Chapter 1. Information System Auditing Process

Part A: Planning
1.1 IS Audit Standards, Guidelines, Functions and Codes of Ethics ... 31
1.2 Types of Audits, Assessments and Reviews ... 34
1.3 Risk-Based Audit Planning ... 38
1.4 Types of Controls and Considerations ... 43

Part B: Execution
1.5 Audit Project Management ... 53
1.6 Audit Testing and Sampling Methodology ... 60
1.7 Audit Evidence Collection Techniques ... 63
1.8 Audit Data Analytics ... 66
1.9 Reporting and Communication Techniques ... 73
1.10 Quality Assurance and Improvement of the Audit Process ... 77

Case Study ... 79
Chapter 1 Answer Key ... 82
2. Which of the following is the key benefit of a control self-assessment (CSA)?

A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved because internal business staff are engaged in testing controls.
D. Internal auditors can use the results of the assessment to shift to a consultative approach.

3. Which of the following would an information systems (IS) auditor MOST likely focus on when developing a risk-based audit program?

A. Business processes
B. Administrative controls
C. Environmental controls
D. Business strategies

4. Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?

A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

5. An information systems (IS) auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. In this situation, an IS auditor should:

A. disregard these control weaknesses because a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include a statement in the report that the audit was limited to a review of the application's controls.
D. review the relevant system software controls and recommend a detailed system software review.

6. Which of the following is the MOST important reason for reviewing an audit planning process at periodic intervals?

A. To plan for deployment of available audit resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit charter
D. To identify the applicable IS audit standards

7. Which of the following is a KEY benefit of a control self-assessment (CSA)?

A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved because internal business staff are engaged in testing controls.
D. Internal auditors can use the results of the assessment to shift to a consultative approach.

8. Which of the following is the MOST critical step when planning an information systems (IS) audit?

A. Review of prior audit findings
B. Executive management's approval of the audit plan
C. Review of information security policies and procedures
D. Performance of a risk assessment

9. The approach an information systems (IS) auditor should use to plan IS audit coverage should be based on:

A. risk.
B. materiality.
C. fraud monitoring.
D. sufficiency of audit evidence.

10.

A. preventive control.
B. management control.
C. corrective control.
D. detective control.

Answers on page 28
Chapter 1 Answer Key

Self-Assessment Questions

1. A. The audit scope is specific to a single audit and does not grant authority to perform an audit.
B. A request from management to perform an audit is not sufficient because it relates to a specific audit.
C. The approved audit charter outlines the auditor's responsibility, authority and accountability.
D. The approved audit schedule does not grant authority to perform an audit.

2. A. The objective of control self-assessment (CSA) is to have business managers become more aware of the importance of internal control and their responsibility in terms of corporate governance.
B. Reducing audit expenses is not a key benefit of CSA.
C. Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA.
D. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

3. A. A risk-based audit approach focuses on understanding the nature of the business and being able to identify and categorize risk. Business risk impacts the long-term viability of a specific business. Thus, an information systems (IS) auditor using a risk-based audit approach must be able to understand business processes.
B. Administrative controls, while an important subset of controls, are not the primary focus needed to understand the business processes within the scope of an audit.
C. Like administrative controls, environmental controls are an important control subset; however, they do not address high-level overarching business processes under review.
D. Business strategies are the drivers for business processes; however, in this case, an IS auditor is focusing on the business processes that were put in place to enable the organization to implement its strategies.

4. A. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls.
B. Detection risk is the risk that a material misstatement with a management assertion will not be detected by an audit and assurance professional's substantive tests. It consists of two components: sampling risk and non-sampling risk.
C. Inherent risk is the risk level or exposure assessed without considering the actions that management has taken or might take.
D. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken. Non-sampling risk is detection risk that is unrelated to sampling; it can be due to a variety of reasons, including human error.

5. A. An information systems (IS) auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review.
B. The conduct of a detailed systems software review may hamper the audit's schedule, and an IS auditor may not be technically competent to do such a review at the time of the audit.
C. If there are control weaknesses that have been discovered by an IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived.
D. The appropriate option would be to review the relevant systems software and recommend a detailed systems software review for which additional resources may be recommended.

6. A. Deployment of available audit resources is determined by the audit assignments, which are influenced by the planning process.
B. Short- and long-term issues that drive audit planning can be heavily impacted by changes to the risk environment, technologies and business processes of the enterprise.
C. The audit charter reflects the mandate of top management to the audit function and resides at a more abstract level.
D. Applicability of information systems (IS) audit standards, guidelines and procedures is universal to any audit engagement and is not influenced by short- and long-term issues.

7. A. The objective of control self-assessment (CSA) is to have business managers become more aware of the importance of internal control and their responsibility in terms of corporate governance.
B. Reducing audit expenses is not a key benefit of CSA.
C. Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA.
D. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

8. A. The findings of a previous audit are of interest to the auditor, but they are not the most critical step. The most critical step involves finding the current issues or high-risk areas, not reviewing the resolution of older issues. A review of historical audit findings could indicate that management is not resolving the risk items identified or that the recommendations were ineffective.
B. Executive management is not required to approve the audit plan. It is typically approved by the audit committee or board of directors. Management could recommend areas to audit.
C. Reviewing information security policies and procedures is normally conducted during fieldwork, not planning.
D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard 1201 (Risk Assessment in Planning), statement 1201.2: "IT audit and assurance practitioners shall identify and assess risk relevant to the area under review when planning individual engagements." In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation.

9. C. ... play a part in audit planning but only as it pertains to organizational risk.
D. Sufficiency of audit evidence pertains to the evaluation of the sufficiency of evidence obtained to support conclusions and achieve specific engagement objectives.

10. A. Preventive controls are those that avert problems before they arise. Backup media cannot be used to prevent damage to files and, therefore, cannot be classified as preventive controls.
B. Management controls modify processing systems to minimize repeat occurrences of the problem. Backup media do not modify processing systems and, therefore, do not fit the definition of management controls.
C. A corrective control helps to correct or minimize the impact of a problem. Backup media can be used for restoring the files in case of damage to the files, thereby reducing the impact of a disruption.
D. Detective controls help to detect and report problems as they occur. Backup media do not aid in detecting errors.
These main phases can be further broken down into subphases; for example, the reporting phase can be broken down into report writing and issuance, issue follow-up and audit closing. The organization and

The framework for the ISACA IS Audit and Assurance Standards provides for multiple levels of documents:
• Standards define mandatory requirements for IS audit and assurance and reporting.
• Guidelines provide guidance in applying IS audit and assurance standards. The IS auditor should consider guidelines in determining how to achieve implementation of standards, use professional judgment in their application and be prepared to justify any departures.
• Tools and techniques provide examples of processes an IS auditor might follow in an audit engagement. The tools and techniques documents provide information on how to meet standards when completing IS auditing work, but they do not set requirements.

ISACA IS Audit and Assurance Standards are divided into general, performance and reporting categories:
• General - Provide the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with an IS auditor's ethics, independence, objectivity, due care, knowledge, competency and skill.
• Performance - Deal with the conduct of the assignment, such as planning and supervision; scoping; risk and materiality; resource mobilization; supervision and assignment management; audit and assurance evidence; and the exercising of professional judgment and due care.
• Reporting - Address the types of reports, means of communication and the information communicated.

1.1.2 ISACA IS Audit and Assurance Guidelines

ISACA IS Audit and Assurance Guidelines provide guidance and information on how to comply with the ISACA IS Audit and Assurance Standards. An IS auditor should:
• Consider the guidelines in determining how to implement ISACA Audit and Assurance Standards
• Use professional judgment in applying them to specific audits
• Be able to justify any departure from the ISACA Audit and Assurance Standards

Note
The CISA candidate is not expected to know specific ISACA standard and guidance numbering or memorize any specific ISACA IS audit and assurance standard or guideline. However, the exam will test a CISA candidate's ability to apply these standards and guidelines within the audit process.

1.1.3 ISACA Code of Professional Ethics

ISACA's Code of Professional Ethics guides the professional and personal conduct of ISACA members and certification holders.

ISACA members and certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.

Note
A CISA candidate is not expected to memorize the ISACA Code of Professional Ethics. The exam will test a candidate's understanding and application of the code.
1.1.4 ITAF™

ITAF is a comprehensive and best practice-setting reference model that:
• Establishes standards that address IS auditor roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements
• Defines terms and concepts specific to IS assurance
• Provides guidance and tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments

Note
A CISA candidate will not be tested on the organization or arrangement of the ITAF framework. However, the application of audit and assurance standards is tested.

1.1.5 IS Internal Audit Function

The role of the IS internal audit function should be established by an audit charter approved by the board of directors and the audit committee (or by senior management if these entities do not exist). Professionals should have a clear mandate to perform the IS audit function, which may be expressed in the audit charter.

Audit Charter

IS audit can be a part of internal audit, function as an independent group, or be integrated within a financial and operational audit to provide IT-related control assurance to the financial or management auditors. Therefore, the audit charter may include IS audit as an audit support function. Additionally, the audit charter should include the IS audit function's role with consulting-related services that it may perform.

The charter should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function. The highest level of management and the audit committee, if one exists, should approve the charter. Once established, the charter should be changed only if the change is thoroughly justified.

The responsibility, authority and accountability of the IS audit function should be appropriately documented in an audit charter or engagement letter. An audit charter is an overarching document that covers the entire scope of audit activities in an entity, while an engagement letter is more focused on a particular audit exercise to be initiated in an organization with a specific objective in mind. If IS audit services are provided by an external firm, the scope and objectives of the services should be documented in a formal contract or statement of work between the contracting organization and the service provider. In either case, the internal audit function should be independent and report to an audit committee, if one exists, or to the highest management level, such as the board of directors.

Note
For additional guidance, see standard 1001 Audit Charter and guideline 2001 Audit Charter.

Management of the IS Audit Function

The IS audit function should be managed and led in a manner that ensures that the diverse tasks performed by the audit team will fulfill audit function objectives, while preserving audit independence and competence. Furthermore, managing the IS audit function should ensure value-added contributions to senior management in the efficient management of IT and achievement of business objectives.

Note
For additional guidance, see standards 1002 Organizational Independence, 1003 Auditor Objectivity, 1004 Reasonable Expectation and 1005 Due Professional Care. Also see the related guidelines: 2002, 2003, 2004 and 2005.

IS Audit Resource Management

IS technology is constantly changing. Therefore, it is important that IS auditors maintain their competency through updates of existing skills and obtain training directed toward new audit techniques and technological areas. An IS auditor must have the technical skills and knowledge necessary to perform audit work. Further, an IS auditor must maintain technical competence through appropriate continuing professional education. Skills and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.

Preferably, a detailed staff training plan should be drawn up for the year based on the organization's direction in terms of technology and related risk that needs to be addressed. The plan should be reviewed periodically to ensure that training efforts and results are aligned with the direction the audit organization is taking. Additionally, IS audit management should provide the necessary IT resources to properly perform IS audits of a highly specialized nature (e.g., tools, methodology, work programs).

Note
For additional guidance, see standard 1006 Proficiency and guideline 2006 Proficiency.

Using the Services of Other Auditors and Experts

Due to the scarcity of IS auditors and the need for IT security specialists and other subject matter experts to conduct audits of highly specialized areas, the audit department or auditors entrusted with providing assurance may require the services of other auditors or experts. Outsourcing of IS assurance and security services is increasingly common.

Note
The IS auditor should be familiar with ISACA Audit and Assurance Standard 1204 Performance and Supervision and the IS Audit and Assurance Guideline 2206 Using the Work of Other Experts, which focus on the rights of access to the work of other experts.

External experts could include experts in technologies such as networking, systems integration and digital forensics, or subject matter experts who specialize in a particular industry or area such as banking, securities trading, insurance, privacy or the law.

When there is a proposal to outsource a part or all of IS audit services to other auditors and experts or external service providers, the IS auditor should consider:
• Restrictions on outsourcing of audit/security services provided by laws and regulations
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence, qualifications and experience
• Scope and approach of work to be outsourced
• Supervisory and audit management controls
• Method and modalities of communication of results of audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards

Based on the nature of the assignment, the IS auditor may also need to consider:
• Testimonials/references and background checks
• Access to systems, premises and records
• Confidentiality restrictions to protect customer-related information
• Use of computer-assisted auditing techniques (CAATs) and other tools to be used by the external audit service provider
• Standards and methodologies for performance of work and documentation
• Nondisclosure agreements

The IS auditor or entity outsourcing the auditing services should monitor the relationship to ensure objectivity and independence throughout its duration. It is important to understand that although a part or the whole of the audit work may be delegated to an external service provider, the related professional liability is not necessarily delegated. Therefore, it is the responsibility of the IS auditor or entity employing the services of external service providers to:
• Clearly communicate the audit objectives, scope and methodology through a formal engagement letter
• Establish a monitoring process for regular review of the work of the external service provider with regard to planning, supervision, review and documentation. For example, the work papers of other IS auditors or experts should be reviewed to confirm the work was appropriately planned, supervised, documented and reviewed and to consider the appropriateness and sufficiency of the audit evidence provided. Likewise, the reports of other IS auditors or experts should be reviewed to confirm that the scope specified in the audit charter, terms of reference or letter of engagement has been observed, that the work was performed within the defined auditable period, that any significant assumptions used by other IS auditors or experts have been identified, and that the findings and conclusions reported have management approval.
• Assess the usefulness and appropriateness of such external providers' reports and assess the impact of significant findings on the overall audit objectives

1.2 Types of Audits, Assessments and Reviews

An IS auditor should understand the various types of audits, assessments and reviews that can be performed, along with the basic associated audit procedures, which may be carried out by internal or external groups.

An audit includes formal inspection and verification to check whether standards or guidelines are being followed, records are accurate, or efficiency and effectiveness targets are met. Formal audits provide a
higher level of assurance than broader assessments and reviews. In general, assessments and reviews may be perceived with less negative stigma than audits and may focus on opportunities for reducing the costs of poor quality, employee perceptions on quality aspects, proposals to senior management on policy, goals, etc.

Some examples of audits, assessments and reviews include:
• IS audit - An IS audit is designed to collect and evaluate evidence to determine whether an information system and related resources are adequately safeguarded and protected; maintain data and system integrity and availability; provide relevant and reliable information; achieve organizational goals effectively; consume resources efficiently; and have, in effect, internal controls that provide reasonable assurance not only that business, operational and control objectives will be met but also that undesired events will be prevented or detected and corrected in a timely manner.
• Compliance audit - A compliance audit includes tests of controls to demonstrate adherence to specific regulations or industry-specific standards or practices. These audits often overlap other types of audits but may focus on particular systems or data.
• Financial audit - A financial audit assesses the accuracy of financial reporting. A financial audit will often involve detailed, substantive testing, although IS auditors are increasingly placing more emphasis on a risk- and control-based audit approach. A financial audit relates to financial information integrity and reliability.
• Operational audit - An operational audit is designed to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operational audits.
• Integrated audit - There are different types of integrated audits, but typically an integrated audit combines financial and operational audit steps and may or may not include the use of an IS auditor. An integrated audit is performed to assess the overall objectives within an organization related to financial information and to safeguarding assets, maximizing efficiency and ensuring compliance. An integrated audit can be performed by external or internal auditors and includes compliance tests of internal controls and substantive audit steps. See section 1.10 Quality Assurance and Improvement of the Audit Process for more information.
• Administrative audit - An administrative audit is designed to assess issues related to the efficiency of operational productivity within an organization.
• Specialized audit - Many different types of specialized audits are conducted. Within the category of IS audit, specialized reviews may examine areas such as fraud or services performed by third parties.
• Third-party service audit - A third-party service audit addresses financial and business processes outsourced to third-party service providers that may operate in different jurisdictions. A third-party service audit issues an opinion on a service organization's description of controls through a service auditor's report, which then can be used by the IS auditor of the entity that engages the service organization.
• Fraud audit - A fraud audit is a specialized audit designed to discover fraudulent activity. Auditors often use specific tools and data analysis techniques to discover fraud schemes and business irregularities.
• Forensic audit - A forensic audit is a specialized audit to discover, disclose and follow up on fraud and crime. The primary purpose of such an audit is the development of evidence for review by law enforcement and judicial authorities.
• Computer forensic audit - A computer forensic audit is an investigation that includes the analysis of electronic computing devices with the intent to gather and preserve evidence. An IS auditor possessing the necessary skills can assist an information security manager or forensic specialist in performing forensic investigations and can conduct an audit of the system to ensure compliance with the evidence collection procedures for forensic investigation.
• Functional audit - A functional audit provides an independent evaluation of software products, verifying that the actual functionality and performance of a product's configuration items are consistent with the requirement specifications. A functional audit is conducted either prior to software delivery or after implementation.
• Readiness assessment - A readiness assessment is a review of an organization's current state of compliance or adherence to documented standards. Readiness assessments generally focus on control design as opposed to operating effectiveness and result in actionable items for an organization to remediate prior to a formal audit.
control systems under its authority through process improvements in control structures, including an active monitoring component.

To be effective in this facilitative and innovative role, the IS auditor must understand the business process being assessed. It is important to remember that in the CSA process, IS auditors are the facilitators and the management client is the participant. For example, during a CSA workshop, instead of performing detailed audit procedures, the IS auditor will lead and guide the auditees in assessing their environment by providing insight into the objectives of controls based on risk assessment. The managers, with a focus on improving the productivity of the process, might suggest replacement of preventive controls. In this case, the IS auditor is better positioned to explain the risk associated with such changes.

To provide higher-quality audits and make use of internal and/or external audits or subject matter expertise, an integrated audit approach is used to perform risk-based assessments of internal controls over an operation, process or entity.

The integrated audit process typically involves:
• Identification of risk faced by the organization for the area being audited
• Identification of relevant key controls
• Review and understanding of the design of key controls
• Testing IT system support for key controls
• Testing operational effectiveness of management controls
• A combined report or opinion on control risk, design and weaknesses

An integrated audit demands a focus on business risk and a drive for creative control solutions. It is a team effort of audit and assurance professionals with different skill sets. Using this approach permits a single audit of an entity with one comprehensive report. An additional benefit is that this approach assists in staff development and retention by providing variety and the ability to see how all the elements (functional and IT) mesh to form the complete picture. See figure 1.2 for an integrated audit approach.

Figure 1.2 - An Integrated Audit
• Shareholders better understand the linkage between the push for a greater degree of corporate governance and its impact on the generation of financial statements that can be relied on.

All these developments have contributed to the growing popularity of integrated audits.

1.3 Risk-Based Audit Planning

Audit planning is conducted at the beginning of the audit process to establish the overall audit strategy and detail the specific procedures to be carried out to implement the strategy and complete the audit. It includes both short- and long-term planning. Short-term planning considers audit issues that will be covered during the year, whereas long-term planning considers risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment.

All of the relevant processes that represent the blueprint of the enterprise's business should be included in the audit universe. The audit universe ideally lists all the processes that may be considered for audit. Each process may undergo a qualitative or quantitative risk assessment carried out by evaluating the risk in the context of defined, relevant risk factors. The risk factors are those that influence the frequency and/or business impact of risk scenarios. For example, for a retail business, reputation can be a critical risk factor. The evaluation of risk should ideally be based on inputs from the business process owners. Evaluation of the risk factors should be based on objective criteria, although subjectivity cannot be completely avoided. For example, with respect to the reputation factor, the criteria (based on which inputs can be solicited from the business) may be rated as:
• High: A process issue may result in reputational damage that will take the organization more than six months to recover.
• Medium: A process issue may result in reputational damage that will take the organization less than six months but more than three months to recover.
• Low: A process issue may result in reputational damage that will take the organization less than three months to recover.

In this example, the defined time frame represents the objective aspect of the criteria, and the subjective aspect of the criteria can be found in the business process owners' determination of the time frame, whether it is more than six months or less than three months. After the risk is evaluated for each relevant factor, a criterion may be defined to determine the overall risk for each of the processes.

The audit plan can then be constructed to include all of the processes that are rated "high," which would represent the ideal annual audit plan. However, in practice, often the available resources are not sufficient to execute the entire ideal plan. This analysis will help the audit function demonstrate the gap in resourcing and give top management a good idea of the amount of risk that it is accepting if it does not add to or augment the existing audit resources.

Analysis of short- and long-term issues should occur at least annually. This frequency is necessary to consider new control issues, enhanced evaluation techniques, and changes in the risk environment, technologies and business processes. The results of this analysis should be reviewed by senior audit management and approved by the audit committee, if available, or alternatively by the board of directors, and communicated to relevant levels of management. The annual planning should be updated if any key aspects of the risk environment have changed (e.g., acquisitions, new regulatory issues, market conditions).

Note

For additional guidance, see standards 1007 Assertions and 1008 Criteria and related guidelines 2007 and 2008.

1.3.1 Individual Audit Assignments

In addition to overall annual planning, each individual audit assignment must be adequately planned. An IS auditor should understand that other considerations, such as the results of periodic risk assessments, changes in the application of technology and evolving privacy issues and regulatory requirements, may impact the overall approach to the audit. An IS auditor should take into consideration system implementation/upgrade deadlines, current and future technologies, requirements from business process owners and IS resource limitations.

When planning an audit, an IS auditor must understand the overall environment under review. This should include gaining a general understanding of the various business practices and functions relating to the audit subject, as well as the types of information systems and technology supporting the activity. For example, an IS auditor should be familiar with the regulatory environment in which the business operates.
To perform audit planning, an IS auditor should perform the steps indicated in figure 1.3.

Note

For additional guidance, see standard 1201 Risk Assessment in Planning and guideline 2201 Risk Assessment in Planning.

assurance. The content of these legal regulations pertains to:
• Establishment of regulatory requirements
• Responsibilities assigned to corresponding entities
• Financial, operational and IS audit functions

Management at all levels should be aware of the external requirements relevant to the goals and plans of the organization and to the responsibilities and activities of the information services department/function/activity.
1.3.3 Audit Risk and Materiality

Audit risk can be defined as the risk that information collected may contain a material error that may go undetected during the audit. An IS auditor should also consider, if applicable, other factors relevant to the organization: customer data; privacy; availability of provided services; and corporate and public image, as in the case of public organizations or foundations.

Audit risk is influenced by:
• Inherent risk: As it relates to audit risk, inherent risk is the risk level or exposure of the process/entity to be audited without regard to the controls management has implemented. Inherent risk exists independent of an audit and can occur because of the nature of the business.
• Control risk: This is the risk of a material error that would not be prevented or detected on a timely basis by the system of internal controls. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often overlooked due to the volume of logged information. The control risk associated with computerized data validation procedures is ordinarily low if the processes are consistently applied.
• Detection risk: This is the risk that material errors or misstatements will not be detected by an IS auditor.
• Overall audit risk: This is the risk that the auditor may not detect a material error in information or financial reports. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination.

An internal control weakness or set of combined internal control weaknesses may leave an organization highly susceptible to the occurrence of a threat (e.g., financial loss, business interruption, loss of customer trust, economic sanction). An IS auditor should be concerned with assessing the materiality of the items in question through a risk-based audit approach to evaluating internal controls.

Materiality refers to the importance of a piece of information with regard to its impact or effect on the functioning of the entity being audited. Materiality is the expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole. There is an inverse relationship between materiality and the level of audit risk acceptable to the IS auditor (i.e., the higher the materiality level, the lower the acceptable audit risk, and vice versa).

An IS auditor should have a good understanding of audit risk when planning an audit. An audit sample may not reflect every potential error in a population. However, by using proper statistical sampling procedures or a strong quality control process, detection risk can be reduced to an acceptable level.

Similarly, when evaluating internal controls, an IS auditor should realize that a given system may not detect a minor error. However, that specific error, combined with others, could become material to the overall system.

Note

A CISA candidate should understand audit risk and not confuse it with statistical sampling risk, which is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is selected.

1.3.4 Risk Assessment

An IS auditor should understand how the organization being audited approaches risk assessment. Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives relevant to the organization. The results should guide and determine the appropriate management action, priorities for managing information security risk and priorities for implementing controls selected to protect against risk.

Risk assessments should be performed by management periodically to address changes in the environment, security requirements and the risk landscape (e.g., in the assets, threats, vulnerabilities and impacts) and whenever significant changes occur. It is important to note that IT management is responsible for conducting risk assessments. If expertise is not present within the organization, the IS auditor may assist in risk assessment efforts. However, management is ultimately responsible for the risk assessment process. The IS auditor may perform a separate risk assessment to supplement the needs of risk-based audit planning.

Refer to section 2.5 Enterprise Risk Management for additional details on risk assessments.

1.3.5 IS Audit Risk Assessment Techniques

When determining which functional areas should be audited, an IS auditor may face a large variety of audit subjects. Each of these subjects may incur different types of risk. An IS auditor should evaluate risk candidates to determine the high-risk areas that should be audited. There are many risk assessment methodologies available to an IS auditor, ranging from simple classifications based on the auditor's judgment of high, medium and low, to complex scientific calculations that provide numeric risk ratings.

One such risk assessment approach is a scoring system that is useful in prioritizing audits based on an evaluation of risk factors. The system considers variables such as technical complexity, level of control procedures in place and level of financial loss. These variables may or may not be weighted. The risk values are then compared to each other, and audits are scheduled accordingly.

Another form of risk assessment is subjective, in which an independent decision is based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors. A combination of techniques can be used. Risk assessment methods may change and develop over time to best serve the needs of the organization. An IS auditor should consider the level of complexity and detail appropriate for the organization being audited.

IS auditors should leverage the results of management risk assessments to supplement their own risk assessment procedures. A degree of professional skepticism should be applied when reviewing or relying on management assessments of risk, because management's independence may be impaired.
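The scoring approach described above, from the reputation-factor criteria in section 1.3 (High/Medium/Low by time to recover) through the weighted risk-factor scoring and the ideal-versus-feasible plan sizing in section 1.3.5, as an added worked example in Python. This is example code written for this page, not code from the CISA manual or ISACA; the audit universe, the factor weights, the band thresholds and the hour budgets are constructed assumptions chosen to illustrate the method.

```python
"""Risk-based audit planning: score an audit universe and size the annual plan.

Added example for this page, not code from the CISA manual or ISACA.
The processes, ratings, weights, band thresholds and hour budgets are
constructed assumptions chosen to illustrate the method.
"""
from dataclasses import dataclass, field

# Ordinal score per rating. The reputation factor in the text is rated
# High (> 6 months to recover), Medium (3-6 months) or Low (< 3 months).
RATING_SCORE = {"High": 3, "Medium": 2, "Low": 1}

# Risk factors and weights (assumption: the manual says variables "may or
# may not be weighted"). control_level is rated by weakness, so High means
# weak controls and therefore more risk.
FACTOR_WEIGHTS = {
    "reputation": 0.30,
    "financial_loss": 0.30,
    "technical_complexity": 0.20,
    "control_level": 0.20,
}


@dataclass
class AuditableProcess:
    name: str
    ratings: dict          # factor -> "High" / "Medium" / "Low", from process owners
    audit_hours: int       # estimated effort to audit the process
    score: float = field(default=0.0)
    band: str = field(default="")


def score_process(proc: AuditableProcess) -> float:
    """Weighted sum of the ordinal ratings, on a 1.0 (all Low) to 3.0 (all High) scale."""
    total = 0.0
    for factor, weight in FACTOR_WEIGHTS.items():
        rating = proc.ratings.get(factor, "Low")   # an unrated factor counts as Low
        total += weight * RATING_SCORE[rating]
    return round(total, 2)


def band_for(score: float) -> str:
    """Overall-risk criterion defined by the audit function (thresholds are an assumption)."""
    if score >= 2.5:
        return "high"
    if score >= 1.5:
        return "medium"
    return "low"


def build_plan(universe: list, available_hours: int) -> dict:
    """Rank the universe, derive the ideal plan (every 'high' process) and size it against the budget."""
    for proc in universe:
        proc.score = score_process(proc)
        proc.band = band_for(proc.score)
    ranked = sorted(universe, key=lambda p: p.score, reverse=True)
    ideal = [p for p in ranked if p.band == "high"]
    ideal_hours = sum(p.audit_hours for p in ideal)

    # Fill the feasible plan in descending risk order until the budget is used up.
    feasible, used = [], 0
    for proc in ideal:
        if used + proc.audit_hours <= available_hours:
            feasible.append(proc)
            used += proc.audit_hours
    deferred = [p for p in ideal if p not in feasible]

    return {
        "ranked": [(p.name, p.score, p.band) for p in ranked],
        "ideal_hours": ideal_hours,
        "gap_hours": max(0, ideal_hours - available_hours),
        "feasible": [p.name for p in feasible],
        # High-risk work left undone: the risk top management accepts by not
        # augmenting audit resources.
        "accepted_risk": [p.name for p in deferred],
    }


# Constructed audit universe for a retail business (assumption).
UNIVERSE = [
    AuditableProcess("Online payments",
                     {"reputation": "High", "financial_loss": "High",
                      "technical_complexity": "High", "control_level": "Medium"}, 400),
    AuditableProcess("Customer identity and access",
                     {"reputation": "High", "financial_loss": "Medium",
                      "technical_complexity": "Medium", "control_level": "High"}, 300),
    AuditableProcess("Warehouse inventory",
                     {"reputation": "Medium", "financial_loss": "Medium",
                      "technical_complexity": "Low", "control_level": "Low"}, 200),
    AuditableProcess("Marketing analytics",
                     {"reputation": "Low", "financial_loss": "Low",
                      "technical_complexity": "Medium", "control_level": "Medium"}, 150),
]

if __name__ == "__main__":
    plan = build_plan(UNIVERSE, available_hours=500)
    for name, score, band in plan["ranked"]:
        print(f"{name:32s} score={score:.2f} band={band}")
    print("ideal plan hours:", plan["ideal_hours"], "gap:", plan["gap_hours"])
    print("feasible plan:", plan["feasible"])
    print("high-risk processes deferred (risk accepted):", plan["accepted_risk"])
```

Running the script ranks the four constructed processes, shows that the ideal plan (both processes in the "high" band) needs 700 hours against a 500-hour budget, and names the high-risk process that top management implicitly accepts leaving unaudited if the budget is not increased. The weights and band thresholds are exactly the subjective inputs the text warns about: record who set them, and why, alongside the plan so the audit committee can challenge them.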
Using risk assessment to determine areas to be audited:
• Enables audit management to effectively allocate limited audit resources
• Ensures that relevant information has been obtained from all levels of management, including boards of directors, IS auditors and functional area managers. Generally, this information assists management in effectively discharging its responsibilities and ensures that the audit activities are directed to high-risk areas, which will add value for management.
• Establishes a basis for effectively managing the audit department
• Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans

1.3.6 Risk Analysis

Risk analysis, a subset of risk assessment, is used during audit planning to help identify risk and vulnerabilities so an IS auditor can determine the controls needed to mitigate risk. Risk assessment procedures provide a basis for the identification and assessment of risk of material vulnerabilities; however, they do not provide sufficient appropriate audit evidence to support the audit opinion.

In evaluating IT-related business processes applied by an organization, it is important to understand the relationship between risk and control. IS auditors must be able to identify and differentiate risk types and the controls used to mitigate risk. They should have knowledge of common business risk areas, related technology risk and relevant controls. They should also be able to evaluate the risk assessment and management processes and techniques used by business managers, and to make assessments of risk to help focus and plan audit work. In addition to understanding business risk and control, IS auditors must understand that risk exists within the audit process.

1.4 Types of Controls and Considerations

Every organization has controls in place. An effective control is one that prevents, detects and/or contains an incident and enables recovery from a risk event. Organizations design, develop, implement and monitor information systems through policies, procedures, practices and organizational structures to address various types of risk.

Controls are normally composed of policies, procedures, practices and organizational structures that are implemented to reduce risk to the organization. Internal controls are developed to provide reasonable assurance to management that the organization's business objectives will be achieved, and that risk events will be prevented or detected and corrected. Internal control activities and supporting processes may be manual or automated.

1.4.1 Internal Controls

Internal controls operate at all levels within an organization to mitigate risk exposures that potentially could prevent it from achieving its business objectives. The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system and for continuously monitoring the effectiveness of the internal control system, although each individual within an organization must take part in this process.

There are two key aspects that controls should address:
1. What should be achieved
2. What should be avoided

Internal controls or control activities help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risk and to achieve the enterprise's business objectives. Control activities occur throughout the enterprise, at all levels and in all functions, such as granting approvals and authorizations, implementing verifications and reconciliations, reviewing operating performance, securing assets and ensuring separation of duties.

1.4.2 Control Objectives and Control Measures

A control objective is defined as an objective of one or more operational areas or roles, which is designed to contribute to the fulfillment of the company's strategic goals. That is, the control objective is explicitly related to the company's overall strategy.

Control objectives are statements of the desired result or purpose to be achieved by implementing control activities (procedures). For example, control objectives may relate to:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Safeguarding information assets

Control objectives apply to all controls, whether they are manual, automated or both (e.g., review of system logs). Control objectives in an IS environment do not differ from those in a manual environment; however, the way the controls are implemented may be different.
Thus, control objectives need to be addressed relevant to specific IS-related processes.

A control measure is defined as an activity contributing to the fulfillment of a control objective. Both the control objective and control measure serve the decomposition of the strategic-level goals into such lower-level goals and activities that can be assigned as tasks to the staff. This assignment can take the form of a role specified in a job description.

IS Control Objectives

IS control objectives include a complete set of high-level requirements to be considered by management for effective control of each IT process area. IS control objectives are:
• Statements of the desired result or purpose to be achieved by implementing controls around IS processes
• Policies, procedures, practices and organizational structures
• Requirements designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Organizational management needs to make choices relative to control objectives by:
• Selecting those that are applicable
• Deciding on those that will be implemented
• Choosing how to implement them (i.e., frequency, span, automation, etc.)
• Accepting the risk of not implementing others that may apply

Specific IS control objectives include:
• Safeguarding information assets, including ensuring that information on automated systems is up to date and secure from improper access
• Ensuring that system development life cycle (SDLC) processes are established, in place and operating effectively to provide reasonable assurance that development of business, financial and/or industrial software systems and applications is repeatable, reliable and aligned to business objectives
• Ensuring integrity of general operating system (OS) environments, including network management and operations
• Ensuring integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives) and customer data, through:
  • Authorization of the input: Each transaction is authorized and entered only once.
  • Validation of the input: Each input is validated and will not have a negative impact on the processing of transactions.
  • Accuracy and completeness of transaction processing: All transactions are recorded accurately and entered into the system for the proper period.
  • Reliability of overall information processing activities: All programmatic actions taken by the system during processing are sound.
  • Accuracy, completeness and security of the output: Outputs can be relied upon and countermeasures are implemented to enable security of information assets generated.
  • Database confidentiality, integrity and availability: The underlying systems of record have general IS security controls.
• Ensuring appropriate identification and authentication of users of IS resources (end users and infrastructure support)
• Ensuring the efficiency and effectiveness of operations (operational objectives)
• Complying with users' requirements, organizational policies and procedures and applicable laws and regulations (compliance objectives)
• Ensuring availability of IT services by developing efficient business continuity plans (BCPs) and disaster recovery plans (DRPs) that include backup and recovery processes
• Enhancing protection of data and systems by developing an incident response plan
• Ensuring integrity and reliability of systems by implementing effective change management procedures
• Ensuring that outsourced IS processes and services have clearly defined service level agreements (SLAs) and contract terms and conditions designed to protect the organization's assets and meet business goals and objectives

General Control Methods

General control methods apply to all areas of an organization as seen in figure 1.5.
Figure 1.5 - General Control Methods

Technical
  Description: Also known as logical controls, controls that are provided through the use of technology, equipment or devices. A technical control requires proper managerial (administrative) controls to operate correctly.
  Examples: Firewall rulesets; network or host-based intrusion detection systems (IDSs); passwords; antimalware solutions

Physical
  Description: Controls that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance, monitoring and the ability to
  Examples: Physical access badges and locks; closed-circuit TV (CCTV)
Often operational and administrative controls that concern day-to-day operations, functions and activities are included within managerial controls. Technical controls and physical controls, respectively, relate to the use of technology and the use of physical equipment or devices to regulate access.

An enterprise should maintain a proper balance of control types in order to meet its specific needs and help achieve its business objectives. For example, the implementation of a technical control, such as a firewall, requires training for the staff who manage or operate it, correct procedures for its configuration, assignment of responsibilities for its monitoring and schedules for regular testing. If these coinciding controls are not in place, stakeholders may develop a false sense of security, resulting in unidentified vulnerabilities, an ineffective use of resources and greater risk than anticipated or intended.

IS-Specific Controls

Each general control method can be translated into an IS-specific control. A well-designed information system should have controls built in for all its sensitive or critical functions. For example, a general procedure requiring adequate safeguards over access to assets and facilities can be translated into an IS-related set of control procedures covering access safeguards over computer programs, data and equipment.

Examples of IS-specific control procedures include:
• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to IT resources, including data and programs
• Systems development methodologies and change control
• Operations procedures
• Systems programming and technical support functions
• Quality assurance (QA) procedures
• Physical access controls
• BCP/DRP
• Networks and communication technology (e.g., local area networks, wide area networks, wireless)
• Database administration
• Protective and detective mechanisms against internal and external attacks

Note

A CISA candidate should understand concepts regarding IS controls and how to apply them in planning an audit.

Business Process Applications and Controls

In an integrated application environment, controls are embedded and designed into the business application that supports the processes. Business process control assurance involves evaluating controls at the process and activity levels, which may be a combination of management, programmed and manual controls. In addition to evaluating general controls that affect the processes, an IS auditor should evaluate business process owner-specific controls, such as proper security and separation of duties (SoD), periodic reviews, and approvals of access and application controls within the business process.
To effectively audit business application systems, an IS auditor must obtain a clear understanding of the application system under review. Numerous financial and operational functions are computerized for the purpose of improving efficiency and increasing the reliability of information. These applications range from traditional (including general ledger, accounts payable and payroll) to industry-specific (such as bank loans, trade clearing and material requirements planning). Given their unique characteristics, computerized application systems add complexity to audit efforts. These characteristics may include limited audit trails, instantaneous updating and information overload.

Figure 1.6 describes sample risk and controls for common business applications in an enterprise.
Figure 1.6 - Sample Risk and Controls for Common Business Applications

Ecommerce
  Description: Ecommerce is the buying and selling of goods online.
  Risk and controls: Due to their exposure to the Internet, ecommerce applications are subject to a high risk of Structured Query Language (SQL) injection attacks. IS-specific controls such as secure coding training for developers, system development life cycle (SDLC) code reviews and form input validity checks could be used to mitigate applicable risk.

Electronic data interchange (EDI)
  Description: EDI replaced the traditional paper document exchange, such as medical claims and records, purchase orders, invoices or material release schedules.
  Risk and controls: Transmitted data is at risk of being intercepted and potentially manipulated or compromised. Appropriate encryption controls should be used to ensure the confidentiality and integrity of transmitted data.

Email
  Description: Email services are used by an enterprise to communicate electronically with internal or external parties.
  Risk and controls: Email provides an avenue for attackers to manipulate end users through social engineering. Spam filtering, hyperlink verification and phishing training for email users can decrease the likelihood of phishing-related social engineering attacks.

Industrial control systems (ICSs)
  Description: ICS is a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs) and other control system configurations such as programmable logic controllers (PLCs), which are often found in industrial sectors and critical infrastructures.
  Risk and controls: Systems like SCADA are highly sensitive and if compromised can have a direct impact on human life. Organizations should consider adding perimeter security controls, such as network segmentation and multifactor authentication, to get into and administer high-risk SCADA environments.

Artificial intelligence (AI) and expert systems
  Description: Expert systems are an area of AI and perform a specific function or are prevalent in certain industries. An expert system allows the user to specify certain basic assumptions or formulas and then uses those assumptions or formulas to analyze arbitrary events.
  Risk and controls: AI systems rely on learned data and associated decision trees that can be inherently biased. An IS auditor should ensure that the proper level of expertise was used in developing the basic assumptions and formulas.
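The ecommerce row of figure 1.6 names SQL injection as the characteristic risk and input validity checks plus SDLC code review as controls. The following added example, written for this page and not taken from the CISA manual, OWASP or any product, shows what a code reviewer is looking for: a catalogue search built by string concatenation beside the same query with a bound parameter, behind an allow-list check on the form field. The SQLite schema, the product and user rows and the attacker string are constructed for the example.

```python
"""Ecommerce search: SQL injection beside the controls from figure 1.6.

Added example for this page, not code from the CISA manual or OWASP.
The SQLite schema, rows and attacker input are constructed.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory catalogue plus a users table an attacker would like to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price REAL, hidden INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        ("A100", "Kettle", 25.0, 0),
        ("A200", "Toaster", 30.0, 0),
        ("Z999", "Unreleased gadget", 999.0, 1),   # hidden=1: must not be listed
    ])
    conn.execute("CREATE TABLE users (email TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('[email protected]', 'pbkdf2$...')")
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The pattern a code review should reject: user input spliced into the SQL text."""
    sql = ("SELECT sku, name FROM products "
           "WHERE hidden = 0 AND name LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


def search_parameterised(conn: sqlite3.Connection, term: str) -> list:
    """Same query with a bound parameter: the term can only ever be data, never SQL."""
    sql = "SELECT sku, name FROM products WHERE hidden = 0 AND name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Allow-list for a catalogue search term (assumption: letters, digits, spaces, 1-40 chars).
TERM_RE = re.compile(r"[A-Za-z0-9 ]{1,40}")


def term_is_valid(term: str) -> bool:
    """Form input validity check applied before the data layer is reached."""
    return TERM_RE.fullmatch(term) is not None


def search_hardened(conn: sqlite3.Connection, term: str) -> list:
    """Defence in depth: reject malformed input, then bind whatever remains."""
    if not term_is_valid(term):
        raise ValueError("invalid search term")
    return search_parameterised(conn, term)


# Constructed attacker input: closes the quote, widens the WHERE clause to every
# row (including hidden ones) and appends a UNION that reads the users table;
# the trailing '--' comments out the rest of the original statement.
ATTACK = "' OR 1=1 UNION SELECT email, pw_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, ATTACK))        # leaks users and the hidden SKU
    print("parameterised:", search_parameterised(db, ATTACK))  # no product name contains the literal
    print("hardened, normal input:", search_hardened(db, "Toaster"))
    try:
        search_hardened(db, ATTACK)
    except ValueError as exc:
        print("hardened, attack input rejected:", exc)
```

The point for the reviewer is the order of the controls: the parameterised query is the one that actually removes the vulnerability, because it works even when the attacker finds a way past the form check; the allow-list is a second layer that also keeps junk out of the database. Finding `search_vulnerable` in a code base is the SDLC code-review finding the figure describes, whatever the form validation looks like.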
A CISA candidate should be familiar with different types of business application systems and architectures, processes, risk and related controls and IS audit implications and practices. The IS auditor should consult industry- or technology-specific guidance and apply applicable IS-specific controls as necessary. For example, when reviewing an ecommerce application, an IS auditor might consider applicable guidance from authoritative sources such as the Open Web Application Security Project (OWASP).[2] Where specific skillsets are not present within an IS audit department, external experts should be brought in to perform applicable reviews.

Controls are implemented to provide reasonable assurance to management that the organization's business objectives will be achieved, and risk events will be prevented or detected and corrected. Elements of controls that should be considered when evaluating control strength are classified as preventive, detective or corrective in nature. Figure 1.7 describes control categories.
Figure 1.7 - Control Categories

Preventive: Inhibit or impede attempts to violate security policy and practices. Encryption, user authentication and vault-construction doors are examples of preventive controls.

Deterrent: Provide guidance or warnings that may dissuade intentional or unintentional attempts at compromise. Warning banners on login screens, acceptable use policies, security cameras and rewards for the arrest of hackers are examples of deterrent controls.

Detective: Provide warnings of violations or attempted violations of security policy and practices without inhibiting or impeding the questionable actions. Audit trails, intrusion detection systems (IDSs) and checksums are examples of detective controls.

Corrective: Remediate errors, omissions, unauthorized uses and intrusions when detected. Data backups, error correction and automated failover are examples of corrective controls.

Compensating: Offset a deficiency or weakness in the control structure of the enterprise, often because the baseline controls cannot meet a stated requirement due to legitimate technical or business constraints. Placing unsecured systems on isolated network segments with strong perimeter security and adding third-party challenge-response mechanisms to devices that do not support individual login accounts are examples of compensating controls that, while not directly addressing vulnerabilities, make it harder to exploit them.

Source: ISACA, CRISC Official Review Manual, 7th Edition Revised, USA, 2023
Preventive controls are generally stronger at mitigating risk because they prevent threat events from occurring. For example, if a malicious threat actor attempts to log into a system that is accessible from the Internet with a compromised password, multifactor authentication requirements could prevent the threat actor from successfully accessing the system.

By contrast, a detective control does not stop unauthorized uses or entries from occurring, but it indicates that a threat event took place or is in progress. If a threat event occurs, a corrective control helps an enterprise recover from the effects of an attack. For example, if unauthorized access has been gained to a specific enterprise computer, a procedure is initiated to protect the rest of the network.

Organizations must implement a variety of control types based on applicable risk and cost-benefit analysis. In summary, detective and preventive controls are used to reduce the likelihood of a threat event (the probability of something happening), while corrective controls are intended to mitigate the consequences (figure 1.8).
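Section 1.3.3 gives manual review of computer logs as a case of high control risk, because the volume hides the events that need investigation, and the passage above separates the preventive control (multifactor authentication) from the detective control that only reports what happened. The following added example, written for this page and not taken from the CISA manual, is a small detective control of that kind: an automated review of authentication logs that flags a burst of failures from one source, a success that follows repeated failures for the same account (the compromised-password scenario above) and any login the system accepted without MFA. The log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Detective control: automated review of authentication logs.

Added example for this page, not code from the CISA manual. The log format,
the sample lines and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> auth: <FAIL|SUCCESS> user=<u> src=<ip> mfa=<yes|no>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth: (?P<result>FAIL|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse(line: str):
    """Return a dict for an auth event, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def review(lines, window=timedelta(minutes=10), fail_threshold=5):
    """Flag the patterns a manual log review tends to miss in volume.

    Findings are (kind, subject, timestamp) tuples:
      BRUTE_FORCE             fail_threshold failures from one source inside the window
      SUCCESS_AFTER_FAILURES  a user logs in shortly after failed attempts (compromised password?)
      LOGIN_WITHOUT_MFA       a successful login where the preventive MFA control did not apply
    """
    findings = []
    fails_by_ip = defaultdict(list)
    fails_by_user = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "FAIL":
            fails_by_ip[ev["ip"]].append(ev["ts"])
            fails_by_user[ev["user"]].append(ev["ts"])
            recent = [t for t in fails_by_ip[ev["ip"]] if ev["ts"] - t <= window]
            if len(recent) == fail_threshold:        # fire once, when the threshold is crossed
                findings.append(("BRUTE_FORCE", ev["ip"], ev["ts"]))
        else:
            prior = [t for t in fails_by_user[ev["user"]] if ev["ts"] - t <= window]
            if prior:
                findings.append(("SUCCESS_AFTER_FAILURES", ev["user"], ev["ts"]))
            if ev["mfa"] == "no":
                findings.append(("LOGIN_WITHOUT_MFA", ev["user"], ev["ts"]))
    return findings


# Constructed log excerpt: a password spray from one address, then a success
# for one of the sprayed accounts without MFA, then ordinary activity.
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z auth: FAIL user=alice src=198.51.100.9 mfa=no",
    "2024-03-01T09:00:30Z auth: FAIL user=bob src=198.51.100.9 mfa=no",
    "2024-03-01T09:01:00Z auth: FAIL user=carol src=198.51.100.9 mfa=no",
    "2024-03-01T09:01:30Z auth: FAIL user=dave src=198.51.100.9 mfa=no",
    "2024-03-01T09:02:00Z auth: FAIL user=erin src=198.51.100.9 mfa=no",
    "2024-03-01T09:03:00Z kernel: unrelated message",              # not an auth event
    "2024-03-01T09:05:00Z auth: FAIL user=frank src=198.51.100.9 mfa=no",
    "2024-03-01T09:06:00Z auth: SUCCESS user=alice src=198.51.100.9 mfa=no",
    "2024-03-01T11:00:00Z auth: SUCCESS user=grace src=192.0.2.5 mfa=yes",
    "2024-03-01T11:00:05Z auth: FAIL user=grace src=192.0.2.5 mfa=no",
]

if __name__ == "__main__":
    for kind, subject, ts in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:24s} {subject}")
```

On the constructed excerpt the review produces three findings: the brute-force burst at the fifth failure from 198.51.100.9, alice's success six minutes after her failed attempt, and the fact that her login was accepted without MFA. The last finding is the one an auditor should weigh most heavily: it shows the preventive control the text relies on was not enforced, so the detective control is the only thing standing between the compromised password and the system. An auditor testing this control would ask how often the review runs, who receives the findings and what happens when nobody does.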
[Figure: diagram not reproduced; labels recovered from extraction: Capacity management, BC or IT DR plan, Service desk, Special clauses in vendor contracts, Risk management, Configuration management]
Source: ISACA, Fundamentals of Information Systems Audit and Assurance (Facilitator Guide), USA, 2018

[Figure: diagram not reproduced; labels recovered from extraction: Threat, Vulnerability, Impact; Deterrent control, Preventive control, Detective control, Corrective control, Compensating control; Reduces, Decreases]
Source: Adapted from ISACA, CRISC Review Manual, 7th Edition Revised, USA, 2023
control was designed to achieve. Placing unsecured systems on isolated network segments with strong perimeter security and adding third-party challenge-response mechanisms to devices that do not support individual login accounts are examples of compensating controls. Although the examples in the following sections are IT-specific, it is possible for non-IT compensating controls to exist.

1.4.5 Prescriptive Controls and Frameworks

In some instances, authoritative sources provide a prescriptive set of controls or control objectives for an organization to implement and assess. Prescriptive control sets or control frameworks attempt to provide a standard set of controls an organization should implement to mitigate applicable risk to the organization as a whole or to a specific business process.

Examples of sets of prescriptive controls or control objectives include:
• Center for Internet Security (CIS) 18 Critical Security Controls[3]: A prescriptive, prioritized and simplified set of best practices that organizations can use to strengthen their cybersecurity postures
• OWASP Software Assurance Maturity Model (SAMM)[4]: An open framework to help organizations formulate and implement strategies for software security that are tailored to the specific risk they face
• System and Organization Controls (SOC) reports[5]: A reporting framework developed by the American Institute of Certified Public Accountants (AICPA) under which service organizations report on the controls relevant to the services they provide
• Payment Card Industry (PCI) Data Security Standard (DSS)[6]: A set of requirements that must be met by organizations that store, process, transmit or in any way affect the security of credit card data
• Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)[7]: A cybersecurity control framework for cloud computing encompassing various key practices to ensure cloud security across different cloud models and designed to provide fundamental security principles to guide cloud vendors and assist prospective cloud customers in assessing the overall security risk of a cloud provider

Organizations leveraging prescriptive control frameworks must identify applicable countermeasures in place to meet outlined control objectives. In some instances, prescriptive controls may not be applicable to an organization based on unique business practices. For example, if an organization accepting credit cards does not store credit card data as a part of its business process, then controls applicable to the protection of stored credit card information are likely not applicable. Where prescriptive controls do not apply to an organization, the organization should ensure the reasons and validation of non-applicability are formally documented.

1.4.6 Evaluation of the Control Environment

The control environment should be reviewed in accordance with the risk-based audit plan. Although IS audit will execute its risk-based audit plan, it is important to note that IS management should also evaluate the effectiveness of the control environment.

Management Control Monitoring

Management may perform its own monitoring of control effectiveness within a given audit cycle. This process helps to identify control deviations prior to a potentially less frequent audit and allows management to take corrective action.

Control monitoring ensures that:
• Control requirements are being met.
• Standards are being followed.
• Employees are complying with enterprise policies, practices and procedures.

Management can use the results of its own control monitoring efforts to continuously improve the organization's security program. An IS auditor may leverage these results as reassurance that controls were effectively working over a period of time. When
Center for Internet Security, "The 18 CIS Critical Security Controls," https:llwww.cisecurity.org/con trols/cis-controls-list
OWASP Project, "OWASP SAMM," https://owasp.orglwww-project-samm/
5 American Institute of Certified Public Accountants, "SOC 2®- SOC for Service Organizations: Trust Services Criteria," https://us.aicpa.orgl
interestareaslfrc/assuranceadvisoryserviceslaicpasoc2report
6 Payment Card Industry Security Standards Council, "PC! DSS: v4.0," https://docs-prv.pcisecuritystandards.org/PCJ%20DSS/Standard!PCJ-DSS-
v4_0.pdf
7 Cloud Security Alliance, "Cloud Controls Matrix," https://cloudsecurityalliance.org/researchlcloud-controls-matrix/
[Figure: audit process phases. Panels: Planning Phase; Reporting Phase (gather report requirements, draft report, issue report).]
Source: ISACA, Information Systems Auditing: Tools and Techniques - Creating Audit Programs, USA, 2016
Planning

Planning steps can be further broken down into more specific activities, as shown in figure 1.12.

Figure 1.12 - Audit Process Activities for the Planning Phase
1. Determine audit subject. Identify the area to be audited (e.g., business function, system, physical location).
2. Define audit objective. Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.
3. Set audit scope. Identify the specific systems, function or unit of the organization to be included in the review. In the case of the program changes example, the scope statement might limit the review to a single application, system or a limited period of time. This step is very important because the information systems (IS) auditor will need to understand the IT environment and its components to identify the resources that will be required to conduct a comprehensive evaluation. A clear scope will help the IS auditor define a set of testing points that are relevant to the audit and to further determine the technical skills and resources necessary to evaluate different technologies and their components.

Figure 1.12 - Audit Process Activities for the Planning Phase (cont.)
5. Determine audit procedures and steps for data gathering. At this stage of the audit process, the audit team should have enough information to identify and select the audit approach or strategy and start developing the audit program. Some of the specific activities in this step are:
• Identify and obtain departmental policies, standards and guidelines for review.
• Identify any regulatory compliance requirements.
• Identify a list of individuals to interview.
• Identify methods and tools to perform the evaluation.
• Develop audit tools and methodology to test and verify controls.
• Develop test scripts.
• Identify criteria for evaluating the test.
• Define a methodology to evaluate whether the test and its results are accurate (and repeatable if necessary).
Source: ISACA, Information Systems Auditing: Tools and Techniques - Creating Audit Programs, USA, 2016
Fieldwork/Documentation

Fieldwork/documentation steps can be further broken down into more specific activities, as shown in figure 1.13.
1. Acquire data. Establish a process to acquire audit-related data. An advance request list can be used to identify key evidence or interviews/observations that need to be gathered or performed during an audit. The IS auditor should establish a process to collect evidence in a secure manner (e.g., through a file share). A governance, risk and compliance (GRC) tool may help facilitate audit data collection for more advanced audit functions.
2. Test controls. Use testing techniques (e.g., interviews, observations, inspections) to evaluate controls applicable to the acquired data. In some instances, sampling may be required to review a subset of an overall population. For example, an IS auditor may select a sample of servers and perform an observation to confirm that antimalware solutions are installed per policy.
3. Discover and validate issues. Identify potential issues throughout the audit process. Issues are deviations from expected audit outcomes (e.g., policy requirements) and are the basis for recommendations the auditor will provide for management action.
4. Document results. Document the results within the audit program and work papers according to the documentation standards of the IS auditor's organization.
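The "acquire data" step above asks the IS auditor to collect evidence in a secure manner, and section 1.5.4 adds that the integrity of audit test evidence must be preserved so it keeps its value as substantiation. The following is an added example, not part of the ISACA text, of one way to do both: every acquired file is recorded in a manifest with its SHA-256 digest, size, source and collection time; the manifest is authenticated with an HMAC under a key that is assumed to be held by the audit team outside the evidence share; and a later verification pass reports any file that has been altered or removed, or any manifest that has been edited. File names, the key and the evidence contents are constructed for illustration.

```python
"""Evidence intake manifest for audit fieldwork (added example)."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Streamed SHA-256 so large evidence exports are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _canonical(entries):
    # Canonical JSON (sorted keys, no whitespace) so the HMAC is reproducible.
    return json.dumps({"entries": entries}, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(items, key):
    """items: iterable of (path, source description). Returns the manifest dict
    with an HMAC-SHA256 tag computed over the canonical entry list."""
    entries = [{
        "name": os.path.basename(path),
        "sha256": sha256_file(path),
        "size": os.path.getsize(path),
        "source": source,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    } for path, source in items]
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac_sha256": tag}


def verify_manifest(manifest, key, directory):
    """Returns (manifest_authentic, names of entries whose file is missing or altered).
    An edited manifest fails the HMAC; an edited file fails its digest."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    authentic = hmac.compare_digest(expected, manifest.get("hmac_sha256", ""))
    problems = []
    for entry in manifest["entries"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            problems.append(entry["name"])
    return authentic, problems


def demo():
    """Collect two constructed evidence files and verify; then alter one file,
    verify against the original manifest, and finally verify against a
    manifest whose digest was forged to match the altered file."""
    key = b"audit-team-manifest-key (assumed; held outside the evidence share)"
    with tempfile.TemporaryDirectory() as evidence_dir:
        users = os.path.join(evidence_dir, "ad_users_2024-03-01.csv")
        config = os.path.join(evidence_dir, "fw01_running_config.txt")
        with open(users, "w") as f:  # constructed evidence exports
            f.write("sAMAccountName,enabled,lastLogon\njdoe,True,2024-02-27\n")
        with open(config, "w") as f:
            f.write("hostname fw01\nlogging host 10.0.0.5\n")
        manifest = build_manifest([(users, "AD export provided by the IAM team"),
                                   (config, "Pulled by the auditor over read-only SSH")], key)
        clean = verify_manifest(manifest, key, evidence_dir)

        with open(config, "a") as f:  # evidence changed after collection
            f.write("no logging host 10.0.0.5\n")
        altered = verify_manifest(manifest, key, evidence_dir)

        forged = dict(manifest)       # digest patched, HMAC left as it was
        forged["entries"] = [dict(e, sha256=sha256_file(config))
                             if e["name"] == os.path.basename(config) else e
                             for e in manifest["entries"]]
        forged_result = verify_manifest(forged, key, evidence_dir)
        return clean, altered, forged_result


if __name__ == "__main__":
    for label, outcome in zip(("clean", "altered file", "forged manifest"), demo()):
        print(f"{label}: authentic={outcome[0]}, problems={outcome[1]}")
```

The HMAC key, not the evidence share, is what an auditee would need to change a file and hide it, so keeping the key with the audit team is what turns a list of hashes into integrity evidence.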
Reporting/Follow Up
Reporting/follow-up phase steps can be broken down into
specific activities, as shown in figure 1.14.
1.5.3 Audit Programs

An audit program is a step-by-step set of audit procedures and instructions that should be performed to complete an audit. It is based on the scope and objective of the particular assignment.

The main purposes of developing an audit program are:
• Formal documentation of audit procedures and sequential steps
• Creation of procedures that are repeatable and easy to use by internal or external audit and assurance professionals who need to perform similar audits
• Documentation of the type of testing that will be used (compliance and/or substantive)
• Meeting generally accepted audit standards that relate to the planning phase in the audit process

An IS auditor often evaluates IT functions and systems from different perspectives, such as security (confidentiality, integrity and availability), quality (effectiveness, efficiency), fiduciary (compliance, reliability), service and capacity. The audit work program is the audit strategy and plan: it identifies scope, audit objectives and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions.

General audit procedures are the basic steps in the performance of an audit and usually include:
• Obtaining and recording an understanding of the audit area/subject
• Creating a risk assessment and general audit plan and schedule
• Performing detailed audit planning that includes the necessary audit steps and a breakdown of the work planned across an anticipated timeline
• Conducting a preliminary review of the audit area/subject
• Evaluating the audit area/subject
• Verifying and evaluating the appropriateness of controls designed to meet control objectives
• Conducting compliance testing (tests of the implementation of controls and their consistent application)
• Conducting substantive testing (confirming the accuracy of information)
• Reporting (communicating results)
• Following up in cases that rely on an internal audit function

Minimum Skills to Develop an Audit Program

The development of meaningful audit and assurance programs depends on the auditor's ability to customize procedures according to the nature of the subject under review and the specific risk that must be addressed in the audit area/organization. Skills that can assist an IS auditor in creating an audit program include:
• Sufficient understanding of the nature of the enterprise and its industry to identify and categorize types of risk and threat
• Good understanding of the IT space and its components and sufficient knowledge of the technologies that affect them
• Understanding of the relationship between business risk and IT risk
• Basic knowledge of risk assessment practices
• Understanding of testing procedures for evaluating IS controls and identifying the best method of evaluation, such as:
  • The use of generalized audit software (GAS) to survey the contents of data files (e.g., system logs, user access list)
  • The use of specialized software to assess the contents of operating systems, databases and application parameter files
  • Flowcharting techniques for documenting business processes and automated controls
  • The use of audit logs and reports to evaluate parameters
  • Review of documentation
  • Inquiry and observations
  • Walk-throughs
  • Reperformance of controls

Note
For additional guidance, see standard 1204 Performance and Supervision and guideline 2204 Performance and Supervision.

1.5.4 Audit Work Papers

All audit plans, programs, activities, tests, findings and incidents should be properly documented in work papers. The format and media of work papers can vary, depending on the specific needs of the department. IS auditors should particularly consider how to maintain the integrity and protection of audit test evidence in order to preserve its value as substantiation in support of audit results.

Work papers can be considered the bridge or interface between the audit objectives and the final report. Work papers should provide a seamless transition, with traceability and support for the work performed, from objectives to report and from report to objectives. In this context, the audit report can be viewed as a particular work paper.

IS auditors should ensure that the same security-related requirements they may be assessing are considered for the audit work papers they collect. IS audit reports and related work papers can contain sensitive information that could be leveraged by malicious actors. A retention and destruction process should be established based on legal requirements for each audit type.

1.5.5 Fraud, Irregularities and Illegal Acts

Management is primarily responsible for establishing, implementing and maintaining an internal control system that enables the deterrence and/or timely detection of fraud. Internal controls may fail due to exploitation of vulnerabilities, management-perpetrated control weaknesses or collusion among people.
The presence of internal controls does not altogether eliminate fraud. IS auditors should observe and exercise due professional care in all aspects of their work and be alert to opportunities that may allow fraud to materialize. They should be aware of the possibilities and means of perpetrating fraud, especially through exploitation of vulnerabilities and overriding controls in the IT-enabled environment. They should have knowledge of fraud and fraud indicators and be alert to the possibility of fraud and errors while performing an audit.

During the course of regular assurance work, an IS auditor may come across instances or indicators of fraud. After careful evaluation, an IS auditor may communicate the need for a detailed investigation to appropriate authorities. In the case of an IS auditor identifying a major fraud or if the risk associated with the detection is high, audit management should consider communicating the issue to the audit committee in a timely manner.

Regarding fraud prevention, an IS auditor should be aware of potential legal requirements concerning the implementation of specific fraud detection procedures and the reporting of fraud to appropriate authorities.

Note
For additional guidance, see standard 1207 Irregularity and Illegal Acts and guideline 2207 Irregularity and Illegal Acts.

1.5.6 Agile Auditing

A goal for any IS audit function is to provide faster and more efficient ways to conduct an IS audit to demonstrate the value provided to stakeholders. One method to achieve this is leveraging Agile concepts.

Agile Auditing Overview

The term "agile" usually refers to software development and emphasizes individuals and interactions over processes and tools, working software over comprehensive documentation, customer collaboration over contract negotiation and responding to change over following a plan.[8] Traditional IS audit, on the other hand, has used strict standards and frameworks, resulting in rather rigid audit engagement constraints that, essentially, represented projects. IT projects have similarly inflexible models. However, they have evolved from the formal Waterfall model to less formal, but very often more efficient, models that are usually collectively known as "Agile."

In Agile models, design and specification documentation are kept to the bare minimum required, and a major part of documentation is created at the operations and support levels (e.g., user manuals), which occur much later in the system life cycle. In the context of an IS audit, this would result in blurring or altogether abolishing the temporal separation between planning and fieldwork phases. Agile audits, thus, address major bottlenecks in many audits.

For example, necessary data, such as lists of system users from the system itself or an authorization database or file, can be requested and prepared by the auditees while the auditors are still trying to finalize remaining audit program steps. In addition, auditors can analyze data already collected while waiting for the audit team to schedule planning phase meetings with other auditees or the team members. Elimination of the requirement for strict temporal separation between planning and fieldwork makes audit more efficient. Tasks run in parallel (i.e., planning may be going on as the auditees collect requested data, or fieldwork may be occurring while meetings to address remaining planning issues are taking place).

Benefits of Agile Auditing

Agile methodologies benefit audit departments through production of rapid audit results, avoidance of siloed audit and customer teams, communications in near real time and effective collaboration with auditees. Agile also helps make IT audit engagements more successful through:
• Reduced end-to-end planning: Instead of audit engagements being planned over several months, Agile reduces the planning process to weeks or even days due to condensed sprint cycles and a small-scale, iterative approach.
• Streamlined audit engagements: Combining the planning, fieldwork and reporting phases into a single cohesive engagement avoids the execution of disparate audit phases with long lead times.
• Direct customer collaboration: Involving customers in the Agile scrum (i.e., daily standup meeting) at the beginning of the audit engagement sprint gives them a seat at the table. This involvement further facilitates their input in guiding the engagement to both valid and highly beneficial audit outcomes for all parties.
• Flexible audit scope: As new information is provided to or discovered by auditors, Agile facilitates real-time audit scope adjustments. Auditors should continue to obtain audit management approval as potential scope adjustments are identified and be prepared to adjust testing focus as new information is discovered or provided by audit customers.
• Real-time assurance: Direct customer collaboration means customers are informed of audit findings or control weaknesses as they are discovered by auditors versus receiving a draft audit report toward the end of an audit engagement. Auditors should provide audit customers with updates on potential findings or control weaknesses as testing uncovers them.
• Frequent audit plan updates: The increased velocity of engagements produced by Agile IT audits provides an opportunity to revisit the audit backlog and annual plan and make revisions more frequently. Unlike audit plans that are reviewed annually, Agile audit plans are reviewed every quarter (or more frequently in some instances) due to the Agile iterative approach to conducting an audit engagement.

Agile Auditing Compared to Established Assurance Standards

Figure 1.15 shows how Agile audit techniques complement adherence to the general, performance and reporting standards and guidelines found in ISACA's ITAF.
Figure 1.15 - Agile Auditing Compared to ITAF Standards and Guidelines
General Standard 1002: Organizational Independence
The IT audit and assurance function shall be free from conflicts of interest and undue influence in all matters related to audit and assurance engagements.
• Agile encourages more direct levels of communication and involvement with audit customers, which reflects auditors' organizational independence.
• The collaborative approach used in Agile (and facilitated by organizational independence) allows audit to leverage subject matter expertise to allow expedient agreement on audit findings and minimize remediation timelines.

General Standard 1003: Auditor Objectivity
IT audit and assurance practitioners shall be objective in all matters related to audit and assurance engagements.
• While differing from the traditional approach to audit, Agile does not compromise auditor objectivity, which may be impaired if conflicts of interest arise.
• Agile audit functions retain their professional skepticism and ability to make final decisions throughout the audit engagement.

General Standard 1005: Due Professional Care
Auditors will exercise due diligence and professional care. They will maintain high standards of conduct and character, and they will refrain from engaging in acts that may discredit themselves or the profession. Privacy and confidentiality of information obtained during the course of the auditor's duties should be maintained.
• The audit backlog is prioritized more often under Agile, which considers the required resources, establishment of proper audit scope, proper audit objectives and adequate levels of diligence and discretion.
• With Agile, audit management retains its right to conclude on key matters of each audit engagement.

General Standard 1006: Proficiency
IT audit and assurance practitioners, collectively with others assisting with the audit and assurance engagement, shall possess the professional competence to perform the work required.
• Daily standup scrum meetings and two-week sprint cycles greatly enhance development of audit staff at the junior and senior levels.
• Increased collaboration with audit customers allows audit staff to learn the business more completely.

Reporting Standard 1402.3: Follow-Up Activities and Acceptance of Risk
Where it is determined that the risk related to a finding has been accepted and is greater than the enterprise's risk appetite, this risk acceptance should be discussed with senior management.
• The collaborative and frequent communication processes leveraged by Agile seek to ensure full disclosure to executive management of any accepted risk taken by audit customers.

General Guideline 2001.2.6: Performance of Quality Assurance (QA)
Accountability of the audit and assurance function includes but is not limited to the QA process (e.g., interviews, customer satisfaction surveys, assignment performance surveys) that establishes an understanding of the auditees' needs and expectations relevant to the audit function.
• The Agile sprint retrospective is a tool the audit team uses to analyze how the last sprint delivered with regard to individuals, interactions among customers and the audit team, executed processes, audit tools and the definition of "done."
1.6 Audit Testing and Sampling Methodology

Valid conclusions can be reached using audit sampling. When using either statistical or nonstatistical sampling methods, IS auditors should design and select an audit sample, perform audit procedures and evaluate sample results to obtain sufficient and appropriate evidence to form a conclusion. When using sampling methods to draw a conclusion about the entire population, professionals should use statistical sampling.

An IS auditor should consider the purpose of the sample:
• Compliance testing/test of controls: An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements
• Substantive testing/test of details: An audit procedure designed to detect material misstatements at the assertion level

1.6.1 Compliance Versus Substantive Testing

Compliance testing is evidence gathering for the purpose of testing an organization's compliance with control procedures. This differs from substantive testing, in which evidence is gathered to evaluate the integrity of individual transactions, data or other information.

A compliance test determines whether controls are being applied in a manner that complies with management policies and procedures. For example, if an IS auditor is concerned about whether production program library controls are working properly, the IS auditor might select a sample of programs and determine whether the object code in production corresponds to the approved source version. The broad objective of any compliance test is to provide reasonable assurance that a particular control operates as perceived in the preliminary evaluation.

It is important that an IS auditor understands the specific objective of a compliance test and of the control being tested. Compliance tests can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence (e.g., to provide assurance that only authorized modifications are made to production programs).

A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and integrity of the balances in the financial statements and the transactions that support those balances. An IS auditor could use substantive tests to check for monetary errors directly affecting financial statement balances or other relevant data of the organization. Additionally, an IS auditor might develop a substantive test to evaluate the completeness and accuracy of report data. To perform this test, the IS auditor might use a statistical sample, which will allow the IS auditor to develop a conclusion regarding the accuracy of all the data.

The amount of substantive testing required is inversely related to the strength of internal controls. If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then minimizing the substantive procedures could be justified. Conversely, if the control testing reveals weaknesses in controls that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts.

Examples of compliance testing of controls where sampling could be considered include user access rights, program change control procedures, documentation procedures, program documentation, follow-up of exceptions, review of logs and software license audits. Examples of substantive tests where sampling could be considered include performance of a complex calculation (e.g., interest) on a sample of accounts or a sample of transactions to vouch for supporting documentation.
and useful audit evidence. These methods of sampling require an IS auditor to use judgment when defining the population characteristics and, thus, are subject to the risk that incorrect conclusions could be drawn from the sample (sampling risk). However, statistical sampling permits an IS auditor to quantify the probability of error (the level of risk, which is one minus the confidence coefficient). To be a statistical sample, each item in the population should have an equal opportunity or probability of being selected. Within these two general approaches to audit sampling, there are two primary methods of sampling used: attribute sampling and variable sampling. Attribute sampling, generally applied in compliance testing, deals with the presence or absence of the attribute and provides conclusions that are expressed in rates of incidence.
Confidence coefficient (confidence level or reliability factor): A percentage expression (90 percent, 95 percent, 99 percent, etc.) of the probability that the characteristics of the sample are a true representation of the population. Generally, a 95 percent confidence coefficient is considered a high degree of assurance. If an information systems (IS) auditor knows internal controls are strong, the confidence coefficient may be lowered. The greater the confidence coefficient, the larger the sample size.

Level of risk: Equal to one minus the confidence coefficient. For example, if the confidence coefficient is 95 percent, the level of risk is five percent (100 percent minus 95 percent).

Precision: Set by an IS auditor, the acceptable range difference between the sample and the actual population. For attribute sampling, this figure is stated as a percentage. For variable sampling, this figure is stated as a monetary amount or a number. The higher the precision amount, the smaller the sample size and the greater the risk of fairly large total error amounts going undetected. The smaller the precision amount, the greater the sample size. A very low precision level may lead to an unnecessarily large sample size.

Expected error rate: An estimate stated as a percentage of the errors that may exist. The greater the expected error rate, the greater the sample size. This figure is applied to attribute sampling formulas but not to variable sampling formulas.

Sample mean: The sum of all sample values divided by the size of the sample. The sample mean measures the average value of the sample.

Sample standard deviation: The square root of the variance of the sample values about the sample mean. Sample standard deviation represents the spread or dispersion of the sample values.

Tolerable error rate: Describes the maximum misstatement or number of errors that can exist without an account being materially misstated. Tolerable rate is used for the planned upper limit of the precision range for compliance testing. The term is expressed as a percentage. "Precision range" and "precision" have the same meaning when used in substantive testing.

Population standard deviation: A measure of the dispersion of the population values about the population mean, used with the normal distribution in sample size formulas. The greater the standard deviation, the larger the sample size. This figure is applied to variable sampling formulas but not to attribute sampling formulas.
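The relationships in the table above (a larger confidence coefficient or expected error rate enlarges the sample, a wider precision shrinks it) can be checked numerically. The following is an added example, not part of the ISACA text, that sizes an attribute sample for a compliance test with exact binomial arithmetic (the assumption here is that published attribute-sampling tables are derived the same way; the page itself does not say how they are built), selects the sample with a recorded seed so the selection is repeatable in the work papers, and evaluates the observed deviations against the tolerable rate. It also covers the discovery-sampling case (an expected rate of zero) described in the list that follows. The server population and the set of servers missing the antimalware agent are constructed.

```python
"""Attribute sampling for a compliance test, worked end to end (added example)."""
import math
import random


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence, tolerable_rate, expected_rate, max_n=10_000):
    """Smallest n such that, if the true deviation rate were the tolerable rate,
    seeing no more than the expected number of deviations is no more likely
    than the level of risk (1 - confidence). The expected deviation count is
    rounded up, as sampling tables do."""
    risk = 1.0 - confidence
    for n in range(1, max_n + 1):
        expected_deviations = math.ceil(round(expected_rate * n, 9))
        if binomial_cdf(expected_deviations, n, tolerable_rate) <= risk:
            return n
    raise ValueError("parameters require a sample larger than max_n")


def discovery_sample_size(confidence, critical_rate):
    """Discovery sampling: the size at which an error-free sample supports the
    conclusion, at the stated confidence, that the irregularity occurs at less
    than critical_rate. Identical to attribute sampling with an expected rate of zero."""
    return attribute_sample_size(confidence, critical_rate, 0.0)


def upper_deviation_limit(n, deviations, confidence, tol=1e-6):
    """Achieved upper limit on the population deviation rate: the smallest rate at
    which observing <= deviations in n items is no more likely than the level of
    risk. The binomial CDF decreases in p, so bisection finds it."""
    risk = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, n, mid) > risk:
            lo = mid  # result still too likely at this rate; true rate may be higher
        else:
            hi = mid
    return hi


def select_sample(population, n, seed):
    """Random selection without replacement. Sorting first and recording the seed
    makes the selection reproducible from the work papers; every item has an
    equal chance of being chosen."""
    return random.Random(seed).sample(sorted(population), n)


def evaluate_compliance_sample(population, has_deviation, confidence,
                               tolerable_rate, expected_rate, seed=2024):
    """Size, select and evaluate the sample; returns the figures an auditor would
    record plus the conclusion about whether the control can be relied on."""
    n = attribute_sample_size(confidence, tolerable_rate, expected_rate)
    sample = select_sample(population, n, seed)
    deviations = sum(1 for item in sample if has_deviation(item))
    achieved = upper_deviation_limit(n, deviations, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "sample_rate": deviations / n,
        "upper_deviation_limit": achieved,
        "control_reliable": achieved <= tolerable_rate,
    }


# Constructed population: 400 servers, six of which lack the antimalware agent
# required by policy (each is a deviation from the control being tested).
SERVERS = [f"srv-{i:03d}" for i in range(400)]
MISSING_AGENT = {"srv-017", "srv-088", "srv-121", "srv-256", "srv-301", "srv-377"}


if __name__ == "__main__":
    result = evaluate_compliance_sample(
        SERVERS, lambda s: s in MISSING_AGENT,
        confidence=0.95, tolerable_rate=0.05, expected_rate=0.01)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With a 95 percent confidence coefficient, a 5 percent tolerable rate and a 1 percent expected rate the function returns 93 items, and with a zero expected rate it returns 59, which are the values the AICPA attribute-sampling table gives for those parameters; the evaluation step is what turns "three deviations in 93" into a rate the auditor can compare with the tolerable rate instead of reporting the raw count.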
Attribute sampling refers to three different, but related, types of proportional sampling:
• Attribute sampling (fixed sample-size attribute sampling or frequency-estimating sampling): A sampling model used to estimate the rate (percent) of occurrence of a specific quality (attribute) in a population. Attribute sampling answers the question, "How many?"
  • An example of an attribute that might be tested is approval signatures on computer access request forms.
• Stop-or-go sampling: A sampling model that helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment. Stop-or-go sampling is used when an IS auditor believes that relatively few errors will be found in a population.
• Discovery sampling: A sampling model most often used when the objective of the audit is to seek out (discover) fraud, circumvention of regulations or other irregularities. For example, if the sample is found to be error free, it is assumed that no fraud/irregularity exists; if a single error is found, the population cannot be cleared and further investigation is required.

Variable sampling (dollar estimation or mean estimation sampling) is a technique used to estimate the monetary value or some other unit of measure (such as weight) of a population from a sample portion. An example of variable sampling is a review of an organization's balance sheet for material transactions and an application review of the program that produced the balance sheet.

Variable sampling refers to three types of quantitative sampling models:
• Stratified mean per unit: A statistical model in which the population is divided into groups and samples are drawn from the various groups; used to produce a smaller overall sample size relative to unstratified mean per unit
• Unstratified mean per unit: A statistical model in which a sample mean is calculated and projected as an estimated total
• Difference estimation: A statistical model used to estimate the total difference between audited values and book (unaudited) values based on differences obtained from sample observations

Variable sampling, generally applied in substantive testing, deals with population characteristics that vary, such as monetary values and weights (or any other measurement), and provides conclusions related to deviations from the norm.

Key steps in the construction and selection of a sample for an audit test are shown in figure 1.18.
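The three variable-sampling models are defined above in one sentence each. The following is an added example, not part of the ISACA text, that carries each one through on constructed account balances: unstratified mean per unit, stratified mean per unit and difference estimation, each returning an estimated total together with its precision at the chosen confidence coefficient (taken here as the normal z-score times the standard error of the projected total, which is the usual classical-variables approach and an assumption not stated on the page). The comparison function projects the same twelve audited values once as a single sample and once by stratum, which shows why stratification yields a tighter estimate for the same sample size.

```python
"""Variable sampling estimators for a substantive test (added example)."""
import math
from statistics import mean, stdev

Z_SCORES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}  # two-sided normal quantiles


def unstratified_mean_per_unit(audited_values, population_size, confidence=0.95):
    """Project the sample's mean audited value to the whole population.
    Returns (estimated total, precision), precision being the half-width of
    the interval around the estimate at the given confidence."""
    n = len(audited_values)
    estimate = population_size * mean(audited_values)
    precision = Z_SCORES[confidence] * population_size * stdev(audited_values) / math.sqrt(n)
    return estimate, precision


def stratified_mean_per_unit(strata, confidence=0.95):
    """strata: list of (stratum population size, audited sample values).
    Each stratum is projected on its own; stratum precisions combine as the
    square root of the sum of their squares, which is why a stratified sample
    is tighter than a single sample of the same size drawn across strata."""
    estimate, variance = 0.0, 0.0
    for size, audited in strata:
        sub_estimate, sub_precision = unstratified_mean_per_unit(audited, size, confidence)
        estimate += sub_estimate
        variance += sub_precision ** 2
    return estimate, math.sqrt(variance)


def difference_estimation(pairs, population_size, book_total, confidence=0.95):
    """pairs: list of (book value, audited value) for each sampled item.
    Projects the mean audited-minus-book difference to the population and
    corrects the recorded book total.
    Returns (estimated true total, projected difference, precision)."""
    differences = [audited - book for book, audited in pairs]
    projected = population_size * mean(differences)
    precision = (Z_SCORES[confidence] * population_size * stdev(differences)
                 / math.sqrt(len(differences)))
    return book_total + projected, projected, precision


# Constructed sample from 2,000 customer accounts with a recorded book total of
# 1,240,000: stratum 1 holds 1,600 small accounts, stratum 2 holds 400 large ones.
SMALL_ACCOUNTS = [(420, 420), (380, 380), (455, 440), (400, 400), (390, 390), (410, 410)]
LARGE_ACCOUNTS = [(2_950, 2_950), (3_100, 3_000), (2_800, 2_800),
                  (3_050, 3_050), (2_900, 2_900), (3_000, 2_850)]
POPULATION, BOOK_TOTAL = 2_000, 1_240_000


def compare_stratified_to_unstratified():
    """Same twelve audited values, projected as one sample and then by stratum.
    Returns (unstratified precision, stratified precision)."""
    all_audited = [a for _, a in SMALL_ACCOUNTS + LARGE_ACCOUNTS]
    _, flat_precision = unstratified_mean_per_unit(all_audited, POPULATION)
    _, strat_precision = stratified_mean_per_unit(
        [(1_600, [a for _, a in SMALL_ACCOUNTS]), (400, [a for _, a in LARGE_ACCOUNTS])])
    return flat_precision, strat_precision


if __name__ == "__main__":
    total, projected, precision = difference_estimation(
        SMALL_ACCOUNTS + LARGE_ACCOUNTS, POPULATION, BOOK_TOTAL)
    print(f"difference estimation: total {total:,.0f}, projected difference "
          f"{projected:,.0f}, precision +/- {precision:,.0f}")
    flat, strat = compare_stratified_to_unstratified()
    print(f"precision unstratified {flat:,.0f} vs stratified {strat:,.0f}")
```

Difference estimation only works when the sample contains differences; with an error-free sample its standard deviation is zero and the method gives no precision, which is when mean-per-unit projection is used instead.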
When planning the IS audit, the type of audit evidence to be gathered, its use as audit evidence to meet audit objectives and its varying levels of reliability should be considered.

Audit evidence may include:
• An IS auditor's observations (presented to management)
• Notes taken from interviews
• Results of independent and qualified third-party assessors
• Material extracted from correspondence and internal documentation or contracts with external partners
• The results of audit test procedures

While all evidence will assist an IS auditor in developing audit conclusions, some types of evidence are more reliable than others. The rules of evidence, and the sufficiency and competency of evidence, must be considered as required by audit standards.

Determinants for evaluating the reliability of audit evidence include:
• Independence of the provider of the evidence: Evidence obtained from outside sources is more reliable than evidence from within the organization. This is why confirmation letters are used for verification of accounts receivable balances. Additionally, signed contracts or agreements with external parties can be considered reliable if the original documents are made available for review.
• Qualifications of the individual providing the information/evidence: Whether the providers of the information/evidence are inside or outside of the organization, an IS auditor should always consider the qualifications and functional responsibilities of the persons providing the information. This can also be true of an IS auditor. If an IS auditor does not have a good understanding of the technical area under review, the information gathered from testing that area may not be reliable, especially if the IS auditor does not fully understand the test.
• Objectivity of the evidence: Objective evidence is more reliable than evidence that requires considerable judgment or interpretation. An IS auditor's review of media inventory is direct, objective evidence. An IS auditor's analysis of the efficiency of an application, based on discussions with certain personnel, may not be objective audit evidence.
• Timing of the evidence: An IS auditor should consider the time during which information exists or is available in determining the nature, timing
processed by dynamic systems, such as spreadsheets, may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up.

An IS auditor gathers a variety of evidence during an audit. Some evidence may be relevant to the objectives of the audit, while other evidence may be considered peripheral. An IS auditor should focus on the overall objectives of the review and not the nature of the evidence gathered.

The quality and quantity of evidence must be assessed. These two characteristics are referred to by the International Federation of Accountants (IFAC) as appropriate (quality) and sufficient (quantity). Evidence is competent when it is both reliable and relevant. Audit judgment is used to determine when sufficiency is achieved in the same manner that it is used to determine the appropriateness of evidence.

An understanding of the rules of evidence is important for IS auditors because they may encounter a variety of evidence types.

Note
A CISA candidate, given an audit scenario, should be able to determine which evidence-gathering technique would be best in a given situation.

Techniques for gathering evidence include:
• Reviewing IS organization structures: An organizational structure that provides adequate segregation of duties (SoD) is a key general control in an IS environment. An IS auditor should understand general organizational controls and be able to evaluate those controls in the organization under audit. Where there is a strong emphasis on cooperative distributed processing or on end-user computing, IT functions may be organized somewhat differently from the classic IS organization, which consists of separate systems and operations functions. An IS auditor should be able to review organizational structures and assess the level of control they provide.
• Reviewing IS policies and procedures: An IS auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures and ensure that policies and procedures are being followed. An IS auditor should verify that management assumes full responsibility for formulating, developing, documenting, promulgating
and extent of compliance testing and, if applicable,
and controlling policies covering general aims
substantive testing. For example, audit evidence
and directives. Periodic reviews of policies and technique involves the actual performance of the
procedures for appropriateness should be carried out. control under assessment in real time.
• Reviewing IS standards-An IS auditor should first • Walk-th roughs-The walk-through is an audit
understand the existing standards in place within the technique to confirm the understanding of controls.
organization. A walkthrough can help ensure the control owner
• Reviewing IS documentation-A first step in and IS auditor clearly understand the controls to be
reviewing the documentation for an information assessed and assist in the identification of evidence to
system is to understand the existing documentation be collected to validate control effectiveness.
in place within the organization. This documentation
Whi le these evidence-gathering techniques are part of an
could be a hard copy or a copy stored electronically.
audit, an audit is not limited to review work. It includes
If the latter, controls to preserve the document
examination, which incorporates the testing of controls
integrity should be evaluated by an IS auditor. An
and audit evidence and, therefore, includes the results of
IS auditor should look for a minimum level of IS
audit tests.
documentation. Documentation may include:
• Systems development initiating documents (e.g., An IS auditor should recognize that with systems
feasibility studies) development techniques, such as computer-aided
• Documentation provided by external application software engineering (CASE) or prototyping, traditional
suppliers systems documentation will not be required or will be
• SLAs with external IT providers provided in an automated form. However, an IS auditor
• Functional requirements and design specifications should look for documentation standards and practices
• Tests plans and reports within the IS organization.
• Program and operations documents
• Program change logs and histories An IS auditor should be able to review documentation
• User manuals for a given system and determine whether it follows the
• Operations manuals organization's documentation standards. In addition, an
• Security-related documents (e.g., security plans, IS auditor should understand the current approaches to
risk assessments) developing systems-such as object orientation, CASE
tools or prototyping-and how the documentation is
• BCPs
• QA reports constructed. An IS auditor should recognize other
• Repmts on security metrics components of IS documentation, such as database
• Interviewing appropriate personnel- See section specifications, file layouts or self-documented program
1. 7 .1 Interviewing and Observing Personnel in listings.
Performance of Their Duties.
• Observing processes and employee performance--
1.7.1 Interviewing and Observing
The observation of processes is a key audit technique Personnel in Performance of Their Duties
for many types of review. An IS auditor should be
Interviewing techniques are an important skill for an
unobtrusive while making observations and should
IS auditor. Interviews should be organized in advance
document everything in sufficient detail to be able
with objectives clearly communicated, follow a fixed
to present it, if required, as audit evidence. In some
outline and be documented by interview notes. Using an
situations, the release of the audit report may not be
interview form or checklist prepared by an IS auditor is a
timely enough to use observations as evidence, which
good approach.
may necessitate the issuance of an interim report to
management of the area being audited. An IS auditor Remember that the purpose of such an interview is to
may wish to consider whether documentary evidence gather audit evidence using techniques, such as inquiry,
would be useful as evidence (e.g., photograph of a observation, inspection, confirmation, performance and
server room with doors fully opened). monitoring. Personnel interviews are discoveries by
• Reperformance--The reperformance process is a nature and should never be accusatory; the interviewer
key audit technique that generally provides better should help people feel comfortable, encouraging them to
evidence than the other techniques and is, therefore, share information, ideas, concerns and knowledge. An IS
used when a combination of inquiry, observation and auditor should verify the accuracy of the notes with the
examination of evidence does not provide sufficient interviewee.
assurance that a control is operating effectively. This
Observing personnel in the performance of their duties assists an IS auditor in identifying:
• Actual functions—Observation can be an adequate test to ensure that the individual who is assigned and authorized to perform a particular function is the person who is actually doing the job. It allows an IS auditor an opportunity to witness how policies and procedures are understood and practiced. Depending on the specific situation, the results of this type of test should be compared with the respective logical access rights.
• Actual processes/procedures—Performing a walk-through of the process/procedure allows an IS auditor to obtain evidence of compliance and observe deviations, if any. This type of observation can prove useful for physical controls.
• Security awareness—Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures to safeguard the enterprise's assets and data. This type of information can be supported with an examination of previous and planned security training.
• Reporting relationships—Reporting relationships should be observed to ensure that assigned responsibilities and adequate SoD are being practiced. Often, the results of this type of test should be compared with the respective logical access rights.
• Observation drawbacks—The observer may interfere with the observed environment. Personnel, upon noticing that they are being observed, may change their usual behavior. Interviewing information processing personnel and management should provide adequate assurance that the staff has the required technical skills to perform the job. This is an important factor that contributes to an effective and efficient operation.

1.8 Audit Data Analytics

Data analytics is an important tool for an IS auditor. Through the use of technology, an IS auditor can select and analyze full data sets to continuously audit or monitor key organizational data for abnormalities or variances that can be used to identify and evaluate organizational risk and achieve compliance with control and regulatory requirements.

An IS auditor can use data analytics to:
• Determine the operational effectiveness of the current control environment
• Determine the effectiveness of antifraud procedures and controls
• Test system conversion
• Test logical access SoD (e.g., analysis of Active Directory data combined with job descriptions)
• Identify business process errors
• Identify business process improvements and inefficiencies in the control environment
• Identify exceptions or unusual business rules
• Identify fraud
• Identify areas where poor data quality exists
• Conduct a risk assessment at the planning phase of an audit

The process used to collect and analyze data includes:
• Setting the scope (e.g., determining audit/review objectives; defining data needs, sources and reliability)
• Identifying and obtaining the data (e.g., requesting data from responsible sources, testing a sample of data, extracting the data for use)
• Validating the data (e.g., determining if the data is sufficient and reliable to perform audit tests) by:
  • Validating balances independent of the data set extracted
  • Reconciling detailed data to report control totals
  • Validating numeric, character and date fields
  • Verifying the time period of the data set (i.e., determining that it meets scope and purpose)
  • Verifying that all necessary fields identified in the scope are actually included in the acquired data set
• Executing the tests (e.g., running scripts and performing other analytical tests)
• Documenting the results (e.g., recording the testing purpose, data sources and conclusions reached)
• Reviewing the results (e.g., ensuring that the testing procedures have been adequately performed and reviewed by a qualified person)
• Retaining the results (e.g., maintaining important test elements), such as:
  • Program files
  • Scripts
  • Macros/automated command tests
  • Data files

Data analytics can be effective for an IS auditor in both the planning and fieldwork phases of an audit. Analytics can be used to:
• Combine logical access files with human resources employee master files for authorized users
• Combine file library settings with data from the change management systems and dates of file changes that can be matched to dates of authorized events
• Match ingress with egress records to identify tailgating in physical security logs
• Review table or system configuration settings
• Review system logs for unauthorized access or unusual activities

1.8.1 Computer-Assisted Audit Techniques

CAATs are important tools that an IS auditor uses to gather and analyze data during an IS audit or review. When systems have different hardware and software environments, data structures, record formats or processing functions, it is almost impossible for an IS auditor to collect certain evidence without using such a software tool.

CAATs also enable an IS auditor to gather information independently. They provide a means to gain access and analyze data for a predetermined audit objective and to report the audit findings with emphasis on the reliability of the records produced and maintained in the system. The reliability of the source of the information used provides reassurance on findings generated.

CAATs include many types of tools and techniques such as GAS, utility software, debugging and scanning software, test data, application software tracing and mapping and expert systems.

GAS refers to standard software that can directly read and access data from various database platforms, flat-file systems and American Standard Code for Information Interchange (ASCII) formats. GAS provides an IS auditor with an independent means to gain access to data for analysis and the ability to use high-level, problem-solving software to invoke functions to be performed on data files. Features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. Functions commonly supported by GAS include:
• File access—Enables the reading of different record formats and file structures
• File reorganization—Enables indexing, sorting, merging and linking with another file
• Data selection—Enables global filtration conditions and selection criteria
• Statistical functions—Enables sampling, stratification and frequency analysis
• Arithmetical functions—Enables arithmetic operators and functions

Utility software is a subset of software—such as report generators of the database management system (DBMS)—that provides evidence about system control effectiveness. Test data involves an IS auditor using a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives. The review of an application system will provide information about internal controls built into the system. The audit-expert system will provide direction and valuable information to all levels of auditors while carrying out the audit because the query-based system is built on the knowledge base of senior auditors or managers.

Utility software tools and techniques can be used in performing various audit procedures such as:
• Tests of the details of transactions and balances
• Analytical review procedures
• Compliance tests of IS general controls
• Compliance tests of IS application controls
• Network and OS vulnerability assessments
• Penetration testing
• Application security testing and source code security scans

An IS auditor should have a thorough understanding of CAATs and know where and when to apply them. For example, an IS auditor should review the results of engagement procedures to determine whether there are indications that irregularities or illegal acts may have occurred. Using CAATs could aid significantly in the effective and efficient detection of irregularities or illegal acts.

An IS auditor should weigh the costs and benefits of using CAATs before going through the effort, time and expense of purchasing or developing them. Issues to consider include:
• Ease of use for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies
• Effort required to bring the source data into the CAATs for analysis
• Ensuring the integrity of imported data by safeguarding its authenticity
• Recording the time stamp of data downloaded at critical processing points to sustain the credibility of the review
• Obtaining permission to install the software on the auditee servers
• Reliability of the software
• Confidentiality of the data being processed

When developing CAATs, the following are examples of documentation to be retained:
• Online reports detailing high-risk issues for review
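As an added illustration of the analytics use cases above (linking the logical access file to the HR employee master file, testing logical access SoD against job descriptions, reconciling the extract to a report control total) in the style of the GAS functions just described, here is a small Python script; it is not code from the CISA Review Manual, and the user IDs, groups, job titles, dates and SoD rule are constructed.

```python
from collections import Counter
from datetime import date

# Constructed extract from the logical access system (user-to-group assignments).
ACCESS_EXTRACT = [
    {"user_id": "u1001", "group": "AP_INVOICE_ENTRY"},
    {"user_id": "u1001", "group": "AP_PAYMENT_APPROVE"},  # entry + approval: SoD conflict
    {"user_id": "u1002", "group": "AP_PAYMENT_APPROVE"},
    {"user_id": "u1003", "group": "HR_VIEW"},              # no HR master record
    {"user_id": "u1004", "group": "AP_INVOICE_ENTRY"},     # employee already terminated
    {"user_id": "u1004", "group": "AP_INVOICE_ENTRY"},     # duplicate row in the extract
]

# Constructed HR employee master file.
HR_MASTER = [
    {"user_id": "u1001", "job": "AP clerk", "term_date": None},
    {"user_id": "u1002", "job": "AP manager", "term_date": None},
    {"user_id": "u1004", "job": "AP clerk", "term_date": date(2024, 3, 31)},
]

# Control total printed on the source system's own access report (constructed),
# and the review date the test is run as of (constructed).
REPORT_CONTROL_TOTAL = 5
AS_OF = date(2024, 6, 30)

# Group pairs no single user may hold (constructed SoD rule) and the groups each
# job description entitles a person to (constructed).
SOD_CONFLICTS = [("AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE")]
JOB_ENTITLEMENTS = {
    "AP clerk": {"AP_INVOICE_ENTRY"},
    "AP manager": {"AP_PAYMENT_APPROVE"},
}


def validate_extract(extract, control_total):
    """Reconcile the detailed extract to the report control total and count
    duplicate rows (the 'Validating the data' step of the 1.8 process).
    Returns (reconciled, distinct_assignments, duplicate_rows)."""
    counts = Counter((r["user_id"], r["group"]) for r in extract)
    duplicates = sum(n - 1 for n in counts.values())
    return len(counts) == control_total, len(counts), duplicates


def groups_by_user(extract):
    """GAS-style file reorganization: index distinct assignments by user."""
    index = {}
    for r in extract:
        index.setdefault(r["user_id"], set()).add(r["group"])
    return index


def find_exceptions(extract, hr_master, as_of):
    """Link the access extract to the HR master file and select exceptions."""
    hr = {e["user_id"]: e for e in hr_master}
    findings = {"no_hr_record": [], "terminated": [],
                "sod_conflict": [], "beyond_job": []}
    for user, groups in sorted(groups_by_user(extract).items()):
        emp = hr.get(user)
        if emp is None:                       # account with no employee behind it
            findings["no_hr_record"].append(user)
            continue
        if emp["term_date"] is not None and emp["term_date"] < as_of:
            findings["terminated"].append(user)   # access outlived employment
        for a, b in SOD_CONFLICTS:            # logical access SoD test
            if a in groups and b in groups:
                findings["sod_conflict"].append((user, a, b))
        extra = groups - JOB_ENTITLEMENTS.get(emp["job"], set())
        if extra:                             # access beyond the job description
            findings["beyond_job"].append((user, sorted(extra)))
    return findings


if __name__ == "__main__":
    ok, distinct, dups = validate_extract(ACCESS_EXTRACT, REPORT_CONTROL_TOTAL)
    print(f"control total reconciled: {ok} ({distinct} distinct, {dups} duplicate rows)")
    for kind, items in find_exceptions(ACCESS_EXTRACT, HR_MASTER, AS_OF).items():
        print(f"{kind}: {items}")
```

Each finding list is the evidence the auditor would then compare with the respective job descriptions and termination records before concluding.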
[...] be a "dangerous" or exception condition. For example, whether a set of granted IS access permissions is to be deemed risk-free will depend on having well-defined SoD. On the other hand, it may be much harder to decide if a given sequence of steps taken to modify and maintain a database record points to a potential risk.

It is important to validate the source of the data used for continuous auditing and note the possibility of manual changes.

1.8.3 Continuous Auditing Techniques

Continuous auditing techniques are important IS audit tools, particularly when they are used in time-sharing environments that process a large number of transactions but leave a scarce paper trail. By permitting an IS auditor to evaluate operating controls on a continuous basis without disrupting the organization's usual operations, continuous auditing techniques improve the security of a system. When a system is misused by someone withdrawing money from an inoperative account, a continuous auditing technique will report this withdrawal in a timely fashion to an IS auditor. Thus, the time lag between the misuse of the system and the detection of that misuse is reduced. The realization that failures, improper manipulation and lack of controls will be detected on a timely basis by the use of continuous auditing procedures gives an IS auditor and management greater confidence in a system's reliability.

There are five types of automated evaluation techniques applicable to continuous auditing:
1. Systems control audit review file and embedded audit modules (SCARF/EAM)—The use of this technique involves embedding specially written audit software in the organization's host application system so the application systems are monitored on a selective basis.
2. Snapshots—This technique involves taking what might be termed "pictures" of the processing path that a transaction follows, from the input to the output stage. With the use of this technique, transactions are tagged by applying identifiers to input data and recording selected information about what occurs for an IS auditor's subsequent review.
3. Audit hooks—This technique involves embedding hooks (e.g., logging and monitoring triggers) in application systems to function as red flags and induce IS security and auditors to act before an error or irregularity gets out of hand.
4. Integrated test facility (ITF)—With this technique, dummy entities are set up and included in an auditee's production files. An IS auditor can make the system either process live transactions or test transactions during regular processing runs and have the transactions update the records of the dummy entity. The operator enters the test transactions simultaneously with the live transactions that are entered for processing. An auditor then compares the output with the data that has been independently calculated to verify the correctness of the computer-processed data.
5. Continuous and intermittent simulation (CIS)—During a process run of a transaction, the computer system simulates the instruction execution of the application. As each transaction is entered, the simulator decides whether the transaction meets certain predetermined criteria and, if so, audits the transaction. If not, the simulator waits until it encounters the next transaction that meets the criteria.

In figure 1.19, the relative use cases of the various continuous auditing tools are presented.

Figure 1.19 (only the "Useful when" row of the figure survived extraction; the five cells follow the order of the techniques listed above)
Useful when:
  SCARF/EAM: Regular processing cannot be interrupted.
  Snapshots: An audit trail is required.
  Audit hooks: Only select transactions or processes need to be examined.
  ITF: It is not beneficial to use test data.
  CIS: Transactions meeting certain criteria need to be examined.
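An added example, not from the CISA Review Manual, of how an embedded audit module (SCARF/EAM) with an audit hook and CIS-style selection criteria sits inside a host application; the accounts, transaction stream, large-withdrawal threshold and the "inoperative account" criterion taken from the text above are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    number: str
    balance: float
    status: str  # "active" or "inoperative"


@dataclass
class Transaction:
    txn_id: str
    account: str
    kind: str  # "deposit" or "withdrawal"
    amount: float
    operator: str


@dataclass
class EmbeddedAuditModule:
    """Audit software embedded in the host application (SCARF/EAM)."""
    large_withdrawal: float                        # predetermined selection criterion
    scarf: list = field(default_factory=list)      # SCARF file: selected transactions for later review
    red_flags: list = field(default_factory=list)  # audit hook: conditions needing immediate action

    def evaluate(self, txn, account):
        """Called by the host for every transaction; returns the selection reasons
        (empty when the transaction meets no criterion and is simply passed through)."""
        reasons = []
        if account.status != "active":
            reasons.append("activity on inoperative account")
        if txn.kind == "withdrawal" and txn.amount >= self.large_withdrawal:
            reasons.append("large withdrawal")
        if txn.kind == "withdrawal" and txn.amount > account.balance:
            reasons.append("withdrawal exceeds balance")
        if reasons:  # CIS-style: only transactions meeting the criteria are recorded
            self.scarf.append({"txn_id": txn.txn_id, "account": txn.account,
                               "operator": txn.operator, "reasons": reasons})
        # Audit hook for the case in the text: a withdrawal from an inoperative account
        if account.status != "active" and txn.kind == "withdrawal":
            self.red_flags.append(txn.txn_id)
        return reasons


class HostApplication:
    """The auditee's application; posting continues whatever the audit module records."""

    def __init__(self, accounts, eam):
        self.accounts = {a.number: a for a in accounts}
        self.eam = eam

    def post(self, txn):
        acct = self.accounts[txn.account]
        self.eam.evaluate(txn, acct)  # monitoring runs in-line without interrupting processing
        acct.balance += txn.amount if txn.kind == "deposit" else -txn.amount
        return acct.balance


def run_sample():
    """Process a constructed transaction stream and return the audit module."""
    accounts = [Account("A-1", 1000.0, "active"), Account("A-2", 250.0, "inoperative")]
    eam = EmbeddedAuditModule(large_withdrawal=5000.0)
    app = HostApplication(accounts, eam)
    stream = [
        Transaction("T1", "A-1", "deposit", 200.0, "op7"),
        Transaction("T2", "A-1", "withdrawal", 6000.0, "op7"),  # large and exceeds balance
        Transaction("T3", "A-2", "withdrawal", 100.0, "op9"),   # inoperative account: red flag
        Transaction("T4", "A-2", "deposit", 50.0, "op9"),       # selected, but no red flag
    ]
    for txn in stream:
        app.post(txn)
    return eam


if __name__ == "__main__":
    module = run_sample()
    for rec in module.scarf:
        print(rec)
    print("red flags:", module.red_flags)
```

The SCARF list is what the auditor reviews later; the red-flag list is what the hook would route to IS security immediately.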
The use of each of the continuous auditing techniques has advantages and disadvantages. Their selection and implementation depend, to a large extent, on the complexity of an organization's computer systems and applications and an IS auditor's ability to understand and evaluate the system with and without the use of continuous auditing techniques. In addition, an IS auditor must recognize that continuous auditing techniques are not a cure for all control problems and that the use of these techniques provides only limited assurance that the information processing systems examined are operating as they were intended to function.

Techniques that are used to operate in a continuous auditing environment must work at all data levels—single input, transaction and databases—and include:
• Transaction logging
• Query tools
• Statistics and data analysis
• DBMSs
• Data warehouses, data marts, data mining
• Intelligent agents
• EAM
• Neural network technologies
• Standards such as Extensible Business Reporting Language (XBRL)

Intelligent software agents may be used to automate the evaluation processes and allow for flexibility and dynamic analysis capabilities. The configuration and application of intelligent agents (bots) allow for continuous monitoring of systems settings and the delivery of alert messages when certain thresholds are exceeded or certain conditions are met.

Full continuous auditing processes have to be carefully built into applications and work in layers. The auditing tools must operate in parallel with normal processing—capturing real-time data, extracting standardized profiles or descriptors and passing the result to the auditing layers.

Continuous auditing has an intrinsic edge over point-in-time or periodic auditing because it captures internal control problems as they occur, preventing negative effects. Implementation can also reduce possible or intrinsic audit inefficiencies such as delays, planning time, inefficiencies of the audit process, overhead due to work segmentation, multiple quality or supervisory reviews or discussions concerning the validity of findings.

Full top management support, dedication and extensive experience and technical knowledge are all necessary to accomplish continuous auditing, while minimizing the impact on the underlying audited business processes. The auditing layers and settings may also need continual adjustment and updating.

Besides difficulty and cost, continuous auditing has an inherent disadvantage in that internal control experts and auditors might be hesitant to trust an automated tool in lieu of their personal judgment and evaluation. Also, mechanisms have to be put in place to eliminate false negatives and false positives in the reports generated by such audits so that the report generated continues to inspire stakeholders' confidence in its accuracy.

1.8.4 Artificial Intelligence in IS Audit

Artificial intelligence (AI) is increasingly being used in many business functions. Detecting fraudulent transactions, performing data quality checks, screening for negative news and data processing have all been successfully automated via AI/machine learning (ML) techniques. Implementing AI or ML for large multinational corporate banks leads to big savings in manual overhead and reconciliation efforts.

IS auditors may benefit from using AI/ML techniques to increase overall audit efficiency or decrease audit risk. Efficiency can be gained through automating tedious manual processes like audit work paper markups or data manipulation. Audit risk may be decreased through the ability to increase audit sample sizes or provide auditors with more time and information to analyze audit results for further testing and follow up.

Figure 1.20 outlines specific tasks and automation opportunities for AI/ML in IS audit.

Figure 1.20—The Role of RPA and AI Within the Audit Life Cycle
[Figure: audit life cycle stages, including Audit Setup and Auditing Fieldwork, with automation via NLP, predictive analysis and RPA]
Source: Menon, S.; "How Can AI Drive Audits?," ISACA Journal, vol. 4, 30 June 2021, https://www.isaca.org/resources/isaca-journal/issues/2021/volume-4/how-can-ai-drive-audits

9 Alexiou, S.; "Algorithms and the Auditor," ISACA Journal, vol. 6, 23 November 2021, https://www.isaca.org/resources/isaca-journal/issues/2021/volume-6/algorithms-and-the-auditor
Algorithms can be simple or complex, and not all algorithms are effective. Some are more suited to solving a problem than others. The feasibility of using technological advancements, such as AI, is dependent on finding an efficient algorithm that makes computations fast.¹⁰ An example is homomorphic encryption, which enables the manipulation of encrypted data without the need to convert it to cleartext first.¹¹

Audits can be considered similarly. For example, audits include checking a current state (as is) versus the desired state (as should be). These checks direct an algorithm to:¹²
• Obtain the "as is" and "as should be" versions.
• Perform whatever operations are needed to enable a comparison.
• Perform the comparison.
• Assess the results and their significance.

A complete algorithm involves a detailed prescription of all the general tasks and how to perform each subtask.¹³ Regardless of the complexity, an algorithm is just one way to tackle a problem, and it is important to review and adapt algorithms as changes and needs dictate.

Figure 1.21 further expands on specific applications and use cases for AI/ML techniques in IS audit.

Figure 1.21 [figure content not recoverable from the page]
Source: Menon, S.; "How Can AI Drive Audits?," ISACA Journal, vol. 4, 30 June 2021, https://www.isaca.org/resources/isaca-journal/issues/2021/volume-4/how-can-ai-drive-audits
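The four-step "as is" versus "as should be" check described above, implemented as an added example (not from the manual or the cited articles) for the "review table or system configuration settings" use case; the setting names, baseline rules, exported values and significance weights are all constructed.

```python
import re

# Step 1: obtain both versions. The baseline ("as should be") pairs each setting
# with a rule: the live value must be >= ("min"), <= ("max") or == ("exact") it.
AS_SHOULD_BE = {
    "passwordminlength": ("min", 14),
    "lockoutthreshold": ("max", 5),
    "auditlogretentiondays": ("min", 365),
    "remoteadminenabled": ("exact", False),
}
# Constructed export of the live system ("as is"); casing and spacing vary on purpose.
AS_IS_DUMP = """\
PasswordMinLength = 8
LockoutThreshold=5
AuditLogRetentionDays = 400
RemoteAdminEnabled = TRUE
DebugMode = on
"""
# How much a deviation in each setting matters to the audit objective (constructed weights).
SIGNIFICANCE = {"passwordminlength": 3, "remoteadminenabled": 3,
                "lockoutthreshold": 2, "auditlogretentiondays": 1}


def normalize_value(raw):
    """Step 2: coerce exported text into a comparable type (bool, int or lowercase str)."""
    v = raw.strip().lower()
    if v in ("true", "on", "yes", "enabled"):
        return True
    if v in ("false", "off", "no", "disabled"):
        return False
    return int(v) if re.fullmatch(r"-?\d+", v) else v


def parse_dump(text):
    """Step 2 (continued): read 'key = value' lines into a normalized dict."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = normalize_value(value)
    return settings


def compare(as_is, should_be):
    """Step 3: return deviations as (setting, kind, actual, expected)."""
    deviations = []
    for key, (rule, expected) in should_be.items():
        if key not in as_is:
            deviations.append((key, "missing", None, expected))
            continue
        actual = as_is[key]
        if type(actual) is not type(expected):      # e.g. text where a number was expected
            ok = False
        else:
            ok = {"min": actual >= expected, "max": actual <= expected,
                  "exact": actual == expected}[rule]
        if not ok:
            deviations.append((key, "mismatch", actual, expected))
    for key in as_is.keys() - should_be.keys():      # settings the baseline does not know
        deviations.append((key, "unexpected", as_is[key], None))
    return deviations


def assess(deviations):
    """Step 4: rank deviations by significance and total the score for the finding."""
    ranked = sorted(deviations, key=lambda d: -SIGNIFICANCE.get(d[0], 0))
    score = sum(SIGNIFICANCE.get(d[0], 0) for d in deviations)
    return score, ranked


if __name__ == "__main__":
    score, ranked = assess(compare(parse_dump(AS_IS_DUMP), AS_SHOULD_BE))
    print("significance score:", score)
    for setting, kind, actual, expected in ranked:
        print(f"{setting}: {kind} (actual={actual!r}, expected={expected!r})")
```

Settings with a weight of zero (here the unexpected DebugMode entry) still surface in the list so the auditor can decide whether the baseline itself needs updating.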
Interpretation of AI/ML Results

AI/ML results should always be interpreted at some point by a person. IS auditors must ensure that testing is designed to answer the question of whether a tool being used is able to answer the question that the auditor is asking. Specific factors to consider include:¹⁴
• Data inputs must be validated as part of the AI/ML assisted audit process upon implementation and periodically. The use of the AI/ML tool will be useless if the data being ingested or analyzed is not complete and accurate. When possible, the IS auditor should ensure raw system data may be obtained for analysis and checking of AI/ML tool conclusions.
• The statistical significance of results should be understood by the IS auditor and results should be representative of the entire audit universe.
• Support for actual conclusions must be based on information. Failure to understand that results include assumptions and caveats can create problems, especially if the need for proof is substituted by computer output. For example, there have been instances of suspects being wrongly identified by facial recognition algorithms run on blurry images.¹⁵

AI/ML Audit Risk and Considerations

AI/ML techniques are an evolution of CAATs, and the same considerations should be made to ensure they are performing as expected. Specific to AI/ML, the IS auditor should consider:
• Inadequate testing of AI outcomes can produce questionable results or audit outcomes. IS auditors should ensure adequate testing is performed and substantiated by human-led testing. AI/ML programs are often proprietary. Documentation, if available at all, is typically not detailed enough to explain exactly what the algorithm is doing. Even if it is, it may be complex and hard for a nonexpert to understand.
• Training data fed to algorithms, particularly ML algorithms, should be correct and adequate. Such data should be able to cover both usual and unusual cases. In some rare cases, poor training results in algorithms producing incorrect results.
• The tendency to trust the machine's answer is strong, but justified only if the correctness has been exhaustively tested and the machine actually answers the appropriate questions.
• Using AI tools built by humans introduces the ethics and bias of human judgment and stereotyping.

1.9 Reporting and Communication Techniques

Effective and clear communication can significantly improve the quality of audits and optimize their results. Audit findings should be reported and communicated to stakeholders, with appropriate buy-in from the auditees, for the audit process to be successful. An IS auditor should also consider the motivations and perspectives of the recipients of the audit report so their concerns may be properly addressed. Communication skills (both written and verbal) determine the effectiveness of the audit reporting process. Communication and negotiation skills are required throughout the audit. Successful resolution of audit findings with auditees is essential so that auditees will adopt the recommendations in the report and initiate prompt corrective action. To achieve this goal, an IS auditor should be skilled in the use of techniques such as facilitation, negotiation and conflict resolution. An IS auditor should also understand the concept of materiality (i.e., the relative importance of audit findings based on business impact) when reporting audit results.

1.9.1 Communicating Audit Results

The exit interview, conducted at the end of the audit, provides an IS auditor with the opportunity to discuss findings and recommendations with the auditee management. During the exit interview, an IS auditor should:
• Ensure that the facts presented in the report are correct and material
• Ensure that the recommendations are realistic and cost-effective and, if not, seek alternatives through negotiation with auditee management
• Recommend implementation dates for agreed-on recommendations

IS auditors should be aware that, ultimately, they are responsible to senior management and the audit committee, and they should feel free to communicate issues or concerns to them. An attempt to deny access by levels lower than senior management would limit the independence of the audit function.

Before communicating the results of an audit to senior management, an IS auditor should discuss the findings with the auditee management to gain agreement on the findings and develop an agreed-upon course of corrective action. In cases of disagreement, an IS auditor should elaborate on the significance of the findings, risk and effects of not correcting the control weakness. Sometimes the auditee management may request assistance from an IS auditor in implementing the recommended control enhancements. An IS auditor should communicate the difference between an IS auditor's role and that of a consultant and consider how assisting the auditee may adversely affect an IS auditor's independence.

10 Ibid.
11 Armknecht, F.; C. Boyd; C. Carr et al.; "A Guide to Fully Homomorphic Encryption," 2015, https://eprint.iacr.org/2015/1192.pdf
12 Op cit Alexiou
13 Ibid.
14 Ibid.
15 Hill, K.; "Wrongfully Accused by an Algorithm," The New York Times, 24 June 2020, https://www.nytimes.com/2020/06/24/technology/facial-recognition-arrest.html
After an agreement has been reached with auditee management, IS audit management should brief senior auditee management. A summary of audit activities should be presented periodically to the audit committee. Audit committees typically are composed of individuals who do not work directly for the organization and, thus, provide an IS audit and assurance professional with an independent route to report sensitive findings.

The six objectives of audit reporting are to:
1. Formally present the audit results to the auditee (and the audit client, if different from the auditee)
2. Serve as formal closure of the audit engagement
3. Provide statements of assurance and, if needed, identification of areas requiring corrective action and related recommendations
4. Serve as a valued reference for any party researching the auditee or audit topic
5. Serve as the basis for a follow-up audit if audit findings were presented
6. Promote audit credibility, which depends on the report being well developed and well written

The IS audit-specific reporting objectives are developed based on report requirements from auditee management and other users of the report and in compliance with IS audit and assurance standards and audit organization protocols. The auditee or other stakeholders, such as oversight organizations, are identified during audit planning. An IS auditor develops the audit scope and objectives by considering those requirements and other elements of audit planning, such as the assessments of risk, materiality and appropriateness of stated controls, together with regulatory and IT governance requirements. The audit report formally presents the purpose and the results of the audit in line with those requirements. Every audit report should provide unbiased, well-supported responses to the audit's objectives. For example, if the audit objective is to determine whether adequate controls are in effect to provide reasonable assurance that only authorized physical access can be gained to the data center, then the report should state an IS auditor's conclusion or opinion as to the adequacy of the controls to achieve that objective. If controls need to be implemented or strengthened to achieve the objective, then the report should provide a recommendation to meet that need.

1.9.3 Audit Report Structure and Contents

Audit reports are the end product of the IS audit work. The exact format of an audit report will vary by organization; however, an IS auditor should understand the basic components of an audit report and how it communicates audit findings to management.

The CISA candidate should become familiar with the ISACA IS Audit and Assurance Standards 1401 Reporting and 1402 Follow-up Activities.

Audit reports usually include:
• An introduction to the report, stating audit objectives, limitations to the audit and scope, the period of audit coverage, an overview of the nature and extent of audit procedures conducted and processes examined during the audit, and a statement regarding the IS audit methodology and guidelines
• Audit findings, presented in separate sections and often grouped in sections by materiality and/or intended recipient
• An overall conclusion and opinion regarding the adequacy of controls and procedures examined during the audit, and the actual potential risk identified as a consequence of detected deficiencies
• Reservations or qualifications with respect to the audit
  • An IS auditor may state that the controls or procedures examined were found to be adequate or inadequate. The balance of the audit report should support that conclusion, and the overall evidence gathered during the audit should provide an even greater level of support for the audit conclusions.
• Detailed audit findings and recommendations
  • An IS auditor may include specific findings in an audit report, based on the materiality of the findings and the intended recipient of the audit report. For example, an audit report directed to the audit committee of the board of directors may not include findings that are important only to local management and have little control significance to the overall organization. The decision regarding what to include in various levels of audit reports depends on the guidance provided by upper management.
• A variety of findings, some of which may be material while others are minor in nature
  • An IS auditor may choose to present minor findings to management in an alternate format, such as by memorandum.

An IS auditor should make the final decision about what to include or exclude from the audit report. Generally, an IS auditor should be concerned with providing a balanced report, describing not only negative issues in terms of findings but positive constructive comments regarding improved processes and controls or effective controls already in place. Overall, an IS auditor should exercise independence in the reporting process.

Auditee management evaluates the findings, stating corrective actions to be taken and timing for implementing the anticipated corrective actions. Management may not be able to implement all audit recommendations immediately. For example, an IS auditor may recommend changes to an information system that is undergoing other changes or enhancements. An IS auditor should not necessarily expect that the other changes will be suspended until the audit recommendations are implemented. All may be implemented at once.

An IS auditor should discuss the recommendations and any planned implementation dates while in the process of releasing the audit report. Various constraints, such as staff limitations, budgets or other projects, may limit immediate implementation. Management should develop a firm program for taking corrective actions. It is important to obtain a commitment from auditee management on the implementation date for the action plan (implementing the solution can take a long time) and how it will be performed because the corrective action may bring risk that might be avoided if identified while discussing and finalizing the audit report. If appropriate, an IS auditor may want to report to senior management on the progress of implementing recommendations.

The report should include all significant audit findings. When a finding requires explanation, an IS auditor should describe the finding, its cause and risk. When appropriate, an IS auditor should provide the explanation in a separate document and refer to it in the report. For example, this approach may be appropriate for highly confidential matters. An IS auditor should also identify the organizational, professional and governmental criteria applied. The report should be issued in a timely manner to encourage prompt corrective action. When appropriate, an IS auditor should promptly communicate significant findings to the appropriate persons prior to the issuance of the report. However, prior communication of significant findings should not alter the intent or content of the report.

1.9.4 Audit Documentation

Audit documentation is the written record that provides the support for the representations in the auditor's report. It should:
• Demonstrate that the engagement complied with the standards
• Support the basis for the auditor's conclusions

Audit documentation should include, at a minimum:
• Planning and preparation of the audit scope and objectives
• Description and/or walk-throughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
• Audit documentation relation with document identification and dates

It is also recommended that documentation include:
• A copy of the report issued as a result of the audit work
• Evidence of audit supervisory review

Documents should include audit information that is required by laws and regulations, contractual stipulations and professional standards. Audit documentation is the necessary evidence supporting the conclusions reached and should be clear, complete, easily retrievable and sufficiently comprehensible. Audit documentation is generally the property of the auditee and should be accessible only to authorized personnel under specific or general permission. When access to audit documentation is requested by external parties, an IS auditor should obtain appropriate prior approval of senior management and legal counsel before providing it to those external parties.

Policies should be developed regarding custody, retention requirements and release of audit documentation. The documentation format and media are optional, but due diligence and good practices require that work papers be dated, initialed, page-numbered, relevant, complete, clear, self-contained and properly labeled, filed and kept in custody. Work papers may be automated. An IS auditor should consider how to maintain integrity and protection of audit test evidence to preserve its proof value in support of audit results.
An IS auditor should be able to prepare adequate work papers, narratives, questionnaires and understandable system flowcharts. Audit documentation or work papers can be considered the bridge or interface between the audit objectives and the final report. They should provide a seamless transition, with traceability and accountability, from objectives to report and from report to objectives. The audit report, in this context, can be viewed as a set of particular work papers.

The quest for integrating work papers in the auditor's environment has resulted in all major audit and project management packages, CAATs and expert systems offering a complete array of automated documentation and import-export features.

Audit documentation should support the audit findings and conclusions/opinions. Time of evidence can be crucial to supporting audit findings and conclusions. An IS auditor should take care to ensure that the evidence gathered and documented will be able to support audit findings and conclusions.

The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management. Assessment requires judging the potential effect of a finding if corrective action is not taken. For example:
• A weakness in information security physical access controls at a remote distributed computer site may be significant to management at the site but would not necessarily be material to upper management at headquarters. However, there may be other matters at the remote site that would be material to upper management.
• A review of access deprovisioning might discover that a terminated user's access was not removed after the user's termination date but show that it was caught during management's review of security access, at which time the terminated user's access was removed. This type of discovery would not likely be brought to the attention of upper management but would be documented and discussed with auditee management.

1.9.5 Follow-Up Activities

Auditing is an ongoing process. An IS auditor is not effective if audits are performed and reports issued, but no follow-up is conducted to determine whether management has taken appropriate corrective actions. IS auditors should have a follow-up program to determine if agreed-on corrective actions have been implemented. Although IS auditors who work for external audit firms may not necessarily follow this process, they may achieve these tasks if they are agreed to by the auditee.

The timing of the follow-up will depend on the criticality of the findings and is subject to an IS auditor's judgment. The results of the follow-up should be communicated to appropriate levels of management. The level of an IS auditor's follow-up review will depend on several factors. In some instances, an IS auditor may merely need to inquire as to the current status. In other instances, an IS auditor who works in an internal audit function may have to perform certain audit steps to determine whether the corrective actions agreed on by management have been implemented.

1.9.6 Types of IS Audit Reports

The IS audit report is driven mainly by the type of audit engagement and the reporting requirements from IS audit and assurance standards. While most IS audits result in a single IS audit report, in some situations, more than one report can be applicable. For example, in addition to a report for a general audience, a separate confidential security report containing detailed technical information may need to be created to ensure that security risk is not disclosed to unintended parties.

The organization and specific content of the report also depend on the scope and objectives of the audit engagement and the degree to which IT processes and systems are examined or require explanation. The format and protocols for audit report presentation can depend on any requirements and expectations set forth between the audit organization and the auditee. Requirements for audit report contents or format may be requested by the audit client who may or may not be from the same organization as the auditee.

Although review, examination and agreed-upon procedure engagements have similar reporting requirements, each type of engagement stipulates different reporting requirements and limitations. The primary distinctions among reviews, examinations and agreed-upon procedures stem from the audit objectives, the nature and extent of audit work and the level of assurance to be provided. While all three types of audits include review work, performing audit tests is far more prevalent in audits or examinations that require stronger evidence for formulation of an opinion. Agreed-upon procedures may also include testing, but because of other limitations, an audit opinion may not be expressed. Although audit scope may be the same for reviews
Betatronics is a mid-sized manufacturer of electronic goods with headquarters in the United States and factories in Latin America. An IS auditor within the enterprise has been asked to perform preliminary work that will assess the organization's readiness for a review to measure compliance with new US regulatory requirements.

The requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and to assess management's review and testing of the general IT controls. Areas to be assessed include:
• Logical and physical security
• Change management
• Production control and network management
• IT governance
• End-user computing

The IS auditor has been given six months to perform preliminary work. In previous years, repeated problems were identified in the areas of logical security and change management. Logical security deficiencies included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying OS updates to servers was found to be only partially effective.

The chief information officer (CIO) requested direct reports to develop narratives and process flows describing major activities for which IT was responsible. Those tasks were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination. Following the completion of the preliminary audit work, Betatronics decides to plan audits for the next two years. After accepting the appointment, the IS auditor notes that:
• The entity has an audit charter that details the scope and responsibilities of the IS audit function and specifies the audit committee as the overseeing body for audit activity.
• The entity is subject to regulatory compliance requirements that require its management to certify the effectiveness of the internal control system as it relates to financial reporting.
• The entity has been recording consistent growth over the last two years at double the industry average.
• The entity has seen increased employee turnover.

A. Perform a survey audit of logical access controls.
B. Revise the audit plan to focus on risk-based auditing.
C. Perform an IT risk assessment.
D. Begin testing controls that the IS auditor feels are most critical.

2. When auditing the logical security, the IS auditor is MOST concerned when observing:
A. the system administrator account is known by everybody.
B. the passwords are not enforced to change frequently.
C. the network administrator is given excessive permissions.
D. the IT department does not have a written policy on privilege management.

3. When testing program change management in this case, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.

4. List three general IT controls the IS auditor would use for substantive testing when planning audits for the next two years.

5. The FIRST priority of the IS auditor in year one should be to study the:
A. Previous IS audit reports in order to plan the audit schedule
B. Audit charter in order to plan the audit schedule
C. Impact of the increased employee turnover
D. Impact of the implementation of a new enterprise resource plan on the IT environment

A. Inherent risk
B. Residual risk
C. Control risk
D. Material risk

Answers on page 82
D. This is not an example of material risk. Material risk is any risk large enough to threaten the overall success of the business in a material way.

8. Possible answer: The COBIT framework can be leveraged and adapted. Each process can be classified as fully addressed, partially addressed and not applicable by comparing the standard COBIT framework to the organization's reality. Further frameworks, standards and practices can be included in each respective process, as COBIT guidance suggests.