CISA Chapter 1

Uploaded by Nyange Masham

2019 CISA REVIEW COURSE

CORNERSTONE’S SUPPORT: www.cornerstonetz.com/moodle
DOMAIN 1

The Process of Auditing Information Systems

Course Agenda

• Learning Objectives
• Discuss Task and Knowledge Statements
• Discuss specific topics within the chapter
• Case studies
• Practice questions

© Copyright 2014 ISACA. All rights reserved.


What is in Domain 1?

• Describe an IS audit
• Explain how an IS audit function should be managed
• List ISACA audit standards and guidelines
• Describe the risks in audit

What is in Domain 1?

• Describe the internal controls
• Explain the control assessment
• Describe how an IS audit should be performed
• Apply audit principles

Definition of Auditing

Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Definition of IS audit

Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

1.2.1 Organization of the IS Audit Function

Definitions and terms


• IS audit
• Audit charter
– Stating management’s responsibility and objectives for, and delegation of authority to, the IS audit function
– Outlining the overall authority, scope and responsibilities of the audit function
• Approval of the audit charter
– Senior governance levels

1.2.1 Organization of the IS Audit Function

Key concepts
• Classification of audits
• Types of audits

Classification of Audits

The IS auditor should understand the various types of audits that can
be performed, internally or externally, and the audit procedures
associated with each:
• Compliance audits
• Financial audits
• Operational audits
• Integrated audits
• Administrative audits
• IS audits
• Specialized audits
• Forensic audits

1.2.1 Organization of the IS Audit Function

Stages of audit
• Planning
• Audit evidence
• Reporting

1.2.2 IS Audit Resource Management

• Limited number of IS auditors
• Maintenance of their technical competence
• Assignment of audit staff

Knowledge & Task statements

• Task statements
• Knowledge statements

Domain 1 – Task Statements

There are five tasks within this domain that a CISA must know how to perform.

T1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
T1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
T1.3 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.

Domain 1 – Task Statements (contd.)

T1.4 Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
T1.5 Conduct follow-ups or prepare status reports to ensure appropriate actions have been taken by management in a timely manner.

Domain 1 - Knowledge Statements

There are 10 knowledge statements within the process of auditing information systems domain.

KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards
KS1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
KS1.3 Knowledge of control objectives and controls related to information systems

Domain 1 - Knowledge Statements (contd.)

KS1.4 Knowledge of audit planning and audit project management techniques, including follow-up
KS1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
KS1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits

Domain 1 - Knowledge Statements (contd.)

KS1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
KS1.8 Knowledge of different sampling methodologies
KS1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
KS1.10 Knowledge of audit quality assurance systems and frameworks

1.2.3 Audit Planning

Short-term and long-term planning
• Individual audit planning
• Understanding of the overall environment

Things to consider
• New control issues
• Changing technologies
• Changing business processes
• Enhanced evaluation techniques
• Business practices and functions
• Information systems and technology

Audit Objectives

Specific goals of the audit
• Compliance with legal and regulatory requirements
• Confidentiality
• Integrity
• Reliability
• Availability

1.2.3 Audit Planning (cont.)

1.2.4 Effect of Laws and Regulations on IS Audit
Planning

Regulatory requirements generally describe the:
• Establishment
• Organization
• Responsibilities
• Correlation of the regulation to financial, operational and IS audit functions

1.2.4 Effect of Laws and Regulations on IS Audit
Planning (cont.)

Steps to determine compliance with external requirements:
• Identify external requirements
• Document pertinent laws and regulations
• Assess whether management and the IS function have considered the relevant external requirements
• Review internal IS department documents that address adherence to applicable laws
• Determine adherence to established procedures

1.6.7 Risk Assessment and Treatment

Identifying risk and assessing security risks
• Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization
• Should be performed periodically to address changes in the environment and security requirements, and when significant changes occur

1.6.7 Risk Assessment and Treatment (cont.)

Treating security risks
• Each risk identified in a risk assessment needs to be treated
• Possible risk responses include:
– Risk mitigation
– Risk acceptance
– Risk avoidance
– Risk transfer/sharing

1.6.8 Risk Assessment Techniques

• Enables management to effectively allocate limited audit resources
• Ensures that relevant information has been obtained from all levels of management
• Establishes a basis for effectively managing the audit department
• Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan

1.4 Risk Assessment & Analysis

From the IS auditor’s perspective, risk analysis serves more than one purpose:
• It assists the IS auditor in identifying risks and threats to an IT environment and IS system—risks and threats that would need to be addressed by management—and in identifying system-specific internal controls. Depending on the level of risk, this assists the IS auditor in selecting certain areas to examine.

1.4 Risk Analysis (cont.)

• It helps the IS auditor in his/her evaluation of controls in audit planning.
• It assists the IS auditor in determining audit objectives.
• It supports risk-based audit decision making.
• Part of audit planning
• Helps identify risks and vulnerabilities
• The IS auditor can determine the controls needed to mitigate those risks

1.4 Risk Analysis (cont.)

IS auditors must be able to:
• Identify and differentiate risk types and the controls used to mitigate these risks
• Have knowledge of common business risks, related technology risks and relevant controls
• Evaluate the risk assessment and management techniques used by business managers, and make assessments of risk to help focus and plan audit work
• Understand that risk exists within the audit process

1.4 Risk Analysis (cont.)

In analyzing the business risks arising from the use of IT, it is important for the IS auditor to have a clear understanding of:
• The purpose and nature of the business, the environment in which the business operates and related business risks
• The dependence on technology and related dependencies that process and deliver business information
• The business risks of using IT and related dependencies and how they impact the achievement of the business goals and objectives
• A good overview of the business processes and the impact of IT and related risks on the business process objectives

1.4 Risk Analysis (cont.)

2018 CISA REVIEW COURSE
Introduction

Quote

While it is wise to learn from experience, it is wiser to learn from the experience of others.

Possible IS Audits

• Firewall services audit
• IT security system audit
• Accounting system audit
• ATM system audit
• Email exchange system
• Source code review
• HR systems
• Access management
• Business continuity

Stages

• Planning
• Audit evidence
• Reporting
• Follow-up on implementation

Audit Objectives

Specific goals of the audit
• Confidentiality of the system
• Integrity of the system
• Availability of the system

Risk Assessment and Treatment (cont.)

Planning for an IS audit engagement requires a risk assessment to be performed, focusing on high-risk areas.
Risk assessment: IT threats + likelihood + impact
Prioritization of risk: High risk → Medium risk → Low risk

Treating security risks

Each risk identified in a risk assessment needs to be treated.

Possible risk responses include:
• Risk mitigation
• Risk acceptance
• Risk avoidance
• Risk transfer/sharing

Today

• Internal controls
• Audit evidence
• Sampling
• Reporting
• Question and answers

1.5 Internal Controls

Policies, procedures, practices and organizational structures implemented to reduce risks
• Classification of internal controls
– Preventive controls
– Detective controls
– Corrective controls

Real life example (figure): a house protected by a wall, a gate, a security light, a sensor, a dog and a security guard house.

1.5 Internal Controls (cont.)

1.5 Internal Controls (cont.)

IT controls classification
• IT General controls
• Application controls

IT General controls

• Controls that affect the overall functioning of the IT environment

IT general controls include:
• Access controls (physical and logical)
• Backup controls
• System development controls
• IT operations controls

Application controls

• Specific controls which apply to a particular system
• Application controls are divided into input controls, processing controls and output controls
• Examples of input controls are data validity controls and range check controls
• An example of a processing control is atomicity: either all changes happen or none happen. These changes include database changes or transaction processing
• An example of an output control is exception reporting
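The slide names one example for each application-control class: data validity and range checks (input), atomicity (processing) and exception reporting (output). The following Python program, added here and not taken from the course slides or from ISACA, implements all three on a constructed batch of outgoing payments posted to an in-memory SQLite ledger, so that what a test of each control exercises can be seen: the account-id format, payment cap, account balances and transactions are constructed sample data.

```python
"""Input, processing and output application controls on a payment batch.

Constructed scenario: outgoing payments are posted to an account ledger in an
in-memory SQLite database.  Input controls reject bad items, the processing
control makes the batch all-or-nothing, the output control reports exceptions.
"""
import re
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACCOUNT_RE = re.compile(r"^ACC-\d{6}$")   # data validity: account id format (constructed)
AMOUNT_LIMIT = 50_000.00                  # range check: single-payment cap (constructed)


@dataclass(frozen=True)
class Payment:
    txn_id: str
    account: str
    amount: float


def input_controls(payment: Payment) -> List[str]:
    """Input controls: return the validation failures for one item (empty = accepted)."""
    failures = []
    if not ACCOUNT_RE.match(payment.account):
        failures.append("invalid account format (data validity check)")
    if not 0 < payment.amount <= AMOUNT_LIMIT:
        failures.append(f"amount outside 0..{AMOUNT_LIMIT:.2f} (range check)")
    return failures


def open_ledger() -> sqlite3.Connection:
    """Ledger with two constructed accounts.  The CHECK constraint makes the
    database itself refuse any posting that would overdraw an account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE account(id TEXT PRIMARY KEY,
                             balance REAL NOT NULL CHECK (balance >= 0));
        CREATE TABLE ledger(txn_id TEXT PRIMARY KEY,
                            account TEXT NOT NULL REFERENCES account(id),
                            amount REAL NOT NULL);
        INSERT INTO account VALUES ('ACC-000001', 10000.0), ('ACC-000002', 500.0);
    """)
    return conn


def post_batch_atomically(conn: sqlite3.Connection, batch: List[Payment]) -> bool:
    """Processing control (atomicity): either every payment in the batch is
    applied or none is.  Returns True if the batch committed."""
    try:
        with conn:  # one transaction: commit on success, rollback on any exception
            for p in batch:
                conn.execute("INSERT INTO ledger VALUES (?, ?, ?)",
                             (p.txn_id, p.account, p.amount))
                conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?",
                             (p.amount, p.account))
        return True
    except sqlite3.IntegrityError:
        return False   # a constraint was violated: the whole batch was rolled back


def balances(conn: sqlite3.Connection) -> Dict[str, float]:
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))


def exception_report(rejected: List[Tuple[Payment, List[str]]],
                     batch_failed: bool) -> List[str]:
    """Output control (exception reporting): list only what needs human review."""
    lines = [f"{p.txn_id} {p.account} {p.amount:.2f}: {'; '.join(why)}"
             for p, why in rejected]
    if batch_failed:
        lines.append("BATCH REJECTED: a ledger constraint failed; no items were posted")
    return lines


def run_batch(conn: sqlite3.Connection, incoming: List[Payment]) -> Tuple[bool, List[str]]:
    """Apply input controls item by item, post the accepted items atomically,
    and return (batch committed?, exception report)."""
    accepted, rejected = [], []
    for p in incoming:
        failures = input_controls(p)
        if failures:
            rejected.append((p, failures))
        else:
            accepted.append(p)
    committed = post_batch_atomically(conn, accepted) if accepted else True
    return committed, exception_report(rejected, not committed)


# Constructed input: T2 and T3 fail input controls; T4 passes them but would
# overdraw ACC-000002 (balance 500), so the database rejects the whole batch.
INCOMING = [
    Payment("T1", "ACC-000001", 1200.00),
    Payment("T2", "ACC-1", 10.00),
    Payment("T3", "ACC-000001", 75000.00),
    Payment("T4", "ACC-000002", 600.00),
]
```

Running `run_batch(open_ledger(), INCOMING)` returns `False` and a three-line exception report, and both balances are unchanged because the valid T1 was rolled back together with T4.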

1.5 Internal Controls (cont.)

Internal control system
• Internal accounting controls
• Operational controls
• Administrative controls

1.5.1 IS Control Objectives

Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.

1.5.1 IS Control Objectives (cont.)

Specific IS control objectives may include:
• Safeguarding assets
• Ensuring the integrity of general operating system environments

1.5.1 IS Control Objectives (cont.)

• Ensuring the integrity of sensitive and critical application system environments through:
– Authorization of the input
– Validation of the input
– Accuracy and completeness of processing of transactions
– All transactions are recorded accurately and entered into the system for the proper period
– Reliability of overall information processing activities
– Accuracy, completeness and security of the output
– Database integrity

1.5.1 IS Control Objectives (cont.)

• Ensuring appropriate identification and authentication of users of IS resources
• Ensuring the efficiency and effectiveness of operations
• Complying with requirements, policies and procedures, and applicable laws
• Developing business continuity and disaster recovery plans
• Developing an incident response plan
• Implementing effective change management procedures

1.3.2 ISACA IS Audit and Assurance Standards
Framework

Framework for the ISACA IS Auditing Standards:
• Standards www.isaca.org/standards
• Guidelines www.isaca.org/guidelines
• Tools and Techniques

1.3.5 Relationship Among Standards,
Guidelines, and Tools and Techniques

Standards
• Must be followed by IS auditors
Guidelines
• Provide assistance on how to implement the standards
Tools and Techniques
• Provide examples for implementing the standards

1.3.2 ISACA IS Audit and Assurance Standards
Framework (cont.)

Objectives of the ISACA IS Audit and Assurance Standards:
• To inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners
• To inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics

1.3.1 ISACA Code of Professional Ethics

• The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of ISACA and/or certification holders.

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1001 and 1002

1001 – Audit Charter
• Document the audit function appropriately in an audit charter, indicating purpose, responsibility, authority and accountability
• Agree upon and get the audit charter approved at an appropriate level within the enterprise

1002 – Organizational Independence
• Stay independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1003 and 1004

1003 – Professional Independence
• Stay independent and objective in both attitude and appearance in all matters related to audit and assurance engagements

1004 – Reasonable Expectation
• Reasonable expectation that:
– an engagement can be completed in accordance with IS audit and assurance standards
– the scope enables conclusion and addresses restrictions
– management understands its obligations with respect to relevant and timely information

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1005 and 1006

1005 – Due Professional Care
• Exercise due professional care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements

1006 – Proficiency
• Possess adequate skills and proficiency in conducting IS audit and assurance engagements
• Possess adequate knowledge of the subject matter
• Appropriate continuing professional education and training

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1007 and 1008

1007 – Assertions
• Review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant

1008 – Criteria
• Select criteria that are objective, complete, relevant, measurable, understandable, widely recognised, authoritative and understood
• Select criteria issued by relevant authoritative bodies

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1201 and 1202

1201 – Engagement Planning
• Address the objective(s), scope, timeline and deliverables, compliance with applicable laws and professional auditing standards
• Develop and document an IS audit or assurance engagement project plan

1202 – Risk Assessment in Audit Planning
• Use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan
• Identify and assess risk relevant to the area under review
• Evaluate subject matter risk, audit risk and related exposure to the enterprise

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1203

1203 – Performance and Supervision

• Work in accordance with the approved IS audit plan to cover identified risk
• Supervise IS audit staff to accomplish audit objectives and meet audit standards
• Develop relevant knowledge and skills
• Obtain sufficient, reliable, relevant and timely evidence
• Document the audit process, audit work and audit evidence
• Identify and conclude on findings

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1204

1204 – Materiality

• Consider potential weaknesses or absences of controls while planning an engagement
• Consider the cumulative effect of minor control deficiencies or weaknesses
• Disclose absence of controls or ineffective controls, significance of the control deficiencies and probability of these weaknesses resulting in a significant deficiency

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1205

1205 – Evidence

• Obtain sufficient and appropriate evidence to draw reasonable conclusions
• Evaluate the sufficiency of evidence obtained to support conclusions and achieve objectives

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1206

1206 – Using the Work of Other Experts

• Consider using the work of other experts for the IS audit or assurance engagement
• Assess and approve the adequacy of the other experts’ qualifications prior to the IS audit or assurance engagement
• Document the extent of use and reliance on the work of other experts
• Apply additional test procedures where the work of other experts does not provide sufficient and appropriate audit evidence

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1207

1207 – Irregularity and Illegal Acts

• Consider the risk of irregularities and illegal acts
• Maintain an attitude of professional scepticism
• Document and communicate any material irregularities or illegal acts to the appropriate party in a timely manner

1.3.2 ISACA IS Audit and Assurance Standards
Framework – 1401 and 1402

1401 – Reporting
• Provide a report to communicate the results with details like scope, objectives, period of coverage, extent of work performed, etc.

1402 – Follow-up Activities
• Monitor relevant information to conclude whether management has planned/taken appropriate, timely action to address reported audit findings and recommendations

1.3.3 ISACA IS Audit and Assurance Guidelines

New #. Guideline (old #.) Effective Date


2001 Audit Charter (G5) 1 Feb 2008
2002 Organisational Independence (G12) 1 Aug 2008
2003 Professional’s Independence (G17) 1 May 2010
2004 Reasonable Expectation In development
2005 Due Professional Care (G7) 1 Mar 2008
2006 Proficiency (G30) 1 Jun 2005
2007 Assertions In development

1.3.3 ISACA IS Auditing and Assurance
Guidelines (cont.)

New #. Guideline (old #.) Effective Date


2008 Criteria In development
2201 Engagement Planning (G15) 1 May 2010
2202 Risk Assessment in Audit Planning (G13) 1 Aug 2008
2203 Performance and Supervision (G8) 1 Mar 2008
2204 Materiality (G6) 1 May 2008
2205 Evidence (G2) 1 May 2008
2206 Using the Work of Other Experts (G1) 1 Mar 2008

1.3.3 ISACA IS Auditing and Assurance
Guidelines (cont.)

New #. Guideline (old #.) Effective Date


2207 Irregularity and Illegal Acts (G9) 1 Sept 2008
2208 Audit Sampling (G10) 1 Aug 2008
2401 Reporting (G20) 16 Sept 2010
2402 Follow-up Activities (G35) 1 March 2006

1.3.4 ISACA IS Audit and Assurance Tools and
Techniques

• Guidance and examples of possible processes an IS auditor might follow in an audit engagement.
• IS auditors should apply their own professional judgment to the specific circumstances.

Evidence

1.6.2 Audit evidence & Programs

• Based on the scope and objective of the particular assignment
• IS auditor’s perspectives:
– Security (confidentiality, integrity and availability)
– Quality (effectiveness, efficiency)
– Fiduciary (compliance, reliability)
– Service and capacity

1.6.2 Audit Programs (cont.)

General audit procedures are the basic steps in the performance of an audit and usually include:
• Understanding of the audit area/subject
• Risk assessment and general audit plan
• Detailed audit planning
• Preliminary review of audit area/subject
• Evaluating audit area/subject
• Verifying and evaluating controls
• Compliance testing
• Substantive testing
• Reporting (communicating results)
• Follow-up

1.6.2 Audit Programs (cont.)

Procedures for Testing and Evaluating IS Controls

• Use of generalized audit software to survey the contents of data files
• Use of specialized software to assess the contents of operating system parameter files
• Flow-charting techniques for documenting automated applications and business processes
• Use of audit reports available in operating systems
• Documentation review
• Observation
• Walkthroughs
• Reperformance of controls

1.6.2 Audit Programs (cont.)

Computer-assisted audit tools (CAATs)

Generalized audit software (GAS) refers to software designed to read, process and write data with the help of functions performing specific audit routines, e.g. ACL or IDEA.

Advantages of GAS
• Facilitates and automates testing of 100% of the population
• Focuses attention on specific risk areas or transactions
• Identifies duplicate items

1.6.3 Audit Methodology

A set of documented audit procedures designed to achieve planned audit objectives
• Composed of:
– Statement of scope
– Statement of audit objectives
– Statement of audit programs
• Set up and approved by the audit management
• Communicated to all audit staff

Sampling

Audit sampling
Sampling involves looking at less than 100% of transactions.
It is used for tests of controls and direct substantive tests of account balances and assertions.
Sampling is used when time and cost considerations preclude a total verification of all transactions or events.

Sample: a subset of population members used to perform testing.

Sampling is used to infer characteristics about a population based on the characteristics of a sample. Care should be taken to avoid drawing a wrong conclusion from the sample.
Sampling cont’d

Sampling risk: the auditor’s conclusion based on a sample might be different from the conclusion if the test were applied in the same way to the entire population.

Non-sampling risk: the auditor reaches an erroneous conclusion for any reason not related to sampling risk.

Sampling approaches
Statistical sampling: uses the application of probability theory and statistical inference, along with auditor judgment and experience, in a sample application.

Statistical sampling uses the mathematical law of probability to (1) calculate the sample size, (2) select the sample and (3) evaluate the sample and make the inference.

Sampling cont’d

Statistical sampling:
Under statistical sampling, the IS auditor decides how closely the sample should represent the population (assessing precision) and the number of times in 100 that the sample should represent the population (reliability or confidence level).

Non-statistical sampling: the application of auditor judgment and experience in a sample application, e.g. haphazard sampling.

Sampling methods

• Random sampling: sample items are selected at random
• Fixed interval sampling: the item existing at every nth interval increment is selected

Compliance/Control testing

• Means verifying whether the policies and procedures that have been put in place are working

• Sampling approaches for compliance testing:
– Attribute sampling: the aim is to determine whether an attribute (a certain quality) is present or absent in the sample. The result specifies the rate of occurrence, e.g. if 1 exception is noted in 100 units then the rate is 1%
– Stop-or-go sampling: used when few errors are expected; it provides the opportunity to stop testing at the earliest opportunity
– Discovery sampling: this is 100% sampling used to detect fraud or when the likelihood of evidence existing is low

Substantive testing

Monetary-unit sampling uses attribute sampling theory to estimate the monetary (e.g. in €) amount of misstatement for a class of transactions or an account balance.

Variable sampling is a technique used to estimate the mean of a class of transactions or account balance and test for misstatements. It is more frequently used to determine whether an account is materially misstated.

Other key terms in sampling

• Error rate
• Expected error rate
• Tolerable error rate
• Confidence level: level of reliability (the probability that the sample is a true representation of the population)
• Precision: the acceptable range of difference between the sample and the population, i.e. how close the sample is to the population. High precision means the difference is small and hence a low sample size; the reverse is also true.
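The sampling slides above describe statistical attribute sampling for a compliance test in terms of confidence level, expected and tolerable error rates, precision, random versus fixed-interval selection, and the three steps of calculating the sample size, selecting the sample and evaluating it. The following Python example, added here and not taken from the course slides or from ISACA, carries those steps through with the binomial distribution: it sizes the sample, selects it from a constructed population of access-change tickets, and evaluates the observed deviation rate against the tolerable rate. The control being tested, the ticket ids and the deviation result are constructed sample data.

```python
"""Attribute sampling for a compliance test: plan, select, evaluate.

Constructed scenario: an IS auditor tests the control "every access-change
ticket carries a documented manager approval".  Each population item is a
ticket id and the auditor records whether the approval attribute is present.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_rate: float = 0.0) -> int:
    """Smallest n such that, if the true deviation rate equalled the tolerable
    rate, seeing no more than the expected number of deviations would have
    probability <= 1 - confidence.  Reproduces the classic attribute sampling
    tables, e.g. 95% confidence, 5% tolerable, 0% expected -> 59 items."""
    alpha = 1.0 - confidence
    n = 1
    while True:
        expected_deviations = math.ceil(expected_rate * n)
        if binom_cdf(expected_deviations, n, tolerable_rate) <= alpha:
            return n
        n += 1


def random_selection(population: Sequence[str], n: int, seed: int) -> List[str]:
    """Random sampling: every population item has an equal chance of selection."""
    return random.Random(seed).sample(list(population), n)


def fixed_interval_selection(population: Sequence[str], n: int, seed: int) -> List[str]:
    """Fixed interval sampling: a random start, then every interval-th item,
    where interval = population size // sample size."""
    interval = len(population) // n
    start = random.Random(seed).randrange(interval)
    return [population[start + i * interval] for i in range(n)]


def upper_deviation_limit(deviations: int, n: int, confidence: float) -> float:
    """Achieved upper precision limit: the largest population deviation rate
    still consistent with the sample result at this confidence level, i.e. the
    smallest p with P(X <= deviations | n, p) <= 1 - confidence (bisection)."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) <= alpha:
            hi = mid
        else:
            lo = mid
    return hi


def evaluate_attribute_sample(flags: Sequence[bool], confidence: float,
                              tolerable_rate: float) -> Tuple[float, float, bool]:
    """Return (observed deviation rate, upper deviation limit, control reliable?).
    A deviation is a sampled item whose attribute is absent (flag False).  The
    control is relied upon only if the upper limit does not exceed the tolerable rate."""
    n = len(flags)
    deviations = sum(1 for present in flags if not present)
    upper = upper_deviation_limit(deviations, n, confidence)
    return deviations / n, upper, upper <= tolerable_rate


# Constructed population: 1,000 access-change tickets.
TICKETS = [f"CHG-{i:04d}" for i in range(1, 1001)]


def demo() -> Dict[str, object]:
    """Plan at 95% confidence, 5% tolerable and 1% expected deviation rate,
    select by fixed interval, then evaluate a constructed result in which one
    sampled ticket is missing its approval."""
    n = attribute_sample_size(confidence=0.95, tolerable_rate=0.05, expected_rate=0.01)
    sample = fixed_interval_selection(TICKETS, n, seed=7)
    flags = [ticket != sample[3] for ticket in sample]  # constructed: one deviation
    observed, upper, reliable = evaluate_attribute_sample(flags, 0.95, 0.05)
    return {"sample_size": n, "observed_rate": observed,
            "upper_deviation_limit": upper, "control_reliable": reliable}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With one deviation in 93 items the upper deviation limit lands just under 5%, so the control can still be relied upon; a second deviation in a sample of 100 pushes the limit above 5% and the auditor would have to extend testing or report the control as ineffective.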

1.5.2 Audit regulations & standards

Sarbanes-Oxley Act

COBIT

1.5.2 Audit regulations

Sarbanes-Oxley Act (2002)

• A result of the major collapse of two companies (Enron and WorldCom) caused by audit failure
• Thousands of investors lost their fortunes because of reliance on auditors’ reports, e.g. the share price of Enron dropped from USD 90 to below USD 1
• The act was enacted to protect investors

1.5.2 COBIT 5

Evolution of scope (figure): Audit, Control, Management, IT Governance; COBIT1 (1996), COBIT2 (1998), COBIT3 (2000), COBIT4.0/4.1 (2005/7), COBIT 5 (2012); Val IT 2.0 (2008) and Risk IT (2009).

A business framework from ISACA, at www.isaca.org/cobit


1.5.2 COBIT 5 (cont.)

The five COBIT 5 principles are:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

Principle 1. Meeting Stakeholder Needs

Enterprises exist to create value for their stakeholders.

Source:  COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.


Principle 1: Meeting Stakeholder Needs

• Stakeholder needs have to be transformed into an enterprise’s practical strategy.
• The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.

Source:  COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.
1. Meeting Stakeholder Needs (cont.)

Principle 1. Meeting Stakeholder Needs:

Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them.
Governance is about negotiating and deciding amongst different stakeholders’ value interests.
The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
For each decision, the following can and should be asked:
– Who receives the benefits?
– Who bears the risk?
– What resources are required?
93
© Copyright 2014 ISACA. All rights reserved.
2. Covering the Enterprise End-to-end

Principle 2. Covering the Enterprise End-to-end:

• COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective.
• This means that COBIT 5:
– Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
– Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
Principle 2: Covering the Enterprise End-to-end

[Figure: Key components of a governance system. Source: COBIT® 5, figure 8. © 2012 ISACA® All rights reserved.]

[Figure: Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.]
Principle 3: Applying a Single, Integrated Framework

There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.
3. Applying a Single Integrated Framework

Principle 3. Applying a Single Integrated Framework:

• COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
– Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
– IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
• ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.
4. Enabling a Holistic Approach

Principle 4. Enabling a Holistic Approach


COBIT 5 enablers are:
• Factors that, individually and collectively, influence whether
something will work—in the case of COBIT, governance
and management over enterprise IT
• Driven by the goals cascade, i.e., higher-level IT-related
goals define what the different enablers should achieve
• Described by the COBIT 5 framework in seven categories
4. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach

Source:  COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
4. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
1. Processes—Describe an organised set of practices and activities to achieve
certain objectives and produce a set of outputs in support of achieving overall
IT-related goals
2. Organisational structures—Are the key decision-making entities in an
organisation
3. Culture, ethics and behaviour—Of individuals and of the organisation; very
often underestimated as a success factor in governance and management
activities
4. Principles, policies and frameworks—Are the vehicles to translate the desired
behaviour into practical guidance for day-to-day management
5. Information—Is pervasive throughout any organisation, i.e., deals with all
information produced and used by the enterprise. Information is required for
keeping the organisation running and well governed, but at the operational level,
information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure,
technology and applications that provide the enterprise with information
technology processing and services
7. People, skills and competencies—Are linked to people and are required for
successful completion of all activities and for making correct decisions and
taking corrective actions
4. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
Systemic governance and management through interconnected enablers—To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
– Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
– Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).
5. Separating Governance From Management

Principle 5. Separating Governance From Management:

• The COBIT 5 framework makes a clear distinction between governance and management.
• These two disciplines:
– Encompass different types of activities
– Require different organisational structures
– Serve different purposes
• Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
• Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
5. Separating Governance From Management (cont.)

Principle 5. Separating Governance From Management:

• Governance ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
Principle 4: Enabling a Holistic Approach

COBIT 5 Enabler Dimensions:

• All enablers have a set of common dimensions. This set of common dimensions:
– Provides a common, simple and structured way to deal with enablers
– Allows an entity to manage its complex interactions
– Facilitates successful outcomes of the enablers

Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.
Principle 5: Separating Governance From Management

• Governance ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
Principle 5: Separating Governance From Management (cont.)

COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.

Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.
1.6.2 Audit Programs

• Based on the scope and objective of the particular assignment
• IS auditor’s perspectives:
– Security (confidentiality, integrity and availability)
– Quality (effectiveness, efficiency)
– Fiduciary (compliance, reliability)
– Service and capacity
1.6.2 Audit Programs (cont.)

General audit procedures are the basic steps in the performance of an audit and usually include:
• Understanding of the audit area/subject
• Risk assessment and general audit plan
• Detailed audit planning
• Preliminary review of audit area/subject
• Evaluating audit area/subject
• Verifying and evaluating controls
• Compliance testing
• Substantive testing
• Reporting (communicating results)
• Follow-up
1.6.2 Audit Programs (cont.)

Procedures for Testing and Evaluating IS Controls

• Use of generalized audit software to survey the contents of data files
• Use of specialized software to assess the contents of operating system parameter files
• Flow-charting techniques for documenting automated applications and business processes
• Use of audit reports available in operating systems
• Documentation review
• Observation
• Walkthroughs
• Reperformance of controls
1.6.3 Audit Methodology

A set of documented audit procedures designed to achieve planned audit objectives
• Composed of:
– Statement of scope
– Statement of audit objectives
– Statement of audit programs
• Set up and approved by the audit management
• Communicated to all audit staff
1.6.3 Audit Methodology (cont.)

What is documented in work papers (WPs)?
• Audit plans
• Audit programs
• Audit activities
• Audit tests
• Audit findings and incidents
1.6.4 Fraud Detection

• Management’s responsibility
• Benefits of a well-designed internal control system
– Deterring fraud at the first instance
– Detecting fraud in a timely manner
• Fraud detection and disclosure
• Auditor’s role in fraud prevention and detection
1.6.5 Risk-based Auditing
1.6.6 Audit Risk and Materiality

Audit risk categories
• Inherent risk
• Control risk
• Detection risk
• Overall audit risk
1.6.10 Compliance vs. Substantive Testing

• Compliance test
– Determines whether controls are in compliance with
management policies and procedures
• Substantive test
– Tests the integrity of actual processing
• Correlation between the level of internal controls and substantive testing required
• Relationship between compliance and substantive tests
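The two kinds of test, run over the same constructed change-management data, as an added example that is not part of the ISACA course material. The compliance test checks that the change-authorization control operated as policy requires; the substantive test ignores the control and checks the integrity of the processing itself; the sample-size rule, with constructed thresholds, shows how weaker controls call for more substantive testing.

```python
"""Compliance test vs. substantive test on constructed audit data.

Added example, not part of the ISACA course material. The records, control
rules and sample-size thresholds are constructed for illustration only."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ChangeTicket:
    ticket_id: str
    requester: str
    approver: Optional[str]          # None = never approved
    approved_at: Optional[datetime]


@dataclass
class ProductionChange:
    change_id: str
    ticket_id: Optional[str]         # None = deployed without a ticket
    implementer: str
    deployed_at: datetime


def compliance_test(changes, tickets):
    """Compliance test: is the change-authorization control operating as
    management's policy requires? Every production change must trace to a
    ticket approved, before deployment, by someone other than the implementer.
    Returns a list of (change_id, reason) exceptions."""
    by_id = {t.ticket_id: t for t in tickets}
    exceptions = []
    for c in changes:
        t = by_id.get(c.ticket_id)
        if t is None:
            exceptions.append((c.change_id, "no authorizing ticket"))
        elif t.approver is None or t.approved_at is None:
            exceptions.append((c.change_id, "ticket never approved"))
        elif t.approver == c.implementer:
            exceptions.append((c.change_id, "implementer approved own change"))
        elif t.approved_at > c.deployed_at:
            exceptions.append((c.change_id, "approved after deployment"))
    return exceptions


def substantive_test(transactions, reported_balances):
    """Substantive test: is the actual processing correct, regardless of how
    the controls performed? Recompute each account balance from the posted
    transactions and compare it with the balance the system reports.
    Returns {account: (recomputed, reported)} for every mismatch."""
    recomputed = {}
    for account, amount in transactions:
        recomputed[account] = recomputed.get(account, 0) + amount
    mismatches = {}
    for account, reported in reported_balances.items():
        actual = recomputed.get(account, 0)
        if actual != reported:
            mismatches[account] = (actual, reported)
    return mismatches


def substantive_sample_size(exception_count, population, base=25):
    """The weaker the controls appear from compliance testing, the more
    substantive testing is required. Constructed rule: no exceptions keeps
    the base sample; otherwise the sample grows with the exception rate."""
    if population == 0:
        return 0
    rate = exception_count / population
    if rate == 0:
        return base
    if rate < 0.1:
        return base * 2
    return base * 4


# Constructed sample data: four tickets, five production changes, one ledger.
D = datetime
TICKETS = [
    ChangeTicket("CHG-1", "alice", "bob", D(2024, 3, 1, 9)),
    ChangeTicket("CHG-2", "carol", None, None),               # never approved
    ChangeTicket("CHG-3", "dave", "dave", D(2024, 3, 2, 8)),  # self-approved
    ChangeTicket("CHG-4", "erin", "bob", D(2024, 3, 5, 17)),  # approved late
]
CHANGES = [
    ProductionChange("PRD-10", "CHG-1", "alice", D(2024, 3, 1, 14)),
    ProductionChange("PRD-11", "CHG-2", "carol", D(2024, 3, 1, 15)),
    ProductionChange("PRD-12", "CHG-3", "dave", D(2024, 3, 2, 10)),
    ProductionChange("PRD-13", "CHG-4", "erin", D(2024, 3, 4, 12)),
    ProductionChange("PRD-14", None, "frank", D(2024, 3, 6, 11)),
]
TRANSACTIONS = [("ACC-1", 500), ("ACC-1", -120), ("ACC-2", 300), ("ACC-2", 45)]
REPORTED = {"ACC-1": 380, "ACC-2": 340}   # ACC-2 really sums to 345

if __name__ == "__main__":
    exc = compliance_test(CHANGES, TICKETS)
    for change_id, reason in exc:
        print(f"compliance exception: {change_id}: {reason}")
    print("substantive sample size:", substantive_sample_size(len(exc), len(CHANGES)))
    for acct, (actual, reported) in substantive_test(TRANSACTIONS, REPORTED).items():
        print(f"substantive exception: {acct}: recomputed {actual}, reported {reported}")
```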
1.6.10 Compliance vs. Substantive Testing (cont.)
1.6.11 Evidence

It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence:
• Independence of the provider of the evidence
• Qualification of the individual providing the information or evidence
• Objectivity of the evidence
• Timing of the evidence
1.6.11 Evidence (cont.)

Techniques for gathering evidence:
• Review IS organization structures
• Review IS policies and procedures
• Review IS standards
• Review IS documentation
• Interview appropriate personnel
• Observe processes and employee performance
• Reperformance
• Walkthroughs
1.6.12 Interviewing and Observing Personnel in
Performance of Their Duties

• Actual functions

• Actual processes/procedures

• Security awareness

• Reporting relationships

• Observation drawbacks
1.6.14 Using the Services of Other Auditors and Experts

Considerations when using services of other auditors and experts:
• Restrictions on outsourcing of audit/security services provided by laws and regulations
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
1.6.14 Using the Services of Other Auditors and Experts (cont.)

Considerations when using services of other auditors and experts:
• Professional competence, qualifications and experience
• Scope of work proposed to be outsourced and approach
• Supervisory and audit management controls
• Method and modalities of communication of results of audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards
1.6.16 Evaluation of Audit Strengths and Weaknesses (cont.)

Judging materiality of findings
• Materiality is a key issue
• Assessment requires judgment of the potential effect of the finding if corrective action is not taken
1.6.17 Communicating Audit Results

Exit interview
• Correct facts
• Realistic recommendations
• Implementation dates for agreed recommendations

Presentation techniques
• Executive summary
• Visual presentation
1.6.17 Communicating Audit Results (cont.)

Audit report structure and contents
• An introduction to the report
• Audit findings presented in separate sections
• The IS auditor’s overall conclusion and opinion
• The IS auditor’s reservations with respect to the audit
• Detailed audit findings and recommendations
• A variety of findings
1.6.18 Management Implementation of Recommendations

• Auditing is an ongoing process
• Timing of follow-up
1.6.19 Audit Documentation

Audit documentation includes:
• Planning and preparation of the audit scope and objectives
• Description of the scoped audit area
• Audit program
• Audit steps performed and evidence gathered
• Other experts used
• Audit findings, conclusions and recommendations
1.7 Control Self-Assessment

• A management technique
• A methodology
• In practice, a series of tools
• Can be implemented by various methods
1.7 Control Self-Assessment (cont.)
1.7.1 Objectives of CSA

• Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas
• Enhancement of audit responsibilities, not a replacement
• Educate management about control design and monitoring
• Empowerment of workers to assess the control environment
1.7.2 Benefits of CSA

• Early detection of risks
• More effective and improved internal controls
• Increased employee awareness of organizational objectives
• Highly motivated employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
1.7.3 Disadvantages of CSA

• Could be mistaken as an audit function replacement
• May be regarded as an additional workload
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls
1.7.4 Auditor Role in CSA

• Internal control professionals

• Assessment facilitators
1.7.6 Traditional vs. CSA Approach

• Traditional Approach
– Assigns duties/supervises staff
– Policy/rule driven
– Limited employee participation
– Narrow stakeholder focus
• CSA Approach
– Empowered/accountable employees
– Continuous improvement/learning curve
– Extensive employee participation and training
– Broad stakeholder focus
1.8.1 Integrated Auditing

Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.
• Focuses on risk to the organization (for an internal auditor)
• Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)
1.8.1 Integrated Auditing (cont.)

Process involves:
• Identification of risks faced by organization and of relevant key controls
• Review and understanding of the design of key controls
• Testing that key controls are supported by the IT system
• Testing that management controls operate effectively
• A combined report or opinion on control risks, design and weaknesses
1.8.2 Continuous Auditing

• Distinctive character
– Short time lapse between the facts to be audited and the
collection of evidence and audit reporting
• Drivers
– Better monitoring of financial issues
– Allows real-time transactions to benefit from real-time
monitoring
– Prevents financial fiascoes and audit scandals
– Uses software to determine proper financial controls
1.8.2 Continuous Auditing (cont.)

Continuous monitoring
• Provided by IS management tools
• Based on automated procedures to meet fiduciary responsibilities

Continuous auditing
• Audit-driven
• Completed using automated audit procedures
1.8.2 Continuous Auditing (cont.)

Application of continuous auditing due to:
• New information technology developments
• Increased processing capabilities
• Standards
• Artificial intelligence tools
1.8.2 Continuous Auditing (cont.)

Prerequisites:
• A high degree of automation
• An automated and reliable information-producing process
• Alarm triggers to report control failures
• Implementation of automated audit tools
• Quickly informing IS auditors of anomalies/errors
• Timely issuance of automated audit reports
• Technically proficient IS auditors
• Availability of reliable sources of evidence
• Adherence to materiality guidelines
• Change of IS auditors’ mindset
• Evaluation of cost factors
1.8.2 Continuous Auditing (cont.)

IT techniques in a continuous auditing environment:
• Transaction logging
• Query tools
• Statistics and data analysis (CAAT)
• Database management systems (DBMS)
• Data warehouses, data marts and data mining
• Intelligent agents
• Embedded audit modules (EAM)
• Neural network technology
• Standards such as Extensible Business Reporting Language
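An embedded audit module with alarm triggers, as an added example that is not part of the ISACA course material. It ties together the prerequisites listed above (alarm triggers for control failures, prompt notification of anomalies, materiality guidelines, automated reports) and two of the techniques (transaction logging and an EAM); the transaction stream, control rules, approval limit and materiality threshold are all constructed.

```python
"""Embedded audit module (EAM) with alarm triggers for continuous auditing.

Added example, not from the ISACA course material. The transaction stream,
control rules, approval limit and materiality threshold are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


class EmbeddedAuditModule:
    """Sits inside the processing path: every transaction is logged and
    evaluated against the control rules as it happens, so the lapse between
    the fact and the auditor's evidence is minimal."""

    def __init__(self, approval_limit, materiality, velocity_limit, window):
        self.approval_limit = approval_limit    # amount needing a second approver
        self.materiality = materiality          # below this, note but do not alarm
        self.velocity_limit = velocity_limit    # max postings per user per window
        self.window = window                    # timedelta for the velocity rule
        self.log = []       # transaction logging: complete audit trail
        self.alarms = []    # (tx_id, rule) for material control failures
        self.noted = []     # (tx_id, rule) for immaterial control failures
        self._recent = defaultdict(list)        # posting times per user

    def _evaluate(self, tx):
        """Apply each control rule; return the labels of the rules that failed."""
        failed = []
        if tx["entered_by"] == tx["approved_by"]:
            failed.append("segregation_of_duties")
        if tx["amount"] > self.approval_limit and not tx.get("second_approver"):
            failed.append("approval_limit_exceeded")
        if not 8 <= tx["when"].hour < 18:
            failed.append("outside_business_hours")
        recent = self._recent[tx["entered_by"]]
        recent.append(tx["when"])
        recent[:] = [t for t in recent if tx["when"] - t <= self.window]
        if len(recent) > self.velocity_limit:
            failed.append("velocity")
        return failed

    def process(self, tx):
        """Called for each transaction as it is processed. Returns the failed
        rules so the caller can react immediately (e.g., hold the posting)."""
        self.log.append(tx)
        failed = self._evaluate(tx)
        for rule in failed:
            # Materiality guideline: only material exceptions trigger an alarm;
            # the rest are kept for aggregate reporting.
            target = self.alarms if tx["amount"] >= self.materiality else self.noted
            target.append((tx["id"], rule))
        return failed

    def report(self):
        """Automated audit report: counts of material alarms per rule."""
        summary = defaultdict(int)
        for _, rule in self.alarms:
            summary[rule] += 1
        return {"transactions": len(self.log),
                "alarms": dict(summary),
                "immaterial_exceptions": len(self.noted)}


def tx(tx_id, when, amount, entered_by, approved_by, second_approver=None):
    return {"id": tx_id, "when": when, "amount": amount, "entered_by": entered_by,
            "approved_by": approved_by, "second_approver": second_approver}


# Constructed transaction stream for one business day.
D = datetime
STREAM = [
    tx("T1", D(2024, 5, 6, 9, 0), 500, "u1", "u2"),
    tx("T2", D(2024, 5, 6, 9, 5), 20000, "u1", "u1"),          # self-approved, over limit
    tx("T3", D(2024, 5, 6, 23, 30), 50, "u3", "u4"),           # after hours, immaterial
    tx("T4", D(2024, 5, 6, 10, 0), 2000, "u5", "u2"),
    tx("T5", D(2024, 5, 6, 10, 1), 2000, "u5", "u2"),
    tx("T6", D(2024, 5, 6, 10, 2), 2000, "u5", "u2"),          # third posting in 5 min
    tx("T7", D(2024, 5, 6, 10, 30), 15000, "u1", "u2", "u6"),  # over limit, dual approved
]


def run_stream(stream):
    """Feed the stream through the EAM and return it with log and alarms filled."""
    eam = EmbeddedAuditModule(approval_limit=10000, materiality=1000,
                              velocity_limit=2, window=timedelta(minutes=5))
    for t in stream:
        failed = eam.process(t)
        if failed and t["amount"] >= eam.materiality:
            print(f"ALARM {t['id']}: {', '.join(failed)}")   # notify the IS auditor
    return eam


if __name__ == "__main__":
    print(run_stream(STREAM).report())
```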
1.8.2 Continuous Auditing (cont.)

• Advantages
– Instant capture of internal control problems
– Reduction of intrinsic audit inefficiencies
• Disadvantages
– Difficulty in implementation
– High cost
– Elimination of auditors’ personal judgment and evaluation
1.9.1 Case Study A Scenario

The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management’s review and testing of the general IT control environment.

Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation.
1.9.1 Case Study A Scenario (cont.)

Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective.

In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.
Case Study A Question – A1

What should the IS auditor do FIRST?
A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.
Case Study A Question – A2

When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.
1.9.2 Case Study B Scenario

An IS auditor is planning to review the security of a financial application for a large company with several locations worldwide. The application system is made up of a web interface, a business logic layer and a database layer. The application is accessed locally through a LAN and remotely through the Internet via a virtual private network (VPN) connection.
Case Study B Question – B1

The MOST appropriate type of CAATs tool the auditor should use
to test security configuration settings for the entire application
system is:
A. generalized audit software.
B. test data.
C. utility software.
D. expert system.
Case Study B Question – B2

Given that the application is accessed through the Internet, how should the auditor determine whether to perform a detailed review of the firewall rules and virtual private network (VPN) configuration settings?
A. Documented risk analysis
B. Availability of technical expertise
C. Approach used in previous audit
D. IS auditing guidelines and best practices
Case Study B Question – B3

During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:
A. review the authorization on a sample of transactions.
B. immediately report this finding to upper management.
C. request that auditee management review the appropriateness of access rights for all users.
D. use a generalized audit software to check the integrity of the database.
1.9.3 Case Study C Scenario

An IS auditor has been appointed to carry out IS audits in an entity for a period of 2 years. After accepting the appointment, the IS auditor noted that:
– The entity has an audit charter that detailed, among other things, the scope and responsibilities of the IS audit function and specifies the audit committee as the overseeing body for audit activity.
– The entity is planning a major increase in IT investment, mainly on account of implementation of a new ERP application, integrating business processes across units dispersed geographically. The ERP implementation is expected to become operational within the next 90 days. The servers supporting the business applications are hosted offsite by a third-party service provider.
1.9.3 Case Study C Scenario (continued)

– The entity has a new incumbent as chief information security officer (CISO), who reports to the chief financial officer (CFO).
– The entity is subject to regulatory compliance requirements that require its management to certify the effectiveness of the internal control system as it relates to financial reporting. The entity has been recording growth at double the industry average consistently over the last two years. However, the entity has seen increased employee turnover as well.
Case Study Question – C1

The FIRST priority of the IS auditor in year 1 should be to study the:
A. previous IS audit reports and plan the audit schedule.
B. audit charter and plan the audit schedule.
C. impact of the new incumbent as CISO.
D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.
Case Study Question – C2

How should the IS auditor evaluate backup and batch processing within computer operations?
A. Plan and carry out an independent review of computer operations.
B. Rely on the service auditor’s report of the service provider.
C. Study the contract between the entity and the service provider.
D. Compare the service delivery report to the service level agreement.
Practice Question – 1-1

Which of the following establishes the overall authority to perform an IS audit?
A. The audit scope, with goals and objectives
B. A request from management to perform an audit
C. The approved audit charter
D. The approved audit schedule
Practice Question – 1-2

In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment
Practice Question – 1-3

While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies
Practice Question – 1-4

Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
Practice Question – 1-5

An IS auditor performing a review of an application’s controls finds a weakness in system software that could materially impact the application. The IS auditor should:
A. disregard these control weaknesses, as a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include in the report a statement that the audit was limited to a review of the application’s controls.
D. review the system software controls as relevant and recommend a detailed system software review.
Practice Question – 1-6

Which of the following is the MOST important reason why an audit planning process should be reviewed at periodic intervals?
A. To plan for deployment of available audit resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit charter
D. To identify the applicable IS audit standards
Practice Question – 1-7

Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams
Practice Question – 1-8

The FIRST step in planning an audit is to:
A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business’s objectives.
D. develop the audit approach or audit strategy.
Practice Question – 1-9

The approach an IS auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. sufficiency of audit evidence.
Practice Question – 1-10

A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.
Conclusion

Chapter 1 Quick Reference Review


Page 29 of CISA Review Manual 2014
Questions

QUESTIONS now
1.6.15 Computer-assisted Audit Techniques

• CAATs enable IS auditors to gather information independently
• CAATs include:
– Generalized audit software (GAS)
– Application software tracing and mapping
– Expert systems
1.6.15 Computer-assisted Audit Techniques (cont.)

• Features of generalized audit software (GAS):
– Mathematical computations
– Stratification
– Statistical analysis
– Sequence checking
• Functions supported by GAS:
– File access
– File reorganization
– Data selection
– Statistical functions
– Arithmetical functions
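The GAS features and functions listed above, reproduced over a constructed payments extract, as an added example that is not part of the ISACA course material or any GAS product: file access, data selection, sequence checking, stratification, statistical and arithmetical functions, plus a duplicate-payment test that combines them.

```python
"""Generalized audit software (GAS) functions on a constructed payments file.

Added example, not from the ISACA course or any GAS product. The records,
value bands and outlier rule are constructed for illustration."""
import csv
import io
import statistics
from collections import Counter, defaultdict

# Constructed extract of a payments file, as GAS would obtain it via file access.
PAYMENTS_CSV = """doc_no,vendor,amount,posted_by
1001,ACME,1200.00,u1
1002,ACME,1200.00,u1
1003,Globex,75.50,u2
1005,Initech,9800.00,u3
1005,Initech,9800.00,u3
1006,Globex,45000.00,u2
1007,ACME,310.25,u1
"""

# Constructed stratification bands: (label, lower inclusive, upper exclusive).
BANDS = [("<100", 0, 100), ("100-<1000", 100, 1000),
         ("1000-<10000", 1000, 10000), (">=10000", 10000, float("inf"))]


def read_file(text):
    """File access: parse the extract into records with typed fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["doc_no"] = int(r["doc_no"])
        r["amount"] = float(r["amount"])
    return rows


def sequence_check(records, key="doc_no"):
    """Sequence checking: report missing and duplicated document numbers,
    which may point to deleted or double-posted transactions."""
    nums = [r[key] for r in records]
    counts = Counter(nums)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    expected = set(range(min(nums), max(nums) + 1))
    gaps = sorted(expected - set(nums))
    return {"gaps": gaps, "duplicates": duplicates}


def stratify(records, bands):
    """Stratification: count and total the amounts falling in each band, so
    the auditor can direct sampling effort at the high-value strata."""
    out = {label: {"count": 0, "total": 0.0} for label, _, _ in bands}
    for r in records:
        for label, lo, hi in bands:
            if lo <= r["amount"] < hi:
                out[label]["count"] += 1
                out[label]["total"] = round(out[label]["total"] + r["amount"], 2)
                break
    return out


def select_records(records, predicate):
    """Data selection: pull the records that meet an audit criterion."""
    return [r for r in records if predicate(r)]


def amount_statistics(records):
    """Statistical functions: descriptive statistics of the amounts and the
    documents more than two standard deviations from the mean (constructed
    outlier rule) for substantive follow-up."""
    amounts = [r["amount"] for r in records]
    mean = statistics.mean(amounts)
    sd = statistics.pstdev(amounts)
    outliers = [r["doc_no"] for r in records if abs(r["amount"] - mean) > 2 * sd]
    return {"n": len(amounts), "mean": round(mean, 2),
            "stdev": round(sd, 2), "outliers": outliers}


def duplicate_payments(records):
    """Selection plus arithmetic: same vendor and amount paid more than once,
    a classic duplicate-payment test. Returns {(vendor, amount): [doc_no...]}."""
    seen = defaultdict(list)
    for r in records:
        seen[(r["vendor"], r["amount"])].append(r["doc_no"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    recs = read_file(PAYMENTS_CSV)
    print("sequence:", sequence_check(recs))
    print("strata:", stratify(recs, BANDS))
    print("large items:", [r["doc_no"] for r in select_records(recs, lambda r: r["amount"] >= 10000)])
    print("stats:", amount_statistics(recs))
    print("possible duplicates:", duplicate_payments(recs))
```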
1.6.15 Computer-assisted Audit Techniques (cont.)

Items to consider before utilizing CAATs:
• Ease of use for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies
• Confidentiality of data being processed
1.6.15 Computer-assisted Audit Techniques (cont.)

Documentation that should be retained:
• Online reports
• Commented program listings
• Flowcharts
• Sample reports
• Record and file layouts
• Field definitions
• Operating instructions
• Description of applicable source documents