Professional Documents
Culture Documents
Domain - 01
The Process of Auditing Information Systems
Page 2 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Details Study
1.1 Management of IS Audit Function
Ensure the audit team –
i) will fulfill audit function objectives,
ii) preserve audit independence and competence
Managing the audit function should ensure value added contributions to senior management regarding –
i) the efficient management of IT and
ii) achievement of business objectives.
S1 – Audit Charter
>> The purpose, responsibility, authority and accountability of the IS audit function or IS audit assignments should be
appropriately documented in an audit charter or engagement letter.
>> The audit charter or engagement letter should be agreed and approved at an appropriate level within the organization(s).
Page 3 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
For External IS Audit:
For external IS audit, there should be a formal contact or statement of work with –
i) The Scope and
ii) The Objectives
IS audit can be –
i) Part of Internal Audit,
ii) Function as an independent group, or
iii) Integrated with a financial and operational audit.
The Audit (Internal & External) should –
i) Be independent, and
ii) Report to an audit committee or the board of director.
Page 4 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Process failures
Financial operations
Compliance requirements
Individual audit assignments
o In annual planning, each individual audit assignment must be adequately planned.
o The IS auditor should understand considerations that may impact the overall approach to the audit,
like –
Results of periodic risk assessments
Changes in the application of technology, and
Evolving privacy issues and regulatory requirements
o The IS auditor should also take into considerations of –
System implementation/upgrade deadlines
Current and future technologies
Requirements from business process owners, and
IS resource limitations
Audit Planning Steps
1. Gain an understanding of the business’s mission, objectives, purpose and processes, which include
information and processing requirements such as availability, integrity, security and business technology,
and information confidentiality.
2. Understand changes in business environment of the auditee.
3. Review prior work papers.
4. Identify stated contents such as policies, standards and required guidelines, procedures and organization
structure
5. Perform a risk analysis to help in designing the audit plan.
6. Set the audit scope and audit objectives.
7. Develop the audit approach or audit strategy.
8. Assign personnel resources to the audit
9. Address engagement logistics.
Page 5 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is
required by legal authority. Such information shall not be used for personal benefit or released to inappropriate
parties.
5. Maintain competency in their respective fields and agree to undertake only those activities that they can
reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of IS security and control.
Compliance: The act of conformity undertaken due to the trepidation of legal or regulatory sanctions, financial loss, or damage
to reputation and franchise value that may arise when an organization fails to comply with laws, regulations, standards or codes
of conduct of self-regulatory organizations applicable to the business activities and functions within the organization.
Ethics: A code of core values that guides our choices and actions, and determines the purpose and course of our organization and
lives. Standards of duty and virtue that indicate how we should behave.
IS Audit Expert
>> A common misconception is that the standards, guidelines and procedures are absolute. They are not. Appropriate
consideration must be given to local operating conditions, economy, culture, technical competencies and other similar factors.
>> In providing recommendations to management, you are expected to exercise professional judgment, and weigh the nature
and magnitude of risks and costs to the organization related to management's adherence to standards, guidelines and
procedures.
Standards: A metric used to determine the correctness of a thing or process; a set of rules or specifications that, when taken
together, define a software or hardware device. A standard is also an acknowledged basis for comparing or measuring something.
Guidelines: A suggested action or recommendation related to an area of information security policy that is intended to
supplement a procedure. Unlike standards, implementation of guidelines may be at the discretion of the reader.
Procedures: A detailed description of the steps necessary to perform specific operations in conformance with applicable
standards.
The purpose, responsibility, authority and accountability of the IS audit function or IS audit assignments should be
appropriately documented in an audit charter or engagement letter.
The audit charter or engagement letter should be agreed and approved at an appropriate level within the
organization(s).
S2 – Independence (Professional and Organizational)
Professional Independence: In all matters related to the audit, the IS auditor should be independent of the auditee
in both attitude and appearance.
Organizational Independence: The IS audit function should be independent of the area or activity being reviewed
to permit objective completion of the audit assignment.
S3 – Professional Ethics and Standards
The IS auditor should be professionally competent, having the skills and knowledge to conduct the audit assignment.
The IS auditor should maintain professional competence through appropriate continuing professional education and
training.
Page 6 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
S5 – Planning
The IS auditor should plan the information systems audit coverage to address the audit objectives and comply with
applicable laws and professional auditing standards.
The IS auditor should develop and document a risk-based audit approach.
The IS auditor should develop and document an audit plan detailing the nature and objectives, timing, extent and
resources required.
The IS auditor should develop an audit program and procedures.
Audit objective: The specific goal(s) of an audit. These often center on substantiating the existence of internal
controls to minimize business risk.
Audit program: A step-by-step set of audit procedures and instructions that should be performed to complete an
audit.
S6 – Performance of Audit Work
Supervision – IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and
applicable professional auditing standards are met.
Evidence – During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve
the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this
evidence.
Documentation – The audit process should be documented, describing the audit work and the audit evidence that supports
the IS auditor's findings and conclusions.
Evidence: The information an auditor gathers in the course of performing an IS audit. Evidence is relevant if it pertains to the
audit objectives and has a logical relationship to the findings and conclusions it is used to support.
S7 – Reporting
The IS auditor should provide a report, in an appropriate form, upon completion of the audit. The report should
identify the organization, the intended recipients and any restrictions on circulation.
The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit
work performed.
The report should state the findings, conclusions and recommendations and any reservations, qualifications or
limitations in scope that the IS auditor has with respect to the audit.
The IS auditor should have sufficient and appropriate audit evidence to support the results reported.
When issued, the IS auditor's report should be signed, dated and distributed according to the terms of the audit
charter or engagement letter.
S8 – Follow-up Activities
After the reporting of findings and recommendations, the IS auditor should request and evaluate relevant
information to conclude whether appropriate action has been taken by management in a timely manner.
S9 – Irregularities and Illegal Acts
In planning and performing the audit to reduce audit risk to a low level, the IS auditor should consider the risk of
irregularities and illegal acts.
The IS auditor should obtain sufficient and appropriate audit evidence to determine whether management or others
within the organization have knowledge of any actual, suspected or alleged irregularities and illegal acts.
When performing audit procedures to obtain an understanding of the organization and its environment, the IS
auditor should consider unusual or unexpected relationships that may indicate a risk of material misstatements due
to irregularities and illegal acts.
The IS auditor should design and perform procedures to test the appropriateness of internal control and the risk of
management overriding controls.
Page 7 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
When the IS auditor identifies a misstatement, the IS auditor should assess whether such a misstatement may be
indicative of an irregularity or illegal act. If there is such an indication, the IS auditor should consider the implications
in relation to other aspects of the audit and, in particular, the representations of management.
The IS auditor should obtain written representations from management at least annually or more frequently
depending on the audit engagement. It should:
o Acknowledge its responsibility for the design and implementation of internal controls to prevent and detect
irregularities or illegal acts.
o Disclose to the IS auditor the results of the risk assessment that a material misstatement may exist as a
result of an irregularity or illegal act.
o Disclose to the IS auditor its knowledge of irregularities or illegal acts affecting the organization in relation
to management and employees who have significant roles in internal control.
The IS auditor should have knowledge of any allegations of irregularities or illegal acts, or suspected irregularities or
illegal acts, affecting the organization as communicated by employees, former employees, regulators and others.
If the IS auditor has identified a material irregularity or illegal act, or obtains information that a material irregularity
or illegal act may exist, the IS auditor should communicate these matters to the appropriate level of management in
a timely manner.
If the IS auditor has identified a material irregularity or illegal act involving management or employees who have
significant roles in internal control, the IS auditor should communicate these matters in a timely manner to those
charged with governance.
The IS auditor should advise the appropriate level of management and those charged with governance of material
weaknesses in the design and implementation of internal control to prevent and detect irregularities and illegal acts
that may have come to the IS auditor's attention during the audit.
If the IS auditor encounters exceptional circumstances, such as a material misstatement or illegal act, that affect the
IS auditor's ability to continue performing the audit, the IS auditor should consider the legal and professional
responsibilities applicable in the circumstances, including whether there is a requirement for the IS auditor to report
to those who entered into the engagement or, in some cases, those charged with governance or regulatory
authorities, or consider withdrawing from the engagement.
The IS auditor should document all communications, planning, results, evaluations and conclusions relating to
material irregularities and illegal acts that have been reported to management, those charged with governance,
regulators and others.
S10 – IT Governance
The IS auditor should review and assess whether the IS function aligns with the organization's mission, vision,
values, objectives and strategies.
The IS auditor should review whether the IS function has a clear statement about the performance expected by the
business (effectiveness and efficiency) and assess its achievement.
The IS auditor should review and assess the effectiveness of IS resource and performance management processes.
The IS auditor should review and assess compliance with legal, environmental and information quality, and fiduciary
and security requirements.
A risk-based approach should be used by the IS auditor to evaluate the IS function.
The IS auditor should review and assess the control environment of the organization.
The IS auditor should review and assess the risks that may adversely affect the IS environment.
S11 – Use of Risk Assessment in Audit Planning
The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit
plan and determining priorities for the effective allocation of IS audit resources.
When planning individual reviews, the IS auditor should identify and assess risks relevant to the area under review.
S12 – Audit Materiality
The IS auditor should consider audit materiality and its relationship to audit risk while determining the nature, timing
and extent of audit procedures.
Page 8 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
While planning for audit, the IS auditor should consider potential weakness or absence of controls and whether such
weakness or absence of control could result into significant deficiency or a material weakness in the information
system.
The IS auditor should consider the cumulative effect of minor control deficiencies or weaknesses and absence of
controls to translate into significant deficiency or material weakness in the information system.
The report of the IS auditor should disclose ineffective controls or absence of controls and the significance of the
control deficiencies and possibility of these weaknesses resulting in a significant deficiency or material weakness.
S13 – Using the Work of Other Experts
The IS auditor should, where appropriate, consider using the work of other experts for the audit.
The IS auditor should assess and be satisfied with the professional qualifications, competencies, relevant experience,
resources, independence and quality control processes of other experts, prior to engagement.
The IS auditor should assess, review and evaluate the work of other experts as part of the audit and conclude the
extent of use and reliance on expert’s work.
The IS auditor should determine and conclude whether the work of other experts is adequate and complete to enable
the IS auditor to conclude on the current audit objectives. Such conclusion should be clearly documented.
The IS auditor should apply additional test procedures to gain sufficient and appropriate audit evidence in
circumstances where the work of other experts does not provide sufficient and appropriate audit evidence.
The IS auditor should provide appropriate audit opinion and include scope limitation where required evidence is not
obtained through additional test procedures.
S14 – Audit Evidence
The IS auditor should obtain sufficient and appropriate audit evidence to draw reasonable conclusions on which to
base the audit results.
The IS auditor should evaluate the sufficiency of audit evidence obtained during the audit.
S15 – IT Controls
The IS auditor should evaluate and monitor IT controls that are an integral part of the internal control environment of
the organization.
The IS auditor should assist management by providing advice regarding the design, implementation, operation and
improvement of IT controls.
S16 – E-commerce
The IS auditor should evaluate applicable controls and assess risk when reviewing e-commerce environments to
ensure that e-commerce transactions are properly controlled.
Page 9 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
G9 – Audit Considerations for Irregularities, effective 1 March 2000
G10 – Audit Sampling, effective 1 March 2000
G11 – Effect of Pervasive IS Controls, effective 1 March 2000
G12 – Organizational Relationship and Independence, effective 1 September 2000
G13 – Use of Risk Assessment in Audit Planning, effective 1 September 2000
G14 – Application Systems Review, effective 1 November 2001
G15 – Planning Revised, effective 1 March 2002
G16 – Effect of Third Parties on an Organization's IT Controls, effective 1 March 2002
G17 – Effect of Nonaudit Role on the IS Auditor's Independence, effective 1 July 2002
G18 – IT Governance, effective 1 July 2002
G20 – Reporting, effective 1 January 2003
Page 10 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Accept risk
Transfer risk
Avoid risk
Ongoing assessment of risk levels and control effectiveness
Risk Management
Identify Business
Objectives (BO)
Perform Risk
Mitigation (RM)
[Map Risks with
controls in place]
Page 11 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Risk Assessment and Treatment
Assessing security risks
Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant
to the organization
Performed periodically to address changes in:
The environment
Security requirements and when significant changes occur
Treating security risks
Each risk identified in a risk assessment needs to be treated in a cost-effective manner according to its level of risk
Controls should be selected to ensure that risks are reduced to an acceptable level
IS Controls
Strategy and direction
General organization and management
Access to IT resources, including data and programs
Systems development methodologies and change control
Operations procedures
Systems programming and technical support functions
Quality assurance procedures
Physical access controls
Business continuity/disaster recovery planning
Networks and communications
Database administration
Protection and detective mechanisms against internal and external attacks
Page 12 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Internal control objectives
Safeguarding of IT assets
Compliance to corporate policies or legal requirements
Input
Authorization
Accuracy and completeness of processing of data input/transactions
Output
Reliability of process
Backup/recovery
Efficiency and economy of operations
Change management process for IT and related systems
Page 13 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Audit Objectives
An audit compares (measures) actual activity against standards and policy
Specific goals of the audit
Confidentiality
Integrity
Reliability
Availability
Compliance with legal and regulatory requirements
Elements of an Audit
Audit scope
Audit objectives
Criteria
Audit procedures
Evidence
Conclusions and opinions
Reporting
Creating the Plan for an Audit
1. Gather Information
2. Identify System and Components
3. Assess Risk
4. Perform Risk Analysis
5. Conduct Internal Control Review
6. Set Audit Scope and Objectives
7. Assign Resources
8. Develop Auditing Strategy
Planning the Audit
Based on the scope and objective of the particular assignment
IS auditor’s concerns:
Security (confidentiality, integrity and availability)
Quality (effectiveness, efficiency)
Fiduciary (compliance, reliability)
Service and capacity
Phases of an Audit
Audit subject
Audit objective
Audit scope
Pre-audit planning
Audit procedures and steps for data gathering
Procedures for evaluating the test or review results
Procedures for communication with management
Audit report preparation
Audit Workpapers
Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents
Page 14 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Audit Procedures
Understanding of the audit area/subject
Risk assessment and general audit plan
Detailed audit planning
Preliminary review of audit area/subject
Evaluating audit area/subject
Verifying and evaluating controls
Compliance testing
Substantive testing
Reporting (communicating results)
Follow-up
Page 15 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
A Risk Based Audit Approach
Gather Data
and Plan for
the Audit
Evaluate the
Perform the
Internal
Audit
Control
Conduct Perform
Substating Compliance
Testing Testing
Risk-based Auditing
•Control environment
•Control procedures
•Detection risk assessment
•Control risk assessment
•Equate total risk
•Analytical procedures
•Detailed tests of account balances
•Other substantive audit procedures
•Create recommendations
•Write audit report
Page 16 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Performing the Audit
ISACA IT Audit and Assurance Tools and Techniques
Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in
an audit engagement
The IS auditor should apply their own professional judgment to the specific circumstances
ISACA IT Audit and Assurance Standards Framework
Framework for the ISACA IS Auditing Standards:
Standards
Guidelines
Procedures
Relationship Among Standards, Guidelines and Tools and Techniques
Standards
Must be followed by IS auditors
Guidelines
Provide assistance on how to implement the standards
Tools and Techniques
Provide examples for implementing the standards
Evidence
It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence:
Independence of the provider of the evidence
Qualification of the individual providing the information or evidence
Objectivity of the evidence
Timing of the evidence
Gathering Evidence
Techniques for gathering evidence:
Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee performance
Sampling
General approaches to audit sampling:
Statistical sampling
Non-statistical sampling
Compliance vs. Substantive Testing
Compliance test
Determines whether controls are in compliance with management policies and procedures
Substantive test
Tests the integrity of actual processing
Correlation between the level of internal controls and substantive testing required
Relationship between compliance and substantive tests
Page 17 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Testing Controls
Evaluate the controls to determine the basis for reliance and the
nature, scope and timing of substantive tests.
Use two types of substantive tests to evaluate the validity of the data.
Integrated Auditing
Page 18 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Audit Risk
Inherent Risk
Control Risk
Overall Audit Risk
Detection Risk
Page 19 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Automated Work Papers
Risk analysis
Audit programs
Results
Test evidences
Conclusions
Reports and other complementary information
Minimum controls:
Access to work papers
Audit trails
Automated features to provide and record approvals
Security and integrity controls
Backup and restoration
Encryption techniques
Evaluation of Audit Strengths and Weaknesses
Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses
Communicating Audit Results
Exit interview
Correct facts
Realistic recommendations
Implementation dates for agreed recommendations
Presentation techniques
Executive summary
Visual presentation
Audit report structure and contents
Introduction to the report
Audit findings presented in separate sections
The IS auditor’s overall conclusion and opinion
The IS auditor’s reservations with respect to the audit – audit limitations
Detailed audit findings and recommendations
Audit recommendations may not be accepted
Negotiation
Conflict resolution
Explanation of results, findings and best practices or legal requirements
Management Implementation of Audit Recommendations
Ensure that accepted recommendations are implemented as per schedule
Auditing is an ongoing process
Timing a follow-up
Control Self-Assessment
A management technique
A methodology
In practice, a series of tools
Can be implemented by various methods
Page 20 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Objectives of CSA
Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas
Enhancement of audit responsibilities, not a replacement
Educate management about control design and monitoring
Empowerment of workers to assess the control environment
Benefits of CSA
Early detection of risks
More effective and improved internal controls
Increased employee awareness of organizational objectives
Highly motivated employees
Improved audit rating process
Reduction in control cost
Assurance provided to stakeholders and customers
Disadvantages of CSA
Could be mistaken as an audit function replacement
May be regarded as an additional workload
Failure to act on improvement suggestions could damage employee morale
Lack of motivation may limit effectiveness in the detection of weak controls
Page 21 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Continuous Auditing
Distinctive character
Short time lapse between the facts to be audited and the collection of evidence and audit reporting
Drivers
Better monitoring of financial issues
Allows real-time transactions to benefit from real-time monitoring
Prevents financial fiascoes and audit scandals
Uses software to determine proper financial controls
Application of continuous auditing due to:
New information technology developments
Increased processing capabilities
Standards
Artificial intelligence tools
Advantages
Instant capture of internal control problems
Reduction of intrinsic audit inefficiencies
Disadvantages
Difficulty in implementation
High cost
Elimination of auditors’ personal judgment and evaluation
Conclusion
Know
Audit Planning
Performing an Audit
Risk as related to audit planning and performance
Ongoing Audit techniques
Ethics
Page 22 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
From ISACA Demo Training on CISA
Audit Documentation
In addition to the audit plan, the documentation for an IS audit includes:
All the documentation must be kept in safe custody and must be available in accordance with legal, professional and organizational
requirements.
Audit documentation should support the findings and conclusions. Often timing is an important consideration in evidence collection – for
example, in date and time stamping of materials, or in recording the time when observations were made or work was performed. This
information may be critical to supporting the findings and conclusions. It is your responsibility to ensure the evidence gathered and
documented will support your findings. Audit documentation should also contain appropriate working papers, narratives, questionnaires and
system flowcharts.
Audit scope: Defines in specific detail, which areas and/or functions within an organization will be subject to audit, and what
the audit will address, during this audit cycle.
Using the Services of Other Auditors and Experts
Often, the services of other auditors or outside experts may be required for an audit. However, the delegation of work does
not necessarily mean a delegation of professional liability, even if the entire audit is performed by an external service provider.
The IS auditor (or the entity employing the services) is responsible for:
Clearly communicating the audit objectives, scope and methodology through a formal engagement letter to the
external service provider
Implementing a monitoring process to regularly review the work of the external service provider with regard to
planning, supervision, review and documentation
Assessing the usefulness and appropriateness of reports of these external providers
Assessing the impact of significant findings on the overall audit objectives
ISACA IT Audit and Assurance Standards and Guidelines
G1 – Using the Work of Other Auditors and Experts, effective 1 March 2008
Page 23 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
IS Audit Expert
As the IS auditor, you are permitted to use and rely on the audit work carried out by another auditor, either internal or external, but the
nature, timing and extent of audit evidence required will depend upon the significance of the other IS auditor's or expert's work.
Your planning process should identify the level of review that is required to provide sufficient, reliable, relevant and useful audit evidence to
achieve the overall IS audit objectives effectively.
You should consider reviewing the other auditor's or expert's final report, audit programs and audit work papers. You should also consider
whether supplemental testing of the other auditor's or expert's work is required.
Where a review of the other auditor's or expert's work papers is necessary, it is necessary to perform sufficient audit work to confirm that
the other auditor's or expert's work was appropriately planned, supervised, documented and reviewed, and to consider the appropriateness
and sufficiency of the audit evidence provided by them. The other auditor's or expert's compliance with relevant professional standards
should also be assessed.
Finally, assess the usefulness and appropriateness of reports issued by the other auditors and experts, and consider any significant findings
reported by them.
It is your responsibility as the IS auditor to assess the effect of the other auditor's or expert's findings and conclusions on the overall audit
objective, and to verify that any additional work required to meet the overall audit objective is completed.
Q: According to the ISACA IT Audit and Assurance Standards Guidelines, and Procedures, where an independent audit will be required later
and you are the only IS auditor with the requisite skills to carry out both the nonaudit role and the subsequent audit, how should you
proceed in fulfilling your audit responsibilities?
According to the ISACA IT Audit and Assurance Guidelines, specifically G17 – Effect of Nonaudit Role on the IS Auditor's Independence,
paragraph 3 (Independence), subparagraph 3.1.3…
Despite there being no requirement for the IS auditor to be independent while playing a nonaudit role in an IS initiative, you should consider
whether such a role could be deemed to impair independence if you were assigned to audit the IS initiative and/or the related function.
Where such a conflict is foreseeable, you should discuss the issue with the audit committee or equivalent governance body prior to
embarking on the nonaudit role.
The tradeoff between nonaudit role in an IS initiative and the independent audit of the IS initiative (or the related function) should be the
decision of the audit committee or equivalent governance body. Aspects that are likely to influence the decision include:
>> Potential alternative resources for either role
>> Perception of the relative value added by the conflicting activities
>> Potential for educating the IS team so that future initiatives could benefit
>> Career development opportunities and succession planning for the IS auditor
>> Level of risk attached to the nonaudit role
>> Effect on the visibility, profile, image, etc., of the IS audit function
>> Effect of the decision on the requirements of external auditors or regulators, if any
>> The provisions of the IS audit charter
Page 24 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
After the reporting of findings and recommendations, the IS auditor should request and evaluate relevant information to
conclude whether appropriate action has been taken by management in a timely manner. (Reference: ISACA ISACA IT Audit
and Assurance Standard S8 – Follow-up Activities)
Factors that should be considered in determining appropriate follow-up procedures are the:
Any changes in the IS environment that may affect the significance of a reported observation
Important!
If the IS auditor is working in an internal audit environment, responsibility for follow-up should be defined in the internal audit
activity's written charter.
Compliance: The act of conformity undertaken due to the trepidation of legal or regulatory sanctions, financial loss, or damage to
reputation and franchise value that may arise when an organization fails to comply with laws, regulations, standards or codes of conduct of
self-regulatory organizations applicable to the business activities and functions within the organization.
Ethics: A code of core values that guides our choices and actions, and determines the purpose and course of our organization and lives.
Standards of duty and virtue that indicate how we should behave.
Evidence: The information an auditor gathers in the course of performing an IS audit. Evidence is relevant if it pertains to the audit
objectives and has a logical relationship to the findings and conclusions it is used to support
Follow-up activities: The process to ensure prompt and responsive action is taken once management decision has been reached on
recommendations contained in final audit reports.
Governance: The use of institutions, structures of authority and even collaboration to allocate resources and coordinate or control activity
in an organization.
Guidelines: A suggested action or recommendation related to an area of information security policy that is intended to supplement a
procedure. Unlike standards, implementation of guidelines may be at the discretion of the reader.
Policy: Generally, a document that records a high-level principle or course of action which has been decided upon. A policy's intended
purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans
established by the enterprise's management teams. In addition to policy content, policies need to describe the consequences of failing to
comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and
measured.
Procedures: A detailed description of the steps necessary to perform specific operations in conformance with applicable standards.
Standards: A metric used to determine the correctness of a thing or process; a set of rules or specifications that, when taken together,
define a software or hardware device. A standard is also an acknowledged basis for comparing or measuring something.
Page 25 of 26
CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Question 1
Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The
IS auditor should:
C. perform the assignment and future audits with due professional care.
D. obtain the approval of user management to perform the implementation and follow-up.
Your Answer: inform management of his/her inability to conduct future audits. View
Explanation: Correct! An IS auditor can perform non audit assignments if his or her expertise can be of use to management; however, by
performing the nonaudit assignment, the IS auditor cannot conduct the future audits of the areas because his or her independence may be
compromised. The independence of the IS auditor will not be impaired when recommending controls to the auditee after the audit. In this
situation, the IS auditor should inform management of the impairment of independence in conducting further audits in the auditee’s area.
Question 2
Your Answer: describe the authority and responsibilities of the audit department. View
Explanation: Correct! Standard S1 - Audit Charter states "The purpose, responsibility, authority and accountability of the information
systems audit function or information audit assignments should be appropriately documented in an audit charter or engagement letter." The
audit charter typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and
delegation of authority to the audit department.
Question 3
An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the
application. The IS auditor should:
A. disregard these control weaknesses, because a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include in the report a statement that the audit was limited to a review of the application's controls.
D. review the system software controls as relevant and recommend a detailed system software review.
An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the
application. The IS auditor should:
Your Answer: conduct a detailed system software review and report the control weaknesses. View
Explanation: Where the applications are dependent on system software then the effectiveness of those controls should be considered.
However, detailed review of such controls can be outside the audit as part of a detailed system software review if it hampers the audit's
schedule, or if IS auditor may not be technically competent to do such a review at this time. See audit Guideline G14, Application Systems
Review Planning Considerations.
Page 26 of 26