agile Auditing, USA, 2021

1.6 Audit Testing and Sampling Methodology

Valid conclusions can be reached using audit sampling. When using either statistical or nonstatistical sampling methods, IS auditors should design and select an audit sample, perform audit procedures and evaluate sample results to obtain sufficient and appropriate evidence to form a conclusion. When using sampling methods to draw a conclusion about the entire population, professionals should use statistical sampling.

An IS auditor should consider the purpose of the sample:
• Compliance testing/test of controls-An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material weaknesses
• Substantive testing/test of details-An audit procedure designed to detect material weaknesses at the assertion level

1.6.1 Compliance Versus Substantive Testing

Compliance testing is evidence gathering for the purpose of testing an organization's compliance with control procedures. This differs from substantive testing, in which evidence is gathered to evaluate the integrity of individual transactions, data or other information.

A compliance test determines whether controls are being applied in a manner that complies with management policies and procedures. For example, if an IS auditor is concerned about whether production program library controls are working properly, the IS auditor might select a sample of programs to determine whether the source and object versions are the same. The broad objective of any compliance test is to provide reasonable assurance of a particular control as perceived in the preliminary evaluation.

It is important that an IS auditor understands the specific objective of a compliance test and of the control being tested. Compliance tests can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence (e.g., to provide assurance that only authorized modifications are made to production programs).

A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and integrity of the balances in the financial statements and the transactions that support those balances. An IS auditor could use substantive tests to check for monetary errors directly affecting financial statement balances or other relevant data of the organization. Additionally, an IS auditor might develop a substantive test to evaluate the completeness and accuracy of report data. To perform this test, the IS auditor might use a statistical sample, which will allow the IS auditor to develop a conclusion regarding the accuracy of all the data.

A direct correlation exists between the level of internal controls and the amount of substantive testing required. If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then minimizing the substantive procedures could be justified. Conversely, if the control testing reveals weaknesses in controls that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts.

Examples of compliance testing of controls where sampling could be considered include user access rights, program change control procedures, documentation procedures, program documentation, follow-up of exceptions, review of logs and software license audits. Examples of substantive tests where sampling could be considered include performance of a complex calculation (e.g., interest) on a sample of accounts or a sample of transactions to vouch for supporting documentation.

An IS auditor could decide during the preliminary assessment of the controls to include some substantive testing if the results of the preliminary evaluation indicate that implemented controls are not reliable or do not exist.

Note
A CISA candidate should be knowledgeable about when to perform compliance tests or substantive tests.

Figure 1.16 shows the relationship between compliance and substantive tests and describes the two categories of substantive tests.

Figure 1.16-Understand the Control Environment and Flow of Transactions

[Figure: a flow of three steps. Review the system to identify controls. Test compliance to determine whether controls are functioning. Then the two categories of substantive tests: Test balances and transactions. Perform analytic review procedures.]

1.6.2 Sampling

Sampling is performed when time and cost considerations preclude a total verification of all transactions or events in a predefined population. The population consists of the entire group of items that need to be examined. The subset of population members used to perform testing is called a sample. Sampling is used to infer characteristics about a population based on the characteristics of a sample.

The two general approaches to audit sampling are statistical and nonstatistical:
• Statistical sampling-An objective method of determining the sample size and selection criteria
  • Statistical sampling uses the mathematical laws of probability to: (1) calculate the sampling size, (2) select the sample items and (3) evaluate the sample results and make inferences.
  • With statistical sampling, an IS auditor quantitatively decides how closely the sample should represent the population (assessing sample precision) and the number of times in 100 that the sample should represent the population (the reliability or confidence level). This assessment is represented as a percentage. The results of a valid statistical sample are mathematically quantifiable.
• Nonstatistical sampling (often referred to as judgmental sampling)-Uses audit judgment to determine the method of sampling, the number of items that will be examined from a population (sample size) and which items to select (sample selection)
  • These decisions are based on subjective judgment as to which items/transactions are the most material and most risky.

The IS auditor should be familiar with the statistical sampling concepts described in figure 1.17.

When using either statistical or nonstatistical sampling methods, an IS auditor should design and select an audit sample, perform audit procedures and evaluate sample results to obtain sufficient, reliable, relevant and useful audit evidence. These methods of sampling require an IS auditor to use judgment when defining the population characteristics and, thus, are subject to the risk that incorrect conclusions could be drawn from the sample (sampling risk). However, statistical sampling permits an IS auditor to quantify the probability of error (confidence coefficient). To be a statistical sample, each item in the population should have an equal opportunity or probability of being selected. Within these two general approaches to audit sampling, there are two primary methods of sampling used-attribute sampling and variable sampling. Attribute sampling, generally applied in compliance testing, deals with the presence or absence of the attribute and provides conclusions that are expressed in rates of incidence.

Figure 1.17-Statistical Sampling Terminology


_.....
II ~..uuUUt ll l

Confidence coefficient A percentage expression (90 percent, 95 percent, 99 percent, etc.) of the probability that
(confidence level or reliability the characteristics of the sample are a true representation of the population. Generally,
factor) a 95 percent confidence coefficient is considered a high degree of assurance. If an
information systems (IS) auditor knows internal controls are strong, the confidence
coefficient may be lowered. The greater the confidence coefficient, the larger the sample
size.

Level of risk Equal to one minus the confidence coefficient. For example, if the confidence coefficient
is 95 percent, the level of risk is five percent (100 percent minus 95 percent).

Precision Set by an IS auditor, the acceptable range difference between the sample and the actual
population. For attribute sampling, this figure is stated as a percentage. For variable
sampling, this figure is stated as a monetary amount or a number. The higher the
precision amount, the smaller the sample size and the greater the risk of fairly large
total error amounts going undetected. The smaller the precision amount, the greater the
sample size. A very low precision level may lead to an unnecessarily large sample size.

Expected error rate An estimate stated as a percentage of the errors that may exist. The greater the
expected error rate, the greater the sample size. This figure is applied to attribute
sampling formulas but not to variable sampling formulas .
Sample mean The sum of all sample values divided by the size of the sample. The sample mean
measures the average value of the sample.
Sample standard deviation The variance of the sample values from the mean of the sample. Sample standard
deviation represents the spread or dispersion of the sample values.

Tolerable error rate Describes the maximum misstatement or number of errors that can exist without an
account being materially misstated. Tolerable rate is used for the planned upper limit
of the precision range for compliance testing. The term is expressed as a percentage.
"Precision range" and "precision" have the same meaning when used in substantive
testing.

Population standard deviation A mathematical concept that measures the relationship to the normal distribution. The
greater the standard deviation, the larger the sample size. This figure is applied to
variable sampling formulas but not to attribute sampling formulas.

Attribute sampling refers to three different, but related, population. Attribute sampling answers the question,
types of proportional sampling: "How many?"
• Attribute sampling (fixed sample-size attribute • An example of an attribute that might be tested
sampling or frequency-estimating sampling)--A is approval signatures on computer access request
sampling model used to estimate the rate (percent) forms.
of occurrence of a specific quality (attribute) in a • Stop-or-go sampling-A sampling model that helps
prevent excessive sampling of an attribute by
allowing an audit test to be stopped at the earliest
possible moment. Stop-or-go sampling is used when

62 I ©ISACA. All Rights Reserved.


CI SA• Official Review Manual zgth Edition I Chapter 1

an IS auditor believes that relatively few errors will be found in a population.
• Discovery sampling—A sampling model most often used when the objective of the audit is to seek out (discover) fraud, circumvention of regulations or other irregularities. For example, if the sample is found to be error free, it is assumed that no fraud/irregularity exists; however, if a single error is found, the entire sample is believed to be fraudulent/irregular.

Variable sampling (dollar estimation or mean estimation sampling) is a technique used to estimate the monetary value or some other unit of measure (such as weight) of a population from a sample portion. An example of variable sampling is a review of an organization's balance sheet for material transactions and an application review of the program that produced the balance sheet.

Variable sampling refers to three types of quantitative sampling models:
• Stratified mean per unit—A statistical model in which the population is divided into groups and samples are drawn from the various groups; used to produce a smaller overall sample size relative to unstratified mean per unit
• Unstratified mean per unit—A statistical model in which a sample mean is calculated and projected as an estimated total
• Difference estimation—A statistical model used to estimate the total difference between audited values and book (unaudited) values based on differences obtained from sample observations

Variable sampling, generally applied in substantive testing, deals with population characteristics that vary, such as monetary values and weights (or any other measurement), and provides conclusions related to deviations from the norm.

Key steps in the construction and selection of a sample for an audit test are shown in figure 1.18.

Figure 1.18—Steps in the Selection of a Sample for an Audit Test (flow diagram): Determine the objective → Define the population → Determine the method
Sampling Risk

Sampling risk arises from the possibility that an IS auditor's conclusion may be different from the conclusion that would be reached if the entire population were subjected to the same audit procedure. There are two types of sampling risk:
• The risk of incorrect acceptance—A material weakness is assessed as unlikely when, in fact, the population is materially misstated.
• The risk of incorrect rejection—A material weakness is assessed as likely when, in fact, the population is not materially misstated.

Note
A CISA candidate is not expected to be a sampling expert. However, a CISA candidate should have a foundational understanding of the general principles of sampling and how to design a sample that is reliable. A CISA candidate should also be familiar with the different types of sampling terms and techniques and know when it is appropriate to use each technique.

1.7 Audit Evidence Collection Techniques
Evidence is any information used by an IS auditor to determine whether the entity or data being audited follows the established criteria or objectives and supports audit conclusions. It is a requirement that conclusions be based on sufficient, relevant and competent evidence.

When planning the IS audit, the type of audit evidence to be gathered, its use as audit evidence to meet audit objectives and its varying levels of reliability should be considered.

Audit evidence may include:
• An IS auditor's observations (presented to management)
• Notes taken from interviews
• Results of independent and qualified third-party assessors
• Material extracted from correspondence and internal documentation or contracts with external partners
• The results of audit test procedures

While all evidence will assist an IS auditor in developing audit conclusions, some types of evidence are more reliable than others. The rules of evidence and sufficiency and the competency of evidence must be considered as required by audit standards.

Determinants for evaluating the reliability of audit evidence include:
• Independence of the provider of the evidence—Evidence obtained from outside sources is more reliable than evidence from within the organization. This is why confirmation letters are used for verification of accounts receivable balances. Additionally, signed contracts or agreements with external parties can be considered reliable if the original documents are made available for review.
• Qualifications of the individual providing the information/evidence—Whether the providers of the information/evidence are inside or outside of the organization, an IS auditor should always consider the qualifications and functional responsibilities of the persons providing the information. This can also be true of an IS auditor. If an IS auditor does not have a good understanding of the technical area under review, the information gathered from testing that area may not be reliable, especially if the IS auditor does not fully understand the test.
• Objectivity of the evidence—Objective evidence is more reliable than evidence that requires considerable judgment or interpretation. An IS auditor's review of media inventory is direct, objective evidence. An IS auditor's analysis of the efficiency of an application, based on discussions with certain personnel, may not be objective audit evidence.
• Timing of the evidence—An IS auditor should consider the time during which information exists or is available in determining the nature, timing and extent of compliance testing and, if applicable, substantive testing. For example, audit evidence processed by dynamic systems, such as spreadsheets, may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up.

An IS auditor gathers a variety of evidence during an audit. Some evidence may be relevant to the objectives of the audit, while other evidence may be considered peripheral. An IS auditor should focus on the overall objectives of the review and not the nature of the evidence gathered.

The quality and quantity of evidence must be assessed. These two characteristics are referred to by the International Federation of Accountants (IFAC) as appropriate (quality) and sufficient (quantity). Evidence is competent when it is both reliable and relevant. Audit judgment is used to determine when sufficiency is achieved in the same manner that it is used to determine the appropriateness of evidence.

An understanding of the rules of evidence is important for IS auditors because they may encounter a variety of evidence types.

Note
A CISA candidate, given an audit scenario, should be able to determine which evidence-gathering technique would be best in a given situation.

Techniques for gathering evidence include:
• Reviewing IS organization structures—An organizational structure that provides adequate SoD is a key general control in an IS environment. An IS auditor should understand general organizational controls and be able to evaluate those controls in the organization under audit. Where there is a strong emphasis on cooperative distributed processing or on end-user computing, IT functions may be organized somewhat differently from the classic IS organization, which consists of separate systems and operations functions. An IS auditor should be able to review organizational structures and assess the level of control they provide.
• Reviewing IS policies and procedures—An IS auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures and ensure that policies and procedures are being followed. An IS auditor should verify that management assumes full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims
and directives. Periodic reviews of policies and procedures for appropriateness should be carried out.
• Reviewing IS standards—An IS auditor should first understand the existing standards in place within the organization.
• Reviewing IS documentation—A first step in reviewing the documentation for an information system is to understand the existing documentation in place within the organization. This documentation could be a hard copy or a copy stored electronically. If the latter, controls to preserve the document integrity should be evaluated by an IS auditor. An IS auditor should look for a minimum level of IS documentation. Documentation may include:
  • Systems development initiating documents (e.g., feasibility studies)
  • Documentation provided by external application suppliers
  • SLAs with external IT providers
  • Functional requirements and design specifications
  • Test plans and reports
  • Program and operations documents
  • Program change logs and histories
  • User manuals
  • Operations manuals
  • Security-related documents (e.g., security plans, risk assessments)
  • BCPs
  • QA reports
  • Reports on security metrics
• Interviewing appropriate personnel—See section 1.7.1 Interviewing and Observing Personnel in Performance of Their Duties.
• Observing processes and employee performance—The observation of processes is a key audit technique for many types of review. An IS auditor should be unobtrusive while making observations and should document everything in sufficient detail to be able to present it, if required, as audit evidence. In some situations, the release of the audit report may not be timely enough to use observations as evidence, which may necessitate the issuance of an interim report to management of the area being audited. An IS auditor may wish to consider whether documentary evidence would be useful as evidence (e.g., photograph of a server room with doors fully opened).
• Reperformance—The reperformance process is a key audit technique that generally provides better evidence than the other techniques and is, therefore, used when a combination of inquiry, observation and examination of evidence does not provide sufficient assurance that a control is operating effectively. This technique involves the actual performance of the control under assessment in real time.
• Walk-throughs—The walk-through is an audit technique to confirm the understanding of controls. A walk-through can help ensure the control owner and IS auditor clearly understand the controls to be assessed and assist in the identification of evidence to be collected to validate control effectiveness.

While these evidence-gathering techniques are part of an audit, an audit is not limited to review work. It includes examination, which incorporates the testing of controls and audit evidence and, therefore, includes the results of audit tests.

An IS auditor should recognize that with systems development techniques, such as computer-aided software engineering (CASE) or prototyping, traditional systems documentation will not be required or will be provided in an automated form. However, an IS auditor should look for documentation standards and practices within the IS organization.

An IS auditor should be able to review documentation for a given system and determine whether it follows the organization's documentation standards. In addition, an IS auditor should understand the current approaches to developing systems—such as object orientation, CASE tools or prototyping—and how the documentation is constructed. An IS auditor should recognize other components of IS documentation, such as database specifications, file layouts or self-documented program listings.

1.7.1 Interviewing and Observing Personnel in Performance of Their Duties

Interviewing techniques are an important skill for an IS auditor. Interviews should be organized in advance with objectives clearly communicated, follow a fixed outline and be documented by interview notes. Using an interview form or checklist prepared by an IS auditor is a good approach.

Remember that the purpose of such an interview is to gather audit evidence using techniques, such as inquiry, observation, inspection, confirmation, performance and monitoring. Personnel interviews are discoveries by nature and should never be accusatory; the interviewer should help people feel comfortable, encouraging them to share information, ideas, concerns and knowledge. An IS auditor should verify the accuracy of the notes with the interviewee.

Observing personnel in the performance of their duties assists an IS auditor in identifying:
• Actual functions—Observation can be an adequate test to ensure that the individual who is assigned and authorized to perform a particular function is the person who is actually doing the job. It allows an IS auditor an opportunity to witness how policies and procedures are understood and practiced. Depending on the specific situation, the results of this type of test should be compared with the respective logical access rights.
• Actual processes/procedures—Performing a walk-through of the process/procedure allows an IS auditor to obtain evidence of compliance and observe deviations, if any. This type of observation can prove useful for physical controls.
• Security awareness—Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures to safeguard the enterprise's assets and data. This type of information can be supported with an examination of previous and planned security training.
• Reporting relationships—Reporting relationships should be observed to ensure that assigned responsibilities and adequate SoD are being practiced. Often, the results of this type of test should be compared with the respective logical access rights.
• Observation drawbacks—The observer may interfere with the observed environment. Personnel, upon noticing that they are being observed, may change their usual behavior. Interviewing information processing personnel and management should provide adequate assurance that the staff has the required technical skills to perform the job. This is an important factor that contributes to an effective and efficient operation.

1.8 Audit Data Analytics

Data analytics is an important tool for an IS auditor. Through the use of technology, an IS auditor can select and analyze full data sets to continuously audit or monitor key organizational data for abnormalities or variances that can be used to identify and evaluate organizational risk and achieve compliance with control and regulatory requirements.

An IS auditor can use data analytics to:
• Determine the operational effectiveness of the current control environment
• Determine the effectiveness of antifraud procedures and controls
• Identify business process errors
• Identify business process improvements and inefficiencies in the control environment
• Identify exceptions or unusual business rules
• Identify fraud
• Identify areas where poor data quality exists
• Conduct a risk assessment at the planning phase of an audit

The process used to collect and analyze data includes:
• Setting the scope (e.g., determining audit/review objectives; defining data needs, sources and reliability)
• Identifying and obtaining the data (e.g., requesting data from responsible sources, testing a sample of data, extracting the data for use)
• Validating the data (e.g., determining if the data is sufficient and reliable to perform audit tests) by:
  • Validating balances independent of the data set extracted
  • Reconciling detailed data to report control totals
  • Validating numeric, character and date fields
  • Verifying the time period of the data set (i.e., determining that it meets scope and purpose)
  • Verifying that all necessary fields identified in the scope are actually included in the acquired data set
• Executing the tests (e.g., running scripts and performing other analytical tests)
• Documenting the results (e.g., recording the testing purpose, data sources and conclusions reached)
• Reviewing the results (e.g., ensuring that the testing procedures have been adequately performed and reviewed by a qualified person)
• Retaining the results (e.g., maintaining important test elements), such as:
  • Program files
  • Scripts
  • Macros/automated command tests
  • Data files

Data analytics can be effective for an IS auditor in both the planning and fieldwork phases of an audit.

Analytics can be used to:
• Combine logical access files with human resources employee master files for authorized users
• Combine file library settings with data from the change management systems and dates of file changes that can be matched to dates of authorized events
• Match ingress with egress records to identify tailgating in physical security logs
• Review table or system configuration settings
• Review system logs for unauthorized access or unusual activities
• Test system conversion
• Test logical access SoD (e.g., analysis of Active Directory data combined with job descriptions)
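Two of the analytics in the list above, matching logical access accounts against the HR employee master and matching ingress with egress badge records, as an added example in Python (my code, not the manual's). The CSV layouts and every record are constructed for illustration; the badge log is assumed to be in chronological order.

```python
"""Audit data analytics: two of the matches listed in section 1.8, run over
constructed sample data. Added example, not code from the ISACA manual; the
column names and records are assumptions made for illustration."""
import csv
from io import StringIO

# Constructed HR employee master file (one row per employee).
HR_MASTER = """emp_id,name,status
E100,Ana Ortiz,active
E101,Ben Lau,terminated
E102,Cai Ruiz,active
"""

# Constructed logical access file (one row per account on the system).
ACCESS_FILE = """account,emp_id,role
aortiz,E100,user
blau,E101,admin
svc_backup,,service
xliu,E999,user
cruiz,E102,user
"""

# Constructed physical security log: badge reads at a single door, in time order.
BADGE_LOG = """badge,event,time
B1,in,08:00
B3,in,08:10
B1,out,12:00
B2,out,12:05
B3,in,13:00
B1,in,13:05
"""


def load(csv_text):
    """Parse an embedded CSV extract into a list of dict rows."""
    return list(csv.DictReader(StringIO(csv_text)))


def unauthorized_accounts(access_rows, hr_rows):
    """Combine the logical access file with the HR master: every account must
    map to a current employee. Returns {account: reason} for the exceptions."""
    employees = {row["emp_id"]: row for row in hr_rows}
    exceptions = {}
    for row in access_rows:
        owner = row["emp_id"]
        if not owner:
            exceptions[row["account"]] = "no employee owner recorded"
        elif owner not in employees:
            exceptions[row["account"]] = f"owner {owner} not in HR master"
        elif employees[owner]["status"] != "active":
            exceptions[row["account"]] = f"owner {owner} is {employees[owner]['status']}"
    return exceptions


def tailgating_candidates(badge_rows):
    """Match ingress with egress per badge. An egress with no open ingress means
    the holder got in without badging; a second ingress while still recorded
    inside means the holder left without badging. Returns (badge, time, reason)."""
    inside = set()
    findings = []
    for row in badge_rows:  # rows are assumed to be in chronological order
        badge, event, time = row["badge"], row["event"], row["time"]
        if event == "in":
            if badge in inside:
                findings.append((badge, time, "ingress while already recorded inside"))
            inside.add(badge)
        elif event == "out":
            if badge not in inside:
                findings.append((badge, time, "egress without matching ingress"))
            inside.discard(badge)
    return findings


if __name__ == "__main__":
    for account, reason in unauthorized_accounts(load(ACCESS_FILE), load(HR_MASTER)).items():
        print(f"account {account}: {reason}")
    for badge, time, reason in tailgating_candidates(load(BADGE_LOG)):
        print(f"badge {badge} at {time}: {reason}")
```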
system. The audit-expert system will provide direction
1.8.1 Computer-Assisted Audit Techniques

CAATs are important tools that an IS auditor uses to gather and analyze data during an IS audit or review. When systems have different hardware and software environments, data structures, record formats or processing functions, it is almost impossible for an IS auditor to collect certain evidence without using such a software tool.

CAATs also enable an IS auditor to gather information independently. They provide a means to gain access and analyze data for a predetermined audit objective and to report the audit findings with emphasis on the reliability of the records produced and maintained in the system. The reliability of the source of the information used provides reassurance on findings generated.

CAATs include many types of tools and techniques such as GAS, utility software, debugging and scanning software, test data, application software tracing and mapping and expert systems.

GAS refers to standard software that can directly read and access data from various database platforms, flat-file systems and American Standard Code for Information Interchange (ASCII) formats. GAS provides an IS auditor with an independent means to gain access to data for analysis and the ability to use high-level, problem-solving software to invoke functions to be performed on data files. Features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. Functions commonly supported by GAS include:
• File access—Enables the reading of different record formats and file structures
• File reorganization—Enables indexing, sorting, merging and linking with another file
• Data selection—Enables global filtration conditions and selection criteria
• Statistical functions—Enables sampling, stratification and frequency analysis
• Arithmetical functions—Enables arithmetic operators and functions

Utility software is a subset of software—such as report generators of the database management system (DBMS)—that provides evidence about system control effectiveness. Test data involves an IS auditor using a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives. The review of an application system will provide information about internal controls built into the system. The audit-expert system will provide direction and valuable information to all levels of auditors while carrying out the audit because the query-based system is built on the knowledge base of senior auditors or managers.

Utility software tools and techniques can be used in performing various audit procedures such as:
• Tests of the details of transactions and balances
• Analytical review procedures
• Compliance tests of IS general controls
• Compliance tests of IS application controls
• Network and OS vulnerability assessments
• Penetration testing
• Application security testing and source code security scans

An IS auditor should have a thorough understanding of CAATs and know where and when to apply them. For example, an IS auditor should review the results of engagement procedures to determine whether there are indications that irregularities or illegal acts may have occurred. Using CAATs could aid significantly in the effective and efficient detection of irregularities or illegal acts.

An IS auditor should weigh the costs and benefits of using CAATs before going through the effort, time and expense of purchasing or developing them. Issues to consider include:
• Ease of use for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies
• Effort required to bring the source data into the CAATs for analysis
• Ensuring the integrity of imported data by safeguarding its authenticity
• Recording the time stamp of data downloaded at critical processing points to sustain the credibility of the review
• Obtaining permission to install the software on the auditee servers
• Reliability of the software
• Confidentiality of the data being processed

When developing CAATs, the following are examples of documentation to be retained:
• Online reports detailing high-risk issues for review
• Commented program listings
• Flowcharts
• Sample reports
• Record and file layouts
• Field definitions
• Operating instructions
• Description of applicable source documents

CAATs documentation should be referenced to the audit program and clearly identify the audit procedures and objectives being served. When requesting access to production data for use with CAATs, an IS auditor should request read-only access. Any data manipulation by an IS auditor should be applied to copies of production files in a controlled environment to ensure that production data is not exposed to unauthorized updating. Most CAATs allow for production data to be downloaded from production systems to a standalone platform and then analyzed from the standalone platform, thereby insulating the production systems from any adverse impact.

CAATs as a Continuous Online Audit Approach

An important advantage of CAATs is the ability to improve audit efficiency through continuous online auditing techniques. To this end, an IS auditor must develop audit techniques that are appropriate for use with advanced information systems.

In addition, the IS auditor must be involved in the creation of advanced systems at the early stages of development and implementation and must make greater use of automated tools that are suitable for the organization's automated environment. This takes the form of the continuous audit approach.

1.8.2 Continuous Auditing and Monitoring

Continuous auditing is an approach used by IS auditors to monitor system reliability on a continuous basis and gather selective audit evidence through the computer. A distinctive characteristic of continuous auditing is the short time lapse between the facts to be audited, the collection of evidence and audit reporting. To properly understand the implications and requirements of continuous auditing, a distinction is made between continuous auditing and continuous monitoring:
• Continuous auditing—Enables an IS auditor to perform tests and assessments in a real-time or near-real-time environment. Continuous auditing is designed to enable an IS auditor to report results on the subject matter being audited within a much shorter time frame than under a traditional audit approach.
• Continuous monitoring—Enables an organization to observe the performance of one or many processes, systems or types of data. For example, real-time antivirus or intrusion detection systems may operate in a continuous monitoring fashion.

Continuous auditing should be independent of continuous control or monitoring activities. When both continuous monitoring and auditing take place, continuous assurance can be established. In practice, continuous auditing is the precursor to management adopting continuous monitoring as a process on a day-to-day basis. Often, the audit function will hand over the techniques used in continuous auditing to the business, which will then run the continuous monitoring. This collaboration has led to increased appreciation among process owners of the value that the audit function brings to the organization, leading to greater confidence and trust between the business and the audit function. Nevertheless, the lack of independence and objectivity inherent in continuous monitoring should not be overlooked, and continuous monitoring should never be considered as a substitute for the audit function.

Continuous auditing efforts often incorporate new IT developments; increased processing capabilities of current hardware, software, standards and AI tools; and attempts to collect and analyze data at the moment of the transaction. Data must be gathered from different applications working within different environments, transactions must be screened, the transaction environment has to be analyzed to detect trends and exceptions, and atypical patterns (i.e., a transaction with significantly higher or lower value than typical for a given business partner) must be exposed. If all this must happen in real time, perhaps even before final sign-off of a transaction, it is mandatory to adopt and combine various top-level IT techniques. The IT environment is a natural enabler for the application of continuous auditing because of the intrinsic automated nature of its underlying processes.

Continuous auditing aims to provide a more secure platform to avoid fraud and a real-time process aimed at ensuring a high level of financial control. Continuous auditing and monitoring tools are often built into many enterprise resource planning packages and most OS and network security packages. These environments, if appropriately configured and populated with rules, parameters and formulas, can output exception lists on request while operating against actual data. Therefore, they represent an instance of continuous auditing. The difficulty, but significant added value, of using these features is that they postulate a definition of what would
be a "dangerous" or exception condition. For example, whether a set of granted IS access permissions is to be deemed risk-free will depend on having well-defined SoD. On the other hand, it may be much harder to decide if a given sequence of steps taken to modify and maintain a database record points to a potential risk.

It is important to validate the source of the data used for continuous auditing and note the possibility of manual changes.

1.8.3 Continuous Auditing Techniques

Continuous auditing techniques are important IS audit tools, particularly when they are used in time-sharing environments that process a large number of transactions but leave a scarce paper trail. By permitting an IS auditor to evaluate operating controls on a continuous basis without disrupting the organization's usual operations, continuous auditing techniques improve the security of a system. When a system is misused by someone withdrawing money from an inoperative account, a continuous auditing technique will report this withdrawal in a timely fashion to an IS auditor. Thus, the time lag between the misuse of the system and the detection of that misuse is reduced. The realization that failures, improper manipulation and lack of controls will be detected on a timely basis by the use of continuous auditing procedures gives an IS auditor and management greater confidence in a system's reliability.

There are five types of automated evaluation techniques applicable to continuous auditing:
1. Systems control audit review file and embedded audit modules (SCARF/EAM)-The use of this technique involves embedding specially written audit software in the organization's host application system so the application systems are monitored on a selective basis.
2. Snapshots-This technique involves taking what might be termed "pictures" of the processing path that a transaction follows, from the input to the output stage. With the use of this technique, transactions are tagged by applying identifiers to input data and recording selected information about what occurs for an IS auditor's subsequent review.
3. Audit hooks-This technique involves embedding hooks (e.g., logging and monitoring triggers) in application systems to function as red flags and induce IS security and auditors to act before an error or irregularity gets out of hand.
4. Integrated test facility (ITF)-With this technique, dummy entities are set up and included in an auditee's production files. An IS auditor can make the system either process live transactions or test transactions during regular processing runs and have the transactions update the records of the dummy entity. The operator enters the test transactions simultaneously with the live transactions that are entered for processing. An auditor then compares the output with the data that has been independently calculated to verify the correctness of the computer-processed data.
5. Continuous and intermittent simulation (CIS)-During a process run of a transaction, the computer system simulates the instruction execution of the application. As each transaction is entered, the simulator decides whether the transaction meets certain predetermined criteria and, if so, audits the transaction. If not, the simulator waits until it encounters the next transaction that meets the criteria.

In figure 1.19, the relative use cases of the various continuous auditing tools are presented.

Figure 1.19-Continuous Auditing Tools-Use Cases (one entry per technique, in the order listed above)

SCARF/EAM
  Complexity: Very high
  Useful when: Regular processing cannot be interrupted.
Snapshots
  Complexity: Medium
  Useful when: An audit trail is required.
Audit hooks
  Complexity: Low
  Useful when: Only select transactions or processes need to be examined.
ITF
  Complexity: High
  Useful when: It is not beneficial to use test data.
CIS
  Complexity: Medium
  Useful when: Transactions meeting certain criteria need to be examined.
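The following is an added example, not code from the ISACA manual, showing three of the five techniques above embedded in a toy transaction processor: an embedded audit module that writes an exception file (SCARF/EAM), an audit hook that raises a red flag when a constructed amount threshold is crossed, and snapshot tagging that records a tagged transaction at its input and output stages. The accounts, transactions, exception rules and threshold are all constructed for the demonstration; the application loop is deliberately permissive so that it is the audit module, not the application's own controls, that reports the withdrawal from the inoperative account.

```python
# Added example (not from the ISACA manual): SCARF/EAM, audit hook and
# snapshot tagging over a constructed transaction stream.
from dataclasses import dataclass, field


@dataclass
class Account:
    number: str
    balance: float
    status: str  # "active" or "inactive" (the text's "inoperative" account)


@dataclass
class Transaction:
    txn_id: str
    account: str
    kind: str  # "deposit" or "withdrawal"
    amount: float
    tagged: bool = False  # snapshot technique: only tagged transactions are traced


@dataclass
class EmbeddedAuditModule:
    """SCARF/EAM: audit code living inside the application, observing every transaction."""
    hook_threshold: float                              # constructed audit-hook trigger
    exceptions: list = field(default_factory=list)     # the SCARF exception file
    hook_alerts: list = field(default_factory=list)    # audit-hook red flags
    snapshots: list = field(default_factory=list)      # processing-path records for tagged txns

    def snapshot(self, txn, stage, acct):
        # Snapshots: record what a tagged transaction looked like at each stage.
        if txn.tagged:
            self.snapshots.append((txn.txn_id, stage, acct.status, acct.balance))

    def evaluate(self, txn, acct):
        # Exception rules: the "dangerous" conditions that had to be defined up front.
        if txn.kind == "withdrawal" and acct.status != "active":
            self.exceptions.append((txn.txn_id, "withdrawal from inactive account"))
        if txn.kind == "withdrawal" and txn.amount > acct.balance:
            self.exceptions.append((txn.txn_id, "withdrawal exceeds balance"))
        # Audit hook: a trigger that fires before a large transaction gets far.
        if txn.amount >= self.hook_threshold:
            self.hook_alerts.append((txn.txn_id, txn.amount))


def process(transactions, accounts, eam):
    """Application loop. Deliberately permissive: it posts every transaction so that
    the embedded module, not the application, is what reports the misuse."""
    for txn in transactions:
        acct = accounts[txn.account]
        eam.snapshot(txn, "input", acct)
        eam.evaluate(txn, acct)
        if txn.kind == "deposit":
            acct.balance += txn.amount
        else:
            acct.balance -= txn.amount
        eam.snapshot(txn, "output", acct)
    return eam


def run_demo():
    # Constructed sample data.
    accounts = {
        "A1": Account("A1", 500.0, "active"),
        "A2": Account("A2", 200.0, "inactive"),
    }
    transactions = [
        Transaction("T1", "A1", "deposit", 100.0, tagged=True),
        Transaction("T2", "A2", "withdrawal", 50.0),      # misuse of inactive account
        Transaction("T3", "A1", "withdrawal", 10000.0),   # overdraft and hook trigger
        Transaction("T4", "A1", "deposit", 25.0),
    ]
    return process(transactions, accounts, EmbeddedAuditModule(hook_threshold=5000.0))


if __name__ == "__main__":
    eam = run_demo()
    for rec in eam.exceptions:
        print("EXCEPTION", rec)
    for rec in eam.hook_alerts:
        print("HOOK", rec)
    for rec in eam.snapshots:
        print("SNAPSHOT", rec)
```

The module can only flag what its rules describe, which is the point made above about having to postulate the exception condition in advance; the balances it records in the snapshot and exception files are the raw data an auditor would later validate against the source system rather than trusting the module's own output.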

The use of each of the continuous auditing techniques has advantages and disadvantages. Their selection and implementation depend, to a large extent, on the complexity of an organization's computer systems and
applications and an IS auditor's ability to understand and evaluate the system with and without the use of continuous auditing techniques. In addition, an IS auditor must recognize that continuous auditing techniques are not a cure for all control problems and that the use of these techniques provides only limited assurance that the information processing systems examined are operating as they were intended to function.

Techniques that are used to operate in a continuous auditing environment must work at all data levels-single input, transaction and databases-and include:
• Transaction logging
• Query tools
• Statistics and data analysis
• DBMSs
• Data warehouses, data marts, data mining
• Intelligent agents
• EAM
• Neural network technologies
• Standards such as Extensible Business Reporting Language (XBRL)

Intelligent software agents may be used to automate the evaluation processes and allow for flexibility and dynamic analysis capabilities. The configuration and application of intelligent agents (bots) allow for continuous monitoring of systems settings and the delivery of alert messages when certain thresholds are exceeded or certain conditions are met.

Full continuous auditing processes have to be carefully built into applications and work in layers. The auditing tools must operate in parallel with normal processing-capturing real-time data, extracting standardized profiles or descriptors and passing the result to the auditing layers.

Continuous auditing has an intrinsic edge over point-in-time or periodic auditing because it captures internal control problems as they occur, preventing negative effects. Implementation can also reduce possible or intrinsic audit inefficiencies such as delays, planning time, inefficiencies of the audit process, overhead due to work segmentation, multiple quality or supervisory reviews or discussions concerning the validity of findings.

Full top management support, dedication and extensive experience and technical knowledge are all necessary to accomplish continuous auditing, while minimizing the impact on the underlying audited business processes. The auditing layers and settings may also need continual adjustment and updating.

Besides difficulty and cost, continuous auditing has an inherent disadvantage in that internal control experts and auditors might be hesitant to trust an automated tool in lieu of their personal judgment and evaluation. Also, mechanisms have to be put in place to eliminate false negatives and false positives in the reports generated by such audits so that the report generated continues to inspire stakeholders' confidence in its accuracy.

1.8.4 Artificial Intelligence in IS Audit

Artificial intelligence (AI) is increasingly being used in many business functions. Detecting fraudulent transactions, performing data quality checks, screening for negative news and data processing have all been successfully automated via AI/machine learning (ML) techniques. Implementing AI or ML for large multinational corporate banks leads to big savings in manual overhead and reconciliation efforts.

IS auditors may benefit from using AI/ML techniques to increase overall audit efficiency or decrease audit risk. Efficiency can be gained through automating tedious manual processes like audit work paper markups or data manipulation. Audit risk may be decreased through the ability to increase audit sample sizes or provide auditors with more time and information to analyze audit results for further testing and follow up.

Figure 1.20 outlines specific tasks and automation opportunities for AI/ML in IS audit.
Figure 1.20-The Role of RPA and AI Within the Audit Life Cycle

Phase 1: Audit Setup
  Tasks:
  1. Preselect audit candidates
  2. Plan for audit
  3. Identify risk and dependencies of associated business functions
  Automation scope:
  1. Ready view of similar audits of comparable business functions and audit type
  2. Risk-based audit assessment reports
  3. Continuous controls monitoring regarding business processes
  4. Auto generation of checklists
  Automation via: NLP, predictive analysis and RPA

Phase 2
  Tasks:
  1. Communication audit scope
  2. Document key risk and controls
  3. Understand the process landscape
  Automation scope:
  1. Automate analysis and summary of wordy and document-heavy policies, standard operating procedures (SOPs) and others in the audit scope
  2. Prepopulate and share findings based on initial analysis of SOPs and other available documents
  3. Keyword-based analysis
  4. Rule engine to extrapolate outcome analysis
  Automation via: NLP, predictive analysis and RPA

Phase 3: Auditing Fieldwork
  Tasks:
  1. Evaluate as-is working process
  2. Identify issues and observations
  3. Compare with designed processes and controls
  Automation scope:
  1. Automate audit tasks
  2. Modeling of data
  3. Data sample testing automation
  4. Aggregating and interpreting data via rule engine
  5. Fraudulent data detection
  Automation via: NLP, natural language generation, predictive analysis and RPA

Phase 4
  Tasks:
  1. Prepare audit report
  2. Review issues
  3. Audit debrief
  4. Update risk profile of business unit/team
  Automation scope:
  1. Automate text-based audit report
  2. Data visualization of key issues and risk
  3. Intelligent reporting of audit-based quantification of issues
  Automation via: NLP, natural language generation, predictive analysis and RPA

Source: Menon, S.; "How Can AI Drive Audits?," ISACA Journal, vol. 4, 30 June 2021, https://www.isaca.org/resources/isaca-journal/issues/2021/volume-4/how-can-ai-drive-audits

Audit Algorithms

It is important for practitioners, specifically IS auditors, to understand what algorithms are and why they matter, that smart algorithms are not new, and that humans have a decisive role in algorithm design and metrics. It is the auditor's job to ask questions using the correct tools, interpret results and remember that errors are possible even with the most advanced algorithms.

Algorithms as a concept are often associated with mathematics or computer science, which can make them seem intimidating and difficult to understand. However, algorithms are simply ways to solve a specific problem. For example, babies cry when they need nourishment, pain management or attention. An algorithm can be as simple as "If hungry, then cry."9 Algorithms are used to solve everyday problems-from cooking to driving to troubleshooting to diagnosing a medical condition.

9 Alexiou, S.; "Algorithms and the Auditor," ISACA Journal, vol. 6, 23 November 2021, https://www.isaca.org/resources/isaca-journal/issues/2021/volume-6/algorithms-and-the-auditor
Algorithms can be simple or complex, and not all algorithms are effective. Some are more suited to solving a problem than others. The feasibility of using technological advancements, such as AI, is dependent on finding an efficient algorithm that makes computations fast.10 An example is homomorphic encryption, which enables the manipulation of encrypted data without the need to convert it to cleartext first.11

Audits can be considered similarly. For example, audits include checking a current state (as is) versus the desired state (as should be). These checks direct an algorithm to:12
• Obtain the "as is" and "as should be" versions.
• Perform whatever operations are needed to enable a comparison.
• Perform the comparison.
• Assess the results and their significance.

A complete algorithm involves a detailed prescription of all the general tasks and how to perform each subtask.13 Regardless of the complexity, an algorithm is just one way to tackle a problem, and it is important to review and adapt algorithms as changes and needs dictate.

Figure 1.21 further expands on specific applications and use cases for AI/ML techniques in IS audit.

Figure 1.21-Suggested AI/ML Techniques for Use in Auditing

Document classification
  Description: Application of classification models (e.g., decision trees, Bayesian classifiers, nearest neighbors) to assign documents or text segments to a specific topic or label
  Audit use: Understanding standard operating procedures, policies and other deliverables reviewed during auditing; making inferences from previous similar audit reports
Text summarization
  Description: The process of combining frequently used words, phrases and topics to generate a natural language summary of a text or a document set
  Audit use: Generating audit observations and inferences; auto-generating audit checklists
Topic analysis
  Description: Analysis performed across documents, groups of documents or document texts to identify unique topics that link documents or sections of documents
  Audit use: Analyzing data; building a keyword rule engine for audits
Search and retrieval
  Description: The process of searching a database or repository of processed information to retrieve documents that align with the topics or themes entered in the search criteria
  Audit use: Making similar audit report inferences
Statistical analysis
  Description: A basic statistical analysis technique that evaluates term, phrase or topic trends
  Audit use: Aggregating data; interpreting data
Sentiment analysis
  Description: The ability to extract and analyze text or groups of text in documents to understand author sentiments
  Audit use: Identifying key issues and risk; making intelligent inferences and preparing audit reports

Source: Menon, S.; "How Can AI Drive Audits?," ISACA Journal, vol. 4, 30 June 2021, https://www.isaca.org/resources/isaca-journal/issues/2021/volume-4/how-can-ai-drive-audits
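As an added example (not from the manual or from the cited ISACA Journal articles), the four comparison steps in the audit-algorithm list above can be applied to the requirement stated in 1.8.3 that false positives and false negatives in an automated tool's report be measured before the report is relied on. Here the "as is" is the set of user IDs that a hypothetical AI/ML access-review tool flagged as still enabled after termination, and the "as should be" is the same set recomputed independently from raw HR termination records and an access-list extract. The HR records, the access extract, the extract date and the tool's output are all constructed for the demonstration, with one spurious flag and one miss built in.

```python
# Added example (not from the ISACA manual): validating a hypothetical AI/ML
# tool's flagged results against raw system data using the as-is / as-should-be
# comparison steps from "Audit Algorithms".
from datetime import date

# Constructed raw data: HR termination dates and an access-list extract.
HR_TERMINATIONS = {
    "u100": date(2023, 3, 1),
    "u101": date(2023, 3, 15),
    "u102": date(2023, 4, 2),
    "u103": date(2023, 4, 20),
}
ACCESS_LIST = [  # (user_id as recorded by the system, system, still enabled on extract date)
    ("U100", "erp", True),   # terminated, still enabled: real exception
    ("u101", "erp", False),  # terminated, disabled: fine
    ("u102", "crm", True),   # terminated, still enabled: real exception
    ("u103", "erp", False),  # terminated, disabled: fine
    ("u200", "erp", True),   # active employee, not in HR terminations
]
EXTRACT_DATE = date(2023, 5, 1)

# Constructed output of the hypothetical tool: one correct flag, one spurious flag,
# and u102 missed.
TOOL_FLAGGED = ["u100", "u103"]


def as_should_be(hr, access, extract_date):
    """Steps 1 and 2: derive the expected exception set directly from raw data.
    Lower-casing the IDs is the 'operation needed to enable a comparison'."""
    expected = set()
    for user, _system, enabled in access:
        uid = user.lower()
        term = hr.get(uid)
        if term is not None and term <= extract_date and enabled:
            expected.add(uid)
    return expected


def compare(tool_flagged, expected):
    """Step 3: a set comparison yields the false positives and false negatives."""
    flagged = {u.lower() for u in tool_flagged}
    return {
        "true_positives": sorted(flagged & expected),
        "false_positives": sorted(flagged - expected),
        "false_negatives": sorted(expected - flagged),
    }


def assess(result):
    """Step 4: precision and recall tell the auditor whether the report can stand alone."""
    tp = len(result["true_positives"])
    fp = len(result["false_positives"])
    fn = len(result["false_negatives"])
    precision = tp / (tp + fp) if tp + fp else 1.0
    recall = tp / (tp + fn) if tp + fn else 1.0
    return {"precision": precision, "recall": recall, "reliable": fp == 0 and fn == 0}


def coverage(hr, access):
    """Share of the audit universe (terminated users) actually present in the extract.
    A flawless comparison over a partial extract says nothing about users it never saw."""
    seen = {user.lower() for user, _system, _enabled in access}
    return len(seen & set(hr)) / len(hr)


def validate_tool_output(tool_flagged=TOOL_FLAGGED, hr=HR_TERMINATIONS,
                         access=ACCESS_LIST, extract_date=EXTRACT_DATE):
    expected = as_should_be(hr, access, extract_date)
    result = compare(tool_flagged, expected)
    result.update(assess(result))
    result["coverage"] = coverage(hr, access)
    return result


if __name__ == "__main__":
    for key, value in validate_tool_output().items():
        print(f"{key}: {value}")
```

On this constructed data the tool scores 0.5 precision and 0.5 recall, so the auditor would neither report from its output nor discard it, but would go back to the raw extract, which is exactly the point made in the interpretation guidance that follows: raw system data must be obtainable so that the tool's conclusions can be checked rather than assumed.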

10 Ibid.
11 Armknecht, F.; C. Boyd; C. Carr et al.; "A Guide to Fully Homomorphic Encryption," 2015, https://eprint.iacr.org/2015/1192.pdf
12 Op cit Alexiou
13 Ibid.
14 Ibid.

Interpretation of AI/ML Results

AI/ML results should always be interpreted at some point by a person. IS auditors must ensure that testing is designed to answer the question of whether a tool being used is able to answer the question that the auditor is asking. Specific factors to consider include:14
• Data inputs must be validated as part of the AI/ML assisted audit process upon implementation and periodically. The use of the AI/ML tool will be
useless if the data being ingested or analyzed is not complete and accurate. When possible, the IS auditor should ensure raw system data may be obtained for analysis and checking of AI/ML tool conclusions.
• The statistical significance of results should be understood by the IS auditor and results should be representative of the entire audit universe.
• Support for actual conclusions must be based on information. Failure to understand that results include assumptions and caveats can create problems, especially if the need for proof is substituted by computer output. For example, there have been instances of suspects being wrongly identified by facial recognition algorithms run on blurry images.15

AI/ML Audit Risk and Considerations

AI/ML techniques are an evolution of CAATs, and the same considerations should be made to ensure they are performing as expected. Specific to AI/ML, the IS auditor should consider:
• Inadequate testing of AI outcomes can produce questionable results or audit outcomes. IS auditors should ensure adequate testing is performed and substantiated by human-led testing. AI/ML programs are often proprietary. Documentation, if available at all, is typically not detailed enough to explain exactly what the algorithm is doing. Even if it is, it may be complex and hard for a nonexpert to understand.
• Training data fed to algorithms, particularly ML algorithms, should be correct and adequate. Such data should be able to cover both usual and unusual cases. In some rare cases, poor training results in algorithms producing incorrect results.
• The tendency to trust the machine's answer is strong, but justified only if the correctness has been exhaustively tested and the machine actually answers the appropriate questions.
• Using AI tools built by humans introduces the ethics and bias of human judgment and stereotyping.

15 Hill, K.; "Wrongfully Accused by an Algorithm," The New York Times, 24 June 2020, https://www.nytimes.com/2020/06/24/technology/facial-recognition-arrest.html

1.9 Reporting and Communication Techniques

Effective and clear communication can significantly improve the quality of audits and optimize their results. Audit findings should be reported and communicated to stakeholders, with appropriate buy-in from the auditees, for the audit process to be successful. An IS auditor should also consider the motivations and perspectives of the recipients of the audit report so their concerns may be properly addressed. Communication skills (both written and verbal) determine the effectiveness of the audit reporting process. Communication and negotiation skills are required throughout the audit. Successful resolution of audit findings with auditees is essential so that auditees will adopt the recommendations in the report and initiate prompt corrective action. To achieve this goal, an IS auditor should be skilled in the use of techniques such as facilitation, negotiation and conflict resolution. An IS auditor should also understand the concept of materiality (i.e., the relative importance of audit findings based on business impact) when reporting audit results.

1.9.1 Communicating Audit Results

The exit interview, conducted at the end of the audit, provides an IS auditor with the opportunity to discuss findings and recommendations with the auditee management. During the exit interview, an IS auditor should:
• Ensure that the facts presented in the report are correct and material
• Ensure that the recommendations are realistic and cost-effective and, if not, seek alternatives through negotiation with auditee management
• Recommend implementation dates for agreed-on recommendations

IS auditors should be aware that, ultimately, they are responsible to senior management and the audit committee, and they should feel free to communicate issues or concerns to them. An attempt to deny access by levels lower than senior management would limit the independence of the audit function.

Before communicating the results of an audit to senior management, an IS auditor should discuss the findings with the auditee management to gain agreement on the findings and develop an agreed-upon course of corrective action. In cases of disagreement, an IS auditor should elaborate on the significance of the findings, risk and effects of not correcting the control weakness. Sometimes the auditee management may request assistance from an IS auditor in implementing the recommended control enhancements. An IS auditor should communicate the difference between an IS auditor's role and that of a consultant and consider how assisting the auditee may adversely affect an IS auditor's independence.
After an agreement has been reached with auditee management, IS audit management should brief senior auditee management. A summary of audit activities should be presented periodically to the audit committee. Audit committees typically are composed of individuals who do not work directly for the organization and, thus, provide an IS audit and assurance professional with an independent route to report sensitive findings.

1.9.2 Audit Report Objectives

The six objectives of audit reporting are to:
1. Formally present the audit results to the auditee (and the audit client, if different from the auditee)
2. Serve as formal closure of the audit engagement
3. Provide statements of assurance and, if needed, identification of areas requiring corrective action and related recommendations
4. Serve as a valued reference for any party researching the auditee or audit topic
5. Serve as the basis for a follow-up audit if audit findings were presented
6. Promote audit credibility, which depends on the report being well developed and well written

The IS audit-specific reporting objectives are developed based on report requirements from auditee management and other users of the report and in compliance with IS audit and assurance standards and audit organization protocols. The auditee or other stakeholders, such as oversight organizations, are identified during audit planning. An IS auditor develops the audit scope and objectives by considering those requirements and other elements of audit planning-such as the assessments of risk, materiality and appropriateness of stated controls-together with regulatory and IT governance requirements. The audit report formally presents the purpose and the results of the audit in line with those requirements. Every audit report should provide unbiased, well-supported responses to the audit's objectives. For example, if the audit objective is to determine whether adequate controls are in effect to provide reasonable assurance that only authorized physical access can be gained to the data center, then the report should state an IS auditor's conclusion or opinion as to the adequacy of the controls to achieve that objective. If controls need to be implemented or strengthened to achieve the objective, then the report should provide a recommendation to meet that need.

1.9.3 Audit Report Structure and Contents

Audit reports are the end product of the IS audit work. The exact format of an audit report will vary by organization; however, an IS auditor should understand the basic components of an audit report and how it communicates audit findings to management.

Note: The CISA candidate should become familiar with the ISACA IS Audit and Assurance Standards 1401 Reporting and 1402 Follow-up Activities.

Audit reports usually include:
• An introduction to the report, stating audit objectives, limitations to the audit and scope, the period of audit coverage, an overview of the nature and extent of audit procedures conducted and processes examined during the audit, and a statement regarding the IS audit methodology and guidelines
• Audit findings, presented in separate sections and often grouped in sections by materiality and/or intended recipient
• An overall conclusion and opinion regarding the adequacy of controls and procedures examined during the audit, and the actual potential risk identified as a consequence of detected deficiencies
• Reservations or qualifications with respect to the audit
  • An IS auditor may state that the controls or procedures examined were found to be adequate or inadequate. The balance of the audit report should support that conclusion, and the overall evidence gathered during the audit should provide an even greater level of support for the audit conclusions.
• Detailed audit findings and recommendations
  • An IS auditor may include specific findings in an audit report, based on the materiality of the findings and the intended recipient of the audit report. For example, an audit report directed to the audit committee of the board of directors may not include findings that are important only to local management and have little control significance to the overall organization. The decision regarding what to include in various levels of audit reports depends on the guidance provided by upper management.
• A variety of findings, some of which may be material while others are minor in nature
  • An IS auditor may choose to present minor findings to management in an alternate format, such as by memorandum.

An IS auditor should make the final decision about what to include or exclude from the audit report. Generally, an IS auditor should be concerned with providing a balanced report, describing not only negative issues in terms of findings but positive constructive comments regarding improved processes and controls or effective controls already in place. Overall, an IS auditor should exercise independence in the reporting process.

Auditee management evaluates the findings, stating corrective actions to be taken and timing for implementing the anticipated corrective actions. Management may not be able to implement all audit recommendations immediately. For example, an IS auditor may recommend changes to an information system that is undergoing other changes or enhancements. An IS auditor should not necessarily expect that the other changes will be suspended until the audit recommendations are implemented. All may be implemented at once.

An IS auditor should discuss the recommendations and any planned implementation dates while in the process of releasing the audit report. Various constraints-such as staff limitations, budgets or other projects-may limit immediate implementation. Management should develop a firm program for taking corrective actions. It is important to obtain a commitment from auditee management on the implementation date for the action plan (implementing the solution can take a long time) and how it will be performed, because the corrective action may itself bring risk that might be avoided if identified while discussing and finalizing the audit report. If appropriate, an IS auditor may want to report to senior management on the progress of implementing recommendations.

The report should include all significant audit findings. When a finding requires explanation, an IS auditor should describe the finding, its cause and risk. When appropriate, an IS auditor should provide the explanation in a separate document and refer to it in the report. For example, this approach may be appropriate for highly confidential matters. An IS auditor should also identify the organizational, professional and governmental criteria applied. The report should be issued in a timely manner to encourage prompt corrective action. When appropriate, an IS auditor should promptly communicate significant findings to the appropriate persons prior to the issuance of the report. However, prior communication of significant findings should not alter the intent or content of the report.

1.9.4 Audit Documentation

Audit documentation is the written record that provides the support for the representations in the auditor's report. It should:
• Demonstrate that the engagement complied with the standards
• Support the basis for the auditor's conclusions

Audit documentation should include, at a minimum:
• Planning and preparation of the audit scope and objectives
• Description and/or walk-throughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
• Cross-references among audit documents, with document identification and dates

It is also recommended that documentation include:
• A copy of the report issued as a result of the audit work
• Evidence of audit supervisory review

Documents should include audit information that is required by laws and regulations, contractual stipulations and professional standards. Audit documentation is the necessary evidence supporting the conclusions reached and should be clear, complete, easily retrievable and sufficiently comprehensible. Audit documentation is generally the property of the auditee and should be accessible only to authorized personnel under specific or general permission. When access to audit documentation is requested by external parties, an IS auditor should obtain appropriate prior approval of senior management and legal counsel before providing it to those external parties.

Policies should be developed regarding custody, retention requirements and release of audit documentation. The documentation format and media are optional, but due diligence and good practices require that work papers be dated, initialed, page-numbered, relevant, complete, clear, self-contained and properly labeled, filed and kept in custody. Work papers may be automated. An IS auditor should consider how to maintain integrity and protection of audit test evidence to preserve its proof value in support of audit results.
An IS auditor should be able to prepare adequate work papers, narratives, questionnaires and understandable system flowcharts. Audit documentation or work papers can be considered the bridge or interface between the audit objectives and the final report. They should provide a seamless transition-with traceability and accountability-from objectives to report and from report to objectives. The audit report, in this context, can be viewed as a set of particular work papers.

The quest for integrating work papers in the auditor's environment has resulted in all major audit and project management packages, CAATs and expert systems offering a complete array of automated documentation and import-export features.

Audit documentation should support the audit findings and conclusions/opinions. The timing of evidence can be crucial to supporting audit findings and conclusions. An IS auditor should take care to ensure that the evidence gathered and documented will be able to support audit findings and conclusions.

The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management. Assessment requires judging the potential effect of a finding if corrective action is not taken. For example:
• A weakness in information security physical access controls at a remote distributed computer site may be significant to management at the site but would not necessarily be material to upper management at headquarters. However, there may be other matters at the remote site that would be material to upper management.
• A review of access deprovisioning might discover that a terminated user's access was not removed after the user's termination date but show that it was caught during management's review of security access, at which time the terminated user's access was removed. This type of discovery would not likely be brought to the attention of upper management but would be documented and discussed with auditee management.

1.9.5 Follow-Up Activities

Auditing is an ongoing process. An IS auditor is not effective if audits are performed and reports issued, but no follow-up is conducted to determine whether management has taken appropriate corrective actions. IS auditors should have a follow-up program to determine if agreed-on corrective actions have been implemented. Although IS auditors who work for external audit firms may not necessarily follow this process, they may achieve these tasks if they are agreed to by the auditee.

The timing of the follow-up will depend on the criticality of the findings and is subject to an IS auditor's judgment. The results of the follow-up should be communicated to appropriate levels of management. The level of an IS auditor's follow-up review will depend on several factors. In some instances, an IS auditor may merely need to inquire as to the current status. In other instances, an IS auditor who works in an internal audit function may have to perform certain audit steps to determine whether the corrective actions agreed on by management have been implemented.

1.9.6 Types of IS Audit Reports

The IS audit report is driven mainly by the type of audit engagement and the reporting requirements from IS audit and assurance standards. While most IS audits result in a single IS audit report, in some situations, more than one report can be applicable. For example, in addition to a report for a general audience, a separate confidential security report containing detailed technical information may need to be created to ensure that security risk is not disclosed to unintended parties.

The organization and specific content of the report also depend on the scope and objectives of the audit engagement and the degree to which IT processes and systems are examined or require explanation. The format and protocols for audit report presentation can depend on any requirements and expectations set forth between the audit organization and the auditee. Requirements for audit report contents or format may be requested by the audit client, who may or may not be from the same organization as the auditee.

Although review, examination and agreed-upon procedure engagements have similar reporting requirements, each type of engagement stipulates different reporting requirements and limitations. The primary distinctions among reviews, examinations and agreed-upon procedures stem from the audit objectives, the nature and extent of audit work and the level of assurance to be provided. While all three types of audits include review work, performing audit tests is far more prevalent in audits or examinations that require stronger evidence for formulation of an opinion. Agreed-upon procedures may also include testing, but because of other limitations, an audit opinion may not be expressed. Although audit scope may be the same for reviews
and examinations, scope is likely to be more narrowly defined for agreed-upon procedure audits.

1.10 Quality Assurance and Improvement of the Audit Process

IS audit plays an important role in improving the quality and control of information systems in an organization. As a critical element to the organization's continued improvement, it is important that the audit process itself improves continuously.

1.10.1 Audit Committee Oversight

If present, the audit committee is responsible for oversight of the IS audit function and interaction with the chief audit executive. If an audit committee does not exist, a designated group or individual assumes the responsibilities of oversight of the audit function. An oversight function and continuous performance monitoring of the audit function (including IS audit) should be established and reviewed through periodic reporting.

1.10.2 Audit Quality Assurance

The quality of individual audits is the responsibility of audit leadership and the assigned project leads. These individuals are responsible for ensuring that documented audit procedures are followed. Documented audit procedures may come in a variety of forms (audit manuals, wikis, sampling guidance, etc.) but should be clearly identified and known to all applicable members of the IS audit function.

IS audit leadership is responsible for the review of audit work papers and final deliverables (e.g., audit reports). A formal review process (detail review, engagement quality review, QA, etc.) should be established for all audit types based on risk and guidance from authoritative sources.

1.10.3 Audit Team Training and Development

A formal development plan should be established for all members of the IS audit function. This plan should include applicable training programs and certifications by role within the IS audit function. IS audit leadership should ensure that a budget is created and supports the needs of training and development for IS audit team members.

1.10.4 Monitoring

Monitoring for compliance with applicable requirements is an important element to ensure that an IS audit function maintains continuation of the audit process within an organization. Examples of monitoring-related initiatives include:
• Audit QA—The results of audit QA procedures should be periodically reviewed and summarized to identify trends and lessons learned. Actionable items identified during audit QA should be remediated and tracked in a formal manner.
• Independence monitoring—A process should be established to allow IS auditors to self-report potential impairments of independence. This process can be integrated into the greater audit function within the organization. Leadership and IS auditors themselves should periodically check to ensure that their independence has not been impaired and report any changes through the established reporting process.
• Certification and accreditations—Ownership of applicable certification or accreditation held by an IS audit function should be assigned to appropriate members of IS audit leadership. These individuals should ensure that compliance with certification or accreditation bodies applicable to the IS audit function is maintained.
• Continued professional education—Leadership should ensure that a process is in place to monitor the IS auditor's compliance with continued professional education or training requirements. These requirements may be established by an internal development plan or through external certifying bodies.
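The access-deprovisioning finding used earlier in this chapter as a materiality illustration (a terminated user's access removed only during management's review of security access) is a reconciliation an IS auditor can script rather than inspect by hand. The block below is an added example, not ISACA's material and not any vendor's tool; the record layouts, the assumed one-day removal deadline, the review dates and every sample record are constructed for it. It compares HR termination dates with account removal dates and separates timely removals, removals caught by the compensating review, removals that happened late for other reasons, and access that is still open at the test date.

```python
"""Access deprovisioning reconciliation (added example, constructed data).

For every termination recorded by HR, look up the account's removal date and
classify the result. Days late are measured against an assumed removal
deadline of GRACE_DAYS after the termination date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Termination:
    user: str
    terminated_on: date


@dataclass(frozen=True)
class AccessRecord:
    user: str
    removed_on: Optional[date]   # None = account still active at the test date


# Constructed HR feed.
TERMINATIONS = [
    Termination("alice", date(2024, 1, 10)),
    Termination("bob", date(2024, 1, 20)),
    Termination("carol", date(2024, 3, 1)),
    Termination("dave", date(2024, 3, 5)),
    Termination("erin", date(2024, 4, 2)),   # never had an account in this system
]

# Constructed account list from the system under review, keyed by user.
ACCESS: Dict[str, AccessRecord] = {
    "alice": AccessRecord("alice", date(2024, 1, 10)),
    "bob": AccessRecord("bob", date(2024, 2, 15)),   # removed on a review date
    "carol": AccessRecord("carol", None),            # still active
    "dave": AccessRecord("dave", date(2024, 3, 12)),
}

# Assumed dates of management's periodic access reviews (constructed).
REVIEW_DATES: Set[date] = {date(2024, 2, 15), date(2024, 5, 15)}
GRACE_DAYS = 1                 # assumed policy: remove by the next day
AS_OF = date(2024, 6, 1)       # date the reconciliation is run

Finding = Tuple[str, str, int]   # (user, status, days late)


def reconcile(terminations: List[Termination],
              access: Dict[str, AccessRecord],
              review_dates: Set[date],
              grace_days: int,
              as_of: date) -> List[Finding]:
    """Return one (user, status, days_late) finding per termination."""
    findings: List[Finding] = []
    for t in terminations:
        deadline = t.terminated_on + timedelta(days=grace_days)
        rec = access.get(t.user)
        if rec is None:
            # Nothing to deprovision in this system; recorded so the
            # population ties back to the HR feed.
            findings.append((t.user, "no account found", 0))
            continue
        if rec.removed_on is None:
            # Open exception: still active, measured up to the test date.
            findings.append((t.user, "open: access still active",
                             (as_of - deadline).days))
            continue
        days_late = max(0, (rec.removed_on - deadline).days)
        if days_late == 0:
            status = "timely"
        elif rec.removed_on in review_dates:
            # The primary control failed but the compensating review caught it.
            status = "late: removed during management access review"
        else:
            status = "late: removed outside access review"
        findings.append((t.user, status, days_late))
    return findings


if __name__ == "__main__":
    for user, status, late in reconcile(TERMINATIONS, ACCESS, REVIEW_DATES,
                                        GRACE_DAYS, AS_OF):
        print(f"{user:6} {status:45} {late:3d} days")
```

Which of these findings reach upper management is the materiality judgement the chapter describes: the "bob" case is the one the text says would be documented with auditee management, while the still-active "carol" account is a different kind of result and the reconciliation keeps the two visibly separate.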


Case Study

Betatronics is a mid-sized manufacturer of electronic goods with headquarters in the United States and factories in Latin America. An IS auditor within the enterprise has been asked to perform preliminary work that will assess the organization's readiness for a review to measure compliance with new US regulatory requirements.

The requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and to assess management's review and testing of the general IT controls. Areas to be assessed include:
• Logical and physical security
• Change management
• Production control and network management
• IT governance
• End-user computing

The IS auditor has been given six months to perform preliminary work. In previous years, repeated problems were identified in the areas of logical security and change management. Logical security deficiencies included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying OS updates to servers was found to be only partially effective.

The chief information officer (CIO) requested direct reports to develop narratives and process flows describing major activities for which IT was responsible. Those tasks were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination. Following the completion of the preliminary audit work, Betatronics decides to plan audits for the next two years. After accepting the appointment, the IS auditor notes that:
• The entity has an audit charter that details the scope and responsibilities of the IS audit function and specifies the audit committee as the overseeing body for audit activity.
• The entity is subject to regulatory compliance requirements that require its management to certify the effectiveness of the internal control system as it relates to financial reporting.
• The entity has been recording consistent growth over the last two years at double the industry average.
• The entity has seen increased employee turnover.

1. What should the IS auditor do FIRST?
   A. Perform a survey audit of logical access controls.
   B. Revise the audit plan to focus on risk-based auditing.
   C. Perform an IT risk assessment.
   D. Begin testing controls that the IS auditor feels are most critical.

2. When auditing the logical security, the IS auditor is MOST concerned when observing:
   A. the system administrator account is known by everybody.
   B. the passwords are not enforced to change frequently.
   C. the network administrator is given excessive permissions.
   D. the IT department does not have a written policy on privilege management.

3. When testing program change management in this case, how should the sample be selected?
   A. Change management documents should be selected at random and examined for appropriateness.
   B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
   C. Change management documents should be selected based on system criticality and examined for appropriateness.
   D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.

4. List three general IT controls the IS auditor would use for substantive testing when planning audits for the next two years.

5. The FIRST priority of the IS auditor in year one should be to study the:
   A. Previous IS audit reports in order to plan the audit schedule
   B. Audit charter in order to plan the audit schedule
   C. Impact of the increased employee turnover
   D. Impact of the implementation of a new enterprise resource plan on the IT environment


6. How should the IS auditor evaluate backup and batch processing within computer operations?
   A. Rely on the service auditor's report of the service provider
   B. Study the contract between the entity and the service provider
   C. Compare the service delivery report to the SLA
   D. Plan and carry out an independent review of computer operations

7. During the day-to-day work, the IS auditor advises there is a risk that log review may not result in timely detection of errors. This is an example of which of the following?
   A. Inherent risk
   B. Residual risk
   C. Control risk
   D. Material risk

8. The IS auditor advised the CIO and team to improve the general IT control environment, and adapting COBIT was proposed for that purpose. What recommendations should the IS auditor make when considering this framework?

Answers on page 82


Chapter 1 Answer Key

Case Study

1. A. Performing a survey audit of logical access controls would occur after an IT risk assessment.
   B. Revising the audit plan to focus on risk-based auditing would occur after an IT risk assessment.
   C. An IT risk assessment should be performed first to ascertain which areas present the greatest risk and which controls mitigate that risk. Although narratives and process flows have been created, the organization has not yet assessed which controls are critical.
   D. Testing controls that the IS auditor feels are most critical would occur after an IT risk assessment.

2. A. The system administrator account being known by everybody is most dangerous. In that case, any user could perform any action in the system, including accessing files and making permission and parameter adjustments.
   B. Infrequent password changing would present a concern but would not be as serious as everyone knowing the system administrator account.
   C. The network administrator being given excessive permissions would present a concern, but it would not be as serious as everyone knowing the system administrator account.
   D. The absence of a privilege management policy would be a concern, but it would not be as serious as everyone knowing the system administrator account.

3. A. When a sample is chosen from a set of control documents, there is no way to ensure that every change is accompanied by appropriate control documentation.
   B. When testing a control, it is advisable to trace from the item being controlled to the relevant control documentation. When a sample is chosen from a set of control documents, there is no way to ensure that every change is accompanied by appropriate control documentation. Accordingly, changes to production code provide the most appropriate basis for selecting a sample.
   C. When a sample is chosen from a set of control documents, there is no way to ensure that every change is accompanied by appropriate control documentation.
   D. When testing a control, it is advisable to trace from the item being controlled to the relevant control documentation.

4. Some possible answers include:
   • The IS auditor can check which account was recently used for executing a particular system administrator task.
   • The IS auditor can check if there was a change record for any selected system changes (e.g., server reboot and patching).
   • The IS auditor can check the transactions to see if they separated the incompatible duties.

5. A. Previous IS audit reports will be revisited to save redundant work and to use as references when doing the IS audit work.
   B. The audit charter defines the purpose, authority and responsibility of the IS audit activities. It also sets the foundation for upcoming activities.
   C. Impact of employee turnover would be addressed when negotiating follow-up activities for respective areas if there is any gap to close.
   D. Impact of the implementation of a new ERP would be addressed when negotiating the follow-up activities for respective areas if there is any gap to close.

6. A. The service auditor's report cannot ensure the discovery of control inefficiencies.
   B. Review of the contract cannot ensure the discovery of control inefficiencies.
   C. Comparing the service delivery report and the service level agreement cannot ensure the discovery of control inefficiencies.
   D. IS audit should conduct an independent review of the backup and batch processing. All other choices cannot ensure the discovery of control inefficiencies in the process.

7. A. This is not an example of inherent risk. Inherent risk is the risk level or exposure without considering the actions that management has taken or might take (e.g., implementing controls).
   B. This is not an example of residual risk. Residual risk is the remaining risk after management has implemented a risk response.
   C. Control risk exists when a risk cannot be prevented or detected on a timely basis by the system of IS controls, which is described in this instance.


   D. This is not an example of material risk. Material risk is any risk large enough to threaten the overall success of the business in a material way.

8. Possible answer: The COBIT framework can be leveraged and adapted. Each process can be classified as fully addressed, partially addressed and not applicable by comparing the standard COBIT framework to the organization's reality. Further frameworks, standards and practices can be included in each respective process, as COBIT guidance suggests.
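The sampling direction argued in answer 3 (trace from the item being controlled, the production change, back to its authorizing record) and the first two checks listed in answer 4 (was there a change record for a selected system change, and which account performed it) can be shown concretely on a small constructed population. The block below is an added example written for this page, not ISACA's material and not the output of any change-management product; the ticket and deployment layouts, identifiers and sample records are all constructed. It runs the same population through both directions so the difference is visible: tracing production changes surfaces an undocumented deployment, an unapproved one, one applied before approval and one applied by its own approver, while examining the change records alone reports only the unapproved record.

```python
"""Trace production changes back to authorizing change records.

Added example (constructed data). The population of production changes is
the item being controlled; each sampled change is traced to a change record,
and the record is checked for approval, timing and segregation of duties.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    system: str
    approved_by: Optional[str]        # None = raised but never approved
    approved_at: Optional[datetime]


@dataclass(frozen=True)
class ProductionChange:
    change_id: str                    # deployment or patch job identifier
    system: str
    applied_at: datetime
    applied_by: str                   # account that performed the change
    ticket_id: Optional[str]          # reference recorded by the deployment tool


# Constructed change records (the control documentation).
TICKETS = [
    ChangeTicket("CHG-1001", "erp-app", "j.owner", datetime(2024, 3, 1, 9, 0)),
    ChangeTicket("CHG-1002", "erp-db", "j.owner", datetime(2024, 3, 2, 9, 0)),
    ChangeTicket("CHG-1003", "web-front", None, None),
]

# Constructed production changes, as a deployment tool or patch log would
# list them. Comments mark the exception each one is meant to exhibit.
PRODUCTION_CHANGES = [
    ProductionChange("deploy-501", "erp-app", datetime(2024, 3, 1, 18, 0), "dev.a", "CHG-1001"),
    ProductionChange("deploy-502", "erp-db", datetime(2024, 3, 2, 18, 0), "dev.b", "CHG-1002"),
    ProductionChange("deploy-503", "erp-app", datetime(2024, 3, 3, 18, 0), "dev.a", None),        # no record
    ProductionChange("patch-77", "web-front", datetime(2024, 3, 4, 2, 0), "ops.c", "CHG-1003"),   # record unapproved
    ProductionChange("deploy-504", "erp-db", datetime(2024, 3, 1, 8, 0), "dev.b", "CHG-1002"),    # before approval
    ProductionChange("deploy-505", "erp-app", datetime(2024, 3, 5, 18, 0), "j.owner", "CHG-1001"),  # approver applied it
]

Finding = Tuple[str, str]   # (identifier, description of the exception)


def trace_to_authorization(changes: List[ProductionChange],
                           tickets: List[ChangeTicket]) -> List[Finding]:
    """Answer 3B: start from each production change and look for an approved
    record that authorizes it. Also checks that approval preceded the change
    and that the approver did not apply it. Empty result = clean sample."""
    by_id = {t.ticket_id: t for t in tickets}
    findings: List[Finding] = []
    for c in changes:
        t = by_id.get(c.ticket_id) if c.ticket_id else None
        if t is None:
            findings.append((c.change_id, "no change record"))
        elif t.system != c.system:
            findings.append((c.change_id, "change record is for a different system"))
        elif t.approved_by is None or t.approved_at is None:
            findings.append((c.change_id, "change record not approved"))
        elif t.approved_at > c.applied_at:
            findings.append((c.change_id, "applied before approval"))
        elif t.approved_by == c.applied_by:
            findings.append((c.change_id, "approver also applied the change"))
    return findings


def examine_change_records(tickets: List[ChangeTicket]) -> List[Finding]:
    """Answers 3A/3C: sample the change records themselves. This finds only
    defects in records that exist; a production change with no record, or one
    applied before its approval, is invisible to it."""
    return [(t.ticket_id, "not approved") for t in tickets if t.approved_by is None]


if __name__ == "__main__":
    for ident, why in trace_to_authorization(PRODUCTION_CHANGES, TICKETS):
        print(f"{ident}: {why}")
    print("record-only review reports:", examine_change_records(TICKETS))
```

The segregation-of-duties branch reflects the third bullet of answer 4 as well: with the account that applied each change captured alongside the approver, the same pass over the sample shows whether incompatible duties were kept apart.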
